Sun Java(TM) System Directory Server 5.2 2005Q1 Administration Guide 

Contents


List of Figures    

List of Tables    

List of Procedures    

List of Code Examples    

Preface    
Conventions    
Related Books    
Directory Server Books    
Administration Server Books    
Directory Proxy Server Books    
Related Java Enterprise System Books    
Documentation, Support, and Training    
Related Third-Party Web Site References    
Sun Welcomes Your Comments    

Chapter 1   Directory Server Administration Overview    
Overview of Directory Server Management    
Starting and Stopping Directory Server    
Starting and Stopping the Server From the Command Line    
Starting and Stopping the Server From the Console    
Starting the Server with SSL Enabled    
Starting the Server as a Non-Root User on Ports less than 1024    
Using Directory Server Console    
Starting Directory Server Console    
Navigating Directory Server Console    
Tasks Tab    
Configuration Tab    
Directory Tab    
Status Tab    
Viewing the Current Bind DN From the Console    
Changing Your Login Identity    
Using the Online Help    
The Console Clipboard    
Console Settings    
Visual Configuration Preferences    
Directory Tree View Options    
Configuring LDAP Parameters    
Configuring the Directory Manager    
Changing Directory Server Port Numbers    
To Modify the Port or Secure Port on Which Directory Server Listens for Incoming LDAP Requests    
Setting Global Read-Only Mode    
Tracking Modifications to Directory Entries    
Verifying Plug-In Signatures    
Configuring the Verification of Plug-In Signatures    
Viewing the Status of a Plug-In    
Configuring DSML    
Enabling DSML Requests    
Configuring DSML Security    
DSML Identity Mapping    

Chapter 2   Managing Directory Entries    
Configuration Entries    
Modifying the Configuration Using the Console    
Modifying the Configuration From the Command Line    
Modifying the dse.ldif File    
Managing Entries Using the Console    
Creating Directory Entries    
Creating an Entry Using a Custom Editor    
Creating Other Types of Entries    
Modifying Entries With a Custom Editor    
Invoking the Custom Editor    
Setting Attributes for Language Support    
Modifying Entries With the Generic Editor    
Invoking the Generic Editor    
To Invoke the Generic Editor for Any Entry in the Directory    
Modifying Attribute Values    
To Modify Attribute Values    
Editing Multi-Valued Attributes    
Adding an Attribute    
Removing an Attribute    
Managing Object Classes    
Deleting Directory Entries    
Bulk Operations Using the Console    
Managing Entries From the Command Line    
Providing LDIF Input    
Terminating LDIF Input on the Command Line    
Using Special Characters    
Using Attribute OIDs    
Schema Checking    
Ordering of LDIF Entries    
Managing Large Entries    
Error Handling    
Adding Entries Using ldapmodify    
Modifying Entries Using ldapmodify    
Adding an Attribute Value    
Using the Binary Attribute Subtype    
Adding an Attribute with a Language Subtype    
Modifying Attribute Values    
Deleting an Attribute Value    
Modifying One Value of a Multi-Valued Attribute    
Deleting Entries Using ldapdelete    
Deleting Entries Using ldapmodify    
Renaming and Moving Entries    
Introduction to the Modify DN Operation    
Difference Between Rename and Move Operations    
Guidelines and Limitations for Using the Modify DN Operation    
Renaming or Moving an Entry by Using the Console    
Enabling the Modify DN Operation by Using the Console    
To Extend the ACI Rights by Using the Console    
To Enable or Disable the Modify DN Operation Globally by Using the Console    
To Enable the Modify DN Operation for Specified Suffixes by Using the Console    
Renaming an Entry by Using the Console    
To Rename an Entry by Using the Console    
Moving an Entry by Using the Console    
To Move an Entry by Using the Console    
Moving and Renaming an Entry by Using the Console    
Renaming or Moving an Entry by Using the ldapmodify Command    
Enabling the Modify DN Operation by Using the ldapmodify Command    
To Enable the Modify DN Operation Globally by Using the ldapmodify Command    
To Enable the Modify DN Operation for a Suffix by Using the ldapmodify Command    
Renaming an Entry by Using the ldapmodify Command    
To Rename a Leaf Entry by Using the ldapmodify Command    
Moving an Entry by Using the ldapmodify Command    
To Move an Entry by Using the ldapmodify Command    
To Rename and Move an Entry by Using the ldapmodify Command    
Setting Referrals    
Setting the Default Referrals    
Setting a Default Referral Using the Console    
Setting a Default Referral From the Command Line    
Creating Smart Referrals    
Creating Smart Referrals Using the Console    
Creating Smart Referrals From the Command Line    
Encrypting Attribute Values    
Configuring Attribute Encryption Using the Console    
Configuring Attribute Encryption From the Command Line    
Maintaining Referential Integrity    
How Referential Integrity Works    
Configuring Referential Integrity    
Configuring Referential Integrity From the Console    
Using Referential Integrity with Replication    
Using Referential Integrity With Legacy Replication    
Searching the Directory    
Searching the Directory With ldapsearch    
ldapsearch Command-Line Format    
Using Special Characters    
Commonly Used ldapsearch options    
ldapsearch Examples    
Returning All Entries    
Specifying Search Filters on the Command Line    
Searching the Root DSE Entry    
Searching the Schema Entry    
Using LDAP_BASEDN    
Displaying Subsets of Attributes    
Searching Multi-Valued Attributes    
Using Client Authentication When Searching    
LDAP Search Filters    
Search Filter Syntax    
Using Attributes in Search Filters    
Using Operators in Search Filters    
Using OIDs in Search Filters    
Using Compound Search Filters    
Specifying Search Filters Using a File    
Specifying Non 7-Bit ASCII Characters in Search Filters    
Search Filter Examples    
Searching for Operational Attributes    
Searching an Internationalized Directory    
Matching Rule Filter Syntax    
Matching Rule Formats    
Using Wildcards in Matching Rule Filters    
Supported Search Types    
International Search Examples    
Less Than Example    
Less Than or Equal to Example    
Equality Example    
Greater Than or Equal to Example    
Greater Than Example    
Substring Example    
Accessing the Directory Using DSMLv2    
An Empty Anonymous DSML "Ping" Request    
Issuing a DSML Request to Bind as a Particular User    
A DSML Search Request    

Chapter 3   Creating Your Directory Tree    
Creating Suffixes    
Creating a New Root Suffix Using the Console    
Creating a New Subsuffix Using the Console    
Creating Suffixes From the Command Line    
Managing Suffixes    
Disabling or Enabling a Suffix    
Disabling or Enabling a Suffix Using the Console    
Disabling or Enabling a Suffix From the Command Line    
Setting Access Permissions and Referrals    
Setting Access Permissions and Referrals Using the Console    
Setting Access Permissions and Referrals From the Command Line    
Deleting a Suffix    
Deleting a Suffix Using the Console    
Deleting a Suffix From the Command Line    
Creating Chained Suffixes    
Creating a Proxy Identity    
Creating a Proxy Identity Using the Console    
Creating a Proxy Identity From the Command Line    
Setting Default Chaining Parameters    
Client Return Parameters    
Cascading Chaining Parameters    
Connection Management Parameters    
Error Detection Parameters    
Setting Default Chaining Parameters Using the Console    
Setting Default Chaining Parameters From the Command Line    
Creating Chained Suffixes Using the Console    
Creating Chained Suffixes From the Command Line    
Access Control Through Chained Suffixes    
Chaining Using SSL    
Managing Chained Suffixes    
Configuring the Chaining Policy    
Chaining Policy of LDAP Controls    
Chaining Policy of Server Components    
Modifying the Chaining Policy Using the Console    
Modifying the Chaining Policy From the Command Line    
Disabling or Enabling a Chained Suffix    
Disabling or Enabling a Chained Suffix Using the Console    
Disabling or Enabling a Suffix From the Command Line    
Setting Access Permissions and Referrals    
Setting Access Permissions and Referrals Using the Console    
Setting Access Permissions and Referrals Using the Console    
Modifying the Chaining Parameters    
Modifying the Chaining Parameters Using the Console    
Modifying the Chaining Parameters From the Command Line    
Optimizing Thread Usage    
Setting Thread Resources Using the Console    
Setting Thread Resources From the Command Line    
Deleting a Chained Suffix    
Deleting a Chained Suffix Using the Console    
Deleting a Suffix From the Command Line    
Configuring Cascading Chaining    
Setting the Cascading Parameters    
Setting the Cascading Parameters Using the Console    
Setting the Cascading Parameters From the Command Line    
Transmitting LDAP Controls for Cascading    

Chapter 4   Backing Up and Restoring Data    
Setting Suffix Read-Only Mode    
Importing Data    
Importing LDIF Files    
Importing LDIF Using the Console    
Importing LDIF From the Command Line    
Initializing a Suffix    
Initializing a Suffix From the Console    
Initializing a Suffix Using the ldif2db Command    
Initializing a Suffix Using ldif2db-task    
Exporting Data    
Exporting the Entire Directory to LDIF Using the Console    
Exporting a Single Suffix to LDIF Using the Console    
Exporting to LDIF From the Command Line    
Backing Up Data    
Backing Up Your Server Using the Console    
Backing Up Your Server From the Command Line    
Backing Up the dse.ldif Configuration File    
Restoring Data from Backups    
Restoring Replicated Suffixes    
Restoring the Supplier in a Single-Master Scenario    
Restoring a Supplier in a Multi-Master Scenario    
Restoring a Hub    
Restoring a Dedicated Consumer    
Restoring Your Server Using the Console    
Restoring Your Server from the Command Line    
Using the bak2db Command    
Using bak2db-task    
Restoring the dse.ldif Configuration File    

Chapter 5   Managing Identity and Roles    
Managing Groups    
Adding a New Static Group    
Adding a New Dynamic Group    
Modifying a Group Definition    
Removing a Group Definition    
Assigning Roles    
About Roles    
Searching the nsRole Attribute    
Permissions on the nsRole Attribute    
Assigning Roles Using the Console    
Creating a Managed Role    
Creating a Filtered Role    
Creating a Nested Role    
Viewing and Editing an Entry's Roles    
Modifying a Role Entry    
Deleting a Role    
Managing Roles From the Command Line    
Example of a Managed Role Definition    
Example of a Filtered Role Definition    
Example of a Nested Role Definition    
Defining Class of Service (CoS)    
About CoS    
CoS Limitations    
Managing CoS Using the Console    
Creating a New CoS    
Editing an Existing CoS    
Deleting a CoS    
Managing CoS From the Command Line    
Creating the CoS Definition Entry From the Command Line    
Overriding Real Attribute Values    
Multivalued CoS Attributes    
CoS Attribute Priority    
Creating the CoS Template Entry From the Command Line    
Example of a Pointer CoS    
Example of an Indirect CoS    
Example of a Classic CoS    
Creating Role-Based Attributes    
Monitoring the CoS Plug-In    

Chapter 6   Managing Access Control    
Access Control Principles    
ACI Structure    
ACI Placement    
ACI Evaluation    
ACI Limitations    
Default ACIs    
ACI Syntax    
Defining Targets    
Targeting a Directory Entry    
Targeting Attributes    
Targeting Both an Entry and Attributes    
Targeting Entries or Attributes Using LDAP Filters    
Targeting Attribute Values Using LDAP Filters    
Targeting a Single Directory Entry    
Defining Targets Using Macros    
Defining Permissions    
Allowing or Denying Access    
Assigning Rights    
Rights Required for LDAP Operations    
Permissions Syntax    
Bind Rules    
Bind Rule Syntax    
Defining User Access - userdn Keyword    
Anonymous Access (anyone Keyword)    
General Access (all Keyword)    
Self Access (self Keyword)    
Parent Access (parent Keyword)    
LDAP URLs    
Wildcards    
Logical OR of LDAP URLs    
Excluding a Specific LDAP URL    
Defining Group Access - groupdn Keyword    
Single LDAP URL    
Logical OR of LDAP URLs    
Defining Role Access - roledn Keyword    
Defining Access Based on Value Matching    
Using the userattr Keyword    
Using the userattr Keyword With Inheritance    
Granting Add Permission Using the userattr Keyword    
Defining Access From a Specific IP Address    
Defining Access from a Specific Domain    
Defining Access at a Specific Time of Day or Day of Week    
Defining Access Based on Authentication Method    
Examples    
Using Boolean Bind Rules    
Creating ACIs From the Command Line    
Viewing ACI Attribute Values    
Creating ACIs Using the Console    
Viewing the ACIs of an Entry    
Creating a New ACI    
Editing an ACI    
Deleting an ACI    
Access Control Usage Examples    
Granting Anonymous Access    
Granting Write Access to Personal Entries    
Restricting Access to Key Roles    
Granting a Group Full Access to a Suffix    
Granting Rights to Add and Delete Group Entries    
Granting Conditional Access to a Group or Role    
Denying Access    
Setting a Target Using Filtering    
Allowing Users to Add or Remove Themselves From a Group    
Defining Permissions for DNs That Contain a Comma    
Proxy Authorization ACI Example    
Viewing Effective Rights    
Restricting Access to the Get Effective Rights Control    
Using the Get Effective Rights Control    
Understanding Effective Rights Results    
Advanced Access Control: Using Macro ACIs    
Macro ACI Example    
Macro ACI Syntax    
Matching for ($dn) in the Target    
Substituting ($dn) in the Subject    
Substituting [$dn] in the Subject    
Macro Matching for ($attr.attrName)    
Access Control and Replication    
Access Control and Chaining    
Logging Access Control Information    
Compatibility with Earlier Releases    

Chapter 7   Managing User Accounts and Passwords    
Overview of Password Policies    
Configuring the Global Password Policy    
Configuring the Password Policy Using the Console    
Configuring the Password Policy From the Command Line    
Managing Individual Password Policies    
Defining a Policy Using the Console    
Defining a Policy From the Command Line    
Assigning Password Policies    
Using the Console    
From the Command Line    
Using Roles and CoS    
Protecting the Individual Password Policy    
Resetting User Passwords    
Inactivating and Activating Users and Roles    
Setting User and Role Activation Using the Console    
Setting User and Role Activation From the Command Line    
Setting Individual Resource Limits    
Setting Resource Limits Using the Console    
Setting Resource Limits From the Command Line    

Chapter 8   Managing Replication    
Introduction    
Summary of Steps for Configuring Replication    
Choosing Replication Managers    
Configuring a Dedicated Consumer    
Creating the Suffix for the Consumer Replica    
Enabling a Consumer Replica    
Advanced Consumer Configuration    
Configuring a Hub    
Creating the Suffix for the Hub Replica    
Enabling a Hub Replica    
Advanced Hub Configuration    
Configuring a Master Replica    
Defining the Suffix for the Master Replica    
Enabling a Master Replica    
Advanced Multi-Master Configuration    
Creating Replication Agreements    
Configuring Fractional Replication    
Considerations for Fractional Replication    
Defining the Attribute Set    
Enabling Fractional Replication    
Initializing Replicas    
When to Initialize    
Initializing Replicas in Multi-Master Replication    
Initializing Replicas in Cascading Replication    
Convergence After Multi-Master Initialization    
To Begin Accepting Updates Through the Console    
To Begin Accepting Updates Through the Command Line    
To Set the Automatic Referral Delay    
Initializing a Replica Using the Console    
Performing Online Replica Initialization    
Initializing a Replica From the Command Line    
Exporting a Replica to LDIF    
Filtering an LDIF File for Fractional Replication    
Importing the LDIF File to the Consumer Replica    
Initializing a Replica Using Binary Copy    
Binary Copy Restrictions    
Binary Copy Without Stopping the Server    
Binary Copy Using Minimum Disk Space    
Enabling the Referential Integrity Plug-In    
Replication Over SSL    
Replication Over a WAN    
Configuring Network Parameters    
Scheduling Replication Activity    
Data Compression    
Modifying the Replication Topology    
Managing Replication Agreements    
Changing the Replication Manager    
Duplicating a Replication Agreement    
Disabling a Replication Agreement    
Enabling a Replication Agreement    
Deleting a Replication Agreement    
Promoting or Demoting Replicas    
Disabling Replicas    
Moving the Change Log    
Keeping Replicas in Sync    
Replication Retry Algorithm    
Forcing Replication Updates from the Console    
Forcing Replication Updates from the Command Line    
Replication With Earlier Releases    
Replicating Between Directory Server 5.2 and Directory Server 5.1    
Replicating Between Directory Server 5.2 and Directory Server 4.x    
To Configure Directory Server 5.2 as a Consumer of Directory Server 4.x    
Updating Directory Server 5.1 Schema    
To Update Directory Server 5.1 Schema    
Using the Retro Change Log Plug-In    
Description of the Retro Change Log Plug-In    
More Information About Retro Change Log    
Enabling the Retro Change Log Plug-In    
To Enable the Retro Change Log Plug-In by Using Directory Server Console    
To Enable the Retro Change Log Plug-In by Using the Command Line    
Configuring Retro Change Log to Record Updates to Specified Suffixes    
To Configure Retro Change Log to Record Updates for Specified Suffixes by Using Directory Server Console    
To Configure Retro Change Log to Record Updates for Specified Suffixes by Using the Command Line    
Configuring Retro Change Log to Record Attributes of a Deleted Entry    
To Configure Retro Change Log to Record Attributes of a Deleted Entry by Using Directory Server Console    
To Configure Retro Change Log to Record Attributes of a Deleted Entry by Using the Command Line    
Trimming the Retro Change Log    
Accessing the Retro Change Log    
Monitoring Replication Status    
Command-Line Tools    
Replication Status Tab    
Solving Common Replication Conflicts    
Solving Naming Conflicts    
Renaming an Entry with a Multi-Valued Naming Attribute    
Renaming an Entry with a Single-Valued Naming Attribute    
Solving Orphan Entry Conflicts    
Solving Potential Interoperability Problems    

Chapter 9   Extending the Directory Schema    
Schema Checking    
Setting Schema Checking Using the Console    
Setting Schema Checking From the Command Line    
Overview of Extending the Schema    
Modifying the Schema Files    
Modifying the Schema From the Command Line    
Modifying the Schema Using the Console    
Managing Attribute Definitions    
Viewing Attributes    
Creating Attributes    
Editing Attributes    
Deleting Attributes    
Managing Object Class Definitions    
Viewing Object Classes    
Creating Object Classes    
Editing Object Classes    
Deleting Object Classes    
Replicating Schema Definitions    
Modifying Replicated Schema Files    
Limiting Schema Replication    

Chapter 10   Indexing Directory Data    
Overview of Indexing    
System Indexes    
Default Indexes    
Attribute Name Quick Reference Table    
Managing Indexes    
Managing Indexes Using the Console    
Managing Indexes From the Command Line    
Creating an Index Configuration Entry    
Modifying an Index Configuration Entry    
Running db2index-task    
Deleting all Indexes for an Attribute    
Reindexing a Suffix    
Reindexing a Suffix    
Reinitializing a Suffix    
Modifying the Set of Default Indexes    
Managing Browsing Indexes    
Browsing Indexes for the Console    
Browsing Indexes for Client Searches    
Specifying the Browsing Index Entries    
Running the vlvindex Command    

Chapter 11   Managing Authentication and Encryption    
Introduction to SSL in Directory Server    
Summary of Steps for Enabling SSL    
Obtaining and Installing Server Certificates    
Creating a Certificate Database    
Using the Console    
Using the Command Line    
Generating a Certificate Request    
Using the Console    
Using the Command Line    
Installing the Server Certificate    
Using the Console    
Using the Command Line    
Trusting the Certificate Authority    
Using the Console    
Using the Command Line    
Activating SSL    
Choosing Encryption Ciphers    
Allowing Client Authentication    
Configuring Client Authentication    
SASL Authentication Through DIGEST-MD5    
Configuring the DIGEST-MD5 Mechanism    
DIGEST-MD5 Identity Mappings    
SASL Authentication Through GSSAPI (Solaris Only)    
Configuring the Kerberos System    
Configuring the GSSAPI Mechanism    
GSSAPI Identity Mappings    
Identity Mapping    
Configuring LDAP Clients to Use Security    
Configuring Server Authentication in Clients    
Managing Client Certificates Through Mozilla    
Managing Client Certificates Through the Command Line    
Specifying SSL Options for Server Authentication    
Configuring Certificate-Based Authentication in Clients    
Obtaining and Installing a User Certificate    
Specifying SSL Options for Certificate-Based Client Authentication    
Using SASL DIGEST-MD5 in Clients    
Specifying a Realm    
Specifying Environment Variables    
Examples of the ldapsearch Command    
Using Kerberos SASL GSSAPI in Clients    
Configuring Kerberos V5 on a Client Host    
Specifying SASL Options for Kerberos Authentication    
Configuring Kerberos Authentication using GSSAPI with SASL: Example procedure    

Chapter 12   Implementing Pass-Through Authentication    
How Directory Server Uses PTA    
Configuring the PTA Plug-In    
Creating the Plug-In Configuration Entry    
Configuring PTA to Use a Secure Connection    
Setting the Optional Connection Parameters    
Specifying Multiple Servers and Subtrees    
Modifying the PTA Plug-In Configuration    

Chapter 13   Monitoring Directory Server Using Log Files    
Defining Log File Policies    
Defining a Log File Rotation Policy    
Defining a Log File Deletion Policy    
Manual Log File Rotation    
Access Log    
Viewing the Access Log    
Configuring the Access Log    
Errors Log    
Viewing the Errors Log    
Configuring the Errors Log    
Audit Log    
Configuring the Audit Log    
Viewing the Audit Log    
Monitoring Server Activity    
Monitoring Your Server Using the Console    
Monitoring Your Server From the Command Line    

Chapter 14   Monitoring Directory Server Using SNMP    
SNMP in Sun Java System Servers    
Overview of the Directory Server MIB    
Setting Up SNMP    
On Solaris Platforms    
Plugging into the snmpdx SNMP master agent - Solaris example    
On Linux Platforms    
Hints for SNMP on Linux    
Configuring SNMP in Directory Server    
Starting and Stopping the SNMP Subagent    

Chapter 15   Enforcing Attribute Value Uniqueness    
Overview    
Enforcing Uniqueness of the uid Attribute    
Configuring the Plug-In Using the Console    
Configuring the Plug-In From the Command Line    
Enforcing Uniqueness of Another Attribute    
Using the Uniqueness Plug-In With Replication    
Single-Master Replication Scenario    
Multi-Master Replication Scenario    

Chapter 16   Troubleshooting Directory Server    
Troubleshooting Installation and Login    

Appendix A   Using the Sun Crypto Accelerator Board    
Before You Start    
Creating a Token    
Generating Bindings for the Board    
Importing Certificates    
Configuring SSL    

Appendix B   Third Party Licence Acknowledgements    
Glossary    


Part No: 817-7613-10.   Copyright 2005 Sun Microsystems, Inc. All rights reserved.