In this example, we will demonstrate how to manage iDS by using the console. Once the iDS server has been installed, you should be able to start the console by using the command:
# directoryserver startconsole
The appropriate admin port number and hostname will be displayed on the login window, as shown in Figure 31-2. In this case, 14462 is the admin port for the LDAP server that was specified during install. The administration user ID and corresponding password must be entered in order to bring up the main administration window.
The main iDS console is then displayed, as shown in Figure 31-3. There are two tabs that are used to separate the two main functions of the console: Servers and Applications, and Users and Groups. The Servers and Applications tab has two separate panes: the first pane is a hierarchical object list of all servers and their respective databases that have been configured for the network. The local server group is displayed, along with entries for the local administration server and the actual directory server. By selecting the icon associated with the localhost, the hostname, description, physical location, platform, and operating system will be displayed.
Selecting the server group icon displays the group name, description, and installation path.
The second pane shows the domain name, description, port number, and user directory structure for the iDS server. The bind DN and password that the console uses to connect are also shown, along with an option to encrypt connections to the server; without that option the console's simple bind sends the password in clear text, so it should be enabled whenever the console and the server are on different hosts. These details can be edited by clicking the Edit button.
By selecting the Directory Server icon in the Servers and Applications tab, a list of configured items for the local server is displayed, as shown in Figure 31-4. For example, the server name, description, installation date, product name, vendor name, version number, build number, revision level, security level, server status, and port are all displayed.
By double-clicking on the Directory Server icon, a new window is displayed, as shown in Figure 31-5, which is used to configure the directory server’s operation. There are four tabs available, each with a number of different operations. The Tasks tab defines nine different operations:
Start Directory Server, which initializes the local iDS server and launches it.
Stop Directory Server, which shuts down all local services, and stops the iDS processes.
Restart Directory Server, which shuts down all local services, stops the iDS processes, initializes the local iDS server and relaunches it.
Back Up Directory Server, which backs up the local iDS database.
Restore Directory Server, which restores the local iDS database from a backup.
Manage Certificates, which manages certificates for security.
Log In To Directory Server As A New User, which allows you to log in to iDS as a different user.
Import Databases, to load entries into the local iDS database from an LDIF file (for example, one exported from a different system).
Export Databases, to write the local iDS database out to an LDIF file that can be loaded on a different system.
Figure 31-5: Directory Server Configuration window.
The Configuration tab contains a hierarchical list of objects associated with the iDS database, including the backend databases, replication settings, the database schema, logs, and optional plug-ins. In addition, a set of tabs allows various options to be configured. The Settings subtab allows the unencrypted (LDAP) port, the encrypted (LDAPS) port, and referrals to be set, as shown in Figure 31-6. In addition, the server can be set to read-only, entry modification times can be tracked, and various schema checks can be enabled.
The Performance subtab, as shown in Figure 31-7, sets a size limit (the maximum number of entries returned by a single search), a time limit (the maximum number of seconds the server spends on a search), and an idle timeout (the number of seconds after which an idle client connection is dropped). The defaults are 2000 entries, one hour, and zero (never disconnect idle clients), respectively, and these will need to be tightened for local use: the zero idle timeout in particular lets abandoned connections hold server resources indefinitely.
The Encryption subtab has two main tasks: setting options for server security and for client authentication, as shown in Figure 31-8. On the server side, enabling SSL protects bind credentials, which a simple LDAP bind otherwise sends in clear text, from interception by a third party. In this case, the RSA options need to be set, including the name of the security device (by default, the internal, software-based token), the server certificate to present, and the ciphers to allow. On the client side, certificate-based client authentication can be disallowed, allowed, or required, depending on the application's requirements. In addition, use of SSL can be made mandatory for the iPlanet console itself.
The SNMP subtab, as shown in Figure 31-9, provides an interface to the Simple Network Management Protocol (SNMP), allowing service status to be remotely monitored by a third-party SNMP monitoring product. When alarm events are triggered because of runtime errors, administration staff can be notified by pager, phone, or e-mail, and appropriate action can be taken to rectify the problem. Descriptive properties, including the organization, location, and support contact, can be entered from the SNMP subtab, as well as three buttons allowing the service to be started, stopped, and/or restarted.
The Manager subtab, as shown in Figure 31-10, sets several options for the Directory Manager, the privileged account that is not subject to the directory's access controls. These include the Distinguished Name of the Directory Manager, the storage scheme used to hash the Directory Manager's password (by default SSHA, salted SHA-1), and the password itself, which is changed by entering a new password into the New Password field and confirming it in the Confirm Password field.
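The SSHA scheme named in the Manager subtab is not encryption but a salted hash: the stored value is base64(SHA-1(password || salt) || salt) with the "{SSHA}" prefix, so the salt can be recovered from the value itself when a bind is verified. The following is an added example (not code from the book or from iDS) that produces and verifies such values, and contrasts them with the unsalted {SHA} scheme; the 8-byte salt length and the cn=config attribute name mentioned in the comments are assumptions about this server version.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SHA1_LEN = 20   # length of a SHA-1 digest in bytes
SALT_LEN = 8    # assumption: 8-byte salt (some older Netscape-derived servers used 4)


def sha_hash(password: str) -> str:
    """Unsalted {SHA} scheme: base64(SHA1(password)). Shown for contrast only."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA} scheme, as stored in userPassword (and, assumed here, in
    the Directory Manager's nsslapd-rootpw): base64(SHA1(pw || salt) || salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_salt(stored: str) -> bytes:
    """Recover the salt that follows the 20-byte digest in a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= SHA1_LEN:
        raise ValueError("{SSHA} value too short to contain a salt")
    return raw[SHA1_LEN:]


def ssha_verify(stored: str, password: str) -> bool:
    """Check a candidate password against a stored {SSHA} value in constant time."""
    salt = ssha_salt(stored)
    raw = base64.b64decode(stored[len("{SSHA}"):])
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, raw[:SHA1_LEN])


if __name__ == "__main__":
    stored = ssha_hash("correct horse")
    print(stored)
    print("salt:", ssha_salt(stored).hex())
    print("good password:", ssha_verify(stored, "correct horse"))
    print("bad password: ", ssha_verify(stored, "correct Horse"))
    # Two users with the same password share one {SHA} value but get distinct {SSHA} values,
    # which is why the salted scheme resists precomputed-dictionary attacks on a dumped directory.
    print(sha_hash("secret") == sha_hash("secret"), ssha_hash("secret") == ssha_hash("secret"))
```

Changing the storage scheme in the console only affects passwords set afterwards; values already stored under the old scheme keep it until the next password change.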
The administration server can be configured by double-clicking the administration server icon in the Servers and Applications tab, which opens the window shown in Figure 31-11, used to configure the administration server's operation. There are four tabs available, each with a number of different operations. The Tasks tab defines five different operations:
Start directory server, which initializes the local iDS server and launches it.
Restart directory, which shuts down all local services, stops the iDS processes, initializes the local iDS server, and relaunches it.
Configure the local administration server.
Set up local logging options.
Manage certificates for security.
Figure 31-11: Administration Server Configuration window.
The console provides an interface for querying the directory, as well as adding new entries at the user, group, and organizational unit levels. The search facility takes a search string that is a full or partial username, group name, or organizational unit name. For example, to find the user “Paul Watters” in the directory, you could search on “Paul” or “Watters”. Figure 31-12 shows the searching interface and the result of a search on “Watters” (no matches were found in the directory). If a match had been found, the name, user ID, e-mail address, and phone number would have been displayed. In addition, each entry found as the result of a search can be modified by selecting the Edit button.
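A partial-name search like the one above is sent to the server as an LDAP substring filter, and any application that builds such a filter from user input (a web front end to this directory, for instance) has to escape the input first, or a term such as `*)(uid=*` rewrites the filter and matches every entry. The following is an added example, not code from the book or the console, that builds the search filter both ways; the set of attributes searched is an assumption about what the console matches on.

```python
# Characters that RFC 4515 requires to be escaped inside a filter assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

SEARCH_ATTRS = ("cn", "uid", "mail")   # assumption: attributes the console search matches on


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied assertion value so it cannot alter the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(term: str, attrs=SEARCH_ATTRS) -> str:
    """Substring search across several attributes, like the console's user search."""
    term = term.strip()
    if not term:
        raise ValueError("search term must not be empty")
    escaped = escape_filter_value(term)
    return "(|" + "".join(f"({attr}=*{escaped}*)" for attr in attrs) + ")"


def build_unsafe_filter(term: str, attrs=SEARCH_ATTRS) -> str:
    """The same query built by naive concatenation (vulnerable; shown for contrast)."""
    return "(|" + "".join(f"({attr}=*{term}*)" for attr in attrs) + ")"


if __name__ == "__main__":
    print(build_search_filter("Watters"))
    hostile = "*)(uid=*"
    print(build_unsafe_filter(hostile))   # every (attr=**) clause matches every entry
    print(build_search_filter(hostile))   # the metacharacters are now literal text
```

The escaped form is what an `ldapsearch` command line or an LDAP client library should receive; the size limit from the Performance subtab is the only thing that bounds the damage when the unescaped form reaches the server.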
If an entry is not found, it can be easily created by clicking on the Create button, as shown in Figure 31-13. A drop-down list of all possible entry types is shown, including users, groups, and organizational units.
After choosing to create a new user, group, or organizational unit, you need to indicate the directory subtree under which the entry will appear, as shown in Figure 31-14. There are four options: the Base Distinguished Name (that is, the top level of the directory), Groups, People, and Special Users.
A new user can be created by using the Create User screen, as shown in Figure 31-15. The user's first name, last name, common name, user ID, password, e-mail address, phone number, and fax number can be entered into their respective fields. In addition, a target language can be entered for the user, and Windows NT or POSIX-specific user data can be stored. Since this iDS installation is based on Solaris, POSIX should be selected, so that the numeric user ID, group ID, home directory, and login shell are stored with the entry.
Once the user's details have been entered, you should be able to return to the user search screen, enter the name of the user whose details have been stored, and retrieve their complete record, as shown in Figure 31-16. Once retrieved, the user's details can be modified, or the record can be deleted.
A key user characteristic is group membership. Once a number of users have been created in a directory, it makes sense to define groups that list them as members, rather than relying on the individual user entries alone. Defining a new group requires a group name and a group description, which are entered into the Create Group window, as shown in Figure 31-17. The languages used by group members can also be entered by selecting Languages from the left-hand pane.
Once a group has been defined, members can be added individually by selecting Members from the left-hand pane and clicking the Add button, as shown in Figure 31-18. Members added on this screen can be removed just as easily by selecting them and clicking the Remove button.
After members have been added to groups, it is possible to search on a group basis as well as a user basis, as shown in Figure 31-19. The search string can be either a group name or a username. Once group members have been selected on the basis of the search term, their details are displayed sorted by name, along with user ID, e-mail address, and phone number.
At the top level, it’s possible to define a new organizational unit. The unit’s entry can contain the unit’s name, a description, phone number, fax number, alias, and full address, as shown in Figure 31-20. In addition, the language support required for the organizational unit can be defined by selecting Languages from the left-hand pane.
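Everything the Create screens above do (choosing the subtree, creating a POSIX user, a group with members, and an organizational unit) can also be expressed as LDIF and loaded with the Import Databases task or `ldapmodify -a`, which is how bulk provisioning is usually scripted. The following is an added example, not code from the book or from iDS, that generates such entries with the two escaping rules that hand-written LDIF most often gets wrong: RFC 4514 escaping of special characters inside a DN, and RFC 2849 base64 encoding of values that are not safe as plain text. The base DN, the home directory and shell defaults, and the attribute set are assumptions.

```python
import base64

BASE_DN = "dc=example,dc=com"   # assumption: the suffix chosen at install time


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def ldif_line(name: str, value: str) -> str:
    """Emit 'name: value', switching to base64 ('name:: ...') where RFC 2849 requires it:
    empty values, leading space/colon/'<', or any non-ASCII, NUL, CR or LF byte."""
    unsafe = (value == "" or value[0] in " :<"
              or any(ord(c) > 127 or c in "\x00\r\n" for c in value))
    if unsafe:
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{name}: {value}"


def ldif_entry(dn: str, attrs) -> str:
    lines = [ldif_line("dn", dn)] + [ldif_line(n, v) for n, v in attrs]
    return "\n".join(lines) + "\n"


def container_dn(subtree):
    """Map the console's subtree choice to a parent DN; None means the base DN itself."""
    return BASE_DN if subtree is None else f"ou={escape_dn_value(subtree)},{BASE_DN}"


def ou_entry(name, description=None, subtree=None):
    attrs = [("objectClass", "top"), ("objectClass", "organizationalUnit"), ("ou", name)]
    if description:
        attrs.append(("description", description))
    return ldif_entry(f"ou={escape_dn_value(name)},{container_dn(subtree)}", attrs)


def posix_user_entry(first, last, uid, uid_number, gid_number, mail=None,
                     phone=None, hashed_password=None, subtree="People"):
    """inetOrgPerson plus posixAccount, which is what the POSIX option stores."""
    attrs = [("objectClass", c) for c in
             ("top", "person", "organizationalPerson", "inetOrgPerson", "posixAccount")]
    attrs += [("uid", uid), ("cn", f"{first} {last}"), ("sn", last), ("givenName", first),
              ("uidNumber", str(uid_number)), ("gidNumber", str(gid_number)),
              ("homeDirectory", f"/home/{uid}"), ("loginShell", "/bin/sh")]
    if mail:
        attrs.append(("mail", mail))
    if phone:
        attrs.append(("telephoneNumber", phone))
    if hashed_password:   # a pre-hashed value such as {SSHA}...; keep cleartext out of LDIF files
        attrs.append(("userPassword", hashed_password))
    return ldif_entry(f"uid={escape_dn_value(uid)},{container_dn(subtree)}", attrs)


def group_entry(name, description, member_dns, subtree="Groups"):
    """Static group as the console creates it: groupOfUniqueNames, which requires
    at least one uniqueMember, each a full DN."""
    if not member_dns:
        raise ValueError("groupOfUniqueNames needs at least one uniqueMember")
    attrs = [("objectClass", "top"), ("objectClass", "groupOfUniqueNames"),
             ("cn", name), ("description", description)]
    attrs += [("uniqueMember", dn) for dn in member_dns]
    return ldif_entry(f"cn={escape_dn_value(name)},{container_dn(subtree)}", attrs)


if __name__ == "__main__":
    user = posix_user_entry("Paul", "Watters", "pwatters", 1001, 100, mail="paul@example.com")
    group = group_entry("sysadmins", "Systems administrators",
                        ["uid=pwatters,ou=People," + BASE_DN])
    print(ou_entry("Engineering", "R&D staff") + "\n" + user + "\n" + group)
```

The output is one LDIF record per entry, separated by blank lines; load it over an SSL connection so that any userPassword values do not cross the network in clear text, and add the organizational unit before the entries that live under it.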
If you are unfamiliar with LDAP, you may need to consult a specialized book on the topic to be able to fully understand the administrative and security issues associated with creating organizational units, groups, and members.