Sun Directory Services 3.1 Administration Guide

Chapter 10 Managing the Directory Services

This chapter describes the tasks that you occasionally need to perform to manage your directory service.

Starting the Sun Directory Services

To start the directory server from the Admin Console, choose Start from the LDAP Server menu. You can also start the directory server daemon, dsservd, by typing the following command as root:

# /etc/init.d/dsserv start

To start the web gateway, dswebd, as root type:

# /etc/init.d/dsweb start

To start the directory administration server, dsadm, as root type:

# /etc/init.d/dsadm start

The RADIUS server daemon, dsradiusd, is started at the same time as the dsservd daemon. If you have stopped it independently from dsservd, you can also start it independently. As root type:

#/opt/SUNWconn/ldap/sbin/dsradius start

When you install the Sun Directory Services, these commands are added to the system startup file, so that all the server daemons are started automatically when the machine is rebooted.

Stopping the Sun Directory Services

To stop the directory server, from the Admin Console, choose Stop from the LDAP Server menu. You can also stop the directory server by typing the following command as root:

# /etc/init.d/dsserv stop

Stopping the directory server automatically stops the replication server. If you have set up a replication schedule, the replication server is restarted automatically when you restart the directory server, and will continue to follow the schedule.

To stop the web gateway, dsweb, as root type:

# /etc/init.d/dsweb stop

To stop the directory administration server, dsadm, as root type:

# /etc/init.d/dsadm stop

The RADIUS server daemon, dsradiusd, is stopped at the same time as the dsservd daemon. If you want to stop it independently from dsservd, as root type:

# /opt/SUNWconn/ldap/sbin/dsradius stop

Monitoring Directory Services with SNMP

Sun Directory Services provides two SNMP agents:

dsnmpserv, to monitor the directory server
dsnmprad, to monitor the RADIUS server

The first SNMP agent, dsnmpserv, supports the management information bases (MIBs) defined in the following standards:

Network Services Monitoring MIB (RFC 1565)
X.500 Directory Monitoring MIB (RFC 1567)

These MIBs are part of the messaging and directory management (MADMAN) standards that apply to all messaging and directory applications.

The second SNMP agent, dsnmprad, supports the MIBs defined in the following draft standards:

RADIUS Authentication Server MIB (draft-ietf-radius-auth-servmib-01.txt)
RADIUS Accounting Server MIB (draft-ietf-radius-acc-servmib-01.txt)

For a detailed list of the type of information collected by each agent, refer to "Directory Server Statistics" and "RADIUS Server Statistics".

On a Solaris 2.6 machine, the SNMP agents are started automatically during the installation process. This is possible because the Solaris 2.6 operating environment includes a master SNMP agent, snmpdx that resides on UDP port 161 and relays SNMP traffic to and from all other SNMP agents installed on the machine.

Starting and Stopping the SNMP Agents

If you need to start or stop an agent manually, use the following commands.

To start the SNMP agent for the directory server, dsnmpserv, as root type:

# /etc/init.d/init.dsnmpserv start

To start the SNMP agent for the RADIUS server, dsnmprad, as root type:

# /opt/SUNWconn/ldap/sbin/init.dsnmprad start

To stop the SNMP agent for the directory server, dsnmpserv, as root type:

# /etc/init.d/init.dsnmpserv stop

To stop the SNMP agent for the RADIUS server, dsnmprad, as root type:

# /opt/SUNWconn/ldap/sbin/init.dsnmprad stop

Configuring the SNMP Agents

When you install Sun Directory Services on a Solaris 2.6 machine, configuration information for the dsnmpserv and dsnmprad agents is added to the configuration of the Solaris master agent snmpdx, and all SNMP agents are started. By default, the Sun Directory Services agents report events to the local host. The UDP ports that the agents use are dynamically assigned by the master agent.

In both cases, you can configure the hosts to which the SNMP agents report events. This is done using the dsnmpcfg command as follows (you must be logged in as root):

# /opt/SUNWconn/ldap/sbin/dsnmpcfg configure

You are prompted to provide the hostnames of the machines to which you want each agent to report events. If the agents are running when you perform the configuration, they are restarted to take your changes into account.

Directory Server Statistics

This section lists the information collected by the directory server SNMP agent, dsnmpserv, and explains how to display it using the Admin Console.

Information Collected by `dsnmpserv`

The information collected by the dsnmpserv SNMP agent can be monitored from a management platform such as SunNet Manager^TM or Solstice Enterprise Manager^TM. The following directory service information is monitored:

Application information
- Application name
- Application directory name
- Application version
- Application uptime
- Application status (up or down)
- Last status change
- Number of inbound associations
- Number of outbound associations
- Accumulated inbound associations
- Accumulated outbound associations
- Last inbound activity
- Last outbound activity
- Rejected inbound association
- Failed inbound association
Association information
- The distinguished name of the remote application
- The protocol being used to communicate
- The type of the remote application, and whether it is an initiator or responder
- The current duration of the association
Directory server operations
- Anonymous bind
- Unauthenticated bind
- Simple authentication bind
- Strong authentication bind
- Bind security errors
- Inbound operations
- Read operations
- Compare operations
- Add Entry operations
- Delete Entry operations
- Modify Entry operations
- List operations
- Search operations
- One-level search operations
- Whole tree search operations
- Referrals
- Chaining
- Security errors
- DSA errors
Directory entry information
- Master entries
- Copy entries
- Cached entries
- Cache Hits
- Slave Hits
Interactions with other directory servers
- Distinguished name of remote directory server
- Time of creation of remote directory server
- Time of last attempt to contact the remote directory server
- Time of last successful interaction with the remote directory server
- Number of failures since last successful contact
- Total number of failures to contact the remote directory server
- Total number of successful interactions with the remote directory server

Information Collected by `dsservd`

You can view statistics collected by the directory server, dsservd, in five categories:

Global
Detailed
Operations
Associations

Interactions

The statistics available are the same information that is collected by the dsnmpserv SNMP agent. See "Monitoring Directory Services with SNMP" for details of the information collected.

To Monitor Directory Server Statistics

In the Admin Console main window, go to the LDAP section under Services

Click the Show Statistics button.

The LDAP Statistics window is displayed. It presents a snapshot of the statistics available for the directory server.

Click the tab for the category that you want to view.

Click the Update button to get the latest statistics.

To update the statistics at regular intervals:
1. Set the Refresh Interval field
2. Click Start Auto Update
  
  Note -
  The Start Auto Update and Stop Auto Update controls apply to viewing the statistics, not to collecting the data. They only apply while the window is displayed. If you close the window, the refresh interval is reset to the default and automatic updating of the statistics view stops.

RADIUS Server Statistics

This section lists the information collected by the RADIUS server SNMP agent dsnmprad. This information can be monitored from a management platform such as SunNet Manager or Solstice Enterprise Manager.

Information Collected

The following RADIUS authentication service information is monitored:

Server identifier
Uptime
Reset time
Configuration reset
Total access requests
Total invalid requests
Total duplicate access requests
Total access requests
Total access accepts
Total access rejects
Total access challenges
Total malformed access requests
Total bad authenticators
Total packets dropped
Total unknown type
Client entry (contains authentication information monitored for every NAS connected to the server)
- Client Index
- Client Address
- Client ID
- Access requests
- Duplicate access requests
- Access accepts
- Access rejects
- Access challenges
- Malformed access requests
- Bad authenticators
- Packets dropped
- Unknown type

The following RADIUS accounting service information is monitored:

NAS identifier
Uptime
Reset time
Configuration reset
Total requests
Total invalid requests
Total duplicate requests
Total responses
Total malformed requests
Total bad authenticators
Total packets dropped
Total no record
Total unknown type
Client entry (contains accounting information monitored for every NAS connected to the server)
- Client Index
- Client Address
- Client ID
- Packets dropped
- Requests
- Duplicate requests
- Responses
- Bad authenticators
- Malformed requests
- No record
- Unknown type

Displaying RADIUS Server Statistics

You cannot display RADIUS server statistics in the Admin Console. You need a management application such as SunNet Manager or Solstice Enterprise Manager. The files required to interoperate with these management applications are provided with Sun Directory Services:

The directory /opt/SUNWconn/ldap/snmp/snm contains all files necessary for dsnmprad to report events to a SunNet Manager station
The directory /opt/SUNWconn/ldap/snmp/sem contains all files necessary for dsnmprad to report events to a Solstice Enterprise Manager station

The Web Gateway

The web gateway provides an interface to an LDAP directory from any web browser. You can use this interface to browse the directory, to search for and read entries, and to modify some directory information. This is useful for checking information in the directory.

This section explains how to configure the web gateway to adapt it to the needs of your users, in particular to display new attributes or corporate profiles that you have defined.

Information on using the web gateway is provided in Sun Directory Services 3.1 User's Guide.

Configuring the Web Gateway

The gateway daemon, dswebd, requires the dsservd daemon to be running on the same machine. To enable users to browse the directory from any web browser, you must make sure that the dsservd and dswebd daemons are running. You can check their status in the Status section of the Admin Console. The LDAP service and the Web gateway service must be shown as Running. If they are not, use the Start button to start them.

You can change the default HTTP port (1760) used by the web gateway from the Admin Console. To do so, change the HTTP port number in the Web gateway section under Services.

You can modify the behavior of the web gateway and the way it displays information by editing the following configuration files:

dswebfilter.conf

Controls how the gateway makes a search request to the directory. See the dswebfilter.conf(4) man page for details.
dswebfriendly.conf

Contains user-friendly equivalents of certain attribute values that might be used in the directory. By default, it contains mappings between the ISO country codes and the names of countries.
dsweb.help

Contains help text for the user interface to the web gateway. You can edit this file and change the help text to reflect any changes you make to the user interface.
dsweb.helpattr

Contains an explanation of the directory attributes visible through the user interface to the web gateway.
dsweb.messages

Contains the messages and screen text used in the user interface to the web gateway. You can customize the user interface by changing this file.
dswebtmpl.conf

Contains templates that control how information retrieved from the directory is displayed. If you have modified the schema, especially if you have added object classes and attributes, you must modify this file to be able to display entries that use the new object classes and attributes. See the dswebtmpl.conf(4) man page for details.