Netscape Directory Server Administrator's Guide: Administering Netscape Directory Server

Enter the full distinguished name of the entry with which you want to bind to the server. For example, if you want to bind as the Root DN and the Root DN is Directory Manager, then enter the following in the Distinguished Name text box:

cn=Directory Manager

For more information about the root DN and password, refer to "Managing the Root DN".

Do not perform daily administrative tasks using the directory manager as your bind DN. Instead, set up a directory server administrator account with the access control privileges required for the most common tasks you perform. For information on how to do this, see Managing Servers with Netscape Console.

Viewing the Current Bind DN From Netscape Console

You can view the bind DN you used to log in to the Directory Server Console by clicking the login icon in the lower-left corner of the display. The current bind DN appears next to the login icon as shown here.

Figure 1.1 Viewing the bind DN

Starting and Stopping the Directory Server

If you are not using Secure Sockets Layer (SSL), you can start and stop the directory server using the methods listed here. If you are using SSL, see "Starting the Server with SSL Enabled".

From the Directory Server Console. On the Tasks tab, click "Start the Directory Server" or "Stop the Directory Server" as appropriate.

When you successfully start or stop your directory server from the server console, the server displays a message box stating either that the server started or has shut down.

From the Windows NT Services Control Panel.

Select Start|Settings|Control Panel from the desktop.

Double-click the Services icon.

Scroll through the list of services and select the Netscape Directory Server.

The service name is Netscape Directory Server 4.1 (<serverID>) where is the identifier you gave the server when you installed it.

Start or stop the service:

To stop the service, click Stop and then confirm that you want to stop the service.

To start the service, select the directory server service and click Start.

From the Unix or Windows NT command line. Use one of the following scripts:

<NSHOME>/slapd-<serverID>/start-slapd

<NSHOME>/slapd-<serverID>/stop-slapd

where <NSHOME> is the location where your server is installed, and <serverID> is the identifier you gave the server when you installed it.

On Unix, both of these scripts must run with the same UID and GID as that used by the directory server. For example, if the directory server runs as nobody, you must run the start-slapd and stop-slapd utilities as nobody.

Starting the Server with SSL Enabled

On Windows NT, if you are using SSL with your server, then you must start the server from the server's host machine. This is because a dialog box will prompt you for the certificate PIN before the server will start. For security reasons, this dialog box appears only on the server's host machine.

On Unix, you must start the server from the command line.

Note. If you are using FORTEZZA, see "Starting the Server with FORTEZZA Enabled" for information on starting and stopping the server.

Alternatively, on either platform, you can create a password file to store your certificate password. By placing your certificate database password in a file, you can start your server from the server console, and also allow your server to automatically restart when running unattended.

This password is stored in clear text within the password file, so its usage represents a significant security risk. Do not use a password file if your server is running in an unsecured environment.

The password file must be placed in the following location:

<NSHOME>/alias/slapd-<serverID>-pin.txt

where <NSHOME> is the location where your server is installed, and <serverID> is the identifier you gave the server when you installed it.

You create certificate databases using the administration server and the Certificate Setup Wizard. For information on certificate databases, certificate aliases, SSL, and obtaining a server certificate, see Managing Servers with Netscape Console. For information on using SSL with your directory server, see Chapter �11, "Managing SSL."

Starting the Server in Referral-Only Mode

You can also start the server in referral-only mode. You might want to do this if you're making configuration changes to the directory server and you want all clients to be referred to another master for the duration. There are two ways to configure the server to start up in referral-only mode:

Add the following directive to slapd.conf and restart the server:

referralmode

where is the LDAP URL you want the server to send to clients.

Start the server with the refer command as follows:

On Unix-Change to the directory:

/bin/slapd/server/

and then run the refer command as follows:

./ns-slapd refer -p -r �

On Windows NT-run the refer command as follows:

\bin\slapd\server\slapd refer -p -r �

where is the directory where you installed the directory server, is the port number of the directory server you want to start in referral-only mode, and is the LDAP URL you want to return to clients. If you use this option, the server starts up without reading slapd.conf. You should use this option if the database is undergoing maintenance or is otherwise unavailable.

Using the Command-Line Utilities

Netscape Directory Server comes with a robust set of command-line utilities that you can use to manage the entries in your directory. The most important of these are listed in Table 1.1.

Table 1.1 Commonly used command-line utilities �
Command-line utility
Description
aclupg
Upgrades LDIF formatted with the 1.x access control statements to the 4.x ACI. See the Netscape Directory Server Installation Guide for more information.
ldapdelete
Allows you to delete entries in the directory. For information on using this utility, see "Deleting Entries Using ldapdelete".
ldapsearch
Allows you to search the directory. Returns search results in LDIF format. For details on this tool, see Chapter �8, "Finding Directory Entries."
ldapmodify
Allows you to add, delete, modify, or rename entries. All operations are specified using LDIF update statements. For details on this tool, see "Adding and Modifying Entries Using ldapmodify".
ns-slapd (Unix)
slapd (Windows NT)
Used to start the directory server process, to build a directory database from an LDIF file, or to convert an existing database to an LDIF file. For details, see
"Starting and Stopping the Directory Server"
"Importing LDIF From the Command Line"
"Exporting to LDIF From the Command Line"
ldif
Automatically formats LDIF files for you, and creates base 64 encoded attribute values. For details on this tool, see "Base 64 Encoding".

Finding the Command-Line Utilities

Most of the directory server's command line utilities are stored in a single location. You can find them in the following directory:

<NSHOME>/bin/slapd/server

where <NSHOME> is your server installation directory.

The remaining three-ldapdelete, ldapmodify, and ldapsearch-are stored in the following directory:

<NSHOME>/shared/bin

where <NSHOME> is your server installation directory.

Warning. The command-line utilities in these directories that are not described in this manual are used internally by the directory server. Their use outside of that environment is not recommended.

Setting Environment Variables

On Windows NT, before using the command-line utilities, set your PATH variable to include the locations of the directory server command-line utilities:

<NSHOME>/bin/slapd/server

and

/shared/bin

For information on how to set environment variables, see the documentation available for your operating system.

On Unix, to run the command-line utilities, change to the directory where they are stored.

Directory Server Command-Line Scripts

In addition to the command-line utilities described in "Using the Command-Line Utilities", the Netscape Directory Server provides several scripts you can use to invoke the utilities with the most common options set. These scripts are stored in the following directory:

<NSHOME>/slapd-<serverID>/

All of these scripts assume that you want to use the slapd.conf file located in

<NSHOME>/slapd-<serverID>/config/

You can copy these scripts and modify your copies to suit your needs. In general, the rest of this manual does not describe the use of these scripts. Some of the most commonly used scripts are listed in Table �1.2.

Table 1.2 Commonly used command-line scripts �
Command-line script
Description
bak2db
Restores the database from the most recent archived backup. Syntax: bak2db [backup_directory]
db2bak
Creates a backup of the current database contents. Syntax: db2bak [backup_directory]. For more information, see "Backing Up Your Database From the Command Line".
db2ldif
Exports the contents of the database to LDIF. By default, the server stores the LDIF file in: <NSHOME>/slapd-<serverID>/ldif/
Syntax: db2ldif <ldif_filename> [-s ] [-x ]
getpwenc
Prints the encrypted form of a password using one of the server's encryption algorithms. If a user cannot log in, you can use this script to compare the user's password to the password stored in the directory. Syntax: �getpwenc �sha �<password>
or: getpwenc �crypt �<password>
ldif2db
Runs the slapd (Windows NT) or ns-slapd (Unix) command-line utility with the ldif2db keyword. By default, the script first saves and then merges any existing configuration tree (o=NetscapeRoot), with any files to be imported. You can specify -noconfig if you want to overwrite the configuration information.
Warning. Netscape recommends that you do not overwrite the configuration data unless instructed to do so by Netscape Techical Support.
Syntax:
ldif2db [-noconfig] -i [-i ] ... [-s ] [-x }
monitor
Retrieves performance monitoring information using the ldapsearch command-line utility.
Syntax: monitor �-b �<baseDN> �[options] �filter
or:
monitor "cn=monitor"
See "Using ldapsearch" for more information on ldapsearch.
restart-slapd
Restarts the directory server. Syntax: restart-slapd
start-slapd
Starts the directory server. Syntax: start-slapd
stop-slapd
Stops the directory server. Syntax: stop-slapd
vlvindex
Reserved.

Directory Server Configuration Files

You can also perform many administrative tasks manually by editing the directory server's configuration files. There are two main configuration files:

slapd.conf-A text (UTF-8) file that contains the server's configuration and parameter values. These parameters are read by the server only at startup time, and define all of the server parameters that are not related to the server's database, for example, the server's name, the port that it uses, and performance tuning values. The slapd.conf file and its parameters are described in detail in Chapter �17, "Configuration Parameters."

slapd.ldbm.conf-Included in the slapd.conf using the dynamicconf parameter. This file contains the directory server's database parameters.

All of the directory server's configuration files are located in the following directory:

<NSHOME>/slapd-<serverID>/config

where <NSHOME> is your server installation directory and <serverID> is the server identifier that you defined when you installed your directory server. Thus, if you installed your directory server in /usr/dirserver and you selected a server identifier of phonebook, then your configuration files are all stored under

/usr/dirserver/slapd-phonebook/config

Table �1.3 briefly describes each configuration file.

�