Administration Guide
Making Open Source More Inclusive
1. General Directory Server Management Tasks
Expand section "1. General Directory Server Management Tasks" Collapse section "1. General Directory Server Management Tasks"
1. 1.1. System Requirements
2. 1.2. File Locations
3. 1.3. Supported Methods to Configure Directory Server
4. 1.4. Logging Into Directory Server Using the Web Console
5. 1.5. Starting and Stopping a Directory Server Instance
  Expand section "1.5. Starting and Stopping a Directory Server Instance" Collapse section "1.5. Starting and Stopping a Directory Server Instance"
  1. 1.5.1. Starting and Stopping a Directory Server Instance Using the Command Line
  2. 1.5.2. Starting and Stopping a Directory Server Instance Using the Web Console
6. 1.6. Creating a New Directory Server Instance
7. 1.7. Removing a Directory Server Instance
  Expand section "1.7. Removing a Directory Server Instance" Collapse section "1.7. Removing a Directory Server Instance"
  1. 1.7.1. Removing an Instance Using the Command Line
  2. 1.7.2. Removing an Instance Using the Web Console
8. 1.8. Setting Directory Server Configuration Parameters
  Expand section "1.8. Setting Directory Server Configuration Parameters" Collapse section "1.8. Setting Directory Server Configuration Parameters"
  1. 1.8.1. Managing Configuration Parameters
  2. 1.8.2. Where Directory Server Stores its Configuration
  3. 1.8.3. Benefits of Using Default Values
    
    Expand section "1.8.3. Benefits of Using Default Values" Collapse section "1.8.3. Benefits of Using Default Values"
    
    1.8.3.1. Removing a Parameter to Use the Default Value
9. 1.9. Changing the LDAP and LDAPS Port Numbers
  Expand section "1.9. Changing the LDAP and LDAPS Port Numbers" Collapse section "1.9. Changing the LDAP and LDAPS Port Numbers"
  1. 1.9.1. Changing the Port Numbers Using the Command Line
  2. 1.9.2. Changing the Port Numbers Using the Web Console
10. 1.10. Using Directory Server Plug-ins
  Expand section "1.10. Using Directory Server Plug-ins" Collapse section "1.10. Using Directory Server Plug-ins"
  1. 1.10.1. Listing Available Plug-ins
    
    Expand section "1.10.1. Listing Available Plug-ins" Collapse section "1.10.1. Listing Available Plug-ins"
    
    1.10.1.1. Listing Available Plug-ins Using the Command Line
    
    1.10.1.2. Listing Available Plug-ins Using the Web Console
  2. 1.10.2. Enabling Plug-ins Dynamically
  3. 1.10.3. Enabling and Disabling Plug-ins
    
    Expand section "1.10.3. Enabling and Disabling Plug-ins" Collapse section "1.10.3. Enabling and Disabling Plug-ins"
    
    1.10.3.1. Enabling and Disabling Plug-ins Using the Command Line
    
    1.10.3.2. Enabling and Disabling Plug-ins Using the Web Console
  4. 1.10.4. Configuring Plug-ins
    
    Expand section "1.10.4. Configuring Plug-ins" Collapse section "1.10.4. Configuring Plug-ins"
    
    1.10.4.1. Configuring Plug-ins Using the Command Line
    
    1.10.4.2. Configuring Plug-ins Using the Web Console
  5. 1.10.5. Setting the Plug-in Precedence
    
    Expand section "1.10.5. Setting the Plug-in Precedence" Collapse section "1.10.5. Setting the Plug-in Precedence"
    
    1.10.5.1. Setting the Plug-in Precedence Using the Command Line
    
    1.10.5.2. Setting the Plug-in Precedence Using the Web Console
11. 1.11. Creating and Using a .dsrc File to Set Default Options for Directory Server Command-line Utilities
  Expand section "1.11. Creating and Using a .dsrc File to Set Default Options for Directory Server Command-line Utilities" Collapse section "1.11. Creating and Using a .dsrc File to Set Default Options for Directory Server Command-line Utilities"
  1. 1.11.1. How a .dsrc File Simplifies Commands
  2. 1.11.2. Using the dsctl Utility to Create a .dsrc File
2. Configuring Directory Databases
Expand section "2. Configuring Directory Databases" Collapse section "2. Configuring Directory Databases"
1. 2.1. Creating and Maintaining Suffixes
  Expand section "2.1. Creating and Maintaining Suffixes" Collapse section "2.1. Creating and Maintaining Suffixes"
  1. 2.1.1. Creating Suffixes
    
    Expand section "2.1.1. Creating Suffixes" Collapse section "2.1.1. Creating Suffixes"
    
    2.1.1.1. Creating a Root Suffix
    
    Expand section "2.1.1.1. Creating a Root Suffix" Collapse section "2.1.1.1. Creating a Root Suffix"
    
    2.1.1.1.1. Creating a Root Suffix Using the Command Line
    
    2.1.1.1.2. Creating a Root Suffix Using the Web Console
    
    2.1.1.2. Creating a Sub-suffix
    
    Expand section "2.1.1.2. Creating a Sub-suffix" Collapse section "2.1.1.2. Creating a Sub-suffix"
    
    2.1.1.2.1. Creating a Sub-suffix Using the Command Line
    
    2.1.1.2.2. Creating a Sub-suffix Using the Web Console
  2. 2.1.2. Maintaining Suffixes
    
    Expand section "2.1.2. Maintaining Suffixes" Collapse section "2.1.2. Maintaining Suffixes"
    
    2.1.2.1. Viewing the Default Naming Context
    
    2.1.2.2. Disabling a Suffix
    
    Expand section "2.1.2.2. Disabling a Suffix" Collapse section "2.1.2.2. Disabling a Suffix"
    
    2.1.2.2.1. Disabling a Suffix Using the Command Line
    
    2.1.2.3. Deleting a Suffix
    
    Expand section "2.1.2.3. Deleting a Suffix" Collapse section "2.1.2.3. Deleting a Suffix"
    
    2.1.2.3.1. Deleting a Suffix Using the Command Line
    
    2.1.2.3.2. Deleting a Suffix Using the Web Console
2. 2.2. Creating and Maintaining Databases
  Expand section "2.2. Creating and Maintaining Databases" Collapse section "2.2. Creating and Maintaining Databases"
  1. 2.2.1. Creating Databases
    
    Expand section "2.2.1. Creating Databases" Collapse section "2.2.1. Creating Databases"
    
    2.2.1.1. Creating a New Database for a Single Suffix Using the Command Line
    
    2.2.1.2. Adding Multiple Databases for a Single Suffix
  2. 2.2.2. Maintaining Directory Databases
    
    Expand section "2.2.2. Maintaining Directory Databases" Collapse section "2.2.2. Maintaining Directory Databases"
    
    2.2.2.1. Setting a Database in Read-Only Mode
    
    Expand section "2.2.2.1. Setting a Database in Read-Only Mode" Collapse section "2.2.2.1. Setting a Database in Read-Only Mode"
    
    2.2.2.1.1. Setting a Database in Read-only Mode Using the Command Line
    
    2.2.2.1.2. Setting a Database in Read-only Mode Using the Web Console
    
    2.2.2.2. Placing the Entire Directory Server in Read-Only Mode
    
    Expand section "2.2.2.2. Placing the Entire Directory Server in Read-Only Mode" Collapse section "2.2.2.2. Placing the Entire Directory Server in Read-Only Mode"
    
    2.2.2.2.1. Placing the Entire Directory Server in Read-Only Mode Using the Command Line
    
    2.2.2.2.2. Placing the Entire Directory Server in Read-Only Mode Using the Web Console
    
    2.2.2.3. Deleting a Database
    
    Expand section "2.2.2.3. Deleting a Database" Collapse section "2.2.2.3. Deleting a Database"
    
    2.2.2.3.1. Deleting a Database Using the Command Line
    
    2.2.2.3.2. Deleting a Database Using the Web Console
    
    2.2.2.4. Changing the Transaction Log Directory
3. 2.3. Creating and Maintaining Database Links
  Expand section "2.3. Creating and Maintaining Database Links" Collapse section "2.3. Creating and Maintaining Database Links"
  1. 2.3.1. Creating a New Database Link
    
    Expand section "2.3.1. Creating a New Database Link" Collapse section "2.3.1. Creating a New Database Link"
    
    2.3.1.1. Creating a New Database Link Using the Command Line
    
    2.3.1.2. Creating a New Database Link Using the Web Console
    
    2.3.1.3. Managing the Default Configuration for New Database Links
    
    2.3.1.4. Additional Information on Required Settings When Creating a Database Link
  2. 2.3.2. Configuring the Chaining Policy
    
    Expand section "2.3.2. Configuring the Chaining Policy" Collapse section "2.3.2. Configuring the Chaining Policy"
    
    2.3.2.1. Chaining Component Operations
    
    Expand section "2.3.2.1. Chaining Component Operations" Collapse section "2.3.2.1. Chaining Component Operations"
    
    2.3.2.1.1. Chaining Component Operations Using the Command Line
    
    2.3.2.1.2. Chaining Component Operations Using the Web Console
    
    2.3.2.2. Chaining LDAP Controls
    
    Expand section "2.3.2.2. Chaining LDAP Controls" Collapse section "2.3.2.2. Chaining LDAP Controls"
    
    2.3.2.2.1. Chaining LDAP Controls Using the Command Line
    
    2.3.2.2.2. Chaining LDAP Controls Using the Web Console
  3. 2.3.3. Database Links and Access Control Evaluation
4. 2.4. Configuring Cascading Chaining
  Expand section "2.4. Configuring Cascading Chaining" Collapse section "2.4. Configuring Cascading Chaining"
5. 2.5. Using Referrals
  Expand section "2.5. Using Referrals" Collapse section "2.5. Using Referrals"
  1. 2.5.1. Starting the Server in Referral Mode
  2. 2.5.2. Setting Default Referrals
    
    Expand section "2.5.2. Setting Default Referrals" Collapse section "2.5.2. Setting Default Referrals"
    
    2.5.2.1. Setting a Default Referral Using the Command Line
  3. 2.5.3. Creating Smart Referrals
    
    Expand section "2.5.3. Creating Smart Referrals" Collapse section "2.5.3. Creating Smart Referrals"
    
    2.5.3.1. Creating Smart Referrals Using the Command Line
  4. 2.5.4. Creating Suffix Referrals
    
    Expand section "2.5.4. Creating Suffix Referrals" Collapse section "2.5.4. Creating Suffix Referrals"
    
    2.5.4.1. Creating Suffix Referrals Using the Command Line
    
    2.5.4.2. Creating Suffix Referrals Using the Web Console
6. 2.6. Verifying the Integrity of Back-end Databases
3. Managing Directory Entries
Expand section "3. Managing Directory Entries" Collapse section "3. Managing Directory Entries"
1. 3.1. Managing Directory Entries Using the Command Line
  Expand section "3.1. Managing Directory Entries Using the Command Line" Collapse section "3.1. Managing Directory Entries Using the Command Line"
  1. 3.1.1. Providing Input to the ldapadd, ldapmodify, and ldapdelete Utilities
    
    Expand section "3.1.1. Providing Input to the ldapadd, ldapmodify, and ldapdelete Utilities" Collapse section "3.1.1. Providing Input to the ldapadd, ldapmodify, and ldapdelete Utilities"
    
    3.1.1.1. Providing Input Using the Interactive Mode
    
    3.1.1.2. Providing Input Using an LDIF File
  2. 3.1.2. The Continuous Operation Mode
  3. 3.1.3. Adding an Entry
    
    Expand section "3.1.3. Adding an Entry" Collapse section "3.1.3. Adding an Entry"
    
    3.1.3.1. Adding an Entry Using ldapadd
    
    3.1.3.2. Adding an Entry Using ldapmodify
    
    3.1.3.3. Creating a Root Entry
  4. 3.1.4. Updating a Directory Entry
    
    Expand section "3.1.4. Updating a Directory Entry" Collapse section "3.1.4. Updating a Directory Entry"
    
    3.1.4.1. Adding Attributes to an Entry
    
    3.1.4.2. Updating an Attribute's Value
    
    3.1.4.3. Deleting Attributes from an Entry
  5. 3.1.5. Deleting an Entry
    
    Expand section "3.1.5. Deleting an Entry" Collapse section "3.1.5. Deleting an Entry"
    
    3.1.5.1. Deleting an Entry Using ldapdelete
    
    3.1.5.2. Deleting an Entry Using ldapmodify
  6. 3.1.6. Renaming and Moving an Entry
    
    Expand section "3.1.6. Renaming and Moving an Entry" Collapse section "3.1.6. Renaming and Moving an Entry"
    
    3.1.6.1. Considerations for Renaming Entries
    
    3.1.6.2. Renaming Users, Groups, POSIX Groups, and OUs
    
    3.1.6.3. The deleteOldRDN Parameter When Renaming Entries Using LDIF Statements
    
    3.1.6.4. Renaming an Entry or Subtree Using LDIF Statements
    
    3.1.6.5. Moving an Entry to a New Parent Using LDIF Statements
  7. 3.1.7. Using Special Characters
  8. 3.1.8. Using Binary Attributes
  9. 3.1.9. Updating an Entry in an Internationalized Directory
2. 3.2. Managing Directory Entries Using the Web Console
  Expand section "3.2. Managing Directory Entries Using the Web Console" Collapse section "3.2. Managing Directory Entries Using the Web Console"
4. Tracking Modifications to Directory Entries
Expand section "4. Tracking Modifications to Directory Entries" Collapse section "4. Tracking Modifications to Directory Entries"
1. 4.1. Tracking Modifications to the Database through Update Sequence Numbers
  Expand section "4.1. Tracking Modifications to the Database through Update Sequence Numbers" Collapse section "4.1. Tracking Modifications to the Database through Update Sequence Numbers"
  1. 4.1.1. An Overview of the Entry Sequence Numbers
    
    Expand section "4.1.1. An Overview of the Entry Sequence Numbers" Collapse section "4.1.1. An Overview of the Entry Sequence Numbers"
    
    4.1.1.1. Local and Global USNs
    
    4.1.1.2. Importing USN Entries
  2. 4.1.2. Enabling the USN Plug-in
    
    Expand section "4.1.2. Enabling the USN Plug-in" Collapse section "4.1.2. Enabling the USN Plug-in"
    
    4.1.2.1. Enabling the USN Plug-in Using the Command Line
    
    4.1.2.2. Enabling the USN Plug-in Using the Web Console
  3. 4.1.3. Global USNs
    
    Expand section "4.1.3. Global USNs" Collapse section "4.1.3. Global USNs"
    
    4.1.3.1. Identifying Whether Global USNs are Enabled
    
    Expand section "4.1.3.1. Identifying Whether Global USNs are Enabled" Collapse section "4.1.3.1. Identifying Whether Global USNs are Enabled"
    
    4.1.3.1.1. Identifying Whether Global USNs are Enabled Using the Command Line
    
    4.1.3.1.2. Identifying Whether Global USNs are Enabled Using the Web Console
    
    4.1.3.2. Enabling Global USNs
    
    Expand section "4.1.3.2. Enabling Global USNs" Collapse section "4.1.3.2. Enabling Global USNs"
    
    4.1.3.2.1. Enabling Global USNs Using the Command Line
    
    4.1.3.2.2. Enabling Global USNs Using the Web Console
  4. 4.1.4. Cleaning up USN Tombstone Entries
    
    Expand section "4.1.4. Cleaning up USN Tombstone Entries" Collapse section "4.1.4. Cleaning up USN Tombstone Entries"
    
    4.1.4.1. Cleaning up USN Tombstone Entries Using the Command Line
    
    4.1.4.2. Cleaning up USN Tombstone Entries Using the Web Console
2. 4.2. Tracking Entry Modifications through Operational Attributes
  Expand section "4.2. Tracking Entry Modifications through Operational Attributes" Collapse section "4.2. Tracking Entry Modifications through Operational Attributes"
  1. 4.2.1. Entries Modified or Created by a Database Link
  2. 4.2.2. Enabling Tracking of Modifications
    
    Expand section "4.2.2. Enabling Tracking of Modifications" Collapse section "4.2.2. Enabling Tracking of Modifications"
    
    4.2.2.1. Enabling Tracking Of Modifications Using the Command Line
3. 4.3. Tracking the Bind DN for Plug-in Initiated Updates
  Expand section "4.3. Tracking the Bind DN for Plug-in Initiated Updates" Collapse section "4.3. Tracking the Bind DN for Plug-in Initiated Updates"
  1. 4.3.1. Enabling Tracking the Bind DN for Plug-in Initiated Updates Using the Command Line
  2. 4.3.2. Enabling Tracking the Bind DN for Plug-in Initiated Updates Using the Web Console
4. 4.4. Tracking Password Change Times
5. Maintaining Referential Integrity
Expand section "5. Maintaining Referential Integrity" Collapse section "5. Maintaining Referential Integrity"
1. 5.1. How Referential Integrity Works
2. 5.2. Using Referential Integrity with Replication
3. 5.3. Enabling Referential Integrity
  Expand section "5.3. Enabling Referential Integrity" Collapse section "5.3. Enabling Referential Integrity"
  1. 5.3.1. Enabling Referential Integrity Using the Command Line
  2. 5.3.2. Enabling Referential Integrity Using the Web Console
4. 5.4. The Referential Integrity Update Interval
  Expand section "5.4. The Referential Integrity Update Interval" Collapse section "5.4. The Referential Integrity Update Interval"
5. 5.5. Displaying and Modifying the Attribute List
  Expand section "5.5. Displaying and Modifying the Attribute List" Collapse section "5.5. Displaying and Modifying the Attribute List"
6. 5.6. Configuring Scope for the Referential Integrity
  Expand section "5.6. Configuring Scope for the Referential Integrity" Collapse section "5.6. Configuring Scope for the Referential Integrity"
6. Populating Directory Databases
Expand section "6. Populating Directory Databases" Collapse section "6. Populating Directory Databases"
1. 6.1. Importing Data
  Expand section "6.1. Importing Data" Collapse section "6.1. Importing Data"
  1. 6.1.1. Setting EntryUSN Initial Values During Import
  2. 6.1.2. Importing Using the Command Line
    
    Expand section "6.1.2. Importing Using the Command Line" Collapse section "6.1.2. Importing Using the Command Line"
    
    6.1.2.1. Importing Data While the Server is Running
    
    Expand section "6.1.2.1. Importing Data While the Server is Running" Collapse section "6.1.2.1. Importing Data While the Server is Running"
    
    6.1.2.1.1. Importing Using the dsconf backend import Command
    
    6.1.2.1.2. Importing Data Using a cn=tasks Entry
    
    6.1.2.2. Importing Data While the Server is Offline
  3. 6.1.3. Importing Data Using the Web Console
2. 6.2. Exporting Data
  Expand section "6.2. Exporting Data" Collapse section "6.2. Exporting Data"
  1. 6.2.1. Exporting Data into an LDIF File Using the Command Line
    
    Expand section "6.2.1. Exporting Data into an LDIF File Using the Command Line" Collapse section "6.2.1. Exporting Data into an LDIF File Using the Command Line"
    
    6.2.1.1. Exporting a Database While the Server is Running
    
    Expand section "6.2.1.1. Exporting a Database While the Server is Running" Collapse section "6.2.1.1. Exporting a Database While the Server is Running"
    
    6.2.1.1.1. Exporting a Databases Using the dsconf backend export Command
    
    6.2.1.1.2. Exporting a Database Using a cn=tasks Entry
    
    6.2.1.2. Exporting a Database While the Server is Offline
  2. 6.2.2. Exporting a Suffix to an LDIF File Using the Web Console
  3. 6.2.3. Enabling Members of a Group to Export Data and Performing the Export as One of the Group Members
    
    Expand section "6.2.3. Enabling Members of a Group to Export Data and Performing the Export as One of the Group Members" Collapse section "6.2.3. Enabling Members of a Group to Export Data and Performing the Export as One of the Group Members"
    
    6.2.3.1. Enabling a Group to Export Data
    
    6.2.3.2. Performing an Export as a Regular User
3. 6.3. Backing up Directory Server
  Expand section "6.3. Backing up Directory Server" Collapse section "6.3. Backing up Directory Server"
  1. 6.3.1. Backing up All Databases Using the Command Line
    
    Expand section "6.3.1. Backing up All Databases Using the Command Line" Collapse section "6.3.1. Backing up All Databases Using the Command Line"
    
    6.3.1.1. Backing up All Databases While the Server is Running
    
    Expand section "6.3.1.1. Backing up All Databases While the Server is Running" Collapse section "6.3.1.1. Backing up All Databases While the Server is Running"
    
    6.3.1.1.1. Backing up All Databases Using the dsconf backup create Command
    
    6.3.1.1.2. Backing up All Databases Using a cn=tasks entry
    
    6.3.1.2. Backing up All Databases While the Server is Offline
  2. 6.3.2. Backup up all Databases Using the Web Console
  3. 6.3.3. Backing up Configuration Files, the Certificate Database, and Custom Schema Files
  4. 6.3.4. Enabling Members of a Group to Back up Directory Server and Performing the Backup as One of the Group Members
    
    Expand section "6.3.4. Enabling Members of a Group to Back up Directory Server and Performing the Backup as One of the Group Members" Collapse section "6.3.4. Enabling Members of a Group to Back up Directory Server and Performing the Backup as One of the Group Members"
    
    6.3.4.1. Enabling a Group to Back up Directory Server
    
    6.3.4.2. Performing a Backup as a Regular User
4. 6.4. Restoring Directory Server
  Expand section "6.4. Restoring Directory Server" Collapse section "6.4. Restoring Directory Server"
  1. 6.4.1. Restoring All Databases Using the Command Line
    
    Expand section "6.4.1. Restoring All Databases Using the Command Line" Collapse section "6.4.1. Restoring All Databases Using the Command Line"
    
    6.4.1.1. Restoring All Databases While the Server is Running
    
    Expand section "6.4.1.1. Restoring All Databases While the Server is Running" Collapse section "6.4.1.1. Restoring All Databases While the Server is Running"
    
    6.4.1.1.1. Restoring All Databases Using the dsconf backup restore Command
    
    6.4.1.1.2. Restoring all Databases Using a cn=tasks entry
    
    6.4.1.2. Restoring all Databases While the Server is Offline
  2. 6.4.2. Restoring All Databases Using the Web Console
  3. 6.4.3. Restoring Databases That Include Replicated Entries
7. Managing Attributes and Values
Expand section "7. Managing Attributes and Values" Collapse section "7. Managing Attributes and Values"
1. 7.1. Enforcing Attribute Uniqueness
  Expand section "7.1. Enforcing Attribute Uniqueness" Collapse section "7.1. Enforcing Attribute Uniqueness"
  1. 7.1.1. Creating a New Configuration Record of the Attribute Uniqueness Plug-in
  2. 7.1.2. Configuring Attribute Uniqueness over Suffixes or Subtrees
    
    Expand section "7.1.2. Configuring Attribute Uniqueness over Suffixes or Subtrees" Collapse section "7.1.2. Configuring Attribute Uniqueness over Suffixes or Subtrees"
    
    7.1.2.1. Configuring Attribute Uniqueness over Suffixes or Subtrees Using the Command Line
    
    7.1.2.2. Configuring Attribute Uniqueness over Suffixes or Subtrees Using the Web Console
  3. 7.1.3. Configuring Attribute Uniqueness over Object Classes
  4. 7.1.4. Attribute Uniqueness Plug-in Configuration Parameters
2. 7.2. Assigning Class of Service
  Expand section "7.2. Assigning Class of Service" Collapse section "7.2. Assigning Class of Service"
  1. 7.2.1. About the CoS Definition Entry
  2. 7.2.2. About the CoS Template Entry
  3. 7.2.3. How a Pointer CoS Works
  4. 7.2.4. How an Indirect CoS Works
  5. 7.2.5. How a Classic CoS Works
  6. 7.2.6. Handling Physical Attribute Values
  7. 7.2.7. Handling Multi-valued Attributes with CoS
  8. 7.2.8. Searches for CoS-Specified Attributes
  9. 7.2.9. Access Control and CoS
  10. 7.2.10. Managing CoS from the Command Line
    
    Expand section "7.2.10. Managing CoS from the Command Line" Collapse section "7.2.10. Managing CoS from the Command Line"
    
    7.2.10.1. Creating the CoS Definition Entry from the Command Line
    
    7.2.10.2. Creating the CoS Template Entry from the Command Line
    
    7.2.10.3. Example of a Pointer CoS
    
    7.2.10.4. Example of an Indirect CoS
    
    7.2.10.5. Example of a Classic CoS
    
    7.2.10.6. Searching for CoS Entries
    
    7.2.10.7. The costargettree attribute
  11. 7.2.11. Creating Role-Based Attributes
3. 7.3. Linking Attributes to Manage Attribute Values
  Expand section "7.3. Linking Attributes to Manage Attribute Values" Collapse section "7.3. Linking Attributes to Manage Attribute Values"
  1. 7.3.1. About Linking Attributes
  2. 7.3.2. Looking at the Linking Attributes Plug-in Syntax
  3. 7.3.3. Configuring Attribute Links
  4. 7.3.4. Cleaning up Attribute Links
    
    Expand section "7.3.4. Cleaning up Attribute Links" Collapse section "7.3.4. Cleaning up Attribute Links"
    
    7.3.4.1. Regenerating Linked Attributes
    
    7.3.4.2. Regenerating Linked Attributes Using ldapmodify
4. 7.4. Assigning and Managing Unique Numeric Attribute Values
  Expand section "7.4. Assigning and Managing Unique Numeric Attribute Values" Collapse section "7.4. Assigning and Managing Unique Numeric Attribute Values"
  1. 7.4.1. About Dynamic Number Assignments
    
    Expand section "7.4.1. About Dynamic Number Assignments" Collapse section "7.4.1. About Dynamic Number Assignments"
    
    7.4.1.1. Filters, Searches, and Target Entries
    
    7.4.1.2. Ranges and Assigning Numbers
    
    7.4.1.3. Multiple Attributes in the Same Range
  2. 7.4.2. Looking at the DNA Plug-in Syntax
  3. 7.4.3. Configuring Unique Number Assignments
    
    Expand section "7.4.3. Configuring Unique Number Assignments" Collapse section "7.4.3. Configuring Unique Number Assignments"
    
    7.4.3.1. Creating a New Instance of the DNA Plug-in
    
    7.4.3.2. Configuring Unique Number Assignments Using the Command Line
    
    7.4.3.3. Configuring Unique Number Assignments Using the Web Console
  4. 7.4.4. Distributed Number Assignment Plug-in Performance Notes
8. Organizing and Grouping Entries
Expand section "8. Organizing and Grouping Entries" Collapse section "8. Organizing and Grouping Entries"
1. 8.1. Using Groups
  Expand section "8.1. Using Groups" Collapse section "8.1. Using Groups"
  1. 8.1.1. The Different Types of Groups
  2. 8.1.2. Creating a Static Group
    
    Expand section "8.1.2. Creating a Static Group" Collapse section "8.1.2. Creating a Static Group"
    
    8.1.2.1. Creating a Static Group Using the Command Line
  3. 8.1.3. Creating a Dynamic Group
    
    Expand section "8.1.3. Creating a Dynamic Group" Collapse section "8.1.3. Creating a Dynamic Group"
    
    8.1.3.1. Creating a Dynamic Group Using the Command Line
  4. 8.1.4. Listing Group Membership in User Entries
    
    Expand section "8.1.4. Listing Group Membership in User Entries" Collapse section "8.1.4. Listing Group Membership in User Entries"
    
    8.1.4.1. Considerations When Using the memberOf Plug-in
    
    8.1.4.2. Required Object Classes by the memberOf Plug-In
    
    8.1.4.3. The MemberOf Plug-in Syntax
    
    8.1.4.4. Enabling the MemberOf Plug-in
    
    Expand section "8.1.4.4. Enabling the MemberOf Plug-in" Collapse section "8.1.4.4. Enabling the MemberOf Plug-in"
    
    8.1.4.4.1. Enabling the MemberOf Plug-in Using the Command Line
    
    8.1.4.4.2. Enabling the MemberOf Plug-in Using the Web Console
    
    8.1.4.5. Configuring the MemberOf Plug-in on Each Server
    
    Expand section "8.1.4.5. Configuring the MemberOf Plug-in on Each Server" Collapse section "8.1.4.5. Configuring the MemberOf Plug-in on Each Server"
    
    8.1.4.5.1. Configuring the MemberOf Plug-in on Each Server Using the Command Line
    
    8.1.4.5.2. Configuring the MemberOf Plug-in on Each Server Using the Web Console
    
    8.1.4.6. Using the MemberOf Plug-in Shared Configuration
    
    8.1.4.7. Setting the Scope of the MemberOf Plug-in
    
    8.1.4.8. Regenerating memberOf Values
  5. 8.1.5. Automatically Adding Entries to Specified Groups
    
    Expand section "8.1.5. Automatically Adding Entries to Specified Groups" Collapse section "8.1.5. Automatically Adding Entries to Specified Groups"
    
    8.1.5.1. Looking at the Structure of an Automembership Rule
    
    Expand section "8.1.5.1. Looking at the Structure of an Automembership Rule" Collapse section "8.1.5.1. Looking at the Structure of an Automembership Rule"
    
    8.1.5.1.1. The Automembership Configuration Entry
    
    8.1.5.1.2. Additional Regular Expression Entries
    
    8.1.5.2. Configuring Auto Membership Definitions
    
    Expand section "8.1.5.2. Configuring Auto Membership Definitions" Collapse section "8.1.5.2. Configuring Auto Membership Definitions"
    
    8.1.5.2.1. Configuring Auto Membership Definitions Using the Command Line
    
    8.1.5.2.2. Configuring Auto Membership Definitions Using the Web Console
    
    8.1.5.3. Updating Existing Entries to apply Auto Membership Definitions
    
    8.1.5.4. Examples of Automembership Rules
    
    8.1.5.5. Testing Automembership Definitions
    
    8.1.5.6. Canceling the Auto Membership Plug-in Task
2. 8.2. Using Roles
  Expand section "8.2. Using Roles" Collapse section "8.2. Using Roles"
  1. 8.2.1. About Roles
  2. 8.2.2. Managing Roles Using the Command Line
    
    Expand section "8.2.2. Managing Roles Using the Command Line" Collapse section "8.2.2. Managing Roles Using the Command Line"
    
    8.2.2.1. Creating a Managed Role
    
    Expand section "8.2.2.1. Creating a Managed Role" Collapse section "8.2.2.1. Creating a Managed Role"
    
    8.2.2.1.1. Creating Managed Roles through the Command Line
    
    8.2.2.2. Creating a Filtered Role
    
    Expand section "8.2.2.2. Creating a Filtered Role" Collapse section "8.2.2.2. Creating a Filtered Role"
    
    8.2.2.2.1. Creating a Filtered Role through the Command Line
    
    8.2.2.3. Creating a Nested Role
    
    Expand section "8.2.2.3. Creating a Nested Role" Collapse section "8.2.2.3. Creating a Nested Role"
    
    8.2.2.3.1. Creating Nested Role through the Command Line
    
    8.2.2.4. Viewing Roles for an Entry through the Command Line
    
    8.2.2.5. About Deleting Roles
  3. 8.2.3. Managing Roles in Directory Server Using the LDAP Browser
    
    Expand section "8.2.3. Managing Roles in Directory Server Using the LDAP Browser" Collapse section "8.2.3. Managing Roles in Directory Server Using the LDAP Browser"
    
    8.2.3.1. Creating a role in the LDAP browser
    
    8.2.3.2. Modifying a Role in the LDAP browser
    
    8.2.3.3. Deleting a Role in the LDAP browser
  4. 8.2.4. Using Roles Securely
3. 8.3. Automatically Creating Dual Entries
  Expand section "8.3. Automatically Creating Dual Entries" Collapse section "8.3. Automatically Creating Dual Entries"
  1. 8.3.1. About Managed Entries
    
    Expand section "8.3.1. About Managed Entries" Collapse section "8.3.1. About Managed Entries"
    
    8.3.1.1. About the Instance Definition Entry
    
    8.3.1.2. About the Template Entry
    
    8.3.1.3. Entry Attributes Written by the Managed Entries Plug-in
    
    8.3.1.4. Managed Entries Plug-in and Directory Server Operations
  2. 8.3.2. Creating the Managed Entries Template Entry
  3. 8.3.3. Creating the Managed Entries Instance Definition
  4. 8.3.4. Putting Managed Entries Plug-in Configuration in a Replicated Database
4. 8.4. Using Views
  Expand section "8.4. Using Views" Collapse section "8.4. Using Views"
5. 8.5. Managing Organizational Units
9. Configuring Secure Connections
Expand section "9. Configuring Secure Connections" Collapse section "9. Configuring Secure Connections"
1. 9.1. Requiring Secure Connections
2. 9.2. Setting a Minimum Strength Factor
3. 9.3. Managing the NSS Database Used by Directory Server
  Expand section "9.3. Managing the NSS Database Used by Directory Server" Collapse section "9.3. Managing the NSS Database Used by Directory Server"
  1. 9.3.1. Creating a Certificate Signing Request
    
    Expand section "9.3.1. Creating a Certificate Signing Request" Collapse section "9.3.1. Creating a Certificate Signing Request"
    
    9.3.1.1. Creating a Certificate Signing Request Using the Command Line
  2. 9.3.2. Installing a CA Certificate
    
    Expand section "9.3.2. Installing a CA Certificate" Collapse section "9.3.2. Installing a CA Certificate"
    
    9.3.2.1. Installing a CA Certificate Using the Command Line
    
    9.3.2.2. Installing a CA Certificate Using the Web Console
  3. 9.3.3. Importing a Private Key and Server Certificate
  4. 9.3.4. Installing a Server Certificate
    
    Expand section "9.3.4. Installing a Server Certificate" Collapse section "9.3.4. Installing a Server Certificate"
    
    9.3.4.1. Installing a Server Certificate Using the Command Line
    
    9.3.4.2. Installing a Server Certificate Using the Web Console
  5. 9.3.5. Generating and Installing a Self-signed Certificate
  6. 9.3.6. Renewing a Certificate
    
    Expand section "9.3.6. Renewing a Certificate" Collapse section "9.3.6. Renewing a Certificate"
    
    9.3.6.1. Renewing a Certificate Using the Command Line
  7. 9.3.7. Removing a Certificate
    
    Expand section "9.3.7. Removing a Certificate" Collapse section "9.3.7. Removing a Certificate"
    
    9.3.7.1. Removing a Certificate Using the Command Line
    
    9.3.7.2. Removing a Certificate Using the Web Console
  8. 9.3.8. Removing a Private Key
    
    Expand section "9.3.8. Removing a Private Key" Collapse section "9.3.8. Removing a Private Key"
    
    9.3.8.1. Removing a Private Key Using the Command Line
  9. 9.3.9. Changing the CA Trust Options
    
    Expand section "9.3.9. Changing the CA Trust Options" Collapse section "9.3.9. Changing the CA Trust Options"
    
    9.3.9.1. Changing the CA Trust Options Using the Command Line
    
    9.3.9.2. Changing the CA Trust Options Using the Web Console
  10. 9.3.10. Changing the Password of the NSS Database
    
    Expand section "9.3.10. Changing the Password of the NSS Database" Collapse section "9.3.10. Changing the Password of the NSS Database"
    
    9.3.10.1. Changing the Password of the NSS Database Using the Command Line
4. 9.4. Enabling TLS
  Expand section "9.4. Enabling TLS" Collapse section "9.4. Enabling TLS"
  1. 9.4.1. Enabling TLS in Directory Server
    
    Expand section "9.4.1. Enabling TLS in Directory Server" Collapse section "9.4.1. Enabling TLS in Directory Server"
    
    9.4.1.1. Enabling TLS in Directory Server Using the Command Line
    
    9.4.1.2. Enabling TLS in Directory Server Using the Web Console
    
    9.4.1.3. Setting Encryption Ciphers
    
    Expand section "9.4.1.3. Setting Encryption Ciphers" Collapse section "9.4.1.3. Setting Encryption Ciphers"
    
    9.4.1.3.1. Displaying the Default Ciphers
    
    9.4.1.3.2. Displaying and Setting the Ciphers Used by Directory Server Using the Command Line
    
    9.4.1.3.3. Displaying and Setting the Ciphers Used by Directory Server Using the Web Console
    
    9.4.1.4. Starting Directory Server Without a Password File
    
    9.4.1.5. Creating a Password File for Directory Server
    
    9.4.1.6. Managing How Directory Server Behaves If the Certificate Has Been Expired
  2. 9.4.2. Adding the CA Certificate Used By Directory Server to the Trust Store of Red Hat Enterprise Linux
5. 9.5. Displaying the Encryption Protocols Enabled in Directory Server
6. 9.6. Setting the Minimum TLS Encryption Protocol Version
7. 9.7. Setting the Highest TLS Encryption Protocol Version
8. 9.8. Using Hardware Security Modules
9. 9.9. Using Certificate-based Client Authentication
  Expand section "9.9. Using Certificate-based Client Authentication" Collapse section "9.9. Using Certificate-based Client Authentication"
10. 9.10. Setting up SASL Identity Mapping
  Expand section "9.10. Setting up SASL Identity Mapping" Collapse section "9.10. Setting up SASL Identity Mapping"
  1. 9.10.1. About SASL Identity Mapping
  2. 9.10.2. Default SASL Mappings for Directory Server
  3. 9.10.3. Configuring SASL Identity Mapping
    
    Expand section "9.10.3. Configuring SASL Identity Mapping" Collapse section "9.10.3. Configuring SASL Identity Mapping"
    
    9.10.3.1. Configuring SASL Identity Mapping Using the Command Line
    
    9.10.3.2. Configuring SASL Identity Mapping Using the Web Console
  4. 9.10.4. Enabling SASL Mapping Fallback
    
    Expand section "9.10.4. Enabling SASL Mapping Fallback" Collapse section "9.10.4. Enabling SASL Mapping Fallback"
    
    9.10.4.1. Setting SASL Mapping Priorities
11. 9.11. Using Kerberos GSS-API with SASL
  Expand section "9.11. Using Kerberos GSS-API with SASL" Collapse section "9.11. Using Kerberos GSS-API with SASL"
  1. 9.11.1. Authentication Mechanisms for SASL in Directory Server
  2. 9.11.2. About Kerberos in Directory Server
    
    Expand section "9.11.2. About Kerberos in Directory Server" Collapse section "9.11.2. About Kerberos in Directory Server"
    
    9.11.2.1. About Principals and Realms
    
    9.11.2.2. About the KDC Server and Keytabs
  3. 9.11.3. Configuring SASL Authentication at Directory Server Startup
12. 9.12. Setting SASL Mechanisms
13. 9.13. Using SASL with LDAP Clients
10. Configuring Attribute Encryption
Expand section "10. Configuring Attribute Encryption" Collapse section "10. Configuring Attribute Encryption"
1. 10.1. Encryption Keys
2. 10.2. Encryption Ciphers
3. 10.3. Configuring Attribute Encryption
  Expand section "10.3. Configuring Attribute Encryption" Collapse section "10.3. Configuring Attribute Encryption"
4. 10.4. Exporting and Importing an Encrypted Database
  Expand section "10.4. Exporting and Importing an Encrypted Database" Collapse section "10.4. Exporting and Importing an Encrypted Database"
  1. 10.4.1. Exporting an Encrypted Database
  2. 10.4.2. Importing an LDIF File into an Encrypted Database
5. 10.5. Updating the TLS Certificates Used for Attribute Encryption
11. Managing FIPS Mode Support
12. Managing the Directory Schema
Expand section "12. Managing the Directory Schema" Collapse section "12. Managing the Directory Schema"
1. 12.1. Overview of Schema
  Expand section "12.1. Overview of Schema" Collapse section "12.1. Overview of Schema"
  1. 12.1.1. Default Schema Files
  2. 12.1.2. Object Classes
  3. 12.1.3. Attributes
    
    Expand section "12.1.3. Attributes" Collapse section "12.1.3. Attributes"
    
    12.1.3.1. Directory Server Attribute Syntaxes
  4. 12.1.4. Extending the Schema
  5. 12.1.5. Schema Replication
2. 12.2. Managing Object Identifiers
3. 12.3. Creating an Object Class
  Expand section "12.3. Creating an Object Class" Collapse section "12.3. Creating an Object Class"
  1. 12.3.1. Creating an Object Class Using the Command Line
  2. 12.3.2. Creating an Object Class Using the Web Console
4. 12.4. Updating an Object Class
  Expand section "12.4. Updating an Object Class" Collapse section "12.4. Updating an Object Class"
  1. 12.4.1. Updating an Object Class Using the Command Line
  2. 12.4.2. Updating an Object Class Using the Web Console
5. 12.5. Removing an Object Class
  Expand section "12.5. Removing an Object Class" Collapse section "12.5. Removing an Object Class"
  1. 12.5.1. Removing an Object Class Using the Command Line
  2. 12.5.2. Removing an Object Class Using the Web Console
6. 12.6. Creating an Attribute
  Expand section "12.6. Creating an Attribute" Collapse section "12.6. Creating an Attribute"
  1. 12.6.1. Creating an Attribute Using the Command Line
  2. 12.6.2. Creating an Attribute Using the Web Console
7. 12.7. Updating an attribute
  Expand section "12.7. Updating an attribute" Collapse section "12.7. Updating an attribute"
  1. 12.7.1. Updating an Attribute Using the Command Line
  2. 12.7.2. Updating an Attribute Using the Web Console
8. 12.8. Removing an Attribute
  Expand section "12.8. Removing an Attribute" Collapse section "12.8. Removing an Attribute"
  1. 12.8.1. Removing an Attribute Using the Command Line
  2. 12.8.2. Removing an Attribute Using the Web Console
9. 12.9. Creating Custom Schema Files
10. 12.10. Dynamically Reloading Schema
  Expand section "12.10. Dynamically Reloading Schema" Collapse section "12.10. Dynamically Reloading Schema"
11. 12.11. Turning Schema Checking On and Off
  Expand section "12.11. Turning Schema Checking On and Off" Collapse section "12.11. Turning Schema Checking On and Off"
  1. 12.11.1. Turning Schema Checking On and Off Using the Command Line
  2. 12.11.2. Turning Schema Checking On and Off Using the Web Console
12. 12.12. Using Syntax Validation
  Expand section "12.12. Using Syntax Validation" Collapse section "12.12. Using Syntax Validation"
  1. 12.12.1. About Syntax Validation
  2. 12.12.2. Syntax Validation and Other Directory Server Operations
    
    Expand section "12.12.2. Syntax Validation and Other Directory Server Operations" Collapse section "12.12.2. Syntax Validation and Other Directory Server Operations"
    
    12.12.2.1. Turning Syntax Validation On and Off Using the Command Line
    
    12.12.2.2. Turning Syntax Validation On and Off Using the Web Console
  3. 12.12.3. Enabling or Disabling Strict Syntax Validation for DNs
    
    Expand section "12.12.3. Enabling or Disabling Strict Syntax Validation for DNs" Collapse section "12.12.3. Enabling or Disabling Strict Syntax Validation for DNs"
    
    12.12.3.1. Enabling or Disabling Strict Syntax Validation for DNs Using the Command Line
    
    12.12.3.2. Enabling or Disabling Strict Syntax Validation for DNs Using the Web Console
  4. 12.12.4. Enabling Syntax Validation Logging
    
    Expand section "12.12.4. Enabling Syntax Validation Logging" Collapse section "12.12.4. Enabling Syntax Validation Logging"
    
    12.12.4.1. Enabling Syntax Validation Logging Using the Command Line
    
    12.12.4.2. Enabling Syntax Validation Logging Using the Web Console
  5. 12.12.5. Validating the Syntax of Existing Attribute Values
    
    Expand section "12.12.5. Validating the Syntax of Existing Attribute Values" Collapse section "12.12.5. Validating the Syntax of Existing Attribute Values"
    
    12.12.5.1. Creating a Syntax Validation Task Using the dsconf schema validate-syntax Command
    
    12.12.5.2. Creating a Syntax Validation Task Using a cn=tasks Entry
13. Managing Indexes
Expand section "13. Managing Indexes" Collapse section "13. Managing Indexes"
1. 13.1. About Indexes
  Expand section "13.1. About Indexes" Collapse section "13.1. About Indexes"
2. 13.2. Creating Standard Indexes
  Expand section "13.2. Creating Standard Indexes" Collapse section "13.2. Creating Standard Indexes"
  1. 13.2.1. Creating Indexes Using the Command Line
  2. 13.2.2. Creating Indexes Using the Web Console
3. 13.3. Creating New Indexes to Existing Databases
  Expand section "13.3. Creating New Indexes to Existing Databases" Collapse section "13.3. Creating New Indexes to Existing Databases"
  1. 13.3.1. Creating an Index While the Instance is Running
    
    Expand section "13.3.1. Creating an Index While the Instance is Running" Collapse section "13.3.1. Creating an Index While the Instance is Running"
    
    13.3.1.1. Creating an Index Using the dsconf backend index reindex Command
    
    13.3.1.2. Creating an Index Using a cn=tasks Entry
  2. 13.3.2. Creating an Index While the Instance Offline
4. 13.4. Using virtual list view control to request a contiguous subset of a large search result
  Expand section "13.4. Using virtual list view control to request a contiguous subset of a large search result" Collapse section "13.4. Using virtual list view control to request a contiguous subset of a large search result"
5. 13.5. Changing the Index Sort Order
  Expand section "13.5. Changing the Index Sort Order" Collapse section "13.5. Changing the Index Sort Order"
  1. 13.5.1. Changing the Sort Order Using the Command Line
6. 13.6. Changing the Width for Indexed Substring Searches
7. 13.7. Deleting Indexes
  Expand section "13.7. Deleting Indexes" Collapse section "13.7. Deleting Indexes"
  1. 13.7.1. Deleting an Attribute from the Default Index Entry
  2. 13.7.2. Removing an Attribute from the Index
    
    Expand section "13.7.2. Removing an Attribute from the Index" Collapse section "13.7.2. Removing an Attribute from the Index"
    
    13.7.2.1. Removing an Attribute from the Index Using the Command Line
    
    13.7.2.2. Removing an Attribute from the Index Using the Web Console
  3. 13.7.3. Deleting Index Types Using the Command Line
  4. 13.7.4. Removing Browsing Indexes
    
    Expand section "13.7.4. Removing Browsing Indexes" Collapse section "13.7.4. Removing Browsing Indexes"
    
    13.7.4.1. Removing Browsing Indexes Using the Command Line
14. Finding Directory Entries
Expand section "14. Finding Directory Entries" Collapse section "14. Finding Directory Entries"
1. 14.1. Finding Directory Entries Using the Command Line
  Expand section "14.1. Finding Directory Entries Using the Command Line" Collapse section "14.1. Finding Directory Entries Using the Command Line"
2. 14.2. Finding Entries Using the Web Console
3. 14.3. LDAP Search Filters
  Expand section "14.3. LDAP Search Filters" Collapse section "14.3. LDAP Search Filters"
4. 14.4. Examples of Common ldapsearches
  Expand section "14.4. Examples of Common ldapsearches" Collapse section "14.4. Examples of Common ldapsearches"
5. 14.5. Improving Search Performance through Resource Limits
  Expand section "14.5. Improving Search Performance through Resource Limits" Collapse section "14.5. Improving Search Performance through Resource Limits"
6. 14.6. Using Persistent Search
7. 14.7. Searching with Specified Controls
  Expand section "14.7. Searching with Specified Controls" Collapse section "14.7. Searching with Specified Controls"
15. Managing Replication
Expand section "15. Managing Replication" Collapse section "15. Managing Replication"
1. 15.1. Replication Overview
  Expand section "15.1. Replication Overview" Collapse section "15.1. Replication Overview"
2. 15.2. Configuring Bootstrap Credentials
3. 15.3. Single-supplier Replication
  Expand section "15.3. Single-supplier Replication" Collapse section "15.3. Single-supplier Replication"
  1. 15.3.1. Setting up Single-supplier Replication Using the Command Line
  2. 15.3.2. Setting up Single-supplier Replication Using the Web Console
4. 15.4. Multi-Supplier Replication
  Expand section "15.4. Multi-Supplier Replication" Collapse section "15.4. Multi-Supplier Replication"
5. 15.5. Cascading Replication
  Expand section "15.5. Cascading Replication" Collapse section "15.5. Cascading Replication"
  1. 15.5.1. Setting up Cascading Replication Using the Command Line
  2. 15.5.2. Setting up Cascading Replication Using the Web Console
6. 15.6. Configuring Replication Partners to use Certificate-based Authentication
7. 15.7. Promoting a Consumer or Hub to a Supplier
  Expand section "15.7. Promoting a Consumer or Hub to a Supplier" Collapse section "15.7. Promoting a Consumer or Hub to a Supplier"
  1. 15.7.1. Promoting a Consumer or Hub to a Supplier Using the Command Line
  2. 15.7.2. Promoting a Consumer or Hub to a Supplier Using the Web Console
8. 15.8. About Initializing a Consumer
  Expand section "15.8. About Initializing a Consumer" Collapse section "15.8. About Initializing a Consumer"
  1. 15.8.1. When to Initialize a Consumer
  2. 15.8.2. Setting Initialization Timeouts
  3. 15.8.3. Initializing a Consumer
    
    Expand section "15.8.3. Initializing a Consumer" Collapse section "15.8.3. Initializing a Consumer"
    
    15.8.3.1. Initializing a Consumer Using the Command Line
    
    Expand section "15.8.3.1. Initializing a Consumer Using the Command Line" Collapse section "15.8.3.1. Initializing a Consumer Using the Command Line"
    
    15.8.3.1.1. Initializing a Consumer Online
    
    15.8.3.1.2. Initializing a Consumer Offline
  4. 15.8.4. Initializing a Consumer Using the Web Console
9. 15.9. Disabling and Re-enabling Replication
10. 15.10. Removing a Directory Server Instance from the Replication Topology
  Expand section "15.10. Removing a Directory Server Instance from the Replication Topology" Collapse section "15.10. Removing a Directory Server Instance from the Replication Topology"
  1. 15.10.1. Removing a Consumer or Hub from the Replication Topology
  2. 15.10.2. Removing a Supplier from the Replication Topology
11. 15.11. Managing Attributes Within Fractional Replication
  Expand section "15.11. Managing Attributes Within Fractional Replication" Collapse section "15.11. Managing Attributes Within Fractional Replication"
12. 15.12. Managing Deleted Entries with Replication
13. 15.13. Configuring Changelog Encryption
14. 15.14. Removing the Changelog
  Expand section "15.14. Removing the Changelog" Collapse section "15.14. Removing the Changelog"
  1. 15.14.1. Removing the Changelog using the Command Line
  2. 15.14.2. Removing the Changelog using the Web Console
15. 15.15. Exporting the Replication Changelog
16. 15.16. Importing the Replication Changelog from an LDIF-formatted Changelog Dump
17. 15.17. Moving the Replication Changelog Directory
18. 15.18. Trimming the Replication Changelog
  Expand section "15.18. Trimming the Replication Changelog" Collapse section "15.18. Trimming the Replication Changelog"
  1. 15.18.1. Configuring Replication Changelog Trimming
  2. 15.18.2. Manually Reducing the Size of a Large Changelog
19. 15.19. Forcing Replication Updates
20. 15.20. Setting Replication Timeout Periods
21. 15.21. Using the Retro Changelog Plug-in
  Expand section "15.21. Using the Retro Changelog Plug-in" Collapse section "15.21. Using the Retro Changelog Plug-in"
  1. 15.21.1. Enabling the Retro Changelog Plug-in
    
    Expand section "15.21.1. Enabling the Retro Changelog Plug-in" Collapse section "15.21.1. Enabling the Retro Changelog Plug-in"
    
    15.21.1.1. Enabling the Retro Changelog Plug-in Using the Command Line
    
    15.21.1.2. Enabling the Retro Changelog Plug-in Using the Web Console
  2. 15.21.2. Trimming the Retro Changelog
  3. 15.21.3. Searching and Modifying the Retro Changelog
  4. 15.21.4. Retro Changelog and the Access Control Policy
22. 15.22. Displaying the Status of a Specific Replication Agreement
  Expand section "15.22. Displaying the Status of a Specific Replication Agreement" Collapse section "15.22. Displaying the Status of a Specific Replication Agreement"
  1. 15.22.1. Displaying the Status of a Specific Replication Agreement Using the Command-Line
  2. 15.22.2. Displaying the Status of a Specific Replication Agreement Using the Web Console
23. 15.23. Monitoring the Replication Topology
  Expand section "15.23. Monitoring the Replication Topology" Collapse section "15.23. Monitoring the Replication Topology"
  1. 15.23.1. Setting Credentials for Replication Monitoring in the .dsrc File
  2. 15.23.2. Using Aliases in the Replication Topology Monitoring Output
24. 15.24. Comparing Two Directory Server Instances
25. 15.25. Solving Common Replication Conflicts
  Expand section "15.25. Solving Common Replication Conflicts" Collapse section "15.25. Solving Common Replication Conflicts"
26. 15.26. Troubleshooting Replication-Related Problems
  Expand section "15.26. Troubleshooting Replication-Related Problems" Collapse section "15.26. Troubleshooting Replication-Related Problems"
  1. 15.26.1. Possible Replication-related Error Messages
16. Synchronizing Red Hat Directory Server with Microsoft Active Directory
Expand section "16. Synchronizing Red Hat Directory Server with Microsoft Active Directory" Collapse section "16. Synchronizing Red Hat Directory Server with Microsoft Active Directory"
1. 16.1. About Windows Synchronization
2. 16.2. Supported Active Directory Versions
3. 16.3. Synchronizing Passwords
4. 16.4. Setting up Synchronization Between Active Directory and Directory Server
  Expand section "16.4. Setting up Synchronization Between Active Directory and Directory Server" Collapse section "16.4. Setting up Synchronization Between Active Directory and Directory Server"
  1. 16.4.1. Step 1: Enabling TLS on the Directory Server Host
  2. 16.4.2. Step 2: Enabling Password Complexity in the AD Domain
  3. 16.4.3. Step 3: Extracting the CA Certificate from AD
  4. 16.4.4. Step 4: Extracting the CA Certificate from the Directory Server's NSS Database
  5. 16.4.5. Step 5: Creating the Synchronization Accounts
  6. 16.4.6. Step 6: Installing the Password Sync Service
  7. 16.4.7. Step 7: Adding the CA Certificate Directory Server uses to the Password Sync Service's Certificate Database
  8. 16.4.8. Step 8: Adding the CA Certificate AD uses to Directory Server's Certificate Database
  9. 16.4.9. Step 9: Configuring the Database for Synchronization and Creating the Synchronization Agreement
    
    Expand section "16.4.9. Step 9: Configuring the Database for Synchronization and Creating the Synchronization Agreement" Collapse section "16.4.9. Step 9: Configuring the Database for Synchronization and Creating the Synchronization Agreement"
    
    16.4.9.1. Configuring the Database for Synchronization and Creating the Synchronization Agreement Using the Command Line
    
    16.4.9.2. Configuring the Database for Synchronization and Creating the Synchronization Agreement Using the Web Console
5. 16.5. Synchronizing Users
  Expand section "16.5. Synchronizing Users" Collapse section "16.5. Synchronizing Users"
  1. 16.5.1. User Attributes Synchronized between Directory Server and Active Directory
  2. 16.5.2. User Schema Differences between Red Hat Directory Server and Active Directory
    
    Expand section "16.5.2. User Schema Differences between Red Hat Directory Server and Active Directory" Collapse section "16.5.2. User Schema Differences between Red Hat Directory Server and Active Directory"
    
    16.5.2.1. Values for cn Attributes
    
    16.5.2.2. Password Policies
    
    16.5.2.3. Values for street and streetAddress
    
    16.5.2.4. Constraints on the initials Attribute
  3. 16.5.3. Configuring User Synchronization for Directory Server Users
  4. 16.5.4. Configuring User Synchronization for Active Directory Users
6. 16.6. Synchronizing Groups
  Expand section "16.6. Synchronizing Groups" Collapse section "16.6. Synchronizing Groups"
7. 16.7. Configuring Uni-Directional Synchronization
8. 16.8. Configuring Multiple Subtrees and Filters in Windows Synchronization
9. 16.9. Synchronizing POSIX Attributes for Users and Groups
  Expand section "16.9. Synchronizing POSIX Attributes for Users and Groups" Collapse section "16.9. Synchronizing POSIX Attributes for Users and Groups"
10. 16.10. Deleting and Resurrecting Entries
  Expand section "16.10. Deleting and Resurrecting Entries" Collapse section "16.10. Deleting and Resurrecting Entries"
  1. 16.10.1. Deleting Entries
  2. 16.10.2. Resurrecting Entries
11. 16.11. Sending Synchronization Updates
  Expand section "16.11. Sending Synchronization Updates" Collapse section "16.11. Sending Synchronization Updates"
  1. 16.11.1. Performing a Manual Incremental Synchronization
  2. 16.11.2. Performing a Full Synchronization
    
    Expand section "16.11.2. Performing a Full Synchronization" Collapse section "16.11.2. Performing a Full Synchronization"
    
    16.11.2.1. Performing a Full Synchronization Using the Command Line
    
    16.11.2.2. Performing a Full Synchronization Using the Web Console
  3. 16.11.3. Setting Synchronization Schedules
  4. 16.11.4. Changing Synchronization Connections
  5. 16.11.5. Handling Entries That Move Out of the Synchronized Subtree
12. 16.12. Troubleshooting
17. Setting up Content Synchronization Using the SyncRepl Protocol
Expand section "17. Setting up Content Synchronization Using the SyncRepl Protocol" Collapse section "17. Setting up Content Synchronization Using the SyncRepl Protocol"
1. 17.1. Configuring the Content Synchronization Plug-in Using the Command Line
18. Managing Access Control
Expand section "18. Managing Access Control" Collapse section "18. Managing Access Control"
1. 18.1. Access Control Principles
2. 18.2. ACI Placement
3. 18.3. ACI Structure
4. 18.4. ACI Evaluation
5. 18.5. Limitations of ACIs
6. 18.6. How Directory Server Handles ACIs in a Replication Topology
7. 18.7. Managing ACIs using the command line
  Expand section "18.7. Managing ACIs using the command line" Collapse section "18.7. Managing ACIs using the command line"
8. 18.8. Managing ACIs Using the Web Console
  Expand section "18.8. Managing ACIs Using the Web Console" Collapse section "18.8. Managing ACIs Using the Web Console"
9. 18.9. Defining Targets
  Expand section "18.9. Defining Targets" Collapse section "18.9. Defining Targets"
  1. 18.9.1. Frequently Used Target Keywords
    
    Expand section "18.9.1. Frequently Used Target Keywords" Collapse section "18.9.1. Frequently Used Target Keywords"
    
    18.9.1.1. Targeting a Directory Entry
    
    18.9.1.2. Targeting Attributes
    
    18.9.1.3. Targeting Entries and Attributes Using LDAP Filters
    
    18.9.1.4. Targeting Attribute Values Using LDAP Filters
  2. 18.9.2. Further Target Keywords
    
    Expand section "18.9.2. Further Target Keywords" Collapse section "18.9.2. Further Target Keywords"
    
    18.9.2.1. Targeting Source and Destination DNs
  3. 18.9.3. Advanced Usage of Target Rules
    
    Expand section "18.9.3. Advanced Usage of Target Rules" Collapse section "18.9.3. Advanced Usage of Target Rules"
    
    18.9.3.1. Delegating Permissions to Create and Maintain Groups
    
    18.9.3.2. Targeting Both an Entry and Attributes
    
    18.9.3.3. Targeting Certain Attributes of Entries Matching a Filter
    
    18.9.3.4. Targeting a Single Directory Entry
10. 18.10. Defining Permissions
  Expand section "18.10. Defining Permissions" Collapse section "18.10. Defining Permissions"
11. 18.11. Defining Bind Rules
  Expand section "18.11. Defining Bind Rules" Collapse section "18.11. Defining Bind Rules"
  1. 18.11.1. Frequently Used Bind Rules
    
    Expand section "18.11.1. Frequently Used Bind Rules" Collapse section "18.11.1. Frequently Used Bind Rules"
    
    18.11.1.1. Defining User-based Access
    
    Expand section "18.11.1.1. Defining User-based Access" Collapse section "18.11.1.1. Defining User-based Access"
    
    18.11.1.1.1. Using a DN with the userdn Keyword
    
    18.11.1.1.2. Using the userdn Keyword with an LDAP Filter
    
    18.11.1.1.3. Granting Anonymous Access
    
    18.11.1.1.4. Granting Access to Authenticated Users
    
    18.11.1.1.5. Enabling Users to Access Their Own Entries
    
    18.11.1.1.6. Setting Access for Child Entries of a User
    
    18.11.1.2. Defining Group-based Access
    
    Expand section "18.11.1.2. Defining Group-based Access" Collapse section "18.11.1.2. Defining Group-based Access"
    
    18.11.1.2.1. Using a DN with the groupdn Keyword
    
    18.11.1.2.2. Using the groupdn Keyword with an LDAP Filter
  2. 18.11.2. Further Bind Rules
    
    Expand section "18.11.2. Further Bind Rules" Collapse section "18.11.2. Further Bind Rules"
    
    18.11.2.1. Defining Access Based on Value Matching
    
    Expand section "18.11.2.1. Defining Access Based on Value Matching" Collapse section "18.11.2.1. Defining Access Based on Value Matching"
    
    18.11.2.1.1. Using the USERDN Bind Type
    
    18.11.2.1.2. Using the GROUPDN Bind Type
    
    18.11.2.1.3. Using the ROLEDN Bind Type
    
    18.11.2.1.4. Using the SELFDN Bind Type
    
    18.11.2.1.5. Using the LDAPURL Bind Type
    
    18.11.2.1.6. Using the userattr Keyword with Inheritance
    
    18.11.2.2. Defining Access from Specific IP Addresses or Ranges
    
    18.11.2.3. Defining Access from a Specific Host or Domain
    
    18.11.2.4. Requiring a Certain Level of Security in Connections
    
    18.11.2.5. Defining Access at a Specific Day of the Week
    
    18.11.2.6. Defining Access at a Specific Time of Day
    
    18.11.2.7. Defining Access Based on the Authentication Method
    
    18.11.2.8. Defining Access Based on Roles
  3. 18.11.3. Combining Bind Rules Using Boolean Operators
12. 18.12. Checking Access Rights on Entries (Get Effective Rights)
  Expand section "18.12. Checking Access Rights on Entries (Get Effective Rights)" Collapse section "18.12. Checking Access Rights on Entries (Get Effective Rights)"
  1. 18.12.1. Rights Shown with a Get Effective Rights Search
  2. 18.12.2. The Format of a Get Effective Rights Search
  3. 18.12.3. Examples of GER Searches
    
    Expand section "18.12.3. Examples of GER Searches" Collapse section "18.12.3. Examples of GER Searches"
    
    18.12.3.1. General Examples on Checking Access Rights
    
    18.12.3.2. Examples of Get Effective Rights Searches for Non-Existent Attributes
    
    18.12.3.3. Examples of Get Effective Rights Searches for Specific Attributes or Object Classes
    
    18.12.3.4. Examples of Get Effective Rights Searches for Non-Existent Entries
    
    18.12.3.5. Examples of Get Effective Rights Searches for Operational Attributes
    
    18.12.3.6. Examples of Get Effective Rights Results and Access Control Rules
  4. 18.12.4. Get Effective Rights Return Codes
13. 18.13. Logging Access Control Information
14. 18.14. Advanced Access Control: Using Macro ACIs
  Expand section "18.14. Advanced Access Control: Using Macro ACIs" Collapse section "18.14. Advanced Access Control: Using Macro ACIs"
  1. 18.14.1. Macro ACI Example
  2. 18.14.2. Macro ACI Syntax
    
    Expand section "18.14.2. Macro ACI Syntax" Collapse section "18.14.2. Macro ACI Syntax"
    
    18.14.2.1. Macro Matching for ($dn)
    
    18.14.2.2. Macro Matching for [$dn]
    
    18.14.2.3. Macro Matching for ($attr.attrName)
15. 18.15. Setting Access Controls on Directory Manager
  Expand section "18.15. Setting Access Controls on Directory Manager" Collapse section "18.15. Setting Access Controls on Directory Manager"
  1. 18.15.1. About Access Controls on the Directory Manager Account
  2. 18.15.2. Configuring the RootDN Access Control Plug-in
19. Using the Health Check Feature to Identify Problems
Expand section "19. Using the Health Check Feature to Identify Problems" Collapse section "19. Using the Health Check Feature to Identify Problems"
1. 19.1. Running the Directory Server Health Check
20. Managing User Authentication
Expand section "20. Managing User Authentication" Collapse section "20. Managing User Authentication"
1. 20.1. Setting User Passwords
2. 20.2. Setting Password Administrators
3. 20.3. Changing Passwords Stored Externally
4. 20.4. Managing the Password Policy
  Expand section "20.4. Managing the Password Policy" Collapse section "20.4. Managing the Password Policy"
  1. 20.4.1. Configuring the Global Password Policy
    
    Expand section "20.4.1. Configuring the Global Password Policy" Collapse section "20.4.1. Configuring the Global Password Policy"
    
    20.4.1.1. Configuring a Global Password Policy Using the Command Line
    
    20.4.1.2. Configuring a Global Password Policy Using the Web Console
  2. 20.4.2. Using Local Password Policies
    
    Expand section "20.4.2. Using Local Password Policies" Collapse section "20.4.2. Using Local Password Policies"
    
    20.4.2.1. Where Directory Server Stores Local Password Policy Entries
    
    20.4.2.2. Configuring a Local Password Policy
5. 20.5. Configuring temporary password rules
  Expand section "20.5. Configuring temporary password rules" Collapse section "20.5. Configuring temporary password rules"
  1. 20.5.1. Enabling temporary password rules in the global password policy
  2. 20.5.2. Enabling temporary password rules in a local password policy
6. 20.6. Understanding Password Expiration Controls
7. 20.7. Managing the Directory Manager Password
  Expand section "20.7. Managing the Directory Manager Password" Collapse section "20.7. Managing the Directory Manager Password"
  1. 20.7.1. Resetting the Directory Manager Password
  2. 20.7.2. Changing the Directory Manager Password
    
    Expand section "20.7.2. Changing the Directory Manager Password" Collapse section "20.7.2. Changing the Directory Manager Password"
    
    20.7.2.1. Changing the Directory Manager Password Using the Command Line
    
    20.7.2.2. Changing the Directory Manager Password Using the Web Console
  3. 20.7.3. Changing the Directory Manager Password Storage Scheme
    
    Expand section "20.7.3. Changing the Directory Manager Password Storage Scheme" Collapse section "20.7.3. Changing the Directory Manager Password Storage Scheme"
    
    20.7.3.1. Changing the Directory Manager Password Storage Scheme Using the Command Line
    
    20.7.3.2. Changing the Directory Manager Password Storage Scheme Using the Web Console
  4. 20.7.4. Changing the Directory Manager DN
8. 20.8. Checking Account Availability for Passwordless Access
  Expand section "20.8. Checking Account Availability for Passwordless Access" Collapse section "20.8. Checking Account Availability for Passwordless Access"
  1. 20.8.1. Searching for Entries Using the Account Usability Extension Control
  2. 20.8.2. Changing What Users Can Perform an Account Usability Search
9. 20.9. Configuring a Password-Based Account Lockout Policy
  Expand section "20.9. Configuring a Password-Based Account Lockout Policy" Collapse section "20.9. Configuring a Password-Based Account Lockout Policy"
10. 20.10. Configuring Time-Based Account Lockout Policies
  Expand section "20.10. Configuring Time-Based Account Lockout Policies" Collapse section "20.10. Configuring Time-Based Account Lockout Policies"
11. 20.11. Replicating Account Lockout Attributes
  Expand section "20.11. Replicating Account Lockout Attributes" Collapse section "20.11. Replicating Account Lockout Attributes"
12. 20.12. Enabling Different Types of Binds
  Expand section "20.12. Enabling Different Types of Binds" Collapse section "20.12. Enabling Different Types of Binds"
  1. 20.12.1. Requiring Secure Binds
  2. 20.12.2. Disabling Anonymous Binds
  3. 20.12.3. Allowing Unauthenticated Binds
  4. 20.12.4. Configuring Autobind
    
    Expand section "20.12.4. Configuring Autobind" Collapse section "20.12.4. Configuring Autobind"
    
    20.12.4.1. Overview of Autobind and LDAPI
    
    20.12.4.2. Configuring the Autobind Feature
13. 20.13. Using Pass-Through Authentication
  Expand section "20.13. Using Pass-Through Authentication" Collapse section "20.13. Using Pass-Through Authentication"
  1. 20.13.1. PTA Plug-in Syntax
  2. 20.13.2. Configuring the PTA Plug-in
    
    Expand section "20.13.2. Configuring the PTA Plug-in" Collapse section "20.13.2. Configuring the PTA Plug-in"
    
    20.13.2.1. Configuring the Servers to Use a Secure Connection
    
    20.13.2.2. Specifying the Authenticating Directory Server
    
    20.13.2.3. Specifying the Pass-Through Subtree
    
    20.13.2.4. Configuring the Optional Parameters
  3. 20.13.3. PTA Plug-in Syntax Examples
    
    Expand section "20.13.3. PTA Plug-in Syntax Examples" Collapse section "20.13.3. PTA Plug-in Syntax Examples"
    
    20.13.3.1. Specifying One Authenticating Directory Server and One Subtree
    
    20.13.3.2. Specifying Multiple Authenticating Directory Servers
    
    20.13.3.3. Specifying One Authenticating Directory Server and Multiple Subtrees
    
    20.13.3.4. Using Non-Default Parameter Values
    
    20.13.3.5. Specifying Different Optional Parameters and Subtrees for Different Authenticating Directory Servers
14. 20.14. Using Active Directory-formatted User Names for Authentication
15. 20.15. Using PAM for Pass-Through Authentication
  Expand section "20.15. Using PAM for Pass-Through Authentication" Collapse section "20.15. Using PAM for Pass-Through Authentication"
  1. 20.15.1. PAM Pass-Through Authentication Configuration Options
    
    Expand section "20.15.1. PAM Pass-Through Authentication Configuration Options" Collapse section "20.15.1. PAM Pass-Through Authentication Configuration Options"
    
    20.15.1.1. Specifying the Suffixes to Target for PAM PTA
    
    20.15.1.2. Applying Different PAM Pass-Through Authentication Configurations to Different Entries
    
    20.15.1.3. Setting PAM PTA Mappings
    
    20.15.1.4. Configuring General PAM PTA Settings
  2. 20.15.2. Configuring PAM Pass-Through Authentication
  3. 20.15.3. Using PAM Pass-Through Authentication with Active Directory as the Back End
16. 20.16. Manually Inactivating Users and Roles
  Expand section "20.16. Manually Inactivating Users and Roles" Collapse section "20.16. Manually Inactivating Users and Roles"
  1. 20.16.1. Displaying the Status of an Account or Role
  2. 20.16.2. Inactivating and Activating Users and Roles Using the Command Line
21. Monitoring Server and Database Activity
Expand section "21. Monitoring Server and Database Activity" Collapse section "21. Monitoring Server and Database Activity"
1. 21.1. Types of Directory Server Log Files
2. 21.2. Displaying Log Files
  Expand section "21.2. Displaying Log Files" Collapse section "21.2. Displaying Log Files"
  1. 21.2.1. Displaying Log Files Using the Command Line
  2. 21.2.2. Displaying Log Files Using the Web Console
3. 21.3. Configuring Log Files
  Expand section "21.3. Configuring Log Files" Collapse section "21.3. Configuring Log Files"
  1. 21.3.1. Enabling or Disabling Logs
    
    Expand section "21.3.1. Enabling or Disabling Logs" Collapse section "21.3.1. Enabling or Disabling Logs"
    
    21.3.1.1. Enabling or Disabling Logging Using the Command Line
    
    21.3.1.2. Enabling or Disabling Logging Using the Web Console
  2. 21.3.2. Configuring Plug-in-specific Logging
  3. 21.3.3. Disabling High-resolution Log Time Stamps
  4. 21.3.4. Defining a Log File Rotation Policy
    
    Expand section "21.3.4. Defining a Log File Rotation Policy" Collapse section "21.3.4. Defining a Log File Rotation Policy"
    
    21.3.4.1. Defining a Log File Rotation Policy Using the Command Line
    
    21.3.4.2. Defining a Log File Rotation Policy Using the Web Console
  5. 21.3.5. Defining a Log File Deletion Policy
    
    Expand section "21.3.5. Defining a Log File Deletion Policy" Collapse section "21.3.5. Defining a Log File Deletion Policy"
    
    21.3.5.1. Configuring a Log Deletion Policy Using the Command Line
    
    21.3.5.2. Configuring a Log Deletion Policy Using the Web Console
  6. 21.3.6. Manual Log File Rotation
  7. 21.3.7. Configuring the Log Levels
    
    Expand section "21.3.7. Configuring the Log Levels" Collapse section "21.3.7. Configuring the Log Levels"
    
    21.3.7.1. Configuring the Log Levels Using the Command Line
    
    21.3.7.2. Configuring the Log Levels Using the Web Console
    
    21.3.7.3. Logging Internal Operations
4. 21.4. Getting Access Log Statistics
5. 21.5. Monitoring the Local Disk for Graceful Shutdown
6. 21.6. Monitoring Server Activity
7. 21.7. Monitoring Database Activity
8. 21.8. Monitoring Database Link Activity
9. 21.9. Enabling and Disabling Counters
10. 21.10. Monitoring Directory Server Using SNMP
  Expand section "21.10. Monitoring Directory Server Using SNMP" Collapse section "21.10. Monitoring Directory Server Using SNMP"
  1. 21.10.1. About SNMP
  2. 21.10.2. Enabling and Disabling SNMP Support
  3. 21.10.3. Setting Parameters to Identify an Instance Using SNMP
  4. 21.10.4. Setting up an SNMP Agent for Directory Server
  5. 21.10.5. Configuring SNMP Traps
  6. 21.10.6. Using the Management Information Base
    
    Expand section "21.10.6. Using the Management Information Base" Collapse section "21.10.6. Using the Management Information Base"
    
    21.10.6.1. Operations Table
    
    21.10.6.2. Entries Table
    
    21.10.6.3. Entity Table
    
    21.10.6.4. Interaction Table
22. Making a High-availability and Disaster Recovery Plan
Expand section "22. Making a High-availability and Disaster Recovery Plan" Collapse section "22. Making a High-availability and Disaster Recovery Plan"
1. 22.1. Identifying Potential Scenarios
2. 22.2. Defining the Type of Rollover
3. 22.3. Identifying Useful Directory Server Features for Disaster Recovery
  Expand section "22.3. Identifying Useful Directory Server Features for Disaster Recovery" Collapse section "22.3. Identifying Useful Directory Server Features for Disaster Recovery"
4. 22.4. Defining the Recovery Process
5. 22.5. Basic Example: Performing a Recovery
23. Creating Test Entries
Expand section "23. Creating Test Entries" Collapse section "23. Creating Test Entries"
A. Using LDAP Client Tools
Expand section "A. Using LDAP Client Tools" Collapse section "A. Using LDAP Client Tools"
B. LDAP Data Interchange Format
Expand section "B. LDAP Data Interchange Format" Collapse section "B. LDAP Data Interchange Format"
1. B.1. About the LDIF File Format
2. B.2. Continuing Lines in LDIF
3. B.3. Representing Binary Data
  Expand section "B.3. Representing Binary Data" Collapse section "B.3. Representing Binary Data"
  1. B.3.1. Standard LDIF Notation
  2. B.3.2. Base-64 Encoding
4. B.4. Specifying Directory Entries Using LDIF
  Expand section "B.4. Specifying Directory Entries Using LDIF" Collapse section "B.4. Specifying Directory Entries Using LDIF"
5. B.5. Defining Directories Using LDIF
6. B.6. Storing Information in Multiple Languages
C. LDAP URLs
Expand section "C. LDAP URLs" Collapse section "C. LDAP URLs"
D. Internationalization
Expand section "D. Internationalization" Collapse section "D. Internationalization"
1. D.1. About Locales
2. D.2. Supported Locales
3. D.3. Supported Language Subtypes
4. D.4. Searching an Internationalized Directory
  Expand section "D.4. Searching an Internationalized Directory" Collapse section "D.4. Searching an Internationalized Directory"
  1. D.4.1. Matching Rule Formats
    
    Expand section "D.4.1. Matching Rule Formats" Collapse section "D.4.1. Matching Rule Formats"
    
    D.4.1.1. Using an OID for the Matching Rule
    
    D.4.1.2. Using a Language Tag for the Matching Rule
    
    D.4.1.3. Using an OID and Suffix for the Matching Rule
    
    D.4.1.4. Using a Language Tag and Suffix for the Matching Rule
  2. D.4.2. Supported Search Types
  3. D.4.3. International Search Examples
    
    Expand section "D.4.3. International Search Examples" Collapse section "D.4.3. International Search Examples"
    
    D.4.3.1. Less-Than Example
    
    D.4.3.2. Less-Than or Equal-to Example
    
    D.4.3.3. Equality Example
    
    D.4.3.4. Greater-Than or Equal-to Example
    
    D.4.3.5. Greater-Than Example
    
    D.4.3.6. Substring Example
5. D.5. Troubleshooting Matching Rules
E. Revision History
Legal Notice

Language:
Format:

Language:
Format:

9.4. Enabling TLS

Directory Server supports encrypted connections between clients and the server, as well as between servers in a replication environment. For this, Directory Server supports:

The LDAPS protocol: TLS encryption is used directly after the connection has been established.
The STARTTLS command over the LDAP protocol: The connection is unencrypted until the client sends the STARTTLS command.

Important

For security reasons, Red Hat recommends enabling TLS encryption.

You can use TLS with simple authentication using a bind Distinguished Name (DN) and password, or using certificate-based authentication.

Directory Server's cryptographic services are provided by Mozilla Network Security Services (NSS), a library of TLS and base cryptographic functions. NSS includes a software-based cryptographic token which is Federal Information Processing Standard (FIPS) 140-2 certified.

9.4.1. Enabling TLS in Directory Server

This section describes how to enable TLS in Directory Server.

9.4.1.1. Enabling TLS in Directory Server Using the Command Line

To enable TLS using the command line:

Request and install the certificate:
- For a certificate issued by a Certificate Authority (CA):
  1. Create a Certificate Signing Request (CSR). See Section 9.3.1.1, “Creating a Certificate Signing Request Using the Command Line”
  2. Import the CA certificate. See Section 9.3.2.1, “Installing a CA Certificate Using the Command Line”.
  3. Import the server certificate issued by the CA. See Section 9.3.4.1, “Installing a Server Certificate Using the Command Line”.
- For a self-signed certificate, see Section 9.3.5, “Generating and Installing a Self-signed Certificate”.

Enable TLS and set the LDAPS port:

# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-securePort=636 nsslapd-security=on
Successfully replaced "nsslapd-securePort"
Successfully replaced "nsslapd-security"

Display the name of the server certificate in the NSS database:

# dsconf -D "cn=Directory Manager" ldap://server.example.com security certificate list

Certificate Name: Server-Cert
Subject DN: CN=server.example.com
Issuer DN: CN=Example CA
Expires: 2022-07-29 11:10:14
Trust Flags: ,,

You need the nickname in the next step.

To enable the RSA cipher family, setting the NSS database security device, and the server certificate name:
```
# dsconf -D "cn=Directory Manager" ldap://server.example.com security rsa set --tls-allow-rsa-certificates on --nss-token "internal (software)" --nss-cert-name Server-Cert
```
Note
By default, the name of the security device in the NSS database is internal (software).
Optionally, update the list of ciphers Directory Server supports. For details, see Section 9.4.1.3.2, “Displaying and Setting the Ciphers Used by Directory Server Using the Command Line”.
Optionally, enable certificate-based authentication. For details, see Section 9.9, “Using Certificate-based Client Authentication”.
Optionally, create a password file to enable Directory Server to start without prompting for the password of the NSS database. For details, see Section 9.4.1.5, “Creating a Password File for Directory Server”.
Restart the Directory Server instance:
```
# dsctl instance_name restart
```
If you set a password on the NSS database and did not create a password file, Directory Server prompts for the password of the NSS database. For details, see Section 9.4.1.4, “Starting Directory Server Without a Password File”.

9.4.1.2. Enabling TLS in Directory Server Using the Web Console

To enable TLS in Directory Server using the web console:

Open the Directory Server user interface in the web console. See Section 1.4, “Logging Into Directory Server Using the Web Console”.
Select the instance.
Create a CSR. See Section 9.3.1, “Creating a Certificate Signing Request”.
Import the Certificate Authority (CA) certificate. See Section 9.3.2.2, “Installing a CA Certificate Using the Web Console”.
Import the server certificate issued by the CA. See Section 9.3.4.2, “Installing a Server Certificate Using the Web Console”.
Open the Server Settings menu, and select the Security entry.
On the Security Configuration tab:
1. Click Security Enabled.
2. Select the certificate's nickname in the Server Certificate Name field.
3. Optionally, change the settings for the minimum and maximum TLS version that the server should support.
4. Optionally, configure client authentication to enable users to authenticate using certificates. For details, see Section 9.9, “Using Certificate-based Client Authentication”.
Click Save Configuration.
Optionally, create a password file to enable Directory Server to start without prompting for the password of the NSS database. For details, see Section 9.4.1.5, “Creating a Password File for Directory Server”.
Restart the Directory Server instance. See Section 1.5.2, “Starting and Stopping a Directory Server Instance Using the Web Console”
If you set a password on the NSS database and did not create a password file, Directory Server prompts for the password of the NSS database. For details, see Section 9.4.1.4, “Starting Directory Server Without a Password File”.

9.4.1.3. Setting Encryption Ciphers

Directory Server supports different ciphers, and you can enable or disable them. A cipher is the algorithm used in encryption. When a client initiates a TLS connection with a server, the client tells the server what ciphers it prefers to encrypt information. If the server supports at least one of these ciphers, the encrypted connection can be established using this algorithm.

If you enabled encryption according to Section 9.4, “Enabling TLS”, you can display and update the ciphers Directory Server uses.

9.4.1.3.1. Displaying the Default Ciphers

If the nsSSL3Ciphers parameter is not set in the cn=encryption,cn=config entry, Directory Server uses the default ciphers of the Network Security Service (NSS). To display the default ciphers:

# /usr/lib64/nss/unsupported-tools/listsuites | grep -B1 --no-group-separator "Enabled"         
TLS_AES_128_GCM_SHA256:
  0x1301 TLS 1.3 TLS 1.3 AES-GCM  128 AEAD   Enabled  FIPS Domestic            
TLS_CHACHA20_POLY1305_SHA256:
  0x1303 TLS 1.3 TLS 1.3 CHACHA20POLY1305 256 AEAD   Enabled       Domestic
...

9.4.1.3.2. Displaying and Setting the Ciphers Used by Directory Server Using the Command Line

Displaying all Available Ciphers

To display the list of all available ciphers supported in Directory Server:

# dsconf -D "cn=Directory Manager" ldap://server.example.com security ciphers list --supported
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
...

This is only a list of available ciphers you can enable or disable. The list does not display the ciphers Directory Server currently uses.

Displaying the Ciphers Directory Server Uses

To display the ciphers Directory Server currently uses, enter:

# dsconf -D "cn=Directory Manager" ldap://server.example.com security ciphers list --enabled
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
...

Additionally, you can display the ciphers which are configured to be enabled and disabled:

# dsconf -D "cn=Directory Manager" ldap://server.example.com security ciphers list
default
+tls_rsa_aes_128_sha
+tls_rsa_aes_256_sha
...

The default keyword refers to the preferred default ciphers provided by the NSS. See Section 9.4.1.3.1, “Displaying the Default Ciphers”.

Important

Directory Server uses the settings from the nsSSL3Ciphers attribute to generate the list of ciphers which are actually used. However, if you enabled weak ciphers in nsSSL3Ciphers, but set the allowWeakCiphers parameter to off, which is the default, Directory Server only uses the strong ciphers and displays them in the nsSSLSupportedCiphers read-only attribute.

Updating the List of Enabled Ciphers

To update the list of enabled ciphers:

Display the list of currently enabled ciphers. See the section called “Displaying the Ciphers Directory Server Uses”.
To enable only specific ciphers, update the nsSSL3Ciphers attribute. For example, to enable only the TLS_RSA_WITH_AES_128_GCM_SHA256 cipher:
```
# dsconf -D "cn=Directory Manager" ldap://server.example.com security ciphers set "-all,+TLS_RSA_WITH_AES_128_GCM_SHA256"
```
Restart the Directory Server instance:
```
# dsctl instance_name restart
```
Optionally, display the list of enabled ciphers to verify the result. See the section called “Displaying the Ciphers Directory Server Uses”.

9.4.1.3.3. Displaying and Setting the Ciphers Used by Directory Server Using the Web Console

To select and optionally update the ciphers using the web console:

Open the Directory Server user interface in the web console. See Section 1.4, “Logging Into Directory Server Using the Web Console”.
Select the instance.
Open the Server Settings menu, and select the Security entry.
On the Cipher Preferences tab, Directory Server displays the currently enabled ciphers.
If you use different ciphers than the default, select Default Ciphers in the Ciphers Suite field to automatically enable the default ciphers. For details, see Section 9.4.1.3.1, “Displaying the Default Ciphers”.
Alternatively, you can set Ciphers Suite to:
- All Ciphers to enable all ciphers. Optionally, disable specific ciphers in the Deny Specific Ciphers field.
- No Ciphers to disable all ciphers. Optionally, enable specific ciphers in the Allow Specific Ciphers field.
Click Save Cipher Preferences.
If you updated the list of ciphers, restart the Directory Server instance. See Section 1.5.2, “Starting and Stopping a Directory Server Instance Using the Web Console”

9.4.1.4. Starting Directory Server Without a Password File

If you start Directory Server with encryption enabled and a password set on the NSS database:

If the ns-slapd Directory Server process is started by the systemctl command, systemd prompts for the password and automatically passes the input to the systemd-tty-ask-password-agent utility. For example:
```
# systemctl start dirsrv@instance_name
Enter PIN for Internal (Software) Token:
```

In rare cases, when the ns-slapd Directory Server process is not started by the systemctl utility and is detached from the terminal, a message is send to all terminals using the wall command. For example:

Broadcast message from root@server (Fri 2017-01-01 06:00:00 CET):

Password entry required for 'Enter PIN for Internal (Software) Token:' (PID 1234).
Please enter password with the systemd-tty-ask-password-agent tool!

To enter the password, run:

# systemd-tty-ask-password-agent
Enter PIN for Internal (Software) Token:

9.4.1.5. Creating a Password File for Directory Server

If encryption is enabled and a password set on the NSS database, Directory Server prompts for this password when the service starts. See Section 9.4.1.4, “Starting Directory Server Without a Password File”.

To bypass this prompt, you can store the NSS database password in the /etc/dirsrv/slapd-instance_name/pin.txt file. This enables Directory Server to start automatically without prompting for this password.

Warning

The password is stored in clear text. Do not use a password file if the server is running in an unsecured environment.

To create the password file:

Create the /etc/dirsrv/slapd-instance_name/pin.txt file with the following content:
- If you use the NSS software cryptography module, which is the default:
```
Internal (Software) Token:password
```
- If you use a Hardware Security Module (HSM):
```
name_of_the_token:password
```

Set the permissions:

# chown dirsrv:dirsrv /etc/dirsrv/slapd-instance_name/pin.txt
# chmod 400 /etc/dirsrv/slapd-instance_name/pin.txt

9.4.1.6. Managing How Directory Server Behaves If the Certificate Has Been Expired

By default, if encryption is enabled and the certificate has expired, Directory Server logs a warning and the service starts. To change this behavior, set the nsslapd-validate-cert parameter. You can set it to the following values:

warn: The Directory Server instance starts and log a warning about the expired certificate into the /var/log/dirsrv/slapd-instance_name/error log file. This is the default setting.
on: Directory Server validates the certificate and the instance fails to start if the certificate has expired.
off: Directory Server does not validate the certificate expiration date. The instance starts and no warning will be logged.

Example 9.3. Preventing Directory Server to Start If the Certificate Has Been Expired

To prevent Directory Server from starting if the certificate has expired:

Set the nsslapd-validate-cert parameter to on:

# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-validate-cert=on
Successfully replaced "nsslapd-validate-cert"

Restart the Directory Server instance:
```
# dsctl instance_name restart
```

9.4.2. Adding the CA Certificate Used By Directory Server to the Trust Store of Red Hat Enterprise Linux

When you enabled TLS encryption in Directory Server, you configured the instance to use a certificate issued by a CA. If a client now establishes a connection to the server using the LDAPS protocol or the STARTTLS command over LDAP, Directory Server uses this certificate to encrypt the connection. Client utilities use the CA certificate to verify if the server's certificate is valid. By default, these utilities cancel the connection if they do not trust the certificate of the server.

Example 9.4. Possible Connection Errors If Client Utilities Do Not Use the CA Certificate

If client utilities do not use the CA certificate, the utilities cannot validate the server's certificate when using TLS encryption. As a consequence, the connection to the server fails. For example:

dsconf

# dsconf -D "cn=Directory Manager" ldaps://server.example.com:636 config get
Error: {'desc': "Can't contact LDAP server", 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain)'}

ldapsearch

# ldapsearch -H ldaps://server.example.com:636 -D "cn=Directory Manager" -W -b "dc=example,dc=com" -x
Enter LDAP Password: 
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

To enable client utilities on Red Hat Enterprise Linux to verify the certificate that Directory Server uses, add the CA certificate to the trust store of the operating system:

If you do not have a local copy of the CA certificate used by Directory Server:

List the certificates in the server's NSS database:

# certutil -d /etc/dirsrv/slapd-instance_name/ -L

Certificate Nickname                       Trust Attributes
                                           SSL,S/MIME,JAR/XPI

Example CA                                 C,,  
Server-Cert                                u,u,u

Use the nickname of the CA certificate in the NSS database to export the CA certificate:
```
# certutil -d /etc/dirsrv/slapd-instance_name/ -L -n "Example CA" -a > /tmp/ds-ca.crt
```

Copy the CA certificate to the /etc/pki/ca-trust/source/anchors/ directory. For example:
```
# cp /tmp/ds-ca.crt /etc/pki/ca-trust/source/anchors/
```
Rebuild the CA trust database:
```
# update-ca-trust
```

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation

9.4. Enabling TLS

9.4.1. Enabling TLS in Directory Server

9.4.1.1. Enabling TLS in Directory Server Using the Command Line

9.4.1.2. Enabling TLS in Directory Server Using the Web Console

9.4.1.3. Setting Encryption Ciphers

9.4.1.3.1. Displaying the Default Ciphers

9.4.1.3.2. Displaying and Setting the Ciphers Used by Directory Server Using the Command Line

Displaying all Available Ciphers

Displaying the Ciphers Directory Server Uses

Updating the List of Enabled Ciphers

9.4.1.3.3. Displaying and Setting the Ciphers Used by Directory Server Using the Web Console

9.4.1.4. Starting Directory Server Without a Password File

9.4.1.5. Creating a Password File for Directory Server

9.4.1.6. Managing How Directory Server Behaves If the Certificate Has Been Expired

9.4.2. Adding the CA Certificate Used By Directory Server to the Trust Store of Red Hat Enterprise Linux

Language and Page Formatting Options

9.4. Enabling TLS

9.4.1. Enabling TLS in Directory Server

9.4.1.1. Enabling TLS in Directory Server Using the Command Line

9.4.1.2. Enabling TLS in Directory Server Using the Web Console

9.4.1.3. Setting Encryption Ciphers

9.4.1.3.1. Displaying the Default Ciphers

9.4.1.3.2. Displaying and Setting the Ciphers Used by Directory Server Using the Command Line

Displaying all Available Ciphers

Displaying the Ciphers Directory Server Uses

Updating the List of Enabled Ciphers

9.4.1.3.3. Displaying and Setting the Ciphers Used by Directory Server Using the Web Console

9.4.1.4. Starting Directory Server Without a Password File

9.4.1.5. Creating a Password File for Directory Server

9.4.1.6. Managing How Directory Server Behaves If the Certificate Has Been Expired

9.4.2. Adding the CA Certificate Used By Directory Server to the Trust Store of Red Hat Enterprise Linux