LDAP Documentation

Presented by – Kuldeep Pandey


© 2009 IBM Corporation
Contents

 Introduction
 Protocol
 Architecture
 Operations
 Schemas

Introduction
 Today people and businesses rely on networked computer systems to support
distributed applications.
 Applications might interact with computers on the same local area network, within
a corporate intranet, within extranets linking up partners and suppliers, or
anywhere on the worldwide Internet.
 To improve functionality and ease-of-use, and to enable cost-effective
administration of distributed applications:
– information about the services, resources, users, and other objects accessible
from the applications needs to be organized in a clear and consistent manner.
– Much of this information can be shared among many applications.
– But it must also be protected
 Such information is often collected into a special database that is sometimes
called a directory.
 The Lightweight Directory Access Protocol (LDAP) is an open industry standard
that has evolved to meet these needs.
 LDAP defines a standard method for accessing and updating information in a
directory.
 LDAP has gained wide acceptance as the directory access method of the Internet
and is therefore also becoming strategic within corporate intranets.

Directories

 A directory is a listing of information about objects arranged in some order that gives details
about each object.
 Common examples are a city telephone directory and a library card catalog.
 In computer terms, a directory is a specialized database, also called a data repository, that
stores typed and ordered information about objects.
 A particular directory might list information about printers (the objects) consisting of typed
information such as location (a formatted character string), speed in pages per minute
(numeric), print streams supported (for example PostScript or ASCII), and so on.

Directory vs Database

 A directory is often described as a database.

 But it has special characteristics that differ from those of general databases:
– Directories are accessed much more than they are updated, so they are optimized for read access.
– They are not suited for information that changes rapidly (e.g. the number of jobs in a printer queue).
– Many directory services don't support transactions.
– Directories normally limit the type of information that can be stored.
– Databases use powerful query languages like SQL, but directories normally use very simple access methods.
– Hence directories can be optimized to economically provide more applications with rapid access.

Strengths/Limitations

 LDAP is well suited for


– Information that is referenced by many entities and applications
– Information that needs to be accessed from more than one location
• Roaming, e.g. by “Road Warriors”
• Preference information for web “portals”
– Information that is read more often than it is written
 LDAP is not well suited for
– Information that changes often (it is not a relational database)
– Information that is unstructured (it is not a file system)

LDAP protocol

 A message protocol used by directory clients and servers.
 It defines several messages, such as bindRequest and searchRequest.
 LDAP APIs exist for C and Java programs.
 On Microsoft platforms it can be accessed via ADSI.
 All modern LDAP servers are based on LDAP version 3.
 Clients and servers may or may not be on the same machine.

Type of directories

 Local: nearby information, for example names, email addresses and so on for a department or a workgroup.
 Global: information spread across the whole universe of interest, for example information about persons in an entire company.
 Centralized: there is one directory server at one location. Local or remote clients can access it.
 Distributed: information may be partitioned or replicated.

Directories advantages

Directory structure

LDAP architecture overview

 A typical entry serialized in LDIF:


dn: cn=John Doe,dc=example,dc=com
cn: John Doe
givenName: John
sn: Doe
telephoneNumber: +1 555 6789
telephoneNumber: +1 555 1234
mail: john@example.com
manager: cn=Barbara Doe,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top

Distinguished Names
 Each object in the LDAP directory has a DN
– uid=jheiss,ou=people,dc=example,dc=com
– cn=users,ou=group,dc=example,dc=com
 Notice that the DNS domain name is example.com, specified by the dc (Domain Component) entries.
 ou is an organizational unit.
 Each subdomain could form its own branch of the tree (engr.example.com, sales.example.com, pre.engr.example.com, support.engr.example.com, etc.).

Sample DIT
Sample New York Directory Information Tree

o=NY,c=US
|
+-- ou=DOH
+-- ou=OFT
|   +-- ou=Groups
|   |   +-- cn=OFT Administrators
|   |   +-- cn=Ethics App Users
|   |   +-- cn=Ethics App Administrators
|   +-- ou=People
|   |   +-- uid=bdigman
|   |   +-- uid=jnortrup
|   |   +-- uid=dstrazzeri
|   +-- ou=Resources
|   |   +-- cn=1B Floor Postscript Printer
|   |   +-- cn=Conference Room 1B-A
|   +-- ou=Applications
|       +-- cn=OFT Portal
|       +-- cn=Ethics Application
+-- ou=TAX

• Branched by agency
• Agencies in this example have branches containing:
  • Groups, which contain people
  • People in the organization
  • Resources such as printers and conference rooms
  • Applications (where application-specific information could be maintained)
Sample User Object

dn: uid=jnortrup,ou=People,ou=NYSOFT,o=NY,c=US
uid: jnortrup
cn: Jim Nortrup
cn: James Nortrup
givenname: Jim
givenname: James
sn: Nortrup
mail: jnort@oft.state.ny.us
ou: NYSOFT
telephonenumber: 518-402-2018
facsimiletelephonenumber: 518-457-2019
streetaddress: NYSOFT $Executive Chamber, State Capitol
usercertificate: X.509 Certificate

• Objects contain attributes, e.g.,
  • uid (user ID)
  • cn (common name)
  • sn (surname)
  • mail (e-mail address)
• Attributes can be multi-valued, e.g., givenname of both James and Jim
• This object contains
  • white-pages information
  • X.509 certificate for PKI

ObjectClass

 A commonly used attribute is "objectClass".

 Each record represents an object, and the attributes associated with that object
are defined according to its objectClass
– that is, the value of the objectClass attribute.

Object Type examples

 Examples of objectClass:
– organization (needs a name and address)
– person (needs name, email, phone & address)
– course (needs a CRN, instructor, mascot)
– cookie (needs name, cost & taste index)

Defining ObjectClass types

 You can define what attributes are required for objects with a specific value for the
objectclass attribute.
 You can also define what attributes are allowed.
 New records must adhere to these settings!

Multiple Values

 Each attribute can have multiple values. For example, we could have the following record:

DN: cn=Dave Hollinger, O=RPI, C=US
CN: Dave Hollinger
CN: David Hollinger
Email: hollingd@cs.rpi.edu
Email: hollid2@rpi.edu
Email: satan@hackers.org

Schemas
 The contents of the entries in a subtree are governed by a schema.
 The schema defines the attribute types that directory entries can contain.
 An attribute definition includes a syntax; most non-binary values in LDAPv3 use UTF-8 string syntax.
– For example, a "mail" attribute might contain the value "user@example.com".
– A "jpegPhoto" attribute would contain photograph(s) in binary JPEG/JFIF format.
– A "member" attribute contains the DNs of other directory entries.
 Attribute definitions also state whether the attribute is single-valued or multi-valued, and how the attribute is matched when it is searched and compared.
 The schema defines object classes. Each entry must have an objectClass attribute containing named classes defined in the schema.
– e.g. a person, organization or domain.
 Server administrators can define their own schemas in addition to the standard ones.
Schema Examples

attributetype ( 0.9.2342.19200300.100.1.1
NAME ( 'uid' 'userid' )
DESC 'RFC1274: user identifier'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top
DESC 'Abstraction of an account with POSIX attributes'
MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
MAY ( userPassword $ loginShell $ gecos $ description ) )
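The following Python script is an added example (not part of the original slides) that ties the schema, objectClass and multi-value slides together: it parses LDIF entries like the ones shown above, keeping every value of a multi-valued attribute, and checks each entry's attributes against MUST/MAY rules of the kind the posixAccount definition expresses. The posixAccount rules transcribe the definition above; the abbreviated 'top' and 'person' rules and the two sample entries are constructed for this example.

```python
from collections import defaultdict

# objectClass -> (MUST attributes, MAY attributes), lower-cased for comparison.
# posixAccount transcribes the schema shown on the slide; 'top' and 'person'
# are abbreviated assumptions for this example, not the full standard definitions.
SCHEMA = {
    "top": (set(), set()),
    "person": ({"sn", "cn"}, {"userpassword", "telephonenumber", "description"}),
    "posixaccount": (
        {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
        {"userpassword", "loginshell", "gecos", "description"},
    ),
}

# Constructed sample LDIF: a complete account, then one that violates the schema.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: posixAccount
cn: John Doe
sn: Doe
uid: jdoe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
loginShell: /bin/bash
telephoneNumber: +1 555 6789
telephoneNumber: +1 555 1234

dn: uid=broken,ou=People,dc=example,dc=com
objectClass: top
objectClass: posixAccount
cn: Broken Account
uid: broken
shoeSize: 42
"""


def parse_ldif(text):
    """Return a list of (dn, attrs); attrs maps lower-cased attribute names to
    value lists. Entries are separated by blank lines and a line starting with a
    space continues the previous one (RFC 2849). Base64 (::) values are not decoded."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, attrs, dn = [], defaultdict(list), None
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, dict(attrs)))
            attrs, dn = defaultdict(list), None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs[name].append(value)
    return entries


def check_entry(dn, attrs, schema=SCHEMA):
    """Return the schema violations for one entry (empty list if it conforms)."""
    problems = []
    classes = [c.lower() for c in attrs.get("objectclass", [])]
    if not classes:
        return [f"{dn}: no objectClass attribute"]
    must, may = set(), set()
    for cls in classes:
        if cls not in schema:
            problems.append(f"{dn}: unknown objectClass '{cls}'")
            continue
        must |= schema[cls][0]
        may |= schema[cls][1]
    present = set(attrs)
    for attr in sorted(must - present):
        problems.append(f"{dn}: missing MUST attribute '{attr}'")
    for attr in sorted(present - must - may - {"objectclass"}):
        problems.append(f"{dn}: attribute '{attr}' not allowed by any objectClass")
    return problems


def validate_ldif(text):
    """Parse LDIF text and return {dn: [problems]} for every entry in it."""
    return {dn: check_entry(dn, attrs) for dn, attrs in parse_ldif(text)}


if __name__ == "__main__":
    for dn, problems in validate_ldif(SAMPLE_LDIF).items():
        print(dn, "-> OK" if not problems else "\n  ".join(["->"] + problems))
```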

© 2009 IBM Corporation


The DSEE Installation:
 1.Download the Directory Server Enterprise Edition zip distribution binaries.
 
2.Unzip the zip distribution file.

# cd /opt/sw
# unzip -q ODSEE11_1_1_7_0_xxx.zip
# cd ODSEE_ZIP_Distribution
# unzip -q sun-dsee7.zip -d /opt/ODSee
# cd /opt/ODSee/dsee7

3.Set Up the Administration (DSCC) Host:


The Directory Service Control Center (DSCC) is a web-based interface to manage Directory
Server and Directory Proxy Server instances. Set up the DSCC on the computer system that
you choose as the administration host.

a.Initialize the DSCC registry.

/opt/ODSee/bin/dsccsetup ads-create
Choose password for Directory Service Manager:directory-service-pwd
Confirm password for Directory Service Manager:directory-service-pwd

Creating DSCC registry...
DSCC Registry has been created successfully

b.Create the WAR file for DSCC
/opt/ODSee/dsee7/bin/dsccsetup war-file-create startconsole
Note: the WAR file will be created with the name startconsole.war

4.To create server instances on the same host on which DSCC is deployed, add the DSCC
agent to the DSCC registry.
a.Create a DSCC agent.
/opt/ODSee/dsee7/bin/dsccagent create
Enter DSCC agent password: ***
Confirm the password: ***
b.Add the new DSCC agent to the DSCC registry.
/opt/ODSee/dsee7/bin/dsccreg add-agent install-path/var/dcc/agent
c.Start the DSCC agent.
/opt/ODSee/dsee7/bin/dsccagent start

5.Deploy startconsole.war with glassfish application server:
a.Create an application server instance. Run the following commands:
$ mkdir /opt/glassfish
$ cd /opt/glassfish/bin
$ asadmin --user admin create-domain --domaindir /opt/glassfish --adminport 3737 dscc7
b.Deploy the startconsole.war file in your application server instance.
$ asadmin --user admin start-domain --domaindir glassfish-domain-path dscc7
$ cp /opt/ODSee/dsee7/var/startconsole.war /opt/glassfish/startconsole/autodeploy
For more information about creating and configuring application server instances and
deploying the WAR file, refer to the GlassFish Online Help.
In the GlassFish JVM options settings, verify the following property is set to true:
-Djava.awt.headless=true
Open DSCC using http://hostname:8080/dscc7 or https://hostname:8181/dscc7, depending on the
configuration of your application server.
The Directory Service Manager Login page is displayed.

Creating Server Instances Using Directory Service Control Center:

1.Access DSCC by using http://dscc-host:port/startconsole

2.Log in to DSCC as Directory Service Manager, using the credentials created when the registry
was initialized.

3.Under the Directory Servers tab, click New Server

4.Follow the instructions in the Directory Service Control Center New Directory Server wizard
to create the server instance.

While creating the new server instances, you need to provide the following information.
* Host: server-host # Host where DSCC agent has been configured
* LDAP Port: 389
* LDAPS Port: 636
* Instance Path: /ldap/UMC/iDS
* Directory Manager DN: cn=umcadmin,o=umc
* Directory Manager Password: xxxxxxxx
* Confirm Password: xxxxxxxx
* DSCC Agent Port: dscc-agent-port

The Directory Service Control Center(DSCC)

Directory Service Control Center (DSCC) is a user interface that enables you to manage
Directory Servers by using a browser.
Please find more information on Directory Service Control Center (DSCC) at the link below:
Directory Service Control Center Interface - Oracle Directory Server Enterprise Edition Administration Guide

The DS and DSCC Commands:

 The commands used in ODSEE for administration are:

dsadm
dsconf

1.dsadm:
While using the dsadm command, you may be required to stop the server, depending on the
subcommands that are used with dsadm.
Please find more details on the dsadm command at the link below:
dsadm - 11g Release 1 (11.1.1.7.0) (oracle.com)

2.dsconf:
The dsconf command manages Directory Server configuration. It enables you to modify the
configuration entries.
Please find more details on the dsconf command at the link below:
dsconf(1M) (Oracle Fusion Middleware Man Page Reference for Oracle Directory Server Enterprise Edition)

DSCC commands:
1.dsccsetup:
The dsccsetup command helps in setting up DSCC. When used with appropriate subcommands, the
dsccsetup command performs operations such as creating the DSCC registry, initializing DSCC
after installation, and registering local agents of the administration framework.
Please find more details related to dsccsetup at the link below:
Synopsis - Oracle Directory Server Enterprise Edition Man Page Reference

2.dsccreg:
The dsccreg command registers Directory Server instances with DSCC.
Please find more details on dsccreg at the link below:
Synopsis - Oracle Directory Server Enterprise Edition Man Page Reference

Searching and Modifying Directory Content

The ldapsearch Utility to Search a Directory

You can use the ldapsearch command-line utility to locate and retrieve directory entries.
 This utility opens a connection to the server with a specified user identity (usually a
distinguished name) and password, and locates entries based on a search filter. Search scopes
can include a single entry, an entry's immediate subentries, or an entire tree or subtree.
 Search results are returned in LDIF format.

 ldapsearch [optional_options] [search_filter] [optional_list_of_attributes]
where

 optional_options represents a series of command-line options. These must be specified
before the search filter, if any.

 search_filter represents an LDAP search filter, given either directly on the command line or
in a file specified with the -f option.

 optional_list_of_attributes represents a list of attributes separated by spaces.

Please find more details on the ldapsearch utility at the links below:

Searching the Directory - Oracle Directory Server Enterprise Edition Reference
Synopsis - Oracle Directory Server Enterprise Edition Man Page Reference

ldapsearch examples:

Returning All Entries

Given the previous information, the following call will return all entries in the directory:

ldapsearch -h myServer -p 5201 -D cn=admin,cn=Administrators,cn=config \
-b "dc=example,dc=com" -s sub "(objectclass=*)"

Here -D is the bind DN and -b is the search base.

Specifying Search Filters on the Command Line

You can specify a search filter directly on the command line. If you do this, be sure to enclose
your filter in quotation marks ("filter"). Also, do not specify the -f option.

For example:

ldapsearch -h myServer -p 5201 -D cn=admin,cn=Administrators,cn=config -w - \
-b "dc=example,dc=com" "(cn=Charlene Daniels)"
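As an added example (not from the original slides), the Python below builds filters like the ones on these slides with the assertion value escaped per RFC 4515, so that a value containing "*", "(", ")" or "\" is matched literally instead of changing the filter's structure, and assembles the ldapsearch argument list from the slide without passing it through a shell. The ldapsearch_argv helper and the sample values are constructed for this example.

```python
# Escapes required by RFC 4515 section 3 for characters inside an assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value):
    """Escape one assertion value so it is matched literally inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def equality_filter(attribute, value):
    """Return '(attribute=value)' with the value escaped, e.g. (cn=Charlene Daniels)."""
    return f"({attribute}={escape_filter_value(value)})"


def presence_filter(attribute):
    """Return '(attribute=*)'; the slide's (objectclass=*) matches every entry."""
    return f"({attribute}=*)"


def and_filter(*filters):
    """Combine already-built filters with the LDAP AND operator."""
    return "(&" + "".join(filters) + ")"


def naive_filter(attribute, value):
    """The unsafe concatenation that escaping replaces: metacharacters in the
    value become filter syntax instead of text to match."""
    return f"({attribute}={value})"


def ldapsearch_argv(host, port, bind_dn, base, filter_text, attributes=()):
    """Argument list for the ldapsearch invocation shown on the slides
    (-h, -p, -D, -w -, -b, -s sub). Handing a list to subprocess.run keeps the
    filter one argument, which is what the slide's quotation marks achieve in a
    shell, with no shell parsing involved. (Constructed helper, not an ODSEE API.)"""
    return ["ldapsearch", "-h", host, "-p", str(port), "-D", bind_dn, "-w", "-",
            "-b", base, "-s", "sub", filter_text, *attributes]


if __name__ == "__main__":
    # Constructed input: a value typed into a "find person" form.
    typed = "Smith (Sales)*"
    print(naive_filter("cn", typed))      # (cn=Smith (Sales)*)  wildcard and stray paren
    print(equality_filter("cn", typed))   # (cn=Smith \28Sales\29\2a)  literal match
    print(and_filter(equality_filter("objectclass", "person"),
                     equality_filter("cn", "Charlene Daniels")))
    print(" ".join(ldapsearch_argv("myServer", 5201, "cn=admin,cn=Administrators,cn=config",
                                   "dc=example,dc=com", presence_filter("objectclass"),
                                   ("cn", "mail"))))
```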

© 2009 IBM Corporation


The ldapmodify utility

You can add, delete, and modify entries using the ldapmodify utility:

ldapmodify [options] [filter] [attributes]

Please find more details on ldapmodify at the links below:

ldapmodify(1) (Oracle Fusion Middleware Man Page Reference for Oracle Directory Server Enterprise Edition)
Managing Entries - Oracle Directory Server Enterprise Edition Administration Guide

ldapmodify examples:

Adding an entry:
Create an LDIF file containing the following entry (in LDIF a blank line ends an entry, so keep
its attribute lines together):
dn: uid=Marcia Garza,ou=People,dc=example,dc=com
cn: Marcia Garza
sn: Garza
givenName: Marcia
objectClass: person
objectClass: inetOrgPerson
objectClass: top
objectClass: organizationalPerson
ou: Accounting
ou: People

Then run the following command to add the entry to the directory:

$ ldapmodify -h hostname -p 1389 -D "cn=Directory Manager" -w password \
-a -f /usr/local/add_entry.ldif

ldapmodify examples:

Modifying the value of an attribute:

Create an LDIF file containing the following change record:
dn: uid=Marcia Garza,ou=People,dc=example,dc=com
changetype: modify
replace: telephonenumber
telephonenumber: +1 408 555 6456

Then run the following command to apply the change:

$ ldapmodify -h hostname -p 1389 -D "cn=Directory Manager" -w password \
-f /usr/local/modify_attribute.ldif

Ldapmodify examples:

Deleting an attribute from the command line:

The following command specifies the host name (-h), port (-p), bind DN (-D), and bind password
(-w), and deletes the facsimiletelephonenumber attribute for an entry. Because the command is
run from the command line, enter the dn, changetype, and modification operation, and then press
Control-D (UNIX, Linux) or Control-Z (Windows) to process it:

$ ldapmodify -h hostname -p 1389 -D "cn=Directory Manager" -w password
dn: uid=Marcia Garza,ou=People,dc=example,dc=com
changetype: modify
delete: facsimiletelephonenumber

Using Directory Server Log Files

LDAP Logs:

There are three types of logs available in an LDAP environment:

1.Access
2.Error
3.Audit

Access log:

 Access logs contain information about connections between an LDAP client and a directory
server. A connection is a sequence of requests from the same client, and can contain the
following components:
• Connection index and the IP address of the client
• Bind record
• Bind result record
• Sequence of operation request/result pairs, or individual records in the case of connection,
closed, and abandon records
• Unbind record
• Closed record
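The following Python is an added example, not from the original slides, showing how the access-log components listed above can be correlated for monitoring: it joins each BIND record with the RESULT of the same conn/op, takes the client IP from the connection record, and reports clients with repeated invalidCredentials (err=49) results. The log lines are constructed in the general shape of a Directory Server access log and are not real server output, so the field layout of a live log may differ.

```python
import re
from collections import Counter

# Constructed sample in the general shape of a Directory Server access log:
# connection record (with client IP), BIND/RESULT pairs, a search, UNBIND, close.
SAMPLE_ACCESS_LOG = """\
[28/Jul/2009:10:15:01 +0200] conn=12 op=-1 msgId=-1 - LDAP connection from 192.0.2.10:49152 to 192.0.2.1
[28/Jul/2009:10:15:01 +0200] conn=12 op=0 msgId=1 - BIND dn="uid=jdoe,ou=People,dc=example,dc=com" method=128 version=3
[28/Jul/2009:10:15:01 +0200] conn=12 op=0 msgId=1 - RESULT err=49 tag=97 nentries=0 etime=0
[28/Jul/2009:10:15:02 +0200] conn=12 op=1 msgId=2 - BIND dn="uid=jdoe,ou=People,dc=example,dc=com" method=128 version=3
[28/Jul/2009:10:15:02 +0200] conn=12 op=1 msgId=2 - RESULT err=49 tag=97 nentries=0 etime=0
[28/Jul/2009:10:15:03 +0200] conn=12 op=2 msgId=3 - UNBIND
[28/Jul/2009:10:15:03 +0200] conn=12 op=2 msgId=-1 - closing - U1
[28/Jul/2009:10:15:04 +0200] conn=13 op=-1 msgId=-1 - LDAP connection from 192.0.2.20:50000 to 192.0.2.1
[28/Jul/2009:10:15:04 +0200] conn=13 op=0 msgId=1 - BIND dn="uid=asmith,ou=People,dc=example,dc=com" method=128 version=3
[28/Jul/2009:10:15:04 +0200] conn=13 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0
[28/Jul/2009:10:15:05 +0200] conn=13 op=1 msgId=2 - SRCH base="dc=example,dc=com" scope=2 filter="(cn=Charlene Daniels)" attrs=ALL
[28/Jul/2009:10:15:05 +0200] conn=13 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
[28/Jul/2009:10:15:06 +0200] conn=13 op=2 msgId=3 - UNBIND
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) msgId=-?\d+ - (?P<rest>.*)$")
CONN_RE = re.compile(r"LDAP connection from (?P<ip>[\d.]+):\d+")
BIND_RE = re.compile(r'BIND dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r"RESULT err=(?P<err>\d+)")

INVALID_CREDENTIALS = 49  # LDAP resultCode invalidCredentials (RFC 4511)


def parse_access_log(text):
    """Yield one record per completed BIND: the BIND line joined with the RESULT
    of the same conn/op, plus the client IP from that connection's first record."""
    conn_ip = {}   # conn -> client IP
    pending = {}   # (conn, op) -> BIND awaiting its RESULT
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a record shape this parser understands
        conn, op, rest = m["conn"], m["op"], m["rest"]
        c = CONN_RE.search(rest)
        if c:
            conn_ip[conn] = c["ip"]
            continue
        b = BIND_RE.search(rest)
        if b:
            pending[(conn, op)] = {"ts": m["ts"], "conn": conn,
                                   "ip": conn_ip.get(conn, "?"), "dn": b["dn"]}
            continue
        r = RESULT_RE.search(rest)
        if r and (conn, op) in pending:   # RESULT of a non-BIND op is ignored
            rec = pending.pop((conn, op))
            rec["err"] = int(r["err"])
            yield rec


def failed_binds_by_ip(text, threshold=2):
    """{client IP: count} for IPs with at least `threshold` invalidCredentials results."""
    counts = Counter(rec["ip"] for rec in parse_access_log(text)
                     if rec["err"] == INVALID_CREDENTIALS)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def failed_binds_by_dn(text):
    """{bind DN: count} of invalidCredentials results, to see which accounts are affected."""
    return dict(Counter(rec["dn"] for rec in parse_access_log(text)
                        if rec["err"] == INVALID_CREDENTIALS))


if __name__ == "__main__":
    for rec in parse_access_log(SAMPLE_ACCESS_LOG):
        print(rec)
    print("repeated failures by IP:", failed_binds_by_ip(SAMPLE_ACCESS_LOG))
    print("failures by DN:", failed_binds_by_dn(SAMPLE_ACCESS_LOG))
```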

Error logs

Error logs contain a unique identifier of the error, warning or information message, and a
human-readable message. Errors are classified by the following severity levels.

Error:
The error is severe. Immediate action should be taken to avoid the loss or corruption of
directory data.
Warning:
The error is important. Action should be taken at some stage to prevent a severe error from
occurring in the future.
Info:
An informative message, usually describing server activity; no action is necessary.

Audit logs:
Audit logs contain records of all modifications to configuration or suffix entries. The records
are in LDIF format.

LDAP logs references:

Access, Error, and Audit Logs - Oracle Directory Server Enterprise Edition Reference

Configuring logging options:

 Many aspects of the log files can be modified. Some examples include the following:
• Enabling the audit log
  – Unlike the access log and the errors log, the audit log is not enabled by default. For
information, see To Enable the Audit Log.
• General settings
  – Enabling or disabling logging
  – Enabling or disabling log buffering
  – Log file location
  – Verbose logging
To modify the log configuration, use the following command:
dsconf set-log-prop -h host -p port log-type property:value
For example, to set the rotation interval for the error log to two days, use this command:
$ dsconf set-log-prop -h host1 -p 1389 error rotation-interval:2d

Replicating Directory Server Data

Replication Concepts

Replication is the mechanism by which directory contents are automatically copied from a
Directory Server to one or more other Directory Servers.

Basic Replication Topologies:
A database that participates in replication is defined as a replica.

Directory Server distinguishes between three kinds of replicas:

Master or read-write replica. A read-write database that contains a master copy of the
directory data. A master replica can process update requests from directory clients. A topology
that contains more than one master is called a multi-master topology.

Consumer replica. A read-only database that contains a copy of the information in the master
replica. A consumer replica can process search requests from directory clients but refers
update requests to master replicas.

Hub replica. A read-only database (like a consumer replica) that is stored on a Directory
Server that supplies one or more consumer replicas.

Consumer and Supplier Servers:

A Directory Server that replicates to other servers is called a supplier. A Directory Server that
is updated by other servers is called a consumer. The supplier replays all updates on the
consumer through specially designed LDAP v3 extended operations. In terms of performance,
a supplier is therefore likely to be a demanding client application for the consumer.

Monitoring Replication Status:

 Replication status is monitored with the DSCC console tool. A healthy agreement should show 0
missing changes on the destination.

The following command also shows the replication status:

# ./dsconf show-repl-agmt-status -e -h ds1 -p 389 -D cn=umcadmin,o=umc -w /.dirpass

o=UMC ds2:389
Configuration Status : Ok
Authentication Status : Ok
Initialization Status : Ok

Enforcing Password Policies

Password Policy:
A password policy is a set of rules that govern how passwords are administered in a system.
Directory Server supports multiple password policies. The password policy can be configured
to suit the security requirements of your deployment.
Types of Password Policy:
Default password policy:
The default password policy is defined in the configuration entry
cn=PasswordPolicy,cn=config. The default password policy applies to all accounts in the
directory except for the directory manager.
Specialized password policy:
A password policy can be configured for an individual user or for a set of users by using the
CoS and roles features. However, specialized password policies cannot be applied to static
groups.

Please find more details on password policy at the link below:
Directory Server Password Policy - 11g Release 1 (11.1.1.7.0) (oracle.com)

Directory Server Security (Certificates)

The Benefits of Using TLS/SSL

Using SSL with simple authentication (bind DN and password) encrypts all data sent to and
from the server. Encryption guarantees confidentiality and data integrity.

Steps to Create and Install Self-signed and Certificate Authority-
issued Certificates

To view the default self-signed certificate, use this command:

$ dsadm show-cert instance-path defaultCert

To create a self-signed certificate with non-default settings, use this command:

$ dsadm add-selfsign-cert instance-path cert-alias

When your self-signed certificate expires, stop the server instance and renew the certificate.

$ dsadm stop instance-path
$ dsadm renew-selfsign-cert instance-path cert-alias

Restart the server instance.

$ dsadm start instance-path

To Request a CA-Signed Server Certificate:

1.Generate a CA-signed server certificate request.

$ dsadm request-cert [-i] [-W cert-pwd-file] {-S DN | --name name [--org org] \
[--org-unit org-unit] [--city city] [--state state] [--country country]} \
[--phone PHONE] [--email EMAIL] [--dns DOMAIN] [--keysize KEYSIZE] \
[--sigalg SIGALG] [-F format] [-o output-file] instance-path

For example, to request a CA-signed server certificate for the Example company, use this
command:

$ dsadm request-cert --name host1 --org Example --org-unit Marketing \
-o my_cert_request_file /local/dsInst
2.Transmit the certificate request to your Certificate Authority, according to its procedures.
3.Save the certificate that you receive from the Certificate Authority.

To Add the CA-Signed Server Certificate and the Trusted CA Certificate:
1.Add the CA-signed server certificate.
$ dsadm add-cert instance-path cert-alias cert-file
For example, to install a CA-signed server certificate, you might use a command similar to
this:
$ dsadm add-cert /local/dsInst server-cert /local/safeplace/serv-cert-file

2.Add the trusted Certificate Authority certificate.
$ dsadm add-cert --ca instance-path cert-alias cert-file
For example, to install a trusted certificate from a Certificate Authority, you might use this
command:
$ dsadm add-cert --ca /local/dsInst CA-cert /local/safeplace/ca-cert-file

LDAP START/STOP AND BACKUP and RESTORE

 LDAP Service start

dsadm start <instance path>
/opt/ODSee/dsee7/bin/dsadm start /ldap/UMC/iDS

 LDAP Service stop

dsadm stop <instance path>
/opt/ODSee/dsee7/bin/dsadm stop /ldap/UMC/iDS

LDAP backup
Offline backup:
dsadm export instance-path suffix-DN LDIF-file
/opt/ODSee/dsee7/bin/dsadm export /ldap/UMC/iDS o=UMC <Path to ldif backup>
Online backup:
dsconf export -h host -p port suffix-DN LDIF-file
dsconf export -h <hostname> -p 389 o=UMC <Path to ldif backup>

LDAP restore
Offline restore:
dsadm import instance-path LDIF-file suffix-DN
/opt/ODSee/dsee7/bin/dsadm import /ldap/UMC/iDS <Path to ldif backup> o=UMC
Online restore:
dsconf import -h host -p port LDIF-file suffix-DN
dsconf import -h <hostname> -p 389 <Path to ldif backup> o=UMC

Tuning Directory Server Performance

Tuning the Operating System for Optimal Directory Server
Performance

We can tune the underlying operating system according to recommendations made by the
idsktune command.

Please find more info on the idsktune command at the link below:

https://docs.oracle.com/cd/E29127_01/doc.111170/e28967/idsktune-1m.htm#ODSMP00033

Tuning Read Performance by Managing Indexes and Configuring
the nsslapd-allidsthreshold Setting

As Directory Server handles more and more entries, searches potentially consume more and
more time and system resources. Indexes are one tool to improve search performance.
You can modify the following properties for each index:
1.eq-enabled equality
2.pres-enabled presence
3.sub-enabled substring

eq-enabled equality:
The equality index includes all entries in the database that have a specified value for a given
attribute. This index requires a value to be specified in the search filter.

pres-enabled presence:
The presence index includes all entries in the database that have a value for a specified
attribute, irrespective of that value.

sub-enabled substring:
Substring indexes are used for searches on three-character groups, for example, sn=*abc*.
The three-character groups are stored in the index.

We can use DSCC to perform indexing.

Please find more details on managing indexes at the link below:

Managing Indexes - Oracle Directory Server Enterprise Edition Administration Guide

Allidsthreshold
This attribute defines a threshold to limit the length of an index list. The threshold is called the
index list threshold. If the number of entries in the list for a particular key exceeds the index list
threshold, an unindexed search is performed.

The value of the nsslapd-allidsthreshold attribute can be configured globally for a Directory
Server instance, or can be configured for a suffix, or can be configured for an index type. If the
value of the nsslapd-allidsthreshold attribute is configured globally for a suffix, it can then be
changed for a specific index.

You must rebuild all indexes after you change the nsslapd-allidsthreshold attribute.

Please find more info on allidsthreshold at the links below:

ODSEE - What Value Should be Configured for the ALLIDS Threshold ? (Doc ID 1369615.1)
ODSEE - What Value Should be Configured for the ALLIDS Threshold ? (oracle.com)

Tuning Read Performance by Configuring Cache Sizes and
Configuring Search Limit Settings

Here you find the basic recommendations for maximizing search rates or maximizing
modification rates achieved by Directory Server. Set cache sizes according to the following
recommendations:

For Maximum Search Rate (Searches Only):


If the directory data do not fit into available physical memory, or only just fit with no extra room
to spare, set cache sizes to their default values, 32M for db-cache-size, 10M for entry-cache-
size, and allow the server to use as much of the operating system's file system cache as
possible. Run tests to correctly dimension the sizes based on your throughput.

If the directory data fit into available physical memory with physical memory to spare, allocate
memory to the entry cache until either the entry cache is full or, on a 32–bit system, the entry
cache reaches maximum size. Then allocate memory to the database cache until it is full or
reaches maximum size.

For Maximum Modification Rate (Modifications Only)
If the directory data do not fit into available physical memory, or only just fit with no extra room
to spare, set the entry cache sizes to the default value, 10M for entry-cache-size and allow the
server to use as much of the operating system's file system cache as possible. Keeping some
database cache available ensures that modifications remain cached between each database
checkpoint.

If the directory data fit into available physical memory with physical memory to spare, allocate
memory to the entry cache until either the entry cache is full or, on a 32–bit system, the entry
cache reaches maximum size. Then allocate memory to the database cache until it is full or
reaches maximum size.

Directory Server Security Methods

o Directory Server Security Methods, see document
  https://docs.oracle.com/cd/E29127_01/doc.111170/e28969/ds-security.htm

o Authentication
  https://docs.oracle.com/cd/E29127_01/doc.111170/e28969/ds-security.htm#gdzcu

o Attribute Encryption
  https://docs.oracle.com/cd/E29127_01/doc.111170/e28969/ds-security.htm#gbghy

o Access Control
  https://docs.oracle.com/cd/E29127_01/doc.111170/e28969/ds-security.htm#gdzct

o Default Access Control Instructions (ACIs) Provided with Directory Server
  https://docs.oracle.com/cd/E29127_01/doc.111170/e28969/ds-security.htm#gdzct

o Special User Access Control
  https://docs.oracle.com/cd/E29127_01/doc.111170/e28969/ds-security.htm#gdzct

o Access Permissions on Directory Entries
  https://docs.oracle.com/cd/E29127_01/doc.111170/e28969/ds-security.htm#gdzct

o Enforcing Password Policies
  https://docs.oracle.com/cd/E29127_01/doc.111170/e28972/ds-password-policy.htm
