E.2. Administration Server Configuration
E.2.1. File Locations
E.2.2. Opening the Administration Server Console
# /usr/bin/redhat-idm-console
By default, the Administration Server URL uses the http: prefix for the standard HTTP protocol. If TLS is enabled, then it uses the https: prefix for the secure HTTPS protocol.

Figure E.2. Login Box
Note
The Administration Server URL can be passed on the command line with the -a option. For example:
# /usr/bin/redhat-idm-console -a http://localhost:9830
The -a option is a convenience, particularly for logging into a Directory Server for the first time. On subsequent logins, the URL is saved. If the Administration Server port number is not passed with the redhat-idm-console command, then the server prompts for it at the Console login screen.

Figure E.3. The Administration Server Console
Note
Make sure that the java program is in the PATH before launching the Console. Run the following to see if the Java program is in the PATH and to get the version and vendor information:
java -version
E.2.3. Viewing Logs
- Access logs. Access logs show requests to and responses from the Administration Server. By default, the file is located at /var/log/dirsrv/admin-serv/access.
- Error logs. Error logs show messages for errors which the server has encountered since the log file was created. It also contains informational messages about the server, such as when the server was started and who tried unsuccessfully to log on to the server. By default, the file is located at /var/log/dirsrv/admin-serv/error.
E.2.3.1. Viewing the Logs through the Console
- Open the Administration Server management window.
- Click the Configuration tab.
- Expand the Logs directory, and click the log file name, either Accesses or Error.

E.2.3.2. Viewing Logs in the Command Line
The log files are in the /var/log/dirsrv/admin-serv directory; the error log is /var/log/dirsrv/admin-serv/error. To view the access log, open it in an editor such as vi. Each access log entry has the following format:
ip_address - bind_DN [timestamp -0500] "GET|POST cgi" HTTP_response bytes
Example E.1. Example Access Logs
127.0.0.1 - cn=Directory Manager [23/Dec/2008:19:32:52.157345975 -0500] "GET /admin-serv/authenticate HTTP/1.0" 200 338
192.168.123.121 - cn=Directory Manager [23/Dec/2008:19:33:14.453724501 -0500] "POST /admin-serv/tasks/Configuration/ServerSetup HTTP/1.0" 200 244
192.168.123.121 - cn=Directory Manager [23/Dec/2008:19:33:16.573485244 -0500] "GET /admin-serv/tasks/Configuration/ReadLog?op=count&name=access HTTP/1.0" 200 10
The error log is at /var/log/dirsrv/admin-serv/errors. To view the error log, open it in an editor such as vi. Each error log entry has the following format:
[timestamp] [severity] [client ip_address] error_message
Messages with a severity of [warning], [error], or [critical] require immediate administrator action. Any other severity means the message is informational or for debugging.
Example E.2. Example Error Logs
[24/Mar/2017:11:14:27.110314677 +0100] - NOTICE - ldbm_back_start - total cache size: 417775616 B;
[24/Mar/2017:11:14:27.165466639 +0100] - INFO - dblayer_start - Resizing db cache size: 1519206400 -> 132562944
[24/Mar/2017:11:14:27.650899322 +0100] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
[24/Mar/2017:11:14:29.620268885 +0100] - WARN - modify_config_dse - Modification of attribute "aci" is not allowed, ignoring!
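The two log layouts above are easy to parse mechanically, which is what a monitoring job would do rather than reading them in vi. The following is an added example, not code from the guide or from the Directory Server project: it parses access log entries in the documented layout and error log entries in the layout shown in Example E.2 (timestamp, severity tag, source function, message), counts non-200 responses to the authenticate CGI per client address, and picks out entries whose severity the text says needs administrator action. The three access entries and four error entries are taken from Examples E.1 and E.2; the two 401 entries from 203.0.113.7 are constructed, and the assumption that a failed Console login shows up as a non-200 response to /admin-serv/authenticate is mine, not the guide's.

```python
import re
from datetime import datetime

# Access log entry layout given in the text:
#   ip_address - bind_DN [timestamp -0500] "GET|POST cgi" HTTP_response bytes
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<bind_dn>.*?) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>GET|POST) (?P<cgi>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)$'
)

# Error log entry layout as it appears in Example E.2:
#   [timestamp] - SEVERITY - source_function - message
ERROR_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] - (?P<severity>[A-Z]+) - (?P<source>\S+) - (?P<message>.*)$'
)

# Severities the text says need immediate administrator action (bracketed
# names in the text, upper-case tags in the sample entries; both spellings kept).
ACTION_SEVERITIES = {"WARN", "WARNING", "ERR", "ERROR", "CRIT", "CRITICAL"}


def parse_timestamp(ts):
    """Parse '23/Dec/2008:19:32:52.157345975 -0500' into an aware datetime.
    The fractional part is nanoseconds; datetime keeps only microseconds."""
    m = re.match(r'(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})(?:\.(\d+))? ([+-]\d{4})$', ts)
    if not m:
        raise ValueError(f"unrecognised timestamp: {ts!r}")
    base = datetime.strptime(f"{m.group(1)} {m.group(3)}", "%d/%b/%Y:%H:%M:%S %z")
    micros = int((m.group(2) or "0")[:6].ljust(6, "0"))
    return base.replace(microsecond=micros)


def parse_access_line(line):
    """Return a dict for one access log entry, or None if the line does not match."""
    m = ACCESS_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["bytes"] = int(d["bytes"])
    d["time"] = parse_timestamp(d["ts"])
    return d


def parse_error_line(line):
    """Return a dict for one error log entry, or None if the line does not match."""
    m = ERROR_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["time"] = parse_timestamp(d["ts"])
    return d


def failed_logins(access_lines):
    """Count non-200 responses to the authenticate CGI, keyed by client address."""
    counts = {}
    for line in access_lines:
        e = parse_access_line(line)
        if e and e["cgi"].startswith("/admin-serv/authenticate") and e["status"] != 200:
            counts[e["ip"]] = counts.get(e["ip"], 0) + 1
    return counts


def actionable_errors(error_lines):
    """Entries whose severity the text says requires administrator action."""
    return [e for e in map(parse_error_line, error_lines)
            if e and e["severity"] in ACTION_SEVERITIES]


# Sample input: the three entries from Example E.1 plus two CONSTRUCTED
# failed-authentication entries (203.0.113.7 is documentation address space).
SAMPLE_ACCESS = """\
127.0.0.1 - cn=Directory Manager [23/Dec/2008:19:32:52.157345975 -0500] "GET /admin-serv/authenticate HTTP/1.0" 200 338
192.168.123.121 - cn=Directory Manager [23/Dec/2008:19:33:14.453724501 -0500] "POST /admin-serv/tasks/Configuration/ServerSetup HTTP/1.0" 200 244
192.168.123.121 - cn=Directory Manager [23/Dec/2008:19:33:16.573485244 -0500] "GET /admin-serv/tasks/Configuration/ReadLog?op=count&name=access HTTP/1.0" 200 10
203.0.113.7 - uid=admin [23/Dec/2008:19:40:01.000000000 -0500] "GET /admin-serv/authenticate HTTP/1.0" 401 0
203.0.113.7 - uid=admin [23/Dec/2008:19:40:03.000000000 -0500] "GET /admin-serv/authenticate HTTP/1.0" 401 0
""".splitlines()

# Sample input: the four entries from Example E.2.
SAMPLE_ERROR = """\
[24/Mar/2017:11:14:27.110314677 +0100] - NOTICE - ldbm_back_start - total cache size: 417775616 B;
[24/Mar/2017:11:14:27.165466639 +0100] - INFO - dblayer_start - Resizing db cache size: 1519206400 -> 132562944
[24/Mar/2017:11:14:27.650899322 +0100] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
[24/Mar/2017:11:14:29.620268885 +0100] - WARN - modify_config_dse - Modification of attribute "aci" is not allowed, ignoring!
""".splitlines()

if __name__ == "__main__":
    print("failed logins by client:", failed_logins(SAMPLE_ACCESS))
    for e in actionable_errors(SAMPLE_ERROR):
        print(f"{e['time'].isoformat()} {e['severity']} {e['source']}: {e['message']}")
```

Pointed at the real files, the same two functions run over `open('/var/log/dirsrv/admin-serv/access')` and the error log; the only layout detail worth watching is that the timestamp carries nine fractional digits, which `strptime` cannot take directly, so the parser truncates to microseconds.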
E.2.3.3. Changing the Log Name in the Console
- Open the Administration Server management window.
- Click the Configuration tab.
- Click Logs in the left panel.
- In the Logs window on the right, enter the new log file name.
Warning
The path to the log file is absolute and cannot be changed.
- Click OK to save the changes.
- Open the Tasks tab, and click the button to restart the server and apply the changes.
E.2.3.4. Changing the Log Location in the Command Line
The log location can be changed if the default directory, /var/log/dirsrv/admin-serv, does not meet the application needs. The log settings are stored in two places. One is the Administration Server configuration entry in the o=NetscapeRoot database. The other is the console.conf file. Changing the log settings requires changing both settings.
- Edit the Administration Server configuration entry in the Configuration Directory Server.
  - Get the name of the Administration Server entry. Since the Administration Server entry has a special object class, nsAdminConfig, it is possible to search for the entry using that object class to retrieve the DN.
# ldapsearch -D "cn=Directory Manager" -W -p 389 -h server.example.com -x -b "o=NetscapeRoot" "(objectclass=nsAdminConfig)" dn
version: 1
dn: cn=configuration,cn=admin-serv-example,cn=Red Hat Administration Server,cn=Server Group,cn=server.example.com,ou=example.com,o=NetscapeRoot
  - The Administration Server entry can be edited using ldapmodify. The access and error log settings are stored in the nsAccessLog and nsErrorLog attributes, respectively. For example:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: cn=configuration,cn=admin-serv-example,cn=Red Hat Administration Server,cn=Server Group,cn=server.example.com,ou=example.com,o=NetscapeRoot
changetype: modify
replace: nsAccessLog
nsAccessLog: /var/log/dirsrv/admin-serv/access_new

Hit Enter twice to submit the operation, and then Control+C to close ldapmodify.
- Open the Administration Server configuration directory.
# cd /etc/dirsrv/admin-serv
- Edit the console.conf file. For the access log, edit the path and filename in the CustomLog parameter. For the error log, edit the path and filename in the ErrorLog parameter.
CustomLog /var/log/dirsrv/admin-serv/access_new common
ErrorLog /var/log/dirsrv/admin-serv/error_new
Leave the term common after the access log path; this means that the access log is in the Common Log Format.
- Restart the Administration Server.
# systemctl restart dirsrv-admin.service
E.2.3.5. Setting the Logs to Show Hostnames Instead of IP Addresses
- Edit the console.conf file for the Administration Server.
# cd /etc/dirsrv/admin-serv
# vim console.conf
- Set the HostnameLookups parameter to on. By default, this is turned off, so that IP addresses are recorded in logs instead of host names.
HostnameLookups on
E.2.4. Changing the Port Number
The Administration Server port number is assigned when the setup script, setup-ds-admin.pl, is run. The default port number is 9830, although if that number is in use, then the setup program will use a randomly-generated number larger than 1024, or one can assign any port number between 1025 and 65535.
E.2.4.1. Changing the Port Number in the Console
- Open the Administration Server management window.
- Click the Configuration tab.
- Click the Network tab.
- Enter the port number for the Administration Server instance in the Port field. The Administration Server port number has a default number of 9830.
- Click OK.
- Open the Tasks tab, and click the button to restart the server and apply the changes.
- Close the Console, and then restart the Console, specifying the new Administration Server port number in the connection URL.
E.2.4.2. Changing the Port Number in the Command Line
The Administration Server port number is 9830 by default. The port number is stored in two places. One is the Administration Server configuration entry in the o=NetscapeRoot database. The other is the console.conf file. Changing the port number requires changing both settings.
- Edit the Administration Server configuration entry in the Configuration Directory Server.
  - Get the name of the Administration Server entry. Since the Administration Server entry has a special object class, nsAdminConfig, it is possible to search for the entry using that object class to retrieve the DN.
# ldapsearch -D "cn=Directory Manager" -W -p 389 -h server.example.com -x -b "o=NetscapeRoot" "(objectclass=nsAdminConfig)" dn
version: 1
dn: cn=configuration,cn=admin-serv-example,cn=Red Hat Administration Server,cn=Server Group,cn=server.example.com,ou=example.com,o=NetscapeRoot
  - The Administration Server entry can be edited using ldapmodify. The port number is set in the nsServerPort attribute. For example:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: cn=configuration,cn=admin-serv-example,cn=Red Hat Administration Server,cn=Server Group,cn=server.example.com,ou=example.com,o=NetscapeRoot
changetype: modify
replace: nsServerPort
nsServerPort: 10030

Hit Enter twice to submit the operation, and then Control+C to close ldapmodify.
- Open the Administration Server configuration directory.
# cd /etc/dirsrv/admin-serv
- Edit the Listen parameter in the console.conf file.
Listen 0.0.0.0:10030
- Restart the Administration Server.
# systemctl restart dirsrv-admin.service
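Both this procedure and the log-location procedure in Section E.2.3.4 require the same value in two places, the nsAdminConfig entry under o=NetscapeRoot and console.conf, and nothing on the server checks that they agree. The following is an added example, not code from the guide or from the Directory Server project: it parses the settings this appendix touches out of console.conf text (Listen, CustomLog, ErrorLog, HostnameLookups) and the corresponding attributes (nsServerPort, nsAccessLog, nsErrorLog) out of an LDIF entry as ldapsearch prints it, unfolding the continuation lines LDIF uses for long values, and reports every disagreement. The sample console.conf and LDIF entry are constructed; the entry's attribute names are the ones this appendix documents.

```python
import re


def parse_console_conf(text):
    """Pull the settings this appendix touches out of console.conf text."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "Listen":
            # Listen takes either "port" or "address:port"; keep only the port.
            conf["port"] = int(value.rsplit(":", 1)[-1])
        elif key == "CustomLog":
            # CustomLog <path> <format>; the format word ("common") is dropped here.
            conf["access_log"] = value.split()[0]
        elif key == "ErrorLog":
            conf["error_log"] = value
        elif key == "HostnameLookups":
            conf["hostname_lookups"] = value.lower() == "on"
    return conf


def parse_ldif_entry(text):
    """Parse one LDIF entry (ldapsearch output) into {attribute: [values]}.
    LDIF folds long values onto continuation lines that start with one space;
    those are joined back first. Base64 ('attr::') values are not handled."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        elif raw.strip():
            unfolded.append(raw)
    entry = {}
    for line in unfolded:
        if line.startswith("#") or line.startswith("version:"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


# console.conf setting -> nsAdminConfig attribute that must carry the same value
PAIRS = [("port", "nsServerPort"), ("access_log", "nsAccessLog"), ("error_log", "nsErrorLog")]


def find_mismatches(conf, entry):
    """Return (setting, console.conf value, directory value) for each disagreement."""
    out = []
    for key, attr in PAIRS:
        ldap_val = entry.get(attr, [None])[0]
        if key == "port" and ldap_val is not None:
            ldap_val = int(ldap_val)
        conf_val = conf.get(key)
        if conf_val != ldap_val:
            out.append((key, conf_val, ldap_val))
    return out


# CONSTRUCTED sample: console.conf after the port and log-file edits ...
SAMPLE_CONSOLE_CONF = """\
# Administration Server configuration (constructed sample)
Listen 0.0.0.0:10030
User dirsrv
CustomLog /var/log/dirsrv/admin-serv/access_new common
ErrorLog /var/log/dirsrv/admin-serv/error_new
HostnameLookups off
"""

# ... and a CONSTRUCTED directory entry where only the access log was updated.
# The dn is folded across two lines the way ldapsearch prints long values.
SAMPLE_LDIF = """\
version: 1
dn: cn=configuration,cn=admin-serv-example,cn=Red Hat Administration Server,cn=Se
 rver Group,cn=server.example.com,ou=example.com,o=NetscapeRoot
objectClass: nsAdminConfig
nsServerPort: 9830
nsAccessLog: /var/log/dirsrv/admin-serv/access_new
nsErrorLog: /var/log/dirsrv/admin-serv/error
"""


def check_samples():
    """Run the comparison over the two constructed inputs."""
    return find_mismatches(parse_console_conf(SAMPLE_CONSOLE_CONF), parse_ldif_entry(SAMPLE_LDIF))


if __name__ == "__main__":
    for key, conf_val, ldap_val in check_samples():
        print(f"{key}: console.conf={conf_val!r} directory={ldap_val!r}")
```

On a live system the LDIF text would come from the ldapsearch shown above with the `dn` attribute filter removed, so that the whole entry is returned, and the console.conf text from /etc/dirsrv/admin-serv/console.conf; a non-empty result means one of the two edits in the procedure was skipped and the next restart will not behave as expected.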
E.2.5. Setting Host Restrictions
E.2.5.1. Setting Host Restrictions in the Console
- Open the Administration Server management window.
- Click the Configuration tab.
- Click the Network tab.
- The Connection Restrictions area displays a list of hosts allowed to connect to the Administration Server. The drop-down list specifies whether the list entries are added by DNS name or by IP address. The list is evaluated first by host names, and then by IP addresses.
- Click the Add button to add another host to the list of allowed computers. To add a host name, make sure the drop-down list at the top reads Host Names to allow; to add an IP address, select IP Addresses to allow.
- Fill in the host information, either the host name or an IPv4 or IPv6 address. The * wildcard can be used to specify a group of hosts. For instance, *.example.com allows all machines in the example.com domain to access the instance. Entering 205.12.*. allows all hosts whose IP addresses begin with 205.12 to access the instance. When specifying IP address restrictions, include all three separating dots. If you do not, the Administration Server returns an error message.
- Click OK to close the Add... dialog box, and then click the Save button to save the new host.
- Open the Tasks tab, and click the button to restart the server and apply the changes.
E.2.5.2. Setting Host Restrictions in the Command Line
The host restrictions are stored in the Administration Server configuration entry in the o=NetscapeRoot database. There are two attributes for setting host restrictions, nsAdminAccessAddresses and nsAdminAccessHosts, for IP addresses and host names, respectively.
Note
These attributes are edited with ldapmodify.
- Get the name of the Administration Server entry. Since the Administration Server entry has a special object class, nsAdminConfig, it is possible to search for the entry using that object class to retrieve the DN.
# ldapsearch -D "cn=Directory Manager" -W -p 389 -h server.example.com -x -b "o=NetscapeRoot" "(objectclass=nsAdminConfig)" dn
version: 1
dn: cn=configuration,cn=admin-serv-example,cn=Red Hat Administration Server,cn=Server Group,cn=server.example.com,ou=example.com,o=NetscapeRoot
- To set IP address-based restrictions, edit the nsAdminAccessAddresses attribute. Either IPv4 or IPv6 addresses can be used.
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: cn=configuration,cn=admin-serv-example,cn=Red Hat Administration Server,cn=Server Group,cn=server.example.com,ou=example.com,o=NetscapeRoot
changetype: modify
replace: nsAdminAccessAddresses
nsAdminAccessAddresses: 72.5.*.*

Hit Enter twice to submit the operation, and then Control+C to close ldapmodify.
The nsAdminAccessAddresses value can use wildcards to allow ranges. Either IPv4 or IPv6 addresses can be used. For example, to allow all IP addresses:
nsAdminAccessAddresses: *
To allow only a subset of addresses on a local network:
nsAdminAccessAddresses: 192.168.123.*
- To set host name or domain-based restrictions, edit the nsAdminAccessHosts attribute.
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: cn=configuration,cn=admin-serv-example,cn=Red Hat Administration Server,cn=Server Group,cn=server.example.com,ou=example.com,o=NetscapeRoot
changetype: modify
replace: nsAdminAccessHosts
nsAdminAccessHosts: *.example.com

Hit Enter twice to submit the operation, and then Control+C to close ldapmodify.
- Restart the Administration Server to apply the changes.
# systemctl restart dirsrv-admin.service
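Host restriction values are easy to get subtly wrong (a missing dot, a domain pattern that matches more than intended), and the only feedback from the server is an error at restart or a client that cannot connect. The following is an added example, not code from the guide or from the Directory Server project: it validates candidate nsAdminAccessAddresses values against the rule in Section E.2.5.1 that an IPv4 pattern must include all three separating dots, and evaluates a client against the two lists in the order the text describes (host names first, then IP addresses). The wildcard semantics (* matches any run of characters, names compared case-insensitively, a client allowed if it matches either list) are my assumption modelled on the text, not the Administration Server's actual matching code, and all client addresses and names are constructed.

```python
from fnmatch import fnmatchcase
import ipaddress


def validate_address_pattern(pattern):
    """Check one nsAdminAccessAddresses value before it is written with ldapmodify.
    Rule from the text: an IPv4 pattern must include all three separating dots.
    Anything containing ':' is treated as an IPv6 pattern and accepted as-is (assumption)."""
    if pattern == "*":
        return True, "matches every address"
    if ":" in pattern:
        return True, "IPv6 pattern"
    parts = pattern.split(".")
    if len(parts) != 4:
        return False, f"{pattern!r}: IPv4 patterns need all three separating dots"
    for part in parts:
        if not (part == "*" or part.isdigit()):
            return False, f"{pattern!r}: each octet must be a number or *"
    return True, "IPv4 pattern"


def canonical_ip(ip):
    """Normalise an address (e.g. collapse IPv6 zero runs) so patterns compare predictably."""
    try:
        return ipaddress.ip_address(ip).compressed
    except ValueError:
        return ip


def matches_any(value, patterns):
    """Glob-style match of one value against a list of * patterns (assumed semantics)."""
    return any(fnmatchcase(value, p) for p in patterns)


def is_allowed(client_ip, client_host, hosts, addresses):
    """Evaluate the restrictions in the order the text gives: host names first, then IP addresses.
    Returns (allowed, reason)."""
    host_patterns = [h.lower() for h in hosts]
    if client_host and matches_any(client_host.lower(), host_patterns):
        return True, f"host {client_host} matched nsAdminAccessHosts"
    ip = canonical_ip(client_ip)
    if matches_any(ip, addresses):
        return True, f"address {ip} matched nsAdminAccessAddresses"
    return False, f"{client_host or ip} matched neither list"


# CONSTRUCTED scenario: the restriction values from this section and a few clients.
HOSTS = ["*.example.com"]
ADDRESSES = ["192.168.123.*", "2001:db8:*"]
CLIENTS = [
    ("192.168.123.121", "ws1.example.com"),   # allowed by host name
    ("192.168.123.50", None),                 # no reverse name; allowed by address
    ("10.0.0.5", "ws2.example.org"),          # wrong domain, wrong network
    ("10.0.0.6", "ws3.example.com.net"),      # suffix trick; pattern is anchored, so denied
    ("2001:0db8::1", None),                   # IPv6, normalised before matching
]


def evaluate_clients():
    """Map each constructed client to the (allowed, reason) decision."""
    return {ip: is_allowed(ip, host, HOSTS, ADDRESSES) for ip, host in CLIENTS}


if __name__ == "__main__":
    for value in ["72.5.*.*", "72.5.*", "*", "2001:db8:*"]:
        print(value, validate_address_pattern(value))
    for ip, (ok, why) in evaluate_clients().items():
        print("ALLOW" if ok else "DENY ", ip, "-", why)
```

One caveat that follows from the ldapmodify steps above rather than from this code: `replace:` discards every existing value of the attribute, so each modification must carry the complete allow list, not just the address being added.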
E.2.6. Changing the Admin User's Name and Password
The admin user's entry is stored in the Configuration Directory under uid=userID,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot, and the admin password is also stored locally in /etc/dirsrv/admin-serv/admpw.
Note
The admin user name and the hashed password are stored in the /etc/dirsrv/admin-serv/admpw file. For example:
admin:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
The password is stored as a hash in the admpw file. The user name can be changed in this file, but cannot be used to log into the Console unless the password is updated in the Console first. For this reason, it is better to edit the Administration Server Administrator user name and password only through the Administration Server Console.
- Open the Administration Server management window.
- Click the Configuration tab.
- Click the Access tab.
- Change the admin user's name or password. The user name is the ID given for logging into the Administration Server.
- Click Save.
E.2.7. Working with TLS
Enabling TLS for the Administration Server involves the following steps:
- Generating and submitting a certificate request.
- Receiving and installing the certificate.
- Trusting the certificate authority (CA) which issued the certificate.
- Changing the Administration Server configuration to allow TLS connections.
E.2.7.1. Managing Certificates for Administration Server
- To use the same certificate for Directory Server as for the Administration Server, see Section E.2.7.1.1, “Using the Directory Server Private Key and Certificate for the Admin Server”.
Important
The Administration Server has its own NSS database, separate from the Directory Server's. When managing its certificates:
- In the graphical user interface, perform the steps in the Manage Certificates menu of the Administration Server Console instead of the Directory Server Console.
- On the command line, use the /etc/dirsrv/admin-serv/ directory instead of the /etc/dirsrv/slapd-instance_name/ directory when you manage the Network Security Services (NSS) database.
E.2.7.1.1. Using the Directory Server Private Key and Certificate for the Admin Server
When the Certificate Request Wizard for the Directory Server is passed through, the automatically generated private key is stored in the Directory Server's PKI database. However, because the same private key does not exist in both databases, a certificate issued for one cannot be installed in the other database.
- Shut down the Administration Server:
# systemctl stop dirsrv-admin
- Shut down the Directory Server:
# systemctl stop dirsrv@instance
- List the contents of the Directory Server NSS database:
# certutil -L -d /etc/dirsrv/admin-serv/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Demo CA                                                      CT,,
server-cert                                                  u,u,u
- Export the private key and certificate with the name server-cert from the Directory Server's PKI database:
# pk12util -o /tmp/keys.pk12 -n server-cert -d /etc/dirsrv/slapd-instance/
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file:
Re-enter password:
pk12util: PKCS12 EXPORT SUCCESSFUL
Enter the Directory Server's key store password, and optionally a new password for the temporarily exported file when prompted.
- Import the private key and certificate into the Administration Server's PKI database:
# pk12util -i /tmp/keys.pk12 -d /etc/dirsrv/admin-serv/
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.
Enter new password:
Re-enter password:
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util asks you to set a password for the Administration Server's key store. If you have already set one for this database, you are prompted to enter that password instead. If you set a password on the exported file in the previous step, you are additionally asked to enter that one as well.
- Delete the temporarily exported file:
# rm /tmp/keys.pk12
- Trust the Demo CA:
# certutil -M -d /etc/dirsrv/admin-serv/ -n "Demo CA" -t CT,,
- Start the Directory Server:
# systemctl start dirsrv@instance
- Start the Administration Server:
# systemctl start dirsrv-admin
E.2.7.3. Creating a Password File for the Administration Server
When TLS is enabled, the Administration Server prompts for the token password each time it starts:
Starting dirsrv-admin: Please enter password for "internal" token:
Warning
- Create the /etc/dirsrv/admin-serv/password.conf file with the following contents:
  - For a system with Federal Information Processing Standard (FIPS) mode disabled:
internal:password
  - For a system with FIPS mode enabled:
internal:password
NSS FIPS 140-2 Certificate DB:password
Lines in this file use the following format: token_name:password. For the NSS software crypto module (the default software database), the token is always called internal. If FIPS mode is enabled, the additional token for the certificate database is always called NSS FIPS 140-2 Certificate DB.
- The password file should be owned by the Administration Server user and set to read-only by the Administration Server user, with no access to any other user (mode 0400).
Note
To find out what the Administration Server user ID is, run grep in the Administration Server configuration directory:
# grep "^User" /etc/dirsrv/admin-serv/console.conf
User dirsrv
To set the permissions, enter:
# chown dirsrv:root /etc/dirsrv/admin-serv/password.conf
# chmod 0400 /etc/dirsrv/admin-serv/password.conf
- Edit the /etc/dirsrv/admin-serv/nss.conf file to point to the location of the new password file.
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
NSSPassPhraseDialog file://etc/dirsrv/admin-serv/password.conf
- Restart the Administration Server:
# systemctl restart dirsrv-admin.service
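Because password.conf holds the token password in clear text, the mode and the token names in it are worth checking mechanically, both right after creating it and as a recurring configuration audit. The following is an added example, not code from the guide or from the Directory Server project: it parses the token_name:password format described above (splitting on the first colon only, so a password may itself contain a colon), extracts the Administration Server user from console.conf the way the grep in the Note does, and reports every deviation from the requirements in this section (mode 0400, an internal entry, the NSS FIPS 140-2 Certificate DB entry when FIPS mode is on, no empty passwords). The files it checks in the demo are constructed in a temporary directory; the owner check is optional because the dirsrv account will not exist on a workstation.

```python
import os
import re
import stat
import tempfile

INTERNAL_TOKEN = "internal"
FIPS_TOKEN = "NSS FIPS 140-2 Certificate DB"
EXPECTED_MODE = 0o400   # read-only for the owner, no access for anyone else


def parse_password_conf(text):
    """Parse token_name:password lines into a dict.
    Only the first colon separates the fields, so the password may contain ':'."""
    tokens = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        token, sep, password = line.partition(":")
        if not sep or not token:
            raise ValueError(f"line {lineno}: expected token_name:password")
        tokens[token] = password
    return tokens


def admin_server_user(console_conf_text):
    """Equivalent of grep '^User' console.conf: the account the server runs as."""
    for line in console_conf_text.splitlines():
        m = re.match(r"^User\s+(\S+)", line)
        if m:
            return m.group(1)
    return None


def check_password_conf(path, fips_enabled=False, expected_uid=None):
    """Return a list of findings; an empty list means the file meets this section's requirements."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode != EXPECTED_MODE:
        findings.append(f"mode {mode:04o}, expected {EXPECTED_MODE:04o}")
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append(f"owner uid {st.st_uid}, expected {expected_uid}")
    with open(path, encoding="utf-8") as fh:
        tokens = parse_password_conf(fh.read())
    required = {INTERNAL_TOKEN}
    if fips_enabled:
        required.add(FIPS_TOKEN)
    for token in sorted(required - tokens.keys()):
        findings.append(f"missing entry for token {token!r}")
    for token, password in tokens.items():
        if not password:
            findings.append(f"empty password for token {token!r}")
    return findings


def run_demo():
    """Write a CONSTRUCTED password.conf into a temp dir and check it in three states:
    world-readable, correctly restricted, and restricted but missing the FIPS token."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "password.conf")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("internal:password\n")      # constructed sample value
        os.chmod(path, 0o644)
        loose = check_password_conf(path)
        os.chmod(path, 0o400)
        tight = check_password_conf(path)
        fips_missing = check_password_conf(path, fips_enabled=True)
    return loose, tight, fips_missing


if __name__ == "__main__":
    for label, findings in zip(("0644", "0400", "0400+fips"), run_demo()):
        print(label, "->", findings or "ok")
```

On a real host the call would be `check_password_conf("/etc/dirsrv/admin-serv/password.conf", fips_enabled=..., expected_uid=pwd.getpwnam(admin_server_user(open("/etc/dirsrv/admin-serv/console.conf").read())).pw_uid)`, which ties the owner check to whatever the User directive in console.conf actually says instead of assuming dirsrv.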
E.2.8. Changing Directory Server Settings
E.2.8.1. Changing the Configuration Directory Host or Port
The Administration Server stores its configuration under o=NetscapeRoot in the Configuration Directory. The configuration database contains server settings such as network topology information and server instance entries. Server configuration changes are stored in the configuration directory subtree.
Warning
- Open the Administration Server management window.
- Click the Configuration tab.
- Click the Configuration DS tab.
- Set the Configuration Directory Server connection information.
- The LDAP Host is the host name, IPv4, or IPv6 address of the Configuration Directory Server machine.
- The LDAP Port is the port number to use for the Directory Server instance. The regular LDAP port is 389; the default LDAPS (secure) port number is 636.
- Check the Secure Connection check box to use the secure port. Before checking this box, make sure that the Configuration Directory Server has enabled TLS.
- Click Save.
E.2.8.2. Changing the User Directory Host or Port
- Open the Administration Server management window.
- Click the Configuration tab.
- Click the User DS tab.
- Set the User Directory Server connection information.
- Edit the user directory information. The Use Default User Directory radio button uses the default user directory associated with the domain. To use multiple Directory Server instances or to use a different instance, select the Set User Directory radio button and set the required information:
- The LDAP Host and Port field specifies the location of the user directory instance, using the format hostname:port or ip_address:port, with an IPv4 or IPv6 address. It is possible to configure multiple locations for the user directory for authentication and other directory functions; separate each location with a space. For example:
server.example.com:389 alt.example.com:389
Note
If more than one location is given in the LDAP Host and Port field, the settings for the remaining fields will apply to all of those instances.
- Check the Secure Connection box to use TLS to connect to the user directory. Only select this if the Directory Server is already configured to use TLS.
- Give the User Directory Subtree. For example:
dc=example,dc=com
Every location listed in the LDAP Host and Port field must contain that subtree, and the subtree must contain the user information.
- Optionally, enter the Bind DN and Bind Password for the user which connects to the user directory.
- Click Save.