Introduction
What Is in This Book?
Conventions Used in This Book
Chapter 1 Administering the Directory Server
Prerequisite Reading
Starting and Stopping the Directory Server
Starting the Server with SSL Enabled
Binding to the Directory
Introducing the Directory Server Manager
Introducing the Directory Server Command-Line Utilities
Finding the Command-Line Utilities
Setting Environment Variables
Introducing the Directory Server Configuration Files
Finding the Configuration Files
Chapter 2 LDAP Data Interchange Format
The LDIF File Format
Continued Lines
Base 64 Encoding
Creating Directory Entries Using LDIF
Specifying Organization Entries
Organization Example
Organization Name With a Comma Example
Specifying Organizational Unit Entries
Organizational Unit Example
Specifying Organizational Person Entries
OrganizationalPerson Example
Defining Directories Using LDIF
LDIF File Example
Specifying LDIF for an Internationalized Directory
Chapter 3 Extending the Directory Schema
Schema Checking
Turning Schema Checking On and Off
Using the Schema Configuration Forms
Using the Create ObjectClass Form
Using the Edit/View ObjectClasses Form
Using the Edit ObjectClass Form
Using the Manage Attributes Form
Extending Your Directory Schema
Deleting Object Classes and Attributes
Chapter 4 Managing Directory Server Databases
Managing Databases Using LDIF
Importing LDIF Using the Server Manager
Importing LDIF from the Command Line
ns-slapd Parameters Used for LDIF Imports
LDIF to Database Example
Converting Databases to LDIF
Converting to LDIF Using the Server Manager
Converting to LDIF Using ns-slapd
ns-slapd Parameters for Exporting Databases
db2ldif Example
Deleting LDIF Files
Backing Up and Restoring Your Database
Backing Up Your Database
Restoring Your Database
Deleting Database Backups
Restoring Databases That Include Replicated Entries
Managing Database Parameters
Placing Your Database in Read-Only Mode
Setting Suffixes for Your Database
Managing SuiteSpot Integration
Creating SuiteSpot Integration Entries
Using SuiteSpot Settings
Managing the Referential Integrity Plug-in
Disabling the Referential Integrity Plug-in
Changing the Integrity Update Interval
Modifying Which Attributes to Update
Managing Database Transaction Logging
Changing the Location of the Database Transaction Log
Changing the Database Checkpoint Interval
Disabling Durable Transactions
Chapter 5 Managing Access Control
Understanding Access Control
Targets
Targeting a Directory Entry
Targeting Attributes
Targeting using LDAP Filters
Permissions
Allowing or Denying Access
Assigning Rights
Bind Rules
User and Group Access
Access from a Specific Machine or Domain
Access at a Specific Time of Day or Day of Week
Access Based on Authentication Method
Boolean Bind Rules
Using the Access Control Forms
Using the Access Control Rules Form
Access Control Rules Form Buttons
Access Control Rules Form Areas
Applying Changes Made to the Access Control Rules Form
Access Control Field Summary
Setting Access Control Using the Server Manager
Creating a New ACI
Editing an Existing ACI
Deleting an Existing ACI
Usage Examples
Setting Anonymous Access for Read, Search, and Compare
Allowing Users to Modify Their Own Directory Entries
Allowing Users to Change Some of Their Own Attributes
Granting a Group Full Directory Access
Granting a Group Rights to Add and Delete Entries
Allowing Full Access to a Specific Branch Point
Allowing Access at a Specific Time of Day or Day of Week
Allowing Updates Only from a Specific Location
Allowing Access Over SSL Only
Setting a Target Using Filtering
Allowing Users to Add or Remove Themselves from a Group
Setting Access Control Using LDIF Files
The ACI Language Syntax
Setting Targets Using LDIF
Using the target Keyword
Using the targetattr Keyword
Using the targetfilter Keyword
Setting Permissions Using LDIF
Setting Bind Rules Using LDIF
Using the userdn Keyword
Using the groupdn Keyword
Using the userdnattr Keyword
Using the ip Keyword
Using the dns Keyword
Using the timeofday Keyword
Using the dayofweek Keyword
Using the authmethod Keyword
Using Boolean Expressions in LDIF Bind Rules
ACI Usage Examples
Defining Permissions for All Users
Defining Anonymous Access
Defining Permissions for Individual Users
Defining Permissions for a Group of Users
Defining Permissions for a Specific Subtree
Defining Permissions for a Specific Location
Defining Permissions Based on the Day of Week or the Time of Day
Defining Permissions Based on Authentication Method
Defining Permissions for DNs That Contain a Comma
Chapter 6 Managing Password Policies
Understanding Password Policies
Password Expiration
Expiration Warning
Password History
Password Length
Password Syntax Checking
User-Defined Passwords
Password Change After Reset
Account Lockout
Lockout Duration
Password Failure Counter Reset
Password Storage Scheme
Using the Password Policy Form
Managing Password Policies Using the Server Manager
Setting Up a Password Policy
Setting the Password Storage Scheme
Modifying the Password Policy
Setting or Resetting User Passwords
Chapter 7 Managing Indexes
The Searching Algorithm
Types of Indexes
The Presence Index
The Equality Index
The Approximate Index
The Substring Index
The International Index
The Cost of Indexing
Slower Database Modification and Creation Times
Higher System Resource Use
Creating Indexes
Default Indexes
Standard Index Files
Creating Indexes from the Server Manager
Creating Indexes Using slapd.dynamic_ldbm.conf
Indexing Currently Existing Attributes
Creating International Index Entries
Creating International Indexes From the Server Manager
Creating International Indexes Using slapd.dynamic_ldbm.conf
Removing Indexes
Removing Standard Indexes
Chapter 8 Finding Directory Entries
LDAP Search Filters
Search Filter Syntax
Using Attributes in Search Filters
Using Operators in Search Filters
Using Multiple Search Filters
Boolean Operators
Search Filter Examples
Using ldapsearch
Using Special Characters
ldapsearch Command Line Format
Commonly Used ldapsearch Parameters
SSL Parameters
Additional ldapsearch Parameters
ldapsearch Examples
Specifying Search Filters on the Command Line
Searching the DSE Entry
Searching the Schema Entry
Using LDAP_BASEDN
Displaying Subsets of Attributes
Specifying Search Filters Using a File
Specifying DNs that Contain Commas
Searching an Internationalized Directory
Supported Search Types
Matching Rule Filter Syntax
matchingRule Formats
Using Wildcards in Matching Rule Filters
International Search Examples
Less Than Example
Less Than or Equal to Example
Equality Example
Greater Than or Equal to Example
Greater Than Example
Substring Example
Chapter 9 Changing Directory Server Entries
Using the Command-Line Utilities
Using Special Characters
Providing Input from the Command Line
Deleting Entries Using ldapdelete
A Note on Deleting Entries
Commonly Used ldapdelete Parameters
SSL Parameters
Additional ldapdelete Parameters
ldapdelete Examples
Adding Entries
A Note on Adding Entries
Adding Entries Using the Server Manager
Modifying Entries Using ldapmodify
Commonly Used ldapmodify Parameters
SSL Parameters
Additional ldapmodify Parameters
ldapmodify Examples
LDIF Update Statements
Adding an Entry
Using the ldapmodify -a Parameter
Deleting an Entry
Renaming an Entry
A Note on Renaming Entries
Modifying an Entry
Deleting an Attribute
Deleting an Attribute Value
Adding Attributes
Changing an Attribute Value
Modifying an Entry in an Internationalized Directory
Chapter 10 Managing Your Directory Server
Viewing the Error Log
Viewing the Access Log
Turning Off the Access Log
Log File Rotation
Monitoring Your Server's Activities
Server Resource Usage Since Startup
Current Server Resource Usage
Connection Resource Usage
Monitoring Your Server from the Command Line
Monitoring Database Activity
General Information Table
Database Cache Information Table
Database File-Specific Table
Monitoring the Database from the Command Line
Managing the Root DN
Tuning Your Server's Performance
Managing Network Settings
Managing LDAP Settings
Managing SSL
Activating SSL
Setting Security Preferences
Using Certificate-Based Authentication
Chapter 11 Managing Replication and Referrals
Replication
Configuring a Server for Replication
Configuring Servers for Supplier-Initiated Replication
Configuring Servers for Consumer-Initiated Replication
Configuring the Supplier DN
Configuring the Server to Accept Normal Authentication
Configuring the Server to Accept Certificate-Based Authentication
Configuring the Change Log
Providing Consumers Access to the Change Log
Creating Replication Agreements
Managing Supplier-Initiated Agreements
Creating a Supplier-Initiated Agreement
Adding and Editing a Replication Agreement
The Destination Tab
The Content Tab
The Schedule Tab
The Status Tab
Managing Consumer-Initiated Agreements
Creating a Consumer-Initiated Agreement
Adding and Editing a Replication Agreement
The Source Tab
The Content Tab
The Schedule Tab
The Status Tab
Initializing Consumers
When to Initialize a Consumer
Online Consumer Creation
When You Should Use Online Consumer Creation
How to Use Online Consumer Creation
Manual Consumer Creation
How to Perform Manual Consumer Creation
Supplier-Initiated Replication Algorithm
Consumer-Initiated Replication Algorithm
Machine data
Managing Referrals
Creating and Changing Smart Referrals
Chapter 12 NT Directory Synchronization
The Synchronization Service
Synchronization: NT to Directory Server
How NT Directory Changes Are Discovered
Creating User Entries
Creating Group Entries
Initially Creating Entries
Synchronization: Directory Server to NT
How Synchronization Occurs
Creating User Entries
Creating Group Entries
Creating Duplicate Entries
Deleting Entries
Modifying Entries
Concurrently Changing Directory Server and PDC Values
The Synchronization Configuration Tool
About the OK, Cancel, Apply, and Help Buttons
Configuring Synchronization
Configuring Service Settings
Configuring Directory Server Settings
Scheduling Synchronization
Manually Performing Synchronization
Configuring Mail Accounts to be Created on the Directory Server
If the Selected UID is Not Unique
Starting and Stopping the Synchronization Service
Checking Synchronization Status
Chapter 13 Managing SNMP
Understanding SNMP
How does SNMP work?
NMS-Initiated Communication
Managed Device-Initiated Communication
The Directory Server MIB
The Operations Table
The Entries Table
The Interaction Table
Using the SNMP Subagent Configuration Form
Setting Up SNMP
Setting Up SNMP on a Windows NT Machine
Setting Up SNMP on a Unix Machine
Configuring the AIX SNMP Daemon (Unix AIX Platform Only)
Enabling the Subagent
Starting, Stopping, and Restarting the Subagent (Unix Only)
Chapter 14 Configuration Parameters
Changing Configuration Parameter Values
Changing Parameter Values Using the Server Manager
Changing Parameter Values Using slapd.conf
slapd.conf File Format
Changing Parameter Values Using slapd.dynamic_ldbm.conf
Validating Your Server Settings
General Server Parameters
Port Number
Encryption Enabled
Encryption Ciphers
Encrypted Port Number
Audit Log
Access Log
Error Log
Size Limit in Entries
Time Limit in Seconds
Look Through Limit in Entries
Schema Checking
Track Modifies
Log Level
Referral
Supplier DN
Supplier Password
Supplier SSL Clients
Changelog DB Directory
Changelog Suffix
Max Changelog Records
Max Changelog Age
Password Storage Scheme
Certificate and Key Directory
Encryption Alias
attribute
objectClass
threadnumber
maxthreadsperconn
NLS
Password Maximum Age
Password Expiration
Password Minimum Length
Password History
Number of Passwords to Remember
Password Change
Check Password Syntax
Send Warning
Account Lockout
Maximum Password Failures
Reset Password Failure Count After
Unlock Account
Lockout Duration
NT Synchronization Service Enabled
NT Synchronization Service Port Number
orcauto
Database Parameters
Suffix
DB Directory
Root DN
Root Password
Root Password Storage Scheme
Read-only
Maximum Entries in Cache
Maximum DB Cache size in Bytes
Attribute to be Indexed
database
mode
Database Checkpoint Interval
Database Durable Transactions
Database Transaction Log Directory
dynamicconf
Appendix A Object Classes
Groups
groupOfNames
groupOfUniqueNames
NTGroup
Replication
cirReplicaSource
glue
LDAPServer
LDAPReplica
Locations
country
locality
Organizations
organization
organizationalUnit
People
inetOrgPerson
newPilotPerson
nsLicenseUser
ntUser
organizationalPerson
organizationalRole
person
residentialPerson
Calendar Server Extensions
netscapeCalendarServer
nsCalAdmin
nsCalResource
nsCalUser
Certificate Server Extensions
netscapeCertificateServer
Collabra Server Extensions
netscapeNewsServer
nginfo
Compass Server Extensions
netscapeCompassServer
personalInterestProfile
PIPUser
PIPUserInfo
Directory Server Extensions
changeLogEntry
groupOfCertificates
netscapeDirectoryServer
netscapeMachineData
netscapeServer
passwordObject
passwordPolicy
referral
subschema
Media Server Extensions
netscapeMediaServer
Messaging Server Extensions
groupOfMailEnhancedUniqueNames
mailRecipient
mailGroup
netscapeMailServer
Proxy Server Extensions
netscapeProxyServer
Web Server Extensions
netscapeWebServer
Reserved Object Classes
account
alias
applicationEntity
applicationProcess
cacheObject
certificationAuthority
dcObject
device
DNSDomain
document
documentSeries
domain
domainRelatedObject
dSA
friendlyCountry
labeledURIObject
pilotObject
pilotOrganization
RFC822LocalPart
room
simpleSecurityObject
strongAuthenticationUser
top
Appendix C LDAP URLs
Components of an LDAP URL
Escaping Unsafe Characters
Examples of LDAP URLs
Appendix D Internationalization
Identifying Supported Locales