Netscape Directory Server Administrator's Guide
Chapter 1
Introduction to Netscape Directory Server
The Netscape Directory Server (Directory Server) product includes a Directory Server, an Administration Server to manage multiple server instances, and Netscape Console to manage server instances through a graphical interface. This chapter provides overview information about the Directory Server and the most basic tasks you need to start administering a directory service.
Overview of Directory Server Management
The Directory Server
is a robust, scalable
server designed to manage an enterprise-wide directory of users and
resources. It is based on an open-systems
server protocol called the Lightweight Directory Access Protocol
(LDAP). The Directory Server runs as the
ns-slapd process or service on your machine. The server manages
the directory databases and responds to client requests.
You perform most Directory Server
administrative tasks through the Netscape Administration Server, a
second server that Netscape provides to help you manage Directory
Server (and all other Netscape servers). For Directory Server, you use
a part of the Netscape Administration Server called Netscape Console.
The Directory Server Console is a part of Netscape Console designed
specifically for use with Directory Server.
You can perform most Directory Server
administrative tasks from the Directory Server Console. You can also
perform administrative tasks manually by editing the configuration
files or by using command-line utilities. For more information about
the Netscape Console, see Managing Servers with
Netscape Console.
Using the Directory Server Console
The Directory Server
Console is an integral part of the
Netscape Console.
You start the Directory Server Console from Netscape Console, as
described below.
Starting Directory Server Console
- Check that the Directory Server daemon, slapd-serverID, is running. If it is not, as the root user, enter the following command to start it:
serverRoot/slapd-serverID/start-slapd
- Check that the Administration Server daemon, admin-serv, is running. If it is not, as the root user, enter the following command to start it:
serverRoot/start-admin
- Start Netscape Console by entering the following command:
serverRoot/startconsole
The Console login window is
displayed. If
your configuration directory (the directory that contains the o=NetscapeRoot
suffix) is stored in a separate instance of
Directory Server, a window is displayed requesting the administrator
user id, password, and the URL of the Netscape Administration Server
for that Directory Server.
- Log in using the bind DN and password of a user with sufficient access permissions for the operations you want to perform. For example, use cn=Directory Manager and the appropriate password. The Netscape Console is displayed.
- Navigate through the
tree in the
left-hand pane to find the machine hosting your Directory Server, and
click on its name or icon to display its general properties.
- To edit the name and
description of
your Directory Server, click the Edit button. Enter the new name and
description in the text boxes. The name will appear in the tree on the
left. Click OK to set the new name and description.
- Double-click the
name of your Directory
Server in the tree or click the Open button to display the Directory
Server Console.
Copying Entry DNs to the Clipboard
Using the Directory
tab, you can copy the
DN of an entry to the clipboard.
To do this:
- In the Directory Server
Console, select the Directory tab.
- Browse through the
tree until the entry
whose DN you want to copy is displayed.
- Select the entry in the tree, and then select Edit > Copy DN, or press Shift+Ctrl+C.
Configuring the Directory Manager
The Directory Manager is the privileged database administrator, comparable to the root user in UNIX. Access control instructions are not evaluated for the entry you define as Directory Manager, so every operation it performs succeeds; bind as this identity only for tasks that require it, and guard its password accordingly. You initially defined this entry during installation. The default is cn=Directory Manager.
The Directory Manager DN is held in the nsslapd-rootdn attribute of the server's cn=config entry, and its password in the nsslapd-rootpw attribute, stored using the scheme you select below.
To change the Directory Manager DN and password and the encryption scheme used for this password:
- Log in to the Directory Server Console as Directory Manager.
If you are already logged in to the
Console, see Binding to the
Directory from Netscape Console for instructions on how to log in
as a different user.
- In the Directory Server Console,
select
the Configuration tab, and then select the top entry in the navigation
tree in the left pane.
- Select the Manager
tab in the right
pane.
- Enter the new
distinguished name for
the Directory Manager in the Root DN field.
The default value is
cn=Directory Manager.
- From the Manager Password Encryption pull-down menu, select the storage scheme you want the server to use to store the password for Directory Manager. Choose a salted scheme such as SSHA; the CLEAR scheme writes the password unhashed into the configuration file.
- Enter the new
password, and confirm it
using the text fields provided.
- Click Save.
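As an added example (not code from this guide or from the Netscape product), the following Python shows what the SSHA choice in the Manager Password Encryption menu produces and how a stored value is verified: the format is "{SSHA}" followed by base64 of the SHA-1 digest of the password concatenated with a salt, with the salt appended to the digest. The scheme names in SALTED_SCHEMES other than SSHA, and the rootpw_finding audit helper, are assumptions made for this example rather than anything the guide describes.

```python
# Added example, not code from the Netscape Directory Server guide: the {SSHA}
# (salted SHA-1) storage scheme that Netscape/389 Directory Server uses for
# hashed password values, including nsslapd-rootpw. The stored form is
#     "{SSHA}" + base64( SHA1(password || salt) || salt )
# The salt length is not fixed by the format, so verification splits the
# decoded value at the 20-byte SHA-1 digest rather than assuming a salt size.
import base64
import hashlib
import hmac
import os
from typing import Optional

SHA1_LEN = 20

def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an {SSHA} value; a random 8-byte salt is generated if none is given."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_split(stored: str):
    """Return (digest, salt) from a stored {SSHA} value, or None if it is malformed."""
    if stored[:6].upper() != "{SSHA}":
        return None
    try:
        raw = base64.b64decode(stored[6:], validate=True)
    except ValueError:                      # binascii.Error is a ValueError
        return None
    if len(raw) <= SHA1_LEN:                # digest only, no salt
        return None
    return raw[:SHA1_LEN], raw[SHA1_LEN:]

def ssha_verify(password: str, stored: str) -> bool:
    """Constant-time comparison of password against a stored {SSHA} value."""
    parts = ssha_split(stored)
    if parts is None:
        return False
    digest, salt = parts
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def storage_scheme(stored: str) -> str:
    """Scheme tag of a stored value ('SSHA', 'CRYPT', ...), or 'CLEAR' if it has none."""
    if stored.startswith("{") and "}" in stored:
        return stored[1:stored.index("}")].upper()
    return "CLEAR"

# SSHA is the salted scheme on this release; the other names are used by later
# 389 Directory Server versions (an assumption for this example).
SALTED_SCHEMES = {"SSHA", "SSHA256", "SSHA384", "SSHA512", "PBKDF2_SHA256"}

def rootpw_finding(stored: str) -> Optional[str]:
    """One-line finding for an nsslapd-rootpw value, or None if it is acceptable.
    CLEAR discloses the Directory Manager password to anyone who can read
    dse.ldif; SHA has no salt and CRYPT keeps only eight characters, so both
    fall to precomputed-table attacks if the file leaks."""
    scheme = storage_scheme(stored)
    if scheme == "CLEAR":
        return "Directory Manager password is stored in cleartext"
    if scheme not in SALTED_SCHEMES:
        return f"Directory Manager password uses weak scheme {scheme}"
    if scheme == "SSHA" and ssha_split(stored) is None:
        return "Directory Manager {SSHA} value is malformed"
    return None
```

After changing the scheme, run rootpw_finding over the nsslapd-rootpw line copied from the server's cn=config entry: a result of None means the Directory Manager password is stored salted and hashed as intended.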
Binding to the Directory from Netscape Console
When you create or
manage entries from the
Directory Server Console and when you first access the Netscape
Console, you are given the option to log in by providing a bind DN and a password. This option lets you
indicate who is accessing the directory tree. This determines the
access permissions granted to you and whether you can perform the
requested operation.
Changing Login Identity
You can log
in with the Directory Manager DN when you first start the Netscape
Console. At any time, you can choose to log in as a different user,
without having to stop and restart the Console.
To change your login in Netscape Console:
- In the Directory Server
Console, select the Tasks tab.
- Click "Log on to the
Directory Server
as a New User."
A login dialog box appears.
- Enter the new DN and
password, and
click OK.
Enter the full distinguished name of the entry with which you want to bind to the server. For example, if you want to bind as the Directory Manager, then enter the following in the Distinguished Name text box:
cn=Directory Manager
For more information about the Directory
Manager DN and password, refer to Configuring the Directory Manager.
Viewing the Current Bind DN from the Console
You can view the bind
DN you used to log in to the Directory Server Console by clicking the
login icon in the lower-left corner of the display. The current bind DN
appears next to the login icon, as shown here:
Figure 1-1 Viewing the Bind DN
Starting and Stopping the Directory Server
If you are not using
Secure Sockets Layer
(SSL), you can start and stop the Directory Server using the methods
listed here. If you are using SSL, see Starting the Server with SSL Enabled.
If the Directory Server shuts down due to a full
disk, subsequent restart of the server may take a very long time, even
more than an hour. Ensure that the machine on which you install the
server has adequate disk space and that the machine is configured
appropriately to handle large files. For more information on setting
these parameters, see chapter 3, “Computer System Requirements,” in the
Netscape
Directory Server Installation Guide.
Note: On UNIX systems, rebooting the system does not automatically start the slapd process, because the directory does not create startup or run command (rc) scripts. Check your operating system documentation for details on adding these scripts. On Windows, anyone who can open the Console can shut down the Directory Server from it, so restrict Console access to the computers running Directory Servers.
Starting and Stopping the Server from the Console
- Start the Directory
Server Console.
For instructions, refer to Starting Directory Server
Console.
- In the Tasks tab,
click "Start the
Directory Server" or "Stop the Directory Server" as appropriate.
When you successfully start or stop
your
Directory Server from the Directory Server Console, the server displays
a message box stating that the server has either started or shut down.
If you are using a Windows machine:
- Select Start >
Settings > Control Panel from the desktop.
- Double-click the
Services icon.
- Scroll through the
list of services,
and select the Netscape Directory Server.
The service name is
Netscape Directory Server version (serverID),
where version
is the version number and
serverID is the identifier you specified for the server when you
installed it.
- Start or stop the
service:
- To stop the service, click Stop,
and
then confirm that you want to stop the service.
- To start the service, select the
Directory Server service, and click Start.
Starting and Stopping the Server from the Command Line
Use one of the following scripts:
serverRoot/slapd-serverID/start-slapd
or
serverRoot/slapd-serverID/stop-slapd
where serverID is the identifier you specified for the server when you installed it.
On UNIX, both of these scripts must run
with the same UID and GID as the Directory Server. For example, if the
Directory Server runs as
nobody, you must run the
start-slapd and
stop-slapd utilities as
nobody.
Configuring LDAP Parameters
You can view and change the parameters relevant to the server's network and LDAP settings through the Directory Server Console. For information on schema checking, see chapter 9, "Extending the Directory Schema."
Changing Directory Server Port Numbers
You can modify the port or secure port number of your user Directory Server using the Directory Server Console or by changing the value of the nsslapd-port or nsslapd-securePort attribute under the cn=config entry.
If you want to modify the port or secure
port for a Directory Server that contains the Netscape configuration
information (o=NetscapeRoot
subtree), you may do so through Directory Server
Console.
If you change the configuration directory
or user directory port or secure port
numbers, you should be aware of the following repercussions:
- You need to change
the configuration or
user directory port or secure port number configured for Netscape
Administration Server. See Managing Servers with
Netscape Console for information.
- If you have other
Netscape servers
installed that point to the configuration or user directory, you need
to update those servers to point to the new port number.
To modify the port or secure port on which
either a user or a configuration directory listens for incoming
requests:
- In the Directory Server
Console, select the Configuration tab, and then select the top entry in
the navigation tree in the left pane.
- Select the Settings
tab in the right
pane.
- Enter the port
number you want the
server to use for non-SSL communications in the "Port" text box.
The default value is 389.
- Enter the port
number you want the
server to use for SSL communications in the Encrypted Port text box.
The encrypted port number that you
specify
must not be the same port number as you are using for normal LDAP
communications. The default value is 636.
- Click Save.
A warning will appear: “You are about to change the port number for the
Configuration Directory. This will affect all Administration Servers
that use this directory and you’ll need to update them with the new
port number. Are you sure you want to change the port number?” Click on
Yes.
Then a dialog will appear, saying that the changes will not take effect
until the server is restarted. Click OK.
Note: Do not restart the Directory Server at this point. If you do, you will not be able to make the necessary changes to the Administration Server.
- Open the Administration Server Console.
Open the Configuration tab, then select the Configuration DS tab.
- In the LDAP Port field, type in the new LDAP port
number for your Directory Server port.
Check the Secure Connection box if this is a secure port.
Note: If you try to save these changes at this step, you will get a warning box that reads, “Invalid LDAP Host/LDAP Port, can not connect.” Click OK, and ignore this warning.
- In the Task tab of the Directory Server Console,
click on “Restart Directory Server.” A dialog will appear, asking if
you want to restart the server. Click Yes.
See Starting and Stopping the Directory Server for
information.
- Now you can go to the Configuration DS tab of the
Administration Console and select Save.
A dialog will appear, reading “The Directory Server setting has been
modified. You must shutdown and restart your Administration Server and
all the servers in the Server Group for the changes to take effect.”
Click OK.
- In the Tasks tab of the Administration Server
Console, click on “Restart Admin Server.” A dialog will appear, saying
that the Admin Server has been successfully restarted. Click on Close.
Note: You must close and reopen the Console before you can do anything else in it. Refresh may not update the Console, and, if you try to do anything, you will get a warning that reads, “Unable to contact LDAP server.”
Placing the Entire Directory Server in Read-Only Mode
If you maintain more
than one database with
your Directory Server and you need to place all your databases in
read-only mode, you can do this in a single operation. Note, however,
that if your Directory Server contains replicas, you must not use
read-only mode because it will disable replication.
To put the Directory Server in read-only
mode:
- In the Directory Server
Console, select the Configuration tab, and then select the top entry in
the navigation tree in the left pane.
- Select the Settings
tab in the right
pane.
- Select the Make
Entire Server Read-Only
checkbox.
- Click Save, and then
restart the server.
Note: This operation also makes the Directory Server configuration read-only; therefore, you cannot update the server configuration, enable or disable plug-ins, or even restart the Directory Server while it is in read-only mode. Once you have enabled read-only mode, you cannot undo it from the Console; you must edit the configuration file by hand (set nsslapd-readonly to off under cn=config in dse.ldif while the server is stopped).
For information on
placing a single
database in read-only mode, refer to Enabling Read-Only Mode.
Tracking Modifications to Directory Entries
You can configure the server to maintain special attributes for newly created or modified entries:
- creatorsName -- The distinguished name of the identity that was bound when the entry was created.
- createTimestamp -- The time the entry was created, in GMT (Greenwich Mean Time), as a generalized time value such as 20240105093000Z.
- modifiersName -- The distinguished name of the identity that was bound when the entry was last modified.
- modifyTimestamp -- The time the entry was last modified, in GMT, in the same format.
These are operational attributes: they are not returned with the user attributes by default, so a client must request them by name in its search.
Note: When a database link is used by a client application to create or modify entries, the creatorsName and modifiersName attributes do not reflect the real creator or modifier of the entries. They contain the name of the administrator who is granted proxy authorization rights on the remote server. For information on proxy authorization, refer to Providing Bind Credentials.
To enable the
Directory Server to track
this information:
- In the Directory Server
Console, select the Configuration tab, and then select the top entry in
the navigation tree in the left pane.
- Select the Settings
tab in the right
pane.
- Select the Track
Entry Modification
Times checkbox.
The server adds the creatorsName,
createTimestamp,
modifiersName,
and modifyTimestamp
attributes to every newly created or modified
entry.
- Click Save, and then
restart the server.
See Starting and Stopping the Directory Server for more
information.
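The following Python is an added example, not code from this guide or from the Netscape product. It serves two passages of this chapter: the port-change procedure in Changing Directory Server Port Numbers, where the values under cn=config should be sanity-checked before the restart that activates them, and the tracking attributes described just above, which an administrator will want to audit (for instance, to list every entry the unrestricted Directory Manager modified after a given date, since those changes were never subject to access control). It uses a small LDIF reader of its own; the cn=config fragment and the export are constructed samples, and the port rule it enforces (an unprivileged UNIX process cannot bind a port below 1024) is a general fact rather than something the product checks for you.

```python
# Added example, not code from the Netscape Directory Server guide. A minimal
# LDIF reader over dse.ldif-style text, used for two checks from this chapter:
# validating the cn=config listener ports (nsslapd-port / nsslapd-securePort)
# before a restart, and auditing the modifiersName / modifyTimestamp tracking
# attributes in an LDIF export. Both LDIF samples are constructed.
import base64
from datetime import datetime, timezone

def parse_ldif(text):
    """Return a list of (dn, {attr: [values]}) from LDIF text. Handles folded
    continuation lines, '::' base64 values and '#' comments; names are lower-cased."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                 # unfold continuation line
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, None
    for line in lines + [""]:                    # trailing "" flushes last entry
        if line.startswith("#"):
            continue
        if line == "":
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, None
            continue
        name, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):                # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        if name.lower() == "dn":
            dn, attrs = value, {}
        elif attrs is not None:
            attrs.setdefault(name.lower(), []).append(value)
    return entries

def check_listener_ports(config, runs_as_root):
    """Problems with the cn=config port settings (empty list = OK). Defaults mirror
    the Console's (389 / 636); a non-root UNIX server cannot bind below 1024."""
    problems = []
    port = int(config.get("nsslapd-port", ["389"])[0])
    secure = int(config.get("nsslapd-secureport", ["636"])[0])
    for label, value in (("nsslapd-port", port), ("nsslapd-securePort", secure)):
        if not 1 <= value <= 65535:
            problems.append(f"{label} {value} is not a valid TCP port")
        elif value < 1024 and not runs_as_root:
            problems.append(f"{label} {value} requires root; use a port above 1023")
    if port == secure:
        problems.append("nsslapd-port and nsslapd-securePort must differ")
    return problems

def parse_ldap_time(value):
    """createTimestamp/modifyTimestamp are GeneralizedTime in UTC, e.g. 20240105093000Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def entries_modified_by(entries, modifier_dn, since=None):
    """DNs whose modifiersName equals modifier_dn (case-insensitive) and, if 'since'
    is given, whose modifyTimestamp is at or after it. Untracked entries are skipped."""
    since_dt = parse_ldap_time(since) if since else None
    hits = []
    for dn, attrs in entries:
        who = attrs.get("modifiersname", [""])[0]
        when = attrs.get("modifytimestamp", [""])[0]
        if who.lower() != modifier_dn.lower() or not when:
            continue
        if since_dt is None or parse_ldap_time(when) >= since_dt:
            hits.append(dn)
    return hits

# Constructed cn=config fragment in which the secure port collides with the plain port.
SAMPLE_DSE = """\
dn: cn=config
nsslapd-port: 389
nsslapd-securePort: 389
"""

# Constructed export with tracking enabled; the second entry carries a base64 value.
SAMPLE_EXPORT = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
modifiersName: cn=Directory Manager
modifyTimestamp: 20240207181500Z

dn: uid=asmith,ou=People,dc=example,dc=com
description:: QW4gYWNjb3VudCB3aXRoIGEgYmFzZTY0IHZhbHVl
creatorsName: cn=Directory Manager
modifiersName: cn=Directory Manager
modifyTimestamp: 20230101000000Z

dn: uid=bwong,ou=People,dc=example,dc=com
modifiersName: uid=admin,ou=People,dc=example,dc=com
modifyTimestamp: 20240301120000Z
"""
```

To use it against a real server, feed check_listener_ports the cn=config entry from the instance's dse.ldif before restarting, and feed entries_modified_by an export that was made with the tracking attributes included (the export must request them, since they are operational).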
Starting the Server with SSL Enabled
To start Directory Server with SSL enabled:
- Obtain server certificates and CA certs, and install them on the
Directory Server.
See chapter 11, Managing SSL and SASL, for information on obtaining
certificates.
- Obtain and install server and CA certificates on the
Administration Server.
It is important that the Administration Server and Directory Server
have a CA certificate in common so that they can trust the other's
certificates.
- If you did not install the servers as root, you must change the secure port setting from the default 636 to a number above 1024, because on UNIX only root can bind a port below 1024. See Changing Directory Server Port Numbers for more information.
- Change the port number in the Configuration > Settings tab of the Directory Server Console, and save.
- Restart the Directory Server. At this point it still listens only on the regular (non-SSL) port.
- In the Configuration tab of the Directory Server Console,
highlight the server name at the top of the table, and select the
Encryption tab.
Select the "Enable SSL" checkbox, and fill in the appropriate
certificate information. If you want Console operations to be secure,
check the "Use SSL in the Console" box.
- In the Administration Server Console, select the Configuration
tab. Select the Encryption tab, and check the "Enable SSL" checkbox,
and fill in the appropriate certificate information.
- In the Configuration DS tab, set the new Directory Server secure
port information. Do this even if you are using the default port of 636.
- In the User DS tab, fill in the new Directory Server secure port
information, the LDAP URL, and the user database information. Do this
even if you are using the default port of 636.
- Save the new SSL settings, Configuration DS, and User DS
information in the Administration Server.
- Restart the Admin Server. On UNIX, you must start the server from
the command-line.
- Restart the Directory Server. On UNIX, you must start the server from the command line.
- Restart the Console. Be certain that the address reads "https:"; otherwise, the operation will time out, unable to find the Admin Server.
- A dialog box will appear, asking you to accept the certificate. Check that it is the Administration Server certificate you installed, then click OK.
On Windows, if you are
using SSL with your
server, you must start the servers from the server's host machine. This
is because a dialog box will prompt you for the certificate PIN before
the server will start. For security reasons, this dialog box appears
only on the server's host machine.
Creating a Password File
On either Windows or
UNIX systems, you can create a password
file to store your certificate
password. By placing your certificate database password in a file, you
can start your server from the server console and also allow your
server to restart automatically when running unattended.
Note: This password is stored in cleartext within the password file, so its use represents a significant security risk: anyone who can read the file can unlock the server's private key. Do not use a password file if your server is running in an unsecured environment, and where you do use one, make it readable only by the user the Directory Server runs as.
The password file must
be placed in the
following location:
serverRoot/alias/slapd-serverID-pin.txt
where
serverID is the identifier you specified for the server when you
installed it.
You need to include the token name and
password in the file as follows:
Token:mypassword
For example:
Internal (Software) Token:mypassword
To create certificate databases, you must
use the administration server and the Certificate Setup Wizard. For
information on certificate databases, certificate aliases, SSL, and
obtaining a server certificate, see Managing Servers with
Netscape Console. For
information on using SSL with your Directory Server, see chapter 11, Managing SSL and SASL.
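As an added example (not code from this guide or from the Netscape product), the following Python creates the pin file in the form described above and audits an existing one for the problems a practitioner cares about: permissions that let other users read the cleartext password, a file not owned by the server's runtime user, and malformed token lines. The temporary alias directory, the file name slapd-example-pin.txt and the expected_uid parameter are assumptions made for this example.

```python
# Added example, not code from the Netscape Directory Server guide: create and
# audit the certificate PIN file that lets the server start unattended,
# serverRoot/alias/slapd-serverID-pin.txt, whose lines are "<token>:<password>".
# Because the password is cleartext, the file is created mode 0600 and the
# audit flags anything group- or world-accessible, a wrong owner, or malformed
# lines. The temporary alias directory and file name used by demo() are
# constructed for this example.
import os
import stat
import tempfile

def format_pin_lines(pins):
    """pins: {token name: password}. Token names may contain spaces (e.g.
    'Internal (Software) Token') but not ':', which separates the fields."""
    lines = []
    for token, password in pins.items():
        if not token.strip() or ":" in token:
            raise ValueError(f"invalid token name {token!r}")
        if not password or "\n" in password:
            raise ValueError("password must be one non-empty line")
        lines.append(f"{token}:{password}")
    return "\n".join(lines) + "\n"

def parse_pin_file(text):
    """Inverse of format_pin_lines; a password may itself contain ':'."""
    pins = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        token, sep, password = line.partition(":")
        if not sep or not password:
            raise ValueError(f"malformed pin line {line!r}")
        pins[token] = password
    return pins

def write_pin_file(path, pins):
    """Create the file readable only by its owner, refusing to overwrite."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(format_pin_lines(pins))

def audit_pin_file(path, expected_uid=None):
    """Return a list of findings; an empty list means the file is acceptable."""
    findings = []
    st = os.stat(path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} is "
                        "accessible to group/others; use 0600")
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, "
                        f"not the server user (uid {expected_uid})")
    try:
        with open(path) as fh:
            pins = parse_pin_file(fh.read())
        if not pins:
            findings.append(f"{path}: no token:password line")
    except ValueError as exc:
        findings.append(f"{path}: {exc}")
    return findings

def demo():
    """Write a pin file for the internal token, audit it, then loosen the mode
    to show the audit catching it. Returns (findings_before, findings_after)."""
    with tempfile.TemporaryDirectory() as alias_dir:
        path = os.path.join(alias_dir, "slapd-example-pin.txt")
        write_pin_file(path, {"Internal (Software) Token": "mypassword"})
        before = audit_pin_file(path, expected_uid=os.geteuid())
        os.chmod(path, 0o644)
        after = audit_pin_file(path, expected_uid=os.geteuid())
    return before, after
```

On a real installation, pass audit_pin_file the path under serverRoot/alias and the UID of the account the Directory Server runs as (nobody in this chapter's example); any finding means the cleartext PIN is exposed to more than the server process.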
Cloning a Directory Server
Once you have set up
and configured your
Directory Server, Netscape Console offers a simple way of duplicating
your configuration on another instance of the Directory Server. This is
a two-phase procedure:
- First, you must
create a new instance
of the Directory Server.
- Second, you must
clone the
configuration of your first Directory Server instance and apply it to
the new one.
Note: The configuration information that is duplicated during these operations does not include the o=NetscapeRoot suffix of the configuration directory.
Creating a New Directory Server Instance
- In the Netscape Console
window, select Server Group in the navigation tree, and then right
click.
- From the pop-up
menu, select Create
Instance of > Directory Server.
The Create New Instance dialog box is
displayed.
- Enter a unique
identifier for the
server in the Server Identifier field.
This name must not include the period
(.)
symbol.
- Enter a port number for LDAP communications in the Network port field.
- Enter the suffix
managed by this new
instance of the directory in the base suffix field.
- Enter a DN for the
Directory Manager in
the Root DN field.
For information on the role and
privileges
of the Directory Manager entry, refer to Configuring the Directory Manager.
- Enter the password
for this user in the
Password for Root DN field, and confirm it by entering it again in the
Confirm Password field.
- If running the
server on a UNIX host,
enter the user ID for the Directory Server daemon in the Server Runtime
User ID field.
- Click OK. A status box appears to confirm that the operation was successful. To dismiss it, click OK.
Cloning the Directory Configuration
- In the Netscape Console
window, expand the Server Group folder, and right-click on the
Directory Server that you want to clone.
- From the pop-up
menu, select Clone
Server Config.
A new window is displayed with the list
of
target servers for cloning.
- In this window,
select the server to
which you want the configuration to apply, and click the Clone To
button.
A message is displayed to give you the
status of the operation.
Starting the Server in Referral Mode
Referrals are used to
redirect client
applications to another server while the current server is unavailable
or when the client requests information that is not held on the current
server.
For example, you can start Directory Server in referral mode if you are making configuration changes to the Directory Server and you want all clients to be referred to another supplier for the duration. To do this, you must start the server with the refer command.
If the server is already running, you can
put it in referral mode by using the Directory Server Console. This
procedure is explained in Setting
Default Referrals.
Using the refer Command
On a UNIX machine, follow these steps to
start the Directory Server in referral mode:
- Go to the /bin/slapd/server
directory under your installation directory:
cd serverRoot/slapd-serverID/bin/slapd/server
- Run the refer command as follows:
./ns-slapd refer -D instance_dir [-p port] -r referral_url
instance_dir is the directory instance for which queries will be referred, port is the optional port number of the Directory Server you want to start in referral mode, and referral_url is the referral returned to clients. For information on the format of an LDAP URL, refer to Appendix C, "LDAP URLs."
On a Windows machine, to start the
Directory Server in referral mode follow these steps:
- Go to the following directory under
your installation directory:
serverRoot\slapd-serverID\bin\slapd\server
- Run the refer command as follows:
slapd.exe refer -D instance_dir [-p port] -r referral_url
instance_dir is the directory instance for which queries will be referred, port is the optional port number of the Directory Server you want to start in referral mode, and referral_url is the referral returned to clients. For information on the format of an LDAP URL, refer to Appendix C, "LDAP URLs."