eTrust Directory Administrator Guide

Transcription

eTrust Directory Administrator Guide
eTrust Directory

Administrator Guide
r8, Service Pack 1
G00505-4E
This documentation and related computer software program (hereinafter referred to as the “Documentation”) is for
the end user’s informational purposes only and is subject to change or withdrawal by Computer Associates
International, Inc. (“CA”) at any time.
This documentation may not be copied, transferred, reproduced, disclosed or duplicated, in whole or in part, without
the prior written consent of CA. This documentation is proprietary information of CA and protected by the copyright
laws of the United States and international treaties.
Notwithstanding the foregoing, licensed users may print a reasonable number of copies of this documentation for
their own internal use, provided that all CA copyright notices and legends are affixed to each reproduced copy. Only
authorized employees, consultants, or agents of the user who are bound by the confidentiality provisions of the
license for the software are permitted to have access to such copies.
This right to print copies is limited to the period during which the license for the product remains in full force and
effect. Should the license terminate for any reason, it shall be the user’s responsibility to return to CA the reproduced
copies or to certify to CA that same have been destroyed.
To the extent permitted by applicable law, CA provides this documentation “as is” without warranty of any kind,
including without limitation, any implied warranties of merchantability, fitness for a particular purpose or
noninfringement. In no event will CA be liable to the end user or any third party for any loss or damage, direct or
indirect, from the use of this documentation, including without limitation, lost profits, business interruption,
goodwill, or lost data, even if CA is expressly advised of such loss or damage.
The use of any product referenced in this documentation and this documentation is governed by the end user’s
applicable license agreement.
The manufacturer of this documentation is Computer Associates International, Inc.
Provided with “Restricted Rights” as set forth in 48 C.F.R. Section 12.212, 48 C.F.R. Sections 52.227-19(c)(1) and (2) or
DFARS Section 252.227-7013(c)(1)(ii) or applicable successor provisions.
 2005 Computer Associates International, Inc.
All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.
Contents
Chapter 1: Introduction
eTrust Directory Modules .....................................................................
DXserver .................................................................................
The Relational Database Management System (RDBMS) ......................................
Configuration Files ........................................................................
DXtools ..................................................................................
Samples ..................................................................................
RDBMS Tools .............................................................................
DXwebserver .............................................................................
eTrust Directory Glossary .....................................................................
1-2
1-2
1-3
1-3
1-3
1-4
1-5
1-5
1-6
Chapter 2: DXserver Overview
What is DXserver? ............................................................................ 2-1
DXserver Configuration Files .................................................................. 2-2
DXserver File Directories .................................................................. 2-2
Sample Configuration Files ................................................................ 2-4
Configuration File Types .................................................................. 2-4
The Initialization File ...................................................................... 2-5
Configuration Grouping Files .............................................................. 2-6
Knowledge Files .......................................................................... 2-7
DXserver Commands ......................................................................... 2-9
The dxserver Command - Install, Start, or Stop the DXserver .................................. 2-9
DXserver Script Language .................................................................... 2-11
Configuration Files ....................................................................... 2-11
Command Syntax ........................................................................ 2-12
Script Files .............................................................................. 2-13
Script File Errors and Debugging .......................................................... 2-13
DXconsole .................................................................................. 2-14
DXconsole Security....................................................................... 2-14
Opening DXconsole ...................................................................... 2-14
Contents
iii
Closing DXconsole........................................................................ 2-15
Configuring DXconsole ................................................................... 2-16
Help Command .......................................................................... 2-21
Command Shortcuts ...................................................................... 2-22
Databases ................................................................................... 2-23
Multiple DSA Processes to One DIT/DIB ................................................... 2-23
Multiple Directory Databases on One Machine .............................................. 2-24
Hot Swap ................................................................................ 2-24
Port Numbers Used by eTrust Directory ........................................................ 2-25
Ports Used by eTrust Directory Components ................................................ 2-25
Ports Used by Sample Tools and Sample DSAs .............................................. 2-26
Chapter 3: General Administration
Defining DSAs with the set dsa Command ....................................................... 3-1
The set dsa Command Syntax ............................................................... 3-2
The set dsa Command Parameters .......................................................... 3-3
Setting DSA Port Numbers ................................................................. 3-4
Viewing Communications Settings .......................................................... 3-4
Alarms, Traces, and Logs ...................................................................... 3-5
Alarms ................................................................................... 3-5
Traces .................................................................................... 3-5
Logs...................................................................................... 3-8
Associations ................................................................................. 3-13
The assoc Command Options .............................................................. 3-13
Viewing Association Configuration ........................................................ 3-15
Viewing Associations ..................................................................... 3-16
Tracing Associations ...................................................................... 3-16
Stopping a DSA .......................................................................... 3-16
Association Times ........................................................................ 3-17
Controlling Binds ......................................................................... 3-17
Aborting Associations .................................................................... 3-18
Concurrent Associations .................................................................. 3-18
Association Queues ....................................................................... 3-19
Local Operations ............................................................................. 3-20
The oper Commands...................................................................... 3-20
Viewing Operation Configuration .......................................................... 3-22
Viewing Operation Statistics ............................................................... 3-22
Concurrent Operations .................................................................... 3-23
Administration Limits .................................................................... 3-23
Operational Attributes .................................................................... 3-23
iv
eTrust Directory Administrator Guide
Access Controls ..........................................................................
Read Only ...............................................................................
Abandoning Operations ..................................................................
The Directory Information Base ...............................................................
Viewing DIB Configuration ...............................................................
Database Name ..........................................................................
Manage Connections to the Database ......................................................
Alias Integrity ...........................................................................
Counting Entries .........................................................................
Rejecting All list Commands ..............................................................
Rejecting All Unfiltered Searches ..........................................................
Password Storage ........................................................................
Indexing Options ........................................................................
DXcache ....................................................................................
How DXcache Works .....................................................................
Design the DXcache System ...............................................................
Enable and Configure DXcache ............................................................
View the DXcache Configuration ..........................................................
Keep DXcache Synchronized with the Database .............................................
Use eTrust Directory in Cache-Only Mode..................................................
Virtual Attributes ............................................................................
Dynamic Groups .........................................................................
Class of Service Templates ................................................................
Knowledge Flags ............................................................................
The Three Kinds of Knowledge Flags ......................................................
List of all DSA Flags ......................................................................
List of all Trust Flags .....................................................................
List of all Link Flags ......................................................................
3-23
3-24
3-24
3-25
3-26
3-26
3-27
3-27
3-28
3-28
3-29
3-29
3-30
3-32
3-32
3-33
3-33
3-37
3-37
3-38
3-40
3-40
3-43
3-48
3-48
3-52
3-53
3-54
Chapter 4: Schema Definition
Configuring Schema ..........................................................................
Grouping Schema .........................................................................
Managing Schema ........................................................................
Schema Commands .......................................................................
Viewing Schema ..........................................................................
Schema Prefixes...........................................................................
Attributes ....................................................................................
Attribute Syntaxes ........................................................................
Attribute Checking ........................................................................
Syntax Aliases for Unsupported Attribute Syntax ............................................
Contents
4-2
4-2
4-3
4-3
4-4
4-4
4-5
4-6
4-7
4-7
v
Attribute Sets ............................................................................. 4-8
Attribute Names .......................................................................... 4-8
Unique Attributes ......................................................................... 4-9
Changing the Schema Definition for Attributes in Use........................................ 4-12
Object Classes ................................................................................ 4-14
Object Class Kind ......................................................................... 4-14
Object Class Checking .................................................................... 4-15
Object Class Storage ...................................................................... 4-16
Name Bindings .............................................................................. 4-18
Name Binding Checks .................................................................... 4-18
Name Bindings and Structural Object Classes ............................................... 4-19
Name Bindings and Aliases ............................................................... 4-19
Considerations for Schemas that Do Not Support Name Binding .............................. 4-19
Defining Local Schema........................................................................ 4-20
Chapter 5: Distribution and DSP
Managing DSP ................................................................................ 5-2
DSP Command Options .................................................................... 5-2
Knowledge References ..................................................................... 5-3
Remote Operations ........................................................................ 5-4
Limiting Remote Operations ................................................................ 5-4
Remote Connections ....................................................................... 5-5
Unbinding Remote Connections ............................................................ 5-5
Incoming DSP Credentials .................................................................. 5-6
Outgoing DSP Credentials.................................................................. 5-6
Distributed Searches (Multi-Chaining) ....................................................... 5-6
Limiting Multi-Chaining ................................................................... 5-6
Viewing DSP Configuration ................................................................ 5-7
Configuring a DSA ............................................................................ 5-8
Configuring a Subordinate DSA ............................................................ 5-8
Proxy DSAs ............................................................................... 5-9
Configuring Another DXserver ................................................................ 5-10
Configuring Alternative Network Addresses ................................................ 5-10
Configuring a Third-party DSA ............................................................ 5-11
DXlink .................................................................................. 5-11
Configuring Multiple Local DSAs .......................................................... 5-12
Configuring a Domain of DXservers ........................................................... 5-13
A Domain of DXservers ................................................................... 5-13
Sharing DXserver Configuration ........................................................... 5-14
Configuring a First-level DSA.............................................................. 5-14
vi
eTrust Directory Administrator Guide
Configuring a Router DSA ................................................................
Transparent Routing .....................................................................
Configuring a Relay DSA .................................................................
Caching Entries from Subordinate DSAs ...................................................
Alternative DSAs ............................................................................
DSA Failover ............................................................................
DSA Load-Sharing .......................................................................
DSA Query Streaming ....................................................................
5-15
5-15
5-16
5-16
5-17
5-18
5-20
5-24
Chapter 6: Security
Secure Socket Layer (SSL) Encryption ........................................................... 6-2
About the SSL Protocol .................................................................... 6-2
SSL Encryption and Authentication Using SSLD ............................................. 6-3
DXserver Personality Certificates ........................................................... 6-5
Setting Up SSL For DXserver ............................................................... 6-6
Client Encryption ........................................................................ 6-11
DSA-to-DSA Encryption (DSP and DISP) ................................................... 6-11
Authentication .............................................................................. 6-12
Setting the Minimum Authentication Level ................................................. 6-12
Anonymous Authentication ............................................................... 6-13
Simple Authentication .................................................................... 6-13
SSL Authentication ....................................................................... 6-14
Distributed User Authentication ........................................................... 6-16
DSP Simple Authentication ............................................................... 6-17
DSP SSL Authentication .................................................................. 6-19
DISP Authentication ..................................................................... 6-19
Bypassing Mutual Authentication ......................................................... 6-20
Conveying User Authentication ........................................................... 6-21
DSP Link Authentication ................................................................. 6-22
Impersonation Protection ................................................................. 6-23
Managing Passwords ........................................................................ 6-24
How Password Rules Are Applied......................................................... 6-24
Password Protection ..................................................................... 6-25
Password Command Options ............................................................. 6-25
Enabling or Disabling Password Management .............................................. 6-28
Checking Password Quality ............................................................... 6-28
Setting the Life Span of Passwords ......................................................... 6-29
Resetting a Password ..................................................................... 6-30
Locking an Account after Incorrect Login Attempts ......................................... 6-31
Suspending an Account Manually ......................................................... 6-31
Contents
vii
Preventing Users from Re-using Passwords ................................................. 6-32
Some Password Controls Require an LDAP Client ........................................... 6-32
Example Password Policy ................................................................. 6-33
Access Control Overview ..................................................................... 6-34
Access Control Policies .................................................................... 6-34
Access Control Rules...................................................................... 6-35
Designing Your Access Control Scheme .................................................... 6-35
Working with Access Controls ............................................................. 6-37
Static Access Controls......................................................................... 6-38
Overview of Static Access Control Rules .................................................... 6-38
Setting Up Static Access Controls .......................................................... 6-40
Defining Superusers ...................................................................... 6-42
Defining Administrative Users ............................................................. 6-43
Defining Registered Users ................................................................. 6-45
Defining Public Users ..................................................................... 6-47
Protecting Items .......................................................................... 6-48
Dynamic Access Controls ..................................................................... 6-51
Enabling and Disabling Dynamic Access Controls ........................................... 6-51
Dynamic Access Control Rules ............................................................. 6-52
Groups, Roles, and Proxies .................................................................... 6-53
Defining Groups of Users ................................................................. 6-53
Role-Based Access Controls ............................................................... 6-54
Secure Proxies ............................................................................ 6-56
Access Controls and Aliases ............................................................... 6-57
Access-Controlled Routing .................................................................... 6-58
Chapter 7: Replication
Replication Concepts .......................................................................... 7-2
Compare Distribution and Replication ....................................................... 7-2
Compare Multimaster and Master–Slave Replication .......................................... 7-2
Compare Real-Time and Write-Behind Replication ........................................... 7-3
Compare Replay-Based and State-Based Replication .......................................... 7-3
Three Types of Replication Used with eTrust Directory ....................................... 7-4
Keep System Clocks Synchronized .......................................................... 7-4
Multiwrite Replication ......................................................................... 7-5
How Multiwrite Replication Works ......................................................... 7-5
Multiwrite Can Work Asynchronously ...................................................... 7-6
How Multiwrite Groups Work .............................................................. 7-7
Set Up a Multiwrite System ................................................................ 7-10
Recovering a Multiwrite System Using Queues .............................................. 7-12
viii
eTrust Directory Administrator Guide
Recovering a Multiwrite System Using DISP ................................................
Multiwrite Replication to an LDAP Directory ...............................................
Multiwrite and DXcache ..................................................................
Re-synchronize Databases Manually .......................................................
Example: Multiwrite Replication ..........................................................
DISP Replication .............................................................................
Configuring a DISP Responder ............................................................
DISP Agreements ........................................................................
Setting DISP Agreements .................................................................
Viewing DISP Agreements ................................................................
Shared DISP Configuration ...............................................................
Manual Initiation of DISP .................................................................
Shadow DSAs ...........................................................................
DISP Routing ............................................................................
Selective Shadowing .....................................................................
Manually Synchronizing Replicas Using Database Tools .........................................
How Manual Synchronization Works ......................................................
How to Manually Synchronize eTrust Directory Databases ...................................
7-14
7-17
7-17
7-18
7-19
7-21
7-21
7-21
7-22
7-23
7-23
7-24
7-24
7-24
7-25
7-27
7-27
7-27
Chapter 8: LDAP and DXlink
LDAP Clients................................................................................. 8-2
Defining the LDAP Port ................................................................... 8-2
Configuring LDAP Names ................................................................. 8-2
Handling LDAP Strings ................................................................... 8-3
Transparent Routing ...................................................................... 8-3
Schema Publishing ............................................................................ 8-4
Integrating Other LDAP Servers................................................................ 8-6
User Credentials on DXlink Binds .......................................................... 8-7
Prefix Mapping ........................................................................... 8-9
Working with Microsoft Exchange ......................................................... 8-10
Chapter 9: Monitoring the Directory
General Monitoring ...........................................................................
DXconsole ................................................................................
Log Files .................................................................................
Databases ................................................................................
Disk Space ...............................................................................
9-2
9-2
9-2
9-3
9-3
Contents
ix
SNMP and the Directory Monitoring MIB ....................................................... 9-4
Configuring the SNMP Agent .............................................................. 9-5
SNMP Monitor Utility ..................................................................... 9-6
Configuring the SNMP Trap Destination..................................................... 9-8
CMIP and X.700 Management .................................................................. 9-9
Configuring the CMIP Agent ............................................................... 9-9
CMIP Monitor Utility ...................................................................... 9-9
Chapter 10: Using DXtools
Database Tools ............................................................................... 10-2
Creating a DSA: DXnewdsa ............................................................... 10-4
Creating a Database: DXnewdb ............................................................ 10-5
Extending a Database: DXextenddb ........................................................ 10-5
Destroying a Database: DXdestroydb ....................................................... 10-6
Emptying a Database: DXemptydb ......................................................... 10-6
Backing Up a Database: DXbackupdb ...................................................... 10-7
Restoring a Database: DXrestoredb ......................................................... 10-8
Tuning a Database: DXtunedb ............................................................. 10-9
Managing Indexes: DXindexdb ........................................................... 10-10
Displaying Database Statistics: DXstatdb................................................... 10-13
Listing Existing Databases: DXlistdb ...................................................... 10-14
Adding a Database User: DXadduser ...................................................... 10-14
Deleting a Database User: DXdeluser ...................................................... 10-15
Loading a Database: DXloaddb ........................................................... 10-16
Dumping a Database: DXdumpdb ........................................................ 10-18
Granting Access to a Database: DXgrantdb ................................................. 10-19
Revoking Access to a Database: DXrevokedb ............................................... 10-19
Upgrading Previous Versions of a Database: DXupgradedb ................................. 10-20
Initializing Multiwrite–DISP Recovery: DXdisp............................................. 10-20
Reporting On and Generating Certificates: DXcertgen ....................................... 10-21
LDIF Tools ................................................................................. 10-27
CSV Source Data ........................................................................ 10-27
Template Files (LDT) .................................................................... 10-28
LDIF Files .............................................................................. 10-29
Converting CSV Data to LDIF Format: csv2ldif ............................................. 10-30
Sorting an LDIF File: ldifsort .............................................................. 10-31
Calculating the Change Between Two LDIF Files: ldifdelta .................................. 10-33
DAP Tools .................................................................................. 10-35
Common Command Options ............................................................. 10-36
Searching a Directory: DXsearch .......................................................... 10-37
x
eTrust Directory Administrator Guide
Reporting on Certificate and CRL Indexes: DXcert .........................................
Modifying a Directory: DXmodify ........................................................
Loading Binary Files: DXmodify ..........................................................
Renaming a Directory Entry: DXrename ...................................................
Deleting a Directory Entry: DXdelete......................................................
Bulk Loading Options ...................................................................
Schema Tools...............................................................................
Extracting Schema in LDIF Format: DXschemaldif .........................................
Converting Schema from LDIF to DXserver Format: ldif2dxc ................................
Converting Schema from DXserver Format to DXtools Format: DXschematxt .................
Directory Administration Tools ..............................................................
Checking DSA configuration: DXsyntax ...................................................
10-38
10-39
10-40
10-41
10-42
10-42
10-43
10-44
10-45
10-49
10-50
10-50
Chapter 11: Using JXplorer
The JXplorer Browser ........................................................................ 11-2
Menu Bar ............................................................................... 11-3
Button Bar ............................................................................... 11-5
Quick Search Bar ......................................................................... 11-6
Displaying the Directory Tree ............................................................. 11-6
Browsing a Directory ......................................................................... 11-7
Starting JXplorer ......................................................................... 11-7
Connecting to a Directory ................................................................. 11-7
Reading Schema ......................................................................... 11-8
Navigating the Directory Tree ............................................................. 11-8
Displaying an Entry ...................................................................... 11-9
Refreshing Entries....................................................................... 11-11
Searching .............................................................................. 11-11
Exploring Schema ....................................................................... 11-14
Editing the Directory ........................................................................ 11-16
Directory Tree Operations ............................................................... 11-16
Modifying Attributes in an Entry ......................................................... 11-18
Using Binary Values ..................................................................... 11-20
Adding a New Entry .................................................................... 11-23
Submitting an Entry to the Directory ...................................................... 11-24
Using LDIF Files ............................................................................ 11-25
Importing and Exporting an LDIF File .................................................... 11-25
Using an LDIF File Without a Directory ................................................... 11-25
Binary Values in LDIF Files .............................................................. 11-26
Using SSL and SASL ........................................................................ 11-27
Server Authenticated SSL ................................................................ 11-27
Contents
xi
Client Authenticated SSL and SASL ....................................................... 11-27
Managing Certificates and Keystores ...................................................... 11-28
Online Help ................................................................................ 11-28
Configuring JXplorer ........................................................................ 11-29
View Menu ............................................................................. 11-29
Options Menu ........................................................................... 11-29
Creating HTML Viewing Templates ....................................................... 11-34
Configuring Tree Icons ................................................................... 11-35
Extending the Java Binary Editor .......................................................... 11-35
Internationalization ...................................................................... 11-35
Troubleshooting ......................................................................... 11-36
Other LDAP and Directory Resources ..................................................... 11-36
Chapter 12: Using DXmanager
How DXmanager Works ...................................................................... 12-2
How You Can Use DXmanager ................................................................ 12-3
Monitor DSA Status ...................................................................... 12-3
Check DSA Configuration ................................................................. 12-3
Track DSA Statistics ...................................................................... 12-3
Check Namespace Design ................................................................. 12-3
How DXmanager Presents Information ......................................................... 12-4
Starting DXmanager .......................................................................... 12-4
Troubleshooting ............................................................................. 12-5
Connectivity ............................................................................. 12-5
DXwebserver Port Numbers ............................................................... 12-5
Chapter 13: Using JXweb
Connecting to JXweb ......................................................................... 13-2
Connecting to a Directory ..................................................................... 13-3
The JXweb Environment ...................................................................... 13-4
Customizing JXweb .......................................................................... 13-4
Using JXweb in Languages Other Than English ................................................. 13-5
Displaying Non-English Characters in Internet Explorer...................................... 13-5
Displaying Non-English Characters in Mozilla Browsers ..................................... 13-5
Online Help ................................................................................. 13-5
xii
eTrust Directory Administrator Guide
Chapter 14: Using The UDDI Server
About UDDI Registries .......................................................................
What a UDDI Registry Can Do ............................................................
About the eTrust Directory UDDI Server ...................................................
eTrust Directory UDDI Server.................................................................
Connecting to the UDDI Client ................................................................
Connecting to a UDDI Registry ...............................................................
Using tModels ...............................................................................
Using the UDDI Client in Languages Other Than English ........................................
Displaying Non-English Characters in Internet Explorer .....................................
Displaying Non-English Characters in Mozilla Browsers .....................................
14-2
14-2
14-2
14-3
14-4
14-5
14-5
14-6
14-6
14-6
Chapter 15: Using the Sample DSAs, Applications, and Tools
Implementing the Samples ................................................................... 15-2
The Sample DSAs ............................................................................ 15-3
What the Sample DSAs Are Useful For ..................................................... 15-3
When the Sample DSAs Are Installed ...................................................... 15-3
How the Sample DSAs Work Together ..................................................... 15-3
The Democorp DSAs ..................................................................... 15-4
The UNSPSC DSAs ...................................................................... 15-5
The Router DSAs ........................................................................ 15-6
Sample Web Applications .................................................................... 15-7
Customized Version of JXweb: democorp .................................................. 15-7
Sample DSML Server: dsml ............................................................... 15-8
Sample SAML Server: saml-sample ........................................................ 15-9
Sample SPML Server: spml-sample ....................................................... 15-10
Sample Use of UDDI: uddiv3-demo ....................................................... 15-11
Sample Configuration Files .................................................................. 15-13
Sample Tools ............................................................................... 15-13
The DXcmip Tool ....................................................................... 15-13
The dua Tool ........................................................................... 15-14
The DXtoolsgui Tool .................................................................... 15-14
The ldua Tool ........................................................................... 15-15
The schema Tool ........................................................................ 15-15
The snmp Tool .......................................................................... 15-17
The soak Tool ........................................................................... 15-18
The ssl Tool ............................................................................ 15-21
The test Tool............................................................................ 15-23
The DXtrap Tool ........................................................................ 15-25
Contents
xiii
Chapter 16: Deploying a Directory
Directory Design ............................................................................. 16-2
Requirements Analysis .................................................................... 16-2
Service Definition......................................................................... 16-2
Schema Design ........................................................................... 16-2
Directory Enabled Applications ............................................................ 16-3
Namespace Design ....................................................................... 16-3
Security ................................................................................. 16-3
Dimensioning ............................................................................ 16-4
Performance ............................................................................. 16-4
Availability .............................................................................. 16-4
Synchronization .......................................................................... 16-5
Scalability and Distribution ................................................................ 16-5
Complexity .............................................................................. 16-5
Operations and Practices ...................................................................... 16-6
Management ............................................................................. 16-6
Monitoring .............................................................................. 16-6
Capacity Planning ........................................................................ 16-6
Backup and Restore ....................................................................... 16-7
Journaling ............................................................................... 16-7
Database Tuning ......................................................................... 16-8
Change Control .......................................................................... 16-8
Upgrades ................................................................................ 16-9
Maintenance ............................................................................. 16-9
Troubleshooting ............................................................................ 16-10
Optimizing Performance ................................................................. 16-10
Managing Large Numbers of Users........................................................ 16-10
Managing Large Numbers of Entries ...................................................... 16-11
Limiting Users .......................................................................... 16-11
Appendix A: Tailoring the RDBMS
Changing the Default Page Size ................................................................
Increasing the Number of Cache Pages .........................................................
Increasing the Number of Database Connections ................................................
Step 1. Increase the Shared Memory Maximum (Optional) ....................................
Step 2. Increase the Database Connection Limit ..............................................
Other Customizations ........................................................................
xiv
eTrust Directory Administrator Guide
A-2
A-3
A-4
A-4
A-5
A-5
Appendix B: DXserver Command Language
Command Categories ......................................................................... B-1
Add Command ............................................................................... B-2
Clear Commands ............................................................................. B-2
Close Commands ............................................................................. B-2
Set Commands ............................................................................... B-3
The set admin-user Command ............................................................. B-8
The set agreement Command .............................................................. B-8
The set attribute Command ................................................................ B-9
The set dsa Command ..................................................................... B-9
The set name-binding Command .......................................................... B-11
The set object-class Command ............................................................. B-11
The set protected-items Command ......................................................... B-12
The set public-user Command ............................................................. B-12
The set reg-user Command ............................................................... B-13
The set super-user Command ............................................................. B-13
Source Commands ........................................................................... B-14
Trace Commands ............................................................................ B-15
Appendix C: Messages and Logs
UNIX System Error Log ....................................................................... C-1
Windows Event Log .......................................................................... C-1
DXserver Logs ................................................................................ C-2
Advantage Ingres Logs ........................................................................ C-3
DXserver Alarm Messages ..................................................................... C-7
DXserver Warning Messages.................................................................. C-13
Alias Errors ................................................................................. C-16
Service Errors ............................................................................... C-17
Advantage Ingres Errors ..................................................................... C-17
Appendix D: Installing eTrust Directory for Windows
Installation Overview ......................................................................... D-2
eTrust Directory Components .............................................................. D-2
Default Installation Locations .............................................................. D-3
The %DXHOME% Location ................................................................ D-3
Installation Logging ....................................................................... D-3
Upgrade eTrust Directory .................................................................. D-4
Upgrade Advantage Ingres ................................................................ D-4
Contents
xv
Embedded eTrust Identity and Access Management ......................................... D-5
Install eTrust Directory Using the Product Explorer.............................................. D-6
Step 1. Check System and Disk Requirements ............................................... D-6
Step 2. Install eTrust Directory ............................................................. D-7
Step 3. (Optional) Install eTrust Directory Web Components .................................. D-8
Step 4. (Optional) Install the Samples and Technology Previews............................... D-9
Install eTrust Directory Using Commands ..................................................... D-11
Install eTrust Directory Silently ............................................................... D-14
Install Silently Using Commands .......................................................... D-14
Install Silently Using Response Files ....................................................... D-15
Embed eTrust Directory in Another CA Product ............................................... D-17
How Installation Codes Work ............................................................ D-17
Install eTrust Directory as an Embedded Module ........................................... D-17
Uninstall eTrust Directory After an Embedded Installation .................................. D-18
Troubleshooting ............................................................................ D-19
Appendix E: Installing eTrust Directory for UNIX
Installation Overview .......................................................................... E-2
eTrust Directory Components .............................................................. E-2
Default Installation Locations ............................................................... E-3
The $DXHOME Location ................................................................... E-3
Installation Logging ....................................................................... E-3
Upgrade eTrust Directory .................................................................. E-4
Upgrade Advantage Ingres ................................................................. E-4
User Accounts............................................................................. E-5
Install eTrust Directory Using the Installation Program ........................................... E-6
Step 1. Check System and Disk Requirements ................................................ E-6
Step 2. Install eTrust Directory ............................................................. E-10
Step 3: (Optional) Install the Web Components .............................................. E-16
Step 4: (Optional) Install the Technology Previews and Sample Tools .......................... E-17
Install eTrust Directory Using Commands ...................................................... E-19
The dxsetup Command ................................................................... E-19
The dxwebsetup Command ............................................................... E-20
Install eTrust Directory Silently ................................................................ E-21
Install Using Commands .................................................................. E-21
Install Using Response Files ............................................................... E-22
Embed eTrust Directory in Another CA Product ................................................ E-24
How Installation Codes Work ............................................................. E-24
Install the Main eTrust Directory Components as an Embedded Module ....................... E-24
Install the Web Components as an Embedded Module ....................................... E-24
xvi
eTrust Directory Administrator Guide
Uninstall eTrust Directory after an Embedded Installation ................................... E-25
Troubleshooting ............................................................................. E-26
Appendix F: Licenses for Third-Party Products
Apache ...................................................................................... F-1
Morten’s JavaScript Tree Menu v2.3.2 ........................................................... F-3
OpenLDAP .................................................................................. F-4
The OpenLDAP Public License ............................................................. F-4
The OpenLDAP Copyright Notice .......................................................... F-5
OpenSSL ..................................................................................... F-6
Sun Microsystems, Inc. Java Web Services Developer Pack ........................................ F-8
Tom Sawyer Layout Assistant................................................................. F-13
Contents
xvii
Chapter
1
Introduction
The eTrust™ Directory consists of a suite of products that lets you build an
industrial-strength directory service for directory-enabled applications. The
product suite includes a high performance, state-of-the-art Directory server,
graphical Directory browsers, and a set of tools for importing, exporting, and
synchronizing data with other information systems.
eTrust Directory advanced features are:
■
■
■
Lightweight Directory Access Protocol (LDAP) support for access and the
X.500 distributed directory model for distribution, which lets you build highcapacity global directory systems
Its underlying information repository (on each server) that uses a relational
database to apply a patented meta-data design, thus ensuring reliability and
data integrity
Its unique ability to connect and integrate smaller scale LDAP Servers to
create a unified directory backbone service with legacy directory servers
The system is highly scalable and robust, and meets the needs of large corporate
organizations, Internet Service Providers (ISPs), carriers, the military, and the
smaller office automation directory applications.
Introduction
1–1
eTrust Directory Modules
eTrust Directory Modules
The following diagram shows the relationships between the major components
of eTrust Directory:
JXplorer
SPML
ne
t
DXconsole
te
l
Web Services
Examples
SAML
SSL SNMP
TLS CMIP
AP
LD
DSML
LDAP DSP
DAP DISP
UDDI Server
DXserver
LDAP
UDDI
SQL
DXmanager
HTTP
JXweb
UDDI Client
LDAP
DXwebserver
DA
P
Config
. Files
DXadmind
SSLD
Ingres
Database
SQL
DXtools
DXserver
The DXserver process uses highly efficient techniques for managing directory
information and processing the directory protocols. The eTrust Directory
supports the following protocols:
Protocol
Description
LDAP
Lightweight Directory Access Protocol
DAP (X.511)
Directory Access Protocol
DSP (X.518)
Directory System Protocol
DISP (X.525)
Directory Information Shadowing Protocol
CMIP (X.700)
Common Management Information Protocol
SNMP
Simple Network Management Protocol
The DSA fully supports all mandatory requirements of the approved protocols.
See the appendix Supported Standards in the eTrust Directory Getting Started
guide for a list of all standards supported by eTrust Directory.
1–2
eTrust Directory Administrator Guide
eTrust Directory Modules
The Relational Database Management System (RDBMS)
The RDBMS stores and maintains the Directory Information Base (DIB) within
specially designed tables. Each DIT or DIB image stores its own set of tables in
the RDBMS’s portion of the file system.
The RDBMS contributes to the performance, reliability, and management of the
DXserver system with the following features:
■
Caching
■
Query optimization
■
Multiprocessing and locking
■
Check-pointing and recovery
■
International character sets and collating sequences
■
Database table and indexing management
■
Housekeeping and tuning utilities
Unlike other X.500 and LDAP implementations, particularly in-memory
implementations, the DXserver does not load directory information and other
indexes into memory on startup, unless DXcache is configured. See the chapter
“General Administration” for more information about DXcache.
Configuration Files
When a DSA starts up, it initializes with commands stored in configuration files.
The configuration files are organized into logical groups corresponding to their
function (for example, logging, schema, knowledge).
DXtools
The DXtools provide general data management facilities, including:
■
Managing databases
■
Tuning and backing up directory data
■
Importing and exporting directory data
■
Bulk loading databases from a prepared LDIF file
■
Bulk extracting a database to an LDIF file for comparison
■
LDIF sorting and comparison
For descriptions of these tools, see the chapter "Using DXtools".
Introduction
1–3
eTrust Directory Modules
Samples
A number of sample configurations and utilities are provided for testing and
demonstration purposes. These reside in the ../dxserver/samples subdirectories:
Subdirectory
Purpose
cmip
An executable to request CMIP counters from the directory.
democorp
DemoCorp example, run the setup script to automatically
configure the DemoCorp DSA.
dua
Sample text-based Directory User Agent (DUA) that runs
over DAP
dxtoolsgui
Java GUI interface to the DXtools—run dxtoolsgui.bat on
Windows or dxtoolsgui.sh on UNIX.
Note: This requires Java Runtime Environment (JRE).
ldua
Sample text-based DUA that runs over LDAP
router
An example router DSA that does not use a database and has the
prefix c = AU, and is aware of the DemoCorp and UNSPSC DSAs.
schema
A Perl schema translation tool to update schema.txt for the
DXtools
snmp
An executable to request SNMP information from the directory.
soak
An executable to measure the throughput (in searches per
second) of a DSA.
ssl
Examples of using DUA-DSA and DSA-DSA SSL
authentication and encryption.
test
A selection of Directory scripts to modify the directory
using the supplied DUA or LDUA clients. Run the setup
script to automatically configure the Test DSA and execute
the DUA and LDUA client scripts.
trap
Information and an example program that can receive
triggers from the directory.
unspsc
United Nations Standard Product and Services Classification
(UNSPSC) Code System. Run the setup script to automatically
configure the UNSPSC DSA and populate it with UNSPSC data.
For more information see .../dxserver/samples/README.TXT, and the
README.TXT files within each sample sub-directory.
1–4
eTrust Directory Administrator Guide
eTrust Directory Modules
RDBMS Tools
The RDBMS tools provide support for the RDBMS. See the Advantage Ingres
product documentation set for further details.
DXwebserver
The DXwebserver enables access to the DXserver process through web-based
GUIs, including:
DXmanager
A graphical, web-based eTrust Directory administration tool
JXweb
A graphical web-based LDAP directory browser and editor
UDDI Client
A graphical web-based browser for a UDDI Server
You can also create your own web-based GUIs to suit your organization.
Three technology previews are also provided for testing and demonstration
purposes. These reside in the ../dxwebserver/samples subdirectories:
democorp
This is a version of JXweb that has been customized to work well with the
fictional company Democorp.
dsml
This is a sample DSML server that converts DSML to LDAP and vice versa.
This allows client applications that use DSML (including web services) to
communicate with eTrust Directory without using LDAP directly.
uddi
This is a demonstration of a typical application of a UDDI server. It shows a
web site that compares prices on airline flights by looking up the prices on
different web servers, which are registered with a UDDI server.
Each sample includes a Readme that describes how to install the sample.
Introduction
1–5
eTrust Directory Glossary
eTrust Directory Glossary
This section defines some terms that are commonly used in this guide.
Attribute
Entries are comprised of attributes. Each attribute consists of a type and a
value.
For example, in a staff directory, each entry would include attributes that
defines the person’s name, phone number, office location, etc.
Distinguished name (DN)
A name that uniquely identifies an entry. The DN includes the name of the
entry, plus the names of all superior entries and domains. Thus, the DN
identifies the entry, and its location within the directory information tree
(DIT).
Directory system agent (DSA)
A hierarchy of parent-child entries, built from the data stored in the
directory. One unified directory might actually consist of many linked DSAs.
Directory system protocol (DSP)
A server-to-server protocol used by X.500 for distributed operations. This is
the protocol used for chaining. LDAP does not have a DSP equivalent.
Entry
The basic unit of information storage in a directory. All information in a
directory is stored in the form of entries. Also sometimes named objects.
For example, in a directory listing all staff members at a company, each staff
member would have an entry.
Latency
The delay caused by the round-trip time taken between sending a network
packet and receiving a response.
Multiwrite
A mechanism for replicating updates to a number of DSAs to ensure they are
synchronized. When DXserver receives an update, this will be written to
itself and then its peers. If a peer DSA cannot be reached, the updates will be
queued and replayed when the DSA becomes available.
Multiwrite groups
Tiered replication will be implemented using multi-write groups. DSAs on
either side of a slow link (e.g. different continents) can be grouped.
Replication will occur in the group and sent to elected hubs from another
group asynchronously.
Namespace
A namespace is a set of names in which all names are unique. Each name
contains enough information to identify where the named entry appears in
the structure of all entries.
1–6
eTrust Directory Administrator Guide
eTrust Directory Glossary
Replicating hub
In a tiered replication scheme, a hub given responsibility for cascading
updates to its peers. The DSA that originated the update offloads replicating
responsibility to the hub.
Schema
A formal definition of the contents and structure of the directory data. This
governs where each entry can be placed within the directory structure, how
entries are to be named, and what attributes each entry can contain.
Tiered replication
During normal replication of an update, an entity will cycle through and
update all mates. In a tiered model the update will be passed on to a mate
outside the group, which will write to its mates.
Introduction
1–7
Chapter
2
DXserver Overview
This chapter describes how the eTrust Directory server component works.
What is DXserver?
The eTrust Directory server component is named DXserver.
DXserver can be operated as a directory in a standalone mode similar to other
LDAP servers. DXserver can also be configured to operate in a distributed
environment as a full featured X.500 Directory System Agent (DSA) supporting
all the powerful X.500 features such as chaining, parallel searching, distributed
management and advanced security.
DXserver supports many communications protocols and management facilities,
including:
■
User access protocols (DAP, LDAP)
■
System (inter server) protocols (DSP, DISP)
■
Management protocols (SNMP, CMIP)
■
Input commands (from script files or management console)
■
Logging Services (alarms, traces, management responses)
DXserver Overview
2–1
DXserver Configuration Files
DXserver Configuration Files
DXserver stores configuration information in a structured directory tree. The
easy-to-use, hierarchical tree defines the conventions and the strategy for
managing the directory system that can extend to multiple servers, multiple
machines, and multiple platforms.
The configuration files should be managed from a central station. The directories
are shared across all servers to ensure consistency in system operation. This
architecture also lets you manage version of the configuration files, because you
can store these files in a document or source control system.
DXserver File Directories
After installation, DXserver uses the following directories:
DXserver
|__ bin
|__ config
|
|__ access
|
|__ autostart (UNIX only)
|
|__ database
|
|__ knowledge
|
|__ limits
|
|__ logging
|
|__ replication
|
|__ schema
|
|__ servers
|
|__ settings
|
|__ ssld
|__ logs
|__ samples
|__ pid
|__ install
(UNIX only)
|__ uninstall (UNIX only)
bin
This directory holds all binary executables and batch files for the product.
config
This directory holds the current configuration files, and some Readme files
for your reference. DXserver always starts with the configuration
information stored in this directory. We recommend that you give read-only
permissions to files in these directories to prevent accidental overwriting.
Each subdirectory contains the configuration file(s) that deal with a
component of the DXserver configuration.
access
Access control rules.
autostart
(UNIX only) DXserver uses the autostart directory to track the servers
that must start at the same time as the operating system.
2–2
eTrust Directory Administrator Guide
DXserver Configuration Files
database
Database name information.
knowledge
Access-point information for all DSAs.
limits
Administrative limits, such as size limits and time limits.
logging
Trace levels and log file names.
replication
Replication agreements.
schema
Schema definitions.
servers
Startup information for each server. An initialization file must exist for
each defined DSA.
settings
Operational settings and controls.
ssld
Trusted CA and server certificates.
logs
This directory is the default log output directory for DXserver, which
generates all log files at this location unless you specify another directory.
samples
This directory contains demonstration utilities and test script files. Each
sample has its own subdirectory and associated README file.
pid
This directory is for DXserver use only, and contains information about
currently running processes. The pid directory does not contain any files
after an installation, but when the services are run, files are created in that
directory.
install
(UNIX only) This directory is for DXserver use only, and contains installation
files and environment information.
uninstall
(UNIX only) This directory contains uninstallation scripts..
DXserver Overview
2–3
DXserver Configuration Files
Sample Configuration Files
DXserver contains a working example DSA configuration. You can use the
example server without modification as described in the appendixes “Installing
DXserver for Windows” and “Installing DXserver for UNIX.” The example
contains three DXserver configurations—Router, DemoCorp and UNSPSC.
Configuration File Types
You can identify file types within the directory configuration structure by their
file name extensions. It is important to use the correct file name extensions when
creating new files.
Use the following file types in a DXserver configuration set:
2–4
Extension
File type
Description
.dxc
Configuration
Contains one or more commands that set
configuration parameters.
.dxg
Group
Groups a selection of one or more .dxc
files (in the current directory) using the
DXserver source command.
.dxi
Initialization
DXserver initialization file. A .dxi file
contains commands to source other (.dxg
and .dxc) files.
.dxs
Script
Contains commands supported by the
DXcli. You usually use script files for
testing.
eTrust Directory Administrator Guide
DXserver Configuration Files
The Initialization File
Each server’s initialization file sources (refers to and reads) selected files from the
config subdirectories.
Important points to notice are:
■
■
The initialization file is a template in which the DSA sources a single file
from each of the config subdirectories appropriately.
You can organize the contents of the config directories as required—from
one file to many files—typically creating a specific file in each of the config
directories for each new DSA definition.
Here is the DemoCorp initialization file:
# Computer Associates DXserver/config/servers
#
# DXserver initialization file.
#
# logging and tracing
close summary-log;
close trace-log;
source "../logging/default.dxc";
# schema
clear schema;
source "../schema/default.dxg";
# access controls
clear access;
# source "../access/";
# knowledge
clear dsas;
source "../knowledge/sample.dxg";
# operational settings
source "../settings/default.dxc";
# service limits
source "../limits/default.dxc";
# database
source "../database/democorp.dxc";
# replication agreements (rarely used)
# source "../replication/";
DXserver Overview
2–5
DXserver Configuration Files
Configuration Grouping Files
Each component directory can consist of one or more configuration (.dxc) files.
For complex configurations typically involving multiple DSAs, you might need a
number of configuration files, grouped in a convenient manner using grouping
(.dxg) files:
Group 1
commands A
Group 2
commands B
commands C
As an example, suppose the DSAs TestCorp1, TestCorp2, and TestCorp3 all
require the schema files x500.dxc, cosine.dxc, and inetop.dxc. Rather than
“sourcing” each of these files from each of the DSA initialization files, it is more
convenient to create a TestCorp.dxg file containing the following lines:
source “x500.dxc”;
source “cosine.dxc”;
source “inetop.dxc”;
Each DSA initialization file would then contain the following line:
source “../schema/TestCorp.dxg”;
The advantage of this approach is that, if these DSAs require additional schema,
only a single file—TestCorp.dxg—needs editing.
Reasons for grouping files are:
■
■
To present a view that abstracts any internal organization within the
component
To manage ordering of the configuration files—especially important in
schema where definitions in one file depend on definitions in another file
Typically the schema and knowledge files are grouped.
2–6
eTrust Directory Administrator Guide
DXserver Configuration Files
Knowledge Files
This section describes what knowledge files are, and how to use them.
Knowledge files are text files that include commands that affect how DSAs work.
Each DSA has a single knowledge file, which is named dsaname.dxc, where
dsaname is the case-insensitive name of the DSA. These knowledge files are kept
in the config/knowledge directory.
Each DSA must source its own knowledge file, which includes what operations
from remote DSAs are to be permitted or denied.
Each DSA can also source the knowledge files for other, remote DSAs. These files
define how the local DSA works with the remote DSA.
For information about knowledge flags, see Knowledge Flags in the chapter
General Administration.
Using Knowledge Files in a Single-Server Environment
If your directory includes more than one DSA, you need to consider how you
work with your knowledge files.
If all of the DSAs happen to be one the same computer, they can all source the
same copy of the knowledge files.
Router DSA
Server A
router.dxc
unspsc.dxc
democorp
.dxc
Democorp
DSA
UNSPSC DSA
Three DSAs on one server, sharing the same knowledge files
DXserver Overview
2–7
DXserver Configuration Files
Using Knowledge Files in a Distributed Environment
However, it is more likely that the DSAs in a distributed system are on different
computers. To make sure that operations are not slowed down by network
limitations, each DSA should use its own local copy of the knowledge files.
We recommend that you make any changes to only one of these sets of
knowledge files, and then copy the changed files to the other locations.
This will help you keep the knowledge files synchronized.
For example, in the system shown here, you could use the knowledge files on
Server A as the master copies. Whenever you need to change a knowledge file,
you would make the change on Server A. You could then copy the changed files
to the other two servers.
Server A
router.dxc
Router DSA
unspsc.dxc
democorp
.dxc
router.dxc
Democorp
DSA
router.dxc
unspsc.dxc
democorp
.dxc
Server B
Server C
unspsc.dxc
UNSPSC DSA
democorp
.dxc
Three DSAs on separate servers, using local copies of the same knowledge files
2–8
eTrust Directory Administrator Guide
DXserver Commands
DXserver Commands
When a server starts up, it reads an initialization file (.dxi) from the servers
subdirectory. The initialization file name is derived from the DSA name. For
example, democorp.dxi defines a DSA named DemoCorp. Thus, the following
command causes DXserver to search the servers subdirectory for a file called
democorp.dxi:
dxserver start democorp
When found, it is read and the commands are executed (usually instructions to
read other files in the other subdirectories of the config tree).
See the appendixes “Installing eTrust Directory for Windows” and “Installing
eTrust Directory for UNIX” for information about starting and stopping a
DXserver process.
The dxserver Command - Install, Start, or Stop the DXserver
You can run the DXserver from the command line using the following command:
dxserver options
Important! You must start the RDBMS before starting DXserver. If an error occurs
while reading the configuration files, DXserver cannot start. You can find information
about this error in both the operating system error log and the DXserver alarm and trace
log files in the dxserver/logs directory.
The options of the dxserver command are:
Option
Meaning
init serverName
Signals serverName to reread its configuration files (if
running). For example:
dxserver init democorp
init all
Signals all DSAs to reread its configuration files
install serverName
Adds serverName to the list of servers to start at system
startup. For example:
dxserver install democorp
Note: On Windows, the dxserver start command implicitly
installs eTrust Directory
remove serverName
Removes serverName from the auto-startup list, for example:
dxserver remove democorp
start serverName
Starts the DXserver serverName. For example:
dxserver start democorp
DXserver Overview
2–9
DXserver Commands
Option
Meaning
start all
Starts all DSAs.
status serverName
Reports the running status of serverName. For example:
dxserver status democorp
If you omit the serverName, the status of all servers is
reported.
stop serverName
Stops the DXserver serverName. For example:
dxserver stop democorp
2–10
stop all
Stops all DSAs
version
Displays version information
eTrust Directory Administrator Guide
DXserver Script Language
DXserver Script Language
You can use the DXserver commands to control every aspect of DXserver
operation. The DSA supports an extensive set of configuration and management
commands that you can use in configuration files or enter interactively through
the management console.
The complete command language is defined in the appendix “DXserver
Command Language.”
You can organize commands into script files. Script files have the following
general uses:
■
Configuration—A group of DSAs can share the same configuration
information.
■
Prototyping—X.500 operations you can automate.
■
Testing—The command language supports conditional statements.
■
Shortcuts—Storage of often used commands.
Configuration Files
In order to describe the large number of DXserver commands, you can separate
commands into individual files according to their function. These separate files
should then reside in the appropriate config subdirectory.
A description of each set of related commands is in subsequent chapters:
■
General administrative commands—see the chapter “General
Administration”
■
Schema commands—see the chapter “Schema Definition”)
■
DSA and distribution commands—see the chapter “Distribution and DSP”
■
Security commands—see the chapter “Security”
■
Replication commands—see the chapter “Replication”
■
X.500 commands—see the appendix “DXconsole DUA”
DXserver Overview
2–11
DXserver Script Language
Command Syntax
Typically, commands have one of the following formats:
set item = value;
get item;
action parameters;
■
■
■
Some commands are hyphenated (for example, add-entry-req). You can spread
each command over many lines. You must terminate each command with a
semicolon.
You do not need to quote simple (one-word) strings. You must quote more
complex (many-word) strings. Within a quoted string, you can use a backslash
(\) as an escape mechanism for the following cases:
Case
Example
String
Quote
my “favorite” car
"my \"favorite\" car"
Backslash
c:\myfile
"c:\\myfile"
Hex number
touché
"Touch\xC2e"
There is often a need to specify attribute values in character sets other than
ASCII. For example, you can perform the following modification:
mod-entry-req entry=<c au><o democorp> add-attr { description "a description" };
But how is this done in other languages?
LDAPv3 has standardized on UTF-8 for internationalization. An example, using
UTF-8, is now:
mod-entry-req entry=<c au><o democorp> add-attr { description utf8 "touch\xC3\xA9" };
The Latin-1 character e-acute (E9) in UTF-8 (C3A9) has been encoded. The
following example would search for all entries with common names beginning
with e-acute.
search-req base-object=<> whole-subtree filter = { attr = commonName substrings [
initial utf8 "\xC3\xA9" };
Commands can continue over multiple lines. If you enter an incomplete
command at the management console, a continuation prompt, as shown below,
displays until you enter a semicolon:
--->
Tip: You can interrupt the execution of a script file from the management
console using the telnet commands Ctrl-c or Ctrl-x. (See DXconsole in this
chapter.)
2–12
eTrust Directory Administrator Guide
DXserver Script Language
Script Files
Script files store frequently used or complex commands (such as schema
initialization commands). You can then execute these files from the management
console or from inside other command files using the command:
source "script-file";
or the short form of the command:
! "script-file";
Tip: A configuration file (.dxi, .dxc, or .dxg) is a special form of script file.
Within a script file, the # sign introduces a comment. DXserver treats the # and
all text after it, to the end of the line, as a comment.
A script file can source other script files. The source command is relative to the
file that invokes it. For example, when you source the file schema.dxg using the
command:
source "../schema/schema.dxg";
then the schema.dxg script can source a file in its own directory using the
command:
source "attr.dxc";
Script File Errors and Debugging
Usually the system does not echo commands in script files before they are
executed. If there is an error in the script file, a message similar to the following
is displayed:
>>>> set allow-binds = 1;
-----------------------^ (line 12 in ‘test.dxc’)
Syntax Error: Expected ‘true’ or ‘false’
Tip: To obtain a full log of every command executed in a script file, set the
first lines of the script file to:
echo-on;
set trace-file = "script.log";
After running the script file, you can examine the log file to locate any failed
command and the reason for the failure.
DXserver Overview
2–13
DXconsole
DXconsole
The management console, DXconsole, lets you enter commands interactively. It
lets you monitor users, modify administrative controls, and perform actions.
DXconsole also includes a powerful co-resident directory client (DUA)
command-line interface, which you can use to enter user queries for diagnostic
or prototyping tasks.
For more information about the DUA, see the eTrust Directory SDK Developer
Guide.
DXconsole Security
For security reasons, DXconsole is only accessible from the local computer.
The management console only accepts one telnet session. To prevent anyone else
from starting up DXconsole, make sure you keep DXconsole always running.
To prevent attacks from remote telnet sessions, define a console port in the DSA
knowledge. This scheme uses the local host security. An administrator must have
an account on the local computer to communicate with the DSA through this
port.
You can use the console remotely when you set the remote-console-port flag. You
can attach a password, and SSL may be required. See Configuring DXconsole for
more information.
Opening DXconsole
Open DXconsole
To open DXconsole, use the telnet command to connect to the local host with
the console-port number:
% telnet localhost 19390;
Trying 127.0.0.1...
Connected to localhost.
Escape character is ‘^]’.
Welcome to the DSA Management Console
dsa>
Open Remotely
To open DXconsole remotely, use the telnet command to connect to the remote
machine with the remote-console-port:
% telnet eagle 19392
Note: You should enable local echo on the local telnet client.
2–14
eTrust Directory Administrator Guide
DXconsole
Closing DXconsole
Close DXconsole
The usual way to close DXconsole is to log out. This closes the telnet session
from the DSA:
dsa> logout;
Close Locally
You can close DXconsole locally from the local telnet session:
<control-]>
telnet> quit
The telnet session closes automatically when the DSA shuts down.
DXserver Overview
2–15
DXconsole
Configuring DXconsole
DXconsole can be enabled either locally or remotely.
The remote DXconsole provides the DSA administrator with a means of
managing the DSA. The access protocol is telnet. To remotely manage a DSA
using DXconsole, either log on to the machine running the DSA and open
DXconsole using the console port, or use a remote telnet connection that uses the
remote console port.
telnet
Window
DSA
By default, DXconsole is only accessible from localhost for security reasons.
To enable DXconsole, you must define the console port in the knowledge file of
the DSA. For more information, see the section Defining DSAs in the chapter
“General Administration.”
For a list of all ports in a default installation of eTrust Directory, see the section
Port Numbers Used by eTrust Directory in the chapter DXserver Overview.
2–16
eTrust Directory Administrator Guide
DXconsole
The DXconsole Command Options
To configure DXconsole, include the following options in the DSA knowledge
file:
Option
Parameter
Description
console-port
Port number
Allows DXconsole to accept connections from the local computer.
When this is not specified, the DSA does not have a local console.
remote-console-port
Port number
Allows DXconsole to accept a connection from a remote
computer on this port. When this is not specified, there is no
remote console for the DSA.
console-password
Password
The password required for connections from a remote computer.
This password is transmitted in clear text.
remote-console-ssl
Boolean
Forces DXconsole to encrypt sessions when it runs remotely.
Configuring DXconsole to Run Locally
To enable DXconsole locally, use the following command:
set dsa dsaname =
{
...
console-port = port_number
...
};
DXconsole: Local
Configuration
In the following sample configuration, the line console-port = 19390 defines the
port that DXconsole will use to accept connections from the same machine only:
set dsa DEMOCORP =
{
prefix
dsa-name
dsa-password
address
disp-psap
cmip-psap
snmp-port
console-port
ssld-port
auth-levels
trust-flags
};
=
=
=
=
=
=
=
=
=
=
=
<c AU><o DEMOCORP>
<c AU><o DEMOCORP><cn DXserver>
"secret"
tcp "hostname.ca.com" port 19389
DISP
CMIP
19389
19390
1112
anonymous, clear-password, ssl-auth
allow-check-password, trust-conveyed-originator
DXserver Overview
2–17
DXconsole
Configuring DXconsole to Run Remotely
You can connect to DXconsole from a remote computer, using a password for
authentication. This is configured by adding the "remote-console-port = 19395"
and "console-password = "password"" lines to the DSA knowledge file.
Although this method allows remote access and some security, the password
that is sent to DXconsole from the client is transmitted in clear text. This poses a
moderate security risk on unsecured networks.
To provide security, you can specify a console password. When this is set, the
user is prompted for a password before a connection is made.
Important! If you do not want the password to be displayed when it is entered, you must
turn local echo OFF on the telnet session.
To enable DXconsole remotely, use the following commands:
set dsa dsaname =
{
...
remote-console-port = port_number
console-password = password_string
...
};
DXconsole: Remote
Configuration
2–18
set dsa DEMOCORP =
{
prefix
= <c AU><o DEMOCORP>
dsa-name
= <c AU><o DEMOCORP><cn DXserver>
dsa-password = "secret"
address
= tcp "hostname.ca.com" port 19389
disp-psap
= DISP
cmip-psap
= CMIP
snmp-port
= 19389
console-port = 19390
remote-console-port = 19395
console-password = "password"
ssld-port
= 1112
auth-levels
= anonymous, clear-password, ssl-auth
trust-flags
= allow-check-password, trust-conveyed-originator
};
eTrust Directory Administrator Guide
DXconsole
Configuring DXconsole to Run Securely and Remotely
You can force the remote console connection to run over TLS by adding the
"remote-console-ssl = true" line to the DSA knowledge file. This ensures that
console commands and passwords are not transmitted in-the-clear over public
networks.
Only one console session can be active at any one time, even if both the consoleport and remote-console-port flags are set.
To force DXconsole to use SSL/TLS when it is running remotely, add the
following settings:
set dsa dsaname =
{
...
remote-console-port = port_number
remote-console-ssl = true
console-password = password_string
...
}
DXconsole: Secure
Remote
Configuration
In the following sample configuration, the console is running remotely, and
SSL-encrypted:
set dsa DEMOCORP =
{
prefix
= <c AU><o DEMOCORP>
dsa-name
= <c AU><o DEMOCORP><cn DXserver>
dsa-password = "secret"
address
= tcp "hostname.ca.com" port 19389
disp-psap
= DISP
cmip-psap
= CMIP
snmp-port
= 19389
console-port = 19390
remote-console-port = 19395
remote-console-ssl = true
console-password = "password"
ssld-port
= 1112
auth-levels
= anonymous, clear-password, ssl-auth
trust-flags
= allow-check-password, trust-conveyed-originator
};
DXserver Overview
2–19
DXconsole
Testing the Secure Remote DXconsole Using TLSclient
The TLSclient utility establishes an encrypted tunnel between the remote console
client and the DSA. The steps to configure the DSA and TLSclient are as follows:
Create the TLSclient
Configuration File
1.
Create the TLSclient configuration file on the client machine
2.
Configure the DSA for SSL connections to DXconsole on the server machine
3.
Start TLSclient on the client
4.
Start the DSA on the server
5.
Test the connection
To configure TLSclient, you will need to create the following file on the client
machine:
■
Windows: %DXHOME%\config\tlsclient\tlsclient.cfg
■
UNIX: $DXHOME/config/tlsclient/tlsclient.cfg
This implies that eTrust Directory is also installed on the client machine,
although this may not be required. The only requirement should be that the
environment variable DXHOME is set and the trusted root certificate is available.
The format for tlsclient.cfg is:
inPort outPort remoteAddress
Where inPort is the port on the client machine that will be used for tunneling,
outPort is the DXconsole remote-console-port on the server and remoteAddress
is the hostname of the server running the DXconsole you wish to connect to.
Here is an example for the sample DemoCorp DSA running on the server
machine:
19390 19395 hostname.ca.com
Start TLSclient
TLSclient can be installed to the system services using the command:
tlsclient install <tlsclient-server-name> -ca <file>
Here is an example for the DemoCorp DSA:
tlsclient install democorp -ca config/ssld/trusted.pem
You can then start the TLSclient instance with:
tlsclient start <tlsclient-server-name>
For the DemoCorp DSA example, this would be:
tlsclient start Democorp
2–20
eTrust Directory Administrator Guide
DXconsole
Starting DXserver
Testing the
connection
To start DXserver, do the following:
1.
Ensure that the DSA is stopped using: dxserver stop dsaname
2.
Start the DSA using: dxserver start dsaname
To test this connection, do the following:
1.
Open the DXconsole client, or your favourite Telnet program, on the client
machine
2.
Connect to the inPort (defined in tlsclient.cfg) on the local machine (19390 in
the DemoCorp sample)
3.
Enter the DXconsole password when prompted
You now have a fully-functioning SSL-encrypted connection to DXconsole on the
server machine.
To verify this, start TLSclient with the debug option, or set "trace all;" on the
DSA, or use a packet-snooping application.
Help Command
The help command lists the outer-level commands for the DSA administration
modules, X.500 services, and management scripts.
When you enter the help command at the console, the response is similar to:
Enter one of the following keywords:
(modules)
trace, log, stack, assoc, oper, schema, dsp, disp,
dib, access
(services) bind-req, unbind-req, abort-req, abandon-req,
read-req, compare-req, list-req, search-req,
add-entry-req, rem-entry-req, mod-entry-req, mod-dn-req
(scripts)
open-log, close-log, flush-log, source, !,
echo, echo-on, echo-off, wait, if-reply, goto
When you are not sure of the syntax, try a nonsense word for the missing part, or
leave the command incomplete and let the resulting error message tell you what
is expected:
>>>> oper get fred;
-----------------^
Syntax Error: Expecting “config” or “stats”.
DXserver Overview
2–21
DXconsole
Command Shortcuts
If you frequently use a command, or a set of commands, then store the
commands in a file and execute that file. For example, a script file called List can
contain the following command:
list-req entry = <c AU><o DemoCorp>;
You can execute it from DXconsole using the command:
dsa> !list;
2–22
eTrust Directory Administrator Guide
Databases
Databases
eTrust Directory consists of two major components. These are the DSA process
and its underlying database. The DSA process is the X.500/LDAP directory
object and protocol processing system and the database is used to store and
retrieve the dismantled directory objects (entries) in the specially designed
database tables.
You can use the DSA process as a router engine, or configure it to be responsible
for a portion (or all) of the DIT. When a DSA process is not acting just as a
directory protocol router (for distribution or alternate, load balancing DSAs), it
should be considered as a process that is responsible for a DIT Namespace.
Set Database Name
When starting, the DSA process needs to know the name of the database it
should access. This value is usually set in a database initialization file using the
command:
set database-name = databaseName;
where databaseName is the name of an RDBMS database.
See The Directory Information Base in the chapter “General Administration” for
more information about setting database names.
Multiple DSA Processes to One DIT/DIB
More than one DSA can access the same X.500 DIT/DIB database (for example,
to provide load sharing and increased user counts). There is no possibility of
database inconsistency because the database management system enforces full
locking controls.
When multiple DSAs on the same machine access the same database, you must
configure each DSA with unique listening addresses within their knowledge
files. For more information, see the section Defining DSAs in the chapter
“General Administration”.
DXserver Overview
2–23
Databases
Multiple Directory Databases on One Machine
A single machine can host many discrete directory images. This is useful for
testing on separately managed production and testing databases or for
partitioning your directory into separate databases.
Hot Swap
Change Database
Name While DSA
Active
You can change the database name while the DSA is active without
disconnecting or disrupting directory clients, using the following command:
set database-name = newdb;
where newdb is the name of another RDBMS database, which must already
exist.
You can switch to a newly reorganized database, a hot standby copy, or a
restored copy by using the hot swap of a database.
2–24
eTrust Directory Administrator Guide
Port Numbers Used by eTrust Directory
Port Numbers Used by eTrust Directory
This section lists the port numbers used in a default eTrust Directory installation.
If one of these port numbers is also used by another application on the same
computer, you may need to change the port number used by eTrust Directory.
Most of the port numbers listed here are configurable.
Ports Used by eTrust Directory Components
The following table lists the port numbers used by the eTrust Directory
components in a default installation.
Component
Protocol Port
Description of Port
Number
DXwebserver TCP
(Tomcat)
8080
Accepts
SSL
Requests
The port on which Tomcat No
listens for requests.
If you change this, the
DSML, SAML, and SPML
samples won’t work.
SSLD
TCP
8005
The port on which Tomcat Yes
listens for the shutdown
command
TCP
8009
The Coyote/JK2 1.3
connector port
TCP
8443
Yes
The port to which SSL
requests are redirected if
they come in on a non-SSL
port
TCP
1112
The listen ports which
DXserver uses when
connecting to SSLD
1113
iTechPoz
data DSA
Configuration
See the following site for
descriptions of these ports,
and instructions for
changing them:
http://www.onjava.com/
pub/a/onjava/2002/07/3
1/tomcat.html
See the SSL section in the
chapter “Security”
UDP
509
SNMP port
No
DXHOME/config/
knowledge/iTechPoz.dxc
TCP
509
DSA listen address port
Yes
TCP
10510
Local console port (Telnet) Yes
This DSA is only to be used
by eIAM.
UDDIV3 data UDP
DSA
TCP
31389
SNMP port
No
31389
DSA listen address port
Yes
DXHOME/config/
knowledge/uddiv3.dxc
TCP
31390
Local console port (Telnet) Yes
This DSA is only to be used
by the UDDI Server.
DXserver Overview
2–25
Port Numbers Used by eTrust Directory
Ports Used by Sample Tools and Sample DSAs
The following table lists the port numbers used by a sample tool and the sample
DSAs installed during a default eTrust Directory installation.
Any extra DSAs that you add will take up additional ports.
For information about how to set the port number of a DSA, see the section
Setting DSA Port Numbers in the chapter “General Administration.”
Sample
Protocol Port
Description of Port
Number
DXtrap
sample tool
UDP
162
The port on which DXtrap
receives SNMP traps
Democorp
sample DSA
UDP
19389
SNMP port
No
TCP
19389
DSA listen address port
Yes
TCP
19390
Local console port (Telnet)
Yes
UDP
19289
SNMP port
No
TCP
19289
DSA listen address port
Yes
TCP
19290
Local console port (Telnet)
Yes
UDP
19489
SNMP port
No
TCP
19489
DSA listen address port
Yes
TCP
19490
Local console port (Telnet)
Yes
Router
sample DSA
UNSPSC
sample DSA
2–26
eTrust Directory Administrator Guide
Accepts
SSL
Requests
Configuration
See the section The
DXtrap Tool in the
chapter “Samples”
DXHOME/config/
knowledge/democorp.dx
c
DXHOME/config/
knowledge/router.dxc
DXHOME/config/
knowledge/unspsc.dxc
Chapter
3
General Administration
This chapter describes the commands you use to set up and maintain the general
behavior of DXserver.
Defining DSAs with the set dsa Command
The set dsa command defines the basic properties of each DSA or LDAP server in
the system. These DSAs include the local DSA itself, any remote DSAs (either on
the same system or on other systems), and other X.500 or LDAP servers.
Information about other directories, how to connect to them, their role (for
example, Replicas) and the entry namespace they manage is referred to as
knowledge. The total “knowledge” of the system is used to form a backbone of
directory servers to which each DSA belongs (a directory system).
The DSA is defined in a configuration file (.dxc) in the knowledge directory
(along with other DSA definitions). A DXserver determines its own entry
(identity) by looking for its own name among all the set dsa definitions.
Important! A DSA must use its own name (case insensitive) from the initialization file;
for example, the initialization file for the DSA illustrated below is serverName.dxi.
General Administration
3–1
Defining DSAs with the set dsa Command
The set dsa Command Syntax
The set dsa command has the following format:
set dsa serverName =
{
prefix
native-prefix
dsa-name
dsa-password
ldap-dsa-name
ldap-dsa-password
};
=
=
=
=
=
=
<DN>
<DN>
<DN>
"string"
<DN>
"string"
address
= tcp hostname port portNumber [ ,tcp host2 port port2 ]
tsap
ssap
osi-psap
= tsel
= ssel
= psel
disp-psap
cmip-psap
snmp-port
console-port
remote-console-port
remote-console-ssl
console-password
ssld-port
=
=
=
=
=
=
=
=
auth-levels
dsp-idle-time
= authLevelList
= number
dsa-flags
trust-flags
link-flags
= dsaFlagList
= trustFlaglist
= linkFlagList
dispsap
cmipsap
portNumber
portNumber
portNumber
boolean
"string"
portNumber
Important! You must declare the parameters in the order shown. Only prefix, dsa-name,
and address are mandatory.
3–2
eTrust Directory Administrator Guide
Defining DSAs with the set dsa Command
The set dsa Command Parameters
The parameters of the dsa set command are:
Parameter
Value
serverName
Name of the DXserver—must be less than or equal to 31 characters.
prefix
Distinguished name of the local root entry, for example, <c AU><o Democorp>.
native-prefix
(Optional) Distinguished name for an LDAP server, other DSA, or agent that
should be specified when using prefix mapping.
dsa-name
Distinguished name that identifies the DSA.
dsa-password
(Optional) String used in DSP authentication.
ldap-dsa-name
(Optional) Distinguished name used when binding to an LDAP server.
ldap-dsa-password
(Optional) String used in LDAP authentication.
address
DXserver Listen address: TCP address and listen port number
tsap
(Optional) Transport SAP (not recommended).
ssap
(Optional) Session SAP (not recommended).
osi-psap
(Optional) Presentation SAP (service access point) (not recommended).
disp-psap
(Optional) DISP presentation SAP; when absent, DISP is disabled.
cmip-psap
(Optional) CMIP presentation SAP; when absent, CMIP is disabled.
snmp-port
(Optional) SNMP port; when absent, SNMP is disabled.
console-port
(Optional) Management console port address. When this and the remote console
port address are absent, the management console is disabled.
remote-console-port
(Optional) Remote console port address.
remote-console-ssl
(Optional) Encrypts console sessions where the console may be attached to from a
remote host
console-password
(Optional) String used in console authentication.
ssld-port
(Optional) SSL port; used for SSL authentication.
auth-levels
(Optional) List of authorization levels supported by this DSA. See the chapter
“Security” for more information.
dsp-idle-time
(Optional) Maximum time in seconds a DSP connection can be idle before it is
disconnected. The default is 600 (10 minutes).
dsa-flags
(Optional) Comma-separated list of DSA flags; see DSA Knowledge Flags in this
chapter for more information.
trust-flags
(Optional) Comma-separated list of trust flags; see DSA Knowledge Flags in this
chapter for more information.
link-flags
(Optional) Comma-separated list of link flags; see DSA Knowledge Flags in this
chapter for more information.
General Administration
3–3
Defining DSAs with the set dsa Command
Setting DSA Port Numbers
When you are running eTrust Directory on Windows , you usually use a port
number between 1700 and 64K (65536). When you are running eTrust Directory
on a UNIX platform, your system administrator will allocate available port
numbers. On most systems, the port numbers also go up to 64K (65536).
Port numbers are used differently from one DSA to another. For example,
DXserver listens for connections on ports defined in its knowledge file, but
communicates to other DSAs on ports defined in their knowledge files. Some
parameters, for example, console-port, are only meaningful to the DXserver. No
other servers use these parameters.
For a list of all port numbers used in a default installation, see the section Port
Numbers Used by eTrust Directory in the chapter “DXserver Overview”.
Example DSA
Configuration
The following is an example of a DSA configuration:
set dsa DemoCorp =
{
prefix
dsa-name
dsa-password
};
= <c AU><o DemoCorp>
= <c AU><o DemoCorp><cn DXserver>
= "secret"
address
= tcp Eagle port 19389
snmp-port
console-port
ssld-port
= 19389
= 19390
= 1112
auth-levels
= anonymous, clear-password, ssl-auth
trust-flags
= allow-check-password
Viewing Communications Settings
You can view the listen addresses of the DXserver using the following command
at the DXconsole:
get stack;
An example output from this command is:
dap-psap
= ""
dsp-psap
= ""
disp-psap
= "DISP"
cmip-psap
= "CMIP"
address
= 207.2.6.99 port 19389
snmp-port
= 19389
ssld-port
= 1112
console-port
= 19390
snmp-description
= CA eTrust DXserver
snmp-contact
= [email protected]
snmp-name
= democorp
snmp-location = http://www.ca.com
3–4
eTrust Directory Administrator Guide
Alarms, Traces, and Logs
Alarms, Traces, and Logs
Output from the DSA can result from:
■
Responses to X.500 requests as entered from DXconsole
■
Echoing of input commands from the console or a script file
■
Trace information
■
Alarm information
The output from the DSA appears on DXconsole when it is open. It can also be
captured in a log file.
Alarms
Alarms report serious problems. Some triggers of alarms are:
■
A configuration problem—For example, a DSA fails to start because it has
the same listen address as one already running.
■
A usage problem, such as sending a DAP request to an LDAP port.
■
A system problem, such as running out of memory or disk space.
Unlike tracing and logging, alarm messages cannot be suppressed:
■
Alarm messages are always written to the alarm-log (which cannot be
closed).
■
When a console is open, alarm messages are sent to it.
■
When an snmp-log is open, an SNMP trap is raised for every alarm.
Traces
Tracing provides debugging information and analyzes service requests.
Tracing does not control what is logged to the summary, query, or stats logs.
In the DSA, the trace command controls the amount of tracing that is sent to the
DXconsole and trace-log file (if open).
General Administration
3–5
Alarms, Traces, and Logs
The Trace Command
DXserver supports various forms of tracing. The trace options can be turned on
using the command:
set trace = option, option;
Multiple trace options can be specified.
Trace options in the set trace command are not cumulative and override options
set in previous set trace commands. In the following example, the final trace
option is summary:
set trace = time, error;
set trace = summary;
The time and error options are turned off by the second set trace command. The
none option turns all tracing options off.
Tip: Full tracing degrades performance, so you should use it only during
testing.
The following trace options are supported:
Trace Option
Meaning
alert
Displays authentication errors.
cert
Displays certificate operations.
connect
Displays connections.
diag
Traces local DXserver operations that were refused.
disp
Traces warnings during DISP recovery. See the chapter Replication for more information.
dsa
This option is similar to the x500 trace, but it also includes tracing of the module flow
inside the DSA.
error
Reports events that may impact on the ability of DXserver to perform a requested
operation. These events are usually more serious than those reported under warn. This is
the default trace level.
ldap
This traces detailed LDAP operations. The output can become quite large when searches
return a large number of entries.
none
Turns off all tracing .
query
Displays a one-line summary containing the request and a one-line summary of the
result.
stack
Displays detailed protocol tracing. The output can become quite large.
3–6
eTrust Directory Administrator Guide
Alarms, Traces, and Logs
Trace Option
Meaning
stats
Displays statistical information for each minute the DSA is not idle.
summary
Displays a one-line summary containing the service request and result.
time
Displays the start time, end time, and elapsed time of an operation with a brief summary
of the operation.
update
Displays update operations—add, delete, modify, and rename.
warn
Displays a message when an X.500 service is not successful. For example, an object class
violation diagnostic might indicate that a mandatory attribute such as surname is
missing.
Warn messages usually represent a user error, rather than a problem with DXserver. This
is no longer the default trace level: see error.
x500
Displays the full detail of the service request, confirmation, or error. This traces DAP,
DSP, and LDAP operations. The output can become quite large when searches return a
large number of entries
We recommend that the error trace option is included in the set trace command
during normal operation.
Tracing Protocol
Low-level protocol can be traced. The protocol trace is written to the trace log, if
open. This tracing is only for debugging purposes. To enable protocol tracing,
use this command:
set trace = stack;
Tracing Statistics
The stats trace option enables you to retrieve the following minute-by-minute
statistical information about a DSA:
Label
Description
Assocs
Displays the number of current associations.
NilCredit
Displays the number of times flow control was applied (to any association).
NoTicks
Displays the number of times per second processing did not occur because the DSA was
too busy. When the number is more than 10, the DSA is very busy. The largest value is 60.
Queue
Displays the number of current outstanding operations.
Active
Displays the percentage of the time during the last minute that there was activity.
Activity covers local operations and chained operations. If Active is 0 it is safe to shut
down the DSA.
Ops
Displays the number of operations processed in the last minute.
General Administration
3–7
Alarms, Traces, and Logs
Logs
The logs contain the output from a DSA.
Controlling Logging
The following commands control output:
■
trace options;
■
set trace = options;
■
set logType = filename;
■
close logType;
■
flush logType;
■
echo string;
■
echo-on;
■
echo-off;
These commands can be used in two ways. You can define these commands in
the configuration file (.dxc) in the logging directory, and you can also enter them
manually on DXconsole.
Log Types
DXserver supports the independent log types listed in the following table.
Log Type
Records
Description
alarm-log
Alarms
■
■
■
alert-log
All
authorization
errors
■
■
■
3–8
The alarm log is always open when a DSA is running. It cannot be
closed with the close command.
It has a default value of serverName_alarm.log.
All alarms are written to the alarm log, regardless of the tracing
level set or whether a DXconsole is open.
The alert log is only written if it has been opened with the set alertlog command. Writing to the alert log is not affected by the trace
setting.
When an alert log is open, the system records all authorization
errors. It can be used to show attempts at unauthorized access to
the DXserver.
It is time and date stamped, and a new one is written daily.
eTrust Directory Administrator Guide
Alarms, Traces, and Logs
Log Type
Records
cert-log
Specific
certificate
operations
Description
■
■
■
connect-log
All released
connections
■
■
■
diag-log
Refused
DXserver
operations
■
■
■
The cert log is only written if it has been opened with the set certlog command. Writing to the certificate log is not affected by the
trace setting.
When a certificate log is open, the system records all add or modify
operations that include a userCertificate, caCertificate, or
certificateRevocationList attribute. In addition, any read or search,
or any search filter that returns one of these attributes, is recorded.
It is time and date stamped, and a new one is written daily.
The connect log is only written if it has been opened with the set
connect-log command. Writing to the connect log is not affected by
the trace setting.
When a connect log is open, the system writes a line for each
connection made when the connection is released.
It is time and date stamped, and a new one is written daily.
This log (or trace log if diag tracing enabled) will contain the reason
why local DXserver operations have been refused.
There are a number of situations where this may occur depending
on a DSAs configuration and data. An example would be if search
was performed with an invalid DN. The operation, affected entry
and diagnostic message will appear.
To enable this log, use the following commands:
set trace +diag;
set diag-log = "logs/$s_diag.log";
query-log
Search activity
■
■
■
stats-log
Summary of
operational
statistics
■
■
■
The query log is only written if it has been opened with the set querylog command. Writing to the query log is not affected by the trace
setting.
When a query log is open, the system writes a one-line summary of
the operation requested, which includes a time and date stamp.
It is time and date stamped, and a new one is written daily.
The stats log is only written if it has been opened with the set statslog command. Writing to the stats log is not affected by the trace
setting.
When a statistics log is open, a one-line entry is added to the
statistics log file for every minute that the DSA is active. When the
DSA is not active, no information is written to the stats log; this
prevents the stats log from growing during inactivity.
It is time and date stamped, and a new one is written daily.
General Administration
3–9
Alarms, Traces, and Logs
Log Type
Records
summary-log Summary of
daily activity
Description
■
■
■
trace-log
Diagnostic
tracing
■
■
update-log
All add, delete,
modify, and
rename
operations
■
■
■
warn-log
Errors and
warnings
■
When a summary log is open, the system writes the summary
tracing for all operations to the summary log regardless of the
tracing level set or whether DXconsole is open.
It is time and date stamped, and a new one is written daily.
When a trace log is open, tracing for all operations is written to the
trace log.
The level of tracing written to a trace log is dependent on the level
of tracing set on the DSA.
The update log is only written if it has been opened with the set
update-log command. Writing to the update log is not affected by
the trace setting.
When an update log is open, the system records all add, modify,
rename, and delete operations.
It is time and date stamped, and a new one is written daily.
When a warn log is open, all errors and warnings are written to the
warn log.
■
Warnings are only listed if the tracing level is set to 'warn'.
■
Errors are only listed if the tracing level is set to 'error'.
■
3–10
The summary log is only written if it has been opened with the set
summary-log command. Writing to the summary log is not
affected by the trace setting.
Each warning or error written to the log is time- and date-stamped,
and a new log is written daily.
eTrust Directory Administrator Guide
Alarms, Traces, and Logs
Log File Commands
Open a Log File
To open a log file, use the command:
set logType = "filename";
If a log file does not exist when opened, it is created. If it already exists, the DSA
appends the output.
If the log file name contains the string $S then the system substitutes the name
of the DSA. For example, when the name of the DXserver is DemoCorp, the
following command opens a log file named ../logs/DemoCorp.log:
set trace-log = "logs/$S.log";
Flush a Log File
To force all buffered output to a particular log file, use the flush command. This
feature is provided so you can examine a current log file off-line while the
normal log file is still open. To flush a log file, use the command:
flush logType;
Note: Alarm logs are always flushed.
Close a Log File
The close command stops output to the log file by closing it. When the DSA
shuts down, it automatically closes any open log file. To close a log file, use the
command:
close logType;
Inspect Names of Log
Files
To inspect the names of each of the enabled log files (including the snmp-log
file), use the following command:
get log;
The following is an example of the output:
alarm-log
summary-log
stats-log
trace-log
query-log
update-log
alert-log
cert-log
connect-log
snmp-log
=
=
=
=
=
=
=
=
=
=
logs/democorp_alarm.log
logs/democorp_20010122.log
logs/democorp_stats_20010122.log
logs/democorp_trace.log
logs/democorp_query_20010122.log
logs/democorp_update_20010122.log
logs/democorp_cert_20010122.log
logs/democorp_connect_20010122.log
udp eagle port 9999
General Administration
3–11
Alarms, Traces, and Logs
History Files
Most of the log files, once opened, start afresh each day.
For example, the following command produces a log file in the logs directory of
the form serverName_yyyymmdd.log for each day there is activity on the DSA.:
set summary-log = "logs/$S.log";
You can use these history files to inspect auditing, accounting, billing, and
statistical information.
Echoing
Echoing is the process of displaying the commands in a script file before
executing them..
There are three echo commands:
■
echo-off;
■
echo-on;
■
echo "string";
The output of echoed commands goes to DXconsole (if connected) and the tracelog file (if open).
To prevent the display of commands in a script file during startup, echo is off by
default. (See the chapter “DXserver Overview”) To view each command before it
is executed, use the echo-on command.
Messages on the console can be displayed using the echo command, for example:
echo "Initializing ...";
Turning echo-on in a script might slow the execution of the script slightly.
3–12
eTrust Directory Administrator Guide
Associations
Associations
An association is a connection to a DSA. The number of DSA associations can be
managed using the assoc module commands.
The association commands have the following forms:
■
set parameter = value;
■
get parameter;
■
assoc action;
The assoc Command Options
The following are the parameters of the assoc set command:
Keyword
Parameter
Description
allow-binds
Boolean
When FALSE, new associations are rejected. Use this to
perform a graceful shutdown.
auth-trap
Boolean
Turns on raising an authentication trap whenever an
authentication failure occurs.
min-auth
none,
clear-password, or
ssl-auth
The minimum authentication level required on a bind.
credits
Integer
The maximum number of concurrent operations the DSA
processes for each user association.
force-encrypt-anon
Boolean
Forces SSL encryption on anonymous binds.
When this setting is on, if a user attempts to create an
anonymous bind without SSL, the DSA will disallow the
bind and return an "Inappropriate authentication" error.
force-encrypt-auth
Boolean
Forces SSL encryption on authenticated binds.
When this setting is on, if a user attempts to create an
authenticated bind without SSL, the DSA will disallow the
bind and return an "Inappropriate authentication" error.
hold-ldap-connections
Boolean
When TRUE, prevents a DSA from clearing the underlying
TCP/IP connection after a bind refusal.
max-bind-time
Integer or none
The maximum time, in seconds, that any particular
association can last (a value of 0 or none means
unlimited).
General Administration
3–13
Associations
Keyword
Parameter
Description
max-pdu-size
Integer
The largest size (in bytes) that a protocol data unit may be
to be accepted by DXserver. The default value is 0,
meaning unlimited.
This value may be retrieved with the 'get assoc;'
command, if the value has been set.
max-users
Integer or none
The maximum number of current associations (number of
users bound to the DSA).
op-error-trap
Boolean
Turns on raising an operation error trap whenever an
operation error occurs.
password-age
Integer
The number of days a password is valid. By default, this
feature is disabled (0).
password-history
Integer
The maximum number of entries to retain in the history.
By default, this feature is disabled (0).
password-last-use
Integer
The number of days a password remains valid when it is
not used. When the value is exceeded, the password
expires. By default, this feature is disabled (0).
password-length
Integer
The minimum length of a password. The default is 6
characters.
password-maxsuspension
Integer
The number of seconds after which a suspended password
reactivates. By default, this feature is disabled (0).
password-min-age
Integer
The number of days that transpire between changing a
password (lockout period). By default, this feature is
disabled (0).
password-non-alphanum
Integer
The minimum number of nonalphanumeric characters a
password must contain. The default is 0.
password-numeric
Integer
The minimum number of numeric characters a password
must contain. The default is 0.
password-policy
Boolean
Enables or disables password management. See Password
Management in the chapter “Security.”
password-retries
Integer
The number of consecutive failed logon attempts before a
password is suspended. The default is 3.
role-subtree
DN
The DN of the subtree that stores the roles. Together with
use-roles, it is used to set role-based access controls. For
information about roles, see Role-based Access Controls in
the chapter “Security.”
ssl-auth-bypass-entrycheck
Boolean
Turns off automatic checking for the existence of an entry
named by the subject held in the certificate.
3–14
eTrust Directory Administrator Guide
Associations
Keyword
Parameter
Description
trap-on-update
Boolean
Turns on raising an SNMP trap whenever an update
occurs.
trust-sasl-proxy
DN
The distinguished name of the trusted proxy.
use-roles
Boolean
Enables or disables role-based access control.
user-idle-time
Integer
The maximum idle time in seconds. When a user is idle for
user-idle-time seconds, that user is disconnected. This
reduces the number of users connected and lets new users
connect to the DSA.
The following are the parameters of the assoc get command:
Parameter
Description
assoc
Shows the current association configuration values of the
DSA.
users
Provides information about currently bound users.
The following is the action of the assoc command:
Value
Description
abort
Abort one or all associations.
Viewing Association Configuration
To inspect the current association configuration, use the command:
get assoc;
This command shows the current association configuration values of the DSA.
Details of the sample of output from this command are below:
max-users
max-bind-time
user-idle-time
allow-binds
min-auth
credits
trap-on-update
auth-trap
op-error-trap
ssl-auth-bypass-entry-check
use-roles
hold-ldap-connections
password-policy
=
=
=
=
=
=
=
=
=
=
=
=
=
255
0
3600
TRUE
none
5
0
0
0
FALSE
FALSE
FALSE
FALSE
General Administration
3–15
Associations
Viewing Associations
The assoc module maintains information about all associations. This includes
connection information, connect times, idle times, and so on. The command get
users returns a list of currently bound users. A sample of output from this
command follows:
Association 0: connected for 240 seconds, idle for 5 seconds
Association 0: bound using *UNKNOWN* from TCP 0.0.0.0 as ANONYMOUS
Association 1: connected for 111 seconds, idle for 24 seconds
Association 1: bound using DAP from TCP 172.24.131.145 as PASSWORD AUTH user:
<countryName "US">
<organizationName "CA">
<commonName "Berndt Stark">
Tracing Associations
The association trace facility controls the X.500/LDAP operation tracing of
individual users through the DXconsole. Users are assigned association numbers
in the order in which they bind to the DSA. The first user to bind to the DSA
receives association number 0, the second user receives association number 1,
and so on.
Control Association
Tracing
To control the association tracing, use the command:
trace enable assoc = association_number
For example, to trace a specific association, first open a DXconsole session using
telnet. Set the tracing to error only:
set trace = error
Determine the association number of the user that requires tracing with the get
user command (see Viewing Associations in this chapter) and supply that
number to the trace enable command.
Disable Association
Tracing
To disable the association tracing, use the command:
trace disable assoc = association_number
Stopping a DSA
To shut down the DSA with DXconsole, use the command:
dsa> shutdown;
3–16
eTrust Directory Administrator Guide
Associations
Association Times
User connections can be unconditionally aborted by setting a maximum bind
time. Any user bound to the directory for longer than the maximum bind time
automatically has their association aborted. To set the maximum bind time, use
the command:
set max-bind-time = 3600;
The value is the maximum number of seconds a user can be bound to the DSA
(the example shows 3,600 seconds, or one hour). 0 = no limit.
Controlling Binds
Two assoc module commands control the bind operation. The first is allowbinds. When set to false, the system rejects all binds. The second, min-auth, sets
the minimum authentication level required on a bind. When set to clearpassword, a user name and password must be provided with the bind request.
The system checks this user name and password against an existing entry in the
directory database before allowing the bind. For example:
Allow Binds
Disable New Binds
set allow-binds = true;
set min-auth = clear-password;
To shut down the DSA gracefully, the administrator can disable new users
binding to the DSA and then wait until each association unbinds or times out.
To disable new binds, use the command:
set allow-binds = false;
Any new user that attempts to bind to the DSA receives a bind-refuse with the
following error:
Bind-Error: Service Error: Directory unavailable
Monitor Active Users
Before allowing or disabling binds, you may want to see who is currently
bound to the DSA. To monitor active users, use the command:
get users;
The command displays the number of users, their connection time, connection
address, and user name.
See the chapter “Security” for more information about authentication and binds.
General Administration
3–17
Associations
Aborting Associations
As described previously, to obtain information about currently connected users,
use the command:
get users;
You can abort all or some associations by using this information and one of the
following commands (assuming 131072 is a valid association).
abort all-users;
abort user 131072;
Concurrent Associations
You can configure the maximum number of users that can be bound to the DSA.
For example, to set this value to 100, use the command:
set max-users = 100;
Note: The operating system sets an upper limit of allowed associations per DSA,
which relates to the maximum number of file descriptors per process. The maxusers value can be set to 0 to prevent any users from binding to the DSA.
Set Maximum Idle
Time
To increase availability of the directory, you should set the maximum idle time
parameter. The idle time for a user is the time elapsed since the DSA performed
the last operation on that user’s association. Any connected user idle for longer
than the maximum idle time automatically has the association aborted. The
maximum idle time is set with the command:
set user-idle-time = 600;
The value is the number of seconds a user connection can be idle before risking
a disconnection (the previous example shows 600 seconds, or 10 minutes).
The system rejects an association when the number of current associations is at
the specified max-users limit, and no user has exceeded his or her maximum
bind time or maximum idle time.
3–18
eTrust Directory Administrator Guide
Associations
Association Queues
The maximum number of DSA operations in progress at the same time on a peruser basis can be set using the credit limit, for example:
set credits = 5
To determine the maximum number of concurrent operations you can perform,
multiply the number of credits by the maximum number of users. When the
credit value is exceeded, the DSA delays the receipt of any new requests from the
DUA.
There is a difference between this value and the max-local-ops value (see Local
Operations in this chapter). The credits parameter provides a mechanism to
govern how many client requests are outstanding at any given time for each
association and to delay new requests. Conversely, the max-local-ops value
rejects new operations above its limit.
General Administration
3–19
Local Operations
Local Operations
You can manage local operations using the oper module commands. The
operation commands have the following form:
■
set parameter = value;
■
get parameter;
■
oper action;
The commands are defined in the configuration file (.dxc) in the limits directory.
The oper Commands
The following are the parameters of the operation set command:
Keyword
Parameter
Description
access-controls
Boolean
TRUE enables access controls; FALSE disables access controls.
add-oc-parents
Boolean
When set to TRUE, it causes DXserver to add superior object
classes even if the client did not specify these while adding an
entry. It complements the prune-oc-parents and return-oc-parents
flags and is added for Netscape compatibility.
dynamic-access-control Boolean
Used to enable or disable dynamic access controls. For more
information, see the chapter “Security.”
ignore-name-bindings
Boolean
When set to TRUE, it lets the DXserver operate without name
bindings. This can be useful when the schema is imported
from a directory that does not support name bindings. For
more information, see the chapter “Schema Definition.”
max-local-ops
Integer
The maximum number of concurrent operations the DSA
processes for all users.
max-op-size
Integer or the
keyword none
The maximum number of entries that a search or list can
return (a value of 0 or the keyword none means unlimited).
This value overrides a user-requested size limit service control
when the max-op-size is less than the one requested by the
user.
max-op-time
Integer or the
keyword none
The maximum time (s) that any particular operation can last (a
value of 0 or the keyword none means unlimited). This value
overrides a user-requested time limit service control when the
max-op-time is less than the one requested by the user.
op-attrs
Boolean
When set to TRUE, operational attributes are added
automatically to each entry by the DSA; when set to FALSE,
operational attributes are treated like regular attributes.
prune-oc-parents
Boolean
For more information, see the chapter “Schema Definition.”
3–20
eTrust Directory Administrator Guide
Local Operations
Keyword
Parameter
Description
return-oc-parents
Boolean
For more information, see the chapter “Schema Definition.”
role-subtree
DN
The distinguished name of the subtree used to store roles.
For more information, see the chapter “Security.”
trust-sasl-proxy
DN
The distinguished name of the trusted proxy.
For more information, see the chapter “Security.”
use-roles
Boolean
Used to enable and disable role-based access controls.
For more information, see the chapter “Security.”
The following DSA flag identifies a DSA as a read-only (no updates permitted)
DSA. You can set this flag in the set dsa command in the knowledge directory.
dsa-flags = read-only
The following are the parameters of the operation get command:
Parameter
Description
oper
Shows the current operation configuration values of the
DSA.
stats
Returns a list of operation statistics.
The following are the actions of the oper command:
Value
Description
abandon
Abandons one or all operations on a particular association.
reset
Resets the statistics counters.
General Administration
3–21
Local Operations
Viewing Operation Configuration
The following command shows the current operation configuration values of the DSA:
get oper;
Here is an example of the output of this command:
max-local-ops
max-op-time
max-op-size
access-controls
op-attrs
read-only
prune-oc-parents
return-oc-parents
add-oc-parents
dynamic-access-control
modify-on-add
unique-attrs
ignore-name-bindings
=
=
=
=
=
=
=
=
=
=
=
=
=
200
120
200
FALSE
TRUE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
attr1, attr2
FALSE
Viewing Operation Statistics
List Operation
Statistics
The oper module maintains statistics about all operations, including events,
services, errors, timeouts. The following command returns a list of operation
statistics:
get stats;
An example of the output of a get stats command is given below
anonymous binds = 43
in ops = 789
read ops = 350
add entry ops = 1
modify entry ops = 3
modify-dn ops = 1
list ops = 371
search ops = 6
whole tree search ops = 6
errors = 2
name errors = 1
found local entries = 187
no such object = 1
DSA statistics can be read using SNMP or CMIP. The Management Information
Base (MIB) being read defines the names displayed from those actions. For
example, noSuchObject displays as “no such object.”
Reset Counters
The statistics are stored in counters. To reset these counters, use this command:
reset stats;
3–22
eTrust Directory Administrator Guide
Local Operations
Concurrent Operations
To restrict the maximum number of DSA operations in progress at the same time,
use the following command:
set max-local-ops = 100;
Administration Limits
To restrict the maximum time that the list and search services can run and the
maximum number of entries these operations can return, use the following
command:
set max-op-time = 20;
set max-op-size = 100;
If an operation exceeds either of these limits, the error “Administration limit
exceeded” is returned.
Operational Attributes
To control the automatic creation and updating of operational attributes (for
example, last modified time) on entries in the DSA, use the following command:
set op-attrs = true;
If it is set to true, the DSA will automatically control the creation and updating of
operational attributes.
The op-attrs parameter should normally be set on each DSA.
Note: If the multi-write-disp-recovery flag is set, the op-attrs parameter must be true.
If the op-attrs parameter is set to false, then:
■
■
The DSA will not create or update operational attributes
All no-user-modification schema settings will be overridden. This means that
an administrator will be able to update any operational attributes manually.
Access Controls
To control the level of security available on the DSA, use this command:
set access-controls = true;
When access controls are enabled and no rules are defined, no entries are visible
and the directory cannot be viewed or updated. However, it is still possible to
load the directory using the bulk load tools. For more information about access
controls, see the chapter “Access Controls.”
General Administration
3–23
Local Operations
Read Only
To reject all updates, set the read-only DSA flag in the configuration file (.dxc) in
the knowledge directory, using the set dsa command:
dsa-flags = read-only
This guarantees update security and over-ride any access controls. It is very
useful for public DSAs. In conjunction with a public DSA, an administrator can
start up a local DSA that connects to the same database to perform updates.
Abandoning Operations
To obtain information about the current users, use the command:
get users;
You can abandon any outstanding operations using this information and one of
the following commands (assuming 131072 is a valid association and 2 is a valid
operation):
abandon all on association 131072;
abandon operation 2 on association 131072;
When an operation is abandoned, the targeted service returns the following
error:
Service error: operation abandoned
The abandoned operation itself returns an abandon confirm. If the operation
cannot be abandoned, it returns an abandon-refused message with the
appropriate error.
A DSA can truncate processing an operation when it exceeds the global
configuration values, for example:
set max-op-time = 60;
set max-op-size = 100;
Tip: Services that exceed global limits are not abandoned; rather they return
an error or partial result.
The result returned by an abandoned operation depends on how far the
operation progressed before being abandoned. The display shows either the
following error message:
Service error: administration limit exceeded
or partial results (with the partial outcome qualifier set to the appropriate
problem). An update operation cannot be abandoned.
3–24
eTrust Directory Administrator Guide
The Directory Information Base
The Directory Information Base
To manage the DIB, use the commands:
■
set parameter = value;
■
get parameter;
The following are the parameters of the DIB set command:
Keyword
Parameter Description
alias-integrity
Boolean
Enables or disables alias integrity checking.
See the section Alias Integrity.
database-name
String
The database that is connected to the server.
dbconnection
A compound value, which consists of database-name, databaseuser, and user-password.
eis-count-attr
Attribute
An attribute name.
index-reverse
Attributes
List of attributes to be reverse-indexed.
See the section Indexing Options.
index-wide
Attributes
List of attributes to be wide-indexed.
See the section Indexing Options.
not-searchable
Attributes
List of attributes to be marked as not searchable.
See the section Indexing Options.
password-storage
The method used to store user passwords. See the section
Password Storage for the list of password storage methods.
shutdown-on-sql-error Boolean
Sets the DSA to shut down whenever an untrapped database error
occurs. See the section Manage Connections to the Database
Two flags in the knowledge directory affect operations on the database. These
are the limit-list and limit-search flags.
set dsa DemoCorp = {
...
DSA flags = limit-list, limit-search, ...
...};
The following is the parameter of the DIB get command:
Keyword
Value
dib
Shows the DSA configuration values of the directory information processor.
See the appendix “DXserver Command Language” for information about
grouping commands accurately.
General Administration
3–25
The Directory Information Base
Viewing DIB Configuration
To monitor the database management settings, use the DIB module’s get
commands at DXconsole.
To view the DIB configuration variables and their values, use the command:
get dib;
Example output of this command is shown below:
alias-integrity= TRUE
database-name
database-user
database-password
eis-count-attr
limit-search
limit-list
password-storage
=
=
=
=
=
=
=
demo
fred
*****
dxEntryCount
FALSE
FALSE
sha-1
Database Name
The DSA must know the name of the database it accesses. This value is usually
set in the initialization file (.dxi) through the database configuration file (.dxc),
for example:
set database-name = demo;
where demo is the name of an Advantage Ingres database.
In certain situations, because of the access controls required to access Advantage
Ingres databases, it may be necessary to supply a user name and password.
Database applications, in this case the eTrust Directory DXserver process, must
supply these credentials to Advantage Ingres when accessing the database. If this
situation arises, use the alternate form of the database configuration command as
shown below:
set dbconnection = { db-name = demo, db-user = ingres, db-password = secret };
where demo is the name of the database, ingres is the user name and secret is the
password.
Tip: Throughout this guide, references to Advantage Ingres include both
Ingres II and OpenIngres, unless one or the other is explicitly specified.
See Databases in the chapter “DXserver Overview” for more information about
databases.
3–26
eTrust Directory Administrator Guide
The Directory Information Base
Manage Connections to the Database
eTrust Directory manages problems with the DSA connection to the database in
two ways:
■
If a DSA cannot connect to a database, it raises an alarm and shuts down.
■
You can set each DSA to shut down when a database error occurs
DSA Shuts Down If Database Connection Lost
If a DSA cannot connect to a database, it raises an alarm and shuts down. For a
description of the alarms, see the section DXserver Alarm Messages in the
appendix “Messages and Logs”.
If a DSA shuts down due to an Ingres error, you should check the Ingres logs to
find out what the problem was. For more information about Ingres logs, see the
section Advantage Ingres Logs in the appendix “Messages and Logs”.
Shut Down DSA If a Database Error Occurs
You can set each DSA to shut down if the database produces an error. By default,
this option is off.
If you are concerned that a DSA may
It is possible that a database could To set a DSA to shut down if the database
produces an error, use the following command:
set shutdown-on-sql-error = true;
Alias Integrity
When an entry that has one or more aliases pointing to it is removed, the aliases
are also removed. This occurs regardless of the setting of the alias-integrity flag.
When alias integrity is turned on, invalid aliases (where no referenced entry
exists) cannot be added.
To disable the alias integrity feature, use the command:
set alias-integrity = false;
See Aliases in the appendix “DXconsole DUA” for more information about
aliases.
General Administration
3–27
The Directory Information Base
Counting Entries
It is often useful to know how many entries in the directory satisfy a specific set
of search criteria. However, performing such a search and counting the entries
returned is not feasible in an automated system or in a system where the search
returns large numbers of entries.
Searches can return the number of entries that satisfy the search rather than the
entries themselves using the eis-count-attr parameter. This parameter can be set
to an unused attribute. We recommend that you use the attribute dxEntryCount
in the database settings file database/default.dxc:
set eis-count-attr = dxEntryCount;
To enable a search to return the number of entries satisfying a search filter
simply set the attributes to be returned by the search to the eis-count-attr
attribute:
search-req
base-object = <c "AU"><o "Democorp">
whole-subtree
filter = { attr = surname substrings [ initial "C" ] }
attrs = dxEntryCount;
The resulting search returns a single entry with a dxEntryCount attribute. This
attribute is set to the number of entries found that satisfy the search filter. For
example:
SEARCH-CONFIRM
...
Entry:
<countryName "AU">
<organizationName "Democorp">
Content:
(dxEntryCount 98)
This search result indicates that there are 98 entries with a surname beginning
with "C" in the DemoCorp directory.
Rejecting All list Commands
There can be instances where a DIT has a very flat structure and there are many
thousands of entries under one node. In this case, the list operation is not useful.
The DSA can be set to reject all list requests by setting the limit-list DSA flag in
the knowledge directory, using the set dsa command:
dsa-flags = limit-list
For information about using the limit-list flag to set up query streaming, see
Query Streaming in the chapter “Distribution and DSP.”
3–28
eTrust Directory Administrator Guide
The Directory Information Base
Rejecting All Unfiltered Searches
There may be instances where a DSA is set up to handle large numbers of simple
lookup searches, and a high throughput is very important. Large complex
searches can put unwanted pressure on the performance of the DSA.
It is possible to limit the types of searches processed by setting the limit-search
DSA flag in the knowledge directory, using the set dsa command:
dsa-flags = limit-search
This flag causes searches with no filter or with a filter containing an attribute
present, substrings any, or a range of values (>=, <=) to be rejected. Only simple
(or exact) searches are accepted.
For example, if you want to search for all people with a surname of Smith and
enter sn=smith, your request is processed; however, if you search for all
surnames that sound like Smith, and enter sn~=smith, your request is rejected.
For information about using the limit-search flag to set up query streaming, see
Query Streaming in the chapter “Distribution and DSP.”
For more information about phonetic match searching, see Chapter 13 in the
eTrust Directory User Guide.
Password Storage
To check a password, an application requests a compare operation. The DSA will
then hash/encrypt the candidate password, and compare it with the value saved
in the directory.
The DXserver can store user passwords in a number of formats:
■
■
sha-1—This is the default
ssha-1—This format implements the SHA-1 algorithm used by Netscape,
iPlanet, and Sun.
■
oem-hash
■
oem-encrypt—This is a reversible format
■
crypt
■
md5
General Administration
3–29
The Directory Information Base
Indexing Options
Indexing helps with the search process.
Indexing options can appear anywhere in the database configuration after the
schema definitions. If they appear after the database definition, then warning
messages for items already indexed in the database will be produced. This
database configuration file must come after the schema configuration file in the
server initialization file.
You can use the tool dxindexdb to set up the index. For more information, see
Managing Indexes: DXindexdb in the chapter ‘Using DXtools’.
Important! If you have indexed the database with DXtools (for example, dxindexdb),
ensure that the attributes indexed here match those in the database.
Indexing Commands
Use the following commands to set the options:
set not-searchable = attribute-1[, attribute-2…]
set index-wide = attribute-1[, attribute-2…]
set index-reverse = attribute-1[, attribute-2…]
clear indexes
where attribute-n is an attribute name that is either an LDAP or alternate name,
but not an OID.
The following table describes the index settings:
Keyword
Parameter Description
index-reverse
Attributes
Lists attributes which will be indexed in reverse order. This is useful for
attributes which begin with the same prefix.
For example, you could reverse-index a list of the physical addresses of
network cards (44-45-53-54-42-00, 44-45-53-54-42-01, and so on).
index-wide
Attributes
Lists attributes which will be given a wide index. Use wide indexing for
attributes whose values you expect to be longer than 106 characters.
not-searchable
Attributes
Lists attributes which are to be marked as not searchable. This is useful for
increasing the speed of operations (updates, searches etc).
Search operations containing these attributes will return the message
“Unwilling to perform.” The list of attributes must match those set in the
database configuration file.
Important! If a DSA has either DISP replication or multiwrite recovery set (see
the chapter “Replication”), do not set the createTimestamp, modifyTimestamp, or
deleteTimestamp attributes as not searchable.
3–30
eTrust Directory Administrator Guide
The Directory Information Base
Creating Additional Wide Indexes
To create additional wide indexes for some attributes without changing any wide
indexes that have already been set up, use the add command at the bottom of
each schema for which the wide index is required:
add index-wide = attribute-1[, attribute-2…]
One set index-xxxx command initializes all xxxx indexes, so if you specify two
commands for the same special index, only the attributes of the second
command will be indexed.
For information about using these options, see the eTrust Directory User Guide.
Warning Message: “Attribute (attrname) exceeds searchable size limit (size)”
You may see the following warning message from DXserver:
Attribute [attrname] exceeds searchable size limit [size] where:
■
attrname is an attribute, and
■
size is the size limit that has been exceeded.
This message means that you stored a value in the attribute that exceeds the
normkey. That value cannot be successfully searched for after the limit.
The limit for the search table is 106 bytes, and for the wide index is 1900 bytes.
If you need accurate search results for this attribute you need to create a wide
index for it.
If users rarely or never perform a search on this attribute, then you should turn
the indexing for this attribute off.
General Administration
3–31
DXcache
DXcache
DXcache uses in-memory techniques to make lookups on indexed attributes even
faster.
In a system with DXcache running, some or all attributes are preloaded into
memory. When a search request involving one of these preloaded attributes is
sent to the directory, the request is directed to the cache.
Example: Using
DXcache to speed
up lookups of
customer details
You are setting up a directory of customer details for the call center of a phone
company. The call center staff usually look up customer details using the
customer’s account number, and they usually want to see the customer’s name
and account balance. To speed up these lookups, you should index the account
number attribute, and cache the attributes for the account number, the customer
name, and the account balance.
How DXcache Works
When DXserver starts up, it looks in the DXI configuration file to work out which
attributes should be indexed or cached. It caches and indexes those attributes.
When a search request is sent to the directory, it might be directed to the cache,
or it might go to the database:
■
■
If a search is a simple lookup of an indexed attribute in the cache, requesting
attributes that are in the cache, it is directed to the cache.
If a search uses attributes that are not cached, it is sent to the database. This
means that DXserver’s proven superior performance for complex searches is
maintained.
The following table shows what kinds of search DXcache can handle in different
situations:
Attributes in Search
Filter
Attributes to be
Returned after a Search
Search
Indexed
Cached
The search will be
performed in the cache.
Cached
Cached
The search will be
performed in the cache.
No filter
Cached
The search will be
performed in the cache.
Some of these attributes are not cached
3–32
eTrust Directory Administrator Guide
The search will be
performed in the directory.
DXcache
Design the DXcache System
If you plan to use DXcache, you need to decide which attributes your users are
likely to search on, and which attributes they are likely to want to return. Then,
set up the following:
■
■
Index the attributes that users are likely to enter in the search filter.
Cache the indexed attributes, and the attributes that users are likely to
request.
You can load all attributes into the cache, to make all searches faster. This would
make the cache much larger than if you only cached some attributes.
DXcache also supports base-object searches, in which the search is restricted to
objects below the object specified as the base object.. For base-object searches, the
filter is not required, but all the other DXcache conditions must be met.
Note: Multiwrite–DISP recovery cannot be used in conjunction with the cache
where more than one DSA is attached to the same database.
Note: The DSA start time depends on the number and size of the attributes that
are to be loaded into the cache.
Enable and Configure DXcache
To enable caching, add the following command to the DXI initialization file:
set lookup-cache = true;
This command must appear after the cache and database definitions in the
initialization file. DXserver loads the cache as soon as it reads the set lookup-cache
command.
To configure DXcache, you need to add further commands to the initialization
file. These commands include::
set
set
set
set
set
set
cache-attrs
cached-only-attrs
cache-index
cache-load-all
cache-reverse
max-cache-size
=
=
=
=
=
=
{attribute1 [, attribute2 …] | all-attributes};
{attribute1 [, attribute2 …] | all-attributes};
attribute1 [, attribute2 …];
boolean;
{attribute1 [, attribute2 …] | all-attributes};
number;
General Administration
3–33
DXcache
DXcache Settings
The following table describes the DXcache settings:
DXcache Setting
Description
cache-attrs
Defines the attributes that are returned.
Use the value all-attributes to ensure that all attributes are cached; however, when
a large number of attributes are used, this requires a large amount of memory.
cached-only-attrs
Specifies the attributes that will be stored in the cache only.
cache-index
Defines which attributes will be indexed.
The cache responds to a search filter that uses one of these attributes. You can
define as many as you like, separated by commas. Memory requirements are
affected.
cache-load-all
Forces DXcache to load all entries in the database into the cache.
DXcache can only handle searches where the filter does not reference an indexed
attribute if it knows that all the entries have been loaded into the cache.
cache-reverse
Sets the cache to reverse-index the attributes.
lookup-cache
Enables or disables DXcache.
max-cache-size
Sets the maximum amount of memory (in MB) that the cache is permitted to use.
This setting depends on how much memory your computer has. We recommend
that you set this to 50% to 70% of your machine’s total memory, depending on
other programs’ memory requirements on the same computer.
Note: The cache uses the minimum amount of memory required to store the
indexes and results. An alarm is raised and the cache is disabled when the cache
requires more memory than defined with max-cache-size.
Index the Attributes To Be Used in the Search Filters
The following command indexes the attributes that appear in the search filters:
set cache-index = attribute [, attribute …];
The cache holds all entries that contain one or more of these attributes. Entries
that contain none of the attributes in this list are not loaded into the cache. The
choice of indexed attributes directly affects the number of entries in the cache.
3–34
eTrust Directory Administrator Guide
DXcache
Index the Attributes To Be Returned by Search Requests
The following command specifies the attributes that will be returned by the
search request:
set cache-attrs = {attribute1 [, attribute2 …] | all-attributes};
The indexed attributes are already cached so you only need to specify any
additional attributes.
Search requests that do not specifically request particular attributes to be returned
are actually implicitly requesting the return of all attributes. To cater for this type
of request, you can use the following command to cache all attributes:
set cache-attrs = all-attributes;
If you cache all attributes, DXcache will require more memory than if you cached
only some attributes.
Set the Maximum Cache Size
To set the cache size, use the following command:
set max-cache-size = number;
You must specify the maximum memory that the cache may use. The cache
always uses the minimum amount possible.
The cache is designed to be memory-resident, so make sure that the maximum
cache size is less than the RAM available. For example, if the cache size is 2 GB
but there is only 500 MB of RAM, the cache has not been configured correctly.
One million entries, including their attributes, occupy about 2GB of memory.
DXserver and other 32-bit Windows applications each have a virtual address
space limitation of 2GB, regardless of the amount of memory in the system.
UNIX-like operating systems have a limit of 4 GB.
Do not set the cache size equal to the memory available. You should leave some
RAM for the operation system. For example, if your operating system uses
250 MB on a 1 GB computer, do not set the max-cache-size to more that 750 MB.
General Administration
3–35
DXcache
Set DXcache to Process All Search Requests
The cache does not help with some types of search request. For example, the
following requests will be directed to the database, not to the cache:
■
commonname=*smith*
■
Search requests where the filter does not specify an indexed attribute.
■
One-level searches without filters (or with the filter (objectclass=*)
To set the cache to process all search requests, add the following commands:
set cache-load-all = true;
set cache-attrs = all-attributes;
The first command ensures that all entries are loaded into the cache, while the
second ensures that all attributes in each entry are loaded. Each of them increases
the amount of memory used by the cache, so make sure that you only use them if
required.
Generally, NOTs can only be processed if all entries are in the cache.
Reverse-Index Cached Attributes
If the users use searches of the form (telephonenumber=*1234), you may index
some attributes so they index the values after reversing the order of the bytes.
Use the following command to reverse-index a cached attribute:
set cache-reverse = attribute
For example, 123-4567 will be indexed as if it were 7654-321.
Example DXcache Configuration
You are running DXserver on a 2GB system, and you want to use a 1.5 GB cache.
You know that users often search on the attributes commonName and
organizationalUnitName, and they often want to return the attributes commonName
and description.
To configure DXcache for this situation, add the following commands to the end
of the servername.dxi file.
set database-name = database;
:
set
set
set
set
3–36
lookup-cache = true;
cache-attrs = description;
cache-index = commonName, organizationalUnitName;
max-cache-size = 1500;
eTrust Directory Administrator Guide
DXcache
View the DXcache Configuration
To view the cache configuration variables and their values, use the command:
get cache;
This command displays whether the cache is enabled and provides some
statistical information about the cache configuration. Example output of this
command is shown below:
Cache enabled
max-cache-size = 1000 (MB)
entry hash size 2550, maxp 10
cache-attrs = postalCode cosineUserid
cache-index =
surname(0/0)
commonName(0/0)
Memory used by cache: 1008316/1183947
Keep DXcache Synchronized with the Database
Updates received by a DSA running DXserver are applied first to the database
and then to the DXcache.
All updates successfully applied to the database are applied to the cache.
Therefore, if no other DXserver is updating the database, the cache will remain
synchronized.
If the database is updated by other instances of DXservers, you should configure
the DXservers to keep their caches synchronized. To achieve this, set the
following:
■
■
All DXservers that update the database must belong to a multiwrite group
(see the chapter Replication for more information about multiwrite groups.)
All DXservers that update the database must have the DSA flag multi-writenotify set in their knowledge file.
The effect of this is that multiwrite updates are sent to the cache but they will
update only the cache contents—they are not reapplied to the database. Thus, the
cache remains synchronized with the database.
General Administration
3–37
DXcache
Use eTrust Directory in Cache-Only Mode
You can run eTrust Directory in cache-only (memory-resident) mode. In this
mode, eTrust Directory uses DXcache as its repository, rather than a database.
Traditional directories were designed with the following assumptions:
■
Persistent data storage
■
Data is read much more often than it is written to
However, with the advent of web applications and web services, there is a
growing need for a directory service with the following characteristics:
■
Transient data storage
■
Data is read about the same number of times it is written to
Configure Cache-Only Mode
To create a cache-only DXserver, simply remove all references to database and
database settings, and add the following to your configuration:
set cache-only = true;
Of course none of the database DXtools can be used with a cache-only DXserver.
You must use the DXmodify or ldapmodify tools to load the cache and the
DXsearch or ldapsearch tools to dump its contents.
How eTrust Directory Works in Cache-Only Mode
A cache-only DXserver reads and writes data extremely quickly. It can service
thousands of updates per second, rather than the tens or hundreds of updates
per second for traditional directories.
This update speed is achieved because the data in the repository is never written
to disk. There is no write-behind strategy of any kind. A cache-only DXserver
does not even require Ingres or any other database to be running.
If a cache-only DXserver is shut down or is stopped by a software or hardware
problem, all data is lost and cannot be recovered. Thus it is ideally suited for
storing short-lived data that needs to be updated frequently.
3–38
eTrust Directory Administrator Guide
DXcache
Example of a Cache-Only Directory
You could use a cache-only directory to store web session objects.
These objects are only required for a short time and may be updated repeatedly,
and have no long-term value. There may be thousands of these objects in use at
peak times and so an application still requires the scalability and availability
offered by traditional directories. However, storing such objects in a traditional
directory is prohibitively expensive because of the cost of updates which must
eventually be written to disk.
In this situation, a cache-only DXserver could be used to manage only the session
objects, leaving a traditional directory to manage the persistent data.
General Administration
3–39
Virtual Attributes
Virtual Attributes
This section describes two different kinds of virtual attributes:
Dynamic groups
These can reduce the time you spend updating the membership of groups.
Class of Service templates
These can reduce the size of the directory, reduce the time you spend doing
bulk updates, and help keep information consistent.
Dynamic Groups
eTrust Directory supports static, dynamic, and hybrid groups.
Static groups are useful for directories when the members of groups do not
change often.
Dynamic groups are useful when you know that you will often need to change
the membership of a group, because there is no overhead involved in
maintaining the group data.
Hybrid groups allow you to use the features of both static and dynamic groups.
How Static Groups Work
Users and other entries can be grouped in the directory using a static group
entry. A static group entry contains a list of member DNs. The static group entry
usually has an object class of “groupOfNames” and an attribute “member” that
has one value for each of the members in the group.
If a user is removed from the directory, then the user must also be removed from
any static groups that they belonged to. This must be done manually by
removing the user’s member DN from each group that the user was a member
of.
How Dynamic Groups Work
A dynamic group does not store each member DN in its directory entry. Instead,
it stores an LDAP search request that is executed when a base-object search is
performed on the dynamic group entry. This LDAP search finds all the members
that satisfy the search filter and return the DNs of those members.
If a user is removed from the directory, then their user entry will not be found by
the LDAP search, so the user will have been automatically removed from the
dynamic group.
3–40
eTrust Directory Administrator Guide
Virtual Attributes
How Hybrid Groups Work
It is possible to create a hybrid group. This is a group entry that contains both an
LDAP search attribute and a list of one or member DNs.
To create a hybrid group, make sure that the “member-attr” in the dynamic
group definition is the same as the attribute used to store the static members.
This means that the static and dynamic members will be combined when a baseobject search is performed on the entry.
Enabling Dynamic Groups
To turn on dynamic groups, add the following to the DSA configuration file.
clear dynamic-group;
set dynamic-group GROUP = {
object class = groupOfURLs
url-attr
= memberURL
member-attr = member
};
You can also use other object classes and attributes than those shown above.
However, the “url-attr” must have a string syntax and must be a MUST or MAY
container attribute of the object class. The “member-attr” must have a
distinguishedName syntax, because it is used to return the DNs of the members.
Creating a Dynamic Group
To create a dynamic group, add an entry to the directory that has an object class
as defined in the dynamic group configuration and an attribute as defined by the
“url-attr” in the dynamic group configuration.
The value of the “url-attr” in the dynamic group entry is an LDAP search which
has the following form:
ldap:///Base DN of Search??Scope?Filter
The Scope value is optional. It has three possible values:
■
■
■
sub—searches the entire subtree
base—searches the base DN only. This is the default, but it is the least useful
option.
one—searches the top level of the subtree only
The Filter value is also optional. The value is any LDAP search filter string. The
default value is OC present.
For example, to search for all people in the Finance department in either the
Payroll or Accounts groups:
ldap:///ou-finance,o=democorp,c=au??sub?
(|(organizationalUnitName=payroll)(organizationalUnitName=accounts))
General Administration
3–41
Virtual Attributes
Viewing Dynamic Groups
The dynamic group configuration in use in a DSA can be viewed using the
console command:
get dynamic-groups;
This will produce a listing of each dynamic-group in use, with the group label at
the top. A sample configuration follows:
************** GROUP **************
Group object class : groupOfURLs
Group Search URL : memberURL
Member to Append : member
3–42
eTrust Directory Administrator Guide
Virtual Attributes
Class of Service Templates
When directory information needs to be shared across multiple entries, the
shared information can be stored in a Class of Service (CoS) template.
Then, when a search returns an entry that contains a Class of Service attribute,
the attributes and values from the associated template are included in the entry.
This means that the information in CoS templates is only stored once, which is
good for three reasons:
■
Directory size is reduced
■
Simple bulk updates are faster
■
Information is consistent
The shared information is usually a level of service, such as a standard or
premium subscription to an internet service provider.
How Class of Service Templates Work
The virtual attributes and values are stored in templates, which are kept in a
DXserver configuration file.
When a search returns an entry that contains the CoS attribute, the attributes and
values from the associated template are presented.
A template can have multiple attributes and values. All attributes in a template
will be added to the entry.
If an entry already has an value for an attribute in a template, the attribute in the
template can either over-write the value, or the value can be left untouched. This
is controlled by the disposition of the template attribute. The two possible
dispositions are:
■
■
default—The value from the template replaces the existing value
override—If the entry already contains this attribute, the existing value will
persist. Use this when a customer requires special treatment.
The attributes that are stored in CoS templates are not searchable.
General Administration
3–43
Virtual Attributes
Example: The Excellent ISP Company
The company Excellent ISP is an internet service provider. The customers of
Excellent ISP can subscribe for one of two classes of service:
Standard
Premium
Mail Storage
20 MB
30 MB
Web Space
20 MB
30 MB
Hours per Month
15 hr
Unlimited
Cost per Month
$19.95
$29.95
Cost of Extra Hours
$1.00/hr
$0.00/hr
The Excellent ISP customer directory includes the subscription information in
each customer entry.
Entries Without Class
of Service Virtual
Attributes
Before CoS is introduced, this information is stored in each entry. If there are
one million users, then these attributes appear one million times. If Excellent
ISP increases its fees, then a large global update is required.
Here is an example entry for an Excellent ISP customer who has the standard
class of service:
dn: cn=John Smith, o=Excellent ISP, c=US
oc: inetOrgPerson
oc: excellentISPuser
cn: John Smith
sn: Smith
excellentISPmailQuotaMB: 20
excellentISPwebSpaceMB: 20
excellentISPaccessHours: 15
excellentISPprice: 19.95
excellentISPextraHoursPrice: 1.00
excellentISPpackage: Standard
Here is an example entry for an Excellent ISP customer who has the premium
class of service:
dn: cn=Mary Chen, o=Excellent ISP, c=US
oc: inetOrgPerson
oc: excellentISPuser
cn: Mary Chen
sn: Chen
excellentISPmailQuotaMB: 30
excellentISPwebSpaceMB: 30
excellentISPaccessHours: Unlimited
excellentISPprice: 29.95
excellentISPextraHoursPrice: 0
excellentISPpackage: Premium
3–44
eTrust Directory Administrator Guide
Virtual Attributes
Entries With Class of
Service Virtual
Attributes
To save space and time, the shared information in these entries can be moved
into a template. The shared information in the entries is then replaced with a
new attribute, whose value indicates which CoS template to use.
The attributes from the CoS template will be added to the entry on a search.
dn: cn=John Smith, o=Excellent ISP, c=US
oc: inetOrgPerson
oc: excellentISPuser
cn: John Smith
sn: Smith
excellentISPpackage: Standard
dn: cn=Mary Chen, o=Excellent ISP, c=US
oc: inetOrgPerson
oc: excellentISPuser
cn: Mary Chen
sn: Chen
excellentISPpackage: Premium
Class of Service
Templates
The Excellent ISP company would need to use two templates. The standardlevel template would appear as follows:
set class-of-service standard = {
object class = excellentISPuser
cos-attr
= excellentISPpackage
cos-value
= "Standard"
attribute-values = {
(type
= excellentISPmailQuotaMB
value
= "20"
disposition = default),
(type
= excellentISPwebSpaceMB
value
= "20"
disposition = default),
(type
= excellentISPaccessHours
value
= "15"
disposition = override),
(type
= excellentISPprice
value
= "19.95"
disposition = default),
(type
= excellentISPextraHoursPrice
value
= "1.00"
disposition = default)
};
}
General Administration
3–45
Virtual Attributes
The premium-level template would appear as follows:
set class-of-service premium = {
object class = excellentISPuser
cos-attr
= excellentISPpackage
cos-value
= "Premium"
attribute-values = {
(type
= excellentISPmailQuotaMB
value
= "30"
disposition = default),
(type
= excellentISPwebSpaceMB
value
= "30"
disposition = default),
(type
= excellentISPaccessHours
value
= "Unlimited"
disposition = override),
(type
= excellentISPprice
value
= "29.95"
disposition = default),
};
}
(type
= excellentISPextraHoursPrice
value
= "0.00"
disposition = default)
Configuring Class of Service Virtual Attributes
When the shared attribute values change, they can be updated in the
configuration files. Therefore, make sure that configuration files are stored in a
source code control system to allow for rollbacks.
Distribution of CoS entries is achievable, but requires the DSA configuration to
be manually copied to all nodes.
Configure the DSA
Add the following line to the local DSA configuration to clear any currently
cached CoS information.
clear class-of-service;
This allows CoS attribute modifications to be made which can be included while
the DSA is still running using the command dxserver init.
Make sure that the template configuration file is sourced after the schema is
sourced. The template uses attributes that are defined in the schema
configuration.
Add CoS Attributes to
Entries
3–46
To use CoS templates with an entry, add the cos-attr attribute to the entry.
eTrust Directory Administrator Guide
Virtual Attributes
Create Class of
Service Templates
Templates can be stored in any directory. However, if there are many
templates, you should store them in separate files in the
DXHOME/config/settings directory.
The Class of Service templates use the following syntax:
<cosTemplate>
::= set class-of-service <cosLabel> = { <operCos> };
<cosLabel>
::= <string>
<operCos>
::= object-class = <attrOid> cos-attr = <attrOid> cos-value =
<value> attribute-values = { <cosTemplateList> }
<cosTemplateList> ::= <cosTemplate> | <cosTemplate>, <cosTemplateList>
<cosTemplate>
::= ( type = <attrOid> value = <cosValueList> disposition =
<cosDisposition> )
<cosValueList>
::= value | value, <cosValueList>
<cosDisposition> ::= default | override
Note: The cos-attr used in a Class of Service template must be a single-valued
attribute.
Viewing Class of Service Templates
The templates in use in a DSA can be viewed using the console command:
get class-of-service;
This will produce a listing of each class of service template in use, with the
template label at the top. For example, the template for the standard class of
service at the company Excellent ISP discussed in the example above would
appear like this:
************** standard **************
class-of-service =
target object class : excellentISPUser
target attribute
: excellentISPPackage
target value
: "Standard"
attribute list =
attribute
: excellentISPmailQuotaMB
value/s
: "20"
disposition : default
attribute
: excellentISPwebSpaceMB
value/s
: "20"
disposition : default
attribute
: excellentISPaccessHours
value/s
: "15"
disposition : override
attribute
: excellentISPprice
value/s
: "19.95"
disposition : default
attribute
: excellentISPextraHoursPrice
value/s
: "1.00"
disposition : default
General Administration
3–47
Knowledge Flags
Knowledge Flags
This section describes how to use knowledge flags to define the configuration,
security, and interoperability of DSAs. This section also includes tables that list
all of the possible knowledge flags.
For information about how knowledge files work, see Knowledge Files in the
chapter DXserver Overview.
The Three Kinds of Knowledge Flags
The DXserver uses three sets of flags to define the configuration, security, and
interoperability of DSAs:
DSA Flags
DSA flags define which operations that can be performed on the local DSA.
These flags can be used by the local DSA to determine which operations it
can process. They can also be used by remote DSAs to determine which
operation the local DSA will process..
Trust Flags
Trust flags define how a DSA works with a remote DSA. Trust flags only
affect how a remote DSA works.
Link Flags
Link flags define any special conditions for linking to the remote DSA,
including the protocol, encryption level, and any interoperability
requirements for specific applications.
Example: Flags in a Knowledge File
The following example knowledge file includes all three types of flags:
set dsa democorp =
{
...
dsa-flags
= multi-write, shadow, load-share, no-routing-ac, limit-search,
limit-list
trust-flags
= allow-check-password, trust-conveyed-originator, allowupgrading, allow-downgrading, no-server-credentials
link-flags
= dsp-ldap, ssl-encryption-remote, ms-ad
};
The DSA flags will be used by the Democorp DSA when a client or another
DSA attempts to run an operation on it. Also, other (remote) DSAs can use the
DSA flags to check which operations can be sent to the Democorp DSA.
The trust flags will be used by remote DSAs to check how much they should
trust the Democorp DSA.
The link flags will be used by remote DSAs to define how they should link to the
Democorp DSA.
3–48
eTrust Directory Administrator Guide
Knowledge Flags
Example: How the limit-search DSA Flag Works
DSA flags are used by a DSA to define how it responds to operations that other
DSAs or clients attempt to perform on it.
The following example shows how the limit-search DSA flag works:
1.
The UNSPSC receives an unfiltered search request from a client.
The UNSPSC DSA cannot fulfill the search request, but it knows that the
Company A DSA can.
2.
The UNSPSC DSA checks the Company A knowledge file to see whether
there are any conditions for searching the Company A DSA.
The flag limit-search indicates that the Company A DSA will reject any
unfiltered or complex searches.
3.
The UNSPSC DSA returns a Search Refused response to the client.
set dsa
companya = {
dsa-flags =
limit-search
2. Check Company A
DSA flags
};
companya.dxc
Client
Application
(JXplorer)
1. Search request
o=”Company A”
UNSPSC DSA
Company A
DSA
3. Search response
Using DSA flags to define how a DSA responds to requests
For information about particular DSA flags, see List of all DSA Flags in this
chapter.
General Administration
3–49
Knowledge Flags
Example: How the allow-check-password Trust Flag Works
Remote DSAs use trust flags to define how much they should trust a DSA.
By default, security is tight. The trust flags provide a mechanism to selectively
relax security between DSAs.
The following example shows how a DSA uses the trust flag allow-checkpassword:
1.
The UNSPSC DSA receives a bind request from a user whose credentials are
stored in the Democorp DSA. The UNSPSC DSA cannot check the user’s
credentials, but it knows that the Democorp DSA can.
2.
The UNSPSC DSA checks the Democorp knowledge file to see whether it can
trust the Democorp DSA to authenticate a user. The flag allow-check-password
indicates that this is permissible.
3.
The UNSPSC DSA requests the Democorp DSA to authenticate the user.
4.
The Democorp DSA responds with the user’s authentication.
5.
The UNSPSC DSA returns the bind confirmation to the client.
set dsa
democorp = {
trust-flags =
allow-checkpassword
2. Check Democorp
trust flags
dn=<c=au><o=democorp>
<cn=”Bob Smith”
};
democorp.dxc
Client
Application
(JXplorer)
1. Bind request
3. Authentication request
UNSPSC DSA
5. Bind response
Democorp
DSA
4. Authentication response
Using Trust Flags to Trust Another DSA to Authenticate a User
For information about particular trust flags, see List of all Trust Flags in this
chapter.
3–50
eTrust Directory Administrator Guide
Knowledge Flags
Example: How the dsp-ldap Link Flag Works
Remote DSAs use link flags to define any special conditions for a link to another
DSA.
The following example shows how the dsp-ldap flag works.
1.
The UNSPSC DSA receives a request to search the remote DSA named
Company A, which happens to be an LDAP server.
2.
The UNSPSC DSA checks the Company A knowledge file to see whether
there are any special conditions for linking to that DSA. The flag dsp-ldap
indicates that the Company A DSA requires that any links use LDAP.
3.
The UNSPSC DSA uses DXlink to make an LDAP search request of the
Company A DSA.
4.
The Company A DSA responds with the search result (also using LDAP).
5.
The UNSPSC DSA returns the search result to the client.
set dsa
companya = {
link-flags =
dsp-ldap
2. Check Company A
link flags
};
companya.dxc
Client
Application
(JXplorer)
1. Search request
o=”Company A”
3. Search request (LDAP)
UNSPSC DSA
5. Search response
Company A
LDAP server
4. Search response (LDAP)
Using Link Flags to Define the Nature of a Link Between DSAs
For information about particular link flags, see List of all Link Flags in this
chapter.
General Administration
3–51
Knowledge Flags
List of all DSA Flags
The following table lists and describes all of the available DSA flags:
DSA Flag
Description
limit-list
Disables the list operation on the DSA.
For more information, see Query Streaming in the chapter Distribution and
DSP, and Limit List in this chapter.
limit-search
Restricts complex searches or searches with no filter on the DSA.
For more information, see Query Streaming in the chapter Distribution and
DSP, and Limit Search in this chapter.
load-share
Marks a DSA as part of a load share group. The DSA should have other peer
DSAs with the same prefix, which are also marked as load-share. A router DSA
shares operations over each DSA in the load share group.
See the section Load Sharing DSAs in the chapter Distribution and DSP.
ms-ad
Active Directory - The DSA is treated as a Microsoft Active Directory server. Set
this flag if you observe any problems with linking to Active Directory.
See also Connecting to Active Directory in Chapter 11 of the User Guide.
multi-write
Marks a DSA as part of a multiwrite group. The DSA should have other peer
DSAs, with the same prefix, which are also marked as multiwrite. Updates are
automatically propagated to all peer DSAs marked as multiwrite.
See the chapter Replication for more information.
multi-write-async
Makes the DSA update asynchronously, even though it is in a multiwrite group.
See Asynchronous Multiwrite Behavior in the Replication chapter.
multi-write-disp-queue Allows multiwrite queues while DISP is in progress. Multiwrite DISP recovery
cannot be used where more than one DSA is attached to the same database.
See Multiwrite Recovery With DISP in the Replication chapter.
multi-write-notify
Sends multiwrite updates to DXcache.
no-routing-ac
Permits forwarding of a request to another DSA regardless of access control
constraints.
See Access-Controlled Routing in the chapter Security for more information.
read-only
Disables update operations on the DSA.
See also Query Streaming in the chapter Distribution and DSP.
relay
Permits a router DSA to exist without consuming a level of the DIT.
See Configuring a Relay DSA in the chapter Distribution and DSP.
shadow
Permits a DSA to be updated by DISP or multiwrite, but prevents any other
updates (for example, through DAP or LDAP) from occurring.
See the chapter Replication.
3–52
eTrust Directory Administrator Guide
Knowledge Flags
List of all Trust Flags
The following table lists and describes all of the available trust flags:
Trust Flag
Description
allow-check-password
Permits a DSA, while processing a bind request from a user who is not local, to
pass a name and password-compare request to this DSA. The result of the
compare request is then used to authenticate the user.
See Distributed User Authentication in the chapter Security for more
information.
trust-conveyed-originator Signifies that a DSA treats the originator and authentication level passed in DSP
chaining arguments as if that user and authentication level were authenticated
locally.
See Distributed User Authentication in the chapter Security for more
information.
allow-upgrading
Lets the DSA pass an anonymous user request across an authenticated DSP link.
See Authentication in the chapter Security for more information.
allow-downgrading
Lets the DSA pass an authenticated user request across an anonymous DSP link.
See Authentication in the chapter Security for more information.
no-server-credentials
Removes the requirement for mutual authentication and permits a link to be set
up if the remote DSA does not send credentials in the bind response.
See User Credentials on the DXlink Binds in the chapter LDAP and DXlink for
more information.
General Administration
3–53
Knowledge Flags
List of all Link Flags
The following table lists and describes all of the available link flags:
Link Flag
Description
dsp-ldap
The DSA is treated as an LDAP server that supports LDAP 3.0. Other DSAs will
send requests to the DSA using DXlink.
When dsp-ldap is configured, there will be no COMPARE operation on the
userPassword attribute, following a bind over DXlink. If the same user connects
more than once, that user will use the same link, and dxserver will check that
the user and the password are the same.
See Integrating Other LDAP Servers in the chapter LDAP and DXlink for more
information.
dsp-ldap-proxy
Causes the last DSA in the chain to use the authorization of the originating user
to perform operations on the LDAP server.
See Automatically Authorizing LDAP Operations in the chapter LDAP and
DXlink for more information.
dsp-ldapv2
The DSA is treated as an LDAP server that supports LDAP 2.0. Other DSAs will
send requests to the DSA using DXlink.
See Integrating Other LDAP Servers in the chapter LDAP and DXlink for more
information.
ms-ad
The DSA is treated as an Active Directory service. If you observe any problems
with linking to Active Directory, set this flag. See Connecting to Active
Directory in the chapter “Connecting to Other Applications and LDAP” in the
User Guide for more information.
ms-exchange
The DSA is treated as a Microsoft Exchange server to overcome limitations in
Exchange’s version of LDAP.
See Integrating Other LDAP Servers in the chapter LDAP and DXlink for more
information.
ssl-encryption
Any DSA DSA-to to-DSA communication to the DSA with this link flag will be
made using SSL encryption.
See DSA-to-DSA Encryption (DSP and DISP) in the chapter Security for more
information.
ssl-encryption-remote
It is similar to ssl-encryption, but SSL encryption is not used if the target
DXserver is on the same host.
unavailable
Marks a DSA as unavailable. A DSA will not forward requests to a DSA marked
as unavailable.
3–54
eTrust Directory Administrator Guide
Chapter
4
Schema Definition
The directory schema is a set of configurable rules that a DSA enforces on the
data created within the directory. These rules define:
■
The names of the various types of attributes that can exist in an entry
■
The syntax (or data type) of each of these attributes
■
■
■
Which attributes in each object class (a defined group of attributes) are
mandatory and which are optional
How each directory entry is named (for example, a person is named by his or
her common-name attribute)
Where the directory entry can be created in the DIT (for example, an
OrganizationalUnit entry can only exist under an Organization entry)
eTrust Directory provides a full directory schema definition starter kit, including:
■
OSI (X.500, X.400, X.435 [EDI] )
■
Internet (LDAP, Inet, Cosine, Quipu, Thorn)
■
Industry (JNDI, DADF, Mosaic, UNSPSC)
■
Organizations (DMS, Umich, Entrust, RSA, Netscape)
This chapter includes information about schema files, attribute definitions,
schema prefixes, object class definitions, and name bindings. Name bindings are
an implementation of the X.500 DIT Structure Rules.
The schema of a running directory is available to LDAP clients via the LDAP
Version 3 mechanism of schema publishing. See Schema Publishing in the
chapter LDAP and DXlink for more information.
Schema Definition
4–1
Configuring Schema
Configuring Schema
DXserver checks and validates schema rules on every update operation to
maintain directory integrity.
All aspects of X.500 schema are fully configurable, down to the attribute syntaxes
(basic directory information types) compiled in the entry.
You should create the schema within configuration files (that is, in the
DXHOME/config/schema directory) rather than dynamically using the console
interface, as the latter will only remain in effect while that DSA is running.
Important! The DXtools require a separate schema file, schema.txt. If you add or change
the schema definition for DXserver, you must also update schema.txt for the tools. For
information about how to update schema.txt, see SCHEMA Tools in the chapter "Using
DXtools."
Grouping Schema
You usually define schema in a single definition file. All schema definition files
reside in the schema configuration directory. When building your directory
schema, you typically need definitions from several schema definition files. You
can group these schema definition files together in a single file using the source
command. The following is an example schema.dxg file:
# Schema definition file – schema.dxg
source “x500.dxc”;
source “cosine.dxc”;
source “mhs.dxc”;
source “quipu.dxc”;
The DXserver initialization (for instance, democorp.dxi) file sources this schema
definition.
# DSA initialization file – democorp.dxi
...
# SCHEMA
source “../schema/schema.dxg”;
...
4–2
eTrust Directory Administrator Guide
Configuring Schema
Managing Schema
There are a number of parameters to the schema module set commands that let
you change the schema configuration. You can view them by the schema module
get command. The following tables summarize these commands and the
following sections explain them in more detail.
You can manage and monitor schema configuration using the commands:
■
■
set parameter = value;
get schema for parameter;
Schema Commands
The following are the parameters for the set schema command:
Parameter
Value
oid-prefix
Defines an object identifier (OID) prefix. An OID prefix consists of a name used
to represent the portion of the object identifier common to multiple schema
definition statements.
attribute
Defines an attribute. An attribute consists of an attribute name, alternate name,
syntax, single-valued flag, and a description.
attr-set
Defines an attribute set. An attribute set consists of an attribute set name and a
list of previously defined attributes or attribute sets.
object-class
Defines an object class. An object class consists of an object class name, an
alternate name, a subclass definition, an object class kind, a must-contain list of
previously defined attributes or attribute sets, a may-contain list of previously
defined attributes or attribute sets, and a description.
name binding
Defines a name binding between two previously defined object classes. A name
binding consists of a name for the name binding, an object and its allowable
parent, and an attribute that names the object.
The following is the parameter of the get schema command:
Parameter
Value
for
Item; a name or an object identifier of any schema definition (an attribute, object
class, name binding, prefix, or attribute set).
Schema Definition
4–3
Configuring Schema
Viewing Schema
Example: Viewing
Schema Definition
To retrieve the definition of commonName, use the command:
get schema for commonName; or
get schema for (2.5.4.3);
An example output of this command is:
Attribute (2.5.4.3)
name = commonName
ldap-names = cn
syntax = caseIgnoreString
You can use the name, ldap-names, or object identifier with this command.
Schema Prefixes
All attribute, attribute set, object class, and name binding definitions have a
unique object identifier (for example, 2.5.4.6) that uniquely identifies that object.
When defining a schema, you can find many definitions on the same branch of
the schema definition tree. You can define a schema prefix that replaces the
branch of the tree in all subsequent definitions.
Example: Schema
Prefix Definition
set
set
set
set
oid-prefix
oid-prefix
oid-prefix
oid-prefix
x500attr =
x500oc
=
x500aset =
x500nbind =
(2.5.4);
(2.5.6);
(2.5.7);
(2.5.15);
set attribute x500attr:3 = {
name = commonName
ldap-names = cn
syntax = caseIgnoreString };
Given the previous definition, the prefix x500attr can replace any occurrence of
the 2.5.4 portion of an object identifier. Thus, an attribute with the object
identifier of 2.5.4.6 can also be represented as x500attr:6.
Without schema prefixes, the previous definition would read:
set attribute (2.5.4.3) = {
name = commonName
ldap-names = cn
syntax = caseIgnoreString ;
Schema prefixes improve readability and reduce the chance of errors in the
definition, especially when the object identifiers are long. For example, the object
identifiers of each of the Quipu attributes are of the form
0.9.2342.19200300.99.1.x, making a prefix desirable.
4–4
eTrust Directory Administrator Guide
Attributes
Attributes
An attribute is the foundation of directory information. It consists of a type, for
example, commonName, and one or more values, for example, Rick, Richard.
You define an attribute in the configuration file with information about its object
identifier (OID), name, LDAP names, syntax, whether it is single-valued,
whether its value can be modified, and a description.
You can define more than one LDAP name for each attribute. The LDAP name
defaults to the attribute name, so typically you only need to define the LDAP
name when it is different from the attribute name.
There is no limit to the number of attributes or rules that you can define for a
DSA or on the size of the attributes you can store in the DSA.
Example: Attribute
Definition
Example: Read-Only
Attribute Definition
set attribute x500attr:3 = {
name
= commonName
ldap-names = cn
syntax
= caseIgnoreString
description = "Common Name attribute"
};
schema set attribute (2.5.18.1) = {
name = createTimestamp
syntax = generalizedTime
no-user-modification
};
Schema Definition
4–5
Attributes
Attribute Syntaxes
Attribute syntaxes define the format of basic information types. All attribute
syntaxes defined in X.520 are supported:
■
audio
■
generalizedTime
■
octetString
■
binary
■
fax
■
postalAddress
■
boolean
■
guide
■
preferredDelivery
■
caseExactString
■
integer
■
presentationAddress
■
caseExactStringIA5
■
jpeg
■
printableString
■
caseIgnoreIA5String
■
mhsORAddress
■
telephoneNumber
■
caseIgnoreList
■
mhsORName
■
teletexTerminalId
■
caseIgnoreString
■
numericString
■
telexNumber
■
distinguishedName
■
objectIdentifier
■
UTCTime
■
facsimileNumber
As more applications become directory-enabled, you can define new attribute
syntaxes.
To support these new syntaxes, particularly with their search matching rules,
you may need special syntax coding and decoding functions. Generally this
requires a software update to the DSA and DUA processes. However, to more
readily support new attribute syntaxes on demand in operational systems, the
DXserver has a feature for using unknown syntaxes.
The undefined attribute syntax lets the DXserver DSA accept any unknown
attribute syntaxes and store them in the directory. Intelligent matching rules are
applied so you can search for them.
Tip: See the configuration files (.dxc) in the schema directory for the latest
supported syntaxes.
To ensure DIT data integrity over configuration changes, the DSA stores the
names of its current attributes and attribute syntaxes securely within the
directory. The list names the ones that have been used to create directory entries.
This list is not the same as that of all possible attribute names and syntaxes.
When you attempt to change the syntax of an attribute after an instance of that
attribute exists, the following message occurs:
** ALARM **: Database attribute attribute has different syntax than schema
4–6
eTrust Directory Administrator Guide
Attributes
Attribute Checking
When you load attributes (by using set attribute), they inherit certain rules from
their syntax (for example, caseIgnoreString). When attempting to add attributes
with values that do not comply with these rules, they are considered invalid.
When the DSA encounters an invalid attribute (for example, on updates), it
returns an error containing the attribute and the associated problem.
Tip: In the search service, the system ignores invalid attributes after the base
object is found.
The DSA always returns attributes exactly as you stored them. For example, a
commonName stored as JohN citiZen matches John Citizen and JOHN CITIZEN
but the value JohN citiZen is always returned. Similarly, when you received the
original string as an IA5 string, you store it as an IA5 string even though it
contains only printable characters.
The DSA permits attributes of any size, so you do not have to define any
attribute bound limits.
Syntax Aliases for Unsupported Attribute Syntax
Syntax aliasing is useful if you add a new schema object definition that uses an
attribute syntax that is not supported by eTrust Directory. The command for
setting up a syntax alias is:
[ schema ] set syntax alias <oid> = { name = <string> alias-for = <string> };
For example,
set syntax-alias (1.3.6.1.4.1.1466.115.121.1.18) = {
name = dlSubmitPermissions
alias-for = caseIgnoreString
};
Schema Definition
4–7
Attributes
Attribute Sets
Attribute sets let you easily group attribute definitions under a label so you can
use them later in object class and other definitions.
Define attribute sets in the configuration file using the set attr-set command. The
attribute set is given an object identifier and a definition. The definition consists
of a name and a list of attributes or attribute sets that are contained in the
attribute set being defined.
Example: Attribute Set
Definition
set attr-set x500aset:3 = {
name = organizationalAttributeSet
description,
localeAttributeSet,
postalAttributeSet,
telecommunicationAttributeSet,
businessCategory,
seeAlso,
searchGuide,
userPassword
};
Attribute sets are a convenient way of grouping large numbers of attributes
together for use in object class definitions. Attribute sets can contain other
previously defined attribute sets.
Attribute Names
A schema defines the basic information types and rules in a directory, so a
schema is a central part of most directory services.
When defining a schema, you must supply a name. You can also supply a
number of LDAP names in the definition. Use either the schema name or one of
the LDAP names as a keyword in other management console commands.
For example, when you define an attribute using the following command, you
can use organizationName or the shorter LDAP name, o, in other commands that
need to reference the attribute:
set attribute (2.5.4.10) = {
name
= organizationName
ldap-names = o
syntax
= caseIgnoreString
};
LDAP names are most convenient when defining Distinguished Names (DN).
The following DN:
<c AU><o “Computer Associates”><ou Sales><cn "Jim Smith">
is equivalent to:
<countryName "AU">
<organizationName "Computer Associates">
<organizationalUnitName "Sales">
<commonName "Jim Smith">
4–8
eTrust Directory Administrator Guide
Attributes
Unique Attributes
Some applications that use eTrust Directory as a repository may require that the
value of some attributes are unique across the repository. Information such as
user name, user ID, or key may need to be unique for correct operation of a
service. For example, an e-mail service will not operate effectively if a user
chooses an ID that is already in existence.
The benefits of this change will be to push uniqueness checking from the
application to the directory. This removes the potential for attributes existing
with duplicate values.
Distribution and Replication
Unique attributes cannot be used in a distributed environment, because there is
no way of ensuring that attribute values across multiple DSAs are not being
updated concurrently.
This means that the attribute value check will only apply to the local DSA. Make
sure that the DSA design does not assume that the attribute value check will be
performed across multiple DSAs.
In a replicated environment, unique attributes can be used in a single master
scenario only. This is also because of the issue of concurrent updates.
Unique Attribute Flag
Set the unique attributes using the DSA set command:
set unique-attrs = attr1, attr2, …;
To see a list of all of the unique attributes in a DSA, use the DSA console to issue
a get oper command.
Implementing Unique Attributes
Before you implement unique attributes:
■
■
Choose the attributes carefully.
Make sure you understand how client applications handle problems when
trying to add or modify attribute values that already exist.
During operation, take care to not inadvertently switch off this feature if it is still
required.
Schema Definition
4–9
Attributes
How Unique Attributes Work
When a client application tries to update an attribute that is set to be unique,
eTrust Directory checks that the attribute value is not already in existence. If the
value does already exist, an error message is sent back to the client application. If
the value does not yet exist, the client request is confirmed.
Limitation: Access Controls Bypassed
If these attributes have access controls imposed, the triggered search will bypass
these to ensure uniqueness. This means that a user may be able to write a client
application to determine these values. If the unique attributes contain sensitive
information, then this may be an issue.
Limitation: Uniqueness Cannot Be Restricted to a Sub-Tree
If attribute value uniqueness is required, but only need to be unique for a
particular sub-tree, then separate DSAs will be required.
Limitation: Uniqueness Not Enforced In Pre-Existing Data
We recommend that this feature be enabled on empty directories or new
attributes. This will ensure uniqueness.
There is no DSA mechanism for finding duplicates. If this feature is being
enabled on a running system, the administrator should perform checks for
duplicate attribute values.
Uniqueness will not be enforced on back-end loads. This has a similar impact as
turning on this feature with an existing set of data.
The following example shell script shows how to find duplicates. This script is
restricted to values to length 106.
#!/bin/sh
if [ $# -ne 2 ]; then
echo "Usage: sql.sh database attribute"
exit 1
fi
DATABASE=$1
ATTRIBUTE=$2
OUTPUT=`sql $DATABASE <<EOF
SELECT aid
FROM
attr
WHERE description = '$ATTRIBUTE';\g
\q
EOF`
4–10
eTrust Directory Administrator Guide
Attributes
# Process output to get Aid
AID=`echo "$OUTPUT" | grep -v aid | awk -F'|' '{ print $2 }'`
sql $DATABASE <<EOF >/dev/null 2>&1
CREATE VIEW findDuplicates(aid, norm, count) AS
SELECT aid, norm, count(norm)
FROM
search
WHERE aid = $AID
GROUP BY aid, norm;\g
\q
EOF
sql $DATABASE <<EOF | tr -d " " | grep $ATTRIBUTE | awk -F'|' '{ print $2 " = "
$3 ", occurrences = " $4 }'
SELECT a.description, f.norm, f.count
FROM
findDuplicates f,
attr a
WHERE f.aid = a.aid;\g
\q
EOF
sql $DATABASE <<EOF >/dev/null 2>&1
DROP findDuplicates;\g
\q
EOF
Schema Definition
4–11
Attributes
Changing the Schema Definition for Attributes in Use
Important! Never change database tables manually unless CA Technical Serves direct
you to do this.
If an attribute, object class or name binding has never been used in the directory,
then you can change or remove the schema definition by modifying the schema
configuration file.
If the attribute has been used before, but is no longer in use, then you should
dump the database to LDIF and then reload it before you modify the schema.
If an attribute has at any time been used within the directory, you can only
change its schema definition using these instructions.
Important! You cannot simply delete all the entries that have the attributes to be
changed, change schema, and import back the data.
Important! A single schema file may be used by many different DSAs, which may use
many different databases. If you change a schema file, check that it will work correctly
with all of the DSAs that use that file.
Remember to regenerate the schema.txt file for the DAP tools after changing the
DXserver schema configuration.
Changing LDAP Attribute Names
If an attribute is in use, but you wish to change its name for clients connecting to
the directory via LDAP, then simply alter the "ldap-names" part of the schema
definition.
Changing Schema Definitions for Attributes in Use
If an attribute has at any time been used within the directory, you cannot simply
delete all the entries that have the attributes you want to change, change the
schema, and import back the data. This will not work.
Instead, you must reload the database with DXloaddb to remove the old schema
definitions from the database.
To change the schema definition for attributes in use, do the following to every
databases and DXservers that uses the schema definition to be changed:
4–12
1.
Stop all related DSAs.
2.
Back up the system (data and configuration).
eTrust Directory Administrator Guide
Attributes
3.
Dump the database to to an LDIF file:
dxdumpdb olddbname
4.
Sort the LDIF file. To do this, use the following command:
ldifsort old.ldif old_sorted.ldif
5.
Change the schema definitions .
6.
Load the database from the sorted LDIF file with DXloaddb
7.
Start all the DXservers
8.
Verify the changes
This can be done without taking the eTrust Directory service offline by using the
database hot-swap feature:
1.
Turn off DXcache.
2.
Mark the DSA as read-only. To do this, add the following DSA flag to the
configuration file:
dsa-flags = read-only
3.
Dump the database to to an LDIF file:
dxdumpdb olddbname
4.
Sort the LDIF file to ensure that it will load successfully. To do this, use the
following command:
ldifsort old.ldif old_sorted.ldif
5.
Change the attribute syntax in the schema configuration
dxnewdb newdbname
6.
Change the database name in the DSA configuration
dxloaddb newdbname
7.
Initialize the DSA.
dxserver init dsa-name
If you do not change the DSA configuration before running DXloaddb, then
DXloaddb will use the schema.txt file which does not have the changed attribute
definitions.
Schema Definition
4–13
Object Classes
Object Classes
Object classes specify which attributes (and attribute sets) you can have in an
entry.
You define an object class by specifying its object identifier, a name, an alternate
name, a subclass, an object class kind, a list of must-contain and a list of maycontain attributes or attribute sets, and a description.
Example: Object Class
Definition
set object-class x500oc:5 = {
name = organizationalUnit
subclass-of top
kind = structural
must-contain
organizationalUnitName
may-contain
organizationalAttributeSet
description = "X.500 Organizational Unit Object Class"
};
The organizationalAttributeSet referred to in this example was defined in
Schema Example 3—Attribute Definition.
Object Class Kind
Within the X.500/LDAP standards, there are three kinds of object classes:
■
Abstract classes (for example, the object class top)
■
Structural classes (for example, the object class inetOrgPerson)
■
Auxiliary classes
The kind keyword defines the type of object class. The kind keyword is optional,
but if it is missing, DXserver derives the object class kind using the following
rule: when the object class inherits top, it is assumed to be structural; otherwise, it
is auxiliary.
Abstract Classes
The abstract object class determines the structure of an LDAP directory. The
object class top, for example, is the root object class from which all structural
object classes are derived. It contains one mandatory attribute, objectClass, and
because all entries inherit its attributes, it ensures that an object class defines
these entries. An abstract object class cannot stand alone in an entry. The entry
must also contain a structural object class.
4–14
eTrust Directory Administrator Guide
Object Classes
Structural Classes
Most of the object classes in a directory are structural, because they define what
an entry is. They also impose rules on the entries that are stored beneath them.
For example, the object class organization (o) may require that all objects stored
beneath it belong to the object class organizationalUnit (ou). Other examples of
structural object classes are groupOfNames, inetOrgPerson, and person.
Auxiliary Classes
The LDAP rules require each entry to belong to only one structural object class,
but an entry can also belong to one or more auxiliary object classes. An auxiliary
object class adds attributes to entries already defined by a structural object class.
An auxiliary object class cannot stand on its own in an entry. The entry must
contain a structural object class. Unlike structural object classes, auxiliary object
classes place no restrictions on storing an entry.
Object Class Checking
When adding an entry, the DSA automatically includes all the attributes from
any superclasses of the new entry's object class. For example, when an entry is
created with the object class inetOrgPerson, it includes attributes from the
inherited object classes (organizationalPerson, Person, top).
Important! DXserver supports multiple inheritance of object class. This means that an
object class can inherit attributes from more than one parent object class.
Schema Definition
4–15
Object Classes
Object Class Storage
By definition, the object class attribute used by every object or entry in the
directory can have multiple values of object identifiers. This enables object
classes to indicate their refinement (for example, through the use of object class
refinement or the addition of auxiliary object classes).
Configuring how the OC Attribute is Stored
You can configure how the object class attribute (single value or multiple values)
is stored within the directory.
By default, the DSA adds the object classes to the entry exactly as specified in the
LDAP or DAP add request (for example, the object class attribute may have
multiple OIDs). However, directory performance improves slightly when the
object class attribute only contains a single value (the OID of the refined OC).
However, this should not be the main influence over the object class design of
attributes.
Where entries contain a single inherited object class and explicitly list all its
superiors (their OC OIDs), the superiors can be removed, leaving the lowestlevel object class in the hierarchy as a single OID value. Similarly, when entries
are returned, the object class attribute can be automatically modified by the DSA
to contain all the superior object classes.
This OC refinement information can be returned (as OC OIDs) because the
directory maintains the object class structure rules that have been configured (in
its internal schema management control system).
For example, suppose that the directory contained entries corresponding to
people. Each entry can explicitly contain the following object classes within the
database:
4–16
■
inetOrgPerson
■
organizationalPerson
■
Person
■
top
eTrust Directory Administrator Guide
Object Classes
Pruning and Replacing Object Classes
It is more space-efficient to configure the DSA to prune all object classes, except
the lowest (inetOrgPerson), when creating the entry and to replace all the
superior object classes (organizationalPerson, Person, and top) when returning
the entry as a result of a client search.
The following configuration settings control the pruning and replacing of object
classes:
Setting
Parameter Description
set prune-oc-parents
Boolean
Removes redundant superior object classes
when new entries are created.
set return-oc-parents
Boolean
Replaces the superior object classes to
entries retrieved when searching.
set add-oc-parents
Boolean
Causes parent objectclasses to be added
when entries are added. e.g. Consider
adding a democorp entry with the classes:
inetOrgPerson
This control adds the parent (top-personorganizationalPerson) classes. This makes
the directory entry hold the following
classes:
■
top
■
person
■
organizationalPerson
■
inetOrgPerson
Important! When these settings are configured, searching entries using an object class
filter (for example, oc=Person) does not return any entries, because the specified object
class of Person is not present in the data; it is only added to search results that contain
the inetOrgPerson object class.
Schema Definition
4–17
Name Bindings
Name Bindings
Name bindings define where entries appear in the DIT. DXserver requires a
separate name binding for each allowable parent-object and child-object
relationship in the directory.
Example: Name
Binding Definitions
set name-binding x500nbind:2 = {
name = org-top
organization allowable-parent top
named-by organizationName
};
set name-binding x500nbind:3 = {
name = org-country
organization allowable-parent country
named-by organizationName
};
In this example, a new definition (arbitrarily named org-country) states that you
can place an organization object under a country object and that you must name
it by the organizationName attribute. The definition org-top states that you can
also place an organization object under a top object (that is, the root of the DIT)
named by the organizationName attribute.
Multiple attributes can name an object, in which case you separate the attributes
by commas. Additional naming attributes are optional when the keyword
optional precedes them.
Example: Advanced
Name Binding
Definition
set name-binding x500nbind:22 = {
name = orgUnit-orgPerson
organization allowable-parent organizationalUnit
named-by commonName optional surname
};
Name Binding Checks
The DSA checks name binding rules whenever you add or rename an entry. To
enforce both the parent-child relationships in the directory, and the naming
attributes used by a particular entry, name bindings are necessary. The system
reports any name binding errors as:
Update Error: Naming Violation.
When you enable warnings (set trace = warn,…;), the system sends a message
describing the reason for the name binding failure to the console.
There is one exception regarding name binding checks. When an object is added
under the naming context (or prefix) of a DXserver, then no name bindings need
exist. This facilitates the changing of the directory’s naming context without the
need to change associated name binding definitions. In this situation, DXserver
will give the following message:
Relaxed name bindings under root.
4–18
eTrust Directory Administrator Guide
Name Bindings
Name Bindings and Structural Object Classes
When an entry has more than one object class, the DSA looks through its list of
name bindings to ensure that one exists between one of the structural object
classes of the parent and one of the structural object classes of the entry
containing the appropriate naming attribute. It then uses this structural object
class to find a name binding and ignores all other auxiliary object classes.
The DSA permits modification of the structural object class only when a name
binding satisfies the parent-object relationship and the object is a leaf entry.
Name Bindings and Aliases
Name bindings for aliases are automatic, and you do not configure them
manually. The DSA lets you create an alias entry in place of any valid object
provided that you name it using the same attribute that an equivalent name
binding rule permits.
For example, when there is an org-orgUnit name binding, the DSA lets you place
an alias under an organization object when you name it using an
organizationalUnitName attribute.
Thus, you do not need to define an object-alias name binding for every part of
the DIT where you can place an alias.
Considerations for Schemas that Do Not Support Name Binding
When a schema is imported from a directory that does not support name
bindings or structure rules, it is possible for eTrust Directory to operate without
name bindings. To enable this functionality, add the following command to the
settings file:
set ignore-name-bindings = true;
You can retrieve the state of this flag by using the get oper; command.
Schema Definition
4–19
Defining Local Schema
Defining Local Schema
The X.500 standards enable the definition of local attributes, attribute sets, object
classes, and name bindings in the schema in much the same way as previously
described in Name Bindings and Aliases in this chapter.
Before defining local schema, you should check the existing published schema to
determine whether the required attribute, object class, and name binding
definitions already exist.
When you need to define additional schema, create an object identifier arc
(1.3.6.1.4.1.3327.1 in the following example) and add the new schema under this
arc. Use the set commands described previously to define the schema, and then
include the newly created configuration file (.dxc) in the schema group
configuration file (.dxg), used by the DSA.
The following example describes a single object class that can contain three
attributes. Computer Associates created the object class so that you could add the
additional attributes to an organizationalPerson object.
All the names in the schema definition below have the prefix ca. The use of an
object identifier prefix in the name helps simplify attribute references by
replacing the common portion of a complicated object identifier with a simple
character string and helps identify related attributes.
Example: Local
Attribute, Attribute
Set, Object Class, and
Name Binding
Definitions
set
set
set
set
set
set
set
set
set
set
4–20
oid-prefix caAttr
= (1.3.6.1.4.1.3327.1.4);
oid-prefix caOclass = (1.3.6.1.4.1.3327.1.6);
oid-prefix caAset
= (1.3.6.1.4.1.3327.1.7);
oid-prefix caNbind = (1.3.6.1.4.1.3327.1.14);
attribute caAttr:0 = {
name = caNearestPrinter
syntax = caseIgnoreString
description = "Local Printer Attribute" };
attribute caAttr:1 = {
name = caMobilePhone
syntax = caseIgnoreString
description = "Mobile Phone Attribute" };
attribute caAttr:3 = {
name = caAlternateContact
syntax = caseIgnoreString
description = "Local Contact Attribute" };
attr-set caAset:0 = {
name = caAttributeSet
caNearestPrinter,
caMobilePhone,
caAlternateContact };
object-class caOclass:0 = {
name = caOrgPerson
subclass-of organizationalPerson
kind = structural
may-contain caAttributeSet
description = "CA Organizational Person Object Class"
name-binding caNbind:0 = {
name = caOrgPerson-org
caOrgPerson allowable-parent organization
named-by commonName };
eTrust Directory Administrator Guide
};
Chapter
5
Distribution and DSP
In a distributed environment, a number of different Directory System Agents
(DSAs) manage a different part of the Directory Information Tree (DIT).
There needs to be a DSA-to-DSA protocol, such as the X.500 Directory Systems
Protocol (DSP), that lets the DSAs cooperate to resolve queries on any area of the
DIT.
DXserver fully supports the X.500 directory systems protocol, including:
■
Chaining—Performing queries through other DSAs
■
Multi-chaining—Performing distributed searches across many DSAs
■
Referrals—Informing clients where to find information
DXserver greatly simplifies the configuration of arbitrarily distributed DSAs by
providing the following unique features:
■
■
Prefix-based knowledge—Each DSA is identified by a name and its base
prefix. All superior, subordinate, and peer references are automatically
inferred.
Shared configuration—You define all the knowledge files once, which are
then used by any DSA.
The benefits of these features are:
■
■
■
Shortest-path routing—Each DSA has knowledge of other DSAs so requests
are chained directly to the DSA that processes the request.
Integrated security—See the chapter “Security” for more information about
DSA to DSA security.
High speed switching—Knowledge information is cached in each DXserver.
Distribution and DSP
5–1
Managing DSP
Managing DSP
You can manage DSP configuration using the DSP module commands at the
DXconsole. The DSP module commands let an administrator set and clear DSP
configuration management variables.
You can manage DSP configuration using the commands:
■
set parameter = value;
■
get parameter;
■
clear dsas;
■
unbind parameter;
DSP Command Options
A number of parameters of the DSP module commands let you change the DSP
configuration. The following tables summarize these parameters, and the
subsequent sections explain them in more detail.
The following are the parameters of the dsp set command:
Parameter
Value
always-chain-down
Value is TRUE or FALSE; when set to TRUE, the DSA overrides chainingprohibited controls when you need to chain the request to a subordinate
DSA.
dsa
The configuration details of a remote directory server.
max-dsp-ops
The maximum number of concurrent remote operations supported by the
server.
multi-chaining
Value is TRUE or FALSE; when set to TRUE, the DSA can multi-chain
searches to other DSAs.
multi-write-disp-recovery
Value is TRUE or FALSE; when set to TRUE, the DSA disables offline
multiwrite queuing. DSAs that cannot be contacted are dropped
immediately from the multiwrite set, and DISP is used to resynchronize the
DSAs when they come back online. Multiwrite DISP recovery cannot be used
where more than one DSA is attached to the same database. For more
information, see Multiwrite Replication the chapter “Replication.”
multi-write-queue
The maximum number of multiwrite operations that are queued when a
peer DSA cannot be reached. For more information, see the chapter
“Replication.”
5–2
eTrust Directory Administrator Guide
Managing DSP
The following are the parameters of the dsp get command:
Parameter
Value
dsp
Shows the current DSP configuration values of the DSA.
online-dsas
Provides information about current outgoing connections
to other DSAs.
dsas
Provides information about all known DSAs.
The following are the additional commands of the DSP module:
Command
Meaning
clear dsas
Removes all remote-DSA definitions from the DSA.
unbind
Unbind one, or all, outgoing connections to other DSAs.
Knowledge References
The information in a set dsa definition is called a knowledge reference. A
knowledge reference provides the address of another DSA and an entry point,
represented by the DSA’s prefix, into the part of the directory tree that the DSA
controls. A DXserver is identified by its name and prefix. References appear as
entries to a DUA (see List Service in the appendix “DXconsole DUA” for more
information).
Access controls can hide the presence of a subordinate DSA, making that subtree
invisible to a list service or any other service. (See Access-Controlled Routing in
the chapter “Security” for more information).
The DSA dynamically determines the type of reference (superior, subordinate, or
cross-reference). When the reference is a cross-reference, the ancestors of the
cross-reference are visible to the list service.
Distribution and DSP
5–3
Managing DSP
Remote Operations
Each DSA has a context prefix that defines the base of the DIT controlled by that
DSA.
When the DSA receives an incoming operation, it services the request locally
when it is in the DSA’s own DIT. When the operation is not local, it chains the
operation to a remote DSA unless:
■
■
■
■
■
One (user) service control—chainingProhibited or localScope—is set. You
can override this service control. (See Proxy DSAs in this chapter for more
information.)
Access controls hide the existence of the remote DSA. (See Access-Controlled
Routing in the chapter “Security” for more information.)
The remote DSA is unavailable.
You cannot establish a link of the appropriate authentication level to the
remote DSA. (See Other Security Features in the chapter “Security” for more
information.)
There is no DSA knowledge configured for the area of the operation.
Depending on the circumstance, the remote operation returns a:
■
Result
■
Referral
■
Service error
■
Security error
See the X.500 standards for a complete specification of how distributed DSAs
cooperate to resolve a query.
Limiting Remote Operations
In a multi-DSA environment a DSA may have to forward requests to other DSAs
to process. You can limit the maximum number of concurrent remote operations
that a DSA manages by setting max-dsp-ops in the configuration file (.dxc) in the
limits directory.
Example: Limiting the
Number of Remote
Operations to 100
5–4
set max-dsp-ops = 100;
eTrust Directory Administrator Guide
Managing DSP
Remote Connections
The DSA dynamically binds to and unbinds from remote DSAs. A DSA
maintains at most one connection per security level (set by the auth-levels list in
the DSA definition) to a remote DSA. When a DSA has an established DSP
connection of the correct security level to a remote DSA, it uses this connection.
A second connection of the same security level is not set up.
The DSA definition supports trust flags that enable a DSA to upgrade or
downgrade a link between DSAs. For example, when a link between two DSAs
supports only anonymous connections, a credentialed user can access the link
when the receiving DSA supports the allow-downgrading trust flag. Conversely,
when the only allowed DSP link is a clear-password link, an anonymous user can
access the link only when there is support for the allow-upgrading trust flag (see
DSA Knowledge Flags in the chapter “General Administration” for more
information).
A DSP connection to a remote DSA unbinds after the dsp-idle-time is exceeded.
Remove Remote DSA
Knowledge
You can remove all knowledge of remote DSAs using the command:
clear dsas;
Unbinding Remote Connections
Display Outgoing
Connections
When a DSA communicates with a remote DSA using DSP, it sets up a
connection (bind) to the remote DSA. You cannot abort this connection using
the abort user command described previously because it is an outgoing
connection. You can obtain information about outgoing connections with the
command:
get online-dsas;
Unbind All or Some
Connections
You can unbind all or some connections using this information and one of the
following commands (assuming 3 is a valid connection identifier):
unbind all;
unbind dsa 3;
Unbind Outgoing
Connections That
Exceed Global
Values
A DSA can automatically unbind outgoing connections when they exceed
global values set in the remote-DSA definition, for example:
set dsa “Eagle” = {
...
dsp-idle-time = 60
...
};
Distribution and DSP
5–5
Managing DSP
Incoming DSP Credentials
When a local DSA receives a bind with credentials from a remote DSA, it checks
the credentials against a matching (remote) DSA configuration. When you do not
configure a relevant remote DSA, the system rejects the incoming bind.
See DSA-to-DSA Encryption (DSP and DISP) in the chapter “Security” for more
information.
Outgoing DSP Credentials
If a remote DSA requires authentication, the local DSA must send credentials
when binding to the remote DSA. To be able to do this, the local DSA must have
credentials (user name and password) defined in its own set dsa definition (see
Configuring a DSA in this chapter for more information).
Distributed Searches (Multi-Chaining)
Searches can span multiple DSAs. A subtree search searches all entries below
and including the base-object of the search. Some entries can reside on a different
DSA from the base-object. When you enable multi-chaining, the DSA searches for
immediate subordinate DSAs after you find the base-object and then forwards
the search to these DSAs. Results from all subordinate DSAs and the local DSA
(the DSA containing the base-object) are collated before being returned.
Limiting Multi-Chaining
In a multi-DSA environment the DIT is controlled by multiple DSAs. A search
area can span part of the DIT that is controlled by more than one DSA. In this
case the DSA containing the base object of the search will multi-chain the request
to the other relevant DSAs. You can disable multi-chaining in two ways:
■
■
The originator of the request can disable multi-chaining by specifying localscope in the common arguments of the search.
The DSA administrator can disable multi-chaining by using the command:
set multi-chaining = false;
The DSA prevents multi-chaining to any DSA having a presence hidden by
access controls. (See Access-Controlled Routing in the chapter “Security” for
more information.)
5–6
eTrust Directory Administrator Guide
Managing DSP
Viewing DSP Configuration
You can monitor DSP connections using the dsp module get command at the
DXconsole. You can view the DSP configuration values and details of current
outgoing connections.
View DSP
Configuration
To view the DSP configuration, use the command:
get dsp;
This is a sample of the output from this command:
max-dsp-ops
local-prefix
local-dsa
multi-chaining
always-chain-down
multi-write-queue
View Online
Connections
=
=
=
=
=
=
100
<countryName AU><organizationName “DemoCorp”>
“DemoCorp”
FALSE
TRUE
200 (current 0)
To view the DSP connections that are currently active, use the command:
get online-dsas;
This is a sample of the output from this command:
dsa> get online-dsas;
Remote: DSA 2 (DEMOCORP)
Association: state 3, idle for 2 seconds, 0 operations waiting
0 operations abandoned
prefix:
<countryName “AU”>
<organizationName “DEMOCORP”>
dsaName:
<countryName “AU”>
<organizationName “DEMOCORP”>
<commonName “DXserver”>
dsaPassword: ?
hostname: EAGLE
OSI PSAP:
address: 208.12.151.204:19389
address: 127.0.0.1:19389
dispPsap: DISP
cmipPsap: CMIP
snmpPort: 19389
consolePort: 19390
ssldPort: 1112
DEMOCORP:next_distinct: (none) (precedence 3)
:next_similar: (none)
:children: (none)
refType: cross
auth-levels: anonymous clear-password ssl-auth
dsa-flags:
trust-flags: allow-check-password
link-flags:
maxIdleTime: 60
credit: 5
precedence: 3
Display Each DSA for
Which the Current
DSA Has Knowledge
Use the following command to display information about each DSA for which
the current DSA has knowledge, including itself:
get dsas;
Distribution and DSP
5–7
Configuring a DSA
Configuring a DSA
You can configure all DSAs, including the local one, using the set dsa command
(see Defining DSAs in the chapter General Administration for more information).
You can dynamically issue the set dsa command from the DXconsole, but it is
recommended that you include it in a DSA definition file (.dxc) in the knowledge
directory. You then source this file from another configuration file, either a .dxg
file in the knowledge directory or a .dxi file in the servers directory.
Configuring a Subordinate DSA
The following example defines a DSA called DemoResearch, which is
subordinate to the pre-configured DemoCorp DSA in the standard version.
Example
set dsa “DemoResearch” = {
prefix
= <c AU><o DemoCorp><ou Research>
dsa-name = <c AU><o DemoCorp><ou Research><cn DXserver>
dsa-password
= “demo”
address = tcp Eagle port 389
disp-psap = DISP
cmip-psap = CMIP
snmp-port = 1950
console-port
= 1952
auth-levels
= anonymous, clear-password
dsp-idle-time
= 10000
credits = 5
};
The DSA definition contains a prefix that defines the area of the DIT that is
covered by this DSA:
prefix
= <c AU><o DemoCorp><ou Research>
The DSA administers the prefix and the entries below, except for any areas of the
DIT below the prefix that are covered by another DSA.
Every object within the directory has a unique distinguished name (DN), which
directs it to an entry in the directory. The complete directory tree is called the
Directory Information Tree (DIT) and can comprise a number of independent
X.500 DSAs or LDAP servers that, between them, hold all the various branches of
the directory tree.
The naming context (which is also a DN) of an X.500 or LDAP server defines the
branch that server owns.
The X.500 and LDAP communities differ in the way they write their DNs. Within
X.500, DNs are written from the top of the tree down (for example, c=US,
o=Computer Associates, and so forth). Within the LDAP community, DNs are
written from the leaf entry up (for example, cn=John Smith, ou=Sales, and so forth).
5–8
eTrust Directory Administrator Guide
Configuring a DSA
Proxy DSAs
There are a number of situations where a group of DSAs must appear to the
outside world as a single DSA.
External
DUA or DSA
Proxy DSA
Internal
DSA 2
Internal
DSA 1
Internal
DSA 3
Internal
DSA 4
For example, an organization can make a single DSA visible through an Internet
firewall, but internally let that DSA send DSP requests to other internal DSAs
that control subtrees subordinate to the visible DSA. This configuration fails
when the external DUA sets the local-scope or chaining-prohibited service
controls. In this case, the visible DSA returns a referral, but the DUA cannot
connect to the referred DSA because there is no access to this DSA through the
firewall.
The solution to this problem is overriding the local-scope and chainingprohibited service controls using the command:
set always-chain-down = true;
When you enable this feature in the visible DSA, requests are chained to the
relevant DSA regardless of the request’s service controls. Also, subtree searches
are always multi-chained to subordinate DSAs.
A proxy DSA is also useful if an X.500 guard wants to hide the address of DSAs
inside the enclave that it is guarding.
Distribution and DSP
5–9
Configuring Another DXserver
Configuring Another DXserver
To configure the knowledge of a remote DSA, use the set dsa command (see
Defining DSAs in the chapter “General Administration” for more information).
Local DSA
Remote DSA
A DXserver is identified by its name and prefix. The relationship between two
DXservers is represented by the corresponding relationship between the prefixes.
See A Domain of DXservers in this chapter for more information.
Configuring Alternative Network Addresses
You can configure knowledge of more than one network address for a DSA. This
is used where you want to distribute the directory over more than one physical
or logical network. This facilitates increased network availability by using
additional networks between DSAs.
To configure knowledge of more than one network address for a DSA, use the set
dsa command:
set dsa “DualNetwork” = {
…
address
= tcp “dnet1” port 389, tcp “dnet2” port 1900
…
};
NET 1
DSA Dual
Network
NET 2
Handling Firewall Address Translation
If your firewall translates remote addresses, your DSA may not recognize the
remote DSA because of the changed address. You must configure alternative
network addresses in the knowledge file of the remote DSA by specifying the
address of the remote DSA followed by the address of the firewall.
5–10
eTrust Directory Administrator Guide
Configuring Another DXserver
Configuring a Third-party DSA
To configure the knowledge of third-party DSAs, use the set dsa command.
Example: Setting a
Remote DSA
Reference
set dsa “DemoUni” = {
prefix
= <c AU><o DemoUni>
dsa-name
= <c AU><o DemoUni><cn DSA>
};
address
= tcp “demouni.edu” port 389
auth-levels
dsp-idle-time
= anonymous
= 10000
Note: This DSA does not support DISP, CMIP, or SNMP and has only
anonymous access.
DXlink
A third-party DSA can be an LDAP server. DXserver has a feature, DXlink,
which treats a remote LDAP server as another DSA. To activate DXlink, set the
dsp-ldap link flag in the set dsa command in the knowledge directory of the
LDAP server:
link-flags = dsp-ldap
Note: When you are using LDAP Version 3, use the dsp-ldap link flag. When you
are using LDAP version 2, use dsp-ldapv2.
For more information about DXlink, see Integrating Other LDAP Servers in the
chapter “LDAP and DXlink.”
Distribution and DSP
5–11
Configuring Another DXserver
Configuring Multiple Local DSAs
To support large databases, parallel processing, or independent subtrees (for
example, for performance or security reasons), you can run a number of
DXserver DSAs on the same machine. You configure each DSA with its own
definition and connect the DSAs together using DSP.
Example: Setting Two
DSA References on
the Same Machine
# Knowledge configuration file: localTwo.dxc
set dsa “LocalTwo” =
{
prefix
= <c "AU"><o "DemoCorp"><ou "Sales">
...
address
= tcp "Eagle" port 1910
...
};
# Knowledge configuration file: localThree.dxc
set dsa “LocalThree” =
{
prefix
= <c "AU"><o "DemoCorp"><ou "Support">
...
address
= tcp "Eagle" port 1920
...
};
In this example, you can see that two local subtree DSAs are accessible:
AU/DemoCorp/Sales and AU/DemoCorp/Support. They each listen on
separate ports—1910 and 1920—although they have the same TCP/IP address.
If the underlying RDBMS supports load sharing across multiple CPUs, each
DSA process inherits this capability.
5–12
eTrust Directory Administrator Guide
Configuring a Domain of DXservers
Configuring a Domain of DXservers
A typical directory installation will include a number of DSAs, which together
control the DIT. These DSAs will usually control different portions of the DIT
and they need to cooperate in order to process client requests. This section shows
how a group of DSAs share DXserver knowledge.
A Domain of DXservers
The following diagram shows how to configure five DSAs to control a DIT. Each
DSA has control over a portion of the DIT, represented by its prefix, and a
relationship with the other DSAs in the domain. For instance DSA1 is the
superior DSA of DSA2 and DSA3, while DSA4 and DSA5 are subordinates of
DSA3.
DSA 1
DSA 3
DSA 2
DSA 4
DSA 5
A request received by one DSA that requires an operation on an entry that is not
contained in that DSA’s area of control, is chained (forwarded) to the relevant
DSA. A request may be chained through a number of DSAs before finding the
DSA capable of processing the request. When a domain of DSAs has shared
knowledge, a DSA receiving a request is able to forward that request directly to
any other DSA within the domain.
A search request can require a subtree search spread over more than one DSA. In
this case, the DSA containing the base object of the search performs the search
locally and multi-chains the search to any DSAs that control part of the subtree to
be searched. These DSAs will then return the search results back to the
originating DSA, which will collate them and return the result back to the client.
Distribution and DSP
5–13
Configuring a Domain of DXservers
Sharing DXserver Configuration
You should include each DSA definition in its own configuration file (.dxc) in the
knowledge directory. You can group together a number of DSA definitions into a
domain by creating a group file (.dxg) in the knowledge directory that sources
each required configuration (.dxc) file. You can then include the group file in a
server initialization file (.dxi) in the server’s directory.
If you change a reference or add a new DSA to the network, you can generate a
new configuration file and send a copy to each DSA that uses the reference.
DSA A
DsaA.dxi
dom.dxg
(Copy)
.dxc
(Copies)
DsaA.dxc
dom.dxg
DsaB.dxc
DSA B
DsaB.dxi
dom.dxg
(Copy)
.dxc
(Copies)
Each DXserver recognizes its own set dsa definition so that it can determine
whether or not an operation is local.
Configuring a First-level DSA
When the local prefix contains only one Relative Distinguished Name (RDN) in
its DN, the DSA is a first-level DSA. Usually there is no actual root-level DSA, so
each first-level DSA must handle lists and searches from the root. This means
that a first-level DSA multi-chains a search from root to other first-level DSAs.
5–14
eTrust Directory Administrator Guide
Configuring a Domain of DXservers
Configuring a Router DSA
It is possible to start a DSA without connecting to a database. In this
configuration, the DSA (known as a router DSA) simply forwards requests to
other DSAs. To do this, comment out or remove the line in the DSA initialization
file that sets the database name, as follows:
...
# DATABASE
# source “../database/dbname.dxc”;
...
A DSA without a database is used to pass on requests to one of a number of
DSAs known to the router DSA. The router DSA determines which DSA can best
process the client’s request. See Alternative DSAs in this chapter for more
information.
A router DSA consumes a level of the DIT. In the following example of a router
DSA’s knowledge file, c=au is the level of the DIT consumed by the router DSA.
set dsa ROUTER =
{
prefix
dsa-name
dsa-password
address
disp-psap
cmip-psap
snmp-port
console-port
ssld-port
auth-levels
dsp-idle-time
};
=
=
=
=
=
=
=
=
=
=
=
<c AU>
<c AU><CN DXserver>
“secret”
tcp “hostname” port 19289
DISP
CMIP
19289
19290
1112
anonymous, clear-password, ssl-auth
60
Transparent Routing
A router DSA can be used to link clients to a number of external LDAP servers,
using DXlink. In this case, the LDAP clients and the LDAP server may have
schema that are not known by the router DSA.
This means that the router DSA may receive requests and responses that contain
unknown schema. Normally, the router cannot process such queries. However, if
transparent routing is enabled, the router can pass LDAP requests and responses
without requiring the controlling schema.
Transparent routing only works with LDAP clients.
To enable transparent routing, use the following command:
set transparent-routing = true;
By default, transparent routing is set to FALSE.
Distribution and DSP
5–15
Configuring a Domain of DXservers
Configuring a Relay DSA
You can configure a DSA as a relay DSA so that it forwards requests. A relay
DSA does not occupy a level of the DIT. This is useful for router DSAs (such as
load balancers) or proxy DSAs (such as firewalls), because you can effectively
insert them without affecting the DIT. A relay DSA always forwards requests;
therefore it cannot have a local database.
A relay DSA only adds to the DSP trace information if the incoming request was
from a DUA.
To create a DSA as a relay DSA, add relay to its DSA flags:
set dsa DemoCorp = {
...
dsa-flags = relay, ...
...
};
Caching Entries from Subordinate DSAs
Unlike DAP, LDAP does not have a LIST operation. So, when LDAP clients want
to browse a directory, they invoke one-level searches that return object class
only. These one-level searches become a problem when there are many
subordinate DSAs because a one-level search must be broadcast to each of the
DSAs (whereas a LIST simply returns the names of the DSAs). To stop the
flooding effect that this creates, especially at first-level DSAs, the DXserver caches
the replies to one-level-search queries and makes them available to subsequent
similar requests. Only one-level searches returning object class are cached—these
are the searches commonly used to browse the directory.
5–16
eTrust Directory Administrator Guide
Alternative DSAs
Alternative DSAs
If you define more than one DSA with the same prefix (naming context) and
data, these DSAs can be used to improve the performance and availability of the
directory service.
This section describes three ways that groups of DSAs with the same prefix and
the same data can be used:
■
■
■
Failover—To improve the availability of the service, when one DSA fails,
another automatically takes over its request load.
Load sharing—To improve performance, read requests are divided between
two or more DSAs.
Query streaming—To improve performance, requests of different types are
routed to different DSAs.
Distribution and DSP
5–17
Alternative DSAs
DSA Failover
The purpose of failover is to improve the availability of the directory service.
In the following example, the router DSA usually sends requests to DSA 1. If
DSA 1 fails, the router DSA automatically sends all requests to DSA 2. This
change is invisible to the clients. In this system, DSA 2 is simply a backup: it is
only used if DSA 1 fails.
Router DSA
DSA 1
Database
DSA 2
Replication
Computer A
Database
Computer B
Failing Over to a Backup DSA
In the following example, the San Diego and Tokyo offices each use local replica
DSAs, to improve performance. During normal operation, each local router DSA
sends requests to the local data DSA. If either of the local data DSAs fails, the
routers automatically fail over to the remote data DSA.
San Diego
Router DSA
Tokyo
Router DSA
DSA 1
DSA 2
Database
Replication
Computer A
(San Diego)
Failing Over to a Remote DSA
5–18
eTrust Directory Administrator Guide
Database
Computer B
(Tokyo)
Alternative DSAs
Set the DSA Precedence For Failover
When more than one data DSA fails, the router DSA fails over to other DSAs in
their order of occurrence in the configuration files.
You can override this order with the following commands:
set precedence
set write-precedence
= dsaname1 [, dsaname2, dsaname3… ] ;
= dsaname1 [, dsaname2, dsaname3… ] ;
The command set precedence defines the order of the DSAs that the router DSA
fails over to.
The command set write-precedence defines the order in which DSAs are chosen to
perform updates. You can use it to direct the write requests from a failover
computer to a preferred master. If the set write-precedence command is not
present, updates follow the normal precedence, which is defined by the order of
the DSAs in the configuration file, or the set precedence command.
The DSAs in these lists have precedence over those that are not listed, and DSAs
earlier in the lists have precedence over those later in the lists.
When these commands occur in a configuration file, source them after the
knowledge.
To maximize performance, in general you should give faster DSAs precedence
over slower DSAs, and local DSAs precedence over remote DSAs.
Example: Using
precedence for
geographically
separated DSAs
The DSAs EAST, WEST, NORTH and SOUTH contain the same information. The
following command ensures that DSAs in the east fail over to EAST before
WEST:
set precedence = EAST, WEST;
The DSAs NORTH and SOUTH are not listed, so if both EAST and WEST are
unavailable, DSAs will fail over to them in the order that they are listed in the
configuration file.
Example: Using write
precedence
set write-precedence = home-dsa,work-dsa;
Distribution and DSP
5–19
Alternative DSAs
DSA Load-Sharing
Load-sharing is a way to use a router DSA and multiple data DSAs to improve
performance.
In a system with load-sharing, the router uses a least-busy algorithm to send
read requests to the DSA with the least load at the time.
In the example load-sharing configuration shown below, DSA2 has the smallest
queue of outstanding queries, so the router DSA will send the next query to that
DSA.
Queries
Router DSA
Queue:
Queue:
20 queries
0 queries
DSA 1
DSA 2
Queue:
10 queries
DSA 3
Database
Example Load-Sharing Configuration
When the router DSA is checking the DSAs, it only considers requests that it has
sent, and it does not assess the load that might be caused by the request about to
be sent, or the effect of requests that are being sent from other DSAs.
You can examine the statistics logs of the data DSAs to understand how often the
load is such that all three are busy. If all three are often busy, you might need
more data DSAs.
5–20
eTrust Directory Administrator Guide
Alternative DSAs
Load-Sharing Groups
In a load-sharing system, DSAs work to balance the number of read requests.
You can use load-sharing groups to constrain load-sharing to a sub-set of the DSAs
that have the same prefix.
The following example shows a router DSAs and three data DSAs with the same
prefix. Two of these data DSAs are in a load-sharing group, and the router shares
the load of read requests between these two DSAs. The third DSA is ignored
because it is not in the load-sharing group.
Read
Requests
Load-sharing
group
Router DSA
DSA 1
DSA 2
DSA 3
Database
Computer A
Using a Load-Sharing Group to Limit Load-sharing to Particular DSAs
Distribution and DSP
5–21
Alternative DSAs
In the following example, the San Diego and Tokyo offices each use local loadsharing groups of DSAs, to improve performance. During normal operation,
each local router DSA sends requests to the local group. If all of the DSAs in one
local load-sharing group fail, the router can fail over to the remote load-sharing
group.
During normal operation, the router shares the load of read requests between the
DSAs in the first load-sharing group. If all of the DSAs in this group are
unavailable, the router will fail over to the second load-sharing group.
Read
Requests
Read
Requests
San Diego
Router DSA
Tokyo
Router DSA
DSA 1
DSA 2
DSA 3
DSA 4
Load-sharing
groups
Database
Database
Replication
Computer A (San Diego)
Example System with Two Load-Sharing Groups
5–22
eTrust Directory Administrator Guide
Computer B (Tokyo)
Alternative DSAs
Set the DSA Precedence For Failover with Load-Sharing Groups
You can use precedence rules to affect how failover works with load-sharing
groups. For information about setting precedence, see the section Set the DSA
Precedence For Failover in this chapter.
If you use the set precedence command to list DSAs that are also in load-sharing
groups, then a load-sharing group has the precedence of the highest DSA in that
group.
For example, consider the following command:
set precedence DSA1, DSA2, DSA3, DSA4;
A load-sharing group that includes DSA1 and DSA4 has precedence over a
group that includes DSA2 and DSA3.
Also, a load-sharing group that includes DSA4 has precedence over a group that
includes no listed DSAs.
Set Up a Load-Sharing System
To set DSAs to share the load for a particular context prefix, do the following:
1.
Decide how many DSAs you will use to share the load of read requests.
2.
Set up these DSAs with the same prefix and the same data.
3.
Set each DSA to share the same knowledge information.
4.
Add the load-share DSA flag to the shared knowledge:
set dsa dsaname = {
...
dsa-flags = load-share, ...
... };
5.
In the router DSA’s group knowledge file (.dxg), list the load-sharing DSAs
consecutively.
6.
(Optional) To create a load-sharing group, add the load-share-group item to
the knowledge for the DSAs in the group:
set dsa dsaname = {
...
load-share-group = group-name
dsa-flags = load-share, ...
... };
Distribution and DSP
5–23
Alternative DSAs
DSA Query Streaming
Query streaming is a way to send particular types of queries to different DSAs.
This allows you to dedicate DSAs to particular types of operations, which can
improve performance consistency.
You can use query streaming with load sharing, to direct queries to different
load-sharing groups.
How Query Streaming Works
Query streaming is somewhat like checkout lanes in a supermarket. In a
supermarket, the express lanes are reserved for small sales, to allow people with
only a few items to be served quickly.
In a supermarket without an express lane, people with only a few items can be
stuck behind people with many items.
Similarly, you can dedicate some DSAs to small, fast queries (for example,
authentications) so that they are not held up by complex queries (for example,
reports).
In the following example, the Router DSA sends queries in the following manner:
■
Simple searches only go to DSA 1 and DSA 2
■
Complex searches only go to DSA 3
■
Update requests only go to DSA 4
Queries
Router DSA
Simple
queries
DSA 1
load-share
limit-search
read-only
Simple
queries
DSA 2
load-share
limit-search
read-only
Complex
queries
DSA 3
Update
requests
DSA 4
read-only
Example of a Distributed System Set Up to Allow Query Streaming
5–24
eTrust Directory Administrator Guide
Alternative DSAs
Set Up Query Streaming
To set up query streaming, follow these steps:
1.
Decide how many data DSAs your distributed system will include.
2.
Decide what queries each data DSA will accept.
3.
For each data DSA, set one or more of the following flags in the DSA
knowledge file:
The read-only flag
A router will not forward update requests to a DSA that has the flag
read-only set in its knowledge file. This routes update requests to any
DSAs without the flag read-only.
The limit-list flag
A router DSA will not forward any list requests to a DSA that has the
flag limit-list set in its knowledge file.
The limit-search flag
A router DSA will not forward any complex searches to a DSA that has
the flag limit-search set in its knowledge file.
For more information about the limit-search flag, see the section Example:
How the limit-search DSA Flag Works in the chapter “General
Administration.”
What Is a Simple Search?
This section describes simple and complex searches. If a DSA includes the limitsearch flag in its knowledge file, no complex searches will be sent to that DSA.
The following searches are simple:
■
Exact match searches—For example, cn=john smith
■
Initial substring searches—For example, cn=john s*
■
■
Searches that include exact-match and initial-substring searches combined
with simple ANDs or ORs,—For example, (&(cn=john smith)(cn=john s*))
All base-object searches (reads), regardless of the filter
The following searches are complex:
(objectclass=*)
(!(cn~=john smith))
(&(objectclass=*)(cn~=john smith))
(|(cn=jon*)(cn=john*))
These complex searches could only be sent to a DSA that does not have the limitsearch flag set.
Distribution and DSP
5–25
Chapter
6
Security
This chapter describes the following areas of eTrust Directory security:
■
Secure Socket Layer (SSL) encryption
■
Authentication
■
Password management
■
Access controls
Security
6–1
Secure Socket Layer (SSL) Encryption
Secure Socket Layer (SSL) Encryption
This section describes how to use SSL to protect link connections to or from
DXserver.
About the SSL Protocol
SSL is a protocol for providing link-level security. SSL has virtually become the
industry standard for encryption, integrity, and authentication. For more
information about SSL, see http://home.netscape.com/eng/ssl3/index.html.
SSL and Certificates
SSL uses X.509 certificates. When you use SSL, you must properly manage these
certificates through a certification authority or appropriate software.
JXplorer lets you manage certificates, private keys, and keystores. See the chapter
“Using JXplorer” for more information about managing certificates and enabling
SSL authentication.
eTrust Directory and SSL
DXserver supports SSL as both an encryption method and an authentication
method. We refer to this as SSL encryption and SSL authentication.
Note: SSL authentication always uses SSL encryption.
6–2
eTrust Directory Administrator Guide
Secure Socket Layer (SSL) Encryption
SSL Encryption and Authentication Using SSLD
You can protect any link connection to or from DXserver with SSL encryption.
eTrust Directory implements SSL encryption and authentication as a companion
process to the DSA. This process is called SSLD. SSLD is based on OpenSSL.
For security, SSLD must run on the same computer as the DXserver.
SSLD is multithreaded, which means that one SSLD process can serve multiple
DXservers simultaneously. There is no need to run multiple SSLD processes on
the same computer.
The SSLD server supports:
■
SSL (both version 2 and 3)
■
Transport Layer Security (TLS)
How the SSLD Works with Certificates
SSLD uses the following types of certificates, which are stored in its
configuration directory:
■
■
Trusted root certificates (“trusted.pem”) that contain one or more
certificates of trusted Certification Authorities.
Personality certificates that identify the one or more DXservers that are
communicating with the SSL server. There is one per DSA (dsaName.pem),
and each one contains a private key.
The following diagram displays this:
Directory
Client
DB
DSA
SSLD
Personality
Certs
HSM
Trusted
Certs
Security
6–3
Secure Socket Layer (SSL) Encryption
How DXserver Works with SSL Binds
Unlike other directory implementations, the eTrust Directory DSA handles DAP,
LDAP, DSP and DISP protocols through a single port in SSL-encrypted and
unencrypted forms. When SSL encryption or decryption is required, the DSA
passes the packets to the SSLD to perform the SSL operation.
When a client binds to a DXserver using SSL, the following happens:
1.
If the DXserver is not already connected, it connects to the SSLD, assuming it
is running.
Note: If the SSLD is not running or is not configured properly, possibly with
a different port, the DSA refuses the client connection (fails the bind request).
2.
DXserver passes all SSL handshaking to the SSLD to establish the SSL
connection with the client.
3.
DXserver uses SSLD to decrypt requests and encrypt responses.
The following diagram displays this:
Directory
Client
DB
DSA
1
2
3
SSLD
6–4
eTrust Directory Administrator Guide
Secure Socket Layer (SSL) Encryption
DXserver Personality Certificates
When a DSA connects to SSLD it passes the DSA server name as its SSLD
personality. The server name is the name specified by the set dsa dsaName
command in the DSA configuration file in the knowledge directory. For example,
for the Democorp DSA, the SSLD personality name is democorp.
This personality determines the certificate file that the SSLD uses to support
authentication of the DSA.
The personality name passed to the SSL server is mapped to a file name of the
form personality.pem (the personality string is converted to lowercase). This file
contains a certificate and private key in PEM format (the private key is what
gives the DSA its identity) unless a HSM is in use, in which case it is a hardware
reference. For information about DXserver HSM support, contact Computer
Associates at http://supportconnect.ca.com.
Generating Personality Certificates
You must not simply rename the personality files that come with eTrust
Directory (for example, from democorp.pem to mydsaname.pem) and edit the
subject lines. This text is just comments for the real certificate—changing the text
does not alter the certificate. You must generate a new certificate.
To generate personality certificates, use separate certificate authority software.
The popular certification authority software OpenSSL is available from
http://www.openssl.org/. You can either build the package from the source
code (which requires a compiler) or locate a binary (precompiled) package for
your operating system.
When you are generating a personality certificate, ensure the following:
■
■
Make sure that the DSA name in the subject field of the certificate matches
the DSA name in the DSA knowledge. For example, for the Democorp DSA,
this is <c AU><o Democorp><cn DXserver>.
Add the root certificates of the certificate authorities that you use to generate
your DXserver personality certificates to the end of the trusted.pem file.
Security
6–5
Secure Socket Layer (SSL) Encryption
Setting Up SSL For DXserver
This section describes what you have to do to set up SSL for DXserver. You will
need a root certificate, a DSA personality certificates and an SSLD instance to
service DSA requests.
Configuring DXserver for SSL Operation
DXserver needs to know which port the SSLD is using for connections. This is
configured in the DSA configuration file (.dxc) in the knowledge directory.
For example:
set dsa Democorp =
{
...
ssld-port = port_number
...
};
If the SSLD port number is not specified, it defaults to port 1112.
For a list of all ports in a default installation of eTrust Directory, see the section
Port Numbers Used by eTrust Directory in the chapter DXserver Overview.
Configuring the SSLD
To configure SSLD, you need a root certificate, DSA personality certificates and a
SSLD instance to service DSA requests.
The format of the SSLD command is as follows:
ssld action [arguments]
The following table lists the SSLD actions available:
Action
Description
install
Saves the startup arguments and options and sets the SSLD to start
automatically at system startup.
ssld install ssld-server-name -certfiles path -ca file [options]
start
Starts the SSLD:
ssld start ssld-server-name [-certfiles path -ca file [options]]
If you have already installed the SSLD, you can omit the arguments and options.
To start all previously installed SSLDs, use the command:
ssld start all
6–6
eTrust Directory Administrator Guide
Secure Socket Layer (SSL) Encryption
Action
Description
stop
Stops the specified SSLD:
ssld stop ssld-server-name
To stop all SSLDs, use the command:
ssld stop all
remove
Removes the specified SSLD from the list of automatically restarting SSLDs so
that it does not restart at the next system startup.
ssld remove ssld-server-name
To remove all SSLDs, use the command:
ssld remove all
status
Displays the status of all configured SSLDs:
ssld status
-ciphers
Prints a list of all ciphers that can be used for SSL/TLS connections:
ssld -ciphers
The following table describes the parameters of these commands.
Parameter
Meaning
-certfiles path
The directory that contains certificate and private-key files in PEM format.
This parameter is required by the install action. It is also required by the start
action if the SSLD server has not already been installed.
-ca file
A file that contains trusted certification authority certificates in PEM format.
This parameter is required by the install action. This parameter is also required
by the start action if the SSLD server has not already been installed.
The arguments of the ssld install and the ssld start commands are:
Argument
Values
-hsm_pin pin
The hardware security module (HSM) user PIN. If specified, the private key is
used through the HSM.
-hsm_lib file
File containing the pks#11 library supplied by the HSM vendor.
-hsm_slot n
The HSM slot number.
-cipher string
Specifies the ciphers that will be used for SSL/TLS connections.
-help
Displays command usage.
-port n
The listen port, which DXserver uses when connecting to the SSL daemon. If not
specified, it defaults to port 1112.
-tls
Instructs SSLD to use TLS instead of SSL 3.0.
Security
6–7
Secure Socket Layer (SSL) Encryption
Argument
Values
-nologo
Do not show the banner.
-debug n
Sets a debugging level (0-9).
-threads n
Specifies the number of extra threads. The default is 2, which makes the SSLD
multi-threaded by default.
Resetting SSLD Parameters
The parameters of the ssld start command are stored. This means that even if you
stop and restart the SSLD, it continues to use the parameters that you set when
you first started the SSLD.
For example, if you run the following commands, the logging level set in the first
line is not reset:
ssld start xxx -debug 9
ssld stop xxx
ssld start xxx
There are two ways to reset SSLD parameters:
■
Reset the parameter directly
You can stop and start the SSLD again, making sure that you explicitly re-set
all parameters. For example, to re-set the logging parameter:
ssld stop xxx
ssld start xxx -debug 0
■
Install the SSLD again, with the new parameters
Another way to reset SSLD parameters is to remove and re-install the SSLD.
The installation re-sets the parameters:
ssld
ssld
ssld
ssld
stop xxx
remove xxx
install xxx [arguments]
start xxx
The parameters are stored in the following locations:
■
■
6–8
Windows—The following registry variable :
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ssld_ins
tancename\Parameters
UNIX and Linux—The ssld_name.args file in $DXHOME/config/ssld
eTrust Directory Administrator Guide
Secure Socket Layer (SSL) Encryption
SSLD Is Multi-Threaded
SSLD can be configured to run more than one instance on each computer.
However, we recommend that you use only one instance of SSLD per computer.
You should only run one instance of SSLD on each computer because SSLD
cannot determine if there is another SSLD instance on the same port when it
starts up. This is due to the way Windows allocates TCP ports. This limitation
means that two SSLD instances might be running on the same port, with
unpredictable results, including "Assertion Error" messages and SSLD hanging
and refusing to accept new requests.
Instead of running multiple instances of SSLD, use the -threads parameter to set the
required number of threads. We recommend that you set the number of threads to
twice the number of CPUs, unless you have a large number of CPUs. If you have
many CPUs, then set the number of threads to the number of CPUs plus five.
In the following example, the SSLD process uses four CPUs, and is started
automatically when the Democorp DSA is started. The certificate and private key
files are in the directory DXHOME/config/ssld/personalities, and the trusted
Certification Authority (CA) certificate is in config/ssld/trusted.pem.
ssld install democorp –certfiles config/ssld/personalities –ca config/ssld/trusted.pem –threads 4
SSLD Example: Specifying the Cipher for SSL/TSL Connections
You can specify which cipher is to be used for SSL/TLS connections. When you
start the server, use the -cipher option, as in this example:
ssld start democorp –certfiles config/ssld/personalities –ca
config/ssld/trusted.pem -cipher RC4-MD5
To list all the available ciphers, use the -ciphers action:
ssld -ciphers
A list of ciphers appears, as in the following example:
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH(1024) Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH(1024) Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA(1024) Au=RSA Enc=3DES(168) Mac=SHA1
DHE-DSS-RC4-SHA SSLv3 Kx=DH(1024) Au=DSS Enc=RC4(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA(1024) Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA(1024) Au=RSA Enc=RC4(128) Mac=MD5
EXP1024-DHE-DSS-RC4-SHA SSLv3 Kx=DH(1024) Au=DSS Enc=RC4(56) Mac=SHA1 export
EXP1024-RC4-SHA SSLv3 Kx=RSA(1024) Au=RSA Enc=RC4(56) Mac=SHA1 export
EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(1024) Au=DSS Enc=DES(56) Mac=SHA1
DES-CBC-SHA SSLv3 Kx=RSA(1024) Au=RSA Enc=DES(56) Mac=SHA1
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
Mac=MD5
export
Security
6–9
Secure Socket Layer (SSL) Encryption
For more information about ciphers, see http://www.openssl.org/.
6–10
eTrust Directory Administrator Guide
Secure Socket Layer (SSL) Encryption
Client Encryption
DXserver automatically detects an SSL session from an LDAP client or DAP
DUA. If the SSLD is running, it manages all the session establishment and
encryption. If the SSLD is not running, the connection is refused.
The only way to force a client to use SSL encryption is by enforcing SSL
authentication.
DSA-to-DSA Encryption (DSP and DISP)
To enable a DXserver to use encryption when communicating with a remote
DSA, set the link flags to ssl-encryption in the knowledge file of the remote DSA.
For example, to enable encryption from a Democorp DSA to a UNSPSC DSA,
ensure that, in the knowledge, the UNSPSC link flag is set to ssl-encryption.
set dsa UNSPSC =
…
link-flags = ssl-encryption
…
DUA
OP
DemoCorp
DSA
BIND
UNSPSC
DSA
Note: The previous DSAs share the same configuration, but the Democorp
directory must look up the capabilities of the other directories to decide whether
to use SSL encryption.
Security
6–11
Authentication
Authentication
Authentication is the process of validating users. During authentication, the
server asks itself, “Is the user who they say they are?”
DXserver supports three levels of authentication:
■
Anonymous (no credentials)
■
Simple (name and password)
■
SSL (certificate-based authentication)
Authentication is performed on all incoming binds from a client or server. When
certificate-based authentication is used, then all communication on the
association set up by the bind will use SSL encryption.
Setting the Minimum Authentication Level
You can set the minimum authentication level on a DXserver using the
set min-auth command. This sets the minimum requirements for a successful
bind to the DXserver.
No Authentication
Setting no authentication permits any type of authentication (including
anonymous). To permit any authentication, use the following command in the
initialization script or at the management console:
set min-auth = none;
Name and Password Authentication
To force authentication of at least a name and password, set min-auth to
clear-password. This ensures that a user provides a user name and clear-text
password or provide a certificate (to be checked using SSL authentication) on a
bind.
set min-auth = clear-password;
Certificate Authentication
To force authentication by certificate, set the following command:
set min-auth = ssl-auth;
6–12
eTrust Directory Administrator Guide
Authentication
Anonymous Authentication
When no credentials are provided or only simple credentials are provided
without a password (for instance, just a name), then the bind is treated as
anonymous. An anonymous bind is accepted only when the minimum
authentication level is none.
Simple Authentication
When a name and password are supplied with the following conditions, the bind
is treated as simple.
■
The name corresponds to a real entry in the directory.
■
That entry has a password attribute.
■
The supplied password matches it.
■
The min-auth flag does not include the value ssl-auth.
For simple authentication, all users must have corresponding directory entries
containing the password attribute.
Authentication fails and the bind is refused when:
■
The entry named by the user cannot be found.
■
The entry named by the user name does not contain a password attribute.
■
The password provided does not match the password value of the attribute
in the entry named by the user name.
When the user does not provide a user name and password or only provides a
user name, and if the minimum authentication level is set to “none,” the bind is
accepted as anonymous.
You can add the password attribute to an object with a remote DUA. When
access controls are in force, users can add or change a password only when they
have the appropriate privilege, for example:
■
■
Superuser
Administrator of a subtree (only for entries in the subtree and only when the
administrator has privileges on the password attribute)
■
Administrators of their own entry
■
Registered user with update permissions on the password attribute
Security
6–13
Authentication
SSL Authentication
SSL authentication has two parts:
1.
2.
Establish the SSL connection.
Establish the directory connection (using a bind).
Establishing the SSL Connection
The SSL client provides a certificate with the SSL connection:
SSL
Client
DemoCorp
DSA
The DXserver/SSLD validates the certificate by checking the validity dates and
checking the issuer of the certificate against the configured trusted roots.
SSLD
SSL
Client
Trusted
Certs
DemoCorp
DSA
The SSL connection is then established.
SSL
Client
SSL
DemoCorp
DSA
Establishing the Directory Connection
The SSL client uses the SSL bind procedure. In LDAP, this is known as
SASL/EXTERNAL. (In X.500, we use the Bind External Procedure.) This tells the
directory to use the certificate from the link layer.
6–14
eTrust Directory Administrator Guide
Authentication
SSL
Client
BIND
SSL
DemoCorp
DSA
The DSA checks the entry named by the subject DN contained in the certificate.
In the case of DAP or LDAP (clients), the DSA verifies that the entry exists. In the
case of DSP or DISP, the DSA will check the dsa-name in its knowledge.
To bypass this last check of the certificate’s subject DN, use the command:
set ssl-auth-bypass-entry-check = TRUE;
This establishes the directory connection.
X.500/
LDAP
SSL
Client
SSL
DemoCorp
DSA
Restricted Chaining
If a DSA receives a bind request and passes a compare request to a remote DSA,
then the compare request will have a chaining-prohibited control set.
This prevent the remote DSA from passing the compare request to another DSA
and ensures that the compare is only processed by a trusted DSA.
If users are storing a hierarchy of DSAs, then it is a good idea for the DSAs to
share knowledge so that compare requests can be sent straight to the DSA that
contains the entry.
Overriding Restricted Chaining
It is possible for a DSA to override the chaining-prohibited control by setting
always-chain-down to true.
This can be useful when you want to configure proxy DSAs. For information
about proxy DSAs, see the section Proxy DSAs in chapter 5.
However, we recommend that you do not override the chaining-prohibited
control, because this breaks the trust relationship between DSAs.
Security
6–15
Authentication
Bypassing the Entry Check
Usually, during SSL authentication, the DSA verifies that the entry exists. This
can be bypassed with the command:
set ssl-auth-bypass-entry-check = TRUE;
In this case, when authenticating the client, the DSA will not check that an entry
with a distinguished name matching the subject field in the certificate of the
client exists in the directory.
Distributed User Authentication
A user can bind to one DSA when their entry is held on another DSA. When the
bind is made, the DXserver can forward a check to another DSA when certain
distributed authentication parameters are set.
During simple authentication, the local DSA can forward the password check to
a remote DSA only when the local DSA can make an authenticated connection to
the remote DSA. The remote DSA must have the correct trust-flags set in the
DSA definition.
For example, to enable the Democorp DSA to forward a password check on to
the UNSPSC DSA, the Democorp DSA must check its knowledge of the UNSPSX
DSA. If the UNSPSC knowledge file contains the trust flag allow-check-password,
then the Democorp DSA can pass the password compare request to the UNSPSC
DSA.
set dsa UNSPSC =
...
trust-flags = allow-check-password
...
bind request
DUA
bind response
Democorp
DSA
compare request
compare response
UNSPSC
DSA
If the DSA receiving the bind request passes a compare request of the password
value to the remote DSA, and this returns a compare confirm with assertion true,
then the DSA returns a bind-confirm to the user.
6–16
eTrust Directory Administrator Guide
Authentication
DSP Simple Authentication
DSP and DISP binds are subject to the min-auth setting. This means that if the
local DSA has enabled authentication, an incoming DSP or DISP bind request
must have valid bind credentials.
Authenticated DSP binds use mutual authentication. During the bind process,
each DSA supplies its own credentials to the other DSA, and each DSA also
checks the credentials supplied to it by the other DSA.
Credentials Used During DSA Binds
An incoming bind is accepted only when there is a DSA knowledge
configuration that meets all the following conditions:
■
The distinguished name of the credentials matches the remote DSA dsaname.
■
The password in the credentials matches the remote DSA password.
■
The address of the binding DSA matches the address of the remote DSA.
We recommend that the DSAs in a DSP-meshed network share the same group
knowledge configuration file so that all the combinations of names and
passwords are known to each DSA.
See Managing DSP in the chapter “Distribution and DSP” for more information
about sending credentials with a DSP bind request.
Security
6–17
Authentication
How Mutual Authentication Works
This section describes the mutual authentication process.
1.
The DSA sending the bind request includes its credentials with the bind
request. It gets these credentials from its own knowledge file.
2.
The DSA receiving the bind request checks the credentials against its
knowledge of the sending DSA.
In this example, the UNSPSC DSA receives a bind request from the
Democorp DSA, and checks its credentials:
set dsa Democorp =
...
dsa-name = <c CA><o UNSPSC<>cn DXserver>
dsa-password = …
address = …
...
Democorp
DSA
bind request
UNSPSC
DSA
3.
The DSA that received the bind requests now sends a bind response back,
including its own credentials in this bind response.
4.
The DSA that sent the bind request checks the credentials of the other DSA
against its knowledge of the other DSA.
In the following example, the UNSPSC DSA receives a bind response from
the Democorp DSA, and checks its credentials:
set dsa UNSPSC =
...
dsa-name = <c CA><o UNSPSC<>cn DXserver>
dsa-password = …
address = …
...
Democorp
DSA
5.
6–18
bind response
UNSPSC
DSA
If all the credential checks match, the bind succeeds.
eTrust Directory Administrator Guide
Authentication
DSP SSL Authentication
To enable SSL authentication between DSAs, the auth-levels flag of the receiving
DSA must include the value ssl-auth.
If you simply want DSA-to-DSA connections to be encrypted, SSL authentication
is unnecessary. Instead, set the link-flags element in the DSA knowledge to sslencryption.
How DSP SSL Authentication Works
This section describes the DSP SSL authentication process.
1.
The DSA sending the bind request checks its own knowledge file to
determine if it can use SSL.
2.
The sending DSA then checks the knowledge file of the receiving DSA to see
if it can accept an SSL connection. If it cannot, the bind attempt is aborted. If
it can, the DSA sends the SSL bind request.
In this example, the Democorp DSA finds the ssl-auth flag in its copy of the
UNSPSC knowledge file, so it sends the SSL bind request:
set dsa UNSPSC =
…
auth-levels = ssl-auth
…
DemoCorp
DSA
BIND
UNSPSC
DSA
DISP Authentication
DISP authentication is controlled by the DISP agreement. See DISP Agreements
in the chapter “Replication” for more information about DISP agreements.
Depending on the setting of auth-level in the agreement, the authentication
method follows the DSP simple or DSP SSL procedures outlined previously.
Security
6–19
Authentication
Bypassing Mutual Authentication
In the case of simple authentication, DSAs always exchange name and password
if configured. Not all third party DSAs or LDAP servers support the returning of
credentials on bind confirm. You can set a trust flag in the knowledge file of the
third-party DSA to bypass the return credentials check:
set dsa UNSPSC =
…
trust-flags = no-server-credentials
…
DemoCorp
DSA
BIND
RESPONSE
UNSPSC
rd
3 PARTY
DSA
In the case of SSL authentication, certificates are always exchanged and the
subject DN is always checked against the DSA name in the knowledge
configuration file. You cannot bypass mutual authentication when using SSL
authentication.
6–20
eTrust Directory Administrator Guide
Authentication
Conveying User Authentication
In a networked system of DSAs, a user can bind to a DSA, and then request
information that is held on another DSA.
You can use the trust-conveyed-originator flag to allow the first DSA to convey the
user’s authentication to the second DSA.
How User Authentication Is Conveyed Between DSAs
1.
A user binds to a DSA. The bind request includes the user’s DN, and the
user’s credentials.
2.
The DSA authenticates the user.
3.
The user makes another request which the current DSA cannot fulfill.
4.
The DSA passes the request to another DSA that will be able to fulfill the
request. The request includes the user’s DN and authentication
5.
The receiving DSA must decided whether to trust the user’s authentication.
To do this, it looks at the knowledge file of the first DSA for the trustconveyed-originator flag.
6.
If the receiving DSA finds the trust-conveyed-originator flag, it accepts the
request. Even though the user was authenticated on Democorp, it will be
treated as if it had been authenticated on UNSPSC.
7.
The receiving DSA uses the DN of the originating user to determine what
access controls to apply to the request.
In this example, the UNSPSC DSA trusts the user authentication of the request
that has been passed to it by the Democorp DSA:
set dsa DemoCorp =
…
trust-flags = trust-conveyed-originator
…
DUA
OP
DemoCorp
DSA
OP
UNSPSC
DSA
Security
6–21
Authentication
DSP Link Authentication
Traffic on any link is generally carried at the same security level. That is:
■
High security—SSL authentication is carried on an SSL bind
■
Medium security—simple authentication is carried on a simple bind
■
Low security—anonymous authentication is carried on an anonymous bind
SSL authentication
DSA
Simple authentication
DSA
No authentication
Possible Problems with Link Authentication
This can present problems if a user makes a successful simple bind to a directory,
but is refused any distributed operations because all distributed links have a
minimum authentication level of ssl-auth.
Similarly, a user might make a successful SSL authenticated bind to a directory,
only to be refused distributed operations because the distributed directories
cannot support SSL authentication.
In either case, the error reported is “No compatible link type.”
Possible Solutions to the “No compatible link type” Error
One solution is to change the “auth-levels” so that a compatible DSP link can be
established.
Another solution is to either upgrade or downgrade the trust levels on the link
between distributed DSAs. A user who makes a successful simple bind can be
upgraded to allow distributed operations over an SSL link; a user who makes a
successful SSL bind can be downgraded to allow distributed operations over an
anonymous or simple link.
This should not be undertaken lightly. The only reasonable use is to permit
unauthenticated DSA links within the one organization (or on the one host), or to
grant access to a public server. You can use downgrading and upgrading on
inter-office links, but the use of encryption should suffice.
6–22
eTrust Directory Administrator Guide
Authentication
Examples: Upgrading and Downgrading the Link Type
The following example demonstrates the upgrade of anonymous bind user on a
simple link between a Democorp DSA and a UNSPSC DSA:
set dsa UNSPSC =
…
trust-flags = allow-upgrading
…
DUA
anon
DemoCorp
DSA
simple
UNSPSC
DSA
The following example demonstrates the downgrade of an SSL bind user on a
simple link between a Democorp DSA and a UNSPSC DSA:
set dsa UNSPSC =
…
trust-flags = allow-downgrading
…
SSL
DUA
DemoCorp
DSA
simple
UNSPSC
DSA
Impersonation Protection
DSA authentication is completely separate from DUA authentication. This means
that a DUA cannot gain access using the credentials of a DSA, and a DSA cannot
gain access using the credentials of a DUA.
DSA authentication checks network addresses and credentials. This makes it
difficult for one DSA to impersonate another DSA.
Security
6–23
Managing Passwords
Managing Passwords
A policy is a set of rules that defines behavior.
In eTrust Directory, you can define a policy for passwords. This password policy
controls the password that users enter to bind to a DSA.
There are two kinds of password rules:
■
Password quality checking rules
■
Password management rules
Password quality checking rules define the quality of a new password. The
rules are applied when a user changes their own password. The rules include:
■
Setting the length of the password:
■
Setting the minimum number of particular types or characters:
■
Limiting repetition within the password:
■
Preventing the user from including their own user name in the password
■
Preventing the user from re-using a recent password
Password management rules define how to deal with passwords during
operation, including:
■
Life span of passwords
■
Suspending user accounts manually
■
Locking user accounts after incorrect login attempts
■
Resetting passwords
■
Grace logins after the password has expired
How Password Rules Are Applied
Password rules (except vetting checks) are only applied when operations are
being performed by the user that owns the password. For example, if an
administrator updates the password then no history check will occur. This
effectively resets the password.
Each DSA can have a single set of password rules. You cannot apply different
password policies to users stored within the same DSA.
You can apply different policies to different groups of users by splitting the users
up by sub-tree and having each sub-tree serviced by a separate DSA. Each DSA
can then have its own set of password policies.
6–24
eTrust Directory Administrator Guide
Managing Passwords
Password Protection
You cannot read passwords directly. An attempt to read a password attribute
results in the return of the encrypted value. See Password Storage in the chapter
“General Administration” for more information about encryption algorithms.
Passwords are always single-valued. This means that an administrator cannot
add a secret value and use this as an unpublished entry point into the DSA.
Passwords are encrypted before they are stored in the database. This prevents
the possibility of interrogating the database directly for the value of any
passwords.
Password logins are secure only if each person can change only their own
password. Make sure that you set access controls so that each user can update
only their own password. Also make sure that administrators are allowed to
update any user password.
Password Command Options
The following table briefly describes each of the password settings. The default
for most values is 0, which means that the option is off:
Keyword
Parameter
Description
password-age
Number of days | 0
(Default: 0)
The number of days for which a password will
remain valid
See the section Setting the Life Span of Passwords.
password-allow-ignoreexpired
True | False
(Default: False)
The password-allow-ignore-expired option bypasses
the expiration check of the password.
This only takes effect for entries that include the
attribute dxPwdIgnoreExpire.
See the section Setting Passwords to Never Expire.
password-allow-locking
True | False
(Default: False)
Allows a user’s account to be locked.
This only takes effect for entries that include the
attribute dxPwdLocked.
See the section Locking an Account after Incorrect
Login Attempts.
password-alpha
Num. chars | 0
(Default: 0)
The minimum number of alphabetic characters in the
password
See the section Checking Password Quality .
Security
6–25
Managing Passwords
Keyword
Parameter
Description
password-alpha-num
Num. chars | 0
(Default: 0)
The minimum number of alphanumeric characters in
the password
See the section Checking Password Quality .
password-force-change
True | False
(Default: False)
Forces users to change their passwords after their
passwords have been reset
See the section Forcing Password Changes after
Reset.
password-grace-logins
Number of logins | 0
(Default: )
The maximum number of times that the user can
log in with their password after it has expired
See the section Setting the Number of Grace Logins.
password-history
Number of entries | 0
(Default: 0)
The maximum number of entries to retain in the
history. This prevents the user from re-using these
passwords.
See the section Preventing Users from Re-using
Passwords.
password-last-use
Number of days | 0
(Default: 0)
The number of days a password remains valid if it
is not used. If the value is exceeded, the password
expires.
See the section Setting the Maximum Life Span of
Passwords.
password-lowercase
Num. chars | 0
(Default: 0)
The minimum number of lowercase characters in the
password
See the section Checking Password Quality .
password-max-length
Num. chars | 0
The maximum length of the password
See the section Checking Password Quality .
password-max-repetition
Num. chars | 0
(Default: 0)
The maximum number of single characters that can
be repeated in a password
See the section Checking Password Quality .
password-max-substringrepetition
Number of reps | 0
(Default: 0)
The password-max-substring-repetition option sets
the maximum repetitions of a substring within a
password
See the section Checking Password Quality .
password-max-suspension
Number of secs | 0
(Default: 0)
The number of seconds after which a locked
password reactivates
See the section Locking an Account after Incorrect
Login Attempts.
6–26
eTrust Directory Administrator Guide
Managing Passwords
Keyword
Parameter
Description
password-min-age
Number of days | 0
(Default: 0)
The number of days since a password was changed
until it can be changed again
See the section Setting the Minimum Life Span of
Passwords.
password-min-length
password-min-lengthrepeated-substring
Num. chars | 0
(Default: 6)
The minimum length of a password
Integer ≥2 | 0
(Default: 0)
The password-min-length-repeated-substring option
sets the minimum length of substrings that will be
checked.
This only takes effect for entries that include the
attribute maxSubstrRep.
See the section Checking Password Quality .
See the section Checking Password Quality .
password-non-alpha
Num. chars | 0
(Default: 0)
The minimum number of non-alphabetic
characters in the password
See the section Checking Password Quality .
password-non-alpha-num
Num. chars | 0
(Default: 0)
The minimum number of non-alphanumeric
characters in the password
See the section Checking Password Quality .
password-numeric
Num. chars | 0
(Default: 0)
The minimum number of numeric characters in the
password
See the section Checking Password Quality .
password-policy
True | False
(Default: False)
Enable password management
password-retries
Integer | 0
(Default: 0)
The number of consecutive failed logon attempts
before a password is locked
See the section Locking an Account after Incorrect
Login Attempts.
password-uppercase
Num. chars | 0
(Default: 0)
The minimum number of uppercase characters in the
password
See the section Checking Password Quality .
password-usernamesubstring
True | False
(Default: False)
The password-username-substring option sets
whether the password can contain the user’s RDN
When this is set to true, the password must not
contain the user’s last RDN.
See the section Checking Password Quality .
Security
6–27
Managing Passwords
Enabling or Disabling Password Management
Even if you have other password options set, they will only take effect if you set
the password-policy option to true.
To enable or disable password management, set the following option:
set password-policy = true | false;
Checking Password Quality
You can set up rules to make sure that users only choose strong passwords.
If you have set rules about password quality, these rules are applied when a user
attempts to change their own password. If the new password does not pass the
tests, the user will have to try again with a new password.
When an administrator changes a password for a user, the password policy rules
are not applied. The rules will be applied the next time that the user changes
their own password.
Set the length of the password:
set password-min-length = number-of-characters | 0;
set password-max-length = number-of-characters | 0;
Set the minimum number of particular types of characters:
set
set
set
set
set
set
password-alpha = number-of-characters | 0;
password-alpha-num = number-of-characters | 0;
password-lowercase = number-of-characters | 0;
password-non-alpha = number-of-characters | 0;
password-non-alpha-num = number-of-characters | 0;
password-numeric = number-of-characters | 0;
Limit repetition within the password:
set password-max-repetition = number-of-characters | 0;
set password-max-substring-repetition = number-of-characters | 0;
set password-min-length-repeated-substring = number-of-characters | 0;
Note: The password-min-length-repeated-substring option only affects those users
whose entries include the attribute maxSubstrRep.
Prevent the user from including their own user name in the password:
set password-username-substring = true | false;
6–28
eTrust Directory Administrator Guide
Managing Passwords
Setting the Life Span of Passwords
Use the following commands to control password expirations.
Setting the Maximum Life Span of Passwords
Set the number of days for which a password will remain valid:
set password-age = number-of-days | 0;
Set the number of days a password remains valid if it is not used. If the value is
exceeded, the password expires:
set password-last-use = number-of-days | 0;
Example: Making
passwords valid
indefinitely
You want passwords to be valid indefinitely except when they are not used for
30 days. Set the parameters as follows:
set password-policy = TRUE;
set password-last-use = 30;
You do not need to use the set password-age option because you are using its
default value of 0 (off).
Setting the Minimum Life Span of Passwords
You can also set the minimum life span of a password. This is the number of
days since a password was changed until it can be changed again.
You can use this to prevent people from changing their password many times to
fill up the password history. To do this, use the following command:
set password-min-age = number-of-days | 0;
Setting Passwords to Never Expire
Accounts can be made to never expire. This is useful for accounts shared by
many users. To set a user’s password to never expire:
1.
Set the password-allow-ignore-expired option to true:
set password-allow-ignore-expired = true;
2.
Add the attribute dxPwdIgnoreExpire to the user’s entry.
To check which user passwords are set to never expire:
■
Search for all user accounts with the attribute dxPwdIgnoreExpire.
You can only find out if entries have this attribute by searching for it
explicitly.
Security
6–29
Managing Passwords
Setting the Number of Grace Logins
In a grace login system, passwords expire but users can use an expired password
for limited number of times. This gives them the opportunity to change the
password.
If the number of grace logins is exceeded, the account will behave as if it were
expired.
The number of grace logins remaining will be sent back to the binding client in
the presence of the password policy request control.
To set the number of grace logins, use the following command:
set password-grace-logins = number-of-grace-logins | 0;
Resetting a Password
Whenever an administrator updates a user password, the password policy
attributes for that entry are reset. These attributes include:
■
Any password history
■
The time of the last use of the password
■
The time the password was created
For example, if password-age is set to 30 days and a user has not logged in for
more than 30 days, the administrator can update that user's password to enable
that user to log in again.
Forcing Password Changes after Reset
You can force users to change their passwords after their passwords have been
reset. To do this, use the following command:
set password-force-change = true;
When a user logs in with their new password, the only operation the user can
perform is to change their password. After the user has changed their password,
their normal operations are restored.
This password control can only be used with LDAP clients that are aware of
LDAP password policy controls (for example, LDUA and the PAM-LDAP client).
6–30
eTrust Directory Administrator Guide
Managing Passwords
Locking an Account after Incorrect Login Attempts
You can set accounts to be locked if someone has made too many unsuccessful
attempts to log in. To set accounts to be locked after a certain number of
attempts to log in, use the following command:
set password-retries = number-of-attempts;
To allow users to attempt to log on again after a certain amount of time has
passed, use the following command:
set password-max-suspension = time-in-seconds | 0;
Example:
Limiting the number
of logon attempts
You want to allow users attempt to log on only two times before their account
is locked, and you want to allow them to try to log on again after six hours. To
do this, use the following commands:
set password-policy = TRUE;
set password-retries = 2;
set password-max-suspension = 21600;
Suspending an Account Manually
You can suspend a user’s account manually by locking their password. You can
later remove the suspension, and the user can continue to use that password.
Note: This only works with LDAP clients that are aware of LDAP password
policy controls (for example, LDUA and the PAM-LDAP client).
To suspend a user’s account, you need to do the following:
1.
Set access controls as required (see the other sections in this chapter).
2.
Enable password locking. To do this, use the following command:
set password-allow-locking = true;
3.
Lock the user’s password. To do this, add the attribute dxPwdLocked to the
user’s entry.
To unlock the account:
■
Remove the attribute dxPwdLocked from the user’s entry.
Do not set the value to 0. If this attribute is present, the account will still be
locked.
To check which user accounts are locked:
■
Search for all user accounts with the attribute dxPwdLocked.
The only way to find out if entries have this attribute if you search for it
explicitly.
Security
6–31
Managing Passwords
Preventing Users from Re-using Passwords
Set the maximum number of entries to retain in the history. By default, this
feature is disabled (0). If you do not want to check a changed password against
old passwords, set the value to 0:
set password-history = maximum-number | 0;
Some Password Controls Require an LDAP Client
Some password controls can only be used with LDAP clients that are aware of
LDAP password policy controls (for example, LDUA and the PAM-LDAP client).
This section of the eTrust Directory password policy follows the proposed
standard described in section 5 of this draft document:
http://www.ietf.org/internet-drafts/draft-behera-ldap-password-policy-07.txt.
Note: This document may be renamed in the future.
PasswordPolicyResponseValue ::= SEQUENCE {
warning [0] CHOICE {
timeBeforeExpiration
[0] INTEGER (0 .. maxInt),
graceLoginsRemaining
[1] INTEGER (0 .. maxInt) } OPTIONAL,
error
[1] ENUMERATED {
passwordExpired
(0),
accountLocked
(1),
changeAfterReset
(2),
passwordModNotAllowed
(3),
mustSupplyOldPassword
(4), <== Not required (handled by bind)
insufficientPasswordQuality
(5),
passwordTooShort
(6),
passwordTooYoung
(7),
passwordInHistory
(8) } OPTIONAL }
timeBeforeExpiration and graceLoginsRemaining are provided where
appropriate. For example, password policy must be enabled in DXserver.
Account Management
The following command does not require the control but is handy for informing
the user:
set password-allow-locking = true or false;
This feature requires the control
set password-force-change = true or false;
6–32
eTrust Directory Administrator Guide
Managing Passwords
Example Password Policy
This section describes a sample password policy, and then lists the commands to
create that policy.
For this policy, you want to set up the following rules:
■
■
■
■
Passwords can be reused. You do not want to keep a history of old
passwords.
A password must be at least eight characters in length with at least one
numeral.
If a user’s password is ever reset, you want the user to change the password
immediately after their first login.
If a password is not used for sixty days, you want the account to be locked.
To set up this policy, set the following password rules:
set
set
set
set
set
password-policy = true;
password-min-length = 8;
password-numeric = 1;
password-force-change = true;
password-min-age = 60;
Security
6–33
Access Control Overview
Access Control Overview
Access controls protect data from unauthorized access or modification.
Access controls work by asking this question before performing an operation:
Is this client permitted to perform this operation, on this data, in this subtree, at
this time?
where:
-
A client is a user, a role, a group of users, or a subtree of users.
-
An operation is one of the usual directory services, such as compare, list,
search, read, add, remove, modify, or modify-dn.
-
The data (protected item) is an entry, attribute, or attribute value.
-
A subtree is a particular area of the DIT.
-
The time is a particular minute of the day or a particular day of the week.
When the answer to this question is yes, the operation can proceed. When the
answer is no, the operation is refused.
Access Control Policies
A number of access controls are usually in place. The net effect is known as an
access control policy. By definition, only one access control policy is in place at any
given time.
An access control policy can change periodically, for example, there can be one
for business hours and another for after hours. You can set the DXserver access
controls to activate at certain times, so a single policy could contain different
rules for different times of the day or week.
To define your access control policy, you define a set of rules access control.
During operation, DXserver maps these rules onto 1993 X.500 access controls.
6–34
eTrust Directory Administrator Guide
Access Control Overview
Access Control Rules
DXserver manages access controls by letting you define rules. There are two
types of rules:
Static rules—These apply to individuals and groups of individuals, and are
stored as text files in the DXserver configuration files, or run as commands
on DXconsole.
Dynamic rules—These are stored in an attribute in the directory, and can be set
by anyone who has the power to delegate the permissions being created.
In addition, eTrust Directory lets you define users groups and roles, which can
help you apply access controls to many users at once.
Important! The 1993 X.500 access controls are not exposed directly; rather they are
defined by rules. This is because the 1993 X.500 Access Controls are difficult to
understand (defining such things as userFirst, itemFirst, precedence, protectedItems, and
so on) and because the definitions of DXserver rules are mathematically proven not to
have security loopholes.
Designing Your Access Control Scheme
We recommend that you use these principles while you are developing your
access control scheme:
■
Plan your access control scheme before you start implementing it
■
Use domains to limit the range of your access controls
■
Grant access rather than denying access
■
Keep access control schemes simple
Plan Your Access Control Scheme
Before you start setting access controls, plan your access control scheme. To do
this, write your scheme out carefully. Here is an example of a set of access
control rules written in plain language:
■
The DSA manager has all privileges.
■
Authenticated users can update their own entries.
■
PABX operators can update all telephone numbers.
■
■
Public (anonymous) users can view only name, e-mail addresses, and
telephone numbers of staff, but they can view anything in the public subtree.
Passwords must be invisible to everyone except DSA administrators.
Security
6–35
Access Control Overview
Use Domains to Limit the Range of Access Controls
A static access control policy can apply to a single DSA, or a group of DSAs that
share the same (or have copies of) group configuration files.
Sharing the same access control configuration across many (or all) DSAs makes
administration easier, and enables access-controlled routing.
Grant Access Rather than Denying Access
In general, you should grant rather than deny access to data.
If you grant access to all data and then deny access to portions of the data,
sensitive data that you have protected can become visible inadvertently.
For example, when items within a subtree are protected and the root of the
subtree (or a parent) is renamed, the protection no longer exists. Any new
attributes are also automatically visible, unless specific denials are implemented.
Keep Access Control Schemes Simple
You should design your access control scheme to be as simple as possible. This
might involve re-designing your DSAs.
This is important because overly complex access control scheme can lead to the
following problems:
Security breaches—If you define many different groups with different subtrees,
you must maintain careful control of valid users and subtrees. If you lose
track of valid users and subtrees, this will eventually cause a security
problem.
Performance—Complex access control schemes can result in performance
degradation. This is because the DSA may need to evaluate every control for
every piece of information returned, depending on the circumstance and
privileges of the user in question.
6–36
eTrust Directory Administrator Guide
Access Control Overview
Working with Access Controls
Enabling Access Controls
1.
Enable access controls:
set access-controls = true;
2.
Set static or dynamic access control rules.
Clearing Access Controls
To reset all access controls, use the following command:
clear access;
Displaying Access Controls
To display the 1993 X.500 access control details, use the following command:
get access;
For full details of access controls, see the 1993 X.500 standard
Security
6–37
Static Access Controls
Static Access Controls
Static access controls are applied to individuals or groups of individuals.
Overview of Static Access Control Rules
This section describes static access controls and how they work
Static Rule Components
A static access control rule can include the following information:
■
The rule type
■
Which user, groups, or roles it applies to
■
Which area of the directory it applies to
■
What attributes it applies to
■
What additional permissions it gives
■
What authentication level it requires
■
When it applies
Because all rules are cumulative, you can define very complex access control
polices.
Hierarchy of Rules
The static access control rules have a hierarchy of power. Here are the rules listed
from superior to inferior:
■
Superuser
■
Administrative user
■
Protected item
■
Registered user
■
Public user
A superior rule always overrides an inferior user rule. For example, a superuser
rule always overrides any administrative user rule.
6–38
eTrust Directory Administrator Guide
Static Access Controls
Rule Inheritance
Rules are inherited:
Grants are inherited above
If a grant is defined for a given level, then all levels above inherit that grant.
For example, if all registered users are granted read/write permission to
their password, then superusers and administrative users are granted the
same permission automatically.
Denies are inherited below
If a deny is defined for a given level, then all levels below inherit the deny.
For example, if a registered user is denied access to home address, then all
public users are denied the same.
Running Static Access Control Commands
You can run access control commands from DXconsole, or you can include them
in a DXserver configuration file (.dxc) in the access directory.
If you issue these commands using DXconsole, the commands are not stored in
the configuration files. This means that they are only valid for the run-time of the
DSA.
If you include static access control rules in the DXserver configuration file, they
are activated when DXserver is initialized. This occurs when DXserver starts up,
and when an administrator reinitializes the system.
Generally, you group these files together by using a group configuration file
(.dxg), which constitutes an access control policy. You can share policies among a
number of DSAs.
Security
6–39
Static Access Controls
Setting Up Static Access Controls
This section shows the command for setting access control rules, and describes
the options you can use with these rules.
The command for setting static access control rules has the following format:
set rule-type tag = {
own-entry | user = DN | role = DN | user-subtree = DN | group = string
DN
subtree
=
attrs
=
attr1 [, attr2 ...]
perm1 [, perm2 ...]
perms
=
auth-level =
simple | ssl-auth
validity
=
start hhmm end hhmm on daystring
};
where:
rule-type
Defines the action of the set command. These actions include:
super-user
Grants unlimited access to particular users.
admin-user
Grants read and update privileges to particular users.
reg-user
Grants read privileges to particular users.
public-user
Grants read privileges to all users
protected-items
Protects a subtree, entry, or attribute.
tag
A human-readable name for the access control rule.
own-entry | user = DN | role = DN | user-subtree = DN | group = string
Defines the users that this rule applies to, with the following possible values:
own-entry
A user’s own entry
user = DN
A user’s distinguished name
role = DN
A role’s distinguished name
user-subtree = <DN>
The distinguished name of a user-subtree
group = string
The name of a predefined group of users
subtree
Defines the part of the directory to which the rule applies, with the following
possible values:
6–40
eTrust Directory Administrator Guide
Static Access Controls
entry = <DN>
The distinguished name of an individual entry
subtree = <DN>
The distinguished name of a user-subtree
attrs
Defines the attributes to which you want to limit access.
You can give the name of an attribute set in place of the attribute name. See
Attribute Sets in the chapter “Schema Definition” for more information.
perms
Applies permissions to a particular rule type, with these possible values:
read
Permits the user to read the defined attributes or entries. The other
permission levels all include read access.
add
Permits the user to add new defined attributes or entries
remove
Permits the user to delete the defined attributes or entries
modify
Permits the user to modify the defined attributes or entries
modify-dn
Permits the user to modify the DN the defined attributes or entries
rename
Permits the user to rename the defined attributes or entries
all
Permits the user to carry out all operations on the defined attributes or
entries
auth-level
Defines the authentication level at which the user must bind. The following
table lists the available values:
simple
(Default) The user must bind using simple authentication
ssl-auth
The user must bind using SSL authentication
validity
Defines the times when the rule applies. The following table lists the
available values:
start
Is the time at which this rule becomes valid
end
Is the time at which this rule is no longer valid
on
Is a string that defines the days on which this rule is valid. Each day of
the week is represented by a number, starting with 1 for Monday. For
example, 45 represents Thursday and Friday. The default is any time.
Security
6–41
Static Access Controls
Defining Superusers
Superusers have unrestricted read and update access to all parts of the DSA. Add
users to the list of superusers either as single users, groups of users, roles, or all
users in a specified subtree.
The command has the format:
set super-user tag = {
own-entry | user = DN | role = DN | user-subtree = DN | group = string
[auth-level =
simple | ssl-auth ]
[validity
=
start hhmm end hhmm on daystring ]
};
where:
tag
(Optional) Is the name you define for this rule
own-entry | user = DN | role = DN | user-subtree = DN | group = string
Identifies the user, group, or subtree of users that is to have superuser access
auth-level
(Optional) The authentication level at which the listed users must bind
validity
(Optional) Is the days and times on which this rule is valid
Example: Adding
Superusers
The following command defines a single user with superuser privileges across
the domain of the Democorp DSA:
set super-user “dsa-manager” = {
user = <c “AU”><o “Democorp”><commonName “DSA manager”>
};
Example: Being a
Superuser of One’s
Own Entry
The following command gives all users in the domain of this DSA superuser
privileges on their own entry from 0800 hours to 1800 hours on Monday to Friday:
set super-user “self” = { own-entry
validity = ( start 0800 end 1800 on 12345 ) };
When you include this command in an access.dxc file that multiple DSAs
source, all users in the domains of those DSAs will have superuser privileges on
their own entries.
This is the only type of superuser rule that does not grant the user access to all
parts of the DSA,
6–42
eTrust Directory Administrator Guide
Static Access Controls
Defining Administrative Users
Within a specified subtree, you can assign administrator authority to users.
Administrative users have read and update privileges over a specified
administrative scope. This scope is a subtree, entry, or designated attributes in an
entry or subtree. The administrative user can view and update protected items
within the administrative scope.
Add users to the list of administrative users either as single users, groups of
users, roles, or all users in a specified subtree.
Note: Administrative user definitions are effective only when you enable access
controls. An administrator with access to only selected attributes within a subtree
cannot add or remove entries.
The command has the format:
set admin-user tag = {
own-entry | user = DN | role = DN | user-subtree = DN | group = string
DN
subtree
=
[ attrs
=
attr1 [, attr2 …] ]
perm1 [, perm2 ...] ]
[ perms
=
[ auth-level =
simple | ssl-auth ]
[ validity =
start hhmm end hhmm on daystring ]
};
where:
tag
(Optional) Is the name you define for this rule
own-entry | user = DN | role = DN | user-subtree = DN | group = string
Identifies the user, group, or subtree of users that are to be administrative
users
subtree
Contains a list of the distinguished names of one or more subtrees that the
listed users can administer
attrs
(Optional) Restricts update permissions to only those attributes listed. Users
cannot delete any entry if attributes are listed here.
perms
(Optional) Contains the level of permission that this rule grants to the listed
users over the listed subtree
auth-level
(Optional) The authentication level at which the listed users must bind
validity
(Optional) Is the days and times on which this rule is valid
Security
6–43
Static Access Controls
Example: Adding
Administrative Users
In the following example, there is one specified subtree: AU/DemoCorp. This
subtree has administrators defined by the group admin-user-group.
set admin-user “administrators” = {
group = “admin-user-group”
subtree = <c “AU”><o “DemoCorp”>
};
Example: Allowing
Update Privileges on
a Role
In the following example, all users in the role project-leader-group have read and
update privileges on the entry AU/DemoCorp/R&D/Technology SIG if they
bind to the DSA using SSL authentication.
set admin-user “project-leaders” = {
role = <c “AU”><o “Democorp”><ou “roles”><cn “project-leader-group”>
entry = <c “AU”><o “DemoCorp”><ou “R&D”><listName “Technology SIG”>
auth-level = ssl-auth
};
Example: Allowing
Update Privileges on
a Single Attribute
In the following example, all users in the group pabx-mgmt-group have update
privileges on the attribute workPhone in the subtree AU/Democorp/R&D.
Example: Allowing
Users Update
Privileges on Specific
Attributes in Their
Own Entry
In the following example, all users in the subtree AU/Democorp/R&D have
update privileges on the attributes workPhone and description in their own entry.
6–44
set admin-user “work-phone” = {
group = “pabx-mgmt-group”
subtree = <c “AU”><o “DemoCorp”><ou “R&D”>
attrs = workPhone
};
set admin-user “my-own-work-details” = {
own-entry
subtree = <c “AU”><o “DemoCorp”><ou “R&D”>
attrs = workPhone, description
};
eTrust Directory Administrator Guide
Static Access Controls
Defining Registered Users
In a specified subtree, you can assign users the authority of a registered user.
Registered users have read privileges over a specified scope: a subtree, entry, or
the designated attributes in an entry or subtree. Protected items in the scope are
invisible.
Note: Registered user definitions are effective only when you enable access
controls.
The command has the format:
set reg-user tag
= {
own-entry | user = DN | role = DN | user-subtree = DN | group = string
DN
subtree
=
[ attrs
=
attr1 [, attr2 …] ]
perm1 [, perm2 ...] ]
[ perms
=
[ auth-level =
simple | ssl-auth ]
[ validity =
start hhmm end hhmm on daystring ]
};
where:
tag
(Optional) Is the name you define for this rule
own-entry | user = DN | role = DN | user-subtree = DN | group = string
Contains a list of the distinguished names of the users, groups of users, roles,
or all users in a specified subtree that are to be registered users
subtree
Contains a list of the distinguished names of one or more subtrees that the
listed users can read
attrs
(Optional) Contains a list of attributes for which the listed users have the
permissions listed in the perms parameter.
perms
(Optional) Contains the level of permission that this rule grants to the listed
users over the listed attributes
auth-level
(Optional) The authentication level at which the listed users must bind
validity
(Optional) Is the days and times on which this rule is valid
Example: Adding
Registered Users
In the following example, all the users in the subtree AU/DemoCorp/R&D can
read the subtree AU/DemoCorp.
set reg-user “R&D-Users”= {
user-subtree = <c “AU”><o “DemoCorp”><ou “R&D”>
subtree = <c “AU”><o “DemoCorp”>
};
Security
6–45
Static Access Controls
Example: Allowing
Read Privileges on an
Entry
In the following example, all users in the group staff have read privileges on the
entry AU/DemoCorp.
Example: Allowing
Read and Modify
Privileges on a
Number of Attributes
In this example, all DemoCorp users can browse all entries in the subtree
DemoCorp; however, when they read or search for an entry in the subtree, only
those attributes that you declare are visible. The users also have modify
privileges on the listed attributes for all entries in the subtree.
set reg-user “democorp-staff” = {
group = “staff”
entry = <c “AU”><o “DemoCorp”>
};
set reg-user “self-view” = {
user-subtree = <c AU><o DemoCorp>
subtree = <c “AU”><o “DemoCorp”>
attrs = telephoneNumber, commonName, surname, title, mhsORAddresses, dcEmail
perms = modify
};
Example: Allowing
Users Read Privileges
on Particular
Attributes in Their
Own Entry
The following example lets any user in the subtree AU/DemoCorp view only
the selected attributes in their entry.
set reg-user = {
own-entry
subtree = <c “AU”><o “DemoCorp”>
attrs = telephoneNumber, commonName, surname, title, mhsORAddresses, odEmail
};
This differs from the previous example where all users in the subtree
DemoCorp can view all entries in that subtree.
6–46
eTrust Directory Administrator Guide
Static Access Controls
Defining Public Users
You can make specific subtrees available to public (anonymous) users.
Public users have read-only access to all entries and attributes within the
specified public range. This range is a subtree, entry, or the designated attributes
in an entry or subtree.
Any permission granted to public users is also automatically granted to
authenticated users. Protected items within the specified public range are
invisible to public users.
Note: Public user definitions are effective only when you enable access controls.
Public ranges are made available to public users with the following command:
set public-user
subtree
[ attrs
[ perms
[ validity
};
tag
=
=
=
=
= {
DN
attr1 [, attr2 …] ]
perm1 [, perm2 ...] ]
start hhmm end hhmm on daystring ]
where:
tag
(Optional) Is the name you define for this rule
subtree
Contains a list of the distinguished names of one or more subtrees that all
users can read
attrs
(Optional) Contains a list of attributes for which all users have the
permissions listed in the perms parameter.
perms
(Optional) Contains the level of permission that this rule grants to all users
over the listed attributes
validity
(Optional) Is the days and times on which this rule is valid
Example: Adding a
Public Subtree
In the following example, all users can view the name, telephone number, and
X.400 mail addresses in the subtree AU/DemoCorp/Phone List. The access
control rule is tagged with the name public-attr.
set public-user “public-attr” = {
subtree = <c “AU”><o “DemoCorp”><ou “Phone List”>
attrs = telephoneNumber, commonName, surname, mhsORAddresses
};
Security
6–47
Static Access Controls
Protecting Items
You can protect specific subtrees, entries, or particular attributes in a subtree or
entry. For a protected item:
■
■
■
Superusers have read and update privileges
Administrative users have read and update privileges if the subtree is in the
user’s administrative area
Other users do not see the items
Some limitations on this command:
■
■
■
This command does not protect naming attributes.
If you rename a protected subtree or entry, or any of its parents, the
permissions rule no longer protects the item.
Protected item definitions are effective only when you enable access controls.
The command that protects items has the following format:
set protected-items tag = {
own-entry | user = DN | role = DN | user-subtree = DN | group = string
DN
subtree
=
[ attrs
=
attr1 [, attr2 …] ]
perm1 [, perm2 ...] ]
[ perms
=
[ validity =
start hhmm end hhmm on daystring ]
};
where:
tag
(Optional) Is the name you define for this rule
own-entry | user = DN | role = DN | user-subtree = DN | group = string
Contains a list of the distinguished names of the users, groups of users, roles,
or all users in a specified subtree that are to be registered users
subtree
Contains a list of the distinguished names of one or more subtrees that the
listed users can read
attrs
(Optional) Contains a list of attributes for which the listed users have the
permissions listed in the perms parameter
perms
(Optional) Contains the level of permission that this rule denies to the listed
users over the listed attributes.
Unlike the other access control commands, any permissions listed in the set
protected-items command are denied.
validity
Is the days and times on which this rule is valid
6–48
eTrust Directory Administrator Guide
Static Access Controls
Protecting Entries and Subtrees
There is a subtle difference between protecting entries and protecting subtrees.
When you protect an entry, neither a registered, nor public user can read it. It
can, however, appear in a list result if the user can access the parent. This occurs
because the protected entry may have subordinates that are visible to the user.
If the same entry has protection as a subtree, a registered or public user cannot
read it, and it does not appear in a list result as a subordinate entry.
Protecting Passwords
Protecting a password makes the password attribute invisible to unauthorized
users. Because authentication requires the name of an entry, and that entry must
contain a password, hiding the password makes login entries indistinguishable
from other entries.
Examples of set protected-items Commands
Example: Protecting
a Subtree
Protecting a subtree from registered users also makes it invisible to public
users, as described in the section Hierarchy of Rules.
set protected-items “hide-finance-from-employees” = {
group
=
“employees”
subtree
=
<c “AU”><o “DemoCorp”><ou “Finance”>
};
Example: Protecting
an Entry
You could use the following rule to hide the existence of some management
information about a DSA definition stored within the directory:
set protected-items “hide-schema-from-employees” = {
group
=
“employees”
entry
=
<c “AU”><o “DemoCorp”><ou “Schema”>
};
Example: Protecting
Attributes
In this example, all entries in the subtree AU/DemoCorp have protection for
their homePhone and password attributes (if they have these attributes).
However, these attributes are visible to superusers and administrative users in
their scope.
set protected-items “hide-passwords-and-home-phone” = {
subtree
=
<c “AU”><o “DemoCorp”>
attrs
=
homePhone, userPassword
};
Security
6–49
Static Access Controls
Example: Giving a
User Permission to
Modify All Attributes
in Their Own Entry
Except "Role"
In this example, the reg-user rule gives the user permission to modify all
attributes in their own entry, and the protected-items rule denies the user
modification rights to the role attribute in the user’s own entry if it has a higher
precedence than the reg-user rule.
set reg-user = {
own-entry
subtree
=
perms
=
};
<o Democorp>
modify
set protected-items = {
own-entry
subtree
=
<o DemoCorp>
attrs
=
role
perms
=
modify
};
Without the "perms = modify" in the protected-items rule the user would be
denied all access to the role attribute (including read access).
Example: Allowing
users to view a whole
entry and modify
some attributes
A common task with access controls is to provide update access to most
attributes within an entry but to prevent the update of a small number of
attributes. This problem is more complex if the list of attributes that can be
updated can grow - for example, as more attributes are added to the entry.
■
Providing "reg-user" access to the entry will give read-only access.
■
Providing "admin-user" access will give update access.
■
Setting "protected-items" on some attributes will prevent updates, but not
by users with "admin-user" rights. It will also prevent reads by users with
"public-user" or "reg-user" rights.
A solution to this problem is to use the optional permissions in the access
control rules. The following access rule will allow all users in the subtree to
modify all attributes in their own entry.
set reg-user = {
own-entry
subtree = <o test>
perms = modify
};
To prevent update access to some of these attributes, use:
set protected-items = {
own-entry
subtree = <o test>
attrs = attr1, attr2, ...
perms = modify
};
This prevents the user modifying the attributes listed, but it does not prevent
read access. This is because the only permission denied is modify.
6–50
eTrust Directory Administrator Guide
Dynamic Access Controls
Dynamic Access Controls
Dynamic access controls enable run-time management of access controls. This is
useful for automated provisioning systems in ISP environments, and where the
directory is used as an authorization engine.
Dynamic access controls specify a subject (an identity or a role), a permission,
and a list of attributes that are the target of the control. They also contain a tag
that is transparent to DXserver. Adding a rule to the dxDynamicAccess attribute
in an entry creates the access control rule. The subtree in which dynamic access
controls are active is the local naming context; therefore, only attributes stored
locally are affected by access control decisions.
dxDynamicAccess is an operational attribute; it is not controlled by schema. Any
user can add, delete, or modify a rule, provided they have write access over the
subtree defined by the entry containing the dxDynamicAccess attribute, and the
privilege in the attribute is in the user’s power.
Important: In the configuration files, make sure that the database is defined (using "set
database=<database_name>") before the directory reads the "set dynamic-accesscontrol=true" directive.
This is because the "set dynamic-access-control=true" directive causes the directory to
perform a search on the database, so it needs to know the database name.
Note: Dynamic access controls are limited to local DSAs, which means that they
cannot be used in a distributed environment. This even applies to a router DSA
on the local computer.
Dynamic rules apply downwards from the entry in the DIT where the
dxDynamicAccess attribute is stored.
Enabling and Disabling Dynamic Access Controls
To enable dynamic access controls:
1.
Enable access controls:
set access-controls = true;
2.
Enable dynamic access controls:
set dynamic-access-control = true;
To disable dynamic access controls, enter the following command:
set dynamic-access-control = false;
Security
6–51
Dynamic Access Controls
Dynamic Access Control Rules
The rules governing dynamic access controls take the following form:
<tag> {all| roles <dn>| user <dn>} {read | write | deny} <attr>…
where tag is an identifier used for documentation purposes, dn is a distinguished
name, and attr is an attribute.
When creating rules, remember that a rule specified for a particular user prevails
over one specified for a role, and that both prevail over all. Also, when creating
the rule, the user or role need not exist.
Example: Letting all
read one attribute
The following command gives everyone permission to read the commonName
attribute. The tag Joe is to help you with maintenance and problem analysis;
DXserver does not interpret it.
Joe all read commonName
Example: Letting all
read all attributes
The following command gives everyone permission to read all attributes:
Example: Denying
permission for roles to
read an attribute
The following command denies the roles of CEO and AdminFinance within
Democorp access to the ssoHelicopter attribute:
Example: Letting one
user write to an
attribute
The following command lets a user with the common name Craig write to the
ssoHelicopter attribute:
6–52
Joe all read all
Joe role cn=ceo,o=Democorp deny ssoHelicopter
Joe user cn=Craig,o=Democorp write ssoHelicopter
eTrust Directory Administrator Guide
Groups, Roles, and Proxies
Groups, Roles, and Proxies
This section describes how groups, roles, and proxies work.
Defining Groups of Users
You can define groups of users to make it easier to manage those users. Define
groups such that you can use it in other access control commands.
Note: Group definitions are effective only when you enable access controls.
The command has the format:
set group tag
users
name
};
= {
DN1 [, DN2 …]
=
GroupName
=
where:
users
Is a list of the distinguished names of one or more users in the new group
name
Is the name you give to the group.
Example: Forming a
Group
The following command defines a group containing two users. The group is
named admin-user-group, suggesting that the users have administrative user
privileges.
set group = {
name
= "admin-user-group"
users = <c “AU”><o “DemoCorp”> <ou “Services”><ou “Networks”><cn “Anna
HAWKINS”>,
<c “AU”><o “DemoCorp”> <ou “Services”><ou “Networks”><cn Brendan
RANDALL”>
};
Security
6–53
Groups, Roles, and Proxies
Role-Based Access Controls
When access control rules are applied to a role, they are known as role-based
access controls.
A role is a directory entry that can be associated with user entries. These
associated user entries are member entries.
A role may contain any number of members. This can be useful in a large
distributed directory environment where people change their roles frequently,
and when the directory is to be used as an authorization engine.
Both static and dynamic rules support roles.
Roles are maintained in a subtree of the directory information tree (DIT), using
the object class groupOfNames. You can control access to the role subtree using
access controls.
How Role-Based Access Controls Work
When a user binds to DXserver, the user’s credentials are verified. A search is
initiated for the user’s distinguished name in the member attribute of any entry
with the object class groupOfNames. The name(s) returned by this search are
stored as the roles pertaining to the connection, and then used in access control
decisions.
Note: Role-based access controls are limited to local DSAs, which means that
they cannot be used in a distributed environment. This even applies to a router
DSA on the local computer.
Enabling and Disabling Role-Based Access Controls
To add a user entry to a role, enter the distinguished name of the user entry to
the role entry, as an attribute value of the member attribute type.
To activate role-based access controls, enter the following commands:
set role-subtree = <dn>;
set use-roles = true;
where dn is the distinguished name of the subtree used to store the roles.
To disable role-based access controls, enter the following command:
set use-roles = false;
6–54
eTrust Directory Administrator Guide
Groups, Roles, and Proxies
Example: Activating
role-based access
control
In the following example, when a user binds to DXserver, DXserver searches
the member attribute of the entries with oc in the groupofNames in the subtree
c=au, o=Democorp, ou=Roles for that user’s distinguished name. The entries
which contain that member identify the roles of the member.
To activate role-based access controls:
set role-subtree = <c “au”> <o “Democorp”> <ou “Roles”>;
set use-roles = true;
Example: Add a new
role with two users
This example shows how to add the new role AdminFinance with the two
members, Noelene Correa and Linda Deacon.
add-entry-req
entry = <countryName "AU">
<organizationName "Democorp">
<organizationalUnitName "Roles">
<commonName "AdminFinance">
contents = {
(objectClass groupOfNames )
(member <c au><o Democorp><ou Clerical><cn "Noelene Correa">,
<c au><o Democorp><ou Finance><ou Budgets><cn "Linda Deacon"> )
Security
6–55
Groups, Roles, and Proxies
Secure Proxies
The secure proxy feature lets an authorized user (or process) impersonate a user
or role for whom it has responsibility, and bind to DXserver to elicit access
control decisions (for example, when the directory is used as an authorization
engine, such as a web server).
The proxy must bind to DXserver using certificate-based authentication. Those
users permitted to proxy (impersonate someone else) are identified to DXserver
as a list of distinguished names held in the trust-sasl-proxy list.
When using a proxy, the impersonating user can never obtain more power than
they already have. In other words, in assuming the identity of another user, they
may not obtain all the privileges of that user.
Once bound to DXserver, the proxy may change identity by changing the value
of dxProxyUser in the entry cn=roles to the distinguished name of the new
identity. This has the effect of evaluating the roles for the new identity. An
exception is, where the proxy also changes the value of dxProxyRole in cn=roles.
In this case, roles are taken directly from the attribute value, not by accessing role
entries in the directory.
The entry cn=roles is a magic entry, and does not appear in the DIT.
To permit the proxy to impersonate users not in the directory (external users),
the proxy replaces the value of the dxProxyUser attribute in the magic entry with
the distinguished name of the new identity, and at the same time replaces the
value of the dxProxyRole attribute with the roles of the new identity. In this
instance, the roles provided in the replace operation are used directly, provided
set ssl-auth-bypass-entry-check = true;
Activate Secure Proxy
To activate proxy access, enter the following command:
set trust-sasl-proxy = <dn>, …
where dn is the distinguished name of a trusted proxy. The proxy must bind
using SASL/EXTERNAL over SSL.
6–56
eTrust Directory Administrator Guide
Groups, Roles, and Proxies
Access Controls and Aliases
When a user binds with a user name and password, the system checks the
password supplied with the bind against the password in the database for the
specified user. When the user name is an alias, the system checks the password
against the password in the entry to which the alias points, but the user name
associated with the bind is the alias name. This means that a user can bind with
more than one user name, and each user name can have different access controls
associated with it.
Security
6–57
Access-Controlled Routing
Access-Controlled Routing
This section describes how access controls work in a distributed environment. If
the DSA determines that it needs to chain or multicast an operation to a remote
DSA but the area controlled by that DSA is completely invisible because of static
access controls, the DSA refuses to route the request to the remote DSA.
By default, a DSA prevents the forwarding of a request to another DSA
according to its static access controls.
To permit the forwarding of a request regardless of access control constraints, set
the no-routing-ac DSA flag in the configuration file (.dxc) in the knowledge
directory. This lets a DSA pass a request to another DSA even when the user’s
access controls on the local DSA do not permit access to the particular entry or
subtree in the request.
For example, to let a DemoCorp DSA pass a request to a UNSPSC DSA
regardless of the user's local static access control constraints, you must set the
DSA flags in UNSPSC’s knowledge configuration:
set dsa UNSPSC=
…
dsa-flags=no-routing-ac
…
DemoCorp
DSA
6–58
eTrust Directory Administrator Guide
UNSPSC
DSA
Chapter
7
Replication
This chapter describes the replication schemes you can use with eTrust Directory.
In a replicated directory, information stored in one part of the directory is also
stored elsewhere as one or more copies.
Replication is deployed for one or both of the following reasons:
■
■
Improved availability—Replication can make a system more robust by
enabling the directory on one server to fail over to an alternative server.
Applications can continue working as there are alternate DSAs/servers in
the network which can serve the same parts of the namespace.
Improved performance—Replication can place frequently accessed
information closer to where is it needed, which improves response times.
Replication involves copying data, and whenever data is copied, you must
ensure that the copies are synchronized. Developing and maintaining replicated
systems can be expensive, and you should weigh these costs against the benefits
of performance and recovery in the event of failure.
Replication
7–1
Replication Concepts
Replication Concepts
This section describes some important concepts about replication. These concepts
are used in explanations of the three different types of replication that you use
with eTrust Directory.
Compare Distribution and Replication
Distribution differs from replication.
In a distributed directory, each piece of data is stored on only one server. The
directory information tree (DIT) it split and each section is stored a different
server.
In a replicated directory, each piece of data is held on more than one server. The
entire DIT is stored in more than one place.
You can use both replication and distribution in the same system. The DIT is split
and stored in many different servers, and at least some of those sections of the
DIT are also copied and stored in more than one place.
Compare Multimaster and Master–Slave Replication
In a system with multimaster replication, all DSAs are masters. Data is copied
between all DSAs. The master DSAs are also called peer DSAs.
In a system with master–slave replication, data is always copied in one direction,
from a master DSA to one or more slave DSAs.
Read and Update
Requests
Read and Update
Requests
Master DSA
Updates
Read and Update
Requests
Master DSA
Updates
Updates
Master DSA
Update
Update
Update
Master DSA
Slave DSA
Slave DSA
Read and Update
Requests
Multimaster Replication
7–2
eTrust Directory Administrator Guide
Master-Slave Replication
Slave DSA
Replication Concepts
Compare Real-Time and Write-Behind Replication
In a system with real-time replication, data is replicated to other servers as soon as
an update request is received from a client.. The update confirmation is not sent
to the client until each of the slave or peer DSAs has sent an update confirmation
message.
In a system with write-behind replication, data is replicated periodically,
independent of the client update. The update confirmation is sent as soon as the
operation completes locally. Write-behind replication can in these two ways:
■
■
On-demand write-behind replication—The updates are transferred
immediately after they occur
Scheduled write-behind replication—The updates are transferred according
to a periodic schedule.
Latency is the time for which the shadow servers are out-of-date with respect to a
master server. For many applications, such as an authentication service, any
latency is unacceptable. To overcome the problem of latency, use a real-time
replication system rather than write-behind replication.
Compare Replay-Based and State-Based Replication
In a replay-based system, every update applied to a master is subsequently
applied to the slaves.
This system is simple and can operate in real time, but it is not robust when
something goes wrong with the replay or when conflicting updates occurred in a
system with many masters.
In a state-based system, a difference is calculated between the current state of the
master system and some previous state of the slave system. The calculated
difference between these two states is then sent across to the slave. If conflict
resolution is built in, then this mechanism can also reconcile a system with many
masters.
A state-based system deals very efficiently with repeated updates. For example,
even if an entry were modified 100 times since the last update, only one update is
transferred. In a replay-based system, 100 updates would be sent. However,
state-based systems are generally not designed to operate in real-time.
Replication
7–3
Replication Concepts
The following table summarizes the two schemes:
Replication Type
Advantages
Disadvantages
Example
Replay-based
Simple
Can be real-time
Poor recoverability
Multiwrite
State-based
Efficient
High recoverability
Cannot be real-time
DISP
Three Types of Replication Used with eTrust Directory
eTrust Directory supports three standards-based mechanisms of replication:
Replication Characteristics
Scheme
Most Suitable Deployment
Multiwrite
Where network links, computers, and
Multimaster
power supplies are reliable
Real-time
Simple configuration
High performance
Replay-based
DISP
Master–slave
Write-behind
High flexibility
State-based
Where interoperability is required with
another vendor’s X.500 directory
DXtools
Batch mode
High traceability
Where synchronization is required between
two directories or with a legacy system
Keep System Clocks Synchronized
For any replication system, synchronize the operating system clocks regularly. If
the system clocks are not set at the same time, replication will not work as you
expect, because conflict resolution is time-based—the most recent update wins.
7–4
eTrust Directory Administrator Guide
Multiwrite Replication
Multiwrite Replication
Multiwrite replication is a good choice for a system that includes applications
that require real-time replication.
Multiwrite replication uses the fast, efficient Directory System Protocol (DSP) to
chain updates between servers in real time.
To use multiwrite replication successfully, your network links, computers, and
power supplies should be reliable. Treat system crashes and unreliable networks
as disaster recovery scenarios that involve reconciliation between databases
using DXtools.
You can configure DSAs into multiwrite groups. When an update is applied to a
DSA in a group, it passes these updates on to the other DSAs in the group.
How Multiwrite Replication Works
Multiwrite replication uses DSP chaining to apply updates to all replication peers
in real-time. When a client makes an update request, that update is applied
immediately to the local DSA, and then to all other DSAs. The client receives the
confirmation response only after all DSAs have successfully applied the update.
The following diagram shows these steps:
1.
Write to self—A client sends an update request to DSA1, and this DSA
applies the update to itself.
2.
Write to peers—If the local update succeeds, DSA1 sends the request to its
peer DSAs. If these updates succeed, the peers send confirmations to DSA1.
3.
Send response to client—When DSA1 has received confirmation from each
peer, it sends the confirmation response to the client.
2
2
1
2
Client
DSA 1
DSA 2
3
DSA 3
2
1
1
2
2
2
2
Update Request
Update Confirmation
Database
1
Database
2
Database
3
The Three Phases of Multiwrite Replication
When a multiwrite update fails, the system must be recovered. See the sections
Replication
7–5
Multiwrite Replication
Recovering a Multiwrite System Using Queues and Recovering a Multiwrite
System Using DISP.
Multiwrite Can Work Asynchronously
Multiwrite is usually synchronous: an update operation is not confirmed until all
the multiwrite peers have applied it. This provides for load-sharing and failover.
However, this synchronous behavior may not be desirable if peer DSAs are
connected by slow links, or if latency is not an issue.
If a DSA is set to multiwrite asynchronously, when other DSAs multiwrite to this
DSA, they will not wait for a confirmation before they to hold the confirmation
on account of this DSA. The confirmation is returned once all the multiwrite
peers not marked multi-write-async have applied the update.
To set a DSA to multiwrite asynchronously, add the DSA flag multi-write-async to
the DSA’s knowledge.
7–6
eTrust Directory Administrator Guide
Multiwrite Replication
How Multiwrite Groups Work
In a system that includes at least one slow network link between DSAs, delays
caused by this slow link can slow down the whole multiwrite system. Multiwrite
groups let you avoid delays due to a slow network link.
How A Slow Network Link Causes Delays
A single slow link can delay a multiwrite system because the DSA making the
update must wait for confirmation from all DSAs before sending confirmation
back to the client. This can cause a bottleneck if many updates are made each
second.
The following diagram shows a multiwrite system in which three of the DSAs
are connected by slow network links. In this system, DSA 1 must wait until it has
received confirmation from these three DSAs before it can send the update
confirmation back to the client. From the client’s point of view, each update takes
much longer than it should.
DSA 2
DSA 3
2
2
1
Client
DSA 1
2
DSA 4
3
2
2
Update Request
Update Confirmation
DSA 6
DSA 5
Slow Network Link
A Multiwrite System with Slow Network Links
Replication
7–7
Multiwrite Replication
How Multiwrite Groups Avoid Bottlenecks
To avoid delays due to slow network connections, you can put the DSAs on each
side of a slow link into separate groups.
Each group has one hub DSA. This is the DSA that will accept multiwrite
requests from DSAs in other groups.
The following diagram shows these steps:
7–8
1.
Write to self—A client sends an update request to DSA1, and this DSA
applies the update to itself.
2.
Write to peers in group—If the local update succeeds, DSA1 sends the
request to its peer DSAs in the same multiwrite group. If these updates
succeed, the peers send confirmations to DSA1.
3.
Send response to client—When DSA1 has received confirmation from each
peer in its multiwrite group, it sends the confirmation response to the client.
4.
Write to hub DSAs in other multiwrite groups—DSA1 sends the request to
the hub DSAs in each of the other multiwrite groups.
5.
Hub DSAs write to peers—Each hub DSA sends the request to the other
DSAs in its group. When each hub DSA has received confirmation from each
peer in its multiwrite group, it sends the confirmation response to the first
DSA. The client confirmation will not be affected by the slow links, because
the updates over these links are asynchronous.
eTrust Directory Administrator Guide
Multiwrite Replication
Multiwrite
Group C
DSA 9
5
Multiwrite
Group A
DSA 2
DSA 8
(Hub)
DSA 3
5
5
DSA 11
4
2
DSA 10
2
DSA 1
1
3
Client
4
DSA 5
5
DSA 4
(Hub)
5
DSA 6
5
Multiwrite
Group B
DSA 7
Multiwrite Hub Failover
If an update sent to a hub fails because the hub DSA cannot be reached, then the
DSA tries the next hub in the list.
If all hubs fail, then the update will be queued against the first hub DSA. This
DSA takes care of queuing for the offline DSAs.
Replication
7–9
Multiwrite Replication
Set Up a Multiwrite System
You can set up a multiwrite replication system in many different configurations,
including master–slave, primary-backup, multimaster, or multiwrite groups.
You can also use other DSA flags to support load balancing and query streaming.
Multiwrite replication is simple to implement. Because multiwrite replication is built
into DXserver, you do not need to use a separate product or additional licensing.
Enable Multiwrite Replication
To enable multiwrite replication, do the following:
1.
Decide which DSAs will be included in the multiwrite system.
2.
Configure these DSAs with the same context prefix.
3.
Connect each DSA to a database holding synchronized information.
4.
Set each DSA to share the same knowledge information.
5.
Add the DSA flag multi-write to the shared knowledge, as follows:
set dsa dsaname = {
...
dsa-flags = multi-write, ...
... };
Note: Place DSA flags after dsp-idle-time and before any trust and link flags.
Set Up a Multiwrite Group
To set up multiwrite groups, do the following:
1.
Decide which DSAs will be included in the multiwrite system.
2.
Decide how many multiwrite groups you need, and which DSAs will be
grouped together.
3.
For each groups of DSAs, choose a hub DSA.
4.
Configure all DSAs with the same context prefix.
5.
Connect each DSA to a database holding synchronized information.
6.
Set each DSA to share the same knowledge information.
7.
Add the multi-write DSA flag to the shared knowledge:
set dsa dsaname = {
...
dsa-flags = multi-write, ...
... };
8.
In the knowledge for each DSA, define the multiwrite group:
set multi-write-group = group-name
7–10
eTrust Directory Administrator Guide
Multiwrite Replication
Define the Hub DSA for a Multiwrite Group
To set a DSA as the hub for a multiwrite group, list it first in the list of DSA
knowledge files.
Set the Retry Interval
To define the frequency at which DXserver will attempt to bind to a multiwrite
peer which cannot be contacted:
set multi-write-retry-time = <seconds>;
If you don’t set this time, the default value of 60 seconds will be used.
Replication
7–11
Multiwrite Replication
Recovering a Multiwrite System Using Queues
With multiwrite replication, you can choose between two methods of recovery:
queues or DISP. This section describes how queues work.
How Multiwrite Queues Work
Multiwrite DSAs are usually online. If one of the DSAs in the group goes offline,
the update is queued in memory until the DSA becomes available again.
After queuing, a confirmation is sent to the directory client. In effect, multiwrite
converts into a write-behind scheme until the offline DSA becomes available.
Increase the Queue Size
The queue pool has a default size of 200 updates for each peer. To change the
queue pool size, use the following command:
set multi-write-queue = n;
where n is the size of the update queue.
You can gauge the required size from, for example, the size of the updates in
your LDIF file.
View the Size of a Multiwrite Queue
To see the current size of the multiwrite queue, use the following command:
get dsp;
Here is a sample of the output from this command:
max-dsp-ops
= 100
local-prefix
=
<countryName "AU">
<organizationName "CA">
<organizationalUnitName "Test">
<organizationalUnitName "mwrite">
local-dsa
= dsa-1
multi-chaining
= TRUE
always-chain-down
= FALSE
multi-write-disp-recovery = FALSE
multi-write-queue
= 200
...
7–12
eTrust Directory Administrator Guide
Multiwrite Replication
Multiwrite Queue Alarms
While a peer DSA is offline, new updates are queued and, periodically, an
attempt is made to connect to the offline DSA.
When the peer DSA comes back online, the queued requests are sent in the order
that they are processed locally. Consequently, multiwrite copes well with a DSA
that is offline for a short period of time.
However, if the peer DSA remains offline for an extended period, the multiwrite
queues build up. Alarms are raised at 60%, 70%, 80%, 90%, and 100% of queue
capacity, and written to the alarm log.
If the queue becomes full, DXserver ignores the unavailable DSA. It discards all
the queued requests for the peer and drops the peer from the multiwrite set. You
must then resynchronize the databases and restart the DSAs.
If multiwrite has occurred, the get dsp command returns one of the following
statuses:
Status
Description
Failed
Indicates that the multiwrite peer is not responding to an update.
Updates for that server are held in the multiwrite queue until the
server responds. The queue is retained until the multiwrite queue
size is exceeded.
Recovering
Indicates that the multiwrite peer has become available and still
has old updates in its queue.
OK
Is the normal multiwrite server status.
Replication
7–13
Multiwrite Replication
Recovering a Multiwrite System Using DISP
With multiwrite replication, you can choose between two methods of recovery:
queues or DISP. This section describes how DISP recovery works with multiwrite
replication.
Enabling DISP recovery generally avoids manual resynchronization of the
databases.
DISP recovery works in concert with multiwrite by handling all the recovery. In
effect, fast multiwrite is used during uptime and DISP is only used for recovery
after a downtime.
DISP recovery has the following features:
Database tables
All information is derived from database tables instead of in-memory
queues. This means that recovery can survive restarts of a master (whereas
you can lose the in-memory queues).
State-based
Resynchronization uses efficient state-based deltas. This is usually superior
to replay-based recovery.
Reconciliation
The DISP processing supports automatic conflict resolution using a last write
wins rule. Managing conflicts is often a problem for replay-based systems
because the order of updates from different masters can be critical.
Important! If you configure multiwrite DISP recovery, you should specify the ssl-auth
authentication level only if you have set up SSL certificates for the DSAs in the
multiwrite group. This is because DISP recovery uses the highest available
authentication level.
Note: Multiwrite–DISP recovery cannot be used where more than one DSA is
attached to the same database.
7–14
eTrust Directory Administrator Guide
Multiwrite Replication
Enable Multiwrite-DISP
To turn on multiwrite with DISP recovery, use the following command:
set multi-write-disp-recovery = TRUE;
The effect of turning on this flag is to disable offline multiwrite queuing, so that
when a DSA cannot be contacted, it is immediately dropped from the multiwrite
set. However, DISP periodically probes the unavailable DSA.
When the unavailable DSA comes online, the following occurs:
1.
The multiwrite queue is enabled.
2.
DISP performs the resynchronization (by sending a delta for the period in
which the DSA was offline). While this is occurring, any updates are queued.
3.
When the DISP update completes, the multiwrite queue is replayed to the
new DSA.
4.
Multiwrite operation resumes.
Note: There are no explicit DISP agreements—all resynchronization and
reconciliation is automatic.
Queueing Multiwrite-DISP
If the following configuration flag is set to true, a multiwrite master will only
start DISP recovery after it has been down or its multiwrite queues had reached
their limits:
multi-write-disp-queue = <boolean>
In all other cases it replays its queue content to any peer that was unavailable for
a while.
Consistency During Recovery
The following setting guarantees consistency during recovery:
disable-non-peer-binds = <boolean>
If a DSA goes offline in a multiwrite DISP scenario, and this is set to true, only
binds from multiwrite peers are allowed. This stops the recovering DSA from
receiving non-peer (client, relay, router, or chained) requests that may provide
inconsistent results.
When the DSA has been synchronized (get dsp; or snmp shows multiwrite
queues ok) then this setting can be set back to false. The DSA will accept binds
after a few minutes.
Replication
7–15
Multiwrite Replication
Granularity of DISP Reconciliation
When DISP resynchronization starts it propagates all changes to the DSA since
the last successful multiwrite update.
In a multimaster system, it is possible that some of the changes can clash.
Resolution of these conflicts is automatic and is done on a last write wins rule,
with the smallest element being an X.500 object.
For example, when DSA1 updates an object’s surname attribute at time T, and
DSA2 updates an object’s phoneNumber attribute at time T+1, then the final
object after resynchronization is the object contained in DSA2, and does not have
the changes to the surname.
Add a Database Replica
To add a database replica:
1.
Follow the instruction in Manually Synchronizing Replicas Using Database
Tools in this chapter. This creates another database containing the same data
as the source.
2.
Create a new peer DSA that will use the new populated database.
3.
Change the DSA flags in the knowledge file to contain the multi-write flag for
both the source and target DSAs.
4.
Use the following command for all multiwrite DSAs running multiwrite
DISP recovery, that is, where multi-write-disp-recovery = TRUE
For example, on the Source DSA use the command:
dxdisp -clear targetDSA sourceDB
This clears the time of the last DISP update to the target DSA from the source
DSAs internal database tables. When the source DSA starts, it sets this time
to the source DSAs startup time and then only sends DISP updates
containing changes since that time.
5.
7–16
Start the source and target DSAs.
eTrust Directory Administrator Guide
Multiwrite Replication
Remove a Database Replica
To remove a replica:
1.
Shut down all the peers within the replication set.
2.
Edit the initialization file or the knowledge group file (if applicable) to delete
the knowledge of the DSA being removed.
3.
Clear the time of the last DISP update from each of the remaining DSAs in
the replication set for the DSA being removed using tool DXdisp tool.
For example, if Apple, Banana, and Pear are DSAs in a replication set and
you remove the Pear DSA, issue the following commands:
On the system running the Apple DSA:
dxdisp –clear Pear AppleDB
On the system running the Banana DSA:
dxdisp –clear Pear BananaDB
Multiwrite Replication to an LDAP Directory
You can use multiwrite replication to replicate updates applied to eTrust
Directory to an LDAP server.
To forward all updates on an eTrust Directory server to an LDAP server, include
the following line in the knowledge of the LDAP server:
dsa-flags = multi-write
Multiwrite and DXcache
If you are using DXcache to increase search performance to a shared database,
you can still send multiwrite updates to only update DXcache by including
the DSA flag multi-write-notify in the knowledge:
dsa-flags = multi-write-notify
In this mode, the cache is updated but the database is not. Configure at least one
DXserver connected to the database so that the database remains updated and
synchronized.
See the chapter “General Administration” for more information about DXcache.
Replication
7–17
Multiwrite Replication
Re-synchronize Databases Manually
Regardless of the amount of automatic recovery in place, it is always necessary to
have procedures in place that use tools to resynchronize databases.
If a DSA is offline for a long period of time, then a large number of updates may
be required to synchronize that DSA with the master. When this is the case, it can
be quicker to reload the data from a snapshot of the master database. If you do
this, you must also inform the master and other peers that a manual
resynchronization has taken place.
To take a snapshot of the master and reloading it on the slave, use the
DXdumpdb and DXloaddb tools
To inform a peer that a particular DSA has been manually resynchronized, use
the following command:
dxdisp -clear dsaname dbname
where
■
dsaname is the name of the slave DSA
■
dbname is the name of the database associated with the peer DSA
To manually resynchronize master and slave DSAs:
7–18
1.
Shut down the master DSA.
2.
Dump the master database using the DXdumpdb tool.
3.
Inform the master (and any other peer DSA) that a manual resynchronization
has occurred using the DXdisp tool.
4.
Restart the master DSA.
5.
Copy the LDIF file to the slave machine.
6.
Reload the slave database using the DXloaddb tool.
7.
Start the slave DSA.
eTrust Directory Administrator Guide
Multiwrite Replication
Example: Multiwrite Replication
The system shown in this diagram has the following properties:
■
■
■
■
All read operations (read, list, search, compare) are load-shared between the
two machines (according to the order that the DSAs are defined). Making use
of both machines can double the system throughput.
All write operations (modify, rename, add, delete) occur in real time using
multiwrite. This ensures that both machines are synchronized at the time the
update-confirm is sent back to the client.
The primary router (R1) can automatically redirect/retry any queries sent to
a data DSA (RO1, RW1, RO2, RW2) that unexpectedly shuts down. When
this DSA is returned to operation, it is automatically resynchronized.
The client application should fail over to the backup router (R2) in the event
that Machine 1 (or R1) unexpectedly shuts down. If the client retries (to R2)
any queries outstanding (on R1), then there is no possibility of the system
losing transactions.
This configuration can be summarized in the following table:
DSA
Function
Prefix
DSA flags
R1, R2
Router DSA
<c US>
-
RO1, RO2
Read DSA
<c US><o CA>
read-only, load-share
RW1, RW2
Read/Write DSA
<c US><o CA>
multi-write
This diagram shows the effective combining of distribution and replication. The
prefix of the routers (R1, R2) is one level less than that of the data DSAs (RO1,
RW1, RO2, RW2). A query is routed to a data DSA when the base object of the
query is within the subtree of the data DSA.
Replication
7–19
Multiwrite Replication
You can configure the system shown this diagram to have the immediacy of the
multiwrite replay system with the recoverability of the state-based system. In
this case, DSP is used to chain requests in real time to peer/slave DSAs while
DISP can be used to recover requests if any DSAs are restarted.
7–20
eTrust Directory Administrator Guide
DISP Replication
DISP Replication
X.500 defines a master–slave replication scheme using DISP (Directory
Information Shadowing Protocol). In this scheme, any update that succeeds
locally is forwarded to other DSAs according to any controlling bilateral
agreement with those other DSAs.
The DXserver DSA implements the 1993 Directory Information Shadowing
Protocol (DISP), which lets you replicate information in OSI-conformant
directories. This implementation is very flexible and supports:
■
DISP routing
■
Shared configuration
■
On-demand and periodic updates
Configuring a DISP Responder
To configure the DISP responder module, enter a listening address in the DSA
definition in the configuration file (.dxc), in the knowledge directory.
Example: Configuring
the DISP Responder
# Sample DSA Knowledge configuration file: DemoCorp.dxc
set dsa “DemoCorp” =
{
prefix
= <c AU><o DemoCorp>
dsa-name
=
<c AU><o DemoCorp><cn “DXserver”>
dsa-password
= “demo”
address
= tcp eagle port 1900
disp-psap
= DISP
...
auth-levels
= anonymous, clear-password
dsp-idle-time
= 3600
};
This responder remains active, awaiting incoming DISP protocol requests.
DISP Agreements
Agreements form the basis of all replication transfers. You direct and validate
DISP updates between DSAs using agreements. A DSA can have a number of
agreements relating to one or more remote DSAs.
You can manage DISP agreements using the commands:
■
set agreement id.ver = agreement;
■
get agreement
An agreement is a set of statements that defines a replication strategy. Define
each agreement with an agreement identifier and an agreement version.
Replication
7–21
DISP Replication
Setting DISP Agreements
You can set agreements using the set command, which the following form:
set agreement id.ver =
{
initiator = name mode
responder = name authlevel
[relay = name authlevel ]
area = <DN>
[filter = { searchFilter }]
[attributes = { attrSelectionList }]
[strategy = frequency time type]
};
The following are the parameters of the set agreement command:
Parameter
Value
id.ver
The agreement identification and version numbers (for example, 1.2).
initiator
The DSA initiating the DISP update:
name—DSA name as defined in a set dsa definition
mode—either supplier or consumer
responder
The DSA receiving the DISP update:
name—DSA name as defined in a set dsa definition
authlevel—anonymous, clear-password, or ssl-auth
relay
(Optional) An intermediate DSA used to relay the DISP update:
name—DSA name as defined in a set dsa definition
authlevel—either anonymous or clear-password
area
The top of the subtree being replicated; the value is the distinguished name of the
entry at the top of the subtree.
strategy
(Optional) Enables automatic DISP update to be performed. The strategy either
has the keyword value on-change or has the following three values:
frequency—has one of the keyword values hourly, daily, weekly, or monthly
time—either dd:hh:mm or hh:mm
type—either incremental or full
Filter
A search filter restricting the entries to be included in the DISP update
searchFilter—an X.500 filter
attributes
A list of attributes to include and/or exclude from a DISP update.
attrSelectionList ::= attrSelection | attrSelection attrSelectionList
attrSelection ::= { [object-class = objectClass,] IncludeExclude }
IncludeExclude ::= [all-attributes] | [include = attrTypeList] | [exclude =
attrTypeList]
attrTypeList ::= attributeName [, attributeName]
7–22
eTrust Directory Administrator Guide
DISP Replication
Example: A DISP
Agreement
set agreement 0.0 =
{
initiator = EAGLE supplier
responder = BACKUP anonymous
area
= <c AU><o DemoCorp>
strategy = daily 03:00 incremental
};
Viewing DISP Agreements
You can monitor DISP configuration using the get disp command. To view
details of an agreement, use the following command:
get agreement 1.0;
where 1 is the agreement identifier and 0 is the agreement version. The output of
this command looks similar to:
Agreement 1.0
initiator
responder
area
= EAGLE supplier
= BACKUP
= <countryName AU>
<organizationName DemoCorp>
- last update at Thu Jul 9 09:53:47 1998
Shared DISP Configuration
You can achieve replication between two DSAs using point-to-point DISP.
DB
DSA
(Supplier)
DISP
DSA
DB
(Consumer)
Share the DISP configuration between the DSAs. When two DSAs share an
agreement that includes a strategy (see DISP Agreements in this chapter for more
information), where one of the DSAs is an initiator and the other a responder, the
system performs automatic DISP updates as determined by the strategy.
Replication
7–23
DISP Replication
Manual Initiation of DISP
You can manually perform a DISP update, even when there is a strategy, using
the command:
disp update agreement 1.0;
The strategy in the agreement defines the mode of the update. When there is no
strategy, the update defaults to full.
An incremental update updates all entries that changed since the last DISP
update or since the DSA started.
Shadow DSAs
You can mark a slave DSA as a shadow. This means the DSA will act as a read
only DSA and will not grant updates, except via DISP or Multiwrite. The master
DSA can update the slave using DISP. Clients can query, but not update, the
DSA using DAP or LDAP.
set dsa ShadowDSA = {
...
dsa-flags = shadow, ...
...
};
DISP Routing
DXserver supports the concept of a DISP relay that lets you route DISP through
one or more intermediate DSAs. This is especially useful for firewall and X.500
Guard applications.
DB
DSA
Routing
DSA
DSA
DB
To include a relay DSA in a DISP replication process, all three DSAs must have
an agreement that identifies the relay. All three DSAs can share the same DISP
configuration.
Example: A DISP
Agreement with Relay
7–24
set agreement 0.0 =
{
initiator = EAGLE supplier
responder = BACKUP anonymous
relay
= DSA-RELAY anonymous
area
= <c AU><o DemoCorp>
};
eTrust Directory Administrator Guide
DISP Replication
Selective Shadowing
The DXserver supports three methods of restricting the data that a supplier
replicates to a shadow consumer. These methods are:
■
Specifying the replicated area
■
Specifying a subtree filter for the replication area
■
Specifying the set of attributes to be shadowed.
Each of these refinements to the shadowed data are defined below.
Specifying the Replicated Area
This is defined by the area parameter in the DISP agreement. It specifies the top
of the subtree to be replicated.
Specifying a Subtree Filter
This is defined by the optional filter parameter in the DISP agreement. This
specifies a filter that is applied to entries in under the area context prefix. The
filter parameter is defined as:
filter = { <filter> } | NULL
<filter>
::= and { <filterSet> } | or { <filterSet> } | not { <filter> }
| <filterItem>
<filterSet>
::= <filter> | <filter> , <filterSet>
<filterItem>
::= attr = <attrOid> <filterExist>
<filterExist>
::= present | value <filterComp> <value> | substrings [<substrings>]
<filterComp>
::= = | <= | >= | ~=
<subStrings>
::= <subStr> | <subStr> , <subStrings>
<subStr>
::= <subStrPortion> <string>
<subStrPortion> ::= initial | final | any
Using the subtree filter may cause problems when shadowing to other vendors
directories. This is the case when a full refresh is requested, or if an entry is
shadowed, but its parent entry does not exist on the shadow consumer. eTrust
directory overcomes these problem by the shadow consumer automatically
creating glueDSEs for the missing entries. A glueDSE is a DSE (Directory Specific
Entry) that has a name but no attributes including objectclass.
If the subtree filter contains anything other than comparisons on object class
values, for example a filter that matches all surnames of smith, then it is possible
for an replicated entry to be modified on the master DSA such that the entry no
longer matches the search filter. Subsequent DISP updates will not contain this
entry but the shadow DSA will still contain the unmodified attribute and value.
This is not a problem if the whole entry is deleted. For this reason it is not
recommended to use anything other than restrictions based on object class.
Replication
7–25
DISP Replication
Specifying a Selection of Attributes
This is defined by the optional attributes parameter in the DISP agreement. This
specifies the set of attributes that are shadowed.
Each element of attrSelectionList is an attrSelection element, which specifies the
attributes that the shadow supplier is to select for shadowing. Specification of
attributes for an object superclass also applies to any subclasses of the named
class. If the class is omitted, the selection applies to all classes.
When using the exclude specification, any attributes contained in an entry which
are not explicitly excluded are implicitly included. Attributes are implicitly
included in the case where all-attributes is specified.
The attribute object class, all attributes that are described in the schema as must
contain, and all operational attributes will be replicated unless they are explicitly
excluded (that is, listed in an exclude list).
Where entries belong to more than one of the specified classes, the specifications
are cumulative. In the case of conflicting specifications include has priority over
explicitly excluded attributes and exclude has priority over implicitly included
attributes.
It is possible for a selective DISP update to contain add entry requests that do not
satisfy the schema requirements of the shadow consumer. For example, all
mandatory attributes may not be present in the entry contained in the DISP
update. With eTrust Directory, such an update is allowed, because it is assumed
that the master DSA has verified the schema of the complete entry and allowed a
partial replication to the shadow (or slave) DSA. The shadow DSA should be a
read-only DSA so the fact that not all attributes are present in the entry should
not be of consequence. This may cause problems when replicating to other
vendors’ directories.
Example: Selective
Shadowing Example
Agreement
7–26
set agreement 2.1 =
{
initiator = EAGLE supplier
responder = BACKUP anonymous
area = <c AU><o Democorp>
filter = { attr = objectClass value = organizationalPerson }
attributes = { { exclude = title, description, telephoneNumber } }
strategy = on-change
};
eTrust Directory Administrator Guide
Manually Synchronizing Replicas Using Database Tools
Manually Synchronizing Replicas Using Database Tools
eTrust Directory databases should be manually synchronized when:
■
■
The DXstatdb tool shows differing numbers of entries between databases in a
replication set when the system is quiet. In this case, it usually makes sense
to resynchronize all the directory databases to have the same number as the
master database.
There is a large mismatch between directory entries, perhaps because a
multiwrite peer or DISP responder is unavailable for a long period of time
while updates are applied to other systems in the replication set.
How Manual Synchronization Works
eTrust Directory provides a powerful set of database tools that can be used for
resynchronization.
This technique extracts directory information directly from the directory
database into an intermediate LDIF file and then populates the target directory
database directly from this file.
Note: Both the source and target DSAs should be shut down during these
operations.
Source
DB
dxdumpdb
LDIF
ldifsort
File
LDIF
File
dxloaddb
Target
DB
How to Manually Synchronize eTrust Directory Databases
To manually resynchronize eTrust Directory databases:
1.
Dump the source database and use the DXdumpdb tool to produce an LDIF
file.
2.
Use the ldifsort tool to sort the source LDIF file into DIT depth order.
3.
If the databases are on different systems, copy the LDIF file from the source
system to the target system.
4.
Use the DXloaddb tool to load the target database with the LDIF data.
5.
Start the source and target DSAs.
Replication
7–27
Chapter
8
LDAP and DXlink
DXserver supports Lightweight Directory Access Protocol (LDAP), which
enables any LDAP-conformant client access to DXserver. LDAP is fully
integrated with DXserver and provides greater performance and efficiency than
gateway approaches. Another advantage of integrated LDAP is that it obeys the
DSA schema. This means that you only configure new schema once because both
LDAP and DAP protocols share the same configuration.
DXserver also supports the integration of LDAP servers into a distributed
directory backbone. DXlink lets DXserver send requests to one or more LDAP
servers and process the results returned from them as if they were normal X.500
directory servers. This enables LDAP servers to be integrated into a fully
distributed directory framework.
LDAP and DXlink
8–1
LDAP Clients
LDAP Clients
DXserver can be accessed from LDAP clients, such as web browsers, address
books, and Lightweight Directory User Agents (LDUAs).
DXserver
LDAP
LDAP
Server
Client
DXserver
Defining the LDAP Port
You define the LDAP address using the set dsa command, which contains a port
number that listens for LDAP requests, as follows:
set dsa “Eagle” = {
...
address = tcp “eagle” port 389
...
};
This address definition is mandatory; it automatically enables LDAP as the
DXserver listens for different protocols on the same port. For more information,
see the section Defining DSAs in the chapter “General Administration” for more
information.
For a list of all ports in a default installation of eTrust Directory, see the section
Port Numbers Used by eTrust Directory in the chapter DXserver Overview.
Configuring LDAP Names
You configure LDAP names along with the usual schema attribute and object
class definitions:
set attribute 2.5.4.3 = {
name
= commonName
ldap-names = cn
syntax
= caseIgnoreString
};
LDAP names are integrated into the DXserver schema. See the chapter “Schema
Definition” for more information.
8–2
eTrust Directory Administrator Guide
LDAP Clients
Handling LDAP Strings
LDAP uses only string labels for information, so DXserver resolves them to their
true object and attribute identifiers by looking up their schema information. For
each object and attribute label specified in the LDAP service requests, DXserver
looks first for matching ldap-names, and then for a name.
LDAP is a string-handling protocol only; therefore, a number of restrictions are
implicit:
■
■
■
Developers of directory clients must ensure the DXserver receives an
appropriately formatted LDAP message because the LDAP syntax is highly
dependent on appropriate punctuation, white space, and so forth.
Developers of LDAP directory clients must define locally customized
attributes and objects through the DXserver schema definition process.
Developers should remember that LDAP names are not necessarily unique.
For example, two organizations can define the string mail, but have different
syntaxes and uses for it.
Transparent Routing
When using DXserver to route client requests to external LDAP directories using
DXlink, it may not be feasible or convenient to include all third-party schema.
See the Transparent Routing section in the Distribution and DSP chapter for
more information.
LDAP and DXlink
8–3
Schema Publishing
Schema Publishing
eTrust Directory supports schema publishing through LDAP Version 3. This
enables LDAP directory clients to read the directory schema dynamically from
the DXserver using LDAP Version 3. For further information, see section 3.2.2
Subschema Entries and Subentries of RFC 2251 LDAPv3.
The following information is published through the cn=schema subschema
subentry using LDAP Version 3:
■
Attributes
■
Object Classes
■
Attribute Types
■
Syntaxes
■
Name Forms
■
Structure Rules
This can be retrieved by performing a base object search of the cn=schema
subentry with a search filter of objectClass present. The following is an extract of
the LDAP trace of such a search:
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
<-- LDAP MESSAGE messageID 2
SearchRequest
baseObject: cn=schema
scope: baseObject
derefAliases: derefAlways
sizeLimit: 0
timeLimit: 0
typesOnly: false
filter:
present: objectClass
attributes:
--> LDAP MESSAGE messageID 2
SearchResultEntry
objectName: cn=schema
attributes
type: objectClass
value: top
value: subschema
type: cn
value: schema
>
type: attributeTypes
>
value: (2.5.4.0 NAME 'objectClass'SYNTAX 1.3.6.1.4.1.1466.115.121.1.38)
>
value: (2.5.4.1 NAME 'aliasedObjectName'SYNTAX
1.3.6.1.4.1.1466.115.121.1.12)
. . .
>
value: (1.3.6.1.4.1.3327.77.4.1.9 NAME 'uNSPSCdateto' SYNTAX
1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
>
type: objectClasses
>
value: (2.5.6.0 NAME 'top' ABSTRACT MUST (objectClass))
>
value: (2.5.6.1 NAME 'alias' SUP (top) STRUCTURAL MUST (aliasedObjectName))
. . .
>
value: (1.3.6.1.4.1.3327.77.4.2.1 NAME 'uNSPSC' SUP (top) STRUCTURAL MUST
(uNSPSCCode$uNSPSCTitle) MAY
(uNSPSCContractManager$uNSPSCContractID$uNSPSCContractAuth$uNSPSCContractSupplie
8–4
eTrust Directory Administrator Guide
Schema Publishing
r$uNSPSCdateissued$uNSPSCdatefrom$uNSPSCdateto))
>
type: ldapSyntaxes
>
value: (1.3.6.1.4.1.1466.115.121.1.4 DESC 'Audio')
>
value: (1.3.6.1.4.1.1466.115.121.1.5 DESC 'Binary')
. . .
>
value: (1.3.6.1.4.1.1466.115.121.1.53 DESC 'UTC Time')
>
type: nameForms
>
value: (1.3.6.1.4.1.3327.7.1 NAME 'country-top-NF' OC country MUST
(countryName))
>
value: (1.3.6.1.4.1.3327.7.2 NAME 'o-top-NF' OC organization MUST
(organizationName ))
. . .
>
value: (1.3.6.1.4.1.3327.77.4.14.3 NAME 'uNSPSC-uNSPSC-NF' OC uNSPSC MUST
(uNSPSCTitle) MAY (uNSPSCCode$uNSPSCContractID))
>
type: dITStructureRules
>
value: (1 NAME 'country-top-SR' FORM country-top-NF)
>
value: (2 NAME 'o-top-SR' FORM o-top-NF)
. . .
>
value: (38 NAME 'uNSPSC-uNSPSC-SR' FORM uNSPSC-uNSPSC-NF SUP (36 37 38))
LDAP and DXlink
8–5
Integrating Other LDAP Servers
Integrating Other LDAP Servers
LDAP servers do not support the DSP protocol. This means that you cannot
perform a distributed search over a number of LDAP directory servers. eTrust
Directory has a facility called DXlink that lets LDAP servers link into an X.500
backbone. The DXserver can send requests to one or more LDAP directories and
process the results returned from them as if they were X.500 directory servers.
DXserver
LDAP
DXserver
DXlink
To configure DXlink, configure the LDAP server as if it is a DXserver, and add
the dsp-ldap link-flags to the dsa definition as follows:
set dsa “LDAPserver” = {
prefix
= <c AU><o DemoCorp><ou email>
dsa-name
= <c US><o DemoCorp><ou email><cn LDAPserver>
address
= tcp Eagle port 389
...
link-flags
= dsp-ldap
}
Note: When you are using LDAP Version 3, use the dsp-ldap link flag; however,
when you are using LDAP version 2, use dsp-ldapv2.
8–6
eTrust Directory Administrator Guide
Integrating Other LDAP Servers
User Credentials on DXlink Binds
LDAP servers expect connections from only LDAP users; therefore, DXlink must
make the X.500 backbone look like an ordinary LDAP user.
A complication arises with name and password security (simple credentials). In
DSP, a single link between DSAs can support any number of users, because user
information is passed with each DSP request. However, in LDAP, links cannot be
shared, so DXserver must set up separate links for every LDAP user.
When the DSA is acting as a direct pass-through from a user to an LDAP server
and the user's name resides on the LDAP server, then the DSA sets up a separate
link for that user and uses their credentials in that link:
User=J. Bloggs
password = yellow
Client
User=J. Bloggs
password = yellow
DSA
LDAP
Server
Setting User Credentials for LDAP Operations
However, if either of the following is true, you can set the credentials used in the
DXlink connections in the LDAP server configuration file:
■
■
The user invoking the request is authenticated using a DN that is outside the
LDAP server.
More than one DSA is in the path to the LDAP server.
For example:
set dsa LDAP1 = {
...
ldap-dsa-name
= <c US><o “Ace Industry”><cn “Fred Smith”>
ldap-dsa-password = fredspassword
...
};
The ldap-dsa-name must be a valid entry on the LDAP server because all
requests from the backbone use the permissions that are granted to this entry.
The DSA in the previous example expects credentials to be returned on the bind
confirm sent by the LDAP server. If no credentials are returned then the bind is
rejected.
The knowledge reference of the LDAP server can include the trust flag no-servercredentials, which indicates to the DSA that the LDAP server will not return
credentials on a bind.
LDAP and DXlink
8–7
Integrating Other LDAP Servers
When this flag is set, then the DSA will accept a bind confirm result returned
from the LDAP server if it does not include credentials.
set dsa LDAP1 = {
...
trust-flags = no-server-credentials
...
};
Automatically Authorizing LDAP Operations
When a directory backbone performs operations over DXLINK, some operations
on the target LDAP server may require that the user be authorized for that
operation.
You can include the dsp-ldap-proxy link flag in the DXLINK knowledge, to cause
the last DSA in the chain to use the authorization of the originating user to
perform operations on the LDAP server.
Important! This may compromise security, because the originating user is never
authenticated by the LDAP server.
Usually, the last DSA in the chain binds to the LDAP server using the credentials
specified in the ldap-dsa-name and ldap-dsa-password flags.
If the dsp-ldap-proxy flag is also set, then the DN of the user that made the initial
bind is added to the following subsequent requests:
■
search
■
compare
■
modify
■
add
■
delete
■
modify DN
If the initial bind was anonymous, no DN is added to subsequent requests.
This is achieved by the DSA chaining the operation over DXLINK adding the
originator DN to a LDAP proxy control on the request. The LDAP server will
need to allow the DN specified ldap-dsa-name authorization to proxy all users.
Note: The dsp-ldap-proxy link flag can only be used if the target LDAP server
supports the LDAP Proxy Authorization control.
8–8
eTrust Directory Administrator Guide
Integrating Other LDAP Servers
Prefix Mapping
Prefix mapping lets LDAP servers, other DSAs, or agents map into an area of the
DIT. Prefix mapping is useful for collecting disjointed subtrees under a common
node. Applications include transient groupings (such as task forces) or logical
groupings (such as libraries where individual libraries are spread across an
organization or location tree).
Prefix mapping is also useful for DXlink because an LDAP server may not be
able to change its prefix. Because LDAP servers have no concept of distribution,
their DITs usually contain the first- or second-level nodes. This makes it hard to
integrate them into a host DIT.
An example is an X.500 directory system that controls the nodes c=US and c=US,
o=CAI. There is also an LDAP server with the X.500 naming context:
“c=US, o=CA”
The LDAP server does not contain the c=US node but controls the tree beneath
the c=US node that starts with the o=CA entry. It was set up to control the North
American part of CA but is now required to be incorporated into the entire CA
directory. This context can be mapped into the host's X.500 naming context
“c=US, o=CAI” as:
“c=US, o=CAI, ou=CA North America”
Thus, a subtree search of “c=US, o=CAI, ou=CA North America” is mapped to a
subtree search of “c=US, o=CA” before being forwarded to the LDAP server. The
results are mapped back into the host DIT space.
C=US
O=CAI
O=CA North
America
You can enable prefix mapping by defining a native-prefix in the server
definition:
set dsa LDAP1 = {
...
prefix
= <c US><o CAI><ou “CA North America”>
native-prefix = <c US><o “CA”>
...
};
LDAP and DXlink
8–9
Integrating Other LDAP Servers
Working with Microsoft Exchange
An example Microsoft Exchange knowledge file is shown below:
set dsa EXCHANGE = {
prefix
= <c AU><o Exchange>
native-prefix = <o “Computer Associates”><ou TEST><cn Recipients>
dsa-name
= <c US><o Exchange>
address
= tcp “currawong” port 389
auth-levels
= anonymous
dsp-idle-time = 60
trust-flags
= no-server-credentials, allow-downgrading, allow-upgrading
link-flags
= dsp-ldap, ms-exchange
};
The native prefix is determined by the following entries that can be found in
Microsoft Exchange Administrator. See the example shown in the following
dialog, where:
o = the Exchange Address Book name
ou = the domain name
cn = the recipients container (usually named “recipients”)
8–10
eTrust Directory Administrator Guide
Chapter
9
Monitoring the Directory
We recommend that you monitor the directory to detect operational problems as
early as possible.
DXserver supports both Internet and OSI protocols for monitoring server
operations. These protocols are:
■
The Internet Simple Network Management Protocol (SNMP)
■
The X.700 Common Management Information Protocol (CMIP)
■
Telnet—used by the management console
General monitoring facilities, and DXadmind, the eTrust Directory
administration daemon, are also available.
Monitoring the Directory
9–1
General Monitoring
General Monitoring
During normal operation of a directory:
■
Data is added to and deleted from the directory.
■
User and other DSA connections are made and released.
■
Log files are generated.
You should review DXserver operation periodically to ensure DXserver
continues to run smoothly.
DXconsole
You can perform special-case checking of operational parameters and server
usage with management commands.
To view the number and type of operations performed by the DSA:
get stats;
To view current DSP connections to other DSAs:
get online-dsas;
To view current user connections to the DSA:
get users;
To view the names of the currently enabled log files:
get log;
Log Files
We recommend that you maintain log files to record a DSA’s activity. You can
then postprocess these files to obtain:
■
Statistics
■
Billing
■
Auditing
We also recommend that you periodically monitor the alarm log to check for
operation errors.
9–2
eTrust Directory Administrator Guide
General Monitoring
Databases
The DXtools DXstatdb command prints a summary of a given database. The
database itself has monitoring facilities. See the chapter “Using DXtools” for
more information.
Disk Space
As a directory grows, it consumes more disk space. Disk space is used for:
■
Directory data
■
Backups (database checkpoints)
■
Log files
When the directory contains a large amount of data, the database checkpoint files
can become large. You can either delete old checkpoint files or move them to
storage areas.
Monitoring the Directory
9–3
SNMP and the Directory Monitoring MIB
SNMP and the Directory Monitoring MIB
DXserver has a built-in SNMP agent to monitor operations of the DSA. This
management agent implements the RFC1567 Directory Monitoring Management
Information Base (MIB) and includes information such as:
dsaOpsTable
Provides summary statistics on the directory accesses, operations, and errors
dsaEntriesTable
Provides summary statistics on the entries held by the DSA and on cache
performance
dsaIntTable
Provides useful information about the interaction of the monitored DSA with
peer DSAs
The SNMP agent can also monitor information that is specific to eTrust
Directory. These monitoring options are described in
/samples/snmp/dxmib.asn1. The SNMP can monitor:
■
Multiwrite replication
■
DXserver statistics
■
DXcache
You can use any third-party SNMP manager, provided it supports the RFC1567
MIB. Because this is a read-only MIB, you cannot use it for configuring the DSA.
9–4
eTrust Directory Administrator Guide
SNMP and the Directory Monitoring MIB
Configuring the SNMP Agent
Configure the SNMP agent (via DXconsole or in the DSA configuration file (.dxc)
in the knowledge directory), using the set dsa command.
Example:Configuring
the SNMP Agent
set dsa “DEMOCORP” = {
...
snmp-port = 19389
...
};
Define the UDP/IP port that listens for incoming SNMP requests by setting the
snmp-port. This is the only UDP port that the DSA uses, so it can accept any
value and it does not interfere with TCP port numbers.
You can set the following SNMP parameters:
■
snmp-description
■
snmp-contact
■
snmp-name
■
snmp-location
set
set
set
set
snmp-description = “SNMP monitor”
snmp-contact = “[email protected]”
snmp-name = myDXserver
snmp-location = myOffice
For a list of all ports in a default installation of eTrust Directory, see the section
Port Numbers Used by eTrust Directory in the chapter DXserver Overview.
Monitoring the Directory
9–5
SNMP and the Directory Monitoring MIB
SNMP Monitor Utility
eTrust Directory supplies a sample SNMP MIB walker utility called dxsnmp in
the samples/snmp directory. The SNMP utility polls the server periodically and
prints nonzero parameters.
To start the SNMP utility, use the following command:
dxsnmp -r[n] ipaddress/port
The -r option is the refresh rate (in seconds). You can enter a number after the -r
to indicate the number of seconds between each refresh. The default value is 5.
Example: Starting the
SNMP MIB Walker
dxsnmp –r localhost/19389
The following is a sample output:
$ dxsnmp localhost/19389
sysDescr
sysObjectID
sysUpTime
sysContact
sysName
sysLocation
sysServices
dsaAnonymousBinds.1
dsaUnauthBinds.1
dsaSimpleAuthBinds.1
dsaStrongAuthBinds.1
dsaBindSecurityErrors.1
dsaInOps.1
dsaReadOps.1
dsaCompareOps.1
dsaAddEntryOps.1
dsaRemoveEntryOps.1
dsaModifyEntryOps.1
dsaModifyRDNOps.1
dsaListOps.1
dsaSearchOps.1
dsaOneLevelSearchOps.1
dsaWholeTreeSearchOps.1
dsaReferrals.1
dsaChainings.1
dsaSecurityErrors.1
dsaErrors.1
dsaMasterEntries.1
dsaCopyEntries.1
dsaCacheEntries.1
dsaCacheHits.1
dsaSlaveHits.1
Example: Monitoring
multiwrite replication
CA eTrust DXserver
1.3.6.1.4.1.3327.20.0.0
8323.00
[email protected]
democorp
http://www.ca.com
0
11
0
0
8
0
99
0
0
0
0
0
0
0
30
20
0
0
0
0
11
0
0
0
0
0
This is only displayed if multiwrite replication is enabled. The following is a
sample output:
dxRemoteDsaName.1
dxRemoteDsaName.2
dxRemoteDsaName.3
dxMWQueueLength.1
dxMWQueueLength.2
dxMWQueueLength.3
dxMWStatus.1
dxMWStatus.2
dxMWStatus.3
dxMWPendingRemote.1
dxMWPendingRemote.2
9–6
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
eTrust Directory Administrator Guide
:
:
:
:
:
:
:
:
:
:
:
DEMOCORP2
DEMOCORP3
DEMOCORP4
0
1
0
1 (ok)
2 (failed)
1 (ok)
0
0
SNMP and the Directory Monitoring MIB
dxMWPendingRemote.3
dxMWConfirmedLocal.1
dxMWConfirmedLocal.2
dxMWConfirmedLocal.3
Example: Monitoring
DXserver statistics
:
:
:
:
0
0
1
0
The dxStatsNoTicks and dxStatsBusy items only appear if stats logging is
enabled.
The following is a sample output:
dxStatsAssocs
dxStatsNilCredit
dxStatsNoTicks
dxStatsQueue
dxStatsBusy
dxStatsOps
Example: Monitoring
Dxcache
:
:
:
:
:
:
1
0
1
3
2
11
This option always appears, but will only show information when DXcache is
enabled.
The dxCacheSearchHits value increments whenever a seach is resolved within
the cache. The dxCacheSearchMisses value increments whenever a search has to
be passed to the back end.
The following is a sample output:
dxCacheStatus
dxCacheSize
dxCacheSearchHits
dxCacheMisses
:
:
:
:
3 (cache_ok)
456789
15
10
Monitoring the Directory
9–7
SNMP and the Directory Monitoring MIB
Configuring the SNMP Trap Destination
Deliver Alarms as
SNMP Traps
To configure the delivery of alarms as SNMP traps, use the following console
command:
set snmp-log = udp host port portnumber;
You can place this command in the appropriate configuration file (.dxc) within
the logging directory.
Disable Feature
To disable the feature:
close snmp-log;
Tip: The trap contains three variables: sysName, sysDescr, and sysLocation.
sysName contains the name of the DXserver sending the trap, sysDescr
contains sufficient information to reconstruct the actual update operation,
and sysLocation contains the actual alarm text.
Send Traps About
Any Update
Operations
By default, all alarms are sent to the trap destination. However, you can
configure the DXserver to send traps that contain information about any update
operations it receives. To do this, set an associated Boolean setting,
trap-on-update, as follows:
set trap-on-update = true;
Typically, you set this in the DXserver settings configuration file (.dxc) in the
settings directory.
9–8
eTrust Directory Administrator Guide
CMIP and X.700 Management
CMIP and X.700 Management
The DXserver DSA has an integral CMIP management agent for monitoring the
operation of the DSA.
The DSA provides limited support for ISO 9594-10 (Committee Draft April 1995)
as follows:
■
■
The MIB fully supports the DSA-managed object definitions. You can
determine its structure and naming by setting scope=wholeSubTree or
scope=baseObject.
eTrust Directory supports all packages of the DSA-managed object. Each
component of each package is read-only because the intended use is for
monitoring.
Configuring the CMIP Agent
You configure the listening address for the CMIP agent through the management
console or in the DSA initialization scripts.
Example: Configuring
the CMIP Agent
set dsa “DEMOCORP” = {
...
cmip-psap = CMIP
...
};
The cmip-psap command defines the address, which this instance of the DSA
listens on for OSI management requests.
If required, you can input hexadecimal values in the syntax 0x1234 in place of
characters or text.
CMIP Monitor Utility
eTrust Directory supplies a sample CMIP monitoring utility called DXcmip in the
samples/cmip directory. This very simple CMIP manager performs periodic get
requests on the DSA.
You can start the CMIP utility using the following command:
dxcmip -r[n] ipaddress/portnumber
[psel]
The -r option is the refresh rate (in seconds). You can enter a number after the -r
to indicate the number of seconds between each refresh. The default value is five.
Monitoring the Directory
9–9
CMIP and X.700 Management
Example: Starting the
CMIP Monitoring
Application
dxcmip -r localhost/19389
This example starts the CMIP monitor. It monitors operations on the server
configured in SNMP Example 1—Configuring the SNMP Agent.
The following is a sample output:
$ dxcmip localhost/19389
objectClass
nameBinding
packages
commonName
accessPoint
masterEntries
copyEntries
loopsDetected
securityErrors
nameErrors
foundLocalEntries
referrals
serviceErrors
aliasDereferences
chainings
invalidReferences
unableToProceed
outOfScope
noSuchObject
aliasProblem
aliasDereferencingProblem
affectsMultipleDSAs
unavailableCriticalExtension
timeLimitExceeded
sizeLimitExceeded
adminLimitExceeded
maxSizeLimit
maxTimeLimit
prohibitChaining
readOpsProc
compareOpsProc
abandonOpsProc
listOpsProc
searchOpsProc
search1levelOpsProc
searchSubtreeOpsProc
addOpsProc
removeOpsProc
modifyOpsProc
modifyDNOpsProc
readOpsProc
compareOpsProc
abandonOpsProc
listOpsProc
searchOpsProc
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
2.5.30.2.0
2.5.30.3.0
(Not decoded)
DSA
(Not decoded)
0
0
0
0
1
41
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
False
0
0
38
0
30
20
0
0
0
0
0
0
0
0
0
0
search1levelOpsProc : 0
searchSubtreeOpsProc
addOpsProc
removeOpsProc
modifyOpsProc
modifyDNOpsProc
dSAScopeOfReferral
dSAScopeOfChaining
peerEntityAuthenticationPolicy
requestAuthenticationPolicy
resultAuthenticationPolicy
dSPAssociationEstablishment
dOPAssociationEstablishment
dISPAssociationEstablishment
maxDAPAssociations
maxDSPAssociations
9–10
eTrust Directory Administrator Guide
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
CMIP and X.700 Management
maxDOPAssociations
maxDISPAssociations
dAPAssociationTimeout
dSPAssociationTimeout
dOPAssociationTimeout
dISPAssociationTimeout
dSAActiveAssociations
pagedResultsMaxIDs
pagedResultsTimer
supportedApplicationContexts
:
:
:
:
:
:
:
:
:
0
0
0
0
0
0
0
0
(Not decoded)
sdfasf : -0
Monitoring the Directory
9–11
Chapter
10
Using DXtools
The DXtools provide a sophisticated set of utilities that simplify the management
of directory data and databases. These utilities can be divided into the following
general categories:
Database Tools
Simplify the management of the underlying Advantage Ingres databases and
the tables used by the DSAs, and provide a high performance, high volume
data import and export capability.
LDIF Tools
Convert and manipulate data using a format appropriate for import to the
directory.
DAP Tools
Provide an X.500 DAP interface for importing and exporting data to/from a
directory.
Schema Tools
Simplify the extraction of schema from LDAP directories, and the conversion
of schema into a format appropriate for eTrust Directory and for use by the
DXtools.
Note: Throughout this guide, references to Advantage Ingres include both
Ingres II and OpenIngres, unless one or the other is explicitly specified.
Together, these tools:
■
■
■
■
■
Provide a fast start to any directory project, letting you easily load existing
data for demonstration and prototyping.
Provide the means for managing directory data on an ongoing basis.
Can operate locally on the host Windows or UNIX server or execute from a
Windows client workstation to a directory server over a TCP/IP network.
Provide a migration path, a method, or both, for controlled exchange of data
when DSP is not appropriate.
Can be incorporated into your custom scripts. All tools return zero on
success and non-zero when an error occurs.
Using DXtools
10–1
Database Tools
Database Tools
The database tools provide a set of utilities that simplify the creation and
management of directory databases and the DSA tables.
Important! The RDBMS (Advantage Ingres) must be running for the database tools to
execute successfully.
The database tools are:
DXnewdsa
Creates a new DSA configuration, generating the initialization, database, and
knowledge files, and creating the database if necessary
DXnewdb
Creates a new database including the tables that DXserver requires
DXextenddb
Adds extra Advantage Ingres locations to a database
DXdestroydb
Destroys an existing database
DXemptydb
Destroys all data in a database
DXbackupdb
Creates a checkpoint of a database
DXrestoredb
Recovers a database from the last checkpoint
DXtunedb
Modifies indexes and collects statistics and tunes a database
DXindexdb
Adds or removes wide indexes, certificate component indexes, and reverse
indexes
DXstatdb
Displays statistics for a database
DXlistdb
Displays a list of databases owned by the user
DXadduser
Adds a new database administrator
10–2
eTrust Directory Administrator Guide
Database Tools
DXdeluser
Deletes an existing database administrator
DXloaddb
Loads (or reloads) an existing database from an LDIF file
DXdumpdb
Extracts data from a database into an LDIF file
DXgrantdb
Grants a particular user access to a database
DXupgradedb
Migrates the database to the current version
DXdisp
Initializes multiwrite DISP recovery
DXcertgen
Reports on currently configured certificates and generates new DSA
personality certificates.
Using DXtools
10–3
Database Tools
Creating a DSA: DXnewdsa
You can create a new DSA configuration with the DXnewdsa tool using the
following command:
dxnewdsa dsaname dbname port [prefix]
where:
■
dsaname is the name of the DSA
■
dbname is the name of the database
■
port is the port number of the DSA
■
prefix is the DSA prefix
For example:
dxnewdsa mydsa mydb 12345 c AU o DemoCorp ou Sales
Example output:
Checking if the Ingres database mydb exists...
The Ingres database mydb doesn't exist. Using dxnewdb to create it...
Creating database 'mydb' . . .
Creating DBMS System Catalogs . . .
Modifying DBMS System Catalogs . . .
Creating Standard Catalog Interface . . .
Creating Front-end System Catalogs . . .
Creation of database 'mydb' completed successfully.
New database created
>> Disconnecting...
>> Connecting to database 'iidbdb'...
>> Connecting to database 'mydb'...
>> Creating DIT table...
>> Creating TREE table...
>> Creating NAME table...
>> Creating SEARCH table...
>> Creating SUBSEARCH table...
>> Creating ENTRY table...
>> Creating BLOB table...
>> Creating ATTR table...
>> Creating SUBATTR table...
>> Creating ALIAS table...
>> Creating INFO table...
>> Creating DISP table...
>> Creating DISPMODDN table...
>> Disconnecting...
>> Disconnecting...
Tuning system catalogs...
Writing the database file...
Database file written
Writing the knowledge file...
knowledge file written
Writing the initialization file...
Initialization file written
Starting the DSA...
The DSA started.
10–4
eTrust Directory Administrator Guide
Database Tools
Creating a Database: DXnewdb
To create a new database with the DXnewdb tool, use the following command:
dxnewdb dbname
where dbname is the name of the database.
Extending a Database: DXextenddb
You can extend a database’s storage over multiple locations with the
DXextenddb utility using the following command:
dxextenddb dbname fileArea locationName
where:
■
■
■
dbname is the name of the database to extend
fileArea is the directory under which to create the additional location (must
be the absolute path name)
locationName is the name of the additional location
The DXextenddb utility is commonly used to increase the size of the database
over the current 2 GB limit for a location.
Adding Multiple
Extensions
To add multiple extensions, run DXextenddb multiple times. After you have
added all the required extensions, run DXtunedb with either the -relocate or full option. For example, on UNIX, you could use the following commands:
su – ingres
dxextenddb demo1 /local/ingres location2
dxextenddb demo1 /local/ingres location3
su – dsa
dxtunedb -relocate demo1
On Windows, you could use the following commands:
dxextenddb sampledsa c:\newlocation location2
dxtunedb -relocate sampledsa
Important! To run DXextenddb, you must be logged in as the Advantage Ingres user
(UNIX only).
Using DXtools
10–5
Database Tools
Destroying a Database: DXdestroydb
You can destroy a database that is no longer required with the DXdestroydb
utility using the following command:
dxdestroydb dbname
where dbname is the name of the database to be destroyed.
WARNING! The DXdestroydb utility removes all directory information in the database.
If you want to remove all directory information but keep the database, use DXemptydb
instead.
Important! This command also destroys checkpoints (backups) associated with the
database.
Emptying a Database: DXemptydb
You can remove all the data from a database that is no longer required with the
DXemptydb utility using the following command:
dxemptydb dbname
where dbname is the name of the database.
WARNING! The DXemptydb utility removes all data from all of the tables in the
database.
This utility differs from DXdestroydb because DXemptydb does not destroy the
database; it leaves the database tables ready to accept new data.
We recommend that you first create a backup of the database using DXbackupdb
before issuing the DXemptydb command.
10–6
eTrust Directory Administrator Guide
Database Tools
Backing Up a Database: DXbackupdb
The DXbackupdb utility creates a checkpoint of the specified database. You can
execute the DXbackupdb utility using the following command:
dxbackupdb [+journal|-journal] [-keepold] [-deleteoldest] dbname
where:
■
dbname is the name of the database
■
+journal turns journaling on
■
-journal turns journaling off
■
-keepold keeps previous checkpoints
■
-deleteoldest deletes the oldest checkpoint
Important! The backup performs a database checkpoint. There must be sufficient disk
space available to save this checkpoint. Note that journaling requires additional storage.
Using the +journal and -journal options, you can enable or disable database
journaling to maintain a log of all changes made since the last checkpoint. Once
you turn journaling on, it stays on until you issue the dxbackupdb command and
the -journal option. For example:
dxbackupdb
dxbackupdb
:
dxbackupdb
:
dxbackupdb
demo
+journal demo
(no journaling)
(journaling is turned on)
demo
(journaling is still on)
-journal demo
(journaling is turned off)
Tip: To turn journaling off, the database must be offline before you run the
dxbackupdb command with the -journal option. If you run DXloaddb or
DXindexdb, you must explicitly turn journaling back on (dxbackupdb
+journal) with the database offline in order to resume journaling for all
tables.
You can run the DXbackupdb utility when the DSA is online.
Important! Backups of the database are extremely important. See the chapter
“Deploying a Directory” for more information.
Using DXtools
10–7
Database Tools
Restoring a Database: DXrestoredb
The DXrestoredb utility restores a database from a previously created
checkpoint. You can execute the DXrestoredb utility using the following
command:
dxrestoredb [+/-journal] [-list] [-fromold checkpointNumber] dbname
where:
■
dbname is the name of the database to restore
■
+journal replays the journals after the checkpoint is restored
■
-journal restores the checkpoint without replaying the journals
■
-list lists valid checkpoints.
■
-fromold checkpointNumber restores from an older backup (the default is the
most recent backup taken)
Tip: We recommend that you perform daily backups, usually at night. When
performing a restore, all DSAs that connect to the database must be shut
down.
10–8
eTrust Directory Administrator Guide
Database Tools
Tuning a Database: DXtunedb
When populating or updating the directory, you can improve the performance of
the directory services by running the DXtunedb utility. You can execute the
DXtunedb utility with the following command:
dxtunedb [-full | -relocate] dbname
where dbname is the name of the database to tune.
The DXtunedb utility modifies the indexes, and updates statistics used by the
query optimizer.
You can run the DXtunedb utility when the DSA is online, except with the -full
option. However, it is better to tune when DSAs are not busy because tuning
consumes CPU.
Run a Full Tune
The DXtunedb utility has two options: -full and -relocate. The -full option
provides a more comprehensive tuning of the database. To run a full tune, use
the following command:
dxtunedb -full dbname
where dbname is the name of the database.
Tip: The DXtunedb utility with the -full option tunes all tables, indexes,
system tables, and statistics. All DSAs that connect to the database must be
shut down.
Enable New Locations
The -relocate option enables the use of the new locations created by
DXextenddb. Use the following command:
dxtunedb -relocate dbname
where dbname is the name of the database to be relocated.
Relocating a database is faster than performing a full tune, but less extensive in
terms of optimization.
Important! This option does not update statistics.
Using DXtools
10–9
Database Tools
Managing Indexes: DXindexdb
The DXindexdb utility is used to add, clear or list the following indexes:
■
Reverse indexes
■
Certificate component indexes
■
Certificate Revocation List (CRL) indexes
■
Wide indexes
The DXindexdb utility uses the following syntax:
dxindexdb dbname [[+ | -]reverse [attrList]]
| [[+ | -]cert [componentList]]
| [[+ | -]crl
[componentList]]
| [[+ | -]wide [attrList]]
where dbname is the name of the database.
Applying a reverse index to an attribute stores each value of that attribute in
reverse order. This aids substring searches of the type (attr=*val).
Only the first 106 characters of a value are significant in a search. If this is not
adequate, or you receive a warning to this effect in the log file, you can apply a
wide index to those attributes. For more information about wide indexes, see
Indexing Options in the chapter “General Administration.”
List Indexed Attributes,
Certificate/crl
Components
To list the currently indexed attributes, certificate/crl components and give a
list of attributes and components for indexing, specify dxindexdb with only the
database name:
dxindexdb demo
where demo is the database name.
Example output:
Reverse indexed attributes:
telephoneNumber
Component indexed attributes:
certificate(cert_version cert_issuer validity)
certificateList(crl_version crl_issuer)
Other attributes:
oc aliasedEntryName userPassword createTimestamp countryName
organizationName department givenName surname commonName
multiLineDescription cosineRfc822Mailbox
Other components:
certificate(serialNumber cert_signature subject subjectPublicKeyInfo
issuerUniqueIdentifier etc...)
certificateList(thisUpdate nextUpdate etc...)
10–10
eTrust Directory Administrator Guide
Database Tools
Clear Existing Indexes
To clear all the existing reverse, wide, and certificate/CRL indexes, use any of
the options with no arguments:
dxindexdb demo –reverse
dxindexdb demo –cert
dxindexdb demo -crl
Add Reverse-Index
Attributes
To create one or more reverse-index attributes, use the -reverse option followed
by a space-separated list of the attributes:
dxindexdb demo -reverse attribute1 attribute2
Note: This will clear any previous reverse indexes.
To add one or more reverse-index attributes to an existing set, use the +reverse
option followed by a space-separated list of attributes:
dxindexdb demo +reverse attribute1 attribute2
This will add the new reverse indexes to the previous reverse indexes.
Add Certificate
Component Indexes
To create one or more certificate component indexes, use the -cert option
followed by a space-separated list of the components:
dxindexdb demo -cert component1 component2
Note: This will clear any previous certificate component indexes.
To add one or more certificate component indexes to an existing set, use the +cert
option followed by a space-separated list of components:
dxindexdb demo +cert component1 component2
This will add the new certificate component indexes to the previous certificate
component indexes.
Add crl Component
Index
To create one or more CRL component indexes, use the -crl option followed by
a space-separated list of the components:
dxindexdb demo -crl component1 component2
Note: This will clear any previous crl component indexes.
To add one or more CRL component indexes to an existing set, use the +crl
option followed by a space-separated list of components:
dxindexdb demo +crl component1 component2
This will add the new CRL component indexes to the previous CRL component indexes.
Using DXtools
10–11
Database Tools
Add Reverse and
Component Index
When both reverse and component indexing is required, a single command
must be used to set up the indexes:
dxindexdb demo -reverse attribute1 attribute2 -cert component1 component2
If a reverse index is added using the following command, all component indexes
will be removed:
dxindexdb demo -reverse attribute1
Add Wide Index
To add a wide index to one or more attributes, use the following command:
dxindexdb demo -wide attribute1 attribute2
Add Reverse and
Wide Index
10–12
When both reverse and wide indexing is required, use the following command:
dxindexdb demo -reverse attribute1 attribute2 -wide attribute1 attribute2
eTrust Directory Administrator Guide
Database Tools
Displaying Database Statistics: DXstatdb
The DXstatdb utility displays statistics of a particular database. The DXstatdb
utility has the following format:
dxstatdb [-cert] [-d] dbname
where:
List Database Statistics
■
dbname is the name of the database for which statistics will be generated
■
-cert lists the statistics for the certificates stored in the database
■
-d includes statistics for entries marked as deleted
You can list the statistics for the database by using the following command:
dxstatdb dbname
The following is a sample output:
Statistics:
Number of attributes types
Number of entries
Number of node entries
Number of leaf entries
Number of alias entries
Number of level 1 entries
Number of level 2 entries
Number of level 3 entries
Number of level 4+ entries
Number of values
Number of blob (>2K) values
List Certificate
Statistics
=
=
=
=
=
=
=
=
=
=
=
27
104472
4424
100048
0
12
58
341
104061
709281
0
You can list the statistics for the certificates stored in the database with this command:
dxstatdb -cert dbname
The following is a sample output:
Certificate Statistics:
Number of userCertificate
Number of userCertificate issuers
Number of expired userCertificate
Number of not yet valid userCertificate
=
1
= Not Indexed
= Not Indexed
= Not Indexed
If there are CA Certificates and CRLs in the directory, the following output appears
(note that this output shows that the CA Certificate has a component index):
Certificate Statistics:
Number of userCertificate
Number of userCertificate issuers
Number of expired userCertificate
Number of not yet valid userCertificate
Number of cACertificate
Number of cACertificate issuers
Number of expired cACertificate
Number of not yet valid cACertificate
Number of certificateRevocationList
Number of certificateRevocationList issuers
Number of expired certificateRevocationList
Number of not yet valid certificateRevocationList
=
=
=
=
=
=
=
=
=
=
=
=
1
Not Indexed
Not Indexed
Not Indexed
1
0
0
0
1
Not Indexed
Not Indexed
Not Indexed
Using DXtools
10–13
Database Tools
List Deleted Entries
By default, the dxstatdb command ignores entries marked as deleted in the
database when reporting its statistics.
This is useful because two synchronized databases could give different statistics
because entries marked as deleted in a DISP shadow were being counted, but not
on the master.
To include entries marked as deleted in the listed statistics, use the '-d' option:
dxstatdb -d dbname
Listing Existing Databases: DXlistdb
List Databases Owned
by User
The DXlistdb utility lists the databases owned by the user. (The user must be a
database administrator—typically, the user who has created the database.) You
can execute the DXlistdb utility using the following command:
dxlistdb [dbname]
The output of a dxlistdb command is a list of database names, such as:
backup
demo
live
test
Test Database
Existence
You can test for the existence of a particular database by specifying the database
name as an optional parameter to the dxlistdb command:
dxlistdb mydatabase
If the database mydatabase does not exist then DXlistdb will return an error code.
Adding a Database User: DXadduser
You can create a new database administrator with the DXadduser utility using
the following command (this command is generally used only during
installation):
dxadduser dbadmin
where dbadmin is the name of the new database administrator.
Note: When dbadmin contains spaces, you must use quotation marks, for
example, “Fred Bloggs.”
10–14
eTrust Directory Administrator Guide
Database Tools
Deleting a Database User: DXdeluser
You can delete a database administrator with the DXdeluser utility using the
following command:
dxdeluser dbadmin
where dbadmin is the name of the database administrator.
Note: When dbadmin contains spaces, you must use quotation marks, for
example, “Fred Bloggs.”
Using DXtools
10–15
Database Tools
Loading a Database: DXloaddb
Use the DXloaddb tool to load or reload a database from a prepared LDIF file.
This utility used to use schema.txt file to get schema information. It now loads
schema information directly from the DSA. This means that you now have to
specify the DSA name when you use the DXloaddb tool. The same change has
been made to DXdumpdb.
The command is:
dxloaddb options ldif-file dbname
The following are the options of the dxloaddb command:
Option
Description
-p prefix
The prefix of the DSA. Use a comma-separated LDAP format.
Use a pair of quotes “” for a NULL DN.
If a portion of prefix is more than one word, you can enclose the whole prefix in
quotes or just the problem portion. For example, both of these prefixes will
work:
■
o=“democorp test”,c=au
■
“o=democorp test,c=au”
-O
Includes standard operational attributes during the load.
-P
Hashes or encrypts passwords if in clear text:
-I "not-searchable
<attrlist>"
10–16
0:
OEM hash algorithm. This option is deprecated - use SHA-1 instead.
1:
SHA-1 (default)
2:
Salted SHA-1. This produces a different hash even for the same clear text
password, which is more secure.
3:
OEM-reversible crypt algorithm (therefore less secure)
4:
Traditional UNIX crypt algorithm
5:
MD5 password hashing
Prevents the attributes listed from loading into the search table, which reducing
the size of the search table. Small table size means less disk space used, faster
tuning, and faster loading. Also, update operations are faster on these attributes.
Search operations containing these attributes will return empty results. The list
of attributes must match those set in the database configuration file. For
information about how to make attributes not searchable, see Indexing Options
in the chapter “General Administration.”
eTrust Directory Administrator Guide
Database Tools
Option
Description
-a attributes
The estimated average number of attributes per entry. This corresponds to the
average number of lines per entry in the LDIF file.
-n entries
The estimated number of entries.
-S dsaname
The DSA server with the schema definitions that the DXloaddb tool will use.
If you do not include this option, the DXloaddb tool parses the various
DXserver configurations to find the one that connects to the database specified.
database
The name of the database to load.
WARNING! If you use this option, all existing directory information in the database
will be lost.
The following are the parameters of the dxloaddb command:
Parameter
Description
ldif-file
The name of the LDIF file to use.
dbname
The name of the database to load.
The number of entries and the number of rows per entry are used to estimate the
size of each database table in advance. This enables the database to allocate the
appropriate resources before the load commences, greatly reducing load time.
The correct sequence in which to create and load a database is:
dxnewdb
dxextenddb
dxloaddb
(as many times as needed)
Note: There is no need to reorganize or tune the database since this is done
automatically as part of the DXloaddb process. Sort the LDIF file by
distinguished name, in ascending order.
The following example loads the data from democorp.ldif file to database
democorp:
dxloaddb –p "o=democorp test,c=au" -I "not-searchable
createTimestamp,userPassword" -S democorp democorp.ldif democorp
In this example, “o=democorp test,c=au” is the DN prefix, and the
createTimestamp and userPassword attributes are not searchable.
Using DXtools
10–17
Database Tools
Dumping a Database: DXdumpdb
Use the DXdumpdb utility to extract the data from a database to an LDIF file.
This utility used to use schema.txt file to get schema information. It now loads
schema information directly from the DSA. This means that you now have to
specify the DSA name when you use DXdumpdb. The same change has been
made to the DXloaddb tool.
The command is:
dxdumpdb options dbname [attributes]
The following are the options of the dxdumpdb command:
Option
Description
-p prefix
The prefix of the DSA. Use a comma-separated LDAP format.
If a portion of prefix is more than one word, you can enclose the whole prefix
in quotes or just the problem portion. For example, both of these prefixes will
work:
■
o=“democorp test”,c=au
■
“o=democorp test,c=au”
The prefix you specified doesn’t have to be the same as in the database. That is,
you can change the prefix to suit your needs.
-Z schema
Uses the schema file specified.
-f outfile
Dumps the data to the specified file.
-i
Includes attributes.
-O
Includes standard operational attributes.
-x
Excludes attributes.
-v
Run in verbose mode. This switches on error/status tracing.
-l
Locks the database while doing the dump.
-u
Username used to connect to the database.
-P passwd
The user’s Advantage Ingres password.
-E eidlist
Dumps only the entries specified. Eidlist is a comma-separated entry id list, for
example, “0,1,2…9”.
-S dsaname
The DSA server with the schema definitions that DXdumpdb will use.
If you do not include this option, DXdumpdb parses the various DXserver
configurations to find the one that connects to the database specified.
10–18
eTrust Directory Administrator Guide
Database Tools
The following are the parameters of the dxdumpdb command:
Parameter
Description
dbname
The name of the database to dump.
attributes
Space-separated list of attributes that you want to include or exclude in the
dump (if no attribute list is given, you dump all).
The following example extracts the LDIF format data from database democorp
on the screen, using the o=”democorp test”,c=au DN prefix, and excludes the
createTimstamp and userPassword attributes in the output.
Dxdumpdb –p o=”democorp test”,c=au –x democorp -S democorp createTimestamp
userPassword
The following example extracts the first three entries from database democorp to
the out.ldif file, using the o=”democorp test”,c=au DN prefix.
Dxdumpdb –p o=Admin,c=au –f out.ldif
-S democorp –E 0,1,2 democorp
Granting Access to a Database: DXgrantdb
Use this command to grant a nominated user access to a database with the
DXgrantdb utility:
dxgrantdb dbname [user]
where:
■
■
dbname is the name of the database to which you are granting access
user is the name of the user to whom you are granting access
Note: If you omit the user name, all database users are granted access.
Revoking Access to a Database: DXrevokedb
Use this command to remove the permission for the nominated user to access a
database with the DXrevokedb utility:
dxrevokedb dbname [user]
where:
■
dbname is the name of the database to which access is revoked.
■
user is the name of the user whose access is revoked.
Note: If you omit the user name, all database users will have their access
revoked.
Using DXtools
10–19
Database Tools
Upgrading Previous Versions of a Database: DXupgradedb
After upgrading eTrust Directory, existing databases may require changes to
enable new features to work. For example, you may need to add new tables,
upgrade existing indexes, or update existing tables.
To upgrade a database, use the following command:
dxupgradedb dbname
where dbname is the name of the database that you want to upgrade.
Note: You must run DXupgradedb before starting the server.
Initializing Multiwrite–DISP Recovery: DXdisp
When multi-write-disp-recovery = TRUE, and you reload a DSA, or remove a
DSA from the multiwrite-DISP configuration, you must clear the last update time
using the following command:
dxdisp -clear dsaname dbname
where:
■
dsaname is the name of the newly loaded or removed DSA
■
dbname is the name of the database
To list the last update times of all multiwrite-DISP peers recorded in the
database, use the following command:
dxdisp -list dbname
where dbname is the name of the database for which you want to list the last
update times.
10–20
eTrust Directory Administrator Guide
Database Tools
Reporting On and Generating Certificates: DXcertgen
The DXcertgen tool reports on currently configured certificates and generates
new DSA personality certificates and directory user certificates.
The command is:
dxcertgen options [report|generate]
The following are the options of the dxcertgen command:
Option
Description
-d days
Number of days certificate will be valid for(default days=365)
-i issuer
Generate root certificate with YOUR company's name (default:
"CN=Certificate Authority,O=DXCertGenPKI,C=AU")
-c clientcerts
Path to client certificate and private key store (default:
"$DXHOME/../jxplorer/security/clientcerts")
-C clientpass
Password for clientcerts keystore (default: <JXplorer clientcerts default>)
-s cacerts
Path to CA certificate and private key store (default:
"$DXHOME/../jxplorer/security/cacerts")
-S capass
Password for cacerts key store (default: <JXplorer cacerts default>)
-u users
LDIF file of users to generate certificates for
-p path
Write user certificates to path rather than keystore
-P keypass
Assign this password to protect private key (default: dxcertgen)
The following are the parameters of the dxcertgen command:
Parameter
Description
report
Report on configured certificates
certs
Generate certificates for DSAs (and 'users' if specified)
Using DXtools
10–21
Database Tools
Reporting Certificates
The certificate report shows who the subject of the certificate is, the Certificate
Authority who issued it, validity dates and whether the certificate is currently
valid.
Where there are multiple certificates in a file, they are numbered in the order
they are found. If you have to delete a certificate, use the report to determine
which one to delete.
To run a report on the currently configured certificates enter the command:
dxcertgen report <enter>
You will see a report like this:
TRUSTED ROOT CERTIFICATES
- trusted.pem certificate : 1
version
: 3
serialNum
: 0
issuer
: /C=AU/O=MiniPKI/CN=Certificate Authority
notBefore
: May 29 01:36:03 2003 GMT
notAfter
: May 27 01:36:03 2008 GMT
subject
: /C=AU/O=MiniPKI/CN=Certificate Authority
status
: valid
PERSONALITY CERTIFICATES
- router.pem certificate : 1
version
: 1
serialNum
: 4
issuer
: /C=AU/O=MiniPKI/CN=Certificate Authority
notBefore
: May 29 01:36:13 2003 GMT
notAfter
: May 27 01:36:13 2008 GMT
subject
: /C=AU/CN=DXserver
status
: valid
- democorp.pem certificate : 1
version
: 1
serialNum
: 1
issuer
: /C=AU/O=MiniPKI/CN=Certificate Authority
notBefore
: May 29 01:36:07 2003 GMT
notAfter
: May 27 01:36:07 2008 GMT
subject
: /C=AU/O=Democorp/CN=DXserver
status
: valid
- uddi.pem certificate :
version
:
serialNum
:
issuer
:
notBefore
:
notAfter
:
subject
:
status
:
1
1
5
/C=AU/O=MiniPKI/CN=Certificate Authority
May 29 01:36:15 2003 GMT
May 27 01:36:15 2008 GMT
/O=CA/CN=UDDI
valid
- unspsc.pem certificate : 1
version
: 1
serialNum
: 2
issuer
: /C=AU/O=MiniPKI/CN=Certificate Authority
notBefore
: May 29 01:36:09 2003 GMT
notAfter
: May 27 01:36:09 2008 GMT
subject
: /C=AU/O=UNSPSC/CN=DXserver
status
: valid
10–22
eTrust Directory Administrator Guide
Database Tools
- ocsp.pem certificate :
version
:
serialNum
:
issuer
:
notBefore
:
notAfter
:
subject
:
status
:
1
1
4
/C=AU/O=MiniPKI/CN=Certificate Authority
Jun 6 10:39:15 2000 GMT
Jun 5 10:39:15 2005 GMT
/C=AU/O=OCSP/CN=DXserver
valid
- sample.pem certificate : 1
version
: 1
serialNum
: 3
issuer
: /C=AU/O=MiniPKI/CN=Certificate Authority
notBefore
: May 29 01:36:10 2003 GMT
notAfter
: May 27 01:36:10 2008 GMT
subject
: /C=AU/O=Sample/CN=DXserver
status
: valid
Done.
Generating Certificates
To secure links between DSAs using SSL encryption or SSL authentication, each
DSA needs a certificate, just as if it was a directory user. These are called DSA
personality certificates, and are stored under
$DXHOME/config/ssld/personalities.
Note: To secure the system, the private key of the root certificate used to sign all
the generated certificates is not stored or written out in any way.
The tool generates a root certificate first, checks that it doesn't already exist in the
$DXHOME/config/ssld/trusted.pem file, then appends the new root certificate
to this file. It then uses the root certificate's private key to generate a new
personality certificate for each configured DSA, using the DSA-NAME from the
$DXHOME/config/knowledge file as the subject of the certificate. Any previous
personalities will be overwritten.
Using Your Company
Name as the CA Issuer
The default Certificate Authority issuer is hardcoded into the tool:
CN=Certificate Authority,O=DXCertGenPKI,C=AU. To use your company
name instead, just use the '-i issuer' option, and specify your company name as
an LDAP DN.
By default, the validity period for the certificates generated is 365 days, but you
can change by using the -d option.
Using DXtools
10–23
Database Tools
Generating
Certificates for eTrust
Directory Users
To generate user certificates and private keys, use the -u option. This should be
the complete path to an LDIF file of users. The user certificates will be
generated using the same root certificate's private key as the DSA personalities.
To write the user certificates and private keys to the file system, enter the
command:
dxcertgen -i "cn=Real Company Certificate Authority,o=Real Company PKI,c=au" -d
730 -u $USERS_PATH/users.ldif -p $TEMP_PATH/users certs <enter>
WARNING! The private keys that are written out are not password protected or
encrypted in any way - they should be moved as soon as possible.
Generating
Personality
Certificates for DSAs
To generate personality certificates for currently configured DSAs, enter the
command:
dxcertgen -i "cn=Real Company Certificate Authority,o=Real Company PKI,c=au" -d
730 certs <enter>
You will see the following output:
Generating a new trusted root certificate...
Generating a 1024-bit RSA public/private key pair...
...................................++++++
...............++++++
Appending trusted root certificate to
/.../products/dxserver/config/ssld/trusted.pem...
Generating dxserver personalities...
Generating a new personality certificate for democorp.dxc...
Generating a 1024-bit RSA public/private key pair...
.............++++++
....................................................++++++
Writing personality certificate to
/.../products/dxserver/config/ssld/personalities/democorp.pem...
Generating a new personality certificate for router.dxc...
Generating a 1024-bit RSA public/private key pair...
.++++++
................................++++++
Writing personality certificate to
/.../products/dxserver/config/ssld/personalities/router.pem...
Generating a new personality certificate for unspsc.dxc...
Generating a 1024-bit RSA public/private key pair...
.++++++
................................++++++
Writing personality certificate to
/.../products/dxserver/config/ssld/personalities/unspsc.pem...
Done.
10–24
eTrust Directory Administrator Guide
Database Tools
Wiring User
Certificates and
Private Keys to a
Secure Location
To generate user certificates and private keys and write them to a more secure
location, DXcertgen is able to use the keytool facility that ships with Java and
JXplorer to add the certificates and private keys to a "keystore". The keystore is
password protected and each private key is password protected as well. The
certificates and keys are separated out into "client" or user certificates/keys and
CA/self-signed/root certificates/keys.
By default the tool writes the certificates and private keys to the JXplorer
keystore, but you can specify alternate keystores. To specify an alternate keystore
for CA certs, use the '-s cacerts' option to enter the complete path to the CA
keystore. Don't forget to specify the CA certificates keystore password using '-S
capass'. To specify an alternate keystore for client certificates, use the '-c
clientcerts' option. Don't forget to specify the client certificates keystore
password using the '-C clientpass' option.
Specifying an
Alternate Private Key
Password
To specify an alternate private key password use the '-P keypass' option.
Note: JAVA_HOME must be set because the tool must run
$JAVA_HOME/bin/keytool to add the certificates and private keys to the
keystore.
To write certificates to the JXplorer keystore, enter the command:
dxcertgen -u "%DXHOME%\samples\democorp\users.ldi" certs
Generating a new trusted root certificate...
Generating a 1024-bit RSA public/private key pair...
....................++++++
Appending trusted root certificate to D:\Program Files\CA\eTrust Directory\dxser
ver\config\ssld\trusted.pem...
Adding alias 'trusted' to keystore...
Certificate was added to keystore
Generating dxserver personalities...
Generating a new personality certificate for router.dxc...
Generating a 1024-bit RSA public/private key pair...
....................................++++++
Writing personality certificate to D:\Program Files\CA\eTrust Directory\dxserver
\config\ssld\personalities\router.pem...
Generating a new personality certificate for unspsc.dxc...
Generating a 1024-bit RSA public/private key pair...
..................................................++++++
Writing personality certificate to D:\Program Files\CA\eTrust Directory\dxserver
\config\ssld\personalities\unspsc.pem...
Generating user certificates...
Generating a new user certificate for Nadia_KITE...
Generating a 1024-bit RSA public/private key pair...
..++++++
................................................++++++
Adding alias 'Nadia_KITE' to keystore...
Certificate was added to keystore
Generating a new user certificate for Jodie_LAY...
Generating a 1024-bit RSA public/private key pair...
Using DXtools
10–25
Database Tools
................................................++++++
.......................++++++
Adding alias 'Jodie_LAY' to keystore...
Certificate was added to keystore
Generating a new user certificate for Vivienne_LEVER...
Generating a 1024-bit RSA public/private key pair...
....++++++
.......................................++++++
Adding alias 'Vivienne_LEVER' to keystore...
Certificate was added to keystore
Generating a new user certificate for Juliet_LEVY...
Generating a 1024-bit RSA public/private key pair...
...................++++++
.++++++
Adding alias 'Juliet_LEVY' to keystore...
Certificate was added to keystore
Generating a new user certificate for Craig_LINK...
Generating a 1024-bit RSA public/private key pair...
..................++++++
......++++++
Adding alias 'Craig_LINK' to keystore...
Certificate was added to keystore
Generating a new user certificate for Gavin_LOWE...
Generating a 1024-bit RSA public/private key pair...
................++++++
................................................++++++
Adding alias 'Gavin_LOWE' to keystore...
Certificate was added to keystore
Done.
10–26
eTrust Directory Administrator Guide
LDIF Tools
LDIF Tools
The DXtools manage directory data using the LDAP Data Interchange Format
(LDIF). The LDIF file format is suitable for describing directory information or
modifications made to directory information. It is often used for transferring
directory information between LDAP-based directory servers or describing a set
of changes applied to a directory.
This section describes how you can transfer comma-separated value (CSV) data
files into LDIF directory files using the data conversion tools.
The data conversion tools are:
csv2ldif
Uses the CSV data file and the LDIF template file to prepare an LDIF file for
the dxmodify tool
ldifsort
Sorts an LDIF file or input stream on the given attribute type
ldifdelta
Calculates the change, or delta, between two LDIF files
CSV Source Data
A source data file is a comma-separated list of values. Each source data (CSV) file
can contain many lines, and each line in the file should contain information
about a single object or entry.
DXtools Example 1
CSV Data File
Fred,Jones,Manager,Administration,987 6254
Tom,Smith,Sales Person,Sales,987 6251
Bill,Smith,Foreman,Manufacturing,987 6257
Ken,Anderson,Account Manager,Sales,987 6255
Wendy,Murphy,Clerk,Administration,987 6233
Ann,Thompson,Receptionist,Administration,987 6222
Ian,Hall,Boilermaker,Manufacturing,987 6510
Linda,Bates,Accountant,Administration,987 6511
Sam,Campbell,Welder,Manufacturing,987,6510
Using DXtools
10–27
LDIF Tools
While the default separator is a comma, the DXtools support the use of
alternative and user-defined separators. See Converting CSV Data to LDIF
Format: csv2ldif in this chapter for more information.
You should enclose embedded commas within quotes. For example, if Tom
Smith's address is contained as a single field, you can include embedded commas
in the single address field as shown below:
Tom,Smith,"36 High Street,Boystown,NY"
To accommodate embedded quotation marks, as when applied to a property
name in an address field, always use two sequential quotation marks to
represent a single quotation mark in text. For example, if Tom Smith used his
property name “The Grange” in his address:
Tom,Smith,"""The Grange"",High Street,Boystown,NY"
Template Files (LDT)
The information contained in a data file is simply a list of values. To give
meanings to these values, you must specify what the values in each field
represent. To do this, define an LDIF template (LDT) file.
The LDT files describe the objects contained in the directory. The LDT file
follows the LDIF file format, which is used to add directory information to the
data values. An LDIF file consists of a series of records separated by blank lines.
A record consists of a sequence of lines describing a directory entry. Special
substitution tokens are used to place fields from the CSV file into the LDT.
Each line in the LDT file defines a rule that links a field in a CSV data file to a
directory attribute or name with an object description. These rules let the tools
translate CSV file information into LDIF file formats.
DXtools Example 2
A sample LDIF Template File
# Acme template file - LDIF format
dn:ou=$4, o="Acme", c=US
oc:organizationalUnit
dn:cn=$1 $2, ou=$4, o="Acme", c=US
oc:organizationalPerson
surname:$2
title:$3
telephonenumber:+61 3 $5
10–28
eTrust Directory Administrator Guide
LDIF Tools
The Format of LDT files
Each record in an LDT file specifies the format of entries at that level. Each
record contains a DN and one or more attribute-value template lines.
You can treat the $ character literally when the escape character (\) precedes it.
This escape character has no significance other than escaping. Use \\ to
represent the \ character.
Using substitution tokens in the DN line lets you specify leaf nodes and their
parents. You can therefore infer hierarchy from the original CSV data. You must
explicitly code parent objects in the template file, and they must appear in
increasing-depth order in the file before any definition of leaf objects.
If you need a literal number following a substitution token, you can use the
three-digit form of the token as in the following example (the three-digit form is
shown underlined):
# leaf node
dn:cn=$1 $2,ou=$4, o=DemoCorp,c=AU
oc:organizationalPerson
Surname:$2
Description: $00199 \$ $2 \$ $3
Telephone:+61 $3
A substitution token cannot exceed three digits (maximum is $999). When this
LDT file is interpreted, the $00199 looks at the first three digits after the $ (in this
example $001 is equal to $1), so the program finds the first column of the CSV to
substitute, and appends "99" characters to it. If you use $199 rather than $00199,
the 199th column of the CSV is used to substitute, which is not the intention of
this example.
LDIF Files
Using the LDIF format, you can convey directory information or a description of
a set of changes made to directory entries. An LDIF file consists of a series of
records with line separators. Each record consists of a sequence of lines
describing either a directory entry or a set of changes to a single directory entry.
These two types of records cannot be mixed in an LDIF file. An LDIF file contains
either records that specify a set of directory entries or records that specify a set of
changes you apply to directory entries, but not both.
For further information about the LDIF format, review the Internet Engineering
Task Force (IETF) draft Request For Comments (RFCs) available at
http://www.ietf.org.
Using DXtools
10–29
LDIF Tools
Converting CSV Data to LDIF Format: csv2ldif
The csv2ldif tool uses the CSV data file and the template LDT file described in the
preceding two sections to prepare an LDIF file for the DXmodify tool.
The format is:
csv2ldif options numfields LDTfile CSVfile
The following are the options of the csv2ldif command:
Option
Description
-b badfile
Output file name for CSV lines with bad format.
-d
Permits duplicate parent nodes to be generated.
-f branching factor
The number of branching factors. The default is 32.
Note: This is a low-level option and should not be used unless directed by
Computer Associates Technical Support.
-i lines
Ignores the first lines lines of the CSV file.
-s sep
Defines a field separator (default is a comma)
The following are the parameters of the csv2ldif command:
Parameter
Description
Numfields
Total number of fields defined in the input CSV file.
LDTfile
Name of the LDT file.
CSVfile
Name of the input CSV file.
DXtools Example 3
csv2ldif
Using the example CSV data file and the LDT file, you can execute the csv2ldif
utility using the following command:
csv2ldif -i 1 7 acme.ldt acme.csv > acme.ldi
The file acme.ldt contains the specification and translation rules. The file
acme.csv contains the raw data in comma-separated value format. The CSV file is
defined as having seven fields with the first line ignored.
10–30
eTrust Directory Administrator Guide
LDIF Tools
The output is redirected to the acme.ldi file. The following is a portion of
acme.ldi:
dn: o=Acme, c=US
oc: organization
dn: ou=Administration, o=Acme, c=US
oc: organizationalUnit
dn: cn=Fred Jones, ou=Administration, o=Acme, c=US
oc: organizationalPerson
postalAddress: 11 Main Street $ Newtown
surname: Jones
title: Manager
telephonenumber: +1 (305) 987 6254
dn: ou=Sales, o=Acme, c=US
oc: organizationalUnit
Sorting an LDIF File: ldifsort
The ldifsort program sorts an LDIF file or input stream for the given attribute
type. The default sort is DN, which sorts LDIF records based on their
distinguished names. In DN sort mode, ldifsort ensures that each record is
followed by its immediate subordinates.
The other sort option is to sort in descending order. You can use this option, for
example, when deleting the entries in an LDIF file from the directory. This sorts
the LDIF file on DN in descending order, thus ordering subordinates before
superior entries. The LDIF file can then be passed to DXmodify to delete these
entries.
Note: By default, duplicate entries are ignored or written to the bad record file
(-b file). If you do not want to ignore duplicate entries, use the -U option.
By default, the sort attribute is DN, but any attribute can be specified. You can
use another attribute, for example, to sort employee records in an LDIF file based
on their employee numbers for administration, or to sort based on telephone
numbers to allocate spare lines.
You must use ldifsort before ldifdelta to sort both input files to ldifdelta in the
same order.
ldifsort has the following command-line format:
ldifsort [options] infile [outfile]
Using DXtools
10–31
LDIF Tools
The options of the ldifsort command are:
Option
Description
-d
Sorts in descending order. The default is to sort in ascending order.
-v
Runs in verbose mode (diagnostics to standard error).
-U
Does not ignore (filter out) duplicate entries.
-a attr
Sorts entries based on the attribute attr. The default sort attribute is dn.
-b file
Writes duplicate or bad input records to file.
-m count
The number of records in each bucket. The default is 200. For best results, we
recommend that you set this option to the square root of the number of entries
in the file
(-m count = √ number of entries in file).
-r block
Number of buckets to allocate at a time. The default is 10,000.
-s bytes
Size of read buffer for each bucket. The default is 2,048 (2k).
-t dir
Uses the directory dir for temporary files.
The parameters of the ldifsort command are:
Parameter
Description
infile
The file to be sorted.
outfile
The file to which output is to be written. The default is to write output to
standard out.
DXtools Example 4
ldifsort
Make the old directory the same as the reference directory:
dxsearch -L -h oldhost "(oc=*)" > old.ldif
dxsearch -L -h referencehost "(oc=*)" > ref.ldif
ldifsort old.ldif old_sorted.ldif
ldifsort ref.ldif ref_sorted.ldif
ldifdelta old_sorted.ldif ref_sorted.ldif | dxmodify -h oldhost
10–32
eTrust Directory Administrator Guide
LDIF Tools
Calculating the Change Between Two LDIF Files: ldifdelta
Use this tool to calculate the change, or delta, between two LDIF files. The
ldifdelta program is an offline directory synchronization tool based on the LDAP
directory interchange format. You can use ldifdelta to fully or partially
synchronize directories.
The output file produced by ldifdelta is an LDIF file containing LDIF change
records. You can apply the output file against the outdated directory with the
DXmodify tool to update it with respect to the reference directory.
The format is:
ldifdelta [options] oldfile newfile [outfile]
The following are the parameters of the ldifdelta command:
Parameter
Description
oldfile
The outdated file.
newfile
The more recent file to compare against oldfile.
outfile
The output file containing the differences between newfile
and oldfile.
The following are the options of the ldifdelta command:
Option
Description
-x
Ignores X.500 operational attributes.
-v
Verbose output.
-Z schema
File containing schema definitions.
You must do two things before using the ldifdelta tool:
1.
Obtain the two required input LDIF files by using either the -L option with
the DXsearch utility or the DXdump utility.
2.
Sort the input LDIF data files using the ldifsort tool.
Using DXtools
10–33
LDIF Tools
DXtools Example 5
Using ldifdelta and ldifsort Together
Make the old directory the same as the reference directory:
dxsearch -L -h oldhost "(oc=*)" > old.ldif
dxsearch -L -h referencehost "(oc=*)" > ref.ldif
ldifsort old.ldif old_sorted.ldif
ldifsort ref.ldif ref_sorted.ldif
ldifdelta old_sorted.ldif ref_sorted.ldif | dxmodify -h oldhost
The following are known limitations of the ldifdelta tool:
■
■
10–34
Compares distinguished name in a case insensitive way, not by schema
matching rules.
When comparing URL values, ldifdelta compares only the file names. It does
not attempt to interpret the nature or contents of the file that the URL
references.
eTrust Directory Administrator Guide
DAP Tools
DAP Tools
The DAP import and export tools each work with LDIF files. The import tools
(DXmodify, DXrename, and DXdelete) generate updates of the directory, usually
from data in an LDIF file. The export tool (DXsearch) extracts data from the
directory and creates an LDIF file that contains the extracted data.
DXmodify
DXrename
Directory
DXsearch
LDIF
DXdelete
The following are the import and export tools:
DXmodify
Populates an empty directory; adds new entries; adds new attributes to
existing entries; modifies, renames, or deletes attributes of an entry
DXrename
Changes the common name of a directory entry
DXdelete
Deletes one or more directory entries
DXsearch
Searches a specified directory using defined filters
Note: These tools use the X.500 DAP/OSI protocol. They are similar to the public
domain LDAP tools (ldapsearch, ldapmodify, ldaprename and ldapdelete) but
offer more features.
Using DXtools
10–35
DAP Tools
Common Command Options
The following command arguments are common to the import and export tools:
Option
Value
-D binddn
Distinguished name of the user performing the bind.
-c
Continuous operation mode.
-n
Shows what would be done, but does not actually do it.
-Z schema
File containing schema definitions.
-v
Runs in verbose mode.
-f file
Reads file rather than standard input.
-w password
Bind password (for simple authentication).
-h daphost
Directory server (default is localhost).
-p dapport
Port on directory server (default is 102, the OSI port).
-H
Usage and option information is displayed.
-l timelim
Time limit (in seconds) of search.
You can include OSI addressing for transport, session, and presentation SAPs by
fully expanding the daphost:
hostname:portnumber/tsel/ssel/psel
You can include binary and ASCII characters in the tsel, ssel, and psel selectors.
The % is an escape character followed by two hexadecimal digits:
■
/ is expressed as %2F
■
% is expressed as %25
If you do not provide values for the binddn and password, the DXtools bind
anonymously.
You can combine the daphost and daport arguments into the daphost argument
only and express them as a dotted IP address or hostname. For example:
-h 192.168.19.202 -p 19389
can be expressed as:
-h hostname:1900
The examples in the following command descriptions are directed to the sample
DemoCorp directory supplied with DXserver. You can repeat the examples as a
training exercise.
10–36
eTrust Directory Administrator Guide
DAP Tools
Searching a Directory: DXsearch
The DXsearch tool searches a specified directory using defined filters. You can
specify search output as LDIF or text, or you can have each returned attribute
written to a file.
The format is:
dxsearch [options] filter [attributes]
The following are the available options for dxsearch:
Option
Meaning
-t dir
Writes values to files in the given directory.
-e
Sorts entries by depth (shallowest first).
-E
Sorts entries by depth (deepest first).
-A
Retrieves attribute names only (no values).
-N
Retrieves distinguished names only (no attributes).
-M
Does not multicast; limits search to a single directory.
-O
Retrieves all operational attributes.
-B
Does not suppress printing of non-ASCII values.
-T
Times the search (no search results printed).
-L
Prints entries in LDIF format (-B is implied).
-F sep
Prints sep instead of = between attribute names and values.
-b basedn
Base DN for search.
-s scope
Either base, one, or sub (search scope).
-a deref
Alias dereferencing; one of the keywords never, always, search, or
find.
-z sizelim
Size limit (in entries) for search.
The following are additional arguments for dxsearch:
Argument
Value
filter
RFC2254-compliant LDAP search filter.
attributes
Space-separated list of attributes you retrieve (when no attribute
list is given, you retrieve all).
Using DXtools
10–37
DAP Tools
DXtools Example 6
DXsearch
%dxsearch -L -h 192.168.19.202:19389 "(sn=horsfall)"
dn: cn=Murray HORSFALL,ou=Repair,ou=Operations,o=DemoCorp,c=AU
oc: organizationalPerson
oc: newPilotPerson
oc: quipuObject
cn: Murray HORSFALL
sn: HORSFALL
title: Information Technology Manager
telephone: 797 8877
description: Replacements
mail: [email protected]
postalAddress: 173 Toorak Pde $ Berkeley NSW
postalCode: 2506
If, in the previous example, you send the output to an LDIF file, you can edit the
file contents and use the DXmodify tool to implement the changes.
dxsearch -L -h yourhost:19389 "(sn=horsfall)" > h-modify.ldi
Reporting on Certificate and CRL Indexes: DXcert
The DXcert utility searches a directory for certificates and/or crls using defined
filters. You can specify search output as LDIF or text, or you can have the results
written to a file.
DXcert lists the results, with the specified certificate/crl components returned as
attributes.
Note: You must run DXindexdb before generating each report or batch of reports
to update the certificate/crl components indexes.
The format is:
dxcert options report -cert [component1 component2 ...] -crl [component1 component2 ...] filter
attributes]
10–38
eTrust Directory Administrator Guide
DAP Tools
Modifying a Directory: DXmodify
You can populate an empty directory, add complete new entries, add new
attributes to existing entries, modify, rename, or delete attributes of an entry
using the DXmodify tool. The key to DXmodify is the structure of the LDIF entry.
The tool DXmodify supports entry from standard input or an LDIF file. We
recommend using an LDIF file.
The format is:
dxmodify [options]
The following are the options for dxmodify:
Option
Meaning
-a
Add mode. The default is to add entries to the directory.
-r
Replace mode. The default is to replace entries in the directory
rather than add values.
-F
Forces use of all change records.
-q
Quiet mode, does not report successfully added or modified DNs
-s period
Sleeps for period (ms) after each operation
-O
Includes operational attributes.
The structure of the LDIF file specifies the modify action to take for each listed
attribute. When you do not specify a modify action, the system applies a default
action as specified in the command line. The available options are adding (-a) or
replacing (-r). This function is especially useful for importing large amounts of
data.
Note: When you do not specify a file name, the system waits for input.
DXtools Example 7
DXmodify
You can make multiple changes, such as changing the title and postal address,
adding a second telephone number, and deleting the description of an entry.
First, edit the contents of the output file h-modify.ldi from DXtools Example 6:
dn: cn=Murray HORSFALL,
ou=Repair,ou=Operations,o=DemoCorp,c=AU
changetype: modify
replace: title
title: Chief Information Officer
add: telephone
telephone: 797 8888
delete: description
Using DXtools
10–39
DAP Tools
replace: postalAddress
postalAddress: 173 Toorak Rd $ South Yarra
postalCode: 3066
This example shows that you can replace the values of multiple attributes using
one replace statement as long as the replace statement specifies the first attribute
name in the series.
Then we use DXmodify to apply the edited file as follows:
dxmodify -h localhost:19389 -f h-modify.ldi
modifying entry cn=Murray HORSFALL,ou=Repair,ou=Operations,o=DemoCorp,c=AU
Loading Binary Files: DXmodify
You can also use the DXmodify tool to load binary files.
To add a binary file, first decide on the directory schema object class and
attribute to use to hold the binary data—for example, the cosineJpegPhoto
attribute within the cosinePilotObject object class.
Next, create entries in an LDIF file with the following syntax:
attributeName:< FILE://path
Dxtools Example 8
DXmodify with Binary Files
In this example, we will add a JPEG file with a personnel record from staff.ldif.
For JPEG files, the object class is cosinePilotObject, the X.500 attribute name is
cosineJpegPhoto, and the LDAP attribute name is JpegPhoto.
Create an LDIF file (staff.ldif) with the following form:
dn: cn=Peter Bell,ou=Infrastructure,ou=Support,o=DemoCorp,c=AU
oc: organizationalPerson
oc: newPilotPerson
oc: cosinePilotObject
cn: Peter Bell
sn: BELL
cosineJpegPhoto:< FILE://d:\temp\PHOTO\BELPE01.jpg
title: Design Supervisor
telephone: 881 9256
description: Computing
mail: [email protected]
postalAddress: 7-11 Fine Street$Penville CA
postalCode: 32750
Run the following dxmodify command:
dxmodify -a -c -h hostname:19389 -f staff.ldif
10–40
eTrust Directory Administrator Guide
DAP Tools
Renaming a Directory Entry: DXrename
You can change the common name of a directory entry using the DXrename tool.
You can source the rename data for a single entry from the keyboard or source
multiple entries by using input from a file.
The format is:
dxrename [options] [dn newdn]
where:
■
-r removes the old RDN
■
dn is the distinguished name of the entry that is to be renamed
■
newrdn is the new RDN
Note: When a file name is not specified, the system will wait for input. The
content format for standard input and the file consists of multiple lines, and each
line is a unique distinguished name. The first line is the old distinguished name,
the second line is the new distinguished name, the third line is the old
distinguished name, and so on.
DXtools Example 9
DXrename
Consider an example entry Murray Horsfall and change the rdn to insert a
middle initial J. The example uses the input file option. The example file name is
filename.txt, shown below:
cn=Murray HORSFALL,ou=Repair,ou=Operations,o=DemoCorp,c=AU
cn=Murray J HORSFALL
You can apply the dxrename command as follows:
dxrename -r -h hostname:1900 -f filename.txt.
and you can check the results of the rename with a DXsearch as shown below:
dxsearch -L -h hostname:19389 "(sn=horsfall)"
dn: cn=Murray J HORSFALL,ou=Repair,ou=Operations,o=DemoCorp,c=AU
oc: organizationalPerson
oc: newPilotPerson
oc: 0.9.2342.19200300.99.3.2
cn: Murray J HORSFALL
sn: HORSFALL
title: Chief Information Officer
telephone: 797 8877
telephone: 797 8888
mail: [email protected]
postalAddress: 173 Toorak Rd $ South Yarra
postalCode: 3066
Using DXtools
10–41
DAP Tools
Deleting a Directory Entry: DXdelete
The DXdelete tool deletes one or more directory entries. You can supply the
target DN identification by a direct command-line entry, or you can delete
multiple entries by using input from a file.
The format is:
dxdelete [options] [dn]
The following is an additional argument for dxdelete:
Argument
Value
dn
Distinguished name of entry to delete.
Note: When a file name is not specified, the system waits for input. The content
format for standard input and the file consists of multiple lines, and each line is a
unique distinguished name.
DXtools Example 10
DXdelete
To delete the entry Murray J Horsfall, enter the command as follows:
dxdelete -v -h hostname:19389 "cn=Murray J HORSFALL,ou=Repair, ou=Operations,o=DemoCorp,c=AU"
and test the execution with DXsearch.
Bulk Loading Options
Traditionally, data is imported and exported from directories using the import
and export tools described earlier (see DAP Tools in this chapter for more
information) or using openly available LDAP utilities (ldapmodify and
ldapsearch). These utilities read and write LDIF files, encode or decode the data
into DAP or LDAP, and communicate with DXserver, which then decodes the
protocol and updates the underlying RDBMS database.
Importing and exporting can be made more efficient by bypassing the encoding
and decoding processes and loading or unloading LDIF directly to the database.
The bulk tools accomplish this by converting the LDIF file into a number of data
files that represent the internal database tables.
The following bulk tools are provided:
The DXloaddb tool
Creates and loads a database from a prepared LDIF file
The DXdumpdb tool
Extracts data from the database to an LDIF file
10–42
eTrust Directory Administrator Guide
Schema Tools
Schema Tools
The DXtools manage directory schema by making it easy to access and be
converted into proprietary formats.
The schema of the eTrust Directory server is in its schema directory (for example,
$DXHOME/config/schema), and consists up of individual schema configuration
files (.dxc) and group files (.dxg).
The schema of a running directory is available to LDAP clients through the
LDAP Version 3 mechanism of schema publishing. A convenient format in which
to extract the schema is LDIF.
After extracting the schema, you can use the schema tools to convert it into the
required format.
LDAP
dxschemaldif
Directory
Schema
LDIF
ldif2dxc
eTrust
dxschematxt
Directory
Schema
schema.txt
Schema management is required whenever the schema pertaining to a directory
is changed (for example, the addition of a new object class and its associated
attributes).
Another common case is integration with other LDAP directories. There may be
additional or different schema to incorporate in the existing directory system.
To make use of new schema, it must be made available to the directory and the
DXtools. This means a new or updated .dxc file, possibly an updated .dxg file,
and an updated schema.txt file.
The schema tools are:
DXschemaldif
Extracts published LDAP schema from LDAP directories in LDIF format
ldif2dxc
Converts LDAP schema in LDIF format into eTrust Directory server-side
format (.dxc) and optionally DXtools format (schema.txt)
DXschematxt
Converts eTrust Directory server-side schema into a schema.txt file that
DXtools uses
Using DXtools
10–43
Schema Tools
Extracting Schema in LDIF Format: DXschemaldif
Use the DXschemaldif tool to extract schema from external LDAP directories.
The tool extracts the LDAP schema in the LDIF format.
The syntax is:
dxschemaldif [-v] hostaddr:port
To get help on the tool, enter dxschemaldif with neither option nor parameter.
Typically, when using this tool, you will redirect the output from the screen to a
file.
DXtools Example 11
DXschemaldif
You want to extract the schema from a Version 3 LDAP directory and redirect
the output to the new_schema.ldif file. Enter the following command:
dxschemaldif -v ldapserver:389 > new_schema.ldif
You can use the ldif2dxc tool to convert the LDIF schema into the eTrust
Directory schema format.
10–44
eTrust Directory Administrator Guide
Schema Tools
Converting Schema from LDIF to DXserver Format: ldif2dxc
Use the ldif2dxc tool to convert LDAP schema in LDIF format into eTrust
Directory DXserver schema configuration format (.dxc). Optionally, the tool can
also update an existing schema.txt file.
The syntax is:
ldif2dxc [options] [outfile]
To get help on the tool, enter ldif2dxc with neither options nor parameter.
The options of the ldif2dxc command are:
Option
Meaning
-b badfile
Write bad schema records to the specified file.
-f file
Read input from the specified file.
-m map
Get OIDs from the specified map file. For information about the file,
see DXtools Example 14.
-M oid_arc
Generate missing OIDs from 'oid_arc'
For example:
■
x.y.z. generates x.y.z.0, x.y.z.1, etc
■
x.y.z.34 generates x.y.z.34, x.y.z.35, etc
For more information, see Example 16.
-s
Skip reserved DXserver attributes (for example, objectClass,
userPassword, …)
-x dxcFile
Exclude schema that is defined in the specified eTrust Directory
schema file.
-Z schema
Append new schema definitions in DXtools schema file format to
the specified file.
Using DXtools
10–45
Schema Tools
DXtools Example 12
ldif2dxc
You want to convert the schema in the new_schema.ldif file from DXtools
Example 11. In this case, you are not interested in the entire external schema, but
rather schema unique to the external source. The local directory also typically
sources a single DXserver schema group file (for example, default.dxg).
To convert only the schema unique to the external source, you want to instruct
the tool to exclude an existing schema file. In addition, you want to instruct the
tool not to redefine any internal DXserver schema definitions.
Enter the following command:
ldif2dxc -f new_schema.ldif -s -x default.dxg new_schema.dxc
DXtools Example 13
ldif2dxc with Errors
While converting the schema in the new_schema.ldif file, the tool stops with an
error because of schema incompatibility with eTrust Directory and does not
produce any output. The problem may be caused by an unsupported syntax or
matching rule, or an error in the published schema. In these cases, you can
instruct the tool to write any bad schema to a bad file but continue writing the
good schema to your output file. You can inspect the bad file and decide whether
it is worthwhile to correct any of the errors (for example, remove an obscure
matching rule for substrings), and then rerun the tool until you have what you
need.
To run the tool with a bad file, enter the following command:
ldif2dxc -b bad.txt -f new_schema.ldif -s -x default.dxg new_schema.dxc
10–46
eTrust Directory Administrator Guide
Schema Tools
DXtools Example 14
ldif2dxc with Map File
Some LDAP directories publish OIDs as labels rather than dotted decimal strings
(for example, xyConfig-oid). These object classes and attributes do not load into
the directory. Instead, the tool assigns them temporary OIDs off the eTrust
Directory arc to enable you to load the new schema, but this solution may not be
suitable for all directory implementations.
If the dotted decimal form of these object class and attribute OIDs are available,
you can create a map file, and instruct the tool to look up these label OIDs in the
file and substitute the labels by the dotted decimal OIDs.
The map file is a three-column comma-separated value (CSV) file with the
following format, for example:
------------------------------------#
# format: objectClass, attributeType, oid
#
# objectClasses
xyConfig-oid,,1.2.3.4
xyAdmin-oid,,1.2.3.5
# attributeTypes
,abstract-oid,1.2.4.5
,aci-oid,1.2.4.6
-------------------------------------
You map a dotted decimal OID to either an object class or an attribute type, but
not both.
To run the tool with a map file, enter the following command:
ldif2dxc -b bad.txt -f new_schema.ldif -m map.txt -s -x default.dxg new_schema.dxc
DXtools Example 15
ldif2dxc and the schema.txt File
If the new schema has attributes that should be searchable, or object classes and
attributes that exist as data in the directory, and you plan to use the DXtools to
search, load, or dump the directory, then you must update the schema.txt
DXtools file. While converting the schema in the new_schema.ldif file, you want
to instruct the tool to append any new schema to the existing schema.txt file. For
example, on a UNIX system, you can enter the following command:
ldif2dxc -b bad.txt -f new_schema.ldif -m map.txt -s -x default.dxg -Z
$DXHOME/bin/schema.txt new_schema.dxc
Using DXtools
10–47
Schema Tools
DXtools Example 16
ldif2dxc and label OIDs
If there are a large number of “label” OIDs (e.g. xyConfig-oid) in the LDIF
schema file it may take a long time to add an entry for everyone in a map file. An
alternative is to specify an OID arc that the tool will use in place of any label
OID, incrementing it for each label OID it finds.
If your arc is new, you can specify it with a trailing ‘.’, and the tool will start
incrementing it from 0. If some OIDs have already been assigned against this
OID arc, you can specify the next available OID, and the tool will start
incrementing from that one.
To replace the map file in Example 15 with a new OID arc of “1.22.333.444.”, on a
UNIX system, enter:
ldif2dxc -b bad.txt -f new_schema.ldif -M 1.22.333.444. -s -x default.dxg -Z
$DXHOME/bin/schema.txt new_schema.dxc
If the tool encountered the OID label xyConfig-oid in new_schema.ldif, it will
assign it an OID of 1.22.333.444.0. If it then encountered the OID label abConfigoid, it will assign it an OID of 1.22.333.444.1, etc.
If twenty OIDs from this arc were assigned, the next available OID would be
1.22.333.444.20. If you were to perform another integration with schema from
new_schema2.ldif, to avoid clashing with existing OIDs in the directory, on a
UNIX system, enter:
ldif2dxc -b bad.txt -f new_schema2.ldif -M 1.22.333.444.20 -s -x default.dxg -Z
$DXHOME/bin/schema.txt new_schema2.dxc
If the tool encountered the OID label cdConfig-oid in new_schema2.ldif, it will
assign it an OID of 1.22.333.444.20. If it then encountered the OID label efConfigoid, it will assign it an OID of 1.22.333.444.21, etc.
10–48
eTrust Directory Administrator Guide
Schema Tools
Converting Schema from DXserver Format to DXtools Format: DXschematxt
Use the DXschematxt tool to convert DXserver schema configuration files into a
DXtools schema file. This is required when the existing DXtools schema file is
badly out of date, or is lost or corrupted.
The syntax is:
dxschematxt [options] files
To get help on the tool, enter dxschematxt with neither options nor parameters.
The options of the dxschematxt command are:
Option
Meaning
-f path
Read schema from the specified path rather than the default schema
configuration path (for example, $DXHOME/config/schema).
-Z file
Write to the specified file rather than the default scheme.txt file (for
example, $DXHOME/bin/schema.txt).
files is a list of space-separated DXserver schema configuration files that you
want to convert. The list of files can include .dxc and .dxg files. The tool will read
the schema configuration files listed in the group files.
DXtools Example 17
dxschematxt
You want to rebuild the DXtools schema.txt file in $DXHOME/bin from the
default schema group file. The tool backs up the current file automatically. Enter
the following command to instruct the tool to read from that particular file:
dxschematxt default.dxg
DXtools Example 18
dxschematxt to New DXtools Schema File
You want to build a new DXtools schema file. For example, on a UNIX system,
you can enter the following command:
dxschematxt -Z $DXHOME/bin/new_schema.txt default.dxg
DXtools Example 19
dxschematxt from Other Path
You want to build a new DXtools schema file from files in another location. For
example, on a UNIX system, you can enter the following command:
dxschematxt -Z $DXHOME/bin/new_schema.txt -f $DXHOME/config/new_schema default.dxg
experimental.dxc
Using DXtools
10–49
Directory Administration Tools
Directory Administration Tools
Checking DSA configuration: DXsyntax
DXsyntax is a tool for checking the configuration of one or more DSAs. It is most
easily run on the server hosting those DSAs, but it can be run remotely, provided
the machine running it has access to the configuration directory of the server
hosting the DSAs.
DXsyntax has only one parameter: the DSA file name. Running DXsyntax
without a parameter causes it to check the configuration of every DSA.
To check a single DSA, run DXsyntax with the name of the DSA as its parameter.
The name can be a filename pattern. For example, to check all DSAs whose
names start with rk, run DXsyntax with a parameter of rk*.
DXsyntax runs through the configuration files of each DSA in turn, reporting a
detailed error message if it finds a problem. The error message specifies the line
and file where the error was detected (the actual error may be earlier), and
provides details on the error condition. Only one error is reported for each DSA
checked, because a single error can cause a cascade of problems that is
overwhelming.
If no errors are found, DXsyntax exits without a message, and with a return code
of 0. This is handy for use in routine test scripts. If one or more errors are found,
DXsyntax exits with an error message and a non-zero return code.
DXsyntax relies on the DXHOME environment variable. DXHOME must be set
to the home path of DXserver. This is done automatically when eTrust Directory
is installed. DXsyntax expects the DSA configuration files to be located in the
config folder under the path in DXHOME.
10–50
eTrust Directory Administrator Guide
Chapter
11
Using JXplorer
JXplorer is a general purpose LDAP-compliant directory browser. It has a simple
user interface, yet supports a wide range of powerful, configurable functions.
With the JXplorer browser, you can:
■
■
■
■
■
■
■
■
■
Connect to any directory that supports LDAP and navigate, search, and
modify the directory.
Read the directory’s schema directly, rather than relying on schema
configuration files.
Visually cut, paste, and edit subtrees in the directory, including drag and drop
on Windows platforms.
Import and export LDIF files from a directory and even manipulate them
offline.
Configure the browser in many ways, including its appearance and logging
information. For example, you can configure the look of the browser to a
company standard by using company-specific icons for the directory and
company graphics within the HTML templates.
Display directory data within configurable HTML templates using a simple
extension to the HTML language.
Run in debug mode, permitting full tracing of the LDAP BER protocol.
Run on a wide variety of operating system platforms, since JXplorer is
written in the Java programming language.
Optionally use SSL to communicate securely, and SASL for secure certificatebased authentication.
eTrust Directory is a fully functional LDAP-compliant directory that lets you use
all the features of JXplorer.
Using JXplorer
11–1
The JXplorer Browser
The JXplorer Browser
To start JXplorer, click Start, Programs, Computer Associates, eTrust, eTrust
Directory, JXplorer.
When you start JXplorer and connect to a directory, the main browser window
appears:
The menu bar at the top of the browser provides access to a full range of browser
functions through pull-down menus.
Two toolbars below the menu bar give shortcuts to commonly used functions.
The first is a button bar, with shortcuts to commonly used menu functions. The
second, the quick search toolbar, lets you quickly execute simple searches (such
as searching a directory for an employee’s name).
The status bar at the very bottom of the browser displays the status of the
browser. For example, it shows whether the browser is connected or not.
The main body of the browser is divided into two panes. The left pane is the
directory tree, which you can navigate by using the mouse to click the entries.
The right pane shows the selected entry from the directory, shown either as an
HTML page or as a table of attributes and values.
11–2
eTrust Directory Administrator Guide
The JXplorer Browser
Menu Bar
The menu bar provides the following functions:
Menu Item
Function
File
Connect
Connects to an LDAP-compliant directory.
Disconnect
Breaks the current LDAP connection.
Print
Prints the current viewed entry.
Refresh Tree
Resets the directory tree and starts reloading entries.
Exit
Closes the browser.
Edit
New
Adds a new entry under the selected position.
Copy DN
Sends the DN of the current entry to the clipboard.
Cut Branch
Cuts the currently selected entry or subtree.
Copy Branch
Copies the currently selected entry or subtree.
Paste Branch
Pastes the previously cut or copied subtree under the
selected position.
Paste Alias
Pastes the previously copied Distinguished
Name (DN) of an entry as an alias under the selected
position.
Delete
Deletes the currently selected entry or subtree.
Rename
Lets you rename the currently selected entry.
View
Show Button Bar
Displays or hides the shortcut button bar.
Show Search Bar
Displays or hides the quick search toolbar.
Refresh
Reloads the currently selected entry from the
directory.
Bookmark
Add Bookmark
Lets you add a bookmark.
Delete Bookmark
Lets you delete a bookmark.
Edit Bookmark
Lets you edit a bookmark.
Using JXplorer
11–3
The JXplorer Browser
Menu Item
Function
Search
Search
Performs an advanced search.
Delete Filter
Deletes a saved filter.
Return Attribute Lists Manages the attributes that you want returned in a
search.
Filter
Lists all saved filters.
Ldif
Export Full Tree
Writes the entire directory tree to an LDIF file.
Export Subtree
Writes the currently selected subtree to an LDIF file.
Import File
Imports an existing LDIF file into the directory.
View Offline
Lets you view and edit an LDIF file in the browser.
Options
Confirm Tree
Operations
Enables a safety mode, which prompts you to
confirm modifications before they are made.
Confirm Table Editor
Updates
Enables a confirmation dialog, which appears after
you make a change to the directory.
Ignore Schema
Checking
Stops the browser checking that the user’s input
conforms to the directory schema.
Resolve Aliases While Displays the alias details such as where the alias
Browsing
entry points. This affects both browsing and
searching.
Advanced Options
Displays the Advance Options dialog, which enables
you to choose the look and feel of the browser,
logging options, and LDAP levels.
Tools
Stop Action
Cancels the current browser operation.
Security
11–4
Trusted Servers and
CAs
Displays the options for server-only authentication.
Client Certificates
Displays the options for client and server
authentication.
Advanced Keystore
Options
Displays the options for setting up keystores.
eTrust Directory Administrator Guide
The JXplorer Browser
Menu Item
Function
Help
Contents
Lists the titles of help topics.
Search
Lets you search for help on a particular keyword.
About
Lists information about the JXplorer browser,
including its current version number.
Button Bar
The button bar provides shortcuts for normal menu functions.
Button
Function
Connect
Connects to an LDAP-compliant directory.
Disconnect
Breaks the current LDAP connection.
Print
Prints the currently selected entry.
Cut Branch
Cuts the currently selected entry or subtree.
Copy DN
Sends the DN of the current entry to the clipboard.
Copy Branch
Copies the currently selected entry or subtree.
Paste Branch
Pastes the previously cut or copied subtree under the
selected position.
Paste Alias
Pastes the previously copied DN of an entry as an
alias under the selected position.
Delete
Deletes the currently selected entry or subtree.
New
Adds a new entry under the selected position.
Rename
Lets you rename the selected entry.
Refresh Entry Reloads the currently selected entry from the
directory.
Cancel
Stops the current operation (such as a search or a
directory update).
Using JXplorer
11–5
The JXplorer Browser
Quick Search Bar
The quick search bar lets you execute simple searches.
1. Choose or
type an attribute
2. Choose
an operator
3. Type a value
to search on
4. Start the search
The operators are:
■
Equal to
=
■
Not equal to
!(=)
■
Less than or equal to
<=
■
Greater than or equal to
>=
■
Approximately equal to
~=
For more information about searching, look in Chapter 13 in the User Guide.
Displaying the Directory Tree
The tree display pane (the left pane) displays the directory tree, and allows you
to graphically browse the directory.
There are usually three tree views available:
Explore
Displays the data in the current directory
Results
Shows the results of the most recent search
Schema
Displays the schema currently in use by the directory
11–6
eTrust Directory Administrator Guide
Browsing a Directory
Browsing a Directory
With JXplorer, you can browse any LDAP-compliant directory. This section
describes the browsing functions available.
Starting JXplorer
You can run JXplorer on either a Windows or UNIX computer.
On Windows
To start JXplorer on a Windows computer, click Start on the taskbar, and then
choose Programs, Computer Associates, eTrust, eTrust Directory, JXplorer.
On UNIX
To start JXplorer on a UNIX computer, issue the following command from the
JXplorer directory:
./jxstart.sh
Connecting to a Directory
When you choose File, Connect (or click the Connect button), the browser
displays the following connection dialog, requesting the information that
JXplorer needs to connect to a directory.
The browser requires the following information to make a connection:
■
The name of the computer that hosts the directory.
■
The port number of the server on that computer.
■
The base distinguished name of the directory.
If none is given, the browser is still able to connect, providing that the
directory is one (like eTrust Directory) that makes this information available.
Using JXplorer
11–7
Browsing a Directory
■
■
■
The protocol that is in use, which can be Lightweight Directory Access
Protocol (LDAP) or Directory Services Markup Language (DSML). For
LDAP, this is usually Version 3, but can be Version 2 to support older
directories.
If the DSML protocol is selected, the path to the DSML service.
The security level with which you want to connect (not applicable to DSML).
You can connect to the directory anonymously, or with your user name and
password. If you require higher security, you can establish a link to the
server using SSL with either of these methods. When a client keystore is
available, you can use full client-authenticated SSL, combined with SASL
authentication at the directory.
The browser lets you save connection details for commonly used directories as
connection templates. To save the information, supply a name (or select an existing
name from the drop-down list), and then click Save. You can save any number of
connection templates, and you can edit or delete them at any time.
You can also choose to make one of the connection templates a default template.
After you specify a default template, the connection dialog opens with the details
from that template already filled in.
Note: For security reasons, the password field is not saved in any template.
Reading Schema
After the connection details are obtained, the browser attempts to contact the
directory. When the directory is contacted, the browser obtains the directory’s
current schema (provided that an LDAP Version 3 connection has been made).
Directories that support LDAP Version 3 (such as eTrust Directory) download
the schema to the browser. This lets the browser correctly create, display, and
edit entries without requiring any independent browser configuration. Since the
browser gets the schema from the directory, it is always up-to-date, and there is
no possibility of inconsistency.
Navigating the Directory Tree
You can navigate the directory tree by mouse or keyboard.
By Mouse
To expand or collapse a subtree, click on the expansion icon (which usually
appears as a small box containing either a + or -) to the left of the entry. Doubleclick on the text portion of a tree entry to display that entry in the viewing pane.
By Keyboard
Use the arrow keys to select entries. Press Enter to expand and collapse a
subtree, or display an entry in the viewing pane.
11–8
eTrust Directory Administrator Guide
Browsing a Directory
Displaying an Entry
The entry display pane (the right pane) displays the currently selected directory
entry, either in an HTML template, or in an editable table of attributes and values.
When you select an entry, whether from the Explore view, the Results view, or
even the Schema view, the browser queries the directory for the attribute values
of the entry and displays the results in the entry display pane. The results can be
displayed either in the HTML template view or in the attribute/value table view.
The HTML Viewer
The following is an employee record displayed in an HTML template. The
template contains three tabs (Main, Address, and Other) that display the
attribute information for the selected entry.
Using Different HTML Templates
When the browser initially reads an entry, it attempts to find an appropriate
HTML template in which to display the entry, as follows:
■
■
■
■
The HTML templates key on the object classes of the entry, with each HTML
template specializing in displaying one object class.
Each object class can have multiple HTML templates capable of displaying it.
HTML templates for a given object class can also display entries whose
object classes are inherited from that object class.
When you select an HTML template for a particular entry, the browser
remembers that template and uses it for other entries of the same object class.
Using JXplorer
11–9
Browsing a Directory
The number of attributes and how they are displayed depend on the HTML
template. When the HTML template does not have a tag for a particular attribute,
that attribute is not displayed. A tag is available for displaying all attributes that
have values. The tag is used to simplify the display of large numbers of
attributes.
This use of HTML templates enables:
■
Different types of entries to be displayed in ways appropriate to their type
■
Site-specific help information to be included in the HTML
■
HTML hyperlinks to be used to link to existing company resources
■
Straightforward customer configuration of data display
■
■
Special purpose templates for different types of users (administrator, help
desk, office staff, and so forth)
Use of corporate branding and logos
The Table Editor
The same employee record can be edited and displayed in the table editor.
You can also use it to view the attributes an entry can contain, because it uses
schema to show all the possible attributes that the entry might have.
Attributes in bold represent mandatory attributes – these must be present for the
entry to be valid. Click the Properties button to display operational attributes
such as the date of the last modification.
You can configure the table viewer to include custom binary editors, which may
be the only way to view complex or application-specific binary data.
11–10
eTrust Directory Administrator Guide
Browsing a Directory
Refreshing Entries
For efficiency, the browser caches entries, unless you specifically request to
reload them from the directory. You can force a single entry to be reloaded by
selecting the Refresh option. You can refresh the DIT by selecting the Refresh
Tree option.
Searching
In JXplorer, you can search for an entry in two ways. You can run a quick search
using simple criteria, or you can run a complex search that you can save to
search_filters.txt as filters. Complex searches display search results as complete
directory trees, letting you browse large numbers of search results or save them
as LDIF files.
Running a Quick Search
You can quickly execute simple, single-attribute-value searches using the quick
search bar, which contains a pull down list of common attribute types. You can
add attributes to this list; the browser saves changes to the list when you exit the
browser.
The quick search bar makes it possible to do common searches, for example,
specific employee names, part numbers, and so on, without having to access the
menu bar or enter a complete LDAP-format search request.
Running a Complex Search
You can perform more complex searches using the Search dialog.
Using JXplorer
11–11
Browsing a Directory
The Search dialog lets you search one of the following:
■
The selected entry
■
The next level from the selected entry, but not including the selected entry
■
The full subtree
You can use the filter constructor to create complex searches, and then save the
details in a property file for use later. You can use the Information to retrieve
drop-down list to select the definition that contains the list of attributes you want
returned. To create these definitions, choose Return Attribute Lists from the
Search menu. For more information about how to create the lists, see the online
help.
Aliases are similar to shortcuts and are used in some directories to link different
parts of the tree. When you search aliases, JXplorer returns the real entry to
which the alias points. When you do not search aliases, JXplorer does not resolve
alias references and returns all alias entries as regular entries.
You can choose to resolve aliases while:
■
■
Searching, that is, to resolve aliases for subordinate entries of the base object
Finding the base object, that is, to resolve aliases when locating the base
object of the search
Consequently, when you check both options, all aliases are resolved, and when
you do not check an option, no aliases are resolved.
Saving Complex Searches
Since constructing complex searches can be time-consuming, JXplorer lets you
save complex searches as filters for later use. With saved searches, you can:
11–12
■
Save any number of searches as filters
■
Edit or delete them at any time
■
Copy searches for modification, and save them under a different name
eTrust Directory Administrator Guide
Browsing a Directory
Search Results Tree
Regardless of whether the search is run using the quick search bar or a search
menu option, once it is run the matching entries are displayed as a results tree in
the Results view of the directory tree pane.
Parents of search results appear as empty entries in the tree. You can browse and
save the search result tree (including LDIF format) just like the directory tree.
You can edit the results.
You can set the number of entries returned from a search, and the timeout. See
Search Limits in this chapter for more information.
Creating Bookmarks
A bookmark is an entry in the directory that you identify and name for future
reference. You can use a bookmark to quickly jump to an entry.
To add a bookmark, simply select the entry that you want to mark, and choose
Add Bookmark from the Bookmark menu.
Using JXplorer
11–13
Browsing a Directory
Exploring Schema
In addition to viewing the data entries held in a directory, you can directly view
the schema that is read from the directory. Use the Schema view of the directory
tree pane.
Note: Some of the following options may not be available with servers other
than DXserver, because not all servers implement full schema publishing.
The Schema pane lets you examine attribute definitions, class definitions, and
syntax definitions.
Attribute definitions include:
■
Names
■
X.500 OIDs
■
Attribute syntaxes
■
Syntax descriptions
■
A flag showing whether the attribute is single valued
■
General descriptions (if available)
Class definitions include:
■
Names
■
Parents
■
Kind (structural, auxiliary or abstract)
■
A list of must-contain OIDs
■
A translation of OIDs that must be contained in attribute names
Syntax definitions include:
11–14
■
The numeric OID
■
The text description of the OID
eTrust Directory Administrator Guide
Browsing a Directory
As with the other tree displays, you can display schema entries either in the table
view or in custom HTML template pages. Unlike the other tree displays,
however, you cannot edit the schema directly through the browser. For security
and administration reasons, many servers do not permit their schema to be
edited online and require an administrator to perform schema maintenance at
the server.
You can export schema to an LDIF file, but this is not the usual way to store
schema information and most directories cannot use it without further
processing.
Using JXplorer
11–15
Editing the Directory
Editing the Directory
You can modify entries in the directory using the browser in a large number of
ways, ranging from slight modification of a single attribute value to large-scale
tree operations affecting many thousands of entries.
JXplorer lets you use graphical cut-and-paste techniques to manipulate entire
directory subtrees; you can manipulate individual entries using the table editor.
You can rename entries from either the directory tree pane or the table editor,
depending on what is most convenient at the time.
Directory Tree Operations
As you browse the directory tree, you can modify the directory using the menus,
the button bar shortcuts, or the Context menu (accessed by right-clicking on the
entry) for the entry in the tree itself.
WARNING! This is a very powerful tool, and you can affect large areas of the directory
with a single operation. To avoid accidents, you should turn on the Confirm Tree
Operations flag on the Options menu.
Cut, Copy, Paste, and Delete
You can manipulate the directory tree using the cut, copy, paste, and delete
operations. On Windows platforms, you can copy and move entries by dragging
them with the mouse (“drag and drop”). These operations can be carried out on
individual entries within the directory tree or on whole subtrees. Since most
directories do not natively support operations on entire subtrees, the client reads
and writes all subtree entries recursively, enabling operation on all types of
LDAP-compliant directories.
When you select (and therefore display) an entry, all cut, copy, paste, and delete
operations occur relative to this selected entry. Specifically:
Delete
Removes the selected entry and any subentries
Copy Branch
Copies the selected entry and any subentries
Cut Branch
Prepares the selected entry and any subentries to be moved to a new location
Paste Branch
Either moves or copies a previously cut or copied entry (and any subentries)
under the selected entry as child entries
11–16
eTrust Directory Administrator Guide
Editing the Directory
Since some subtree operations involving large numbers of entries can take a
significant time to complete, the browser displays a progress bar if it estimates
that the operation is extensive:
The progress bar displays the number of entries processed and estimates the
proportion of the operation completed. When you want to stop the operation,
you can either click Cancel in the Progress, or click the Stop button on the quick
search toolbar. When you do this, any changes already made will be kept.
Renaming Entries in the Directory Tree
You can rename an entry within the directory tree by selecting the Rename
option.
When an entry is renamed, the appropriate changes to the naming attributes are
also made. Naturally, when a parent is renamed, the DNs of the entries in the
entire subtree under the parent also change.
Copying Distinguished Names and Pasting Aliases
Aliases are similar to shortcuts and are used in some directories to link different
parts of the tree. To create an alias, copy the DN of an entry, and then paste it to
another part of the tree using the Paste Alias option. When you copy an entry,
you can choose to copy the full distinguished name of the entry.
You can also use the Copy Branch and Copy DN functions to copy the name of
an entry for pasting into any of JXplorer's text entry fields, or into your own
documents.
Using JXplorer
11–17
Editing the Directory
Modifying Attributes in an Entry
You can modify entries in the table editor, which is a simple tabulated list of
attribute names and corresponding attribute values. From the table editor, you
can:
■
■
■
■
■
■
■
Edit existing values
Add new attribute/value pairs
Delete attributes and values
Copy and paste attribute values
Manipulate binary attributes
Submit the results to the directory
Add or remove naming attributes
These user modifications do not affect the directory until the entry is submitted.
When you have finished modifying the entry and checked your work, click the
Submit button to send the changed entry to the directory. Only at this point is the
data in the directory changed.
Changing Attribute Values
You can edit existing values where they are by selecting the appropriate cell in
the table and retyping the value.
Note: Binary values, attributes that contain an address, and user passwords are
handled differently. See Using Binary Values, Using the Postal Address Editor,
and Entering a User Password in this chapter for more information.
Deleting Values and Attributes
You can delete values (including binary values) using one of the following
methods:
■
■
Select the text in the cell, and then press the Delete key to leave an empty
cell.
Right-click on the table row, and then choose Delete Value Attribute from the
Context menu.
When you delete the last value of a given attribute, the attribute is also deleted;
however, it is not possible to delete the last value of a mandatory attribute, and
the browser does not let you submit an entry that does not include mandatory
attributes, unless the Ignore Schema Checking option is active. See Mandatory
Attributes in this chapter for more information about mandatory attributes.
11–18
eTrust Directory Administrator Guide
Editing the Directory
Adding Values and Attributes
When an attribute does not already have a value, but is available to a particular
entry type, you can create it by finding the attribute in the list of blank-valued
attributes at the bottom of the table and filling in the missing value. When an
attribute already exists and has values, you can create a new value by rightclicking on the attribute name and choosing Add Another Value from the
Context menu.
You can add new binary values and addresses this way, but you must fill them
in using the Binary Editor, and the Postal Address Editor, respectively. See Using
Binary Values and Using the Postal Address Editor in this chapter for more
information.
Mandatory Attributes
Some attribute names are represented in bold type. These are mandatory
attributes, which must have at least one value for the entry. The browser does
not submit an entry if it has any mandatory attributes without at least one value.
Naming Attributes
Some attributes are used to name an entry, by forming its Relative Distinguished
Name (RDN). Each entry must have at least one naming attribute. Although
attributes can have more than one attribute value, only one of these can be
chosen as the naming attribute. For example, common name may have two
values, Fred and Freddie, but only one can be used as the naming attribute.
Important! You can set naming attributes for mandatory attributes only.
To make an entry a naming attribute, select the entry in the table editor, rightclick the mouse button, and choose Make Naming Value from the Context Menu.
Naming attributes are displayed in the table editor in blue. Multiple naming
attributes appear in the tree display with a + symbol joining them.
For example, you may want to name a person by the commonName, or cn
attribute, and the surname, or sn attribute. In the case of Craig Link, Craig LINK
is the value of the cn naming attribute, and LINK is the value of the sn naming
attribute. Both entries appear in the table editor in blue, and in the tree display as
Craig LINK + LINK. The order in which the naming attributes appear in the tree
display depends on the order in which they are originally entered into the
directory.
Using JXplorer
11–19
Editing the Directory
Changing Classes
The object class attribute of an entry determines the attributes that are available
for an entry; therefore, you must modify them separately using the Change
Classes button, located at the bottom of the table editor. This displays the same
list of available object classes as is available in the New Entry panel.
WARNING! You must be careful when deleting object class values because you also
remove all related attributes.
Using the Postal Address Editor
All attributes that have an address value, for example, homePostalAddress, are
entered through the Postal Address Editor dialog, which appears when you
select an address field in the Table Editor. The dialog lets you enter the details, as
they appear in a template with the relevant line breaks and spacing.
Entering a User Password
User passwords are entered via the User Password Data dialog, which appears
when you select the userPassword attribute type in the table editor. The same
procedure applies whether you are entering a new password, or changing an
existing password. Because access to a record is controlled via the access control
settings in the directory’s configuration file (.dxc), you do not have to enter the
existing password before changing it.
Using Binary Values
LDAP is primarily a string handling protocol and many attribute values are
simple text strings. However, it is often necessary to load other types of data, for
example, certificates and images.
JXplorer allows you to load binary files to some attributes, such as Photo and
userPKCS12.
The browser also supports custom binary editors (written in Java using a
provided minimal API) that dynamically loads at run time. You key such binary
editor extensions to a particular object class. This would allow you to write, for
example, an editor for a custom certificate object class.
Standard editors are provided for X.509 certificates, and a number of standard
image and audio formats.
11–20
eTrust Directory Administrator Guide
Editing the Directory
Importing Binary Files
With the Binary Data dialog shown below, you can:
■
Import binary files
■
Export binary files
See the online help for instructions for importing, exporting, and launching
binary files.
Adding a Photo
JXplorer lets you import a photo into the directory, and display it in an HTML
template. In table editor view, the photo is displayed using the photo editor.
JXplorer lets you import photos through the jpegPhoto dialog, which appears
when you select the jpegPhoto attribute type in the table editor. The display area
expands to display the photo you selected; however, it does exceed the size of the
window. When the photo is larger than the window, you can view the photo by
using the scroll bars. All photos must be in .jpeg format. After loading, JXplorer
gives you the option of saving the photo to another location, using your system’s
file browser.
Using JXplorer
11–21
Editing the Directory
Adding an Audio File
JXplorer lets you import an audio file into the directory, and export it using your
system’s file browser. You can also play the audio file from in JXplorer. You can
import all audio formats; however, the Audio dialog plays only the following
formats:
■
.mid
■
.au
■
.wav
■
.aiff
Audio files are imported through the Audio dialog, which appears when you
select the audio attribute type in the table editor.
Adding Files that Can Be Launched
JXplorer provides the odMultimedia class that contains attribute types that let
you launch files of the following formats:
Format
Attribute Type
.avi
odMovieAVI
.doc
odDocumentDOC
.mid
odMusicMID
.wav
odSoundWAV
.xls
odSpreadSheetXLS
A dialog appears when you click the value field of one of these attribute types in
the table editor.
For more information about how to add these files, see the online help.
11–22
eTrust Directory Administrator Guide
Editing the Directory
Adding a New Entry
You can add an entry by selecting the New option.
The new entry is created as a child of the currently selected entry in the tree.
When a new entry is created, you must specify the entry’s RDN and list its object
classes.
Choosing Object Classes
When there are other children of the selected entry, the browser suggests object
classes based on those children; otherwise, you must select them. (To turn this
behavior off, clear the Suggest Classes checkbox). Since the browser is schema
aware, it can fill in any required parent classes.
The choice of object classes must conform to the restrictions laid down by the
schema. The server may also have additional schema rules restricting where
entries of a particular type are created. For example, it may not be possible to
create a country entry underneath an organizationalUnit entry.
Setting Initial Attribute Values
When all information is entered in the new entry dialog, the entry is set up in the
browser, and you can fill in the entry’s attributes in the table editor. Before the
entry is actually created in the directory, you must enter the information for the
attributes and submit them—especially mandatory attributes.
Using JXplorer
11–23
Editing the Directory
Submitting an Entry to the Directory
Once a new entry has been filled in, or an existing entry has been modified, you
must submit the result to the directory. The browser checks for consistency using
schema information, and the directory checks the entry again when it is
submitted.
If the entry is invalid, the browser reports the directory error to you, but leaves
your changes unaltered in the edit table. To discard your changes, click the Reset
button.
Submitted entries are:
11–24
■
Checked for gross errors by the browser.
■
Submitted to the directory through LDAP.
■
Checked for errors by the directory, after which either:
–
The user is informed if an error has occurred.
–
If no error has occurred, the browser display tree is updated.
eTrust Directory Administrator Guide
Using LDIF Files
Using LDIF Files
LDIF files are a widely used format for saving directory information, similar to
the use of comma-separated value files for storing a table from a relational
database. LDIF is an Internet standard (RFC 2849) for storing directory entries in
a text file as a distinguished name followed by a list of attribute and value pairs.
More information about LDIF is available from the IETF (Internet Engineering
Task Force) at their web site http://www.ietf.org/rfc/rfc2849.txt.
JXplorer lets you use LDIF files to save, enter, and edit directory information,
both with and without an LDAP connection to a directory.
Importing and Exporting an LDIF File
You can import an LDIF file into or exported it from the browser. When the
browser is connected to a directory, it reads the values from the selected file and
added them to the directory, or reads the values from the directory and writes
them to an LDIF file.
JXplorer:
■
Lets the prefix of the DNs in the LDIF file be replaced when reading or
writing an entry to assist in data migration between directories
■
Automatically handles base-64-encoded binary LDIF data
■
Flags (with the help of the directory) when LDIF data entries are invalid
In addition, JXplorer provides a status display when it estimates that a large
import or export operation is taking place. The status display shows the number
of entries processed and the estimated proportion processed. Click Cancel when
you want to quit a long operation.
Using an LDIF File Without a Directory
An added feature of JXplorer is that it lets you use an LDIF file directly as a
miniature directory without any LDAP connection to a directory server. Using an
LDIF file offline in this way can be useful for:
■
Editing during data migration
■
Caching data over a slow communication link
■
Stand-alone demonstrations (on laptops, for example)
■
Reviewing data before committing it to a production environment
Using JXplorer
11–25
Using LDIF Files
Viewing and Saving Offline
To start offline operation, choose Ldif from the menu bar, and then select View
Offline. Select an LDIF file in the same way any LDIF file is imported into the
directory. Once selected, the browser loads the LDIF file, which is displayed as a
directory tree.
You can save the entire tree, or any subtree, at any time to any existing, or new,
LDIF file. To do this, choose Ldif from the menu bar, and then select Export Full
Tree or Export Subtree.
Navigating and Editing Offline
Because there is no communication lag, you may navigate the offline LDIF file
faster than using a directory. You can also edit the LDIF file, and add and
manipulate binary values. The only restriction in the use of offline LDIF files is
that they cannot be searched. To search an LDIF file, you must load the file in a
directory (or the raw LDIF file viewed using a text editor).
Binary Values in LDIF Files
Binary values in LDIF files are stored in base 64 format. This means that you can
copy and paste binary values between JXplorer and LDIF files with the same ease
as other string values.
For more information about base 64 encoding, see IETF in RFC1521, available at:
http://www.ietf.org/rfc/rfc1521.txt.
11–26
eTrust Directory Administrator Guide
Using SSL and SASL
Using SSL and SASL
It is possible to specify that SSL should be used to communicate securely with a
directory server using two variants:
■
SSL with server authentication only (simple)
■
SSL with both client and server authentication (authenticated)
When client authentication is used for the SSL connection, it is possible for the
server to use SASL to authenticate the client, using the client’s certificate to verify
the client’s identity.
Server Authenticated SSL
For server authenticated SSL to work, you must initialize the client with the
trusted public certificate of the directory server, or the server’s certificate
authority. The default keystore for trusted certificates is the security/cacerts file,
which comes initialized with the certificate authority certificate used to create the
demonstration DXserver certificates. While you can change this, the default
setup lets the demonstration directories be contacted immediately using SSL.
You can connect to the directory using server authenticated SSL, as either an
anonymous user, or with your user name and password. To do this, from the
connection dialog, select either SSL + Anonymous, or SSL + User + Password.
Client Authenticated SSL and SASL
Client authenticated SSL requires the registration of the server’s certificate with
the browser, and in addition, the registration of the browser’s certificate (or
certificate authority) with the server. A demonstration client certificate
marjorie.pem is provided in the security directory. Client authenticated SSL
requires the use of the browser’s private key, which is held in the
…//security/clientcerts file. This file is password protected, and requires the
password to be entered in the connection dialog for client authenticated SSL to
work.
The DXserver directory is able to use SASL authentication to authenticate a user,
rather than a user name and password. This implementation of SASL uses the
certificates previously exchanged by SSL, and will only work when client
authenticated SSL is used. This differs from server authenticated SSL where no
client certificate is produced, so the directory is not able to use it to establish
identity.
Using JXplorer
11–27
Online Help
To connect to the directory using client authenticated SSL, from the connection
dialog, select SSL + SASL + Keystore Password, and enter the client certificate
keystore password.
The secure use of client authenticated SSL requires creating a new private key for
the browser rather than using the default private key. This requires using a
Public Key Infrastructure (PKI) tool, such as eTrust™ PKI or Open SSL, to
produce a PKCS8 private key.
Managing Certificates and Keystores
To use SSL in either form, you must manage a variety of certificates and private
keys. These are kept in two Java keystores, which are password protected data
stores. The first keystore, …//security/cacerts, with the password changeit, is
used for storing the public certificates of trusted certificate authorities and
servers. The second keystore, …//security/clientcerts, is used for storing the
certificates and private keys of the JXplorer browser, and it has the password
passphrase. Manage these keystores from the Security menu in JXplorer, where
you can change the default keystore passwords.
To manage the certificates of trusted certificate authorities and servers, from the
Security menu, choose Trusted Servers and CAs. From the dialog, you can view,
add and delete certificates, and set the keystore password.
To manage the certificates and private keys of the JXplorer browser, from the
Security menu, choose Client Certificates. From the dialog, you can view, add,
and delete certificates, and apply private keys to corresponding certificates. You
can also export private keys and set the keystore password.
The JXplorer browser uses the standard Java cryptography tools for its SSL
support. These two files are standard Java keystores, which you can maintain
using the Java keytool utility. This is a command line utility produced by Sun
Microsystems. For more information, see
http://java.sun.com/j2se/1.3/docs/tooldocs/solaris/keytool.html.
Online Help
The online help system provides a number of immediately available aids to the
user, including:
11–28
■
An index of help topics that explain browser usage
■
A table of contents
■
Links to external web resources
eTrust Directory Administrator Guide
Configuring JXplorer
Configuring JXplorer
You can customize the following JXplorer features:
■
HTML templates
■
Browser panels
■
Logging and tracing
■
Directory tree icons
You can also create plugin editors for binary files.
View Menu
The View menu lets you access the toolbar configuration and refresh options.
The button bar and quick search bar are not required for the operation of the
browser and if you are short of window space you can hide either or both of
these bars. To do this, from the View menu, choose Show Button Bar and/or
Show Search Bar.
Options Menu
A number of behavioral options are available via the Options menu. These are
described in the following sections.
Look-and-Feel Options
Java supports a number of look-and-feel options for graphical interfaces. These
let the browser adopt the same appearance as other native applications on a
particular operating system.
You can also switch between appearances on the same operating system if you
are more familiar with one particular look than another.
For example, a UNIX user may be more familiar with the Motif/X Windows
appearance and may prefer to use that on a Microsoft Windows platform. The
possible look-and-feel options are:
■
Microsoft Windows
■
Motif/X Windows
■
Java
Using JXplorer
11–29
Configuring JXplorer
You can set these options from the Advanced Options dialog, which can be
accessed via the Options menu. To select an interface, click on the L & F tab,
select the look-and-feel interface you want, and then click the Apply button.
For copyright reasons, the Microsoft Windows option is not available on
non-Microsoft platforms.
Safety Mode
A single JXplorer operation can affect thousands of directory entries. To prevent
accidental changes, you can choose to be reminded before you make changes to
the directory. To do this, from the Options menu, choose Confirm Tree
Operations. The following dialog appears prior to modifying the directory by a
tree operation:
To remove this behavior, deselect Confirm Tree Operations from the Options
menu.
Confirming Changes to the Directory
Some users like to receive a confirmation message when making a change to the
directory. To enable the confirmation dialog, from the Options menu, choose
Confirm Table Editor Updates. The following dialog box appears:
To remove this behavior, from the Options menu, deselect Confirm Table Editor
Updates.
11–30
eTrust Directory Administrator Guide
Configuring JXplorer
Logging Level
There are a number of logging options available, ranging from no logging at all
to complete tracing of all the LDAP communications with the directory.
The client can log data to a log file, to the console window, to both, or not at all.
The following levels of logging information are currently available:
Level
Description
Meaning
0
Errors Only
Reports errors only.
1
Basic
Reports errors and additional warning information.
4
Tree
Operations
Logs internal tree operations, and other high-level
process information.
6
Extensive
Extensively logs internal browser operations.
8
All
Traces all internal operations, including the
translation system, and the resource loading system.
9
All + BER Trace Reports all of the previous information, plus has an
LDAP Basic Encoding Rules (BER) communications
trace. Useful for de-bugging directory-client
communications problems.
Usually, clients run at level 0 or level 1. However, level 4 can be useful for
auditing all transactions, and level 9 can be useful for debugging directory-client
communication problems.
Note: Level 9 may cause JXplorer to run slower.
You can set these options from the Advanced Options dialog, which can be
accessed via the Options menu. To select a logging level, click on the Log Level
tab, select the logging level you want, and then click the Apply button.
Using JXplorer
11–31
Configuring JXplorer
Logging Method
JXplorer lets you choose the method by which you view logging details. The
methods available are as follows:
Method
Meaning
None
No logging is performed.
Console
Logging details can be viewed via a console.
File
Logging details are copied to a file in
.../jxplorer/jxplorer.log.
Console and File
Logging details can be viewed via a management console;
they are also copied to a file in …/jxplorer/jxplorer.log.
You can set these options from the Advanced Options dialog, which can be
accessed via the Options menu. To select a logging method, simply click on the
Log Method tab, select the logging method you want, and then click the Apply
button.
Ignore Schema Checking
DXserver automatically checks all entries submitted to the directory to ensure
that they conform to the directory schema. However, when the network is slow,
it may be wise to check the entry on JXplorer, before you send it to the server. To
do this, from the Options menu, deselect Ignore Schema Checking.
If you do not want JXplorer to check that an entry conforms to the directory
schema when you submit it, select Ignore Schema Checking from the Options
menu.
Resolve Aliases While Browsing
When you select an alias entry in the directory, you can choose whether to view
all of the entry details or the details of the alias entry, that is, where the alias
entry points.
When you want to view all of the entry details, from the Options menu, choose
Resolve Aliases While Browsing. To display only the details of the alias entry,
deselect Resolve Aliases While Browsing from the Options menu.
11–32
eTrust Directory Administrator Guide
Configuring JXplorer
Alias Example
If you create an alias entry under Human Resources for Paul Smith in
Marketing and you select Resolve Aliases While Browsing, when you select
Paul’s alias entry under Human Resources you will see all of his details, just as
if you had selected his entry under Marketing.
However, if you deselect Resolve Aliases While Browsing, when you select
Paul’s alias entry under Human Resources you will see the details of the aliased
object name.
Search Limits
JXplorer lets you define the maximum number of entries returned from a search,
and the time (in seconds) allowed to perform the search.
You can set these options from the Advanced Options dialog, which can be
accessed via the Options menu. To select the search limits, click on the Search
Limits tab, select the LDAP limit and LDAP timeout that you want, and then
click the Apply button. To revert the search limits back to the last saved version
click the Reset button.
Values can also be set in the server configuration (.dxc) files. When values are set
in JXplorer and the server configuration files, the lower of the two values is
accepted.
URL Page Browser
By default, linked URL pages are launched in JXplorer. However, on a Windows
system, you can choose to launch them in an external web browser. To customize
this behavior, choose Advanced Options from the Options menu and click the
URL tab.
Using JXplorer
11–33
Configuring JXplorer
Creating HTML Viewing Templates
You can create HTML templates and place them in a file directory hierarchy
under the /templates subdirectory of the JXplorer root directory. When a shared
template directory exists on the file system, you can configure JXplorer to use
that directory instead by editing the dxconfig.txt configuration file in the
JXplorer directory.
Place templates in file directories corresponding to object class names. Within
these file directories, the templates can have any name (although names that
include spaces are not recommended). Templates placed directly in the
/templates directory are common to all object classes. For example, the following
file directory structure provides a general template, two templates for person,
and a default template for organizationalUnit:
Directory
Template Files
/templates/
general.html
/templates/person
employee.html
contractor.html
/templates/organizationalUnit
default.html
You can add any number of new HTML templates, including templates for
newly defined object classes by creating (if necessary) the appropriate
subdirectory under the /templates directory and placing the new HTML files in
that subdirectory. After you add new files, you may need to restart the browser
to recognize them.
HTML Tag Extensions
The HTML language is extended using a modification to the HTML <comment>
tag to set placeholders where attribute values can be filled in.
These extension tags:
■
Position individual attribute names and values in the page
■
List of all attribute names and values to be set with a single tag
■
Provide a variety of tabulated formatting options, such as HTML tables and
lists
See the JXplorer online help for more information.
11–34
eTrust Directory Administrator Guide
Configuring JXplorer
HTML Forms
You can also use standard HTML forms; however, you must give each form
element a name value that corresponds to an attribute, for example, title.
JXplorer will display existing values and make updates to the directory when
you click Submit.
Important! JXplorer submits the changes to the directory, not to a Web server.
A number of example HTML forms are in the templates sub-directory. For more
information, see the JXplorer online help.
Configuring Tree Icons
The browser reads the icons used in the directory display tree from the /icons
subdirectory of the JXplorer home directory. The icons are 16-pixel-square
images in the form:
object_class_name.gif
You can easily replace the icons. To make sure the browser recognizes the new
icons, you must restart it. For more information, see the JXplorer online help.
Extending the Java Binary Editor
JXplorer can be extended with user-defined binary editors inherited from the
Java class com.cai.od.editor, AbstractBinaryEditor. Such an editor class must be
named objectclassEditor (for example, certificateEditor) and placed in the
subdirectory com/cai/od/editor. When the browser is asked to edit a binary
object, it first searches in this directory for any editors that have the name of the
entry’s object class and dynamically loads them if they exist. For more
information, see the eTrust Directory SDK Developer Guide.
Plug-in Entry Editors
JXplorer can be extended to load small Java programs, similar to Web applets,
based on an entry’s object class. For more information, see the eTrust Directory
SDK Developer Guide.
Internationalization
You can localize JXplorer by using the language resource files in the languages
directory. For more information, see the eTrust Directory SDK Developer Guide.
Using JXplorer
11–35
Configuring JXplorer
Troubleshooting
If you experience trouble while using JXplorer, you can run the console.bat
utility provided in the JXplorer home directory, which displays any problems.
Other LDAP and Directory Resources
A number of online resources are available on the web:
■
■
■
11–36
http://supportconnect.ca.com—Computer Associates Technical Support.
http://www.ietf.org/rfc/—Information about the LDAP protocol is
available in a number of Internet RFC documents, especially (for LDAP V3)
RFC2251 through RFC2256.
http://www.java.sun.com/products/jndi/index.html—Details of the Java
naming and directory interface (JNDI) are available from Sun Microsystems.
eTrust Directory Administrator Guide
Chapter
12
Using DXmanager
DXmanager is a graphical web-based management portal. It lets you view and
monitor all of the namespaces and DSAs within a distributed eTrust Directory
environment.
DXmanager is a web tool that lets you monitor all of the namespaces and DSAs
in a distributed eTrust Directory environment. Using DXmanager, you can
monitor the following:
■
The status of each DSA
■
Configuration information about each DSA
■
Statistics about each DSA
■
Namespace diagrams for each DSA, server, or group of servers
Using DXmanager
12–1
How DXmanager Works
How DXmanager Works
DXmanager uses the DXadmind tool to work with DXserver.
The DXadmind tool is installed on each server that contains eTrust Directory
DSAs. This tool is a background process that enables monitoring of all DXservers
that are configured on the machine that runs DXadmind.
DXmanager works uses the data that each DXadmind tool extracts from the
DSAs on its server.
This diagram shows how DXmanager uses DXadmind to monitor DSAs within
the eTrust Directory system:
Computer 1
Internet
Browser
DXmanager
DXadmind
Democorp
DSA
UNSPSC
DSA
DXadmind
UDDI DSA
Democorp
DSA
Computer 2
DXmanager presents data collected by DXadmind
12–2
eTrust Directory Administrator Guide
UNSPSC
DSA
Computer 3
UDDI DSA
How You Can Use DXmanager
How You Can Use DXmanager
You can use the information presented by DXmanager to diagnose problems
earlier and more accurately.
Monitor DSA Status
Monitor the status of each DSA—The status can be started, stopped, can't
connect to server
Check DSA Configuration
Check on the configuration information about each DSA—Including the DSA
name and prefix, and port numbers. See the ZZZ section for a full list of
configuration items that DXmanager can let you monitor.
Track DSA Statistics
Track statistics about each DSA—Including the time the DSA has been running,
the number of incoming and outgoing operations, and the number of
anonymous binds. See the ZZZ section for a full list of statistics that DXmanager
can let you monitor.
Check Namespace Design
DXmanager can display the namespace design for each host. It shows a tree in
which all of the DSAs on that computer are connected.
The following DXmanager page shows the namespace on a computer with the
sample DSAs Router, Democorp, and UNSPSC installed:
Using DXmanager
12–3
How DXmanager Presents Information
How DXmanager Presents Information
Using DXmanager, you can easily monitor the DSAs on a group of servers. This
is useful for systems where a single directory information tree (DIT) is spread
across many servers.
To work with server groups, you need to define the server groups first. You can
then use DXmanager to monitor the DSAs in those server groups.
When you install eTrust Directory, a single server group named Default is
created. This server group contains only the DSAs running on the local
computer.
Starting DXmanager
To start DXmanager on a Windows computer:
1.
Click Start, All Programs, Computer Associates, eTrust, eTrust Directory,
Management and Samples.
2.
Click the DXmanager link.
To start DXmanager on a UNIX or Linux computer:
12–4
1.
Open a web browser..
2.
Go to this page:
http://hostname:8080/dxmanager
where hostname is the name of the computer on which DXmanager is
running. Use localhost for the local computer.
eTrust Directory Administrator Guide
Troubleshooting
Troubleshooting
This section describes how to deal with some problems that may occur while you
use Dxmananger.
Connectivity
The main area to investigate is usually connectivity.
If DXmanager cannot connect to the eTrust Directory Administration Daemon
(dxadmind) on the server being scanned then no information can be returned.
If this is the case, use the following steps:
Use the ping command to ping the target server from the system running
DXmanager's eTrust Directory WebServer.
If this succeeds logon to the target server and ensure that the eTrust Directory
Administration Daemon (dxadmind) is running. On windows it appears in the
Service Manager. On UNIX it appears as a process named dxadmind start. On
either system the command dxadmind status should return:
master is running
DXadmind uses a configuration file in the dxserver\config folder called
dxadmind.ldif. Ensure this contains the line:
dxadminURL: ldap://hostname:2123/
where hostname is the hostname of the target server.
DXwebserver Port Numbers
DXwebserver uses a set of ports. These default ports may conflict with existing
ports on the machine on which DXwebserver is being installed.
See the section Port Numbers Used by eTrust Directory in Chapter 2 for a list of
the default ports used by DXwebserver and other components.
If DXwebserver Does Not Start
Check the logs under the DXwebserver installation directory for port conflicts.
Look for this file in:
■
Windows: %DXHOME%\..\DXwebserver\logs
■
UNIX:
$DXHOME/../dxwebserver/logs
Using DXmanager
12–5
Troubleshooting
If there is a port number conflict, modify the DXwebserver configuration file. By
default, DXwebserver is set to use the port 8080.
To change the port number, you will need to modify the DXwebserver
configuration file server.xml:
1.
Install DXwebserver as usual.
2.
Look for this file in the following locations:
3.
-
Windows:
%DXHOME%\..\DXwebserver\conf
-
UNIX: $DXHOME/../dxwebserver/conf
In the server.xml file, look for the Connector section:
<!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 8080 -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
port="8080" minProcessors="5" maxProcessors="75"
enableLookups="true" redirectPort="8443"
acceptCount="10" debug="0" connectionTimeout="20000"
useURIValidationHack="false" />
4.
Change the port number from 8080 to another port number.
5.
Restart DXwebserver to pick up the new port number.
If the Main HTTP Connection Port Number Is Modified
The main HTTP connection port number is set to 8080 by default. If this port
number is modified, then some of the web applications may not work correctly,
and on Windows computers, the Start menu shortcuts to Management and
Samples will be affected.
Note the new port number for future HTTP connections.
12–6
eTrust Directory Administrator Guide
Chapter
13
Using JXweb
JXweb is a general purpose LDAP-compliant directory browser and editor,
which provides access to a directory through the Web. It provides similar
functions as those provided by JXplorer.
JXweb lets you:
■
Connect remotely to any directory that supports LDAP
■
Browse the directory
■
Update directory entries
■
Manipulate the directory tree
Using JXweb
13–1
Connecting to JXweb
Connecting to JXweb
To access JXweb, all you need is a web browser and a network connection to a
computer on which JXweb is installed.
If JXweb is installed on your Windows computer, you can start JXweb from the
Start menu:
1.
Click Start on the taskbar, and then choose Programs, Computer Associates,
eTrust, eTrust Directory, Management and Samples.
2.
On the displayed page, click JXweb.
If you want to open JXweb on another computer:
1.
Start your web browser.
2.
Enter the URL http://server:port number/jxweb/index.html, where:
-
server is the name of the server on which JXweb is installed
-
port number is the number of the JXweb port. The default is 8080.
For example: http://computer32:8080/jxweb/index.html
The browser displays the JXweb Connect dialog:
13–2
eTrust Directory Administrator Guide
Connecting to a Directory
Connecting to a Directory
From the JXweb Connect dialog, you can connect to a directory. The browser
requires the following information for you to log in to a directory:
■
The name of the computer that hosts the directory
■
The port number of the directory server
■
■
■
(Optional) The base distinguished name of the directory, for example,
o=DEMOCORP,c=AU
(Optional) The distinguished name of your user account, if the directory to
which you want to connect has access controls enabled
(Optional) A user password that you must provide if you use your user
account
When you are connected to a directory and want to connect to another, click
Connect on the menu bar to display the JXweb Connect dialog.
When you exit your browser, you disconnect from the directory.
Using JXweb
13–3
The JXweb Environment
The JXweb Environment
When you connect to the directory, the left pane displays the Directory
Information Tree (DIT) of the directory to which you are connected. Click an
entry to display its details in the right pane. The DN of the displayed details
appears at the top of the pane. You can update the entry details (for example,
Edit) and manipulate the selected branch of the DIT (for example, Copy or
Move). For more information about JXweb, click Help from the JXweb menu bar.
Customizing JXweb
JXweb was created using Velocity tags, which render the HTML pages in JXweb.
To create your own look and feel for the packaged version of JXweb, you can
manipulate the HTML code and the Velocity tags.
For a description of the Velocity tags used in JXweb, see the JXweb online help.
For an example of how you can adjust JXweb to suit your organization, see the
Democorp sample in the dxwebserver\samples directory. This is a version of
JXweb that has been customized to work well for the fictional company
Democorp.
13–4
eTrust Directory Administrator Guide
Using JXweb in Languages Other Than English
Using JXweb in Languages Other Than English
eTrust Directory is language certified for the following nine languages:
■
Brazilian Portuguese
■
French
■
German
■
Italian
■
Japanese
■
Korean
■
Simplified Chinese
■
Spanish
■
Traditional Chinese
This means that all eTrust Directory components run on operating systems in
those languages.
Displaying Non-English Characters in Internet Explorer
By default Internet Explorer detects the language encoding automatically.
However, if there are problems with displaying non-English characters:
■
In Internet Explorer, select View, Encoding, Auto-Select has a check mark.
Displaying Non-English Characters in Mozilla Browsers
Web browsers based on the Mozilla engine (including Netscape) do not autodetect the character encoding correctly.
If there are problems with the characters displayed:
1.
In the Mozilla browser, select View, Character Coding, Auto-Detect, Off.
2.
Select View, Character Coding, Unicode (UTF-8).
Online Help
Use the online help to learn about how to use the JXweb interface, and how to
customize JXweb.
Using JXweb
13–5
Chapter
14
Using The UDDI Server
Universal Description, Discovery and Integration (UDDI) is an evolving standard
interface to information about services. A UDDI registry is a directory of
businesses and the services they offer.
In a UDDI registry, all the information is presented in a well-defined manner so
that it can be used by automated components and by humans. This lets the
repository be used, for example, as a means for an application to locate a
replacement service, should the service it is using become unavailable.
The full details of the UDDI specification can be found at the UDDI web site
http://www.uddi.org/.
Using The UDDI Server
14–1
About UDDI Registries
About UDDI Registries
A UDDI registry is a directory of all the Web services in an organization, be it a
single business enterprise or a globe-spanning multinational conglomerate.
The UDDI registry provides a central point for recording all the details about
each Web service, enabling the developers in the organization to locate other
Web services to use as building blocks to construct an application, thus saving
time and effort.
What a UDDI Registry Can Do
Because the UDDI registry contains all the details about the interfaces,
developers can more easily combine or present services developed by disparate
groups, possibly in different locations.
Moreover, the UDDI protocol provides for recovery—if a needed service fails
and is replaced by another at a different location, all those services that depend
on it can recover automatically by reloading the location and connection
parameters from the UDDI registry.
About the eTrust Directory UDDI Server
The eTrust Directory UDDI Server provides repository services. It functions as a
business directory, permitting searches based upon categorizations and
relationships between businesses. It provides authentication and authorization of
users for inquiry and publishing.
A server provides UDDI services to requests from clients. A web-based UDDI
Client enables you to publish to or search the repository.
14–2
eTrust Directory Administrator Guide
eTrust Directory UDDI Server
eTrust Directory UDDI Server
The eTrust Directory UDDI Server provides repository services. It can function
as a business directory, enabling searches based upon categorizations and
relationships between businesses. It provides authentication and authorization of
users, for inquiry and publishing. It acts as a repository for UDDI information
and as an engine for processing UDDI requests.
The UDDI server is installed under the Tomcat servlet container. It provides
UDDI services to client applications that make requests by using the Simple
Object Access Protocol (SOAP).
The UDDI Server is a multi-version server, responding to requests in UDDI
Version 1, Version 2, and Version 3 formats. For more information about the
UDDI APIs, see the eTrust Directory SDK Developer Guide.
The web-based UDDI Client enables users to:
■
Publish services to the repository.
■
Search for specific entries in the repository.
Using The UDDI Server
14–3
Connecting to the UDDI Client
Connecting to the UDDI Client
On Windows Only
On UNIX Or Windows
1.
Open the Management and Samples page. To do this, from the start button,
select Programs, Computer Associates, eTrust, eTrust Directory,
Management and Samples.
2.
Click on the UDDI Client link.
You can also access the UDDI Client directly from your web browser. Start your
web browser and enter the following URL, where server is the name of the host
on which the client is installed:
http://server:8080/uddiv3-client/index.html
The eTrust Directory UDDI Client Connect page appears.
14–4
eTrust Directory Administrator Guide
Connecting to a UDDI Registry
Connecting to a UDDI Registry
The UDDI Client Connect page enables you to connect to a UDDI registry.
By default, the client uses the following URLs to connect to the UDDI Server on
the same computer as the UDDI Client:
Inquiry URL: http://localhost:8080/uddi/services/Inquiry
Publish URL: http://localhost:8080/uddi/services/Publishing
When you want to connect to a server on a different host, change localhost in both
of these URLs to the name of the UDDI Server computer, then click Connect.
When you want to change servers at any time after you have connected, click
Connect on the menu bar to return to this page.
Using tModels
A tModel is a data structure representing a service type (a generic representation
of a registered service) in the UDDI Server. Each tModel consists of a name, an
explanatory description, and a Universal Unique Identifier (UUID). It can also
provide a URL that enables users to get further information.
A tModel may represent a technical specification. Services that are compliant
with the specification may reference the tModel. This facilitates the searching of
services that are compliant with a particular specification.
You can also use a tModel to provide meaning to data. For example, a tModel
can give structure to the following address line: 12 Montgomery Street, where 12
has the meaning of street number and Montgomery Street has the meaning of
street name.
Using The UDDI Server
14–5
Using the UDDI Client in Languages Other Than English
Using the UDDI Client in Languages Other Than English
eTrust Directory is language certified for the following nine languages:
■
Brazilian Portuguese
■
French
■
German
■
Italian
■
Japanese
■
Korean
■
Simplified Chinese
■
Spanish
■
Traditional Chinese
This means that all eTrust Directory components run on operating systems in
those languages.
Displaying Non-English Characters in Internet Explorer
By default Internet Explorer detects the language encoding automatically.
However, if there are problems with displaying non-English characters:
■
In Internet Explorer, select View, Encoding, Auto-Select has a check mark.
Displaying Non-English Characters in Mozilla Browsers
Web browsers based on the Mozilla engine (including Netscape) do not autodetect the character encoding correctly.
If there are problems with the characters displayed:
14–6
1.
In the Mozilla browser, select View, Character Coding, Auto-Detect, Off.
2.
Select View, Character Coding, Unicode (UTF-8).
eTrust Directory Administrator Guide
Chapter
15
Using the Sample DSAs,
Applications, and Tools
eTrust Directory comes with a number of samples for testing and demonstration
purposes:
■
Sample directories
■
Sample web applications
■
Sample configuration files
■
Sample tools
These technology previews are not covered by your usual CA Support. However,
your feedback is very welcome. Please see the Readme files in each sample
directory for how to let us know about your comments or questions.
Using the Sample DSAs, Applications, and Tools
15–1
Implementing the Samples
Implementing the Samples
In a default installation, these samples are installed but not set up. You need to
install each sample you want to work with.
By default, the sample directories and sample tools are installed under the
following directory:
■
Windows: %DXHOME%\samples
■
UNIX:
$DXHOME/samples
By default, the web applications are installed under the following directory:
■
Windows: %DXHOME%\..\dxwebserver\samples
■
UNIX:
$DXHOME/../dxwebserver/samples
The sample configuration files are installed into the main configuration file
directories. The default location is:
■
Windows: %DXHOME%\..\config
■
UNIX:
$DXHOME/../config
For more information about setting up these samples, see the appendixes
Installing eTrust Directory for Windows and Installing eTrust Directory for
UNIX, and also the Readme files in each of the sample directories.
15–2
eTrust Directory Administrator Guide
The Sample DSAs
The Sample DSAs
This section describes the sample directories, and explains how to install them
manually.
What the Sample DSAs Are Useful For
eTrust Directory provides a number of sample directories, which contain
different DSA configurations and show different methods of populating a
directory.
You can also use these samples to explore the eTrust Directory features before
setting up your own directory.
When the Sample DSAs Are Installed
When you run a default installation of eTrust Directory, the three sample
directories are automatically installed, configured, and started.
If you run a customer installation, you can choose whether to install the sample
directories.
How the Sample DSAs Work Together
Together, the Democorp, Router, and UNSPSC sample directories form a single
logical view of all of the directory information. It does not matter which directory
you connect to. You see the same data because the DSAs cooperate to resolve a
query or update through X.500 distribution.
Router
DSA
DSP
Democorp
DSA
DSP
UNSPSC
DSA
Using the Sample DSAs, Applications, and Tools
15–3
The Sample DSAs
The Democorp DSAs
Democorp is an example of a corporate staff directory.
The Democorp sample models a fictitious company called DemoCorp. There are
about 100 organizational units in the data, with approximately 1200 employees in
total. The Democorp sample demonstrates a front-end load of the directory using
the dxmodify tool.
The Democorp Directory Setup Script
The setup script creates a DXserver called democorp using an Advantage Ingres
database called democorp. The directory is loaded using the dxmodify tool with
the prefix O=DEMOCORP, C=AU. This is a demonstration of a front-end load in
a directory. Front-end loads are useful for loading fewer than a few thousand
entries and for loading data in already populated directories.
The data is converted from comma-separated value (CSV) format to LDAP
lightweight directory interchange format(LDIF) by using the csv2ldif tool. The
resulting LDIF file is loaded in the directory by using the dxmodify tool. After
loading, the democorp Advantage Ingres database is tuned.
The setup script performs the following steps:
15–4
1.
Creates the Democorp Advantage Ingres database called democorp.
2.
Configures the Democorp initialization file, database file, knowledge file,
and knowledge group file, and start the Democorp DXserver DSA.
3.
Converts the Democorp CSV data to LDIF.
4.
Loads the LDIF data in the Democorp directory.
5.
Tunes the democorp Advantage Ingres database.
eTrust Directory Administrator Guide
The Sample DSAs
The UNSPSC DSAs
The United Nations Development Program and Dun & Bradstreet merged their
separate commodity classification coding schemes in 1999 to form the Universal
Standard Products and Services Classification (UNSPSC).
The levels let you search products more precisely because you confine the
searches to logical categories, thus eliminating irrelevant hits. The levels also let
managers perform expenditure analysis on categories relevant to the company’s
situation.
The UNSPSC directory contains more than 10,000 entries.
The UNSPSC Directory Setup Script
The UNSPSC sample demonstrates a back-end load of the directory using the
DXloaddb tool.
The setup script creates a DXserver called unspsc using Advantage Ingres. This
is an example of a back-end or bulk load by using the DXloaddb tool. Bulk loads
are very fast because they bypass the DSA and load the data directly in the
database. They are used for initial data loads or updating the entire contents of a
directory.
The data is converted from CSV format to LDIF by using the csv2ldif tool. The
resulting LDIF file is loaded in the directory by using the DXloaddb tool.
The UNSPSC setup script performs the following steps:
1.
The script creates the UNSPSC Advantage Ingres database named unspsc.
2.
The script configures the UNSPSC initialization file, database file, knowledge
file, and the knowledge group file.
3.
The script converts the UNSPSC CSV data to LDIF.
4.
The script loads more than 10,000 LDIF entries in the UNSPSC directory.
5.
The script starts the UNSPSC DXserver DSA.
Tip: Use the bulk load tools ldifsort and DXloaddb to achieve a highperformance load of the UNSPSC data by directly loading the Advantage
Ingres UNSPSC database.
Using the Sample DSAs, Applications, and Tools
15–5
The Sample DSAs
The Router DSAs
The Router sample demonstrates a router DSA configuration, where the DSA has
no database, but has knowledge of two subordinate DSAs.
This sample demonstrates how a router DSA does not require a database of its
own. It also acts as a single point of entry into multiple directories as
demonstrated with Democorp and UNSPSC.
The Router Directory Setup Script
The setup script creates a DXserver called Router with no database and starts it.
The setup script performs the following steps:
15–6
1.
Configures the Router initialization file, knowledge file, and knowledge
group file.
2.
Starts the Router DXserver DSA.
eTrust Directory Administrator Guide
Sample Web Applications
Sample Web Applications
eTrust Directory comes with some sample web applications. You can open the
democorp and uddi applications from the Management and Samples page.
For information about the sample web applications, see the Readme files in each
of the sample tools directories.
For a list of all ports in a default installation of eTrust Directory, see the section
Port Numbers Used by eTrust Directory in the chapter DXserver Overview.
Customized Version of JXweb: democorp
To demonstrate how easily JXweb can be customized, the Democorp version of
JXweb has been included with eTrust Directory.
What the UDDI Demonstration Shows
This technology preview is an example of how you can adjust JXweb to suit your
organization. This is a version of JXweb that has been customized to work well
for the fictional company Democorp. It displays entry details in a “business
card” format.
Running the Democorp version of JXweb
To run the Democorp version of JXweb:
1.
Open your web browser.
2.
Enter the following URL into the Address field:
http://machinename:8080/democorp
where machinename is the name of the computer on which you installed the
Democorp preview. This is the computer on which DXwebserver resides.
Using the Sample DSAs, Applications, and Tools
15–7
Sample Web Applications
Sample DSML Server: dsml
This is a sample DSML server that converts DSML to LDAP and vice versa. This
allows client applications that use DSML (including web services) to
communicate with eTrust Directory without using LDAP directly.
How the DSML Server Works
The following happens when JXplorer uses DSML to communicate with dxserver
through the DSML server:
1.
JXplorer sends DSML requests to the DSML server.
2.
The DSML server translates these requests into LDAP requests and passes
them onto the directory.
3.
The directory responds using the LDAP protocol.
4.
The DSML server translates the LDAP directory response into a DSML
response and sends it back to JXplorer.
Running the DSML Server Using JXplorer
JXplorer can use DSML in order to let it connect to DSML web services. This
means that you can use JXplorer to test the DSML server.
To access the DSML server technology preview using JXplorer:
15–8
1.
The file dsml.properties points to Democorp on the current machine
2.
Connect using a DSML enabled LDAP client (such as JXplorer) to the web
servers, using the following connection settings:
Setting
Value
Host
The name of the computer running the DSML server
Port
8080
Protocol
DSML v2
DSML Service
dsml-sample/services/DSML
eTrust Directory Administrator Guide
Sample Web Applications
Changing the DSML Sample Properties
1.
Open the following file in a text editor:
-
Windows:
%DXHOME%\..\dxwebserver\webapps\dsmlsample\WEB-INF\dsml.poperties
-
UNIX:
$DXHOME/../dxwebserver/webapps/dsmlsample/WEB-INF/dsml.properties
Sample SAML Server: saml-sample
This is a sample SAML server that converts SAML to LDAP and vice versa. This
allows client applications that use SAML (including web services) to
communicate with eTrust Directory without using LDAP directly.
Installing the SAML Sample
1.
Navigate to the where you have installed eTrust Directory (Hint: echo your
DXHOME environment variable if you are unsure where this is). Then
navigate to dxwebserver > samples > saml.
2.
If you are on a Windows machine run the 'setup.bat', if on a Solaris machine
run the 'setup.sh'.
This setup file performs the following steps:
a.
Stops Tomcat
b. Copies the Tomcat server files and SAML files to
"%DXHOME%\..\dxwebserver\webapps\saml-sample".
c.
Restarts Tomcat.
The install should be complete in a few moments.
To Test the SAML Server
For testing you can use the example 'samlping' command line program that
allows for arbitrary SAML attribute requests to be sent to the server.
Run 'samlping -?' for more details.
To Access the SAML Server
1.
The file saml.properties points to Democorp on the current machine
2.
Connect using a SAML client to the web servers port.
Using the Sample DSAs, Applications, and Tools
15–9
Sample Web Applications
Sample SPML Server: spml-sample
To Install the SPML Sample
1.
Navigate to the where you have installed eTrust Directory (Hint: echo your
DXHOME environment variable if you are unsure where this is). Then
navigate to dxwebserver > samples > spml.
2.
If you are on a Windows machine run the 'setup.bat', if on a Solaris machine
run the 'setup.sh'.
This setup file performs the following steps:
a.
Stops Tomcat
b. Copies the Tomcat server files and SAML files to
"%DXHOME%\..\dxwebserver\webapps\spml-sample".
c.
Restarts Tomcat.
The install should be complete in a few moments.
Note: the above setup files perform the following steps:
To Access The SPML Sample
15–10
1.
The file spml.properties points to Democorp on the current machine
2.
Connect using a SPML client to the web servers port.
eTrust Directory Administrator Guide
Sample Web Applications
Sample Use of UDDI: uddiv3-demo
This is a demonstration of a typical application of a UDDI server. It shows a web
site that compares prices on airline flights by looking up the prices on different
web servers, which are registered with a UDDI server.
What the UDDI Demonstration Shows
The UDDI demo web site that searches for the cheapest flights between
destinations. The web site queries a UDDI registry for a list which web services it
should connect to.
Using the UDDI Demonstration
The following instructions show how to use this demonstration web site to show
how you can immediately remove information from a dynamic web site by
removing the name of a web services from a UDDI server.
1.
Open your a web browser, and go to the following page:
http://localhost:8080/uddiv3-demo
2.
Choose an origin and destination from the dropdown lists, and click Go.
If this is first time you have used the site since the last reboot, there will be a
pause while all the code is loaded into the servers .
3.
Click the Back button to reset the appearance of the demo before the demo
starts.
4.
Open another copy of your web browser and go to the following page:
http://localhost:8080/uddiv3-client
5.
Click on Connect, because the defaults are correct
You should now have two browser windows: one page shows the flight price
search demonstration site, and the other shows the UDDI Client.
6.
Click Login from the column of commands on the left. The Login page
opens.
7.
Enter the name of the airline you want to delete. To delete the Dirt Cheap
Airline:
a.
Log in using the following details:
Login name:
Dirt Cheap Discount Airlines
Password:
secret
b. Leave the info selection alone.
c.
Click Login. This brings you to the Registered Information display for
the chosen airline.
Using the Sample DSAs, Applications, and Tools
15–11
Sample Web Applications
8.
Click the Delete button under Business in the column of commands on the
left. The Delete Business page opens.
9.
Click the Add button to add the business to the Selected Business Keys.
These are the business to be deleted.
10. Click the Delete button to delete this business from the registry.
11. Return to the Demo window, and press Go again. The panel refreshes, and
the Dirt Cheap airline details no longer appear.
To reset the demonstration:
15–12
1.
Click the Refresh Demo link at the bottom of the page.
2.
Click Open to run the reset program - it reloads the entire demo directory
back to the original state.
eTrust Directory Administrator Guide
Sample Configuration Files
Sample Configuration Files
The sample DSAs use sample configuration files.
You can use these configuration files as templates for your own files.
For information about the sample configuration files, see the Readme files in
each of the sample DSA directories.
Sample Tools
The sample tools are some extra tools for managing eTrust Directory.
A number of sample configurations and utilities are provided for testing and
demonstration purposes. These reside in the ../dxserver/samples subdirectories:
The DXcmip Tool
An executable to request CMIP counters from the directory.
The dxcmip program is a management client which retrieves management
information from an Computer Associates DXserver using the CMIP protocol.
The management information retrieved is defined in ISO 9594-10 (Committee
Draft April 1995).
Usage
The dxcmip tool has the following command line format:
dxcmip [-r[n]] host[:port] [psel]
where:
■
-r[n] refresh every n seconds. Default: 5 seconds
■
host the hostname or IP address to contact
■
port the CMIP port. Default: 19389
■
psel the OSI P-SELECTOR. Default: CMIP
Using the Sample DSAs, Applications, and Tools
15–13
Sample Tools
The dua Tool
Sample text-based Directory User Agent (DUA) that runs over DAP This
directory contains the DAP directory client scripting DUA. This can be used to
execute scripts to add, modify or remove entries from the directory. This can also
be used to perform searches.
Example test scripts reside in the samples/test directory. These can be executed
either by running the setup script from that directory.
See the eTrust Directory SDK Developer Guide for more details.
Usage
The general syntax for the dua client is:
dua <script>
The script 'init' is executed if a script name is not specified.
The init script in this directory performs an anonymous bind.
The DemoCorp DSA should be started for this to work.
If an authenticated bind is required, then the username and password lines
should be uncommented and a password set on the bind username in the
directory as specified in the script.
The DXtoolsgui Tool
Java GUI interface to the DXtools—run dxtoolsgui.bat on Windows or
dxtoolsgui.sh on UNIX.
The dxtoolsgui tool requires Java Runtime Environment (JRE).
15–14
eTrust Directory Administrator Guide
Sample Tools
The ldua Tool
This directory contains the LDAP directory client scripting DUA. This can be
used to execute scripts to add, modify or remove entries from the directory. This
can also be used to perform searches. Example test scripts reside in the
samples/test directory. These can be executed either by running the setup script
from that directory.
See the eTrust Directory SDK Developer Guide for more details.
Usage
The general syntax for the ldua client is:
ldua <script>
The script 'init' is executed if a script name is not specified.
The init script in this directory performs an anonymous bind.
The DemoCorp DSA should be started for this to work.
If an authenticated bind is required, then the username and password lines
should be uncommented and a password set on the bind username in the
directory as specified in the script.
The schema Tool
A Perl schema translation tool to update schema.txt for the DXtools
This directory contains a perl script (transchema.pl) which translates a custom
schema file (.dxc) producing updated versions of schema.txt for the DXtools.
It also creates dxtype.txt and dxobject.txt for the DXplorer client that is no longer
supported but may still be the preferred client for some customers.
The script cannot handle schemas that contain attributes with varying OID
prefixes. Currently such schema would need to be translated manually.
Inputs
<schema-filename>
schema.bck
dxtype.bck
dxobject.bck
Using the Sample DSAs, Applications, and Tools
15–15
Sample Tools
Outputs
schema.txt in the current directory.
dxtype.txt
dxobject.txt
Usage
transchema.pl <schema-filename> <attr-prefix-name> <class-prefix-name>
where:
■
schema-filename is the name of a custom schema file e.g. custom.dxc
■
attr-prefix-name is the name of the attribute prefix used in the schema
■
class-prefix-name is the name of the object class prefix used in schema
Typically the custom schema file would contain the lines:
schema set oid-prefix customAttributeType = (2.16.840.1.113730.3.1);
schema set oid-prefix customObjectclass = (2.16.840.1.113730.3.2);
For example:
transchema.pl custom.dxc customAttributeType customObjectClass
This script requires Perl to run.
The input files need to be copied from their home directories.
On UNIX
On UNIX, use the following commands to copy the input files from their home
directories:
cp /opt/dxserver/bin/schema.txt .
cp /opt/dxserver/for_dxplorer/DXtype.txt dxtype.txt
cp /opt/dxserver/for_dxplorer/DXobject.txt dxobject.txt
On Windows
On Windows, use the following commands to copy the input files from their
home directories:
copy \opt\dxserver\bin\schema.txt .
copy \opt\dxserver\for_dxplorer\DXtype.txt dxtype.txt
copy \opt\dxserver\for_dxplorer\DXobject.txt dxobject.txt
15–16
eTrust Directory Administrator Guide
Sample Tools
The snmp Tool
An executable to request SNMP information from the directory.
The dxsnmp program is a management client which retrieves management
information from an Computer Associates DXserver using the SNMP protocol.
The management information retrieved is defined in RFC 1567 Directory
Monitoring MIB. An eTrust Directory specific information is defined in
dxmib.asn1. This can be found in the current directory and provides the
following:
■
Multiwrite queue monitoring
■
DSA statistics monitoring
Some statistic elements require stats logging/tracing to be enabled, as these
items impact performance)
■
DXcache Monitoring
Usage
The dxsnmp tool has the following command-line format:
Usage: dxsnmp -r[n] host[/port] [community]
where:
■
-r[n] refresh every n seconds. Default: 5 seconds
■
host the hostname or IP address to contact
■
port the SNMP port. Default: 19389
■
community the SNMP community of interest. Default: 'public'
Using the Sample DSAs, Applications, and Tools
15–17
Sample Tools
The soak Tool
Soak is a testing tool used to run searches against an LDAP or DAP directory.
The soak program can be used to run one search or even millions. Soak is
designed to keep a directory busy with searches to give an accurate time in how
long it takes to the directory to compete a search. Searches can range from
complex to exact matches.
Soak also has a queuing system where you can set a queue of searches. This to
eliminate the overhead of soak setting up the search, because if you keep a
number of searches in a queue then whenever the directory has finished a search
there is another one waiting. It is for this reason the soak worked better running
from another box or have it’s own processor. If you run soak from another
computer, then it must be a fast network and the traffic must be minimal.
This program uses either LDAP or DAP to measure throughput (as
searches/sec).
It attempts to keep the Directory Server saturated with search requests. This is
done by using asynchronous search requests.
Usage
The soak tool has the following command-line format:
soak [options] hostaddr:port namefile searches queuesize attributes
Where the options are:
15–18
■
-d
use the X.500 DAP protocol. Defaults to LDAP.
■
-m
modify mode (generates random data)
-
interpret names as DNs
-
interpret attributes as: rndAttr len rndAttr len
■
-M
modify mode (LDIF modify records)
■
-n
do not ask for any attributes to be returned.
■
-s
step through searches sequentially (default is rnd).
■
-F
interpret names as filters.
■
-A
retrieve attribute names only (no values)
■
-r count
make the first count chars of rnd value the same
■
-D base_dn bind dn
■
-w bind_password bind password (for simple authentication)
■
-b base_dn search base
eTrust Directory Administrator Guide
Sample Tools
■
-S msecs
sleep in milli-secs before each search (default=0)
■
-Z schema file containing schema definitions (DAP only)
And where the variables are:
■
hostaddr:port
Address and port of LDAP/DAP Directory Server.
■
namefile
File containing names to be searched.
■
searches
The number of searches to perform.
■
queuesize
The number of outstanding searches to maintain.
And where the attributes are a whitespace-separated list of attributes to retrieve
(if no attribute list is given, all are retrieved)
Example
For example, here is a typical soak command for exact match searches used with
the DemoCorp data:
soak 155.35.131.155:5544 /local/travis/Performance/names/tenk.name 50000 3
where
■
■
■
155.35.131.155 is the port number of the machine that the directory is
installed on.
5544 is the port number the directory is listening on.
Note: The port number and IP-ADDRESS are separated with a ‘:’
/local/travis/Performance/names/tenk.name is the name file the soak will
use to search the directory.
■
5000 is the number of searches to run
■
3 is the queue size to use for the searches.
The DemoCorp data has three different name file to used for each database for
exact matches.
■
tenk.name
■
onehundredk.name
■
onemillion.name
Example:
soak myhost:1001 names.dat 100 5
read 5 names
Connecting to myhost:1001 ...
1000: (cn=ann bradley)
999: (cn=ann bradley)
998: (cn=adrian gardner)
997: (cn=adrian gardner)
Using the Sample DSAs, Applications, and Tools
15–19
Sample Tools
996: (cn=adrian gardner)
995: (cn=ann bradley)
994: (cn=adam fischer)
993: (cn=adam fischer)
992: (cn=adrian gardner)
991: (cn=adam fischer)
...
7: (cn=adrian gardner)
6: (cn=craig link)
5: (cn=adrian gardner)
4: (cn=ann bradley)
3: (cn=adam fischer)
2: (cn=craig link)
1: (cn=craig link)
Searches: 800
Start time: 978082934.854
Stop time: 978082940.194
Elapsed time: 5.339
Searches/Sec: 149.83
Content of names.dat (taken from democorp example)
craig link
adam fischer
adrian gardner
ann bradley
joh martinez
15–20
eTrust Directory Administrator Guide
Sample Tools
The ssl Tool
The samples/ssl directory contains tests using the DAP and LDAP script DUA.
This sample includes examples of using DUA-DSA and DSA-DSA SSL
authentication and encryption, using SSL encryption and SSL authentication
between client and DXserver
The DAP and LDAP script DUAs connect to the DemoCorp DXserver using SSL
encryption or SSL authentication.
This directory contains the following files:
test1.dxs
This script demonstrates a client-server connection using an SSL-encrypted
link between the DUA and DemoCorp directory.
test2.dxs
This script demonstrates a mutually authenticated client–server SSL
connection between the DUA and DemoCorp directory.
test3.dxs
This script demonstrates a mutually authenticated client–server SSL
connection to the DemoCorp directory but searching the UNSPSC directory
using chaining.
test4.dxs
This script demonstrates distributed authentication. This time the DUA
connect to the UNSPSC DSA but is authenticated by the DemoCorp DSA and
searches the DemoCorp directory.
In tests 2-4 the DUA (via SSLD) requires use of client certificates stored in the
samples/ssl/certs directory. They require the certificate of a user that exists in
the DemoCorp directory, Marco Drew, in the file marco_drew.pem.
These scripts can be configured and run using the setup script.
Note: The DemoCorp and UNSPSC DSAs are assumed to be running. These can
be configured using their sample setup scripts.
The SSL Setup Script
To set up the ssl tool, run the setup script. This is setup.sh on UNIX, and
setup.bat on Windows NT.
The script performs the following steps:
1.
Starts the SSLD for Directory Server requests.
2.
Starts the SSLD for Directory Client requests.
Using the Sample DSAs, Applications, and Tools
15–21
Sample Tools
3.
Starts the DemoCorp DSA.
4.
Starts the UNSPSC DSA.
5.
Runs the DUA SSL encryption test (test1.dxs).
6.
Runs the DUA SSL authentication test (test2.dxs).
7.
Runs the DUA SSL authentication test (test3.dxs).
8.
Runs the DUA SSL distributed authentication test (test4.dxs).
9.
Runs the LDUA SSL encryption test (test1.dxs).
10. Runs the LDUA SSL authentication test (test2.dxs).
11. Runs the LDUA SSL authentication test (test3.dxs).
12. Runs the LDUA SSL distributed authentication test (test4.dxs).
The -q switch can be used to suppress user prompting.
About the Testing DUA and SSLD
The DAP and LDAP script DUAs makes use of a Client SSLD process to handle
the SSL encryption and authentication.
This should be started using the command:
ssld start client -certfiles samples/ssl/certs -ca config/ssld/trusted.pem -port
1113
The command ssld stop client can be used to stop the server SSLD.
This is in addition to the SSLD process used by the DSAs, this process listens for
SSL requests on port 1112 and is started by the command:
ssld start server -certfiles config/ssld/personalities -ca
config/ssld/trusted.pem
The command ssld stop server can be used to stop the server SSLD.
SSL encryption is enabled in the DUA by adding 'ssl-encryption' to the bind
request. The scripts explicitly use port 1113. When using SSL encryption, the
DSA will use normal access controls.
To enable SSL authentication as well as encryption, add 'ssl-auth' to the DUA
bind request. The DSA will check its list of trusted CAs to confirm that the
client's certificate is valid, then by default, the DSA will check for an entry in the
directory matching the subject name of the certificate. This check can be disabled
by setting 'ssl-auth-bypass-entry-check = true' in the DSA settings.
When binding with ssl-auth, note that the DUA bind syntax does not allow the
'user' and 'password' fields that are normally present.
15–22
eTrust Directory Administrator Guide
Sample Tools
The test Tool
A selection of Directory scripts to modify the directory using the supplied DUA
or LDUA clients. Run the setup script to automatically configure the Test DSA
and execute the DUA and LDUA client scripts.
This directory contains sample directory client scripts. These can be executed by
running the LDAP DUA (LDUA) and DAP DUA. These reside in the directories
samples/ldua and samples/dua.
The setup script creates a DXserver called 'test' using the Ingres database 'test'.
The test DSA is loaded by the test scripts using the master script basic.tests in
this directory. These scripts are executed using first the DAP DUA and then the
LDAP DUA directory client.
Usage
setup.sh (Solaris)
setup.bat (Windows NT)
The -q switch can be used to suppress user prompting.
The script performs the following steps:
1.
Create the Test Ingres database 'test'.
2.
Configure the Test initialization file: config/servers/test.dxi.
3.
Configure the Test database file: config/database/test.dxc.
4.
Configure the Test knowledge file: config/knowledge/test.dxc.
5.
Start the Test DXserver DSA. This DSA contains a null prefix.
6.
Execute the basic directory tests using the DAP DUA Client.
7.
Execute the basic directory tests using the LDAP DUA Client.
The test scripts include tests of all X.500 services. The tests are performed on a
single DSA with an existing database with no context prefix. The test scripts
return the database to its original condition when they run successfully.
All tests add a small subtree, conduct tests on this subtree and then remove the
subtree.
If the script executes successfully then the database will be returned to its
original state.
Using the Sample DSAs, Applications, and Tools
15–23
Sample Tools
The response to each request is checked using the "if-reply" line, so the number
of entries or attributes returned, or the returned error code can be checked. A test
will fail if the wrong response is returned, such as and add-entry-refuse when an
add-entry-confirm was expected, or if the wrong number of entries was returned
on a list or read result.
If a test fails the script will display an error message and exit. This may leave
entries in the database.
The scripts do not test authentication or security, so the user can bind to the DSA
as an anonymous user.
Test 1
This script tests all the basic services apart from search.
Test 2
This script tests the search service.
Test 3
This script tests various errors.
Test 4
This script tests schema (MUST and MAY contains and distinguished
values).
Test 5
This script tests the handling of large attribute values and attributes
containing large numbers of values.
Test 6
This script tests the operation of aliases.
15–24
eTrust Directory Administrator Guide
Sample Tools
The DXtrap Tool
Information and an example program that can receive triggers from the
directory.
The dxtrap program is a management application which receives SNMP Traps
from a Computer Associates DXserver.
Four trap types may be sent by DXserver. To enable the sending of traps in
DXserver, the following command should appear in the settings:
set snmp-log = udp <address> port <port>
where <address>:<port> is the trap address of the management application.
The traps are:
generic=6, specific=0
These are DXserver alarms. The trap contains three variables: sysName,
sysDescr and sysLocation. sysName contains the name of the DXserver and
sysLocation contains the actual alarm text.
DXserver always sends this trap when an alarm condition is detected if the
snmp-log has been configured.
generic=6, specific=1
This trap is sent, depending on configuration, when the DXserver has
performed an update operation. The trap contains three variables: sysName,
sysDescr and sysLocation. sysName contains the name of the DXserver
sending the trap plus some addressing information. sysLocation contains
information relating to the actual update operation.
DXserver sends this trap if the snmp-log has been configured and the
following command has been executed:
set trap-on-update = true;
generic=6, specific=2
This trap is sent, depending on configuration, when the DXserver detects an
authentication failure (invalid Bind credentials). The trap contains three
variables: sysName, sysDescr and sysLocation. sysName contains the name
of the DXserver and sysLocation contains the reason text.
DXserver sends this trap if the snmp-log has been configured and the
following command has been executed:
set auth-trap = true;
generic=6, specific=3
This trap is sent, depending on configuration, when the DXserver refuses to
perform an operation. The trap contains three variables: sysName, sysDescr
and sysLocation. sysName contains the name of the DXserver and
sysLocation contains the reason text.
DXserver sends this trap if the snmp-log has been configured and the
following command has been executed:
set op-error-trap = true;
Using the Sample DSAs, Applications, and Tools
15–25
Sample Tools
Usage
The dxtrap tool has the following command line-format:
dxtrap [ port ]
where port is the SNMP trap port (default: 162).
15–26
eTrust Directory Administrator Guide
Chapter
16
Deploying a Directory
This chapter provides some general guidelines regarding the deployment of a
directory. It is broken into three major sections:
■
Directory Design
■
Operations and Practices
■
Troubleshooting
This chapter is only intended to be an introduction to good directory design,
planning, and maintenance. Good directory design and proper attention to
operational details is critical to a successful directory service.
Many of the areas listed are common sense but they are included so that you can
use this chapter as a general checklist of items to consider when deploying a
directory system.
For companies with large-scale systems, or a critical need to provide continuous
service, many more factors need to be considered. When you are designing a
large-scale system, we recommend that you contact Computer Associates
Services at http://ca.com/ for assistance.
Deploying a Directory
16–1
Directory Design
Directory Design
Good directory design starts with understanding the information that the
directory contains and the way it is used.
Requirements Analysis
Generally, a requirements study will determine most of the important aspects of
the directory system such as:
■
Characteristics of the data, its size, initial load, and expected growth rate
■
The different directory applications and types of queries they use
■
The performance targets such as average response times and peak loads
■
■
The dimensioning of the hardware, network, and other supporting IT
infrastructure
How the directory is integrated with other services
Service Definition
A separate detailed service study should establish a service profile for each
directory application. This would include:
■
■
■
Type, frequency, and expected performance of searches and updates
(including adds, modifies, renames, and deletes)
Type of attributes specified in the search filter or returned from a search
Any unusual, but potentially computationally expensive, operations such as
substring and complex searches
Schema Design
After the sources and consumers of information are identified, you can
determine the set of all possible attributes. Generally, the schema designer
should try to use existing standard schema attributes where possible. Where no
standard schema exists, you should create a custom attribute.
You need to collect attributes into object classes. Generally, you combine related
attributes to form object classes. Objects should have real world meanings (such
as person, device, product), and be sensible units for directory-enabled
applications to use. See the chapter “Schema Definition” for more information.
16–2
eTrust Directory Administrator Guide
Directory Design
Directory Enabled Applications
The schema design should take into account the way that the information will be
used by directory applications. Some applications require read-only access, while
others require both read and update. Some applications have very high demand
for particular attributes, while other attributes are rarely used. Some attributes
are shared by many applications, while other attributes are particular to only one
application.
It is essential to organize information so that the directory can cope with the
maximum loading. You can group frequently used attributes together. It can also
result in a design where objects are deliberately split or combined because some
higher-level operation (for example, setting up a role) requires updates to many
attributes across many objects.
Namespace Design
A well-designed Directory Information Tree (DIT) is a key to scalability and
manageability. The namespace design needs to consider:
■
■
■
Geographic partitioning—when the directory is distributed in regions
Security and management policies—when parts of the directory are
accessed or managed in subtrees
Common objects—to avoid duplicating information required by different
DIT branches
It is important that the naming structure is stable. This means choosing naming
attributes that do not change often and a DIT structure that is as fixed as
possible.
Security
Security policies must cover all aspects of security. This includes:
■
■
■
■
Physical security—who has access to a site, a machine, or the directory
software itself
Authentication—who is permitted to access and manage information in the
directory
Access controls—which information is protected from unauthorized changes
Sensitivity—some information may be confidential or have business value
to third parties
Deploying a Directory
16–3
Directory Design
Dimensioning
A system can run many databases and many directory servers across multiple
sites. It is important that machines have enough disk memory and processors,
and that the configuration of DSAs makes best use of this hardware. Even
though the cost of hardware can be significant, an appropriate investment here
can offset large operational costs.
Performance
Performance relies upon the power of the hardware and network in use and the
configuration and tuning of the directory and database software. Often
additional indexes or additional servers can make a big difference to
performance. Items to consider include:
■
■
■
■
Security—affects performance if the access control scheme is too complex or
if every link employs SSL authentication. See the chapter “Security” for more
information about SSL authentication.
Logging—degrades performance if too much logging is enabled, particularly
diagnostic logging. See the chapter “General Administration” for more
information about logging.
Query streaming—reserves particular DSAs for high-speed lookups and
diverts known slower queries, for example substring searches to other
dedicated DSAs. It can also divert slower updates to dedicated DSAs. See the
chapter “Distribution and DSP” for more information about query
streaming.
Load sharing—lets servers share load across CPUs or across machines. See
the chapter “Distribution and DSP” for more information about load sharing.
Availability
Availability can be improved by providing a number of strategies. This may
include:
■
■
16–4
Hardware—backup power supplies, RAID disks, or backup machines
Network—providing multiple network interfaces and links between
machines
■
Directory servers—configuring alternative DSAs
■
Databases—using replication to provide alternative data stores
eTrust Directory Administrator Guide
Directory Design
Synchronization
Often, you must synchronize data with external systems. It is important therefore
to establish a list of sources and targets, and the timing and types of data that
must be exchanged. Often, you must perform normalization to filter out
duplicate entries, rude words, or map fields from one form to another. Planning
the timing of the synchronization is important because synchronization is
usually performed using a batch mode process.
Scalability and Distribution
Many DSAs can run on one machine for the purpose of:
■
Coping with large number of users
■
Splitting a large DIT into smaller, more manageable pieces
■
Achieving load balancing or query streaming
In addition, directory servers can run at multiple sites over regions, countries or
across the world. In this case, it is important that the separation of DSAs take
advantage of geography so that servers are concentrated in areas of highest
demand.
Complexity
Keep it simple. eTrust Directory is very flexible in terms of its features. However,
complex designs can be hard to understand and maintain. Always justify why a
configuration needs to be more complex.
Deploying a Directory
16–5
Operations and Practices
Operations and Practices
Directories provide a service. Often, service level agreements gives contractual
commitments on outage, response times, and escalation plans. It is critical to
define and adhere to formal practices and procedures.
Management
All aspects of the system including personnel, applications, services,
infrastructure, and day-to-day operations must be managed. There are many
factors often not considered early in a directory project lifecycle including:
■
Training—especially for operations staff
■
Support—such as hardware and software contracts
■
Upgrades—how systems will transition with minimum down time
Monitoring
Monitoring determines the health of a system. Generally, it will cover the
following areas:
■
Polling—using a protocol such as SNMP
■
Probing—involving periodical queries to test performance
■
■
■
Alarms—relying on systems to generate alerts when unexpected situations
arise
Log file analysis—scanning errors and linking into other alarm software
Indirect—inferring that something is wrong because other applications are
not functioning properly
Capacity Planning
Over time it is necessary to monitor existing platforms to show trends in growth.
When additional hardware, network capacity, or licenses are required, the
upgrades need to occur in a planned, orderly manner.
16–6
eTrust Directory Administrator Guide
Operations and Practices
Backup and Restore
This is probably the most important procedure in the system. It is very important
that you accurately document the backup procedure and ensure that it takes
place at specified times. Backups should occur daily.
You can perform database backups using the utility dxbackupdb. The
dxbackupdb utility can perform on-line backups of the database even when there
are DSAs updating the database.
Following standard industry practices, you should regularly test your backup
procedures by attempting to restore your backups onto a test system. You should
also perform a restore before any system configuration changes or tuning. The
restore time needs to be calculated, as it is crucial in meeting outage service level
agreements.
You can perform database restores using the Dxrestoredb tool.
See the chapter Using JXplorer for more information about backup and restore
tools.
Journaling
In addition to database backups, known as checkpoints, Advantage Ingres can
maintain a journal of all committed transactions since the last checkpoint. To
enable journaling, use the command:
dxbackupdb +journal dbname
Journaling should be enabled in operational environments. If journaling is
enabled, backups (dxbackupdb) should be run more frequently, preferably every
night. This prevents the journal logs from becoming too large and reduces
recovery time if you have to roll forward the changes (dxrestoredb).
Note: If dxindexdb is used, the journals must be re-enabled to let the journals
track the new indexes. Perform the following sequence of commands:
dxbackupdb dbname
dxindexdb dbname –reverse attrName
dxbackupdb +journal dbname
See DB Tools in the chapter “Using DXtools” for more information.
Deploying a Directory
16–7
Operations and Practices
Database Tuning
You should tune the directory database periodically to maintain optimum
performance.
You can use the dxtunedb utility in simple or full mode. In simple mode the
dxtunedb utility can be run while the DSA is online as it just builds table
statistics. This improves performance of the Advantage Ingres Query Optimizer.
To tune while the DSA is online, use the following command:
dxtunedb demo
In full mode the dxtunedb utility rebalances tables to optimize storage layouts,
rebuilds indexes to remove overflow pages, builds table statistics to help the
query optimizer, and tunes the system tables. We recommend that you execute
this utility after bulk loading or other large-scale modifications, and after a
period of gradual modification.
The dxtunedb utility requires at least 25 percent free disk space (for temporary
tables) and takes approximately one minute per 1,000 entries to complete a full
tune.
To perform a full tune, shut down any DSAs connected to the database and use
the following commands:
dxbackupdb demo
dxtunedb –full demo
dxbackupdb demo
Change Control
There are some basic principles of change management required to ensure the
ongoing consistency of the directory:
■
■
■
■
16–8
Subdirectories of the config directory contain the directory configuration
files. The configuration files contain the operational controls and schema
definitions for one or more DSAs. You should back up this config directory
in synchronization with copies of the matching Advantage Ingres database
set.
You should manually track modifications to the configuration files while
maintaining appropriate backup copies. You may want to consider a source
control system.
You should test configuration changes against test and development copies
of the directory database rather than the live database.
You can switch test databases into production, in a live environment, using
the hot swap facility.
eTrust Directory Administrator Guide
Operations and Practices
Upgrades
Over time, you need to install new versions of software for the directory,
database, or operating system to fix problems, add new functionality, or provide
performance features. You should build prototype systems first on separate
machines to validate the new system before going live.
Important! Always check the latest release notes for details of software changes,
particularly in the area of schema. The product schema files can evolve to follow changing
standards. Using these latest standards can break existing applications when they have
not been modified to keep pace with these changes. When it is not desirable or practical to
change existing applications, then these should use the existing schema on the upgraded
software.
Maintenance
Periodically, systems should be scheduled for maintenance to perform various
housekeeping tasks, such as disk defragmentation, hardware upgrades, or
software patches. The first maintenance step should be a backup sequence as
follows:
dxbackupdb demo
dxtunedb –full demo
dxbackupdb demo
This ensures that the database tables and indexes are optimally laid out.
Deploying a Directory
16–9
Troubleshooting
Troubleshooting
This section covers various areas that may cause problems in operational
systems. See DB Tools in the chapter “Using DXtools” for more information
about alarms, warnings, and logs.
Optimizing Performance
Performance problems generally arise because of unexpected demands on the
system. The following is a list of possible areas to investigate:
■
■
■
■
■
■
Resources—When a system is under peak loads, there may not be enough
CPU or disk to process all the required requests. Ensure that you have done
sufficient capacity planning and traffic analysis to determine the amount of
hardware required to achieve the given service levels.
Load-sharing DSAs—On a multi-CPU box it may be necessary to run a
router DSA and multiple load-sharing DSAs to make use of all the CPUs on a
given machine.
Query-streaming DSAs—When there is a large variation in the types of
queries, then different DSAs can be dedicated for different tasks, for
example, lookup queries, updates, and complex queries. If the lookup
queries are additionally handled by a load-sharing group of DSAs then the
system effectively can reserve DSAs to handle small, fast lookup queries
regardless of what else is going on in the system.
Database tuning—This optimizes the data layout in the database tables. You
should tune the database after large-scale modifications. The dxtunedb
utility can perform an on-line tune or full tune (“-full”) if all the DSAs are
taken off-line.
Advantage Ingres tuning—You can tune the cache and a number of other
Advantage Ingres parameters in mission-critical sites. Contact Computer
Associates at http://supportconnect.ca.com for advice.
File system tuning—On UNIX, the tunefs utility can optimize disk partitions
to minimize access times. We recommend that you run tunefs when you add
new hard drives, before you add data to the new device.
Managing Large Numbers of Users
The UNIX operating system limits the number of file descriptors per process (for
example, 1024). This limits the number of users who can bind to a DSA at any
one time. When the number of users is large, you can run multiple DSAs, all
connecting to the same database (DIB).
16–10
eTrust Directory Administrator Guide
Troubleshooting
Managing Large Numbers of Entries
When the DIT contains very large numbers of entries, you can split it into a
number of subtrees (each having, for example, 100,000 entries). You can run a
DSA for each subtree with a master top-level DSA. You can then link the DSAs
with local DSP configurations.
When a database needs to have a large number of entries, then the database can
be split over multiple locations. Use the dxextenddb utility to create such
locations. (See DB Tools in the chapter “Using DXtools” for more information.)
All database tools make use of multiple locations and can handle large (> 2 GB)
files.
When you need to load a large number of entries initially, use the bulk load tool
DXloaddb. When there are a large number of changes to be made, or a large
number of entries added to an existing database, consider extracting the existing
data into an LDIF file using the DXdumpdb tool. Manipulate the LDIF file
(merge it with new data), and reload the data using the bulk load tool DXloaddb.
Limiting Users
There are many ways to control users, including the following:
■
■
■
Security—Limit access to a directory through authentication and access to
particular data through access controls.
Service controls—Set service controls such as time limits and size limits on
operations.
Flow control—Use DXserver’s “credit” facility to prevent a client flooding a
DSA with requests. This works by simply not reading bytes on that client’s
socket so that TCP/IP back pressures then restricts that client’s ability to
send data on that connection.
Deploying a Directory
16–11
Appendix
A
Tailoring the RDBMS
This appendix describes how to change some Advantage Ingres database
parameters. This is usually not necessary but is desirable in certain cases as
recommended by Computer Associates Technical Support.
The customizations covered in this appendix are:
■
The default page size
■
The number of cache pages
You can configure each of these using the Advantage Ingres utility cbf
(configuration by forms). You can run cbf in an OpenWindows or CDE
(Common Desktop Environment) shell window.
Keep the following navigational tips in mind:
■
■
■
When using OpenWindows, you can move the cursor up or down using ↵,
Ctrl+J, or Ctrl+K.
When using CDE you can move the cursor up or down using ↵, ↑ (up
arrow), or ↓ (down arrow).
You can advance between fields using the Tab key.
On Windows, you can configure these using cbf from the command prompt.
Navigation instructions for cbf appear on the window.
Note: Throughout this guide, references to Advantage Ingres include both
Ingres II and OpenIngres, unless one or the other is explicitly specified.
Tailoring the RDBMS
A–1
Changing the Default Page Size
Changing the Default Page Size
Under most circumstances, the best performance is obtained with a database
page size of 2 KB. However, there may be circumstances in which you want to
change this.
To change the default page size, run cbf (configuration by forms) and enter the
following:
A–2
OpenWindow
Keystrokes
CDE Keystrokes Purpose
↵
↵
Moves to DBMS server line.
ESC+conf ↵
F10
Displays the DBMS Server Parameters
window.
dd
dd
Moves to default-page-size.
ESC+edit ↵
F10
Displays popup for new value.
8192 ↵
8192 ↵
Enters new value.
ESC+cache ↵
Insert
Displays the DBMS Caches window.
↵↵
↵↵
Moves to DMF cache 8K.
ESC+edit ↵
F11
Sets cache status to ON.
ESC+end ↵
F3
Exits DBMS Caches window.
ESC+end ↵
F3
Exits DBMS Server Parameters window.
↵
↵
Yes, saves changes and end.
ESC+quit
F4
Exits cbf.
eTrust Directory Administrator Guide
Increasing the Number of Cache Pages
Increasing the Number of Cache Pages
For systems that have a large amount of RAM, it can help to increase the number
of cache pages used. On a large production database, optimum performance is
obtained with a cache size of 60,000 pages of 2 KB per page, requiring 128 MB of
memory for the cache.
To increase the number of cache pages, run cbf , and enter the following:
OpenWindow
Keystrokes
CDE Keystrokes Purpose
↵
↵
Moves to DBMS server line.
ESC+conf ↵
F10
Displays the DBMS Server Parameters
window.
ESC+cache ↵
Insert
Displays the DBMS Caches window.
↵
↵
Moves to the largest activated cache line.
ESC+conf ↵
F10
Displays the DBMS Cache Parameters
window.
ESC+derived ↵
F11
Displays the Derived DBMS Cache
Parameters window.
ESC+edit ↵
F10
Displays popup requesting new value.
60000 ↵
60000 ↵
Enters new value.
ESC+end ↵
F3
Exits Derived DBMS Cache Parameters
for xk window.
ESC+end ↵
F3
Exits DBMS Cache Parameters for xk
Buffers window.
ESC+end ↵
F3
Exits DBMS Caches window.
ESC+end ↵
F3
Exits DBMS Server Parameters window.
↵
↵
Yes, saves changes and end.
ESC+quit
F4
Exits cbf.
Tailoring the RDBMS
A–3
Increasing the Number of Database Connections
Increasing the Number of Database Connections
eTrust Directory ships with a default configuration of 64 database connections.
However, if you are upgrading from a previous version of eTrust Directory, the
previous limit of 32 connections applies.
If you have many data DSAs running on the same machine and you then run the
DXloaddb tool, which uses many Ingres connections, you may get the following
error in II_SYSTEM/ingres/files/errlog.log:
E_US0001 Number of users has exceeded limit.
If you see this error, then the Ingres connection limit needs to be increased.
Step 1. Increase the Shared Memory Maximum (Optional)
To successfully increase the Ingres connection limit, you may need to increase
the shared memory maximum.
You can skip this step if the shared memory maximum is already higher than the
following list:
Number of Database
Connections
RAM required
32
16 MB
64
100 MB
128
200 MB
If you need to do this step, use the following table:
A–4
Platform
Action
Solaris
Edit the value of "set shmsys:shminfo_shmmax" to the
new value in /etc/system, then restart the machine.
Linux
Run sysctl -w kernel.shmmax="new value" and sysctl w kernel.shmall="new value", then restart the machine.
HP-UX
Use the sam command to update the shmmax kernel
parameter to the new value, rebuild the kernel, then
restart the machine.
AIX
No change is required because kernel parameters are
dynamic.
Windows
No change is required.
eTrust Directory Administrator Guide
Other Customizations
Step 2. Increase the Database Connection Limit
If enough shared memory has been allocated, then you can increase the
connection limit.
1.
As the ingres user, run Configuration-By-Forms (CBF):
% su - ingres
% setenv TERM_INGRES wxterm (csh assumed)
% cbf
2.
In CBF:
a.
Press D to highlight the DBMS Server row .
b. Press Esc and type Configure.
c.
Press c until the row connect_limit is highlighted.
d. Press Esc and type Edit.
e.
Enter the new maximum value.
f.
Press Esc and type End.
g. Press Enter to save the value.
h. Press Esc and type Quit to end CBF.
3.
Restart Ingres:
% ingstop; ingstart
Other Customizations
Several other customizations are possible, and Computer Associates Technical
Support may recommend them depending on the particular site and hardware in
use. These include:
■
Enabling the backup transaction log file
■
Configuring a separate disk area for backups
■
Configuring a separate disk area for tuning
You may want to set the Advantage Ingres log folder to a different disk drive for
improved performance.
For more information, contact Computer Associates Technical Support at
http://supportconnect.ca.com.
Tailoring the RDBMS
A–5
Appendix
B
DXserver Command Language
This appendix lists the configuration commands used by DXserver.
There are six command categories. Each command category includes a number
of valid commands.
Some commands also have additional parameters. For example, the following
command is made up of the set category, the admin-user command, and the ownentry parameter:
set admin-user = own-entry
Command Categories
Command
Description
add
Creates an additional wide index.
clear
Clears a portion of the configuration information. This command is commonly
used to ensure that you load configuration details into a clear setup, rather than
laying them on top of an (possibly contradictory) existing configuration.
close
Closes a log.
set
Defines an aspect of. There are over ninety set commands.
source
Specifies a file to be loaded. This is used to make configurations using multiple
files.
trace
Enables tracing, and defines what type of tracing is enabled.
DXserver Command Language
B–1
Add Command
Add Command
Command
Description
add index-wide
Create additional wide indexes for some attributes without changing any wide
indexes that have already been set up. For more information, see the section
Creating Additional Wide Indexes in the chapter “General Administration.”
Clear Commands
Command
Description
clear access
Clears all of the static access controls. Typically, this is done before loading access
controls to ensure that conflicting controls are not loaded.
clear dsas
Clears the knowledge of all DSAs. This may be done immediately before loading
knowledge.
clear indexes
Clears all indexing options on attributes.
clear schema
Clears all of the schema information. This is done before re-loading the schema,
to ensure there are no conflicting definitions for attributes or object classes.
Close Commands
Command
Description
close summary-log
Closes the summary log.
close stats-log
Closes the statistics log.
close trace-log
Closes the trace log.
close query-log
Closes the query log.
close update-log
Closes the update log.
close alert-log
Closes the alert log.
close cert-log
Closes the certificate log.
close connect-log
Closes the connection log.
Note: The alarm log cannot be closed.
B–2
eTrust Directory Administrator Guide
Set Commands
Set Commands
Command
Description
set access-controls
Specifies whether access controls are enabled or not
set add-oc-parents
Adds superior object classes even if the client did not specify these
while adding an entry.
set admin-user
Defines access controls that apply to users who are considered
administrators of the directory.
set agreement
Specifies the details of an agreement between two DSAs for replication
purposes.
set alarm-log
Specifies the name of the file to which the alarm-log is written.
set alert-log
Specifies the name of the file to which the alert-log is written.
set alias-integrity
Specifies whether the DSA manages the integrity of alias entries, for
example, deleting aliases that point to deleted entries.
set allow-binds
Specifies whether the DSA is accepting new binds.
set always-chain-down
Specifies whether requests are chained down, overriding X.500
controls.
set attribute
Specifies all of the information relating to an attribute.
set attr-cache-reload
The default is true. When set to false, a filter with an attribute type that
is not in the attribute cache will not cause the cache to automatically
reload from the database and is considered as not present in the
directory.
To see the current value, use get dip all;.
set attr-set
Specifies a name for a list of attributes.
set auth-trap
A mechanism that can be used to hook into the authentication
processing on the DSA using SNMP traps.
set cache-attr
Defines the attributes returned in a fast lookup (DXcache). The value
all-attributes can be used to ensure that all attributes are cached;
however, when a large number of attributes are used, this will require
a large amount of memory.
set cache-index
Sets the attributes to index in DXcache. The cache will respond to a
search filter that uses one of these attributes. You can define as many
as you like, separated by commas. Memory requirements are affected.
set cert-log
Specifies the name of the file to which the cert-log is written.
set connect-log
Specifies the name of the file to which the connect-log is written.
DXserver Command Language
B–3
Set Commands
Command
Description
set credits
A control used to regulate the DSA—new requests are accepted until
the number of credits is exhausted.
set database-name
Specifies the name of the Advantage Ingres database used by the
directory.
set dbconnection
Specifies the elements of a database connection.
set dsa
Specifies the knowledge of a DSA.
set dynamic-access-control
When TRUE, enables dynamic access controls; when FALSE, disables
dynamic access controls.
set eis-count-attr
Specifies the name of the attribute that is used when you want a count
of matches, instead of a list of matching entries.
set group
Defines a group of users. Groups are used when defining access
controls.
set hold-ldap-connections
When TRUE, prevents a DSA from clearing the underlying TCP/IP
connection after a bind refusal. The default value is FALSE.
set index-reverse
Lists the attributes to which to apply reverse index.
set index-wide
Lists the attributes to which to apply wide index.
set ignore-name-bindings
Lets the DXserver operate without name bindings. This is useful when
the schema is imported from a directory that does not support name
bindings.
set limit-list
Specifies whether the DSA should reject all list requests. This is useful
when there are thousands of entries under one node.
set limit-search
Specifies whether to limit the types of searches processed by the DSA.
This causes searches with no filter or with a filter containing an
attribute present; substring any; or a range of values to be rejected.
set lookup-cache
Specifies whether DXcache is enabled or not.
set max-bind-time
Specifies the maximum time a bind is held before being disconnected.
set max-cache-size
Sets the maximum amount of memory (in MB) that DXcache uses. This
value depends on how much memory your computer has. You should
set this to around 50% to 70% of your machine’s total memory,
depending on other programs’ memory requirements on the same
computer.
set max-dsp-ops
Specifies the maximum number of DSP operations that are accepted
simultaneously.
set max-local-ops
Specifies the maximum number of simultaneous local operations that
this DSA will accept.
B–4
eTrust Directory Administrator Guide
Set Commands
Command
Description
set max-op-time
Specifies the maximum amount of time a single operation takes before
it is aborted.
set max-op-size
Specifies the maximum size of an operation that is accepted by this
DSA.
set max-users
Specifies the maximum number of simultaneous users on a DSA.
set min-auth
Specifies the minimum level of authentication that is accepted.
set modify-on-add
Adds modifyTimestamp to a newly created entry. Used for SAP
compatibility.
set multi-casting
See set multi-chaining.
set multi-chaining
Specifies whether requests are chained to other DSAs.
set multi-write-disp-recovery
Enables or disables multiwrite DISP. The default value is FALSE.
set multi-write-queue
Specifies the maximum size of the queue of requests to be written to
other DSAs.
set multi-write-retry-time
This defines the time (in seconds) at which DXserver will attempt to
bind to a Multiwrite peer which cannot be contacted.
The default value is 60 seconds.
set name-binding
Specifies all of the information relating to a name binding, which
specifies an acceptable parent-child relationship between two object
classes.
set not-searchable
Lists attributes that are not to be searched.
set object-class
Specifies all of the information relating to an object class.
set oid-prefix
Specifies a name for an OID, which is used as a prefix when specifying
the OIDs for attributes, attr-sets, and object classes.
set op-error-trap
A mechanism that can be used to hook into the handling of errors
using SNMP traps.
set op-attrs
Specifies whether operational attributes are enabled.
set password-age
Sets the number of days a password is valid.
set password-force-change
Forces users to change their passwords after their passwords have
been reset.
set password-history
Sets the maximum number of entries to retain in the history.
set password-last-use
Sets the number of days a password remains valid. When the value is
exceeded, the password expires.
set password-length
Sets the minimum length of a password.
set password-allow-locking
Allows user accounts to be suspended by locking the password. This
DXserver Command Language
B–5
Set Commands
Command
Description
does not delete the password.
set password-max-suspension
Sets the number of seconds after which a suspended password
reactivates.
set password-min-age
Sets the number of days since a password was changed last before it
can be changed again (lockout period).
set password-non-alpha-num
Sets the minimum number of nonalphanumeric characters a password
contains.
set password-numeric
Sets the minimum number of numeric characters a password contains.
set password-policy
Specifies whether password management is enabled.
set password-retries
Sets the number of consecutive failed logon attempts before a
password is suspended.
set password-storage
Specifies a password storage method.
set precedence
Specifies a precedence rule, ordering DSA knowledge.
set protected-items
Defines static access controls, which apply to an item or items within
the directory.
set prune-oc-parents
Removes redundant superior object classes when new entries are
created.
set public-user
Defines static access controls that apply to users who are public users
of the directory. A public user is an unidentified user (anonymous
user).
set query-log
Specifies the name of the file to which the query-log is written.
set reg-user
Defines static access controls that apply to users who are registered
users of the directory. A registered user is an identified user (as
opposed to an anonymous user).
set relaxed-not-search
Interprets NOT in the non-standard manner supported by some other
directories.
For example, a search for "description not equal M*" returns entries
that have nothing in the description and all entries that do not start
with M. When the flag is false (or not set), a search returns only entries
that have the attribute populated and do not start with M.
set return-oc-parents
Replaces the superior object classes of entries retrieved when
searching.
set role-subtree
Specifies the DN where the roles are defined.
set snmp-log
Specifies the port address and server to which SNMP traps is written.
set ssl-auth-bypass-entry-check
Allows a bind to skip the server authentication step if it has already
B–6
eTrust Directory Administrator Guide
Set Commands
Command
Description
authenticated itself to the SSLD.
set stats-log
Specifies the name of the file to which the stats-log is written.
set summary-log
Specifies the name of the file to which the summary-log should be
written.
set syntax-alias
Creates a syntax alias for use when an attribute syntax is not
supported by eTrust Directory.
set super-user
Defines static access controls that apply to users who are considered
super-users of the directory.
set trace
Specifies tracing options.
set trace-level
Specifies the level of detail when tracing.
set trace-log
Specifies the name of the file to which the trace-log is written.
set transparent-routing
When set to true, enables a router DSA to route LDAP queries without
knowing the related schema.
set trap-on-update
A mechanism that can be used to hook into the processing of updates
on the DSA using SNMP traps.
set trust-sasl-proxy
Specifies the distinguished name of the trusted proxy.
set unique-attrs
Specifies attributes which are to have a unique value.
set update-log
Specifies the name of the file to which the update-log is written.
set use-roles
Set to true to enable role-based access controls; set to false to disable
role-based access controls.
set user-idle-time
Specifies the maximum time a user is idle before being disconnected.
set warn-log
Specifies the name of a separate file for error and warning messages.
Ensure that at least warn or error tracing is turned on.
set write-precedence
Specifies which DSAs are chosen to perform updates.
DXserver Command Language
B–7
Set Commands
The set admin-user Command
Use the set admin-user command to specify static access controls. See the chapter
“Security” for more information.
Parameter
Description
attrs
Lists attributes to which this access control applies.
auth-level
Specifies the level of authentication required. May be simple, ssl-auth.
entry
Specifies an entry to which access is granted.
group
Specifies a group of users for admin-user access.
own-entry
Specifies a user as admin-user for their own entry.
perms
Lists the permissions granted. May include read, add, remove, modify, rename,
all.
subtree
Specifies a subtree of the directory to which access is granted.
user
Specifies a named user to be treated as an admin-user.
user-subtree
Specifies a subtree within the user tree; users in this subtree are affected by this
access control.
validity
Specifies the period during which this is valid. May include start, end, on.
The set agreement Command
Use the set agreement command to define a DISP connection between two DSAs.
See the chapter “Replication” for more information.
Parameter
Description
area
Specifies the portion of the DIT covered by this agreement.
initiator
Specifies the name of the initiating DSA, and whether that DSA is the supplier or
consumer in the DISP connection.
relay
Specifies the name of the intermediate relay DSA. These parameters may include
anonymous, clear-password, ssl-auth.
responder
Specifies the name of the responding DSA, and the parameters of the connection.
These parameters may include anonymous, clear-password, ssl-auth.
strategy
Specifies when the interchange of data takes place. May include on-change,
minutely, hourly, daily, weekly, monthly, incremental, full.
B–8
eTrust Directory Administrator Guide
Set Commands
The set attribute Command
Use the set attribute command to define an attribute, which is a basic building
block in the schema. See the chapter “Schema Definition” for more information.
Parameter
Description
description
A description of the attribute.
equality
Indicates the type of matching to apply to the attribute.
ldap-names
Alternative names for the attribute. Think of these as nicknames—
they can be used anywhere the name can be used. Often these are
shorter, and used in DNs, for example, c for country.
name
The name of the attribute. This is its formal name, and is often
descriptive.
no-user-modification
Indicates whether the user can modify the value of the attribute
ordering
Indicates the ordering rules to apply to the attribute.
single-valued / multi-valued
Indicates whether the attribute has multiple values (for example, lines
of an address), or is limited to a single value (for example, salary).
substr
Indicates the substring-matching rule to apply to the attribute.
syntax
Indicates the type of data that may be stored in the attribute.
The set dsa Command
Use the set dsa command to define the knowledge of a DSA. See the chapter
“General Information” for more information.
Important! You must declare the parameters in a set order.
Parameter
Description
prefix
Specifies a partial DN, which specifies the portion of the DIT served by this
DSA.
native-prefix
Specifies a partial DN, which the DSA recognizes as applicable to its entries—
generally only used with LDAP servers.
dsa-name
Specifies the name of the DSA as a DN; not to be confused with the name of the
server
dsa-password
Specifies the password other DSAs must supply to communicate with this DSA.
ldap-dsa-name
Specifies the name of the LDAP DSA.
ldap-dsa-password
Specifies the password of the LDAP DSA.
DXserver Command Language
B–9
Set Commands
Parameter
Description
address
Specifies one or more addresses (TCP/IP address + port number) the DSA.
tsap
Specifies Transport SAP.
ssap
Specifies Session SAP.
osi-psap
Specifies Presentation SAP.
disp-psap
Specifies DISP Presentation SAP; if absent, DISP is disabled.
cmip-psap
Specifies CMIP Presentation SAP; if absent, CMIP is disabled.
snmp-port
Specifies the SNMP port.
console-port
Allows DXconsole to accept connections from the local computer. When this is
not specified, the DSA does not have a local console.
remote-console-port
Allows DXconsole to accept a connection from a remote computer on this port.
When this is not specified, there is no remote console for the DSA.
remote-console-ssl
Forces DXconsole encryptDXconsole sessions when it runs remotely.
console-password
The password required for connections from a remote computer. This password
is transmitted in clear text.
ssld-port
Specifies the port number that should be used for SSLD.
auth-levels
Specifies the levels of authentication that will be accepted by this DSA. May
include anonymous, clear-password, and ssl-auth.
dsp-idle-time
Specifies the maximum time (in seconds) that a DSP connection can be idle
before it is disconnected.
dsa-flags
Specifies the flags that control the operation of the DSA. The flags include
multiwrite, shadow, read-only, relay, load-share, no-routing-ac, limit-search, limit-list,
and multi-write-notify.
trust-flags
Specifies flags relating to trust that control the operation of the DSA. The flags
include allow-check-password, trust-conveyed-originator, allow-upgrading, allowdowngrading, and no-server-credentials.
link-flags
Specifies flags that control connecting to the DSA. The flags include dsp-ldap,
dsp-ldapv2, ms-exchange, ms-ad, ssl-encryption, and unavailable. For a complete list,
see Link Flags in the chapter “General Administration.”
B–10
eTrust Directory Administrator Guide
Set Commands
The set name-binding Command
Use the set name-binding command to define a name binding. This defines the
hierarchy of the directory. See the chapter “Schema Definition” for more
information.
Parameter
Description
allowable-parent
Specifies the parent and child object classes.
name
The name of the name binding. This is often descriptive; it can be constructed by
concatenating the names of the object classes being connected.
named-by
Lists the attributes that name an object of the child object class. Often only one
attribute is listed.
optional
Lists attributes that may optionally be appended to the list specified in namedby.
The set object-class Command
Use the set object-class command to define an object class, which is a fundamental
part of the schema, and essential to the directory. See the chapter “Schema
Definition” for more information.
Parameter
Description
description
A description of the object class.
kind
Specifies the kind of object class—may be structural, auxiliary, or abstract.
ldap-names
Alternative names for the object class. Think of these as nicknames—they can be
used anywhere the name can be used. Often these are shorter.
may-contain
Lists the attributes that may be supplied in an instance of this object class.
must-contain
Lists the attributes that must be supplied for every instance of this object class.
name
The name of the object class. This is its formal name, and is often descriptive.
subclass-of
Specifies the object class, or object classes, from which this object class inherits.
DXserver Command Language
B–11
Set Commands
The set protected-items Command
Use the set protected-items command to specify static access controls. Generally,
you use protected-items controls to protect specified attributes in a specified
portion of the DIT. See the chapter “Security” for more information.
Parameter
Description
attrs
Lists attributes to which this access control applies.
entry
Specifies an entry to which this access control applies.
group
Specifies that this control applies to a particular group of users.
own-entry
Specifies that this control applies to a user accessing their own entry.
perms
Gives registered users access to modify 'role' attribute in their own entries.
subtree
Specifies a subtree of the directory to which this access control applies.
user
Specifies that this control applies to a particular user.
user-subtree
Specifies a subtree within the user tree; users in this subtree are affected by this
access control.
validity
Specifies the period during which this is valid. May include start, end, on.
The set public-user Command
Use the set public-user command to specify static access controls. See the chapter
“Security” for more information.
Parameter
Description
attrs
Lists attributes to which this access control applies.
entry
Specifies an entry to which access is granted.
perms
Lists the permissions granted. May include read, add, remove, modify, rename,
all.
subtree
Specifies a subtree of the directory to which access is granted.
validity
Specifies the period during which this is valid. May include start, end, on.
B–12
eTrust Directory Administrator Guide
Set Commands
The set reg-user Command
Use the set reg-user command to specify static access controls. See the chapter
“Security” for more information.
Parameter
Description
attrs
Lists attributes to which this access control applies.
entry
Specifies an entry to which access is granted.
group
Specifies a group of users to be treated as a reg-user.
own-entry
Specifies that a user may be treated as a reg-user for their own entry.
perms
Lists the permissions granted. May include read, add, remove, modify, rename,
all.
subtree
Specifies a subtree of the directory to which access is granted.
user
Specifies a user to be treated as a reg-user.
user-subtree
Specifies a subtree within the user tree; users in this subtree are affected by this
access control.
validity
Specifies the period during which this is valid. May include start, end, on.
The set super-user Command
Use the set super-user command to specify static access controls. See the chapter
“Security” for more information.
Parameter
Description
auth-level
Specifies the level of authentication required. May be simple, ssl-auth.
group
Specifies a group of users to be treated as a super-user.
own-entry
Specifies that a user may be treated as a super-user for their own entry.
user
Specifies a user to be treated as a super-user.
user-subtree
Specifies a subtree within the user tree; users in this subtree are affected by this
access control.
validity
Specifies the period during which this is valid. May include start, end, on.
DXserver Command Language
B–13
Source Commands
Source Commands
A source command is a means of including shared commands. It says, “Include
the contents of this file here.” You can nest source commands, and source a file
that contains further source commands. An example is shown below:
source “file2.dxg”
set access-controls
= true;
source “file3.dxc”
set group =
source “file4.dxc”
set super-user =
set reg-user =
B–14
eTrust Directory Administrator Guide
Trace Commands
Trace Commands
You can specify trace commands in two ways:
■
You can enter them as arguments to a trace command. For example:
trace all;
■
You can enter them as parameters to a set trace command. For example:
set trace = all;
Command
Description
trace alert
Displays authentication errors.
trace all
Traces everything.
trace dsa
Similar to the x500 trace, but also includes tracing of the module flow inside the
DSA.
trace cert
Displays certificate operations.
trace connect
Displays connections.
trace error
Displays error messages of very high severity. Compare with TRACE WARN.
trace ldap
Traces detailed LDAP operations.
trace limit
Traces any violation of size or time limits.
trace none
Traces nothing.
trace query
Displays a one-line summary containing the server request and result.
trace stack
Displays detailed protocol tracing.
trace stats
Displays statistical information for each minute the DSA is not idle.
trace summary
Displays summary information.
trace time
Displays the start time, end time, and elapsed time of an operation with a brief
summary of the operation.
trace update
Displays update operations—add, delete, modify, and rename.
trace warn
Displays error messages of moderately high severity. Compare with TRACE
ERROR.
trace x500
Displays the full details of the service request, confirmation, or error. This traces
DAP, DSP, and LDAP operations.
DXserver Command Language
B–15
Appendix
C
Messages and Logs
This appendix describes the error and diagnostic logs that eTrust Directory
provides to assist you in diagnosing problems. It also explains some common
alarms and warning messages.
For further information, contact Computer Associates at
http://supportconnect.ca.com.
UNIX System Error Log
Both UNIX and DXserver log errors to the system error log. By default, the
system also displays all errors in the console window.
The system error log file is located in …/var/adm/messages.
A useful command for showing the most recent messages is:
%$ dmesg
Windows Event Log
Both Windows and DXserver log errors in the Windows event log. You can view
the event logs in the Windows Event Viewer.
To display the Event Viewer, click Start on the taskbar, and then choose
Programs, Administrative Tools (Common), Event Viewer.
DXserver logs errors in the Application Log. You can view the Application Log
by selecting Event Viewer Log, Application.
Messages and Logs
C–1
DXserver Logs
DXserver Logs
DXserver logs all errors, alarms, and warnings to server-specific log files. Each
server has both an alarm log and is usually configured with a trace log. The
server alarm log provides more detail than the system error log, while the trace
log provides additional diagnostic information.
Note: If an error is encountered while starting DXserver, the server cannot start,
and diagnostics are logged to these server-specific logs rather than to the system
error log.
When a DXserver fails to start or is not behaving as expected, consult the server
logs.
On UNIX, the server log files are:
$DXHOME/logs/servername_alarm.log
$DXHOME/logs/servername_trace.log
On Windows, the server log files are:
%DXHOME%\logs\servername_alarm.log
%DXHOME%\logs\servername_trace.log
In all cases, substitute the name of your server for servername.
C–2
eTrust Directory Administrator Guide
Advantage Ingres Logs
Advantage Ingres Logs
The Advantage Ingres RDBMS server reports all database-related errors to a
single log file. This file may contain more detailed diagnostics about databaserelated problems than the DXserver alarm log.
Note: Throughout this guide, references to Advantage Ingres include both
Ingres II and OpenIngres, unless one or the other is explicitly specified.
On UNIX, the Advantage Ingres error log file is:
$II_SYSTEM/ingres/files/errlog.log
On Windows, the Advantage Ingres error log file is:
%II_SYSTEM%\ingres\files\errlog.log
DSA Does Not Start and Alarm Log Reports "Database is inconsistent"
The alarm log reports something like this:
20040305.084328 DIB001: Unable to connect to database 'democorp' as ' '
SQL error (-39100): E_US0026 Database is inconsistent. Please contact the system
manager.
Reason:
A database "goes inconsistent" when Ingres does not know what state the
database is in. This is often caused by a hardware failure or hard shutdown. The
recommended method of recovery is to restore from backup.
The Ingres error log may give some indication as to why the database is
inconsistent. Things to look for include an absence of shutdown messages,
references to hardware problems (could not write to disk, etc), or anything OS
related.
Action:
For non-critical databases, the following ingres command can be used:
verifydb -mrun -sdbname "democorp" -oforce_consistent
This will give you several warnings. The force_consistent command is used to
permit entry into a database that is inconsistent. This does not fix the problem
with the database; it merely allows you to force the database to act as if it were in
a consistent state. This can be very dangerous if used against a production
database. Hidden data damage may render one or more tables in the database
unrecoverable at some time in the future.
Messages and Logs
C–3
Advantage Ingres Logs
I get "failed to connect" errors
E_LQ0001 Failed to connect to DBMS session.
E_LC0001 CGA protocol service (GCA_REQUEST) failure.
Internal service status E)GC0139 -- No DBMS servers (for the specified
database) are running in the target installation.
Reason:
This usually means that Ingres is not started.
Action:
The easiest way to resolve this is to stop and restart Ingres. The process differs
slightly for Windows and UNIX/Linux platforms.
To stop and restart Ingres on a Windows computer:
1.
From the Services menu, look for the status of Ingres Intelligent Database.
2.
If it is "starting" then either be patient, or manually kill the processes (see
below). Stop the Service.
3.
After Ingres had stopped, check Task Manager for the following processes:
4.
-
iigcc (comms server, optional)
-
iigcn (name server)
-
iidbms (one or more DBMS servers)
-
dmfrcp (recovery server)
-
dmfacp (archiver)
Try one or more of the following:
-
Manually kill any processes remaining.
-
Reboot the computer.
-
Stop Ingres again.
5.
Start Ingres again.
6.
Check that all the processes listed above are running. If one or more
processes failed to start, then send the ingres errlog.log to CA Technical
Services.
To stop and restart Ingres on a UNIX or Linux computer:
1.
Enter the following command to stop Ingres:
ingstop
2.
After the ingstop command completes, check ps -ef' for the following
processes:
-
C–4
iigcc (comms server, optional)
eTrust Directory Administrator Guide
Advantage Ingres Logs
3.
4.
-
iigcn (name server)
-
iidbms (one or more DBMS servers)
-
dmfrcp (recovery server)
-
dmfacp (archiver)
Try one or more of the following:
-
Manually kill any processes remaining.
-
Reboot the computer.
-
Stop Ingres again.
Enter the following command to start Ingres:
ingstart
5.
Check that all the processes listed above are running. If one or more
processes failed to start, then send the ingres errlog.log to CA Technical
Services.
6.
To test a connection, type 'sql iidbdb' at the command prompt. If you get an
asterisk prompt, then the connection succeeded. Type '\q' to quit. If the
connection failed, then screendump the output, and pass it to your favourite
Ingres whiz, along with the errlog.log.
DSA Does Not Start and Alarm Log Reports “No DBMS Servers”
If your alarm log has the following text, your IngresDBMS server is not setup
correctly.
Unable to connect to database 'democorp' as \'\' SQL error (-38100): E_LQ0001
Failed to connect to DBMS session. E_LC0001 GCA protocol service (GCA_REQUEST)
failure. Internal service status E_GC0139 -- No DBMS servers (for the specified
database) are running in the target installation..
Reason:
One of the causes of the above error is that the IngresDBMS server startup count
it set to 0 instead of 1.
Action:
If this error message has occurred on a production computer, you will need to
contact eTrust Directory support for help.
If this error message has occurred on a test computer and you previously had
enterprise eTrust Directory, and you just installed embedded eTrust Directory,
run the test again with a valid eTrust Directory license before you run the
embedded install.
For more help, please contact CA Technical Services.
Messages and Logs
C–5
Advantage Ingres Logs
Ingres Error Log Reports “Unknown ipcclean” (Windows Only)
Reason:
If you have the cygwin toolkit installed, an option inside this package includes a
file called ipcclean. If cygwin\bin is in your path, then when you install, Ingres
will try to use this ipcclean tool instead of the one installed by Ingres. This will
cause the post-installation setup to fail.
Action:
C–6
1.
Uninstall eTrust Directory.
2.
Check your computer is clean by using CleanReg.exe.
3.
Rename cygwin ipcclean to ipcclean.old and re-run the install.
4.
Do one of the following steps:
-
Move Ingres\bin to the beginning of the %PATH% environment
variable.
-
Rename the cygwin tool to ipccleanCygwin and leave the path as is.
eTrust Directory Administrator Guide
DXserver Alarm Messages
DXserver Alarm Messages
Database dbname has more entries (n) than license allows (m)
Reason:
The number of entries in the DXserver database has been exceeded. (This is only
relevant to legacy licenses, not those issued by Computer Associates.)
Action:
Either reduce the number of entries in the database or purchase a larger license.
Database attribute attribute-name has different syntax than schema
Reason:
The syntax of the attribute-name definition in the DSA schema has been
changed; however, directory entries have been created with the old syntax.
Action:
You must roll back the syntax in the schema. When you need a new syntax,
dump the database using DXtools, and then create a new one with the new
syntax.
Database attribute attribute-name not defined in schema
Reason:
The attribute attribute-name presented in the LDAP (or DAP) call has not been
defined in the schema.
Action:
Check the attribute-name definition. It is possible that the LDAP client has
misspelled the attribute. Alternatively, the LDAP client may be using an attribute
name not defined in the schema. If the latter is true, define the attribute
appropriately.
Messages and Logs
C–7
DXserver Alarm Messages
Error in initialization files
Reason:
One or more of the DXserver initialization files (.dxi) in the servers subdirectory
are not configured correctly.
Action:
Check the configuration of the initialization files.
Out of memory
Reason:
The DSA has run out of memory when processing the result of a large search.
Action:
Reduce the number of results returned by single searches by breaking them into
a number of separate, smaller searches, each returning part of the result. Also,
consider increasing the amount of virtual memory.
Prefix too large
Reason:
The DSA prefix is greater than 255 characters.
Action:
Shorten the DSA prefix.
Rejected console request
Reason:
More than one telnet session has attempted to connect to the DXserver console.
Action:
Remember that eTrust Directory supports only one console connection at a time.
C–8
eTrust Directory Administrator Guide
DXserver Alarm Messages
DIB001: Unable to connect to database 'production'
Reason:
This message may be because the ingres user has a password, which means that
eTrust Directory cannot connect to the database.
Action:
There are two things that can be done about this:
■
Use accessdb to remove the user’s password
■
If the user must have a password, then follow these steps:
a.
Remove the following command:
set database-name = "production";
b. Replace it with this command:
set dbconnection = {db-name=production, db-user=dba, dbpassword=mypassword};
DIB001: Unable to attr load cache
Reason:
This can happen when the user that the dxserver is trying to connect to the
database as is not the owner of the database.
Action:
To resolve the problem you must give the user grants on the database. This can
be done with the DXgrantdb tool, which is provided with eTrust Directory. To
do this, run the following command:
dxgrantdb database [user]
where:
■
■
database is the name of the database where access is granted.
user is the name of the user whose access is granted. If user is omitted, all
database users will be granted access.
After running this you will be able to operate a directory on the database.
Or, you can configure the dxserver to connect as a specific user by editing the
server configuration. To edit the server configuration:
1.
Remove the following command:
set database-name = "production";
2.
Replace it with this command:
set dbconnection = {db-name=production, db-user=dba, db-password=mypassword};
Messages and Logs
C–9
DXserver Alarm Messages
DIB003
This error code refers to a problem with allocating a new internal entry identifier.
Reason:
If this is seen, then you probably have added the maximum number of possible
entries to the directory.
Action:
You may have to use distribution.
DIB004: attr aid not in cache
The DIB004 error code refers to a problem with the attribute cache.
Reason:
During a read, search, or update operation, an attribute ID was found internally
that does not exist in the attribute cache. This may be the case if the attribute was
added for the first time by another DSA using the same database.
Depending on where this was encountered and current configuration setting the
attribute cache is usually reloaded and the operation redone.
DIB004: attr aid too big for cache - unable to resize
DIB004: subattr aid too big for cache - unable to resize
DIB004: too many attributes (number of attrs) to register
The DIB004 error code refers to a problem with the attribute cache.
Reason:
These messages are indicative of a problem resizing the attribtue cache. This is
usually due to running out of memory. These errors are usually found in
conjunction with out-of-memory errors.
C–10
eTrust Directory Administrator Guide
DXserver Alarm Messages
DIB008
This error code refers to a problem with normalising an attribute value.
Reason:
This may be the case if the attribute value is not valid for the defined attribute
syntax. The associated error message gives futher information about the type of
attribute being processed.
DIB009
This error code refers to a problem with buffer or storage sizes.
Reason:
This may be the case if the RDN (either normalised or raw) of an entry is too big.
MW-DISP: Invalid update strategy
Reason:
Standard MW-DISP (NOT cache-only) can only receive an incremental-refresh
DISP update. This message indicates it has received something other than an
incremental-refresh.
This could happen if you have a mix of cache-only and standard DSAs
configured to replicate to each other. This is not supported.
MW-DISP: Invalid update strategy for cache-only
Reason:
Cache-only MW-DISP can only receive a total-refresh DISP update because it has
no database to apply an incremental update to. This message indicates it has
received something other than a total-refresh.
This could happen if you have a mix of cache-only and standard DSAs
configured to replicate to each other. This is not supported.
Messages and Logs
C–11
DXserver Alarm Messages
Unable to connect to database - Shutting down
Reason:
This alarm is shown if during recovery from a database error, or switching
databases the DSA is unable to connect to the configured database.
Action:
If this alarm is raised, the DSA will automatically shut down.
For more information about thi, see the section Manage Connections to the
Database.
Shutting down due to SQL error
Reason:
This alarm is shown if shutdown-on-sql-error is set to TRUE in the configuration
of a DSA and an SQL error is encountered.
Action:
If this alarm is raised, the DSA will automatically shutdown.
For more information about thi, see the section Manage Connections to the
Database.
Error in initialization file
Action:
To find out which command caused this error, look in the trace log.
For example, see the following section of a router_trace.log:
20040902.123320 ERROR : Syntax Error: Line 14 in C:\Program Files\CA\eTrust
Directory\dxserver\config\settings\default.dxc near 'set'
Expected a ';'
> Setting max-users to (255)
* 20040902.123320 Error in initialization files
C–12
eTrust Directory Administrator Guide
DXserver Warning Messages
DXserver Warning Messages
To prevent excessive tracing and logging of repetitive warning message,
configure the affected DSA with "set trace = error". This will prevent warnings
from being logged, but will still capture real errors.
Cannot register address
Reason:
The DSA has been configured with incorrect protocol stack information.
Action:
Check the set DSA command within the appropriate knowledge file. Check the
details in the address setting.
DIP not connected to a database
Reason:
The DSA has been requested to add or update an entry within its naming context
and found that it has not been configured with a database.
Action:
Check the set database-name command in the appropriate configuration file (.dxc)
in the database subdirectory.
Database dbname entries (n) is close to license maximum (m)
Reason:
The directory exceeds 90 percent of the licensed maximum. (This is only relevant
to legacy licenses, not those issued by Computer Associates.)
Action:
Consider reducing the number of directory entries or purchasing a larger license.
Messages and Logs
C–13
DXserver Warning Messages
Licence expires in n days
Reason:
These warnings begin 20 days before the license is due to expire. (This is only
relevant to legacy licenses, not those issued by Computer Associates.)
Action:
Consider purchasing a new license.
No stack nor console
Reason:
The DSA has been configured without any protocol stack information.
Action:
Check the set dsa command within the appropriate knowledge file. Typically, this
message occurs when there is a mismatch between the name of the DSA (from
the initialization file (.dxi) in the servers subdirectory) and the name of the DSA
used in the set dsa command in the DXserver knowledge file.
Undefined syntax not ASN.1
The DXserver syntax binary refers only to datatypes that have an ASN.1
representation. To represent arbitrary binary data, octetString is a more suitable
choice.
Attribute (attrName) exceeds searchable size limit (106) - Refer to Managing Indexes in the
Admin Guide
Reason:
This message means that an attribute value has been added that is too big to
search reliably. Some search requests may produce incorrect results. The length
of an attribute value that will generate this message can vary, but the normalised
value can only by 106 bytes long before this message is reported. Note that due
to the different normalisation techniques that can be applied it may be possible
to add data that is much bigger than 106 bytes without causing a problem. For
example a 1MB jpeg photo will not cause this problem despite it's size, while a
110 character sentence probably will.
The search overflow message points out that some values are greater than the
106 byte normalised limit and their normalised form has been truncated.
C–14
eTrust Directory Administrator Guide
DXserver Warning Messages
Searches that have the same first 106 normalised values will match all entries
even if they varied past this point.
Searches for values ending with a particular value will give curious results on
this data as it will be matching on the truncated value.
Note This is a limitation for searching only, data this is returned will not be
truncated.
Action:
To overcome this problem, examine the use of the data. This could fall into one of
many categories:
■
■
■
■
Never searched or compared.
In this case the warning could be ignored, or even better to save space and
speed up operations mark the attribute as not searchable
Searched only by a begins with filter item.
If the filter items are less than the 106 byte searchable limit then the warning
can be ignored.
Searched only by an ends in filter item.
Consider adding a reverse index for the item.
Other searches.
Consider adding a wide index for this attribute. This does decrease
performance, but it also increases the searchable limit to 1900 bytes. If this is
still too small then a subsearch overflow message will be reported.
rs_rsp: Credit limit reached
Reason:
This message means that a DAP or DSP client has exceeded the number of
credits configured for that connection, and flow-control has been invoked. This is
not an error, merely and informative message.
In the case where all clients are using LDAP, then this message means that a DSP
backbone link from another DSA has exceeded the value of "max-dsp-credits".
DIP: time limit exceeded
This message only applies to search operations and means that the search has
taken longer than the configured op time limit, or the requested time limit in the
search controls.
Messages and Logs
C–15
Alias Errors
WARNING: ssld_ssl_request failed – certificate error?
Reason:
This message means that there was an error with a certificate. This error will
appear with “-debug 0” is set. Setting debug level to 5 or 9 should help to find
the actual problem.
This could be due to:
■
Invalid or expired DSA personality
■
Invalid or expired root certificate
■
Invalid client certificate
■
An error with the client application
This warning may also occur when an LDAP client disconnects an SSL
connection. When an SSL connection is set up between a client and server the
two ssl daemons perform a handshake process to determine the encryption
cypher that will be used. When a server receives an unbind request then the
SSLD daemons perform another handshake operation to close the ssl session.
However, some LDAP clients perform a "close connection" rather than an
unbind. If this occurs then the server SSLD cannot send its close SSL session
request to the client as the connection between the client and the server has
already been closed. In this case the above warning will be produced.
This warning can occur even if the connection is only using SSL encryption (no
certificates involved). The certificate error is only an indication of the possible
error.
Alias Errors
Aliases are a powerful mechanism for alternate naming. However, when you do
not use them properly, the result can be inconsistent DITs and degraded
performance.
Managing aliases properly is an application design issue. When you disable alias
integrity, the DSA does not prevent the creation of aliases to nonexistent objects.
It detects and reports invalid aliases only when it encounters them.
You should enable alias integrity. This prevents the creation of dangling aliases—
that is, aliases that point to no object entry.
See The Directory Information Base in the chapter “General Administration” for
more information about DIB commands.
C–16
eTrust Directory Administrator Guide
Service Errors
Service Errors
In rare circumstances, the DSA may find an inconsistency that is outside the
X.500 standard (for example, corrupt database tables). In this case, an X.500 error
is returned with a message sent to the console, as shown below:
Service Error: Directory unwilling to perform
If such a situation arises, contact Computer Associates Technical Support at
http://supportconnect.ca.com.
Advantage Ingres Errors
DXserver relies heavily on Advantage Ingres for database integrity and
processing. Usually, appropriate Advantage Ingres error codes will accompany
any database problems.
An example of the syntax of the Advantage Ingres errors reported by DXserver is
as follows:
DSA: DIB-001: Can't logon to database 'temp'
E_US0010 Database does not exist
The first line is a general error message produced by DXserver. The second line is
the Advantage Ingres error. (See the appropriate Advantage Ingres
documentation for details.)
If an Advantage Ingres error occurs, then more detail can be obtained from the
Advantage Ingres error log.
In an extreme case, a database can be corrupted. You can usually correct this by
restoring a backup and, if journaling was enabled, rolling forward all changes
that occurred after the backup. If this is not possible or the situation still exists,
you can use a number of other Advantage Ingres tools with the help of CA
Technical Support.
Some possible errors with their solutions are:
E_LQ0001 Failed to connect to DBMS session
Action:
Determine whether Advantage Ingres is running (for example, use the UNIX
command ps).
Messages and Logs
C–17
Advantage Ingres Errors
E_US000C You are not a valid Ingres user
Action:
As the UNIX user ingres (the Advantage Ingres superuser account) run accessdb,
and authorize UNIX user dsa to use the database.
E_US0DAE SELECT on table dit: no GRANT permission
Action:
Run the DSA from the UNIX user account dsa.
E_US0028 Could not open the iidbdb database
Action:
Check that you installed Advantage Ingres by running the Advantage Ingres
command ingbuild.
C–18
eTrust Directory Administrator Guide
Appendix
D
Installing eTrust Directory for
Windows
This appendix explains how to install eTrust Directory for Windows systems.
Note: Throughout this guide, references to Advantage Ingres include both
Ingres II and OpenIngres, unless one or the other is explicitly specified.
Installing eTrust Directory for Windows
D–1
Installation Overview
Installation Overview
The eTrust Directory setup programs automate the installation processes. These
programs check which eTrust Directory components are installed and up-todate, and either install or upgrade those components that are missing or old.
To install eTrust Directory, perform the following activities:
1.
Check the system and disk requirements.
2.
Install or upgrade the directory components of eTrust Directory.
3.
(Optional) Install or upgrade the web components of eTrust Directory.
4.
(Optional) Run the sample scripts to install the three sample directories, the
technology previews, and the sample tools.
eTrust Directory Components
The eTrust Directory installation is split into the following two sections, which
you can install separately or on the same computer:
■
■
D–2
Directory—The main eTrust Directory installation, which includes the
following modules:
-
DXserver—The eTrust Directory server, DXtools, and DXconsole
-
Ingres—A CA open-source database, which is required by DXserver if
the data repository is used
-
JXplorer—An LDAP client that lets you browse and update a directory
-
Documentation—PDF product manuals
-
Samples—Sample DSAs and sample tools for working with DXserver
Web Components—Optional web-based modules, including the following
modules:
-
DXmanager—A web-based tool for monitoring and administration
-
JXweb—A web-based LDAP client that lets you browse a directory
-
UDDI Server—A UDDI repository that functions as a business directory.
The UDDI Server requires DXserver.
-
UDDI Client—A web-based browser for the UDDI Server
-
Samples—Sample web applications, including a DSML server, a SAML
server, and a UDDI demonstration.
eTrust Directory Administrator Guide
Installation Overview
Default Installation Locations
By default, the eTrust Directory components are installed into the directories
listed in the following table. You can change these locations in a custom
installation.
Component
Default Directory
DXserver
C:\Program Files\CA\eTrust Directory\dxserver
Advantage Ingres
C:\Program Files\CA\Advantage Ingres [ET]\ingres
JXplorer
C:\Program Files\CA\eTrust Directory\jxplorer
DXwebserver
C:\Program Files\CA\eTrust Directory\dxwebserver
Documentation
C:\Program Files\CA\eTrust Directory\documentation
DXconsole
C:\Program Files\CA\eTrust Directory\ttermpro
Sample Directories and
Sample Tools
C:\Program Files\CA\eTrust Directory\samples
Sample Web
Applications
C:\Program Files\CA\eTrust Directory\dxwebserver\samples
The %DXHOME% Location
Throughout this guide, %DXHOME% refers to the location in which DXserver is
installed on your computer. This location is set in the DXHOME environment
variable.
For example, in a default installation, %DXHOME% is C:\Program
Files\CA\eTrust Directory\dxserver.
Installation Logging
All installations are logged.
If the DXHOME environment variable is defined, the installation log file is
created in %DXHOME%. If DXHOME is not defined, the installation log is
created in %TEMP%.
Installing eTrust Directory for Windows
D–3
Installation Overview
Upgrade eTrust Directory
If you have the enterprise version of eTrust Directory, you can upgrade this by
following the installation instructions in this chapter.
If you are using a version of eTrust Directory that is embedded in another
product, you must use the upgrade package from the embedding product.
Each embedding product that installs eTrust Directory has a specific process for
upgrading eTrust Directory and if this is not followed, the products will not
work as intended.
For example, if you use eTrust SSO and the embedded version of eTrust
Directory that comes with it, you must use an eTrust SSO package to upgrade
both products.
Upgrade Advantage Ingres
For a new installation, eTrust Directory embeds the single-byte version of
Advantage Ingres II 2.6 SP2, with the installation code ET. The installation
performs a standard tuning of the database parameters. You can customize these
parameters.
For an upgrade to an existing configuration, check the Readme to find out how
eTrust Directory works with the various versions of Advantage Ingres.
If you currently use Advantage Ingres 2.0 or 2.5, check with Computer
Associates’ Technical Support to find out whether the applications that use your
existing version of Advantage Ingres also support Advantage Ingres 2.6.
eTrust Directory ships with a default configuration of 64 database connections.
However, if you are upgrading from a previous version of eTrust Directory, the
previous limit of 32 connections applies.
If you plan to have many data DSAs running on the same machine, read the
section Increasing the Number of Database Connections in the appendix
“Tailoring the RDBMS”.
D–4
eTrust Directory Administrator Guide
Installation Overview
Embedded eTrust Identity and Access Management
The eTrust Directory Web Components installation includes an embedded
version of eTrust Identity and Access Management. This is a security module
that DXmanager uses to make sure that your directory system is protected.
If you install DXmanager, you will have to enter details about how the
embedded eTrust Identity and Access Management module will work.
The installation gives you four options for installing the module:
■
■
■
■
Install new local eIAM Server—Installs a new eIAM Server on the same
computer as DXmanager. You will have to supply a password for the user
EiamAdmin.
Install new local eIAM Server with an external user store—You will be
prompted to close the installation program, and go back to the Product
Explorer, where you should install eIAM from the Supporting Products
section.
You might choose this option if you want to reference another user store, or
if you want to install the eIAM server on another computer.
Reference existing local eIAM Server—Lets you reference an existing
installed eIAM Server on the local computer. You will have to supply a
password for the user EiamAdmin.
Reference existing remote eIAM Server—Lets you reference an existing
eIAM server on a remote computer. You will have to supply a password for
the user EiamAdmin.
Installing eTrust Directory for Windows
D–5
Install eTrust Directory Using the Product Explorer
Install eTrust Directory Using the Product Explorer
This section describes how to install eTrust Directory and the eTrust Directory
Web Components using the Product Explorer.
Step 1. Check System and Disk Requirements
This section lists the checks you should make before you install eTrust Directory.
Check the System Requirements
Check the Readme for system requirements.
The disk space required for directory information is approximately 20 times the
raw data size. This provides space for backups, journals, indexing, tuning,
import, and preprocessing.
Back Up Data
If you are upgrading from an earlier version, back up your schema files.
Design the Disk Configuration
To improve recovery and performance, you should store the database
information on a separate physical disk from the product files. Be sure that the
drives you choose are actually on separate physical disks. Do not use a single
physical disk partitioned into multiple drives.
In the following example of the layout of a typical installation, the C and D
drives are on separate physical disks:
The C drive
eTrust Directory product files
Advantage Ingres product files
Advantage Ingres transaction log
The D drive
Directory information (database files)
Advantage Ingres checkpoints (database backups)
Advantage Ingres journals
Advantage Ingres work area
In Windows Explorer, partitions local to the computer have Local Disk in the
Type column. You can configure and view logical and physical drives using the
Windows Disk Administrator.
For more information about disk configurations such as mirrored disks and RAID,
contact Computer Associates Technical Support at http://supportconnect.ca.com.
D–6
eTrust Directory Administrator Guide
Install eTrust Directory Using the Product Explorer
Step 2. Install eTrust Directory
To install eTrust Directory:
1.
Stop all applications that may have current open connections to an
Advantage Ingres database.
2.
Log in as a user with administrator privileges.
3.
Insert the eTrust Directory CD. The Product Explorer starts automatically.
If the Product Explorer does not start automatically, double-click on
PE_i386.exe in the top-level directory of the CD.
4.
If you plan to use JXplorer, install JRE from the Supporting Products list.
5.
Navigate to Directory for Windows and click Install.
6.
To install eTrust Directory now, select the option Install eTrust Directory.
To create a response file that can be used to install eTrust Directory silently
on many computers, select the option Build response file for unattended
installation. For information about response files, see the section Install
Silently Using Response File.
7.
Follow the instructions on the installation screens until you come to the
Setup Type screen.
To install DXserver, Ingres, JXplorer and the documentation in their default
locations, select Complete and click Next, then skip to step 9.
To choose which components to install, choose Custom Setup and click Next.
8.
Select options for the components you are installing.
If you are an advanced user, you can click the Options button to configure
some aspects of Advantage Ingres. For more information, see the section
Upgrade Advantage Ingres.
9.
When you have selected the components and selected the appropriate
options, the Setup wizard displays a message telling you that it is ready to
install the selected files.
Use the Back button to review your selections before finalizing the
installation.
10. When the installation is complete, the Advantage Ingres Intelligent Database
service starts automatically, and the sample scripts run if you selected this
option. The samples are run in a default installation, but not in a default
upgrade from a previous eTrust Directory version.
You do not have to reboot the computer after installation.
Installing eTrust Directory for Windows
D–7
Install eTrust Directory Using the Product Explorer
Step 3. (Optional) Install eTrust Directory Web Components
You can install the web components of eTrust Directory on a different computer
from the main directory components.
To install eTrust Directory Web Components:
1.
Log in as a user with administrator privileges.
2.
Insert the eTrust Directory CD. The Product Explorer starts automatically.
If the Product Explorer does not start automatically, double-click on
PE_i386.exe in the top-level directory of the CD.
3.
If Java Runtime Environment is not already installed, install it from the
Supporting Products list.
4.
If you plan to use the UDDI Server, make sure that the directory component
is already installed.
5.
Navigate to the section eTrust Directory Web Components, and click on the
Windows option.
6.
To install the web components now, click the select the option Install eTrust
Directory Web Components Now.
To create a response file that can be used to install eTrust Directory Web
Components silently on many computers, select the option Build response
file for unattended installation. For information about creating and using
response files, see the section Install Silently Using Response File.
7.
Continue to follow the instructions on the installation screens.
8.
Select options for the components you are installing.
9.
When you have selected the components and selected the appropriate
options, the Setup wizard displays a message telling you that it is ready to
install the selected files.
Use the Back button to review your selections before finalizing the installation.
D–8
eTrust Directory Administrator Guide
Install eTrust Directory Using the Product Explorer
Step 4. (Optional) Install the Samples and Technology Previews
eTrust Directory comes with sample directories, technology previews, and tools.
Install the Sample Directories
You can only set up the sample directories if you have installed the directory
components of eTrust Directory.
In a default installation of the directory components, these samples are installed
but not set up. You need to install each sample you want to work with.
The schema used by the Democorp sample has changed since eTrust Directory
3.6 SP2. You should reinstall the samples by running the setup script in the
Router, Democorp, and UNSPSC directories.
Important! If you run these scripts, any existing data in the Democorp and UNSPSC
databases will be lost.
To set up the sample directories:
1.
Log in as the DXserver administrator.
2.
Open Windows Explorer, and navigate to the %DXHOME%\samples\democorp
directory.
3.
Run setup.bat.
4.
Navigate to the %DXHOME%\samples\unspsc directory.
5.
Run setup.bat.
6.
Navigate to the %DXHOME%\samples\router directory.
7.
Run setup.bat.
Install the Sample Tools
eTrust Directory includes ten sample tools that you can use to work with your
DSAs.
You can only set up the sample tools if you have installed the directory
components of eTrust Directory.
In a default installation of the directory components, these samples are installed
but not set up. You need to install each sample you want to work with.
■
To install each of these sample tools, run the scripts in the directories under
the directory %DXHOME%\samples.
For more information, see the chapter “Samples”, and the Readme in each of the
samples sub-directories.
Installing eTrust Directory for Windows
D–9
Install eTrust Directory Using the Product Explorer
Install the Technology Previews
You can only set up the technology previews if you have installed the web
components of eTrust Directory.
In a default installation of the web components, these previews are installed but
not set up. You need to install each preview you want to work with.
These technology previews are not covered by your usual CA Support. However,
your feedback is very welcome. Please see the Readme files in each sample
directory for how to let us know about your comments or questions.
For more information, see the chapter “Samples”.
To install the Democorp version of JXweb:
1.
Navigate to \dxwebserver\samples\democorp.
2.
Run setup.bat.
To install the UDDI demonstration:
1.
Navigate to \dxwebserver\samples\uddi\uddiv3-demo .
2.
Run setup.bat.
To install the DSML server technology preview:
D–10
1.
Navigate to \dxwebserver\samples\dsml.
2.
Run setup.bat.
eTrust Directory Administrator Guide
Install eTrust Directory Using Commands
Install eTrust Directory Using Commands
You can install eTrust Directory and eTrust Directory Web Components using
the commands dxsetup and dxwebsetup.
The dxsetup Command
You can use the dxsetup command to install the main directory components.
dxsetup [-write_responses filepath/filename] [ADDLOCAL=value] [option-value]
where:
■
-write_responses creates a response file
■
the values and arguments are any of the following:
ADDLOCAL Value
Description
ALL
Installs all components
CA_LICENSE
Installs the CA license. Must be added with DXserver and Advantage Ingres
DXServer
Installs DXserver, must also use CA_LICENSE
ETRDocumentation
Installs the eTrust Directory documentation
IngresDBMS,IngresNet Installs Ingres 2.6 with the installation code ET
JXplorer
Installs JXplorer (requires JRE 1.4.2)
TeraTerm
Installs DXconsole, which traces DXserver
Option
Value
Description
ETRDIR_DXSERVER_SAMPLES
1
DXserver samples will be set up during installation.
ETRDIR_SHORTCUTS
1
All start menu shortcut are installed (default).
ETRDIR_SILENT_INSTALL
1
No prompts are displayed, and an installation log is
created in ..\%DXHOME%.
ETRDIRBASEPATH
path
The location for the whole installation.
ETRDIR_DOCO_DESTINATION
path
The eTrust Directory documentation location.
ETRDIR_DXSERVER_DESTINATION
path
The DXserver location.
ETRDIR_JXPLORER_DESTINATION
path
The JXplorer location.
ETRDIR_TERATERM_DESTINATION
path
The DXconsole location.
ETRDIR_BASIC_UI_INSTALL
1
A small progress bar appears during installation.
Installing eTrust Directory for Windows
D–11
Install eTrust Directory Using Commands
Option
Value
Description
INGRES_DESTINATION
path
The location for the whole Ingres installation.
INGRES_CKPDIR
path
The Ingres check point location.
INGRES_DATADIR
path
The Ingres data location.
INGRES_DMPDIR
path
The Ingres dump location.
INGRES_JNLDIR
path
The Ingres journal location.
INGRES_PRIMLOGDIR
path
The Ingres primary log file location.
INGRES_WORKDIR
path
The Ingres work location.
INGRES_LOGFILESIZE
size (MB) The size of the Ingres log file. Default: 64 MB.
The dxwebsetup Command
You can use the dxwebsetup command to install the web components of eTrust
Directory.
dxwebsetup [-write_responses filepath/filename] [ADDLOCAL=value] [option-value]
where:
■
-write_responses creates a response file
■
the values and arguments are any of the following:
ADDLOCAL Value
Description
ALL
Installs all components
DXmanager
Installs DXmanager, a DXserver management tool (requires DXwebserver)
DXwebservers
Installs the Tomcat web server (requires JRE 1.4.2).
JXweb
Installs JXweb (requires DXwebserver)
Uddi
Installs the UDDI Server (requires DXServer, IngresDBMS and DXwebserver)
UddiClient
Installs the UDDI Client (requires DXwebserver)
Option
Value
Description
ETRDIR_DXWEBSERVER_DESTINATION
path
The DXwebserver location.
ETRDIR_SILENT_INSTALL
1
No prompts are displayed, and an installation log
is created in ..\%DXHOME%.
ETRDIR_BASIC_UI_INSTALL
1
A small progress bar appears during installation.
D–12
eTrust Directory Administrator Guide
Install eTrust Directory Using Commands
Limit on Number of Characters in the Commands
The Windows command line may limit the number of characters in a single
command. This could be a problem if you want to set the installation
destinations for many eTrust Directory components.
To avoid using a very long command, use the ETRDIRBASEPATH argument to
set the location for the entire installation, instead of setting the location of each
component separately.
Example Commands
The following sections show some example commands.
Install All
Components Except
Samples
To install eTrust Directory with all components except the samples, run the
following command:
Install DXmanager
only
To install only DXmanager, you must also install DXwebserver. To install them
to to the default location, run the following command:
dxsetup ADDLOCAL=ALL ETRDIR_DXSERVER_SAMPLES=0
dxwebsetup ADDLOCAL=DXwebServers,DXmanager
Install DXserver,
Ingres, and CA
Licensing only
Install JXplorer only
To install DXserver, Advantage Ingres 2.6 [ET] and CA licensing to the default
location, run the following command:
dxsetup ADDLOCAL=DXServer,IngresDBMS,IngresNet,CA_LICENSE
ETRDIR_DXSERVER_SAMPLES=1
To install only JXplorer to the specified installation directory, run the following
command:
dxsetup ADDLOCAL=JXplorer ETRDIR_JXPLORER_DESTINATION=f:\Mynewdirectory\jxplorer
File Path that Includes
Spaces
If a file path includes spaces, surround the path with quotes. For example:
dxsetup ADDLOCAL=JXplorer ETRDIR_JXPLORER_DESTINATION=”f:\My directory\jxplorer”
Installing eTrust Directory for Windows
D–13
Install eTrust Directory Silently
Install eTrust Directory Silently
You can install eTrust Directory silently (or unattended). This means that no user
input is required during the installation process, and no feedback from the
installation process appears on the screen.
To install eTrust Directory silently, you need to provide the information that
would normally be supplied by the user during installation in one of the
following two ways:
■
As options with the dxsetup command
■
In a response file
If you plan to silently install JXplorer or any of the web components, Make sure
that the correct version of the Java Runtime Environment has been installed.
Install Silently Using Commands
To silently install the main directory components of eTrust Directory, use the
following command:
dxsetup ETRDIR_SILENT_INSTALL=1 [ADDLOCAL=values]
To silently install the web components of eTrust Directory, use the following
command:
dxwebsetup ETRDIR_SILENT_INSTALL=1 [ADDLOCAL=values]
See the section Install eTrust Directory Using Commands for descriptions of the
command options.
Example: Silently
Install Using the
dxsetup Command
To silently install eTrust Directory with all components except the samples, run
the following command from …\CD ROM drive\dxserver\windows:
Example: Silently
Install UDDI Server
Only
To silently install UDDI Server only, run the following command from …\CD
ROM drive\dxserver\windows:
D–14
dxsetup ETRDIR_SILENT_INSTALL=1 ADDLOCAL=ALL ETRDIR_DXSERVER_SAMPLES=0
dxwebsetup ETRDIR_SILENT_INSTALL=1 ADDLOCAL=Uddi,DXwebservers
eTrust Directory Administrator Guide
Install eTrust Directory Silently
Install Silently Using Response Files
The response file is a text file that supplies the arguments to be used during the
installation process. This input would usually be supplied by the user as they
install eTrust Directory or eTrust Directory Web Components.
A response file must contain data that you cannot create using a text editor. To
create a new response file, you must use the Product Explorer on the CD
Create a Response File
To create a response file, follow these steps:
1.
On a computer that does not have eTrust Directory installed on it, log in as a
user with administrator privileges.
2.
Insert the eTrust Directory CD. The Product Explorer starts automatically.
If the Product Explorer does not start automatically, double-click on
PE_i386.exe in the top-level directory of the CD.
3.
To create a response file for the directory components, navigate to Directory
for Windows and click Install.
To create a response file for the web components, navigate to Web
Components for Windows and click Install.
4.
Select the option Build response file for unattended installation, then click Next.
5.
If you accept the terms of the license agreement, scroll to the bottom of the
license agreement, then click I Agree.
6.
In the Response File Installation Options page, set the following options:
-
The location of the response file.
-
The name of the response file. This file can have any extension.
-
The level of feedback to be given during installation.
The option Small progress bar makes a bar appear during installations
that are controlled by this response file.
The option No dialogs makes the installation truly silent.
6.
Continue the installation as you would for a direct installation.
7.
When you have selected the components and selected the appropriate
options, the Setup wizard displays a message that it is ready to create the
response file.
Use the Back button to review your selections before creating the response file.
Installing eTrust Directory for Windows
D–15
Install eTrust Directory Silently
Install Using Response Files
To use a response file to install the main directory components, use the following
command:
dxsetup -responsefile filepath\filename
To use a response file to install web components, use the following command:
dxwebsetup -responsefile filepath\filename
where:
D–16
■
-responsefile sets the installation to use a response file
■
filepath/filename is the path to the response file you created
eTrust Directory Administrator Guide
Embed eTrust Directory in Another CA Product
Embed eTrust Directory in Another CA Product
eTrust Directory can be installed as an embedded product so that other CA
products can use its features in their product.
The information that the user would usually supply during the installation
process are supplied as options with the dxsetup command.
How Installation Codes Work
Only one product can use a particular installation code. They must also never
change this installation code. Each installation code is recorded, so as not to
affect any other instances of eTrust Directory. They must also use this installation
code to uninstall eTrust Directory.
This means that other CA products can install eTrust Directory using their own unique
installation code. Then, if eTrust Directory needs to be removed, the customer can
remove it without removing anything that the embedding product requires.
As with silent installation, you can put the embedded and installation code
commands on the one command line.
To find out which installation codes are supported, contact CA Support.
Install eTrust Directory as an Embedded Module
To install the main directory components as an embedded module, use the
following command:
dxsetup ETRDIR_DXSERVER_EMBEDDED=1 CALLER_ID=callerID [ADDLOCAL=values [arguments]
]
where:
■
■
ETRDIR_DXSERVER_EMBEDDED=1 specifies that this is an embedded
installation
CALLER_ID callerID uniquely identifies the embedding customer.
To install the web components as an embedded module, use the following
command:
dxwebsetup ETRDIR_DXWEBSERVER_EMBEDDED=1 CALLER_ID=callerID [ADDLOCAL=values
[arguments] ]
where:
■
■
ETRDIR_DXSERVER_EMBEDDED=1 specifies that this is an embedded
installation
CALLER_ID callerID uniquely identifies the embedding customer.
Installing eTrust Directory for Windows
D–17
Embed eTrust Directory in Another CA Product
Uninstall eTrust Directory After an Embedded Installation
The installation code must be used to uninstall eTrust Directory.
The uninstallation process determines if no more products require eTrust
Directory and remove the product accordingly. If other products are using eTrust
Directory then the uninstall will remove only the reference counter for that caller,
and not the eTrust Directory components used by the other callers.
Example: Install and
Uninstall the Directory
Components within
eTrust Web Access
Control
The following command installs embedded eTrust Directory silently as part of
the product eTrust Web Access Control:
dxsetup ADDLOCAL=ALL ETRDIR_DXSERVER_EMBEDDED=1 ETRDIR_SILENT_INSTALL=1
CALLER_ID=ETWAC
To silently uninstall embedded eTrust Directory as ETWAC:
dxsetup REMOVE=ALL ETRDIR_DXSERVER_EMBEDDED=1 ETRDIR_SILENT_INSTALL=1
CALLER_ID=ETWAC
D–18
eTrust Directory Administrator Guide
Troubleshooting
Troubleshooting
Error 267 or Error 1606
Reason:
These errors occur when there are some inconsistencies with the Windows
Installer DLL.
This usually occurs because a reboot was not performed when Windows Installer
was upgraded. This problem can also occur when you are upgrading from eTrust
Directory 3.6.
Action:
To prevent this problem from occurring or to fix this error if it has already
happened, use the eTrust Directory Cleanup tool, which is located under
Unsupported on the eTrust Directory installation CD. To run this tool, use the
following command:
CleanReg.exe -fixup267
Error 1605 Could not retrieve Version String
Reason:
This error appears when the registry has rogue entries under the Windows
Installer areas. These are usually from an aborted uninstall, or a failed uninstall.
Action:
Use the eTrust Directory Cleanup tool, which is located under Unsupported on
the eTrust Directory installation CD. To run this tool, use this command:
CleanReg.exe -all
Error 1639 Invalid Command Line Argument
Reason:
This error can occur when you install eTrust Directory using commands.
Action:
If you receive this error, check the following:
■
All arguments must be in the form of =. i.e ETRDIR_SILENT_INSTALL=1
■
All characters A-Z from the PROPERTY must be uppercase.
■
All paths specified in the VALUE must have quotes if they contain spaces.
For example, FOLDER="c:\Program Files\CA"
Installing eTrust Directory for Windows
D–19
Troubleshooting
Can’t Connect to eTrust Directory from Remote Computer (Windows XP SP2)
After you install Windows XP SP2, you may not be able to connect to eTrust
Directory from another computer.
Reason:
This is because the firewall is on by default. If you disable the firewall then you
do not need to configure anything (all ports are open).
Action:
If the Windows XP firewall is on, follow these steps to enable a program by using
this firewall:
1.
Open Control Panel.
2.
Click Windows Firewall.
3.
In the Windows Firewall dialog box, click the Exceptions tab, and then click
Add Program.
4.
In the Add a Program dialog box, click Browse to locate dxserver.exe. (This
will open all the ports that eTrust Directory uses)
5.
After you select the program, click OK.
6.
On the Exceptions tab, make sure that the checkbox next to dxserver.exe is
selected, and then click OK.
If you later decide that you do not want the program to be an exception, clear
this check box.
If you cannot identify the ports that are used by the program, you can open a
port manually. To manually open a port, follow these steps:
1.
Open Control Panel
2.
Click Windows Firewall.
3.
On the Exceptions tab, click Add Port.
4.
In the Add a Port dialog box, type the number of the port that you want to
open in the Port Number box. For example, type 2123 for DXadmind, and
then click TCP.
5.
Type a name for the port, and then click OK. For example, type DXadmind.
6.
On the Exceptions tab, notice that the new service is listed. To enable the
port, click to select the check box next to the service, and then click OK
To only allow connections to a specific DSA and block all the DSAs on the
computer:
D–20
1.
Do not add dxserver.exe to the exception list.
2.
Add the port number for that specific DSA. For example, add port number
19389 for access to the Democorp DSA only.
eTrust Directory Administrator Guide
Troubleshooting
Installing eTrust Directory for Windows
D–21
Appendix
E
Installing eTrust Directory for UNIX
This appendix explains how to install eTrust Directory for UNIX and Linux
systems.
Note: Throughout this guide, references to Advantage Ingres include both
Ingres II and OpenIngres, unless one or the other is explicitly specified.
Installing eTrust Directory for UNIX
E–1
Installation Overview
Installation Overview
The eTrust Directory setup programs automate the installation processes. These
programs check which eTrust Directory components are installed and up-todate, and either install or upgrade those components that are missing or old.
To install eTrust Directory, perform the following activities:
1.
Check the system and disk requirements.
2.
Install or upgrade the directory components of eTrust Directory.
3.
(Optional) Install or upgrade the web components of eTrust Directory.
4.
(Optional) Run the sample scripts to install the three sample directories, the
technology previews, and the sample tools.
eTrust Directory Components
The eTrust Directory installation is split into the following two sections, which
you can install separately or on the same computer:
■
■
E–2
The dxsetup program—The main eTrust Directory installation, which
includes the following modules:
-
DXserver—The eTrust Directory server, DXtools, and DXconsole
-
Ingres—A CA open-source database, which is required by DXserver if
the data repository is used
-
JXplorer—An LDAP client that lets you browse and update a directory
-
Documentation—PDF product manuals
-
Samples—Sample DSAs and sample tools for working with DXserver
The dxwebsetup program—Web-based modules, which can be installed on
a different computer to the main directory installation. This includes the
following modules:
-
DXmanager—A web-based tool for monitoring and administration
-
JXweb—A web-based LDAP client that lets you browse a directory
-
UDDI Server—A UDDI repository that functions as a business directory.
-
UDDI Client—A web-based browser for the UDDI Server
-
Samples—Sample web applications, including a DSML server, a SAML
server, and a UDDI demonstration.
eTrust Directory Administrator Guide
Installation Overview
Default Installation Locations
This table lists the locations into which the eTrust Directory components are
installed in a default installation.
Component
Default Directory
DXserver
/opt/CA/eTrustDirectory/dxserver
Advantage Ingres
/opt/CA/AdvantageIngresET/ingres
JXplorer
/opt/CA/eTrustDirectory/jxplorer
DXwebserver
/opt/CA/eTrustDirectory/dxwebserver
JRE
/opt/CA/eTrustDirectory/jre
Documentation
/opt/CA/eTrustDirectory/documentation
Sample Directories and /opt/CA/eTrustDirectory/dxserver/samples
Sample Tools
Sample Web
Applications
/opt/CA/eTrustDirectory/dxwebserver/samples
The $DXHOME Location
Throughout this guide, $DXHOME refers to the location in which DXserver is
installed on your computer. This location is set in the $DXHOME environment
variable.
For example, in a default installation, $DXHOME is
/opt/CA/eTrustDirectory/dxserver.
Installation Logging
All installations are logged.
If DXHOME is defined, the installation log file is created in $DXHOME/.. . If
DXHOME is not defined, the installation log is created in /tmp.
Installing eTrust Directory for UNIX
E–3
Installation Overview
Upgrade eTrust Directory
If you have the enterprise version of eTrust Directory, you can upgrade this by
following the installation instructions in this chapter.
If you are using a version of eTrust Directory that is embedded in another
product, you must use the upgrade package from the embedding product.
Each embedding product that installs eTrust Directory has a specific process for
upgrading eTrust Directory and if this is not followed, the products will not
work as intended.
For example, if you use eTrust SSO and the embedded version of eTrust
Directory that comes with it, you must use an eTrust SSO package to upgrade
both products.
Upgrade Advantage Ingres
For a new installation, eTrust Directory embeds the single-byte version of
Advantage Ingres II 2.6 SP2, with the installation code ET. The Advantage Ingres
RDBMS installation performs a standard tuning of the database parameters. You
can customize these parameters.
For an upgrade to an existing configuration, check the Readme to find out how
eTrust Directory works with the various versions of Advantage Ingres.
If you are currently running Advantage Ingres 2.0 or 2.5, check with Computer
Associates’ Technical Support to find out whether the applications that use your
existing version of Advantage Ingres also support Advantage Ingres 2.6.
You may want to set the Advantage Ingres log folder to a different disk drive for
improved performance.
eTrust Directory ships with a default configuration of 64 database connections.
However, if you are upgrading from a previous version of eTrust Directory, the
previous limit of 32 connections applies.
If you plan to have many data DSAs running on the same computer, read the
section Increasing the Number of Database Connections in the appendix
“Tailoring the RDBMS”.
E–4
eTrust Directory Administrator Guide
Installation Overview
User Accounts
eTrust Directory requires two user accounts to be set up:
■
dsa—An eTrust Directory administrator
■
ingres—An Ingres administrator
You can create these accounts manually before you install eTrust Directory, or
you can let the installation program create them.
If these accounts do not exist, the installation program will create them.
■
■
During a normal interactive installation, you will be prompted to create
passwords for these accounts.
After a silent installation, the accounts will be created without passwords.
You must manually assign passwords after the installation is complete.
Installing eTrust Directory for UNIX
E–5
Install eTrust Directory Using the Installation Program
Install eTrust Directory Using the Installation Program
This section describes how to install eTrust Directory using the installation
programs dxsetup and dxwebsetup.
Step 1. Check System and Disk Requirements
This section lists the checks you should make before you start installing eTrust
Directory.
Check System Requirements
Check the Readme for system requirements.
The disk space required for directory information is approximately 20 times the
raw data size. This provides space for backups, journals, indexing, tuning,
import, and preprocessing.
Back Up Data
If you are upgrading from an earlier version of eTrust Directory, make sure you
have adequate backups, including any changes to your schema files.
Verify CD-ROM Accessibility
Check that the CD-ROM is available.
You can install eTrust Directory and Advantage Ingres from either a local CDROM drive, or a remote CD-ROM drive on the same network.
Set Up User Permissions
If you are installing eTrust Directory from a local disk, you must ensure that the
parent directories have read and execute permissions for all users. This gives
newly added users (including dsa and ingres, which are created during the eTrust
Directory installation) permissions to access the tar files.
Note: You should never run DXserver as root.
E–6
eTrust Directory Administrator Guide
Install eTrust Directory Using the Installation Program
Check the Kernel Settings (Solaris and HP only)
Check the kernel settings and, if required, modify them. This is not required on
computers running Linux or AIX.
Check the Kernel Settings on Solaris
eTrust Directory on Solaris requires the following kernel settings:
Kernel Setting
Value
Description
seminfo_semmap
1
Max number of semaphore map entries
seminfo_semmni
100
Number of semaphore identifiers
seminfo_semmns
1000
Max number of semaphores
seminfo_semmnu
30
Number of semaphore undo structures
seminfo_semms1
50
seminfo_semopm
10
Max number of operations
seminfo_semume
10
Semaphore undo entries per process
seminfo_semusz
96
Size of undo structures
seminfo_semvmx
32767
Semaphore maximum value
seminfo_semaem
16384
Max value adjust on exit
shminfo_shmmax
100000000 Max shared mem segment
shminfo_shmmin
1
Min shared memory segment
shminfo_shmmni
100
Number of shared memory identifiers
shminfo_shmseg
10
Shared memory segments per process
To check that the …/etc/system file has the required settings, use the following
command:
./dxsetup.sh –check_kernel
This command returns the value 1 if kernel changes are required, and 0 if no
changes are required.
To update the kernel settings, use the following command:
./dxsetup.sh -reboot_kernel y|n
where:
■
y reboots the computer after the kernel parameters are modified
■
n leaves the computer running after the kernel parameters are modified
Installing eTrust Directory for UNIX
E–7
Install eTrust Directory Using the Installation Program
Check the Kernel Settings on HP
eTrust Directory on HP requires the following kernel settings:
Kernel Setting
Value
Description
sema
1
Enable sys V semaphores
semmap
1
Max number of semaphore map entries
semmni
100
Number of semaphore identifiers
semmns
1000
Max number of semaphores
semmmnu
30
Number of semaphore undo structures
semume
10
Semaphore undo entries per process
semvmx
32767
Semaphore maximum value
semaem
16384
Max value adjust on exit
shmem
1
Enable sys V shared memory
shmmax
100000000 Max shared mem segment
schmmni
100
Number of shared memory identifiers
schmseg
10
Shared memory segments per process
To update the kernel, use SAM:
E–8
1.
Run SAM as root.
2.
Set each parameter to the larger of the current or suggested values.
3.
Rebuild the kernel.
4.
Restart the computer.
eTrust Directory Administrator Guide
Install eTrust Directory Using the Installation Program
Design the Disk Configuration
To improve recovery and performance, you should store the database
information on a separate physical disk from the Advantage Ingres installation.
In the following example of the layout of a typical installation, the /local
partition is on a separate physical disk:
/opt/CA
DXserver product files
Advantage Ingres product files
Advantage Ingres transaction log
/local/CA
Directory information (database files)
Advantage Ingres checkpoints (database backups)
Advantage Ingres journals
Advantage Ingres work area
For information about disk configurations such as mirrored disks and RAID,
contact Computer Associates Technical Support at http://supportconnect.ca.com.
Installing eTrust Directory for UNIX
E–9
Install eTrust Directory Using the Installation Program
Step 2. Install eTrust Directory
The two eTrust Directory installation programs, dxsetup and dxwebsetup, are
located on the eTrust Directory CD-ROM.
These programs will ask a series of questions as the installation proceeds. In
general, you should use the defaults.
Step 2a. Run dxsetup
1.
Log in as root.
2.
If there is an existing Advantage Ingres installation on the system, stop
Advantage Ingres.
3.
Run the dxsetup installation program in one of the following ways:
-
Run dxsetup from the CD or from the location to which you copied the
CD contents. For example:
cd /dxserver/unix/install
./dxsetup.sh
-
Run dxsetup and include a parameter that specifies the location of the
installation files. For example:
./dxsetup.sh –r /dxserver/unix/install
4.
The Welcome dialog appears. It asks if you want to perform an express or
custom setup.
If you choose express setup, dxsetup installs eTrust Directory automatically,
with the default values shown in the table in the section Default Installation
Locations.
If you choose custom setup, dxsetup asks you for information during the
installation process.
E–10
eTrust Directory Administrator Guide
Install eTrust Directory Using the Installation Program
Step 2b. Configure the System Kernel
The dxsetup program checks the kernel configuration. This check ensures that
the settings in the …/etc/system file are at least as good as the settings listed in
the section Check the Kernel Settings.
This is done differently for the different platforms.
Solaris
The kernel is updated as part of the installation process:L
■
If the settings in the …/etc/system file are already correct, no action is taken.
■
If any of the settings do not exist, they are created.
■
If any of the settings already exist, their values are increased if necessary.
■
If any of these values are changed, the dxsetup program asks if you want to
restart the system. If you select n, dxsetup will exit.
See the section Check the Kernel Settings (Solaris and HP only) for how to check
the kernel settings manually.
HP-UX
Make sure that the kernel is already updated. See the section Check the Kernel
Settings (Solaris and HP only) for instructions.
Linux
Not applicable.
AIX
The kernel is updated automatically. No action is required.
Step 2c. Accept the License Agreement
Before the installation begins, you must view and agree to the license
agreements.
1.
The license agreement appears.
2.
When you have finished viewing the license, the dxsetup program asks:
Do you agree to the above license? (y/n) [ ]
-
If you select n, the installation process stops.
-
If you select y, the installation process continues.
-
If you select the default (blank), the question is repeated until you select
either y or n.
Installing eTrust Directory for UNIX
E–11
Install eTrust Directory Using the Installation Program
Step 2d. Set Up DXserver
1.
The dxsetup program asks if you want to install the DXserver software:
Do you want to install the DXserver software? (y/n/i/q) [y]
2.
If you select n, dxsetup quits.
If you select y, and dxsetup finds an existing DXserver installation, it asks if
you want to perform an upgrade. If you select y, the existing eTrust
Directory installation is backed up.
If you select y, and you are installing eTrust Directory for the first time, you
are prompted for the shell and password for the dsa user.
Enter the login shell for the dsa account [/bin/csh]
The dsa account requires a password
New password:
4.
The dxsetup program requests an installation directory for DXserver:
Please specify the DXserver installation directory
[/opt/CA/eTrustDirectory/dxserver]
Press Enter to accept the default directory, or enter the full pathname for a
different directory.
6.
The following confirmation message appears:
The directory /opt/CA/eTrustDirectory/dxserver will be created.
Do you wish to change the directory? (y/n) [n]
7.
Enter n to accept the directory.
Step 2e. Set Up the Documentation
1.
The dxsetup program asks if you want to install the documentation:
Do you want to install the eTrust Directory documentation? (y/n/i/q) [y]
2.
The dxsetup program then requests an installation directory for the
documentation:
Please specify the Documentation installation directory
[/opt/CA/eTrustDirectory/documentation]
Press Enter to accept the default directory, or enter the full pathname for a
different directory.
3.
The following confirmation message appears:
The directory /opt/CA/eTrustDirectory/documentation will be created.
Do you wish to change the directory? (y/n) [n]
4.
E–12
Enter n to accept the directory.
eTrust Directory Administrator Guide
Install eTrust Directory Using the Installation Program
Step 2f. Set Up Advantage Ingres
1.
The dxsetup program asks if you want to install the Advantage Ingres
software:
Do you want to install the Advantage Ingres software (y/n/i/q) [y]
2.
If you select y, and you are installing Advantage Ingres for the first time, you
are prompted for the shell and password for the Advantage Ingres user.
Enter the login shell for the ingres account [/bin/csh]
The ingres account requires a password
New password:
If you select n, dxsetup bypasses the Advantage Ingres installation section.
Ensure that you have adequate backups before performing an upgrade.
3.
The dxsetup program requests an installation directory for the Advantage
Ingres software:
Please specify the Advantage Ingres installation directory
[/opt/CA/AdvantageIngresET/ingres]
4.
Press Enter to specify the default directory
(/opt/CA/AdvantageIngresET/ingres), or provide the full pathname for an
alternate directory.
5.
When you press Enter, the confirmation message will appear.
The directory /opt/CA/AdvantageIngresET/ingres will be created.
Do you wish to change the directory? (y/n) [n]
6.
The installation program asks you if you want to specify separate locations
for data, work, checkpoint, dumps, and journals.
If you select Yes, you are asked to specify a separate location for each
component.
If you select No, the installation program asks you to specify the location of
the Advantage Ingres database directory:
Please specify the Advantage Ingres database directory
[/local/CA/AdvantageIngresET]
7.
Press Enter to accept the default directory (/local/CA/AdvantageIngresET),
or provide the full pathname for an alternate directory.
The directory /local/CA/AdvantageIngresET will be created.
Do you wish to change the directory? (y/n) [n]
8.
Enter n to accept the directory.
An ingres directory is added automatically to the path of the database
directory you select. For example, if you select /local2/IngresET, the
Advantage Ingres database directory is /local2/IngresET/ingres.
Installing eTrust Directory for UNIX
E–13
Install eTrust Directory Using the Installation Program
9.
You will then be prompted with a list of the time zones in that region.
This setting must be assigned one of the following values:
AFRICA
ASIA
AUSTRALIA
MIDDLE-EAST
NORTH-AMERICA
NORTH-ATLANTIC
SOUTH-AMERICA
SOUTH-PACIFIC
SOUTH-ASIA
GMT-OFFSET
Please enter one of the named regions:
10. You will then be asked to select from one of the time zones in the region.
11. When you enter one of the values, a confirmation message will appear.
The Time Zone you have selected is: timezone
Is this Time Zone correct? (y/n) [y]
Enter y to confirm your choice.
If dxsetup cannot upgrade a database, you will need to do this manually, using
the DXupgradedb tool.
To check for problems upgrading a database, look in the Ingres installation log files.
By default, these files are in the folder /opt/CA/AdvantageIngresET/ingres/files.
Step 2g. Set up DXadmind
1.
The dxsetup program asks for the details of DXadmind trusted hosts.
Please enter the Hostnames/IP Addresses of DXadmind Trusted Hosts.
Step 2h. Set Up JXplorer
1.
The dxsetup program asks if you want to install JXplorer:
Do you want to install the JXplorer browser software? (y/n/i/q) [y]
2.
The dxsetup program requests an installation directory for JXplorer:
Please specify the JXplorer installation directory
[/opt/CA/eTrustDirectory/jxplorer]
3.
Press Enter to choose the default directory, or provide the full pathname for
an alternate directory.
The directory /opt/CA/eTrustDirectory/jxplorer will be created.
Do you want to change the directory ? (y/n) [n]
4.
Enter n to accept the directory.
The dxsetup program installs the JXplorer files into the selected directory.
E–14
eTrust Directory Administrator Guide
Install eTrust Directory Using the Installation Program
Step 2i. Set Up Java Runtime Environment (JRE)
If you chose to install JXplorer, dxsetup checks to see if the Java Runtime
Environment (JRE) is already installed.
If JRE is installed:
■
If the installed version is up-to-date, dxsetup skips to the next section:
The existing java version 1.4.2_04 is newer/identical to the version supplied
with this package. JRE will not be upgraded.
■
If the installed version is not up-to-date, dxsetup upgrades JRE.
If JRE is not installed, the dxsetup program installs it:
1.
The dxsetup program requests an installation directory for the JRE:
Please specify the JRE installation directory. [/opt/CA/eTrustDirectory/jre]
2.
Press Enter to choose the default directory, or enter a different directory.
The directory [/opt/CA/eTrustDirectory/jre will be created.
Do you want to change the directory? (y/n) [n]
3.
Enter n to accept the directory.
Step 2j. Set Up the Sample Directories
1.
If you have installed Advantage Ingres, the dxsetup program asks if you
want to install the sample directories Democorp, UNSPSC, and Router:
Do you wish to start the sample directories (y/n) [y]
2.
If you select y, the samples will be installed and set up.
If you select n, the sample files will be installed, but they will not be set up.
Note: If you do not install Advantage Ingres, you cannot run the sample
scripts, and the system displays an error message.
The installation program installs eTrust Directory, using the settings you entered.
Installing eTrust Directory for UNIX
E–15
Install eTrust Directory Using the Installation Program
Step 3: (Optional) Install the Web Components
Step 3a. Run dxwebsetup
1.
The dxwebsetup program asks if you want to install DXwebserver:
Do you want to install the DXwebserver software? (y/n/i/q) [y]
2.
The dxwebsetup program requests an installation directory for
DXwebserver:
Please specify the DXwebserver installation directory
[/opt/CA/eTrustDirectory/dxwebserver]
3.
Press Enter to choose the default directory, or enter a different directory.
The directory /opt/CA/eTrustDirectory/dxwebserver will be created.
Do you want to change the directory ? (y/n) [n]
4.
Enter n to accept the directory.
Step 3b. Accept the License Agreement
Before the installation begins, you must view and agree to the license agreement.
1.
2.
The license agreement appears.
When you have finished viewing the license, the dxsetup program asks:
Do you agree to the above license? (y/n) [ ]
-
If you select n, the installation process stops.
-
If you select y, the installation process continues.
-
If you select the default (blank), the question is repeated until you select
either y or n.
Step 3c. Set Up Java Runtime Environment (JRE)
If the Java Runtime Environment (JRE) is already installed, the dxwebsetup
program checks the version:
■
If the installed version is up-to-date, dxwebsetup skips to the next section:
The existing java version 1.4.2_04 is newer/identical to the version supplied
with this package. JRE will not be upgraded.
■
If the installed version is not up-to-date, dxwebsetup upgrades JRE.
If JRE is not installed, the dxwebsetup program installs it:
1.
The dxwebsetup program requests an installation directory for the JRE:
Please specify the JRE installation directory. [/opt/CA/eTrustDirectory/jre]
2.
Press Enter to choose the default directory, or enter a different directory.
The directory [/opt/CA/eTrustDirectory/jre will be created.
Do you want to change the directory? (y/n) [n]
3.
Enter n to accept the directory.
The installation program installs the web components using the settings you entered.
E–16
eTrust Directory Administrator Guide
Install eTrust Directory Using the Installation Program
Step 4: (Optional) Install the Technology Previews and Sample Tools
This section describes how to set up the extras that come with eTrust Directory.
Install the Sample Directories
If you installed the samples but did not set them up, you can do this manually.
You need to install each sample you want to work with.
The schema used by the Democorp sample has changed since eTrust Directory
3.6 SP2. You should reinstall the samples by running the setup script in the
Router, Democorp, and UNSPSC directories.
Important! If you run these scripts, any existing data in the Democorp and UNSPSC
databases will be lost.
To set up the sample directories:
1.
Navigate to $DXHOME/samples/democorp.
2.
Run setup.sh.
3.
Navigate to $DXHOME/samples/unspsc.
4.
Run setup.bat.
5.
Navigate to $DXHOME/samples/router.
6.
Run setup.bat.
Install the Sample Tools
eTrust Directory includes sample tools that you can use to work with your DSAs.
In an express installation, these samples are installed but not set up. You need to
install each sample you want to work with.
■
To install each of these sample tools, run the scripts in the directories under
the directory $DXHOME/samples.
For more information, see the chapter “Samples”.
Installing eTrust Directory for UNIX
E–17
Install eTrust Directory Using the Installation Program
Install the Technology Previews
eTrust Directory comes with three technology previews that are examples of how
you can extend eTrust Directory, or are previews of upcoming features. For more
information, see the chapter “Samples”.
To install the Democorp version of JXweb:
1.
Navigate to dxwebserver/samples/democorp.
2.
Run setup.sh.
To install the UDDI demonstration:
1.
Navigate to dxwebserver/samples/uddi/uddiv3-demo.
2.
Run setup.sh.
To install the DSML server technology preview:
E–18
1.
Navigate to dxwebserver/samples/dsml.
2.
Run setup.sh.
eTrust Directory Administrator Guide
Install eTrust Directory Using Commands
Install eTrust Directory Using Commands
You can install eTrust Directory and the eTrust Directory web components using
the commands dxsetup and dxwebsetup.
The dxsetup Command
You can use the dxsetup command to install the main directory components:
./dxsetup.sh [options]
where the options are any of the following, in any order:
Option
Action
-nojxplorer
Install eTrust Directory without installing JXplorer
-nodocs
Install eTrust Directory without installing the user documentation
-noingres
Install eTrust Directory without installing Advantage Ingres. Only use this
option if DXserver will act as a router or a relay DSA. The DXserver directory
samples will not run, as these require a database.
-nosamples
Install eTrust Directory without installing the sample DSAs
-r source_directory
Run dxsetup from a remote location
-dxuser username
Allows a username other than the 'dsa' default
-silent
Installs eTrust Directory silently. This is ideantical to the -default option, which is
still valid.
-embedded
Installs eTrust Directory as a component embedded in another product
-caller_id caller_id
The installation code of the embedding product.
-list_callers
List all embedded installations of eTrust Directory. This does not install eTrust
Directory.
-write_responses
/filepath/filename
Create a response file that can be used to install eTrust Directory silently.
This does not install eTrust Directory.
-responsefile
/filepath/filename
Install eTrust Directory using the options listed in the response file.
This does not install eTrust Directory.
-check_kernel
(Solaris only) Checks if the kernel needs to be updated: returns 1 if kernel
changes are required, and returns 0 if no changes are required.
This does not install eTrust Directory.
-reboot_kernel y|n
(Solaris only) Modifies kernel parameters to allow installation, and then either
reboots the computer or leaves it running. If you enter y, the computer reboots
after the kernel parameters are modified. If you enter n, the computer is left
running. This does not install eTrust Directory.
Installing eTrust Directory for UNIX
E–19
Install eTrust Directory Using Commands
The dxwebsetup Command
Use the dxwebsetup command to install the web components of eTrust Directory:
./dxwebsetup.sh [options]
where the options are any of the following, in any order:
Option
Action
-r source_directory
Run dxwebsetup from a remote location
-silent
Installs the web components silently (no prompts are given to the user).
-embedded
Install eTrust Directory as a component embedded in another product
-caller_id caller_id
The installation code of the embedding product.
E–20
eTrust Directory Administrator Guide
Install eTrust Directory Silently
Install eTrust Directory Silently
You can install eTrust Directory silently (or unattended). This means that you
need to provide the information that would normally be supplied by the user
during installation in one of the following two ways:
■
In the command used to launch the installation
■
In a response file
Install Using Commands
During a silent installation, feedback is still printed to the screen. To suppress
this feedback, send the output to /dev/null:
./dxsetup.sh -silent >/dev/null
Install the Main eTrust Directory Components
1.
Change to the /dxserver/unix/install directory.
2.
Run the following command:
./dxsetup.sh -silent [options]
where options are the options listed in the table in the section The dxsetup
Command
3.
If the users dsa and ingres did not exist before, this installation created them
without passwords.
Run the passwd utility to assign passwords to the dsa and ingres users.
Example: Silently
Install DXserver Using
a COmmand
The following command installs only DXserver and DXtools, in the default
locations (the samples are not installed because Ingres is not installed):
./dxsetup.sh –silent –nojxplorer –nodxwebserver –nodocs –noingres
Install the eTrust Directory Web Components
1.
Change to the /dxserver/unix/install directory.
2.
Run the following command:
./dxwebsetup.sh> -silent [options]
where options are the options listed in the table in the section The dxsetup
Command
3.
If the user dsa did not exist before, this installation created it without a
password.
Run the passwd utility to assign a password to the dsa user.
Installing eTrust Directory for UNIX
E–21
Install eTrust Directory Silently
Install Using Response Files
A response file is a text file that supplies the arguments to be used during the
installation process. This input would usually be supplied by the user as they
install eTrust Directory.
When you create a response file, the license agreement appears, and if you agree
to the terms, a response file is created, using the options that you specify.
The eTrust Directory installation CD includes response filea that install the
components to the default locations shown in the table in the section Default
Installation Locations. You can edit these response files, or you can generate new
ones.
If you run an installation from a response file that has errors or omissions, error
messages are written to the screen, and the installation quits.
Install the Main eTrust Directory Components
To use a response file to install the main directory components, use the following
command:
./dxsetup.sh -responsefile /filepath/filename
where filepath/filename is the path to the response file
Install the eTrust Directory Web Components
To use a response file to install web components, use the following command:
./dxwebsetup -responsefile /filepath\filename
where filepath/filename is the path to the response file
Edit a Response File
The installation CD includes one response file for each of the two installation
modules:
■
The dxsetup response file: /dxserver/responsefile.txt
■
The dxwebsetup response file: /dxwebserver/responsefile.txt
To edit a response file:
E–22
1.
Copy the response file from the CD onto a computer.
2.
Edit the response file using a text editor.
eTrust Directory Administrator Guide
Install eTrust Directory Silently
Create a New Response File for the Main eTrust Directory Components
The default location for the response file is /tmp/etrdir8.rsp.
1.
To create a response file for the main directory components:
./dxsetup.sh -write_responses [/filepath/filename] [options]
where:
2.
-
/filepath/filename is the path to the new response file
-
options are the installation options listed in the section The dxsetup
Command
The installation program asks you for information as in a normal installation.
Create a New Response File for the Main eTrust Directory Components
The default location for the response file is /tmp/etrdir8.rsp.
1.
To create a response file for the web components:
./dxwebsetup.sh -write_responses [/filepath/filename] [options]
where:
2.
-
/filepath/filename is the path to the new response file
-
options are the installation options listed in the section The dxsetup
Command
The installation program asks you for information as in a normal installation.
Installing eTrust Directory for UNIX
E–23
Embed eTrust Directory in Another CA Product
Embed eTrust Directory in Another CA Product
eTrust Directory can be installed as an embedded product so that other CA
products can use its features in their product.
The information that the user would usually supply during the installation
process is supplied as options with the installation commands.
How Installation Codes Work
Only one product can use a particular installation code. Each product will always
use the same installation code. Each installation code is recorded, so as not to
affect any other instances of eTrust Directory. They must also use this installation
code to uninstall eTrust Directory.
This means that other CA products can install eTrust Directory using their own
unique installation code. Then, if eTrust Directory needs to be removed, the
customer can remove it without removing anything that the embedding CA
product requires.
All install commands can be used with the embedded and installation code
commands on the one command line.
To find out which installation codes are supported, contact CA Support.
Install the Main eTrust Directory Components as an Embedded Module
To install the main directory components as an embedded module, use the
following command:
./dxsetup.sh –embedded
-caller_id unique_id
where -caller_id unique_id uniquely identifies the embedding customer.
Install the Web Components as an Embedded Module
To install the web components as an embedded module, use the following
command:
./dxwebsetup.sh –embedded
-caller_id unique_id
where -caller_id unique_id uniquely identifies the embedding customer.
E–24
eTrust Directory Administrator Guide
Embed eTrust Directory in Another CA Product
Uninstall eTrust Directory after an Embedded Installation
The installation code must be used to uninstall an embedded version of eTrust
Directory.
The uninstallation process determines if no more products require eTrust
Directory and remove the product accordingly. If other products are using eTrust
Directory then the uninstall will remove only the reference counter for that caller,
and not the eTrust Directory components used by the other callers.
Example: Installing
and Uninstalling eTrust
Directory within eTrust
Web Access Control
The following command installs eTrust Directory silently with the installation
code ETWAC, which signifies that it is embedded within eTrust Web Access
Control:
./dxsetup.sh -default -embedded –caller_id ETWAC
To uninstall eTrust Directory that was installed with the installation code
ETWAC:
./dxuninst.sh -embedded –caller_id ETWAC
Installing eTrust Directory for UNIX
E–25
Troubleshooting
Troubleshooting
This section describes how to deal with problems that might occur during or
after installing or upgrading eTrust Directory.
Diagnosing Startup Problems with eTrust Directory or Ingres
On Solaris, eTrust Directory is started and stopped at system boot and shutdown
via the /etc/init.d/dxserver script. This starts and stops Ingres, SSL daemons,
the DXadmin daemon, and any DXserver processes marked for autostart.
This file writes a log called dxserver-rc.log usually in the DXserver logs
directory, $DXHOME/logs (if DXHOME is not defined for some reason then
look for this file in the /tmp directory). This log shows each of the processes
being started or stopped.
Prior to eTrust Directory 3.6, this file was called rc.log in the DXserver logs
directory. There should always be a dxserver-rc.log file in /tmp.
DXadmind Times Out after Upgrading
Reason:
This problem occurs because DXadmind is already started.
In a standard upgrade for DXserver, DXadmind is stopped and restarted once
the upgrade is complete. However if the installation for DXserver is cancelled
part-way, DXadmind may not have stopped and then when it tries to re-start, it
times out.
Action:
To check the status of DXadmind, type the following command:
dxadmind status
To fix the problem, run the following commands:
1.
Log in a the user DXserver Administrator (the default user is DSA).
2.
Stop DXadmind:
dxadmind stop all
3.
Re-start DXadmind:
dxadmind start all
E–26
eTrust Directory Administrator Guide
Troubleshooting
If DXadmind times out again, do the following steps:
1.
Type the following command:
ps -ef | grep dxadmind
The response includes a line similar to the following:
dsa 6204 1 0 21:23:34 ? 0:00 dxadmind start
2.
In the sample above, the number 6204 is the process number. You have to kill
that process by typing kill process number
Important! Ensure this number is typed correctly!
3.
Re-start DXadmind by typing the following command:
dxadmind start all
Note: To run the kill command, you can be logged in as root or dsa. However,
you need to be logged in as dsa to run the command dxadmind start.
Installing eTrust Directory for UNIX
E–27
Appendix
F
Licenses for Third-Party Products
eTrust Directory uses some third-party code. This appendix includes the license
agreements for that code.
See the Release Notes for a list of the components and version numbers.
Apache
This product includes software developed by the Apache Software Foundation
(http://www.apache.org/). The Apache software is distributed in accordance
with the following license agreement.
The Apache Software License, Version 1.1
Apache Ant 1.5.3
Copyright (C) 2000-2003 The Apache Software Foundation. All rights reserved.
Apache Axis 1.1
Copyright (c) 2002 The Apache Software Foundation. All rights reserved.
Apache Cactus 1.5
Copyright (c) 2001-2003 The Apache Software Foundation. All rights reserved.
Apache Jakarta-Oro 2.0
Copyright (c) 2000-2002 The Apache Software Foundation. All rights reserved.
Apache Log4j 1.2.8
Copyright (c) 1999 The Apache Software Foundation. All rights reserved.
Apache Tomcat 4.1.29
Copyright (c) 1999, 2000 The Apache Software Foundation. All rights reserved.
Apache Xalan C++ 1.6
Copyright (c) 1999 The Apache Software Foundation. All rights reserved.
Apache Xalan Java 2.5.2
Copyright (c) 1999-2003 The Apache Software Foundation. All rights reserved.
Licenses for Third-Party Products
F–1
Apache
Apache Xerces C++ 2.3
Copyright (c) 1999-2001 The Apache Software Foundation. All rights reserved.
Apache Xerces Java 2.6
Copyright (C) 1999-2003 The Apache Software Foundation. All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list
of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this
list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. The end-user documentation included with the redistribution, if any, must
include the following acknowledgment: "This product includes software
developed by the Apache Software Foundation (http://www.apache.org/)."
Alternately, this acknowledgment may appear in the software itself, if and
wherever such third-party acknowledgments normally appear.
4. The names "Ant", "Axis", "Cactus", "The Jakarta Project", "Jakarta-Oro", "log4j",
"Tomcat", "Xalan", "Xerces", "Apache" and "Apache Software Foundation" must
not be used to endorse or promote products derived from this software without
prior written permission. For written permission, please contact
[email protected].
5. Products derived from this software may not be called "Apache" or "JakartaOro", nor may "Apache" or "Jakarta-Oro" appear in their name, without prior
written permission of the Apache Software Foundation.
THIS SOFTWARE IS PROVIDED "AS IS'' AND ANY EXPRESSED OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE
SOFTWARE FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
F–2
eTrust Directory Administrator Guide
Morten’s JavaScript Tree Menu v2.3.2
Apache Ant, Axis, Cactus, Jakarta-Oro, Log4J and Tomcat consist of voluntary
contributions made by many individuals on behalf of the Apache Software
Foundation. For more information on the Apache Software Foundation, please
see <http://www.apache.org/>.
Portions of Apache Jakarta-Oro are based upon software originally written by
Daniel F. Savarese. We appreciate his contributions.
Apache Xalan C++ and Xalan Java consist of voluntary contributions made by
many individuals on behalf of the Apache Software Foundation and were
originally based on software copyright (c) 1999, Lotus Development Corporation,
http://www.lotus.com. For more information on the Apache Software
Foundation, please see <http://www.apache.org/>.
Apache Xerces C++ and Xerces Java consist of voluntary contributions made by
many individuals on behalf of the Apache Software Foundation and were
originally based on software copyright (c) 1999, International Business Machines,
Inc., http://www.ibm.com. For more information on the Apache Software
Foundation, please see <http://wwww.apache.org/>.
Morten’s JavaScript Tree Menu v2.3.2
This product includes software developed by Morten Wang & contributors. The
software is distributed in accordance with the following copyright and
permission notices.
Copyright (c) 2001-2002, Morten Wang & contributors All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this list
of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this
list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
* Neither the name "Morten's JavaScript Tree Menu" nor the names of its
contributors may be used to endorse or promote products derived from this
software without specific prior written permission.
Licenses for Third-Party Products
F–3
OpenLDAP
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
OpenLDAP
Portions of this product include software developed by the OpenLDAP
Foundation. The OpenLDAP software is distributed in accordance with the
following license agreement.
The OpenLDAP Public License
Version 2.8, 17 August 2003
Redistribution and use of this software and associated documentation
("Software"), with or without modification, are permitted provided that the
following conditions are met:
1. Redistributions in source form must retain copyright statements and notices,
2. Redistributions in binary form must reproduce applicable copyright
statements and notices, this list of conditions, and the following disclaimer in the
documentation and/or other materials provided with the distribution, and
3. Redistributions must contain a verbatim copy of this document.
The OpenLDAP Foundation may revise this license from time to time.
Each revision is distinguished by a version number. You may use this Software
under terms of this license revision or under the terms of any subsequent
revision of the license.
F–4
eTrust Directory Administrator Guide
OpenLDAP
THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND
ITS CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OPENLDAP
FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S) OR OWNER(S)
OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
OF SUCH DAMAGE.
The names of the authors and copyright holders must not be used in advertising
or otherwise to promote the sale, use or other dealing in this Software without
specific, written prior permission. Title to copyright in this Software shall at all
times remain with copyright holders.
OpenLDAP is a registered trademark of the OpenLDAP Foundation.
Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, California,
USA. All Rights Reserved. Permission to copy and distribute verbatim copies of
this document is granted.
The OpenLDAP Copyright Notice
Copyright 1998-2004 The OpenLDAP Foundation
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted only as authorized by the OpenLDAP Public License.
A copy of this license is available in the file LICENSE in the top-level directory of
the distribution or, alternatively, at
<http://www.OpenLDAP.org/license.html>.
OpenLDAP is a registered trademark of the OpenLDAP Foundation.
Individual files and/or contributed packages may be copyright by other parties
and subject to additional restrictions.
Licenses for Third-Party Products
F–5
OpenSSL
This work is derived from the University of Michigan LDAP v3.3 distribution.
Information concerning this software is available at
<http://www.umich.edu/~dirsvcs/ldap/>.
This work also contains materials derived from public sources.
Additional information about OpenLDAP can be obtained at
<http://www.openldap.org/>.
Portions Copyright 1998-2004 Kurt D. Zeilenga.
Portions Copyright 1998-2004 Net Boolean Incorporated.
Portions Copyright 2001-2004 IBM Corporation.
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted only as authorized by the OpenLDAP Public License.
Portions Copyright 1999-2003 Howard Y.H. Chu.
Portions Copyright 1999-2003 Symas Corporation.
Portions Copyright 1998-2003 Hallvard B. Furuseth.
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that this notice is preserved. The names of the copyright
holders may not be used to endorse or promote products derived from this
software without their specific prior written permission. This software is
provided ``as is'' without express or implied warranty.
Portions Copyright (c) 1992-1996 Regents of the University of Michigan.
All rights reserved.
Redistribution and use in source and binary forms are permitted provided that
this notice is preserved and that due credit is given to the University of Michigan
at Ann Arbor. The name of the University may not be used to endorse or
promote products derived from this software without specific prior written
permission. This software is provided ``as is'' without express or implied
warranty.
OpenSSL
Terms and Conditions for the Use of The OpenSSL Toolkit
F–6
eTrust Directory Administrator Guide
OpenSSL
Licensee agrees that the following terms (in addition to the applicable provisions
above) shall apply with respect to any open source provided by The OpenSSL
Project and Eric Young contained within the Product. Notwithstanding anything
contained in the CA End User License Agreement, solely with respect to such
open source, these terms are not superseded by any written agreement between
CA and Licensee:
Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
This product includes software developed by the OpenSSL Project for use in the
OpenSSL Toolkit (http://www.openssl.org/).
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ”AS IS” AND
ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young
([email protected]). This product includes software written by Tim Hudson
([email protected]).
Copyright (C) 1995-1998 Eric Young ([email protected]). All rights reserved.
The following conditions apply to all code found in this distribution, be it the
RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation
included with this distribution is covered by the same copyright terms except
that the holder is Tim Hudson ([email protected]).
This product includes software written by Tim Hudson ([email protected]).
Licenses for Third-Party Products
F–7
Sun Microsystems, Inc. Java Web Services Developer Pack
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ”AS IS” AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
OF SUCH DAMAGE.
Sun Microsystems, Inc. Java Web Services Developer Pack
READ THE TERMS OF THIS AGREEMENT AND ANY PROVIDED
SUPPLEMENTAL LICENSE TERMS (COLLECTIVELY "AGREEMENT")
CAREFULLY BEFORE OPENING THE SOFTWARE MEDIA PACKAGE. BY
OPENING THE SOFTWARE MEDIA PACKAGE, YOU AGREE TO THE TERMS
OF THIS AGREEMENT. IF YOU ARE ACCESSING THE SOFTWARE
ELECTRONICALLY, INDICATE YOUR ACCEPTANCE OF THESE TERMS BY
SELECTING THE "ACCEPT" BUTTON AT THE END OF THIS AGREEMENT.
IF YOU DO NOT AGREE TO ALL THESE TERMS, PROMPTLY RETURN THE
UNUSED SOFTWARE TO YOUR PLACE OF PURCHASE FOR A REFUND OR,
IF THE SOFTWARE IS ACCESSED ELECTRONICALLY, SELECT THE
"DECLINE" BUTTON AT THE END OF THIS AGREEMENT.
F–8
1.
LICENSE TO USE. Sun grants you a non-exclusive and non-transferable
license for the internal use only of the accompanying software and
documentation and any error corrections provided by Sun (collectively
"Software"), by the number of users and the class of computer hardware for
which the corresponding fee has been paid.
2.
RESTRICTIONS. Software is confidential and copyrighted. Title to Software
and all associated intellectual property rights is retained by Sun and/or its
licensors. Except as specifically authorized in any Supplemental License
Terms, you may not make copies of Software, other than a single copy of
Software for archival purposes. Unless enforcement is prohibited by
applicable law, you may not modify, decompile, or reverse engineer
Software. Licensee acknowledges that Licensed Software is not designed or
intended for use in the design, construction, operation or maintenance of any
nuclear facility. Sun Microsystems, Inc. disclaims any express or implied
warranty of fitness for such uses. No right, title or interest in or to any
trademark, service mark, logo or trade name of Sun or its licensors is granted
under this Agreement.
eTrust Directory Administrator Guide
Sun Microsystems, Inc. Java Web Services Developer Pack
3.
LIMITED WARRANTY. Sun warrants to you that for a period of ninety (90)
days from the date of purchase, as evidenced by a copy of the receipt, the
media on which Software is furnished (if any) will be free of defects in
materials and workmanship under normal use. Except for the foregoing,
Software is provided "AS IS". Your exclusive remedy and Sun's entire
liability under this limited warranty will be at Sun's option to replace
Software media or refund the fee paid for Software.
4.
DISCLAIMER OF WARRANTY. UNLESS SPECIFIED IN THIS
AGREEMENT, ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED
WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE OR NON-INFRINGEMENT ARE DISCLAIMED, EXCEPT TO
THE EXTENT THAT THESE DISCLAIMERS ARE HELD TO BE LEGALLY
INVALID.
5.
LIMITATION OF LIABILITY. TO THE EXTENT NOT PROHIBITED BY
LAW, IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE FOR ANY
LOST REVENUE, PROFIT OR DATA, OR FOR SPECIAL, INDIRECT,
CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER
CAUSED REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT
OF OR RELATED TO THE USE OF OR INABILITY TO USE SOFTWARE,
EVEN IF SUN HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event will Sun's liability to you, whether in contract, tort
(including negligence), or otherwise, exceed the amount paid by you for
Software under this Agreement. The foregoing limitations will apply even if
the above stated warranty fails of its essential purpose.
6.
Termination. This Agreement is effective until terminated. You may
terminate this Agreement at any time by destroying all copies of Software.
This Agreement will terminate immediately without notice from Sun if you
fail to comply with any provision of this Agreement. Upon Termination, you
must destroy all copies of Software.
7.
Export Regulations. All Software and technical data delivered under this
Agreement are subject to US export control laws and may be subject to
export or import regulations in other countries. You agree to comply strictly
with all such laws and regulations and acknowledge that you have the
responsibility to obtain such licenses to export, re-export, or import as may
be required after delivery to you.
8.
U.S. Government Restricted Rights. If Software is being acquired by or on
behalf of the U.S. Government or by a U.S. Government prime contractor or
subcontractor (at any tier), then the Government's rights in Software and
accompanying documentation will be only as set forth in this Agreement;
this is in accordance with 48 CFR 227.7201 through 227.7202-4 (for
Department of Defense (DOD) acquisitions) and with 48 CFR 2.101 and
12.212 (for non-DOD acquisitions).
Licenses for Third-Party Products
F–9
Sun Microsystems, Inc. Java Web Services Developer Pack
9.
Governing Law. Any action related to this Agreement will be governed by
California law and controlling U.S. federal law. No choice of law rules of any
jurisdiction will apply.
10. Severability. If any provision of this Agreement is held to be unenforceable,
this Agreement will remain in effect with the provision omitted, unless
omission would frustrate the intent of the parties, in which case this
Agreement will immediately terminate.
11. Integration. This Agreement is the entire agreement between you and Sun
relating to its subject matter. It supersedes all prior or contemporaneous oral
or written communications, proposals, representations and warranties and
prevails over any conflicting or additional terms of any quote, order,
acknowledgment, or other communication between the parties relating to its
subject matter during the term of this Agreement. No modification of this
Agreement will be binding, unless in writing and signed by an authorized
representative of each party.
JAVATM WEB SERVICES DEVELOPER PACK, VERSION 1.1
SUPPLEMENTAL LICENSE TERMS
These supplemental license terms ("Supplemental Terms") add to or modify the
terms of the Binary Code License Agreement (collectively, the "Agreement").
Capitalized terms not defined in these Supplemental Terms shall have the same
meanings ascribed to them in the Agreement. These Supplemental Terms shall
supersede any inconsistent or conflicting terms in the Agreement, or in any
license contained within the Software.
1.
F–10
Software Internal Use and Development License Grant. Subject to the terms
and conditions of this Agreement, including, but not limited to Section 4
(Java Technology Restrictions) of these Supplemental Terms, Sun grants you
a non-exclusive, non-transferable, limited license to reproduce internally and
use internally the binary form of the Software complete and unmodified for
the purposes of designing, developing, testing, and running your Java
applets and applications intended to run on the Java platform ("Programs"),
except for certain files identified in the Software "Release Notes" file which
may only be used for the purposes of designing, developing, and testing
Programs.
eTrust Directory Administrator Guide
Sun Microsystems, Inc. Java Web Services Developer Pack
2.
License to Distribute Software. Subject to the terms and conditions of this
Agreement, including but not limited to Section 4 (Java Technology
Restrictions) of these Supplemental Terms, Sun grants you a non-exclusive,
non-transferable, limited license to reproduce and distribute the Software in
binary code form only, provided that you (i) distribute the Software
complete and unmodified and only bundled as part of your Programs, (ii) do
not distribute additional software intended to replace any portion of the
Software, (iii) do not remove or alter any proprietary legends or notices
contained in the Software, (iv) only distribute the Software subject to a
license agreement that protects Sun's interests consistent with the terms
contained in this Agreement, (v) agree to defend and indemnify Sun and its
licensors from and against any damages, costs, liabilities, settlement amounts
and/or expenses (including attorneys' fees) incurred in connection with any
claim, lawsuit or action by any third party that arises or results from the use
or distribution of any and all Programs and/or Software, and (vi) include the
following statement as part of product documentation (whether hard copy or
electronic), as a part of a copyright page or proprietary rights notice page, in
an "About" box or in any other form reasonably designed to make the
statement visible to users of the Software: "This product includes code
licensed from RSA Data Security".
3.
License to Distribute Redistributables. Subject to the terms and conditions of
this Agreement, including but not limited to Section 4 (Java Technology
Restrictions) of these Supplemental Terms, Sun grants you a non-exclusive,
non-transferable, limited license to reproduce and distribute those
components specifically identified as redistributable in the Software "Release
Notes" file ("Redistributables") provided that: (i) you distribute the
Redistributables complete and unmodified (unless otherwise specified in the
applicable Release Notes file), and only bundled as part of your Programs,
(ii) you do not distribute additional software intended to supersede any
portion of the Redistributables, (iii) you do not remove or alter any
proprietary legends or notices contained in or on the Redistributables, (iv)
you only distribute the Redistributables pursuant to a license agreement that
protects Sun's interests consistent with the terms contained in the
Agreement, (v) you agree to defend and indemnify Sun and its licensors
from and against any damages, costs, liabilities, settlement amounts and/or
expenses (including attorneys' fees) incurred in connection with any claim,
lawsuit or action by any third party that arises or results from the use or
distribution of any and all Programs and/or Software, and (vi) if you
distribute the Java Secure Socket Extension package, include the following
statement as part of product documentation (whether hard copy or
electronic), as a part of a copyright page or proprietary rights notice page, in
an "About" box or in any other form reasonably designed to make the
statement visible to users of the Software: "This product includes code
licensed from RSA Data Security".
Licenses for Third-Party Products
F–11
Sun Microsystems, Inc. Java Web Services Developer Pack
F–12
4.
Java Technology Restrictions. You may not modify the Java Platform
Interface ("JPI", identified as classes contained within the "java" package or
any subpackages of the "java" package), by creating additional classes within
the JPI or otherwise causing the addition to or modification of the classes in
the JPI. In the event that you create an additional class and associated API(s)
which (i) extends the functionality of the Java platform, and (ii) is exposed to
third party software developers for the purpose of developing additional
software which invokes such additional API, you must promptly publish
broadly an accurate specification for such API for free use by all developers.
You may not create, or authorize your licensees to create, additional classes,
interfaces, or subpackages that are in any way identified as "java", "javax",
"sun" or similar convention as specified by Sun in any naming convention
designation.
5.
Java Runtime Availability. Refer to the appropriate version of the Java
Runtime Environment binary code license (currently located at
http://www.java.sun.com/jdk/index.html) for the availability of runtime
code which may be distributed with Java applets and applications.
6.
Trademarks and Logos. You acknowledge and agree as between you and
Sun that Sun owns the SUN, SOLARIS, JAVA, JINI, FORTE, and iPLANET
trademarks and all SUN, SOLARIS, JAVA, JINI, FORTE, and iPLANETrelated trademarks, service marks, logos and other brand designations ("Sun
Marks"), and you agree to comply with the Sun Trademark and Logo Usage
Requirements currently located at
http://www.sun.com/policies/trademarks. Any use you make of the Sun
Marks inures to Sun's benefit.
7.
Source Code. Software may contain source code that is provided solely for
reference purposes pursuant to the terms of this Agreement. Source code
may not be redistributed unless expressly provided for in this Agreement.
8.
Third Party Licenses. Additional copyright notices and license terms
applicable to portions of the software are set forth in the
THIRDPARTYLICENSEREADME file.
9.
Termination for Infringement. Either party may terminate this Agreement
immediately should any Software become, or in either party's opinion be
likely to become, the subject of a claim of infringement of any intellectual
property right.
eTrust Directory Administrator Guide
Tom Sawyer Layout Assistant
This software is provided "AS IS," without a warranty of any kind. ALL
EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND
WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT, ARE HEREBY EXCLUDED. SUN MICROSYSTEMS, INC.
("SUN") AND ITS LICENSORS SHALL NOT BE LIABLE FOR ANY DAMAGES
SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR
DISTRIBUTING THIS SOFTWARE OR ITS DERIVATIVES. IN NO EVENT WILL
SUN OR ITS LICENSORS BE LIABLE FOR ANY LOST REVENUE, PROFIT OR
DATA, OR FOR DIRECT, INDIRECT, SPECIAL, CONSEQUENTIAL,
INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED AND
REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT OF THE USE
OF OR INABILITY TO USE THIS SOFTWARE, EVEN IF SUN HAS BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
For inquiries please contact: Sun Microsystems, Inc. 4150 Network Circle, Santa
Clara, California 95054.
Tom Sawyer Layout Assistant
END-USER LICENSE AGREEMENT FOR Tom Sawyer Software's Layout
Assistant® SOFTWARE
IMPORTANT—READ CAREFULLY. This Layout Assistant End-User License
Agreement ("EULA") is a legal AGREEMENT between You, the Licensee (either
as a registered individual user or as the registered user/representative on behalf
of a single entity), and Tom Sawyer Software Corporation for the Layout
Assistant software product identified above, which product includes computer
software and the associated documentation ("SOFTWARE PRODUCT"). Unless
You have a different license agreement signed by Tom Sawyer Software
Corporation, your installing, copying, or otherwise using the SOFTWARE
PRODUCT indicates You agree to be bound by all the terms of this EULA. If You
do not agree to the terms of this EULA, then You MUST NOT copy, install, or use
the SOFTWARE PRODUCT.
SOFTWARE PRODUCT LICENSE
The SOFTWARE PRODUCT is protected by copyright laws and international
copyright treaties, as well as other intellectual property laws and treaties. The
SOFTWARE PRODUCT is licensed, not sold.
1) Grant of License
This EULA grants You (the Licensee) the following rights:
Applications Software
Licenses for Third-Party Products
F–13
Tom Sawyer Layout Assistant
Tom Sawyer Software grants You the non-exclusive, non-sublicensable, limited
license to use one copy of the SOFTWARE PRODUCT on a single computer,
subject to the terms and conditions of this EULA. Any individual license for the
SOFTWARE PRODUCT may not be shared or used concurrently or otherwise on
different computers or by different users in a given organization.
In return for our license grant, You hereby irrevocably grant to Tom Sawyer
Software the non-exclusive, worldwide, fully-paid right to publicly disclose the
fact that You are using the SOFTWARE PRODUCT, including but not limited to
the reproduction and distribution of the software 'screen shots' and/or 'box
shots' from your applications for Tom Sawyer Software's advertising and other
promotional purposes.
Storage/Network Use
You may also store or install a copy of the SOFTWARE PRODUCT on a storage
device, such as a network server, used only to install or run the SOFTWARE
PRODUCT on your other computers over an internal network; however, you
must acquire and dedicate a distinct license for each developer using the
SOFTWARE PRODUCT from the storage device. Any given license for the
SOFTWARE PRODUCT may not be shared or used concurrently or otherwise on
different computers or by different developers in a given organization.
License Pack
If You have acquired this EULA in a Tom Sawyer Software Layout Assistant
License Pack, You may install the number of additional copies of the
SOFTWARE PRODUCT identified above on this EULA, and You may use each
copy in the manner specified above.
2) Description of Other Rights and Limitations
F–14
eTrust Directory Administrator Guide
Tom Sawyer Layout Assistant
You acknowledge that the SOFTWARE PRODUCT in source code form remains
a confidential trade secret of Tom Sawyer Software, and therefore You agree not
to reverse-engineer, decompile, or disassemble the SOFTWARE PRODUCT, or
make any attempt to discover the source code to the SOFTWARE PRODUCT,
except and only to the extent that such activity is expressly permitted by
applicable law notwithstanding this limitation. Except as expressly permitted in
this EULA, the SOFTWARE PRODUCT may not be used, copied, translated,
redistributed, retransmitted, published, sold, rented, leased, marketed,
sublicensed, pledged, assigned, disposed of, encumbered, transferred, altered,
modified, or enhanced, whether in whole or in part, nor may You create
derivative works from or based on the SOFTWARE PRODUCT. You may not
remove any proprietary notices, marks, or labels from the SOFTWARE
PRODUCT.
The SOFTWARE PRODUCT is licensed as a single product and its components
may not be separated for use on more than one computer.
Termination
Without prejudice to any of Tom Sawyer Software’s other rights, Tom Sawyer
Software may terminate this EULA if You fail to comply with the terms and
conditions of this EULA. In such event, You must destroy any and all copies of
the SOFTWARE PRODUCT and all of its component parts; to this end You grant
to Tom Sawyer Software the right to, with or without notice, monitor your
Internet accessible activities for the purpose of verifying SOFTWARE PRODUCT
performance and/or your compliance with the terms hereof, including, but not
limited to the remote monitoring and verification of your implementation, use
and duplication of the SOFTWARE PRODUCT.
3) Upgrades
You must currently be properly licensed to use the SOFTWARE PRODUCT in
order to be eligible to purchase an upgrade. A SOFTWARE PRODUCT identified
by Tom Sawyer Software as an upgrade replaces and/or supplements the
product that formed the basis for your eligibility for such upgrade. You may use
the resulting upgraded product only in accordance with the terms of this EULA.
4) Copyright and Trademarks
Licenses for Third-Party Products
F–15
Tom Sawyer Layout Assistant
All title, trademarks, and copyrights in and pertaining to the SOFTWARE
PRODUCT (including but not limited to any images, photographs, animation,
video, audio, music, text, and applets incorporated into the SOFTWARE
PRODUCT) are owned by Tom Sawyer Software Corporation. The SOFTWARE
PRODUCT is protected by copyright and trademark laws and international
treaty provisions. The SOFTWARE PRODUCT is licensed, not sold. There is no
transfer to You of any title or ownership of the SOFTWARE PRODUCT and the
license granted under this EULA should not be construed as a sale of any right in
the SOFTWARE PRODUCT. You must treat the SOFTWARE PRODUCT like any
other copyrighted materials for archival purposes.
You may not remove, modify or alter any Tom Sawyer Software copyright or
trademark notice from any part of the SOFTWARE PRODUCT, including but not
limited to any such notices contained in the electronic media or documentation,
in the Layout Assistant Setup Wizard dialogue or 'about' boxes, in any of the
runtime resources, and/or in any web-presence or web-enabled notices, code, or
other embodiments originally contained in or dynamically or otherwise created
by the SOFTWARE PRODUCT.
5) Dual-Media Software
You may receive the SOFTWARE PRODUCT in more than one medium.
Regardless of the type or size of the medium You receive, You may use only that
one medium that is appropriate for your single computer. You may not use or
install the other medium on another computer, including but not limited to
portable computers under the exclusive control of the registered developer. You
may not loan, rent, lease, or otherwise transfer the other medium to another user.
6) U.S. Government Restricted Rights
The SOFTWARE PRODUCT and documentation are provided with
RESTRICTED RIGHTS. Use, duplication, or disclosure by the U.S. Government is
subject to restrictions as set forth in subparagraph C(1)(ii) of the subparagraphs
(c) (1) and (2) of the Commercial Computer Software Restricted Rights at 48 CFR
52.227-19, as applicable. Manufacturer is: Tom Sawyer Software Corporation,
1625 Clay Street, Sixth Floor, Oakland, CA 94612, USA (or by FAX +1 510 208
4371, e-mail to [email protected]).
7) Miscellaneous
F–16
eTrust Directory Administrator Guide
Tom Sawyer Layout Assistant
If You acquired or use this SOFTWARE PRODUCT in the United States, this
EULA is governed by the laws of the State of California. If this SOFTWARE
PRODUCT was acquired and is used exclusively outside of the United States, the
local law may also apply. Should You have any questions concerning this EULA,
or if You desire to contact Tom Sawyer Software for any reason, please write:
Tom Sawyer Software Corporation, 1625 Clay Street, Sixth Floor, Oakland, CA
94612, USA (or by FAX +1 510 208 4371, e-mail to [email protected]).
8) Limited Warranty
Limited Warranty Tom Sawyer Software warrants that for a period of thirty (30)
days from the date of your original purchase ("warranty period") as evidenced
by your receipt or other proof of purchase, the SOFTWARE PRODUCT, unless
modified or otherwise altered by You, will perform substantially in accordance
with the accompanying written materials.
Tom Sawyer Software does not warrant that the SOFTWARE PRODUCT will
meet your requirements or use of the SOFTWARE PRODUCT will be
uninterrupted or error-free. Tom Sawyer Software is not responsible for
problems caused by changes in the operating characteristics of computer
hardware or computer operating systems which are made after the release of the
SOFTWARE PRODUCT, nor for problems in the interactions of the SOFTWARE
PRODUCT with non-Tom Sawyer Software products.
Some jurisdictions do not allow limitations on duration of an implied warranty,
so the above limitation may not apply to You. To the extent implied warranties
may not be entirely disclaimed but implied warranty limitations are allowed by
applicable law, implied warranties on the SOFTWARE PRODUCT, if any, are
limited to thirty (30) days.
THE ABOVE WARRANTIES ARE EXCLUSIVE. TO THE MAXIMUM EXTENT
PERMITTED BY APPLICABLE LAW, TOM SAWYER SOFTWARE DISCLAIMS
ALL OTHER WARRANTIES AND CONDITIONS, EITHER EXPRESS OR
IMPLIED, INCLUDING, WITHOUT LIMITATION, IMPLIED WARRANTIES OF
MERCHANTABILITY, FITNESS FOR PARTICULAR PURPOSE, TITLE, AND
NON-INFRINGEMENT, AND THOSE ARISING OUT OF USAGE OF TRADE
OR COURSE OF DEALING, CONCERNING THE SOFTWARE PRODUCT. NO
ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY TOM SAWYER
SOFTWARE OR ITS EMPLOYEES SHALL INCREASE THE SCOPE OF THE
ABOVE WARRANTIES OR CREATE ANY OTHER WARRANTIES.
Customer Remedies
Licenses for Third-Party Products
F–17
Tom Sawyer Layout Assistant
Tom Sawyer Software's entire liability, and your exclusive remedy, shall be, at
Tom Sawyer Software's option, either (a) repair or replacement of the
SOFTWARE PRODUCT that does not meet Tom Sawyer Software's Limited
Warranty, or (b) return of the price paid, if any, and termination of this EULA.
This remedy is subject to delivery to Tom Sawyer Software of a Tom Sawyer
Software-approved "Affidavit of Destruction" together with proof of purchase
within the Warranty Period. This Limited Warranty is void if failure of the
SOFTWARE PRODUCT has resulted from accident, abuse or misapplication.
Any replacement SOFTWARE PRODUCT will be warranted for the remainder of
the original warranty period or fifteen (15) days, whichever is longer.
9) Limitation of liability for damages
REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS IN
ITS ESSENTIAL PURPOSE, TO THE MAXIMUM EXTENT PERMITTED BY THE
APPLICABLE LAW, IN NO EVENT SHALL TOM SAWYER SOFTWARE BE
LIABLE FOR ANY DAMAGES WHATSOEVER (INCLUDING, WITHOUT
LIMITATION, CONSEQUENTIAL, INCIDENTAL, INDIRECT, SPECIAL,
ECONOMIC, PUNITIVE, OR SIMILAR DAMAGES, OR DAMAGES FOR LOSS
OF BUSINESS PROFITS, LOSS OF GOODWILL, BUSINESS INTERRUPTION,
COMPUTER FAILURE OR MALFUNCTION, LOSS OF BUSINESS
INFORMATION, OR ANY AND ALL OTHER COMMERCIAL OR PECUNIARY
DAMAGES OR LOSSES) ARISING OUT OF THE USE OF OR INABILITY TO
USE THE SOFTWARE PRODUCT, HOWEVER CAUSED AND ON ANY LEGAL
THEORY OF LIABILITY (WHETHER IN TORT, CONTRACT, OR OTHERWISE),
EVEN IF TOM SAWYER SOFTWARE HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES, OR ANY CLAIM BY ANY OTHER PARTY.
YOU ACKNOWLEDGE THAT THE LICENSE FEE REFLECTS THIS
ALLOCATION OF RISK.
In any event, if any statute implies warranties or conditions not stated in this
EULA, Tom Sawyer Software's entire liability under any provision of this EULA
shall be limited to the greater of the amount actually paid by You to license the
SOFTWARE PRODUCT or Five United States Dollars (US$5.00). Because some
jurisdictions do not allow the exclusion or limitation of liability for consequential
or incidental damages, the above limitation may not apply to You.
F–18
eTrust Directory Administrator Guide
Index
defining, 6-42
privileges, 6-47
.
administrator, 6-12
defining, 6-42
.dxc file type, 2-4, 2-6, 3-1, 4-6, 5-8, 5-13, 5-14, 6-33
Advantage Ingres errors, C-17
.dxg file type, 2-4, 2-6, 4-2, 5-8, 5-13, 5-14, 6-33
.dxi file type, 2-4, 2-5, 4-2, 5-8, 5-13, 5-14
agreement, 7-20
get, 7-20
set, 7-20
.dxs file type, 2-4
alarm-log file, 3-8
alarms, 3-5
multiwrite queues, 7-12
A
alert-log file, 3-8
abandon
all operations, 3-24
operation, 3-24
abort associations, 3-18
abstract object classes, 4-14
access control permissions, 6-49
alias
access controls, 6-56
dangling aliases, C-16
entry, 4-19
errors, C-16
integrity, 3-27, C-16
invalid, 3-27
name binding, 4-19
access controls, 3-23
aliases, 6-56
dynamic, 6-50
policy, 6-33, 6-34
role-based, 6-53
roles, 6-53
routing, 6-57
rule hierarchies, 6-37
rules, 6-37
secure proxy, 6-55
static, 6-37
allow-check-password trust flag, 3-53
access subdirectory, 2-2
application program interface. See API
accounts
suspending, 6-30
arguments
DXtools, 10-36
add
assoc
commands, 3-13
configuration, 3-15
database user, 10-14
administrative user
allow-downgrading trust flag, 3-53
allow-upgrading trust flag, 3-53
alt-name, 8-3
anonymous bind, 6-11
Apache Tomcat license agreement, F-1
API (application program interface)
UDDI, 14-3
Index–1
associations
aborting, 3-18
configuration, 5-7
limiting, 3-18
maximum times, 3-17
queues, 3-19
rejection, 3-18
tracing, 3-16
users, 3-16
viewing, 3-16
asynchronous
multiwrite, 7-6
attributes
changing schema, 4-12
checking, 4-7
indexing, 3-30
inherited rules, 4-7
invalid, 4-7
locally customized, 8-3
multiple, 4-18
read-only, 4-5, B-9
sets, 4-8
single-valued, 4-5
syntax, 4-2, 4-6
auditing
monitoring, 9-2
authentication
conveying, 6-19, 6-20
DISP, 6-16, 6-18
distributed user, 6-15
DSP, 5-6, 6-16, 6-18
DSP link, 6-21
setting levels, 6-11
SSL, 6-13
strong, 6-21
user, 6-13
auxiliary object classes, 4-15
anonymous, 6-11
control, 3-17
DSP requests, 6-16
maximum time, 3-17
names, 4-18
with credentials, 5-6
bookmarks, 11-13
bulk loading, 16-8
C
cache-only mode, 3-38
configuring, 3-38
example, 3-39
caches, 3-32
cache-only mode, 3-38
configuring, 3-33
enabling, 3-33
example configuration, 3-36
indexing, 3-34, 3-35
load all attributes, 3-36
maximum size, 3-35
reverse-indexing, 3-36
settings, 3-34
synchronizing with database, 3-37
viewing configuration, 3-37
caching subordinate entries, 5-16
certificates, 6-5
generating, 10-21
generation, 6-5
reporting, 10-21
certification
language, 13-5, 14-6
cert-log file, 3-9
change control, 16-8
B
changes in LDIF files, 10-33
changing schema, 4-12
backup a database, 10-7
base-object searches, 3-33
billing
monitoring, 9-2
bin directory, 2-2
bind
Index–2
eTrust Directory Administrator Guide
characters
non-English, 13-5, 14-6
ciphers, 6-9
clear
dsas, 5-5
indexes, 3-30
CLI, 2-14
client encryption, 6-10
close logtype, 3-11
closing the management console, 2-15
CMIP (Common Management Information Protocol),
1-2, 3-22, 9-1
agent, 9-8
monitoring utility, 9-9
X.700 management, 9-8
cmip-psap, 9-8
collective attributes, 3-40
command-line
interface, 2-14
options, 2-9
commands
assoc, 3-13
controlling output, 3-8
DSP, 5-2
DXserver, 2-11
grouping by function, 2-11
help, 2-20
logs, 3-11
oper, 3-20
shortcuts, 2-21
syntax, 2-12
trace, 3-5, 3-6
commands, access control
set access-controls, 3-23
set protected-items, 6-36
set super-user, 6-41
ssld, 6-6
commands, associations
abort, 3-18
get assoc, 3-15
get users, 3-16, 3-17, 3-18, 3-24, 9-2
set allow-binds, 3-17
set authentication, 3-17
set credits, 3-19
set max-bind-time, 3-17
set max-users, 3-18
set min-auth, 6-11
set user-idle time, 3-18
commands, CMIP
cmip-psap, 9-8
dxcmip, 9-9
commands, DAP tools
common argument, 10-36
DXdelete, 10-42
DXmodify, 10-39
DXrename, 10-41
DXsearch, 10-37
commands, DB tools
DXadduser, 10-14
DXbackupdb, 10-7
DXdeluser, 10-15
DXdestroydb, 10-6
DXdumpdb, 10-18
DXemptydb, 10-6
DXextenddb, 10-5
DXgrantdb, 10-19
DXindexdb, 10-10
DXlistdb, 10-14
DXloaddb, 10-16
DXnewdb, 10-5
DXnewdsa, 10-4
DXrestoredb, 10-8
DXstatdb, 10-13
DXtunedb, 10-9
DXupgradedb, 10-20
commands, DIB
clear indexes, 3-30
get dib, 3-26
set alias-integrity, 3-27
set database-name, 2-23, 3-26
set eis-count-attr, 3-28
set index wide, 3-30
set index-reverse, 3-30
set not-searchable, 3-30
commands, DISP
disp update, 7-23
get agreement, 7-20
set agreement, 7-20, 7-21
commands, DSAs
set always-chain-down, 5-9
set dsa, 3-1, 5-8, 5-10, 5-11, 5-12, 6-6, 7-23, 8-9
set precedence, 5-19
shutdown, 3-16
commands, DSP
clear dsas, 5-3, 5-5
get dsp, 5-7
get online dsas, 5-7
get online-dsas, 5-5, 9-2
set multi-casting, 5-6
unbind, 5-3
commands, LDIF tools
csv2ldif, 10-30
ldifdelta, 10-33
Index–3
commands, local operations
get oper, 3-22
get stats, 3-22, 9-2
reset stats, 3-22
set max op-size, 3-23
set max-local-ops, 3-23
set max-op-size, 3-24
set max-op-time, 3-24, 3-27
commands, logs
close logtype, 3-11
echo, 3-12
echo-off, 3-12
echo-on, 3-12
flush logtype, 3-11
get log, 3-11
set logtype, 3-11
set summary-log, 3-12
commands, multiwrite
set multi-write-queue, 7-11
commands, schema, 4-3
get schema, 4-4
set attribute, 4-4, 4-5, 4-8
set attr-set, 4-8
set name-binding, 4-18
set object-class, 4-14
set oid-prefix, 4-4
commands, SCHEMA tools
DXschemaldif, 10-44
DXschematxt, 10-49
ldif2dxc, 10-45
commands, SNMP
snmp-port, 9-5
operations, 3-22
server, 2-2
configuration files, 1-3
grouping, 2-6
grouping commands, 2-11
configuring
another DXserver, 5-8
DSP relay, 5-15
first level DSA, 5-14
management console, 2-16
multiple local DSAs, 5-12, 5-14
third-party DSAs, 5-4, 5-6, 5-10, 5-11
connect times, 3-16
connection
address, 3-17
information, 3-16
remote, 5-4, 5-5, 5-16
time, 3-17
UDDI server, to, 14-5
connect-log file, 3-9
control
binds, 3-17
operations, 3-23, 3-24
controlling
operations, 3-23
output, 3-8
CPUs, multiple, 5-12
creating a database, 10-5
credentials, definition, 6-11
commands, traces
set trace, 3-6, 3-16
trace disable assoc, 3-16
trace enable assoc, 3-16
credits, 3-19
comments in script files, 2-13
csv2ldif, 10-27, 10-30
Common Management Information Protocol. See
CMIP
communication settings, view, 3-4
crypt password format, 3-29
CSV data, 10-27
D
complex queries, 5-24
dangling alias, C-16
config directory, 2-2
DAP (Directory Access Protocol), 1-2
configuration
DIB, 3-26
DSP, 5-2
file errors, 2-13
file type, 2-4, 2-6, 3-1, 4-6, 5-8, 5-13, 5-14, 6-33
database
add user, 10-14
backup, 10-7
backups, 16-7
Index–4
eTrust Directory Administrator Guide
creation, 10-5
data removal, 10-6
delete user, 10-15
destruction, 10-6
hot swap, 2-23
initializing, 2-22
integrity, 4-2, C-17
listing, 10-14
massive, 5-12
monitoring, 9-3
multiple directory, 2-23
name, 3-26
restore, 10-8
statistics, 10-13
tailoring, A-1
tuning, 10-9
database subdirectory, 2-3
debugging, 2-13
default port numbers, 2-24
defining
local data types, 4-20, 8-4
local schema, 4-20, 8-4
users, 6-12
delete
database user, 10-15
directory entries, 10-42
Democorp sample DSA
port number, 2-25
destroying a database, 10-6
DIB (Directory Information Base), 1-3, 3-25
manage, 3-25
directory
delete entries, 10-42
Information Shadowing Protocol (DISP), 7-20
knowledge, 3-1
modify, 10-39
rename, 10-41
samples, 1-4, 1-5, 15-13
search, 10-37
Directory Access Protocol. See DAP
Directory System Protocol. See DSP
Directory User Agent (DUA), 1-4
disk space
monitoring, 9-3
DISP (Directory Information Shadowing Protocol), 1-2
authentication, 6-16
responder, 7-20
update, 7-23
display database statistics, 10-13
distinguished name, 5-8
relative, 5-14
DIT (Directory Information Tree), 5-4
definition, 5-8
prefix, 5-4
relay DSA, 5-16
DSA
caching entries, 5-16
defining, 3-1
first level, 5-14
load-sharing, 5-20, 5-24
local, 5-8, 5-10
multiple local, 5-12, 5-14
proxy, 5-9
relay, 5-16
shadow, 7-23
stopping, 3-16
third-party, 5-4, 5-6, 5-10, 5-11
trust flags, 3-48
DSA flags, 3-25, 3-52, 5-16, 7-23
limit-list, 3-28
limit-search, 3-29
DSA processes, multiple, 2-22
dsa, ssld-port, 6-6
dsaEntriesTable, 9-4
dsaIntTable, 9-4
dsaOpsTable, 9-4
dsp
clear dsas, 5-2, 5-3
get, 5-2
set, 5-2
unbind, 5-2
unbind, 5-3
directory browser
JXplorer, 11-1
JXweb, 13-1
directory entries, counting, 3-28
Directory Information Base. See DIB
Directory Information Shadowing Protocol. See DISP
DSP
authentication, 6-18
DSP (Directory System Protocol), 1-2
Index–5
authentication, 5-6, 6-16, 6-18
bind request, 6-16
commands, 5-2
configuration, 5-2, 5-7
credentials, 5-6
incoming credentials, 5-6
monitoring connections, 5-7
multiprocessing, 5-12
outgoing connections, 5-5
outgoing credentials, 5-6
relay, 5-15
dsp-ldap link flag, 3-54
dsp-ldap-proxy link flag, 3-54
dsp-ldapv2 link flag, 3-54
DUA, 1-4
dump, 10-1
DXadduser, 10-14
DXadmind
port number, 2-24
DXbackup, 16-7
DXbackupdb, 10-7
DXcache, 3-32
cache-only mode, 3-38
configuring, 3-33
enabling, 3-33
example configuration, 3-36
indexing, 3-34, 3-35
load all attributes, 3-36
maximum size, 3-35
reverse-indexing, 3-36
settings, 3-34
synchronizing, 3-37
viewing configuration, 3-37
DXcertgen, 10-21
dxcmip, 9-9
DXconsole, 2-14, 9-2
DXdelete, 10-42
DXdeluser, 10-15
DXdestroydb, 10-6
DXdisp, 10-20
DXdumpdb, 10-18
DXemptydb, 10-6
Index–6
eTrust Directory Administrator Guide
DXextenddb, 10-5
DXgrantdb, 10-19
DXI configuration file, 3-32
DXindexdb, 10-10
DXlistdb, 10-14
DXloaddb, 10-16
DXmodify, 10-39
DXnewdb, 10-5
DXnewdsa, 10-4
DXrename, 10-41
DXrestoredb, 10-8
DXschemaldif tool, 10-44
DXschematxt tool, 10-49
DXsearch, 10-37
DXserver, 1-2
alarms, C-7
commands, 2-11
configuring SSL, 6-6
logs, C-2
version, 2-10
warning messages, C-13
dxsnmp, 9-6
DXstatdb, 9-3, 10-13
DXsyntax tool, 10-50
DXtools, 1-3, 7-26
csv2ldif, 10-30
DXadduser, 10-14
DXbackupdb, 10-7
DXcertgen, 10-21
DXdelete, 10-42
DXdeluser, 10-15
DXdestroydb, 10-6
DXdisp, 10-20
DXdumpdb, 10-18
DXemptydb, 10-6
DXextenddb, 10-5
DXgrantdb, 10-19
DXindexdb, 10-10
DXlistdb, 10-14
DXloaddb, 10-16
DXmodify, 10-39
DXnewdb, 10-5
DXnewdsa, 10-4
DXrename, 10-41
DXrestoredb, 10-8
DXschemaldif, 10-44
DXschematxt, 10-49
DXsearch, 10-37
DXstatdb, 10-13
DXtunedb, 10-9
DXupgradedb, 10-20
ldif2dxc, 10-45
ldifdelta, 10-33
DXtunedb, 10-9, 16-8
DXupgradedb, 10-20
DXweb server, 1-5
F
failover
multiwrite, 7-9
file descriptors, 3-18, 16-10
file extensions
dxc, 2-4, 2-6, 3-1, 4-6, 5-8, 5-13, 5-14, 6-33
dxg, 2-4, 2-6, 4-2, 5-8, 5-13, 5-14, 6-33
dxi, 2-4, 2-5, 4-2, 5-8, 5-13, 5-14
dxs, 2-4
files
configuration, 1-3
launch, 11-22
types, 2-4
DXwebserver
port number, 2-24
dynamic access controls, 6-50
dynamic groups, 3-40
firewall, 5-9
alternative network addresses, 5-10
flush logtype, 3-11
forward requests, 5-15
E
echo command, 3-12
embedded installation
on Windows, D-17
emptying a database, 10-6
encryption
client, 6-10
DSA to DSA, 6-10
error logs, C-1
error messages
search overflow, 3-31
G
generating certificates, 10-21
get
assoc, 3-15
dib, 3-25, 3-26
dsp, 5-3, 5-7
log, 3-11
online-dsas, 5-5, 5-7, 9-2
oper, 3-22
operations, 3-21
schema, 4-3, 4-4
stats, 3-22, 9-2
users, 3-16, 3-17, 3-18, 3-24, 9-2
errors
configuration file, 2-13
ldif2dxc tool, 10-46
script file, 2-13
statistics, 3-22
group
configuration files, 2-6
file type, 2-4, 2-6, 4-2, 5-8, 5-13, 5-14, 6-33
event logs, C-1
group membership, 3-40
events, 3-22
groups
dynamic, 3-40
hybrid, 3-41
static, 3-40
export, 10-1
guard, 5-9, 7-23
Index–7
H
invalid
aliases, 3-27
attribute, 4-7
help command, 2-20
ISO 9594-10, 9-8
history files, 3-12
hot swap, 2-23
hybrid
groups, 3-41
I
IA5 string, 4-7
idle times, 3-16
maximum, 3-18
IETF, 4-1
impersonation protection, 6-22
import, 10-1
import data, 3-23
increased user counts, 2-22
indexing
commands, 3-30
for caches, 3-35
options, 3-30
reverse, 3-36
wide indexes, 3-31
initialization
file, 2-5
file type, 2-4, 2-5, 4-2, 5-8, 5-13, 5-14
server, 2-9
initializing multiwrite–DISP recovery, 10-20
J
JXplorer, 11-1
add audio file, 11-22
add entry, 11-23
add photo, 11-21
binary values, 11-20
browse, 11-7
button bar, 11-5
connect, 11-7
display enries, 11-9
edit the directory, 11-16
file launch, 11-22
LDIF files, 11-25
managing certificates, 11-28
menu bar, 11-3
modify attributes, 11-18
navigate, 11-8
quick search bar, 11-6
refresh entries, 11-11
search, 11-11
SSL and SASL, 11-27
submit entry, 11-24
templates, 11-9
JXweb
connect to a directory, 13-3
display directory information, 13-4
K
initiator, 7-21
install directory, 2-3
Installation
logging on Windows, D-3, E-3
installation code, D-17, E-24
knowledge, 3-1, 6-5
directory, 2-3, 3-1
references, 5-3
knowledge flags, 3-48
installing eTrust Directory
for Windows, D-1, E-1
L
installing silently
on Windows, D-14
language certification, 13-5, 14-6
installing the sample tools
on Windows, D-9, E-17
Index–8
eTrust Directory Administrator Guide
LDAP (Lightweight Directory Access Protocol), 1-2
managing, 8-3
names, 4-5, 4-8
servers, 8-9
LDAP attributes
changing, 4-12
LDAP port number, 8-2
ldap-dsa-name, 8-7
ldap-dsa-password, 8-7
LDIF
format, 10-29
tools, 10-27
LDIF file
calculating changes, 10-33
sort, 10-31
template file, 10-28
ldif2dxc tool, 10-45
error handling, 10-46
OID maps, 10-47
schema.txt file update, 10-47
ldifdelta, 10-33
ldifsort, 10-31
LDT file, 10-28
LDUA, 1-4
license agreement
Apache Tomcat, F-1
OpenLDAP, F-4
OpenSSL, F-6
SUN Java Web Services, F-8
load sharing, 2-22, 5-12
DSA, 5-20, 5-24
load-share DSA flag, 3-52
local
attributes, 4-20, 8-4
data type definition, 4-20, 8-4
DSAs, 5-8, 5-10
schema, 4-20, 8-4
local operations, 3-20
locking a password, 6-30
log files
alarm-log, 3-8
alert-log, 3-8
cert-log, 3-9
closing, 3-11
commands, 3-11
connect-log, 3-9
flush, 3-11
monitoring, 9-2
opening, 3-11
query-log, 3-9
stats-log, 3-9
summary, 3-12
summary-log, 3-10
trace-log, 3-10
types, 3-8
update-log, 3-10
viewing, 3-11
Logging
installation on Windows, D-3, E-3
logging subdirectory, 2-3
Lightweight Directory Access Protocol. See LDAP
login entries, 6-48
limiting associations, 3-18
logs directory, 2-3
limiting searches to simple only, 3-29
limit-list DSA flag, 3-52
limits subdirectory, 2-3
limit-search DSA flag, 3-52
link flags, 3-54
list
existing databases, 10-14
listen address for LDAP requests, 8-2
listen address for SNMP requests, 9-5
listening address, 2-22, 3-4, 7-20, 8-2
M
management console, 2-14, 2-16
closing, 2-15
configuration, 2-16
opening, 2-14
Management Information Base. See MIB
managing
large numbers of entries, 16-11
large numbers of users, 16-10
LDAP, 8-3
Index–9
telnet configuration, 2-16
multiwrite status, 7-12
mapping, prefixes, 8-9
multi-write-async DSA flag, 3-52
matching rules, 4-6
multiwrite–DISP recovery, 10-20
may-contain, 4-14
multi-write-disp-queue DSA flag, 3-52
md5 password format, 3-29
multi-write-notify DSA flag, 3-52
members of groups, 3-40
must-contain, 4-14
memory
maximum size of cache, 3-35
merge, 10-1
MIB (Management Information Base), 3-22, 9-4
MIB walker, 9-6
migration path, 10-1
modify
directory, 10-39
monitoring
active users, 3-17
CMIP, 9-9
databases, 9-3
disk space, 9-3
DSP, 5-7
dxconsole, 9-2
log files, 9-2
ms-ad DSA flag, 3-52
ms-ad link-flag, 3-54
ms-exchange link-flag, 3-54
multicasting, 5-6, 5-13
multiple
DSA processes, 2-22
multiwrite
asynchronous, 7-6
enabling, 7-9
retry interval, 7-10
multi-write DSA flag, 3-52
multiwrite failover, 7-9
multiwrite groups, 7-7
setting up, 5-23, 7-9
multiwrite queues
alarms, 7-12
size, 7-11
multiwrite replication, 7-5
Index–10
eTrust Directory Administrator Guide
N
name, 8-3
name binding, 4-18
aliases, 4-19
checks, 4-18
considerations, 4-19
rules, 4-18
structural object classes, 4-19
native-prefix, 8-9
no compatible link type, 6-21
non-English characters, 13-5, 14-6
no-routing-ac DSA flag, 3-52
North American Directory Forum, 4-1
no-server-credentials trust flag, 3-53
nsap, 3-3
O
object class, 4-14
checking, 4-15, 4-16
kinds, 4-14
abstract, 4-14
auxiliary, 4-15
structural, 4-15
pruning, 4-17
replacing, 4-17
object identifier (OID), 4-4
oem-encrypt password format, 3-29
oem-hash password format, 3-29
OID prefix, 4-4
one-level searches, 5-16
opening the managment console, 2-14
pid directory, 2-3
OpenLDAP license agreement, F-4
port numbers, 2-24
LDAP, 8-2
setting with set dsa command, 3-4
OpenSSL license agreement, F-6
oper commands, 3-20
operations, 3-22
abandon, 3-24
configuration, 3-22
control, 3-23, 3-24
controlling, 3-23
remote, 5-17
statistics, 3-22
output, controlling, 3-8
preferredDelivery, 4-6
prefix
mapping, 8-9
schema, 4-4, 4-5
presentationAddress, 4-6
printable character, 4-7
privileges, 6-47
protected item, 6-42, 6-44
defining, 6-47
P
protocol tracing, 3-7
prototyping, 10-1
parallel processing, 5-12
parameters
get assoc command, 3-15
get dib command, 3-25
get dsp command, 5-3
get operations command, 3-21
get schema command, 4-3
oper command, 3-21
resetting SSLD, 6-8
set assoc command, 3-13, 7-21
set dib command, 3-25
set dsa command, 3-3
set dsp command, 5-2
set operations command, 3-20
set schema command, 4-3
password, 3-23
attribute, 6-12
expiry, 6-28
protection, 6-24, 6-48
reset, 6-24
passwords
locking, 6-30
storage formats, 3-29
performance, 5-12, 10-9
degradation, 6-35
tuning, 16-8
permissions, 6-37, 6-49
personality, 6-5
certificate generation, 6-5
proxy
DSAs, 5-9
secure, 6-55
public users, defining, 6-46
Q
query streaming, 5-24
query-log file, 3-9
R
RAM
maximum size of cache, 3-35
RDBMS
tools, 1-5
read
privileges, 6-44
unrestricted, 6-41
read-only access, 6-46
read-only attributes, 4-5, B-9
read-only DSA flag, 3-52
recovery
multiwrite–DISP, 10-20
Index–11
references, 5-3
referrals, 5-9
registered users, 6-44
relative distinguished name, 5-14
relay, 7-21
DSA, 5-16
DSP, 5-15
relay DSA flag, 3-52
reload, 10-1
remote connections, 5-4, 5-5, 5-16
remote operations, 5-17
rename a directory, 10-41
replication
clock synchronization, 7-4
directory, 2-3
multiwrite, 7-5
using DXtools, 7-26
defining local, 4-20
definition, 4-1
directory, 2-3
local, 4-20, 8-4
management, 4-3
prefixes, 4-4, 4-5
published, 4-20
validation, 4-2
viewing, 4-4
SCHEMA tools, 10-43
DXschemaldif, 10-44
DXschematxt, 10-49
ldif2dxc, 10-45
script file
description, 2-13
errors, 2-13
type, 2-4
reset stats, 3-22
search
a directory, 10-37
complex, 11-11
indexes, 3-30
quick, 11-11
return attribute lists, 11-12
templates, 11-12
resetting SSLD parameters, 6-8
search overflow error message, 3-31
resetting statistics, 3-22
searches
limiting to simple only, 3-29
simple, 5-25
repository, UDDI, 14-1
responder, 7-21
restore a database, 10-8
retry interval for multiwrite, 7-10
searching
base-object, 3-33
return attribute lists, 11-12
secure proxy, 6-55
reverse-indexing, 3-36
Secure Socket Layer, 6-2
RFC1567, 9-4
security, 5-12
roles, access controls, 6-53
security level, 3-23, 3-24, 3-28
Router sample DSA
port number, 2-25
server
configuration, 2-2
DXweb, 1-5
initialization, 2-9
UDDI, 14-3
rules, 6-34
components, 6-37
servers subdirectory, 2-3
S
service
errors, C-17
samples directory, 1-4, 1-5, 2-3, 15-13
schema
commands, 4-3
Index–12
eTrust Directory Administrator Guide
service error
administration limit exceeded, 3-24
operation abandoned, 3-24
set
name-binding, 4-18
object-class, 4-14
oid-prefix, 4-4
schema, 4-3
set commands
assoc, 3-13, 7-21
dib, 3-25
dsp, 5-2
operations, 3-20
set commands, access control
access-controls, 3-23
protected-items, 6-36
super-user, 6-41
set commands, traces
trace, 3-6
settings subdirectory, 2-3
sha-1 password format, 3-29
shadow DSA flag, 3-52
shadow DSAs, 7-23
set commands, associations
allow-binds, 3-17
authentication, 3-17
credits, 3-19
max-bind-time, 3-17
max-users, 3-18
min-auth, 6-11
user-idle-time, 3-18
shortcuts for commands, 2-21
set commands, DIB
alias-integrity, 3-27
database-name, 2-22, 2-23, 3-26
eis-count-attr, 3-28
index-reverse, 3-30
index-wide, 3-30
not-searchable, 3-30
simple searches, 5-25
set commands, DISP
agreement, 7-21
set commands, DSAs
always-chain-down, 5-9
dsa, 3-1, 5-8, 5-10, 5-11, 5-12, 6-6, 7-23, 8-9
precedence, 5-19
set commands, DSP
multi-casting, 5-6
set commands, local operations
max-local-ops, 3-23
max-op-size, 3-23, 3-24
max-op-time, 3-24, 3-27
set commands, logs
logtype, 3-11
summary-log, 3-12
set commands, mutliwrite
multi-write-queue, 7-11
set commands, schema
attribute, 4-5
attribute, 4-4, 4-8
attr-set, 4-8
shutdown command, 3-16
silent installation
on Windows, D-14
Simple Network Management Protocol. See SNMP
simple queries, 5-24
single-valued attributes, 4-5
SNMP (Simple Network Management Protocol), 1-2,
3-22, 9-1
MIB walker, 9-6
SNMP monitoring
port number, 2-25
SNMP port number, 9-5
snmp-port, 9-5
sort an LDIF file, 10-31
ssha-1 password format, 3-29
SSL
authentication, 6-13
configuring DXserver, 6-6
connections, 6-4
daemon, 6-3
enabling, 6-2
SSL/TLS connections
ciphers, 6-9
SSLD, 6-3
configuring, 6-6
port number, 2-24
SSLD example
ciphers for SSL/TLS connections, 6-9
four threads, 6-9
SSLD parameters
Index–13
resetting, 6-8
tModels, 14-5
ssl-encryption link-flag, 3-54
Tomcat port number, 2-24
ssl-encryption-remote link-flag, 3-54
tools
csv2ldif, 10-30
DXadduser, 10-14
DXbackupdb, 10-7
DXcertgen, 10-21
DXdelete, 10-42
DXdeluser, 10-15
DXdestroydb, 10-6
DXdisp, 10-20
DXdumpdb, 10-18
DXemptydb, 10-6
DXextenddb, 10-5
DXgrantdb, 10-19
DXindexdb, 10-10
DXlistdb, 10-14
DXloaddb, 10-16
DXmodify, 10-39
DXnewdb, 10-5
DXnewdsa, 10-4
DXrename, 10-41
DXrestoredb, 10-8
DXschemaldif, 10-44
DXschematxt, 10-49
DXsearch, 10-37
DXstatdb, 10-13
DXtunedb, 10-9
DXupgradedb, 10-20
ldif2dxc, 10-45
ldifdelta, 10-33
RDBMS, 1-5
static access controls, 6-37
static groups, 3-40
statistics
monitoring, 9-2
resetting, 3-22
traced, 3-7
viewing, 3-22
stats-log file, 3-9
statuses
multiwrite, 7-12
stopping DSAs, 3-16
strategy, 7-21, 7-22
string labels, 8-3
strong authentication, 6-21
structural object classes, 4-15
summary-log file, 3-10
SUN Java Web Services license agreement, F-8
superuser
password, 6-12
privileges, 6-47
suspend a user’s account, 6-30
synchronization, replication, 7-4
syntax
attribute, 4-2, 4-6
commands, 2-12
undefined, 4-6
trace
command, 3-5, 3-6
protocol, 3-7
statistics, 3-7
trace-log file, 3-10
tracing, 3-5
associations, 3-16
T
transparent routing, 5-15
telephoneNumber, 4-6
trust flags, 3-53
teletexTerminalId, 4-6
trust subdirectory, 2-3
telexNumber, 4-6
trust-conveyed-originator trust flag, 3-53
telnet, 9-1
tuning a database, 10-9
template file, 10-28
timeouts, 3-22
Index–14
eTrust Directory Administrator Guide
U
monitoring, 3-17
name, 3-17
number of, 3-17
public, 6-46
registered, 6-44
superusers, 6-12, 6-41
UDDI (Universal Description, Discovery and
Integration), 14-1
API, 14-3
UDDI Client, 14-4
UDDI registries, 14-1
tModels, 14-5
UDDI Server, 14-3
UDDI servers, 14-3
connecting to, 14-5
V
version, 2-10
Universal Description, Discovery and Integration. See
UDDI
viewing
assoc configuration, 3-15
associations, 3-16
communication settings, 3-4
DIB configuration, 3-26
DSP configuration, 5-7
operation configuration, 3-22
operation statistics, 3-22
schema, 4-4
unrestricted read, 6-41
virtual attributes, 3-40
unavailable link-flag, 3-54
unbind, outgoing connections, 5-5
undefined syntax, 4-6
UNSPSC sample DSA
port number, 2-25
update access, 6-41
W
update error, naming violation, 4-18
update requests, 5-24
wide indexes, 3-31
update-log file, 3-10
upgrading Advantage Ingres, D-4, E-4
X
URL pages, launching of, 11-33
user accounts
suspending, 6-30
users
administrative, 6-12, 6-42
associations, 3-16
authentication, 6-13
conveying authentication, 6-19, 6-20
current, 3-24
defining, 6-12
defining superusers, 6-41
distributed, 6-15
limit in associations, 3-18
managing large numbers, 16-10
maximum number to bind, 3-18
X.435, 4-1
X.500
guard, 5-9, 7-23
information types, 4-2
object class kinds, 4-14
schema, 4-2
tracing, 3-16
X.509 certificates, 6-2
X.520
attribute syntax, 4-6
attributes, 4-5
X.521, object classes, 4-14
Index–15