Red Hat Directory Server 8.2

Deployment Guide

Deploying Red Hat Directory Server 8.2

Edition 8.2.1

Legal Notice

Copyright © 2010 Red Hat, Inc..
This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be removed.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack Logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
August 2, 2010, updated on October 12, 2010


This manual covers the basic considerations that should be addressed before deploying Red Hat Directory Server. The decisions made during this phase can have a significant and lasting affect on the effectiveness, efficiency, and scalability of your Directory Server. You should have a good understanding of your Directory Server requirements before moving on to the installation phase.
1. Directory Server Overview
2. Examples and Formatting
2.1. Command and File Examples
2.2. Tool Locations
2.3. LDAP Locations
2.4. Text Formatting and Styles
3. Additional Reading
4. Giving Feedback
5. Documentation History
1. Introduction to Directory Services
1.1. About Directory Services
1.1.1. About Global Directory Services
1.1.2. About LDAP
1.2. Introduction to Directory Server
1.2.1. Overview of the Server Frontend
1.2.2. Server Plug-ins Overview
1.2.3. Overview of the Basic Directory Tree
1.3. Directory Server Data Storage
1.3.1. About Directory Entries
1.3.2. Distributing Directory Data
1.4. Directory Design Overview
1.4.1. Design Process Outline
1.4.2. Deploying the Directory
1.5. Other General Directory Resources
2. Planning the Directory Data
2.1. Introduction to Directory Data
2.1.1. Information to Include in the Directory
2.1.2. Information to Exclude from the Directory
2.2. Defining Directory Needs
2.3. Performing a Site Survey
2.3.1. Identifying the Applications That Use the Directory
2.3.2. Identifying Data Sources
2.3.3. Characterizing the Directory Data
2.3.4. Determining Level of Service
2.3.5. Considering a Data Master
2.3.6. Determining Data Ownership
2.3.7. Determining Data Access
2.4. Documenting the Site Survey
2.5. Repeating the Site Survey
3. Designing the Directory Schema
3.1. Schema Design Process Overview
3.2. Standard Schema
3.2.1. Schema Format
3.2.2. Standard Attributes
3.2.3. Standard Object Classes
3.3. Mapping the Data to the Default Schema
3.3.1. Viewing the Default Directory Schema
3.3.2. Matching Data to Schema Elements
3.4. Customizing the Schema
3.4.1. When to Extend the Schema
3.4.2. Getting and Assigning Object Identifiers
3.4.3. Naming Attributes and Object Classes
3.4.4. Strategies for Defining New Object Classes
3.4.5. Strategies for Defining New Attributes
3.4.6. Deleting Schema Elements
3.4.7. Creating Custom Schema Files
3.4.8. Custom Schema Best Practices
3.5. Maintaining Consistent Schema
3.5.1. Schema Checking
3.5.2. Syntax Validation
3.5.3. Selecting Consistent Data Formats
3.5.4. Maintaining Consistency in Replicated Schema
3.6. Other Schema Resources
4. Designing the Directory Tree
4.1. Introduction to the Directory Tree
4.2. Designing the Directory Tree
4.2.1. Choosing a Suffix
4.2.2. Creating the Directory Tree Structure
4.2.3. Naming Entries
4.3. Grouping Directory Entries
4.3.1. About Groups
4.3.2. About Roles
4.3.3. Deciding Between Roles and Groups
4.4. Virtual Directory Information Tree Views
4.4.1. About Virtual DIT Views
4.4.2. Advantages of Using Virtual DIT Views
4.4.3. Example of Virtual DIT Views
4.4.4. Views and Other Directory Features
4.4.5. Effects of Virtual Views on Performance
4.4.6. Compatibility with Existing Applications
4.5. Directory Tree Design Examples
4.5.1. Directory Tree for an International Enterprise
4.5.2. Directory Tree for an ISP
4.6. Other Directory Tree Resources
5. Defining Dynamic Attribute Values
5.1. Introduction to Attributes
5.2. About Attribute Uniqueness
5.3. About Classes of Service
5.3.1. About a Pointer CoS
5.3.2. About an Indirect CoS
5.3.3. About a Classic CoS
5.4. About Linking Attributes
5.4.1. Schema Requirements for Linking Attributes
5.4.2. Using Linked Attributes with Replication
5.5. About Dynamically Assigning Unique Number Values
5.5.1. How the Directory Server Manages Unique Numbers
5.5.2. Using DNA to Assign Values to Attributes
5.5.3. Using the DNA Plug-in with Replication
6. Designing the Directory Topology
6.1. Topology Overview
6.2. Distributing the Directory Data
6.2.1. About Using Multiple Databases
6.2.2. About Suffixes
6.3. About Knowledge References
6.3.1. Using Referrals
6.3.2. Using Chaining
6.3.3. Deciding Between Referrals and Chaining
6.4. Using Indexes to Improve Database Performance
6.4.1. Overview of Directory Index Types
6.4.2. Evaluating the Costs of Indexing
7. Designing the Replication Process
7.1. Introduction to Replication
7.1.1. Replication Concepts
7.1.2. Data Consistency
7.2. Common Replication Scenarios
7.2.1. Single-Master Replication
7.2.2. Multi-Master Replication
7.2.3. Cascading Replication
7.2.4. Mixed Environments
7.3. Defining a Replication Strategy
7.3.1. Conducting a Replication Survey
7.3.2. Replicate Selected Attributes with Fractional Replication
7.3.3. Replication Resource Requirements
7.3.4. Managing Disk Space Required for Multi-Master Replication
7.3.5. Replication Across a Wide-Area Network
7.3.6. Using Replication for High Availability
7.3.7. Using Replication for Local Availability
7.3.8. Using Replication for Load Balancing
7.4. Using Replication with Other Directory Server Features
7.4.1. Replication and Access Control
7.4.2. Replication and Directory Server Plug-ins
7.4.3. Replication and Database Links
7.4.4. Schema Replication
7.4.5. Replication and Synchronization
8. Designing Synchronization
8.1. Windows Synchronization Overview
8.1.1. Synchronization Agreements
8.1.2. Changelogs
8.1.3. Controlling Synchronization
8.2. Planning Windows Synchronization
8.2.1. Resource Requirements
8.2.2. Managing Disk Space for the Changelog
8.2.3. Defining the Connection Type
8.2.4. Considering a Data Master
8.2.5. Determining the Subtree to Synchronize
8.2.6. Interaction with a Replicated Environment
8.2.7. Identifying the Directory Data to Synchronize
8.2.8. Synchronizing Passwords and Installing Password Services
8.2.9. Defining an Update Strategy
8.2.10. Editing the Sync Agreement
8.3. Schema Elements Synchronized Between Active Directory and Directory Server
8.3.1. User Attributes Synchronized Between Directory Server and Active Directory
8.3.2. User Schema Differences between Red Hat Directory Server and Active Directory
8.3.3. Group Attributes Synchronized Between Directory Server and Active Directory
8.3.4. Group Schema Differences between Red Hat Directory Server and Active Directory
9. Designing a Secure Directory
9.1. About Security Threats
9.1.1. Unauthorized Access
9.1.2. Unauthorized Tampering
9.1.3. Denial of Service
9.2. Analyzing Security Needs
9.2.1. Determining Access Rights
9.2.2. Ensuring Data Privacy and Integrity
9.2.3. Conducting Regular Audits
9.2.4. Example Security Needs Analysis
9.3. Overview of Security Methods
9.4. Selecting Appropriate Authentication Methods
9.4.1. Anonymous and Unauthenticated Access
9.4.2. Simple Binds and Secure Binds
9.4.3. Certificate-Based Authentication
9.4.4. Proxy Authentication
9.4.5. PAM Pass-through Authentication
9.5. Preventing Authentication by Account Deactivation
9.6. Designing a Password Policy
9.6.1. How Password Policy Works
9.6.2. Password Policy Attributes
9.6.3. Designing an Account Lockout Policy
9.6.4. Designing a Password Policy in a Replicated Environment
9.7. Designing Access Control
9.7.1. About the ACI Format
9.7.2. Setting Permissions
9.7.3. Viewing ACIs: Get Effective Rights
9.7.4. Using ACIs: Some Hints and Tricks
9.8. Database Encryption
9.9. Securing Server Connections
9.10. Other Security Resources
10. Directory Design Examples
10.1. Design Example: A Local Enterprise
10.1.1. Local Enterprise Data Design
10.1.2. Local Enterprise Schema Design
10.1.3. Local Enterprise Directory Tree Design
10.1.4. Local Enterprise Topology Design
10.1.5. Local Enterprise Replication Design
10.1.6. Local Enterprise Security Design
10.1.7. Local Enterprise Tuning and Optimizations
10.1.8. Local Enterprise Operations Decisions
10.2. Design Example: A Multinational Enterprise and Its Extranet
10.2.1. Multinational Enterprise Data Design
10.2.2. Multinational Enterprise Schema Design
10.2.3. Multinational Enterprise Directory Tree Design
10.2.4. Multinational Enterprise Topology Design
10.2.5. Multinational Enterprise Replication Design
10.2.6. Multinational Enterprise Security Design