Mapping NT User Account Information to LDAP

The schema for two object classes, ntUser and ntGroup, that support Windows NT user accounts ships with the iPlanet Directory Server. Some of the LDAP attributes contained in these object classes correspond directly to Windows NT user account fields. These are shown in TABLE 12-1.

TABLE 12-1 Windows NT to LDAP Mapping (columns: Directory Server Attribute, NT User Account Field)

For each Windows NT user account, as well as for each Windows NT group, an equivalent LDAP entry is created with these mapped fields....

Audit Log

The audit log is useful for tracking changes to the directory database and the directory server configuration. If a problem arises with the directory at a particular time, checking the audit log is a good place to start, to see whether the problem coincided with the directory malfunction.

    slapd shutting down - signaling
    slapd shutting down - waiting for
    slapd shutting down - waiting for
    Waiting for 4 database threads to
    All database threads now stopped

The following is an example of an...

Step 9 Setting Password Read Permission for proxyagent

If pam_unix is used to authenticate Solaris users, as recommended, the cn=proxyagent DN, with which the Solaris LDAP client binds to the server, must be granted read permission for user account passwords. To perform this operation through the Directory Console, follow these steps:

1. Click the right mouse button on the top-level object, then choose Set Access Permissions from the pull-down menu and add the following data:
   User/Group: cn=proxyagent, ou=profile (use Add User to List)
   Rights: compare, ...

Monitoring the Database from the Command Line

You can monitor your directory server's database activities from any LDAP client by specifying the following parameters:

    blueprints# ldapsearch -h blueprints.com -s base -b "cn=monitor,cn=ldbm" "objectclass=*"

When you monitor your server's activities in this way, you see the following information:

database: The type of database you are currently monitoring.
read-only: State of the database, that is, whether it is in read-only mode. A value of 0 means the server is not in read-only mode; 1 means it is in...

Exporting Databases to LDIF from the Command Line

The directory database is exported to LDIF with the ns-slapd command executed with the db2ldif keyword. Below is the full syntax for running this command:

    ns-slapd db2ldif -f slapd.conf -a outputfile -d debug_level -n -r -s include_suffix -x exclude_suffix

slapd.conf: Is the location of the directory server configuration file. The default location of the slapd.conf file is install_dir/slapd-instance/config.
-a: Is the location of the output file in which the server saves the exported LDIF. If a...

Import Schema Checking

Turning off schema checking during an import may provide as much as a factor-of-two performance gain; however, you should never turn off schema checking unless you are willing to sacrifice data integrity for speed. Leaving schema checking off during import can result in an entry in the database that is impossible to modify once schema checking is turned back on. For this reason, you should not turn off schema checking unless you are certain that the entries in the LDIF file are valid for the...

Setting Search Limit Parameters

Three search limit parameters let you manage Directory Server performance by limiting the amount of resources the server allocates to client requests.

Size Limit (in entries): Specifies the maximum number of entries the server will return to the client in response to a search operation. If this limit is reached, the server returns any entries it has located that match the search request, as well as an exceeded size limit error. The default value for this parameter is 2000. Decreasing this...

LDAP Authentication Simple Authentication

Before you can perform operations in the LDAP directory, you must first perform some form of authentication. This authentication enables the directory server to determine what level of access you have and what you can do in terms of operations in the directory server. The most basic form of authentication is simple authentication. Here you supply the distinguished name (DN) and password to the directory server; if you do not supply a password, that is, a NULL password is supplied to...

Tuning Write Performance

Compared with tuning the search performance of the directory, tuning the write performance is straightforward. The factor that most limits write performance is the amount of time it takes to update information in files on the physical disks of the machine where the directory is running. When a write operation of some type (add, update, or delete) is performed by the directory, the directory writes information to files in many different places:
- The appropriate indexes are updated.
- The update is...

Initializing the Database

The quickest way to import data is to initialize the whole database. That is, remove all the current data and replace it with data from an LDIF file. This operation is performed while the directory server is offline. The command for initializing a database is ns-slapd with the ldif2db argument. One problem with performing a database initialization is that the configuration data that was placed there during the installation is lost. To preserve this data, you must back it up, then restore it....

Setting the All IDs Threshold

Each index that the directory server uses comprises a table of index keys and matching entry ID lists. That is, for each index key there is a list of directory entry IDs that match the key. This entry ID list is used by the directory server to build a list of candidate entries that can match a specified search filter. There is a size limit for each entry ID list. This size limit, called the All IDs threshold, is globally applied to every index key managed by the server. When the size of an...

LDAP v3 Result Codes

This appendix explains some of the LDAP error codes that can be returned by your LDAP server. It is not a complete list and does not discuss the mechanism of why an LDAP server gives a particular error. To find out additional information on error codes refer to RFC 2251, which defines these error codes. Also, as another very useful resource, see Internet Draft draft-just-ldapv3-rescodes-02.txt, which details exact descriptions of these error codes. Finally, you may also want to refer to the...

Unified Login and Single Signon

Directory consolidation by itself may provide a unified login, but it does not provide single sign-on (SSO) capability. A unified login is achieved because the same name and password are used for all directory-enabled application logins. However, this does not mean that each application will not prompt the user for a name and password. Single sign-on is achieved by requiring the user to log in only once. When the user attempts to access an application after already being authenticated, a special...

Solaris LDAP Client Profiles

To simplify Solaris LDAP client configuration, a client profile entry is created on the directory server. A separate client profile can be created for each client, or several clients can share the same one. The following is a list of client profile attributes and their descriptions.

SolarisLDAPServers: A comma-separated list of LDAP servers that can be used by the client. This is a mandatory attribute that must contain at least one server name. If multiple servers are listed, the first server is...

Setting Entry Cache Size

Unlike the database cache, the entry cache size is set not by the amount of memory you would like it to consume but by the maximum number of entries you would like it to hold. The actual amount of memory it will consume is a function of the average entry size. For example, if your average entry size is 1 Kbyte, and you specify that the entry cache should hold a maximum of 10,000 entries, then the amount of memory the cache will consume will be 1 Kbyte/entry x 10,000 entries = 10 Mbytes + 25% for cache...

Mail Alias Schema

LDAP servers must be configured to support mail alias information. Mail alias information uses the schema defined by the LDAP Mailgroups Internet draft, formerly known as the draft-steinback-ldap-mailgroups draft. Since the introduction of the Solaris LDAP client functionality, this Internet draft has expired and is no longer a valid Internet draft. Unfortunately, no available standard provides a schema with the same information. For now, Solaris LDAP clients need to continue to use this schema...

Step 6 Modifying SelfEntry Modification

As discussed in Chapter 10, Managing Directory Services, you set permissions on a directory object by creating an ACI. You set the ACI either by using the Directory Console or by creating an LDIF file that contains ACI statements.

a. Run the Directory Console and log in as cn=Directory Manager.
b. Go to the Directory tab and highlight the top node of the DIT where the NIS objects reside.
c. Right-click and choose Set Access Permissions on the pull-down menu. The Multivalue ACI Selector form is...

Step 10 Generating the Client Profile

1. Now generate the client profile and then add it to the LDAP server. You should generate the profile on a Solaris 2.8 machine or higher, because older OS levels don't have the ldap_gen_profile utility.

    blueprints# ldap_gen_profile -P profile -b baseDN -D bindDN -w bindDNpasswd ldapServer_IP_address(es):port

The bindDN used here is the bind DN of the proxy agent. You can specify more than one LDAP server's IP address if you want to fail over to another LDAP server. Capture the above result in a...

NIS+ Credentials

The Solaris crypt method only checks to see whether the text string the user types in matches the stored string for that particular login ID. There is no check to see whether the user is logging in from a legitimate workstation or domain, since that information is not stored anywhere. NIS+ addresses this problem by issuing credentials to users. Credentials were introduced in NIS+ as a means to identify legitimate users within a domain of workstations by maintaining more information than a simple user name....

Directory Server Setup

Before setting up an Address Book, you need to populate the directory with employee information. You typically do this by creating a script that converts existing data to an LDIF format that can be imported into the directory. Another way you can populate the directory is through the iPlanet Directory Console, by invoking the New User form. While this method is not practical for loading the entire Address Book, it can be useful for creating sample data. Before you create new user entries, you...

Basic PATROL Knowledge Modules

The Knowledge Module has three distinct characteristics. At Agent startup, a Knowledge Module is loaded from a file on the Agent's local file system. Similarly, at Console startup, a Knowledge Module is also loaded. The only time a KM is moved around over your underlying network is when a Developer Console updates knowledge stored at each Agent. A Knowledge Module comprises two major components: discovery rules and scripts. The discovery rules implement the scope defined by the KM developer. The...

Database Entry Cache

The database entry cache caches all the directory data. The total size of the database entries is close to the size of the id2entry.db file. The size will depend on the number of entries and the number of attributes each entry contains. For a relatively small entry, say, containing 15 attributes, plan on about 1 Kbyte per entry. Therefore, a 100,000-entry database would consume 100 Mbytes of space. The size of the database entry cache can be configured but should be made large enough to fit all...

Adding an Object to the DIT

1. Run the Directory Console and log in as cn=Directory Manager.
2. Go to the Directory tab and highlight the portion of the tree in the left pane where you want to insert the new object.
3. Hold down the right mouse button and choose New from the pull-down menu. Four choices are offered: User, Group, Organizational Unit, and Other. For the objects defined as ou entries, choose Organizational Unit; for the other objects, such as the nisMap object, choose Other and choose the appropriate object from...

ldap_cachemgr Daemon

The ldap_cachemgr is a daemon that runs on the LDAP client machines. It serves two purposes:
- Refreshes the information in the /var/ldap/ldap_client_file file from the LDAP server.
- Accesses the credential information from the /var/ldap/ldap_client_cred file, which is readable only by root.

If this process is not running, then the refresh is done per process and /var/ldap/ldap_client_file will not be updated. Also, only anonymous connections can be made to the directory server unless permissions...

Checking Memory Usage with pmap

The Solaris 8 operating environment includes a utility called pmap, which is handy for determining which processes are using up memory. Since the database and entry cache sizes are dynamic, the amount of memory consumed by the directory server will change over time. To run pmap on the directory server process, specify the PID of the ns-slapd process. For example:

    24626   1:05 ns-slapd
    blueprints# pmap 24626

The output from pmap is quite voluminous, so only a couple of lines are shown. You will...

Importing Databases from LDIF

You can import an LDIF file either by running the ns-slapd command with the ldif2db keyword or by running the ldapmodify command. To import an entire database, run the ldif2db script, which executes the ns-slapd command with the ldif2db argument. For example:

    blueprints# cd install_dir/slapd-instance
    blueprints# ./ldif2db -i ./ldif/2000_04_17_224244.ldif

Import a directory subtree from an LDIF file by using the ldif2db command. However, for importing small numbers of entries (less than 10,000), run...

Benefits of Consolidation

The obvious benefit of consolidation is the ability to present a consistent view of data, such as employee information, across a wide range of applications. The data about an employee may be maintained in a Human Resources (HR) database, a messaging system database, an operating system naming service, and a company-wide address book. In many cases, the same data fields are maintained in all these places. If the employee transfers to another department, updates need to occur in all these data stores....

Changing the Transaction Log Location

Every operation performed on the directory is recorded in a transaction log, so the directory can be rolled back to a known good state in the event of a server crash. Data is continuously written to the log, even during search operations. Therefore, it is important for performance reasons to locate this log on a separate volume. Chapter 7, Capacity Planning and Performance Tuning, provides additional details on the performance hit caused by leaving the transaction log on the same volume as...

ldaplist Command

ldaplist is an LDAP utility that lists the naming information from the LDAP servers. It uses the simplified API to access the information, thus obeying all the security and options defined by the configuration files. See the ldaplist(1) man page for additional information. Without any argument, ldaplist returns all the containers in the current search baseDN:

    dn: ou=Directory Administrators, dc=blueprints,dc=com
    dn: ou=People, dc=blueprints,dc=com
    dn: ou=Special Users,dc=blueprints,dc=com
    dn: ou...

Capacity Planning and Performance Tuning

When directory servers become overloaded, they can no longer provide the level of service users have come to expect. Even though the server may still be considered up, response times can become so long that the directory service becomes unusable. Preventing overload conditions requires identifying the proper hardware configuration to handle the load and the proper tuning of the directory server software to assure peak performance. In this chapter, methodologies for correctly sizing your...


Exporting and Importing the Database with LDIF

An alternative to the backup and restore procedures described in the previous section is to export and import directory data in LDAP Data Interchange Format (LDIF). This method is useful if you want to copy part of the directory tree to another server. Chapter 4, iPlanet Directory Server Installation and Configuration, describes the procedures for initializing the directory by importing data in LDIF format. This is a common method for importing data from legacy data sources such as NIS maps. In...

12 Microsoft Windows Interoperability 289

    How the NT User Account Information Is Made Available to Solaris Server 290
    Mapping NT User Account Information to LDAP 291
    How the Synchronization Service Works 291
    Windows 2000 Interoperability 294
    Active Directory Services Architecture 294
    Information Model 296
    Security Model 298
    Access Model 299
    Replication Model 300
    How Active Directory Clients Interact with Servers 301
    How Applications Access Active Directory Services 302
    Solaris Directory Services and Active Directory Services...

2 Solaris Naming Services Architecture 11

    Evolution of Solaris Naming Services 11
    NIS and Files Coexistence 12
    NIS and DNS Coexistence 13
    Solaris Naming Service Switch 13
    NIS Architecture Overview 16
    NIS Client Server Architecture 16
    How NIS Clients Bind to the NIS Server 17
    NIS Maps 17
    NIS High Availability Architecture Features 19
    NIS+ Architecture Overview 20
    NIS+ Client Server Architecture 21
    How NIS+ Clients Bind to the NIS+ Server 22
    NIS+ Tables 23
    NIS+ Interaction with DNS 24
    NIS+ High Availability Architecture Features 25
    Solaris DNS...