This chapter describes the Directory Server Enterprise Edition service manageability features. This chapter covers the following topics:
The primary interface for DSEE is the Directory Service Control Center (DSCC). The DSCC enables you to perform almost all administrative tasks.
When you initiate an action through the DSCC, the operation is passed to the appropriate console agents or through LDAP. The console agents run the corresponding Directory Server or Directory Proxy Server command to perform the administrative action.
The DSCC plugs in to Sun Java Web Console. For information about starting and using the DSCC, see Directory Service Control Center Interface in Sun Java System Directory Server Enterprise Edition 6.2 Administration Guide.
The DSCC provides various data views to help you manage your services most effectively. For example, the DSCC provides a topology view, where you can see all of the servers involved in a replication topology and the relationship between them. The following figure demonstrates the topology view of a simple two-master, two-consumer replication topology.
The arrows show the direction in which information is propagated. The servers are listed hierarchically, with the master servers appearing at the top and the read-only consumer replicas appearing at the bottom. If hub servers were used, they would be displayed in the middle. The DSCC allows you to modify the view by applying filters so that you can display only a particular suffix.
The DSCC provides tools for viewing the replication status of suffixes. This view summarizes for each server the number of changes currently missing and the age of the latest change that needs to be applied, as illustrated in the following figure.
You can also use the DSCC to view the Directory Server and Directory Proxy Server logs, which show the timestamp, log level, messages, and message sort. You can modify the log view to show only entries that contain a string you specify.
A production environment usually includes multiple instances for redundancy and load balancing. In most cases, each of these servers has the same configuration. The DSCC simplifies service management by allowing you to install an instance of the server once and to copy that server's configuration and replication configuration to another instance.
The DSCC enables you to clone an instance or suffix configuration by selecting an existing instance and then cloning either the instance or the suffix configuration to other directory instances.
For example, to simplify the deployment of your replicated topology, you can create a master replication configuration and then propagate it to the other masters in your topology. You can also choose to clone only parts of the configuration, such as the indexes.
The following figure illustrates how you can copy configuration settings from one Directory Server to other servers by using the Copy Directory Server Configuration wizard.
The DSCC provides similar wizards for copying suffix configuration or cloning a Directory Proxy Server configuration.
The DSEE CLI is designed to reduce all administrative tasks to a few commands. The look, feel, and use of these commands is similar across the DSEE administrative framework. For example, administrative tasks for Directory Server and Directory Proxy Server are performed with the dsadm and dpadm commands, respectively. The usage and syntax of these two commands is similar.
The command-line tools wrap much of the complexity of LDIF-based configuration, enabling you to write more succinct, readable scripts.
The DSEE includes the following new tools to facilitate command-line management of the server:
dsadm – Handles local Directory Server instance files, creating instances and managing the server process running on the local host.
For more information, see the dsadm(1M) man page.
dpadm – Handles local Directory Proxy Server instance files, creating instances and managing the server process running on the local host.
For more information, see the dpadm(1M) man page.
dsconf – Connects to a Directory Server instance over LDAP to manage the server configuration: imports, backups, replication agreements and more.
For more information, see the dsconf(1M) man page.
dpconf – Connects to a Directory Proxy Server instance over LDAP to manage the server configuration.
For more information, see the dpconf(1M) man page.
On a Solaris package installation, these commands are located in /opt/SUNWdsee/ds6/bin and /opt/SUNWdsee/dps6/bin by default.
Some administrative operations, such as starting and stopping a server instance, require a local agent. For the command line, the local agent is the command itself. The dsadm and dpadm commands run locally because they require the server to be offline or they require specific system rights. For example, if you use the dsadm command to change a certificate, the server can be running but the operation needs to be executed by a privileged user.
You can use the DSEE CLI to administer and configure your directory remotely. You can run the dsconf and dpconf commands remotely to create suffixes, server instances, and indexes. These commands use LDAP authentication, so you do not need a local user on your machine, although the server instance itself must be running.
DSEE includes several features that improve the way in which the component products can be installed.
DSEE provides flexible commands for each step of the installation process so that you can write custom scripts to install and minimally configure a DSEE instance. You can then use your scripts to standardize your deployment so that each server is automatically configured the same.
Directory Server allows you to install the DSEE components as a non-root user. This non-root installation is possible with the zip distribution. You can also install the Directory Service Control Center as a non-root user using the WAR file.
Operating system-specific packaging formats, such as SVR4 for Solaris and rpm for Linux, require installation as a privileged user.
Both the zip distribution and Java Enterprise System distribution provide the ability to install DSEE components into a user-specified installation directory.
With the zip distribution, you can install multiple distinct installations of the component products within a single operating system instance. You can even install the zip distribution on a system with an existing directory server packaging installation. The following constraints apply when installing multiple installations on a single system:
Each instance must be configured so that the total resources (RAM, CPU, and disk) that are consumed by the sum of all instances on the server do not exceed the available resources.
Each installation must have its own distinct installation path.
Each installation must have its own agent port.
With the introduction of Solaris 10 zones, you can also install different versions and installations of the package version of DSEE. In this case, each installation must be contained within its own unique Solaris 10 whole root zone.
The dsmig tool migrates a single Directory Server instance. The dsmig tool included with Directory Server 6.x allows you to migrate your schema, security information, and configuration information, including replication data, from Directory Server 5.1 to 6.2.
Directory Server allows you to change the configuration of the following while the server is running:
Suffixes. After Directory Server has been installed and brought online, you can continue to add new suffixes dynamically while the server keeps running.
Indexes. After you have defined the suffixes, you can add new indexes to accelerate search performance. You can customize your index according to function, such as indexes that list entries that have a particular attribute, that approximate a particular attribute, that contain a substring, or that match a particular locale. Indexes can be updated dynamically without interrupting the normal functions of the directory server itself.
Schema. You can change the directory schema dynamically. If the schema needs to be extended to meet the needs of an application, you can add new object classes and attributes while the server is running, without affecting operations.
Replication topology. You can set up and modify the replication topology while the server is running.
Directory Server can be configured to listen on multiple specific IP addresses. This feature allows Directory Server to be available simultaneously on several networks, including intranets and secure or restricted networks, such as demilitarized zones (DMZs).
You can simplify entry management by associating related entries in groups. The group mechanism makes it easy to retrieve a list of entries that are members of a given group and set access permissions for a whole group.
Entries can be managed as members of dynamic and static groups. Static groups are suitable for groups with few members, such as a group of directory administrators. A dynamic group specifies one or more URL search filters, so the dynamic group membership is defined each time these search filters are evaluated.
You can retrieve a list of all the static groups a given user is a member of by using the dynamic isMemberOf attribute. This attribute is located in the user entry and in nested group entries and holds the DNs of the static groups to which the member belongs. For example, Kirsten Vaughan is a new system administrator in the human resources department. Her entry shows that she is a member of both the System Administrators group and the HR Managers group.
$ ldapsearch -b "dc=example,dc=com" uid=kvaughan isMemberOf
uid=kvaughan, ou=People, dc=example,dc=com
isMemberOf: cn=System Administrators, ou=Groups, dc=example,dc=com
isMemberOf: cn=HR Managers,ou=groups,dc=example,dc=com
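As an added example that is not part of this documentation, the following Python script parses the output of the isMemberOf search above (embedded as a constructed copy), normalizes the group DNs before comparing them (the output itself mixes "ou=Groups" with "ou=groups" and varies the spacing after commas, so a literal string comparison would miss matches), and reports which of a hypothetical list of privileged groups the user belongs to:

```python
# Added example, not from the DSEE documentation: audit the static-group
# memberships that Directory Server reports in the isMemberOf attribute.

# Constructed copy of the ldapsearch output shown above (Sun ldapsearch
# prints the entry DN bare on the first line, then attribute lines).
SAMPLE_OUTPUT = """\
uid=kvaughan, ou=People, dc=example,dc=com
isMemberOf: cn=System Administrators, ou=Groups, dc=example,dc=com
isMemberOf: cn=HR Managers,ou=groups,dc=example,dc=com
"""

# Hypothetical list of groups whose membership an auditor wants flagged.
PRIVILEGED_GROUPS = ["cn=System Administrators,ou=Groups,dc=example,dc=com"]


def normalize_dn(dn):
    """Normalize a DN for comparison: drop spaces around ',' and '=' and
    lowercase types and values. Adequate for cn/ou/dc (caseIgnore) DNs
    like these; RFC 4514 escaping and multi-valued RDNs are not handled."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(attr.strip().lower() + "=" + value.strip().lower())
    return ",".join(parts)

def parse_is_member_of(output):
    """Return (entry DN, group DNs) from ldapsearch output for one entry.
    The first non-empty line is the DN, with or without a 'dn:' prefix."""
    entry_dn, groups = None, []
    for line in output.splitlines():
        if not line.strip():
            continue
        if entry_dn is None:
            dn = line.strip()
            entry_dn = dn[3:].strip() if dn.lower().startswith("dn:") else dn
        elif line.lower().startswith("ismemberof:"):
            groups.append(line.split(":", 1)[1].strip())
    return entry_dn, groups

def privileged_memberships(output, privileged=PRIVILEGED_GROUPS):
    """Return, normalized and sorted, the privileged groups the entry is in."""
    _, groups = parse_is_member_of(output)
    wanted = {normalize_dn(g) for g in privileged}
    return sorted({normalize_dn(g) for g in groups} & wanted)

if __name__ == "__main__":
    for group in privileged_memberships(SAMPLE_OUTPUT):
        print("privileged membership:", group)
```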
Membership testing for group entries has been improved. These improvements remove some of the previous restrictions on static groups, specifically the restriction on group size. This performance improvement is only effective after the group entry has been loaded into the entry cache.
Directory Server supports configuring the all IDs threshold individually for each index, saving disk space. You can change the global default all IDs threshold value and index-specific values by using the CLI or the DSCC.
See the all-ids-threshold(5dsconf) man page for details on this property.
The server-level all IDs threshold setting is inherited by any index on a suffix that does not define its own value.
The following command shows the default value of the global all IDs threshold:
# dsconf get-server-prop -w /tmp/.pwd-file -p 20390 all-ids-threshold
all-ids-threshold : 4000
You can change the global default all IDs threshold value by using the following command:
# dsconf set-server-prop -w /tmp/.pwd-file -p 20390 -i all-ids-threshold:2000
To view the current value of the global all IDs threshold, run the following command:
# dsconf get-server-prop -w /tmp/.pwd-file -p 20390 all-ids-threshold
all-ids-threshold : 2000
To read more about the features presented in this chapter, refer to the following documentation.
Directory Service Control Center
Part I, Installing Directory Service Control Center, Directory Proxy Server, Directory Server, and Directory Server Resource Kit, in Sun Java System Directory Server Enterprise Edition 6.2 Installation Guide
Migrating Directory Server
Static and dynamic groups
Tuning the all IDs threshold property
all-ids-threshold(5dsconf) man page