Sun ONE Directory Server Administration Guide
Contents
Purpose of This Guide
Introduction to Sun ONE Directory Server
Prerequisites
Typographical Conventions
Default Paths and Filenames
Downloading Directory Server Tools
Suggested Reading
Overview of Directory Server Management
Creating Directory Entries
Starting and Stopping the Directory Server
Starting and Stopping the Server From the Command Line (Unix)
Starting the Server with SSL Enabled
Starting and Stopping the Server From the Control Panel (Windows)
Starting and Stopping the Server From the Console (All Platforms)
Using the Directory Server Console
Starting Directory Server Console
Configuring LDAP Parameters
Navigating the Directory Server Console
Viewing the Current Bind DN From the Console
Changing Your Login Identity
Using the Online Help
The Console Clipboard
Console Settings
Configuring the Directory Manager
Verifying Plug-In Signatures
Changing Directory Server Port Numbers
Setting Global Read-Only Mode
Tracking Modifications to Directory Entries
Configuring the Verification of Plug-In Signatures
Configuring DSML
Viewing the Status of a Plug-In
Enabling DSML Requests
Configuring DSML Security
DSML Identity Mapping
Configuration Entries
Creating Your Directory Tree
Modifying the Configuration Using the Console
Managing Entries Using the Console
Modifying the Configuration From the Command Line
Modifying the dse.ldif File
Creating Directory Entries
Managing Entries From the Command Line
Modifying Entries With a Custom Editor
Modifying Entries With the Generic Editor
Deleting Directory Entries
Bulk Operations Using the Console
Providing LDIF Input
Setting Referrals
Adding Entries Using ldapmodify
Modifying Entries Using ldapmodify
Renaming an Entry Using ldapmodify
Deleting Entries Using ldapdelete
Deleting Entries Using ldapmodify
Setting the Default Referrals
Encrypting Attribute Values
Creating Smart Referrals
Configuring Attribute Encryption Using the Console
Maintaining Referential Integrity
Configuring Attribute Encryption From the Command Line
How Referential Integrity Works
Configuring Referential Integrity
Using Referential Integrity with Replication
Introduction
Populating Directory Contents
Creating Suffixes
Creating a New Root Suffix Using the Console
Managing Suffixes
Creating a New Subsuffix Using the Console
Creating Suffixes From the Command Line
Disabling or Enabling a Suffix
Creating Chained Suffixes
Setting Access Permissions and Referrals
Deleting a Suffix
Creating a Proxy Identity
Managing Chained Suffixes
Setting Default Chaining Parameters
Creating Chained Suffixes Using the Console
Creating Chained Suffixes From the Command Line
Access Control Through Chained Suffixes
Chaining Using SSL
Configuring the Chaining Policy
Configuring Cascading Chaining
Disabling or Enabling a Chained Suffix
Setting Access Permissions and Referrals
Modifying the Chaining Parameters
Optimizing Thread Usage
Deleting a Chained Suffix
Setting the Cascading Parameters
Transmitting LDAP Controls for Cascading
Setting Suffix Read-Only Mode
Advanced Entry Management
Importing Data
Importing LDIF Files
Exporting Data
Initializing a Suffix
Exporting the Entire Directory to LDIF Using the Console
Backing Up Data
Exporting a Single Suffix to LDIF Using the Console
Exporting to LDIF From the Command Line
Backing Up Your Server Using the Console
Restoring Data from Backups
Backing Up Your Server From the Command Line
Backing Up the dse.ldif Configuration File
Restoring Replicated Suffixes
Restoring Your Server Using the Console
Restoring Your Server from the Command Line
Restoring the dse.ldif Configuration File
Managing Groups
Managing Access Control
Assigning Roles
About Roles
Defining Class of Service (CoS)
Assigning Roles Using the Console
Managing Roles From the Command Line
About CoS
CoS Limitations
Managing CoS Using the Console
Managing CoS From the Command Line
Creating Role-Based Attributes
Access Control Principles
User Account Management
ACI Structure
Default ACIs
ACI Placement
ACI Evaluation
ACI Limitations
ACI Syntax
Defining Targets
Bind Rules
Defining Permissions
Bind Rule Syntax
Creating ACIs From the Command Line
Defining User Access - userdn Keyword
Defining Group Access - groupdn Keyword
Defining Role Access - roledn Keyword
Defining Access Based on Value Matching
Defining Access From a Specific IP Address
Defining Access from a Specific Domain
Defining Access at a Specific Time of Day or Day of Week
Defining Access Based on Authentication Method
Using Boolean Bind Rules
Viewing aci Attribute Values
Creating ACIs Using the Console
Viewing the ACIs of an Entry
Access Control Usage Examples
Creating a New ACI
Editing an ACI
Deleting an ACI
Defining Permissions for DNs That Contain a Comma
Viewing Effective Rights
Proxy Authorization ACI Example
Using the Get Effective Rights Control
Advanced Access Control: Using Macro ACIs
Macro ACI Example
Access Control and Replication
Macro ACI Syntax
Logging Access Control Information
Compatibility with Earlier Releases
Overview of Password Policies
Managing Replication
Preventing Dictionary-Style Attacks
Configuring the Global Password Policy
Password Policies in a Replicated Environment
Configuring the Password Policy Using the Console
Managing Individual Password Policies
Configuring the Password Policy From the Command Line
Defining a Policy Using the Console
Resetting User Passwords
Defining a Policy From the Command Line
Assigning Password Policies
Inactivating and Activating Users and Roles
Setting User and Role Activation Using the Console
Setting Individual Resource Limits
Setting User and Role Activation From the Command Line
Setting Resource Limits Using the Console
Setting Resource Limits From the Command Line
Introduction
Extending the Directory Schema
Summary of Steps for Configuring Replication
Choosing Replication Managers
Configuring a Dedicated Consumer
Creating the Suffix for the Consumer Replica
Configuring a Hub
Enabling a Consumer Replica
Advanced Consumer Configuration
Creating the Suffix for the Hub Replica
Configuring a Master Replica
Enabling a Hub Replica
Advanced Hub Configuration
Defining the Suffix for the Master Replica
Creating Replication Agreements
Enabling a Master Replica
Advanced Multi-Master Configuration
Configuring Fractional Replication
Considerations for Fractional Replication
Initializing Replicas
Defining the Attribute Set
Enabling Fractional Replication
When to Initialize
Enabling the Referential Integrity Plug-In
Convergence After Multi-Master Initialization
Initializing a Replica Using the Console
Initializing a Replica From the Command Line
Initializing a Replica Using Binary Copy
Replication Over SSL
Replication Over a WAN
Configuring Network Parameters
Modifying the Replication Topology
Scheduling Replication Activity
Data Compression
Managing Replication Agreements
Replication With Earlier Releases
Promoting or Demoting Replicas
Disabling Replicas
Moving the Change Log
Keeping Replicas in Sync
Configuring Directory Server 5.2 as a Consumer of Directory Server 4.x
Using the Retro Change Log Plug-In
Updating Directory Server 5.1 Schema
Enabling the Retro Change Log Plug-In
Monitoring Replication Status
Trimming the Retro Change Log
Accessing Retro Change Log
Command-Line Tools
Solving Common Replication Conflicts
Replication Status Tab
Solving Naming Conflicts
Solving Orphan Entry Conflicts
Solving Potential Interoperability Problems
Schema Checking
Managing Indexes
Setting Schema Checking Using the Console
Overview of Extending the Schema
Setting Schema Checking From the Command Line
Modifying the Schema Files
Managing Attribute Definitions
Modifying the Schema From the Command Line
Modifying the Schema Using the Console
Viewing Attributes
Managing Object Class Definitions
Creating Attributes
Editing Attributes
Deleting Attributes
Viewing Object Classes
Replicating Schema Definitions
Creating Object Classes
Editing Object Classes
Deleting Object Classes
Modifying Replicated Schema Files
Limiting Schema Replication
Overview of Indexing
Implementing Security
System Indexes
Managing Indexes
Default Indexes
Standard Index Files in a Database
Attribute Name Quick Reference Table
Managing Indexes Using the Console
Managing Browsing Indexes
Managing Indexes From the Command Line
Reindexing a Suffix
Modifying the Set of Default Indexes
Browsing Indexes for the Console
Browsing Indexes for Client Searches
Introduction to SSL in the Directory Server
Managing Log Files
Summary of Steps for Enabling SSL
Obtaining and Installing Server Certificates
Creating a Certificate Database
Activating SSL
Generating a Certificate Request
Installing the Server Certificate
Trusting the Certificate Authority
Choosing Encryption Ciphers
Configuring Client Authentication
Allowing Client Authentication
SASL Authentication Through DIGEST-MD5
Identity Mapping
SASL Authentication Through GSSAPI (Solaris Only)
Configuring LDAP Clients to Use Security
Configuring Server Authentication in Clients
Configuring Certificate-Based Authentication in Clients
Using SASL DIGEST-MD5 in Clients
Using Kerberos SASL GSSAPI in Clients
Defining Log File Policies
Monitoring Directory Server Using SNMP
Defining a Log File Rotation Policy
Access Log
Defining a Log File Deletion Policy
Manual Log File Rotation
Errors Log
Audit Log
Monitoring Server Activity
Monitoring Your Server Using the Console
Monitoring Your Server From the Command Line
SNMP in Sun ONE Servers
Using the Pass-Through Authentication Plug-In
Overview of the Directory Server MIB
Setting Up SNMP
On UNIX Platforms
Configuring SNMP in the Directory Server
On AIX Platforms
On Windows Platforms
Starting and Stopping the SNMP Subagent
On UNIX and AIX Platforms
On Windows Platforms
How Directory Server Uses PTA
Using the UID Uniqueness Plug-In
Configuring the PTA Plug-In
Creating the Plug-In Configuration Entry
Configuring PTA to Use a Secure Connection
Setting the Optional Connection Parameters
Specifying Multiple Servers and Subtrees
Modifying the PTA Plug-In Configuration
Overview
Third Party Licence Acknowledgements
Enforcing Uniqueness of the uid Attribute
Configuring the Plug-In Using the Console
Enforcing Uniqueness of Another Attribute
Configuring the Plug-In From the Command Line
Using the Uniqueness Plug-In With Replication
Single-Master Replication Scenario
Multi-Master Replication Scenario