816-6696-10

Upload: mbhangale

Post on 29-May-2018


  • 8/8/2019 816-6696-10

    1/128

    Getting Started Guide

    Sun™ ONE Directory Server

    Version 5.2

    816-6696-10 June 2003


    Copyright 2003 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A. All rights reserved. U.S. Government Rights - Commercial software. Government users are subject to the Sun Microsystems, Inc. standard license agreement and applicable provisions of the FAR and its supplements. This distribution may include materials developed by third parties. Parts of the product may be derived from Berkeley BSD systems, licensed from the University of California. UNIX is a registered trademark in the U.S. and in other countries, exclusively licensed through X/Open Company, Ltd. Sun, Sun Microsystems, the Sun logo, Java, Solaris, SunTone, Sun[tm] ONE, The Network is the Computer, the SunTone Certified logo and the Sun[tm] ONE logo are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and other countries. Products bearing SPARC trademarks are based upon architecture developed by Sun Microsystems, Inc. Mozilla, Netscape, and Netscape Navigator are trademarks or registered trademarks of Netscape Communications Corporation in the United States and other countries. Products covered by and information contained in this service manual are controlled by U.S. Export Control laws and may be subject to the export or import laws in other countries. Nuclear, missile, chemical biological weapons or nuclear maritime end uses or end users, whether direct or indirect, are strictly prohibited. Export or reexport to countries subject to U.S. embargo or to entities identified on U.S. export exclusion lists, including, but not limited to, the denied persons and specially designated nationals lists is strictly prohibited.

    DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.



    Contents

    About This Guide . . . . . . . . . . . . . . . . . . . . 7
      Purpose of This Guide . . . . . . . . . . . . . . . . 7
      What's in This Guide . . . . . . . . . . . . . . . . . 7
      Prerequisite Reading . . . . . . . . . . . . . . . . . 8
      Typographical Conventions . . . . . . . . . . . . . . 8
      Default Paths and Filenames . . . . . . . . . . . . . 9
      Downloading Directory Server Tools . . . . . . . . . 10
      Suggested Reading . . . . . . . . . . . . . . . . . . 11

    Chapter 1 Documentation Overview . . . . . . . . . . . 13
      Directory Server 5.2 Documentation Set . . . . . . . 13
      Documentation Content . . . . . . . . . . . . . . . . 16
        Sun ONE Directory Server Getting Started Guide . . . . . . . . . . . . . . . . . 16
        Sun ONE Directory Server Deployment Guide . . . . . . . . . . . . . . . . . . . . 16
        Sun ONE Directory Server Installation and Tuning Guide (multi-platform edition only) . . 17
        Sun ONE Directory Server Administration Guide . . . . . . . . . . . . . . . . . . 18
        Sun ONE Directory Server Reference Manual . . . . . . . . . . . . . . . . . . . . 18
        Sun ONE Directory Server 5.2 Plug-In API Programming Guide . . . . . . . . . . . 19
        Sun ONE Directory Server Plug-In API Reference . . . . . . . . . . . . . . . . . . 20
        Sun ONE Directory Server Resource Kit Tools Reference . . . . . . . . . . . . . . 20
        Sun ONE Server Console Server Management Guide . . . . . . . . . . . . . . . . . 21

    Chapter 2 Introduction to Sun ONE Directory Server . . 23
      What is a Directory Service? . . . . . . . . . . . . 24
        About Global Directory Services . . . . . . . . . . 25
        About LDAP . . . . . . . . . . . . . . . . . . . . . 25
        About DSML . . . . . . . . . . . . . . . . . . . . . 26
        Directory Services and Databases . . . . . . . . . 26
      What is Sun ONE Directory Server? . . . . . . . . . . 27
        Overview of Sun ONE Directory Server Architecture . 28

      Searching the Directory . . . . . . . . . . . . . . . 75
        Searching the Directory With ldapsearch . . . . . . 75
        ldapsearch Examples . . . . . . . . . . . . . . . . 79
        LDAP Search Filters . . . . . . . . . . . . . . . . 81
        Search Filter Examples . . . . . . . . . . . . . . . 86
      Adding, Changing and Deleting Entries . . . . . . . . 87
        Adding and Changing Entries Using ldapmodify . . . 87
        Deleting Entries Using ldapdelete . . . . . . . . . 90
      Working With the Schema . . . . . . . . . . . . . . . 90
        Looking at the Schema Entry . . . . . . . . . . . . 90
        Schema Violation . . . . . . . . . . . . . . . . . . 90
      Working With Groups and Roles . . . . . . . . . . . . 91
        Adding a Static Group . . . . . . . . . . . . . . . 91
        Adding a Dynamic Group . . . . . . . . . . . . . . . 92
        Adding a Managed Role Definition . . . . . . . . . . 92
        Searching for Role Definitions . . . . . . . . . . . 93
      Working With Class of Service (CoS) . . . . . . . . . 94
        Adding a Pointer CoS Entry . . . . . . . . . . . . . 94
      Working With ACIs . . . . . . . . . . . . . . . . . . 95
        Looking at Access Restrictions . . . . . . . . . . . 95
        Adding an ACI at the Command-Line . . . . . . . . . 96
      Examining the Log Information . . . . . . . . . . . . 96
        Looking at the Access Log . . . . . . . . . . . . . 96
        Enhancing the Error Log Information . . . . . . . . 97
      Searching an Internationalized Directory . . . . . . 98
        Matching Rule Filter Syntax . . . . . . . . . . . . 98
        Supported Search Types . . . . . . . . . . . . . . 101
        International Search Examples . . . . . . . . . . 102

    Appendix A Accessibility Features . . . . . . . . . . 105
      Console Accessibility Features . . . . . . . . . . . 105
      Documentation Accessibility Features . . . . . . . . 106

    Glossary . . . . . . . . . . . . . . . . . . . . . . . 107

    Index . . . . . . . . . . . . . . . . . . . . . . . . 123


    6 Sun ONE Directory Server Getting Started Guide June 2003


    About This Guide

    Sun ONE Directory Server 5.2 is a powerful and scalable distributed directory server based on the industry-standard Lightweight Directory Access Protocol (LDAP). Sun ONE Directory Server software is part of the Sun Open Net Environment (Sun ONE), Sun's standards-based software vision, architecture, platform, and expertise for building and deploying Services On Demand.

    Sun ONE Directory Server is the cornerstone for building a centralized and distributed data repository that can be used in your intranet, over your extranet with your trading partners, or over the public Internet to reach your customers.

    Purpose of This Guide

    This guide consolidates the information required by readers who are not familiar with directory service concepts, or with previous versions of Sun ONE Directory Server. This is not a reference manual but a comprehensive overview that will enable you to discover, install and evaluate Sun ONE Directory Server in a short period.

    What's in This Guide

    This guide includes the following information:

    Documentation Overview - describes the documentation set delivered with Sun ONE Directory Server 5.2 and indicates where you will find specific information. It also describes the major changes to the documentation set to assist users who are familiar with the documentation delivered in previous versions of the product.


    Introduction to Sun ONE Directory Server - describes the basic concepts you must understand before designing and deploying your directory.

    A Quick Look at Directory Server Console - describes how to install Sun ONE Directory Server for evaluation/demonstration purposes, and how to use the console to examine the features described in the introduction.

    A Quick Look at Directory Server Command-Line Utilities - provides information on the ldapsearch and ldapmodify commands and describes how to use the command-line to examine the features described in the introduction.

    Accessibility Features - describes the accessible features of the Sun ONE Directory Server 5.2 user interface, including key mappings for the consoles.

    Glossary - a global glossary that defines the Sun ONE Directory Server terminology used throughout the documentation set.

    Prerequisite Reading

    Before reading this guide we strongly recommend you read the online release notes to obtain the latest information about new features and enhancements in this release of Sun ONE Directory Server. The release notes can be found at

    http://docs.sun.com/doc/816-6703-10/index.html

    Note that this guide does not attempt to provide comprehensive installation, reference or administrative information on Sun ONE Directory Server. For in-depth information on these topics, please consult the relevant user guide in the Sun ONE Directory Server document set.

    Typographical Conventions

    This section explains the typographical conventions used in this book.

    Monospaced font - This typeface is used for literal text, such as the names of attributes and object classes when they appear in text. It is also used for URLs, filenames, and examples.

    Italic font - This typeface is used for emphasis, for new terms, and for text that you must substitute for actual values, such as placeholders in path names.

    The greater-than symbol (>) is used as a separator when naming an item in a menu or sub-menu. For example, Object > New > User means that you should select the User item in the New sub-menu of the Object menu.


    Default Paths and Filenames

    All path and filename examples in the Sun ONE Directory Server product documentation are one of the following two forms:

    ServerRoot/... - The ServerRoot is the location of the Sun ONE Directory Server product. This path contains the shared binary files of Directory Server, Sun ONE Administration Server, and command line tools.

    The actual ServerRoot path depends on your platform, your installation, and your configuration. The default path depends on the product platform and packaging as shown in Table 1.

    ServerRoot/slapd-serverID/... - The serverID is the name of the Directory Server instance that you defined during installation or configuration. This path contains database and configuration files that are specific to the given instance.

    NOTE Notes, Cautions, and Tips highlight important conditions or limitations. Be sure to read this information before continuing.

    NOTE Paths specified in this manual use the forward slash format of UNIX and commands are specified without file extensions. If you are using a Windows version of Sun ONE Directory Server, use the equivalent backslash format. Executable files on Windows systems generally have the same names with the .exe or .bat extension.

    Table 1  Default ServerRoot Paths

    Product Installation                          ServerRoot Path
    Solaris 9 [1]                                 /var/mps/serverroot - After configuration, this directory contains links to the following locations:
                                                    /etc/ds/v5.2 (static configuration files)
                                                    /usr/admserv/mps/admin (Sun ONE Administration Server binaries)
                                                    /usr/admserv/mps/console (Server Console binaries)
                                                    /usr/ds/v5.2 (Directory Server binaries)
    Compressed Archive Installation on Solaris    /var/Sun/mps
    and Other Unix Systems
    Zip Installation on Windows Systems           C:\Program Files\Sun\MPS

    1. If you are working on the Solaris Operating Environment and are unsure which version of the Sun ONE Directory Server software is installed, check for the existence of a key package such as SUNWdsvu using the pkginfo command. For example: pkginfo | grep SUNWdsvu.

    Directory Server instances are located under ServerRoot/slapd-serverID/, where serverID represents the server identifier given to the instance on creation. For example, if you gave the name dirserv to your Directory Server, then the actual path would appear as shown in Table 2. If you have created a Directory Server instance in a different location, adapt the path accordingly.

    Table 2  Default Example dirserv Instance Locations

    Product Installation                          Instance Location
    Solaris 9                                     /var/mps/serverroot/slapd-dirserv
    Compressed Archive Installation on Solaris    /usr/Sun/mps/slapd-dirserv
    and Other Unix Systems
    Zip Installation on Windows Systems           C:\Program Files\Sun\MPS\slapd-dirserv

    Downloading Directory Server Tools

    Some supported platforms provide native tools for accessing Directory Server. For more tools for testing and maintaining LDAP directory servers, download the Sun ONE Directory Server Resource Kit (DSRK). This software is available at the following location:

    http://wwws.sun.com/software/download/

    Installation instructions and reference documentation for the DSRK tools are available in the Sun ONE Directory Server Resource Kit Tools Reference.


    For developing directory client applications, you may also download the Sun ONE LDAP SDK for C and the Sun ONE LDAP SDK for Java from the same location.

    Additionally, Java Naming and Directory Interface (JNDI) technology supports accessing the Directory Server using LDAP and DSML v2 from Java applications. Information about JNDI is available from:

    http://java.sun.com/products/jndi/

    The JNDI Tutorial contains detailed descriptions and examples of how to use JNDI. It is available at:

    http://java.sun.com/products/jndi/tutorial/

    Suggested Reading

    Sun ONE Directory Server product documentation includes the following documents delivered in both HTML and PDF:

    Sun ONE Directory Server Getting Started Guide - Provides a quick look at many key features of Directory Server 5.2.

    Sun ONE Directory Server Deployment Guide - Explains how to plan directory topology, data structure, security, and monitoring, and discusses example deployments.

    Sun ONE Directory Server Installation and Tuning Guide - Covers installation and upgrade procedures, and provides tips for optimizing Directory Server performance.

    Sun ONE Directory Server Administration Guide - Gives the procedures for using the console and command-line to manage your directory contents and configure every feature of Directory Server.

    Sun ONE Directory Server Reference Manual - Details the Directory Server configuration parameters, commands, files, error messages, and schema.

    Sun ONE Directory Server Plug-In API Programming Guide - Demonstrates how to develop Directory Server plug-ins.

    Sun ONE Directory Server Plug-In API Reference - Details the data structures and functions of the Directory Server plug-in API.

    Sun ONE Server Console Server Management Guide - Discusses how to manage servers using the Sun ONE Administration Server and Java based console.


    Sun ONE Directory Server Resource Kit Tools Reference - Covers installation and features of the Sun ONE Directory Server Resource Kit, including many useful tools.

    Other useful information can be found on the following Web sites:

    Product documentation online: http://docs.sun.com/coll/S1_DirectoryServer_52

    Sun software: http://wwws.sun.com/software/

    Sun ONE Services: http://www.sun.com/service/sunps/sunone/

    Sun Support Services: http://www.sun.com/service/support/

    Sun ONE for Developers: http://sunonedev.sun.com/

    Training: http://suned.sun.com/


    Chapter 1

    Documentation Overview

    This chapter describes the documentation set delivered with Sun ONE Directory Server 5.2 and indicates where you will find specific information. It also describes the major changes to the documentation set to assist users who are familiar with the documentation delivered in previous versions of the product.

    Directory Server 5.2 Documentation Set

    The Sun ONE Directory Server 5.2 documentation is provided in two separate editions. The documentation set you use will depend on whether or not you are using the multi-platform edition.

    Both documentation sets include the following user guides and reference manuals, delivered in HTML and PDF format:

    Sun ONE Directory Server Getting Started Guide - Consolidates all the information required by directory service novices, prospective purchasers of the product, and readers who are not completely familiar with basic LDAP concepts. This is not a reference manual but a comprehensive overview that will enable you to get up and running with Sun ONE Directory Server 5.2 in a short period.

    Sun ONE Directory Server Deployment Guide - Provides a foundation for planning your directory. This guide is intended for directory decision-makers, designers and administrators and should be your starting point if you have decided to use Sun ONE Directory Server and are in the process of planning your deployment. The guide includes a sample deployment scenario and several architectural strategies that indicate how Directory Server can be used to answer specific business requirements.


    Sun ONE Directory Server Administration Guide - Describes the procedures for managing directory contents and maintaining Directory Server. The Administration Guide includes procedures using the console interface and using the command line interface.

    Sun ONE Directory Server Reference Manual - Provides a reference for Directory Server configuration and the command-line utilities, and describes the standard schema for user directories provided with Sun ONE Directory Server 5.2. This manual combines the previous Configuration, Command, and File Reference and Schema Reference manuals and includes a description of the most significant error messages returned by Directory Server, along with their causes and suggestions on what to do, should they occur.

    Sun ONE Directory Server Plug-In API Programming Guide - Describes Directory Server plug-ins, libraries registered with Directory Server that customize and extend directory services provided by the product. This guide also indicates what has changed for this release of the plug-in API.

    Sun ONE Directory Server Plug-In API Reference - Describes the data definitions and functions available to server plug-in applications that customize and extend directory services provided by Sun ONE Directory Server 5.2. This reference manual does not cover earlier versions of the API, except to list deprecated functions.

    In addition to the above documentation, the multi-platform documentation set includes:

    The Sun ONE Directory Server Release Notes in HTML format, that contain important information available at the time of the release of Sun ONE Directory Server 5.2. New features and enhancements, known limitations, and other late-breaking issues are addressed here. The latest version of the release notes is available online at http://docs.sun.com/doc/816-6703-10/index.html.

    Sun ONE Directory Server Installation and Tuning Guide - Provides information on how to install Sun ONE Directory Server 5.2. This guide replaces the previous Installation Guide and includes additional information on hardware sizing, operating system configuration, migration and upgrading, silent installation and uninstalling. It also provides guidance on how to tune Sun ONE Directory Server 5.2 for the best performance.


    Sun ONE Directory Server Resource Kit (DSRK) Reference - The Sun ONE DSRK provides tools and APIs for deploying, accessing, tuning, and maintaining the Sun ONE Directory Server. These utilities will help you implement and maintain more robust solutions based on LDAP, the Lightweight Directory Access Protocol. The LDAP SDKs (Software Development Kits) for C and Java programming languages make it easier to write client applications for your directory. These APIs expose all the functions for connecting to an LDAP directory and accessing or modifying its entries. Use them to design and integrate directory functionality into your applications at the programmatic level.

    Sun ONE Server Console Server Management Guide - Provides background information that system architects and administrators need to successfully install and manage Sun ONE servers in their enterprise.

    A detailed description of the contents of the different user guides and reference manuals is provided in Documentation Content, on page 16.


    Documentation Content

    This section provides a brief description of each document in the Sun ONE Directory Server documentation set.

    Sun ONE Directory Server Getting Started Guide

    This guide provides introductory information to the concepts of directory services in general and of Sun ONE Directory Server 5.2 in particular. It enables you to complete a basic installation of Sun ONE Directory Server and to perform the most essential administrative tasks, using the console and the command-line utilities, for evaluation purposes. This guide includes the following sections:

    Documentation Overview
    Introduction to Sun ONE Directory Server
    A Quick Look at Directory Server Console
    A Quick Look at Directory Server Command-Line Utilities
    Accessibility Features
    Glossary

    Sun ONE Directory Server Deployment Guide

    This guide provides you with a foundation for planning your directory. It includes sample deployment scenarios that illustrate how Sun ONE Directory Server 5.2 can be deployed to address a selection of business situations. The information provided here is primarily intended for directory decision-makers, solution designers, and administrators. This guide includes the following sections:

    Directory Server Design and Deployment Overview
    Planning and Accessing Directory Data
    Designing the Schema
    Designing the Directory Tree
    Designing the Directory Topology
    Designing the Replication Process
    Designing a Secure Directory


    Monitoring Your Directory
    A Sample Deployment Scenario
    Architectural Strategies
    Accessing Data Using DSML Over HTTP/SOAP

    Sun ONE Directory Server Installation and Tuning Guide (multi-platform edition only)

    This performance tuning guide provides accurate, reproducible recommendations and guidelines on how to correctly tune Sun ONE Directory Server 5.2 for optimal performance. This guide aims to outline the most important areas to be configured and tuned, in order to optimize Directory Server performance. This guide includes the following sections:

    Installing Sun ONE Directory Server
    Upgrading From Previous Versions
    Top Tuning Tips
    Hardware Sizing
    Tuning the Operating System
    Tuning Cache Sizes
    Tuning Indexing
    Tuning Logging
    Managing Use of Other Resources
    Installed Product Layout
    Using the Sun Crypto Accelerator Board
    Installing Sun Cluster HA for Directory Server


    Sun ONE Directory Server Administration Guide

This guide describes all of the administration tasks you need to perform to maintain a directory service based on the Sun ONE Directory Server. It describes how to create directory entries and how to configure and populate directory databases, and covers access control and user account management. This guide includes the following sections:

Introduction to Sun ONE Directory Server

Creating Directory Entries

Creating Your Directory Tree

Populating Directory Contents

Advanced Entry Management

Managing Access Control

User Account Management

Managing Replication

Extending the Directory Schema

Managing Indexes

Implementing Security

Managing Log Files

Monitoring Directory Server Using SNMP

Using the Pass-Through Authentication Plug-In

Using the UID Uniqueness Plug-In

Sun ONE Directory Server Reference Manual

This manual provides comprehensive reference information on the command-line utilities and scripts provided with Sun ONE Directory Server, configuration attributes, file formats, schemas, and error and connection codes. It also provides a reference of the information that is migrated when upgrading from previous versions of Directory Server. This manual includes the following sections:

Command-Line Utilities

Command-Line Scripts


    Core Server Configuration

Core Server Configuration Attributes

Plug-in Implemented Server Functionality

Migration From Earlier Versions

Server Instance Files

Access Logs and Connection Codes

About Schema

Object Class Reference

Attribute Reference

Operational Attributes

Error Codes

ns-slapd and slapd.exe Command-Line Utilities

Directory Internationalization

LDAP URLs

LDAP Data Interchange Format

Sun ONE Directory Server 5.2 Plug-In API Programming Guide

This guide shows you how to develop server plug-ins, libraries registered with Directory Server that customize and extend directory services offered as part of the product. This guide also indicates what has changed since the last release, so you can upgrade plug-ins written for previous versions of the product to function with the current version. This guide includes the following sections:

Before You Start

What's New

Getting Started With Directory Server Plug-Ins

Working With Entries

Extending Client Request Handling

Handling Authentication


Performing Internal Operations

Writing Entry Store and Entry Fetch Plug-Ins

Writing Extended Operation Plug-Ins

Writing Matching Rule Plug-Ins

Writing Password Storage Scheme Plug-Ins

Sun ONE Directory Server Plug-In API Reference

This reference manual covers the data types and structures, functions and parameter block data that make up the public Sun ONE Directory Server plug-in API. Refer to it as you develop server plug-ins to extend Sun ONE Directory Server functionality. This manual includes the following sections:

Data Type and Structure Reference

Function Reference

Parameter Block Reference

Sun ONE Directory Server Resource Kit Tools Reference

This reference manual covers the installation of the Sun ONE Directory Server Resource Kit (Sun ONE DSRK) and contains the command-line reference for all of its tools. This manual includes the following sections:

Getting Started

Directory Access Commands

Performance Evaluation Tools

LDIF Deployment Tools

Maintenance and Debugging Tools

Gateway Application

    Sun ONE LDAP Administrative Shell


Sun ONE Server Console Server Management Guide

This guide provides background information that system architects and administrators need to successfully install and manage Sun ONE servers in their enterprise. This guide includes the following sections:

Overview of Sun ONE Server Console

Sun ONE Server Console Basics

Using Sun ONE Administration Server

Advanced Server Management

    Public-Key Cryptography and SSL


    Chapter 2

Introduction to Sun ONE Directory Server

Sun ONE Directory Server provides a central repository for storing and managing information. Almost any kind of information can be stored, from identity profiles and access privileges to information about application and network resources, printers, network devices and manufactured parts. Information stored in Sun ONE Directory Server can be used for the authentication and authorization of users to enable secure access to enterprise and Internet services and applications. Sun ONE Directory Server is extensible, can be integrated with existing systems, and enables the consolidation of employee, customer, supplier, and partner information.

This chapter describes the basic concepts you must understand before undertaking design and deployment strategies. It includes the following sections:

What is a Directory Service?

What is Sun ONE Directory Server?

What's New in Sun ONE Directory Server 5.2

Note that this chapter does not attempt to explain in detail all the features of Sun ONE Directory Server. However, it provides you with enough information to start using Sun ONE Directory Server for evaluation purposes.

Once you have completed this chapter, you will be able to do the practical examples in the following two chapters, A Quick Look at Directory Server Console and A Quick Look at Directory Server Command-Line Utilities.


What is a Directory Service?

A directory service is the collection of software and processes that store information about your enterprise, subscribers, or both. In the context of this documentation, a directory service consists of at least one Directory Server and one or more directory client programs. Client programs can access names, phone numbers, addresses, and other data stored in the directory, depending on the permissions that have been set.

An example of a directory service is a Domain Name System (DNS) server. A DNS server maps a computer host name to an IP address. Thus, all of the computing resources (hosts) become clients of the DNS server. The mapping of host names enables users of the computing resources to locate computers on a network, using host names rather than complex numerical IP addresses.

The DNS server stores only two types of information: names and IP addresses. A directory service stores virtually unlimited types of information.

Sun ONE Directory Server stores all of these types of information in a single, network-accessible repository. The following are a few examples of the kinds of information you might store in a directory:

Physical device information, such as data about the printers in your organization (where they reside, whether they are color or black and white, their manufacturer, date of purchase, serial number, IP address, and so forth).

Public employee information, such as name, email address, and department.

Contract or account information, such as the name of a client, final delivery date, bidding information, contract numbers, and project dates.

Information on manufactured products, enabling manufacturing companies to locate and track their products more easily.

Authentication information.

Sun ONE Directory Server serves the needs of a wide variety of applications. It also provides standard protocols and application programming interfaces (APIs) to access the information it contains.

The following sections describe global directory services, the Lightweight Directory Access Protocol (LDAP) and the Directory Services Markup Language (DSML).


About Global Directory Services

Sun ONE Directory Server provides global directory services, meaning it provides information to a wide variety of applications. Until recently, many applications came bundled with their own proprietary user databases, with information about the users specific to that application. While a proprietary database can be convenient if you use only one application, multiple databases become an administrative burden if the databases manage the same information.

For example, suppose your network supports three different proprietary email systems, each system with its own proprietary directory service. If users change their passwords in one directory, the changes are not automatically replicated in the others. Managing multiple instances of the same information results in increased hardware and personnel costs, a problem referred to as the n + 1 directory problem.

A global directory service solves the n + 1 directory problem by providing a single, centralized repository of directory information that any application can access. However, giving a wide variety of applications access to the directory requires a network-based means of communicating between the applications and the directory. Sun ONE Directory Server provides two ways in which applications can access its global directory:

Lightweight Directory Access Protocol (LDAP)

Directory Services Markup Language (DSML)

About LDAP

LDAP provides a common language that client applications and servers use to communicate with one another. LDAP applications can easily search, add, delete and modify directory entries. LDAP is a lightweight version of the Directory Access Protocol (DAP) used by the ISO X.500 standard. DAP gives any application access to the directory via an extensible and robust information framework, but at an expensive administrative cost. DAP does not use the Internet standard TCP/IP protocol, has complicated directory-naming conventions, and generally has a high return on investment.

LDAP preserves the best features of DAP while reducing administrative costs. LDAP uses an open directory access protocol running over TCP/IP and uses simplified encoding methods. It retains the X.500 standard data model and can support millions of entries for a comparatively modest investment in hardware and network infrastructure.


About DSML

DSML is a markup language that enables you to represent directory entries and commands in XML. This means that XML-based applications using HTTP can take advantage of directory services while making full use of the existing web infrastructure. Sun ONE Directory Server 5.2 implements version 2 of the DSML standard (DSMLv2).

The Sun ONE Directory Server implementation of DSMLv2 differs slightly from the standard. For information on the restrictions in and extensions to the DSML standard, please refer to the Sun ONE Directory Server Reference Manual.

Directory Services and Databases

What is the difference between a directory service and a database? A database can be defined as an organized collection of data whose contents can easily be accessed, managed, and updated. Although a directory service can be considered an extension of a database, directory services generally have the following characteristics:

Hierarchical naming model

This naming model uniquely identifies a set of names so that there is no ambiguity when entries that have different origins but the same names are mixed together. Directory services operate in hierarchical namespaces, logically arranged in an inverse tree. A namespace is also referred to as a suffix.

Extended search capability

Directory services provide robust search capabilities, allowing searches on individual attributes of entries.

Distributed information model

A directory service enables directory data to be distributed across multiple servers within a network.

Shared network access

While databases are defined in terms of APIs, directories are defined in terms of protocols. Directory access implies network access by definition. Directories are designed specifically for shared access among applications. This is achieved through the object-oriented schema model. By contrast, most databases are designed for use only by particular applications and do not encourage data sharing.


Replicated data

Directories support replication (copies of directory data on more than one server), which makes information systems more accessible and more resistant to failure.

Datastore optimized for reads

The storage mechanism in a directory service is generally designed to support a high ratio of reads to writes.

Extensible schema

The schema describes the type of data stored in the directory. Directory services generally support the extension of schema, meaning that new data types can be added to the directory.

What is Sun ONE Directory Server?

Sun ONE Directory Server includes the directory itself, the server-side software that implements the LDAP protocol, and a graphical user interface that allows users to search and change entries in the directory. Other LDAP clients are also available, including the directory managers in the Sun ONE Console. In addition, you can purchase other LDAP client programs or write your own using the LDAP client SDK included with the Sun ONE Directory Server product.

Without adding other client programs, Sun ONE Directory Server can provide the foundation for an intranet or extranet. Every Sun ONE server uses the directory as a central repository for shared server information, such as employee, customer, supplier, and partner data.

You can use Sun ONE Directory Server to manage extranet user authentication, create access control, set up user preferences, and centralize user management. In hosted environments, partners, customers, and suppliers can manage their own areas of the directory, reducing administrative costs.

When you install Sun ONE Directory Server, the following components are installed on your machine:

An LDAP server with a plug-in interface.

Sun ONE Administration Server.

Sun ONE Server Console to manage the servers.

Command-line tools for starting and stopping the server, importing and exporting data in the database, database reindexing, account inactivation and deactivation, LDIF merges, kernel tuning, and replication management.


For more information about the command-line tools, refer to A Quick Look at Directory Server Command-Line Utilities, on page 69 and to the tools information in the Sun ONE Directory Server Reference Manual.

An SNMP agent.

For more information about SNMP monitoring, refer to the Sun ONE Directory Server Administration Guide.

The Directory Services Markup Language (DSML).

Overview of Sun ONE Directory Server Architecture

At installation, Sun ONE Directory Server contains the following:

Server front-ends responsible for network communications.

Plug-ins for server functions, such as access control and replication.

A basic directory tree containing server-related data.

The following sections describe each component of the directory in more detail.

Overview of the Server Front-Ends

The server front-ends of Sun ONE Directory Server manage communications with directory client programs. The Directory Server functions as a daemon. Multiple client programs can communicate with the server using LDAP over TCP/IP or DSML over HTTP. The connection can be protected using Secure Sockets Layer or Transport Layer Security (SSL/TLS), depending on whether the client negotiates the use of TLS for the connection.

Communication that takes place with TLS is usually encrypted. In the future, if DNS security is present, TLS used in conjunction with secured DNS will provide confirmation to client applications that they are binding to the correct server. If clients have been issued certificates, TLS can be used by Sun ONE Directory Server to confirm that the client has the right to access the server. TLS and its predecessor, SSL, are used throughout Sun ONE Directory Server products to perform other security activities such as message integrity checks, digital signatures, and mutual authentication between servers.


Multiple clients can bind to the server at the same time over the same network because the Sun ONE Directory Server is a multi-threaded application. As directory services grow to include larger numbers of entries or larger numbers of clients spread out geographically, they also include multiple Sun ONE Directory Servers placed in strategic places around the network.

Sun ONE Directory Server implements LDAP natively, thereby avoiding the performance and management overheads associated with having a gateway on top of an X.500 directory, and with relational databases.

Server Plug-ins Overview

Sun ONE Directory Server relies on plug-ins. A plug-in is a way to add functionality to the core server. For example, the UID Uniqueness plug-in can be used to ensure that values given to the user id (uid) attribute are unique in the suffix configured when installing the directory.

A plug-in can be disabled. When disabled, the plug-in's configuration information remains in the directory but its function is not used by the server. Depending upon what you want your directory to do, you can choose to enable any of the plug-ins provided with Sun ONE Directory Server.

Sun ONE Professional Services can write custom plug-ins for any Sun ONE Directory Server deployment. Contact Sun ONE Professional Services for more information.

Overview of the Directory Tree

The directory tree, also known as a directory information tree or DIT, mirrors the tree model used by most file systems, with the tree's root, or first entry, appearing at the top of the hierarchy. At installation, Sun ONE Directory Server creates a default directory tree.

Figure 2-1 represents the structure of the default directory tree:

Figure 2-1 Default Directory Tree (figure: a root suffix with the three subtrees cn=config, o=NetscapeRoot, and o=userRoot beneath it)

The root of the tree is called the root suffix.


At installation, the directory contains three subtrees under the root suffix:

cn=config

where cn stands for Common Name. This subtree contains information about the server's internal configuration.

o=NetscapeRoot

where o stands for Organization. This subtree contains the configuration information of other Sun ONE servers, such as Sun ONE Administration Server. The Administration Server takes care of authentication and all actions that cannot be performed through LDAP (such as starting or stopping Directory Server). This subtree name originates from a legacy version of the product.

o=userRoot

During installation, a user database is created by default. The default name of the user database is o=userRoot. You can choose to populate this database at installation, or to populate it later.

You can build on the default directory tree to add any data relevant to your directory installation. In Figure 2-2, the o=userRoot suffix has been renamed to dc=example,dc=com, and additional subtrees have been added to reflect the organizational hierarchy.

NOTE When you install another instance of Directory Server, you can specify that it does not contain the o=NetscapeRoot information, but that it uses the configuration directory (or the o=NetscapeRoot subtree) present on another server. See the Sun ONE Server Console Server Management Guide for more information about deciding upon the location of your configuration directory.


Figure 2-2 Sample Directory Tree (figure: dc=example,dc=com with the subtrees ou=people, ou=groups, and ou=services; beneath them are the entries uid=cdaniels, uid=rsweeny, cn=Directory Administrators, and cn=Accounting Managers)

In the preceding figure:

dc refers to the domain component

ou refers to the organizational unit

uid refers to the user id

Directory Server Data Storage

Directory data is stored in an internal database that is implemented as a plug-in. The database plug-in is automatically installed with the directory and is enabled by default.

By default, Sun ONE Directory Server uses a single database to store the directory tree. This database can manage millions of entries. The default database supports advanced methods of backing up and restoring data, so that the data is not at risk.

You can use multiple databases to support Directory Server. You can also distribute data across the databases, enabling the server to store more data than can be held in a single database.

The following sections describe how a directory database stores data.


    About Directory Entries

LDAP Data Interchange Format (LDIF) is a standard text-based format for describing directory entries. An entry is a group of lines in an LDIF file that contains information about an object, such as a person in your organization or a printer on your network. Information about the entry is represented in the LDIF file by a set of attributes and their values. Each entry has an object class attribute that specifies the kind of object the entry describes and defines the set of additional attributes it contains. Each attribute describes a particular trait of an entry.

For example, an entry might have the object class organizationalPerson, indicating that the entry represents a person within a particular organization. This object class allows the givenname and telephoneNumber attributes. The values assigned to these attributes give the name and phone number of the person represented by the entry.

Sun ONE Directory Server also uses read-only attributes that are calculated by the server. These attributes are called operational attributes. There are also some operational attributes that can be set by the administrator, for access control and other server functions.

Entries are stored in a hierarchical structure in the directory tree. In LDAP, you can query an entry and request all entries below it in the directory tree. This subtree is called the base distinguished name, or base DN. For example, if you make an LDAP search request specifying a base DN of ou=people,dc=example,dc=com, the search operation examines only the ou=people subtree in the dc=example,dc=com directory tree.

Note that not all entries are automatically returned in response to an LDAP search. Entries of the ldapsubentry object class are not returned in response to normal search requests. An ldapsubentry entry represents an administrative object, for example the entries that are used internally by Directory Server to define a role or a class of service. To receive these entries, clients must search specifically for entries of the ldapsubentry object class.

The LDIF format is described in detail in the Sun ONE Directory Server Reference Manual.
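To make the base-DN scoping and the ldapsubentry rule concrete, here is an added Python example (not code from the guide or the product) that parses a constructed LDIF fragment and runs a subtree search over it; the search and entry handling are simplified stand-ins for a real server's, and the cn=Managers entry is a constructed placeholder for a role definition.

```python
"""Added example (not part of the Sun ONE guide): parse a small LDIF text
into entries, then run a subtree search scoped by base DN as described above,
leaving out ldapsubentry objects unless the filter asks for that class."""
from typing import Dict, List, Optional

# Constructed sample LDIF modelled on the guide's dc=example,dc=com tree. The
# cn=Managers entry is a placeholder for a role definition: a real one carries
# further role object classes, but ldapsubentry is what hides it from searches.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example

dn: ou=people,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people

dn: uid=cdaniels,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
cn: Charlene Daniels
sn: Daniels
uid: cdaniels

dn: cn=Directory Administrators,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: Directory Administrators

dn: cn=Managers,ou=people,dc=example,dc=com
objectClass: top
objectClass: ldapsubentry
cn: Managers
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Parse blank-line-separated LDIF records into dicts of lower-cased
    attribute name -> values. A line starting with one space continues the
    previous line (LDIF folding); base64 '::' values are not handled here."""
    entries: List[Entry] = []
    for record in text.strip().split("\n\n"):
        lines: List[str] = []
        for raw in record.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]              # folded continuation line
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        entry: Entry = {}
        for line in lines:
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def normalize_dn(dn: str) -> str:
    """Canonical form for DN comparison: lower case, no space around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def in_subtree(dn: str, base_dn: str) -> bool:
    """True when dn is base_dn itself or lies anywhere beneath it."""
    dn, base = normalize_dn(dn), normalize_dn(base_dn)
    return dn == base or dn.endswith("," + base)


def has_value(entry: Entry, attr: str, value: str) -> bool:
    """Case-insensitive equality match on one attribute."""
    return value.lower() in (v.lower() for v in entry.get(attr.lower(), []))


def subtree_search(entries: List[Entry], base_dn: str,
                   filt: Optional[str] = None) -> List[str]:
    """DNs under base_dn whose entry matches the optional '(attr=value)'
    equality filter. As the server does, ldapsubentry objects are left out
    unless the filter names that object class explicitly."""
    attr = value = ""
    if filt:
        attr, _, value = filt.strip("()").partition("=")
        attr, value = attr.strip().lower(), value.strip()
    wants_subentries = attr == "objectclass" and value.lower() == "ldapsubentry"
    found: List[str] = []
    for entry in entries:
        dn = entry["dn"][0]
        if not in_subtree(dn, base_dn):
            continue
        if has_value(entry, "objectclass", "ldapsubentry") and not wants_subentries:
            continue                              # hidden from normal searches
        if attr and not has_value(entry, attr, value):
            continue
        found.append(dn)
    return found


ENTRIES = parse_ldif(SAMPLE_LDIF)
```

A search based at ou=people returns the organizational unit and the user but not the cn=Managers subentry; only a filter of (objectClass=ldapsubentry) brings the role definition back, which is why an audit of roles or classes of service must ask for that class explicitly.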

    Distributing Directory Data

When you store various parts of a tree in separate databases, your directory can process client requests in parallel, improving performance. You can also store databases on different machines, to improve performance further.

To connect distributed data, you can create a special entry in a subtree of your directory. All LDAP operations attempted below this entry are sent to a remote machine where the entry is actually stored. This method is called chaining.


Chaining is implemented in the server as a plug-in, which is enabled by default. Using this plug-in, you create database links (special entries that point to data stored remotely). When a client application requests data from a database link, the database link retrieves the data from the remote database and returns it to the client.

Managing Data in Directory Server

The database is the basic unit of storage, performance, replication, and indexing. A variety of operations can be performed on a database, including importing, exporting, backing up, restoring, and indexing.

Importing Data

Sun ONE Directory Server provides three methods for importing data:

Importing from the Directory Server Console.

You can use the Directory Server Console to append data to all of your databases, including database links.

Initializing databases.

You can use the Directory Server Console to import data to one database. This method overwrites any data contained by the database.

Importing data from the command line.

You can import data using the command-line utilities ldif2db, ldif2db.pl, and ldif2ldap. These utilities are described in more detail in Chapter 4, A Quick Look at Directory Server Command-Line Utilities.

Exporting Data

You can use LDIF to export database entries from your databases. LDIF is a standard format described in RFC 2849, "The LDAP Data Interchange Format (LDIF) - Technical Specification."

Exporting data can be useful for the following:

    Backing up the data in your database

    Copying your data to another Directory Server

    Exporting your data to another application

    Repopulating databases after a change to your directory topology


You can use the Directory Server console or the command-line utilities db2ldif and db2ldif.pl to export data.

Backing Up and Restoring Data

You can use Directory Server Console or the db2bak command-line utility to back up directory data. Both methods allow you to perform a backup while the server is running, which prevents you having a period during which the directory is not accessible.

You can restore data from a previously generated backup using Directory Server Console or the command-line utilities bak2db and bak2db.pl. Restoring databases overwrites any existing database files. While restoring databases, the server must be running. However, the databases are unavailable for processing operations during the restore.

Indexing Data

Depending on the size of your databases, searches performed by client applications can take a lot of time and resources. You can use indexes to improve search performance.

Indexes are files stored in the directory databases. Separate index files are maintained for each database in the directory. Each file is named according to the attribute it indexes. The index file for a particular attribute can contain multiple types of indexes, allowing you to maintain several types of index for each attribute. For example, a file called givenName.db3 contains all the indexes for the givenName attribute.

Depending on the types of applications using your directory, you will use different types of index. Different applications may frequently search for a particular attribute, or may search your directory in a different language, or may require data in a particular format.

Sun ONE Directory Server supports the following types of index:

Presence index

The presence index lists entries that possess a particular attribute, such as uid.

Equality index

The equality index lists entries that contain a specific attribute value, such as cn=Charlene Daniels.

    Approximate index


The approximate index allows approximate (or "sounds-like") searches. For example, an entry contains the attribute value of cn=Charlene L. Daniels. An approximate search would return this value for searches against cn~=Charlene Daniels, cn~=Charlene, and cn~=Daniels.

Note that approximate indexes work only for English language entries, in ASCII characters.

Substring index

The substring index allows searches against substrings within entries. For example, a search for cn=*derson would match common names containing this string (such as Bill Anderson, Norma Henderson, and Steve Sanderson).

International index

Associates the object identifier (OID) of a locale with the attributes to be indexed to speed up searches in international directories.

Browsing index

The browsing, or virtual list view (VLV), index speeds up the display of entries in Directory Server Console. You can create a browsing index on any branch in your directory tree to improve the display performance.
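The following Python example, added here and not part of the guide, builds presence, equality, substring and approximate indexes over a few constructed entries and resolves the filter forms listed above, including cn=*derson and cn~=Charlene Daniels. The three-character substring keys and the use of Soundex for the sounds-like match are assumptions standing in for the server's own implementations, which the guide does not describe.

```python
"""Added example (not from the Sun ONE guide): build presence, equality,
substring and approximate indexes over constructed entries and resolve the
filter forms listed above. Substring keys are three-character slices of the
value with ^ and $ anchors (an assumption modelled on Directory Server's
substring index); Soundex stands in for the server's "sounds-like" match."""
import fnmatch
from collections import defaultdict
from typing import Dict, Set

# Constructed entries: DN -> attribute values (single-valued for brevity).
ENTRIES: Dict[str, Dict[str, str]] = {
    "uid=cdaniels,ou=people,dc=example,dc=com": {"cn": "Charlene L. Daniels", "uid": "cdaniels"},
    "uid=banderson,ou=people,dc=example,dc=com": {"cn": "Bill Anderson", "uid": "banderson"},
    "uid=nhenderson,ou=people,dc=example,dc=com": {"cn": "Norma Henderson", "uid": "nhenderson"},
    "cn=Steve Sanderson,ou=people,dc=example,dc=com": {"cn": "Steve Sanderson"},  # no uid
    "cn=Accounting Managers,ou=groups,dc=example,dc=com": {"cn": "Accounting Managers"},
}

SOUNDEX_CODES = {c: d for d, letters in {
    "1": "bfpv", "2": "cgjkqsxz", "3": "dt", "4": "l", "5": "mn", "6": "r"}.items() for c in letters}


def soundex(word: str) -> str:
    """Classic four-character Soundex code of one word (letters only)."""
    word = "".join(ch for ch in word.lower() if ch.isalpha())
    if not word:
        return ""
    out, last = word[0].upper(), SOUNDEX_CODES.get(word[0], "")
    for ch in word[1:]:
        code = SOUNDEX_CODES.get(ch, "")
        if code and code != last:
            out += code
        if ch not in "hw":            # h and w do not separate equal codes
            last = code
    return (out + "000")[:4]


def substring_keys(text: str) -> Set[str]:
    """Three-character index keys of a value or of one filter piece."""
    return {text[i:i + 3] for i in range(len(text) - 2)}


def build_indexes(entries: Dict[str, Dict[str, str]], attr: str) -> Dict[str, dict]:
    """Presence, equality, substring and approximate indexes for one attribute."""
    pres: Set[str] = set()
    eq, sub, approx = defaultdict(set), defaultdict(set), defaultdict(set)
    for dn, attrs in entries.items():
        value = attrs.get(attr)
        if value is None:
            continue
        pres.add(dn)
        eq[value.lower()].add(dn)
        for key in substring_keys("^" + value.lower() + "$"):
            sub[key].add(dn)
        for word in value.split():
            approx[soundex(word)].add(dn)
    return {"pres": pres, "eq": eq, "sub": sub, "approx": approx}


def search(entries: Dict[str, Dict[str, str]], indexes: Dict[str, dict], filt: str) -> Set[str]:
    """Resolve one filter: attr=* (presence), attr=value (equality),
    attr=*pattern* (substring) or attr~=words (approximate)."""
    if "~=" in filt:
        attr, words = filt.split("~=", 1)
        sets = [indexes[attr]["approx"].get(soundex(w), set()) for w in words.split()]
        return set.intersection(*sets) if sets else set()
    attr, pattern = filt.split("=", 1)
    idx, pattern = indexes[attr], pattern.lower()
    if pattern == "*":
        return set(idx["pres"])
    if "*" not in pattern:
        return set(idx["eq"].get(pattern, set()))
    # Substring: anchor the pattern like the stored values, intersect the
    # candidate sets of every key, then verify against the real value, since
    # keys only narrow the candidates (pieces shorter than 3 chars add none).
    anchored = ("" if pattern.startswith("*") else "^") + pattern + \
               ("" if pattern.endswith("*") else "$")
    candidates = set(idx["pres"])
    for piece in anchored.split("*"):
        for key in substring_keys(piece):
            candidates &= idx["sub"].get(key, set())
    return {dn for dn in candidates
            if fnmatch.fnmatchcase(entries[dn][attr].lower(), pattern)}


INDEXES = {"cn": build_indexes(ENTRIES, "cn"), "uid": build_indexes(ENTRIES, "uid")}
```

Note that an equality filter for cn=Charlene Daniels finds nothing because the stored value is Charlene L. Daniels; only the approximate index bridges that gap, which is the trade-off between exact and sounds-like matching the text describes.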

Directory Server Schema

Directory schema maintains the integrity of the data stored in your directory by imposing constraints on the size, range, and format of data values. You decide what types of entries your directory contains (people, devices, organizations, and so forth) and the attributes available to each entry.

The predefined schema included with Directory Server contains both the standard LDAP schema as well as additional application-specific schema to support the features of the server. While this schema meets most directory needs, you may need to extend it with new object classes and attributes to accommodate the unique needs of your directory. Refer to the Sun ONE Directory Server Deployment Guide for information on extending the schema.

The following sections describe the format, standard attributes, and object classes included in the Sun ONE standard schema.


    Schema Format

    Directory Server bases its schema format on version 3 of the LDAP protocol (LDAPv3). This protocol requires directory servers to publish their schemas through LDAP itself, allowing directory client applications to retrieve the schema and adapt their behavior based on it. The global set of schema for Directory Server can be found in the entry named cn=schema.

    Directory Server schema differs slightly from the LDAPv3 schema, as it uses its own proprietary object classes and attributes. In addition, it uses a private field in the schema entries called X-ORIGIN, which describes where the schema entry was defined originally. For example, if a schema entry is defined in the standard LDAPv3 schema, the X-ORIGIN field refers to RFC 2252. If the entry is defined by Sun Microsystems, Inc. for Directory Server's use, the X-ORIGIN field contains the value Sun ONE Directory Server.

    For example, the standard person object class appears in the schema as follows:

    objectClasses: ( 2.5.6.6 NAME 'person' DESC 'Standard LDAP objectclass' SUP top MUST ( sn $ cn ) MAY ( description $ seeAlso $ telephoneNumber $ userPassword ) X-ORIGIN 'RFC 2256' )

    This schema entry states the object identifier, or OID, for the class (2.5.6.6), the name of the object class (person), a description of the class (Standard Person Object Class), then lists the required attributes (objectclass, sn, and cn) and the allowed attributes (description, seealso, telephoneNumber, and userPassword).

    Standard Attributes

    Attributes hold specific data elements such as a name or a fax number. Directory Server represents data as attribute-data pairs, a descriptive attribute associated with a specific piece of information. For example, the directory can store a piece of data such as a person's name in a pair with the standard attribute, in this case commonName (cn). So, an entry for a person named Charlene Daniels has the following attribute-data pair:

    cn: Charlene Daniels

    In fact, the entire entry is represented as a series of attribute-data pairs. The entire entry for Charlene Daniels might appear as follows:

    dn: uid=cdaniels, ou=people, dc=example,dc=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    cn: Charlene Daniels
    sn: Daniels
    givenName: Charlene
    givenName: Charlie
    mail: [email protected]

    Notice that the entry for Charlene contains multiple values for some of the attributes. The attribute givenName appears twice, each time with a unique value. The object classes that appear in this example are explained in the next section, "Standard Object Classes."

    In the schema, each attribute d efinition contains the following information:

    A unique name

    An object identifier (OID) for the attribute

    A text description of the attribute

    The OID of the at tr ibute syntax

    Indications of whether the attribute is single-valued or multi-valued, whether the attribute is for the directory's own use, the origin of the attribute, and any additional matching rules associated with the attribute.

    For example, the cn attribute definition appears in the schema as follows:

    attributetypes: ( 2.5.4.3 NAME 'cn' DESC 'commonName Standard Attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

    The SYNTAX is the OID of the syntax for values of the attribute. For a complete description of the attribute syntax definitions, see "About Schema" in the Sun ONE Directory Server Reference Manual. For more information about the LDAPv3 schema format, refer to the LDAPv3 Attribute Syntax Definitions document (RFC 2252).

    Standard Object Classes

    Object classes are used to group related information. Typically, an object class represents a real object, such as a person or a fax machine. Before you can use an object class and its attributes in your directory, it must be identified in the schema.

    The directory recognizes a standard list of object classes by default. For more information, refer to Chapter 10, "Object Class Reference" in the Sun ONE Directory Server Reference Manual.

    Each directory entry belongs to one or more object classes. Once you place an object class identified in your schema on an entry, you are telling Directory Server that the entry can have a certain set of attribute values and must have another, usually smaller, set of attribute values.

    Object class d efinitions contain the following information:


    A unique name

    An object identifier (OID) that names the object

    A set of mandatory attributes

    A set of allowed attributes

    For an example of a standard object class as it appears in the schema, refer to "Schema Format," on page 36.
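As an added example (not code from the guide or from Directory Server), the following Python parses object class and attribute type definitions written in the schema format shown above, resolves the MUST and MAY lists through the SUP chain, and checks the Charlene Daniels entry against them. The 'person' and 'cn' definitions are the ones quoted in the guide; the definitions for top, organizationalPerson and inetOrgPerson are simplified stand-ins, and the mail address is constructed.

```python
"""Parse LDAPv3 schema definitions in the format the guide shows and check an
LDIF entry against the MUST/MAY lists of its object classes. Added example: the
'person' class, the 'cn' attribute and ENTRY are quoted from the guide (with a
constructed mail address); the other definitions are minimal stand-ins."""
import re

SCHEMA = """\
objectClasses: ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
objectClasses: ( 2.5.6.6 NAME 'person' DESC 'Standard LDAP objectclass' SUP top MUST ( sn $ cn ) MAY ( description $ seeAlso $ telephoneNumber $ userPassword ) X-ORIGIN 'RFC 2256' )
objectClasses: ( 2.5.6.7 NAME 'organizationalPerson' SUP person MAY ( ou $ facsimileTelephoneNumber ) )
objectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizationalPerson MAY ( uid $ mail $ givenName ) )
attributeTypes: ( 2.5.4.3 NAME 'cn' DESC 'commonName Standard Attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
"""

def _names(keyword, body):
    """Names following KEYWORD: one bare name or a '( a $ b )' list; [] if absent."""
    m = re.search(r"\b" + keyword + r"\s+(?:\(([^)]*)\)|([\w.-]+))", body)
    if m and m.group(1) is not None:
        return [n.strip() for n in m.group(1).split("$") if n.strip()]
    return [m.group(2)] if m else []

def parse_schema(text):
    """Return (object classes, attribute types), each keyed by lower-case name."""
    classes, attrs = {}, {}
    for line in text.strip().splitlines():
        kind, _, body = [s.strip() for s in line.partition(":")]
        oid = body[1:].split()[0]                       # first token after '('
        name = re.search(r"NAME\s+'([^']+)'", body).group(1)
        if kind.lower() == "objectclasses":
            classes[name.lower()] = {"oid": oid, "sup": _names("SUP", body),
                                     "must": _names("MUST", body), "may": _names("MAY", body)}
        else:   # attribute type: keep the OID and the syntax OID the guide points out
            attrs[name.lower()] = {"oid": oid, "syntax": re.search(r"SYNTAX\s+([\d.]+)", body).group(1)}
    return classes, attrs

def effective_attrs(classes, class_name):
    """MUST and MAY sets of a class, including everything inherited through SUP."""
    must, may, todo, seen = set(), set(), [class_name.lower()], set()
    while todo:
        c = todo.pop()
        if c in seen or c not in classes:
            continue
        seen.add(c)
        must.update(a.lower() for a in classes[c]["must"])
        may.update(a.lower() for a in classes[c]["may"])
        todo.extend(s.lower() for s in classes[c]["sup"])
    return must, may

def parse_ldif(text):
    """Attribute-data pairs of one LDIF entry; a repeated attribute becomes a list."""
    entry = {}
    for line in text.strip().splitlines():
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def check_entry(entry, classes):
    """Schema violations found in ENTRY (an empty list when it conforms)."""
    classes_used = entry.get("objectclass", [])
    problems = [f"unknown object class {oc}" for oc in classes_used if oc.lower() not in classes]
    must, may = set(), set()
    for oc in classes_used:
        m, a = effective_attrs(classes, oc)
        must, may = must | m, may | a
    problems += [f"missing required attribute {a}" for a in sorted(must - set(entry))]
    problems += [f"attribute {a} not allowed by the entry's object classes"
                 for a in entry if a != "dn" and a not in must and a not in may]
    return problems

ENTRY = """\
dn: uid=cdaniels, ou=people, dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Charlene Daniels
sn: Daniels
givenName: Charlene
givenName: Charlie
mail: cdaniels@example.com
"""
```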

    Groups, Roles and Classes of Service

    Information in the directory is organized hierarchically. This hierarchy is a grouping mechanism, although it is not well suited for associations between dispersed entries, for frequently changing organizations, or for data that is repeated in many entries.

    As a solution, groups and roles provide more flexible associations between entries, and class of service simplifies the management of data that is shared within branches of your directory.

    Static and Dynamic Groups

    A group is an entry that specifies the other entries that are its members. When you know the name of a group, it is easy to retrieve all of its member entries.

    Static groups explicitly name their member entries. Static groups are suitable for groups with few members, such as the group of directory administrators.

    Dynamic groups specify a filter, and all entries that match are members of the group. These groups are dynamic because membership is defined every time the filter is evaluated.

    The advantage of groups is that they make it easy to find all of their members. Static groups may simply be enumerated, and the filters in dynamic groups may simply be evaluated. The disadvantage of groups is that given an arbitrary entry, it is difficult to name all the groups of which it is a member.

    Managed, Filtered and Nested Roles

    Roles are an alternative entry grouping mechanism that automatically identifies all roles of which any entry is a member. When you retrieve an entry in the directory, you immediately know the roles to which it belongs. This overcomes the main disadvantage of the group mechanism.


    Managed roles are the equivalent of static groups, except that membership is defined in each member entry and not in the role definition entry.

    Filtered roles are similar to dynamic groups. They define a filter that determines the members of the role.

    Nested roles name other role definitions, including other nested roles. The set of members of a nested role is the union of all members of the roles it contains. Nested roles may also define extended scope to include the members of roles in other subtrees.

    Class of Service

    The class of service (CoS) mechanism allows attributes to be shared between entries in a way that is invisible to applications. CoS does not define membership but rather allows related entries to share data for coherence and space considerations.

    For example, a directory may contain thousands of entries that all have the same value for the facsimileTelephoneNumber attribute. Traditionally, to change the fax number, you would need to update each entry individually, a large job for administrators that runs the risk of not updating all entries. Using CoS, the fax number is stored in a single place, and the directory server automatically generates the facsimileTelephoneNumber attribute on every concerned entry as it is returned.

    To client applications, a generated CoS attribute is retrieved just as any other attribute. However, directory administrators now have only a single fax value to manage. In addition, because there are fewer values actually stored in the directory, the database uses less disk space. In general, a stored attribute value will take precedence over a CoS generated value for the same attribute. However, the CoS mechanism can also override stored values, or generate multiple values for the same attribute.
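The precedence rules just described, as an added Python example (not the server's code): one CoS definition supplies a shared fax number to every entry under ou=people, and its mode decides what happens when an entry already stores a value of its own. The entries, fax numbers and the mode names 'default', 'override' and 'merge' are constructed for this example.

```python
"""Model of class of service (CoS) value generation and the precedence rules
the guide describes. Added example with constructed entries; the mode names
'default', 'override' and 'merge' are this example's, not server keywords."""
from dataclasses import dataclass

@dataclass
class CosDefinition:
    scope: str             # entries whose DN ends with this suffix receive the values
    attribute: str         # attribute the server generates on each such entry
    values: list           # shared values, stored once in the CoS template
    mode: str = "default"  # 'default' | 'override' | 'merge'

def apply_cos(entry, definitions):
    """Return the entry as a client reads it: stored attributes plus the
    CoS-generated ones. A stored value wins over a 'default' CoS value,
    'override' replaces the stored value and 'merge' returns both."""
    view = {k.lower(): list(v) for k, v in entry.items()}
    dn = view["dn"][0].replace(" ", "").lower()
    for cos in definitions:
        if not dn.endswith(cos.scope.replace(" ", "").lower()):
            continue
        attr = cos.attribute.lower()
        stored = view.get(attr, [])
        if cos.mode == "override" or not stored:
            view[attr] = list(cos.values)
        elif cos.mode == "merge":
            view[attr] = stored + [v for v in cos.values if v not in stored]
        # 'default' with a stored value: the stored value takes precedence
    return view

def stored_value_count(entries, attribute):
    """Values of ATTRIBUTE physically stored in the entries (the shared value
    lives once in the template, so this stays small however many entries)."""
    return sum(len(e.get(attribute, [])) for e in entries)

# Constructed entries: only Norma stores a fax number of her own.
ENTRIES = [
    {"dn": ["uid=cdaniels,ou=people,dc=example,dc=com"], "cn": ["Charlene Daniels"]},
    {"dn": ["uid=banderson,ou=people,dc=example,dc=com"], "cn": ["Bill Anderson"]},
    {"dn": ["uid=nhenderson,ou=people,dc=example,dc=com"], "cn": ["Norma Henderson"],
     "facsimileTelephoneNumber": ["+1 555 0100"]},
    {"dn": ["cn=printer1,ou=devices,dc=example,dc=com"], "cn": ["printer1"]},
]
SHARED_FAX = "+1 555 0199"   # constructed value held once in the template

def fax_numbers(mode="default"):
    """Fax number each entry returns to clients with one CoS definition
    covering ou=people in the given mode; the device entry is out of scope."""
    cos = CosDefinition("ou=people,dc=example,dc=com", "facsimileTelephoneNumber",
                        [SHARED_FAX], mode)
    return [apply_cos(e, [cos]).get("facsimiletelephonenumber", []) for e in ENTRIES]
```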

    Security in Directory Server

    Sun ONE Directory Server provides the following security methods:

    Authentication

    A means whereby one party verifies another's identity. For example, a client gives a password to Directory Server during a bind operation (the first request the server receives from a client).

    Password policy


    Defines the criteria that a password must satisfy to be considered valid, for example, age, length, and syntax.

    Encryption

    Protects the privacy of information. When data is encrypted, it is converted into a form that only the intended recipient can understand.

    Access control

    Controls the access rights granted to different directory users, and provides a means of specifying required credentials or bind attributes.

    Account inactivation

    Disables a user account, group of accounts or an entire domain so that all authentication attempts are automatically rejected.

    Signing with SSL

    Maintains the integrity of information. If information is signed, the recipient can determine that it was not tampered with during transit.

    Auditing

    Allows you to determine if the security of your directory has been compromised. For example, you can audit the log files maintained by your directory.

    These tools for maintaining security can be used in combination in your security design. You can also use other features of the directory such as replication and data distribution to support your security design.

    Replication in Directory Server

    Replication is the mechanism that automatically copies directory data from one Directory Server to another. Using replication, you can copy any directory tree or subtree (stored in its own database), or specific attributes of entries between servers. The Directory Server that holds the master copy of the information automatically copies updates to the other servers.

    Replication enables you to provide a highly available directory service, and to geographically distribute your data. In practical terms, replication brings the following benefits:

    Fault tolerance/Failover


    By replicating directory trees to multiple servers, you can ensure your directory is available even if some hardware, software, or network problem prevents your directory client applications from accessing a particular Directory Server. Your clients are referred to another directory server for read and write operations. Note that to support write failover you must have a multi-master replication environment (see the definition of "Masters" on page 41 for more information).

    Load balancing

    By replicating your directory tree across servers, you can reduce the access load on any given machine, thereby improving server response time.

    Higher performance and reduced response times

    By replicating directory entries to a location close to your users, you can vastly improve directory response times.

    Local data management

    Replication allows you to own and manage data locally while sharing it with other Directory Servers across your organization.

    Replication Concepts

    Replica

    A replica refers to a database that participates in replication. A replica can take on one of the following roles:

    Master

    A master is a read-write database that contains a master copy of the directory data and accepts update requests from directory clients. A master replica can be one of a set of multiple masters, or a single master. Multi-masters accept replication from other masters. Single masters do not accept replication from other replicas.

    Dedicated Consumer

    A dedicated consumer is a read-only database that contains a copy of the information held in the master replica. Thus, a consumer replica accepts replication from one or more masters. A consumer replica can process search requests from directory clients but refers update requests to the master replica. This is known as referral.

    Hub

    A hub is also a read-only database, like a consumer replica. A hub accepts replication from one or more masters but is also able to replicate to consumers. A hub does not accept client updates.


    The following figure shows a basic multi-master replication scenario, indicating the three different roles that a replica can have and the processes that occur between replicas.

    Figure 2-3 Basic Multi-Master Replication Scenario

    [Figure: Master 1 and Master 2, a Hub, Consumer 1, Consumer 2 and Consumer 3, and two Clients; arrows labelled Update, Replication and Referral]

    Supplier Servers and Consumer Servers

    In any replication scenario, the replica sending updates is called a supplier and the server that receives updates is called a consumer. Therefore, a server that manages a master replica that it replicates to other servers is called a supplier server or master server. A server that manages a consumer replica that is updated by a different server is called a consumer server.

    Note that a server can be both a supplier and a consumer. This is true in the following cases:

    When Directory Server manages a combination of master replicas and consumer replicas.

    When Directory Server acts as a hub supplier, that is, it receives updates from a master server and replicates the changes to consumer servers. This is known as cascading replication.

    When a master replica is mastered on two different Directory Servers, each Directory Server acts as a supplier and a consumer of the other Directory Server. This is known as multi-master replication.

    In Sun ONE Directory Server 5.2, replication is always initiated by the supplier server, never by the consumer server. In other words, replication is supplier-initiated. In setting up replication, you configure one or more supplier servers to push data to one or more consumer servers.

    For any particular replica, the supplier server must:

    Respond to read, add and modify requests from directory clients.

    Maintain state information and a change log for the replica.

    Initiate replication to consumer servers.

    The supplier server is always responsible for recording the changes made to the supplier replicas that it manages. It makes sure that any changes are replicated to consumer servers.

    A consumer server must:

    Respond to read requests.

    Refer add and modify requests to the supplier server for the replica.

    Any time a request to add, delete, or change an entry is received by a consumer server, the request is referred to the supplier for the replica. The supplier server performs the request, then replicates the change.

    In the special case of cascading replication, the hub supplier must:

    Respond to read requests.

    Refer add and modify requests to the supplier server for the replica.

    Initiate replication to consumer servers.


    Change Log

    Each supplier server maintains a change log. A change log is a record that describes the modifications that have occurred on a supplier replica. The supplier server replays these modifications to the replicas stored on consumer servers, or to other masters in the case of multi-master replication.

    When an entry is modified, added or deleted, a change record describing the LDAP operation that was performed is recorded in the change log.

    Unit of Replication

    In Sun ONE Directory Server 5.2, the smallest unit of replication is a database. The replication mechanism also requires that one database correspond to one suffix. You cannot replicate a suffix that is distributed over two or more databases.

    Fractional Replication

    Fractional replication is a new feature in Sun ONE Directory Server 5.2 and refers to the ability to replicate only certain attributes of an entry. In fractional replication, all entries in a database are replicated, but certain attributes of these entries may be filtered out. For example, a bank may wish to replicate all the details of its customers' accounts, other than their credit card numbers. Using fractional replication, the bank can exclude only the attribute that relates to the credit card number from the data that is replicated.

    Replication Agreement

    Directory Server uses replication agreements to define replication. A replication agreement describes replication between one supplier and one consumer. The agreement is configured on the supplier server and identifies the following:

    The database to replicate.

    The consumer server to which the data is pushed.

    The times during which replication can occur.

    The DN and credentials the supplier server must use to bind to the consumer, called the Replication Manager entry or supplier bind DN.

    How the connection is secured (SSL, client authentication).

    Replication Identity

    When replication occurs between two servers, the consumer server authenticates the supplier when it binds to send replication updates. This authentication process requires that the entry used by the supplier to bind to the consumer is stored on the consumer server. This entry is called the Replication Manager entry, or supplier bind DN.


    The Replication Manager entry, or any entry you create to fulfill that role, must meet the following criteria:

    There must be at least one on every server that manages consumer replicas (or hub replicas).

    This entry must not be part of the replicated data for security reasons.

    When you configure replication between two servers, you must identify the Replication Manager (supplier bind DN) on both servers:

    On the consumer server or hub supplier, when you configure the consumer replica or hub replica, you must specify this entry as the one authorized to perform replication updates.

    On the supplier server, when you configure the replication agreement, you must specify the DN of this entry in the replication agreement.

    NOTE This entry has a special user profile that bypasses all access control rules defined on the consumer server.

    NOTE In the Directory Server Console, the Replication Manager entry is referred to as the supplier bind DN, which may be misleading as the entry does not exist on the supplier server. It is called the supplier bind DN because it is the entry that must be present on the consumer so that it can authenticate the supplier when it binds to provide replication updates to the consumer.
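An added Python model (not Directory Server's own code) of the replication concepts described above, from the change log through the Replication Manager entry: a master records client updates in a change log and pushes them to a hub, which cascades them to a consumer; the master's agreement excludes one attribute (fractional replication); a consumer refers client writes to the master; and a supplier refuses an agreement whose bind DN is not the Replication Manager on the consumer or lies inside the replicated suffix. Server names, DNs, the entry and the card value are constructed.

```python
"""Model of replication as the guide describes it for Directory Server 5.2:
supplier-initiated push from a change log, hub cascading, fractional
replication and write referrals on consumers. Added example; the classes and
the in-memory data are constructed, not the server's own code or format."""
from dataclasses import dataclass

def in_suffix(dn, suffix):
    """True when DN lies inside SUFFIX (case-insensitive, spaces ignored)."""
    return dn.replace(" ", "").lower().endswith(suffix.replace(" ", "").lower())

@dataclass
class Agreement:
    consumer: "Server"
    bind_dn: str          # Replication Manager entry held on the consumer
    excluded: frozenset   # attributes filtered out (fractional replication)
    sent: int = 0         # change log records already replayed to this consumer

class Server:
    def __init__(self, name, suffix, role, rep_manager=None, master=None):
        self.name, self.suffix, self.role = name, suffix, role   # role: master | hub | consumer
        self.rep_manager = rep_manager   # DN allowed to push updates to this server
        self.master = master             # where a read-only replica refers writes
        self.data = {}                   # replicated suffix: dn -> {attr: [values]}
        self.changelog = []              # (op, dn, attrs), kept by suppliers
        self.agreements = []

    def client_update(self, dn, attrs):
        """Update from an LDAP client: a master applies and logs it, a hub or
        consumer returns a referral to the master instead."""
        if self.role != "master":
            return {"result": "referral", "ref": self.master}
        self.data.setdefault(dn, {}).update(attrs)
        self.changelog.append(("modify", dn, dict(attrs)))
        return {"result": "success"}

    def add_agreement(self, consumer, bind_dn, excluded=()):
        """Configure an agreement on this supplier after checking the guide's two
        rules for the Replication Manager entry; returns None or a refusal reason."""
        if in_suffix(bind_dn, self.suffix):
            return "Replication Manager must not be part of replicated data"
        if consumer.rep_manager != bind_dn:
            return "bind DN is not the Replication Manager on " + consumer.name
        self.agreements.append(Agreement(consumer, bind_dn, frozenset(a.lower() for a in excluded)))
        return None

    def replicate(self):
        """Supplier-initiated: replay new change log records to each consumer,
        dropping excluded attributes; a hub then cascades to its own consumers."""
        for ag in self.agreements:
            for op, dn, attrs in self.changelog[ag.sent:]:
                kept = {a: v for a, v in attrs.items() if a.lower() not in ag.excluded}
                ag.consumer.receive_update(ag.bind_dn, op, dn, kept)
            ag.sent = len(self.changelog)
            if ag.consumer.role == "hub":
                ag.consumer.replicate()

    def receive_update(self, bind_dn, op, dn, attrs):
        """Consumer side: apply the update only when the supplier bound as the
        Replication Manager; returns False (nothing applied) otherwise."""
        if bind_dn != self.rep_manager:
            return False
        self.data.setdefault(dn, {}).update(attrs)
        if self.role == "hub":
            self.changelog.append((op, dn, attrs))   # recorded for cascading
        return True

def demo():
    """The guide's bank scenario: replicate customer entries but exclude the
    credit card attribute (constructed entry and card value)."""
    mgr = "cn=Replication Manager,cn=config"   # outside dc=example,dc=com
    master = Server("master", "dc=example,dc=com", "master")
    hub = Server("hub", "dc=example,dc=com", "hub", rep_manager=mgr, master="master")
    consumer = Server("consumer", "dc=example,dc=com", "consumer", rep_manager=mgr, master="master")
    master.add_agreement(hub, mgr, excluded=["creditCardNumber"])
    hub.add_agreement(consumer, mgr)
    dn = "uid=cdaniels,ou=people,dc=example,dc=com"
    master.client_update(dn, {"cn": ["Charlene Daniels"], "creditCardNumber": ["0000-0000-0000-0000"]})
    master.replicate()
    return master, hub, consumer
```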


    What's New in Sun ONE Directory Server 5.2

    Sun ONE Directory Server 5.2 contains the following new features and enhancements:

    Updated and improved server management console

    Directory Server Console now offers a simplified interface for configuring replication and provides support for IPv6. For details on the new console, refer to "Using the Directory Server Console" in the Sun ONE Directory Server Administration Guide.

    Enhanced replication functionality

    New replication features include:

    Support for 4-way multi-master replication

    Support for multi-master replication over WAN

    Online promotion and demotion of servers

    Fractional replication (the ability to replicate a subset of attributes)

    The following replication monitoring tools:

    insync - indicates the synchronization state between a master replica and one or more consumer replicas.

    entrycmp - compares the attributes and values of the same entry on two different servers.

    repldisc - enables you to discover a replication topology, constructing a graph of all known servers and displaying a matrix describing the topology.

    Note that these tools are also compatible with Directory Server 5.1 Service Packs 1 and 2.

    Improved replication failover

    Improved concurrent replication updates

    Concurrent changes can be received on a single consumer from multiple suppliers.

    Within a replication session, multiple updates can be replayed concurrently.

    Directory access through DSMLv2


    Support for IPv6

    Large cache support (64-bit)

    Ability for LDAP clients to obtain their effective access rights

    A simplified migration process from version 4.x and 5.x to version 5.2

    Multiple password policies

    An interactive GUI installer

    Support for startTLS on Windows

    Improved error logging

    Flexible role scope

    Ability to use virtual attributes in search filters

    The ability to encrypt attributes other than passwords

    Support for Sun Crypto Accelerator 1000 Board

    Performance improvements

    Advanced binary copy

    Enables the cloning of master or consumer replicas using the binary backup files from one server to restore the identical directory contents on another server.

    These new features are documented in the Sun ONE Directory Server Administration Guide and the Sun ONE Directory Server Deployment Guide.


    Chapter 3


    A Quick Look at Directory Server Console

    This chapter provides practical examples (using Directory Server Console) of the features described in the previous chapter. It walks you through the essential tasks you need to perform to have an overview of how Directory Server works. Information on how the command-line utilities are used to perform these tasks is

    provided