HP-UX Directory Server administrator guide HP-UX Directory Server Version 8.
© Copyright 2009 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Table of Contents 1 Basic HP-UX Directory Server usage..........................................................................19 1.1 Overview.........................................................................................................................................19 1.2 Directory Server file locations.........................................................................................................19 1.3 Starting and stopping servers.....................................................
2.4.1.1 Creating a new database link using the console.............................................................53 2.4.1.2 Creating a database link from the command line...........................................................57 2.4.1.2.1 Providing suffix information..................................................................................58 2.4.1.2.2 Providing bind credentials......................................................................................58 2.4.1.2.
3.1.3.2 Adding an attribute to an entry....................................................................................107 3.1.3.3 Adding very large attributes ........................................................................................110 3.1.3.4 Adding and removing attribute values.........................................................................111 3.1.3.5 Adding an attribute subtype.........................................................................................111 3.1.3.
3.7.5.2 Specifying one attribute and multiple subtrees............................................................143 3.7.6 Replication and the attribute uniqueness plug-in.................................................................144 3.7.6.1 Simple replication scenario...........................................................................................144 3.7.6.2 Multi-master replication scenario.................................................................................
5.2.1 About CoS..............................................................................................................................188 5.2.1.1 About the CoS definition entry.....................................................................................188 5.2.1.2 About the CoS template entry.......................................................................................188 5.2.1.3 How a pointer CoS works..................................................................................
6.3.3 Defining permissions.............................................................................................................241 6.3.3.1 Allowing or denying access..........................................................................................241 6.3.3.2 Assigning rights............................................................................................................241 6.3.3.3 Rights required for LDAP operations..................................................................
6.9.2 Granting write access to personal entries..............................................................................276 6.9.2.1 ACI "Write example.com"..............................................................................................276 6.9.2.2 ACI "Write Subscribers".................................................................................................277 6.9.3 Restricting access to key roles.....................................................................................
7.4.3 Configuring the PTA plug-in.................................................................................................309 7.4.3.1 Configuring the servers to use a secure connection......................................................310 7.4.3.2 Specifying the authenticating Directory Server............................................................310 7.4.3.3 Specifying the pass-through subtree.............................................................................311 7.4.3.
8.7.5 Initializing consumers online from the command line.........................................................371 8.8 Making a replica updatable...........................................................................................................372 8.9 Deleting the changelog..................................................................................................................372 8.9.1 Removing the changelog.................................................................................
9.3 Synchronizing users......................................................................................................................407 9.3.1 User attributes synchronized between Directory Server and Active Directory...................408 9.3.2 User schema differences between Directory Server and Active Directory...........................409 9.3.2.1 Values for cn attributes..................................................................................................410 9.3.2.
10.4.1 Viewing attributes and object classes..................................................................................435 10.4.2 Creating attributes...............................................................................................................437 10.4.3 Creating object classes.........................................................................................................439 10.4.4 Editing custom schema elements.................................................................
12 Managing SSL..........................................................................................................471 12.1 Introduction to SSL in the Directory Server................................................................................471 12.1.1 Enabling SSL: Summary of steps.........................................................................................471 12.1.2 Command line functions for Start TLS................................................................................
14.1.1 Defining a log file rotation policy........................................................................................511 14.1.2 Defining a log file deletion policy.......................................................................................512 14.1.3 Access log.............................................................................................................................513 14.1.3.1 Viewing the access log....................................................................
17.1.2 How to contact HP technical support.................................................................................543 17.1.3 HP authorized resellers.......................................................................................................543 17.1.4 Documentation feedback.....................................................................................................543 17.2 Related information..........................................................................................
B.5.1.1.4 Using a language tag and suffix for the matching rule........................................565 B.5.1.2 Using wildcards in matching rule filters......................................................................566 B.5.2 Supported search types.........................................................................................................566 B.5.3 International search examples..............................................................................................566 B.5.3.
1 Basic HP-UX Directory Server usage The HP-UX Directory Server (Directory Server) is a powerful and scalable distributed directory server based on the industry-standard Lightweight Directory Access Protocol (LDAP). Directory Server is the cornerstone for building a centralized and distributed data repository that can be used in your intranet, over your extranet with your trading partners, or over the public Internet to reach your customers.
http://www.pathname.com/fhs/. The files and directories installed with Directory Server are listed in the tables below for each supported platform. In the file locations listed in the following tables, instance is the server instance name that was given during setup. By default, this is the leftmost component of the fully-qualified host and domain name. For example, if the host name is ldap.example.com, the instance name is ldap by default.
/opt/dirsrv/bin/hpds-idm-console 2. In the Tasks tab, click Start the Directory Server, Stop the Directory Server, or Restart the Directory Server. When the Directory Server is successfully started or stopped from the Directory Server Console, the server displays a message box stating that the server has either started or shut down. 1.3.
When the login screen opens, you are prompted for the username, password, and Administration Server location. It is possible to send the Administration Server URL and port with the start script. For example: /opt/dirsrv/bin/hpds-idm-console -a http://localhost:9830 The a option is a convenience, particularly if you are logging into a Directory Server for the first time. On subsequent logins, the URL is saved.
Enter the full distinguished name of the entry with which to bind to the server. For example, to bind as user Barbara Jensen, enter her full DN in the login box: cn=Barbara Jensen, ou=People,dc=example,dc=com 1.4.3 Viewing the current console bind DN To see the bind DN that is currently logged into the Directory Server Console, click the login icon in the lower-left corner of the window. The current bind DN appears next to the login icon. Figure 1-1 Viewing the bind DN 1.
NOTE: Modifying the standard or secure port numbers for a Configuration Directory Server, which maintains the o=NetscapeRoot subtree, should be done through the Directory Server Console. Changing the configuration directory or user directory port or secure port numbers has the following repercussions: • • The Directory Server port number must also be updated in the Administration Server configuration.
NOTE: Do not restart the Directory Server at this point. If you do, you will not be able to make the necessary changes to the Administration Server through the Console. 7. 8. Open the Administration Server Console. In the Configuration tab, select the Configuration DS tab. 9. In the LDAP Port field, type in the new LDAP port number for your Directory Server instance. 10. Check the Secure Connection box if this is a secure port.
12. Open the Configuration DS tab of the Administration Server Console and select Save. A dialog will appear, stating: The Directory Server setting has been modified. You must shut down and restart your Administration Server and all the servers in the Server Group for the changes to take effect. Click OK. 13. In the Tasks tab of the Administration Server Console, click Restart Admin Server. A dialog opens reading that the Administration Server has been successfully restarted. Click Close.
3. Fill in the instance information. • • • • A unique name for the server. This name must have only alphanumeric characters, a dash (-), or an underscore (_). A port number for LDAP communications. The root suffix for the new Directory Server instance. A DN for the Directory Manager. This user has total access to every entry in the directory, without normal usage constraints (such as search timeouts); this is described in “Configuring the Directory Manager”. 1.
• • 4. The password for the Directory Manager. The user ID with which to run the Directory Server daemon. Click OK. A status box appears to confirm that the operation was successful. To dismiss it, click OK. 1.8 Configuring the Directory Manager The Directory Manager is the privileged database administrator, comparable to the root user in UNIX. Access control does not apply to the Directory Manager entry; likewise, limits on searches and other operations do not apply.
1. 2. 3. 4. In the Directory Server Console, select the Configuration tab. Double-click the Plugins folder in the navigation tree. Select the plug-in from the Plugins list. To disable the plug-in, clear the Enabled checkbox. To enable the plug-in, check this checkbox. 5. 6. Click Save. Restart the Directory Server. /opt/dirsrv/slapd-instance_name/restart-slapd To disable or enable a plug-in through the command line, use the ldapmodify utility to edit the value of the nsslapd-pluginEnabled attribute.
2 Configuring directory databases The topics include: • • • • • • Overview “Creating and maintaining suffixes” (page 31) “Creating and maintaining suffixes” (page 31) “Creating and maintaining databases” (page 39) “Creating and maintaining database links” (page 52) “Using referrals” (page 89) 2.1 Overview of directory databases The directory is made up of databases, and the directory tree is distributed across the databases.
2.2.1 Creating suffixes Both root and sub suffixes can be created to organize the contents of the directory tree. A root suffixis the parent of a sub suffix. It can be part of a larger tree designed for the Directory Server. A sub suffix is a branch underneath a root suffix. The data for root and sub suffixes are contained by databases. A directory might contain more than one root suffix. For example, an ISP might host several web sites, one for example.com and one for hp.com.
Figure 2-4 Directory tree with a sub suffix This section describes creating root and sub suffixes for the directory using either the Directory Server Console or the command line. • • • “Creating a new root suffix using the console” “Creating a new sub suffix using the console” “Creating root and sub suffixes from the command line” 2.2.1.1 Creating a new root suffix using the console 1. 2. In the Directory Server Console, select the Configuration tab.
4. Select the Create associated database automatically to create a database at the same time as the new root suffix, and enter a unique name for the new database in the Database name field, such as example2. The name can be a combination of alphanumeric characters, dashes (-), and underscores (_). No other characters are allowed. Deselect the checkbox to create a database for the new root suffix later. This option specifies a directory where the database will be created.
The Create new sub suffix dialog box is displayed. 3. Enter a unique suffix name in the New suffix field. The suffix must be named in line with dc naming conventions, such as ou=groups. The root suffix is automatically added to the name. For example, if the sub suffix ou=groups is created under the dc=example,dc=com suffix, the Console automatically names it ou=groups,dc=example,dc=com. 4.
2.2.1.3 Creating root and sub suffixes from the command line Use the ldapmodify command line utility to add new suffixes to the directory configuration file. The suffix configuration information is stored in the cn=mapping tree,cn=config entry. NOTE: Avoid creating entries under the cn=config entry in thedse.ldif file. The cn=config entry in the simple, flat dse.ldif configuration file is not stored in the same highly scalable database as regular entries.
NOTE: To maintain suffixes using the Directory Server Console, respect the same spacing used to name the root and sub suffixes in the command line. For example, if a root suffix is named ou=groups ,dc=example,dc=com, with two spaces after groups, any sub suffixes created under this root will need to specify two spaces after ou=groups, as well. The following table describes the attributes used to configure a suffix entry: Table 2-1 Suffix attributes Attribute name Value dn Defines the DN for the suffix.
2.2.2.1 Disabling a suffix Sometimes, a database may need taken down for maintenance, but the data the database contains are not replicated. Rather than returning a referral, disable the suffix responsible for the database. After a suffix is disabled, the contents of the database related to the suffix are invisible to client applications when they perform LDAP operations such as search, add, and modify. To disable a suffix: 1. 2. 3. In the Directory Server Console, select the Configuration tab.
4. Select either Delete this suffix and all of its sub suffixes ro Delete this suffix only. 2.3 Creating and maintaining databases After creating suffixes to organizing the directory data, create databases to contain that directory data. Databases are used to store directory data. 2.3.1 Creating databases The directory tree can be distributed over multiple Directory Server databases. There are two ways to distribute data across multiple databases: • One database per suffix.
Three databases are added to store the data contained in separate suffixes. This division of the tree corresponds to three databases. Database one contains the data for ou=people plus the data for dc=example,dc=com, so that clients can conduct searches based at dc=example,dc=com. Database two contains the data for ou=groups, and database three contains the data for ou=contractors. • Multiple databases for one suffix.
DB1 contains people with names from A to K, and DB2 contains people with names from L to Z. DB3 contains the ou=groups data, and DB4 contains the ou=contractors data. Custom distribution plug-in distributes data from a single suffix across multiple databases. Contact HP Professional Services for information on how to create distribution logic for Directory Server. 2.3.1.1 Creating a new database for an existing suffix using the console 1. 2. 3.
The Create database in field is automatically filled with the default database directory (/var/opt/dirsrv/slapd-instance_name/db) and the name of the new database. It is also possible to enter or browse for a different directory location. 2.3.1.2 Creating a new database for a single suffix from the command line Use the ldapmodify command line utility to add a new database to the directory configuration file. This utility is located at /opt/dirsrv/bin directory.
NOTE: After entries have been distributed, they cannot be redistributed. The following restrictions apply: • • • • The distribution function cannot be changed after entry distribution has been deployed. The LDAP modrdn operation cannot be used to rename entries if that would cause them to be distributed into a different database. Distributed local databases cannot be replicated. The ldapmodify operation cannot be used to change entries if that would cause them to be distributed into a different database.
2.3.1.3.2 Adding the custom distribution function to a suffix using the command line 1. Run ldapmodify. The ldapmodify tool is located in the /opt/dirsrv/bin directory. ldapmodify -D "cn=directory manager" -w secret -p 389 -h server.example.com 2.
5. Select the database is read-only checkbox. The change takes effect immediately. Before importing or restoring the database, ensure that the databases affected by the operation are not in read-only mode. To disable read-only mode, open the database up in the Directory Server Console again and uncheck the database is read-only checkbox. 2.3.2.1.2 Making a database read-only from the command line To manually place a database into read-only mode: 1. Run ldapmodify.
3. 4. Select the Make Entire Server Read-Only checkbox. Click Save, then restart the server. 2.3.2.2 Deleting a database Deleting a database deletes the configuration information and entries for that database only, not the physical database itself. 1. 2. 3. 4. 46 In the Directory Server Console, select the Configuration tab. Expand the Data folder, then select the suffix. Select the database to delete. Right-click the database and select Delete from the pop-up menu.
5. Confirm that the database should be deleted in the Delete Database dialog box. 2.3.2.3 Configuring transaction logs for frequent database updates When the server is going to be asked to perform frequent database updates (LDAP adds, modifies, replication), the database transaction log files should be configured to be on a different disk than the primary database files.
2.3.3 Database encryption The Directory Server offers a number of mechanisms to secure access to sensitive data, such as access control rules to prevent unauthorized users from reading certain entries or attributes within entries and SSL to protect data from eavesdropping and tampering on untrusted networks. However, if a copy of the server's database files should fall into the hands of an unauthorized person, they could potentially extract sensitive information from those files.
CAUTION: There is no mechanism for recovering a lost key. Therefore, it is especially important to back up the server's certificate database safely. If the server's certificate were lost, it would not be possible to decrypt any encrypted data stored in its database. CAUTION: If the SSL certificate is expiring and needs to be renewed, export the encrypted back-end instance before the renewal. Update the certificate, then re-import the exported LDIF file. 2.3.3.
NOTE: For existing attribute values to be encrypted, the information must be exported from the database, then re-imported. See “Exporting and importing an encrypted database”. 5. 50 Select which encryption cipher to use.
NOTE: The encryption cipher to use is set separately for each attribute, so attribute encryption is applied to each attribute one at a time. To remove encryption from attributes, select them from the list of encrypted attributes in the Attribute Encryption table, and click the Delete button, then click Save to apply the changes. Any deleted attributes have to be manually re-added after saving. 2.3.3.4 Configuring database encryption using the command line 1.
For more information on database encryption configuration schema, see "Database Attributes under cn=attributeName,cn=encrypted attributes,cn=database_name,cn=ldbm database,cn=plugins,cn=config" in the HP-UX Directory Server configuration, command, and file reference. 2.3.3.5 Exporting and importing an encrypted database Exporting and importing encrypted databases is similar to exporting and importing regular databases.
• • “Tuning database link performance” “Configuring cascading chaining” 2.4.1 Creating a new database link The basic database link configuration requires four pieces of information: • Suffix information A suffix is created in the directory tree that is managed by the database link, not a regular database. This suffix corresponds to the suffix on the remote server that contains the data.
4. 5. 54 Fill in the database link name. The name can be a combination of alphanumeric characters, dashes (-), and underscores (_). No other characters, like spaces, are allowed. Set the radio button for the appropriate method for authentication.
There are four authentication methods: • Simple The server connects over the standard port with no encryption. The only required information is the bind DN and password for the user as whom the server connects to the remote server. • Server TLS/SSL Certificate This uses the local server's SSL certificate to authenticate to the remote server.
NOTE: When the database link and remote server are configured to communicate using SSL, this does not mean that the client application making the operation request must also communicate using SSL. The client can bind using a normal port. • SASL/DIGEST-MD5 This requires the standard port to connect to the server. Like simple authentication, this requires only the bind DN and password to authenticate.
NOTE: The Console provides a checklist of information that needs to be present on the remote server for the database link to bind successfully. To view this checklist, click the new database link, and click the Authentication tab. The checklist appears in the Remote server checklist box. 2.4.1.2 Creating a database link from the command line 1. Use the ldapmodify command line utility to create a new database link from the command line.
database,cn=plugins,cn=config. For more information about configuration attributes, see the HP-UX Directory Server configuration, command, and file reference. • • • • • • • “Providing suffix information” “Providing bind credentials” “Providing an LDAP URL” “Providing a list of failover servers” “Using different bind mechanisms” (page 60) “Summary of database link configuration attributes” “Database link configuration example” 2.4.1.2.
The database link on Server A binds to Server B using a special user as defined in the nsMultiplexorBindDN attribute and a user password as defined in the nsMultiplexorCredentials attribute. In this example, Server A uses the following bind credentials: nsMultiplexorBindDN: cn=proxy admin,cn=config nsMultiplexorCredentials: secret Server B must contain a user entry corresponding to the nsMultiplexorBindDN, and set the proxy authentication rights for this user.
NOTE: When a database link is used by a client application to create or modify entries, the attributes creatorsName and modifiersName do not reflect the real creator or modifier of the entries. These attributes contain the name of the administrative user granted proxied authorization rights on the remote data server. 2.4.1.2.3 Providing an LDAP URL On the server containing the database link, identify the remote server that the database link connects with using an LDAP URL.
Ultimately, there are two connection settings. The TLS/SSL option signifies that both of the servers are configured to run and accept connections over TLS/SSL, but there is no separate configuration attribute for enforcing TLS/SSL. The connection type is identified in the nsUseStartTLS attribute. When this is on, then the server initiates a Start TLS connect over the standard port.
NOTE: If SASL is used, then the local server must also be configured to chain the SASL and password policy components. Add the components for the database link configuration, as described in “Configuring the chaining policy”. For example: ldapmodify -D "cn=directory manager" -w secret -p 389 -h server.example.
Table 2-2 Database link configuration attributes (continued) Attributes Value nsActiveChainingComponents1 Lists the components using chaining. A component is any functional unit in the server. The value of this attribute in the database link instance overrides the value in the global configuration attribute. To disable chaining on a particular database instance, use the value none. The default policy is not to allow chaining. For more information, see “Chaining component operations”.
1. Run ldapmodify to add a database link to Server A: ldapmodify -a -D "cn=directory manager" -w secret -p 389 -h server.example.com 2. Specify the configuration information for the database link: dn: cn=DBLink1,cn=chaining database,cn=plugins,cn=config objectclass: top objectclass: extensibleObject objectclass: nsBackendInstance nsslapd-suffix: c=africa,ou=people,dc=example,dc=com nsfarmserverurl: ldap://africa.example.
The second entry creates a new suffix, allowing the server to route requests made to the new database link. The cn attribute contains the same suffix specified in the nsslapd-suffix attribute of the database link. The nsslapd-backend attribute contains the name of the database link. The nsslapd-parent-suffix attribute specifies the parent of this new suffix, "ou=people,dc=example,dc=com". 3.
Additionally, an ACI must be created on the remote server to allow the specified plug-in to perform its operations on the remote server. The ACI must exist in the suffix assigned to the database link.
NOTE: The following components cannot be chained: • • • • Roles plug-in Password policy component Replication plug-ins Referential Integrity plug-in When enabling the Referential Integrity plug-in on servers issuing chaining requests, be sure to analyze performance, resource, and time needs as well as integrity needs. Integrity checks can be time-consuming and draining on memory and CPU. For further information on the limitations surrounding ACIs and chaining, see “ACI limitations”. 2.4.2.1.
6. Restart the server in order for the change to take effect. After allowing the component to chain, create an ACI in the suffix on the remote server to which the operation will be chained. For example, this creates an ACI for the Referential Integrity plug-in: aci: (targetattr "*")(target="ldap:///ou=customers,l=us,dc=example,dc=com") (version 3.0; acl "RefInt Access for chaining"; allow (read,write,search,compare) userdn = "ldap:///cn=referential integrity postoperation,cn=plugins,cn=config";) 2.4.2.1.
2.4.2.2 Chaining LDAP controls It is possible not to chain operation requests made by LDAP controls. By default, requests made by the following controls are forwarded to the remote server by the database link: • Virtual List View (VLV) Provides lists of parts of entries rather than returning all entry information. • Server-side sorting Sorts entries according to their attribute values.
4. 5. Click the Add button in the LDAP Controls forwarded by the database link section to add an LDAP control to the list. Select the OID of a control to add to the list, and click OK. 6. Click Save. 2.4.2.2.2 Chaining LDAP controls from the command line Alter the controls that the database link forwards by changing the nsTransmittedControls attribute of the cn=config,cn=chaining database, cn=plugins,cn=config entry.
1. 2. 3. In the Directory Server Console, select the Configuration tab. In the left pane, expand the Data folder, and select the database link under the suffix. In the right navigation pane, click the Authentication tab. 4. Change the connection information. • The LDAP URL for the remote server. (Unlike the standard LDAP URL format, the URL of the remote server does not specify a suffix. It has the form ldap://hostname:port/.
3. Fill in the new configuration parameters. NOTE: Changes made to the default settings of a database link are not applied retroactively. Only the database links created after changes are made to the default settings will reflect the changes. 2.4.5 Deleting database links To delete a database link, right-click the database link, and select Delete from the pop-up menu. Confirm the delete when prompted. 1. 2. 3. 72 In the Directory Server Console, select the Configuration tab.
2.4.6 Database links and access control evaluation When a user binds to a server containing a database link, the database link sends the user's identity to the remote server. Access controls are always evaluated on the remote server. Every LDAP operation evaluated on the remote server uses the original identity of the client application passed via the proxied authorization control.
NOTE: Directory Server supports both IPv4 and IPv6 IP addresses. The following restrictions apply to the ACIs used with database links: • • • ACIs must be located with any groups they use. If the groups are dynamic, all users in the group must be located with the ACI and the group. If the group is static, it may refer to remote users. ACIs must be located with any role definitions they use and with any users intended to have those roles.
2. Click the Limits and Controls tab in the right navigation pane. 2.
3. In the Connection Management section, make changes to any of the following fields: • Maximum TCP connection(s) The maximum number of TCP connections that the database link establishes with the remote server. The default value is 3 connections. • Bind timeout Amount of time, in seconds, before the database link's bind attempt times out. The default value is 15 seconds. • Maximum binds per connection Maximum number of outstanding bind operations per TCP connection.
connections open, but it uses more resources. For slow connections, it may be desirable to limit the connection time. A value of 0 indicates there is no limit. By default, the value is set to 0. 2.4.7.1.2 Managing connections to the remote server from the command line Use ldapmodify to add connection attributes to the database link entry.
The first attribute, nsMaxResponseDelay, sets a maximum duration for an LDAP operation to complete. If the operation takes more than the amount of time specified in this attribute, the database link's server suspects that the remote server is no longer online. After the nsMaxResponseDelay period has been met, the database link pings the remote server. During the ping, the database link issues another LDAP request, a simple search request for an object that does not exist in the remote server.
2.4.8 Configuring cascading chaining The database link can be configured to point to another database link, creating a cascading chaining operation. A cascading chain occurs any time more than one hop is required to access all the data in a directory tree.
The root suffix dc=example,dc=com and the ou=people and ou=groups sub suffixes are stored on Server A. The l=europe,dc=example,dc=com and ou=groups suffixes are stored in on Server B, and the ou=people branch of the l=europe,dc=example,dc=com suffix is stored on Server C.
First, the client binds to Server A and chains to Server B using Database Link 1. Then Server B chains to the target database on Server C using Database Link 2 to access the data in the ou=people,l=europe,dc=example,dc=com branch. Because at least two hops are required for the directory to service the client request, this is considered a cascading chain. 2.4.8.2 Configuring cascading chaining using the console 1. Select the Configuration tab.
2. 3. 82 Click the Limits and Controls tab in the right navigation pane. Select the Check local ACI checkbox to enable the evaluation of local ACIs on the intermediate database links involved in the cascading chain. Selecting this checkbox may require adding the appropriate local ACIs to the database link.
4. Enter the maximum number of times a database link can point to another database link in the Maximum hops field. By default, the maximum is ten hops. After ten hops, a loop is detected by the server, and an error is returned to the client application. 2.4.8.3 Configuring cascading chaining from the command line To configure a cascade of database links through the command line: 1. Point one database link to the URL of the server containing the intermediate database link.
anonymous and pass a proxy authorization control allowing them more administrative privileges than appropriate. The proxy ACI prevents this security breach. a. b. c. Create a database, if one does not already exist, on the server containing the intermediate database link. This database will contain the admin user entry and the ACI. For information about creating a database, see “Creating databases”. Create an entry that corresponds to the administrative user in the database.
The number of hops allowed is defined using the nsHopLimit attribute. If not specified, the default value is 10. To use the control, add the following OID to the nsTransmittedControl attribute in the cn=config,cn=chaining database,cn=plugins,cn=config entry: nsTransmittedControl: 1.3.6.1.4.1.1466.29539.12 If the control is not present in the configuration file of each database link, loop detection will not be implemented. 2.4.8.
• • • “Configuring Server One” “Configuring Server Two” “Configuring Server Three” 2.4.8.6.1 Configuring Server One 1. Run ldapmodify: ldapmodify -a -D "cn=directory manager" -w secret -p 389 -h server.example.com 2.
nsmultiplexorbinddn: cn=server1 proxy admin,cn=config nsmultiplexorcredentials: secret cn: DBLink1 nsCheckLocalACI:off dn: cn="c=africa,ou=people,dc=example,dc=com",cn=mapping tree,cn=config objectclass: nsMappingTree nsslapd-state: backend nsslapd-backend: DBLink1 nsslapd-parent-suffix: "ou=people,dc=example,dc=com" cn: c=africa,ou=people,dc=example,dc=com The first section creates the entry associated with DBLink1.
nsslapd-parent-suffix: "c=africa,ou=people,dc=example,dc=com" cn: l=Zanzibar,c=africa,ou=people,dc=example,dc=com Because database link DBLink2 is the intermediate database link in the cascading chaining configuration, set the nsCheckLocalACI attribute to on to allow the server to check whether it should allow the client and proxy administrative user access to the database link. 3. The database link on Server 2 must be configured to transmit the proxy authorization control and the loop detection control.
aci:(targetattr="*")(target="l=Zanzibar,c=africa,ou=people,dc=example,dc=com") (version 3.0; acl "Client authorization for database links"; allow (all) userdn = "ldap:///uid=*,c=us,ou=people,dc=example,dc=com";) This ACI allows clients that have a UID in c=us,ou=people,dc=example,dc=com on Server 1 to perform any type of operation on the l=Zanzibar,c=africa,ou=people,dc=example,dc=com suffix tree on server three.
2.5.1 Starting the server in referral mode Referrals are used to redirect client applications to another server while the current server is unavailable or when the client requests information that is not held on the current server. For example, starting Directory Server in referral mode while there are configuration changes being made to the Directory Server will refer all clients to another supplier while that server is unavailable.
Enter multiple referral URLs separated by spaces and in quotes: "ldap://dir1.example.com:389/dc=example,dc=com" "ldap://dir2.example.com/" For more information about LDAP URLs, see Appendix C “LDAP URLs”. 2.5.2.2 Setting a default referral from the command line The ldapmodify command can add a default referral to the cn=config entry in the directory's configuration file. For example, to add a new default referral from one Directory Server, dir1.example.com, to a server named dir2.example.
2.5.3.1 Creating smart referrals using the Directory Server Console 1. 2. 3. 4. 92 In the Directory Server Console, select the Directory tab. Browse through the tree in the left navigation pane, and select the entry for which to add the referral. Right-click the entry, and select Set Smart Referrals. Select the Enable Smart Referral option. (Unchecking the option removes all smart referrals from the entry and deletes the referral object class from the entry.
5. In the Enter a new Smart Referral field, enter a referral in the LDAP URL format, then click Add. The LDAP URL must be in the following format: ldap://hostname:portnumber/[optional_dn] optional_dn is the explicit DN for the server to return to the requesting client application. 2.
To open a wizard to direct the process of adding a referral, click Construct. The Smart Referral List lists the referrals currently in place for the selected entry. The entire list of referrals is returned to client applications in response to a request with the Return Referrals for All Operations or Return Referrals for Update Operations options in the Suffix Settings tab, which is available under the Configuration tab.
7. Click OK. 2.5.3.2 Creating smart referrals from the command line Use the ldapmodify command line utility to create smart referrals from the command line. To create a smart referral, create the relevant directory entry, and add the referral object class. This object class allows a single attribute, ref. The ref attribute must contain an LDAP URL.
objectclass: inetOrgPerson objectclass: referral cn: john doe sn: doe uid: jdoe ref: ldap://directory.europe.example.com/cn=john%20doe,ou=people, l=europe,dc=example,dc=com Use the -M option with ldapmodify when there is already a referral in the DN path. For information about the ldapmodify utility, see the HP-UX Directory Server configuration, command, and file reference. 2.5.4 Creating suffix referrals The following procedure describes creating a referral in a suffix.
of directory data, and that data should be available for searches but not for updates, so it is replicated across several servers. Enabling referrals for that Directory Server only for update requests means that when a client asks to update an entry, the client is referred to the server that owns the data, where the modification request can proceed. 4. Click the Referrals tab. Enter an LDAP URL in the Enter a new referral field, or click Construct to create an LDAP URL.
The nsslapd-state attribute can also be set to referral on update. This means that the database is used for all operations except update requests. When a client application makes an update request to a suffix set to referral on update, the client receives a referral. For more information about the suffix configuration attributes, see Table 2-1 “Suffix attributes”.
3 Creating directory entries This chapter discusses how to use the Directory Server Console and the ldapmodify and ldapdelete command line utilities to modify the contents of your directory. Entries stored in Active Directory can be added to the Directory Server through Windows Sync; For more information on adding or modifying synchronized entries through Windows User Sync, see Chapter 9 “Synchronizing Directory Server with Microsoft Active Directory”.
3. Fill in the new suffix and database information. 4. In the Directory tab, right-click the top object representing the Directory Server, and choose New Root Object.
The secondary menu under New Root Object displays the new suffixes without a corresponding entry. Choose the suffix corresponding to the entry to create. 5. In the New Object window, select the object class corresponding to the new entry. The object class must contain the attribute used to name the suffix. For example, if the entry corresponds to the suffix ou=people,dc=example,dc=com, then choose the organizationalUnit object class or another object class that allows the ou attribute. 6.
Table 3-1 Entry templates and corresponding object classes Template Object Class User inetOrgPerson Group groupOfUniqueNames Organizational Unit organizationalUnit Role nsRoleDefinition Class of Service cosSuperDefinition Another type, Other allows any kind of entry to be created by allowing users to select the specific object classes and attributes to apply. 1. 2. In the Directory Server Console, select the Directory tab.
5. To display the full list of attributes available for the object class (entry type), click the Advanced button. 3.
In the Property Editor, select any additional attributes, and fill in the attribute values. 6. Click OK to save the entry. The new entry is listed in the right pane. 3.1.3 Modifying directory entries Modifying directory entries in Directory Server Console uses a dialog window called the Property Editor.
The Property Editor can be opened in several ways: • • • • From the Directory tab, by right-clicking an entry, and selecting Advanced Properties from the pop-up menu. From the Directory tab, by double-clicking an entry and clicking the Advanced button From the Create... new entry forms, by clicking the Advanced button From the New Object window, by clicking OK 3.1.3.1 Adding or removing an object class to an entry To add an object class to an entry: 1.
The Add Object Class window opens. It shows a list of object classes that can be added to the entry. 3. 106 Select the object class to add, and click OK.
To remove an object class from an entry, click the text box for the object class to remove, then click Delete Value. 3.1.3.2 Adding an attribute to an entry Before you can add an attribute to an entry, the entry must contain an object class that either requires or allows the attribute. See “Adding or removing an object class to an entry” (page 105) and Chapter 10 “Managing the directory schema” for more information. To add an attribute to an entry: 1.
2. Click Add Attribute. 3. Select the attribute to add from the list, and click OK.
NOTE: If the attribute you want to add is not listed, add the object class containing the attribute first, then add the attribute. See “Adding or removing an object class to an entry” for instructions on adding an object class. If you do not know which object class contains the attribute you need, look up the attribute in the HP-UX Directory Server schema reference, which lists the object classes that use that attribute. 4.
To remove the attribute and all its values from the entry, select Delete Attribute from the Edit menu. 3.1.3.3 Adding very large attributes The configuration attribute nsslapd-maxbersize sets the maximum size limit for LDAP requests. The default configuration of Directory Server sets this attribute at 2 megabytes. LDAP add or modify operations will fail when attempting to add very large attributes that result in a request that is larger than 2 megabytes.
3.1.3.4 Adding and removing attribute values Multivalued attributes allow multiple value for one attribute to be added to an entry. 1. In the Directory tab of the Directory Server Console, right-click the entry to modify, and select Advanced from the pop-up menu. 2. Select the attribute to which to add a value, then click Add Value. 3. Type in the new attribute value. To remove an attribute value from an entry, click the text box of the attribute value to remove, and click Delete Value. 3.1.3.
3.1.3.5.1 Language subtype Sometimes a user's name can be more accurately represented in characters of a language other than the default language. For example, a user, Noriko, has a name in Japanese and prefers that her name be represented by Japanese characters when possible. You can select Japanese as a language subtype for the givenname attribute so that other users can search for her name in Japanese as well as English.
Instead, use: cn;lang-ja:ja-value cn;lang-en-GB:value 3.1.3.5.2 Binary subtype Assigning the binary subtype to an attribute indicates that the attribute value is binary, such as user certificates (usercertificate;binary). Although you can store binary data within an attribute that does not contain the binary subtype (for example, jpegphoto), the binary subtype indicates to clients that multiple variants of the attribute type may exist. 3.1.3.5.
CAUTION: The server deletes the entry or entries immediately. There is no way to undo the delete operation. 3.2 Managing entries from the command line The command line utilities allow you to manipulate the contents of your directory. They can be useful to write scripts to perform bulk management of the directory or to test the Directory Server. For example, you might want to ensure that it returns the expected information after you have made changes to access control information.
dn: ou=Group, dc=example,dc=com ...Group subtree entries. ... 3.2.2 Creating a root entry from the command line The ldapmodify command line utility can be used to create a new root entry in a database. For example: ldapmodify -a -D "cn=directory manager" -w secret -p 389 -h server.example.com The ldapmodify utility binds to the server and prepares it to add an entry.
NOTE: To create the root entry a database suffix (such as dc=example,dc=com) using ldapmodify, you must bind to the directory as the Directory Manager. 3.2.4.1 Adding entries using ldapmodify Typically, to add the entries using ldapmodify, specify the DN and password to bind to the Directory Server, the port and host of the Directory Server, and the LDIF file to use. For example: ldapmodify -a -D "cn=directory manager" -w secret -p 389 -h server.example.com -f new.
Table 3-3 “ldapmodify options used for modifying entries” describes the ldapmodify options used in the example. Table 3-3 ldapmodify options used for modifying entries Option name Description -D Specifies the distinguished name with which to authenticate to the server. The value must be a DN recognized by the Directory Server, and it must also have the authority to modify the entries. -w Specifies the password associated with the distinguished name specified in the -D option.
Table 3-4 ldapdelete options used for deleting entries Option name Description -D Specifies the distinguished name with which to authenticate to the server. The value must be a DN recognized by the Directory Server, and it must also have the authority to modify the entries. -w Specifies the password associated with the distinguished name specified in the -D option. -h Specifies the name of the host on which the server is running. -p Specifies the port number that the server uses.
1. 2. 3. In the Directory Server Console, select the Configuration tab, then select the top entry in the navigation tree in the left pane. Select the Settings tab in the right pane. Select the Track Entry Modification Times checkbox. The server adds the creatorsName, createTimestamp, modifiersName, and modifyTimestamp attributes to every newly created or modified entry. 4. Open the Tasks tab, and click Restart Directory Server. 3.
NOTE: The Directory Server must be restarted for the changes to take effect. 3.4 LDIF update statements LDIF update statements define how ldapmodify changes the directory entry. In general, LDIF update statements contain the following information: • • • The DN of the entry to be modified. A changetype that defines how a specific entry is to be modified (add, delete, modify, modrdn). A series of attributes and their changed values. A change type is required unless ldapmodify is run with the -a option.
change_operation_identifier: list_of_attributes change_operation_identifier: list_of_attributes A dash (-) must be used to denote the end of a change operation if subsequent change operations are specified.
sn: Jacobs ou: People ou: Marketing uid: sjacobs dn: ou=Groups,dc=example,dc=com changetype: add objectclass: top objectclass: organizationalUnit ou: Groups dn: cn=Administrators,ou=Groups,dc=example,dc=com changetype: add objectclass: top objectclass: groupOfNames member: cn=Sue Jacobs,ou=People,dc=example,dc=com member: cn=Pete Minsky,ou=People,dc=example,dc=com cn: Administrators dn: ou=example.com Bolivia\, S.A.
newrdn: cn=Susan Jacobs deleteoldrdn: 1 3.4.2.1 A Note on Renaming Entries The modrdn change type cannot move an entry to a completely different subtree. To move an entry to a completely different branch, you must create a new entry in the alternative subtree using the old entry's attributes, then delete the old entry. Also, for the same reasons that you cannot delete an entry if it is a branch point, you cannot rename an entry if it has any children.
The following example adds two telephone numbers to the entry: dn: cn=Barney Fife,ou=People,dc=example,dc=com changetype: modify add: telephonenumber telephonenumber: 555-1212 telephonenumber: 555-6789 The following example adds two telephonenumber attributes and a manager attribute to the entry: dn: cn=Barney Fife,ou=People,dc=example,dc=com changetype: modify add: telephonenumber telephonenumber: 555-1212 telephonenumber: 555-6789 add: manager manager: cn=Sally Nixon,ou=People,dc=example,dc=com The foll
telephonenumber: 555-1212 telephonenumber: 555-6789 To change the telephone number 555-1212 to 555-4321, use the following LDIF update statement: dn: cn=Barney Fife,ou=People,dc=example,dc=com changetype: modify delete: telephonenumber telephonenumber: 555-1212 add: telephonenumber telephonenumber: 555-4321 The entry is now as follows: cn=Barney Fife,ou=People,dc=example,dc=com objectClass: inetOrgPerson cn: Barney Fife sn: Fife telephonenumber: 555-6789 telephonenumber: 555-4321 3.4.3.
NOTE: You can only delete leaf entries. Therefore, when you delete an entry, make sure that no other entries exist under that entry in the directory tree. That is, you cannot delete an organizational unit entry unless you have first deleted all the entries that belong to the organizational unit.
NOTE: The Referential Integrity Plug-in should only be enabled on one supplier replica in a multi-master replication environment to avoid conflict resolution loops. When enabling the plug-in on servers issuing chaining requests, be sure to analyze performance resource and time needs, as well as your integrity needs. Integrity checks can be time-consuming and draining on memory and CPU.
3. 128 Check the Enable plugin checkbox to enable the plug-in; clear it to disable it.
4. 5. Fill in the correct path to the plug-in by default; plug-ins are located in /opt/dirsrv/lib/ plugins Restart the Directory Server to apply the changes. In the Tasks tab, select Restart the Directory Server. 3.
3.5.4 Modifying the update interval By default, the server makes referential integrity updates immediately after a delete or a modrdn operation. To reduce the impact this operation has on your system, increase the amount of time between updates.
3. Restart the Directory Server to apply the changes. In the Tasks tab, select Restart the Directory Server. 3.5.5 Modifying the attribute list By default, the Referential Integrity Plug-in is set up to check for and update the member, uniquemember, owner, and seeAlso attributes. You can add or delete attributes to be updated through the Directory Server Console, such as adding the nsroledn attribute if roles are being used.
3. Restart the Directory Server to apply the changes. In the Tasks tab, select Restart the Directory Server. NOTE: All attributes used in referential integrity must be indexed for presence and equality; not indexing those attributes results poor server performance for modify and delete operations. For more information about checking and creating indexes, see “Creating indexes”. 3.
For multi-master replication, each supplier can be configured with a threshold, so that when it begins running out of numbers in its range, it can request additional ranges from other suppliers. Each supplier keeps a track of its current range in a separate configuration entry. The configuration entry is replicated to all the other suppliers, so each supplier can check that configuration to find a server to contact for a new range.
then using the magic number automatically triggers the plug-in to generate a new value. For example: ldapmodify -a -D "cn=directory manager" -w secret -p 389 -h server.example.com dn: uid=jsmith, ou=people, dc=example,dc=com objectClass: top objectClass: person objectClass: posixAccount uid: jsmith cn: John Smith uidNumber: magic .... The magic number is very useful for importing entries from LDIF or for triggering the DNA Plug-in to generate unique numbers for several different attributes.
dnatype: uidNumber dnafilter: (objectclass=posixAccount) dnascope: ou=people, dc=example,dc=com dnaNextValue: 1 If multiple suppliers are configured for distributed numeric assignments, then the entry must contain the required information to transfer ranges: • • • • The maximum number that the server can assign; this sets the upward bound for the range, which is logically required when multiple servers are assigning numbers. This is set in the dnaMaxValue attribute.
Table 3-5 DNA entry attributes (continued) Plug-in attribute Description dnaNextRange Shows the next range of numbers that are available to be transferred. This attribute can be set automatically by the plug-in according to the threshold and shared configuration information; this can also be set manually for an administrator to specifically assign an additional range of values to a server.
dnasharedcfgdn: cn=Account UIDs,ou=Ranges,dc=example,dc=com dnathreshold: 100 dnaRangeRequestTimeout: 60 dnaMagicRegen: magic 4. Restart the server to load the new plug-in instance. /opt/dirsrv/slapd-instance_name/restart-slapd 3.6.3.2 Editing the DNA plug-in in the console The Directory Server Console can be used to edit the DNA Plug-in instances. 1. 2. 3. Click the Directory tab. Open the config folder, then expand the plugins folder. Click the Distributed Numeric Assignment plug-in folder.
4. 5. Highlight the DNA instance entry, and right-click on the Advanced link to open the property editor. Edit the DNA-related attributes. 3.7 Enforcing attribute uniqueness Attribute uniqueness means that the Directory Server requires that all new or edited attributes always have unique values. Attribute uniqueness is enforced through a plug-in. A new instance of the Attribute Uniqueness Plug-in must be created for every attribute for which values must be unique. 3.7.
The Attribute Uniqueness Plug-in can operate in specific, user-defined ways: • It can check every entry in the specified subtrees. For example, if a company, example.com, hosts the directories for example_a.com and example_b.com, when an entry such as uid=jdoe,ou=people,o=example_a,dc=example,dc=com is added, uniqueness needs to be enforced only in the o=example_a,dc=example,dc=com subtree. This is done by listing the DN of the subtree explicitly in the Attribute Uniqueness Plug-in configuration.
The variable components of the Attribute Uniqueness Plug-in syntax are described in Table 3-6 “Attribute uniqueness plug-in variables”. Use the following syntax to specify to perform the uniqueness check below an entry containing a specified object class: dn: cn=descriptive_plugin_name,cn=plugins,cn=config ... nsslapd-pluginEnabled: state nsslapd-pluginarg0: attribute=attribute_name nsslapd-pluginarg1: markerObjectClass=objectclass1 nsslapd-pluginarg2: requiredObjectClass=objectclass2 ...
The format of the new entry must conform to the syntax described in “Attribute uniqueness plug-in syntax”. NOTE: HP strongly encourages you to copy and paste an existing Attribute Uniqueness Plug-in entry and only modify the attributes listed below. For example, to create an instance the Attribute Uniqueness Plug-in for the mail attribute: 1. Stop the Directory Server. Changes to the dse.ldif file are not saved if it is edited while the server is running. /opt/dirsrv/slapd-instance_name/stop-slapd 2. 3.
Alternate option: In the Directory Server Console, click the Directory tab. In the left navigation tree, expand the config folder, then the Plug-ins folder. Select the plug-in instance. Edit the attribute value fields. 3.7.4.2 Configuring attribute uniqueness plug-ins from the command line This section provides information about configuring the plug-in from the command line. • • “Specifying a suffix or subtree” “Using the markerObjectClass and requiredObjectClass keywords” 3.7.4.2.
Restrict the scope of the check by using the requiredObjectClass keyword, as shown in the following example: dn: cn=mail uniqueness,cn=plugins,cn=config ... nsslapd-pluginEnabled: on nsslapd-pluginarg0: attribute=mail nsslapd-pluginarg1: markerObjectClass=ou nsslapd-pluginarg2: requiredObjectClass=person ... The markerObjectClass or requiredObjectClass keywords cannot be repeated by incrementing the counter in the nsslapd-pluginarg attribute suffix.
l=Boston,dc=example,dc=com subtree. For example, the following two attribute-value settings are allowed: mail=bjensen,l=Chicago,dc=example,dc=com mail=bjensen,l=Boston,dc=example,dc=com To ensure that only one instance of a value exists under both subtrees, configure the plug-in to ensure uniqueness for the entire dc=example,dc=com subtree. 3.7.
4 Populating directory databases Databases contain the directory data managed by the HP-UX Directory Server. Topics include: • • • “Importing data” (page 145) “Exporting data” (page 152) “Backing up and restoring data” (page 157) 4.1 Importing data Directory Server provides three methods for importing data: • Import from the Directory Server Console Use the Directory Server Console to append data to all the databases, including database links.
The following sections describe importing data: • • • “Importing a database from the console” “Initializing a database from the console” “Importing from the command line” CAUTION: All imported LDIF files must also contain the root suffix. 4.1.1 Importing a database from the console When performing an import operation from the Directory Server Console, an ldapmodify operation is executed to append data, as well as to modify and delete entries.
• Add Only The LDIF file may contain modify and delete instructions in addition to the default add instructions. For the server to ignore operations other than add, select the Add only checkbox. • Continue on Error Select the Continue on error checkbox for the server to continue with the import even if errors occur. For example, use this option to import an LDIF file that contains some entries that already exist in the database in addition to new ones.
Alternatively, select Initialize Database from the Object menu. 4. 148 In the LDIF file field, enter the full path to the LDIF file to import, or click Browse.
5. If the Console is running from a machine local to the file being imported, click OK and proceed with the import immediately. If the Console is running from a machine remote to the server containing the LDIF file, select one of the following options, then click OK: • From local machine Indicates that the LDIF file is located on the local machine. • From server machine Indicates that the LDIF file is located on a remote server. The default LDIF directory is /var/opt/dirsrv/slapd-instance_name/ldif.
By default, the script first saves then merges any existing o=NetscapeRoot configuration information with the o=NetscapeRoot configuration information in the files being imported. CAUTION: This script overwrites the data in the database whether the command is successful or not. To import LDIF: 1. Stop the server. For more information about the command to start and stop the HP-UX Directory Server, see“Starting and stopping servers”. /opt/dirsrv/slapd-instance_name/stop-slapd 2.
4.1.3.2 Importing using the ldif2db.pl Perl script As with the ldif2db script, the ldif2db.pl script overwrites the data in the specified database. This script requires the server to be running in order to perform the import. CAUTION: This script overwrites the data in the database whether the command is successful or not. 1. Run the ldif2db.pl script. /opt/dirsrv/slapd-instance_name/ldif2db.pl -D "cn=Directory Manager" -w secret \ -I /var/opt/dirsrv/slapd-instance_name/ldif/demo.
This task entry requires three attributes: • • • A unique name (cn) The file name of the LDIF file to import (nsFilename) The name of the database into which to import the file (nsInstance) It is also possible to supply the DNs of suffixes to include or exclude from the import, analogous to the -s and -x options, respectively, for the ldif2db and ldif2db.pl scripts. The entry is simply added using ldamodify, as described in “Adding and modifying entries using ldapmodify”.
NOTE: The export operations do not export the configuration information (cn=config), schema information (cn=schema), or monitoring information (cn=monitor). Figure 4-1 Splitting a database contents into two databases The Directory Server Console or command line utilities can be used to export data.
Alternatively, select the Configuration tab and click the Export from the Console menu. 2. Enter the full path and file name of the LDIF file in the LDIF File field, or click Browse to locate the file. Browse is not enabled if the Console is running on a remote server. When the Browse button is not enabled, the file is stored in the default directory, /var/opt/dirsrv/slapd-instance_name/ldif. (For a list of Directory Server file locations, see “Directory Server file locations”.) 3.
Alternatively, select Export Database from the Object menu. 4. In the LDIF file field, enter the full path to the LDIF file, or click Browse. When the Browse button is not enabled, the file is stored in the default directory, /var/opt/dirsrv/slapd-instance_name/ldif. 4.
4.2.3 Exporting to LDIF from the command line There are three methods for exporting data through the command line: • Using db2ldif This method runs the command-line utility; unlike the import script, ldif2db, this utility can be run while the server is running. • Using db2ldif.pl This Perl script behaves the same as the db2ldif command-line utility and takes the same options. • Creating a cn=tasks entry This method creates a temporary task entry that automatically launches an export operation.
Table 4-4 db2ldif options Option Description -n Specifies the name of the database from which the file is being exported. -s Specifies the suffix or suffixes to include in the export. If the suffix is a root suffix, such as dc=example,dc=com, then the -n option is not required. There can be multiple -s arguments. -a Defines the output file to which Directory Server exports the LDIF. This file must be an absolute path.
• • • “Restoring a single database” “Restoring databases that include replicated entries” “Restoring the dse.ldif configuration file” CAUTION: Do not stop the server during a backup or restore operation. 4.3.1 Backing up all databases The following procedures describe backing up all the databases in the directory using the Directory Server Console and from the command line.
4.3.1.2 Backing up all databases from the command line Databases can be backed up from the command line using the db2bak command line script. This script works when the server is running or when the server is stopped. Configuration information cannot be backed up using this backup method. For information on backing up the configuration information, see “Backing up all databases from the command line”. To back up the directory from the command line using the db2bak script: 1.
4.3.3 Restoring all databases The following procedures describe restoring all the databases in the directory using the Directory Server Console and from the command line. NOTE: While restoring databases, the server must be running. However, the databases will be unavailable for processing operations during the restore. 4.3.3.1 Restoring all databases from the console If the databases become corrupted, restore data from a previously generated backup using the Directory Server Console.
4.3.3.2 Restoring your database from the command line There are three ways to restore databases from the command line: • • • Using the bak2db command line script. This script requires the server to be shut down. Using the bak2db.pl Perl script. This script works while the server is running. Creating a temporary entry under cn=restore, cn=tasks, cn=config. This method can also be run while the server is running. 4.3.3.2.
nsArchiveDir: /home/backups/ nsDatabaseType: ldbm database As soon as the task is completed, the entry is removed from the directory configuration. The HP-UX Directory Server configuration, command, and file reference has more information on the available attributes for running database restore tasks under the cn=tasks entries. 4.3.4 Restoring a single database It is possible to restore a single database through the command line, but not in the Directory Server Console. To restore a single database: 1.
4.3.6 Restoring the dse.ldif configuration file The directory creates two backup copies of the dse.ldif file in the /etc/opt/dirsrv/slapd-instance_name directory. The dse.ldif.startOK file records a copy of the dse.ldif file at server start up. The dse.ldif.bak file contains a backup of the most recent changes to the dse.ldif file. Use the version with the most recent changes to restore the directory. To restore the dse.ldif configuration file: 1. Stop the server.
5 Organizing entries with roles, class of service, and views Entries contained within the directory can be grouped in different ways to simplify the management of user accounts. HP-UX Directory Server supports a variety of methods for grouping entries and sharing attributes between entries. To take full advantage of the features offered by roles and class of service, determine the directory topology when planning the directory deployment.
Managed roles can do everything that can normally be done with static groups. The role members can be filtered using filtered roles, similarly to the filtering with dynamic groups. Roles are easier to use than groups, more flexible in their implementation, and reduce client complexity. However, evaluating roles is more resource-intensive for the Directory Server than evaluating groups because the server does the work for the client application.
NOTE: The nsAccountLock attribute is an operational attribute and must be explicitly requested in the search command in the list of search attributes. For example: ldapsearch ... args ... “(uid=scarter)” \* nsAccountLock The Console will automatically show the active or inactive status of entries. 5.1.
Alternatively, right-click the entry and select New→Role. 4. 168 Click General in the left pane. Type a name for the new role in the Role Name field. The role name is required.
5. 6. 7. Enter a description of the new role in the Description field. Click Members in the left pane. In the right pane, select Managed Role. Click Add to add new entries to the list of members. 5.
8. In the Search drop-down list, select Users from the Search drop-down list, then click Search. Select one of the entries returned, and click OK. 9. After adding all the entries, click OK.
NOTE: The nsRoleDN attribute is an operational attribute and must be explicitly requested in the search command in the list of search attributes. For example: ldapsearch ... args ... “(uid=scarter)” \* nsRole nsRoleDN The Console will automatically show the nsRoleDN attribute. 5.1.2.2 Creating a filtered role Entries are assigned to a filtered role depending whether the entry possesses a specific attribute defined in the role. The role definition specifies an LDAP filter for the target attributes.
5. 6. Enter a description of the new role in the Description field. Click Members in the left pane. A search dialog box appears briefly. 7. 172 In the right pane, select Filtered Role.
8. Enter an LDAP filter in the text field, or click Construct to be guided through the construction of an LDAP filter. The Construct opens the standard LDAP URL construction dialog. Ignore the fields for LDAP Server Host, Port, Base DN, and Search (because the search scope cannot be set filtered role definitions). • Select the types of entries to filter from the For drop-down list. The entries can be users, groups, or both. • Select an attribute from the Where drop-down list.
• 9. contains, does not contain, is, or is not. Enter an attribute value in the text box. To add additional filters, click More. To remove unnecessary filters, click Fewer. Click OK. Click Test to try the filter. 10. Click OK. NOTE: The nsRoleDN attribute is an operational attribute and must be explicitly requested in the search command in the list of search attributes. For example: ldapsearch ... args ...
To create and add members to a nested role: 1. 2. 3. In the Directory Server Console, select the Directory tab. Browse the tree in the left navigation pane, and select the parent entry for the new role. Go to the Object menu, and select New→Role. 4. Alternatively, right-click the entry and select New→Role. Click General in the left pane. Type a name for the new role in the Role Name field. The role name is required. 5.
5. 6. 176 Click Members in the left pane. In the right pane, select Nested Role.
7. 8. Click Add to add roles to the list. The members of the nested role are members of other existing roles. Select a role from the Available roles list, and click OK. NOTE: The nsRoleDN attribute is an operational attribute and must be explicitly requested in the search command in the list of search attributes. For example: ldapsearch ... args ... “(uid=scarter)” \* nsRole nsRoleDN The Console will automatically show the nsRoleDN attribute. 5.1.2.
4. Select the Managed Roles tab to display the managed roles to which this entry belongs. To add a new managed role, click Add, and select an available role from the Role Selector window. To edit a managed role associated with an entry, click Edit. The Edit Entry dialog box opens. Make any changes to the general information or members. 5. 178 Select the Other Roles tab to view the filtered or nested roles to which this entry belongs.
Click Edit to make changes to any filtered or nested roles associated with the entry. Click OK. 5.1.2.5 Modifying a role entry To edit an existing role: 1. 2. 3. In the Directory Server Console, select the Directory tab. Browse the navigation tree in the left pane to locate the base DN for the role. Roles are listed in the right pane with other entries. Double-click the role. 5.
4.
• • General to change the role name and description. Members to change the members of managed and nested roles or to change the filter of a filtered role. 5.1.2.6 Making a role inactive or active Members of a role can be temporarily disabled by inactivating the role to which they belong. Inactivating a role inactivates the entries possessed by the role, not the role itself. To temporarily disable the members of a role: 1. 2. In the Directory Server Console, select the Directory tab.
3. Double-click the role, open the Account tab, and click the Inactivate button. Alternatively, select the role. Right-click the role and select Inactivate from the menu.
The role is inactivated. To see the inactivated entries, select Inactivation State from the View menu. Members of an inactivated role have a red slash through them. For example, T Morris is a member of the inactive Example Role. To reactivate a disabled role, re-open the role configuration or open the Object menu, and select Activate. All the members of the role are reenabled. 5.1.2.7 Deleting a role Deleting a role deletes the role only, not its members. To delete a role: 1. 2. 3.
A dialog box appears to confirm the deletion. Click Yes. NOTE: Deleting a role deletes the role entry but does not delete the nsRoleDN attribute for each role member. To delete the nsRoleDN attribute for each role member, enable the Referential Integrity plug-in, and configure it to manage the nsRoleDN attribute. For more information on the Referential Integrity plug-in, see “Maintaining referential integrity”. 5.1.
Table 5-1 Object classes and attributes for roles Role type Object classes Attributes Managed Role nsSimpleRoleDefinition nsManagedRoleDefinition description (optional) Filtered Role nsComplexRoleDefinition nsFilteredRoleDefinition nsRoleFilter Description (optional) Nested Role nsComplexRoleDefinition nsNestedRoleDefinition nsRoleDN Description (optional) The attributes nsRole and nsRoleDN are operational attributes.
changetype: modify add: nsRoleDN nsRoleDN: cn=Marketing,ou=people,dc=example,dc=com The nsRoleDN attribute in the entry indicates that the entry is a member of a managed role, cn=Marketing,ou=people,dc=example,dc=com. 5.1.3.2 Example: filtered role definition This example creates a filtered role that is applied to all sales managers 1. Run ldapmodify: ldapmodify -D "cn=Directory Manager" -w secret -h host -p 389 2. Create the filtered role entry.
nsRoleDN: cn=SalesManagerFilter,ou=people,dc=example,dc=com nsRoleDN: cn=Marketing,ou=people,dc=example,dc=com Both the users in the previous examples, Bob and Pat, are members of this new nested role. 5.1.4 Using roles securely Not every role is suitable for use in a security context. When creating a new role, consider how easily the role can be assigned to and removed from an entry.
5.2.1 About CoS Clients of the Directory Server read the attributes in a user's entry. With CoS, some attribute values may not be stored within the entry itself. Instead, these attribute values are generated by class of service logic as the entry is sent to the client application. Each CoS is comprised of two types of entry in the directory: • CoS definition entry The CoS definition entry identifies the type of CoS used. Like the role definition entry, it inherits from the LDAPsubentry object class.
The relative distinguished name (RDN) of the template entry is determined by one of the following: • • • The DN of the template entry alone. This type of template is associated with a pointer CoS definition. The value of one of the target entry's attributes. The attribute used to provide the relative DN to the template entry is specified in the CoS definition entry using the cosIndirectSpecifier attribute. This type of template is associated with an indirect CoS definition.
Figure 5-2 Sample indirect CoS In this example, the target entry for William Holiday contains the indirect specifier, the manager attribute. William's manager is Carla Fuentes, so the manager attribute contains a pointer to the DN of the template entry, cn=Carla Fuentes,ou=people,dc=example,dc=com. The template entry in turn provides the departmentNumber attribute value of 318842. 5.2.1.
Figure 5-3 Sample classic CoS In this example, the CoS definition entry's cosSpecifier attribute specifies the employeeType attribute. This attribute, in combination with the template DN, identify the template entry as cn=sales,cn=exampleUS,cn=data. The template entry then provides the value of the postalCode attribute to the target entry. 5.2.1.6 Searches for CoS-specified attributes CoS definitions provide values for attributes in entries.
Because of the potential issues with running LDAP search requests on CoS-defined attributes, take care when deciding which attributes to generate using a CoS. 5.2.2 Managing CoS using the console This section describes creating and editing CoS through the Directory Server Console: • • • “Creating a new CoS” “Creating the CoS template entry” “Deleting a CoS” 5.2.2.1 Creating a new CoS 1. 2. 3. In the Directory Server Console, select the Directory tab.
5. Click Attributes in the left pane. The right pane displays a list of attributes generated on the target entries. Click Add to browse the list of possible attributes and add them to the list. 5.
6. 194 After an attribute is added to the list, a drop-down list appears in the Class of Service Behavior column.
• • • • Select Does not override target entry attribute to tell the directory to only return a generated value if there is no corresponding attribute value stored with the entry. Select Overrides target entry attribute to make the value of the attribute generated by the CoS override the local value.
• By its DN To have the template entry identified by only its DN (a pointer CoS), enter the DN of the template in the Template DN field. Click Browse to locate the DN on the local server. This will be an exact DN, such as cn=CoS template,ou=People,dc=example,dc=com. • Using the value of one of the target entry's attribute To have the template entry identified by the value of one of the target entry's attributes (an indirect CoS), enter the attribute name in the Attribute Name field.
1. 2. In the Directory Server Console, select the Directory tab. Browse the tree in the left navigation pane, and select the parent entry that contains the class of service. The CoS appears in the right pane with other entries. 3. Right-click the CoS, and select New→Other. Alternatively, select the CoS in the right pane, click Object in the menu at the top, and select New→Other. 4. Select cosTemplate from the list of object classes. 5.
NOTE: The LDAPsubentry object class can be added to a new template entry. Making the CoS template entry an instance of the LDAPsubentry object class allows ordinary searches to be performed unhindered by the configuration entries. However, if the template entry already exists and is used for something else (for example, if it is a user entry), the LDAPsubentry object class does not need to be added to the template entry. 5. 198 Select the object classes attribute, and click Add Value.
6. Add the extensibleObject object class. This makes it possible to add any attribute available in the directory. 5.
7. 200 Click the Add Attribute button.
8. Add the cn attribute, and give it a value that corresponds to the attribute value in the target entry. For example, if the manager attribute is used to set the value for a classic CoS, give the cn a value of a manager's DN, such as uid=bparker,ou=people,dc=example,dc=com. Alternatively, set it to a role, such as cn=QA Role,dc=example,dc=com or a regular attribute value. For example, if the employeeType attribute is selected, it can be full time or temporary. 5.
9. Click the Change button in the lower right corner to change the naming attribute. Use the cn of the entry as the naming attribute instead of cospriority.
10. Click the Add Attribute button, and add the attributes listed in the CoS. The values used here will be used throughout the directory in the targeted entries. 11. Set the cospriority. There may be more than one CoS that applies to a given attribute in an entry; the cospriority attribute ranks the importance of that particular CoS. The higher cospriority will take precedence in a conflict. The highest priority is 0. Templates that contain no cosPriority attribute are considered the lowest priority.
To edit the description or attributes generated on the target entry of an existing CoS, simply double-click the CoS entry listed in the Directory tab, and make the appropriate changes in the editor window. 5.2.2.3 Deleting a CoS 1. 2. In the Directory Server Console, select the Directory tab. Browse the tree in the left navigation pane, and select the parent entry that contains the class of service. The CoS appears in the right pane with other entries. 3. Right-click the CoS, and select Delete.
A pointer CoS uses the cosPointerDefinition object class. This object class identifies the template entry using an entry DN value specified in the cosTemplateDn attribute, as shown in Example 5-1 “An example pointer CoS entry”.
There are four qualifiers: • default Only returns a generated value if there is no corresponding attribute value stored with the entry. • override Always returns the value generated by the CoS, even when there is a value stored with the entry. • operational Returns a generated attribute only if it is explicitly requested in the search. Operational attributes do not need to pass a schema check in order to be returned. When operational is used, it also overrides any existing attribute values.
NOTE: Consider adding the LDAPsubentry object class to a new template entry. Making the CoS template entry an instance of the LDAPsubentry object classes allows ordinary searches to be performed unhindered by the configuration entries. However, if the template entry already exists and is used for something else, such as a user entry, the LDAPsubentry object class does not need to be added to the template entry.
dn: cn=pointerCoS,dc=example,dc=com objectclass: top objectclass: cosSuperDefinition objectclass: cosPointerDefinition cosTemplateDn: cn=exampleUS,ou=data,dc=example,dc=com cosAttribute: postalCode 3. Create the template entry.
objectclass: cosSuperDefinition objectclass: cosClassicDefinition cosTemplateDn: cn=classicCoS,dc=example,dc=com cosSpecifier: businessCategory cosAttribute: postalCode override 3. Create the template entries for the sales and marketing departments. Add the CoS attributes to the template entry.
To create a role-based attribute, use the nsRole attribute as the cosSpecifier in the CoS definition entry of a classic CoS. Because the nsRole attribute can be multivalued, CoS schemes can be defined that have more than one possible template entry. To resolve the ambiguity of which template entry to use, include the cosPriority attribute in the CoS template entry. For example, this CoS allows members of the manager role to exceed the standard mailbox quota.
container entry is added, all the entries that match the view filter instantly populate the view. The target entries only appear to exist in the view; their true location never changes. For example, a view may be created as ou=Location Views, and a filter is set for l=Mountain View. Every entry, such as cn=Jane Smith,l=Mountain View,ou=People,dc=example,dc=com, is immediately listed under the ou=Location Views entry, but the real cn=Jane Smith entry remains in the ou=People,dc=example,dc=com subtree.
4. 212 Select nsview from the New Object menu, and click OK.
5. In the Property Editor window, click the Add Value button, and add the organization unit object class. 5.
6. Name the organization unit according to how to organize the views. For instance, ou=Sunnyvale. Make the ou attribute the naming attribute. 7. Click the Add Attribute button, and add the nsviewfilter attribute.
8. Create a filter that reflects the views, such as .(l=Sunnyvale). 5.
9. Click the Change button in the lower right corner to change the naming attribute. Use the ou of the entry as the naming attribute instead of description. 10. Click OK to close the attributes box, and click OK again to save the new view entry. The new view is immediately populated with any entries matching the search filter, and any new entries added to directory are automatically included in the view.
5.3.2 Deleting views from the Directory Server Console 1. 2. 3. 4. Select the Directory tab. Select the view to delete, such as ou=Sunnyvale,ou=LocationViews,dc=example,dc=com. To delete all the views, delete the entire sub suffix,ou=LocationViews,dc=example,dc=com. Right-click the entry, and select Delete from the drop-down menu. A dialog box appears to confirm the deletion of the entry. Click Yes. 5.3.3 Creating views from the command line 1.
NOTE: Managing groups is significantly easier by using the memberOf attribute to identify in user entries to what groups a user belongs. The memberOf attribute is maintained by the Directory Server and updated automatically on entries as group membership changes. For information on using the memberOf attribute, see “Using the memberOf Attribute to manage group membership information”. 5.4.
Alternatively, go to the Object menu, and select New→Group. 3. Click General in the left pane. Type a name for the new group in the Group Name field (the name is required), and enter a description of the new group in the Description field. 5.
4. 5. 6. 220 Click Members in the left pane. In the right pane, select the Static Group tab. Click Add to add new members to the group. In the Search drop-down list, select what sort of entries to search for (users, groups, or both) then click Search. Select the members from the returned entries, and click OK.
7. Click Languages in the left pane to add language-specific information for the group. 5.
8. Click OK to create the new group. It appears in the right pane. To edit a static group, double-click the group entry, and make the changes in the editor window. To view the changes, go to the View menu, and select Refresh. NOTE: The Console for managing static groups may not display all possible selections during a search operation if there is no VLV index for users' search. This problem occurs only when the number of users is 1000 or more and there is no VLV index for search.
Alternatively, go to the Object menu, and select New→Group. 3. Click General in the left pane. Type a name for the new group in the Group Name field (the name is required), and enter a description of the new group in the Description field. 5.
4. 5. Click Members in the left pane. In the right pane, select the Dynamic Group tab. Click Add to create a LDAP URL for querying the database. Enter an LDAP URL in the text field or select Construct to be guided through the construction of an LDAP URL. The results show the current entries (group members) that correspond to the filter.
6. Click Languages in the left pane to add language-specific information for the group. 7. Click OK. The new group appears in the right pane. To edit a dynamic group, double-click the group entry to open the editor window, and make whatever changes to the dynamic group. To view the changes to the group, go to the View menu, and select Refresh. 5.
NOTE: The Console for managing dynamic groups may not display all possible selections during a search operation if there is no VLV index for users' search. This problem can occur when the number of users is 1000 or more and there is no VLV index for search. To work around the problem, create a VLV index for the users suffix with the filter (objectclass=person) and scope sub-tree. 5.4.
objectClass: top objectClass: groupofuniquenames objectClass: groupofurls cn: dynamic group description: Example dynamic group memberURL: ldap:///dc=example,dc=com??sub?(&(objectclass=person)(cn=*sen*)) 5.4.4 Using the memberOf Attribute to manage group membership information The entries that belong to a group are defined, in some way, in the group entry itself. This makes it very easy to look at a group and see its members and to manage group membership centrally.
Example 5-4 Default MemberOf plug-in entry dn: cn=MemberOf Plugin,cn=plugins,cn=config objectClass: top objectClass: nsSlapdPlugin objectClass: extensibleObject cn: MemberOf Plugin nsslapd-pluginPath: libmemberof-plugin nsslapd-pluginInitfunc: memberof_postop_init nsslapd-pluginType: postoperation nsslapd-pluginEnabled: on nsslapd-plugin-depends-on-type: database memberofgroupattr: member memberofattr: memberOf nsslapd-pluginId: memberof nsslapd-pluginVersion: 8.1.
3. Make sure that the plug-in is enabled. This is disabled by default. 5.
4. 5. Click the Advanced button to open the Advanced Properties Editor. The memberofgroupattr attribute sets the attribute in the group entry which the server uses to identify member entries. The memberofattr attribute sets the attribute, which the plug-in creates and manages on user entries. 6. 7. Save the changes. Restart the server to update the plug-in. For example, open the Tasks tab and click the Restart server task. 5.4.4.2.2 Editing the MemberOf Plug-in from the command line 1.
/opt/dirsrv/slapd-instance_name/restart-slapd 5.4.4.3 Synchronizing memberOf values The MemberOf Plug-in automatically manages the memberOf attribute on group member entries, based on the configuration in the group entry itself. However, the memberOf attribute can be edited on a user entry directly (which is improper) or new entries can be imported or replicated over to the server that have a memberOf attribute already set.
6 Managing access control HP-UX Directory Server allows you to control access to your directory. This chapter describes the how to implement access control. To take full advantage of the power and flexibility of access control, while you are in the planning phase for your directory deployment, define an access control strategy as an integral part of your overall security policy.
6.1.2 ACI placement If an entry containing an ACI does not have any child entries, the ACI applies to that entry only. If the entry has child entries, the ACI applies to the entry itself and all entries below it. As a direct consequence, when the server evaluates access permissions to any given entry, it verifies the ACIs for every entry between the one requested and the directory suffix, as well as the ACIs on the entry itself.
For more information on how to chain access control evaluation, see “Database links and access control evaluation”. • Attributes generated by class of service (CoS) cannot be used in all ACI keywords.
NOTE: LDIF ACI statements can be very complex. However, if you are setting access control for a large number of directory entries, using LDIF is the preferred because it is faster than using the Console. To familiarize yourself with LDIF ACI statements, however, you may want to use the Directory Server Console to set the ACI then click the Edit Manually button on the Access Control Editor. This shows you the correct LDIF syntax.
• • • keyword indicates the type of target. equal (=) indicates that the target is the object specified in the expression, and not equal (!=) indicates the target is not the object specified in the expression. expression identifies the target. The quotation marks ("") around expression are required. What you use for expression is dependent upon the keyword that you supply. Table 6-1 “LDIF target keywords” lists each keyword and the associated expressions.
NOTE: If the DN of the entry to which the access control rule applies contains a comma, escape the comma with a single backslash (\), such as (target="ldap:///uid=lfuentes,dc=example.com Bolivia\,S.A."). Wildcards can be used when targeting a distinguished name using the target keyword. The wildcard indicates that any character or string or substring is a match for the wildcard. Pattern matching is based on any other strings that have been specified with the wildcard.
(targetattr = "attribute1 || attribute2 ...|| attributen") attributeX is the name of the targeted attribute. For example, this targets the common name (cn) attribute: (targetattr = "cn") To target an entry's common name, surname, and UID attributes, use the following: (targetattr = "cn || sn || uid") The attributes specified in the targetattr keyword apply to the entry that the ACI is targeting and to all the entries below it.
NOTE: Although using LDAP filters can be useful when you are targeting entries and attributes that are spread across the directory, the results are sometimes unpredictable because filters do not directly name the object for which you are managing access. The set of entries targeted by a filtered ACI is likely to change as attributes are added or deleted.
target ou=people,dc=example,dc=com, and there are not any organizational units (ou) defined below that node, you could specify an ACI that contains targetattr=ou. A safer method is to use the targetfilter keyword and to specify explicitly an attribute value that appears in the entry alone. For example, during the installation of the Directory Server, the following ACI is created: aci: (targetattr="*")(targetfilter=(o=NetscapeRoot))(version 3.
Rights are granted independently of one another. This means, for example, that a user who is granted add rights can create an entry but cannot delete it if delete rights have not been specifically granted. Therefore, when planning the access control policy for your directory, you must ensure that you grant rights in a way that makes sense for users. For example, it does not usually make sense to grant write permission without granting read and search permissions.
aci: (targetattr = "mail")(version 3.0; acl "self access to mail"; allow (read, search) userdn = "ldap:///self";) The search result list is empty because this ACI does not grant access to the objectclass attribute. If you want the search operation described above to be successful, modify the ACI to allow read and search access for the mail and objectclass attributes. aci: (targetattr = "mail || objectclass")(version 3.0; acl "self access to mail"; allow (read, search) userdn = "ldap:///self";) 6.3.3.
keyword = "expression"; or keyword != "expression"; Equal (=) indicates that keyword and expression must match in order for the bind rule to be true, and not equal (!=) indicates that keyword and expression must not match in order for the bind rule to be true. NOTE: The timeofday keyword also supports the inequality expressions (<, <=, >,>=). This is the only keyword that supports these expressions. The quotation marks ("") around expression and the delimiting semicolon (;) are required.
NOTE: If a DN contains a comma, the comma must be preceded by a backslash (\) escape character. 6.4.2.1 Anonymous access (anyone keyword) Granting anonymous access to the directory means that anyone can access it without providing a bind DN or password and regardless of the circumstances of the bind. You can limit anonymous access to specific types of access (for example, read or search access) or to specific subtrees or individual entries within the directory.
groupdn="ldap:///dc=example,dc=com??sub?(ou=engineering) && ldap:///dc=example,dc=com??sub?(manager="uid=bjensen,ou=managers, dc=example,dc=com")" For more information about LDAP URLs, see Appendix C “LDAP URLs”. 6.4.2.6 Wildcards You can also specify a set of users by using the wildcard character (*). For example, specifying a user DN of uid=u*,dc=example,dc=com indicates that only users with a bind DN beginning with the letter u are allowed or denied access based on the permissions you set.
Table 6-4 userdn keyword examples (continued) Scenario Example Description Userdn keyword containing the all keyword userdn = "ldap:///all"; The bind rule is evaluated to be true for any valid bind DN. To be true, a valid distinguished name must be presented by the user for a successful bind operation. For example, if you want to grant read access to the entire tree to all authenticated users, you would create the following ACI on the dc=example,dc=com node: aci:(version 3.
(groupdn = "ldap:///ou=Groups, dc=example,dc=com??sub?(cn=*s_0)" or groupdn = "ldap:///ou=Groups,dc=example,dc=com??sub?(cn=*s_1)") and groupdn = "ldap:///ou=Groups, dc=example,dc=com??sub?(cn=*s_2)" When stringing multiple groupdn URLs together, the keyword supports pipes to separate the URLs: groupdn = "LDAPURI0 || LDAPURL1 || LDAPURL2" However, it is not permissible to use ampersands (&) as part of the expressions, such as groupdn = "LDAPURI0 && LDAPURL1", or double quotes, such as userdn = "ldap:///cn
6.4.5 Defining access based on value matching You can set bind rules to specify that an attribute value of the entry used to bind to the directory must match an attribute value of the targeted entry. For example, you can specify that the bind DN must match the DN in the manager attribute of a user entry in order for the ACI to apply. In this case, only the user's manager would have access to the entry. This example is based on DN matching.
If you are using static groups that are under the same suffix as the targeted entry, you can use the following expression: userattr = "ldap:///dc=example,dc=com?owner#GROUPDN" In this example, the group entry is under the dc=example,dc=com suffix. The server can process this type of syntax more quickly than the previous example. (By default, owner is not an allowed entry in a user's entry. You would have to extend your schema to allow this attribute in a person object.) 6.4.5.1.
When you use the userattr keyword in association with the parent keyword, the syntax is as follows: userattr = "parent[inheritance_level].attrName#bindType Using an attribute type that requires a value other than a user DN, group DN, role DN, or an LDAP filter, the syntax is as follows: userattr = "parent[inheritance_level].attrName#attrValue • • • inheritance_level is a comma-separated list that indicates how many levels below the target inherits the ACI.
This ACI grants managers all rights on the entries of employees that report to them. However, because access rights are evaluated on the entry being created, this type of ACI would also allow any employee to create an entry in which the manager attribute is set to their own DN. For example, disgruntled employee Joe (cn=Joe,ou=eng,dc=example,dc=com) might want to create an entry in the Human Resources branch of the tree to use (or misuse) the privileges granted to Human Resources employees.
dns = "DNS_Hostname or dns != "DNS_Hostname CAUTION: The dns keyword requires that the naming service used on your machine is DNS. If the name service is not DNS, use the ip keyword instead. The dns keyword requires a fully qualified DNS domain name. Granting access to a host without specifying the domain creates a potential security threat. For example, the following expression is allowed but not recommended: dns = "legend.eng"; Instead, use a fully qualified name: dns = "legend.eng.example.
timeofday = "1200"; • The bind rule is evaluated to be true if the client is accessing the directory at any time other than 1 a.m. timeofday != "0100"; • The bind rule is evaluated to be true if the client is accessing the directory at any time after 8 a.m. timeofday > "0800"; • The bind rule is evaluated to be true if the client is accessing the directory at any time before 6 p.m. timeofday < "1800"; • The bind rule is evaluated to be true if the client is accessing the directory at 8 a.m.
6.4.9.1 Examples The following are examples of the authmethod keyword: • Authentication is not checked during bind rule evaluation. authmethod = "none"; • The bind rule is evaluated to be true if the client is accessing the directory using a username and password. authmethod = "simple"; • The bind rule is evaluated to be true if the client authenticates to the directory using a certificate over LDAPS.
6.5 Creating ACIs from the console You can use the Directory Server Console to view, create, edit, and delete access control instructions for your directory: • • • • “Displaying the Access Control Editor” “Creating a new ACI” “Editing an ACI” “Deleting an ACI” See “Access control usage examples” for a collection of access control rules commonly used in Directory Server security policies, along with step-by-step instructions for using the Directory Server Console to create them.
4. Click New to open the Access Control Editor. 6.
Figure 6-2 Access Control Editor window 6.5.2 Creating a new ACI To create a new ACI in the Directory Server Console: 1. Open the Access Control Editor, as described in “Displaying the Access Control Editor”. If the view displayed is different from Figure 6-2 “Access Control Editor window”, click the Edit Visually button. 2. Type the ACI name in the ACI Name field. The name can be any unique string to identify the ACI. If you do not enter a name, the server uses unnamed ACI. 3.
a. b. c. Select a search area from the drop-down list, enter a search string in the Search field, and click the Search button. You can use wildcards (an asterisk, *) to search for partial usernames. The search results are displayed in the list below. Highlight the entries you want in the search result list, and click the Add button to add them to the list of entries that have access permission. Click OK to dismiss the Add Users and Groups window.
5. 260 Click the Targets tab. Click This Entry to display the current node as the target for the ACI or click Browse to select a different suffix.
NOTE: You can change the value of the target DN, but the new DN must be a direct or indirect child of the selected entry. If you do not want every entry in the subtree under this node to be targeted by the ACI, enter a filter in the Filter for Sub-entries field. The filter applies to every entry below the target entry; for example, setting a filter of ou=Sales means that only entries with ou=Sales in their DN are returned.
You can specify a host name or an IP address. With an IP address, you can use an asterisk (*) as a wildcard. NOTE: Directory Server supports both IPv4 and IPv6 IP addresses. 7. Click the Times tab to display the table showing at what times access is allowed. By default, access is allowed at all times. You can change the access times by clicking and dragging the cursor over the table. You cannot select discrete blocks of time, only continuous time ranges.
8. When you have finished editing the ACI, click OK. The Access Control Editor closes, and the new ACI is listed in the Access Control Manager window. NOTE: For any point of creating the ACI, you can click the Edit Manually button to display the LDIF statement corresponding to the wizard input. You can modify this statement, but your changes may not be visible in the graphical interface. 6.5.3 Editing an ACI To edit an ACI: 1.
1. In the Directory tab, right-click the top entry in the subtree, and choose Set Access Permissions from the pop-up menu. The Access Control Manager window opens with a list of ACIs belonging to the entry. 2. 3. In the Access Control Manager window, select the ACI to delete. Click Remove. The ACI is no longer listed in the Access Control Manager window. 6.6 Viewing ACIs All the ACIs under a single suffix in the directory can be viewed from the command line by using the following ldapsearch command.
A) is the GER subject; their rights are the subject of the search. The entry or entries to which the person has rights (Entry B) is the target of the search or the search base. 6.7.1 Rights shown with a get effective rights search Any get effective rights search, both when viewing an entry in the Directory Server Console and searching for it in the command line, shows the rights that User A has to User B's entry. There are two kinds of access rights that can be allowed to any entry.
base match the filter, then the search returns every matching entry, with the rights for the requester over each entry. • • • • 1.3.6.1.4.1.42.2.27.9.5.2 is the OID for the get effective rights control. criticality specifies whether the search operation should return an error if the server does not support this control (true) or if it should be ignored and let the search return as normal (false). The GER_subject is the person whose rights are being checked.
Example 6-1 Checking personal rights (User A to User A) ldapsearch -p 389 -h localhost -D "uid=tmorris,ou=people,dc=example,dc=com" -w secret -b "uid=tmorris,ou=people,dc=example,dc=com" -J "1.3.6.1.4.1.42.2.27.9.5.2:true:dn: uid=tmorris,ou=people,dc=example,dc=com" "(objectClass=*)" dn: uid=tmorris, ou=People, dc=example,dc=com givenName: Ted sn: Morris ou: IT ou: People l: Santa Clara manager: uid=jsmith, ou=People, dc=example,dc=com roomNumber: 4117 mail: tmorris@example.
Example 6-3 The directory manager's checking the rights of one user over another (User A to User B) ldapsearch -p 389 -h localhost -D "cn=directory manager" -w secret -b "uid=tmorris,ou=people,dc=example,dc=com" -J "1.3.6.1.4.1.42.2.27.9.5.2:true:dn:uid=jsmith,ou=people,dc=example,dc=com" "(objectClass=*)" dn: uid=tmorris, ou=People, dc=example,dc=com ... snip ...
Using an asterisk (*) with the get effective rights search returns every attribute available for the entry, including attributes not set on the entry. For example: Example 6-5 Returning effective rights for non-existent attributes ldapsearch -D "cn=directory manager" -w secret12 -b "uid=scarter,ou=people,dc=example,dc=com" -J 1.3.6.1.4.1.42.2.27.9.5.
Example 6-6 Get effective rights results for specific attributes ldapsearch -D "cn=directory manager" -w secret12 -b "uid=scarter,ou=people,dc=example,dc=com" -J 1.3.6.1.4.1.42.2.27.9.5.2:true:dn:uid=scarter,ou=people,dc=example,dc=com "(objectclass=*)" cn mail initials dn: uid=scarter, ou=People, dc=redbudcomputer,dc=local cn: Sam Carter mail: scarter@example.
Example 6-9 Get effective rights results for all attribute for an object class ldapsearch -D "cn=directory manager" -w secret12 -b "uid=scarter,ou=people,dc=example,dc=com" -J 1.3.6.1.4.1.42.2.27.9.5.2:true:dn:uid=scarter,ou=people,dc=example,dc=com "(objectclass=*)" *@posixaccount ... snip ...
dn: ou=Accounting, dc=example,dc=com objectClass: top objectClass: organizationalUnit ou: Accounting Because the ACL does not include the dc=example,dc=com subtree, the get effective rights search shows that the user does not have any rights to the dc=example,dc=com entry: Example 6-11 Get effective rights results with no ACL Set (directory manager) ldapsearch -D "cn=directory manager" -w secret12 -b "dc=example,dc=com" -J 1.3.6.1.4.1.42.2.27.9.5.
The attribute-level effective rights (r, s, c, w, o) appear next to the attributes. The entry-level rights (v, a, d, n) appear under the full DN for the entry in the lower left-hand corner of the Property Editor. If you check the Show all allowed attributes checkbox, then the effective rights for those attributes appear next to the additional attributes, even though they do not have values. 6.7.
Table 6-8 Returned result codes (continued) Code Description 52 Unavailable. 53 Unwilling to perform. 80 Other. 6.8 Logging access control information To obtain information on access control in the errors log, you must set the appropriate log level. To set the errors log level from the Console: 1. In the Console, click the Directory tab, right-click the config node, and choose Properties from the pop-up menu. This displays the Property Editor for the cn=config entry. 2. 3.
• • Deny individual subscribers access to the billing information in their own entries (“Denying access”). Grant anonymous access to the world to the individual subscribers subtree, except for subscribers who have specifically requested to be unlisted. (This part of the directory could be a consumer server outside of the firewall and be updated once a day.) For more information, see “Granting anonymous access” (page 275) and “Setting a target using filtering”. 6.9.
This example assumes that the ACI is added to the ou=subscribers,dc=example,dc=com entry. It also assumes that every subscriber entry has an unlistedSubscriber attribute that is set to yes or no. The target definition filters out the unlisted subscribers based on the value of this attribute. For details on the filter definition, see “Setting a target using filtering”. From the Console, set this permission by doing the following: 1. 2. 3. 4. 5. 6.
1. 2. 3. In the Directory tab, right-click the example-people entry under the example.com node in the left navigation tree, and choose Set Access Permissions from the pop-up menu to display the Access Control Manager. Click New to display the Access Control Editor. In the Users/Groups tab, in the ACI name field, type Write example.com. In the list of users granted access permission: a. Select and remove All Users, then click Add. The Add Users and Groups dialog box opens. b. c. d. 4. 5.
a. Select and remove All Users, then click Add. The Add Users and Groups dialog box opens. b. c. d. 4. 5. Set the Search area to Special Rights, and select Self from the search results list. Click the Add button to list Self in the list of users who are granted access permission. Click OK to dismiss the Add Users and Groups dialog box. In the Rights tab, select the checkbox for write. Make sure the other checkboxes are clear.
1. 2. 3. In the Directory tab, right-click the example-people entry under the example.com node in the left navigation tree, and choose Set Access Permissions from the pop-up menu to display the Access Control Manager. Click New to display the Access Control Editor. In the Users/Groups tab, in the ACI name field, type Roles. In the list of users granted access permission: a. Select and remove All Users, then click Add. The Add Users and Groups dialog box opens. b. c. d. 4. 5. 6. 7.
1. 2. 3. In the Directory tab, right-click the example-people entry under the example.com node in the left navigation tree, and choose Set Access Permissions from the pop-up menu to display the Access Control Manager. Click New to display the Access Control Editor. In the Users/Groups tab, in the ACI name field, type HR. In the list of users granted access permission: a. Select and remove All Users, then click Add. The Add Users and Groups dialog box opens. b.
1. 2. 3. In the Directory tab, right-click the Social Committee entry under the example.com node in the left navigation tree, and choose Set Access Permissions from the pop-up menu to display the Access Control Manager. Click New to display the Access Control Editor. In the Users/Groups tab, in the ACI name field, type Create Group. In the list of users granted access permission, do the following: a. Select and remove All Users, then click Add. The Add Users and Groups dialog box opens. b. c. d. 4. 5. 6.
example.com has created a directory administrator role for each of its hosted companies, HostedCompany1 and HostedCompany2. It wants these companies to be able to manage their own data and implement their own access control rules while securing it against intruders. For this reason, HostedCompany1 and HostedCompany2 have full rights on their respective branches of the directory tree, provided the following conditions are fulfilled: • • • Connection authenticated using SSL Access requested between 8 a.m.
NOTE: Directory Server supports both IPv4 and IPv6 IP addresses. 7. In the Times tab, select the block time corresponding to Monday through Thursday and 8 a.m. to 6 p.m. A message appears below the table that specifies the selected time block. 8. To enforce SSL authentication from HostedCompany1 administrators, switch to manual editing by clicking the Edit Manually button.
4. 5. In the Rights tab, select the checkboxes for search and read rights. Make sure the other checkboxes are clear. In the Targets tab, click This Entry to display the ou=subscribers, dc=example,dc=com suffix in the Target directory entry field. In the attribute table, select the checkboxes for the connectionTime and accountBalance attributes.
6.9.8 Setting a target using filtering To set access controls that allow access to a number of entries that are spread across the directory, consider using a filter to set the target. NOTE: Because search filters do not directly name the object for which you are managing access, it is easy to allow or deny access to the wrong objects unintentionally, especially as your directory becomes more complex. Additionally, filters can make it difficult to troubleshoot access control problems within your directory.
5. In the Targets tab, type dc=example,dc=com suffix in the Target directory entry field. In the attribute table, select the checkbox for the member attribute. All other checkboxes should be clear; if it is easier, click the Check None button to clear the checkboxes for all attributes in the table, then click the Name header to organize them alphabetically, and select the appropriate ones. 6. Click OK. The new ACI is added to the ones listed in the Access Control Manager window. 6.9.
The client or application (MoneyWizAcctSoftware) binds as itself but is granted the privileges of the proxy entry (AcctAdministrator). The client does not need the password of the proxy entry. NOTE: There are some restrictions on binding with proxy authorization. You cannot use the Directory Manager's DN (root DN) as a proxy DN. Additionally, if Directory Server receives more than one proxied authentication control, an error is returned to the client application, and the bind attempt is unsuccessful. 6.
Figure 6-3 Example directory tree for macro ACIs The following ACI is located on the dc=hostedCompany1,dc=example,dc=com node: aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain)) (version 3.0; acl "Domain access"; allow (read,search) groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany1,dc=example,dc=com";) The following ACI is located on the dc=subdomain1,dc=hostedCompany1, dc=example,dc=com node: aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain)) (version 3.
In this example, the number of ACIs is reduced from four to one. The real benefit is a factor of how many repeating patterns you have down and across your directory tree. 6.10.2 Macro ACI syntax Macro ACIs include the following types of expressions to replace a DN or part of a DN: • • • ($dn) [$dn] ($attr.
After the macro has been expanded, Directory Server evaluates the ACI following the normal process to determine whether access is granted. 6.10.2.2 Macro matching for [$dn] The matching mechanism for [$dn] is slightly different than for ($dn). The DN of the targeted resource is examined several times, each time dropping the leftmost RDN component, until a match is found.
To evaluate the roledn part of the ACI, the server looks at the ou attribute stored in the targeted entry and uses the value of this attribute to expand the macro. Therefore, in the example, the roledn is expanded as follows: roledn = "ldap:///cn=DomainAdmins,ou=Engineering,dc=HostedCompany1,dc=example,dc=com" The Directory Server then evaluates the ACI according to the normal ACI evaluation algorithm.
7 Managing user authentication When a user connects to the HP-UX Directory Server, first the user is authenticated. Then, the directory grants access rights and resource limits to the user depending upon the identity established during authentication. This chapter describes tasks for managing users, including configuring the password and account lockout policy for the directory, denying groups of users access to the directory, and limiting system resources available to users depending upon their bind DNs.
The sections that follow describe the procedures for configuring the password policy: • • • • “Configuring a global password policy using the console” “Configuring a subtree/user password policy using the console” “Configuring a global password policy using the command line” “Configuring subtree/user password policy using the command line” NOTE: After configuring the password policy, HP recommends configuring an account lockout policy. For details, see “Configuring the account lockout policy”. 7.1.1.
NOTE: It is not necessary to configure the Directory Server to send a warning to users. The Directory Server automatically issues a warning the next time the user attempts to log into the Directory Server Console that the password will soon expire or has expired. This is analogous to an operating system warning that reads "Warning: password will expire in 7 days" when a user logs in. 11.
This section describes the attributes to create a password policy for the entire server (globally) using ldapmodify to change these attributes in the cn=config entry. Table 7-1 “Password policy attributes” describes the attributes available to configure the password policy. Table 7-1 Password policy attributes Attribute name Definition passwordGraceLimit This attribute indicates the number of grace logins permitted when a user's password is expired.
Table 7-1 Password policy attributes (continued) Attribute name Definition passwordHistory This attribute indicates whether the directory stores a password history. When set to on, the directory stores the number of passwords specified in the passwordInHistory attribute in a history. If a user attempts to reuse one of the passwords, the password will be rejected. When this attribute is set to off, any passwords stored in the history remain there.
Table 7-1 Password policy attributes (continued) Attribute name Definition passwordMin8bit This attribute sets the minimum number of 8-bit characters used in the password. The default number is 0, meaning none are required. passwordStorageScheme This attribute specifies the type of encryption used to store Directory Server passwords. HP-UX Directory Server supports the following encryption types: • SSHA (Salted Secure Hash Algorithm) This method is recommended as it is the most secure.
dn: cn="cn=nsPwPolicyEntry,ou=people,dc=example,dc=com", cn=nsPwPolicyContainer,ou=people,dc=example,dc=com objectclass: top objectclass: extensibleObject objectclass: ldapsubentry objectclass: passwordpolicy • The CoS template entry (nsPwTemplateEntry) that has the pwdpolicysubentry value pointing to the above (nsPwPolicyEntry) entry.
NOTE: The nsslapd-pwpolicy-local attribute of the cn=config entry controls the type of password policy the server enforces. By default, this attribute is disabled (off). When the attribute is disabled, the server only checks for and enforces the global password policy; the subtree and user level password policies are ignored. When the ns-newpwpolicy.pl script runs, it first checks for the specified subtree and user entries and, if they exist, modifies them.
Server does not include a client application for the password change extended operation. However, the ldappasswd utility can be used as follows: ldappasswd -h hostname -p secure_port -Z -P /path/to/cert8.db -D bindDN -w bindPassword [-a oldPassword] -s newPassworduser Table 7-2 ldappasswd options Option Description -h Gives the host name of the Directory Server. -p Gives the port number of the Directory Server.
Configuring the account lockout policy is described in the following sections: • • “Configuring the account lockout policy using the console” “Configuring the account lockout policy using the command line” 7.1.4.1 Configuring the account lockout policy using the console To set up or modify the account lockout policy for the Directory Server: 1. 2. 3. 4. 5. 6. 7. Select the Configuration tab then the Data node. In the right pane, select the Account Lockout tab.
7.1.5 Managing the password policy in a replicated environment Password and account lockout policies are enforced in a replicated environment as follows: • • Password policies are enforced on the data master. Account lockout is enforced on all servers participating in replication. Some of the password policy information in the directory is replicated: • • • passwordMinAge and passwordMaxAge passwordExp passwordWarning However, the configuration information is kept locally and is not replicated.
not expire, add the passwordExpirationTime attribute to the Directory Server entry, and give it a value of 20380119031407Z (the top of the valid range). See Chapter 9 “Synchronizing Directory Server with Microsoft Active Directory” for more information on synchronizing Directory Server and Windows users and passwords. 7.2 Inactivating users and roles A single user account or set of accounts can be temporarily inactivated. After an account is inactivated, a user cannot bind to the directory.
The following table describes the ns-inactivate.pl options used in the example: Option Name Description -D The DN of the directory administrator. -w The password of the directory administrator. -p Port used by the server. -h Name of the server on which the directory resides. -I DN of the user account or role to inactivate. For more information about running the ns-inactivate.pl script, see HP-UX Directory Server configuration, command, and file reference. 7.2.
7.3 Setting resource limits based on the bind DN Server limits for search operations are controlled using special operational attribute values on the client application binding to the directory. You can set the following search operation limits: • Look through limit Specifies how many entries can be examined for a search operation. • Size limit Specifies the maximum number of entries the server returns to a client application in response to a search operation.
Attribute Description nsTimeLimit Specifies the maximum time the server spends processing a search operation. Giving this attribute a value of -1 indicates that there is no time limit. nsIdleTimeout Specifies the time a connection to the server can be idle before the connection is dropped. The value is given in seconds. Giving this attribute a value of -1 indicates that there is no limit.
3. 4. When the user directory is set up on machine B, the setup script prompts for the LDAP URL of the configuration directory on machine A. The setup program enables the PTA Plug-in and configures it to use the configuration directory LDAP URL. This entry contains the LDAP URL for the configuration directory. For example: dn: cn=Pass Through Authentication,cn=plugins, ... nsslapd-pluginEnabled: on nsslapd-pluginarg0: ldap://configdir.example.com/o=NetscapeRoot ...
Table 7-4 PTA plug-in parameters Variable Definition state Defines whether the plug-in is enabled or disabled. Acceptable values are on or off. ldap|ldaps Defines whether SSL is used for communication between the two Directory Servers. See “Configuring the servers to use a secure connection” for more information. authDS The authenticating directory host name. The port number of the Directory Server can be given by adding a colon, then the port number. For example, ldap://dirserver.example.com:389/.
For more information about the command to start and stop the HP-UX Directory Server, see“Starting and stopping servers”. Before configuring any of the PTA Plug-in parameters, the PTA Plug-in entry must be present in the Directory Server. If this entry does not exist, create it with the appropriate syntax, as described in “PTA plug-in syntax”.
7.4.3.3 Specifying the pass-through subtree The PTA directory passes through bind requests to the authenticating directory from all clients with a DN defined in the pass-through subtree. The subtree is specified by replacing the subtree parameter in the LDAP URL of the PTA directory. The pass-through subtree must not exist in the PTA directory. If it does, the PTA directory attempts to resolve bind requests using its own directory contents and the binds fail. 1.
The default is 0, which means Start TLS is off. To enable Start TLS, set it to 1. To use Start TLS, the LDAP URL must use ldap:, not ldaps:. 1. Use ldapmodify to edit the plug-in entry. ldapmodify -p 389 -D "cn=Directory Manager" -w secret -h example dn: cn=Pass Through Authentication,cn=plugins,cn=config changetype: modify replace: nsslapd-pluginarg0 nsslapd-pluginarg0: ldap://dirserver.example.
nsslapd-pluginarg0: ldap://configdir.example.com:389 config2dir.example.com:1389/o=NetscapeRoot ... NOTE: The nsslapd-pluginarg0 attribute sets the authentication Directory Server; additional nsslapd-pluginargN attributes can set additional suffixes for the PTA Plug-in to use, but not additional hosts. 7.4.4.
The Directory Server uses these LDAPI connections to allow users to bind immediately to the Directory Server or to access the Directory Server using tools which support connections over UNIX sockets. Autobind uses the uid:gid of the UNIX user and maps that user to an entry in the Directory Server, then allows access for that user.
NOTE: Autobind allows a client to send a request to the Directory Server without supplying a bind username and password or using other SASL authentication mechanism. According to the LDAP standard, if bind information is not given with the request, the server processes the request as an anonymous bind. To be compliant with the standard, which requires some kind of bind information, any client that uses autobind should send the request with SASL/EXTERNAL.
The account policy plug-in provides the following functionality: • • • Fine-grained, per-user or per-subtree account inactivity policies that mimic fine-grained password policies Tracking the last login time, recorded in an attribute in each account after successful authentication An enforcement mechanism that compares the inactivity time elapsed since the last login to the maximum allowed inactivity period specified by the policy 7.6.
NOTE: The inactivity limit value is in seconds. So, a 30-day limit is specified as 2592000 seconds (30 days * 24 hours * 60 minutes * 60 seconds). 5. Insert the specifier attribute acctPolicySubentry into entries that should be covered by the policy. The value of the attribute should be the DN of the account policy entry created in the preceding step.
8 Managing replication Replication is the mechanism by which directory data is automatically copied from one HP-UX Directory Server instance to another; it is an important mechanism for extending the directory service beyond a single server configuration. This chapter describes the tasks to be performed on the master and consumer servers to set up single-master replication, multi-master replication, and cascading replication.
8.1.2 Read-write and read-only replicas A database that participates in replication is called a replica. There are two kinds of replicas: read-write or read-only: • • A read-write replica contains master copies of directory information and can be updated. A read-only replica services read, search, and compare requests, but refers all update operations to read-write replicas. A server can hold any number of read-only or read-write replicas. 8.1.
NOTE: In the Directory Server Console, this replication manager entry is referred to as the supplier bind DN, which may be misleading because the entry does not actually exist on the supplier server. It is called the supplier bind DN because it is the entry that the supplier uses to bind to the consumer. This entry actually exists, then, on the consumer. For more information on creating the replication manager entry, see “Creating the supplier bind DN entry”. 8.1.
8.2 Replication scenarios This section describes the most commonly used replication scenarios: • • • “Single-master replication” “Multi-master replication” “Cascading replication” These basic strategies can be combined in a variety of ways to create the best replication environment. NOTE: Whatever replication scenario is implemented, consider schema replication.
For information on setting up a single-master replication environment, see “Configuring single-master replication”. 8.2.2 Multi-master replication Directory Server also supports complex replication scenarios in which the same suffix (database) can be mastered on many servers. This suffix is held in a read-write replica on each server. This means that each server maintains a changelog for the read-write replica. This type of configuration can work with any number of consumer servers.
Figure 8-3 Multi-master replication (four masters) Multi-master configurations have the following advantages: • • Automatic write failover when one supplier is inaccessible. Updates are made on a local supplier in a geographically distributed environment. NOTE: The speed that replication proceeds depends on the speed of the network.
Figure 8-4 Cascading replication For information on setting up cascading replication, see “Configuring cascading replication”. NOTE: Multi-master and cascading replication can be combined. For example, in the multi-master scenario illustrated in Figure 8-2 “Multi-master replication (two masters)”, Server C and Server D could be hub servers that would replicate to any number of consumer servers. 8.
• • • • It must correspond to an actual entry on the consumer server. It must be created on every server that receives updates from another server. It must not be part of the replicated database for security reasons. It must be defined in the replication agreement on the supplier server. For example, the entry cn=Replication Manager,cn=config can be created under the cn=config tree on the consumer server.
8.4 Configuring single-master replication To set up single-master replication such as the configuration shown in Figure 8-1 “Single-master replication”, between supplier Server A, which holds a read-write replica, and the two consumers Server B and Server C, which each hold a read-only replica, there are two major steps: • • • “Configuring the read-write replica on the supplier server” “Configuring the read-only replica on the consumer” “Create the replication agreement” 8.4.
a. In the navigation tree on the Configuration tab, expand the Replication node, and highlight the database to replicate. The Replica Settings tab opens in the right-hand side of the window. b. c. d. Check the Enable Replica checkbox. In the Replica Role section, select the Single Master radio button. In the Common Settings section, specify a Replica ID, which is an integer between 1 and 65534, inclusive.
d. e. In the Replica Role section, select the Dedicated Consumer radio button. In the Common Settings section, specify a purge delay in the Purge delay field. This option indicates how often the state information stored for the replicated entries is purged. f. In the Update Settings section, specify the bind DN that the supplier will use to bind to the replica. Enter the supplier bind DN in the Enter a new Supplier DN field, and click Add. The supplier bind DN appears in the Current Supplier DNs list.
The supplier bind DN should be the entry created in step 2. The supplier bind DN is a privileged user because it is not subject to access control. NOTE: There can be multiple supplier bind DNs per consumer but only one supplier DN per replication agreement. g. Specify the URL for any supplier servers to which to refer updates. By default, all updates are first referred to the supplier servers that are specified here.
• • • Unless there is more than one instance of Directory Server configured, by default, there are no consumers available in the drop-down menu. The port listed is the non-SSL port, even if the Directory Server instance is configured to run over SSL. This port number is used only for identification of the Directory Server instance in the Console; it does not specify the actual port number or protocol that is used for replication.
NOTE: If attribute encryption is enabled, a secure connection must be used for the encrypted attributes to be replicated. 4. Select the connection type. There are three options: • Use LDAP This sets either a standard, unencrypted connection or allows SASL encryption, because Directory Server supports SASL over standard LDAP but not SSL. • Use TLS/SSL This uses a secure connection over the server's secure LDAPS port, such as 636.
NOTE: To safeguard against potential integrity problems, the consumer in fractional replication must be a dedicated consumer, not a multi-master supplier or hub. This is not enforced at the time the replication agreement is made, but replication will fail if the consumer is not a read-only replica. 7. Set the schedule for when replication runs. By default, replication runs continually. 8.
Click Next. 8. 334 Set when the consumer is initialized. Initializing a consumer manually copies all data over from the supplier to the consumer. The default is to create an initialization file (an LDIF of all supplier data) so that the consumer can be initialized later. It is also possible to initialize the consumer as soon as the replication agreement is completed or not at all. For information on initializing consumers, see “Initializing consumers”.
NOTE: Replication does not begin until the consumer is initialized. Click Next. 9. The final screen shows the settings for the replication agreement, as it will be included in the dse.ldif file. Click Done to save the agreement. 8.
The replication agreement is set up. NOTE: After creating a replication agreement, the connection type (SSL or non-SSL) cannot be changed because LDAP and LDAPS connections use different ports. To change the connection type, re-create the replication agreement. 8.5 Configuring multi-master replication This section provides information on configuring multi-master replication. In a multi-master configuration, many suppliers can accept updates, synchronize with each other, and update all consumers.
Directory Server supports 4-way multi-master replication.
f. Set the changelog parameters for the number and age of the log files. Clear the unlimited checkboxes to specify different values. g. 2. Click Save. Create the entry for the supplier bind DN on the consumer server if it does not exist. This is the special entry that the other suppliers will use to bind to this supplier, as in other supplier-consumer relationships. This is described in “Creating the supplier bind DN entry”.
c. d. e. Check the Enable Replica checkbox. In the Replica Role section, select the Multiple Master radio button. In the Common Settings section, specify a Replica ID, which is an integer between 1 and 65534, inclusive. The replica ID must be unique for a given suffix, different from any other ID used for read-write replicas on this server and on other servers. f. In the Common Settings section, specify a purge delay in the Purge delay field.
NOTE: There can be multiple supplier bind DNs per consumer but only one supplier DN per replication agreement. h. Specify the URL for any supplier servers to which to refer updates, such as the other suppliers in the multi-master replication set. Only specify the URL for the supplier server. For clients to bind using SSL, specify a URL beginning with ldaps://. i. Click Save. 8.5.2 Configuring the read-only replicas on the consumer servers First, configure every consumer. 1. 2. 3.
c. d. e. Check the Enable Replica checkbox. In the Replica Role section, select the Dedicated Consumer radio button. In the Common Settings section, specify a purge delay in the Purge delay field. This option indicates how often the state information stored for the replicated entries is purged. f. In the Update Settings section, specify the bind DN that the supplier will use to bind to the replica. Enter the supplier bind DN in the Enter a new Supplier DN field, and click Add.
use this field to specify a referral of the form ldaps://hostname:port, where the s in ldaps indicates a secure connection. 4. Click Save. Repeat these steps for every consumer server in the replication configuration. 8.5.3 Setting up the replication agreements NOTE: 1. Set up replication agreements on a single supplier, the data master, between the other multi-master suppliers, and initialize all the other suppliers. 2.
• • • Unless there is more than one instance of Directory Server configured, by default, there are no consumers available in the drop-down menu. The port listed is the non-SSL port, even if the Directory Server instance is configured to run over SSL. This port number is used only for identification of the Directory Server instance in the Console; it does not specify the actual port number or protocol that is used for replication.
NOTE: If attribute encryption is enabled, a secure connection is required for the encrypted attributes to be replicated. 4. Select the connection type. There are three options: • Use LDAP This sets either a standard, unecrypted connection or allows SASL encryption, because Directory Server supports SASL over standard LDAP but not SSL. • Use TLS/SSL This uses a secure connection over the server's secure LDAPS port, such as 636.
NOTE: To safeguard against potential integrity problems, the consumer in fractional replication must be a dedicated consumer, not a multi-master supplier or hub. This is not enforced at the time the replication agreement is made, but replication will fail if the consumer is not a read-only replica. 8. Set the schedule for when replication runs. By default, replication runs continually. 8.
Click Next. 9. 346 Set when the consumer is initialized. Initializing a consumer manually copies all data over from the supplier to the consumer. The default is to create an initialization file (an LDIF of all supplier data) so that the consumer can be initialized later. It is also possible to initialize the consumer as soon as the replication agreement is completed or not at all.
on initializing consumers, see “Initializing consumers”. For multi-master replication, consider the following: • Ensure one supplier has the complete set of data to replicate to the other suppliers. Use this one supplier to initialize the replica on all other suppliers in the multi-master replication set. • Initialize the replicas on the consumer servers from any of the multi-master suppliers. • Do not try to reinitialize the servers when the replication agreements are set up.
NOTE: Replication will not begin until the consumer is initialized. Click Next. 10. The final screen shows the settings for the replication agreement, as it will be included in the dse.ldif file. Click Done to save the agreement. The replication agreement is set up.
NOTE: At the end of this procedure, all supplier servers will have mutual replication agreements, which means that they can accept updates from each other. NOTE: After creating a replication agreement, the connection type (SSL or non-SSL) cannot be changed because LDAP and LDAPS connections use different ports. To change the connection type, re-create the replication agreement. 8.5.
nsds5ReplicaBusyWaitTime. The longer interval gives waiting suppliers a better chance to gain consumer access before the previous supplier can re-access the consumer. • • If either attribute is specified but not both, nsds5ReplicaSessionPauseTime is set automatically to 1 second more than nsds5ReplicaBusyWaitTime.
d. Check the Enable Changelog checkbox. This activates all the fields in the pane below that were previously grayed out. e. f. Specify a changelog by clicking the Use default button, or click the Browse button to display a file selector. Set the changelog parameters for the number and age of the log files. Clear the unlimited checkboxes to specify different values. g. 2. Click Save. Specify the replication settings required for a read-write replica. a.
8.6.2 Configuring the read-only replica on the consumer server 1. 2. 3. Create the database for the read-only replica if it does not exist. See “Creating suffixes” for instructions on creating suffixes. Create the entry for the supplier bind DN on the consumer server if it does not exist. The supplier bind DN is the special entry that the supplier will use to bind to the consumer. This is described in “Creating the supplier bind DN entry”. Specify the replication settings required for a read-only replica.
NOTE: There can be multiple supplier bind DNs per consumer but only one supplier DN per replication agreement. g. Specify the URL for any supplier servers to which to refer updates. By default, all updates are first referred to the supplier servers that are specified here. If no suppliers are set here, updates are referred to the supplier servers that have a replication agreement that includes the current replica.
d. Check the Enable Changelog checkbox. This activates all the fields in the pane below that were previously grayed out. e. f. Specify a changelog by clicking the Use default button, or click the Browse button to display a file selector. Set the changelog parameters for the number and age of the log files. Clear the unlimited checkboxes to specify different values. g. 4. 354 Click Save. Specify the required hub replica settings. a. In the Directory Server Console, select the Configuration tab. b.
The Replica Settings tab for that database opens in the right-hand side of the window. c. Check the Enable Replica checkbox. 8.
d. e. In the Replica Role section, select the Hub radio button. In the Common Settings section, specify a purge delay in the Purge delay field. This option sets how often the state information stored for the replicated entries is purged.
f. In the Update Settings section, specify the bind DN that the supplier will use to bind to the replica. Enter the supplier bind DN in the Enter a new Supplier DN field, and click Add. The supplier bind DN appears in the Current Supplier DNs list. The supplier bind DN should be the entry created in step 2. The supplier bind DN is a privileged user because it is not subject to access control in the replicated database.
1. In the navigation tree of the Configuration tab, right-click the database to replicate, and select New Replication Agreement. Alternatively, highlight the database, and select New Replication Agreement from the Object menu to start the Replication Agreement Wizard. 2. 3. 358 In the first screen, fill in a name and description for the replication agreement, and clickNext. In the Source and Destination screen, fill in the URL for the consumer and the supplier bind DN and password on that consumer.
• • • Unless there is more than one instance of Directory Server configured, by default, there are no consumers available in the drop-down menu. The port listed is the non-SSL port, even if the Directory Server instance is configured to run over SSL. This port number is used only for identification of the Directory Server instance in the Console; it does not specify the actual port number or protocol that is used for replication.
will not be replicated are listed in the Excluded column on the left, as well as in the summary the replication agreement is complete. 8. 360 Set the schedule for when replication runs. By default, replication runs continually.
Click Next. 9. Set when the consumer is initialized. Initializing a consumer manually copies all data over from the supplier to the consumer. The default is to create an initialization file (an LDIF of all supplier data) so that the consumer can be initialized later. It is also possible to initialize the consumer as soon as the replication agreement is completed or not at all. For information 8.
on initializing consumers, see “Initializing consumers”. For cascading replication, consider the following: • Create the supplier-hub replication agreement on the supplier first, and initialize the hub from the supplier. • Create the hub-consumer replication agreements on the hub, and initialize the consumers from the hub.
NOTE: Replication will not begin until the consumer is initialized. Click Next. 10. The final screen shows the settings for the replication agreement, as it will be included in the dse.ldif file. Click Done to save the agreement. 8.
NOTE: After creating a replication agreement, the connection type (SSL or non-SSL) cannot be change because LDAP and LDAPS connections use different ports. To change the connection type, re-create the replication agreement. 8.7 Configuring replication from the command line Replication can be configured on the command line by creating the appropriate replica and agreement entries on the servers. The process follows the same order as setting up replication through the Directory Server Console: 1. 2. 3. 4. 5.
objectclass: extensibleObject cn: replica nsds5replicaroot: dc=example,dc=com nsds5replicaid: 7 nsds5replicatype: 3 nsds5flags: 1 nsds5ReplicaPurgeDelay: 604800 nsds5ReplicaBindDN: cn=replication manager,cn=config • • • • • nsds5replicaroot sets the subtree (suffix) that is being replicated. nsds5replicatype sets what kind of replica this database is. For either a single master or a multi-master supplier, this value must be 3. nsds5replicaid sets the replica ID.
Table 8-2 Replica attributes (continued) Object class or attribute Description Values nsds5replicaid: number The ID of the replica. 1 to 65534, inclusive, for suppliers, or 65535 for hubs and consumers. nsds5replicatype: number Sets the type of replica, either read-only or read-write.
objectclass: nsds5replica objectclass: extensibleObject cn: replica nsds5replicaroot: dc=example,dc=com nsds5replicatype: 2 nsds5ReplicaBindDN: cn=replication manager,cn=config nsds5flags: 0 The replica entry attributes are described in Table 8-2 “Replica attributes”. These attributes are described in more detail in the HP-UX Directory Server configuration, command, and file reference. 8.7.
• • nsds5ReplicaBindDN give the DN as which the supplier will bind to the hub to make changes. nsds5flags sets whether the replica writes to the changelog. For a hub, this value must be 1. The replica entry attributes are described in Table 8-2 “Replica attributes”. These attributes are described in more detail in the HP-UX Directory Server configuration, command, and file reference. 8.7.
Table 8-3 Replication agreement attributes (continued) Object class or attribute Description Values nsds5replicaport: number Gives the LDAP port for the consumer Any port number. server. To use TLS/SSL, give the secure port number (636 by default) and set the nsds5ReplicaTransportInfo attribute to SSL. To use Start TLS, which initiates a secure connection over a standard port, use the standard port, 389, with the nsds5ReplicaTransportInfo attribute to TLS.
Table 8-3 Replication agreement attributes (continued) Object class or attribute Description nsds5replicabindmethod: type The connection type for replication between the servers. The connection type defines how the supplier authenticates to the consumer. Values SIMPLE SSLCLIENTAUTH SASL/GSSAPI SASL/DIGEST-MD5 Leaving the bind method empty or setting it to SIMPLE means that the server uses basic password-based authentication.
Table 8-3 Replication agreement attributes (continued) Object class or attribute Description Values nsds5replicaupdateschedule: Sets the start and end time for the replication updates and the days on start_time-end_time days which replication occurs. If the schedule is omitted, replication will take place all the time. Has the following value, with the start (SSSS) and end (EEEE) times set in the form HHMM The times are given in 24 hour clock format, so 0000 is midnight and 2359 is 11:59 PM.
changetype: modify replace: nsds5beginreplicarefresh nsds5beginreplicarefresh: start ldapmodify does not prompt for input; simply type in the LDIF statement, then click Enter twice when the LDIF statement is complete. Close the ldapmodify utility by entering Ctrl-C. When the initialization is complete, the nsds5beginreplicarefresh attribute is automatically deleted from the replication agreement entry.
1. 2. 3. In the Directory Server Console, select the Configuration tab. Select the Replication Agreements folder in the left navigation tree, then select the Supplier Server Settings tab in the right pane. Clear the Enable Changelog checkbox. This deletes the changelog. 4. 5. 6. Click Save. Restart the Directory Server. Reinitialize the consumers, as in “Initializing consumers”. NOTE: If the changelog is removed, the consumer servers must be reinitialized. 8.9.
Manual consumer initialization using the command line is a more effective method of initializing a large number of consumers from a single LDIF file. 8.10.2 Online consumer initialization using the console Online consumer initialization using the Console is the easiest way to initialize or reinitialize a consumer. However, for replicating across a slow link, this process can be very time-consuming, and manual consumer initialization using the command line may be a more efficient approach.
ldapmodify does not prompt for input; simply type in the LDIF statement, then click Enter twice when the LDIF statement is complete. Close the ldapmodify utility by entering Ctrl-C. To check the initialization status, perform an ldapsearch for the replication agreement entry.
nsInstance: userRoot nsFilename: /home/files/example.ldif nsExportReplica: true 8.10.4.2 Importing the LDIF file to the consumer server Import the LDIF file that contains the supplier replica contents to the consumer server by using the import features in the Directory Server Console or by using either the ldif2db script or ldif2db.pl script. Both import methods are described in “Importing from the command line”. NOTE: With the ldif2db.
In addition, a new backup can be created by clicking the Back Up Directory Server button in the Tasks tab of the Directory Server Console, then putting the name of the archive directory in the Directory:... field. Alternatively, select any previous backup to initialize the consumer. This backup information is recovered in the destination replica. 6. Restart the source Directory Server. For example: /opt/dirsrv/slapd-instance_name/restart-slapd 7. 8.
This initiates replication toward the server that holds the information that needs to be updated. 8.11.2 Forcing replication updates from the command line From the consumer that requires updating, run a script that prompts the supplier to send replication updates immediately. This script is shown in Example 8-1 “Replicate_Now script example”. Copy this example script and name it something like replicate_now.sh.
8.12 Replicating account lockout attributes Account lockout policies will block a user ID from being able to access the Directory Server if the login attempt fails a set number of times. This prevents hackers or other malicious people from illegitimately accessing the Directory Server by guessing a password. Password policies are set locally, and generally account lockout attributes are local to each replica.
8.13 Replication over SSL The Directory Servers involved in replication can be configured so that all replication operations occur over an SSL connection. To use replication over SSL, first do the following: • • Configure both the supplier and consumer servers to use SSL. Configure the consumer server to recognize the supplier server's certificate as the supplier DN. Do this only to use SSL client authentication rather than simple authentication.
[slapd] ... ConfigFile ConfigFile ConfigFile ConfigFile ... 2. = = = = repluser.ldif example supplier bind DN entry changelog.ldif example changelog entry replica.ldif example replica entry replagreement.ldif example replication agreement entry Install and configure the second Directory Server instance. For the second server, server2.example.com, use the setup-ds.pl command, which installs a Directory Server instance without installing a local Administration Server. /opt/dirsrv/sbin/setup-ds.
1. 2. 3. In the Directory Server Console, click the Configuration tab. Select the Replication node, and click the Legacy Consumer Settings tab in the right pane. Check the Enable Legacy Consumer checkbox. This activates the fields in the Authentication box. 4. Specify the supplier bind DN that the legacy supplier server will use to bind to the consumer. Optionally, specify a password at least 8 characters long. 5. 6. Click Save.
Table 8-5 Attributes of a Retro changelog entry Attribute Definition changeNumber This single-valued attribute is always present. It contains an integer that uniquely identifies each change. This number is related to the order in which the change occurred. The higher the number, the later the change. targetDN This attribute contains the DN of the entry that was affected by the LDAP operation.
Integer is a number, and timeUnit can be s for seconds, m for minutes, h for hours, d for days, or w for weeks. NOTE: There should not be a space between the Integer and timeUnit variables. The space in the syntax above is intended to show that the attribute value is composed of two variable parts, not just one. For example: nsslapd-changelogmaxage: 2d 8.16.
Table 8-6 Directory Server Console replication status Table header Description Agreement The name of the replication agreement. Replica suffix The suffix that is replicated. Supplier The supplier server in the agreement. Consumer The consumer server in the agreement. Number of changes The number of changes sent to this replica since the server started. Last replica update began The time when the most recent replication update started.
1. 2. Prepare a configuration file following the guidelines provided in the "repl-monitor.pl (Monitor replication status)" section of the HP-UX Directory Server configuration, command, and file reference. Open the Administration Server URL in a web browser. http://hostname:admin_port 3. 4. Click HPDS Administration Express, and, when prompted, log in. Select a supplier Directory Server instance, and click Replication Status.
The nsds5ReplConflict attribute is already indexed for presence and equality, but for performance reasons, if there are many conflicting entries every day, index the nsds5ReplConflict attribute in other indexes. For information on indexing, see Chapter 11 “Managing indexes”. This section contains the procedures for the following conflict resolution procedures: • • • “Solving naming conflicts” “Solving orphan entry conflicts” “Solving potential interoperability problems” 8.18.
Changes cannot be saved for entries with multivalued RDNs. Opening the entry in the advanced mode shows that the naming attribute has been set to nsuniqueid uid. However, the entry cannot be changed or corrected by changing the user ID and RDN values to something different. For example, if jdoe was the user ID and it should be changed to jdoe1, it cannot be done from the Console.
Glue entries are temporary entries that include the object classes glue and extensibleObject. Glue entries can be created in several ways: • If the conflict resolution procedure finds a deleted entry with a matching unique identifier, the glue entry is a resurrection of that entry, with the addition of the glue object class and the nsds5ReplConflict attribute.
The cl-dump.pl script, which is explained in detail in the HP-UX Directory Server configuration, command, and file reference can also help troubleshoot replication-related problems. Depending on the usage options, the script can selectively dump a particular replica: • • • Dump the contents of a replication-change-log file and in-memory variables purge RUV and maxRUV. grep and interpret change sequence numbers (CSNs) in the changelog.
Table 8-7 Replication errors (continued) Error/symptom Reason Impact Too much time skew The system clocks on the The system clock is used host machines are extremely to generate a part of the out of sync. CSN. In order to reflect the change sequence among multiple suppliers, suppliers would forward-adjust their local clocks based on the remote clocks of the other suppliers.
Table 8-7 Replication errors (continued) Error/symptom Reason Changelog is getting too big. Either changelog purge is turned off, which is the default setting, or changelog purge is turned on, but some consumers are way behind the supplier. Impact Remedy By default changelog purge is turned off. To turn it on from the command line, run ldapmodify as follows: dn: cn=changelog5,cn=config changetype: modify add: nsslapd-changelogmaxage nsslapd-changelogmaxage: 1d Where 1d means 1 day.
9 Synchronizing Directory Server with Microsoft Active Directory Windows Sync carries over changes in a directory — adds, deletes, and changes in groups, users, and passwords — between Directory Server and Microsoft Active Directory. This makes it much more efficient and effective to maintain consistent information across directories.
Figure 9-1 Active Directory - Directory Server synchronization process Synchronization is configured and controlled by one or more synchronization agreements, which establishes synchronization between sync peers, the directory servers being synchronized. These are similar in purpose to replication agreements and contain a similar set of information, including the host name and port number for Active Directory.
to the Directory Server, and users/groups as they are created are synchronized to the Directory Server. Within the Windows subtree, only entries with user or group object classes can be synchronized to Directory Server. • On the Directory Server, only entries with the ntUser or ntGroup object classes and attributes can be synchronized.
A common user identity, a sync manager, connects to the Windows Sync peer to send updates from the Directory Server and to check for updates to synchronize back to the Directory Server. NOTE: To synchronize passwords (which is the only way for users to be active on both Directory Server and Active Directory), synchronization must be configured to run over TLS/SSL. Therefore, this configuration section assumes that TLS/SSL must also be configured.
c. d. e. Select the Encryption tab in the right pane. Select the Enable SSL for this Server checkbox, then select the certificate to use from the drop-down menu. Click Save. Restart the Directory Server. The Directory Server must be restarted from the command line. /opt/dirsrv/slapd-instance_name/restart-slapd example To restart the Directory Server without the password prompt, create a PIN file or use a hardware crypto device.
;----------------------------------------------- For more information on the .inf request file, see the Microsoft documentation, such as http://technet.microsoft.com/en-us/library/cc783835.aspx. b. Generate the certificate request. certreq -new request.inf request.req c. Submit the request to the Active Directory CA. For example: certreq -submit request.req certnew.cer NOTE: If the command-line tool returns an error message, then use the Web browser to access the CA and submit the certificate request.
/opt/dirsrv/slapd-instance_name/stop-slapd 2. Add a new entry, such as cn=sync user,cn=config, with a password at the end of /etc/opt/dirsrv/slapd-instance_name/dse.ldif. For example: dn: cn=sync user,cn=config objectClass: inetorgperson objectClass: person objectClass: top cn: sync user sn: SU userPassword: secret passwordExpirationTime: 20380119031407Z 3. Restart the Directory Server. /opt/dirsrv/slapd-instance_name/restart-slapd 9.2.
Click Next, then Finish to install Password Sync. 5. Reboot the Windows machine to start Password Sync. NOTE: The Windows machine must be rebooted. Without the rebooting, PasswordHook.dll is not enabled, and password synchronization will not function. The first attempt to synchronize passwords, which happened when the Password Sync application is installed, will always fail because the SSL connection between the Directory Server and Active Directory sync peers.
Table 9-1 Installed Password Sync libraries (continued) Directory Library C:\Program Files\HP-UX Directory Password Synchronization key3.db C:\WINDOWS\system32 nssutil3.dll C:\Program Files\HP-UX Directory Password Synchronization nsldap32v60.dll C:\WINDOWS\system32 softtokn3.dll C:\Program Files\HP-UX Directory Password Synchronization nsldappr32v60.dll C:\WINDOWS\system32 smime3.dll C:\Program Files\HP-UX Directory Password Synchronization nsldapssl32v60.dll C:\WINDOWS\system32 freebl3.
certutil.exe -d . -A -n "DS CA cert" -t CT,, -a -i \path\to\dsca.crt NOTE: If any Active Directory user accounts exist when Password Sync is first installed, then the passwords for those user accounts cannot be synchronized until they are changed because Password Sync cannot decrypt a password after it has been hashed in Active Directory. 9.2.
objectclass: top objectclass: extensibleObject cn: changelog5 nsslapd-changelogdir: /var/opt/dirsrv/slapd-instance_name/changelogdb Then, create the supplier replica entry: ldapmodify -a -D "cn=directory manager" -w secret -p 389 -h server.example.
4. 5. 404 In the two fields, supply a name and description of the synchronization agreement. Click Next. In the Windows Sync Server Info window, fill in the Active Directory information in the Windows Domain Information area.
• • • • • The name of the Windows domain. What kinds of entries to synchronize; users and groups are synchronized independently. When a type of entry is chosen, then all the entries of that type that are found in the Windows subtree are created in the Directory Server. The Windows and Directory Server subtree information; this is automatically filled in. The host name of the domain controller The Windows server's port number 9.
6. Set the connection type. There are three options: • Use LDAP This sets either a standard, unencrypted connection. • Use TLS/SSL This uses a secure connection over the server's secure LDAPS port, such as 636. Both the Directory Server and the Windows server must be properly configured to run in TLS/SSL for this connection and must have installed each other's CA certificates in order to trust their server certificates.
1. 2. 3. 4. 5. Go to the Configuration tab in the Console. Open the Replication folder and expand the appropriate database. Select the sync agreement. Right-click on the agreement or open the Object menu. Select Initiate Full Re-synchronization. If synchronization stops for any reason, begin another total update (resynchronization) by selecting this from the sync agreement menu. Beginning a total update (resynchronization) will not delete or overwrite the databases. 9.
ntUserCreateNewAccount attribute (even on an existing entry) signals to the syncrhonization plug-in to write the entry over to the Active Directory server. New users that are created on the Directory Server with the ntUser object class are synchronized to the Windows machine at the next regular update, which is a standard poll of entry.
Table 9-2 User schema mapped between Directory Server and Active Directory Directory Server Active Directory cn1 name ntUserDomainId sAMAccountName ntUserHomeDir homeDirectory ntUserScriptPath scriptPath ntUserLastLogon lastLogon ntUserLastLogoff lastLogoff ntUserAcctExpires accountExpires ntUserCodePage codePage ntUserLogonHours logonHours ntUserMaxStorage maxStorage ntUserProfile profilePath ntUserParms userParameters ntUserWorkstations userWorkstations 1 The cn is treated dif
9.3.2.1 Values for cn attributes In Directory Server, the cn attribute can be multi-valued, while in Active Directory this attribute must have only a single value. When the Directory Server cn attribute is synchronized, then, only one value is sent to the Active Directory peer.
9.3.3.1 Configuring user sync in the console 1. 2. In the Directory Server Console, select the Directory tab. For an existing entry, right-click the entry, and click Properties to open the property editor for the entry. For a new entry, right-click the main entry in the left window to add the new entry, select User, then fill in the required entry attributes. 3. 4. On the left side of the Property Editor, click the NT User link. In the NT User tab, check the Enable NT Attributes checkbox. 5.
9.3.3.2 Configuring user sync in the command line To enable synchronization through the command line, add the required sync attributes to an entry or create an entry with those attributes.
3. 4. Open the Connection tab. Check the New Windows User Sync checkbox to enable users sync. To disable sync, uncheck the box. For new synchronization agreements, select the corresponding users sync checkbox in the sync agreement creation wizard. 9.3.4.2 Configuring user sync in the command line The attribute to set Active Directory user sync is nsds7NewWinUserSyncEnabled and is set on the sync agreement.
cn=mapping tree, cn=config changetype: modify replace: nsds7NewWinUserSyncEnabled nsds7NewWinUserSyncEnabled: on To disable user synchronization, set nsds7NewWinUserSyncEnabled: off. 9.4 Synchronizing groups Like user entries, groups are not automatically synchronized between Directory Server and Active Directory.
Some attributes define the same information, but the names of the attributes or their schema definitions are different. These attributes are mapped between Active Directory and Directory Server, so that attribute A in one server is treated as attribute B in the other. For synchronization, many of these attributes relate to Windows-specific information.
5. Setting the ntGroup object class automatically adds the ntUserDomainId attribute. This attribute is required, so add a value. 6. To enable synchronization, click the Add Attribute button, and select the ntGroupCreateNewAccount attribute from the list. Then, set its value to on. This signals to the synchronization plug-in that the entry should be added to the Active Directory directory.
9.4.3.2 Configuring group sync in the command line To enable synchronization through the command line, add the required sync attributes to an entry or create an entry with those attributes. Three schema elements are required for synchronization: • • • The ntGroup object class. The ntUserDomainID attribute, to give the Windows ID for the entry. The ntGroupCreateNewAccount attribute, to signal to the synchronization plug-in to synchronize the Directory Server entry over to Active Directory.
3. 4. Open the Connection tab. Check the New Windows Group Sync checkbox to enable group synchronization. To disable synchronization, uncheck the box. For new synchronization agreements, select the corresponding group sync checkbox in the sync agreement creation wizard. 9.4.4.2 Configuring group sync in the command line The attribute to set Active Directory group sync is nsds7NewWinGroupSyncEnabled and is set on the synchronization agreement.
dn: cn=exampleSyncAgreement, cn=userRoot, cn="dc=example, dc=com", cn=mapping tree, cn=config changetype: modify replace: nsds7NewWinGroupSyncEnabled nsds7NewWinGroupSyncEnabled: on To disable group synchronization, set nsds7NewWinGroupSyncEnabled: off. 9.5 Deleting and resurrecting entries This section describes how enabling synchronization affects deleted entries on the synchonization peers and how resurrected entries are handled. 9.5.
9.6 Sending synchronization updates Synchronization occurs as frequently as is set in the winSyncInterval setting (for retrieving changes from the Active Directory domain) or nsds5replicaupdateschedule setting (for pushing changes from the Directory Server). By default, changes are retrieved from Active Directory every five minutes, and changes from the Directory Server are sent immediately. A sync update can be triggered manually.
9.6.2 Sending a total update (full synchronization) If there have been major changes to data, or synchronization attributes are added to pre-existing Directory Server entries, it is necessary to initiate a resynchronization. Resynchronization is a total update; the entire contents of synchronized subtrees are examined and, if necessary, updated. Resynchronization is done without using the changelog. This is similar to initializing or reinitializing a consumer in replication. 1. 2. 3. 4. 5.
add: nsDS5BeginReplicaRefresh nsDS5BeginReplicaRefresh: true This attribute is removed from the entry as soon as the update is complete. 9.6.4 Checking synchronization status Check synchronization status in the Replication tab in the Status of the Console. Highlight the synchronization agreement to monitor, and the relevant information should appear in the right-hand pane. The Status area shows whether the last incremental and total updates were successful and when they occurred. 1. 2. 3. 4.
9.7.1 Editing the sync agreement in the console Most of the information that can be edited in the Console is limited to connection information, including the protocol to use and the bind credentials. It is also possible to edit the synchronization agreement description. 1. 2. In the Configuration tab, expand the Replication folder. Expand the database being synchronized. All the synchronization agreements are listed below the database. Double-click the synchronized agreement to open it in the main window.
There are three areas of information that can be edited. • • • The connection type (standard, TLS/SSL, and Start TLS). The bind user, both DN and password. Whether to synchronize new Directory Server users and new Directory Server groups automatically.
9.7.2.
NOTE: The synchronization times cannot wrap around midnight, so the setting 2300-0100 is not valid. To change how frequently the Directory Server checks the Active Directory for changes to Active Directory entries, reset the winSyncInterval attribute. This attribute is set in seconds, so the default of 300 means that the Directory Server polls the Active Directory server every 300 seconds, or five minutes.
Table 9-6 Sync agreement attributes (continued) Object class or attribute Description nsds5replicaport Gives the LDAP port for the Windows server. To use TLS/SSL, give the secure port number (636 by default) and set the nsds5ReplicaTransportInfo attribute to SSL. To use Start TLS, which initiates a secure connection over a standard port, use the standard port, 389, with the nsds5ReplicaTransportInfo attribute to TLS. nsds5replicatransportinfo To use TLS/SSL, set this parameter to SSL.
Windows Users Sync and New Windows Groups Sync attributes in the synchronization agreement. NOTE: A synchronization agreement needs to be configured for both kinds of unidirectional synchronization. To only synchronize Directory Server entries, then do not set the Active Directory sync attributes in the sync agreement. Likewise, to only synchronize Active Directory over to Directory Server, do not add any sync attributes to Directory Server entries. 9.
Enable replication logging for more detailed information on synchronization to be recorded in the errors log. Replication log levels produces more verbose logs from the sync code that can help in diagnosing problems. 1. 2. In the Console, click the Configuration tab, select Logs from the navigation menu on the right, and open the errors log. Scroll down to errors log level, and select Replication from the menu. Click save.
10 Managing the directory schema HP-UX Directory Server comes with a standard schema that includes hundreds of object classes and attributes. While the standard object classes and attributes should meet the requirements of most deployments, it may be necessary to extend the schema for specific directory data. Extending the schema is done by creating new (custom) object classes and attributes.
Example 10-1 person object class schema entry objectClasses: ( 2.5.6.6 NAME 'person' DESC 'Standard LDAP objectclass' SUP top MUST ( sn $ cn ) MAY ( description $ seeAlso $ telephoneNumber $ userPassword ) X-ORIGIN 'RFC 2256' ) Every object class defines a number of required attributes and of allowed attributes.
2. 3. Server itself does not manage OIDs, but there are some best practices described in “Managing object identifiers”. Create the new attributes. Attribute definitions require a name, a syntax (the allowed format of the values), an OID, and a description of whether the attribute can only be used once per entry or multiple times. Create an object class to contain the new attributes. An object class lists the required attributes for that entry type and the allowed (permissible) attributes.
In order to load those schema files on any other servers, the schema has to be copied over, then a local reload task has to be run. 10.2 Managing object identifiers Each LDAP object class or attribute must be assigned a unique name and object identifier (OID). An OID is a dot-separated number that identifies the schema element to the server. OIDs can be hierarchical, with a base OID that can be expanded to accommodate different branches.
Table 10-1 LDAP attribute syntax (continued) Name OID Definition OctetString 1.3.6.1.4.1.1466.115.121.1.40 Indicates that values for this attribute are binary; this is the same as using the binary synatx. Postal Address 1.3.6.1.4.1.1466.115.121.1.41 Indicates that values for this attribute are encoded in the format postal-address =dstring* ("$"dstring). For example: 1234 Main St.$Raleigh, NC 12345$USA Each dstring component is encoded as a DirtectoryString value.
3. There are three tabs that display the schema elements loaded in Directory Server: Object Class, Attributes, and Matching Rules. The Attributes tab is broken into two sections for default and custom attributes. Both sections show the attribute name, OID, syntax, and whether the attribute is multi-valued. The Object Classes tab shows the list of object classes on the left.
10.4.2 Creating attributes NOTE: After adding new attributes to the schema, create a new object class to contain them, as described in “Creating object classes”. 1. 2. Select the Configuration tab. In the left navigation tree, select the Schema folder, then select the Attributes tab in the right pane. 10.
3. Click Create. 4. Fill in the information for the new attribute. • • 438 The attribute name; this must be unique. The OID; this is not required, but for compatibility and server performance, assigning a unique numeric OID is strongly recommended.
• • 5. The syntax; this is the allowed format for the attributes values. Whether the attribute is multi-valued; by default, all attributes can be used more than once in an entry, but deselecting the checkbox means the attribute can be used only once. Click OK. 10.4.3 Creating object classes A new object class must be created with a unique name, a parent object, and required and optional attributes. To create an object class: 1. 2. In the Directory Server Console, select the Configuration tab.
4. 440 Fill in the information about the new object class.
• • • • The name; this must be unique. The OID; this is not required, but for compatibility and server performance, assigning a unique numeric OID is strongly recommended. The superior object class for the entry. The default is top; selecting another object class means that the new object class inherits all the required and allowed attributes from the parent, in addition to its own defined attributes. Required and allowed attributes.
10.4.4 Editing custom schema elements Only user-created attributes or object classes can be edited; standard schema elements cannot be edited. 1. 2. In the Directory Server Console, select the Configuration tab. In the left navigation tree, select the Schema folder. 3. 4. Open the Object Classes or Attributes tab. Select the schema element to edit from the list. Only custom (user-defined) schema can be edited in the Directory Server Console. Click the Edit button at the bottom of the window. 5.
6. Edit any of the schema information. 10.4.5 Deleting schema Only user-created attributes or object classes can be deleted; standard schema elements cannot be deleted. 1. 2. In the Directory Server Console, select the Configuration tab. In the left navigation tree, select the Schema folder. 3. Open the Object Classes or Attributes tab. 10.
4. 5. Select the schema element to delete from the list. Only custom (user-defined) schema can be deleted in the Directory Server Console. Click the Delete button at the bottom of the window. 6. Confirm the deletion. CAUTION: The server immediately deletes the schema element. There is no undo. 10.5 Managing schema using ldapmodify As with the Directory Server Console, ldapmodify can be used to add, edit, and delete custom schema elements.
The object class definition contains several components: • • • • • • • An OID, usually a dot-separated number A unique name, in the form NAME name A description, in the form DESC description The superior, or parent, object class for this object class, in the form SUP object_class; if there is no related parent, use SUP top The word AUXILIARY, which gives the type of entry to which the object class applies; AUXILIARY means it can apply to any entry A list of required attributes, preceded by the word MUST; t
10.6 Creating custom schema files Schema files are simple LDIF files that define the cn=schema entry. Each attribute and object class is added as an attribute to that entry. Here are the requirements for creating a schema file: • • • • • The first line must be dn: cn=schema. The schema file can include both attributes and object classes; alternatively, it can include only one or the other.
Example 10-3 “Example schema file” shows a simplified schema file. Example 10-3 Example schema file dn: cn=schema attributetypes: ( 2.16.840.1133730.1.123 NAME 'dateofbirth' DESC 'For em\ ployee birthdays' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Example defined') objectclasses: ( 2.16.840.1133730.2.
10.7.2 Reloading schema using ldapmodify The schema-reload.pl script creates a special task entry in a Directory Server instance that reloads schema files; it is also possible to reload schema by creating the task entry directly. Task entries occur under the cn=tasks configuration entry in the dse.ldif file, so it is also possible to initiate a task by adding the entry using ldapmodify. As soon as the task is complete, the entry is removed from the directory.
[06/Jan/2009:17:52:04 -0500] schemareload - Schema validation passed. [06/Jan/2009:17:52:04 -0500] schemareload - Schema reload task finished. If there is a failure, then the log shows which step failed and why. [..] ... [..] [..] [..] schemareload - Schema reload task starts (schema dir: /bogus) schema - No schema files were found in the directory /bogus schema_reload - schema file validation failed schemareload - Schema validation failed. 10.
4. Click Save. To turn schema checking on and off using LDAP commands, edit the value of the nsslapd-schemacheck attribute. For example: ldapmodify -h myserver -p 389 -D "cn=directory manager" -w secret dn: cn=config changetype: modify replace: nsslapd-schemacheck: on nsslapd-schemacheck: off For information, see the HP-UX Directory Server configuration, command, and file reference.
11 Managing indexes Indexing makes searching for and retrieving information easier by classifying and organizing attributes or values. This chapter describes the searching algorithm itself, placing indexing mechanisms in context, then describes how to create, delete, and manage indexes.
• International index speeds up searches for information in international directories. The process for creating an international index is similar to the process for creating regular indexes, except that it applies a matching rule by associating an object identifier (OID) with the attributes to be indexed. The supported locales and their associated OIDs are listed in Appendix D “Internationalization”.
11.1.2.2 Overview of system indexes System indexes cannot be deleted or modified. They are required by the directory to function properly. Table 11-2 “System indexes” lists the system indexes included with the directory. Table 11-2 System indexes Attribute Eq Pres Purpose aci Allows the Directory Server to quickly obtain the access control information maintained in the database. objectClass Used to help accelerate subtree searches in the directory.
to see if any match the search criteria. The directory returns matching entries to the client as each is found. The directory continues until either it has examined all candidate entries or it reaches the limit set in one of the following attributes: • • • • nsslapd-sizelimit, which specifies the maximum number of entries to return from a search operation. If this limit is reached, the directory returns any entries it has located that match the search request, as well as an exceeded size limit error.
11.1.5 Balancing the benefits of indexing Before creating new indexes, balance the benefits of maintaining indexes against the costs. • • • • • • Approximate indexes are not efficient for attributes commonly containing numbers, such as telephone numbers. Substring indexes do not work for binary attributes. Equality indexes should be avoided if the value is big (such as attributes intended to contain photographs or passwords containing encrypted data).
As this example shows, the number of actions required to create and maintain databases for a large directory can be resource-intensive. 11.2 Creating indexes This section describes how to create presence, equality, approximate, substring, and international indexes for specific attributes using the Directory Server Console and the command line. NOTE: Because Directory Server 8.
To index the attribute using multiple languages, list multiple OIDs separated by commas, but no white space. For a list of languages, their associated OIDs, and further information regarding collation orders, see Appendix D “Internationalization”. 8. 9. Click Save. The Indexes dialog box appears, displaying the status of the index creation and informing you when the indexes have been created. Click the Status Logs box to view the status of the indexes created. After the indexing is complete, click Close.
dn: cn=sn,cn=index,cn=Example1,cn=ldbm database,cn=plugins,cn=config objectClass:top objectClass:nsIndex cn:sn nsSystemIndex:false nsIndexType:pres nsIndexType:eq nsIndexType:sub nsMatchingRule:2.16.840.1.113730.3.3.2.3.1 The cn attribute contains the name of the attribute to index, in this example the sn attribute. The entry is a member of the nsIndex object class. The nsSystemIndex attribute is false, indicating that the index is not essential to Directory Server operations.
Table 11-6 “db2index options” describes the db2index.pl options: Table 11-3 db2index.pl options Option Description -D Specifies the DN of the administrative user. -w Specifies the password of the administrative user. -n Specifies the name of the database being indexed. -t Specifies the name of the attribute contained by the index. 11.2.
For more information on how to change the VLV search information or the access control rules that are set by default for VLV searches, see “Adding a browsing index entry” and “Setting access control for VLV information”. 11.2.5 Creating browsing indexes from the command line Creating a browsing index or virtual list view (VLV) index from the command line has these steps: 1. 2. Using ldapmodify to add new browsing index entries or edit existing browsing index entries. See “Adding a browsing index entry”.
• • • 3. browsing indexes from being created. The entry is a member of the vlvSearch object class. The vlvbase attribute value specifies the entry on which you want to create the browsing index; in this example, the ou=People,dc=example,dc=com entry (the browsing index identifier). The vlvscope attribute is 1, indicating that the scope for the search you want to accelerate is 1.
Table 11-4 vlvindex options Option Description -n Name of the database containing the entries to index. -T Browsing index identifier to use to create browsing indexes. 11.2.5.3 Using a cn=tasks entry to create a browsing index As an alternative to running the vlvindex script, it is possible to initiate an indexing task directly. NOTE: Running the indexing task is the same as running the vlvindex script.
To improve search performance, particularly for sites with many wildcard searches, the search string length for indexed searches can be changed. Directory Server has three attributes that allow you to change the minimum number of characters required for an indexed search: • The nsSubStrBegin attribute sets the required number of characters for an indexed search for the beginning of a search string, before the wildcard.
• • “Deleting browsing indexes from the server console” “Deleting browsing indexes from the command line” CAUTION: Do not delete system indexes because deleting them can significantly affect Directory Server performance. System indexes are located in the cn=index,cn=instance,cn=ldbm database,cn=plugins,cn=config entry and the cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config entry. Also, be cautious when deleting default indexes because this can also affect how Directory Server works.
11.4.2.1 Deleting an index entry Use the ldapdelete command line utility to delete either the entire indexing entry or the unwanted index types from an existing entry. • • 1. To delete the indexes for a particular database, remove the index entry from the cn=index,cn=database_name,cn=ldbm database,cn=plugins,cn=config entry, where cn=database_name corresponds to the name of the database. To delete a default index, remove it from the cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config entry.
Table 11-6 db2index options Option Description -D Specifies the DN of the administrative user. -w Specifies the password of the administrative user. -n Specifies the name of the database into which you are importing the data. 11.4.3 Deleting browsing indexes from the server console To delete a browsing index through the Directory Server Console: 1. 2. Select the Directory tab.
For full information on ldapdelete options, see the HP-UX Directory Server configuration, command, and file reference. 2.
objectClass: extensibleObject cn: example VLV index nsIndexVLVAttribute: "by MCC ou=people,dc=example,dc=com" As soon as the task is completed, the entry is removed from the directory configuration. The HP-UX Directory Server configuration, command, and file reference has more information on running Directory Server tasks under the cn=tasks entries. 11.5 Managing indexes Each index that the directory uses is composed of a table of index keys and matching entry ID lists.
Because maintaining large ID lists in memory can affect performance, the All IDs Threshold set a limit on how large a single entry ID list could get. When a list reaches a certain predetermined size, the search would treat it as if the index contained the entire directory. The difficulty in setting the All IDs Threshold hurt performance. If the threshold was too low, too many searches examined every entry in the directory. If it was too high, too many large ID lists had to be maintained in memory.
Also, the index sizes can be larger than in older releases, so you may want to increase your database cache size. To reconfigure your cache size, look up the nsslap-dbcachesize entry in the HP-UX Directory Server configuration, command, and file reference. 11.6 Attribute name quick reference table Table 11-7 “Attribute name quick reference table” lists all attributes which have a primary or real name as well as an alias. When creating indexes be sure to use the primary name.
12 Managing SSL To provide secure communications over the network, HP-UX Directory Server includes the LDAPS communications protocol. LDAPS is the standard LDAP protocol, running over Transport Layer Security (TLS, formerly Secure Sockets Layer or SSL). Directory Server also allows spontaneous secure connections over otherwise-insecure LDAP ports, using the Start TLS LDAP extended operation. This chapter describes how to use TLS/SSL with Directory Server.
1. Obtain and install a certificate for the Directory Server, and configure the Directory Server to trust the certification authority's (CA's) certificate. For information, see “Obtaining and installing server certificates”. 2. Turn on TLS/SSL in the directory. For information, see “Starting the server with TLS/SSL enabled”. 3. 4. Configure the Administration Server connect to an SSL-enabled Directory Server.
With the -ZZZ option, the following errors could occur, causing the Start TLS operation to fail: • • • If there is no certificate database. See “Obtaining and installing server certificates” for information on using certificates. If the certificate database does not have the certificate authority (CA) certificate. See “Obtaining and installing server certificates” for information on using certificates. The server does not support Start TLS as an extended operation.
12.2.1 Step 1: Generate a certificate request Generate a certificate request, and send it to a CA. The Directory Server Console has a tool, the Certificate Request Wizard, which generates a valid certificate request to submit to any certificate authority (CA). 1. 2. 3. 4. 474 In the Directory Server Console, select the Tasks tab, and click Manage Certificates. Select the Server Certs tab, and click the Request button. Click Next. Enter the Requester Information in the blank text fields, then click Next.
• Server Name Enter the fully qualified host name of the Directory Server as it is used in DNS and reverse DNS lookups; for example, dir.example.com. The server name is critical for client-side validation to work, which prevents man-in-the-middle attacks. • Organization Enter the legal name of the company or institution. Most CAs require this information to be verified with legal documents such as a copy of a business license. • Organizational Unit Optional.
The Next button is grayed out until a password is supplied. 7. 476 The Request Submission dialog box provides two ways to submit a request: directly to the CA (if there is one internally) or manually. To submit the request manually, select Copy to Clipboard or Save to File to save the certificate request that will be submitted to the CA.
8. Click Done to dismiss the Certificate Request Wizard. After generating the certificate request, send it to the CA. 12.2.2 Step 2: Send the certificate request After the certificate request is generated, send it to a certificate authority (CA); the CA will generate return a server certificate. 1. 2. Most certificate requests are emailed to the CA, so open a new message. Copy the certificate request information from the clipboard or the saved file into the body of the message.
12.2.3 Step 3: Install the certificate 1. 2. 3. In the Directory Server Console, select the Tasks tab, and click Manage Certificates. Select the Server Certs tab, and click Install. Give the certificate location or paste the certificate text in the text box, then click Next. • • 4. 5. 6. In this file. Enter the absolute path to the certificate in this field. In the following encoded text block. Copy the text from the CA's email or from the created text file, and paste it in this field.
5. 6. Name the certificate, and click Next. Select the purpose of trusting this certificate authority; it is possible to select both options: • Accepting connections from clients (Client Authentication). The server checks that the client's certificate has been issued by a trusted certificate authority.
nobody, and it must be set as readonly for the Directory Server user and allow no access to anyone else (mode 0400). HP recommends that you have a secure backup of this file. 4. Set the environment variable for the shell to include the certutil directory path. For example: export PATH=/opt/dirsrv/bin/:$PATH The command varies depending on the shell. 5. Create the key and certificate databases databases. certutil -N -d . -f ./pwdfile 6. Generate the self-signed CA certificate.
9. Use pk12util to export other server certificates and keys created with certutil so that they can be used on a remote server. pk12util -d . -o ldap1.p12 -n Server-Cert1 -w /tmp/pwdfile -k ./pwdfile The -w argument is the password used to encrypt the .p12 file for transport. The -k argument specifies the password for the key database containing the server certificate being exported to .p12. 10. If the Directory Server will run with TLS/SSL enabled, then create a password file (pin.
Table 12-1 certutil options (continued) Options Description -o The output file to which to save the certificate request. -I An input file containing a certificate. -f The path to a password file for the security databases password. Table 12-2 “certutil examples” has some common uses for the certutil command. Table 12-2 certutil examples Example Description certutil -L -d . Lists the certificates in the database. certutil -N -d . Creates new key (key3.db) and certificate (cert8.db) databases.
NOTE: On SSL-enabled servers, be sure to check the file permissions on certificate database files, key database files, and PIN files to protect the sensitive information they contain. Because the server does not enforce read-only permissions on these files, check the file modes to protect the sensitive information contained in these files. The files must be owned by the Directory Server user, such as the default nobody.
matching the host name against the value assigned to the common name (cn) attribute of the subject name in the being presented for authentication. By default, this feature is disabled. If it is enabled and if the host name does not match the cn attribute of the certificate, appropriate error and audit messages are logged.
8. Click Cipher Settings. The Cipher Preference dialog box opens. By default, all ciphers are selected. 9. Set the preferences for client authentication. • Do not allow client authentication With this option, the server ignores the client's certificate. This does not mean that the bind will fail. • Allow client authentication This is the default setting. With this option, authentication is performed on the client's request.
To restart the Directory Server without the password prompt, create a PIN file or use a hardware crypto device. For information on how to create a PIN file, see “Creating a password file for the Directory Server”. For more information about the commands to start, stop, and restart the Directory Server, see “Starting and stopping servers”.
NOTE: To find out what the Administration Server user ID is, run grep in the Administration Server configuration directory: cd /etc/opt/dirsrv/admin-serv grep \^User console.conf 3. In the /etc/opt/dirsrv/admin-serv directory, edit the nss.conf file to point to the location of the new password file. # Pass Phrase Dialog: # Configure the pass phrase gathering process. # The filtering dialog program ('builtin' is a internal # terminal dialog) has to provide the pass phrase on stdout.
use the same ciphers. There are a number of ciphers available. The server needs to be able to use the ciphers that will be used by client applications connecting to the server. 12.6.1 Available ciphers This section lists information about the available ciphers for Directory Server encryption. Each cipher has the following information: • Directory Server name The name of the cipher suite used when configuring the Directory Server.
Table 12-4 SSLv3 ciphers Directory Server name Key exchange Encryption algorithm Symmetric key bit size Message authentication dhe_rsa_3des_sha DHE with RSA 3DES 168 SHA dhe_rsa_des_sha DHE with RSA DES 56 SHA dhe_dss_3des_sha DHE with DSS 3DES 168 SHA dhe_dss_des_sha DHE with DSS DES 56 SHA rsa_des_sha RSA DES 56 SHA rsa_3des_sha RSA 3DES 168 SHA rsa_fips_des_sha RSA DES 56 SHA rsa_fips_3des_sha RSA 3DES 168 SHA rsa_rc4_128_md5 RSA RC4 128 MD5 rsa_rc4_40_md
5. In the Cipher Preference dialog box, specify which ciphers for the Directory Server to use by selecting them from the list, and click OK. Unless there is a security reason not to use a specific cipher, select all the ciphers, except for none,MD5. 6. In the Encryption tab, click Save. CAUTION: Avoid selecting the none,MD5 cipher because the server will use this option if no other ciphers are available on the client, instead of refusing the connection.
stored in the user's directory entry. By comparing the certificate, the server determines whether to allow access or whether to revoke a certificate by removing it from the user's entry. If more than one directory entry contains the information in the user's certificate, the server can examine all matching entries in order to determine which user is trying to authenticate. When examining a directory entry, the server compares the presented certificate with the one stored in the entry.
NOTE: Do not map a certificate-based authentication certificate to a distinguished name under cn=monitor. Mapping a certificate to a DN under cn=monitor causes the bind operation to fail. Map the certificate to a target located elsewhere in the directory information tree. Make sure that the verifyCert parameter is set to on in the certmap.conf file. If this parameter is not set to on, Directory Server simply searches for an entry in the directory that matches the information in the certmap.conf file.
The default mapping specifies what the server should do if a client certificate was issued by a CA that is not listed in certmap.conf. The mappings for specific CAs specify what the server should do for client certificates issued by those CAs.
FilterComps FilterComps is a comma-separated list of RDN keywords used to create a filter by gathering information from the user's DN in the client certificate. The server uses the values for these keywords to form the search criteria for matching entries in the LDAP directory. If the server finds one or more entries in the directory that match the user's information gathered from the certificate, the search is successful and the server performs a verification (if verifycert is set to on).
12.7.3 Editing the certmap.conf file 1. 2. In a text editor, open /etc/opt/dirsrv/slapd-instance/certmap.conf If necessary, make changes to the default mapping. For example, change the value for DNComps or FilterComps. To comment out a line, insert a # before it. 3. If desired, create a mapping for a specific CA. The mapping should take the form certmap mappingName issuerDN.
Example 12-2 An additional mapping certmap default default:DNComps default:FilterComps certmap MyCA MyCA:DNComps MyCA:FilterComps MyCA:verifycert default e, uid ou=MySpecialTrust,o=MyOrg,c=US ou,o,c e on When the server gets a certificate from a CA other than MyCA, the server uses the default mapping, which starts at the top of the directory tree and searches for an entry matching the client's email address (e) and user ID (uid).
• Do not allow client authentication With this option, the server ignores the client's certificate. This does not mean that the bind will fail. • Allow client authentication This is the default setting. With this option, authentication is performed on the client's request. • Require client authentication With this option, the server requests authentication from the client.
The nsSSLClientAuth parameter can be set to off, allowed, and required. 12.7.6 Connecting to the Directory Server with certificate-based authentication The Directory Server can connect to another Directory Server instance for chaining or replication using certificate-based authentication, as configured in the database link or replication agreement. Users can connect to the Directory Server with certificate-based authentication when using LDAP tools such as ldapsearch.
4. 5. Click the Edit Trust button. Set the CA trust options. • Accepting connections from clients (Client Authentication) This option sets whether to accept client, or user, certificates issued by the CA. • Making connections to other servers (Server Authentication) This option sets whether to accept server certificates issued by the CA. • Click OK. 12.8.3 Changing security device passwords Periodically change the settings for the security databases or devices. 1. 2. 3. 4. 5. 6.
13 Managing SASL HP-UX Directory Server supports LDAP client authentication through the Simple Authentication and Security Layer (SASL), an alternative to TLS/SSL and a native way for some applications to share information securely. The SASL framework allows different mechanisms to be used to authenticate a user to the server, depending on what mechanism is enabled in both client and server applications. SASL also creates a layer for encrypted (secure) sessions.
13.1.1 About SASL identity mapping When processing a SASL bind request, the server matches, or maps, the SASL authentication ID used to authenticate to the Directory Server with an LDAP entry stored within the server. When using Kerberos, the SASL user ID usually has the format userid@REALM, such as scarter@EXAMPLE.COM. This ID must be converted into the DN of the user's Directory Server entry, such as uid=scarter,ou=people,dc=example,dc=com.
dn: cn=example map,cn=mapping,cn=sasl,cn=config objectclass: top objectclass: nsSaslMapping cn: example map nsSaslMapRegexString: \(.*\) nsSaslMapBaseDNTemplate: ou=People,dc=example,dc=com nsSaslMapFilterTemplate: (cn=\1) This matches any user ID and map it an entry under the ou=People,dc=example,dc=com subtree that meets the filter cn=userId. Mappings can be confined to a single realm by specifying the realm in the nsSaslMapRegexString attribute.
TIP: SASL mappings can be added when an instance is created during a silent installation by specifying the mappings in an LDIF file and adding the LDIF file with the ConfigFile directive. Using silent installation is described in the HP-UX Directory Server installation guide. 13.1.2 Default SASL mappings for Directory Server The Directory Server has pre-defined SASL mapping rules to handle some of the most common usage.
13.1.3 Authentication mechanisms for SASL in Directory Server Directory Server support the following SASL encryption mechanisms: • EXTERNAL EXTERNAL, as with TLS/SSL, performs certificate-based authentication. This method uses public keys for strong authentication. • CRAM-MD5 CRAM-MD5 is a simple challenge-response authentication method. It does not establish any security layer, unlike GSS-API. Both DIGEST-MD5 and GSS-API are much more secure, so both of those methods are recommended over CRAM-MD5.
and can be distributed across either a single server or a single domain across multiple machines. A single server instance can also support multiple realms. NOTE: Kerberos realms are only supported for GSS-API authentication and encryption, not for DIGEST-MD5.
When the Directory Server authenticates to the server, it is as if it is running a kinit command to initiate the connection: kinit -k -t /etc/opt/dirsrv/ds.keytab ldap/FQDN@REALM The Directory Server uses the service name ldap. Its Kerberos principal is ldap/host-fqdn@realm, such as ldap/host1.corp.example.com/EXAMPLE.COM. The host-fqdn must be the fully-qualified host and domain name, which can be resolved by all LDAP and Kerberos clients through both DNS and reverse DNS lookups.
• Name This field sets the unique name of the SASL mapping. • Regular expression This field sets the regular expression used to match the DN components, such as \(.*\). This field corresponds to the nsSaslMapRegexString value in the SASL mapping LDIF entry. • Search base DN This field gives the base DN to search to map entries, such as ou=People,dc=example,dc=com. This field corresponds to the nsSaslMapBaseDNTemplate value in the SASL mapping LDIF entry.
NOTE: When SASL maps are added over LDAP, they are not used by the server until it is restarted. Adding the SASL map with ldapmodify adds the mapping to the end of the list, regardless of its ASCII order. 13.3 Configuring SASL authentication at Directory Server startup SASL GSS-API authentication has to be activated in Directory Server so that Kerberos tickets can be used for authentication.
14 Monitoring server and database activity This chapter describes monitoring database and HP-UX Directory Server logs. For information on using SNMP to monitor the Directory Server, see Chapter 15 “Monitoring Directory Server using SNMP”.
7 Read, write, and execute In the 3-digit number, the first digit represents the owner's permissions, the second digit represents the group's permissions, and the third digit represents everyone's permissions. When changing the default value, keep in mind that 000 will not allow access to the logs and that allowing write permissions to everyone can result in the logs being overwritten or deleted by anyone.
NOTE: The log deletion policy only makes sense if there is already a defined log file rotation policy. Log file deletion will not work if there is just one log file. The server evaluates the log file deletion policy at the time of log rotation. The log file deletion policy can be configured with the following parameters: • The maximum size of the combined archived logs When the maximum size is reached, the oldest archived log is automatically deleted. To avoid setting a maximum size, type -1 in this field.
1. 2. In the Directory Server Console, select the Configuration tab. In the navigation tree, expand the Log folder, and select the Access Log icon. The access log configuration attributes are displayed in the right pane. 3. To enable access logging, select the Enable Logging checkbox. Clear this checkbox to keep the directory from maintaining an access log. Access logging is enabled by default. 4. 5. Enter the full path and file name for the directory to use for the access log in the Log File field.
1. 2. In the Directory Server Console, select the Configuration tab. In the navigation tree, expand the Logs folder, and select the Errors Log icon. The errors log configuration attributes are displayed in the right pane. 3. 4. Select the Errors Log tab in the right pane. To enable error logging, select the Enable Logging checkbox. Clear this checkbox to keep the directory from maintaining an errors log. Error logging is enabled by default. 5. 6.
• • To display a different number of messages, enter the number of lines to view in the Lines to show text box, and click Refresh. To display messages containing a specified string, enter the string in the Show only lines containing text box, and click Refresh. 14.1.5.2 Configuring the audit log The Directory Server Console can be used to enable and disable audit logging and to specify where the audit log file is stored. To configure audit logging: 1. 2.
NOTE: Some of the counters for Directory Server database attributes monitored by server use 64-bit integers, even on 32-bit systems: • • • • • opsinitiated opscompleted entriessent bytessent totalconnections Enabling 64-bit integers for counters is set through the nsslapd-counters configuration attribute, as described in “Enabling and disabling 64-bit integers for counters”.
Table 14-1 General information (server) Field Description Server Version Identifies the current server version. Configuration DN Identifies the distinguished name that must be used as a search base to obtain these results using the ldapsearch command line utility. This field should read cn=monitor. Data Version Provides identification information for the server's data. Usually the information shown here is only relevant if the server supplies replicas to consumer servers.
Table 14-2 Resource summary Resource Usage since startup Average per minute Connections The total number of connections to this server since server startup. Average number of connections per minute since server startup. Operations Initiated The total number of operations initiated Average number of operations per minute since server startup. Operations include since server startup. any client requests for server action, such as searches, adds, and modifies.
Table 14-4 Connection status (continued) Table header Description Bound as The distinguished name used by the client to bind to the server. If the client has not authenticated to the server, the server displays not bound in this field. Read/Write Indicates whether the server is currently blocked for read or write access to the client. There are two possible values: Not blocked Means that the server is idle, actively sending data to the client, or actively reading data from the client.
14.3.2 Monitoring the Directory Server from the command line The Directory Server's current activities can be monitored using LDAP tools such as ldapsearch, with the following characteristics: • • • Search with the attribute filter objectClass=*. Use the search base cn=monitor; the monitoring attributes for the server are found in the cn=monitor entry. Use the search scope base. For example: ldapsearch -h directory.example.
Table 14-6 Server monitoring attributes (continued) Attribute Description nbackends Identifies the number of back-ends (databases) the server services. backendmonitordn Identifies the DN of each directory database. 14.4 Monitoring database activity The database's current activities can be monitored through Directory Server Console or from the command line.
3. Click Refresh to refresh the currently displayed information. For the directory to continuously update the displayed information, select the Continuous checkbox, then click Refresh. Table 14-7 General information (database) Field Description Database Identifies the type of database being monitored. Configuration DN Identifies the distinguished name that must be used as a search base to obtain these results using the ldapsearch command line utility.
Table 14-8 Summary information (continued) Performance metric Current total Entry Cache Hit Ratio Ratio that indicates the number of entry cache tries to successful entry cache lookups. This number is based on the total lookups and hits since the directory was last started. The closer this value is to 100%, the better. Whenever a search operation attempts to find an entry that is not present in the entry cache, the directory has to perform a disk access to obtain the entry.
Table 14-10 Database file-specific Performance metric Current total Cache Hits The number of times that a search result resulted in a cache hit on this specific file. That is, a client performs a search that requires data from this file, and the directory obtains the required data from the cache. Cache Misses The number of times that a search result failed to hit the cache on this specific file.
Table 14-11 Directory server monitoring attributes (continued) Attribute Description maxentrycachesize The maximum number of directory entries that can be maintained in the entry cache. This value is managed by the Maximum Entries in Cache setting. See “Tuning database performance” for information on changing this value using the Directory Server Console. dbcachehits The number of times the server could process a request by obtaining data from the cache rather than by going to the disk.
Table 14-12 Database link monitoring attributes Attribute Name Description nsAddCount The number of add operations received. nsDeleteCount The number of delete operations received. nsModifyCount The number of modify operations received. nsRenameCount The number of rename operations received. nsSearchBaseCount The number of base-level searches received. nsSearchOneLevelCount The number of one-level searches received. nsSearchSubtreeCount The number of subtree searches received.
By default, using 64-bit integers with counters is already enabled. To enable or disable using 64-bit integers, use ldapmodify: ldapmodify -D "cn=directory manager" -w secret -p 389 -h server.example.
15 Monitoring Directory Server using SNMP The server and database activity monitoring log setup described in Chapter 14 “Monitoring server and database activity” is specific to Directory Server. You can also monitor your Directory Server using Simple Network Management Protocol (SNMP), which is a management protocol used for monitoring network activity that can be used to monitor a wide range of devices in real time. Directory Server can be monitored with SNMP through an AgentX subagent.
15.2 Configuring the master agent To use the subagent, you must have a master agent that supports AgentX. A common agent is Net-SNMP master agent, which may be available through your operating system vendor or can be downloaded from the Net-SNMP website: http://www.net-snmp.org. The SNMP subagent included with Directory Server uses the AgentX protocol to communicate with the SNMP master agent running on your system. You must make sure that you enable AgentX support on your master agent.
To monitor multiple Directory Server instances, an additional server parameter in the subagent configuration file for each instance. server slapd-phonebook server slapd-example server slapd-directory 15.3.2 Starting the subagent After your master agent is running and you have created your subagent configuration file, start the subagent. To start your subagent, run the ldap-agent program, specifying the absolute path to the subagent configuration file as an argument.
dsEntityContact variable for one instance while sending a notification to a pager number in the dsEntityContact variable for another instance. There are two traps supported by the subagent: • Directory ServerDown This trap is generated whenever the subagent detects the Directory Server is potentially not running.
NOTE: All the Directory Server attributes monitored by SNMP use 64-bit integers for the counters, even on 32-bit systems. Enabling 64-bit integers for counters are configured with the nsslapd-counters configuration attribute, as described in “Enabling and disabling 64-bit integers for counters”. The counters that use 64-bit integers are not configurable; the 64-bit integers are either enabled for all the allowed counters or disabled for all allowed counters. 15.6.
Table 15-1 Operations table: managed objects and descriptions (continued) Managed object Description dsReferrals The number of referrals returned by this directory in response to client requests since server startup. dsSecurityErrors The number of operations forwarded to this directory that did not meet security requirements. dsErrors The number of requests that could not be serviced due to errors (other than security or referral errors).
15.6.4 Interaction table NOTE: The Interaction Table is not supported by the subagent. The subagent can query the table, but it will not ever be updated with valid data. Table 15-4 “Interaction table: managed objects and descriptions” describes the managed objects stored in the Interaction Table of the hpds-directory.mib file.
16 Tuning Directory Server performance This chapter describes the tools provided with HP-UX Directory Server to help optimize performance. It also provides tips to improve the performance of the directory. Topics include: • • • “Tuning server performance” (page 537) “Tuning database performance” (page 537) “Managing special entries” (page 541) 16.
• • • • “Changing the location of the database transaction log” “Changing the database checkpoint interval” “Disabling durable transactions” “Specifying transaction batching” 16.2.1 Optimizing search performance Improve server performance on searches by tuning database settings. The database attributes that affect performance mainly define the amount of memory available to the server. There are two kinds of database caches, one for the default database cache and the other for the entry cache.
attribute as large as possible, depending on the memory available on the machine. The larger this parameter, the faster the database is created. To keep from setting a limit, type -1 in this text box. If a user binds to the directory as the Directory Manager, by default the look-through limit is unlimited and overrides any settings specified here. To configure the attributes of each database that stores the directory data: 5.
16.2.4 Changing the database checkpoint interval At regular intervals, the Directory Server writes operations logged in the transaction log to the disk and logs a checkpoint entry in the database transaction log. By indicating which changes have already been written to the directory, checkpoint entries indicate where to begin recovery from the transaction log, thus speeding up the recovery process.
16.3 Managing special entries The cn=config entry in the simple, flat dse.ldif configuration file is not stored in the same highly scalable database as regular entries. As a result, if many entries, particularly entries that are likely to be updated frequently, are stored under cn=config, performance will probably suffer.
17 Support and other resources 17.1 Contacting HP 17.1.1 Information to collect before contacting HP Be sure to have the following information available before you call contact HP: • • • • • • Software product name Hardware product model number Operating system type and version Applicable error message Third-party hardware or software Technical support registration number (if applicable) 17.1.
• HP-UX Directory Server administration server guide The Administration Server is a support server that drives access to the Directory Server Console , provides a web server for Directory Server web applications, and stores some Directory Server configuration. This guide covers how to manage the Administration Server through the Console, through the command line, and through the web services. It also covers basic Administration Server concepts.
17.2.3 Troubleshooting resources • You can search a technical knowledge database available on the HP IT Resource Center (ITRC) website at: http://itrc.hp.com/ • To seek solutions to problems, you can post messages on the ITRC Forums page at the following website (select the HP-UX area in the Areas of peer problem solving section): http://forums.itrc.hp.
A LDAP data interchange format HP-UX Directory Server (Directory Server) uses the LDAP Data Interchange Format (LDIF) to describe a directory and directory entries in text format. LDIF is commonly used to build the initial directory database or to add large numbers of entries to the directory all at once. In addition, LDIF is also used to describe changes to directory entries. For this reason, most of Directory Server's command line utilities rely on LDIF for either input or output.
Table A-1 LDIF fields (continued) Field Definition attribute_type Specifies a descriptive attribute to use with the entry. The attribute should be defined either in the schema. See Chapter 10 “Managing the directory schema” for information on customizing the schema. [subtype] Optional. Specifies subtype, language, binary, or pronunciation.
A.3.2 Base-64 encoding Binary data can be converted to base-64, which can be used in LDIF files, for a variety of data, from images to SSL certificates. Base 64-encoded data are identified by using the :: symbol. For example: jpegPhoto::encoded_data In addition to binary data, other values that must be base-64 encoded include the following: • Any value that begins with a colon (:) or a space. • Any value that contains non-ASCII data, including new lines.
Table A-2 LDIF elements in domain entries LDIF element Description dn: distinguished_name Required. Specifies the distinguished name for the entry. objectClass: top Required. Specifies the top object class. objectClass: domain Specifies the domain object class. This line defines the entry as a domain or domain component. dc: domain_component Attribute that specifies the domain's name.
A.4.3 Specifying organizational person entries The majority of the entries in the directory represent organizational people.
To create a directory using LDIF: 1. Create an ASCII file containing the entries to add in LDIF format. Make sure each entry is separated from the next by an empty line. Use just one line between entries, and make sure the first line of the file is not be blank, or else the ldapmodify utility will exit. For more information, see “Specifying directory entries Using LDIF”. 2. Begin each file with the topmost, or root, entry in the database.
dn: ou=People,dc=example,dc=com objectclass: top objectclass: organizationalUnit ou: People description: Fictional example organizational unit tel: 555-5559 dn: cn=June Rossi,ou=People,dc=example,dc=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson cn: June Rossi sn: Rossi givenName: June mail: rossi@example.
information in multiple languages so that users in different locales can view directory information in their own language. When information in the directory is represented in multiple languages, the server associates language tags with attribute values. When a new entry is added, the attribute values used in the RDN (relative distinguished name, the naming attribute) must be provided without any language codes. Multiple languages can be stored for a single attribute.
B Finding directory entries Entries in the directory can be searched for and found using any LDAP client. Most clients provide some form of search interface so that the directory can be searched easily and entry information can be easily retrieved. NOTE: Users cannot search the directory unless the appropriate access control has been set in the directory. For information on setting access control in the directory, see Chapter 6 “Managing access control”.
Figure B-2 Searching for entries CAUTION: Do not modify the contents of the o=NetscapeRoot suffix using the Directory tab unless instructed to do so by HP technical support. TIP: For information on using the search form, click Help. B.2 Using ldapsearch The ldapsearch command line utility can locate and retrieve directory entries. This tool is located at the /opt/dirsrv/bin directory.
B.2.2 ldapsearch command-line format The ldapsearch command must use the following format: ldapsearch [optional_options] [optional_search_filter] [optional_list_of_attributes] • • • optional_options is a series of command line options. These must be specified before the search filter, if any are used. optional_search_filter is an LDAP search filter as described in “LDAP search filters”. Do not specify a separate search filter if search filters are specified in a file using the -f option.
Option Description -s Specifies the scope of the search. The scope can be one of the following: base searches only the entry specified in the -b option or defined by the LDAP_BASEDN environment variable. one searches only the immediate children of the entry specified in the -b option. Only the children are searched; the actual entry specified in the -b option is not searched.
ldapsearch -h mozilla -b "" -s base "objectclass=*" B.2.4.4 Searching the schema entry Directory Server stores all directory server schema in the special cn=schema entry. This entry contains information on every object class and attribute defined for the Directory Server. The following command searches the contents of the cn=schema entry: ldapsearch -h mozilla -b "cn=schema" -s base "objectclass=*" B.2.4.
ldapsearch -h mozilla -f searchdb sn givenname B.2.4.8 Specifying DNs that contain commas in search filters When a DN within a search filter contains a comma as part of its value, the comma must be escaped with a backslash (\). For example, to find everyone in the example.com Bolivia, S.A. subtree, use the following command: ldapsearch -h mozilla -s base -b "l=Bolivia\,S.A.,dc=example,dc=com" "objectclass=*" B.2.4.
B.3.2 Using operators in search filters The operators that can be used in search filters are listed in Table B-1 “Search filter operators”. In addition to these search filters, special filters can be specified to work with a preferred language collation order. For information on how to search a directory with international charactersets, see “Searching an internationalized directory”.
manager=* The following filter searches for entries containing the common name Ray Kultgen. This is also known as an equality search: cn=Ray Kultgen The following filter returns all entries that do not contain the common name Ray Kultgen: (!(cn=Ray Kultgen)) The following filter returns all entries that contain a description attribute that contains the substring X.500: description=*X.
B.4.1 An overview of persistent searches The purpose of a persistent search is to provide a continuous list of changes to the directory entries as well as the complete entries themselves, something like a hybrid search and changelog. Therefore, the search command must specify what entries to return (the search parameters) and what changes cause an entry to be returned (entry change parameters).
description: test uid: scarter givenName: scott objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetorgperson sn: carter cn: scott carter In the access logs, a persistent search is identifies with the tag options=persistent. [12/Jan/2009:12:51:54 -0500] conn=19636710736396323 op=0 SRCH base="dc=example,dc=com" scope=2 filter="(objectClass=person)" attrs=ALL options=persistent B.
The syntax for each of these options is discussed in the following sections: • “Using an OID for the matching rule” • “Using a language tag for the matching rule” • “Using an OID and suffix for the matching rule” • “Using a language tag and suffix for the matching rule” B.5.1.1.1 Using an OID for the matching rule Each locale supported by the Directory Server has an associated collation order OID.
For a list of locales supported by the Directory Server and their associated language tags, see Table D-1 “Supported locales”. For a list of relational operators and their equivalent suffixes, see Table B-3 “Search types, operators, and suffixes”. B.5.1.2 Using wildcards in matching rule filters When performing a substring search using a matching rule filter, use the asterisk (*) character as a wildcard to represent zero or more characters.
For example, to search for all surnames that come before the surname Marquez in the Spanish collation order, any of the following matching rule filters would work: sn:2.16.840.1.113730.3.3.2.15.1:=< Marquez ... sn:es:=< Marquez ... sn:2.16.840.1.113730.3.3.2.15.1.1:=Marquez ... sn:es.1:=Marquez B.5.3.2 Less-than or equal-to example Performing a locale-specific search using the less-than or equal-to operator (<=), or suffix (.
mailHost:2.16.840.1.113730.3.3.2.5.1:=> schranka4 ... mailHost:cs:=> schranka4 ... mailHost:2.16.840.1.113730.3.3.2.5.1.5:=schranka4 ... mailHost:cs.5:=schranka4 B.5.3.6 Substring example Performing an international substring search searches for all values that match the given pattern in the specified collation order. For example, to search for all user IDs that end in ming in the Chinese collation order, any of the following matching rule filters would work: uid:2.16.840.1.113730.3.3.2.49.1:=* *ming ...
C LDAP URLs LDAP URLs identify the HP-UX Directory Server instance, similarly to the way site URLs identify a specific web site or web page. There are three common times when the LDAP URL of the Directory Server instance is used: • The LDAP URL is used to identify the specific Directory Server instance when the Directory Server is accessed using a web-based client such as Administration Express. • LDAP URLs are used to configure Directory Server referrals.
Table C-1 LDAP URL components (continued) Component Description scope The scope of the search, which can be one of these values: • base retrieves information only about the distinguished name (base_dn) specified in the URL. • one retrieves information about entries one level below the distinguished name (base_dn) specified in the URL. The base entry is not included in this scope. • sub retrieves information about entries at all levels below the distinguished name (base_dn) specified in the URL.
• • • Because no port number is specified, the standard LDAP port number (389) is used. Because no attributes are specified, the search returns all attributes. Because no search scope is specified, the search is restricted to the base entry dc=example,dc=com. • Because no filter is specified, the directory uses the default filter (objectclass=*). Example 2 The following LDAP URL retrieves the postalAddress attribute of the entry with the DN dc=example,dc=com: ldap://ldap.example.
D Internationalization HP-UX Directory Server allows users to store, manage, and search for entries and their associated attributes in a number of different languages. An internationalized directory can be an invaluable corporate resource, providing employees and business partners with immediate access to the information they need in languages they understand. Directory Server supports all international character sets by default because directory data is stored in UTF-8.
Because a locale describes cultural, customary, and regional differences in addition to mechanical language differences, the directory data can both be translated into the specific languages understood by users as well as be presented in a way that users in a given region expect. D.2 Identifying supported locales When performing directory operations that require that a locale be specified, such as a search operation, use a language tag or a collation order object identifier (OID).
Table D-1 Supported locales (continued) Locale Language tag Collation order object identifiers (OIDs) Korean ko 2.16.840.1.113730.3.3.2.29.1 Latvian, Lettish lv 2.16.840.1.113730.3.3.2.31.1 Lithuanian lt 2.16.840.1.113730.3.3.2.30.1 Macedonian mk 2.16.840.1.113730.3.3.2.32.1 Norwegian no 2.16.840.1.113730.3.3.2.35.1 Polish pl 2.16.840.1.113730.3.3.2.38.1 Romanian ro 2.16.840.1.113730.3.3.2.39.1 Russian ru 2.16.840.1.113730.3.3.2.40.1 Serbian (Cyrillic) sr 2.16.840.1.113730.3.3.
Table D-2 Supported language subtypes (continued) Language tag Language Language tag Language fr French sr Serbian ga Irish sv Swedish gl Galician tr Turkish hr Croatian uk Ukrainian hu Hungarian zh Chinese id Indonesian D.4 Troubleshooting matching rules International collation order matching rules may not behave consistently. Some forms of matching-rule invocation do not work correctly, producing incorrect search results.
Glossary A access control instruction See ACI. access control list See ACL. access rights In the context of access control, specify the level of access granted or denied. Access rights are related to the type of operation that can be performed on the directory. The following rights can be granted or denied: read, write, add, delete, search, compare, selfwrite, proxy, and all.
bind distinguished name See bind DN. bind DN Distinguished name used to authenticate to Directory Server when performing an operation. bind rule In the context of access control, the bind rule specifies the credentials and conditions that a particular user or client must satisfy in order to get access to directory information. branch entry An entry that represents the top of a subtree in the directory.
CoS definition entry Identifies the type of CoS you are using. It is stored as an LDAP subentry below the branch it affects. CoS template entry Contains a list of the shared attribute values. D daemon A background process on a UNIX machine that is responsible for a particular system task. Daemon processes do not need human intervention to continue functioning. DAP Directory Access Protocol. The ISO X.500 standard protocol that provides client access to the directory.
file type The format of a given file. For example, graphics files are often saved in GIF format, while a text file is usually saved as ASCII text format. File types are usually identified by the file extension (for example, .GIF or .HTML). filter A constraint applied to a directory query that restricts the information returned. filtered role Allows you to assign entries to the role depending upon the attribute contained by each entry. You do this by specifying an LDAP filter.
L LDAP Lightweight Directory Access Protocol. Directory service protocol designed to run over TCP/IP and across multiple platforms. LDAP client Software used to request and view LDAP entries from an LDAP Directory Server. See also browser. LDAP Data Interchange Format See LDAP Data Interchange Format. LDAP URL Provides the means of locating Directory Servers using DNS then completing the query via LDAP. A sample LDAP URL is ldap://ldap.example.com.
are automatically replicated to the other server. In case of conflict, a time stamp is used to determine which server holds the most recent version. multiplexor The server containing the database link that communicates with the remote server. N n + 1 directory problem The problem of managing multiple instances of the same information in different directories, resulting in increased hardware and personnel costs. name collisions Multiple entries with the same distinguished name.
presence index Allows searches for entries that contain a specific indexed attribute. protocol A set of rules that describes how devices on a network exchange information. protocol data unit See PDU. proxy authentication A special form of authentication where the user requesting access to the directory does not bind with its own DN but with a proxy DN. proxy DN Used with proxied authorization.
S SASL An authentication framework for clients as they attempt to bind to a directory. Also Simple Authentication and Security Layer . schema Definitions describing what types of information can be stored as entries in the directory. When information that does not match the schema is stored in the directory, clients attempting to access the directory may be unable to display the proper results. schema checking Ensures that entries added or modified in the directory conform to the defined schema.
superuser The most privileged user available on UNIX machines. The superuser has complete access privileges to all files on the machine. Also called root. supplier Server containing the master copy of directory trees or subtrees that are replicated to replica servers. supplier server In the context of replication, a server that holds a replica that is copied to a different server is called a supplier for that replica.
Index A access control ACI attribute, 233 ACI syntax, 236 allowing or denying access, 241 and replication, 291 and schema checking, 238 anonymous access, 245 bind rules, 243 access at specific time or day, 253 access based on value matching, 249 general access, 245 user and group access, 244 Boolean bind rules, 255 compatibility with earlier versions, 291 creating from console, 256 dynamic targets, 245 from specific domain, 252 from specific IP address, 252 logging information, 274 overview, 233 permissions
viewing current, 264 wildcard in target, 238 wildcards, 246 ACI attribute default index for, 453 overview, 233 ACI placement, 234 ACI targets, 237 ACL, 233 activating accounts from command line, 305 from console, 305 Active Directory schema differences between Directory Server, 409, 415 add right, 241 adding directory entries, 116 Administration Server starting and stopping, 21 algorithm metaphone phonetic algorithm, 454 search, 453 All IDs Threshold, 468 all keyword, 245 allowing access, 241 anonymous acce
B backing up data, 157 all, 158 cn=tasks, 159 db2bak, 159 dse.ldif, 159 bak2db script, 161 bak2db.
overview, 487 selecting, 487 cl-dump.
backup files, 158 backup from console, 158 creating from command line, 42 creating from console, 41 creating multiple, 42 creating using LDIF, 551 deleting, 46 export, 152 cn=tasks, 157 db2ldif, 156 db2ldif.pl, 156 encrypted database, 52 export from console, 153 import, 145 cn=tasks, 151 encrypted database, 52 ldif2db, 149 ldif2db.
data, 145 databases, 31 deleting entries, 113 file locations, 19 importing data, 145 international character sets, 573 login, 22 managing entries, 99 MIB, 532 modifying entries, 104 monitoring, 511 monitoring from command line, 521 monitoring with SNMP, 529 overview, 19 performance counters, 516 64-bit, 517, 522, 533 64-bit integers, 527 reloading schema, 447 cn=schema reload task, 448 schema-reload.
F failover servers for database links, 60 feedback email address for documentation, 543 File locations, 19 files access log, 513 database backup, 158 EOF marker, 114 errors log, 514 id2entry.db4, 453 Filesystem Hierarchy Standard, 19 filesystem replica initialization, 376 filtered role creating, 171 example, 186 finding attributes, 560 entries, 556 fixup-memberof.
less than or equal to, 567 matching rule filter syntax, 564 substring, 568 using OIDs, 565 internationalization character type, 573 collation order, 573 country code, 574 date format, 573 language tag, 574 locales and, 573 location of files, 574 matching rule filters, 564 modifying entries, 126 monetary format, 573 object identifiers and, 574 of LDIF files, 553 search filters and, 564 supported locales, 574 time format, 573 ip keyword, 252 J jpeg images, 548 K Kerberos, 505 realms, 505 L language code in
internationalization and, 553 LDIF files continued lines, 548 creating directory using, 551 creating multiple entries, 115 example, 552 importing from Server Console, 115 internationalization and, 553 LDIF format, 547 LDIF update statements, 120 adding attributes, 123 adding entries, 121 continued lines, 121 deleting attribute values, 125 deleting attributes, 125 deleting entries, 125 modifying attribute values, 124 modifying entries, 123 syntax, 120 ldif utility converting binary data to LDIF, 549 ldif2db
in replication, 387 nested role creating, 174 example, 186 nsds5ReplicaBusyWaitTime, 349 nsds5ReplicaSessionPauseTime, 349 nsRole, 166 nsslapd-db-checkpoint-interval, 540 nsslapd-db-durable-transactions, 540 nsslapd-db-logdirectory, 539 nsslapd-idlistscanlimit, 454 nsslapd-lookthroughlimit attribute role in searching algorithm, 454 nsslapd-maxbersize, 110 nsslapd-schemacheck attribute, 450 nsslapd-sizelimit attribute role in searching algorithm, 454 nsslapd-timelimit attribute role in searching algorithm, 4
64-bit database attributes, 527 server attributes, 527 configuring 64-bit, 517, 522, 533 configuring 64-bit integers, 527 monitoring the server with, 516 performance tuning database, 537 server, 537 permissions ACI syntax, 236 allowing or denying access, 241 assigning rights, 241 overview, 241 precedence rule, 234 plug-ins disabling, 28 distributed number assignment, 132 configuring, 136, 137 overview, 132 syntax, 134, 135 enabling, 28 pointer CoS example, 189 overview, 189 port number Directory Server conf
solving conflicts, 386 supplier bind DN, 320 supplier server, 320 supplier-initiated, 320 troubleshooting, 389 unit of, 319 using cl-dump.pl script, 389 using repl-monitor.pl script, 385 replication agreement, 321 replication manager, 320 reporting documentation errors email address, 543 requiredObjectClass keyword, 142 resource limits, 306 setting using command line, 306 using console, 306 Resource Summary viewing, 518 resource use connections, 519 monitoring, 519 restoring data, 157 bak2db, 161 bak2db.
schema-reload.pl, 447 scripts cl-dump.pl, 389 repl-monitor.
subtypes of attributes, 111 suffix and associated database, 31 configuration attributes, 37 creating, 99 creating from command line, 36 creating root suffix, 33 creating sub suffix, 34 custom distribution function, 43 custom distribution logic, 43 disabling, 38 in Directory Server, 31 using referrals, 96 on update only, 96 with multiple databases, 42 suffix referrals creating, 96 creating from command line, 97 creating from console, 96 supplier bind DN, 320 supplier server, 320 symbols '', in ldapsearch, 55
groups, 414 logging levels, 428 manually updating, 420 Password Sync service, 399, 428 modifying, 428 setting up SSL, 401 starting and stopping, 428 uninstalling, 428 resurrecting deleted entries, 419 schema differences, 409, 415 troubleshooting, 428 users, 407 write performance, 468 write right, 241 601
