iPlanet Directory Server 5.1 Administrator's Guide
Contents 
List of Tables 
About This Guide 
Prerequisite Reading 
Conventions Used in This Book 
Related Information 
Chapter 1 Introduction to iPlanet Directory Server 
Overview of iPlanet Directory Server Management 
Using the iPlanet Directory Server Console 
Starting iPlanet Directory Server Console 
Navigating the Directory Server Console 
Tasks Tab 
Configuration Tab 
Directory Tab 
Status Tab 
Viewing the Current Bind DN From the Console 
Changing Login Identity 
Configuring the Directory Manager 
Launching the Help System 
The Console Clipboard 
Starting and Stopping the iPlanet Directory Server 
Starting/Stopping the Server From the Console 
Starting/Stopping the Server From the Command Line 
Configuring LDAP Parameters 
Changing Directory Server Port Numbers 
Placing the Entire Directory Server in Read-Only Mode 
Tracking Modifications to Directory Entries 
Starting the Server with SSL Enabled 
Chapter 2 Creating Directory Entries 
Managing Entries From the Directory Console 
Creating a Root Entry 
Creating Directory Entries 
Creating an Entry Using a Predefined Template 
Creating Other Types of Entries 
Modifying Directory Entries 
Displaying the Property Editor 
Adding an Object Class to an Entry 
Removing an Object Class 
Adding an Attribute to an Entry 
Adding Attribute Values 
Removing an Attribute Value 
Adding an Attribute Subtype 
Deleting Directory Entries 
Managing Entries From the Command Line 
Providing Input From the Command Line 
Creating a Root Entry From the Command Line 
Adding Entries Using LDIF 
Adding and Modifying Entries Using ldapmodify 
Adding Entries Using ldapmodify 
Modifying Entries Using ldapmodify 
Deleting Entries Using ldapdelete 
Using Special Characters 
LDIF Update Statements 
Adding an Entry Using LDIF 
Renaming an Entry Using LDIF 
A Note on Renaming Entries 
Modifying an Entry Using LDIF 
Adding Attributes to Existing Entries Using LDIF 
Changing an Attribute Value Using LDIF 
Deleting All Values of an Attribute Using LDIF 
Deleting a Specific Attribute Value Using LDIF 
Deleting an Entry Using LDIF 
Modifying an Entry in an Internationalized Directory 
Maintaining Referential Integrity 
How Referential Integrity Works 
Using Referential Integrity with Replication 
Configuring the Supplier Server 
Enabling/Disabling Referential Integrity 
From the iPlanet Directory Server Console 
Recording Updates in the Change Log 
From the iPlanet Directory Server Console 
Modifying the Update Interval 
From the iPlanet Directory Server Console 
Modifying the Attribute List 
From the iPlanet Directory Server Console 
Chapter 3 Configuring Directory Databases 
Creating and Maintaining Suffixes 
Creating Suffixes 
Creating a New Root Suffix Using the Console 
Creating a New Sub-Suffix Using the Console 
Creating Root and Sub Suffixes From the Command Line 
Maintaining Suffixes 
Using Referrals in a Suffix 
Enabling Referrals Only During Update Operations 
Disabling a Suffix 
Deleting a Suffix 
Creating and Maintaining Databases 
Creating Databases 
Creating a New Database for an Existing Suffix Using the Console 
Creating a New Database for a Single Suffix From the Command Line 
Adding Multiple Databases for a Single Suffix 
Adding the Custom Distribution Function to a Suffix 
Maintaining Directory Databases 
Placing a Database in Read-Only Mode 
Deleting a Database 
Creating and Maintaining Database Links 
Configuring the Chaining Policy 
Chaining Component Operations 
Chaining LDAP Controls 
Creating a New Database Link 
Creating a New Database Link Using the Console 
Creating a Database Link From the Command Line 
Chaining Using SSL 
Maintaining Database Links 
Updating Remote Server Authentication Information 
Deleting Database Links 
Database Links and Access Control Evaluation 
Advanced Feature: Tuning Database Link Performance 
Managing Connections to the Remote Server 
Detecting Errors During Normal Processing 
Managing Threaded Operations 
Advanced Feature: Configuring Cascading Chaining 
Overview of Cascading Chaining 
Configuring Cascading Chaining Defaults Using the Console 
Configuring Cascading Chaining Using the Console 
Configuring Cascading Chaining From the Command Line 
Summary of Cascading Chaining Configuration Attributes 
Cascading Chaining Configuration Example 
Configuring Server One 
Configuring Server Two 
Configuring Server Three 
Using Referrals 
Setting Default Referrals 
Setting a Default Referral Using the Console 
Setting a Default Referral From the Command Line 
Creating Smart Referrals 
Creating Smart Referrals Using the iPlanet Directory Server Console 
Creating Smart Referrals From the Command Line 
Creating Suffix Referrals 
Creating Suffix Referrals Using the Console 
Creating Suffix Referrals From the Command Line 
Chapter 4 Populating Directory Databases 
Enabling and Disabling Read-Only Mode 
Enabling Read-Only Mode 
Disabling Read-Only Mode 
Importing Data 
Performing an Import From the Console 
Initializing a Database From the Console 
Importing From the Command Line 
Importing Using the ldif2db Command 
Importing Using ldif2db-task Command 
Importing Using the ldif2ldap Command 
Exporting Data 
Exporting Directory Data to LDIF Using the Console 
Exporting a Single Database to LDIF Using the Console 
Exporting to LDIF From the Command Line 
Backing Up and Restoring Data 
Backing Up All Databases 
Backing Up All Databases From the Server Console 
Backing Up All Databases From the Command Line 
Backing Up a Single Database 
Backing Up the dse.ldif Configuration File 
Restoring All Databases 
Restoring All Databases from the Console 
Restoring Your Database From the Command Line 
Restoring a Single Database 
Restoring Databases that Include Replicated Entries 
Restoring a Supplier Replica 
Restoring a Consumer Replica 
Restoring the dse.ldif Configuration File 
Chapter 5 Advanced Entry Management 
Managing Groups 
Adding a New Static Group 
Adding a New Dynamic Group 
Modifying a Group Definition 
Removing a Group Definition 
Assigning Roles 
About Roles 
Role Limitations 
Managing Roles Using the Console 
Creating a Managed Role 
Creating a Filtered Role 
Creating a Nested Role 
Viewing and Editing an Entry's Roles 
Modifying a Role Entry 
Making a Role Inactive 
Reactivating a Role 
Deleting a Role 
Managing Roles Using the Command Line 
Example of a Managed Role Definition 
Example of a Filtered Role Definition 
Example of a Nested Role Definition 
Using Roles Securely 
Defining Class of Service (CoS) 
About CoS 
The CoS Definition and Template Entries 
Pointer CoS Example 
Indirect CoS Example 
Classic CoS Example 
CoS Limitations 
Managing CoS Using the Console 
Creating a New CoS 
Editing an Existing CoS 
Deleting a CoS 
Managing CoS From the Command Line 
Creating the CoS Definition Entry From the Command Line 
Creating the CoS Template Entry From the Command Line 
Example of a Pointer CoS 
Example of an Indirect CoS 
Example of a Classic CoS 
Creating Role-Based Attributes 
Making CoS Secure 
Protecting the CoS Definition Entry 
Protecting the CoS Template Entries 
Protecting the Target Entries of a CoS 
Protecting Other Dependencies 
Chapter 6 Managing Access Control 
Access Control Principles 
ACI Structure 
ACI Placement 
ACI Evaluation 
ACI Limitations 
Default ACIs 
Creating ACIs Manually 
The ACI Syntax 
Example ACI 
Defining Targets 
Targeting a Directory Entry 
Targeting Attributes 
Targeting Both an Entry and Attributes 
Targeting Entries or Attributes Using LDAP Filters 
Targeting Attribute Values Using LDAP Filters 
Targeting a Single Directory Entry 
Defining Permissions 
Allowing or Denying Access 
Assigning Rights 
Rights Required for LDAP Operations 
Permissions Syntax 
Bind Rules 
Bind Rule Syntax 
Defining User Access - userdn Keyword 
Anonymous Access (anyone Keyword) 
General Access (all Keyword) 
Self Access (self Keyword) 
Parent Access (parent Keyword) 
LDAP URLs 
Wildcards 
Examples 
Defining Group Access - groupdn Keyword 
Examples 
Defining Role Access - roledn Keyword 
Defining Access Based on Value Matching 
Using the userattr Keyword 
Using the userattr Keyword With Inheritance 
Granting Add Permission Using the userattr Keyword 
Defining Access From a Specific IP Address 
Defining Access from a Specific Domain 
Defining Access at a Specific Time of Day or Day of Week 
Examples 
Defining Access Based on Authentication Method 
Examples 
Using Boolean Bind Rules 
Creating ACIs From the Console 
Displaying the Access Control Editor 
Viewing Current ACIs 
Creating a New ACI 
Editing an ACI 
Deleting an ACI 
Access Control Usage Examples 
Granting Anonymous Access 
Granting Write Access to Personal Entries 
Restricting Access to Key Roles 
Granting a Group Full Access to a Suffix 
Granting Rights to Add and Delete Group Entries 
Granting Conditional Access to a Group or Role 
Denying Access 
Setting a Target Using Filtering 
Allowing Users to Add or Remove Themselves From a Group 
Defining Permissions for DNs That Contain a Comma 
Proxy Authorization ACI Example 
Viewing the ACIs for an Entry 
Advanced Access Control: Using Macro ACIs 
Macro ACI Example 
Macro ACI Syntax 
Macro Matching for ($dn) 
Macro Matching for [$dn] 
Macro Matching for ($attr.attrName) 
Access Control and Replication 
Logging Access Control Information 
Compatibility with Earlier Releases 
Chapter 7 User Account Management 
Managing the Password Policy 
Configuring the Password Policy 
Configuring the Password Policy Using the Console 
Configuring the Password Policy Using the Command-Line 
Setting User Passwords 
Configuring the Account Lockout Policy 
Configuring the Account Lockout Policy Using the Console 
Configuring the Account Lockout Policy Using the Command Line 
Managing the Password Policy in a Replicated Environment 
Inactivating Users and Roles 
Inactivating User and Roles Using the Console 
Inactivating User and Roles Using the Command Line 
Activating User and Roles Using the Console 
Activating User and Roles Using the Command Line 
Setting Resource Limits Based on the Bind DN 
Setting Resource Limits Using the Console 
Setting Resource Limits Using the Command Line 
Chapter 8 Managing Replication 
Replication Overview 
Replica 
Supplier/Consumer 
Change Log 
Unit of Replication 
Replication Identity 
Replication Agreement 
Compatibility with Earlier Versions of iPlanet Directory Server 
Replication Scenarios 
Single-Master Replication 
Multi-Master Replication 
Cascading Replication 
Summary of Steps for Complex Replication Configurations 
Detailed Replication Tasks 
Creating the Supplier Bind DN Entry 
Configuring Supplier Settings 
Configuring a Supplier Replica 
Configuring a Consumer Replica 
Configuring a Hub Replica 
Creating a Replication Agreement 
Configuring Single-Master Replication 
Configuring the Consumer Server and Replica 
Configuring the Supplier Server and Replica 
Initializing Replicas in Single-Master Replication 
Configuring Multi-Master Replication 
Configuring the Consumer Servers and Replicas 
Configuring the Supplier Servers and Replicas 
Initializing Replicas in Multi-Master Replication 
Configuring Cascading Replication 
Configuring the Consumer Server and Replica 
Configuring the Hub Supplier and Replica 
Configuring the Supplier Server and Replica 
Configuring Replication Agreements 
Initializing Replicas in Cascading Replication 
Deleting the Change Log 
Removing the Change Log 
Moving the Change Log to a New Location 
Initializing Consumers 
When to Initialize a Consumer 
Online Consumer Initialization Using the Console 
Performing Online Consumer Initialization 
Manual Consumer Initialization Using the Command Line 
Manual Consumer Initialization Overview 
Exporting a Replica to LDIF 
Importing the LDIF File to the Consumer Server 
Keeping Replicas in Sync 
Replication Retry Algorithm 
Forcing Replication Updates from the Console 
Replication over SSL 
Configuring Replication Over SSL Using the Replication Wizard 
Configuring Replication Over SSL Using the Console 
Replication with Earlier Releases 
Configuring iPlanet Directory Server 5.1 as a Consumer of a Legacy Directory Server 
Using the Retro Change Log Plug-In 
Enabling the Retro Change Log Plug-In 
Trimming the Retro Change Log 
Searching and Modifying the Retro Change Log 
Retro Change Log and the Access Control Policy 
Monitoring Replication Status 
Solving Common Replication Conflicts 
Solving Naming Conflicts 
Renaming an Entry with a Multi-Valued Naming Attribute 
Renaming an Entry with a Single-Valued Naming Attribute 
Solving Orphan Entry Conflicts 
Solving Potential Interoperability Problems 
Chapter 9 Extending the Directory Schema 
Overview of Extending Schema 
Managing Attributes 
Viewing Attributes 
Creating Attributes 
Editing Attributes 
Deleting Attributes 
Managing Object Classes 
Viewing Object Classes 
Creating Object Classes 
Editing Object Classes 
Deleting Object Classes 
Turning Schema Checking On and Off 
Chapter 10 Managing Indexes 
About Indexes 
About Index Types 
About Default, System, and Standard Indexes 
Overview of Default Indexes 
Overview of System Indexes 
Overview of Standard Indexes 
Overview of the Searching Algorithm 
Balancing the Benefits of Indexing 
Creating Indexes 
Creating Indexes From the Server Console 
Creating Indexes From the Command Line 
Adding an Index Entry 
Running the db2index-task Command 
Creating Browsing Indexes From the Server Console 
Creating Browsing Indexes from the Command Line 
Adding a Browsing Index Entry 
Running the vlvindex Command 
Deleting Indexes 
Deleting Indexes From the Server Console 
Deleting Indexes From the Command Line 
Deleting an Index Entry 
Regenerating the Remaining Indexes 
Deleting Browsing Indexes From the Server Console 
Deleting Browsing Indexes From the Command Line 
Deleting a Browsing Index Entry 
Regenerating the Remaining Indexes 
Managing Indexes 
Benefits of the All IDs Mechanism 
Drawbacks of the All IDs Mechanism 
When All IDs Threshold is Too Low 
When All IDs Threshold is Too High 
All IDs Threshold Tuning Advice for Single-Enterprise Directories
All IDs Threshold Tuning Advice for Service Providers and Extranets 
Default All IDs Threshold Value 
Symptoms of an Inappropriate All IDs Threshold Value 
Changing the All IDs Threshold Value 
Attribute Name Quick Reference Table 
Chapter 11 Managing SSL 
Introduction to SSL in the iPlanet Directory Server 
Enabling SSL: Summary of Steps 
Obtaining and Installing Server Certificates 
Step 1: Generate a Certificate Request 
Step 2: Send the Certificate Request 
Step 3: Install the Certificate 
Step 4: Trust the Certificate Authority 
Step 5: Confirm That Your New Certificates Are Installed 
Activating SSL 
Setting Security Preferences 
Using Certificate-Based Authentication 
Setting up Certificate-Based Authentication 
Allowing/Requiring Client Authentication 
Configuring LDAP Clients to Use SSL 
Chapter 12 Monitoring Server and Database Activity 
Viewing and Configuring Log Files 
Defining a Log File Rotation Policy 
Defining a Log File Deletion Policy 
Access Log 
Viewing the Access Log 
Configuring the Access Log 
Error Log 
Viewing the Error Log 
Configuring the Error Log 
Audit Log 
Viewing the Audit Log 
Configuring the Audit Log 
Manual Log File Rotation 
Monitoring Server Activity 
Monitoring Your Server From the iPlanet Directory Server Console 
Viewing the Server Performance Monitor 
Overview of Server Performance Monitor Information 
General Information (Server) 
Resource Summary 
Current Resource Usage 
Connection Status 
Global Database Cache Information 
Monitoring Your Server From the Command Line 
Monitoring Database Activity 
Monitoring Database Activity From the Server Console 
Viewing Database Performance Monitors 
Overview of Database Performance Monitor Information 
General Information (Database) 
Summary Information Table 
Database Cache Information Table 
Database File-Specific Table 
Monitoring Databases From the Command Line 
Monitoring Database Link Activity 
Chapter 13 Monitoring iPlanet Directory Server Using SNMP 
About SNMP 
SNMP Overview 
NMS-Initiated Communication 
Managed Device-Initiated Communication 
Overview of the iPlanet Directory Server Management Information Base 
About the Operations Table 
The Entries Table 
Setting Up SNMP 
Starting and Stopping the SNMP Subagent 
Configuring SNMP for the iPlanet Directory Server 
Chapter 14 Tuning Directory Server Performance 
Tuning Server Performance 
Tuning Database Performance 
Optimizing Search Performance 
Tuning Transaction Logging 
Changing the Location of the Database Transaction Log 
Changing the Database Checkpoint Interval 
Disabling Durable Transactions 
Specifying Transaction Batching 
Miscellaneous Tuning Tips 
Creating Entries Under cn=config 
Chapter 15 Administering iPlanet Directory Server Plug-Ins 
Server Plug-in Functionality Reference 
7-bit Check Plug-In 
ACL Plug-In 
ACL Preoperation Plug-In 
Binary Syntax Plug-In 
Boolean Syntax Plug-In 
Case Exact String Syntax Plug-In 
Case Ignore String Syntax Plug-In 
Chaining Database Plug-In 
Class of Service Plug-In 
Country String Syntax Plug-In 
Distinguished Name Syntax Plug-In 
Generalized Time Syntax Plug-In 
Integer Syntax Plug-In 
Internationalization Plug-In 
ldbm Database Plug-In 
Legacy Replication Plug-In 
Multimaster Replication Plug-In 
Octet String Syntax Plug-in 
CLEAR Password Storage Plug-In 
CRYPT Password Storage Plug-In 
NS-MTA-MD5 Password Storage Plug-In 
SHA Password Storage Plug-In 
SSHA Password Storage Plug-in 
Postal Address String Syntax Plug-In 
PTA Plug-In 
Referential Integrity Postoperation Plug-In 
Retro Change Log Plug-In 
Roles Plug-In 
Telephone Syntax Plug-In 
UID Uniqueness Plug-in 
URI Plug-in 
Enabling and Disabling Plug-Ins From the Server Console 
Chapter 16 Using the Pass-Through Authentication Plug-In 
How Directory Server 5.1 Uses PTA 
PTA Plug-In Syntax 
Configuring the PTA Plug-In 
Turning the Plug-in On or Off 
Configuring the Servers to Use a Secure Connection 
Specifying the Authenticating Directory Server 
Specifying the Pass-Through Subtree 
Configuring the Optional Parameters 
PTA Plug-In Syntax Examples 
Chapter 17 Using the Attribute Uniqueness Plug-In 
Overview of the Attribute Uniqueness Plug-In 
Overview of the UID Uniqueness Plug-in 
Attribute Uniqueness Plug-In Syntax 
Creating an Instance of the Attribute Uniqueness Plug-In 
Configuring Attribute Uniqueness Plug-Ins 
Viewing Plug-In Configuration Information 
Configuring Attribute Uniqueness Plug-Ins From the iPlanet Directory Server Console 
Configuring Attribute Uniqueness Plug-Ins from the Command Line 
Turning the Plug-in On or Off 
Specifying a Suffix or Subtree 
Using the markerObjectClass and requiredObjectClass Keywords 
Attribute Uniqueness Plug-In Syntax Examples 
Replication and the Attribute Uniqueness Plug-In 
Simple Replication Scenario 
Multi-Master Replication Scenario 
Appendix A LDAP Data Interchange Format 
LDIF File Format 
Continuing Lines in LDIF 
Representing Binary Data 
Using Base 64 Encoding 
Specifying Directory Entries Using LDIF 
Specifying Organization Entries 
Specifying Organizational Unit Entries 
Specifying Organizational Person Entries 
Defining Directories Using LDIF 
LDIF File Example 
Storing Information in Multiple Languages 
Appendix B Finding Directory Entries 
Finding Entries Using the Server Console 
Using ldapsearch 
Using Special Characters 
ldapsearch Command-Line Format 
Commonly Used ldapsearch options 
ldapsearch Examples 
Returning All Entries 
Specifying Search Filters on the Command Line 
Searching the Root DSE Entry 
Searching the Schema Entry 
Displaying Subsets of Attributes 
Specifying DNs that Contain Commas in Search Filters 
LDAP Search Filters 
Search Filter Syntax 
Using Attributes in Search Filters 
Using Operators in Search Filters 
Using Compound Search Filters 
Search Filter Examples 
Searching an Internationalized Directory 
Matching Rule Filter Syntax 
Matching Rule Formats 
Using Wildcards in Matching Rule Filters 
Supported Search Types 
International Search Examples 
Less Than Example 
Less Than or Equal to Example 
Equality Example 
Greater Than or Equal to Example 
Greater Than Example 
Substring Example 
Appendix C LDAP URLs 
Components of an LDAP URL 
Escaping Unsafe Characters 
Examples of LDAP URLs 
Appendix D Internationalization 
About Locales 
Identifying Supported Locales 
Supported Language Subtypes 
Glossary 
Index 
Copyright © 2002 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.
Last Updated February 26, 2002