Understanding and Deploying LDAP Directory Services, Second Edition [Electronic resources]

Timothy A. Howes, Mark C. Smith, and Gordon S. Good

A Brief Hands-on Tour of Netscape Directory Server




Now that you have a functioning LDAP server, you can explore its capabilities. Put another way, it is time to shift into second gear. The Netscape server supports all significant LDAP standards, including LDAPv2 (for compatibility with very old applications) and LDAPv3. Netscape also supports many proposed LDAPv3 extensions, which are discussed later in the chapter.


Searching




When you viewed the dc=example,dc=com entries after installing the server, you used the Directory tab within the Netscape Directory Server console. Now add a new entry using that same interface.




Step 1. Return to the Directory tab and select the People node on the left side of the window. Within the Object menu, execute the New User command to open the Create New User window. Using the information shown in Figure 4.6, create a new user named Bugs Bunny. Choose a password such as "@home@WB" (the password is not used in any of the examples in this chapter).


Figure 4.6. Creating a New Entry for Bugs Bunny




Next let's execute some directory searches.



Step 2. Use Netscape Console to search for the entry you just added. Locate the entry labeled People on the left side of the Directory pane. Use the rightmost mouse button to click on the People entry and select Search... from the context menu that appears. Type "Bugs Bunny" in the text field labeled for and press the Enter key.


A search result list with one entry should appear. Feel free to try other searches as well. The Netscape Console search window supports several search modes, including one that allows you to type arbitrary LDAP filters.



Step 3. Search for the same entry using the ldapsearch command-line tool that is bundled with the Netscape server. Start a Unix shell or a Microsoft Windows command prompt window. On Solaris, type these commands:



cd /export/ds6/shared/bin
./ldapsearch -b "dc=example,dc=com" "(cn=Bugs Bunny)"


On Microsoft Windows, type these commands:



cd \Netscape\Servers\shared\bin
ldapsearch -b "dc=example,dc=com" "(cn=Bugs Bunny)"


In the ldapsearch command the argument to the -b option is the search base (dc=example,dc=com), and the last command-line parameter is the LDAP filter (cn=Bugs Bunny), which specifies an exact match on the cn attribute for the string "Bugs Bunny." Listing 4.2 shows the result of this search: one entry in LDIF format.


Listing 4.2 Result of Search for "Bugs Bunny"


version: 1
dn: uid=bbunny,ou=People, dc=example,dc=com
mail: bbunny@example.com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
givenName: Bugs
telephoneNumber: +1 555 555 1212
cn: Bugs Bunny
uid: bbunny
sn: Bunny
facsimileTelephoneNumber: +1 555 555 1299


There are no surprises here. Netscape has standardized on the inetOrgPerson object class defined in RFC 2798 for user entries, so the entry has objectClass: inetorgperson. The entry's RDN is uid=bbunny because by default Netscape Console uses the uid (user id) attribute to name user entries.



Step 4. Try a more complex search. Suppose you want to find all entries that are people in the Product Development department who are located in the Cupertino location. Further, suppose that you want to retrieve only the name, department, and e-mail address of each person. This ldapsearch command will do the job (execute this command, and all ldapsearch commands shown in this chapter, from the same directory as in step 3):



ldapsearch -b "dc=example,dc=com" "(&(ou=Product Development)(L=Cupertino))" cn ou mail


The search filter consists of two equality filters ANDed together, and the list of requested attributes appears at the end of the command line (cn ou mail). This search returns 11 entries. Wouldn't it be nice if they were sorted alphabetically by name? Luckily, ldapsearch supports the LDAPv3 Server-Side Sorting control, and so does Netscape Directory Server.



Step 5. Add the -x option to tell the server to sort the entries before returning them, and add the -Scn option to specify that the cn (common name) attribute should be used as the sort key. Here is the revised ldapsearch command:



ldapsearch -b "dc=example,dc=com" -x -Scn "(&(ou=Product Development)(L=Cupertino))" cn ou mail




Listing 4.3 shows the resulting LDIF output.


Listing 4.3 Search Results Sorted by Name


version: 1
dn: uid=aworrell, ou=People, dc=example,dc=com
cn: Alan Worrell
ou: Product Development
ou: People
mail: aworrell@example.com

dn: uid=aknutson, ou=People, dc=example,dc=com
cn: Ashley Knutson
ou: Product Development
ou: People
mail: aknutson@example.com

dn: uid=bjensen, ou=People, dc=example,dc=com
cn: Barbara Jensen
cn: Babs Jensen
ou: Product Development
ou: People
mail: bjensen@example.com

dn: uid=cwallace, ou=People, dc=example,dc=com
cn: Cecil Wallace
ou: Product Development
ou: People
mail: cwallace@example.com

dn: uid=jmuffly, ou=People, dc=example,dc=com
cn: Jeff Muffly
ou: Product Development
ou: People
mail: jmuffly@example.com

dn: uid=jcampaig, ou=People, dc=example,dc=com
cn: Jody Campaigne
ou: Product Development
ou: People
mail: jcampaig@example.com

dn: uid=jbourke, ou=People, dc=example,dc=com
cn: Jon Bourke
ou: Product Development
ou: People
mail: jbourke@example.com

dn: uid=mlangdon, ou=People, dc=example,dc=com
cn: Marcus Langdon
ou: Product Development
ou: People
mail: mlangdon@example.com

dn: uid=mtalbot, ou=People, dc=example,dc=com
cn: Martin Talbot
ou: Product Development
ou: People
mail: mtalbot@example.com

dn: uid=smason, ou=People, dc=example,dc=com
cn: Sue Mason
ou: Product Development
ou: People
mail: smason@example.com

dn: uid=speterso, ou=People, dc=example,dc=com
cn: Sue Peterson
ou: Product Development
ou: People
mail: speterso@example.com
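Steps 2 through 5 show what the server does with a filter, a search scope and the Server-Side Sorting control. The following Python block is an added example (not the book's code and not a Netscape tool): it parses LDIF as ldapsearch prints it, evaluates the filters used above client-side, and applies the -s scope, the -S sort key and the attribute list. It runs against a constructed three-entry directory built from names in the listings; the l (location) values are assumed, since the listings do not show them.

```python
"""Client-side model of the ldapsearch runs above: parse LDIF as ldapsearch prints it,
evaluate the filter, apply the scope, the -S sort and the attribute list.
Added example with a constructed directory, not the book's code."""
import re

def normalize_dn(dn):
    return ",".join(p.strip() for p in dn.split(",")).lower()   # loose DN comparison

def parse_ldif(text):
    """Entries as {attr_lowercase: [values]} ('dn' included). Continuation lines
    (leading space) are joined; comments and the 'version:' header are skipped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith(("#", "version:")):
            name, _, value = line.partition(":")
            cur.setdefault(name.strip().lower(), []).append(value.strip())
    return entries

def parse_filter(s, i=0):
    """Recursive-descent parser for an RFC 4515 filter: equality, presence, &, |, !.
    Returns (node, next_offset); node is ('&'|'|'|'!', [kids]) or ('=', attr, value)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        node = (op, kids)
    else:
        j = s.index(")", i)                    # a ')' inside a value must be escaped as \29
        attr, _, value = s[i:j].partition("=")
        value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
        node, i = ("=", attr.strip().lower(), value), j
    if s[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return node, i + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (caseIgnore equality, '*' = presence)."""
    if node[0] == "!":
        return not matches(node[1][0], entry)
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
    values = entry.get(node[1], [])
    return bool(values) if node[2] == "*" else any(v.lower() == node[2].lower() for v in values)

def search(entries, base, filt, scope="sub", attrs=None, sort_attr=None):
    """Emulate: ldapsearch -b base -s scope [-S sort_attr] filt [attrs...]."""
    node, base_n = parse_filter(filt.strip())[0], normalize_dn(base)

    def in_scope(dn):                          # -s base | one | sub
        dn_n = normalize_dn(dn)
        return {"base": dn_n == base_n, "one": dn_n.partition(",")[2] == base_n,
                "sub": dn_n == base_n or dn_n.endswith("," + base_n)}[scope]

    hits = [e for e in entries if in_scope(e["dn"][0]) and matches(node, e)]
    if sort_attr:                              # what the Server-Side Sorting control does for -S
        hits.sort(key=lambda e: e.get(sort_attr.lower(), [""])[0].lower())
    if attrs:
        want = {a.lower() for a in attrs} | {"dn"}
        hits = [{k: v for k, v in e.items() if k in want} for e in hits]
    return hits

# Constructed sample directory (names from Listings 4.2 and 4.3; l values are assumed).
SAMPLE_LDIF = """\
version: 1
dn: ou=People, dc=example,dc=com
objectClass: organizationalunit
ou: People

dn: uid=bjensen, ou=People, dc=example,dc=com
objectClass: inetorgperson
cn: Barbara Jensen
cn: Babs Jensen
ou: Product Development
l: Cupertino
mail: bjensen@example.com

dn: uid=bbunny,ou=People, dc=example,dc=com
objectClass: inetorgperson
cn: Bugs Bunny
ou: Product Development
l: Cupertino
mail: bbunny@example.com
"""

ENTRIES = parse_ldif(SAMPLE_LDIF)
```

Calling search(ENTRIES, "dc=example,dc=com", "(&(ou=Product Development)(L=Cupertino))", attrs=["cn", "ou", "mail"], sort_attr="cn") reproduces the shape of Listing 4.3 for the sample data.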


Manipulating Netscape Directory Server Databases




Netscape Directory Server uses a high-performance embedded database to store data, and it allows multiple database instances to be active at the same time. Each database instance has a unique name and stores data for one naming context (one subtree within the DIT). The Typical installation used earlier in the chapter created two database instances:




  1. NetscapeRoot. Holds configuration and administration information that may be shared by more than one Netscape server.

  2. userRoot. Holds the data that you load into the directory. Earlier in the chapter, you chose dc=example,dc=com as the naming context for your data.





Netscape Console has full support for creating and maintaining databases. This section shows how to manipulate directory databases from the command line.




Step 1. Before executing any of the commands shown, ensure that the current working directory is the slapd-example instance directory. Start a Unix shell or a Microsoft Windows command prompt window. On Solaris, type this command:



cd /export/ds6/slapd-example


On Microsoft Windows, type this command:



cd \Netscape\Servers\slapd-example


In the commands that follow, all of the leading "./" sequences should be omitted if you're working on Microsoft Windows.



Step 2. First use the suffix2instance command to display a list of active suffixes (naming contexts) and their corresponding Netscape Directory Server databases:



./suffix2instance -s ""


The -s "" parameter (an empty DN) says that all suffixes are to be listed; if you wanted to list suffixes under only a specific subtree, you would include the subtree DN after the -s. The output produced is


Suffix, Instance name pair(s) under "":
suffix "o=NetscapeRoot"; instance name "NetscapeRoot"
suffix "dc=example,dc=com"; instance name "userRoot"


Step 3. Shut down the server using the stop-slapd command and replace the contents of the userRoot database with new data, a process known as bulk-loading. Listing 4.4 shows how to use Netscape's ldif2db command to load the Example.ldif file that is bundled with the server. The commands you need to type are shown in bold.




Listing 4.4 Bulk-Loading of Example.ldif Using the ldif2db Command




./stop-slapd


./ldif2db -n userRoot -i - <ldif/Example.ldif
importing data ...
[26/Aug/2002:16:04:18 -0500] - import userRoot: Index buffering enabled with bucket size 15
[26/Aug/2002:16:04:18 -0500] - import userRoot: Beginning import job...
[26/Aug/2002:16:04:18 -0500] - import userRoot: Processing file stdin
[26/Aug/2002:16:04:19 -0500] - import userRoot: Finished scanning file stdin (160 entries)
[26/Aug/2002:16:04:19 -0500] - import userRoot: Workers finished; cleaning up...
[26/Aug/2002:16:04:22 -0500] - import userRoot: Workers cleaned up.
[26/Aug/2002:16:04:22 -0500] - import userRoot: Cleaning up producer thread...
[26/Aug/2002:16:04:22 -0500] - import userRoot: Indexing complete. Post-processing...
[26/Aug/2002:16:04:22 -0500] - import userRoot: Flushing caches...
[26/Aug/2002:16:04:22 -0500] - import userRoot: Closing files...
[26/Aug/2002:16:04:22 -0500] - import userRoot: Import complete. Processed 160 entries in 4 seconds. (40.00 entries/sec)



The -n userRoot parameter selects the userRoot database instance, -i - indicates that the LDIF file is provided on standard input, and <ldif/Example.ldif causes the shell to send the contents of the Example.ldif file to ldif2db's standard input.


Listing 4.5 demonstrates the reverse process (creating an LDIF file from an existing database). On Windows, ensure that a directory named \tmp exists in the root of the drive where you installed Netscape Directory Server, or use a different pathname for the example-dump.ldif output file.


Listing 4.5 Dumping a Database Using the db2ldif Command



./db2ldif -n userRoot -a /tmp/example-dump.ldif
ldiffile: /tmp/example-dump.ldif
[26/Aug/2002:16:35:28 -0500] - export userRoot: Processed 160 entries (100%).


more < /tmp/example-dump.ldif
version: 1
# entry-id: 1
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example
aci: (target ="ldap:///dc=example,dc=com")(targetattr !="userPassword")(version 3.0;acl "Anonymous read-search access";allow (read, search, compare)(userdn = "ldap:///anyone");)
aci: (target="ldap:///dc=example,dc=com") (targetattr = "*")(version 3.0; acl "allow all Admin group"; allow(all) groupdn = "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)
nsUniqueId: 093e751b-1dd211b2-80000000-00000000

# entry-id: 2
dn: ou=Groups, dc=example,dc=com
objectClass: top
objectClass: organizationalunit
ou: Groups
nsUniqueId: 093e751c-1dd211b2-80000000-00000000

# entry-id: 3
dn: cn=Directory Administrators, ou=Groups, dc=example,dc=com
cn: Directory Administrators
objectClass: top
objectClass: groupofuniquenames
ou: Groups
uniqueMember: uid=kvaughan, ou=People, dc=example,dc=com
uniqueMember: uid=rdaugherty, ou=People, dc=example,dc=com
uniqueMember: uid=hmiller, ou=People, dc=example,dc=com
nsUniqueId: 093e751d-1dd211b2-80000000-00000000
--More(2%)



The -n userRoot parameter indicates that entries within the default directory database should be extracted (-s "dc=example,dc=com" may be used instead to extract the entries on the basis of the LDAP subtree that contains them). The -a /tmp/example-dump.ldif parameter names the output file. Alternatively, -a - says that the output should be sent to standard output, in which case >example-dump.ldif tells the shell to capture the output in a file named example-dump.ldif.


Listing 4.5 shows the first portion of the file, as viewed using the more command. Each entry in the LDIF file includes an nsUniqueID attribute, which is an operational attribute that holds a global unique identifier (GUID) generated by Netscape Directory Server. The nsUniqueID values are used internally by Netscape to support replication and are preserved when entries are renamed. These values may also be used by LDAP clients that need to track entries without relying on the entry's DN. Listing 4.6 shows how to dump a Netscape Directory Server database in Directory Services Markup Language (DSML) format rather than LDIF format. DSML is an XML-based format for representing directory data.


Listing 4.6 Dumping a Database Using the db2dsml Command




./db2dsml -n userRoot -a /tmp/example-dump.dsml
ldiffile: -
[26/Aug/2002:16:41:12 -0500] - export userRoot: Processed 160 entries (100%).


more < /tmp/example-dump.dsml
<?xml version="1.0" encoding="UTF-8" ?>
<dsml:dsml xmlns:dsml="http://www.dsml.org/DSML">
<dsml:directory-entries>
<dsml:entry dn="dc=example,dc=com">
<dsml:objectclass>
<dsml:oc-value>top</dsml:oc-value>
<dsml:oc-value>domain</dsml:oc-value>
</dsml:objectclass>
<dsml:attr name="dc">
<dsml:value>example</dsml:value>
</dsml:attr>
<dsml:attr name="nsuniqueid">
<dsml:value>093e751b-1dd211b2-80000000-00000000</dsml:value>
</dsml:attr>
<dsml:attr name="aci">
<dsml:value>(target ="ldap:///dc=example,dc=com")(targetattr != "userPassword")(version 3.0;acl "Anonymous read-search access" ;allow (read, search, compare)(userdn = "ldap:///anyone");)</dsml:value>
<dsml:value>(target="ldap:///dc=example,dc=com") (targetattr = "*")(version 3.0; acl "allow all Admin group"; allow(all) groupdn = "ldap:///cn=Directory Administrators,ou=Groups, dc=example,dc=com";)</dsml:value>
</dsml:attr>
</dsml:entry>
<dsml:entry dn="ou=Groups, dc=example,dc=com">
<dsml:objectclass>
<dsml:oc-value>top</dsml:oc-value>
<dsml:oc-value>organizationalunit</dsml:oc-value>
</dsml:objectclass>
<dsml:attr name="nsuniqueid">
<dsml:value>093e751c-1dd211b2-80000000-00000000</dsml:value>
</dsml:attr>
<dsml:attr name="ou">
<dsml:value>Groups</dsml:value>
</dsml:attr>
</dsml:entry>
<dsml:entry dn="cn=Directory Administrators, ou=Groups, dc=example,dc=com">
<dsml:objectclass>
<dsml:oc-value>top</dsml:oc-value>
<dsml:oc-value>groupofuniquenames</dsml:oc-value>
</dsml:objectclass>
<dsml:attr name="cn">
<dsml:value>Directory Administrators</dsml:value>
</dsml:attr>
<dsml:attr name="nsuniqueid">
<dsml:value>093e751d-1dd211b2-80000000-00000000</dsml:value>
</dsml:attr>
<dsml:attr name="uniquemember">
<dsml:value>uid=kvaughan, ou=People, dc=example,dc=com</dsml:value>
<dsml:value>uid=rdaugherty, ou=People, dc=example,dc=com</dsml:value>
<dsml:value>uid=hmiller, ou=People, dc=example,dc=com</dsml:value>
</dsml:attr>
<dsml:attr name="ou">
<dsml:value>Groups</dsml:value>
</dsml:attr>
</dsml:entry>
--More(1%)



The DSML output is more verbose than LDIF, but it is useful if you want to work with XML-savvy tools and with other applications that understand XML. See Chapter 3, LDAPv3 Extensions, for more information about DSML.


Another important database maintenance task is creating backups of the data. Netscape supports hot backups, that is, backups that are performed while the directory server is running and accepting updates. The Netscape server stores its active database files under a subdirectory named db, and the hot backup process makes a transactionally consistent copy of all the files.




Step 1. While the server is running, use the db2bak command as shown in Listing 4.7 to create a complete backup of the directory data. The sample run is from a Solaris system. Each .db3 file stores some entry data or an attribute index; on Microsoft Windows the pathnames of the files will be different.


Listing 4.7 Starting the Server and Creating a Backup




./start-slapd


./db2bak
[26/Aug/2002:17:01:21 -0500] - Backing up file 1 (/export/ds6/slapd-example/bak/2002_08_26_17_01_20/userRoot/id2entry.db3)
[26/Aug/2002:17:01:21 -0500] - Backing up file 2 (/export/ds6/slapd-example/bak/2002_08_26_17_01_20/userRoot/entrydn.db3)
[26/Aug/2002:17:01:21 -0500] - Backing up file 3 (/export/ds6/slapd-example/bak/2002_08_26_17_01_20/userRoot/parentid.db3)
[26/Aug/2002:17:01:21 -0500] - Backing up file 4 (/export/ds6/slapd-example/bak/2002_08_26_17_01_20/userRoot/aci.db3)
[26/Aug/2002:17:01:21 -0500] - Backing up file 5 (/export/ds6/slapd-example/bak/2002_08_26_17_01_20/userRoot/uid.db3)
[26/Aug/2002:17:01:21 -0500] - Backing up file 6 (/export/ds6/slapd-example/bak/2002_08_26_17_01_20/userRoot/nsUniqueId.db3)
[26/Aug/2002:17:01:21 -0500] - Backing up file 7 (/export/ds6/slapd-example/bak/2002_08_26_17_01_20/userRoot/objectclass.db3)
[26/Aug/2002:17:01:21 -0500] - Backing up file 8 (/export/ds6/slapd-example/bak/2002_08_26_17_01_20/userRoot/mail.db3)
[26/Aug/2002:17:01:21 -0500] - Backing up file 9 (/export/ds6/slapd-example/bak/2002_08_26_17_01_20/userRoot/cn.db3)
...
[26/Aug/2002:17:01:22 -0500] - Backing up file 25 (/export/ds6/slapd-example/bak/2002_08_26_17_01_20/NetscapeRoot/sn.db3)
[26/Aug/2002:17:01:22 -0500] - Backing up file 26 (/export/ds6/slapd-example/bak/2002_08_26_17_01_20/NetscapeRoot/givenName.db3)
[26/Aug/2002:17:01:22 -0500] - Backing up file 27 (/export/ds6/slapd-example/bak/2002_08_26_17_01_20/NetscapeRoot/uid.db3)
[26/Aug/2002:17:01:22 -0500] - Backing up file 28 (/export/ds6/slapd-example/bak/2002_08_26_17_01_20/NetscapeRoot/uniquemember.db3)
[26/Aug/2002:17:01:22 -0500] - Backing up file 29 (/export/ds6/slapd-example/bak/2002_08_26_17_01_20/log.0000000001)
[26/Aug/2002:17:01:22 -0500] - Backing up file 30 (/export/ds6/slapd-example/bak/2002_08_26_17_01_20/DBVERSION)


The db2bak command creates a consistent copy of all the database files. By default, the files are stored under a directory in the file system named according to the current date and time (/export/ds6/slapd-example/bak/2002_08_26_17_01_20/ in the sample run shown).



Step 2. If running on Microsoft Windows, use the commands shown in Listing 4.8 to restore the directory server data from the backup you created. First, stop the server using the stop-slapd command (databases cannot be restored while the server is running). Next, simulate loss of the active database files by using the del or rm command to remove all of the .db3 files. Finally, execute the bak2db command to restore the database files from the backup.


Listing 4.8 Restoring a Database from a Backup




stop-slapd


del /S/Q db\*.db3
Deleted file - C:\Netscape\Servers\slapd-example\db\DBVERSION
Deleted file - C:\Netscape\Servers\slapd-example\db\log.0000000001
Deleted file - C:\Netscape\Servers\slapd-example\db\NetscapeRoot\aci.db3
Deleted file - C:\Netscape\Servers\slapd-example\db\NetscapeRoot\ancestorid.db3
Deleted file - C:\Netscape\Servers\slapd-example\db\NetscapeRoot\cn.db3
...
Deleted file - C:\Netscape\Servers\slapd-example\db\userRoot\parentid.db3
Deleted file - C:\Netscape\Servers\slapd-example\db\userRoot\sn.db3
Deleted file - C:\Netscape\Servers\slapd-example\db\userRoot\telephoneNumber.db3
Deleted file - C:\Netscape\Servers\slapd-example\db\userRoot\uid.db3
Deleted file - C:\Netscape\Servers\slapd-example\db\userRoot\uniquemember.db3


bak2db C:\Netscape\Servers\slapd-example\bak\2002_08_26_170120
[27/Aug/2002:10:06:40 -0500] - Restoring file 1 (C:/Netscape/Servers/slapd-example/db/DBVERSION)
[27/Aug/2002:10:06:40 -0500] - Restoring file 2 (C:/Netscape/Servers/slapd-example/db/log.0000000001)
[27/Aug/2002:10:06:43 -0500] - Restoring file 3 (C:/Netscape/Servers/slapd-example/db/NetscapeRoot/aci.db3)
[27/Aug/2002:10:06:43 -0500] - Restoring file 4 (C:/Netscape/Servers/slapd-example/db/NetscapeRoot/ancestorid.db3)
[27/Aug/2002:10:06:43 -0500] - Restoring file 5 (C:/Netscape/Servers/slapd-example/db/NetscapeRoot/cn.db3)
[27/Aug/2002:10:06:43 -0500] - Restoring file 6 (C:/Netscape/Servers/slapd-example/db/NetscapeRoot/entrydn.db3)
[27/Aug/2002:10:06:43 -0500] - Restoring file 7 (C:/Netscape/Servers/slapd-example/db/NetscapeRoot/givenName.db3)
[27/Aug/2002:10:06:43 -0500] - Restoring file 8 (C:/Netscape/Servers/slapd-example/db/NetscapeRoot/id2entry.db3)
[27/Aug/2002:10:06:43 -0500] - Restoring file 9 (C:/Netscape/Servers/slapd-example/db/NetscapeRoot/nsUniqueId.db3)
...
[27/Aug/2002:10:06:43 -0500] - Restoring file 25 (C:/Netscape/Servers/slapd-example/db/userRoot/objectclass.db3)
[27/Aug/2002:10:06:43 -0500] - Restoring file 26 (C:/Netscape/Servers/slapd-example/db/userRoot/parentid.db3)
[27/Aug/2002:10:06:43 -0500] - Restoring file 27 (C:/Netscape/Servers/slapd-example/db/userRoot/sn.db3)
[27/Aug/2002:10:06:43 -0500] - Restoring file 28 (C:/Netscape/Servers/slapd-example/db/userRoot/telephoneNumber.db3)
[27/Aug/2002:10:06:43 -0500] - Restoring file 29 (C:/Netscape/Servers/slapd-example/db/userRoot/uid.db3)
[27/Aug/2002:10:06:43 -0500] - Restoring file 30 (C:/Netscape/Servers/slapd-example/db/userRoot/uniquemember.db3)


If running on Solaris, use the following commands instead of the ones shown in Listing 4.8:




./stop-slapd


rm -rf db/*/*.db3


./bak2db /export/ds6/slapd-example/bak/2002_08_26_17_01_20


The pathname used in the bak2db command must match that produced by the db2bak command you already executed. If necessary, perform a directory listing of the bak directory to find the correct name.



Step 3. Execute the start-slapd and ldapsearch commands shown in Listing 4.9 to restart the server and perform a quick one-level search to verify that the data has been restored. The commands and output shown are from a Windows system. The output indicates that the restore was successful.




Listing 4.9 Checking That the Data Has Been Restored


start-slapd
C:\Netscape\Servers\slapd-example>net start slapd-example
The Netscape Directory Server 6 (example) service is starting.
The Netscape Directory Server 6 (example) service was started successfully.


cd \Netscape\Servers\shared\bin


ldapsearch -v -b "dc=example,dc=com" -s one "(objectClass=*)"
version: 1
dn: ou=Groups, dc=example,dc=com
objectClass: top
objectClass: organizationalunit
ou: Groups

dn: ou=People, dc=example,dc=com
objectClass: top
objectClass: organizationalunit
ou: People

dn: ou=Special Users,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Special Users
description: Special Administrative Accounts

dn: ou=Netscape Servers,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Netscape Servers
description: Standard branch for Netscape Server registration


Controlling Access to Directory Data




Netscape Directory Server allows directory administrators to control access to all data in the DIT down to the entry, attribute, and value levels. Access control instructions are stored in operational attributes named aci. The aci attributes may appear in any entry, and by default they affect all entries within the subtree where they are stored. For example, access control instructions that are stored in the entry dc=example,dc=com govern access to all entries at and below dc=example,dc=com, such as those within ou=People,dc=example,dc=com and within ou=Groups,dc=example,dc=com.


This section introduces Netscape Directory Server's access control mechanism by demonstrating how to add an access control instruction to allow one entry to impersonate another. The actual impersonation is done using the LDAP Proxied Authorization control (see Chapter 3, LDAPv3 Extensions, for more information on this control). The Netscape access control mechanism uses a set of operation-specific rights to control access. To be able to use the Proxied Authorization control, the entry must have proxy rights for the entry you wish to impersonate.


Typically, the proxy right is granted to an administrative entry or to an entry that represents a software application. Follow these steps to add a special user to which you will grant the proxy right:




Step 1. Start Netscape Console if it is not already running, and log in, entering "cn=Directory Manager" as the DN and "secret389" as the password.



Step 2. Open the Directory Server Administration Console for the sample server by clicking the Directory tab, and click to expand the directory node labeled example. You should see four organizational unit entries: Groups, People, Special Users, and Netscape Servers.



Step 3. Select Special Users by clicking it. On the Object menu, choose the New User command. Create a user named "Proxy User" and give it the password "lrtw,YB!". Figure 4.7 shows how the Create New User screen should look before you click the OK button.


Figure 4.7. Creating a New Entry Named "Proxy User"





Step 4. Confirm that the new user is not yet able to act as a proxy for other entries. The tests performed rely on the fact that access control instructions to allow people to modify their own entry are included in the Example.ldif file. Listing 4.10 shows two ldapmodify commands that both authenticate as the Proxy User entry and attempt to change the userPassword attribute within Sam Carter's entry. The first command does not use Proxied Authorization; the second one does. The text you need to type is shown in bold. Press return twice to insert a blank line after the "-" character that appears on a line by itself. On Microsoft Windows, omit the leading "./" from the commands.




Listing 4.10 Failed Attempts to Modify an Entry




./ldapmodify -D "uid=puser,ou=Special Users,dc=example,dc=com" -w "lrtw,YB!"
dn: uid=scarter,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: mySecret42
-

modifying entry uid=scarter,ou=People,dc=example,dc=com
ldap_modify: Insufficient access
ldap_modify: additional info: Insufficient 'write' privilege to the 'userPassword' attribute of entry 'uid=scarter,ou=people,dc=example,dc=com'.


./ldapmodify -D "uid=puser,ou=Special Users,dc=example,dc=com" -w "lrtw,YB!" -Y "dn: uid=scarter,ou=People,dc=example,dc=com"
dn: uid=scarter,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: mySecret42
-

modifying entry uid=scarter,ou=People,dc=example,dc=com
ldap_modify: Insufficient access
ldap_modify: additional info: Insufficient 'write' privilege to the 'userPassword' attribute of entry 'uid=scarter,ou=people,dc=example,dc=com'.



The first ldapmodify command failed because the Proxy User entry is treated just like any other entry, and therefore it does not have permission to modify Sam Carter's entry. The second ldapmodify command failed because Proxy User does not yet have permission to impersonate other users, which makes using the -Y (Proxied Authorization) option unhelpful. If the server allowed Proxy User to impersonate Sam Carter, Proxy User would be able to modify Sam's entry (just as Sam Carter himself could).


Next, follow these steps to begin the process of adding a new access control instruction (ACI) to the ou=People,dc=example,dc=com subtree:




Step 1. Return to the Netscape Directory Server console Directory tab and select the node labeled People.



Step 2. From the Object menu, choose the Set Access Permissions command. A Manage Access Control window will open. It shows a list of five access control instructions, which are included in the Example.ldif file.



Step 3. Click the New button. Figure 4.8 shows the Edit ACI window that opens. This window has an ACI Name field, as well as five tabs:




  1. Users/Groups. Allows you to add users and groups that are given the rights granted by this access control instruction. By default, the set of users and groups is set to All Users.

  2. Rights. Allows you to specify what the users and groups are allowed to do. The available rights are these:

    • read. See attribute values, for example, by asking that an attribute be returned from an LDAP search operation.

    • compare. Compare attribute values, for example, by using an LDAP compare operation.

    • search. Determine if attribute values exist, for example, by using an attribute within an LDAP search filter.

    • selfwrite. Allow an entry to add its own DN to an attribute.

    • write. Modify attributes, for example, by using an LDAP modify operation.

    • delete. Remove entries by using an LDAP delete operation.

    • add. Add entries by using an LDAP add operation.

    • proxy. Impersonate another entry by using the LDAPv3 Proxied Authorization control.

    By default, the new ACI grants all rights except proxy.

  3. Targets. Allows you to limit the set of entries and attributes that this access control instruction governs. For example, you can specify that an ACI governs only the userPassword attribute of entries that match the filter (objectClass=inetOrgPerson). By default, the ACI affects all entries at and below the entry that contains the aci attribute, and all attributes within those entries.

  4. Hosts. Allows you to limit access based on the LDAP client's host name or IP address. By default, all hosts are treated the same.

  5. Times. Allows you to limit access based on time of day and day of the week. For example, you could limit access to the hours 8 A.M. to 6 P.M. on weekdays. By default, no time- or day-based restrictions are enforced.




Figure 4.8. The Netscape Directory Server Console Edit ACI Window







Next, follow these steps to grant the proxy right to Proxy User:




Step 1. Type the phrase "Proxy permission for Proxy User" in the ACI Name text field.



Step 2. Make sure the Users/Groups tab is active and that All Users is selected. Click the Remove button to delete "All Users" and then click the Add button to open the Add Users and Groups window. Search for the Proxy User entry and add it to the access permission list. Click the OK button to close the Add Users and Groups window.



Step 3. Click the Rights tab and make sure Proxy is the only right checked (you must uncheck all the other rights and then check Proxy). Click the OK button to save your new access control instruction. Figure 4.9 shows the updated Manage Access Control window that includes your new proxy permission ACI.


Figure 4.9. The Manage Access Control Window for ou=People,dc=example,dc=com





Step 4. Using Netscape Console to manage access control simplifies the process considerably and allows you to avoid the messy syntax of the aci attributes. Use the ldapsearch command shown in Listing 4.11 to list the aci values present in the ou=People,dc=example,dc=com entry.


Listing 4.11 Examining aci Values from the Command Line




./ldapsearch -b "ou=People,dc=example,dc=com" -s base "(objectClass=*)" aci
version: 1
dn: ou=People, dc=example,dc=com
aci: (target ="ldap:///ou=People,dc=example,dc=com")(targetattr ="userpassword || telephonenumber || facsimiletelephonenumber")(version 3.0;acl "Allow self entry modification";allow (write)(userdn = "ldap:///self");)
aci: (target ="ldap:///ou=People,dc=example,dc=com")(targetattr !="cn || sn || uid")(targetfilter ="(ou=Accounting)")(version 3.0;acl "Accounting Managers Group Permissions";allow (write) (groupdn = "ldap:///cn=Accounting Managers,ou=groups,dc=example,dc=com");)
aci: (target ="ldap:///ou=People,dc=example,dc=com")(targetattr !="cn || sn || uid")(targetfilter ="(ou=Human Resources)")(version 3.0;acl "HR Group Permissions";allow (write)(groupdn = "ldap:///cn=HR Managers,ou=groups,dc=example,dc=com");)
aci: (target ="ldap:///ou=People,dc=example,dc=com")(targetattr !="cn ||sn || uid")(targetfilter ="(ou=Product Testing)")(version 3.0;acl "QA Group Permissions";allow (write)(groupdn = "ldap:///cn=QA Managers,ou=groups,dc=example,dc=com");)
aci: (target ="ldap:///ou=People,dc=example,dc=com")(targetattr !="cn || sn || uid")(targetfilter ="(ou=Product Development)")(version 3.0;acl "Engineering Group Permissions";allow (write)(groupdn = "ldap:///cn=PD Managers,ou=groups,dc=example,dc=com");)
aci: (targetattr = "*") (version 3.0;acl "Proxy permission for Proxy User";allow (proxy)(userdn = "ldap:///uid=PUser,ou=Special Users,dc=example,dc=com");)


The ACI that was just added is the last one. It targets all attributes (*) and grants the proxy right to the entry with the DN uid=PUser,ou=Special Users,dc=example,dc=com. That sounds correct, although you're probably glad you did not have to type it yourself.
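The six values above are the complete access control picture for ou=People, and reading them by eye is exactly the chore the console spares you. What follows is an added example, not code from the book or from the Netscape tools, that parses Netscape-style aci values, summarizes what each one grants and to whom, and then lists the grants an administrator would want to review: proxy or all rights, and write access to every attribute (a targetattr of "*", or a negated attribute list, which covers any attribute not named in it, userPassword included). The sample input is the six aci values from Listing 4.11 joined back onto single lines. The regular expressions cover the one-keyword bind rules shown here; handling of compound bind rules (and/or, ip, dns, authmethod) is an assumption and is limited to listing the keyword=value pairs found.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample input: the six aci values returned in Listing 4.11, each joined
# back onto one line (the listing wraps them only for display; the server returns
# every value whole).
SAMPLE_ACIS = [
    '(target ="ldap:///ou=People,dc=example,dc=com")(targetattr ="userpassword || '
    'telephonenumber || facsimiletelephonenumber")(version 3.0;acl "Allow self entry '
    'modification";allow (write)(userdn = "ldap:///self");)',
    '(target ="ldap:///ou=People,dc=example,dc=com")(targetattr !="cn || sn || uid")'
    '(targetfilter ="(ou=Accounting)")(version 3.0;acl "Accounting Managers Group '
    'Permissions";allow (write) (groupdn = "ldap:///cn=Accounting Managers,ou=groups,'
    'dc=example,dc=com");)',
    '(target ="ldap:///ou=People,dc=example,dc=com")(targetattr !="cn || sn || uid")'
    '(targetfilter ="(ou=Human Resources)")(version 3.0;acl "HR Group Permissions";'
    'allow (write)(groupdn = "ldap:///cn=HR Managers,ou=groups,dc=example,dc=com");)',
    '(target ="ldap:///ou=People,dc=example,dc=com")(targetattr !="cn ||sn || uid")'
    '(targetfilter ="(ou=Product Testing)")(version 3.0;acl "QA Group Permissions";'
    'allow (write)(groupdn = "ldap:///cn=QA Managers,ou=groups,dc=example,dc=com");)',
    '(target ="ldap:///ou=People,dc=example,dc=com")(targetattr !="cn || sn || uid")'
    '(targetfilter ="(ou=Product Development)")(version 3.0;acl "Engineering Group '
    'Permissions";allow (write)(groupdn = "ldap:///cn=PD Managers,ou=groups,'
    'dc=example,dc=com");)',
    '(targetattr = "*") (version 3.0;acl "Proxy permission for Proxy User";'
    'allow (proxy)(userdn = "ldap:///uid=PUser,ou=Special Users,dc=example,dc=com");)',
]

TARGET_RE = re.compile(r'\(\s*(target|targetattr|targetfilter)\s*(!?=)\s*"([^"]*)"\s*\)')
NAME_RE = re.compile(r'acl\s+"([^"]*)"')
RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*(.*?);', re.DOTALL)
BIND_RE = re.compile(r'(userdn|groupdn|roledn|userattr)\s*(!?=)\s*"([^"]*)"')


@dataclass
class Aci:
    name: str
    target: str | None
    targetattr: list[str]      # attribute names, lowercased
    attr_negated: bool         # True when written as (targetattr != "...")
    targetfilter: str | None
    rules: list[tuple[str, list[str], list[tuple[str, str, str]]]]
    # each rule: ("allow" | "deny", [permissions], [(keyword, "=" | "!=", value)])


def parse_aci(text: str) -> Aci:
    """Extract target, attribute list, filter, name and allow/deny rules from one
    Netscape-style aci value. Compound bind rules are not modelled (assumption):
    only the keyword=value pairs they contain are listed."""
    target = targetfilter = None
    targetattr: list[str] = []
    negated = False
    for key, op, value in TARGET_RE.findall(text):
        if key == "target":
            target = value
        elif key == "targetfilter":
            targetfilter = value
        else:
            targetattr = [a.strip().lower() for a in value.split("||")]
            negated = op == "!="
    m = NAME_RE.search(text)
    name = m.group(1) if m else ""
    body = text[m.end():] if m else text  # skip the name so "allow" inside it cannot match
    rules = []
    for kind, perms, bind in RULE_RE.findall(body):
        permissions = [p.strip().lower() for p in perms.split(",")]
        rules.append((kind, permissions, BIND_RE.findall(bind)))
    return Aci(name, target, targetattr, negated, targetfilter, rules)


def audit(acis: list[Aci]) -> list[str]:
    """One line per ACI whose grant deserves review: proxy or all rights, or write
    access to every attribute (targetattr "*" or a negated attribute list)."""
    findings = []
    for aci in acis:
        for kind, perms, binds in aci.rules:
            if kind != "allow":
                continue
            who = ", ".join(f"{k}{op}{v}" for k, op, v in binds) or "no bind rule"
            if "proxy" in perms or "all" in perms:
                findings.append(f"{aci.name}: grants {'/'.join(perms)} to {who}")
            elif "write" in perms and (aci.targetattr == ["*"] or aci.attr_negated):
                scope = ("all attributes" if aci.targetattr == ["*"]
                         else "all attributes except " + ", ".join(aci.targetattr))
                findings.append(f"{aci.name}: write to {scope} for {who}")
    return findings


if __name__ == "__main__":
    for line in audit([parse_aci(a) for a in SAMPLE_ACIS]):
        print(line)
```

Run against the Listing 4.11 output, the audit reports the four manager-group ACIs (write to everything but cn, sn and uid on their part of the tree) and the new proxy grant to uid=PUser; the self-modification ACI, which names its three attributes explicitly, is not flagged. To audit a live server, feed it the aci values from the same ldapsearch shown in Listing 4.11, one value per string.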



Step 5. Use an ldapmodify command to impersonate Sam Carter and modify his entry. Listing 4.12 shows the command and the result. The entry modification was a success; the same command that failed earlier worked this time.




Listing 4.12 Using Proxied Authorization to Modify an Entry




./ldapmodify -v -D "uid=puser,ou=Special Users,dc=example,dc=com" -w "lrtw,YB!" -Y "dn:uid=scarter,ou=People,dc=example,dc=com"
ldapmodify: started Wed Aug 27 12:24:35 2002
ldap_init( localhost, 389 )
dn: uid=scarter,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: mySecret42
-
replace userPassword:
mySecret42
modifying entry uid=scarter,ou=People,dc=example,dc=com
modify complete

<Ctrl-C>



You can learn more about Netscape Directory Server's access control features by reading Netscape's documentation.


Changing the Server Configuration Using LDAP




Netscape Directory Server exposes all of its configuration as a series of directory server-specific entries that reside within a subtree named cn=config. The directory server's configuration entries and attributes are documented in Netscape's Directory Server Configuration, Command, and File Reference manual. You can examine all of the stored configuration entries and attributes by viewing the config/dse.ldif file within the server instance directory. You can change the configuration using Netscape Console, by stopping the server and editing the config/dse.ldif file, or by using LDAP modify operations that target the entries within the cn=config subtree.


This section demonstrates how to change a configuration setting using LDAP. Specifically, you will change a setting so that user data can no longer be updated; that is, LDAP add and modify operations will be rejected. Changing configuration settings using LDAP is useful when you're writing automated scripts that help manage a directory service deployment. The setting that you will learn how to change using the ldapmodify command-line utility can also be changed using the Netscape Directory Server console. To find the setting that controls whether the userRoot database will accept or reject LDAP updates, follow these steps:




Step 1. Open the Directory Server console and click on the Configuration tab.


Step 2. Click on the plus sign next to the Data node to reveal its contents. Several nodes will be visible, including Database Link Settings, Database Settings, and dc=example,dc=com.


Step 3. Click on the plus sign next to the dc=example,dc=com node to show its contents. One node named userRoot should be visible.


Step 4. Click on the userRoot node and then on the Database Settings tab on the right-hand side of the console window. The setting you're looking for is now visible as a check box labeled Database is read-only. By default, this is not checked; if it is checked, LDAP operations that change data are rejected by the server.





However, this section shows you how to change the setting without using the console. Follow these steps:




Step 1. Start a Unix shell or a Microsoft Windows command prompt window. On Solaris, type this command:



cd /export/ds6/shared/bin


On Microsoft Windows, type this command:



cd \Netscape\Servers\shared\bin


If you're using the Windows command prompt, omit the leading "./" sequences from the commands that follow.


The attribute that controls whether a database instance is writable is named nsslapd-readonly, and for the default user database instance it is located in the configuration entry named cn=userRoot,cn=ldbm database,cn=plugins,cn=config (LDBM stands for LDAP Database Manager and is the general name for Netscape's built-in LDAP data store). Entry updates are allowed by default, so the value of nsslapd-readonly is off for all database instances; you will change the value within the userRoot configuration entry to on in order to disable updates for that database instance.



Step 2. Execute the two ldapmodify commands shown in Listing 4.13 to change the nsslapd-readonly setting to on and to test whether updates were indeed disabled. For demonstration purposes, the first ldapmodify command modifies the nsslapd-readonly configuration attribute while authenticated as the Directory Manager entry. That entry has full privileges within Netscape Directory Server; however, the cn=config subtree does support fine-grained access control using the same mechanism as the rest of the Netscape server.


Listing 4.13 Disabling Updates by Modifying a Configuration Entry



./ldapmodify -D "cn=Directory Manager" -w secret389
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: modify
replace: nsslapd-readonly
nsslapd-readonly: on
-
modifying entry cn=userRoot,cn=ldbm database,cn=plugins,cn=config

<Ctrl-C>

./ldapmodify -D "uid=kvaughan,ou=People,dc=example,dc=com" -w bribery
dn: uid=dmiller,ou=People,dc=example,dc=com
changetype: modify
replace: cn
cn: Dave Miller
cn: David Miller
-
modifying entry uid=dmiller,ou=People,dc=example,dc=com
ldap_modify: DSA is unwilling to perform
ldap_modify: additional info: database is read-only


The second ldapmodify command authenticates as Kirsten Vaughan (kvaughan) and attempts to modify the cn attribute values within David Miller's entry (dmiller). The kvaughan entry is part of a Directory Administrators group that has full access to the entries under the ou=People,dc=example,dc=com subtree. Kirsten's password in the Example.ldif data is "bribery."


Because the David Miller entry is in the userRoot database that has been configured to reject updates, the command fails with the error "DSA is unwilling to perform."



Step 3. Execute the command shown in Listing 4.14 to restore the original configuration setting.






LDAP as a Server Administration Protocol



Exposing an extensive collection of server or application configuration information via LDAP is unusual, but this approach works well for Netscape Directory Server. LDAP is an open protocol that enables remote administration and allows a variety of configuration tools to be developed. Netscape Console communicates with the directory server via LDAP, as do many of Netscape's command-line utilities and scripts. The directory server can check the syntax and range of configuration values before accepting a change, and its powerful access control features can be used to regulate access to the configuration data. In addition, configuration changes take effect instantly; there is no need to restart the server or tell it to read a configuration file.


One potential disadvantage of using LDAP as a server administration protocol is that if intruders are able to get past the LDAP server's access control protection, they can reconfigure the server, but a similar risk exists with any method that supports remote administration.



Listing 4.14 Reenabling Updates by Modifying a Configuration Entry



./ldapmodify -D "cn=Directory Manager" -w secret389
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: modify
replace: nsslapd-readonly
nsslapd-readonly: off
-
modifying entry cn=userRoot,cn=ldbm database,cn=plugins,cn=config

<Ctrl-C>
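When the read-only toggle is scripted, as the section suggests for automated management, it is worth checking the state of every backend instance before and after the change rather than trusting that the modify went through, and worth making sure only the intended instance was touched. The following is an added example, not code from the book or from Netscape, that reads backend instances out of LDIF in the form config/dse.ldif uses (a constructed fragment is embedded as sample input), generates the same change record that Listings 4.13 and 4.14 feed to ldapmodify, and applies it in memory so the before/after state can be verified offline. The apply_replace function is a stand-in for the server; in a real run the record goes to ldapmodify and the state is re-read with an ldapsearch against cn=config. The minimal LDIF reader is an assumption: it joins folded lines but does not handle base64 ("::") or URL ("<") values.

```python
import re

# Constructed sample: a fragment of config/dse.ldif in the shape the section describes
# (backend instances under cn=ldbm database,cn=plugins,cn=config). Attribute sets are
# trimmed; a real dse.ldif carries many more attributes per entry.
SAMPLE_DSE = """\
dn: cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
cn: ldbm database

dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsBackendInstance
cn: userRoot
nsslapd-suffix: dc=example,dc=com
nsslapd-readonly: off

dn: cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsBackendInstance
cn: NetscapeRoot
nsslapd-suffix: o=NetscapeRoot
nsslapd-readonly: off
"""

BACKEND_PARENT = "cn=ldbm database,cn=plugins,cn=config"


def parse_ldif(text):
    """Minimal LDIF reader: list of (dn, {attr: [values]}) with attribute names
    lowercased. Folded lines (leading space) are joined; base64 ('::') and
    URL ('<') values are not handled (assumption)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]          # continuation of the previous line
            elif line and not line.startswith("#"):
                lines.append(line)
        dn, attrs = None, {}
        for line in lines:
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "dn":
                dn = value
            else:
                attrs.setdefault(key, []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def readonly_backends(text):
    """Map each LDBM backend instance name to its nsslapd-readonly value ('on'/'off')."""
    state = {}
    for dn, attrs in parse_ldif(text):
        if dn.lower().endswith("," + BACKEND_PARENT) and "nsslapd-readonly" in attrs:
            state[attrs["cn"][0]] = attrs["nsslapd-readonly"][0].lower()
    return state


def readonly_change(backend, readonly):
    """LDIF change record, in the form Listings 4.13 and 4.14 feed to ldapmodify,
    that replaces nsslapd-readonly on one backend instance."""
    return (f"dn: cn={backend},{BACKEND_PARENT}\n"
            "changetype: modify\n"
            "replace: nsslapd-readonly\n"
            f"nsslapd-readonly: {'on' if readonly else 'off'}\n"
            "-\n")


def apply_replace(text, change):
    """Apply a single 'replace' change record to LDIF text in memory. This stands in
    for the server so the before/after state can be checked offline; against a live
    server the record goes to ldapmodify and the state is re-read with ldapsearch."""
    target_dn = attr = value = None
    for line in change.splitlines():
        key, _, val = line.partition(":")
        key, val = key.strip().lower(), val.strip()
        if key == "dn":
            target_dn = val.lower()
        elif key == "replace":
            attr = val.lower()
        elif attr and key == attr:
            value = val
    out, in_target = [], False
    for line in text.splitlines():
        key, _, val = line.partition(":")
        if key.lower() == "dn":
            in_target = val.strip().lower() == target_dn
        if in_target and key.lower() == attr:
            line = f"{key}: {value}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", readonly_backends(SAMPLE_DSE))
    change = readonly_change("userRoot", True)
    print(change)
    print("after: ", readonly_backends(apply_replace(SAMPLE_DSE, change)))
```

Because cn=config honors the same access control mechanism as the rest of the server, the account a script binds with to send readonly_change's output through ldapmodify can be limited to writing nsslapd-readonly on that one backend entry instead of using Directory Manager as the listings do for demonstration.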


