Red Hat Directory Server 8.1

Administration Guide

Administering Red Hat Directory Server 8.1

Edition 8.1.15

Ella Deon Lackey 

Legal Notice

Copyright © 2009 Red Hat, Inc..
This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be removed.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack Logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
April 28, 2009, updated on July 29, 2010


This Administrator's Guide describes all of the administration tasks you need to perform to maintain Directory Server.
1. Directory Server Overview
2. Examples and Formatting
2.1. Command and File Examples
2.2. Tool Locations
2.3. LDAP Locations
2.4. Text Formatting and Styles
3. Additional Reading
4. Giving Feedback
5. Documentation History
1. Basic Red Hat Directory Server Settings
1.1. Directory Server File Locations
1.2. LDAP Tool Locations
1.3. Starting and Stopping Servers
1.3.1. Starting and Stopping Directory Server from the Console
1.3.2. Starting and Stopping Directory Server from the Command Line
1.3.3. Starting and Stopping Administration Server
1.4. Starting the Console
1.4.1. Starting the Directory Server Console
1.4.2. Logging into Directory Server
1.4.3. Changing Login Identity
1.4.4. Viewing the Current Console Bind DN
1.5. Enabling LDAPI
1.6. Changing Directory Server Port Numbers
1.7. Creating a New Directory Server Instance
1.8. Configuring the Directory Manager
1.9. Enabling Plug-ins
2. Configuring Directory Databases
2.1. Creating and Maintaining Suffixes
2.1.1. Creating Suffixes
2.1.2. Maintaining Suffixes
2.2. Creating and Maintaining Databases
2.2.1. Creating Databases
2.2.2. Maintaining Directory Databases
2.2.3. Configuring Attribute Encryption
2.3. Creating and Maintaining Database Links
2.3.1. Creating a New Database Link
2.3.2. Configuring the Chaining Policy
2.3.3. Maintaining Database Links
2.3.4. Configuring Database Link Defaults
2.3.5. Deleting Database Links
2.3.6. Database Links and Access Control Evaluation
2.3.7. Tuning Database Link Performance
2.4. Configuring Cascading Chaining
2.4.1. Overview of Cascading Chaining
2.4.2. Configuring Cascading Chaining Using the Console
2.4.3. Configuring Cascading Chaining from the Command Line
2.4.4. Detecting Loops
2.4.5. Summary of Cascading Chaining Configuration Attributes
2.4.6. Cascading Chaining Configuration Example
2.5. Using Referrals
2.5.1. Starting the Server in Referral Mode
2.5.2. Setting Default Referrals
2.5.3. Creating Smart Referrals
2.5.4. Creating Suffix Referrals
3. Creating Directory Entries
3.1. Managing Entries from the Directory Console
3.1.1. Creating a Root Entry
3.1.2. Creating Directory Entries
3.1.3. Modifying Directory Entries
3.1.4. Deleting Directory Entries
3.2. Managing Entries from the Command Line
3.2.1. Providing Input from the Command Line
3.2.2. Creating a Root Entry from the Command Line
3.2.3. Adding Entries Using LDIF
3.2.4. Adding and Modifying Entries Using ldapmodify
3.2.5. Deleting Entries Using ldapdelete
3.2.6. Using Special Characters
3.3. Tracking Modifications to Directory Entries
3.4. LDIF Update Statements
3.4.1. Adding an Entry Using LDIF
3.4.2. Renaming an Entry Using LDIF
3.4.3. Modifying an Entry Using LDIF
3.4.4. Deleting an Entry Using LDIF
3.4.5. Modifying an Entry in an Internationalized Directory
3.5. Maintaining Referential Integrity
3.5.1. How Referential Integrity Works
3.5.2. Using Referential Integrity with Replication
3.5.3. Enabling and Disabling Referential Integrity
3.5.4. Modifying the Update Interval
3.5.5. Modifying the Attribute List
3.6. Assigning and Managing Unique Numeric Attribute Values
3.6.1. Overview of Unique Number Assignments
3.6.2. Looking at the DNA Plug-in Syntax
3.6.3. Configuring Unique Number Assignments
3.7. Enforcing Attribute Uniqueness
3.7.1. Overview of Attribute Uniqueness
3.7.2. Attribute Uniqueness Plug-in Syntax
3.7.3. Creating an Instance of the Attribute Uniqueness Plug-in
3.7.4. Configuring Attribute Uniqueness
3.7.5. Attribute Uniqueness Plug-in Syntax Examples
3.7.6. Replication and the Attribute Uniqueness Plug-in
4. Populating Directory Databases
4.1. Importing Data
4.1.1. Importing Entries with Large Attributes
4.1.2. Importing a Database from the Console
4.1.3. Initializing a Database from the Console
4.1.4. Importing from the Command Line
4.2. Exporting Data
4.2.1. Exporting Directory Data to LDIF Using the Console
4.2.2. Exporting a Single Database to LDIF Using the Console
4.2.3. Exporting to LDIF from the Command Line
4.3. Backing up and Restoring Data
4.3.1. Backing up All Databases
4.3.2. Backing up the dse.ldif Configuration File
4.3.3. Restoring All Databases
4.3.4. Restoring a Single Database
4.3.5. Restoring Databases That Include Replicated Entries
4.3.6. Restoring the dse.ldif Configuration File
5. Organizing Entries with Roles, Class of Service, and Views
5.1. Using Roles
5.1.1. About Roles
5.1.2. Managing Roles Using the Console
5.1.3. Managing Roles Using the Command Line
5.1.4. Using Roles Securely
5.2. Assigning Class of Service
5.2.1. About CoS
5.2.2. Managing CoS Using the Console
5.2.3. Managing CoS from the Command Line
5.2.4. Creating Role-Based Attributes
5.2.5. Access Control and CoS
5.3. Using Views
5.3.1. Creating Views in the Console
5.3.2. Deleting Views from the Directory Server Console
5.3.3. Creating Views from the Command Line
5.3.4. Deleting Views from the Command Line
5.4. Using Groups
5.4.1. Managing Static Groups
5.4.2. Managing Dynamic Groups
5.4.3. Creating and Managing Groups in the Command Line
5.4.4. Using the memberOf Attribute to Manage Group Membership Information
6. Managing Access Control
6.1. Access Control Principles
6.1.1. ACI Structure
6.1.2. ACI Placement
6.1.3. ACI Evaluation
6.1.4. ACI Limitations
6.2. Default ACIs
6.3. Creating ACIs Manually
6.3.1. The ACI Syntax
6.3.2. Defining Targets
6.3.3. Defining Permissions
6.4. Bind Rules
6.4.1. Bind Rule Syntax
6.4.2. Defining User Access - userdn Keyword
6.4.3. Defining Group Access - groupdn Keyword
6.4.4. Defining Role Access - roledn Keyword
6.4.5. Defining Access Based on Value Matching
6.4.6. Defining Access from a Specific IP Address
6.4.7. Defining Access from a Specific Domain
6.4.8. Defining Access at a Specific Time of Day or Day of Week
6.4.9. Defining Access Based on Authentication Method
6.4.10. Using Boolean Bind Rules
6.5. Creating ACIs from the Console
6.5.1. Displaying the Access Control Editor
6.5.2. Creating a New ACI
6.5.3. Editing an ACI
6.5.4. Deleting an ACI
6.6. Viewing ACIs
6.7. Checking Access Rights on Entries (Get Effective Rights)
6.7.1. Rights Shown with a Get Effective Rights Search
6.7.2. The Format of a Get Effective Rights Search
6.7.3. Using Get Effective Rights from the Console
6.7.4. Get Effective Rights Return Codes
6.8. Logging Access Control Information
6.9. Access Control Usage Examples
6.9.1. Granting Anonymous Access
6.9.2. Granting Write Access to Personal Entries
6.9.3. Restricting Access to Key Roles
6.9.4. Granting a Group Full Access to a Suffix
6.9.5. Granting Rights to Add and Delete Group Entries
6.9.6. Granting Conditional Access to a Group or Role
6.9.7. Denying Access
6.9.8. Setting a Target Using Filtering
6.9.9. Allowing Users to Add or Remove Themselves from a Group
6.9.10. Defining Permissions for DNs That Contain a Comma
6.9.11. Proxied Authorization ACI Example
6.10. Advanced Access Control: Using Macro ACIs
6.10.1. Macro ACI Example
6.10.2. Macro ACI Syntax
6.11. Access Control and Replication
6.12. Compatibility with Earlier Releases
7. Managing User Authentication
7.1. Managing the Password Policy
7.1.1. Configuring the Password Policy
7.1.2. Setting User Passwords
7.1.3. Password Change Extended Operation
7.1.4. Configuring the Account Lockout Policy
7.1.5. Managing the Password Policy in a Replicated Environment
7.1.6. Synchronizing Passwords
7.2. Inactivating Users and Roles
7.2.1. Inactivating User and Roles Using the Console
7.2.2. Inactivating User and Roles Using the Command Line
7.2.3. Activating User and Roles Using the Console
7.2.4. Activating User and Roles Using the Command Line
7.3. Setting Resource Limits Based on the Bind DN
7.3.1. Setting Resource Limits Using the Console
7.3.2. Setting Resource Limits Using the Command Line
7.4. Using Pass-through Authentication
7.4.1. How Directory Server Uses PTA
7.4.2. PTA Plug-in Syntax
7.4.3. Configuring the PTA Plug-in
7.4.4. PTA Plug-in Syntax Examples
7.5. Configuring Autobind
7.5.1. Overview of Autobind and LDAPI
7.5.2. Configuring Autobind
7.6. Allowing Unauthenticated Binds
8. Managing Replication
8.1. Replication Overview
8.1.1. What Directory Units Are Replicated
8.1.2. Read-Write and Read-Only Replicas
8.1.3. Suppliers and Consumers
8.1.4. Changelog
8.1.5. Replication Identity
8.1.6. Replication Agreement
8.1.7. Replicating Attributes with Fractional Replication
8.1.8. Compatibility with Earlier Versions of Directory Server
8.2. Replication Scenarios
8.2.1. Single-Master Replication
8.2.2. Multi-Master Replication
8.2.3. Cascading Replication
8.3. Creating the Supplier Bind DN Entry
8.4. Configuring Single-Master Replication
8.4.1. Configuring the Read-Write Replica on the Supplier Server
8.4.2. Configuring the Read-Only Replica on the Consumer
8.4.3. Create the Replication Agreement
8.5. Configuring Multi-Master Replication
8.5.1. Configuring the Read-Write Replicas on the Supplier Servers
8.5.2. Configuring the Read-Only Replicas on the Consumer Servers
8.5.3. Setting up the Replication Agreements
8.5.4. Preventing Monopolization of the Consumer in Multi-Master Replication
8.6. Configuring Cascading Replication
8.6.1. Configuring the Read-Write Replica on the Supplier Server
8.6.2. Configuring the Read-Only Replica on the Consumer Server
8.6.3. Configuring the Read-Only Replica on the Hub
8.6.4. Setting up the Replication Agreements
8.7. Configuring Replication from the Command Line
8.7.1. Configuring Suppliers from the Command Line
8.7.2. Configuring Consumers from the Command Line
8.7.3. Configuring Hubs from the Command Line
8.7.4. Configuring Replication Agreements from the Command Line
8.7.5. Initializing Consumers Online from the Command Line
8.8. Making a Replica Updatable
8.9. Deleting the Changelog
8.9.1. Removing the Changelog
8.9.2. Moving the Changelog to a New Location
8.10. Initializing Consumers
8.10.1. When to Initialize a Consumer
8.10.2. Online Consumer Initialization Using the Console
8.10.3. Initializing Consumers Online Using the Command Line
8.10.4. Manual Consumer Initialization Using the Command Line
8.10.5. Filesystem Replica Initialization
8.11. Forcing Replication Updates
8.11.1. Forcing Replication Updates from the Console
8.11.2. Forcing Replication Updates from the Command Line
8.12. Replicating Account Lockout Attributes
8.12.1. Configuring Directory Server to Replicate Password Policy Attributes
8.12.2. Configuring Fractional Replication for Password Policy Attributes
8.13. Replication over SSL
8.14. Setting Replication Timeout Periods
8.15. Replicating o=NetscapeRoot for Administration Server Failover
8.16. Replication with Earlier Releases
8.16.1. Using Legacy Replication
8.16.2. Legacy Replication and Parent Object Classes
8.16.3. Configuring Legacy Replication
8.17. Using the Retro Changelog Plug-in
8.17.1. Enabling the Retro Changelog Plug-in
8.17.2. Trimming the Retro Changelog
8.17.3. Searching and Modifying the Retro Changelog
8.17.4. Retro Changelog and the Access Control Policy
8.18. Monitoring Replication Status
8.18.1. Monitoring Replication Status from the Directory Server Console
8.18.2. Monitoring Replication Status from Administration Express
8.19. Solving Common Replication Conflicts
8.19.1. Solving Naming Conflicts
8.19.2. Solving Orphan Entry Conflicts
8.19.3. Solving Potential Interoperability Problems
8.20. Troubleshooting Replication-Related Problems
9. Synchronizing Red Hat Directory Server with Microsoft Active Directory
9.1. About Windows Sync
9.2. Configuring Windows Sync
9.2.1. Step 1: Configure SSL on Directory Server
9.2.2. Step 2: Configure the Active Directory Domain
9.2.3. Step 3: Select or Create the Sync Identity
9.2.4. Step 4: Install the Password Sync Service
9.2.5. Step 5: Configure the Password Sync Service
9.2.6. Step 6: Configure the Directory Server Database for Synchronization
9.2.7. Step 7: Create the Synchronization Agreement
9.2.8. Step 8: Configure Directory Server User and Group Entries for Synchronization
9.2.9. Step 9: Begin Synchronization
9.3. Synchronizing Users
9.3.1. User Attributes Synchronized between Directory Server and Active Directory
9.3.2. User Schema Differences between Red Hat Directory Server and Active Directory
9.3.3. Configuring User Sync for Directory Server Users
9.3.4. Configuring User Sync for Active Directory Users
9.4. Synchronizing Groups
9.4.1. About Windows Group Types
9.4.2. Group Attributes Synchronized between Directory Server and Active Directory
9.4.3. Group Schema Differences between Red Hat Directory Server and Active Directory
9.4.4. Configuring Group Sync for Directory Server Groups
9.4.5. Configuring Group Sync for Active Directory Groups
9.5. Deleting and Resurrecting Entries
9.5.1. Deleting Entries
9.5.2. Resurrecting Entries
9.6. Sending Synchronization Updates
9.6.1. Performing a Manual Sync Update
9.6.2. Sending a Total Update (Full Synchronization)
9.6.3. Sending Sync Updates in the Command Line
9.6.4. Checking Synchronization Status
9.7. Modifying the Sync Agreement
9.7.1. Editing the Sync Agreement in the Console
9.7.2. Adding and Editing the Sync Agreement in the Command Line
9.8. Configuring Unidirectional Synchronization
9.9. Password Sync Service
9.9.1. Modifying Password Sync
9.9.2. Starting and Stopping the Password Sync Service
9.9.3. Uninstalling Password Sync Service
9.9.4. Upgrading Password Sync
9.10. Troubleshooting
10. Managing the Directory Schema
10.1. Overview of Schema
10.1.1. Default Schema Files
10.1.2. Object Classes
10.1.3. Attributes
10.1.4. About Extending the Schema
10.1.5. Schema Replication
10.2. Managing Object Identifiers
10.3. Attribute Syntax
10.4. Managing Custom Schema in the Console
10.4.1. Viewing Attributes and Object Classes
10.4.2. Creating Attributes
10.4.3. Creating Object Classes
10.4.4. Editing Custom Schema Elements
10.4.5. Deleting Schema
10.5. Managing Schema Using ldapmodify
10.5.1. Creating Attributes
10.5.2. Creating Object Classes
10.5.3. Deleting Schema
10.6. Creating Custom Schema Files
10.7. Dynamically Reloading Schema
10.7.1. Reloading Schema Using
10.7.2. Reloading Schema Using ldapmodify
10.7.3. Reloading Schema with Replication
10.7.4. Schema Reload Errors
10.8. Turning Schema Checking On and Off
11. Managing Indexes
11.1. About Indexes
11.1.1. About Index Types
11.1.2. About Default, System, and Standard Indexes
11.1.3. Overview of the Searching Algorithm
11.1.4. Approximate Searches
11.1.5. Indexing Performance
11.1.6. Balancing the Benefits of Indexing
11.2. Creating Standard Indexes
11.2.1. Creating Indexes from the Server Console
11.2.2. Creating Indexes from the Command Line
11.3. Applying New Indexes to Existing Databases
11.3.1. Running the Script
11.3.2. Using a cn=tasks Entry to Create an Index
11.4. Creating Browsing (VLV) Indexes
11.4.1. Creating Browsing Indexes from the Server Console
11.4.2. Creating Browsing Indexes from the Command Line
11.4.3. Setting Access Control for VLV Information
11.5. Changing the Index Sort Order
11.5.1. Changing the Sort Order in the Console
11.5.2. Changing the Sort Order in the Command Line
11.6. Changing the Width for Indexed Substring Searches
11.7. Deleting Indexes
11.7.1. Deleting Indexes from the Server Console
11.7.2. Deleting Indexes from the Command Line
11.7.3. Deleting Browsing Indexes from the Server Console
11.7.4. Deleting Browsing Indexes from the Command Line
12. Managing SSL
12.1. Introduction to TLS/SSL in the Directory Server
12.1.1. Enabling SSL: Summary of Steps
12.1.2. Command-Line Functions for Start TLS
12.2. Obtaining and Installing Server Certificates
12.2.1. Step 1: Generate a Certificate Request
12.2.2. Step 2: Send the Certificate Request
12.2.3. Step 3: Install the Certificate
12.2.4. Step 4: Trust the Certificate Authority
12.2.5. Step 5: Confirm That The New Certificates Are Installed
12.3. Using certutil
12.3.1. Creating Directory Server Certificates through the Command Line
12.3.2. certutil Usage
12.4. Starting the Server with TLS/SSL Enabled
12.4.1. Enabling TLS/SSL Only in the Directory Server
12.4.2. Enabling TLS/SSL in the Directory Server, Administration Server, and Console
12.4.3. Creating a Password File for the Directory Server
12.4.4. Creating a Password File for the Administration Server
12.5. Updating Attribute Encryption for New SSL/TLS Certificates
12.6. Using External Security Devices
12.6.1. Installing PKCS#11 Modules Through the Directory Server Console
12.6.2. Installing PKCS#11 Modules Through the Command Line
12.7. Setting Security Preferences
12.7.1. Available Ciphers
12.7.2. Selecting the Encryption Cipher
12.8. Using Certificate-Based Authentication
12.8.1. Configuring Directory Server to Accept Certificate-Based Authentication from LDAP Clients
12.8.2. Mapping DNs to Certificates
12.8.3. Editing the certmap.conf File
12.8.4. Example certmap.conf Mappings
12.8.5. Allowing and Requiring Client Authentication to the Console
12.8.6. Connecting to the Directory Server with Certificate-Based Authentication
12.9. Managing Certificates for the Directory Server
12.9.1. Renewing Certificates
12.9.2. Changing the CA Trust Options
12.9.3. Changing Security Device Passwords
12.9.4. Managing Certificate Lists
13. Managing SASL
13.1. Overview of SASL in Directory Server
13.1.1. About SASL Identity Mapping
13.1.2. Default SASL Mappings for Directory Server
13.1.3. Authentication Mechanisms for SASL in Directory Server
13.1.4. About Kerberos with Directory Server
13.2. Configuring SASL Identity Mapping
13.2.1. Configuring SASL Identity Mapping from the Console
13.2.2. Configuring SASL Identity Mapping from the Command Line
13.3. Configuring SASL Authentication at Directory Server Startup
13.4. Using an External Keytab
14. Monitoring Server and Database Activity
14.1. Viewing and Configuring Log Files
14.1.1. Defining a Log File Rotation Policy
14.1.2. Defining a Log File Deletion Policy
14.1.3. Access Log
14.1.4. Error Log
14.1.5. Audit Log
14.2. Manual Log File Rotation
14.3. Monitoring Server Activity
14.3.1. Monitoring the Server from the Directory Server Console
14.3.2. Monitoring the Directory Server from the Command Line
14.4. Monitoring Database Activity
14.4.1. Monitoring Database Activity from the Directory Server Console
14.4.2. Monitoring Databases from the Command Line
14.5. Monitoring Database Link Activity
14.6. Enabling and Disabling Counters
15. Monitoring Directory Server Using SNMP
15.1. About SNMP
15.2. Configuring the Master Agent
15.3. Configuring the Subagent
15.3.1. Subagent Configuration File
15.3.2. Starting the Subagent
15.3.3. Testing the Subagent
15.4. Configuring SNMP Traps
15.5. Configuring the Directory Server for SNMP
15.6. Using the Management Information Base
15.6.1. Operations Table
15.6.2. Entries Table
15.6.3. Entity Table
15.6.4. Interaction Table
16. Tuning Directory Server Performance
16.1. Tuning Server Performance
16.2. Tuning Database Performance
16.2.1. Optimizing Search Performance
16.2.2. Tuning Transaction Logging
16.2.3. Changing the Location of the Database Transaction Log
16.2.4. Changing the Database Checkpoint Interval
16.2.5. Disabling Durable Transactions
16.2.6. Specifying Transaction Batching
16.3. Tuning the Database Cache Settings
16.3.1. Tuning Entry Cache
16.3.2. Tuning Database Cache
16.4. Managing Special Entries
A. LDAP Data Interchange Format
A.1. About the LDIF File Format
A.2. Continuing Lines in LDIF
A.3. Representing Binary Data
A.3.1. Standard LDIF Notation
A.3.2. Base-64 Encoding
A.4. Specifying Directory Entries Using LDIF
A.4.1. Specifying Domain Entries
A.4.2. Specifying Organizational Unit Entries
A.4.3. Specifying Organizational Person Entries
A.5. Defining Directories Using LDIF
A.5.1. LDIF File Example
A.6. Storing Information in Multiple Languages
B. Finding Directory Entries
B.1. Finding Entries Using the Directory Server Console
B.2. Using ldapsearch
B.2.1. Using Special Characters
B.2.2. ldapsearch Command-Line Format
B.2.3. Commonly Used ldapsearch Options
B.2.4. ldapsearch Examples
B.3. LDAP Search Filters
B.3.1. Using Attributes in Search Filters
B.3.2. Using Operators in Search Filters
B.3.3. Using Compound Search Filters
B.3.4. Search Filter Examples
B.4. Using Persistent Search
B.4.1. An Overview of Persistent Searches
B.4.2. Running a Persistent Search
B.5. Searching an Internationalized Directory
B.5.1. Matching Rule Filter Syntax
B.5.2. Supported Search Types
B.5.3. International Search Examples
C.1. Components of an LDAP URL
C.2. Escaping Unsafe Characters
C.3. Examples of LDAP URLs
D. Internationalization
D.1. About Locales
D.2. Identifying Supported Locales
D.3. Supported Language Subtypes
D.4. Troubleshooting Matching Rules