Appendix C UI Reference

Clear the checkbox next to the task(s) for which you do not want the server to require confirmation. The options include:

• Delete object class
• Delete attribute
• Delete entry
• Delete subtree
• Delete index
• Delete suffix
• Delete replication agreement
• Remove changelog
• Overwrite database (on import)
• Stop the server

Managing Servers with Netscape Console

From Local Machine. if you want to import a file from the local machine, select this option. This option is not visible if you are running the Directory Server Console on the directory server's host.

Remote File radio button. if you want to import a file from the server's host machine, select this option. This option is not visible if you are running the Directory Server Console on the directory server's host.

LDIF File. Enter the path and the name of the LDIF file you want the server to import. If you do not enter the path to the LDIF file, the server looks for the file in <NSHOME>/slapd-serverID/ldif. If you chose to import a file from the local machine, or if you are running the Directory Server Console on the server's host machine, you can also click Browse to select the file you want to import.

Overwrite Entire Database. Select this option to configure the server to overwrite the entire database with the contents of the LDIF file. Before you can import using this option, the server must be shut down. The server console prompts you to shut the server down if it is still running.

Preserve Configuration. Select this option if you want to preserve the configuration tree. This includes the o=NetscapeRoot suffix and all configuration information stored within that tree. Netscape recommends that you do not clear this checkbox unless instructed to do so by Netscape Technical Support.

Append Data to Database. When you import using this option, the server does not delete the contents of the directory before adding the entries from the LDIF file.

Add Only. An LDIF file may contain modify and delete instructions in addition to the default add instructions. If you want the server to ignore operations other than add, select the "Add only" checkbox.

Continue on Error. If you want the server to continue with the import even if errors occur, select the "Continue on error checkbox". This is useful if some, but not all, of the entries in the LDIF already exist in the directory.

Read / Values From Files. If you want the server to interpret values that begin with a forward slash "/" or a drive letter "C:\" as file names, select the Read/values from files checkbox.

File for Rejects. The server keeps a record of all entries that it cannot import. This might happen, for example, if an entry already exists in the database or if there is no parent object for the entry you are trying to add. If you leave this field blank, the server will not record rejects. By default, the server stores the rejects file in the same directory where the LDIF file you are importing is stored.

Exporting to LDIF Using the Server Console
Importing LDIF From the Server Console

To Local Machine. Choose this option to export the database to a local file. This option is not visible if you are running the Directory Server Console on the directory server's host.

To Server Machine. Choose this option to export the database to a file on the server's host machine. If you choose this option, you cannot Browse to select a different file. This option is not visible if you are running the Directory Server Console on the directory server's host.

LDIF File. Enter the name you want the server to use for the LDIF file, or if you are running the Directory Server Console on the server's host machine, you can also click Browse to select the file to which you want to export.

Entire Database. Select this option to configure the server to export the entire database to LDIF.

Subtree (radio button). Select this option if you want the server to export only a portion of the directory to LDIF. If you choose this option, you must also select the subtree you want the server to export.

Subtree (text box). If you selected the Subtree radio button, you can enter the subtree you want the server to export to LDIF in this text box. You can also click Browse to browse the directory and select a subtree.

Exporting to LDIF Using the Server Console
Importing LDIF From the Server Console

Port. Sets the port used for non-SSL communications.

Encrypted Port. Sets the port used for SSL communications.

Referrals To. Sets the LDAP referral used for client requests that are out of bounds for the directory tree(s) serviced by your directory server. For more information on referrals, see Chapter  14, "Managing Referrals."

Enable NT Synchronization Service. Enables directory server to NT synchronization. Turning this on causes the directory server to start verifying changes made to NT user and group information, and to transmit changes made to NT user and group information to the NT Primary Domain Controller. Also, the NT Synchronization Service propogates changes made to user and group information from the PDC to the directory server. For information on how directory server to PDC synchronization occurs, see "How Synchronization Occurs".

Use SSL in NT Synchronization Service. Enables SSL communication between the NT Synchronization Service and the Directory Server. See Chapter  15, "NT Directory Synchronization," for information.

Synchronization Port. Defines the non-LDAP port over which the directory server communicates with the NT synchronization service. For more information on the NT synchronization service, see Chapter  15, "NT Directory Synchronization."

Make Entire Server Read-Only. Causes the server to be placed in read-only mode. Selecting this option also places all databases managed by the server into read-only mode. When a database is in read-only mode, your slapd.conf Read-only parameter is set to true, and you cannot create, modify, or delete any entries.

Track Entry Modification Times. Specifies whether modification attributes are maintained for directory server entries, to record the time an entry is created or modified.

Enable Schema Checking. Specifies that schema checking is performed when directory entries are created or modified. For more information on this parameter, refer to "Turning Schema Checking On and Off".

Managing Network and LDAP Settings
Chapter  15, "NT Directory Synchronization"

Size Limit X Entries. The maximum number of entries the server will return to a client in response to a search operation.

Time Limit X Seconds. The maximum amount of real time the server spends performing a search request

Idle Timeout. The time (in seconds) the servers maintains an idle connection before terminating the connection.

Max Number of File Descriptors. The maximum number of file descriptors available to the directory server. This option is not available for directory servers running on Windows NT or IBM AIX.

Tuning Server Performance

Enable SSL. Select this checkbox to enable SSL communications for the directory server; clear the checkbox to disable SSL.

Cipher Family. Select the checkbox next to the cipher family or families you want the server to use for SSL communications. If you are using FORTEZZA with the directory server, you must select the FORTEZZA checkbox.

Token. Select the token you want the server to use. You define tokens during certificate setup.

Certificate. Select the certificate you want the server to use. You must have a certificate set up on your system to use SSL.

Cipher Preferences. Click this button to access the Encryption Preferences Dialog Box that allows you to select which ciphers you want the server to use from the cipher families you have already selected.

Certificate Setup Wizard. Click this button to bring up the Certificate Setup wizard. This wizard walks you through the process of obtaining a certificate for your directory server. You must have a certificate on your system to use SSL.

Do Not Allow Client Authentication. Select this option if you want clients to connect to the server using only simple authentication.

Allow Client Authentication. Select this option if you want clients to be able to connect to the server using either simple authentication or client authentication.

If you are using certificate-based authentication with supplier-initiated replication, then you must select either Allow Client Authentication or Require Client Authentication on the consumer server.

If you are using certificate-based authentication with consumer-initiated replication, then you must select either Allow Client Authentication or Require Client Authentication on the supplier server.

Require Client Authentication. Select this option if you want clients to connect to the server only using client authentication. If you select this option, simple authentication is not allowed.

WARNING! Requiring client authentication disables communication between the Netscape Console and the directory server. This is because the Netscape Console does not support client authentication. If you configure the server to require client authentication, you will no longer be able to manage your Netscape Servers from the Netscape Console; instead, you must use the command-line tools.

Use SSL in Netscape Console. Select this checkbox if you want the communication between the Netscape Console and the directory server to be secured using SSL.

If you use this option with client authentication, communication between the Netscape Console and the server will take place over a secure channel, but without client authentication.

Obtaining and Installing Server Certificates
Setting Security Preferences
Using Certificate-Based Authentication

Select the checkboxes next to the ciphers you want your server to use. The ciphers are described in detail in "Setting Security Preferences".

Obtaining and Installing Server Certificates
Activating SSL
Setting Security Preferences
Activating FORTEZZA
Using Certificate-Based Authentication
Managing Servers with Netscape Console

Enable Statistics Collection. Select this checkbox to enable SNMP for the directory server; clear this checkbox to disable SNMP.

Master Host (Unix Only). The hostname of the machine on which the master subagent is installed.

Master Port (Unix Only). The port number used to communicate with the master subagent. Normally, this port is 199.

Description. Uniquely describes the directory server instance.

Organization. The organization to which the directory server belongs.

Location. The location where the directory server resides.

Contact. The email address of the person responsible for maintaining the directory server.

SNMP Subagent Buttons. Allow you to Stop, Start, and Restart the SNMP subagent on Unix, or the SNMP Service on Windows NT.

Setting Up SNMP
The Directory Server MIB
Understanding SNMP
Configuring SNMP for the Directory Server
Starting and Stopping the SNMP Subagent on Unix

Root DN. Contains the DN for the directory manager. By default, this user is cn=Directory Manager.

Manager Password Encryption. Defines how the directory server will store the directory manager password in the directory.

New Password. If you want to change the directory manager password, enter the new password in this text box.

Confirm Password. If you are changing the directory manager password, you need to reenter the password in this text box for verification.

Managing the Root DN

For more information about specific index types and how they are used within the Netscape Directory Server, see Chapter  7, "Managing Indexes".

Attribute Name. Contains the name of the attribute to be indexed.

Approximate. Select this checkbox to configure the server to create and maintain an approximate, or "sounds-like," index for the attribute; clear this checkbox to discontinue indexing on this attribute.

Equality. Select this checkbox to configure the server to create and maintain an equality index for the attribute; clear this checkbox to discontinue indexing on this attribute.

Presence. Select this checkbox to configure the server to create and maintain a presence index for the attribute; clear this checkbox to discontinue indexing on this attribute.

Substring. Select this checkbox to configure the server to create and maintain a substring index for the attribute; clear this checkbox to discontinue indexing on this attribute.

Matching Rule. Enter the matching rule OID (if any) you want the server to use when clients search the directory using this attribute. See "International Index" for more specific information about using matching rules.

Add Attribute. If the attribute you want to index is not listed in the table, click the "Add Attribute" button. This brings up the New Attribute dialog box. Select the attribute you want to add and click OK.

Delete Attribute. To remove all of the indexes for a particular attribute, select the attribute in the table, click Delete Attribute, and then click Save.

Types of Indexes
The Cost of Indexing
Creating Indexes
Removing Indexes
Using Browsing Indexes
Appendix  B, "Internationalization"

Attributes List. This list contains all of the attributes currently in the directory server schema. Select the attribute for which you want to maintain an index and click OK.

User Must Change Password After Reset. When selected, users must change their passwords on the first login or after the passwords are reset by the administrator.

User May Change Password. When selected, allows users to change their own passwords.

Allow Changes In X Day(s). Defines how often a user can change her password. Use this in conjunction with password history to discourage users from cycling through old passwords.

Keep Password History. Specifies that the server keep a list of user passwords. Use this in conjunction with "Allow Changes in X Day(s)" to discourage users from reusing old passwords. If you select this option, you must enter the number of passwords users must cycle through before they can reuse a password.

Remember X Passwords. If the server is keeping a password history, this option specifies how many old passwords the server should store in the history list. Valid values are 2 to 24.

Password Never Expires. Select this if you do not require users to change their passwords periodically.

Password Expires After X Days. Select this if you want users to change their passwords periodically. If you select this option, you must enter the number of days in which the password will expire in the text box. Valid values are 1 to 24,855 days.

Send Warning X Day(s) Before Password Expires. Indicates the number of days before a user's password is due to expire that the user will be sent a warning message. Valid values are 1 to 24,855 days.

Check Password Syntax. Indicates whether any constraints on the password will be checked before the password is saved. Select this checkbox to enforce password syntax checking.

Password Minimum Length. If syntax checking is on, this option specifies the minimum number of characters that must be used in directory server passwords. Valid values are 2 to 512 characters.

Password Encryption. Identifies how user passwords are stored in the directory. You can specify:

• no encryption
• SHA (Secure Hash Algorithm)
• crypt (Unix crypt algorithm)

Configuring the Password Policy
Password Policy Parameters
Chapter  6, "Managing Password and Account Lockout Policies"

Accounts May Be Locked Out. Select this option to enable account lockout; clear this checkbox if you do not want users to be locked out of the directory after a series of failed bind attempts.

Lockout After X Login Failures. Specify the number of allowed bind failures in this text box. The server will lock a user out of the directory after the number of bind failures you specify in this text box. Valid values are 1 to 32,767 attempts. This option is available only if account lockout is enabled.

Reset Password Failure Count After X Minutes. Indicates the amount of time that must elapse before the failure counter is reset. This option is available only if account lockout is enabled. Valid values are 1 to 35,791,394 minutes.

Lockout Forever. Select this option to indicate that user accounts that have been locked must be reset by the administrator before users can access the directory. If you select this option, you cannot set a lockout duration.

Lockout Duration X Minutes. Select this radio button to indicate the amount of time a user will be locked out of the directory after a series of failed bind attempts. If you select this option, you must enter a number of minutes in the text box. Valid values are 1 to 35,791,394 minutes. This option is only available if account lockout is enabled.

Configuring the Account Lockout Policy
Account Lockout Policy Parameters
Chapter  6, "Managing Password and Account Lockout Policies"

Maximum Entries in Cache. The number of entries you want the server to keep in memory.

Maximum Cache Size X Bytes. The amount of memory you want to make available for open index files.

Look Through Limit X Entries. The maximum number of entries you want the server to check in response to a search request.

Tuning Database Performance

Make Database Read-Only. Select this checkbox to place the database in read-only mode; clear this checkbox to return the server to normal operation. When a database is in read-only mode, your slapd.conf Read-only parameter is set to true, and you cannot create, modify, or delete any entries.

Location of Database. Read-only text box that contains the location where the database is stored on the server's host machine.

Suffixes. Contains a list of the suffixes within the database.

Add. Click this button to add a blank line to the suffixes list. Type the new suffix, for example, o=airius.com, in the new line.

Delete. Select the suffix you want to delete in the Suffixes list and then click Delete to delete it. The server deletes the suffix immediately. There is no undo.

Placing a Database in Read-Only Mode
Placing the Entire Directory Server in Read-only Mode
Setting Suffixes for Your Database

Directory. Enter the full path of the directory where you want the server to store the backup file, or click Browse to browse to an existing directory.

Use Default. Click this button if you want the server to suggest a path for you. If you choose this option, the server stores the backup file in:

<NSHOME>/slapd-<serverID>/bak/<backup_name>

where <backup_name> is a directory given the name of the backup. By default, the backup name identifies the time and date when the backup was created.

Backing Up Your Database From the Server Console
Restoring Your Database From the Server Console
Deleting Database Backups

Available Backups. The Console lists all backups in the default directory (<NSHOME>/slapd-<serverID>/bak/<backup_name>) in this list box. If no backups exist in this directory you need to enter the full pathname to a location containing a valid backup in the Directory text box.

Directory. You can either select the backup from the Available Backups list or enter the full pathname to a location containing a valid backup in the Directory text box.

Backing Up Your Database From the Server Console
Restoring Your Database From the Server Console
Deleting Database Backups

To access this tab, from the Directory Server Console, select Configuration tab|Database icon|schema folder, and then select the Object Class tab in the right pane.

Parent. Identifies the object class structure for the object class selected in the Object Classes list.

OID. Object identifier (OID) for the object class selected in the Object Classes list. An OID is simply a string, usually of decimal numbers, that uniquely identifies an object, such as an object class or an attribute, in an object-oriented system. If no OID is assigned, the directory server automatically uses <ObjectClass name>-oid. For example, if you created the object class division without supplying an OID, the directory server automatically uses division-oid as the OID.

Object Classes. Contains a list of all the user-defined and standard object classes that currently exist in the schema.

Required Attributes. Lists the required attributes for the object class selected in the Object Classes list. When you add an entry to the directory using this object class, you must add values for the required attributes to the entry. The list also includes inherited attributes.

Allowed Attributes. Lists the optional attributes for the object class selected in the Object Classes list. When you add an entry to the directory using this object class, you may add values for the allowed attributes to the entry. The list also includes inherited attributes.

Create. Click this button to create a new object class.

Edit. To edit a user-defined object class, select it in the Object Classes list and then click Edit.

Delete. Select a user-defined object class in the Object Classes list and then click Delete to delete it from the schema. You cannot delete the standard object classes that came with the directory server.

Managing Object Classes
Viewing Object Classes
Creating Object Classes
Editing Object Classes
Deleting Object Classes

To access this tab, from the Directory Server Console, select Configuration tab|Database icon|schema folder, and then select the Object Class tab in the right pane.

If you want to create a new object class, click New. If you want to edit an existing object class, select the object class, and click Edit.

Name. Contains a unique name for the object class.

Parent. Identifies the object class from which the new object class will inherit attributes and structure. You can choose from any existing object class.

OID (Optional). Allows you to change the object identifier (OID) for the object class. An OID is simply a string, usually of decimal numbers, that uniquely identifies an object, such as an object class or an attribute, in an object-oriented system. This field is optional. If you do not specify an OID, the directory server automatically uses <ObjectClass name>-oid. For example, if you create the object class division without supplying an OID, the directory server automatically uses division-oid as the OID.

Available Attributes. Lists all of the attributes in the schema not inherited from the parent object class. You can add attributes to a user-defined object class by selecting the attribute in the list and then clicking the Add button to the left of either the Required Attributes or Allowed Attributes list box.

To delete an attribute that you previously added, highlight the attribute in the Required Attributes list or the Allowed Attributes list and then click the corresponding Remove button.

You cannot remove either allowed or required inherited attributes.

Required Attributes. Lists the required attributes for the object class including inherited attributes. To add an attribute to the required attributes list, select it in the Available Attributes list and then click the Add button next to the Required Attributes list box.

Allowed Attributes. Lists the allowed attributes for the object class including inherited attributes. To add an attribute to the allowed attributes list, select it in the Available Attributes list and then click the Add button next to the Allowed Attributes list box.

Managing Object Classes
Viewing Object Classes
Creating Object Classes
Editing Object Classes
Deleting Object Classes

To access this tab, from the Directory Server Console, select Configuration tab|Database icon|schema folder, and then select the Attributes tab in the right pane.

Standard Attributes (Read-Only). The Standard Attributes table lists all standard attributes along with their OIDs and corresponding attribute syntax. This allows you to see an alphabetical listing of all available attributes so that you can determine whether or not you need to create a new attribute. The information in the table is defined below. More specific information is available in the Schema Reference Guide.

• Name—The unique name of the attribute.
• OID—The object identifier of the attribute.
• Syntax—Displays the syntax of the attribute, for example, Case Ignore String.
• Multi—Defines whether the attribute is multi-valued. An X in this column indicates that the attribute is multi-valued, if the column is empty, the attribute is not multi-valued. The directory server allows more than one instance of a multi-valued attribute per entry.

User Defined Attributes. Table that lists the user-defined attributes in the directory schema. The information displayed for each attribute is the same for user-defined attributes as standard attributes (see above).

Create. Click this button to create a new attribute.

Edit. Click this button to edit the currently selected attribute in the tables above.

Delete. You can delete user-defined attributes by selecting them in the User-Defined Attributes table and then clicking Delete. Make sure that no object classes are using the attribute before you delete it.

Managing Object Classes
Viewing Attributes
Creating Attributes
Editing Attributes
Deleting Attributes

To access this tab, from the Directory Server Console, select Configuration tab|Database icon|schema folder, and then select the Attributes tab in the right pane.

If you want to create a new attribute, click New. If you want to edit an existing attribute, select the attribute, and click Edit.

Attribute Name. Requires a unique string for identifying the attribute you are creating.

Attribute OID (Optional). The Attribute OID field is an optional field that you can use to supply an object identifier (OID) for the new attribute. If you do not supply an OID, the directory server automatically uses <attribute name>-oid. For example, if you create a new attribute called birthdate, the default OID is birthdate-oid.

Syntax. The Syntax field requires that you select a syntax that describes the data to be held by the attribute. Available syntaxes are Case Ignore String, Binary, Case Exact String, Telephone, Distinguished Name, and Integer. For a description of each syntax, see the Schema Reference Guide.

Multi-Valued. When selected, this option specifies that the attribute you are creating is multi-valued, that is, an entry may contain more than one instance of this attribute.

Managing Object Classes
Viewing Attributes
Creating Attributes
Editing Attributes
Deleting Attributes

Matching rules provide special guidelines for how the server compares strings during a search operation. In an international search, the matching rule tells the server what collation order and operator to use. For example, a matching rule in an international search might tell the server to search for attribute values that come at or after llama in the Spanish collation order.

To access this tab, from the Directory Server Console, select Configuration tab|Database icon|schema folder, and then select the Matching Rules tab in the right pane.

Name. Contains a list of all the user-defined and standard matching rules currently available to the directory server. Standard matching rules are named according to the following syntax:

<AttributeSyntax><SearchType>-<Lang>

Where <AttributeSyntax> is the type of attribute on which this matching rule may be applied, <SearchType> is the type of search for which this matching rule may be applied, and <Lang> is the abbreviated code for the locale associated with the matching rule. For example:

caseIgnoreOrderingMatch-en

indicates that the matching rule may be applied to attributes with cis syntax and the English locale should be applied. More information about supported locales is available in Appendix  B, "Internationalization."

The possible name types include:

• caseIgnoreOrderingMatch-(Lang)
• caseExactOrderingMatch-(Lang)
• caseIgnoreSubstringMatch-(Lang)
• caseExactSubstringMatch-(Lang)

OID. The object identifier of the matching rule's locale. Each locale supported by the directory server has an associated collation order OID. For a list of locales supported by the directory server and their associated OIDs, see Table  B.1.

Syntax. Displays the Syntax of the matching rule's locale. Matching rule syntax is defined as "Directory String" and is used internally by the directory server. For more information on matching rule syntax, see the Netscape Directory Server Programmer's Guide.

Description. Contains the two character language tag associated with the locale. If necessary to distinguish regional differences in language, the language tag may also contain a country code, which is a two-character uppercase string (as defined in ISO standard 3166). The language code and country code are separated by a hyphen. For example, the language tag used to identify the British English locale is en-GB.

Appendix  B, "Internationalization"

Agreement. Contains the name you provided when you set up the replication agreement. A red bullet to the left of the name indicates an error has occurred and replication cannot take place. A green bullet indicates that replication is occurring normally. A yellow bullet indicates that all of the changes have not yet been sent to the consumer; this does not always indicate an error condition.

Supplier. Specifies the supplier server in the agreement.

Consumer. Specifies the consumer server in the agreement.

Change-Number. Indicates the number of successfully replicated changes and the number of changes currently in the changelog. For example: [7] - [10] indicates that seven (7) changes have been successfully replicated and that ten (10) changes are listed in the changelog as needing updating. "Unknown" indicates that the server has encountered an error and replication cannot continue or the server could not read one of the following:

• The last changenumber from the supplier
• The copiedFrom on the consumer

Status. Specifies the current state of the agreement. The possible values include:

• Idle—No replication is currently taking place through this agreement.
• Synchronizing—Changes are currently being sent to the consumer.
• Populating—Online Replica Creation is in progress; the consumer is being initialized.
• Halted—the synchronization process has encountered an error and quit.

Refresh. Refreshes the display.

Replication Overview
Managing Supplier-Initiated Replication (SIR)
Managing Consumer-Initiated Replication (CIR)
Initializing Consumers
Monitoring Replication Status
Replication Algorithms

Supplier DN. Contains the distinguished name used by any supplier server to connect to this consumer server for replication.

Normal Authentication. Lets you specify whether normal authentication (passwords) should be used by a supplier server when authenticating to this consumer server. If a password is specified, the supplier server uses this password to bind to the consumer server.

Certificate-Based Authentication. Lets you specify whether certificate-based authentication should be used by a supplier server when authenticating to this consumer server. If a certificate subject DN is specified, the supplier server uses this certificate to bind to the consumer server.

Replication Overview
Managing Supplier-Initiated Replication (SIR)
Managing Consumer-Initiated Replication (CIR)
Replication Algorithms

Changelog Database Directory. The directory in which the supplier server stores the change log.

Use Default. If you want the server to suggest a default pathname for the change log database, click this button.

Changelog Suffix. DN used as the change log's suffix. Typically, this suffix is cn=changelog.

Max Changelog Records. The maximum number of entries recorded in the change log. If you select the Unlimited checkbox, no maximum size is set for the change log.

Max Changelog Age. When an entry in the change log reaches the age specified here, the server removes the entry from the change log. If you select the Unlimited checkbox, the server does not remove entries from the change log based on age.

Replication Overview
Managing Supplier-Initiated Replication (SIR)
Replication Algorithms

Select whether the replication agreement will be a consumer-initiated or supplier-initiated agreement.

Consumer Initiated Agreement. Select this radio button if you want to create a CIR agreement.

Supplier Initiated Agreement. Select this radio button if you want to create an SIR agreement.

Replication Agreement Wizard Dialog Box
Replication Overview
Managing Supplier-Initiated Replication (SIR)
Managing Consumer-Initiated Replication (CIR)
Replication Algorithms

Name. Enter a meaningful name for the replication agreement. This field is required.

Replication Agreement Wizard Dialog Box
Replication Overview
Managing Supplier-Initiated Replication (SIR)
Managing Consumer-Initiated Replication (CIR)
Replication Algorithms

Supplier. If you are creating an SIR Agreement, this area contains a static display of the name and port number of the supplier server in this agreement.

If you are creating a CIR agreement, select the supplier server in the replication agreement from this drop-down menu. If the server does not appear in the list, click Other to enter the host and port of the supplier.

Consumer. If you are creating an SIR agreement, select the consumer server in the replication agreement from this drop-down menu. If the server does not appear in the list, click Other to enter the host and port of the consumer.

If you are creating a CIR agreement, this area contains a static display of the name and port number of the consumer server in this agreement.

Other. If you want, you can manually enter the host and port of a consumer server (for SIR agreements) or supplier (for CIR agreements) that doesn't appear in the Consumer drop-down list by clicking this button.

Using Encrypted SSL Connection. If you want the supplier and consumer servers to use SSL for secure communication, select this checkbox. In order to use this option, you must have first configured your servers to use SSL.

SSL Client Authentication. Select this option if you want the supplier and consumer servers to use certificates for secure communication. You cannot use SSL client authentication unless the "Using Encrypted SSL Connection" checkbox is selected. The "Bind As" and Password fields are unavailable with this option because the servers will use security certificates to authenticate to each other.

In order for you to use this option, you must first do the following:

• Configure SSL for both your supplier and consumer servers (see Chapter  11, "Managing SSL").
• Configure your consumer server to recognize your supplier server's certificate as the supplier DN (see "Configuring the Supplier DN for SIR" or "Configuring the Change Log for CIR".)

Simple Authentication. Select this option if you want the supplier and consumer servers to use simple authentication during communication. If you select the "Using Encrypted SSL Connection" checkbox and you specify this option, the simple authentication will take place over a secure channel but without certificates.

Bind As. If you are creating an SIR agreement, and you are not using SSL, or you are using SSL with simple authentication, enter the consumer server's supplier DN in the Bind As text box.

If you are creating a CIR agreement, and you are not using SSL, or you are using SSL with simple authentication, enter the DN the consumer will use to bind to the supplier in the Bind As text box.

Password. If you are creating an SIR agreement, and you are not using SSL, or you are using SSL with simple authentication, enter the Supplier DN password in the Password field.

If you are creating a CIR agreement, and you are not using SSL, or you are using SSL with simple authentication, enter the password of the DN the consumer will use to bind to the supplier in the Password field.

Subtree. Identifies the content to be replicated. If you are going to replicate a subtree, you must make sure the appropriate parent entry is available on the consumer server. For example, if you are replicating the ou=people, o=airius.com subtree, then you must first make sure the consumer server contains the o=airius.com entry.

Replication Agreement Wizard Dialog Box
Replication Overview
Managing Supplier-Initiated Replication (SIR)
Managing Consumer-Initiated Replication (CIR)
Replication Algorithms

Host Name. Enter the host name of the supplier or consumer server as appropriate.

Port Number. Enter the port number of the supplier or consumer server as appropriate.

Replication Agreement Wizard Dialog Box
Replication Overview
Managing Supplier-Initiated Replication (SIR)
Managing Consumer-Initiated Replication (CIR)
Replication Algorithms

Always Keep Directories in Sync. Select this option if you do not want to set time restrictions on the replication agreement.

Sync on the Following Days. When selected, you can select the checkbox(es) next to the day(s) of the week on which replication can occur. In addition, you can select specific hours during which replication can take place.

Replication Agreement Wizard Dialog Box
Replication Overview
Managing Supplier-Initiated Replication (SIR)
Managing Consumer-Initiated Replication (CIR)
Replication Algorithms

Do Not Initialize Consumer. Select this radio button if you do not want to initialize the consumer immediately or create an LDIF file. If you are replicating a directory with a large number of entries (>10,000), you should select this option. If you do select this option, you will need to manually initialize the consumer before replication can occur.

Initialize Consumer Now. Select this if you want the server to initialize the consumer when you finish creating the replication agreement. This is not recommended for databases larger than 10,000 entries.

Create Consumer Initialization File. SIR Only. Select this if you want the server to export the replicated tree to LDIF so you can manually import it to the consumer. If you choose to have the server export to LDIF, supply the LDIF filename in the field provided.

Replication Agreement Wizard Dialog Box
Replication Overview
Managing Supplier-Initiated Replication (SIR)
Managing Consumer-Initiated Replication (CIR)
Replication Algorithms
Initializing Consumers

Replication Agreement Wizard Dialog Box
Replication Overview
Managing Supplier-Initiated Replication (SIR)
Managing Consumer-Initiated Replication (CIR)
Replication Algorithms
Initializing Consumers

To access this tab from the Directory Server Console, select Configuration tab|Replication Agreements folder. Next, open the Supplier Initiated Agreements folder or Consumer-Initiated Agreements folder as appropriate. Select an SIR or CIR agreement in the navigation tree and then select the Summary tab in the right pane.

Name. Contains the name of the replication agreement.

General. Displays information about:

• Supplier—The name of the supplier server in the agreement.
• Consumer—The name of the consumer server in the agreement.
• Replicated Subtree—The subtree replicated in the agreement.

Status. This area displays information about the replication agreement; including the number of the last change sent to the consumer server, current status of the replication agreement, and the replication history. See "Monitoring Replication Status" for details on the status information displayed.

Monitoring Replication Status
Replication Overview
Managing Supplier-Initiated Replication (SIR)
Configuring Servers for SIR
Creating an SIR Agreement
Editing an SIR Agreement
Managing Consumer-Initiated Replication (CIR)
Configuring Servers for CIR
Creating a CIR Agreement
Editing a CIR Agreement

To access this tab from the Directory Server Console, select Configuration tab|Replication Agreements folder. Next, open the Supplier Initiated Agreements folder or Consumer-Initiated Agreements folder as appropriate. Select an SIR or CIR agreement in the navigation tree and then select the Schedule tab in the right pane.

Update Interval. CIR only. The consumer server checks the supplier server to see if there are any pending updates at the time interval specified in this text box.

Always Keep Directories in Sync. Select this option if you do not want to set time restrictions on the replication agreement.

Sync on the Following Days. When selected, you can select the checkbox(es) next to the day(s) of the week when replication can occur. In addition, you can select specific hours during which replication can take place.

Replication Overview
Managing Supplier-Initiated Replication (SIR)
Configuring Servers for SIR
Creating an SIR Agreement
Editing an SIR Agreement
Managing Consumer-Initiated Replication (CIR)
Configuring Servers for CIR
Creating a CIR Agreement
Editing a CIR Agreement

To access this tab from the Directory Server Console, select Configuration tab|Replication Agreements folder. Next, open the Supplier Initiated Agreements folder or Consumer-Initiated Agreements folder as appropriate. Select an SIR or CIR agreement in the navigation tree and then select the Content tab in the right pane.

Supplier. For SIR agreements, this area contains a static display of the name and port number of the supplier server in this agreement. For CIR agreements, this drop-down identifies the supplier server in the replication agreement.

Consumer. For SIR agreements, this drop-down identifies the consumer server in the replication agreement. For CIR agreements, this area contains a static display of the name and port number of the consumer server in this agreement.

Other. Click this button to manually enter the host and port of a different consumer or supplier server.

Using Encrypted SSL Connection. When selected, specifies that the supplier and consumer servers use SSL for secure communication. You must have first configured your servers to use SSL. See Chapter  11, "Managing SSL" for more information.

SSL Client Authentication. When selected, this option specifies that the supplier and consumer servers use certificates for secure communication. You cannot use SSL client authentication unless the "Using Encrypted SSL Connection" checkbox is selected. The Bind As and Password fields are unavailable with this option because the server will use its security certificate to authenticate to the consumer server.

In order for you to select this option, you must first do the following:

• Configure SSL for both your supplier and consumer servers (see Chapter  11, "Managing SSL").
• Configure your consumer server to recognize your supplier server's certificate as the supplier DN (see "Configuring the Supplier DN for SIR").

Simple Authentication. When selected, this option specifies that the supplier and consumer servers use simple authentication during communication. If you select the "Using Encrypted SSL Connection" checkbox and you specify this option, the simple authentication will take place over a secure channel but no certificates are required. If you are not using SSL, or if you are using SSL with simple authentication, enter the DN the supplier will use to bind to the consumer in the Bind As field, and the password in the Password field.

Subtree. Identifies the content to be replicated. If you are going to replicate a subtree, you must make sure the appropriate parent entry is available on the consumer server. For example, if you are replicating the ou=people, o=airius.com subtree, then you must first make sure the consumer server contains the o=airius.com entry.

Replication Overview
Managing Supplier-Initiated Replication (SIR)
Configuring Servers for SIR
Creating an SIR Agreement
Editing an SIR Agreement
Managing Consumer-Initiated Replication (CIR)
Configuring Servers for CIR
Creating a CIR Agreement
Editing a CIR Agreement
Chapter  11, "Managing SSL"

To access this tab from the Directory Server Console, select Status tab|Logs icon, and then select the Access Log tab in the right pane.

To access the Access Log dialog box from the Directory Server Console, select Configuration tab|Logs icon, then select the Access Log tab in the right pane and click View Log.

Refresh. Refreshes the currently displayed log file.

Continuous. When selected, this checkbox specifies that the server continuously update the currently displayed log file.

Select Log. Lets you specify which access log to view.

Lines to Show. Lets you specify the number of messages to view. If you leave this text box blank, the server displays the 25 most recent messages. Specify an integer, n, to view the n most recent messages.

Show only lines containing. Provides a searching capability. Only those messages containing the string entered in this text box are displayed. When you specify a search string in this text box along with an integer, n, in the Lines to Show text box the server searches only the n most recent messages for the specified search string.

Date. Contains the date the error or event occurred in the format dd/Month/yyyy. For example, 10/Feb/1998.

Time. Contains the time the access occurred.

Conn. Connection Number.

Op. Operation. The number in this field indicates the number of the operation within a single connection.

Details. Contains specific information about the log entry.

Viewing and Configuring Log Files
Viewing the Access Log
Configuring the Access Log

Enable Logging. Select this checkbox to configure the server to keep an access log; clear this checkbox to disable access logging.

View Log. Click this button to view the access log for the directory server.

Log File. Contains the full pathname where the access log file is stored.

Creation Policy. These options allow you to specify how often the server archives the current access log and starts a new log file.

Maximum Number of Logs. The number of logs to archive per directory.

File Size for Each Log. The maximum file size (in KB) for active access log files. Once a file reaches the size you specify, the server archives the file and starts a new one.

Create a New Log Every. How often you want the server to start a new access log.

Deletion Policy. These options allow you to configure the server to delete unneeded archived access log files.

When Total Log Exceeds. The server will delete the oldest archived access log once the total of all the logs reaches this amount.

When Free Disk Space is Less Than. The server will delete the oldest archived access log if the available disk space is less than this amount.

When a File is Older Than. The server will delete an archived access log when the file is older than the age you specify.

Viewing and Configuring Log Files
Viewing the Access Log
Configuring the Access Log

To access this tab from the Directory Server Console, select Status tab|Logs icon, and then select the Error Log tab in the right pane.

To access the Error Log dialog box from the Directory Server Console, select Configuration tab|Logs icon, then select the Error Log tab in the right pane and click View Log.

Refresh. Refreshes the currently displayed log file.

Continuous. When selected, this checkbox specifies that the server continuously update the currently displayed log file.

Select Log. Lets you specify which access log to view.

Lines to show. Lets you specify the number of messages to view. If you leave this text box blank, the server displays the 25 most recent messages. Specify an integer, n, to view the n most recent messages.

Show only lines containing. Provides a searching capability. Only those messages containing the string entered in this text box are displayed. When you specify a search string in this text box along with an integer, n, in the Lines to show text box the server searches only the n most recent messages for the specified search string.

Date. Contains the date the error or event occurred in the format dd/Month/yyyy. For example, 10/Feb/1998.

Time. Contains the time the error or event occurred.

Details. Contains specific information about the error or event.

Viewing and Configuring Log Files
Viewing the Error Log
Configuring the Error Log

Enable Logging. Select this checkbox to configure the server to keep an error log; clear this checkbox to disable error logging.

View Log. Click this button to view the error log for the directory server.

Log File. Contains the full pathname where the error log files are stored.

Creation Policy. These options allow you to specify how often the server archives the current error log and starts a new log file.

Maximum Number of Logs. The number of logs to archive per directory.

File Size for Each Log. The maximum file size (in KB) for active error log files. Once a file reaches the size you specify, the server archives the file and starts a new one.

Create a New Log Every. How often you want the server to start a new error log.

Deletion Policy. These options allow you to configure the server to delete unneeded archived error log files.

When Total Log Exceeds. The server will delete the oldest archived error log once the total of all the logs reaches this amount.

When Free Disk Space is Less Than. The server will delete the oldest archived error log if the available disk space is less than this amount.

When a File is Older Than. The server will delete an archived error log when the file is older than the age you specify.

Log Level. Specifies the kinds of error and event messages the server should store in the error log. By default, no options are selected. Selecting any option will cause the error log to grow very rapidly because additional information is written for every request the server receives. For detailed information about log levels, see "Log Level".

Viewing and Configuring Log Files
Viewing the Error Log
Configuring the Error Log

To access this tab from the Directory Server Console, select Status tab|Logs icon, and then select the Audit Log tab in the right pane.

To access the Audit Log dialog box from the Directory Server Console, select Configuration tab|Logs icon, then select the Audit Log tab in the right pane and click View Log.

Refresh. Refreshes the currently displayed log file.

Continuous. When selected, this checkbox specifies that the server continuously update the currently displayed log file.

Select Log. Lets you specify which audit log to view.

Lines to show. Lets you specify the number of messages to view. If you leave this text box blank, the server displays the 25 most recent messages. Specify an integer, n, to view the n most recent messages.

Show only lines containing. Provides a searching capability. Only those messages containing the string entered in this text box are displayed. When you specify a search string in this text box along with an integer, n, in the Lines to Show text box the server searches only the n most recent messages for the specified search string.

Audit Log. Displays the contents of the Audit Log.

Viewing and Configuring Log Files
Viewing the Audit Log
Configuring the Audit Log

Enable Logging. Select this checkbox to configure the server to keep an audit log; clear this checkbox to disable audit logging.

View Log. Click this button to view the audit log for the directory server.

Log File. Contains the full pathname where the audit log is stored.

Creation Policy. These options allow you to specify how often the server archives the current audit log and starts a new log file.

Maximum Number of Logs. The number of logs to archive per directory.

File Size for Each Log. The maximum file size (in KB) for active audit log files. Once a file reaches the size you specify, the server archives the file and starts a new one.

Create a New Log Every. How often you want the server to start a new audit log.

Deletion Policy. These options allow you to configure the server to delete unneeded archived audit log files.

When Total Log Exceeds. The server will delete the oldest archived audit log once the total of all the logs reaches this amount.

When Free Disk Space is Less Than. The server will delete the oldest archived audit log if the available disk space is less than this amount.

When a File is Older Than. The server will delete an archived audit log when the file is older than the age you specify.

Viewing and Configuring Log Files
Viewing the Audit Log
Configuring the Audit Log

You cannot modify plugins from the Directory Server Console. For information on working with plugins, see the Netscape Directory Server Plug-in Programmer's Guide.

Plugin ID. Identifies the name of the plugin.

Description. Contains descriptive text about the plugin.

Version. Identifies the plugin's version number.

Vendor. Identifies the manufacturer of the plugin.

Plugin Module Path. Identifies the name and path of the shared object or dynamic link library that contains the plugin.

Initialization Function. Identifies the function that the server calls to initialize the plugin.

Plugin Type. Defines the type of plugin, for example, preoperational or postoperational. For more information on plugin types, see the Netscape Directory Server Plug-in Programmer's Guide.

Arguments. Specifies any additional arguments that are passed to the initialization function.

Enabled. Select this checkbox to enable the plugin; clear the checkbox to disable the plugin. After enabling or disabling a plugin, you must restart the directory server.

Enabling and Disabling Plug-Ins From the Server Console
Managing the Referential Integrity Plug-in
Netscape Directory Server Plug-in Programmer's Guide

See  "Tuning Server Performance" for specific information about the contents of this tab.

Tuning Server Performance
Tuning Database Performance

See  "Tuning Database Performance" for specific information about the contents of this tab.

Tuning Server Performance
Tuning Database Performance

To access the property editor for an entry, right click the entry on the Directory tab of the Directory Server Console and select Open from the pop-up menu. If the entry is a person, organizational unit, or group, you can also access this dialog box by clicking Advanced on the Edit Entry dialog box.

File Menu Commands (Property Editor)

Close. Use this command to close the property editor without saving changes.

Edit Menu Commands (Property Editor)

Delete Attribute. Use this command to delete the currently selected attribute from the entry.

Add Attribute. Use this command to add an attribute to the entry. When you select this command, the Add Attribute dialog box appears. This dialog box only lists those attributes contained within the object classes already assigned to this entry.

Delete Value. Use this command to delete the currently selected attribute value. This will not delete the attribute itself.

Add Value. If the currently selected attribute is not the objectclass attribute or a binary attribute, you can use this command to insert a blank text box for the currently selected attribute. Enter the new value in the text box.

If a value already exists for the attribute and the attribute is not multi-valued, you cannot enter additional values. Attempting to do so results in an object class violation.

View Menu Commands (Property Editor)

Show Attribute Names. Select this option if you want the property editor to display the names of the attributes as they appear in the schema. For example, mail instead of Email address.

Show Attribute Descriptions. Select this option if you want the property editor to display the friendly names of the attributes. For example, Email address instead of mail. This option is selected by default.

Show All Attributes. Select this option if you want the property editor to display all the allowed attributes for this entry. By default, the property editor only displays those attributes that contain values.

Show Only Attributes With Values. Select this option if you want the property editor to display only those attributes that have values. This option is selected by default.

Using the Property Editor to Manage Entries
Adding Entries Using LDIF
Adding and Modifying Entries Using ldapmodify

Object Class List. This list contains all of the object classes currently in the directory server schema. Select the object class you want to add to the entry and click OK.

Managing Directory Entries
Extending the Directory Schema

Language. Contains a list of languages that can be assigned to the attribute as subtypes.

Sometimes a user's name can be more accurately represented in characters of a language other than the default language. For example, Noriko's name is Japanese, and she has indicated on her hiring forms that she prefers that her name be represented by Japanese characters when possible. You can select Japanese as a language subtype for the givenname attribute so that other users can search for her Japanese name.

If you specify a language subtype for an attribute, the subtype is added to the attribute name as follows:

<attribute>;lang-<subtype>

Where <attribute> is the attribute you are adding to the entry and <subtype> is the two character abbreviation for the language. See Table  B.2 for a list of supported language subtypes. For example:

givenname;lang-ja

You can assign only one language subtype per instance of an attribute in an entry. To assign multiple language subtypes, add another instance of the attribute to the entry and then assign the new language subtype to the copy.

Subtype. Contains a list of commonly-used subtypes (other than languages) that can be assigned to the attribute as a subtype. The options include:

• Binary—Indicates that the attribute value is binary. For example, usercertificate;binary.
• Pronunciation—Indicates that the attribute value is a phonetic representation. The subtype is added to the attribute name as follows: <attribute>;phonetic. This subtype is commonly used in combination with a language subtype for languages that have more than one alphabet, where one is a phonetic representation. You might want to use this with attributes that are expected to contain user names, such as cn or givenname. For example, givenname;lang-ja;phonetic indicates that the attribute value is the phonetic version of the entry's Japanese name.

Attributes List. This list contains all of the attributes that are allowed within the object classes currently assigned to the entry. To add an attribute to the entry, select it in the list and then click OK.

Managing Directory Entries
Extending the Directory Schema

Search Filter. Enter the search filter you want to use in this text box and then click OK.

Finding Entries Using the Server Console
LDAP Search Filters
Using ldapsearch
Searching an Internationalized Directory

Server Identifier. Enter a unique identifier for the server. The prefix "slapd-" will automatically be added to the identifier you enter here. Do not use spaces " " in the identifier.

Network Port. Type the port number on which you want the directory server to listen for incoming requests.

Base Suffix. Enter the user directory suffix, for example, o=airius.com.

Root DN. Enter the distinguished name of the privileged directory user, for example, cn=directory manager.

Password for Root DN. Enter the password for the privileged directory user.

Confirm Password. Reenter the Root DN password.

Server Runtime (Unix) User. Unix Only. If you are running the server on a Unix host, type the name of the user you want the server to run as.

Netscape Directory Server Installation Guide
Managing Servers with Netscape Console