iPlanet Directory Server Administrator's Guide |
Chapter 1Introduction to iPlanet Directory Server
The iPlanet Directory Server product ships with a Directory Server, an Administration Server, and iPlanet Console. This chapter provides overview information about the Directory Server and the most basic tasks you need to start administering a directory service. It includes the following sections:
Overview of Directory Server Management
Using the Directory Server Console
Binding to the Directory From iPlanet Console
Starting and Stopping the Directory Server
Configuring the Directory Manager
Overview of Directory Server Management
iPlanet Directory Server is based on an open-systems server protocol called the Lightweight Directory Access Protocol (LDAP). The Directory Server is a robust, scalable server designed to manage an enterprise-wide directory of users and resources. The Directory Server runs as the ns-slapd process or service on your machine. The server manages the directory databases and responds to client requests.
You perform most Directory Server administrative tasks through the Administration Server, a second server that iPlanet provides to help you manage Directory Server (and all other iPlanet servers). For Directory Server, you use a part of the Administration Server called iPlanet Console. Directory Server Console is a part of iPlanet Console designed specifically for use with iPlanet Directory Server.
You can perform most Directory Server administrative tasks from the Directory Server Console. You can also perform administrative tasks manually by editing the configuration files or by using command-line utilities. For more information about the iPlanet Console, see Managing Servers with iPlanet Console.
Using the Directory Server Console
The Directory Server Console is an integral part of the iPlanet Console. You start the Directory Server Console from iPlanet Console, which is described in Managing Servers with iPlanet Console.
Starting Directory Server Console
1. Check that the directory server daemon, slapd-serverID, is running. If it is not, as root user, enter the following command to start it:
   # /usr/iplanet/servers/slapd-serverID/start-slapd
2. Check that the administration server daemon, admin-serv, is running. If it is not, as root user, enter the following command to start it:
   # /usr/iplanet/servers/start-admin
3. Start iPlanet Console by entering the following command:
   % /usr/iplanet/servers/startconsole
   - The Console login window is displayed. Or, if your configuration directory (the directory that contains the o=NetscapeRoot suffix) is stored in a separate instance of Directory Server, a window is displayed requesting the administrator user ID, password, and the URL of the Admin Server for that directory server.
4. Log in using the bind DN and password of a user with sufficient access permissions for the operations you want to perform.
   - For example, use cn=Directory Manager and the appropriate password. The iPlanet Console is displayed.
5. On the Topology tab, go down the navigation tree until you locate the Directory Server icon, and double-click this icon.
   - The Directory Server Console is displayed.
Configuring the Directory Manager
The Directory Manager is the privileged database administrator, comparable to the root user in UNIX. Access control does not apply to the entry you define as Directory Manager. You initially defined this entry during installation. The default is cn=Directory Manager. The password for this user is defined in the nsslapd-rootdn attribute.
To change the Directory Manager DN and password, and the encryption scheme used for this password:
1. Log in to the Directory Server Console as Directory Manager.
   - If you are already logged in to the Console, see "Binding to the Directory From iPlanet Console" for instructions on how to log in as a different user.
2. On the Directory Server Console, select the Configuration tab and then select the top entry in the navigation tree in the left pane.
3. Select the Manager tab in the right pane.
4. Enter the new distinguished name for the Directory Manager in the Root DN field.
   - The default value is cn=Directory Manager.
5. From the Manager Password Encryption pull-down menu, select the storage scheme you want the server to use to store the password for Directory Manager.
6. Enter the new password and confirm it using the text fields provided.
Binding to the Directory From iPlanet Console
When you create or manage entries from the Directory Server Console, and when you first access the iPlanet Console, you are given the option to log in by providing a bind DN and a password. This option lets you indicate who is accessing the directory tree. This determines the access permissions granted to you, and whether you can perform the requested operation.
Changing Login Identity
You can log in with the Directory Manager DN when you first start the iPlanet Console. At any time, you can choose to log in as a different user, without having to stop and restart the Console. For more information about the Directory Manager DN and password, refer to "Configuring the Directory Manager".
To change your login in iPlanet Console:
1. On the Directory Server Console, select the Tasks tab.
2. Click "Log on to the Directory Server as a New User."
   - A login dialog box appears.
3. Enter the new DN and password and click OK.
   - Enter the full distinguished name of the entry with which you want to bind to the server. For example, if you want to bind as the Directory Manager, enter the following in the Distinguished Name text box:
     cn=Directory Manager
Viewing the Current Bind DN From the Console
You can view the bind DN you used to log in to the Directory Server Console by clicking the login icon in the lower-left corner of the display. The current bind DN appears next to the login icon as shown here:
Figure 1-1    Viewing the Bind DN
Starting and Stopping the Directory Server
If you are not using Secure Sockets Layer (SSL), you can start and stop the Directory Server using the methods listed here. If you are using SSL, see "Starting the Server with SSL Enabled".
Starting/Stopping the Server From the Console
1. Start the Directory Server Console.
   - For instructions, refer to "Starting Directory Server Console".
2. On the Tasks tab, click "Start the Directory Server" or "Stop the Directory Server" as appropriate.
   - When you successfully start or stop your Directory Server from the Directory Server Console, the server displays a message box stating either that the server started or has shut down.
Alternatively, if you are using a Windows NT machine, from the Windows NT Services Control Panel:
1. Select Start > Settings > Control Panel from the desktop.
2. Double-click the Services icon.
3. Scroll through the list of services and select the iPlanet Directory Server.
   - The service name is iPlanet Directory Server 5.0 (serverID), where serverID is the identifier you specified for the server when you installed it.
4. Start or stop the service.
Starting/Stopping the Server From the Command Line
Use one of the following scripts:
/usr/iplanet/servers/slapd-serverID/start-slapd
/usr/iplanet/servers/slapd-serverID/stop-slapd
where serverID is the identifier you specified for the server when you installed it.
On UNIX, both of these scripts must run with the same UID and GID as the Directory Server. For example, if the Directory Server runs as nobody, you must run the start-slapd and stop-slapd utilities as nobody.
Configuring LDAP Parameters
You can view and change the parameters relevant to the server's network and LDAP settings through the Directory Server Console. This section provides information on:
Changing Directory Server Port Numbers
Placing the Entire Directory Server in Read-Only Mode
Tracking Modifications to Directory Entries
For information on schema checking, see Chapter 9, "Extending the Directory Schema."
Changing Directory Server Port Numbers
You can modify the port or secure port number of your user directory server using the Directory Server Console or by changing the value of the nsslapd-port attribute under the cn=config entry. If you want to modify the port or secure port for an iPlanet Directory Server that contains the iPlanet configuration information (o=NetscapeRoot subtree), you may do so through Directory Server Console.
If you change the configuration directory or user directory port or secure port numbers, you should be aware of the following repercussions:
- You need to change the configuration or user directory port or secure port number configured for the Administration Server. See Managing Servers with iPlanet Console for information.
- If you have other iPlanet Servers installed that point to the configuration or user directory, you need to update those servers to point to the new port number.
To modify the port or secure port on which either a user or a configuration directory listens for incoming requests:
1. On the Directory Server Console, select the Configuration tab and then select the top entry in the navigation tree in the left pane.
2. Select the Settings tab in the right pane.
3. Enter the port number you want the server to use for non-SSL communications in the Port text box.
4. Enter the port number you want the server to use for SSL communications in the Encrypted Port text box.
   - The encrypted port number that you specify must not be the same port number as you are using for normal LDAP communications. The default value is 636.
5. Click Save and then restart the server.
   - See "Starting and Stopping the Directory Server" for information.
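The two checks worth automating before saving a port change are the ones the procedure states (the Encrypted Port must differ from the non-SSL Port) and the one it leaves implicit (a port below 1024 needs root privilege at startup on UNIX). The following is an added example, not part of the product or this guide; the attribute name nsslapd-port, the cn=config entry and the 636 default come from this section, while the validation rules and the LDIF form of the manual change are my own construction.

```python
"""Checks for a Directory Server port change, and the LDIF that applies a new
non-SSL port to nsslapd-port under cn=config. Added example, not product code:
the attribute name, the cn=config entry and the 636 default come from the
chapter; the rules below are a constructed review policy."""

DEFAULT_SECURE_PORT = 636       # the chapter's default for the Encrypted Port
UNPRIVILEGED_PORT_FLOOR = 1024  # below this, binding the port needs root on UNIX


def validate_ports(ldap_port, secure_port):
    """Return (errors, warnings). Errors mean the pair must not be saved;
    warnings are operational caveats to settle before the restart."""
    errors, warnings = [], []
    for label, value in (("Port", ldap_port), ("Encrypted Port", secure_port)):
        if not isinstance(value, int) or not 1 <= value <= 65535:
            errors.append(f"{label} {value!r} is not a TCP port in 1-65535")
        elif value < UNPRIVILEGED_PORT_FLOOR:
            warnings.append(f"{label} {value} is privileged; on UNIX the server "
                            "needs root at startup to bind it")
    if ldap_port == secure_port:
        errors.append("Encrypted Port must not be the same as the non-SSL Port")
    return errors, warnings


def port_change_ldif(new_port, secure_port=DEFAULT_SECURE_PORT):
    """LDIF for the manual route the chapter mentions: replace nsslapd-port on
    cn=config. Refuses to emit a change that validate_ports rejects. The admin
    still has to restart the server and repoint the Administration Server and
    any other iPlanet servers at the new port."""
    errors, _ = validate_ports(new_port, secure_port)
    if errors:
        raise ValueError("; ".join(errors))
    return (
        "dn: cn=config\n"
        "changetype: modify\n"
        "replace: nsslapd-port\n"
        f"nsslapd-port: {new_port}\n"
    )


if __name__ == "__main__":
    for pair in ((389, 636), (636, 636), (1389, 70000)):
        print(pair, validate_ports(*pair))
    print(port_change_ldif(1389))
```

The LDIF only covers the non-SSL port; the secure port is passed in so the same-port check still runs, and the Administration Server and any other iPlanet servers must be updated by hand as the list above describes.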
Placing the Entire Directory Server in Read-Only Mode
If you maintain more than one database with your directory server and you need to place all your databases in read-only mode, you can do this in a single operation. Note, however, that if your Directory Server contains replicas, you must not use read-only mode because it will disable replication. For information on placing a single database in read-only mode, refer to "Enabling Read-Only Mode," on page 152.
To put the Directory Server in read-only mode:
1. On the Directory Server Console, select the Configuration tab and then select the top entry in the navigation tree in the left pane.
2. Select the Settings tab in the right pane.
3. Select the Make Entire Server Read-Only checkbox.
4. Click Save and then restart the server.
Tracking Modifications to Directory Entries
You can configure the server to maintain special attributes for newly created or modified entries:
creatorsName: The distinguished name of the person who initially created the entry.
createTimestamp: The timestamp for when the entry was created, in GMT (Greenwich Mean Time) format.
modifiersName: The distinguished name of the person who last modified the entry.
modifyTimestamp: The timestamp for when the entry was last modified, in GMT format.
Note: When a database link is used by a client application to create or modify entries, the creatorsName and modifiersName attributes do not reflect the real creator or modifier of the entries. These attributes contain the name of the administrator who is granted proxy authorization rights on the remote server. For information on proxy authorization, refer to "Providing Bind Credentials," on page 97.
To enable the Directory Server to track this information:
1. On the Directory Server Console, select the Configuration tab and then select the top entry in the navigation tree in the left pane.
2. Select the Settings tab in the right pane.
3. Select the Track Entry Modification Times checkbox.
   - The server adds the creatorsName, createTimestamp, modifiersName, and modifyTimestamp attributes to every newly created or modified entry.
4. Click Save and then restart the server.
   - See "Starting and Stopping the Directory Server" for more information.
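Once tracking is on, the attributes are only useful for accountability if they are actually present on every entry and if an auditor remembers the database-link caveat in the note above. The following is an added example, not part of the product or this guide: a small audit that reads an LDIF export and reports entries missing any of the four attributes, timestamps not in the GMT form, and entries whose creator or modifier is the proxy administrator of a database link. The attribute names come from this section; the LDIF sample, the proxy-admin DN and the 14-digit GeneralizedTime form (e.g. 20010323140000Z) are assumptions made for the example.

```python
"""Audit of the entry-tracking attributes described above, run over an LDIF
export. Added example, not product code: the four attribute names come from
the chapter; the LDIF sample and the proxy-admin DN are constructed, and the
14-digit GMT GeneralizedTime form (e.g. 20010323140000Z) is the assumed
timestamp syntax."""
import re

TRACKING_ATTRS = ("creatorsName", "createTimestamp", "modifiersName", "modifyTimestamp")
GMT_TIMESTAMP = re.compile(r"^\d{14}Z$")  # YYYYMMDDHHMMSSZ, the Z marking GMT

# Constructed export: a clean entry, one written through a database link with a
# malformed timestamp and no modifier attributes, and one with no tracking at all.
SAMPLE_LDIF = """\
dn: uid=bjensen,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: bjensen
creatorsName: cn=Directory Manager
createTimestamp: 20010323140000Z
modifiersName: uid=admin,ou=People,dc=example,dc=com
modifyTimestamp: 20010323153000Z

dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
creatorsName: cn=proxy admin,cn=config
createTimestamp: 2001-03-23 15:30

dn: uid=kwon,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: kwon
"""


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of 'attr: value'
    lines, attribute names folded to lower case. No continuation lines or
    base64 values, which is enough for a read-only audit of an export."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF line: {line!r}")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def audit_entry(entry, proxy_admin_dn=None):
    """Findings for one parsed entry; an empty list means the entry carries
    all four attributes, well-formed timestamps, and a real creator/modifier."""
    findings = []
    dn = entry.get("dn", ["<no dn>"])[0]
    for attr in TRACKING_ATTRS:
        if attr.lower() not in entry:
            findings.append(f"{dn}: missing {attr}")
    for attr in ("createTimestamp", "modifyTimestamp"):
        for value in entry.get(attr.lower(), []):
            if not GMT_TIMESTAMP.match(value):
                findings.append(f"{dn}: {attr} {value!r} is not a GMT timestamp")
    if proxy_admin_dn:
        # Entries written through a database link carry the proxy admin's DN,
        # so the "who" these attributes record is not the real client user.
        for attr in ("creatorsName", "modifiersName"):
            if any(v.lower() == proxy_admin_dn.lower() for v in entry.get(attr.lower(), [])):
                findings.append(f"{dn}: {attr} is the database-link proxy admin, not the real user")
    return findings


def audit_ldif(text, proxy_admin_dn=None):
    """All findings for an LDIF export, in entry order."""
    return [f for entry in parse_ldif(text) for f in audit_entry(entry, proxy_admin_dn)]


if __name__ == "__main__":
    for finding in audit_ldif(SAMPLE_LDIF, proxy_admin_dn="cn=proxy admin,cn=config"):
        print(finding)
```

Entries that existed before the checkbox was enabled show up as missing all four attributes, which is expected; the proxy-admin finding is the one to read together with the note above before treating creatorsName as evidence of who really made a change.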
Starting the Server with SSL Enabled
On Windows NT, if you are using SSL with your server, you must start the server from the server's host machine. This is because a dialog box will prompt you for the certificate PIN before the server will start. For security reasons, this dialog box appears only on the server's host machine. On UNIX, you must start the server from the command line.
Alternatively, on either platform, you can create a password file to store your certificate password. By placing your certificate database password in a file, you can start your server from the server console, and also allow your server to automatically restart when running unattended.
This password is stored in clear text within the password file, so its usage represents a significant security risk. Do not use a password file if your server is running in an unsecured environment.
The password file must be placed in the following location:
/usr/iplanet/servers/alias/slapd-serverID-pin.txt
where serverID is the identifier you specified for the server when you installed it.
You need to include the token name and password in the file as follows:
Internal (Software) Token:mypassword
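Because the file holds the certificate database password in clear text, the practical mitigations are to keep it readable by the server's runtime user only and to make sure its contents are exactly the "token name:password" lines the server expects. The following is an added example, not part of the product or this guide: a checker for both. The path pattern and the Internal (Software) Token line come from this section; the 0600-and-owner policy and the sample token names are my own assumptions.

```python
"""Format and permission checks for the certificate password (PIN) file.
Added example, not product code: the path pattern and the
'Internal (Software) Token:mypassword' line come from the chapter; the
0600/owner policy is a constructed hardening rule for a clear-text secret."""
import os
import stat
import tempfile

PIN_FILE_TEMPLATE = "/usr/iplanet/servers/alias/slapd-{server_id}-pin.txt"


def pin_file_path(server_id):
    """Path the chapter gives for the password file of one server instance."""
    return PIN_FILE_TEMPLATE.format(server_id=server_id)


def parse_pin_file(text):
    """Map token name -> password from 'Token name:password' lines. Blank lines
    are ignored; any other malformed line is an error, since the server would
    not find its PIN in it. The password may itself contain colons."""
    tokens = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        token, sep, password = line.partition(":")
        if not sep or not token.strip() or not password:
            raise ValueError(f"line {lineno}: expected 'Token name:password'")
        tokens[token.strip()] = password
    if not tokens:
        raise ValueError("password file has no token entries")
    return tokens


def permission_problems(mode, file_uid, server_uid):
    """Findings about who can read the clear-text PIN: anything beyond the
    owner, or an owner other than the server's runtime user, is a problem."""
    problems = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {oct(stat.S_IMODE(mode))} lets group/other reach the PIN; use 0600")
    if file_uid != server_uid:
        problems.append(f"owner uid {file_uid} is not the server runtime uid {server_uid}")
    return problems


def check_pin_file(path, server_uid):
    """Return (tokens, problems) for an existing password file."""
    st = os.stat(path)
    problems = permission_problems(st.st_mode, st.st_uid, server_uid)
    with open(path) as fh:
        tokens = parse_pin_file(fh.read())
    return tokens, problems


if __name__ == "__main__":
    # Constructed demo: a sample file with the intended mode, then the same
    # file after it was left world-readable.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "slapd-demo-pin.txt")
        with open(path, "w") as fh:
            fh.write("Internal (Software) Token:mypassword\n")
        os.chmod(path, 0o600)
        print(check_pin_file(path, os.getuid()))
        os.chmod(path, 0o644)
        print(check_pin_file(path, os.getuid()))
```

Run check_pin_file against the real path from pin_file_path(serverID) with the UID the server runs as (the Server Runtime User ID chosen at instance creation); an empty problem list and a parsed token map mean the unattended restart will find its PIN without exposing it to other local users.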
To create certificate databases, you must use the administration server and the Certificate Setup Wizard. For information on certificate databases, certificate aliases, SSL, and obtaining a server certificate, see Managing Servers with iPlanet Console. For information on using SSL with your Directory Server, see Chapter 11, "Managing SSL."
Cloning a Directory Server
Once you have set up and configured your directory server, iPlanet Console offers a simple way of duplicating your configuration on another instance of the directory server. This is a two-phase procedure:
First, you must create a new instance of the directory server;
Second, you must clone the configuration of your first directory server instance and apply it to the new one.
Note: The configuration information that is duplicated during these operations does not include the o=NetscapeRoot suffix of the configuration directory.
Creating a New Directory Server Instance
1. In the iPlanet Console window, select and then right-click Server Group in the navigation tree.
2. From the pop-up menu, select Create Instance of > Directory Server.
3. Enter a unique identifier for the server in the Server Identifier field.
4. Enter a port number for LDAP communications in the Network Port field.
5. Enter the suffix managed by this new instance of the directory in the Base Suffix field.
6. Enter a DN for the Directory Manager in the Root DN field.
   - For information on the role and privileges of the Directory Manager entry, refer to "Configuring the Directory Manager".
7. Enter the password for this user in the Password for Root DN field, and confirm it by entering it again in the Confirm Password field.
8. If running the server on a UNIX host, enter the user ID for the directory server daemon in the Server Runtime User ID field.
Cloning the Directory Configuration
1. In the iPlanet Console window, expand the Server Group folder, and right-click the directory server that you want to clone.
2. From the pop-up menu, select Clone Server Config.
3. In the window that appears, select the server to which you want the configuration to apply, and click the Clone To button.
Starting the Server in Referral Mode
You can also start the server in referral mode. You might want to do this if you're making configuration changes to the Directory Server and you want all clients to be referred to another master for the duration. To do this, you must start the server with the refer command. If the server is already running, you can put it in referral mode by using the Directory Server Console. This procedure is explained in "Setting Default Referrals," on page 126.
Using the refer Command
On a UNIX machine, to start the Directory Server in referral mode follow these steps:
1. Go to the /bin/slapd/server directory under your installation directory.
2. Run the refer command as follows:
   prompt% ./ns-slapd refer -p port -r ldapurl
   - where port is the port number of the Directory Server you want to start in referral mode, and ldapurl is the referral returned to clients. For information on the format of an LDAP URL, refer to Appendix C, "LDAP URLs."
On a Windows NT machine, to start the Directory Server in referral mode follow these steps:
1. Go to the following directory under your installation directory:
2. Run the refer command as follows:
   slapd refer -p port -r ldapurl
   - where port is the port number of the Directory Server you want to start in referral mode, and ldapurl is the referral returned to clients. For information on the format of an LDAP URL, refer to Appendix C, "LDAP URLs."
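A referral that is malformed, or that points back at the server issuing it, sends every client to nowhere or into a loop for the duration of the maintenance, so the two arguments are worth checking before the server is started this way. The following is an added example, not part of the product or this guide: it validates the ldapurl and builds the argument list for the command shown above. The program names (./ns-slapd on UNIX, slapd on Windows NT) and the -p and -r options come from this section; the host names and URLs are constructed.

```python
"""Builds and checks the refer command line described above. Added example,
not product code: the program names (./ns-slapd on UNIX, slapd on Windows NT)
and the -p/-r options come from the chapter; hosts and URLs are constructed."""
from urllib.parse import urlsplit

LDAP_DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def validate_referral_url(ldapurl, own_port=None):
    """Return an error string, or None when the URL is an ldap:// or ldaps://
    URL that names a host and does not point back at this server itself."""
    parts = urlsplit(ldapurl)
    if parts.scheme not in LDAP_DEFAULT_PORTS:
        return f"{ldapurl!r}: scheme must be ldap or ldaps"
    if not parts.hostname:
        return f"{ldapurl!r}: referral must name the host clients should contact"
    try:
        port = parts.port or LDAP_DEFAULT_PORTS[parts.scheme]
    except ValueError:
        return f"{ldapurl!r}: port is not a valid number"
    if parts.hostname in ("localhost", "127.0.0.1") and port == own_port:
        # Clients would be sent straight back to the server that referred them.
        return f"{ldapurl!r}: referral loops back to this server"
    return None


def refer_command(port, ldapurl, platform="unix"):
    """argv for starting the server in referral mode on the given platform
    ("unix" or "nt"); raises ValueError rather than build a bad command."""
    if not 1 <= port <= 65535:
        raise ValueError(f"bad listening port {port}")
    error = validate_referral_url(ldapurl, own_port=port)
    if error:
        raise ValueError(error)
    program = "./ns-slapd" if platform == "unix" else "slapd"
    return [program, "refer", "-p", str(port), "-r", ldapurl]


if __name__ == "__main__":
    print(" ".join(refer_command(389, "ldap://ldap2.example.com:389/")))
    print(" ".join(refer_command(389, "ldap://ldap2.example.com/", platform="nt")))
    print(validate_referral_url("ldap://localhost/", own_port=389))
```

The loop check only recognises the obvious local names; a referral to this host's own DNS name on the same port would need the caller to pass that name in as well.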
Copyright © 2001 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.
Last Updated March 23, 2001