Red Hat Directory Server 8.1 Using the Admin Server with Red Hat Directory Server Edition 8.1.
Red Hat Directory Server 8.1 Using the Admin Server with Red Hat Directory Server Edition 8.1.1 Landmann rlandmann@redhat.
Legal Notice

Copyright © 2009 Red Hat, Inc. This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be removed.
Table of Contents

Preface ... 4
  1. Examples and Formatting ... 4
    1.1. Command and File Examples ... 4
    1.2. Tool Locations ... 4
    1.3. LDAP Locations ... 4
    1.4. Text Formatting and Styles ... 4
  2. Additional Reading ... 5
  3. Giving Feedback ... 6
  4. Documentation History ... 7
Chapter 1. Introduction

Red Hat Directory Server 8.1 Using the Admin Server

    3.2.2.3. Files for the Server Information Page ... 41
    3.2.2.4. Files for the Server Logs Page ... 42
    3.2.3. Admin Express Directives ... 43
Chapter 4. Admin Server Command-Line Tools ... 46
  4.1. sec-activate ... 46
  4.2. modutil ... 46
Index
Preface

The Admin Server Guide provides information on using a supporting administrative server with identity management products, including Red Hat Directory Server and Red Hat Certificate System. The Admin Server runs the Java consoles used by those servers, provides web services, and stores configuration information for those services. The Admin Server is installed and configured automatically with Red Hat Directory Server.
displayed in a prompt.

Monospace with a background
    This type of formatting is used for anything entered or returned in a command prompt.
Italicized text
    Any text which is italicized is a variable, such as instance_name or hostname. Occasionally, this is also used to emphasize a new term or other phrase.
Bolded text
    Most phrases which are in bold are application names, such as Cygwin, or are fields or options in a user interface, such as a User Name Here: field or Save button.
administer Directory Server. The document set for Directory Server contains the following guides:

Red Hat Directory Server Release Notes contain important information on new features, fixed bugs, known issues and workarounds, and other important deployment information for this specific version of Directory Server.

Red Hat Directory Server Deployment Guide provides an overview for planning a deployment of the Directory Server.
4. Documentation History

Revision 8.1.1, September 9, 2009, Ella Deon Lackey: Removing any references to the Directory Server Gateway or Org Chart.
Revision 8.1.0: Initial draft for version 8.1.
Chapter 1. Introduction to Red Hat Admin Server

Identity management and directory services with Red Hat Directory Server use three components, working in tandem:

    A Java-based management console
    An administration server which also functions as a web server
    An LDAP directory server

Figure 1.1.
When Red Hat Directory Server or Red Hat Certificate System (which depends on Red Hat Directory Server) is installed, the Admin Server is automatically installed and configured as well. There can be multiple Directory Server instances and multiple Certificate System subsystems on a single machine, and all use the same instance of Admin Server. There can be only one Admin Server per machine.
Chapter 2. Admin Server Configuration

The Admin Server is a separate server from Red Hat Directory Server or Red Hat Certificate System, although they work interdependently. The Admin Server processes, file locations, and configuration options are also separate.
2.2. Starting and Stopping the Admin Server

The Admin Server is running when the setup-ds-admin.pl configuration script completes. Avoid stopping and starting the server unnecessarily, so as not to interrupt server operations. When starting in SSL, the start script prompts for the password of the security (SSL certificate) database. It is possible to restart in SSL without being prompted for a password by using a password file. See Section 2.8.
There are scripts in the /usr/sbin directory:

    /usr/sbin/{start|stop|restart}-ds-admin

The Admin Server service can also be stopped and started with the service command on Red Hat Enterprise Linux 5 (32-bit). For example:

    service dirsrv-admin {start|stop|restart}

NOTE
The service name for the Admin Server process on Red Hat Enterprise Linux 5 (32-bit) is dirsrv-admin.

2.3.
TIP
It is possible to pass the Admin Server URL and port to the Console start script. For example:

    /usr/bin/redhat-idm-console -a http://localhost:9830

The -a option is a convenience, particularly for logging into a Directory Server for the first time. On subsequent logins, the URL is saved. If the Admin Server port number is not passed with the redhat-idm-console command, then the Console prompts for it at the login screen. This opens the main Console window.
Admin Server generates two kinds of logs:

Access logs. Access logs show requests to and responses from the Admin Server. By default, the file is located at /var/log/dirsrv/admin-serv/access.

Error logs. Error logs show messages for errors which the server has encountered since the log file was created. They also contain informational messages about the server, such as when the server was started and who tried unsuccessfully to log on to the server.
Example 2.1. Example Access Logs

    127.0.0.1 - cn=directory manager [23/Dec/2008:19:32:52 -0500] "GET /admin-serv/authenticate HTTP/1.0" 200 338
    192.168.123.121 - cn=directory manager [23/Dec/2008:19:33:14 -0500] "POST /admin-serv/tasks/Configuration/ServerSetup HTTP/1.0" 200 244
    192.168.123.121 - cn=directory manager [23/Dec/2008:19:33:16 -0500] "GET /admin-serv/tasks/Configuration/ReadLog?op=count&name=access HTTP/1.
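The access log lines above have a fixed shape (client address, a literal -, the bind DN, a bracketed timestamp, the request line, status and size), which makes them straightforward to parse for detection work. The following Python script is an added example, not code from the Red Hat guide: it parses lines in that format and reports client addresses with repeated failed logins to /admin-serv/authenticate. The rejected-login lines in the sample are constructed, and the assumption that a rejected login is answered with a non-2xx status (401 here) is the example's own; the guide shows only successful 200 responses, so confirm what a rejected login looks like on your own server before relying on the threshold.

```python
"""Parse Admin Server access-log lines and flag clients with repeated
authentication failures.  Added example, not part of the Red Hat guide."""
import re
from collections import Counter
from datetime import datetime

# One line of the format shown in Example 2.1:
#   client-ip - bind-dn [dd/Mon/yyyy:HH:MM:SS zone] "METHOD path HTTP/x.y" status bytes
# The bind DN can contain spaces ("cn=directory manager"), so it is matched
# non-greedily up to the bracketed timestamp.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<dn>.+?) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

AUTH_PATH = "/admin-serv/authenticate"   # login endpoint seen in Example 2.1


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = None if rec["size"] == "-" else int(rec["size"])
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def failed_auth_by_source(lines, threshold=3):
    """Count non-2xx answers to the login endpoint per client address and
    return {ip: count} for every address at or above `threshold`.
    Assumption: a rejected login gets a non-2xx status (the guide only shows
    successful 200 responses).  Unparseable lines are skipped, not fatal."""
    failures = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].startswith(AUTH_PATH) and not 200 <= rec["status"] < 300:
            failures[rec["ip"]] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


# Constructed sample: the first two lines of Example 2.1, three fabricated
# rejected logins from 10.0.0.7, and one junk line to exercise the skip path.
SAMPLE_LOG = """\
127.0.0.1 - cn=directory manager [23/Dec/2008:19:32:52 -0500] "GET /admin-serv/authenticate HTTP/1.0" 200 338
192.168.123.121 - cn=directory manager [23/Dec/2008:19:33:14 -0500] "POST /admin-serv/tasks/Configuration/ServerSetup HTTP/1.0" 200 244
10.0.0.7 - - [23/Dec/2008:19:40:01 -0500] "GET /admin-serv/authenticate HTTP/1.0" 401 0
10.0.0.7 - - [23/Dec/2008:19:40:03 -0500] "GET /admin-serv/authenticate HTTP/1.0" 401 0
*** log rotated ***
10.0.0.7 - cn=directory manager [23/Dec/2008:19:40:05 -0500] "GET /admin-serv/authenticate HTTP/1.0" 401 0
"""

if __name__ == "__main__":
    for ip, n in failed_auth_by_source(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} failed logins")
```

Run it against /var/log/dirsrv/admin-serv/access by passing the file's lines to failed_auth_by_source; the per-address counter is deliberately keyed on the client address rather than the bind DN, because a password-guessing client will typically try several DNs.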
WARNING
The path to the log file is absolute and cannot be changed.

5. Click OK to save the changes.
6. Open the Tasks tab, and click the Restart Server button to restart the server and apply the changes.

2.4.4. Changing the Log Location in the Command Line

The access and error log files' names and locations can be changed, which makes it possible to rotate the files. This rotation has to be done manually, creating new files when the existing log files become too large.
    /usr/lib/mozldap/ldapmodify -D "cn=directory manager" -w secret -p 389 -h server.example.com

    dn: cn=configuration, cn=admin-serv-example, cn=Red Hat Administration Server, cn=Server Group, cn=server.example.com, ou=example.com, o=NetscapeRoot
    changetype: modify
    replace: nsAccessLog
    nsAccessLog: /var/log/dirsrv/admin-serv/access_new

Hit Enter twice to submit the operation, and then Control+C to close ldapmodify.

2. Open the Admin Server configuration directory.
is in use, then the setup program uses a randomly-generated number larger than 1024, or one can assign any port number between 1025 and 65535.

2.5.1. Changing the Port Number in the Console

1. Open the Admin Server management window.
2. Click the Configuration tab.
3. Click the Network tab.
4. Enter the port number for the Admin Server instance in the Port field. The default Admin Server port number is 9830.
5. Click OK.
6.
    /usr/lib/mozldap/ldapsearch -D "cn=directory manager" -w secret -p 389 -h server.example.com -b "o=NetscapeRoot" "(objectclass=nsAdminConfig)" dn

    version: 1
    dn: cn=configuration, cn=admin-serv-example, cn=Red Hat Administration Server, cn=Server Group, cn=server.example.com, ou=example.com, o=NetscapeRoot

b. The Admin Server entry can be edited using ldapmodify. The port number is set in the nsServerPort attribute.
5. Click the Add button to add another host to the list of allowed computers. To add a hostname, make sure the drop-down list at the top reads Host Names to allow; to add an IP address, select IP Addresses to allow.
6. Fill in the host information. The * wildcard can be used to specify a group of hosts. For instance, *.example.com allows all machines in the example.com domain to access the instance. Entering 205.12.*
NOTE
The Admin Server supports both IPv4 and IPv6 addresses.

The Admin Server entry can be edited using ldapmodify. To set host restrictions:

1. Get the name of the Admin Server entry. Since the Admin Server entry has a special object class, nsAdminConfig, it is possible to search for the entry using that object class to retrieve the DN.

    /usr/lib/mozldap/ldapsearch -D "cn=directory manager" -w secret -p 389 -h server.example.
4. Restart the Admin Server to apply the changes.

    service dirsrv-admin restart

2.7. Changing the Admin User's Name and Password

During installation, you are asked to enter a username and password for the Configuration Administrator, the user authorized to access and modify the entire configuration directory.
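The following Python script is an added example, not code from the Red Hat guide, and ties together the two command-line procedures of Sections 2.5 and 2.6 above: it validates a port against the 1025 to 65535 range, builds the ldapmodify input that replaces nsServerPort on the entry DN shown in the Section 2.5 ldapsearch output, and evaluates host and IP allow-lists under the * wildcard rule of Section 2.6. The entry DN is the guide's sample. The audit_ip_pattern and match_rules functions, and the reading that * matches any run of characters while every other character (the dot included) is literal, are the example's own assumptions; the guide also does not say how the server combines the host list and the address list when both are set, so the two results are reported separately rather than merged.

```python
"""Validate and generate the Admin Server port change, and evaluate the host
and IP allow-lists with the '*' wildcard.  Added example, not part of the
Red Hat guide."""
import re

# Entry DN as shown in the guide's ldapsearch output (Section 2.5); on a real
# server take it from the "(objectclass=nsAdminConfig)" search.
ADMIN_DN = ("cn=configuration, cn=admin-serv-example, "
            "cn=Red Hat Administration Server, cn=Server Group, "
            "cn=server.example.com, ou=example.com, o=NetscapeRoot")


def validate_port(port):
    """Allowed Admin Server ports are 1025-65535 (Section 2.5)."""
    if not isinstance(port, int) or not 1025 <= port <= 65535:
        raise ValueError(f"port must be between 1025 and 65535, got {port!r}")
    return port


def port_ldif(dn, port):
    """ldapmodify input replacing nsServerPort, the attribute named in
    Section 2.5.  Feed it on stdin the way the guide does."""
    validate_port(port)
    return (f"dn: {dn}\n"
            "changetype: modify\n"
            "replace: nsServerPort\n"
            f"nsServerPort: {port}\n")


def pattern_to_regex(pattern):
    """Turn an allow-list pattern into a regex.  Assumption (example's own):
    '*' matches any run of characters and every other character, the dot
    included, is literal.  Hostnames are compared case-insensitively."""
    literal = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(literal) + "$", re.IGNORECASE)


def audit_ip_pattern(pattern):
    """Warn about an IPv4 pattern that is broader than it reads: a bare '*'
    admits every address, and a partial field such as '205.1*' also admits
    205.100.0.0/16 and similar.  IPv6 patterns (containing ':') are not checked."""
    warnings = []
    if pattern.replace("*", "") == "":
        warnings.append("allows every address")
        return warnings
    if ":" in pattern:
        return warnings
    for field in pattern.split("."):
        if field == "*" or (field.isdigit() and int(field) <= 255):
            continue
        warnings.append(f"partial field {field!r} (matches more octets than it looks like)")
    return warnings


def match_rules(client_ip, client_host, allowed_ips, allowed_hosts):
    """Evaluate both Section 2.6 allow-lists for one client and return
    (ip_matched, host_matched).  The guide does not state how the server
    combines the lists when both are set, so they are reported separately.
    Caveat: client_host is whatever reverse DNS says about client_ip, which
    the owner of that address range controls; IP rules are the firmer control."""
    ip_ok = any(pattern_to_regex(p).match(client_ip) for p in allowed_ips)
    host_ok = bool(client_host) and any(
        pattern_to_regex(p).match(client_host) for p in allowed_hosts)
    return ip_ok, host_ok


if __name__ == "__main__":
    print(port_ldif(ADMIN_DN, 9831))
    for p in ("205.12.*", "205.1*", "*"):
        print(p, audit_ip_pattern(p) or "ok")
    print(match_rules("205.12.3.4", "host1.example.com", ["205.12.*"], ["*.example.com"]))
```

Run audit_ip_pattern over every address pattern before adding it in the Console or through ldapmodify; the check catches the common mistake of writing 205.1* when 205.1.* was meant.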
5. Click Save.

2.8. Working with SSL

The Admin Server can run over HTTPS (secure HTTP) if SSL is enabled on the server. There are four steps to enabling SSL:

1. Generating and submitting a certificate request.
2. Receiving and installing the certificate.
3. Trusting the certificate authority (CA) which issued the certificate.
4. Changing the Admin Server configuration to allow SSL connections.

2.8.1.
Server Name. The fully qualified hostname of the server machine as it is used in DNS and reverse DNS lookups; for example, server.example.com. The server name is critical for client-side validation to work, which is what prevents man-in-the-middle attacks: clients compare this name with the hostname they connected to and reject the certificate on a mismatch.

IMPORTANT
This must be a valid hostname that can be resolved correctly by all Admin Server clients, or TLS/SSL will not work.

Organization. The legal name of the company or institution.
The Next button is grayed out until a password is supplied.

3. The Request Submission dialog box provides two ways to submit a request: directly to the CA (if there is one internally) or manually. To submit the request manually, select Copy to Clipboard or Save to File to save the certificate request which will be submitted to the CA. To submit the request to a CA manually, either email it or use the web form for the CA, if one is available.
b. Select the Server Certs tab, and click Install.
c. Give the absolute path to the certificate (In this file radio button) or paste the certificate text in the text box (In the following encoded text block radio button), then click Next.
d. Check that the certificate information displayed is correct, and click Next.
e. Name the certificate, and click Next.
f. Provide the password that protects the private key.
After receiving the CA certificate, use the Certificate Install Wizard to configure the Admin Server to trust the CA.

1. In the Admin Server Console, select the Tasks tab, and click Manage Certificates.
2. Go to the CA Certs tab, and click Install.
3. If the CA's certificate is saved to a file, enter the path in the field provided. Alternatively, copy and paste the certificate, including the headers, into the text box. Click Next.
4. Click Next to move through the panels that show the CA certificate information and the certificate name.
5. Select the purpose of trusting this certificate authority; it is possible to select both options:

    Accepting connections from clients (Client Authentication). The server checks that the client's certificate has been issued by a trusted certificate authority.
    Accepting connections to other servers (Server Authentication).
1. Open the Admin Server management window.
2. Click the Configuration tab.
3. Click the Encryption tab.
4. Select the Enable SSL for this server checkbox.
5. Select the Use this cipher family: RSA checkbox.
6. Choose the security device where the key is stored. By default, the key is stored in the local key database, Internal (Software-based). If the key is stored on an external device (such as a smart card), select that device from the menu.
7.
restarted:

    Starting dirsrv-admin:
    Please enter password for "internal" token:

The Admin Server can use a password file when TLS/SSL is enabled so that the server restarts silently, without prompting for the security password.

WARNING
This password is stored in clear text within the password file, so its usage represents a significant security risk. Do not use a password file if the server is running in an unsecured environment. If one is used, make the file owned by, and readable only by, the user the Admin Server runs as (the same mode 0400 advice as for the replication configuration file in Section 3.1.5), since anyone who can read it can unlock the server's private key.

1.
After TLS/SSL is enabled, the Admin Server can only be connected to using HTTPS. All of the previous HTTP (standard) URLs for connecting to the Admin Server and its services no longer work. This is true whether connecting to the Admin Server using the Console or using a web browser.

2.9.
There can be multiple user directories in a single deployment, because using multiple user directories enhances overall performance for organizations which are geographically spread out, which have high usage, or which have discrete divisions that benefit from individual directories. Admin Server can be configured to authenticate users against multiple user directories. To change the information for the user directory:

1.
Every location listed in the LDAP Host and Port field must contain that subtree, and the subtree must contain the user information. Optionally, enter the Bind DN and Bind Password for the user which connects to the user directory.

6. Click Save.

[1] The commands to start, stop, and restart the Admin Server on platforms other than Red Hat Enterprise Linux 5 (32-bit) are described in Section 2.2.
Chapter 3. Admin Express

3.1. Managing Servers in Admin Express

Admin Express provides a quick, simple web-based gateway to do basic management of servers. There are three tasks that can be performed through Admin Express:

    Stopping and starting the server
    Checking the server access, error, and audit logs
    Monitoring the progress and information for replication between Directory Servers

3.1.1.
3.1.3. Viewing Server Logs

Admin Express can show and search the access and error logs for Directory Server and Admin Server, and the audit logs for the Directory Server.

1. In the Admin Express page, click the Logs link by the server name.
2. Select which log type to view, how many lines to return, and any string to search for, and click OK.

Figure 3.2. Checking Logs

3.1.4.
3.1.5. Monitoring Replication from Admin Express

Admin Express has an option to monitor replication status in real time, meaning that it shows the number of updates, the times the most recent updates were sent, error and success messages, the replication schedule, the replicated directory suffix, and other information.
    grep \^User /etc/dirsrv/admin-serv/console.conf

The configuration file should be readable by the Admin Server user (the user named by the grep above) and no other users, so make that user the file's owner and restrict its permissions:

    chmod 0400 filename

2. In the Admin Server web page, click the Admin Express link, and log in.
3. Click the Replication Status link by the supplier server name.
4. Type the path to the configuration file in the Configuration file field.
updates from the supplier; this is the time difference between the supplier's and the consumer's max CSNs. When a consumer is in sync with its supplier, the time lag is 0.

Last Modify Time
    Gives the time of the last update for the consumer (the time the last CSN entry was sent).
3.2.2. Admin Express Configuration Files

The behavior of Admin Express is mostly set through the web server configuration, which should not be edited. The rest of the Admin Express configuration is set through directives which insert data or form fields. There is no cascading style sheet (CSS) file to centralize the formatting for pages in Admin Express. All formatting is done inline with the tags or through