Managing Your Directory Server

his chapter describes basic directory server management. Specifically, this chapter describes:

Viewing the Error Log

The Server Status | View Error Log form contains the following fields:

Lets you specify the number of messages to view. If this field is blank, all available messages are shown. Specify an integer, n, to view the n most recent messages.

Only show entries with:

Provides a searching capability. Only those messages containing the string entered in this field are displayed. When you specify a search string in this field along with an integer, n, in the Number of entries field the server manager searches only the n most recent messages for the specified search string.

Viewing the Access Log

The Server Status | View Access Log form contains the following fields:

Number of entries:

Lets you specify the number of messages to view. If this field is blank, all available messages are shown. Specify an integer, n, to view the n most recent messages.

Only show entries with:

Provides a searching capability. Only those messages containing the string entered in this field are displayed. When you specify a search string in this field along with an integer, n, in the Number of entries field, the server manager searches only the n most recent messages for the specified search string.

Turning Off the Access Log

You can estimate that every 2,000 accesses to your server will grow your access log by approximately 1 MB. Because the access log can grow very quickly, you might want to turn access logging off if you find that it is not useful to you.

To turn access logging off, leave the Access Log parameter in the server manager blank. You can find the Access Log parameter in the server manager by going to Server Preferences |Network. For more information on this form, see "Managing Network Settings".

Alternatively, you can turn off access logging by editing slapd.conf directly. To do so, set the accesslog parameter as follows:


	accesslog ""

For information on changing server parameters from slapd.conf, see "Changing Parameter Values Using slapd.conf".

Log File Rotation

The directory server does not support automatic rotation of log files. You should therefore examine your log files at least once a week to ensure that they are not getting too large. If the files are getting large, you should back up and then delete the current log files, and then clear the contents of the primary files. Do the following:

Shut down the server.
Make a copy of the log file you are rotating.
Empty or truncate the contents of the primary copy of the log file you are rotating.
Restart the server.
Back up the log file copy you made in step 2 for future reference.

The ns-slapd log files can be found at


	<NSHOME>/slapd-<serverID>/logs/errors

and


	<NSHOME>/slapd-<serverID>/logs/access

Monitoring Your Server's Activities

You can monitor your directory server's current activities from either the server manager or from the command line. For information on how to monitor your server's activity from the command line, refer to "Monitoring Your Server from the Command Line".

To monitor your directory server's current activities from the server manager, use the Server Status | Monitor Current Activity form. If the server is currently not running, this form reflects that fact and no further information is given.

If the server is currently on, this form provides server monitor information in the following tables:

There is also a small table at the top of the form that includes:

Server Version--identifies the current server version level
Config DN--identifies the server's machine data tree DN. For information on machine data, see "Machine data".
Data Version--provides identification information for the server's data area. This is shown only if a change log is configured for the server. Usually the information shown here is only relevant if your server is supplying replicated trees to consumer servers. The following information is supplied in the following order:

To update the information shown on this form, click the Redisplay button.

Server Resource Usage Since Startup

This table provides the following time information:

Local startup time

Day and time that the server was started.

GMT startup time

Day and time that the server was started. The value shown is in Greenwich Mean Time.


Resource	Usage since startup	Average per minute
Connections	Total number of connections to this server since server startup.	Average number of connections per minute since server startup.
Operations Initiated	Total number of operations initiated since server startup. Operations are any client requests for server action, such as searches, adds, and modifies in the directory tree. It is likely that multiple operations will be initiated for each connection.	Average number of operations per minute since server startup.
Operations Completed	Total number of operations completed by the server since server startup.	Average number of operations per minute since server startup.
Entries sent to clients	Total number of entries sent to clients since server startup. Entries are sent to clients as the result of search requests.	Average number of entries sent to clients per minute since server startup.
Bytes sent to clients	Total number of bytes sent to clients since server startup.	Average number of bytes sent to clients per minute since server startup.

Current Server Resource Usage

This table provides the following time information:

Current local time

Current time on the server.

Current GMT time

Current time on the server. The value shown is in Greenwich Mean Time.


Resource	Current total
Active Threads	Current number of active threads. Each thread represents a single operation currently active in the server. Additional threads may also be created by internal server housekeeping tasks, such as replication.
Open Connections	Total number of open connections. Each connection can account for multiple operations, and therefore multiple threads.
Remaining available connections	Total number of remaining connections that the server can concurrently open. This number is based on the number of currently open connections, and the total number of concurrent connections that the server is allowed to open. The latter value is determined by the operating system, and is expressed as the number of file descriptors available to a task. Refer to your operating system documentation for more information on file descriptors.
Threads waiting to write to client	Total number of threads waiting to write to the client. This happens anytime the server must pause while sending data to a client. Reasons for this are a slow network, a slow client, or an extremely large amount of information being sent to the client.
Threads waiting to read from client	Total number of threads waiting to read from the client. This happens if the server starts to receive a request from the client and then the transmission of that request is halted for some reason. Generally, threads waiting to read are an indication of a slow network or a slow client.
Thread Concurrency	Meaningful on Solaris 2.x only. Provides an indication of the level of thread concurrency.
Databases in use	Total number of databases being serviced by the server. Currently, this value is always 1.

Connection Resource Usage

This table provides information on the amount of resources in use by each currently open connection. Values are:

Time opened

Indicates the time on the server when the connection was initially opened.

Operations

Indicates the number of operations initiated by this connection, and the number of those operations completed by the server.

Bind DN

Indicates the distinguished name used by the client to connect to the server. If the client has not authenticated to the server, not bound is shown in this field.

Read/Write

Indicates whether the server is currently blocked for read or write access to the client. Possible values are:

Not blocked--Indicates that the server is idle, actively sending data to the client, or actively reading data from the client.
Blocked--Indicates that the server is trying to send data to the client or read data from the client, but the server cannot. The probable cause for being blocked is a slow network or a slow client.

Monitoring Your Server from the Command Line

You can monitor your directory server's current activities from any LDAP client by performing a search against


	objectClass=*

and a search base of


	cn=monitor

and a scope of


	base

For example:


	ldapsearch -h directory.airius.com -s base 
	-b "cn=monitor" (objectclass=*)

For information on searching the directory server, see "Using ldapsearch".

When you monitor your server's activities in this way, you see the following information:


version:

Identifies the directory server's current version number.


threads:

Current number of active threads. Each thread represents a single operation currently active in the server. Additional threads may also be created by internal server housekeeping tasks, such as replication or writing to logs.


connection: fd: opentime: opsinitiated: opscompleted: binddn: [rw]

Provides the following summary information for each open connection:

fd--The file descriptor used for this connection.
opentime--The time this connection was opened.
opsinitiated--The number of operations initiated by this connection.
opscompleted--The number of operations completed.
binddn--The distinguished name used by this connection to connect to the directory server.
rw--Optional field that is shown if the connection is blocked for read or write.


currentconnections:

Identifies the number of connections currently in service by the directory server.


totalconnections:

Identifies the number of connections handled by the directory server since it started.


dtablesize:

Shows the number of file descriptors available to the directory server. Note that each connection requires one file descriptor, one descriptor is required for every open index, one descriptor is required for log file management, and one descriptor is required for ns-slapd itself. Essentially, this value lets you know about how many more concurrent connections can be serviced by the directory server.

For more information on file descriptors, refer to your operating system documentation.


writewaiters:

Identifies the number of threads waiting to write data to a client.


readwaiters:

Identifies the number of threads waiting to read data from a client.


opsinitiated:

Identifies the number of operations ns-slapd has initiated since it started.


opscompleted:

Identifies the number of operations ns-slapd has completed since it started.


entriessent:

Identifies the number of entries sent to clients since ns-slapd started.


bytessent:

Identifies the number of bytes sent to clients since ns-slapd started.


currentime:

Identifies the time when this snapshot of ns-slapd was taken. The time is displayed in Greenwich mean time (GMT) in UTC format.


starttime:

Identifies the time when ns-slapd started. The time is displayed in Greenwich mean time (GMT) in UTC format.


nbackends:

Identifies the number of back ends (databases) ns-slapd services. Currently this value is always one.


concurrency:

Solaris 2.x only. Indicates the current level of thread concurrency.

Monitoring Database Activity

You can monitor your directory server's current activities from the server manager or from the command line. For information on how to monitor your database's activities from the command line, refer to "Monitoring the Database from the Command Line".

To monitor you server from the server manager, do the following:

Go to Server Status | Monitor DB Activity
Select the database that you want to monitor
Click O.K.

There is a small table at the top of the form that provides:

Database

Identifies the type of database that you are monitoring.

Monitor DN

Identifies the distinguished name that you can use to obtain these results using the ldapsearch client. The remainder of the form consists of the following tables:


	objectClass=*

and a search base of


	cn=monitor-back,<your suffix>

and a scope of


	base

For example:


	ldapsearch -h directory.airius.com -s base 
	 -b "cn=monitor-back,o=airius.com" (objectclass=*)

For information on searching the directory server, see "Using ldapsearch".

When you monitor your server's activities in this way, you see the following information:


database

Identifies the type of database that you are currently monitoring.


readonly

Indicates whether the database is in read-only mode. 0 indicates that the server is not in read-only mode, 1 indicates that it is in read-only mode.


entrycachehits

Provides the same information as is described in "Entry Cache Hits".


entrycachetries

Provides the same information as is described in "Entry Cache Tries".


entrycachehitratio

Provides the same information as is described in "Entry Cache Hit Ratio".


currententrycachesize

Provides the same information as is described in "Current Number of Entries in Entry Cache".


maxentrycachesize

Provides the same information as is described in "Maximum Number of Entries in Entry Cache".


dbchehits

Provides the same information as is described in "Hits".


dbcachetries

Provides the same information as is described in "Tries".


dbcachehitratio

Provides the same information as is described in "Hit Ratio".


dbcachepagein

Provides the same information as is described in "Pages Read In".


dbcachepageout

Provides the same information as is described in "Pages Written Out".


dbcacheroevict

Provides the same information as is described in "Read-Only Page Evicts".


dbcacherwevict

Provides the same information as is described in "Read-Write Page Evicts".

Next is displayed the following information for each file that makes up your database:


dbfilename-<number>

Indicates the name of the file. <number> provides a sequential integer identifier (starting at 0) for the file. All associated statistics for the file are given this same numerical identifier.


dbfilecachehit-<number>

Provides the same information as is described in "Cache Hits".


dbfilecachemiss-<number>

Provides the same information as is described in "Cache Misses".


dbfilepagein-<number>

Provides the same information as is described in "Pages Read In".


dbfilepageout-<number>

Provides the same information as is described in "Pages Written Out".

Managing the Root DN

The Root DN is the privileged database user; that is, access control information does not apply to this user.

The password for this user is defined on the Root Password parameter. You can select one of two different password encryption schemes to store this parameter value, or you can choose to store the value in clear text. If you choose to store the value in clear text, you can use the server manager to manage groups, access control lists, and replication without performing any special authentication. While convenient, this strategy creates some obvious security risks in that anyone gaining access to your server manager can discover your Root DN password and have full access to your directory.

If you choose to use an encrypted password, then you must supply that password whenever you manage groups, access control, or replication from the server manager.

You can set your root DN and password and the encryption scheme used for this password from the Server Preferences| Manager Preferences form. After you make any changes to this form, you must click OK, confirm your changes, and restart the server.

Tuning Your Server's Performance

There are several server parameters available to you that allow you to manage server performance. You can view them all together from the server manager by going to Server Preferences |Performance Tuning.

The performance parameters shown on this form are shown in two different groups:

Server parameters--These let you manage your server's performance by limiting the amount of resources the server puts into client search requests. The values set on these three parameters are a hard limit on the resources that the server will apply to each request. Note that LDAP clients can cause the server to actually use smaller values for Size Limit and Time Limit. The three server performance parameters are:
- Size Limit in Entries in Entries--Sets the maximum number of entries the server will return to the client in response to a search operation.
- Time Limit in Seconds in Seconds--Sets the maximum amount of real time the server spends performing a search request.
- Look Through Limit in Entries in Entries--Sets the maximum number of entries the server will check in response to a search request.
For a better understanding of how these parameters impact your server's searching performance, refer to "The Searching Algorithm".
Database parameters--These influence server performance primarily on searches by defining the amount of memory available to the server. The two database performance parameters are:
- Maximum Entries in Cache--Sets the number of entries ns-slapd will keep in memory.
- Maximum DB Cache size in Bytes--Sets the amount of memory available for each open index file. Indexes and index files are described in Chapter 7, "Managing Indexes." For more information on this parameter, see "Maximum DB Cache size in Bytes".
Note that if you are creating a very large database from LDIF, then you want to set this parameter as large as possible. The larger this parameter is, the faster your database will be created. As a rule of thumb, determine how much free memory you have on your system, divide that number by two, reduce this number by about 1 MB, and set that number on this parameter. For example, if you have 50 MB of free memory on your system, divide by 2 (25 MB) and reduce by 1 MB (24 MB). Set your Maximum DB Cache size in bytes parameter to 24 MB.
When you are done creating your database, be sure to set this parameter back to some lower value before you run your server in a production environment (default is 100,000).

Managing Network Settings

The Server Preferences | Network form allows you to view and change the parameters relevant to the server's network settings and log files. After you make any changes to this form, you must click OK, confirm your changes, and restart the server.

You can manage the following parameters from this form:

Port Number--Sets the port used for non-SSL communications.
Encrypted Port Number--Sets the port used for SSL communications.
NT Synchronization Service Enabled--Enables directory server to NT synchronization. Turning this on causes the directory server to start verifying changes made to NT user and group information, and to transmit changes made to NT user and group information to the NT Primary Domain Controller. For information on how directory server to PDC synchronization occurs, see "How Synchronization Occurs".
NT Synchronization Service Port Number--Defines the non-LDAP port over which the directory server will communicate with the NT synchronization service. For more information the NT synchronization service, see Chapter 12, "NT Directory Synchronization."
Access Log--Sets the location used for the access log. For information on managing log files, refer to "Log File Rotation".
Error Log--Sets the location used for the error log.

Managing LDAP Settings

Use the Server Preferences | LDAP form to view and change parameters relevant to general LDAP settings. After you make any changes to this form, you must click OK, confirm your changes, and restart the server.

You can manage the following parameters from this form:

Referral--Sets the LDAP referral used for client requests that are out of bounds for the directory tree(s) serviced by your directory server. This is the referral returned if no relevant smart referrals can be defined for the server. For more information on referrals, see "Managing Referrals".
Audit Log--Specifies the path and filename of the log used to record changes made to each database as well as to the machine data area.
Log Level--Sets the type of logging used by the directory server. Because changing these values from the defaults will cause your error log to grow very rapidly, it is recommended that you do not change your logging level unless you are asked to by Netscape Customer Support.
Track Modifies--Specifies whether modification attributes are maintained for directory server entries.
Schema Checking--Specifies that schema checking is performed when directory entries are created or modified. For more information on this parameter, refer to "Schema Checking".

Managing SSL

To provide secure communications over the network, the Netscape Directory Server provides the LDAPS communications protocol. LDAPS is the standard LDAP protocol, but it runs on top of Secure Sockets Layer (SSL).

To use LDAPS, you have to first setup a certificate database for your directory, and then you have to turn on SSL. You create certificate databases using the Netscape Administration Server.

For a complete description of SSL, internet security, certificates, how to setup certificate databases, and how to obtain certificates, see the Managing Netscape Servers manual. The following sections assume that you understand SSL and that you have already created a certificate database. They describe how to turn SSL on and off in your directory server.

Note

Unlike other Netscape servers, the directory server is capable of simultaneous SSL and non-SSL communications. This means that you do not have to choose between SSL or non-SSL communications for your directory server; you can use both at the same time.

Activating SSL

To turn on SSL communications with your directory server, create a certificate database and then go to the Server Preferences | Encryption On/Off form. Indicate that you want encryption enabled, the port number that you want to use for LDAPS communications, and the Encryption Alias that you want to use for this server's certificate. After you make your changes, you must click OK, confirm your changes, and restart the server.

Note that the encrypted port number that you specify must not be the same port number as you are using for normal LDAP communications.

If encryption is enabled for this server, you will see certificate information at the bottom of this form, including the server's certificate subject DN.

Also, you create the encryption alias when you create your server's certificate database. For more information on creating certificate databases, see the "Enabling SSL Encryption" section in Managing Netscape Servers.

Note

Most of the time, you want your server to run with SSL enabled. You might, at other times, want to disable it. If you temporarily disable SSL, make sure you re-enable it before processing transactions that require confidentiality, authentication, or data integrity.

Setting Security Preferences

You can choose the type of cipher to use for SSL. To do so, choose Server Preferences | Encryption Preferences in the server manager. After you make your changes, you must click OK, confirm your changes, and restart the server.

A cipher is the algorithm used in encryption. Some ciphers are more secure or stronger than others. Generally speaking, the more bits a cipher uses during encryption, the harder it is to decrypt the data. (For a more complete discussion of algorithms and their strength, see the Managing Netscape Servers manual.)

When a client initiates an SSL connection with a server, it lets the server know what ciphers it prefers to use to encrypt information. In any two-way encryption process, both parties must use the same ciphers. Since there are a number of ciphers available, your server needs to be able to use the most popular ones.

To specify which ciphers your server can use, check them in the list. Unless you have a compelling reason to not use a specific cipher, you should check them all.

Warning

You might not want to check none, MD5. If no other ciphers are available on the client side, the server will use this, and no encryption will occur. Another reason you might not want to enable all ciphers is to prevent SSL connections with less than optimal encryption. That is, United States law prohibits the export of products with 128-bit encryption, so overseas clients might only be using 40-bit encryption, which is not as difficult to crack as 128-bit. Unchecking all 40-bit ciphers effectively restricts access to clients available only in the United States.

Domestic versions of the Directory Server provide the following SSL 3.0 ciphers: