Red Hat 8.1 Installation Guide


Summary of Contents

Page 1 - Using the Admin Server

Landmann Red Hat Directory Server 8.1 Using the Admin Server with Red Hat Directory Server Edition 8.1.1

Page 2 - Edition 8.1.1

4. Documentation History Revision 8.1.1 September 9, 2009 Ella Deon Lackey Removing any references to the Directory Server Gateway or Org Chart. Revisi

Page 3

Chapter 1. Introduction to Red Hat Admin Server Identity management and directory services with Red Hat Directory Server use three components, working i

Page 4 - Table of Contents

When Red Hat Directory Server or Red Hat Certificate System (which depends on Red Hat Directory Server) is installed, then the Admin Server is automati

Page 5

Chapter 2. Admin Server Configuration The Admin Server is a separate server from Red Hat Directory Server or Red Hat Certificate System, although they w

Page 6

2.2. Starting and Stopping the Admin Server The Admin Server is running when the setup-ds-admin.pl configuration script completes. Avoid stopping and st

Page 7 - 1. Examples and Formatting

There are scripts in the /usr/sbin directory. /usr/sbin/{start|stop|restart}-ds-admin The Admin Server service can also be stopped and started using sys

Page 8 - 2. Additional Reading

TIP It is possible to send the Admin Server URL and port with the start script. For example: /usr/bin/redhat-idm-console -a http://localhost:9830 The a o

Page 9 - 3. Giving Feedback

Admin Server generates two kinds of logs: Access logs. Access logs show requests to and responses from the Admin Server. By default, the file is located

Page 10 - 4. Documentation History

Example 2.1. Example Access Logs 127.0.0.1 - cn=directory manager [23/Dec/2008:19:32:52 -0500] "GET /admin-serv/authenticate HTTP/1.0" 200 33

Page 11

WARNING The path to the log file is absolute and cannot be changed. 5. Click OK to save the changes. 6. Open the Tasks tab, and click the Restart Serv

Page 12

Red Hat Directory Server 8.1 Using the Admin Server with Red Hat Directory Server Edition [email protected] m

Page 13

/usr/lib/mozldap/ldapmodify -D "cn=directory manager" -w secret -p 389 -h server.example.com dn: cn=configuration, cn=admin-serv-example, c

Page 14

is in use, then the setup program will use a randomly-generated number larger than 1024 or one can assign any port number between 1025 and 65535. 2.5.1

Page 15 - /usr/bin/redhat-idm-console

/usr/lib/mozldap/ldapsearch -D "cn=directory manager" -w secret -p 389 -h server.example.com -b "o=NetscapeRoot" "(objectcla

Page 16 - 2.4. Viewing Logs

5. Click the Add button to add another host to the list of allowed computers. To add a hostname, make sure the drop-down list at the top reads Host N

Page 17

NOTE The Admin Server supports both IPv4 and IPv6 addresses. The Admin Server entry can be edited using ldapmodify. To set host restrictions: 1. Get the

Page 18

4. Restart the Admin Server to apply the changes. service dirsrv-admin restart 2.7. Changing the Admin User's Name and Password During installation

Page 19

5. Click Save. 2.8. Working with SSL The Admin Server can run over HTTPS (secure HTTP) if SSL is enabled on the server. There are steps to enabling

Page 20 - 2.5. Changing the Port Number

Server Name. The fully qualified hostname of the Directory Server as it is used in DNS and reverse DNS lookups; for example, server.example.com. The

Page 21

The Next button is grayed out until a password is supplied. 3. The Request Submission dialog box provides two ways to submit a request: directly to t

Page 22

b. Select the Server Certs tab, and click Install. c. Give the absolute path to the certificate (In this file radio button) or paste the certificate

Page 23

Legal Notice Copyright © 2009 Red Hat, Inc. This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License

Page 24

After receiving the CA certificate, use the Certificate Install Wizard to configure the Admin Server to trust the CA. 1. In the Admin Server Console, s

Page 25

4. Click Next to move through the panels that show the CA certificate information and the certificate name. 5. Select the purpose of trusting this cer

Page 26 - 2.8. Working with SSL

1. Open the Admin Server management window. 2. Click the Configuration tab. 3. Click the Encryption tab. 4. Select the Enable SSL for this server che

Page 27 - IMPORTANT

restarted: Starting dirsrv-admin: Please enter password for "internal" token: The Admin Server can use a password file when TLS/SSL is enabled

Page 28

After TLS/SSL is enabled, then the Admin Server can only be connected to using HTTPS. All of the previous HTTP (standard) URLs for connecting to the

Page 29

There can be multiple user directories in a single deployment because using multiple user directories enhances overall performance for organizations wh

Page 30

Every location listed in the LDAP Host and Port field must contain that subtree and the subtree must contain the user information. Optionally, enter the

Page 31 - 2.8.3. Enabling SSL

Chapter 3. Admin Express 3.1. Managing Servers in Admin Express Admin Express provides a quick, simple web-based gateway to do basic management of serve

Page 32

3.1.3. Viewing Server Logs Admin Express can show and search the access and error logs for Directory Server and Admin Server and the audit logs for the

Page 33

3.1.5. Monitoring Replication from Admin Express Admin Express has an option to monitor replication status in real-time, meaning that it shows the numb

Page 34


Page 35

grep \^User /etc/dirsrv/admin-serv/console.conf The configuration file should be readable by the Admin Server user and no other users, so consider reset

Page 36 - 6. Click Save

updates from the supplier; this is the time difference between the supplier and the consumer's max CSNs. When a consumer is in sync with its supplie

Page 37 - Chapter 3. Admin Express

3.2.2. Admin Express Configuration Files The behavior for Admin Express is mostly set through the web server configuration and should not be edited. Th

Page 38 - 3.1.3. Viewing Server Logs

<tr valign="TOP"> <td> </td> <td bgcolor="#9999cc" colspan="4"> <font color="whi

Page 39

Figure 3.8. Monitoring Replication View Page Elements The text for the table headings, labels, and page sections are set in the Perl script. For exampl

Page 40

Figure 3.9. Server Information Page Elements The viewdata.html file is very simple, using only the two directives to insert the server data, plus othe

Page 41

Figure 3.10. Log View Page Elements The page information is set through the inserted directives. The server instance name is set in the ID_TITLE dire

Page 42

Table 3.2. Admin Express Directives Directive Description Example ACCESS_LOG Inserts the server log file. <!-- ACCESS_LOG --> ADMURL <!-- ADMUR

Page 43

STRING_TO_VIEW Inserts a form field to use to set the search string for the logs. <!-- STRING_TO_VIEW --> SUBMIT Inserts a three-button set: to sav

Page 44

Chapter 4. Admin Server Command-Line Tools Red Hat Admin Server has command-line utilities which make it easier to manage the Admin Server without havin

Page 45


Page 46

Location Syntax Tasks and Options JAR Information File Examples of Using modutil Location The modutil tool is located in the /usr/bin folder. Syntax modutil

Page 47

Table 4.1. Task Commands for modutil Tasks Description Allowed Options -add moduleName Adds the named PKCS #11 module to the database. -libfile library

Page 48

must be contained in the named JAR file. The JAR file identifies all files to install, the module name, and mechanism flags. It should also contain any fil

Page 49 - 4.2. modutil

Table 4.2. Options for modutil Option Description -dbdir dbFolder Specifies a folder in which to access or create security module database files. This

Page 50

no one is able to set or change the password on the internal module, because the password is stored in key3.db. When used with the -create command, only a

Page 51

Example 4.1. Example JAR File ForwardCompatible { IRIX:6.2:mips SUNOS:5.5.1:sparc } Platforms { Linux:2.0.32:x86 { ModuleName { "Fortezz

Page 52

Per-File Keys Global Keys Global keys define the platform-specific sections of the JAR information file. There are two global keys: ForwardCompatible

Page 53 - -dbdir /etc/dirsrv/admin-serv

Table 4.3. Mechanisms and Default Mechanism Flags Mechanism Hexadecimal Bitstring Value RSA 0x00000001 DSA 0x00000002 RC2 0x00000004 RC4 0x00000008 DES 0x0

Page 54

itself is specified by the RelativePath or AbsolutePath key. For example, to specify that the setup.exe program (located in the %temp% folder) is an ex

Page 55

modutil -create -dbdir /etc/dirsrv/admin-serv WARNING: Performing this operation while the browser is running could cause corruption of your security d

Page 56 - Linux:5.2.0:x86

Table of Contents 3

Page 57

modutil -enable "Cryptographic Module" -slot "Cryptographic Reader" -dbdir /etc/dirsrv/admin-serv WARNING: Performing this operati

Page 58 - Executable

Platforms { Linux:2.0.32:x86 { ModuleName { "SuperCrypto Module" } ModuleFile { crypto.dll } DefaultMechanismFlags{0x0000}

Page 59

modutil -dbdir "/etc/dirsrv/admin-serv" -jar install.jar -installdir "/etc" WARNING: Performing this operation while the browser i

Page 60

Index A access log - changing location and name - in the command line, Changing the Log Location in the Command Line - in the Console, Changing the Log Nam

Page 61

- command line, Starting and Stopping Admin Server from the Command Line - Console, Starting and Stopping Admin Server from the Console - starting and s

Page 62

E encryption - settings for Admin Server, Working with SSL error log - changing location and name - in the command line, Changing the Log Location in the C

Page 63

modutil - commands - add, modutil - changepw, modutil - create, modutil - default, modutil - delete, modutil - disable, modutil - enable, modutil - fips, modut

Page 64

S sec-activate, sec-activate SSL, Working with SSL - Admin Server password file, Creating a Password File for the Admin Server - certificates, Requesting

Page 65

Preface The Admin Server Guide provides information on using a support administrative server with identity management projects including Red Hat Directo

Page 66

displayed in a prompt. Monospace with a background This type of formatting is used for anything entered or returned in a command prompt. Italicized text An

Page 67

administer Directory Server. The document set for Directory Server contains the following guides: Red Hat Directory Server Release Notes contain importa
