A Brief Hands-on Tour of Netscape Directory Server

   

Now that you have a functioning LDAP server, you can explore its capabilities. Put another way, it is time to shift into second gear. The Netscape server supports all significant LDAP standards, including LDAPv2 (for compatibility with very old applications) and LDAPv3. Netscape also supports many proposed LDAPv3 extensions, which are discussed later in the chapter.

Searching

When you viewed the dc=example,dc=com entries after installing the server, you used the Directory tab within the Netscape Directory Server console. Now add a new entry using that same interface.

Step 1. Return to the Directory tab and select the People node on the left side of the window. Within the Object menu, execute the New User command to open the Create New User window. Using the information shown in Figure 4.6, create a new user named Bugs Bunny. Choose a password such as "@home@WB" (the password is not used in any of the examples in this chapter).

Figure 4.6. Creating a New Entry for Bugs Bunny

Next let's execute some directory searches.

Step 2. Use Netscape Console to search for the entry you just added. Locate the entry labeled People on the left side of the Directory pane. Use the rightmost mouse button to click on the People entry and select Search... from the context menu that appears. Type "Bugs Bunny" in the text field labeled for and press the Enter key.

A search result list with one entry should appear. Feel free to try other searches as well. The Netscape Console search window supports several search modes, including one that allows you to type arbitrary LDAP filters.

Step 3. Search for the same entry using the ldapsearch command-line tool that is bundled with the Netscape server. Start a Unix shell or a Microsoft Windows command prompt window. On Solaris, type these commands:

cd /export/ds6/shared/bin
./ldapsearch -b "dc=example,dc=com" "(cn=Bugs Bunny)"
On Microsoft Windows, type these commands:

cd \Netscape\Servers\shared\bin
ldapsearch -b "dc=example,dc=com" "(cn=Bugs Bunny)"

In the ldapsearch command the argument to the -b option is the search base (dc=example,dc=com), and the last command-line parameter is the LDAP filter (cn=Bugs Bunny), which specifies an exact match on the cn attribute for the string "Bugs Bunny." Listing 4.2 shows the result of this search: one entry in LDIF format.

Listing 4.2 Result of Search for "Bugs Bunny"
version: 1
dn: uid=bbunny,ou=People, dc=example,dc=com
mail: bbunny@example.com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
givenName: Bugs
telephoneNumber: +1 555 555 1212
cn: Bugs Bunny
uid: bbunny
sn: Bunny
facsimileTelephoneNumber: +1 555 555 1299

There are no surprises here. Netscape has standardized on the inetOrgPerson object class defined in RFC 2798 for user entries, so the entry has objectClass: inetorgperson. The entry's RDN is uid=bbunny because by default Netscape Console uses the uid (user id) attribute to name user entries.

Step 4. Try a more complex search. Suppose you want to find all entries that are people in the Product Development department who are located in the Cupertino location. Further, suppose that you want to retrieve only the name, department, and e-mail address of each person. This ldapsearch command will do the job (execute this command, and all ldapsearch commands shown in this chapter, from the same directory as in step 3):

 ldapsearch -b "dc=example,dc=com" "(&(ou=Product Development)(L=Cupertino))" cn ou mail 
The search filter consists of two equality filters ANDed together, and the list of requested attributes appears at the end of the command line (cn ou mail). This search returns 11 entries. Wouldn't it be nice if they were sorted alphabetically by name? Luckily, ldapsearch supports the LDAPv3 Server-Side Sorting control, and so does Netscape Directory Server.

Step 5. Add the -x option to tell the server to sort the entries before returning them, and add the -Scn option to specify that the cn (common name) attribute should be used as the sort key. Here is the revised ldapsearch command:

ldapsearch -b "dc=example,dc=com" -x -Scn "(&(ou=Product Development)(L=Cupertino))" cn ou mail

Listing 4.3 shows the resulting LDIF output.

Listing 4.3 Search Results Sorted by Name
version: 1
dn: uid=aworrell, ou=People, dc=example,dc=com
cn: Alan Worrell
ou: Product Development
ou: People
mail: aworrell@example.com

dn: uid=aknutson, ou=People, dc=example,dc=com
cn: Ashley Knutson
ou: Product Development
ou: People
mail: aknutson@example.com

dn: uid=bjensen, ou=People, dc=example,dc=com
cn: Barbara Jensen
cn: Babs Jensen
ou: Product Development
ou: People
mail: bjensen@example.com

dn: uid=cwallace, ou=People, dc=example,dc=com
cn: Cecil Wallace
ou: Product Development
ou: People
mail: cwallace@example.com

dn: uid=jmuffly, ou=People, dc=example,dc=com
cn: Jeff Muffly
ou: Product Development
ou: People
mail: jmuffly@example.com

dn: uid=jcampaig, ou=People, dc=example,dc=com
cn: Jody Campaigne
ou: Product Development
ou: People
mail: jcampaig@example.com

dn: uid=jbourke, ou=People, dc=example,dc=com
cn: Jon Bourke
ou: Product Development
ou: People
mail: jbourke@example.com

dn: uid=mlangdon, ou=People, dc=example,dc=com
cn: Marcus Langdon
ou: Product Development
ou: People
mail: mlangdon@example.com

dn: uid=mtalbot, ou=People, dc=example,dc=com
cn: Martin Talbot
ou: Product Development
ou: People
mail: mtalbot@example.com

dn: uid=smason, ou=People, dc=example,dc=com
cn: Sue Mason
ou: Product Development
ou: People
mail: smason@example.com

dn: uid=speterso, ou=People, dc=example,dc=com
cn: Sue Peterson
ou: Product Development
ou: People
mail: speterso@example.com
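The filters used in steps 3 through 5 and the -S sort key, reproduced client-side as an added example (this is not code from the book or from Netscape's tools): a small parser and evaluator for the RFC 2254 filter syntax, run over constructed entries modeled on Listing 4.3. The l (location) values and the Sam Carter entry's attributes are assumed, since Listing 4.3 requested only cn, ou and mail.

```python
# Constructed entries in the shape of the Listing 4.3 results (attribute names
# lower-cased, every attribute a list of values). The l values are assumed.
OC = ["top", "person", "organizationalPerson", "inetOrgPerson"]
ENTRIES = [
    {"dn": "uid=bjensen,ou=People,dc=example,dc=com", "objectclass": OC,
     "cn": ["Barbara Jensen", "Babs Jensen"], "sn": ["Jensen"], "l": ["Cupertino"],
     "ou": ["Product Development", "People"], "mail": ["bjensen@example.com"]},
    {"dn": "uid=aworrell,ou=People,dc=example,dc=com", "objectclass": OC,
     "cn": ["Alan Worrell"], "sn": ["Worrell"], "l": ["Cupertino"],
     "ou": ["Product Development", "People"], "mail": ["aworrell@example.com"]},
    {"dn": "uid=scarter,ou=People,dc=example,dc=com", "objectclass": OC,
     "cn": ["Sam Carter"], "sn": ["Carter"], "l": ["Sunnyvale"],
     "ou": ["Accounting", "People"], "mail": ["scarter@example.com"]},
    {"dn": "uid=bbunny,ou=People,dc=example,dc=com", "objectclass": OC,
     "cn": ["Bugs Bunny"], "sn": ["Bunny"], "ou": ["People"],
     "mail": ["bbunny@example.com"]},
]


def parse_filter(text):
    """Parse an LDAP filter string into a tree: ("and"|"or", [subs]),
    ("not", sub), ("present", attr), ("equal", attr, value) or
    ("substr", attr, pieces). Only the operators used on this page are handled."""
    pos = 0

    def parse():
        nonlocal pos
        if text[pos:pos + 1] != "(":
            raise ValueError("expected '(' at %d in %r" % (pos, text))
        pos += 1
        op = text[pos:pos + 1]
        if op in ("&", "|", "!"):
            pos += 1
            subs = []
            while text[pos:pos + 1] == "(":
                subs.append(parse())
            if text[pos:pos + 1] != ")":
                raise ValueError("unbalanced filter: %r" % text)
            pos += 1
            if op == "!":
                if len(subs) != 1:
                    raise ValueError("'!' takes exactly one subfilter")
                return ("not", subs[0])
            return ("and" if op == "&" else "or", subs)
        end = text.find(")", pos)
        if end < 0:
            raise ValueError("unbalanced filter: %r" % text)
        item = text[pos:end]
        pos = end + 1
        attr, sep, value = item.partition("=")
        if not sep or attr[-1:] in ("<", ">", "~"):
            raise ValueError("unsupported filter item: %r" % item)
        if value == "*":
            return ("present", attr)
        if "*" in value:
            return ("substr", attr, value.split("*"))
        return ("equal", attr, value)

    tree = parse()
    if pos != len(text):
        raise ValueError("trailing data in filter: %r" % text)
    return tree


def matches(node, entry):
    """Evaluate a parsed filter against one entry. These attributes use
    case-insensitive matching rules in LDAP, so everything is compared lower-cased."""
    kind = node[0]
    if kind == "and":
        return all(matches(n, entry) for n in node[1])
    if kind == "or":
        return any(matches(n, entry) for n in node[1])
    if kind == "not":
        return not matches(node[1], entry)
    values = [v.lower() for v in entry.get(node[1].lower(), [])]
    if kind == "present":
        return bool(values)
    if kind == "equal":
        return node[2].lower() in values
    return any(_substr_match([p.lower() for p in node[2]], v) for v in values)


def _substr_match(pieces, value):
    """pieces is the filter value split on '*': a prefix, pieces that must
    appear in order, and a suffix (prefix and suffix may be empty)."""
    first, last = pieces[0], pieces[-1]
    if len(first) + len(last) > len(value):
        return False
    if not (value.startswith(first) and value.endswith(last)):
        return False
    middle, at = value[len(first):len(value) - len(last)], 0
    for piece in pieces[1:-1]:
        at = middle.find(piece, at)
        if at < 0:
            return False
        at += len(piece)
    return True


def search(entries, filter_text, attrs=(), sort_attr=None):
    """Client-side analogue of: ldapsearch [-S sort_attr] "<filter>" [attrs...]"""
    tree = parse_filter(filter_text)
    hits = [e for e in entries if matches(tree, e)]
    if sort_attr:  # sort on the first value of the key attribute, like -Scn
        hits.sort(key=lambda e: e.get(sort_attr.lower(), [""])[0].lower())
    if attrs:
        wanted = {a.lower() for a in attrs}
        hits = [{k: v for k, v in e.items() if k == "dn" or k in wanted} for e in hits]
    return hits


if __name__ == "__main__":
    for hit in search(ENTRIES, "(&(ou=Product Development)(L=Cupertino))",
                      ("cn", "ou", "mail"), "cn"):
        print(hit["dn"], hit["cn"])
```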

Manipulating Netscape Directory Server Databases

Netscape Directory Server uses a high-performance embedded database to store data, and it allows multiple database instances to be active at the same time. Each database instance has a unique name and stores data for one naming context (one subtree within the DIT). The Typical installation used earlier in the chapter created two database instances:

  1. NetscapeRoot. Holds configuration and administration information that may be shared by more than one Netscape server.

  2. userRoot. Holds the data that you load into the directory. Earlier in the chapter, you chose dc=example,dc=com as the naming context for your data.

Netscape Console has full support for creating and maintaining databases. This section shows how to manipulate directory databases from the command line.

Step 1. Before executing any of the commands shown, ensure that the current working directory is the slapd-example instance directory. Start a Unix shell or a Microsoft Windows command prompt window. On Solaris, type this command:

 cd /export/ds6/slapd-example 
On Microsoft Windows, type this command:

 cd \Netscape\Servers\slapd-example 
In the commands that follow, all of the leading "./" sequences should be omitted if you're working on Microsoft Windows.

Step 2. First use the suffix2instance command to display a list of active suffixes (naming contexts) and their corresponding Netscape Directory Server databases:

 ./suffix2instance -s "" 
The -s "" parameter says that all suffixes are to be listed; if you wanted to list suffixes under only a specific subtree, you would include the subtree DN after the -s. The output produced is

Suffix, Instance name pair(s) under "":
        suffix "o=NetscapeRoot"; instance name "NetscapeRoot"
        suffix "dc=example,dc=com"; instance name "userRoot"

Step 3. Shut down the server using the stop-slapd command and replace the contents of the userRoot database with new data, a process known as bulk-loading. Listing 4.4 shows how to use Netscape's ldif2db command to load the Example.ldif file that is bundled with the server. The commands you need to type are shown in bold.

Listing 4.4 Bulk-Loading of Example.ldif Using the ldif2db Command
./stop-slapd
./ldif2db -n userRoot -i - <ldif/Example.ldif
importing data ...
[26/Aug/2002:16:04:18 -0500] - import userRoot: Index buffering enabled with bucket size 15
[26/Aug/2002:16:04:18 -0500] - import userRoot: Beginning import job...
[26/Aug/2002:16:04:18 -0500] - import userRoot: Processing file stdin
[26/Aug/2002:16:04:19 -0500] - import userRoot: Finished scanning file stdin (160 entries)
[26/Aug/2002:16:04:19 -0500] - import userRoot: Workers finished; cleaning up...
[26/Aug/2002:16:04:22 -0500] - import userRoot: Workers cleaned up.
[26/Aug/2002:16:04:22 -0500] - import userRoot: Cleaning up producer thread...
[26/Aug/2002:16:04:22 -0500] - import userRoot: Indexing complete. Post-processing...
[26/Aug/2002:16:04:22 -0500] - import userRoot: Flushing caches...
[26/Aug/2002:16:04:22 -0500] - import userRoot: Closing files...
[26/Aug/2002:16:04:22 -0500] - import userRoot: Import complete. Processed 160 entries in 4 seconds. (40.00 entries/sec)

The -n userRoot parameter selects the userRoot database instance, -i - indicates that the LDIF file is provided on standard input, and <ldif/Example.ldif causes the shell to send the contents of the Example.ldif file to ldif2db's standard input.

Listing 4.5 demonstrates the reverse process (creating an LDIF file from an existing database). On Windows, ensure that a directory named \tmp exists in the root of the drive where you installed Netscape Directory Server, or use a different pathname for the example-dump.ldif output file.

Listing 4.5 Dumping a Database Using the db2ldif Command
./db2ldif -n userRoot -a /tmp/example-dump.ldif
ldiffile: /tmp/example-dump.ldif
[26/Aug/2002:16:35:28 -0500] - export userRoot: Processed 160 entries (100%).
more < /tmp/example-dump.ldif
version: 1
# entry-id: 1
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example
aci: (target ="ldap:///dc=example,dc=com")(targetattr !="userPassword")(versio
 n 3.0;acl "Anonymous read-search access";allow (read, search, compare)(userd
 n = "ldap:///anyone");)
aci: (target="ldap:///dc=example,dc=com") (targetattr = "*")(version 3.0; acl
  "allow all Admin group"; allow(all) groupdn = "ldap:///cn=Directory Administ
 rators,ou=Groups,dc=example,dc=com";)
nsUniqueId: 093e751b-1dd211b2-80000000-00000000

# entry-id: 2
dn: ou=Groups, dc=example,dc=com
objectClass: top
objectClass: organizationalunit
ou: Groups
nsUniqueId: 093e751c-1dd211b2-80000000-00000000

# entry-id: 3
dn: cn=Directory Administrators, ou=Groups, dc=example,dc=com
cn: Directory Administrators
objectClass: top
objectClass: groupofuniquenames
ou: Groups
uniqueMember: uid=kvaughan, ou=People, dc=example,dc=com
uniqueMember: uid=rdaugherty, ou=People, dc=example,dc=com
uniqueMember: uid=hmiller, ou=People, dc=example,dc=com
nsUniqueId: 093e751d-1dd211b2-80000000-00000000
--More(2%)

The -n userRoot parameter indicates that entries within the default directory database should be extracted (-s "dc=example,dc=com" may be used instead to extract the entries on the basis of the LDAP subtree that contains them). The -a - parameter says that the output should be sent to standard output, and >example-dump.ldif tells the shell to capture the output in a file named example-dump.ldif.

Listing 4.5 shows the first portion of the file, as viewed using the more command. Each entry in the LDIF file includes an nsUniqueID attribute, which is an operational attribute that holds a global unique identifier (GUID) generated by Netscape Directory Server. The nsUniqueID values are used internally by Netscape to support replication and are preserved when entries are renamed. These values may also be used by LDAP clients that need to track entries without relying on the entry's DN. Listing 4.6 shows how to dump a Netscape Directory Server database in Directory Services Markup Language (DSML) format rather than LDIF format. DSML is an XML-based format for representing directory data.
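A client that consumes a db2ldif dump has to cope with LDIF's folded continuation lines (the aci values in Listing 4.5 wrap mid-token), comment lines, multi-valued attributes and base64 values. The following is an added example, not code from the book or from Netscape: a minimal LDIF reader run over a constructed sample in the shape of Listing 4.5, plus the nsUniqueId index a rename-tolerant client would keep. The "Café" description value is constructed to show the "::" base64 form.

```python
import base64

# Constructed sample in the shape of the db2ldif output in Listing 4.5:
# a version line, "# entry-id" comments, a folded aci value (continuation lines
# begin with one space), multi-valued attributes, and one base64 value ("::"),
# which LDIF requires for non-ASCII text such as "Café".
SAMPLE_LDIF = """version: 1
# entry-id: 1
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example
aci: (target ="ldap:///dc=example,dc=com")(targetattr !="userPassword")(versio
 n 3.0;acl "Anonymous read-search access";allow (read, search, compare)(userd
 n = "ldap:///anyone");)
nsUniqueId: 093e751b-1dd211b2-80000000-00000000

# entry-id: 2
dn: ou=Groups, dc=example,dc=com
objectClass: top
objectClass: organizationalunit
ou: Groups
description:: Q2Fmw6k=
nsUniqueId: 093e751c-1dd211b2-80000000-00000000
"""


def unfold(text):
    """Join LDIF continuation lines: a line that starts with a single space is
    the tail of the previous line, with that one space removed."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of {"dn": ..., "attrs": {name: [values]}} dicts.
    Attribute names are lower-cased because LDAP treats them case-insensitively
    (the dumps on this page spell them both "nsUniqueId" and "nsuniqueid")."""
    entries, current = [], None
    for line in unfold(text) + [""]:  # the trailing "" flushes the last entry
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        name = name.strip().lower()
        if name == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is None:
            raise ValueError("attribute line before any dn: " + line)
        else:
            current["attrs"].setdefault(name, []).append(value)
    return entries


def index_by_unique_id(entries):
    """Map nsUniqueId -> DN: the key to track entries by when a client must
    survive renames (a modrdn changes the DN, nsUniqueId stays the same)."""
    return {uid: e["dn"] for e in entries
            for uid in e["attrs"].get("nsuniqueid", [])}


if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        print(entry["dn"], "->", entry["attrs"].get("nsuniqueid"))
```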

Listing 4.6 Dumping a Database Using the db2dsml Command
./db2dsml -n userRoot -a /tmp/example-dump.dsml
ldiffile: -
[26/Aug/2002:16:41:12 -0500] - export userRoot: Processed 160 entries (100%).
more < /tmp/example-dump.dsml
<?xml version="1.0" encoding="UTF-8" ?>
<dsml:dsml xmlns:dsml="http://www.dsml.org/DSML">
  <dsml:directory-entries>
  <dsml:entry dn="dc=example,dc=com">
    <dsml:objectclass>
      <dsml:oc-value>top</dsml:oc-value>
      <dsml:oc-value>domain</dsml:oc-value>
    </dsml:objectclass>
    <dsml:attr name="dc">
      <dsml:value>example</dsml:value>
    </dsml:attr>
    <dsml:attr name="nsuniqueid">
      <dsml:value>093e751b-1dd211b2-80000000-00000000</dsml:value>
    </dsml:attr>
    <dsml:attr name="aci">
      <dsml:value>(target ="ldap:///dc=example,dc=com")(targetattr != "userPassword")(version 3.0;acl "Anonymous read-search access" ;allow (read, search, compare)(userdn = "ldap:///anyone");)</dsml:value>
      <dsml:value>(target="ldap:///dc=example,dc=com") (targetattr = "*")(version 3.0; acl "allow all Admin group"; allow(all) groupdn = "ldap:///cn=Directory Administrators, ou=Groups, dc=example,dc=com";)</dsml:value>
    </dsml:attr>
  </dsml:entry>
  <dsml:entry dn="ou=Groups, dc=example,dc=com">
    <dsml:objectclass>
      <dsml:oc-value>top</dsml:oc-value>
      <dsml:oc-value>organizationalunit</dsml:oc-value>
    </dsml:objectclass>
    <dsml:attr name="nsuniqueid">
      <dsml:value>093e751c-1dd211b2-80000000-00000000</dsml:value>
    </dsml:attr>
    <dsml:attr name="ou">
      <dsml:value>Groups</dsml:value>
    </dsml:attr>
  </dsml:entry>
  <dsml:entry dn="cn=Directory Administrators, ou=Groups, dc=example,dc=com">
    <dsml:objectclass>
      <dsml:oc-value>top</dsml:oc-value>
      <dsml:oc-value>groupofuniquenames</dsml:oc-value>
    </dsml:objectclass>
    <dsml:attr name="cn">
      <dsml:value>Directory Administrators</dsml:value>
    </dsml:attr>
    <dsml:attr name="nsuniqueid">
      <dsml:value>093e751d-1dd211b2-80000000-00000000</dsml:value>
    </dsml:attr>
    <dsml:attr name="uniquemember">
      <dsml:value>uid=kvaughan, ou=People, dc=example,dc=com</dsml:value>
      <dsml:value>uid=rdaugherty, ou=People, dc=example,dc=com</dsml:value>
      <dsml:value>uid=hmiller, ou=People, dc=example,dc=com</dsml:value>
    </dsml:attr>
    <dsml:attr name="ou">
      <dsml:value>Groups</dsml:value>
    </dsml:attr>
  </dsml:entry>
--More(1%)

The DSML output is more verbose than LDIF, but it is useful if you want to work with XML-savvy tools and with other applications that understand XML. See Chapter 3, LDAPv3 Extensions, for more information about DSML.

Another important database maintenance task is creating backups of the data. Netscape supports hot backups, that is, backups that are performed while the directory server is running and accepting updates. The Netscape server stores its active database files under a subdirectory named db, and the hot backup process makes a transactionally consistent copy of all the files.

Step 1. While the server is running, use the db2bak command as shown in Listing 4.7 to create a complete backup of the directory data. The sample run is from a Solaris system. Each .db3 file stores some entry data or an attribute index; on Microsoft Windows the pathnames of the files will be different.

Listing 4.7 Starting the Server and Creating a Backup
./start-slapd
./db2bak
[26/Aug/2002:17:01:21 -0500] - Backing up file 1 (/export/ds6/slapd-example/bak/2002_08_26_17_01_20/userRoot/id2entry.db3)
[26/Aug/2002:17:01:21 -0500] - Backing up file 2 (/export/ds6/slapd-example/bak/2002_08_26_17_01_20/userRoot/entrydn.db3)
[26/Aug/2002:17:01:21 -0500] - Backing up file 3 (/export/ds6/slapd-example/bak/2002_08_26_17_01_20/userRoot/parentid.db3)
[26/Aug/2002:17:01:21 -0500] - Backing up file 4 (/export/ds6/slapd-example/bak/2002_08_26_17_01_20/userRoot/aci.db3)
[26/Aug/2002:17:01:21 -0500] - Backing up file 5 (/export/ds6/slapd-example/bak/2002_08_26_17_01_20/userRoot/uid.db3)
[26/Aug/2002:17:01:21 -0500] - Backing up file 6 (/export/ds6/slapd-example/bak/2002_08_26_17_01_20/userRoot/nsUniqueId.db3)
[26/Aug/2002:17:01:21 -0500] - Backing up file 7 (/export/ds6/slapd-example/bak/2002_08_26_17_01_20/userRoot/objectclass.db3)
[26/Aug/2002:17:01:21 -0500] - Backing up file 8 (/export/ds6/slapd-example/bak/2002_08_26_17_01_20/userRoot/mail.db3)
[26/Aug/2002:17:01:21 -0500] - Backing up file 9 (/export/ds6/slapd-example/bak/2002_08_26_17_01_20/userRoot/cn.db3)
...
[26/Aug/2002:17:01:22 -0500] - Backing up file 25 (/export/ds6/slapd-example/bak/2002_08_26_17_01_20/NetscapeRoot/sn.db3)
[26/Aug/2002:17:01:22 -0500] - Backing up file 26 (/export/ds6/slapd-example/bak/2002_08_26_17_01_20/NetscapeRoot/givenName.db3)
[26/Aug/2002:17:01:22 -0500] - Backing up file 27 (/export/ds6/slapd-example/bak/2002_08_26_17_01_20/NetscapeRoot/uid.db3)
[26/Aug/2002:17:01:22 -0500] - Backing up file 28 (/export/ds6/slapd-example/bak/2002_08_26_17_01_20/NetscapeRoot/uniquemember.db3)
[26/Aug/2002:17:01:22 -0500] - Backing up file 29 (/export/ds6/slapd-example/bak/2002_08_26_17_01_20/log.0000000001)
[26/Aug/2002:17:01:22 -0500] - Backing up file 30 (/export/ds6/slapd-example/bak/2002_08_26_17_01_20/DBVERSION)

The db2bak command creates a consistent copy of all the database files. By default, the files are stored under a directory in the file system named according to the current date and time (/export/ds6/slapd-example/bak/2002_08_26_17_01_20/ in the sample run shown).

Step 2. If running on Microsoft Windows, use the commands shown in Listing 4.8 to restore the directory server data from the backup you created. First, stop the server using the stop-slapd command (databases cannot be restored while the server is running). Next, simulate loss of the active database files by using the del or rm command to remove all of the .db3 files. Finally, execute the bak2db command to restore the database files from the backup.

Listing 4.8 Restoring a Database from a Backup
stop-slapd
del /S/Q db\*.db3
Deleted file - C:\Netscape\Servers\slapd-example\db\DBVERSION
Deleted file - C:\Netscape\Servers\slapd-example\db\log.0000000001
Deleted file - C:\Netscape\Servers\slapd-example\db\NetscapeRoot\aci.db3
Deleted file - C:\Netscape\Servers\slapd-example\db\NetscapeRoot\ancestorid.db3
Deleted file - C:\Netscape\Servers\slapd-example\db\NetscapeRoot\cn.db3
...
Deleted file - C:\Netscape\Servers\slapd-example\db\userRoot\parentid.db3
Deleted file - C:\Netscape\Servers\slapd-example\db\userRoot\sn.db3
Deleted file - C:\Netscape\Servers\slapd-example\db\userRoot\telephoneNumber.db3
Deleted file - C:\Netscape\Servers\slapd-example\db\userRoot\uid.db3
Deleted file - C:\Netscape\Servers\slapd-example\db\userRoot\uniquemember.db3
bak2db C:\Netscape\Servers\slapd-example\bak02_08_26_170120
[27/Aug/2002:10:06:40 -0500] - Restoring file 1 (C:/Netscape/Servers/slapd-example/db/DBVERSION)
[27/Aug/2002:10:06:40 -0500] - Restoring file 2 (C:/Netscape/Servers/slapd-example/db/log.0000000001)
[27/Aug/2002:10:06:43 -0500] - Restoring file 3 (C:/Netscape/Servers/slapd-example/db/NetscapeRoot/aci.db3)
[27/Aug/2002:10:06:43 -0500] - Restoring file 4 (C:/Netscape/Servers/slapd-example/db/NetscapeRoot/ancestorid.db3)
[27/Aug/2002:10:06:43 -0500] - Restoring file 5 (C:/Netscape/Servers/slapd-example/db/NetscapeRoot/cn.db3)
[27/Aug/2002:10:06:43 -0500] - Restoring file 6 (C:/Netscape/Servers/slapd-example/db/NetscapeRoot/entrydn.db3)
[27/Aug/2002:10:06:43 -0500] - Restoring file 7 (C:/Netscape/Servers/slapd-example/db/NetscapeRoot/givenName.db3)
[27/Aug/2002:10:06:43 -0500] - Restoring file 8 (C:/Netscape/Servers/slapd-example/db/NetscapeRoot/id2entry.db3)
[27/Aug/2002:10:06:43 -0500] - Restoring file 9 (C:/Netscape/Servers/slapd-example/db/NetscapeRoot/nsUniqueId.db3)
...
[27/Aug/2002:10:06:43 -0500] - Restoring file 25 (C:/Netscape/Servers/slapd-example/db/userRoot/objectclass.db3)
[27/Aug/2002:10:06:43 -0500] - Restoring file 26 (C:/Netscape/Servers/slapd-example/db/userRoot/parentid.db3)
[27/Aug/2002:10:06:43 -0500] - Restoring file 27 (C:/Netscape/Servers/slapd-example/db/userRoot/sn.db3)
[27/Aug/2002:10:06:43 -0500] - Restoring file 28 (C:/Netscape/Servers/slapd-example/db/userRoot/telephoneNumber.db3)
[27/Aug/2002:10:06:43 -0500] - Restoring file 29 (C:/Netscape/Servers/slapd-example/db/userRoot/uid.db3)
[27/Aug/2002:10:06:43 -0500] - Restoring file 30 (C:/Netscape/Servers/slapd-example/db/userRoot/uniquemember.db3)
If running on Solaris, use the following commands instead of the ones shown in Listing 4.8:

./stop-slapd
rm -rf db/*/*.db3
./bak2db /export/ds6/slapd-example/bak/2002_08_26_17_01_20
The pathname used in the bak2db command must match that produced by the db2bak command you already executed. If necessary, perform a directory listing of the bak directory to find the correct name.

Step 3. Execute the start-slapd and ldapsearch commands shown in Listing 4.9 to restart the server and perform a quick one-level search to verify that the data has been restored. The commands and output shown are from a Windows system. The output indicates that the restore was successful.

Listing 4.9 Checking That the Data Has Been Restored
start-slapd
C:\Netscape\Servers\slapd-example>net start slapd-example
The Netscape Directory Server 6 (example) service is starting.
The Netscape Directory Server 6 (example) service was started successfully.
cd \Netscape\Servers\shared\bin
ldapsearch -v -b "dc=example,dc=com" -s one "(objectClass=*)"
version: 1
dn: ou=Groups, dc=example,dc=com
objectClass: top
objectClass: organizationalunit
ou: Groups

dn: ou=People, dc=example,dc=com
objectClass: top
objectClass: organizationalunit
ou: People

dn: ou=Special Users,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Special Users
description: Special Administrative Accounts

dn: ou=Netscape Servers,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Netscape Servers
description: Standard branch for Netscape Server registration

Controlling Access to Directory Data

Netscape Directory Server allows directory administrators to control access to all data in the DIT down to the entry, attribute, and value levels. Access control instructions are stored in operational attributes named aci. The aci attributes may appear in any entry, and by default they affect all entries within the subtree where they are stored. For example, access control instructions that are stored in the entry dc=example,dc=com govern access to all entries at and below dc=example,dc=com, such as those within ou=People,dc=example,dc=com and within ou=Groups,dc=example,dc=com.

This section introduces Netscape Directory Server's access control mechanism by demonstrating how to add an access control instruction to allow one entry to impersonate another. The actual impersonation is done using the LDAP Proxied Authorization control (see Chapter 3, LDAPv3 Extensions, for more information on this control). The Netscape access control mechanism uses a set of operation-specific rights to control access. To be able to use the Proxied Authorization control, the entry must have proxy rights for the entry you wish to impersonate.

Typically, the proxy right is granted to an administrative entry or to an entry that represents a software application. Follow these steps to add a special user to which you will grant the proxy right:

Step 1. Start Netscape Console if it is not already running, and log in, entering "cn=Directory Manager" as the DN and "secret389" as the password.

Step 2. Open the Directory Server Administration Console for the sample server by clicking the Directory tab, and click to expand the directory node labeled example . You should see four organizational unit entries: Groups , People , Special Users , and Netscape Servers .

Step 3. Select Special Users by clicking it. On the Object menu, choose the New User command. Create a user named "Proxy User" and give it the password "lrtw,YB!". Figure 4.7 shows how the Create New User screen should look before you click the OK button.

Figure 4.7. Creating a New Entry Named "Proxy User"

Step 4. Confirm that the new user is not yet able to act as a proxy for other entries. The tests performed rely on the fact that access control instructions to allow people to modify their own entry are included in the Example.ldif file. Listing 4.10 shows two ldapmodify commands that both authenticate as the Proxy User entry and attempt to change the userPassword attribute within Sam Carter's entry. The first command does not use Proxied Authorization; the second one does. The text you need to type is shown in bold. Press return twice to insert a blank line after the "-" character that appears on a line by itself. On Microsoft Windows, omit the leading "./" from the commands.

Listing 4.10 Failed Attempts to Modify an Entry
./ldapmodify -D "uid=puser,ou=Special Users,dc=example,dc=com" -w "lrtw,YB!"
dn: uid=scarter,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: mySecret42
-

modifying entry uid=scarter,ou=People,dc=example,dc=com
ldap_modify: Insufficient access
ldap_modify: additional info: Insufficient 'write' privilege to the 'userPassword' attribute of entry 'uid=scarter,ou=people,dc=example,dc=com'.

./ldapmodify -D "uid=puser,ou=Special Users,dc=example,dc=com" -w "lrtw,YB!" -Y "dn: uid=scarter,ou=People,dc=example,dc=com"
dn: uid=scarter,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: mySecret42
-

modifying entry uid=scarter,ou=People,dc=example,dc=com
ldap_modify: Insufficient access
ldap_modify: additional info: Insufficient 'write' privilege to the 'userPassword' attribute of entry 'uid=scarter,ou=people,dc=example,dc=com'.

The first ldapmodify command failed because the Proxy User entry is treated just like any other entry, and therefore it does not have permission to modify Sam Carter's entry. The second ldapmodify command failed because Proxy User does not yet have permission to impersonate other users, which makes using the -Y (Proxied Authorization) option unhelpful. If the server allowed Proxy User to impersonate Sam Carter, Proxy User would be able to modify Sam's entry (just as Sam Carter himself could).

Next, follow these steps to begin the process of adding a new access control instruction (ACI) to the ou=People,dc=example,dc=com subtree:

Step 1. Return to the Netscape Directory Server console Directory tab and select the node labeled People .

Step 2. From the Object menu, choose the Set Access Permissions command. A Manage Access Control window will open. It shows a list of five access control instructions, which are included in the Example.ldif file.

Step 3. Click the New button. Figure 4.8 shows the Edit ACI window that opens. This window has an ACI Name field, as well as five tabs:

  1. Users/Groups. Allows you to add users and groups that are given the rights granted by this access control instruction. By default, the set of users and groups is set to All Users.

  2. Rights. Allows you to specify what the users and groups are allowed to do. The available rights are these:

    • read. See attribute values, for example, by asking that an attribute be returned from an LDAP search operation.

    • compare. Compare attribute values, for example, by using an LDAP compare operation.

    • search. Determine if attribute values exist, for example, by using an attribute within an LDAP search filter.

    • selfwrite. Allow an entry to add its own DN to an attribute.

    • write. Modify attributes, for example, by using an LDAP modify operation.

    • delete. Remove entries by using an LDAP delete operation.

    • add. Add entries by using an LDAP add operation.

    • proxy. Impersonate another entry by using the LDAPv3 Proxied Authorization control.

    By default, the new ACI grants all rights except proxy.

  3. Targets. Allows you to limit the set of entries and attributes that this access control instruction governs. For example, you can specify that an ACI governs only the userPassword attribute of entries that match the filter (objectClass=inetOrgPerson). By default, the ACI affects all entries at and below the entry that contains the aci attribute, and all attributes within those entries.

  4. Hosts. Allows you to limit access based on the LDAP client's host name or IP address. By default, all hosts are treated the same.

  5. Times. Allows you to limit access based on time of day and day of the week. For example, you could limit access to the hours 8 A.M. to 6 P.M. on weekdays. By default, no time- or day-based restrictions are enforced.

Figure 4.8. The Netscape Directory Server Console Edit ACI Window

Next, follow these steps to grant the proxy right to Proxy User:

Step 1. Type the phrase "Proxy permission for Proxy User" in the ACI Name text field.

Step 2. Make sure the Users/Groups tab is active and that All Users is selected. Click the Remove button to delete "All Users" and then click the Add button to open the Add Users and Groups window. Search for the Proxy User entry and add it to the access permission list. Click the OK button to close the Add Users and Groups window.

Step 3. Click the Rights tab and make sure Proxy is the only right checked (you must uncheck all the other rights and then check Proxy ). Click the OK button to save your new access control instruction. Figure 4.9 shows the updated Manage Access Control window that includes your new proxy permission ACI.

Figure 4.9. The Manage Access Control Window for ou=People,dc=example,dc=com

Step 4. Using Netscape Console to manage access control simplifies the process considerably and allows you to avoid the messy syntax of the aci attributes. Use the ldapsearch command shown in Listing 4.11 to list the aci values present in the ou=People,dc=example,dc=com entry.

Listing 4.11 Examining aci Values from the Command Line
./ldapsearch -b "ou=People,dc=example,dc=com" -s base "(objectClass=*)" aci
version: 1
dn: ou=People, dc=example,dc=com
aci: (target ="ldap:///ou=People,dc=example,dc=com")(targetattr ="userpassword || telephonenumber || facsimiletelephonenumber")(version 3.0;acl "Allow self entry modification";allow (write)(userdn = "ldap:///self");)
aci: (target ="ldap:///ou=People,dc=example,dc=com")(targetattr !="cn || sn || uid")(targetfilter ="(ou=Accounting)")(version 3.0;acl "Accounting Managers Group Permissions";allow (write) (groupdn = "ldap:///cn=Accounting Managers,ou=groups,dc=example,dc=com");)
aci: (target ="ldap:///ou=People,dc=example,dc=com")(targetattr !="cn || sn || uid")(targetfilter ="(ou=Human Resources)")(version 3.0;acl "HR Group Permissions";allow (write)(groupdn = "ldap:///cn=HR Managers,ou=groups,dc=example,dc=com");)
aci: (target ="ldap:///ou=People,dc=example,dc=com")(targetattr !="cn || sn || uid")(targetfilter ="(ou=Product Testing)")(version 3.0;acl "QA Group Permissions";allow (write)(groupdn = "ldap:///cn=QA Managers,ou=groups,dc=example,dc=com");)
aci: (target ="ldap:///ou=People,dc=example,dc=com")(targetattr !="cn || sn || uid")(targetfilter ="(ou=Product Development)")(version 3.0;acl "Engineering Group Permissions";allow (write)(groupdn = "ldap:///cn=PD Managers,ou=groups,dc=example,dc=com");)
aci: (targetattr = "*") (version 3.0;acl "Proxy permission for Proxy User";allow (proxy)(userdn = "ldap:///uid=PUser,ou=Special Users,dc=example,dc=com");)

The ACI that was just added is the last one. It targets all attributes (*) and grants the proxy right to the entry with the DN uid=PUser,ou=Special Users,dc=example,dc=com. That sounds correct, although you're probably glad you did not have to type it yourself.
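Reviewing aci values by eye does not scale once a subtree carries more than a handful of them, and the proxy right in particular deserves a periodic audit. The following is an added example, not code from the book or from Netscape: a parser for the aci shape used in Listing 4.5 and Listing 4.11 that lists which bind subjects hold a given right and flags any ACI handing a modifying or proxy right to every bind identity. It handles only the single userdn/groupdn bind-rule form shown on this page, and expands "all" to every right except proxy, as the Rights list above states.

```python
import re

# The aci values shown on this page (Listing 4.5 for dc=example,dc=com, Listing 4.11
# for ou=People), each unfolded onto one line; "||" separates targetattr names.
ACIS = [
    '(target ="ldap:///dc=example,dc=com")(targetattr !="userPassword")'
    '(version 3.0;acl "Anonymous read-search access";allow (read, search, compare)'
    '(userdn = "ldap:///anyone");)',
    '(target="ldap:///dc=example,dc=com") (targetattr = "*")(version 3.0; acl '
    '"allow all Admin group"; allow(all) groupdn = '
    '"ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)',
    '(target ="ldap:///ou=People,dc=example,dc=com")(targetattr ="userpassword || '
    'telephonenumber || facsimiletelephonenumber")(version 3.0;acl "Allow self entry '
    'modification";allow (write)(userdn = "ldap:///self");)',
    '(target ="ldap:///ou=People,dc=example,dc=com")(targetattr !="cn || sn || uid")'
    '(targetfilter ="(ou=Accounting)")(version 3.0;acl "Accounting Managers Group '
    'Permissions";allow (write) (groupdn = "ldap:///cn=Accounting Managers,ou=groups,'
    'dc=example,dc=com");)',
    '(target ="ldap:///ou=People,dc=example,dc=com")(targetattr !="cn || sn || uid")'
    '(targetfilter ="(ou=Human Resources)")(version 3.0;acl "HR Group Permissions";'
    'allow (write)(groupdn = "ldap:///cn=HR Managers,ou=groups,dc=example,dc=com");)',
    '(target ="ldap:///ou=People,dc=example,dc=com")(targetattr !="cn || sn || uid")'
    '(targetfilter ="(ou=Product Testing)")(version 3.0;acl "QA Group Permissions";'
    'allow (write)(groupdn = "ldap:///cn=QA Managers,ou=groups,dc=example,dc=com");)',
    '(target ="ldap:///ou=People,dc=example,dc=com")(targetattr !="cn || sn || uid")'
    '(targetfilter ="(ou=Product Development)")(version 3.0;acl "Engineering Group '
    'Permissions";allow (write)(groupdn = "ldap:///cn=PD Managers,ou=groups,'
    'dc=example,dc=com");)',
    '(targetattr = "*") (version 3.0;acl "Proxy permission for Proxy User";'
    'allow (proxy)(userdn = "ldap:///uid=PUser,ou=Special Users,dc=example,dc=com");)',
]

# Per the Rights list on this page, "all" means every right except proxy.
ALL_RIGHTS = {"read", "compare", "search", "selfwrite", "write", "delete", "add"}

CLAUSE_RE = re.compile(r'\(\s*(targetfilter|targetattr|target)\s*(!?=)\s*"([^"]*)"\s*\)')
PERM_RE = re.compile(
    r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;\s*'       # version and ACI name
    r'(allow|deny)\s*\(([^)]*)\)\s*'                           # effect and rights list
    r'\(?\s*(userdn|groupdn)\s*=\s*"([^"]*)"\s*\)?\s*;\s*\)'   # one bind rule
)


def parse_aci(aci):
    """Split one aci value into its target clauses and its permission part.
    Only the shape on this page is handled: optional target/targetattr/targetfilter
    clauses followed by one (version 3.0; acl "name"; allow|deny (rights) bindrule;)
    block with a single userdn or groupdn bind rule. Anything else raises."""
    targets = {key: (op, value) for key, op, value in CLAUSE_RE.findall(aci)}
    m = PERM_RE.search(aci)
    if m is None:
        raise ValueError("unsupported aci syntax: " + aci)
    name, effect, rights, kind, subject = m.groups()
    rights = {r.strip().lower() for r in rights.split(",") if r.strip()}
    if "all" in rights:
        rights = (rights - {"all"}) | ALL_RIGHTS
    return {"name": name, "targets": targets, "effect": effect,
            "rights": rights, "subject": (kind, subject)}


def subjects_with_right(acis, right):
    """List (ACI name, bind subject) for every allow-ACI that grants `right`."""
    return [(p["name"], p["subject"][1])
            for p in map(parse_aci, acis)
            if p["effect"] == "allow" and right in p["rights"]]


def broad_grants(acis):
    """Flag allow-ACIs that hand a modifying or impersonation right to every
    bind identity ("ldap:///anyone" includes unauthenticated binds)."""
    risky = {"write", "add", "delete", "proxy"}
    return [p["name"] for p in map(parse_aci, acis)
            if p["effect"] == "allow"
            and p["subject"][1] in ("ldap:///anyone", "ldap:///all")
            and p["rights"] & risky]


if __name__ == "__main__":
    for name, who in subjects_with_right(ACIS, "proxy"):
        print("proxy right: %s (via ACI %r)" % (who, name))
    print("overly broad ACIs:", broad_grants(ACIS) or "none")
```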

Step 5. Use an ldapmodify command to impersonate Sam Carter and modify his entry. Listing 4.12 shows the command and the result. The entry modification was a success; the same command that failed earlier worked this time.

Listing 4.12 Using Proxied Authorization to Modify an Entry
  ./ldapmodify -v -D "uid=puser,ou=Special Users,dc=example,dc=com" -w "lrtw,YB!" -Y "dn: uid=scarter,ou=People,dc=example,dc=com"
  ldapmodify: started Wed Aug 27 12:24:35 2002
  ldap_init(localhost, 389)
  dn: uid=scarter,ou=People,dc=example,dc=com
  changetype: modify
  replace: userPassword
  userPassword: mySecret42
  -
  replace userPassword:
          mySecret42
  modifying entry uid=scarter,ou=People,dc=example,dc=com
  modify complete
  <Ctrl-C>

You can learn more about Netscape Directory Server's access control features by reading Netscape's documentation.

Changing the Server Configuration Using LDAP

Netscape Directory Server exposes all of its configuration as a series of directory server-specific entries that reside within a subtree named cn=config. The directory server's configuration entries and attributes are documented in Netscape's Directory Server Configuration, Command, and File Reference manual. You can examine all of the stored configuration entries and attributes by viewing the config/dse.ldif file within the server instance directory. You can change the configuration using Netscape Console, by stopping the server and editing the config/dse.ldif file, or by using LDAP modify operations that target the entries within the cn=config subtree.

This section demonstrates how to change a configuration setting using LDAP. Specifically, you will change a setting so that user data can no longer be updated; that is, LDAP add and modify operations will be rejected. Changing configuration settings using LDAP is useful when you're writing automated scripts that help manage a directory service deployment. The setting that you will learn how to change using the ldapmodify command-line utility can also be changed using the Netscape Directory Server console. To find the setting that controls whether the userRoot database will accept or reject LDAP updates, follow these steps:

Step 1. Open the Directory Server console and click on the Configuration tab.

Step 2. Click on the plus sign next to the Data node to reveal its contents. Several nodes will be visible, including Database Link Settings , Database Settings , and dc=example,dc=com .

Step 3. Click on the plus sign next to the dc=example,dc=com node to show its contents. One node named userRoot should be visible.

Step 4. Click on the userRoot node and then on the Database Settings tab on the right-hand side of the console window. The setting you're looking for is now visible as a check box labeled Database is read-only . By default, this is not checked; if it is checked, LDAP operations that change data are rejected by the server.

However, this section shows you how to change the setting without using the console. Follow these steps:

Step 1. Start a Unix shell or a Microsoft Windows command prompt window. On Solaris, type this command:

 cd /export/ds6/shared/bin 
On Microsoft Windows, type this command:

 cd \Netscape\Servers\shared\bin 
If you're using the Windows command prompt, omit the leading "./" sequences from the commands that follow.

The attribute that controls whether a database instance is writable is named nsslapd-readonly, and for the default user database instance it is located in the configuration entry named cn=userRoot,cn=ldbm database,cn=plugins,cn=config (LDBM stands for LDAP Database Manager and is the general name for Netscape's built-in LDAP data store). Entry updates are allowed by default, so the value of nsslapd-readonly is off for all database instances; you will change the value within the userRoot configuration entry to on in order to disable updates for that database instance.

Step 2. Execute the two ldapmodify commands shown in Listing 4.13 to change the nsslapd-readonly setting to on and to test whether updates were indeed disabled. For demonstration purposes, the first ldapmodify command modifies the nsslapd-readonly configuration attribute while authenticated as the Directory Manager entry. That entry has full privileges within Netscape Directory Server; however, the cn=config subtree does support fine-grained access control using the same mechanism as the rest of the Netscape server.

Listing 4.13 Disabling Updates by Modifying a Configuration Entry
  ./ldapmodify -D "cn=Directory Manager" -w secret389
  dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
  changetype: modify
  replace: nsslapd-readonly
  nsslapd-readonly: on
  -
  modifying entry cn=userRoot,cn=ldbm database,cn=plugins,cn=config
  <Ctrl-C>

  ./ldapmodify -D "uid=kvaughan,ou=People,dc=example,dc=com" -w bribery
  dn: uid=dmiller,ou=People,dc=example,dc=com
  changetype: modify
  replace: cn
  cn: Dave Miller
  cn: David Miller
  -
  modifying entry uid=dmiller,ou=People,dc=example,dc=com
  ldap_modify: DSA is unwilling to perform
  ldap_modify: additional info: database is read-only
The second ldapmodify command authenticates as Kirsten Vaughan (kvaughan) and attempts to modify the cn attribute values within David Miller's entry (dmiller). The kvaughan entry is part of a Directory Administrators group that has full access to the entries under the ou=People,dc=example,dc=com subtree. Kirsten's password in the Example.ldif data is "bribery."

Because the David Miller entry is in the userRoot database that has been configured to reject updates, the command fails with the error "DSA is unwilling to perform."

Step 3. Execute the command shown in Listing 4.14 to restore the original configuration setting.

LDAP as a Server Administration Protocol

Exposing an extensive collection of server or application configuration information via LDAP is unusual, but this approach works well for Netscape Directory Server. LDAP is an open protocol that enables remote administration and allows a variety of configuration tools to be developed. Netscape Console communicates with the directory server via LDAP, as do many of Netscape's command-line utilities and scripts. The directory server can check the syntax and range of configuration values before accepting a change, and its powerful access control features can be used to regulate access to the configuration data. In addition, configuration changes take effect instantly; there is no need to restart the server or tell it to read a configuration file.

One potential disadvantage of using LDAP as a server administration protocol is that if intruders are able to get past the LDAP server's access control protection, they can reconfigure the server, but a similar risk exists with any method that supports remote administration.

Listing 4.14 Reenabling Updates by Modifying a Configuration Entry
  ./ldapmodify -D "cn=Directory Manager" -w secret389
  dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
  changetype: modify
  replace: nsslapd-readonly
  nsslapd-readonly: off
  -
  modifying entry cn=userRoot,cn=ldbm database,cn=plugins,cn=config
  <Ctrl-C>

Understanding and Deploying LDAP Directory Services (2nd Edition)
ISBN: 0672323168
Year: 2002
Pages: 242