Document Information
Configuring the Directory Server
Managing Administration Traffic to the Server
Overview of the Administration Connector
Accessing Administrative Suffixes
To Configure the Administration Connector
Configuring the Directory Server With dsconfig
Overview of the dsconfig Command
Using dsconfig in Interactive Mode
Getting Help With dsconfig
Configuring a Directory Server Instance
To Display the Properties of a Component
To List Components
To Modify the Properties of a Component
To Modify the Values of a Multi-Valued Property
To Create a Component
To Delete a Component
Configuring the Connection Handlers
To Display All Connection Handlers
Configuring the LDAP Connection Handler
To Control Which Clients Have LDAP Access to the Directory Server
Configuring the LDIF Connection Handler
To Enable the JMX Alert Handler Through the LDIF Connection Handler
Configuring the JMX Connection Handler
To Change the Port on Which the Server Listens for JMX Connections
Configuring Plug-Ins With dsconfig
Overview of Plug-In Types
Modifying the Plug-In Configuration
To Display the List of Plug-Ins
To Create a New Plug-In
To Enable or Disable a Plug-In
To Display and Configure Plug-In Properties
To Configure Plug-In Invocation Order
Configuring Commands As Tasks
Utilities That Can Schedule Tasks
Controlling Which Tasks Can Be Run
Scheduling and Configuring Tasks
To Schedule a Task
To Schedule a Recurring Task
To Configure Task Notification
To Configure Task Dependencies
Managing and Monitoring Scheduled Tasks
To Obtain Information About Scheduled Tasks
To Cancel a Scheduled Task
To Cancel a Recurring Task
Managing the Directory Server With the Control Panel
To Start the Control Panel
To Specify the Trust Manager Provider and Trust Store Algorithm Used by the Control Panel
Configuring and Testing the DSML Gateway
Deploying the DSML Gateway
Deploying the DSML Gateway in Apache Tomcat
Deploying the DSML Gateway in Glassfish
Deploying the DSML Gateway in Sun Java System Web Server 7
Configuring the DSML Gateway
Confirming the DSML Gateway Deployment
Confirming the DSML Gateway Deployment with JXplorer
Confirming the DSML Gateway Deployment with the Directory Server Resource Kit
Configuring Security in the Directory Server
Getting SSL Up and Running Quickly
To Accept SSL-Based Connections Using a Self-Signed Certificate
Enabling SSL and StartTLS in QuickSetup
Configuring Key Manager Providers
Key Manager Provider Overview
Using the JKS Key Manager Provider
To Generate the Private Key
To Self-Sign the Certificate
To Sign the Certificate by Using an External Certificate Authority
To Configure the JKS Key Manager Provider
Using the PKCS #12 Key Manager Provider
Using the PKCS #11 Key Manager Provider
Configuring Trust Manager Providers
Overview of Certificate Trust Mechanisms
Using the Blind Trust Manager Provider
Using the JKS Trust Manager Provider
Using the PKCS #12 Trust Manager Provider
Configuring Certificate Mappers
Using the Subject Equals DN Certificate Mapper
Using the Subject Attribute to User Attribute Certificate Mapper
Using the Subject DN to User Attribute Certificate Mapper
Using the Fingerprint Certificate Mapper
Configuring SSL and StartTLS for LDAP and JMX
Configuring the LDAP and LDAPS Connection Handlers
To Enable a Connection Handler
To Specify a Connection Handler's Listening Port
To Specify a Connection Handler's Authorization Policy
To Specify a Nickname for a Connection Handler's Certificate
To Specify a Connection Handler's Key Manager Provider
To Specify a Connection Handler's Trust Manager Provider
To Enable StartTLS Support
To Enable SSL-Based Communication
Enabling SSL in the JMX Connection Handler
Using SASL Authentication
Supported SASL Mechanisms
Authorization IDs
SASL Options for the ANONYMOUS Mechanism
SASL Options for the CRAM-MD5 Mechanism
SASL Options for the DIGEST-MD5 Mechanism
SASL Options for the EXTERNAL Mechanism
SASL Options for the GSSAPI Mechanism
SASL Options for the PLAIN Mechanism
Configuring SASL Authentication
Configuring SASL External Authentication
Configuring SASL DIGEST-MD5 Authentication
Configuring SASL GSSAPI Authentication
Configuring Kerberos and the Sun OpenDS Standard Edition Directory Server for GSSAPI SASL Authentication
To Configure Kerberos V5 on a Host
To Specify SASL Options for Kerberos Authentication
Example Configuration of Kerberos Authentication Using GSSAPI With SASL
Troubleshooting Kerberos Configuration
Testing SSL, StartTLS, and SASL Authentication With ldapsearch
ldapsearch Command Line Arguments Applicable To Security
Testing SSL
Testing StartTLS
Managing Directory Data
Importing and Exporting Data
Populating a Stand-Alone Directory Server With Data
Importing Data Using import-ldif
To Import Data in Offline Mode
To Replace Existing Data During an Offline Import
To Append Imported Data to Existing Data
To Import Fractional Files
To Import Fractional Files by Using Filters
To Include or Exclude Attributes During Import
To Import a Compressed LDIF File
To Record Rejected or Skipped Entries During Import
To Import Data From a MakeLDIF Template
To Run an Import in Online Mode
To Schedule an Import
Exporting Data Using export-ldif
To Export Data to LDIF
To Export Partial Data
To Export Part of a Back End by Using Filters
To Include or Exclude Attributes During Export
To Export to LDIF and Then Compress the File
To Run an Export in Online Mode
To Schedule an Export
Importing and Exporting Entries With the Control Panel
To Import Entries With the Control Panel
To Export Entries to an LDIF File With the Control Panel
Creating MakeLDIF Template Files
The Template File Format
make-ldif Template File Tags
Defining Custom Tags
Backing Up and Restoring Data
Overview of the Backup and Restore Process
Backing Up Data
To Back Up All Back Ends
To Back Up All Back Ends with Encryption and Signed Hashes
To Perform an Incremental Backup on All Back Ends
To Back Up a Specific Back End
To Perform an Incremental Backup on a Specific Back End
To Schedule a Backup as a Task
Backing Up the Server Configuration
Backing Up for Disaster Recovery
To Back Up the Directory Server For Disaster Recovery
Restoring Data
To Restore a Back End
To Restore a Back End From Incremental Backups
To Schedule a Restore as a Task
To Restore the Configuration File
To Restore a Directory Server During Disaster Recovery
Restoring Replicated Directory Servers
Backing Up and Restoring Directory Data With the Control Panel
To Back Up Data With the Control Panel
To Restore Data With the Control Panel
Searching Directory Data
Overview of the ldapsearch Command
ldapsearch Location and Format
Understanding Search Criteria
ldapsearch Examples
To Return All Entries
To Search For a Specific User
To Search for Specific User Attributes
To Perform a Search With Base Scope
To Perform a Search With One-Level Scope
To Perform a Search With Subtree Scope
To Return Attribute Names Only
To Return User Attributes Only
To Return Base DNs Only
To Search For Specific Object Classes
To Return a Count of All Entries in the Directory
To Perform a Search With a Compound Filter
To Perform a Search Using a Filter File
To Limit the Number of Entries Returned in a Search
Using Advanced Search Features
Searching for Special Entries and Attributes
To Search for Operational Attributes
To Search the Root DSE Entry
To Search for ACI Attributes
To Search the Schema Entry
To Search the Configuration Entry
To Search the Monitoring Entry
Searching Over SSL
To Search Over SSL With Blind Trust
To Search Over SSL Using a Trust Store
To Search Over SSL With No Trust Store
To Search Over SSL Using a Keystore
To Search Using StartTLS
To Search Using SASL With DIGEST-MD5 Client Authentication
To Search Using SASL With the GSSAPI Mechanism
To Search Using SASL With the PLAIN Mechanism
Searching Using Controls
To View the Available Controls
To Search Using the Account Usability Request Control
To Search Using the Authorization Identity Request Control
To Search Using the Get Effective Rights Control
To Search Using the LDAP Assertion Control
To Search Using the LDAP Subentry Control
To Search Using the Manage DSA IT Control
To Search Using the Matched Values Filter Control
To Search Using the Password Policy Control
To Search Using the Persistent Search Control
To Search Using the Proxied Authorization Control
To Search Using the Server-Side Sort Control
To Search Using the Simple Paged Results Control
Searching Using the Virtual List View Control
To Search Using the Virtual List View Control
To Search Using Virtual List View With a Specific Target
To Search Using Virtual List View With a Known Total
Searching in Verbose Mode and With a Properties File
To Search in Verbose Mode
To Search Using a Properties File
Searching Internationalized Entries
Adding, Modifying, and Deleting Directory Data
Adding Directory Entries
To Create a Root Entry
To Add an Entry Using the --defaultAdd Option With ldapmodify
To Add Entries Using an LDIF Update Statement With ldapmodify
Adding Attributes
To Add an Attribute to an Entry
To Add an ACI Attribute
To Add an International Attribute
Modifying Directory Entries
To Modify an Attribute Value
To Modify an Attribute With Before and After Snapshots
To Delete an Attribute
To Change an RDN
To Move an Entry
Deleting Directory Entries
To Delete an Entry With ldapmodify
To Delete an Entry With ldapdelete
To Delete Multiple Entries by Using a DN File
Indexing Directory Data
Configuring Indexes on the Local DB Back End
To Create a New Local DB Index
Configuring VLV Indexes
To Create a New VLV Index
Managing Indexes With the Control Panel
To Display a List of Indexes
To Add an Index
To Add a VLV Index
To Delete an Index
To Verify Indexes
To Rebuild Indexes
Reducing Stored Data Size
To Enable or Disable Compact Encoding
To Enable or Disable Entry Compression
Managing Directory Data With the Control Panel
Managing Entries With the Control Panel
To Display A List of All Directory Entries
To Add a New Entry With the Control Panel
To Add a New Entry From an LDIF Specification With the Control Panel
To Change the Values of an Entry's Attributes With the Control Panel
To Delete an Entry With the Control Panel
Managing Base DNs With the Control Panel
Adding a New Base DN
Deleting a Base DN
Copying an Entry's DN to the Clipboard
Managing Users
To Reset a User's Password
To Create a Group
To Add a User to a Group
Deleting a Back End With the Control Panel
To Delete a Back End With the Control Panel
Selecting a View of Entry Data
To Select a View of Entry Data
Ensuring Attribute Value Uniqueness
Overview of the Unique Attribute Plug-In
Configuring the Unique Attribute Plug-In Using dsconfig
To Ensure Uniqueness of the Value of the uid Attribute
To Ensure Uniqueness of the Value of Any Other Attribute
Replication and the Unique Attribute Plug-In
Configuring Virtual Attributes
To List the Existing Virtual Attributes
To Create a New Virtual Attribute
To Enable or Disable a Virtual Attribute
To Display the Configuration of a Virtual Attribute
To Change the Configuration of a Virtual Attribute
Configuring Referrals
Configuring LDAP URLs
To Create a Referral
To Modify a Referral
To Delete a Referral
Controlling Access To Data
Managing Global ACIs With dsconfig
Default Global ACIs
To Display the Global ACIs
To Delete a Global ACI
To Add a Global ACI
Managing ACIs With ldapmodify
To View ACI Attribute Values
To Add an ACI
To Remove an ACI
Access Control Usage Examples
Disabling Anonymous Access
Granting Write Access to Personal Entries
Granting a Group Full Access to a Suffix
Granting Rights to Add and Delete Group Entries
Allowing Users to Add or Remove Themselves From a Group
Granting Conditional Access to a Group
Denying Access
Defining Permissions for DNs That Contain a Comma
Proxy Authorization ACIs
Viewing Effective Rights
The Get Effective Rights Control
Using the Get Effective Rights Control
Understanding Effective Rights Results
Restricting Access to the Get Effective Rights Control
Replicating Data
Configuring Replication With dsreplication
To Enable Replication Between Two Servers
To Initialize a Replicated Server
To Initialize an Entire Topology
To Test Replication
To Obtain the Status of a Replicated Topology
Modifying the Replication Configuration With dsconfig
Retrieving the Replication Domain Name
Changing the Replication Purge Delay
To Change the Replication Purge Delay
Changing the Window Size
To Change the Window Size
Changing the Heartbeat Interval
To Change the Heartbeat Interval
Changing the Isolation Policy
To Change the Isolation Policy
Configuring Encrypted Replication
To Configure Encrypted Replication
Configuring Replication Groups
To Configure A Replication Group
Configuring Assured Replication
To Configure Assured Replication in Safe Data Mode
To Configure Assured Replication in Safe Read Mode
Configuring Replication Status
To Configure the Degraded Status Threshold
Initializing a Replicated Server With Data
Initializing a Single Replicated Server
Initializing a New Replicated Topology
Adding a Directory Server to an Existing Replicated Topology
Changing the Data Set in an Existing Replicated Topology
To Change the Data Set With import-ldif or Binary Copy
Configuring Schema Replication
Specifying the Schema Source
Disabling Schema Replication
Replicating to a Read-Only Server
To Configure a Replica as Read-Only
Detecting and Resolving Replication Inconsistencies
Types of Replication Inconsistencies
Detecting Inconsistencies
Resolving Inconsistencies
Managing Users and Groups
Managing Root User, Global Administrator, and Administrator Accounts
Working With Multiple Root Users
Root Users and the Privilege Subsystem
Managing Root Users With dsconfig
To View the Default Root User Privileges
To Edit the Default Root User Privileges
To Create a Root User
To Change a Root User's Password
To Change a Root User's Privileges
Setting Root User Resource Limits
Managing Global Administrators
Managing Administrators
To Create a New Administrator
Managing Password Policies
Password Policy Components
Password Policies in a Replicated Environment
To View the List of Password Policies
Properties of the Default Password Policy
To View the Properties of the Default Password Policy
Configuring Password Policies
To Create a New Password Policy
To Create a First Login Password Policy
To Assign a Password Policy to an Individual Account
To Prevent Password Policy Modifications
To Assign a Password Policy to a Group of Users
To Delete a Password Policy
Managing User Accounts
Changing Passwords
To Change the Directory Manager's Password
To Reset and Generate a New Password for a User
To Change a User's Password
Managing a User's Account Information
To View a User's Account Information
To View Account Status Information
To Disable an Account
To Enable an Account
Setting Resource Limits on a User Account
To Set Resource Limits on an Account
Defining Groups
Defining Static Groups
To Create a Static Group With groupOfNames
To Create a Static Group With groupOfUniqueNames
To Create a Static Group With groupOfEntries
To List All Members of a Static Group
To List All Static Groups of Which a User Is a Member
To Determine Whether a User is a Member of a Group
Defining Dynamic Groups
To Create a Dynamic Group
To List All Members of a Dynamic Group
To List All Dynamic Groups of Which a User Is a Member
To Determine Whether a User Is a Member of a Dynamic Group
Defining Virtual Static Groups
To Create a Virtual Static Group
To List All Members of a Virtual Static Group
To List All Virtual-Static Groups of Which a User Is a Member
To Determine Whether a User is a Member of a Virtual Static Group
Defining Nested Groups
To Create a Nested Group
Maintaining Referential Integrity
Overview of the Referential Integrity Plug-In
To Enable the Referential Integrity Plug-In
Simulating DSEE Roles in an OpenDS Directory Server
To Determine Whether a User is a Member of a Role
To Alter Membership by Using the nsRoleDN Attribute
Directory Server Monitoring
Monitoring the Directory Server
Working With Monitor Providers
To View Monitor Providers
To Disable a Monitor Provider
To Create a Monitor Provider
To Delete a Monitor Provider
Viewing Monitoring Information Using the cn=monitor Entry
To View the Available Monitoring Information
To Monitor General-Purpose Server Information
To Monitor System Information
To Monitor Version Information
To Monitor the User Root Back End
To Monitor the Backup Back End
To Monitor the Tasks Back End
To Monitor the monitor Back End
To Monitor the Schema Back End
To Monitor the adminRoot Back End
To Monitor the ads-truststore Back End
To Monitor Client Connections
To Monitor the LDAP Connection Handler
To Monitor LDAP Connection Handler Statistics
To Monitor Connections on the LDAP Connection Handler
To Monitor the Administration Connector
To Monitor Administration Connector Statistics
To Monitor Connections on the Administration Connector
To Monitor the LDIF Connection Handler
To Monitor the Work Queue
To Monitor the userRoot Database Environment
To Monitor the Entry Cache
To Monitor JVM Stack Trace Information
To Monitor the JVM Memory Usage
Monitoring Using JConsole
Monitoring Using Managed Tasks
Configuring Alert Notifications and Account Status Notification Handlers
Accessing Logs
To View the Access Logs
To View the Audit Logs
To View the Debug Logs
To View the Error Logs
To View the Replication Repair Logs
To View the server.out Logs
General Purpose Enterprise Monitoring Solutions
Monitoring the Directory Server With JConsole
To Configure JMX on a Directory Server Instance
Starting JConsole
Accessing a Directory Server Instance From JConsole
Viewing Directory Monitoring Information With JConsole
Monitoring the Directory Server With SNMP
Configuring SNMP in the Directory Server
To Configure SNMP in the Directory Server
To View the SNMP Connection Handler Properties
To Access SNMP on a Directory Server Instance
SNMP Security Configuration
Monitoring the Directory Server With the Control Panel
To View Monitoring Information With the Control Panel
Configuring Logs With dsconfig
Overview of Directory Server Logs
Configuring Log Publishers
Logging Internal Operations
To Configure Log Retention Policies
To Configure Log Rotation Policies
To Configure Debug Targets
Logging Access Control Information
Differences Between Logging in Sun OpenDS Standard Edition and Sun Java System Directory Server
Configuring Alerts and Account Status Notification Handlers
Managing Alert Handlers
To View All Configured Alert Handlers
To Enable an Alert Handler
To Create a New Alert Handler
To Delete an Alert Handler
To Disable an Alert Type
Managing Account Status Notification Handlers
To View the Configured Account Status Notification Handlers
To Enable Account Status Notification Handlers
To Create a New Account Status Notification Handler
To Delete an Account Status Notification Handler
Monitoring a Replicated Topology
Monitoring Replication Status With dsreplication
Advanced Replication Monitoring
Improving Performance
Tuning Performance
General Performance Tuning
Java Virtual Machine Settings
Directory Server Configuration
Improving Performance When Importing Large Data Sets
Data Import Overview
Adjusting Import Parameters
To Adjust the Number of Import Threads
To Adjust the Queue Size
Adjusting Memory Requirements to Match Configuration Settings
Advanced Administration
Running the Directory Server as a Non-Root User
Working With Directory Schema
Directory Schema Overview
Configuring Schema Checking
Working With Object Identifiers (OIDs)
Extending the Directory Schema
Managing Attribute Types
To View Attribute Types
To Create an Attribute Type
To Delete an Attribute Type
Managing Object Classes
To View Object Classes
To Create an Object Class
To Delete an Object Class
Extending the Schema With a Custom Schema File
Replicating Directory Schema
Managing the Schema With the Control Panel
To Display Schema Items
To Add a New Object Class
To Add a New Attribute to the Schema
Sun OpenDS Standard Edition 2.0 Administration Guide
July 2009
This guide provides task-based information on administering the directory server.