Sun Java™ System Directory Server Enterprise Edition provides a browser interface and command-line tools for administering multiple servers, instances, and suffixes in a replicated environment. This chapter provides overview information about Directory Server administration tools.
This chapter covers the following topics:
Information about the Directory Server administration framework is provided in other guides in this documentation set.
For an overview of the Directory Server administration framework, see Directory Server Enterprise Edition Administration Model in Sun Java System Directory Server Enterprise Edition 6.2 Deployment Planning Guide.
For more detailed reference information about the Directory Server administration framework, see Chapter 1, Directory Server Overview, in Sun Java System Directory Server Enterprise Edition 6.2 Reference.
Directory Server Enterprise Edition provides two user interfaces for managing Directory Servers and Directory Proxy Servers: a browser interface, Directory Service Control Center (DSCC), and a command-line interface.
Most procedures in this guide can be performed using either the command line or DSCC. The procedures in this guide show how to use the command line to accomplish the procedure. In most cases DSCC can be used to perform the same task. If DSCC can be used for a particular procedure, a statement to that effect appears at the beginning of the procedure.
The DSCC online help provides detailed instructions on how to use DSCC to perform the procedures in this guide.
DSCC enables you to perform some operations and tasks more easily than you can perform them from the command line, as explained in the following sections. In general, any command that must be applied to several servers is best performed using DSCC.
DSCC displays tables that show all server instances that have been registered in DSCC, all suffixes that have been configured, and the status of each.
The servers table is on the Directory Servers tab and shows the operational status of the server. For a complete list of possible server states, see the Directory Server online help.
The suffixes table is on the Suffixes tab and shows replication status information, such as the number of entries and the number and age of any missing changes. For more information about the information displayed in this table, see the Directory Server online help.
Server groups assist you in monitoring and configuring servers. You can create groups and assign servers to the groups. For example, you can group servers by geographical location, or by function. If you have a large number of servers, you can filter the servers shown on the Directory Servers tab so that only the servers in the group are shown. You can also copy the server configuration (for example index or cache settings) of one server to all other servers in a group. For instructions on how to set up and use a server group, see the Directory Server online help.
DSCC enables you to copy the configuration settings of an existing server, suffix, or replication agreement to one or more other servers, suffixes, or replication agreements. For information about how to perform each of these tasks, see the Directory Server online help.
With DSCC, you can set up a replication topology quickly and easily. Simply create the server instances, then use the steps provided by DSCC to designate the role of each server. DSCC automatically creates the replication agreements for you. For more information about how to configure replication using DSCC, see the Directory Server online help.
Directory Service Control Center (DSCC) is a user interface that enables you to manage Directory Servers and Directory Proxy Servers by using a browser.
To configure DSCC, see Configuring DSCC. For information about using DSCC, see the following sections.
DSCC has a few administration logins.
OS user. Creates a server instance and is the only user who has the right to run operating system commands on a server instance by using the dsadm command. DSCC might request the OS user password in some cases. This user must have a password and must be able to create directory server instances.
Directory Manager. The LDAP superuser for a server. The default DN is cn=Directory Manager.
Directory Administrator. Administers a Directory Server. This user has the same rights as the Directory Manager but is subject to access controls, password policies, and authentication requirements. You can create as many Directory Administrators as you need.
Directory Service Manager. Manages server configuration and data on multiple machines through DSCC. This user has the same rights as the Directory Manager for each of the servers registered in DSCC and is a member of the Directory Administrators Group.
If you experience any difficulty accessing DSCC, see To Troubleshoot Directory Service Control Center Access in Sun Java System Directory Server Enterprise Edition 6.2 Installation Guide.
Ensure that DSCC has been correctly installed, as described in Software Installation in Sun Java System Directory Server Enterprise Edition 6.2 Installation Guide.
If you have installed DSCC with the native package installation, follow these steps:
Open a browser, and type the DSCC host URL in the following format:
https://hostname:6789
For example:
https://host1:6789
where hostname is the system on which you installed the DSCC software.
The Sun Java Web Console default port is 6789.
The following figure shows a Sun Java Web Console login window.
Log in to the Sun Java Web Console.
If this is the first time that you log in to Sun Java Web Console, log in as root on the system where you installed the DSCC software.
If this is a subsequent login, type your operating system user name and password. This user should have the privileges to start, stop, and manage Directory Server instances.
When you log in, you see a list of applications.
Select Directory Service Control Center (DSCC).
The DSCC login window is displayed.
If you have installed DSCC with a zip installation, follow these steps:
Access DSCC directly in your preferred application server by typing the DSCC host URL. The DSCC host URL can be either of the following, depending on the configuration of your application server.
https://hostname:6789
or
http://hostname:6789
Initialize DSCC using the following command.
$ install-path/dscc6/bin/dsccsetup ads-create
Log in to DSCC.
If this is the first time that you log in to DSCC, you must set the Directory Service Manager password. On subsequent logins, use the password that you set on the first login.
You are now logged into DSCC and at the Common Tasks tab.
Navigate by using the tabs.
The Common Tasks tab contains shortcuts to commonly used windows and wizards.
The Directory Servers tab displays all Directory Servers managed by DSCC. To see more options for managing and configuring a particular server, click the server name.
The Proxy Servers tab displays all Directory Proxy Servers managed by DSCC. To see more options for managing and configuring a particular server, click the server name.
For instructions on how to perform tasks using DSCC, see the DSCC online help.
Use the tabs in DSCC to navigate the interface.
The Common Tasks tab (see Figure 1–2) is the first interface that you see when opening DSCC. It contains links to commonly used administrative tasks, such as searching directory data, checking logs, and managing servers.
The Directory Servers tab (see Figure 1–3) lists all directory servers registered in DSCC. For each server, you can see the server status and instance path, which shows where the instance is located.
When you click a server name, you see another window with a different set of tabs that relate only to that server.
The Proxy Servers tab lists all the directory proxy servers that are registered in DSCC. For each server, you can see the server status and the server instance path, which shows where the instance resides.
When you click a server name, you see another window with a different set of tabs that relate only to that server.
The Server Groups tab enables you to assign servers to groups, to make server management easier. If you have numerous servers, you can use filters to display only the servers in a certain group. You can also copy the server configuration (for example index or cache settings) from one server to all other servers in a group.
This tab displays DSCC port numbers and allows you to create and delete Directory Service Managers.
The online help provides the following:
Context-sensitive help for the page you are currently using.
General help for performing administration and configuration procedures using DSCC.
You can access help from most pages by clicking the Help button on the top right corner of the screen. From within a wizard, you can access help by clicking the Help tab. You can also access the online help from the Common Tasks tab.
Most tasks you perform on DSCC can be performed using command-line tools. These tools enable you to manage Directory Server directly from the command line, and to manage your server by using scripts.
The main directory server commands are dsadm and dsconf. You can use these commands to perform backups, export to LDIF, manage certificates, and so on. For information about these commands, see the dsadm(1M) and dsconf(1M) man pages.
This section contains the following information about Directory Server command-line tools:
The Directory Server command-line tools are contained in a default installation directory:
install-path/ds6/bin
The directory for your installation depends on your operating system. Installation paths for all operating systems are listed in Default Paths and Command Locations.
The dsconf command requires some options that you can preset by using environment variables. If you do not specify an option when using the command, or do not set the environment variable, the default setting is used. You can configure environment variables for the following options:
User bind DN. Environment variable: LDAP_ADMIN_USER. Default: cn=Directory Manager.
Password file for the user bind DN. Environment variable: LDAP_ADMIN_PWF. Default: Prompt for password.
Host name. Environment variable: DIRSERV_HOST. Default: local host.
LDAP port number. Environment variable: DIRSERV_PORT. Default: 389.
Specifies that dsconf should open a clear connection by default. Environment variable: DIRSERV_UNSECURED. If this variable is not set, dsconf opens a secure connection by default.
For more details, see the dsconf(1M) man page.
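An added example, not part of the Sun documentation: a shell function that presets these variables for a session only after checking that the password file is accessible to its owner alone, and that unsets DIRSERV_UNSECURED so that dsconf keeps its default secure connection. The function names and the sample host, port and file path are assumptions.

```shell
#!/bin/sh
# Added example: preset dsconf connection options through the environment
# variables listed above. Function names and sample values are assumptions.

# Print the octal mode of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# dsconf_env HOST PORT BIND_DN PASSWORD_FILE
# Returns 0 and exports the variables, or returns 1 without exporting anything.
dsconf_env() {
    host=$1 port=$2 bind_dn=$3 pwf=$4

    if [ ! -f "$pwf" ] || [ ! -r "$pwf" ]; then
        echo "dsconf_env: password file $pwf is missing or unreadable" >&2
        return 1
    fi
    # The file holds the bind password, so reject any mode that grants
    # group or other access.
    mode=$(file_mode "$pwf") || return 1
    case $mode in
        400|600) ;;
        *) echo "dsconf_env: $pwf has mode $mode, expected 400 or 600" >&2
           return 1 ;;
    esac

    LDAP_ADMIN_USER=$bind_dn
    LDAP_ADMIN_PWF=$pwf
    DIRSERV_HOST=$host
    DIRSERV_PORT=$port
    export LDAP_ADMIN_USER LDAP_ADMIN_PWF DIRSERV_HOST DIRSERV_PORT
    # Leave DIRSERV_UNSECURED unset so that dsconf opens a secure connection.
    unset DIRSERV_UNSECURED
    return 0
}

# Sample call (constructed values):
#   dsconf_env host1 1389 "cn=Directory Manager" "$HOME/.dsconf.pwd"
```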
The following table shows a comparison of the dsadm and dsconf commands.
Table 1–1 Comparison of the dsadm and dsconf Commands
For complete information about how to use the dsadm and dsconf commands, see the dsadm(1M) and dsconf(1M) man pages.
To obtain a list of subcommands, type the appropriate command:
$ dsadm --help
$ dsconf --help
To obtain information about how to use a subcommand, type the appropriate command:
$ dsadm subcommand --help
$ dsconf subcommand --help
Many of the dsconf subcommands enable you to view and modify configuration properties.
To list the configuration properties used in Directory Server, type:
$ dsconf help-properties
To find a particular property, search the output of the help-properties subcommand.
For example, if you are using a UNIX® platform and you want to search for all properties relating to referrals, use the following command.
$ dsconf help-properties | grep -i referral
SER referral-url rw M LDAP_URL | undefined Referrals returned to clients requesting a DN not stored in this Directory Server (Default: undefined)
SUF referral-mode rw disabled|enabled|only-on-write Specifies how referrals are used for requests involving the suffix (Default: disabled)
SUF referral-url rw M LDAP_URL | undefined Server(s) to which updates are referred (Default: undefined)
SUF repl-rewrite-referrals-enabled rw on|off Specifies whether automatic referrals are overwritten (Default: off)
Note that the properties are grouped by targeted objects, such as suffixes (SUF) and server (SER). The rw keyword indicates that the property is readable and writable. The M keyword indicates that the property is multi-valued.
To see the server attribute that corresponds to a property, use verbose mode. For example, on a UNIX system, type:
$ dsconf help-properties -v | grep -i referral-mode
SUF referral-mode rw disabled|enabled|only-on-write nsslapd-state Specifies how referrals are used for requests involving the suffix (Default: disabled)
For more information about individual properties, see the man page for that property. The man pages are in Sun Java System Directory Server Enterprise Edition 6.2 Man Page Reference.
Certain Directory Server properties can take multiple values. The syntax to specify these values is as follows:
$ dsconf set-container-prop -h host -p port container-name \
  property:value1 property:value2
For example, to set multiple encryption ciphers for a server, use the following command:
$ dsconf set-server-prop -h host1 -p 1389 ssl-cipher-family:SSL_RSA_WITH_RC4_128_MD5 \
  ssl-cipher-family:SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
To add a value to a multi-valued property that already contains values, use the following syntax:
$ dsconf set-container-prop -h host -p port container-name property+:value
To remove a value from a multi-valued property that already contains values, use the following syntax:
$ dsconf set-container-prop -h host -p port container-name property-:value
For example, in the scenario described previously, to add the SHA encryption cipher to the list of ciphers, run this command:
$ dsconf set-server-prop -h host1 -p 1389 \
  ssl-cipher-family+:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
To remove the MD5 cipher from the list, run this command:
$ dsconf set-server-prop -h host1 -p 1389 ssl-cipher-family-:SSL_RSA_WITH_RC4_128_MD5
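An added example, not from the Sun documentation: the RC4 and 3DES suites used above to illustrate the syntax are weak by current standards, so this shell function reads a list of configured ssl-cipher-family values and prints one removal command per weak suite, using the property-:value syntax shown above. The function names, the pattern list and the sample input are assumptions; the commands are printed, not run.

```shell
#!/bin/sh
# Added example: build "property-:value" removal commands for weak cipher
# suites. Function names and the pattern list are assumptions, not Sun's.

# weak_cipher_removals HOST PORT
# Reads cipher suite names on stdin (one per line) and prints a
# "dsconf set-server-prop ... ssl-cipher-family-:NAME" line for each suite
# whose name contains a weak primitive. Nothing is executed.
weak_cipher_removals() {
    host=$1 port=$2
    while IFS= read -r suite; do
        # Skip blank lines.
        [ -n "$suite" ] || continue
        case $suite in
            *_RC4_*|*_MD5|*_3DES_*|*_DES_*|*_NULL_*|*_EXPORT_*|*_anon_*)
                printf 'dsconf set-server-prop -h %s -p %s ssl-cipher-family-:%s\n' \
                    "$host" "$port" "$suite"
                ;;
        esac
    done
}

# Constructed sample input: the three suites named in the examples above.
sample_ciphers() {
    cat <<'EOF'
SSL_RSA_WITH_RC4_128_MD5
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
EOF
}

# Stand-alone demonstration: prints removal commands for the RC4 and 3DES
# suites and leaves the AES suite alone.
sample_ciphers | weak_cipher_removals host1 1389
```

Review the printed commands before running them, and confirm that at least one strong suite remains in the list so that clients can still negotiate a secure connection.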
The man pages provide descriptions of all commands and attributes used in Directory Server. In addition, the man pages show some useful examples of how to use the commands in deployment.
Legacy tools are included with the regular Directory Server tools for backwards compatibility. These tools are present but deprecated.