Administration Guide
Making Open Source More Inclusive
1. General Directory Server Management Tasks
Expand section "1. General Directory Server Management Tasks" Collapse section "1. General Directory Server Management Tasks"
1. 1.1. System Requirements
2. 1.2. File Locations
3. 1.3. Supported Methods to Configure Directory Server
4. 1.4. Logging Into Directory Server Using the Web Console
5. 1.5. Starting and Stopping a Directory Server Instance
  Expand section "1.5. Starting and Stopping a Directory Server Instance" Collapse section "1.5. Starting and Stopping a Directory Server Instance"
  1. 1.5.1. Starting and Stopping a Directory Server Instance Using the Command Line
  2. 1.5.2. Starting and Stopping a Directory Server Instance Using the Web Console
6. 1.6. Creating a New Directory Server Instance
7. 1.7. Removing a Directory Server Instance
  Expand section "1.7. Removing a Directory Server Instance" Collapse section "1.7. Removing a Directory Server Instance"
  1. 1.7.1. Removing an Instance Using the Command Line
  2. 1.7.2. Removing an Instance Using the Web Console
8. 1.8. Setting Directory Server Configuration Parameters
  Expand section "1.8. Setting Directory Server Configuration Parameters" Collapse section "1.8. Setting Directory Server Configuration Parameters"
  1. 1.8.1. Managing Configuration Parameters
  2. 1.8.2. Where Directory Server Stores its Configuration
  3. 1.8.3. Benefits of Using Default Values
    
    Expand section "1.8.3. Benefits of Using Default Values" Collapse section "1.8.3. Benefits of Using Default Values"
    
    1.8.3.1. Removing a Parameter to Use the Default Value
9. 1.9. Changing the LDAP and LDAPS Port Numbers
  Expand section "1.9. Changing the LDAP and LDAPS Port Numbers" Collapse section "1.9. Changing the LDAP and LDAPS Port Numbers"
  1. 1.9.1. Changing the Port Numbers Using the Command Line
  2. 1.9.2. Changing the Port Numbers Using the Web Console
10. 1.10. Using Directory Server Plug-ins
  Expand section "1.10. Using Directory Server Plug-ins" Collapse section "1.10. Using Directory Server Plug-ins"
  1. 1.10.1. Listing Available Plug-ins
    
    Expand section "1.10.1. Listing Available Plug-ins" Collapse section "1.10.1. Listing Available Plug-ins"
    
    1.10.1.1. Listing Available Plug-ins Using the Command Line
    
    1.10.1.2. Listing Available Plug-ins Using the Web Console
  2. 1.10.2. Enabling Plug-ins Dynamically
  3. 1.10.3. Enabling and Disabling Plug-ins
    
    Expand section "1.10.3. Enabling and Disabling Plug-ins" Collapse section "1.10.3. Enabling and Disabling Plug-ins"
    
    1.10.3.1. Enabling and Disabling Plug-ins Using the Command Line
    
    1.10.3.2. Enabling and Disabling Plug-ins Using the Web Console
  4. 1.10.4. Configuring Plug-ins
    
    Expand section "1.10.4. Configuring Plug-ins" Collapse section "1.10.4. Configuring Plug-ins"
    
    1.10.4.1. Configuring Plug-ins Using the Command Line
    
    1.10.4.2. Configuring Plug-ins Using the Web Console
  5. 1.10.5. Setting the Plug-in Precedence
    
    Expand section "1.10.5. Setting the Plug-in Precedence" Collapse section "1.10.5. Setting the Plug-in Precedence"
    
    1.10.5.1. Setting the Plug-in Precedence Using the Command Line
    
    1.10.5.2. Setting the Plug-in Precedence Using the Web Console
11. 1.11. Creating and Using a .dsrc File to Set Default Options for Directory Server Command-line Utilities
  Expand section "1.11. Creating and Using a .dsrc File to Set Default Options for Directory Server Command-line Utilities" Collapse section "1.11. Creating and Using a .dsrc File to Set Default Options for Directory Server Command-line Utilities"
  1. 1.11.1. How a .dsrc File Simplifies Commands
  2. 1.11.2. Using the dsctl Utility to Create a .dsrc File
2. Configuring Directory Databases
Expand section "2. Configuring Directory Databases" Collapse section "2. Configuring Directory Databases"
1. 2.1. Creating and Maintaining Suffixes
  Expand section "2.1. Creating and Maintaining Suffixes" Collapse section "2.1. Creating and Maintaining Suffixes"
  1. 2.1.1. Creating Suffixes
    
    Expand section "2.1.1. Creating Suffixes" Collapse section "2.1.1. Creating Suffixes"
    
    2.1.1.1. Creating a Root Suffix
    
    Expand section "2.1.1.1. Creating a Root Suffix" Collapse section "2.1.1.1. Creating a Root Suffix"
    
    2.1.1.1.1. Creating a Root Suffix Using the Command Line
    
    2.1.1.1.2. Creating a Root Suffix Using the Web Console
    
    2.1.1.2. Creating a Sub-suffix
    
    Expand section "2.1.1.2. Creating a Sub-suffix" Collapse section "2.1.1.2. Creating a Sub-suffix"
    
    2.1.1.2.1. Creating a Sub-suffix Using the Command Line
    
    2.1.1.2.2. Creating a Sub-suffix Using the Web Console
  2. 2.1.2. Maintaining Suffixes
    
    Expand section "2.1.2. Maintaining Suffixes" Collapse section "2.1.2. Maintaining Suffixes"
    
    2.1.2.1. Viewing the Default Naming Context
    
    2.1.2.2. Disabling a Suffix
    
    Expand section "2.1.2.2. Disabling a Suffix" Collapse section "2.1.2.2. Disabling a Suffix"
    
    2.1.2.2.1. Disabling a Suffix Using the Command Line
    
    2.1.2.3. Deleting a Suffix
    
    Expand section "2.1.2.3. Deleting a Suffix" Collapse section "2.1.2.3. Deleting a Suffix"
    
    2.1.2.3.1. Deleting a Suffix Using the Command Line
    
    2.1.2.3.2. Deleting a Suffix Using the Web Console
2. 2.2. Creating and Maintaining Databases
  Expand section "2.2. Creating and Maintaining Databases" Collapse section "2.2. Creating and Maintaining Databases"
  1. 2.2.1. Creating Databases
    
    Expand section "2.2.1. Creating Databases" Collapse section "2.2.1. Creating Databases"
    
    2.2.1.1. Creating a New Database for a Single Suffix Using the Command Line
    
    2.2.1.2. Adding Multiple Databases for a Single Suffix
  2. 2.2.2. Maintaining Directory Databases
    
    Expand section "2.2.2. Maintaining Directory Databases" Collapse section "2.2.2. Maintaining Directory Databases"
    
    2.2.2.1. Setting a Database in Read-Only Mode
    
    Expand section "2.2.2.1. Setting a Database in Read-Only Mode" Collapse section "2.2.2.1. Setting a Database in Read-Only Mode"
    
    2.2.2.1.1. Setting a Database in Read-only Mode Using the Command Line
    
    2.2.2.1.2. Setting a Database in Read-only Mode Using the Web Console
    
    2.2.2.2. Placing the Entire Directory Server in Read-Only Mode
    
    Expand section "2.2.2.2. Placing the Entire Directory Server in Read-Only Mode" Collapse section "2.2.2.2. Placing the Entire Directory Server in Read-Only Mode"
    
    2.2.2.2.1. Placing the Entire Directory Server in Read-Only Mode Using the Command Line
    
    2.2.2.2.2. Placing the Entire Directory Server in Read-Only Mode Using the Web Console
    
    2.2.2.3. Deleting a Database
    
    Expand section "2.2.2.3. Deleting a Database" Collapse section "2.2.2.3. Deleting a Database"
    
    2.2.2.3.1. Deleting a Database Using the Command Line
    
    2.2.2.3.2. Deleting a Database Using the Web Console
    
    2.2.2.4. Changing the Transaction Log Directory
3. 2.3. Creating and Maintaining Database Links
  Expand section "2.3. Creating and Maintaining Database Links" Collapse section "2.3. Creating and Maintaining Database Links"
  1. 2.3.1. Creating a New Database Link
    
    Expand section "2.3.1. Creating a New Database Link" Collapse section "2.3.1. Creating a New Database Link"
    
    2.3.1.1. Creating a New Database Link Using the Command Line
    
    2.3.1.2. Creating a New Database Link Using the Web Console
    
    2.3.1.3. Managing the Default Configuration for New Database Links
    
    2.3.1.4. Additional Information on Required Settings When Creating a Database Link
  2. 2.3.2. Configuring the Chaining Policy
    
    Expand section "2.3.2. Configuring the Chaining Policy" Collapse section "2.3.2. Configuring the Chaining Policy"
    
    2.3.2.1. Chaining Component Operations
    
    Expand section "2.3.2.1. Chaining Component Operations" Collapse section "2.3.2.1. Chaining Component Operations"
    
    2.3.2.1.1. Chaining Component Operations Using the Command Line
    
    2.3.2.1.2. Chaining Component Operations Using the Web Console
    
    2.3.2.2. Chaining LDAP Controls
    
    Expand section "2.3.2.2. Chaining LDAP Controls" Collapse section "2.3.2.2. Chaining LDAP Controls"
    
    2.3.2.2.1. Chaining LDAP Controls Using the Command Line
    
    2.3.2.2.2. Chaining LDAP Controls Using the Web Console
  3. 2.3.3. Database Links and Access Control Evaluation
4. 2.4. Configuring Cascading Chaining
  Expand section "2.4. Configuring Cascading Chaining" Collapse section "2.4. Configuring Cascading Chaining"
5. 2.5. Using Referrals
  Expand section "2.5. Using Referrals" Collapse section "2.5. Using Referrals"
  1. 2.5.1. Starting the Server in Referral Mode
  2. 2.5.2. Setting Default Referrals
    
    Expand section "2.5.2. Setting Default Referrals" Collapse section "2.5.2. Setting Default Referrals"
    
    2.5.2.1. Setting a Default Referral Using the Command Line
  3. 2.5.3. Creating Smart Referrals
    
    Expand section "2.5.3. Creating Smart Referrals" Collapse section "2.5.3. Creating Smart Referrals"
    
    2.5.3.1. Creating Smart Referrals Using the Command Line
  4. 2.5.4. Creating Suffix Referrals
    
    Expand section "2.5.4. Creating Suffix Referrals" Collapse section "2.5.4. Creating Suffix Referrals"
    
    2.5.4.1. Creating Suffix Referrals Using the Command Line
    
    2.5.4.2. Creating Suffix Referrals Using the Web Console
6. 2.6. Verifying the Integrity of Back-end Databases
3. Managing Directory Entries
Expand section "3. Managing Directory Entries" Collapse section "3. Managing Directory Entries"
1. 3.1. Managing Directory Entries Using the Command Line
  Expand section "3.1. Managing Directory Entries Using the Command Line" Collapse section "3.1. Managing Directory Entries Using the Command Line"
  1. 3.1.1. Providing Input to the ldapadd, ldapmodify, and ldapdelete Utilities
    
    Expand section "3.1.1. Providing Input to the ldapadd, ldapmodify, and ldapdelete Utilities" Collapse section "3.1.1. Providing Input to the ldapadd, ldapmodify, and ldapdelete Utilities"
    
    3.1.1.1. Providing Input Using the Interactive Mode
    
    3.1.1.2. Providing Input Using an LDIF File
  2. 3.1.2. The Continuous Operation Mode
  3. 3.1.3. Adding an Entry
    
    Expand section "3.1.3. Adding an Entry" Collapse section "3.1.3. Adding an Entry"
    
    3.1.3.1. Adding an Entry Using ldapadd
    
    3.1.3.2. Adding an Entry Using ldapmodify
    
    3.1.3.3. Creating a Root Entry
  4. 3.1.4. Updating a Directory Entry
    
    Expand section "3.1.4. Updating a Directory Entry" Collapse section "3.1.4. Updating a Directory Entry"
    
    3.1.4.1. Adding Attributes to an Entry
    
    3.1.4.2. Updating an Attribute's Value
    
    3.1.4.3. Deleting Attributes from an Entry
  5. 3.1.5. Deleting an Entry
    
    Expand section "3.1.5. Deleting an Entry" Collapse section "3.1.5. Deleting an Entry"
    
    3.1.5.1. Deleting an Entry Using ldapdelete
    
    3.1.5.2. Deleting an Entry Using ldapmodify
  6. 3.1.6. Renaming and Moving an Entry
    
    Expand section "3.1.6. Renaming and Moving an Entry" Collapse section "3.1.6. Renaming and Moving an Entry"
    
    3.1.6.1. Considerations for Renaming Entries
    
    3.1.6.2. Renaming Users, Groups, POSIX Groups, and OUs
    
    3.1.6.3. The deleteOldRDN Parameter When Renaming Entries Using LDIF Statements
    
    3.1.6.4. Renaming an Entry or Subtree Using LDIF Statements
    
    3.1.6.5. Moving an Entry to a New Parent Using LDIF Statements
  7. 3.1.7. Using Special Characters
  8. 3.1.8. Using Binary Attributes
  9. 3.1.9. Updating an Entry in an Internationalized Directory
2. 3.2. Managing Directory Entries Using the Web Console
  Expand section "3.2. Managing Directory Entries Using the Web Console" Collapse section "3.2. Managing Directory Entries Using the Web Console"
4. Tracking Modifications to Directory Entries
Expand section "4. Tracking Modifications to Directory Entries" Collapse section "4. Tracking Modifications to Directory Entries"
1. 4.1. Tracking Modifications to the Database through Update Sequence Numbers
  Expand section "4.1. Tracking Modifications to the Database through Update Sequence Numbers" Collapse section "4.1. Tracking Modifications to the Database through Update Sequence Numbers"
  1. 4.1.1. An Overview of the Entry Sequence Numbers
    
    Expand section "4.1.1. An Overview of the Entry Sequence Numbers" Collapse section "4.1.1. An Overview of the Entry Sequence Numbers"
    
    4.1.1.1. Local and Global USNs
    
    4.1.1.2. Importing USN Entries
  2. 4.1.2. Enabling the USN Plug-in
    
    Expand section "4.1.2. Enabling the USN Plug-in" Collapse section "4.1.2. Enabling the USN Plug-in"
    
    4.1.2.1. Enabling the USN Plug-in Using the Command Line
    
    4.1.2.2. Enabling the USN Plug-in Using the Web Console
  3. 4.1.3. Global USNs
    
    Expand section "4.1.3. Global USNs" Collapse section "4.1.3. Global USNs"
    
    4.1.3.1. Identifying Whether Global USNs are Enabled
    
    Expand section "4.1.3.1. Identifying Whether Global USNs are Enabled" Collapse section "4.1.3.1. Identifying Whether Global USNs are Enabled"
    
    4.1.3.1.1. Identifying Whether Global USNs are Enabled Using the Command Line
    
    4.1.3.1.2. Identifying Whether Global USNs are Enabled Using the Web Console
    
    4.1.3.2. Enabling Global USNs
    
    Expand section "4.1.3.2. Enabling Global USNs" Collapse section "4.1.3.2. Enabling Global USNs"
    
    4.1.3.2.1. Enabling Global USNs Using the Command Line
    
    4.1.3.2.2. Enabling Global USNs Using the Web Console
  4. 4.1.4. Cleaning up USN Tombstone Entries
    
    Expand section "4.1.4. Cleaning up USN Tombstone Entries" Collapse section "4.1.4. Cleaning up USN Tombstone Entries"
    
    4.1.4.1. Cleaning up USN Tombstone Entries Using the Command Line
    
    4.1.4.2. Cleaning up USN Tombstone Entries Using the Web Console
2. 4.2. Tracking Entry Modifications through Operational Attributes
  Expand section "4.2. Tracking Entry Modifications through Operational Attributes" Collapse section "4.2. Tracking Entry Modifications through Operational Attributes"
  1. 4.2.1. Entries Modified or Created by a Database Link
  2. 4.2.2. Enabling Tracking of Modifications
    
    Expand section "4.2.2. Enabling Tracking of Modifications" Collapse section "4.2.2. Enabling Tracking of Modifications"
    
    4.2.2.1. Enabling Tracking Of Modifications Using the Command Line
3. 4.3. Tracking the Bind DN for Plug-in Initiated Updates
  Expand section "4.3. Tracking the Bind DN for Plug-in Initiated Updates" Collapse section "4.3. Tracking the Bind DN for Plug-in Initiated Updates"
  1. 4.3.1. Enabling Tracking the Bind DN for Plug-in Initiated Updates Using the Command Line
  2. 4.3.2. Enabling Tracking the Bind DN for Plug-in Initiated Updates Using the Web Console
4. 4.4. Tracking Password Change Times
5. Maintaining Referential Integrity
Expand section "5. Maintaining Referential Integrity" Collapse section "5. Maintaining Referential Integrity"
1. 5.1. How Referential Integrity Works
2. 5.2. Using Referential Integrity with Replication
3. 5.3. Enabling Referential Integrity
  Expand section "5.3. Enabling Referential Integrity" Collapse section "5.3. Enabling Referential Integrity"
  1. 5.3.1. Enabling Referential Integrity Using the Command Line
  2. 5.3.2. Enabling Referential Integrity Using the Web Console
4. 5.4. The Referential Integrity Update Interval
  Expand section "5.4. The Referential Integrity Update Interval" Collapse section "5.4. The Referential Integrity Update Interval"
5. 5.5. Displaying and Modifying the Attribute List
  Expand section "5.5. Displaying and Modifying the Attribute List" Collapse section "5.5. Displaying and Modifying the Attribute List"
6. 5.6. Configuring Scope for the Referential Integrity
  Expand section "5.6. Configuring Scope for the Referential Integrity" Collapse section "5.6. Configuring Scope for the Referential Integrity"
6. Populating Directory Databases
Expand section "6. Populating Directory Databases" Collapse section "6. Populating Directory Databases"
1. 6.1. Importing Data
  Expand section "6.1. Importing Data" Collapse section "6.1. Importing Data"
  1. 6.1.1. Setting EntryUSN Initial Values During Import
  2. 6.1.2. Importing Using the Command Line
    
    Expand section "6.1.2. Importing Using the Command Line" Collapse section "6.1.2. Importing Using the Command Line"
    
    6.1.2.1. Importing Data While the Server is Running
    
    Expand section "6.1.2.1. Importing Data While the Server is Running" Collapse section "6.1.2.1. Importing Data While the Server is Running"
    
    6.1.2.1.1. Importing Using the dsconf backend import Command
    
    6.1.2.1.2. Importing Data Using a cn=tasks Entry
    
    6.1.2.2. Importing Data While the Server is Offline
  3. 6.1.3. Importing Data Using the Web Console
2. 6.2. Exporting Data
  Expand section "6.2. Exporting Data" Collapse section "6.2. Exporting Data"
  1. 6.2.1. Exporting Data into an LDIF File Using the Command Line
    
    Expand section "6.2.1. Exporting Data into an LDIF File Using the Command Line" Collapse section "6.2.1. Exporting Data into an LDIF File Using the Command Line"
    
    6.2.1.1. Exporting a Database While the Server is Running
    
    Expand section "6.2.1.1. Exporting a Database While the Server is Running" Collapse section "6.2.1.1. Exporting a Database While the Server is Running"
    
    6.2.1.1.1. Exporting a Databases Using the dsconf backend export Command
    
    6.2.1.1.2. Exporting a Database Using a cn=tasks Entry
    
    6.2.1.2. Exporting a Database While the Server is Offline
  2. 6.2.2. Exporting a Suffix to an LDIF File Using the Web Console
  3. 6.2.3. Enabling Members of a Group to Export Data and Performing the Export as One of the Group Members
    
    Expand section "6.2.3. Enabling Members of a Group to Export Data and Performing the Export as One of the Group Members" Collapse section "6.2.3. Enabling Members of a Group to Export Data and Performing the Export as One of the Group Members"
    
    6.2.3.1. Enabling a Group to Export Data
    
    6.2.3.2. Performing an Export as a Regular User
3. 6.3. Backing up Directory Server
  Expand section "6.3. Backing up Directory Server" Collapse section "6.3. Backing up Directory Server"
  1. 6.3.1. Backing up All Databases Using the Command Line
    
    Expand section "6.3.1. Backing up All Databases Using the Command Line" Collapse section "6.3.1. Backing up All Databases Using the Command Line"
    
    6.3.1.1. Backing up All Databases While the Server is Running
    
    Expand section "6.3.1.1. Backing up All Databases While the Server is Running" Collapse section "6.3.1.1. Backing up All Databases While the Server is Running"
    
    6.3.1.1.1. Backing up All Databases Using the dsconf backup create Command
    
    6.3.1.1.2. Backing up All Databases Using a cn=tasks entry
    
    6.3.1.2. Backing up All Databases While the Server is Offline
  2. 6.3.2. Backup up all Databases Using the Web Console
  3. 6.3.3. Backing up Configuration Files, the Certificate Database, and Custom Schema Files
  4. 6.3.4. Enabling Members of a Group to Back up Directory Server and Performing the Backup as One of the Group Members
    
    Expand section "6.3.4. Enabling Members of a Group to Back up Directory Server and Performing the Backup as One of the Group Members" Collapse section "6.3.4. Enabling Members of a Group to Back up Directory Server and Performing the Backup as One of the Group Members"
    
    6.3.4.1. Enabling a Group to Back up Directory Server
    
    6.3.4.2. Performing a Backup as a Regular User
4. 6.4. Restoring Directory Server
  Expand section "6.4. Restoring Directory Server" Collapse section "6.4. Restoring Directory Server"
  1. 6.4.1. Restoring All Databases Using the Command Line
    
    Expand section "6.4.1. Restoring All Databases Using the Command Line" Collapse section "6.4.1. Restoring All Databases Using the Command Line"
    
    6.4.1.1. Restoring All Databases While the Server is Running
    
    Expand section "6.4.1.1. Restoring All Databases While the Server is Running" Collapse section "6.4.1.1. Restoring All Databases While the Server is Running"
    
    6.4.1.1.1. Restoring All Databases Using the dsconf backup restore Command
    
    6.4.1.1.2. Restoring all Databases Using a cn=tasks entry
    
    6.4.1.2. Restoring all Databases While the Server is Offline
  2. 6.4.2. Restoring All Databases Using the Web Console
  3. 6.4.3. Restoring Databases That Include Replicated Entries
7. Managing Attributes and Values
Expand section "7. Managing Attributes and Values" Collapse section "7. Managing Attributes and Values"
1. 7.1. Enforcing Attribute Uniqueness
  Expand section "7.1. Enforcing Attribute Uniqueness" Collapse section "7.1. Enforcing Attribute Uniqueness"
  1. 7.1.1. Creating a New Configuration Record of the Attribute Uniqueness Plug-in
  2. 7.1.2. Configuring Attribute Uniqueness over Suffixes or Subtrees
    
    Expand section "7.1.2. Configuring Attribute Uniqueness over Suffixes or Subtrees" Collapse section "7.1.2. Configuring Attribute Uniqueness over Suffixes or Subtrees"
    
    7.1.2.1. Configuring Attribute Uniqueness over Suffixes or Subtrees Using the Command Line
    
    7.1.2.2. Configuring Attribute Uniqueness over Suffixes or Subtrees Using the Web Console
  3. 7.1.3. Configuring Attribute Uniqueness over Object Classes
  4. 7.1.4. Attribute Uniqueness Plug-in Configuration Parameters
2. 7.2. Assigning Class of Service
  Expand section "7.2. Assigning Class of Service" Collapse section "7.2. Assigning Class of Service"
  1. 7.2.1. About the CoS Definition Entry
  2. 7.2.2. About the CoS Template Entry
  3. 7.2.3. How a Pointer CoS Works
  4. 7.2.4. How an Indirect CoS Works
  5. 7.2.5. How a Classic CoS Works
  6. 7.2.6. Handling Physical Attribute Values
  7. 7.2.7. Handling Multi-valued Attributes with CoS
  8. 7.2.8. Searches for CoS-Specified Attributes
  9. 7.2.9. Access Control and CoS
  10. 7.2.10. Managing CoS from the Command Line
    
    Expand section "7.2.10. Managing CoS from the Command Line" Collapse section "7.2.10. Managing CoS from the Command Line"
    
    7.2.10.1. Creating the CoS Definition Entry from the Command Line
    
    7.2.10.2. Creating the CoS Template Entry from the Command Line
    
    7.2.10.3. Example of a Pointer CoS
    
    7.2.10.4. Example of an Indirect CoS
    
    7.2.10.5. Example of a Classic CoS
    
    7.2.10.6. Searching for CoS Entries
    
    7.2.10.7. The costargettree attribute
  11. 7.2.11. Creating Role-Based Attributes
3. 7.3. Linking Attributes to Manage Attribute Values
  Expand section "7.3. Linking Attributes to Manage Attribute Values" Collapse section "7.3. Linking Attributes to Manage Attribute Values"
  1. 7.3.1. About Linking Attributes
  2. 7.3.2. Looking at the Linking Attributes Plug-in Syntax
  3. 7.3.3. Configuring Attribute Links
  4. 7.3.4. Cleaning up Attribute Links
    
    Expand section "7.3.4. Cleaning up Attribute Links" Collapse section "7.3.4. Cleaning up Attribute Links"
    
    7.3.4.1. Regenerating Linked Attributes
    
    7.3.4.2. Regenerating Linked Attributes Using ldapmodify
4. 7.4. Assigning and Managing Unique Numeric Attribute Values
  Expand section "7.4. Assigning and Managing Unique Numeric Attribute Values" Collapse section "7.4. Assigning and Managing Unique Numeric Attribute Values"
  1. 7.4.1. About Dynamic Number Assignments
    
    Expand section "7.4.1. About Dynamic Number Assignments" Collapse section "7.4.1. About Dynamic Number Assignments"
    
    7.4.1.1. Filters, Searches, and Target Entries
    
    7.4.1.2. Ranges and Assigning Numbers
    
    7.4.1.3. Multiple Attributes in the Same Range
  2. 7.4.2. Looking at the DNA Plug-in Syntax
  3. 7.4.3. Configuring Unique Number Assignments
    
    Expand section "7.4.3. Configuring Unique Number Assignments" Collapse section "7.4.3. Configuring Unique Number Assignments"
    
    7.4.3.1. Creating a New Instance of the DNA Plug-in
    
    7.4.3.2. Configuring Unique Number Assignments Using the Command Line
    
    7.4.3.3. Configuring Unique Number Assignments Using the Web Console
  4. 7.4.4. Distributed Number Assignment Plug-in Performance Notes
8. Organizing and Grouping Entries
Expand section "8. Organizing and Grouping Entries" Collapse section "8. Organizing and Grouping Entries"
1. 8.1. Using Groups
  Expand section "8.1. Using Groups" Collapse section "8.1. Using Groups"
  1. 8.1.1. The Different Types of Groups
  2. 8.1.2. Creating a Static Group
    
    Expand section "8.1.2. Creating a Static Group" Collapse section "8.1.2. Creating a Static Group"
    
    8.1.2.1. Creating a Static Group Using the Command Line
  3. 8.1.3. Creating a Dynamic Group
    
    Expand section "8.1.3. Creating a Dynamic Group" Collapse section "8.1.3. Creating a Dynamic Group"
    
    8.1.3.1. Creating a Dynamic Group Using the Command Line
  4. 8.1.4. Listing Group Membership in User Entries
    
    Expand section "8.1.4. Listing Group Membership in User Entries" Collapse section "8.1.4. Listing Group Membership in User Entries"
    
    8.1.4.1. Considerations When Using the memberOf Plug-in
    
    8.1.4.2. Required Object Classes by the memberOf Plug-In
    
    8.1.4.3. The MemberOf Plug-in Syntax
    
    8.1.4.4. Enabling the MemberOf Plug-in
    
    Expand section "8.1.4.4. Enabling the MemberOf Plug-in" Collapse section "8.1.4.4. Enabling the MemberOf Plug-in"
    
    8.1.4.4.1. Enabling the MemberOf Plug-in Using the Command Line
    
    8.1.4.4.2. Enabling the MemberOf Plug-in Using the Web Console
    
    8.1.4.5. Configuring the MemberOf Plug-in on Each Server
    
    Expand section "8.1.4.5. Configuring the MemberOf Plug-in on Each Server" Collapse section "8.1.4.5. Configuring the MemberOf Plug-in on Each Server"
    
    8.1.4.5.1. Configuring the MemberOf Plug-in on Each Server Using the Command Line
    
    8.1.4.5.2. Configuring the MemberOf Plug-in on Each Server Using the Web Console
    
    8.1.4.6. Using the MemberOf Plug-in Shared Configuration
    
    8.1.4.7. Setting the Scope of the MemberOf Plug-in
    
    8.1.4.8. Regenerating memberOf Values
  5. 8.1.5. Automatically Adding Entries to Specified Groups
    
    Expand section "8.1.5. Automatically Adding Entries to Specified Groups" Collapse section "8.1.5. Automatically Adding Entries to Specified Groups"
    
    8.1.5.1. Looking at the Structure of an Automembership Rule
    
    Expand section "8.1.5.1. Looking at the Structure of an Automembership Rule" Collapse section "8.1.5.1. Looking at the Structure of an Automembership Rule"
    
    8.1.5.1.1. The Automembership Configuration Entry
    
    8.1.5.1.2. Additional Regular Expression Entries
    
    8.1.5.2. Configuring Auto Membership Definitions
    
    Expand section "8.1.5.2. Configuring Auto Membership Definitions" Collapse section "8.1.5.2. Configuring Auto Membership Definitions"
    
    8.1.5.2.1. Configuring Auto Membership Definitions Using the Command Line
    
    8.1.5.2.2. Configuring Auto Membership Definitions Using the Web Console
    
    8.1.5.3. Updating Existing Entries to apply Auto Membership Definitions
    
    8.1.5.4. Examples of Automembership Rules
    
    8.1.5.5. Testing Automembership Definitions
    
    8.1.5.6. Canceling the Auto Membership Plug-in Task
2. 8.2. Using Roles
  Expand section "8.2. Using Roles" Collapse section "8.2. Using Roles"
  1. 8.2.1. About Roles
  2. 8.2.2. Managing Roles Using the Command Line
    
    Expand section "8.2.2. Managing Roles Using the Command Line" Collapse section "8.2.2. Managing Roles Using the Command Line"
    
    8.2.2.1. Creating a Managed Role
    
    Expand section "8.2.2.1. Creating a Managed Role" Collapse section "8.2.2.1. Creating a Managed Role"
    
    8.2.2.1.1. Creating Managed Roles through the Command Line
    
    8.2.2.2. Creating a Filtered Role
    
    Expand section "8.2.2.2. Creating a Filtered Role" Collapse section "8.2.2.2. Creating a Filtered Role"
    
    8.2.2.2.1. Creating a Filtered Role through the Command Line
    
    8.2.2.3. Creating a Nested Role
    
    Expand section "8.2.2.3. Creating a Nested Role" Collapse section "8.2.2.3. Creating a Nested Role"
    
    8.2.2.3.1. Creating Nested Role through the Command Line
    
    8.2.2.4. Viewing Roles for an Entry through the Command Line
    
    8.2.2.5. About Deleting Roles
  3. 8.2.3. Managing Roles in Directory Server Using the LDAP Browser
    
    Expand section "8.2.3. Managing Roles in Directory Server Using the LDAP Browser" Collapse section "8.2.3. Managing Roles in Directory Server Using the LDAP Browser"
    
    8.2.3.1. Creating a role in the LDAP browser
    
    8.2.3.2. Modifying a Role in the LDAP browser
    
    8.2.3.3. Deleting a Role in the LDAP browser
  4. 8.2.4. Using Roles Securely
3. 8.3. Automatically Creating Dual Entries
  Expand section "8.3. Automatically Creating Dual Entries" Collapse section "8.3. Automatically Creating Dual Entries"
  1. 8.3.1. About Managed Entries
    
    Expand section "8.3.1. About Managed Entries" Collapse section "8.3.1. About Managed Entries"
    
    8.3.1.1. About the Instance Definition Entry
    
    8.3.1.2. About the Template Entry
    
    8.3.1.3. Entry Attributes Written by the Managed Entries Plug-in
    
    8.3.1.4. Managed Entries Plug-in and Directory Server Operations
  2. 8.3.2. Creating the Managed Entries Template Entry
  3. 8.3.3. Creating the Managed Entries Instance Definition
  4. 8.3.4. Putting Managed Entries Plug-in Configuration in a Replicated Database
4. 8.4. Using Views
  Expand section "8.4. Using Views" Collapse section "8.4. Using Views"
5. 8.5. Managing Organizational Units
9. Configuring Secure Connections
Expand section "9. Configuring Secure Connections" Collapse section "9. Configuring Secure Connections"
1. 9.1. Requiring Secure Connections
2. 9.2. Setting a Minimum Strength Factor
3. 9.3. Managing the NSS Database Used by Directory Server
  Expand section "9.3. Managing the NSS Database Used by Directory Server" Collapse section "9.3. Managing the NSS Database Used by Directory Server"
  1. 9.3.1. Creating a Certificate Signing Request
    
    Expand section "9.3.1. Creating a Certificate Signing Request" Collapse section "9.3.1. Creating a Certificate Signing Request"
    
    9.3.1.1. Creating a Certificate Signing Request Using the Command Line
  2. 9.3.2. Installing a CA Certificate
    
    Expand section "9.3.2. Installing a CA Certificate" Collapse section "9.3.2. Installing a CA Certificate"
    
    9.3.2.1. Installing a CA Certificate Using the Command Line
    
    9.3.2.2. Installing a CA Certificate Using the Web Console
  3. 9.3.3. Importing a Private Key and Server Certificate
  4. 9.3.4. Installing a Server Certificate
    
    Expand section "9.3.4. Installing a Server Certificate" Collapse section "9.3.4. Installing a Server Certificate"
    
    9.3.4.1. Installing a Server Certificate Using the Command Line
    
    9.3.4.2. Installing a Server Certificate Using the Web Console
  5. 9.3.5. Generating and Installing a Self-signed Certificate
  6. 9.3.6. Renewing a Certificate
    
    Expand section "9.3.6. Renewing a Certificate" Collapse section "9.3.6. Renewing a Certificate"
    
    9.3.6.1. Renewing a Certificate Using the Command Line
  7. 9.3.7. Removing a Certificate
    
    Expand section "9.3.7. Removing a Certificate" Collapse section "9.3.7. Removing a Certificate"
    
    9.3.7.1. Removing a Certificate Using the Command Line
    
    9.3.7.2. Removing a Certificate Using the Web Console
  8. 9.3.8. Removing a Private Key
    
    Expand section "9.3.8. Removing a Private Key" Collapse section "9.3.8. Removing a Private Key"
    
    9.3.8.1. Removing a Private Key Using the Command Line
  9. 9.3.9. Changing the CA Trust Options
    
    Expand section "9.3.9. Changing the CA Trust Options" Collapse section "9.3.9. Changing the CA Trust Options"
    
    9.3.9.1. Changing the CA Trust Options Using the Command Line
    
    9.3.9.2. Changing the CA Trust Options Using the Web Console
  10. 9.3.10. Changing the Password of the NSS Database
    
    Expand section "9.3.10. Changing the Password of the NSS Database" Collapse section "9.3.10. Changing the Password of the NSS Database"
    
    9.3.10.1. Changing the Password of the NSS Database Using the Command Line
4. 9.4. Enabling TLS
  Expand section "9.4. Enabling TLS" Collapse section "9.4. Enabling TLS"
  1. 9.4.1. Enabling TLS in Directory Server
    
    Expand section "9.4.1. Enabling TLS in Directory Server" Collapse section "9.4.1. Enabling TLS in Directory Server"
    
    9.4.1.1. Enabling TLS in Directory Server Using the Command Line
    
    9.4.1.2. Enabling TLS in Directory Server Using the Web Console
    
    9.4.1.3. Setting Encryption Ciphers
    
    Expand section "9.4.1.3. Setting Encryption Ciphers" Collapse section "9.4.1.3. Setting Encryption Ciphers"
    
    9.4.1.3.1. Displaying the Default Ciphers
    
    9.4.1.3.2. Displaying and Setting the Ciphers Used by Directory Server Using the Command Line
    
    9.4.1.3.3. Displaying and Setting the Ciphers Used by Directory Server Using the Web Console
    
    9.4.1.4. Starting Directory Server Without a Password File
    
    9.4.1.5. Creating a Password File for Directory Server
    
    9.4.1.6. Managing How Directory Server Behaves If the Certificate Has Been Expired
  2. 9.4.2. Adding the CA Certificate Used By Directory Server to the Trust Store of Red Hat Enterprise Linux
5. 9.5. Displaying the Encryption Protocols Enabled in Directory Server
6. 9.6. Setting the Minimum TLS Encryption Protocol Version
7. 9.7. Setting the Highest TLS Encryption Protocol Version
8. 9.8. Using Hardware Security Modules
9. 9.9. Using Certificate-based Client Authentication
  Expand section "9.9. Using Certificate-based Client Authentication" Collapse section "9.9. Using Certificate-based Client Authentication"
10. 9.10. Setting up SASL Identity Mapping
  Expand section "9.10. Setting up SASL Identity Mapping" Collapse section "9.10. Setting up SASL Identity Mapping"
  1. 9.10.1. About SASL Identity Mapping
  2. 9.10.2. Default SASL Mappings for Directory Server
  3. 9.10.3. Configuring SASL Identity Mapping
    
    Expand section "9.10.3. Configuring SASL Identity Mapping" Collapse section "9.10.3. Configuring SASL Identity Mapping"
    
    9.10.3.1. Configuring SASL Identity Mapping Using the Command Line
    
    9.10.3.2. Configuring SASL Identity Mapping Using the Web Console
  4. 9.10.4. Enabling SASL Mapping Fallback
    
    Expand section "9.10.4. Enabling SASL Mapping Fallback" Collapse section "9.10.4. Enabling SASL Mapping Fallback"
    
    9.10.4.1. Setting SASL Mapping Priorities
11. 9.11. Using Kerberos GSS-API with SASL
  Expand section "9.11. Using Kerberos GSS-API with SASL" Collapse section "9.11. Using Kerberos GSS-API with SASL"
  1. 9.11.1. Authentication Mechanisms for SASL in Directory Server
  2. 9.11.2. About Kerberos in Directory Server
    
    Expand section "9.11.2. About Kerberos in Directory Server" Collapse section "9.11.2. About Kerberos in Directory Server"
    
    9.11.2.1. About Principals and Realms
    
    9.11.2.2. About the KDC Server and Keytabs
  3. 9.11.3. Configuring SASL Authentication at Directory Server Startup
12. 9.12. Setting SASL Mechanisms
13. 9.13. Using SASL with LDAP Clients
10. Configuring Attribute Encryption
Expand section "10. Configuring Attribute Encryption" Collapse section "10. Configuring Attribute Encryption"
1. 10.1. Encryption Keys
2. 10.2. Encryption Ciphers
3. 10.3. Configuring Attribute Encryption
  Expand section "10.3. Configuring Attribute Encryption" Collapse section "10.3. Configuring Attribute Encryption"
4. 10.4. Exporting and Importing an Encrypted Database
  Expand section "10.4. Exporting and Importing an Encrypted Database" Collapse section "10.4. Exporting and Importing an Encrypted Database"
  1. 10.4.1. Exporting an Encrypted Database
  2. 10.4.2. Importing an LDIF File into an Encrypted Database
5. 10.5. Updating the TLS Certificates Used for Attribute Encryption
11. Managing FIPS Mode Support
12. Managing the Directory Schema
Expand section "12. Managing the Directory Schema" Collapse section "12. Managing the Directory Schema"
1. 12.1. Overview of Schema
  Expand section "12.1. Overview of Schema" Collapse section "12.1. Overview of Schema"
  1. 12.1.1. Default Schema Files
  2. 12.1.2. Object Classes
  3. 12.1.3. Attributes
    
    Expand section "12.1.3. Attributes" Collapse section "12.1.3. Attributes"
    
    12.1.3.1. Directory Server Attribute Syntaxes
  4. 12.1.4. Extending the Schema
  5. 12.1.5. Schema Replication
2. 12.2. Managing Object Identifiers
3. 12.3. Creating an Object Class
  Expand section "12.3. Creating an Object Class" Collapse section "12.3. Creating an Object Class"
  1. 12.3.1. Creating an Object Class Using the Command Line
  2. 12.3.2. Creating an Object Class Using the Web Console
4. 12.4. Updating an Object Class
  Expand section "12.4. Updating an Object Class" Collapse section "12.4. Updating an Object Class"
  1. 12.4.1. Updating an Object Class Using the Command Line
  2. 12.4.2. Updating an Object Class Using the Web Console
5. 12.5. Removing an Object Class
  Expand section "12.5. Removing an Object Class" Collapse section "12.5. Removing an Object Class"
  1. 12.5.1. Removing an Object Class Using the Command Line
  2. 12.5.2. Removing an Object Class Using the Web Console
6. 12.6. Creating an Attribute
  Expand section "12.6. Creating an Attribute" Collapse section "12.6. Creating an Attribute"
  1. 12.6.1. Creating an Attribute Using the Command Line
  2. 12.6.2. Creating an Attribute Using the Web Console
7. 12.7. Updating an attribute
  Expand section "12.7. Updating an attribute" Collapse section "12.7. Updating an attribute"
  1. 12.7.1. Updating an Attribute Using the Command Line
  2. 12.7.2. Updating an Attribute Using the Web Console
8. 12.8. Removing an Attribute
  Expand section "12.8. Removing an Attribute" Collapse section "12.8. Removing an Attribute"
  1. 12.8.1. Removing an Attribute Using the Command Line
  2. 12.8.2. Removing an Attribute Using the Web Console
9. 12.9. Creating Custom Schema Files
10. 12.10. Dynamically Reloading Schema
  Expand section "12.10. Dynamically Reloading Schema" Collapse section "12.10. Dynamically Reloading Schema"
11. 12.11. Turning Schema Checking On and Off
  Expand section "12.11. Turning Schema Checking On and Off" Collapse section "12.11. Turning Schema Checking On and Off"
  1. 12.11.1. Turning Schema Checking On and Off Using the Command Line
  2. 12.11.2. Turning Schema Checking On and Off Using the Web Console
12. 12.12. Using Syntax Validation
  Expand section "12.12. Using Syntax Validation" Collapse section "12.12. Using Syntax Validation"
  1. 12.12.1. About Syntax Validation
  2. 12.12.2. Syntax Validation and Other Directory Server Operations
    
    Expand section "12.12.2. Syntax Validation and Other Directory Server Operations" Collapse section "12.12.2. Syntax Validation and Other Directory Server Operations"
    
    12.12.2.1. Turning Syntax Validation On and Off Using the Command Line
    
    12.12.2.2. Turning Syntax Validation On and Off Using the Web Console
  3. 12.12.3. Enabling or Disabling Strict Syntax Validation for DNs
    
    Expand section "12.12.3. Enabling or Disabling Strict Syntax Validation for DNs" Collapse section "12.12.3. Enabling or Disabling Strict Syntax Validation for DNs"
    
    12.12.3.1. Enabling or Disabling Strict Syntax Validation for DNs Using the Command Line
    
    12.12.3.2. Enabling or Disabling Strict Syntax Validation for DNs Using the Web Console
  4. 12.12.4. Enabling Syntax Validation Logging
    
    Expand section "12.12.4. Enabling Syntax Validation Logging" Collapse section "12.12.4. Enabling Syntax Validation Logging"
    
    12.12.4.1. Enabling Syntax Validation Logging Using the Command Line
    
    12.12.4.2. Enabling Syntax Validation Logging Using the Web Console
  5. 12.12.5. Validating the Syntax of Existing Attribute Values
    
    Expand section "12.12.5. Validating the Syntax of Existing Attribute Values" Collapse section "12.12.5. Validating the Syntax of Existing Attribute Values"
    
    12.12.5.1. Creating a Syntax Validation Task Using the dsconf schema validate-syntax Command
    
    12.12.5.2. Creating a Syntax Validation Task Using a cn=tasks Entry
13. Managing Indexes
Expand section "13. Managing Indexes" Collapse section "13. Managing Indexes"
1. 13.1. About Indexes
  Expand section "13.1. About Indexes" Collapse section "13.1. About Indexes"
2. 13.2. Creating Standard Indexes
  Expand section "13.2. Creating Standard Indexes" Collapse section "13.2. Creating Standard Indexes"
  1. 13.2.1. Creating Indexes Using the Command Line
  2. 13.2.2. Creating Indexes Using the Web Console
3. 13.3. Creating New Indexes to Existing Databases
  Expand section "13.3. Creating New Indexes to Existing Databases" Collapse section "13.3. Creating New Indexes to Existing Databases"
  1. 13.3.1. Creating an Index While the Instance is Running
    
    Expand section "13.3.1. Creating an Index While the Instance is Running" Collapse section "13.3.1. Creating an Index While the Instance is Running"
    
    13.3.1.1. Creating an Index Using the dsconf backend index reindex Command
    
    13.3.1.2. Creating an Index Using a cn=tasks Entry
  2. 13.3.2. Creating an Index While the Instance Offline
4. 13.4. Using virtual list view control to request a contiguous subset of a large search result
  Expand section "13.4. Using virtual list view control to request a contiguous subset of a large search result" Collapse section "13.4. Using virtual list view control to request a contiguous subset of a large search result"
5. 13.5. Changing the Index Sort Order
  Expand section "13.5. Changing the Index Sort Order" Collapse section "13.5. Changing the Index Sort Order"
  1. 13.5.1. Changing the Sort Order Using the Command Line
6. 13.6. Changing the Width for Indexed Substring Searches
7. 13.7. Deleting Indexes
  Expand section "13.7. Deleting Indexes" Collapse section "13.7. Deleting Indexes"
  1. 13.7.1. Deleting an Attribute from the Default Index Entry
  2. 13.7.2. Removing an Attribute from the Index
    
    Expand section "13.7.2. Removing an Attribute from the Index" Collapse section "13.7.2. Removing an Attribute from the Index"
    
    13.7.2.1. Removing an Attribute from the Index Using the Command Line
    
    13.7.2.2. Removing an Attribute from the Index Using the Web Console
  3. 13.7.3. Deleting Index Types Using the Command Line
  4. 13.7.4. Removing Browsing Indexes
    
    Expand section "13.7.4. Removing Browsing Indexes" Collapse section "13.7.4. Removing Browsing Indexes"
    
    13.7.4.1. Removing Browsing Indexes Using the Command Line
14. Finding Directory Entries
Expand section "14. Finding Directory Entries" Collapse section "14. Finding Directory Entries"
1. 14.1. Finding Directory Entries Using the Command Line
  Expand section "14.1. Finding Directory Entries Using the Command Line" Collapse section "14.1. Finding Directory Entries Using the Command Line"
2. 14.2. Finding Entries Using the Web Console
3. 14.3. LDAP Search Filters
  Expand section "14.3. LDAP Search Filters" Collapse section "14.3. LDAP Search Filters"
4. 14.4. Examples of Common ldapsearches
  Expand section "14.4. Examples of Common ldapsearches" Collapse section "14.4. Examples of Common ldapsearches"
5. 14.5. Improving Search Performance through Resource Limits
  Expand section "14.5. Improving Search Performance through Resource Limits" Collapse section "14.5. Improving Search Performance through Resource Limits"
6. 14.6. Using Persistent Search
7. 14.7. Searching with Specified Controls
  Expand section "14.7. Searching with Specified Controls" Collapse section "14.7. Searching with Specified Controls"
15. Managing Replication
Expand section "15. Managing Replication" Collapse section "15. Managing Replication"
1. 15.1. Replication Overview
  Expand section "15.1. Replication Overview" Collapse section "15.1. Replication Overview"
2. 15.2. Configuring Bootstrap Credentials
3. 15.3. Single-supplier Replication
  Expand section "15.3. Single-supplier Replication" Collapse section "15.3. Single-supplier Replication"
  1. 15.3.1. Setting up Single-supplier Replication Using the Command Line
  2. 15.3.2. Setting up Single-supplier Replication Using the Web Console
4. 15.4. Multi-Supplier Replication
  Expand section "15.4. Multi-Supplier Replication" Collapse section "15.4. Multi-Supplier Replication"
5. 15.5. Cascading Replication
  Expand section "15.5. Cascading Replication" Collapse section "15.5. Cascading Replication"
  1. 15.5.1. Setting up Cascading Replication Using the Command Line
  2. 15.5.2. Setting up Cascading Replication Using the Web Console
6. 15.6. Configuring Replication Partners to use Certificate-based Authentication
7. 15.7. Promoting a Consumer or Hub to a Supplier
  Expand section "15.7. Promoting a Consumer or Hub to a Supplier" Collapse section "15.7. Promoting a Consumer or Hub to a Supplier"
  1. 15.7.1. Promoting a Consumer or Hub to a Supplier Using the Command Line
  2. 15.7.2. Promoting a Consumer or Hub to a Supplier Using the Web Console
8. 15.8. About Initializing a Consumer
  Expand section "15.8. About Initializing a Consumer" Collapse section "15.8. About Initializing a Consumer"
  1. 15.8.1. When to Initialize a Consumer
  2. 15.8.2. Setting Initialization Timeouts
  3. 15.8.3. Initializing a Consumer
    
    Expand section "15.8.3. Initializing a Consumer" Collapse section "15.8.3. Initializing a Consumer"
    
    15.8.3.1. Initializing a Consumer Using the Command Line
    
    Expand section "15.8.3.1. Initializing a Consumer Using the Command Line" Collapse section "15.8.3.1. Initializing a Consumer Using the Command Line"
    
    15.8.3.1.1. Initializing a Consumer Online
    
    15.8.3.1.2. Initializing a Consumer Offline
  4. 15.8.4. Initializing a Consumer Using the Web Console
9. 15.9. Disabling and Re-enabling Replication
10. 15.10. Removing a Directory Server Instance from the Replication Topology
  Expand section "15.10. Removing a Directory Server Instance from the Replication Topology" Collapse section "15.10. Removing a Directory Server Instance from the Replication Topology"
  1. 15.10.1. Removing a Consumer or Hub from the Replication Topology
  2. 15.10.2. Removing a Supplier from the Replication Topology
11. 15.11. Managing Attributes Within Fractional Replication
  Expand section "15.11. Managing Attributes Within Fractional Replication" Collapse section "15.11. Managing Attributes Within Fractional Replication"
12. 15.12. Managing Deleted Entries with Replication
13. 15.13. Configuring Changelog Encryption
14. 15.14. Removing the Changelog
  Expand section "15.14. Removing the Changelog" Collapse section "15.14. Removing the Changelog"
  1. 15.14.1. Removing the Changelog using the Command Line
  2. 15.14.2. Removing the Changelog using the Web Console
15. 15.15. Exporting the Replication Changelog
16. 15.16. Importing the Replication Changelog from an LDIF-formatted Changelog Dump
17. 15.17. Moving the Replication Changelog Directory
18. 15.18. Trimming the Replication Changelog
  Expand section "15.18. Trimming the Replication Changelog" Collapse section "15.18. Trimming the Replication Changelog"
  1. 15.18.1. Configuring Replication Changelog Trimming
  2. 15.18.2. Manually Reducing the Size of a Large Changelog
19. 15.19. Forcing Replication Updates
20. 15.20. Setting Replication Timeout Periods
21. 15.21. Using the Retro Changelog Plug-in
  Expand section "15.21. Using the Retro Changelog Plug-in" Collapse section "15.21. Using the Retro Changelog Plug-in"
  1. 15.21.1. Enabling the Retro Changelog Plug-in
    
    Expand section "15.21.1. Enabling the Retro Changelog Plug-in" Collapse section "15.21.1. Enabling the Retro Changelog Plug-in"
    
    15.21.1.1. Enabling the Retro Changelog Plug-in Using the Command Line
    
    15.21.1.2. Enabling the Retro Changelog Plug-in Using the Web Console
  2. 15.21.2. Trimming the Retro Changelog
  3. 15.21.3. Searching and Modifying the Retro Changelog
  4. 15.21.4. Retro Changelog and the Access Control Policy
22. 15.22. Displaying the Status of a Specific Replication Agreement
  Expand section "15.22. Displaying the Status of a Specific Replication Agreement" Collapse section "15.22. Displaying the Status of a Specific Replication Agreement"
  1. 15.22.1. Displaying the Status of a Specific Replication Agreement Using the Command-Line
  2. 15.22.2. Displaying the Status of a Specific Replication Agreement Using the Web Console
23. 15.23. Monitoring the Replication Topology
  Expand section "15.23. Monitoring the Replication Topology" Collapse section "15.23. Monitoring the Replication Topology"
  1. 15.23.1. Setting Credentials for Replication Monitoring in the .dsrc File
  2. 15.23.2. Using Aliases in the Replication Topology Monitoring Output
24. 15.24. Comparing Two Directory Server Instances
25. 15.25. Solving Common Replication Conflicts
  Expand section "15.25. Solving Common Replication Conflicts" Collapse section "15.25. Solving Common Replication Conflicts"
26. 15.26. Troubleshooting Replication-Related Problems
  Expand section "15.26. Troubleshooting Replication-Related Problems" Collapse section "15.26. Troubleshooting Replication-Related Problems"
  1. 15.26.1. Possible Replication-related Error Messages
16. Synchronizing Red Hat Directory Server with Microsoft Active Directory
Expand section "16. Synchronizing Red Hat Directory Server with Microsoft Active Directory" Collapse section "16. Synchronizing Red Hat Directory Server with Microsoft Active Directory"
1. 16.1. About Windows Synchronization
2. 16.2. Supported Active Directory Versions
3. 16.3. Synchronizing Passwords
4. 16.4. Setting up Synchronization Between Active Directory and Directory Server
  Expand section "16.4. Setting up Synchronization Between Active Directory and Directory Server" Collapse section "16.4. Setting up Synchronization Between Active Directory and Directory Server"
  1. 16.4.1. Step 1: Enabling TLS on the Directory Server Host
  2. 16.4.2. Step 2: Enabling Password Complexity in the AD Domain
  3. 16.4.3. Step 3: Extracting the CA Certificate from AD
  4. 16.4.4. Step 4: Extracting the CA Certificate from the Directory Server's NSS Database
  5. 16.4.5. Step 5: Creating the Synchronization Accounts
  6. 16.4.6. Step 6: Installing the Password Sync Service
  7. 16.4.7. Step 7: Adding the CA Certificate Directory Server uses to the Password Sync Service's Certificate Database
  8. 16.4.8. Step 8: Adding the CA Certificate AD uses to Directory Server's Certificate Database
  9. 16.4.9. Step 9: Configuring the Database for Synchronization and Creating the Synchronization Agreement
    
    Expand section "16.4.9. Step 9: Configuring the Database for Synchronization and Creating the Synchronization Agreement" Collapse section "16.4.9. Step 9: Configuring the Database for Synchronization and Creating the Synchronization Agreement"
    
    16.4.9.1. Configuring the Database for Synchronization and Creating the Synchronization Agreement Using the Command Line
    
    16.4.9.2. Configuring the Database for Synchronization and Creating the Synchronization Agreement Using the Web Console
5. 16.5. Synchronizing Users
  Expand section "16.5. Synchronizing Users" Collapse section "16.5. Synchronizing Users"
  1. 16.5.1. User Attributes Synchronized between Directory Server and Active Directory
  2. 16.5.2. User Schema Differences between Red Hat Directory Server and Active Directory
    
    Expand section "16.5.2. User Schema Differences between Red Hat Directory Server and Active Directory" Collapse section "16.5.2. User Schema Differences between Red Hat Directory Server and Active Directory"
    
    16.5.2.1. Values for cn Attributes
    
    16.5.2.2. Password Policies
    
    16.5.2.3. Values for street and streetAddress
    
    16.5.2.4. Constraints on the initials Attribute
  3. 16.5.3. Configuring User Synchronization for Directory Server Users
  4. 16.5.4. Configuring User Synchronization for Active Directory Users
6. 16.6. Synchronizing Groups
  Expand section "16.6. Synchronizing Groups" Collapse section "16.6. Synchronizing Groups"
7. 16.7. Configuring Uni-Directional Synchronization
8. 16.8. Configuring Multiple Subtrees and Filters in Windows Synchronization
9. 16.9. Synchronizing POSIX Attributes for Users and Groups
  Expand section "16.9. Synchronizing POSIX Attributes for Users and Groups" Collapse section "16.9. Synchronizing POSIX Attributes for Users and Groups"
10. 16.10. Deleting and Resurrecting Entries
  Expand section "16.10. Deleting and Resurrecting Entries" Collapse section "16.10. Deleting and Resurrecting Entries"
  1. 16.10.1. Deleting Entries
  2. 16.10.2. Resurrecting Entries
11. 16.11. Sending Synchronization Updates
  Expand section "16.11. Sending Synchronization Updates" Collapse section "16.11. Sending Synchronization Updates"
  1. 16.11.1. Performing a Manual Incremental Synchronization
  2. 16.11.2. Performing a Full Synchronization
    
    Expand section "16.11.2. Performing a Full Synchronization" Collapse section "16.11.2. Performing a Full Synchronization"
    
    16.11.2.1. Performing a Full Synchronization Using the Command Line
    
    16.11.2.2. Performing a Full Synchronization Using the Web Console
  3. 16.11.3. Setting Synchronization Schedules
  4. 16.11.4. Changing Synchronization Connections
  5. 16.11.5. Handling Entries That Move Out of the Synchronized Subtree
12. 16.12. Troubleshooting
17. Setting up Content Synchronization Using the SyncRepl Protocol
Expand section "17. Setting up Content Synchronization Using the SyncRepl Protocol" Collapse section "17. Setting up Content Synchronization Using the SyncRepl Protocol"
1. 17.1. Configuring the Content Synchronization Plug-in Using the Command Line
18. Managing Access Control
Expand section "18. Managing Access Control" Collapse section "18. Managing Access Control"
1. 18.1. Access Control Principles
2. 18.2. ACI Placement
3. 18.3. ACI Structure
4. 18.4. ACI Evaluation
5. 18.5. Limitations of ACIs
6. 18.6. How Directory Server Handles ACIs in a Replication Topology
7. 18.7. Managing ACIs using the command line
  Expand section "18.7. Managing ACIs using the command line" Collapse section "18.7. Managing ACIs using the command line"
8. 18.8. Managing ACIs Using the Web Console
  Expand section "18.8. Managing ACIs Using the Web Console" Collapse section "18.8. Managing ACIs Using the Web Console"
9. 18.9. Defining Targets
  Expand section "18.9. Defining Targets" Collapse section "18.9. Defining Targets"
  1. 18.9.1. Frequently Used Target Keywords
    
    Expand section "18.9.1. Frequently Used Target Keywords" Collapse section "18.9.1. Frequently Used Target Keywords"
    
    18.9.1.1. Targeting a Directory Entry
    
    18.9.1.2. Targeting Attributes
    
    18.9.1.3. Targeting Entries and Attributes Using LDAP Filters
    
    18.9.1.4. Targeting Attribute Values Using LDAP Filters
  2. 18.9.2. Further Target Keywords
    
    Expand section "18.9.2. Further Target Keywords" Collapse section "18.9.2. Further Target Keywords"
    
    18.9.2.1. Targeting Source and Destination DNs
  3. 18.9.3. Advanced Usage of Target Rules
    
    Expand section "18.9.3. Advanced Usage of Target Rules" Collapse section "18.9.3. Advanced Usage of Target Rules"
    
    18.9.3.1. Delegating Permissions to Create and Maintain Groups
    
    18.9.3.2. Targeting Both an Entry and Attributes
    
    18.9.3.3. Targeting Certain Attributes of Entries Matching a Filter
    
    18.9.3.4. Targeting a Single Directory Entry
10. 18.10. Defining Permissions
  Expand section "18.10. Defining Permissions" Collapse section "18.10. Defining Permissions"
11. 18.11. Defining Bind Rules
  Expand section "18.11. Defining Bind Rules" Collapse section "18.11. Defining Bind Rules"
  1. 18.11.1. Frequently Used Bind Rules
    
    Expand section "18.11.1. Frequently Used Bind Rules" Collapse section "18.11.1. Frequently Used Bind Rules"
    
    18.11.1.1. Defining User-based Access
    
    Expand section "18.11.1.1. Defining User-based Access" Collapse section "18.11.1.1. Defining User-based Access"
    
    18.11.1.1.1. Using a DN with the userdn Keyword
    
    18.11.1.1.2. Using the userdn Keyword with an LDAP Filter
    
    18.11.1.1.3. Granting Anonymous Access
    
    18.11.1.1.4. Granting Access to Authenticated Users
    
    18.11.1.1.5. Enabling Users to Access Their Own Entries
    
    18.11.1.1.6. Setting Access for Child Entries of a User
    
    18.11.1.2. Defining Group-based Access
    
    Expand section "18.11.1.2. Defining Group-based Access" Collapse section "18.11.1.2. Defining Group-based Access"
    
    18.11.1.2.1. Using a DN with the groupdn Keyword
    
    18.11.1.2.2. Using the groupdn Keyword with an LDAP Filter
  2. 18.11.2. Further Bind Rules
    
    Expand section "18.11.2. Further Bind Rules" Collapse section "18.11.2. Further Bind Rules"
    
    18.11.2.1. Defining Access Based on Value Matching
    
    Expand section "18.11.2.1. Defining Access Based on Value Matching" Collapse section "18.11.2.1. Defining Access Based on Value Matching"
    
    18.11.2.1.1. Using the USERDN Bind Type
    
    18.11.2.1.2. Using the GROUPDN Bind Type
    
    18.11.2.1.3. Using the ROLEDN Bind Type
    
    18.11.2.1.4. Using the SELFDN Bind Type
    
    18.11.2.1.5. Using the LDAPURL Bind Type
    
    18.11.2.1.6. Using the userattr Keyword with Inheritance
    
    18.11.2.2. Defining Access from Specific IP Addresses or Ranges
    
    18.11.2.3. Defining Access from a Specific Host or Domain
    
    18.11.2.4. Requiring a Certain Level of Security in Connections
    
    18.11.2.5. Defining Access at a Specific Day of the Week
    
    18.11.2.6. Defining Access at a Specific Time of Day
    
    18.11.2.7. Defining Access Based on the Authentication Method
    
    18.11.2.8. Defining Access Based on Roles
  3. 18.11.3. Combining Bind Rules Using Boolean Operators
12. 18.12. Checking Access Rights on Entries (Get Effective Rights)
  Expand section "18.12. Checking Access Rights on Entries (Get Effective Rights)" Collapse section "18.12. Checking Access Rights on Entries (Get Effective Rights)"
  1. 18.12.1. Rights Shown with a Get Effective Rights Search
  2. 18.12.2. The Format of a Get Effective Rights Search
  3. 18.12.3. Examples of GER Searches
    
    Expand section "18.12.3. Examples of GER Searches" Collapse section "18.12.3. Examples of GER Searches"
    
    18.12.3.1. General Examples on Checking Access Rights
    
    18.12.3.2. Examples of Get Effective Rights Searches for Non-Existent Attributes
    
    18.12.3.3. Examples of Get Effective Rights Searches for Specific Attributes or Object Classes
    
    18.12.3.4. Examples of Get Effective Rights Searches for Non-Existent Entries
    
    18.12.3.5. Examples of Get Effective Rights Searches for Operational Attributes
    
    18.12.3.6. Examples of Get Effective Rights Results and Access Control Rules
  4. 18.12.4. Get Effective Rights Return Codes
13. 18.13. Logging Access Control Information
14. 18.14. Advanced Access Control: Using Macro ACIs
  Expand section "18.14. Advanced Access Control: Using Macro ACIs" Collapse section "18.14. Advanced Access Control: Using Macro ACIs"
  1. 18.14.1. Macro ACI Example
  2. 18.14.2. Macro ACI Syntax
    
    Expand section "18.14.2. Macro ACI Syntax" Collapse section "18.14.2. Macro ACI Syntax"
    
    18.14.2.1. Macro Matching for ($dn)
    
    18.14.2.2. Macro Matching for [$dn]
    
    18.14.2.3. Macro Matching for ($attr.attrName)
15. 18.15. Setting Access Controls on Directory Manager
  Expand section "18.15. Setting Access Controls on Directory Manager" Collapse section "18.15. Setting Access Controls on Directory Manager"
  1. 18.15.1. About Access Controls on the Directory Manager Account
  2. 18.15.2. Configuring the RootDN Access Control Plug-in
19. Using the Health Check Feature to Identify Problems
Expand section "19. Using the Health Check Feature to Identify Problems" Collapse section "19. Using the Health Check Feature to Identify Problems"
1. 19.1. Running the Directory Server Health Check
20. Managing User Authentication
Expand section "20. Managing User Authentication" Collapse section "20. Managing User Authentication"
1. 20.1. Setting User Passwords
2. 20.2. Setting Password Administrators
3. 20.3. Changing Passwords Stored Externally
4. 20.4. Managing the Password Policy
  Expand section "20.4. Managing the Password Policy" Collapse section "20.4. Managing the Password Policy"
  1. 20.4.1. Configuring the Global Password Policy
    
    Expand section "20.4.1. Configuring the Global Password Policy" Collapse section "20.4.1. Configuring the Global Password Policy"
    
    20.4.1.1. Configuring a Global Password Policy Using the Command Line
    
    20.4.1.2. Configuring a Global Password Policy Using the Web Console
  2. 20.4.2. Using Local Password Policies
    
    Expand section "20.4.2. Using Local Password Policies" Collapse section "20.4.2. Using Local Password Policies"
    
    20.4.2.1. Where Directory Server Stores Local Password Policy Entries
    
    20.4.2.2. Configuring a Local Password Policy
5. 20.5. Configuring temporary password rules
  Expand section "20.5. Configuring temporary password rules" Collapse section "20.5. Configuring temporary password rules"
  1. 20.5.1. Enabling temporary password rules in the global password policy
  2. 20.5.2. Enabling temporary password rules in a local password policy
6. 20.6. Understanding Password Expiration Controls
7. 20.7. Managing the Directory Manager Password
  Expand section "20.7. Managing the Directory Manager Password" Collapse section "20.7. Managing the Directory Manager Password"
  1. 20.7.1. Resetting the Directory Manager Password
  2. 20.7.2. Changing the Directory Manager Password
    
    Expand section "20.7.2. Changing the Directory Manager Password" Collapse section "20.7.2. Changing the Directory Manager Password"
    
    20.7.2.1. Changing the Directory Manager Password Using the Command Line
    
    20.7.2.2. Changing the Directory Manager Password Using the Web Console
  3. 20.7.3. Changing the Directory Manager Password Storage Scheme
    
    Expand section "20.7.3. Changing the Directory Manager Password Storage Scheme" Collapse section "20.7.3. Changing the Directory Manager Password Storage Scheme"
    
    20.7.3.1. Changing the Directory Manager Password Storage Scheme Using the Command Line
    
    20.7.3.2. Changing the Directory Manager Password Storage Scheme Using the Web Console
  4. 20.7.4. Changing the Directory Manager DN
8. 20.8. Checking Account Availability for Passwordless Access
  Expand section "20.8. Checking Account Availability for Passwordless Access" Collapse section "20.8. Checking Account Availability for Passwordless Access"
  1. 20.8.1. Searching for Entries Using the Account Usability Extension Control
  2. 20.8.2. Changing What Users Can Perform an Account Usability Search
9. 20.9. Configuring a Password-Based Account Lockout Policy
  Expand section "20.9. Configuring a Password-Based Account Lockout Policy" Collapse section "20.9. Configuring a Password-Based Account Lockout Policy"
10. 20.10. Configuring Time-Based Account Lockout Policies
  Expand section "20.10. Configuring Time-Based Account Lockout Policies" Collapse section "20.10. Configuring Time-Based Account Lockout Policies"
11. 20.11. Replicating Account Lockout Attributes
  Expand section "20.11. Replicating Account Lockout Attributes" Collapse section "20.11. Replicating Account Lockout Attributes"
12. 20.12. Enabling Different Types of Binds
  Expand section "20.12. Enabling Different Types of Binds" Collapse section "20.12. Enabling Different Types of Binds"
  1. 20.12.1. Requiring Secure Binds
  2. 20.12.2. Disabling Anonymous Binds
  3. 20.12.3. Allowing Unauthenticated Binds
  4. 20.12.4. Configuring Autobind
    
    Expand section "20.12.4. Configuring Autobind" Collapse section "20.12.4. Configuring Autobind"
    
    20.12.4.1. Overview of Autobind and LDAPI
    
    20.12.4.2. Configuring the Autobind Feature
13. 20.13. Using Pass-Through Authentication
  Expand section "20.13. Using Pass-Through Authentication" Collapse section "20.13. Using Pass-Through Authentication"
  1. 20.13.1. PTA Plug-in Syntax
  2. 20.13.2. Configuring the PTA Plug-in
    
    Expand section "20.13.2. Configuring the PTA Plug-in" Collapse section "20.13.2. Configuring the PTA Plug-in"
    
    20.13.2.1. Configuring the Servers to Use a Secure Connection
    
    20.13.2.2. Specifying the Authenticating Directory Server
    
    20.13.2.3. Specifying the Pass-Through Subtree
    
    20.13.2.4. Configuring the Optional Parameters
  3. 20.13.3. PTA Plug-in Syntax Examples
    
    Expand section "20.13.3. PTA Plug-in Syntax Examples" Collapse section "20.13.3. PTA Plug-in Syntax Examples"
    
    20.13.3.1. Specifying One Authenticating Directory Server and One Subtree
    
    20.13.3.2. Specifying Multiple Authenticating Directory Servers
    
    20.13.3.3. Specifying One Authenticating Directory Server and Multiple Subtrees
    
    20.13.3.4. Using Non-Default Parameter Values
    
    20.13.3.5. Specifying Different Optional Parameters and Subtrees for Different Authenticating Directory Servers
14. 20.14. Using Active Directory-formatted User Names for Authentication
15. 20.15. Using PAM for Pass-Through Authentication
  Expand section "20.15. Using PAM for Pass-Through Authentication" Collapse section "20.15. Using PAM for Pass-Through Authentication"
  1. 20.15.1. PAM Pass-Through Authentication Configuration Options
    
    Expand section "20.15.1. PAM Pass-Through Authentication Configuration Options" Collapse section "20.15.1. PAM Pass-Through Authentication Configuration Options"
    
    20.15.1.1. Specifying the Suffixes to Target for PAM PTA
    
    20.15.1.2. Applying Different PAM Pass-Through Authentication Configurations to Different Entries
    
    20.15.1.3. Setting PAM PTA Mappings
    
    20.15.1.4. Configuring General PAM PTA Settings
  2. 20.15.2. Configuring PAM Pass-Through Authentication
  3. 20.15.3. Using PAM Pass-Through Authentication with Active Directory as the Back End
16. 20.16. Manually Inactivating Users and Roles
  Expand section "20.16. Manually Inactivating Users and Roles" Collapse section "20.16. Manually Inactivating Users and Roles"
  1. 20.16.1. Displaying the Status of an Account or Role
  2. 20.16.2. Inactivating and Activating Users and Roles Using the Command Line
21. Monitoring Server and Database Activity
Expand section "21. Monitoring Server and Database Activity" Collapse section "21. Monitoring Server and Database Activity"
1. 21.1. Types of Directory Server Log Files
2. 21.2. Displaying Log Files
  Expand section "21.2. Displaying Log Files" Collapse section "21.2. Displaying Log Files"
  1. 21.2.1. Displaying Log Files Using the Command Line
  2. 21.2.2. Displaying Log Files Using the Web Console
3. 21.3. Configuring Log Files
  Expand section "21.3. Configuring Log Files" Collapse section "21.3. Configuring Log Files"
  1. 21.3.1. Enabling or Disabling Logs
    
    Expand section "21.3.1. Enabling or Disabling Logs" Collapse section "21.3.1. Enabling or Disabling Logs"
    
    21.3.1.1. Enabling or Disabling Logging Using the Command Line
    
    21.3.1.2. Enabling or Disabling Logging Using the Web Console
  2. 21.3.2. Configuring Plug-in-specific Logging
  3. 21.3.3. Disabling High-resolution Log Time Stamps
  4. 21.3.4. Defining a Log File Rotation Policy
    
    Expand section "21.3.4. Defining a Log File Rotation Policy" Collapse section "21.3.4. Defining a Log File Rotation Policy"
    
    21.3.4.1. Defining a Log File Rotation Policy Using the Command Line
    
    21.3.4.2. Defining a Log File Rotation Policy Using the Web Console
  5. 21.3.5. Defining a Log File Deletion Policy
    
    Expand section "21.3.5. Defining a Log File Deletion Policy" Collapse section "21.3.5. Defining a Log File Deletion Policy"
    
    21.3.5.1. Configuring a Log Deletion Policy Using the Command Line
    
    21.3.5.2. Configuring a Log Deletion Policy Using the Web Console
  6. 21.3.6. Manual Log File Rotation
  7. 21.3.7. Configuring the Log Levels
    
    Expand section "21.3.7. Configuring the Log Levels" Collapse section "21.3.7. Configuring the Log Levels"
    
    21.3.7.1. Configuring the Log Levels Using the Command Line
    
    21.3.7.2. Configuring the Log Levels Using the Web Console
    
    21.3.7.3. Logging Internal Operations
4. 21.4. Getting Access Log Statistics
5. 21.5. Monitoring the Local Disk for Graceful Shutdown
6. 21.6. Monitoring Server Activity
7. 21.7. Monitoring Database Activity
8. 21.8. Monitoring Database Link Activity
9. 21.9. Enabling and Disabling Counters
10. 21.10. Monitoring Directory Server Using SNMP
  Expand section "21.10. Monitoring Directory Server Using SNMP" Collapse section "21.10. Monitoring Directory Server Using SNMP"
  1. 21.10.1. About SNMP
  2. 21.10.2. Enabling and Disabling SNMP Support
  3. 21.10.3. Setting Parameters to Identify an Instance Using SNMP
  4. 21.10.4. Setting up an SNMP Agent for Directory Server
  5. 21.10.5. Configuring SNMP Traps
  6. 21.10.6. Using the Management Information Base
    
    Expand section "21.10.6. Using the Management Information Base" Collapse section "21.10.6. Using the Management Information Base"
    
    21.10.6.1. Operations Table
    
    21.10.6.2. Entries Table
    
    21.10.6.3. Entity Table
    
    21.10.6.4. Interaction Table
22. Making a High-availability and Disaster Recovery Plan
Expand section "22. Making a High-availability and Disaster Recovery Plan" Collapse section "22. Making a High-availability and Disaster Recovery Plan"
1. 22.1. Identifying Potential Scenarios
2. 22.2. Defining the Type of Rollover
3. 22.3. Identifying Useful Directory Server Features for Disaster Recovery
  Expand section "22.3. Identifying Useful Directory Server Features for Disaster Recovery" Collapse section "22.3. Identifying Useful Directory Server Features for Disaster Recovery"
4. 22.4. Defining the Recovery Process
5. 22.5. Basic Example: Performing a Recovery
23. Creating Test Entries
Expand section "23. Creating Test Entries" Collapse section "23. Creating Test Entries"
A. Using LDAP Client Tools
Expand section "A. Using LDAP Client Tools" Collapse section "A. Using LDAP Client Tools"
B. LDAP Data Interchange Format
Expand section "B. LDAP Data Interchange Format" Collapse section "B. LDAP Data Interchange Format"
1. B.1. About the LDIF File Format
2. B.2. Continuing Lines in LDIF
3. B.3. Representing Binary Data
  Expand section "B.3. Representing Binary Data" Collapse section "B.3. Representing Binary Data"
  1. B.3.1. Standard LDIF Notation
  2. B.3.2. Base-64 Encoding
4. B.4. Specifying Directory Entries Using LDIF
  Expand section "B.4. Specifying Directory Entries Using LDIF" Collapse section "B.4. Specifying Directory Entries Using LDIF"
5. B.5. Defining Directories Using LDIF
6. B.6. Storing Information in Multiple Languages
C. LDAP URLs
Expand section "C. LDAP URLs" Collapse section "C. LDAP URLs"
D. Internationalization
Expand section "D. Internationalization" Collapse section "D. Internationalization"
1. D.1. About Locales
2. D.2. Supported Locales
3. D.3. Supported Language Subtypes
4. D.4. Searching an Internationalized Directory
  Expand section "D.4. Searching an Internationalized Directory" Collapse section "D.4. Searching an Internationalized Directory"
  1. D.4.1. Matching Rule Formats
    
    Expand section "D.4.1. Matching Rule Formats" Collapse section "D.4.1. Matching Rule Formats"
    
    D.4.1.1. Using an OID for the Matching Rule
    
    D.4.1.2. Using a Language Tag for the Matching Rule
    
    D.4.1.3. Using an OID and Suffix for the Matching Rule
    
    D.4.1.4. Using a Language Tag and Suffix for the Matching Rule
  2. D.4.2. Supported Search Types
  3. D.4.3. International Search Examples
    
    Expand section "D.4.3. International Search Examples" Collapse section "D.4.3. International Search Examples"
    
    D.4.3.1. Less-Than Example
    
    D.4.3.2. Less-Than or Equal-to Example
    
    D.4.3.3. Equality Example
    
    D.4.3.4. Greater-Than or Equal-to Example
    
    D.4.3.5. Greater-Than Example
    
    D.4.3.6. Substring Example
5. D.5. Troubleshooting Matching Rules
E. Revision History
Legal Notice

Language:
Format:

Language:
Format:

20.15. Using PAM for Pass-Through Authentication

Many systems already have authentication mechanisms in place for Unix and Linux users. One of the most common authentication frameworks is Pluggable Authentication Modules (PAM). Since many networks already existing authentication services available, administrators may want to continue using those services. A PAM module can be configured to tell Directory Server to use an existing authentication store for LDAP clients.

PAM pass-through authentication in Red Hat Directory Server uses the PAM Pass-Through Authentication Plug-in, which enables the Directory Server to talk to the PAM service to authenticate LDAP clients.

Figure 20.3. PAM Pass-Through Authentication Process

Note

PAM pass-through authentication works together with account inactivation when authenticating users, assuming that the appropriate mapping method (ENTRY) is used. However, PAM pass-through authentication does not validate passwords against password policies set either globally or locally, because the passwords are set and stored in the PAM module, not in the Directory Server.

20.15.1. PAM Pass-Through Authentication Configuration Options

PAM pass-through authentication is configured in child entries beneath the PAM Pass-Through Authentication plug-in container entry. There can be multiple PAM pass-through authentication policies, applied to different suffixes or to different entries within suffixes.

There are several different areas that can be configured for PAM pass-through:

The suffixes that are controlled by the PAM pass-through authentication plug-in. This covers suffixes to exclude, suffixes to include, and how to handle a missing suffix.
Individual entries within the configured suffixes which are the target of the authentication configuration. By default, all entries within a suffix are included in the authentication scope, but it is possible to configure multiple, different PAM Pass-Through Auth plug-in instances and then apply different plug-in configuration to different users.
The PAM attribute mapping. The credentials that are offered to the Directory Server have to be mapped in some way to an LDAP entry and then, back to the credentials in the PAM service. This is done by defining a mapping method and then, optionally, which LDAP attribute to use to match the credentials.
General configuration such as using TLS connections, the PAM service to use, and whether to fallback to LDAP authentication if PAM authentication fails.

Note

There can be multiple configuration instances of the PAM Pass-Through Authentication plug-in. An instance of the PAM Pass-Through Authentication plug-in can be applied to a subset of user entries by using the pamFilter attribute to set an LDAP filter to search for the specific entries to use with the plug-in.

For a list of attributes you can set, see the PAM Pass Through Auth Plug-in Attributes section in the Red Hat Directory Server Configuration, Command, and File Reference.

20.15.1.1. Specifying the Suffixes to Target for PAM PTA

The PAM PTA plug-in is applied globally, to all suffixes, by default unless they are explicitly excluded. Excluding and including suffixes can help target what areas in the directory use PAM authentication instead of LDAP authentication.

Note

The target of a PAM pass-through authentication entry must be a suffix, not an arbitrary subtree. As described in Section 2.1, “Creating and Maintaining Suffixes”, a suffix is a subtree which is associated with a specific back end database, such as cn=config which is associated with the root suffix dc=example,dc=com which is associated with userRoot.

The pamExcludeSuffix attribute excludes a suffix. By default, only the configuration subtree (cn=config) is excluded. Alternatively, the PAM PTA plug-in can be applied to a suffix with the pamIncludeSuffix attribute. Both of these attributes are multi-valued.

If the include attribute is set, for example, all other suffixes are automatically excluded. Likewise, if an exclude attribute is set, all other suffixes are automatically included.

pamExcludeSuffix: cn=config

With pamIncludeSuffix, only the given suffix is included and all others are automatically excluded. Since this attribute is multi-valued, more than one suffix can be included in the PAM evaluation by explicitly listing the suffixes.

pamIncludeSuffix: ou=Engineering,dc=example,dc=com
pamIncludeSuffix: ou=QE,dc=example,dc=com

The pamMissingSuffix attribute tells the server how to handle a failure if the specified suffix (include or exclude) does not exist. If it is set to IGNORE, then if the suffix does not exist, the plug-in simply skips that suffix and tries the next.

pamMissingSuffix: IGNORE
pamIncludeSuffix: ou=Engineering,dc=example,dc=com
pamIncludeSuffix: ou=Not Real,dc=example,dc=com

20.15.1.2. Applying Different PAM Pass-Through Authentication Configurations to Different Entries

By default, a PAM pass-through authentication policy applies to all entries within the designated suffixes. However, it is possible to specify an LDAP filter in the pamFilter attribute which identifies specific entries within the suffix to which to apply the PAM pass-through authentication policy.

This is useful for applying different PAM configurations or mapping methods to different user types, using multiple PAM pass-through authentication policies.

20.15.1.3. Setting PAM PTA Mappings

There has to be a way to connect the LDAP identity to the PAM identity. The first thing to define is the method to use to map the entries. There are three options: DN, RDN, and ENTRY. ENTRY uses a user-defined attribute in the entry.

Multiple mapping methods can be supplied in an ordered, space-separated list. The plug-in attempts to use each mapping method in the order listed until authentication succeeds or until it reaches the end of the list.

For example, this mapping method first maps the RDN method, then ENTRY, then DN, in the order the methods are listed:

pamIDMapMethod: RDN ENTRY DN

The different mapping methods are listed in Table 20.4, “Mapping Methods for PAM Authentication”.

Note

Directory Server user account inactivation is only validated using the ENTRY mapping method. With RDN or DN, a Directory Server user whose account is inactivated can still bind to the server successfully.

Table 20.4. Mapping Methods for PAM Authentication

Mapping	Description
RDN	This method uses the value from the leftmost RDN in the bind DN. The mapping for this method is defined by Directory Server. This is the default mapping method, if none is given.
ENTRY	This method pulls the value of the PAM identity from a user-defined attribute in the bind DN entry. The identity attribute is defined in the `pamIDAttr` attribute. For example: `pamIDAttr: customPamUid`
DN	This method uses the full distinguished name from the bind DN. The mapping for this method is defined by Directory Server.

20.15.1.4. Configuring General PAM PTA Settings

Three general configuration settings can be set for PAM authentication:

The service name to send to PAM (pamService); this is the name of the configuration file to use in /etc/pam.d
Whether to require a secure connection (pamSecure)
Whether to fall back to LDAP authentication if PAM authentication fails (pamFallback)

pamFallback: false
pamSecure: false
pamService: ldapserver

20.15.2. Configuring PAM Pass-Through Authentication

Note

PAM pass-through authentication is configured through the command line.

Make sure the PAM service is fully configured.
Remove the pam_fprintd.so module from the PAM configuration file.
Important
The pam_fprintd.so module cannot be in the configuration file referenced by the pamService attribute of the PAM Pass-Through Authentication Plug-in configuration. Using the PAM fprintd module causes the Directory Server to hit the max file descriptor limit and can cause the Directory Server process to abort.

Enable the plug-in:

# dsconf -D "cn=Directory Manager" ldap://server.example.com plugin set "PAM Pass-Through Auth Plugin" --enabled on

Create the PAM Pass-Through Auth plug-in configuration entry. For example:

# dsconf -D "cn=Directory Manager" ldap://server.example.com plugin pass-through-auth pam-config "Admin PAM PTA Config" add --exclude-suffix="cn=config" --id_map_method="RDN ENTRY" --id-attr="customPamUid" --filter="(manager=uid=example_user,ou=people,dc=example,dc=com pamFallback: FALSE" --secure="TRUE" --service="ldapserver"

Restart the instance:
```
# dsctl instance_name restart
```

20.15.3. Using PAM Pass-Through Authentication with Active Directory as the Back End

PAM pass-through authentication forwards the credentials from the Directory Server to the PAM service. One option is to set up and configure PAM modules specifically for Directory Server. Another option — and one which may be more repeatable and more convenient in some infrastructures — is to use the System Security Services Daemon (SSSD) to configure PAM. Because SSSD can use a variety of different identity stores, a lot of different servers or services can be used to provide credentials, including Active Directory.

Using pass-through authentication through SSSD is a daisy chain of services. The PAM PTA Plug-in is configured as normal. It points to the given PAM service file to use. This service file is managed by SSSD, and SSSD is configured to connect with whatever identity provider is required, even multiple providers.

Figure 20.4. PAM Pass-Through Authentication with SSSD

To configure PAM pass-through authentication with Active Directory:

Configure SSSD to use the Active Directory server as one of its identity providers.
This configuration is covered in the Using Active Directory as an Identity Provider for SSSD section in the Windows Integration Guide.

Enable the PAM Pass-Through Auth plug-in:

# dsconf -D "cn=Directory Manager" ldap://server.example.com plugin set "PAM Pass-Through Auth Plugin" --enabled on

Create the PAM Pass-Through Auth plug-in configuration entry. For example:

# dsconf -D "cn=Directory Manager" ldap://server.example.com plugin pass-through-auth pam-config "AD PAM PTA Config" add --id_map_method="ENTRY" --id-attr="sAMAccountName" --service="system-auth"

Restart the server to load the plug-in configuration.
```
# dsctl instance_name restart
```

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation

20.15. Using PAM for Pass-Through Authentication

20.15.1. PAM Pass-Through Authentication Configuration Options

20.15.1.1. Specifying the Suffixes to Target for PAM PTA

20.15.1.2. Applying Different PAM Pass-Through Authentication Configurations to Different Entries

20.15.1.3. Setting PAM PTA Mappings

20.15.1.4. Configuring General PAM PTA Settings

20.15.2. Configuring PAM Pass-Through Authentication

20.15.3. Using PAM Pass-Through Authentication with Active Directory as the Back End

Language and Page Formatting Options

20.15. Using PAM for Pass-Through Authentication

20.15.1. PAM Pass-Through Authentication Configuration Options

20.15.1.1. Specifying the Suffixes to Target for PAM PTA

20.15.1.2. Applying Different PAM Pass-Through Authentication Configurations to Different Entries

20.15.1.3. Setting PAM PTA Mappings

20.15.1.4. Configuring General PAM PTA Settings

20.15.2. Configuring PAM Pass-Through Authentication

20.15.3. Using PAM Pass-Through Authentication with Active Directory as the Back End