Red Hat Directory Server 8.0

Administrator's Guide

Ella Deon Lackey

Red Hat Documentation Team

Legal Notice

1. Directory Server Overview
2. Example and Default References
3. Document Conventions
4. Related Information
1. General Red Hat Directory Server Usage
1.1. Directory Server File Locations
1.2. LDAP Tool Locations
1.3. Starting and Stopping Servers
1.3.1. Starting and Stopping Directory Server from the Console
1.3.2. Starting and Stopping Directory Server from the Command Line
1.3.3. Starting and Stopping Administration Server
1.4. Starting the Directory Server Console
1.4.1. Logging into Directory Server
1.4.2. Changing Login Identity
1.4.3. Viewing the Current Console Bind DN
1.5. Changing Directory Server Port Numbers
1.6. Creating a New Directory Server Instance
1.7. Configuring the Directory Manager
2. Creating Directory Entries
2.1. Managing Entries from the Directory Console
2.1.1. Creating a Root Entry
2.1.2. Creating Directory Entries
2.1.3. Modifying Directory Entries
2.1.4. Deleting Directory Entries
2.2. Managing Entries from the Command-Line
2.2.1. Providing Input from the Command-Line
2.2.2. Creating a Root Entry from the Command-Line
2.2.3. Adding Entries Using LDIF
2.2.4. Adding and Modifying Entries Using ldapmodify
2.2.5. Deleting Entries Using ldapdelete
2.2.6. Using Special Characters
2.3. Tracking Modifications to Directory Entries
2.4. LDIF Update Statements
2.4.1. Adding an Entry Using LDIF
2.4.2. Renaming an Entry Using LDIF
2.4.3. Modifying an Entry Using LDIF
2.4.4. Deleting an Entry Using LDIF
2.4.5. Modifying an Entry in an Internationalized Directory
2.5. Maintaining Referential Integrity
2.5.1. How Referential Integrity Works
2.5.2. Using Referential Integrity with Replication
2.5.3. Enabling/Disabling Referential Integrity
2.5.4. Modifying the Update Interval
2.5.5. Modifying the Attribute List
3. Configuring Directory Databases
3.1. Creating and Maintaining Suffixes
3.1.1. Creating Suffixes
3.1.2. Maintaining Suffixes
3.2. Creating and Maintaining Databases
3.2.1. Creating Databases
3.2.2. Maintaining Directory Databases
3.2.3. Database Encryption
3.3. Creating and Maintaining Database Links
3.3.1. Configuring the Chaining Policy
3.3.2. Creating a New Database Link
3.3.3. Chaining Using SSL
3.3.4. Maintaining Database Links
3.3.5. Database Links and Access Control Evaluation
3.3.6. Advanced Feature: Tuning Database Link Performance
3.3.7. Advanced Feature: Configuring Cascading Chaining
3.4. Using Referrals
3.4.1. Starting the Server in Referral Mode
3.4.2. Setting Default Referrals
3.4.3. Creating Smart Referrals
3.4.4. Creating Suffix Referrals
4. Populating Directory Databases
4.1. Importing Data
4.1.1. Importing a Database from the Console
4.1.2. Initializing a Database from the Console
4.1.3. Importing from the Command-Line
4.2. Exporting Data
4.2.1. Exporting Directory Data to LDIF Using the Console
4.2.2. Exporting a Single Database to LDIF Using the Console
4.2.3. Exporting to LDIF from the Command-Line
4.3. Backing up and Restoring Data
4.3.1. Backing up All Databases
4.3.2. Backing up the dse.ldif Configuration File
4.3.3. Restoring All Databases
4.3.4. Restoring a Single Database
4.3.5. Restoring Databases That Include Replicated Entries
4.3.6. Restoring the dse.ldif Configuration File
5. Managing Entries with Roles, Class of Service, and Views
5.1. Using Roles
5.1.1. About Roles
5.1.2. Managing Roles Using the Console
5.1.3. Managing Roles Using the Command-Line
5.1.4. Using Roles Securely
5.2. Assigning Class of Service
5.2.1. About CoS
5.2.2. Managing CoS Using the Console
5.2.3. Managing CoS from the Command-Line
5.2.4. Creating Role-Based Attributes
5.2.5. Access Control and CoS
5.3. Using Views
5.3.1. Creating Views in the Console
5.3.2. Deleting Views from the Directory Server Console
5.3.3. Creating Views from the Command Line
5.3.4. Deleting Views from the Command Line
5.4. Using Groups
5.4.1. Managing Static Groups
5.4.2. Managing Dynamic Groups
6. Managing Access Control
6.1. Access Control Principles
6.1.1. ACI Structure
6.1.2. ACI Placement
6.1.3. ACI Evaluation
6.1.4. ACI Limitations
6.2. Default ACIs
6.3. Creating ACIs Manually
6.3.1. The ACI Syntax
6.3.2. Defining Targets
6.3.3. Defining Permissions
6.4. Bind Rules
6.4.1. Bind Rule Syntax
6.4.2. Defining User Access - userdn Keyword
6.4.3. Defining Group Access - groupdn Keyword
6.4.4. Defining Role Access - roledn Keyword
6.4.5. Defining Access Based on Value Matching
6.4.6. Defining Access from a Specific IP Address
6.4.7. Defining Access from a Specific Domain
6.4.8. Defining Access at a Specific Time of Day or Day of Week
6.4.9. Defining Access Based on Authentication Method
6.4.10. Using Boolean Bind Rules
6.5. Creating ACIs from the Console
6.5.1. Displaying the Access Control Editor
6.5.2. Creating a New ACI
6.5.3. Editing an ACI
6.5.4. Deleting an ACI
6.6. Viewing ACIs
6.7. Get Effective Rights Control
6.7.1. Using Get Effective Rights from the Command-Line
6.7.2. Using Get Effective Rights from the Console
6.7.3. Get Effective Rights Return Codes
6.8. Logging Access Control Information
6.9. Access Control Usage Examples
6.9.1. Granting Anonymous Access
6.9.2. Granting Write Access to Personal Entries
6.9.3. Restricting Access to Key Roles
6.9.4. Granting a Group Full Access to a Suffix
6.9.5. Granting Rights to Add and Delete Group Entries
6.9.6. Granting Conditional Access to a Group or Role
6.9.7. Denying Access
6.9.8. Setting a Target Using Filtering
6.9.9. Allowing Users to Add or Remove Themselves from a Group
6.9.10. Defining Permissions for DNs That Contain a Comma
6.9.11. Proxied Authorization ACI Example
6.10. Advanced Access Control: Using Macro ACIs
6.10.1. Macro ACI Example
6.10.2. Macro ACI Syntax
6.11. Access Control and Replication
6.12. Compatibility with Earlier Releases
7. Managing User Accounts and Passwords
7.1. Managing the Password Policy
7.1.1. Configuring the Password Policy
7.1.2. Setting User Passwords
7.1.3. Password Change Extended Operation
7.1.4. Configuring the Account Lockout Policy
7.1.5. Managing the Password Policy in a Replicated Environment
7.1.6. Synchronizing Passwords
7.2. Inactivating Users and Roles
7.2.1. Inactivating Users and Roles Using the Console
7.2.2. Inactivating Users and Roles Using the Command-Line
7.2.3. Activating Users and Roles Using the Console
7.2.4. Activating Users and Roles Using the Command-Line
7.3. Setting Resource Limits Based on the Bind DN
7.3.1. Setting Resource Limits Using the Console
7.3.2. Setting Resource Limits Using the Command-Line
8. Managing Replication
8.1. Replication Overview
8.1.1. What Directory Units Are Replicated
8.1.2. Read-Write and Read-Only Replicas
8.1.3. Suppliers and Consumers
8.1.4. Changelog
8.1.5. Replication Identity
8.1.6. Replication Agreement
8.1.7. Compatibility with Earlier Versions of Directory Server
8.2. Replication Scenarios
8.2.1. Single-Master Replication
8.2.2. Multi-Master Replication
8.2.3. Cascading Replication
8.3. Creating the Supplier Bind DN Entry
8.4. Configuring Single-Master Replication
8.4.1. Configuring the Read-Write Replica on the Supplier Server
8.4.2. Configuring the Read-Only Replica on the Consumer
8.4.3. Create the Replication Agreement
8.5. Configuring Multi-Master Replication
8.5.1. Configuring the Read-Write Replicas on the Supplier Servers
8.5.2. Configuring the Read-Only Replicas on the Consumer Servers
8.5.3. Setting up the Replication Agreements
8.5.4. Preventing Monopolization of the Consumer in Multi-Master Replication
8.6. Configuring Cascading Replication
8.6.1. Configuring the Read-Write Replica on the Supplier Server
8.6.2. Configuring the Read-Only Replica on the Consumer Server
8.6.3. Configuring the Read-Only Replica on the Hub
8.6.4. Setting up the Replication Agreements
8.7. Configuring Replication from the Command Line
8.7.1. Configuring Suppliers from the Command Line
8.7.2. Configuring Consumers from the Command Line
8.7.3. Configuring Hubs from the Command Line
8.7.4. Configuring Replication Agreements from the Command Line
8.7.5. Initializing Consumers Online from the Command Line
8.8. Making a Replica Updatable
8.9. Deleting the Changelog
8.9.1. Removing the Changelog
8.9.2. Moving the Changelog to a New Location
8.10. Initializing Consumers
8.10.1. When to Initialize a Consumer
8.10.2. Online Consumer Initialization Using the Console
8.10.3. Initializing Consumers Online Using the Command Line
8.10.4. Manual Consumer Initialization Using the Command Line
8.10.5. Filesystem Replica Initialization
8.11. Forcing Replication Updates
8.11.1. Forcing Replication Updates from the Console
8.11.2. Forcing Replication Updates from the Command-Line
8.12. Replicating Account Lockout Attributes
8.13. Replication over SSL
8.14. Replicating o=NetscapeRoot for Administration Server Failover
8.15. Replication with Earlier Releases
8.16. Using the Retro Changelog Plug-in
8.16.1. Enabling the Retro Changelog Plug-in
8.16.2. Trimming the Retro Changelog
8.16.3. Searching and Modifying the Retro Changelog
8.16.4. Retro Changelog and the Access Control Policy
8.17. Monitoring Replication Status
8.17.1. Monitoring Replication Status from the Directory Server Console
8.17.2. Monitoring Replication Status from Administration Express
8.18. Solving Common Replication Conflicts
8.18.1. Solving Naming Conflicts
8.18.2. Solving Orphan Entry Conflicts
8.18.3. Solving Potential Interoperability Problems
8.19. Troubleshooting Replication-Related Problems
9. Extending the Directory Schema
9.1. Overview of Extending Schema
9.2. Managing Attributes
9.2.1. Viewing Attributes
9.2.2. Creating Attributes
9.2.3. Editing Attributes
9.2.4. Deleting Attributes
9.3. Managing Object Classes
9.3.1. Viewing Object Classes
9.3.2. Creating Object Classes
9.3.3. Editing Object Classes
9.3.4. Deleting Object Classes
9.4. Turning Schema Checking On and Off
10. Managing Indexes
10.1. About Indexes
10.1.1. About Index Types
10.1.2. About Default, System, and Standard Indexes
10.1.3. Overview of the Searching Algorithm
10.1.4. Approximate Searches
10.1.5. Balancing the Benefits of Indexing
10.2. Creating Indexes
10.2.1. Creating Indexes from the Server Console
10.2.2. Creating Indexes from the Command-Line
10.2.3. Creating Browsing Indexes from the Server Console
10.2.4. Creating Browsing Indexes from the Command-Line
10.3. Deleting Indexes
10.3.1. Deleting Indexes from the Server Console
10.3.2. Deleting Indexes from the Command-Line
10.3.3. Deleting Browsing Indexes from the Server Console
10.3.4. Deleting Browsing Indexes from the Command-Line
10.4. Managing Indexes
10.4.1. Indexing Performance
10.4.2. Search Performance
10.4.3. Backwards Compatibility and Migration
10.5. Attribute Name Quick Reference Table
11. Managing SSL
11.1. Introduction to SSL in the Directory Server
11.1.1. Enabling SSL: Summary of Steps
11.1.2. Command-Line Functions for Start TLS
11.2. Obtaining and Installing Server Certificates
11.2.1. Step 1: Generate a Certificate Request
11.2.2. Step 2: Send the Certificate Request
11.2.3. Step 3: Install the Certificate
11.2.4. Step 4: Trust the Certificate Authority
11.2.5. Step 5: Confirm That The New Certificates Are Installed
11.3. Using certutil
11.3.1. Creating Directory Server Certificates through the Command Line
11.3.2. certutil Usage
11.4. Starting the Server with SSL Enabled
11.4.1. Enabling SSL Only in the Directory Server
11.4.2. Enabling SSL in the Directory Server, Administration Server, and Console
11.4.3. Creating a Password File for the Directory Server
11.4.4. Creating a Password File for the Administration Server
11.5. Setting Security Preferences
11.5.1. Available Ciphers
11.5.2. Selecting the Encryption Cipher
11.6. Using Certificate-Based Authentication
11.6.1. Setting up Certificate-Based Authentication
11.6.2. Allowing/Requiring Client Authentication
11.7. Configuring LDAP Clients to Use SSL
12. Managing SASL
12.1. Authentication Mechanisms
12.2. SASL Identity Mapping
12.3. Configuring SASL Identity Mapping from the Console
12.4. Configuring SASL Identity Mapping from the Command-Line
12.5. Configuring Kerberos
12.5.1. Realms
12.5.2. Configuring the KDC Server
12.5.3. Example: Configuring an Example KDC Server
12.5.4. Configuring SASL Authentication at Directory Server Startup
13. Monitoring Server and Database Activity
13.1. Viewing and Configuring Log Files
13.1.1. Defining a Log File Rotation Policy
13.1.2. Defining a Log File Deletion Policy
13.1.3. Access Log
13.1.4. Error Log
13.1.5. Audit Log
13.2. Manual Log File Rotation
13.3. Monitoring Server Activity
13.3.1. Monitoring the Server from the Directory Server Console
13.3.2. Monitoring the Directory Server from the Command Line
13.4. Monitoring Database Activity
13.4.1. Monitoring Database Activity from the Directory Server Console
13.4.2. Monitoring Databases from the Command Line
13.5. Monitoring Database Link Activity
14. Monitoring Directory Server Using SNMP
14.1. About SNMP
14.2. Configuring the Master Agent
14.3. Configuring the Subagent
14.3.1. Subagent Configuration File
14.3.2. Starting the Subagent
14.3.3. Testing the Subagent
14.4. Configuring SNMP Traps
14.5. Configuring the Directory Server for SNMP
14.6. Using the Management Information Base
14.6.1. Operations Table
14.6.2. Entries Table
14.6.3. Entity Table
14.6.4. Interaction Table
15. Tuning Directory Server Performance
15.1. Tuning Server Performance
15.2. Tuning Database Performance
15.2.1. Optimizing Search Performance
15.2.2. Tuning Transaction Logging
15.2.3. Changing the Location of the Database Transaction Log
15.2.4. Changing the Database Checkpoint Interval
15.2.5. Disabling Durable Transactions
15.2.6. Specifying Transaction Batching
15.3. Miscellaneous Tuning Tips
15.3.1. Avoid Creating Entries Under the cn=config Entry in the dse.ldif File
16. Administering Directory Server Plug-ins
16.1. Server Plug-in Functionality Reference
16.1.1. 7-Bit Check Plug-in
16.1.2. ACL Plug-in
16.1.3. ACL Preoperation Plug-in
16.1.4. Binary Syntax Plug-in
16.1.5. Boolean Syntax Plug-in
16.1.6. Case Exact String Syntax Plug-in
16.1.7. Case Ignore String Syntax Plug-in
16.1.8. Chaining Database Plug-in
16.1.9. Class of Service Plug-in
16.1.10. Country String Syntax Plug-in
16.1.11. Distinguished Name Syntax Plug-in
16.1.12. Generalized Time Syntax Plug-in
16.1.13. Integer Syntax Plug-in
16.1.14. Internationalization Plug-in
16.1.15. ldbm Database Plug-in
16.1.16. Legacy Replication Plug-in
16.1.17. Multi-Master Replication Plug-in
16.1.18. Octet String Syntax Plug-in
16.1.19. CLEAR Password Storage Plug-in
16.1.20. CRYPT Password Storage Plug-in
16.1.21. NS-MTA-MD5 Password Storage Plug-in
16.1.22. SHA Password Storage Plug-in
16.1.23. SSHA Password Storage Plug-in
16.1.24. Postal Address String Syntax Plug-in
16.1.25. PTA Plug-in
16.1.26. Referential Integrity Postoperation Plug-in
16.1.27. Retro Changelog Plug-in
16.1.28. Roles Plug-in
16.1.29. Space Insensitive String Syntax Plug-in
16.1.30. State Change Plug-in
16.1.31. Telephone Syntax Plug-in
16.1.32. UID Uniqueness Plug-in
16.1.33. URI Plug-in
16.2. Enabling and Disabling Plug-ins
17. Using the Pass-through Authentication Plug-in
17.1. How Directory Server Uses PTA
17.2. PTA Plug-in Syntax
17.3. Configuring the PTA Plug-in
17.3.1. Turning the Plug-in On or Off
17.3.2. Configuring the Servers to Use a Secure Connection
17.3.3. Specifying the Authenticating Directory Server
17.3.4. Specifying the Pass-through Subtree
17.3.5. Configuring the Optional Parameters
17.4. PTA Plug-in Syntax Examples
17.4.1. Specifying One Authenticating Directory Server and One Subtree
17.4.2. Specifying Multiple Authenticating Directory Servers
17.4.3. Specifying One Authenticating Directory Server and Multiple Subtrees
17.4.4. Using Non-Default Parameter Values
17.4.5. Specifying Different Optional Parameters and Subtrees for Different Authenticating Directory Servers
18. Using the Attribute Uniqueness Plug-in
18.1. Overview of the Attribute Uniqueness Plug-in
18.2. Attribute Uniqueness Plug-in Syntax
18.3. Creating an Instance of the Attribute Uniqueness Plug-in
18.4. Configuring Attribute Uniqueness Plug-ins
18.4.1. Viewing Plug-in Configuration Information
18.4.2. Configuring Attribute Uniqueness Plug-ins from the Directory Server Console
18.4.3. Configuring Attribute Uniqueness Plug-ins from the Command-Line
18.5. Attribute Uniqueness Plug-in Syntax Examples
18.5.1. Specifying One Attribute and One Subtree
18.5.2. Specifying One Attribute and Multiple Subtrees
18.6. Replication and the Attribute Uniqueness Plug-in
18.6.1. Simple Replication Scenario
18.6.2. Multi-Master Replication Scenario
19. Synchronizing Red Hat Directory Server with Microsoft Active Directory
19.1. About Windows Sync
19.2. Configuring Windows Sync
19.2.1. Step 1: Configure SSL on Directory Server
19.2.2. Step 2: Configure the Active Directory Domain
19.2.3. Step 3: Select or Create the Sync Identity
19.2.4. Step 4: Install and Configure the Password Sync Service
19.2.5. Step 5: Configure the Directory Server Database for Synchronization
19.2.6. Step 6: Create the Synchronization Agreement
19.2.7. Step 7: Begin Synchronization
19.3. Using Windows Sync
19.3.1. Synchronizing Users
19.3.2. Synchronizing Groups
19.3.3. Deleting Entries
19.3.4. Resurrecting Entries
19.3.5. Manually Updating and Resynchronizing Entries
19.3.6. Checking Synchronization Status
19.3.7. Modifying the Sync Agreement
19.4. Schema Differences
19.4.1. Password Policies
19.4.2. Groups
19.4.3. Values for street and streetAddress
19.4.4. Constraints on the initials attribute
19.5. Password Sync Service
19.5.1. Modifying Password Sync
19.5.2. Starting and Stopping the Password Sync Service
19.5.3. Uninstalling Password Sync Service
19.6. Troubleshooting
A. LDAP Data Interchange Format
A.1. About the LDIF File Format
A.2. Continuing Lines in LDIF
A.3. Representing Binary Data
A.3.1. Standard LDIF Notation
A.3.2. Base-64 Encoding
A.4. Specifying Directory Entries Using LDIF
A.4.1. Specifying Domain Entries
A.4.2. Specifying Organizational Unit Entries
A.4.3. Specifying Organizational Person Entries
A.5. Defining Directories Using LDIF
A.5.1. LDIF File Example
A.6. Storing Information in Multiple Languages
B. Finding Directory Entries
B.1. Finding Entries Using the Directory Server Console
B.2. Using ldapsearch
B.2.1. Using Special Characters
B.2.2. ldapsearch Command-Line Format
B.2.3. Commonly Used ldapsearch Options
B.2.4. ldapsearch Examples
B.3. LDAP Search Filters
B.3.1. Search Filter Syntax
B.4. Searching an Internationalized Directory
B.4.1. Matching Rule Filter Syntax
B.4.2. Supported Search Types
B.4.3. International Search Examples
C. LDAP URLs
C.1. Components of an LDAP URL
C.2. Escaping Unsafe Characters
C.3. Examples of LDAP URLs
D. Internationalization
D.1. About Locales
D.2. Identifying Supported Locales
D.3. Supported Language Subtypes
D.4. Troubleshooting Matching Rules

Note: This documentation is provided {and copyrighted} by Red Hat®, Inc. and is released via the Open Publication License. The copyright holder has added the further requirement that Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. The CentOS project redistributes these original works (in their unmodified form) as a reference for CentOS-5 because CentOS-5 is built from publicly available, open source SRPMS. The documentation is unmodified to be compliant with upstream distribution policy. Neither CentOS-5 nor the CentOS Project are in any way affiliated with or sponsored by Red Hat®, Inc.