THESE eKIT MATERIALS ARE FOR YOUR USE IN THIS CLASSROOM ONLY.

COPYING eKIT MATERIALS FROM THIS COMPUTER IS STRICTLY PROHIBITED

Oracle Directory Server EE 11gR1: Maintenance and Operations

Activity Guide

D68336GC10

Edition 1.0

September 2010

D69028

Oracle University and QUASIUS INVESTMENT CORP use only

Copyright 2010, Oracle and/or its affiliates. All rights reserved.

Authors
David Goldsmith
Steve Friedberg

Technical Contributor and Reviewer
Etienne Remillon

Editors
Malavika Jinka
Raj Kumar

Graphic Designer
Satish Bettegowda

Publishers
Jayanthy Keshavamurthy
Michael Sebastian Almeida
Sumesh Koshy

Disclaimer

This document contains proprietary information and is protected by copyright and other intellectual property laws. You may copy and print this document solely for your own use in an Oracle training course. The document may not be modified or altered in any way. Except where your use constitutes "fair use" under copyright law, you may not use, share, download, upload, copy, print, display, perform, reproduce, publish, license, post, transmit, or distribute this document in whole or in part without the express authorization of Oracle.

The information contained in this document is subject to change without notice. If you find any problems in the document, please report them in writing to: Oracle University, 500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not warranted to be error-free.

Restricted Rights Notice

If this documentation is delivered to the United States Government or anyone using the documentation on behalf of the United States Government, the following notice is applicable:

U.S. GOVERNMENT RIGHTS

The U.S. Government's rights to use, modify, reproduce, release, perform, display, or disclose these training materials are restricted by the terms of the applicable Oracle license agreement and/or the applicable U.S. Government contract.

Trademark Notice

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
Table of Contents

About This Workbook ..... Preface-xi
Lab Goals ..... Preface-xi
Conventions ..... Preface-xiii
Icons ..... Preface-xiii
Typographical Conventions ..... Preface-xiv
Additional Conventions ..... Preface-xv

Introducing Oracle Directory Server EE 11gR1 ..... Lab 1-1
Objectives ..... Lab 1-1
Exercise 1: Installing Oracle Directory Server EE 11gR1 ..... Lab 1-2
Preparation ..... Lab 1-2
Task 1: Examining Your Lab System ..... Lab 1-3
Task 2: Installing Directory Server EE and Creating a Directory Server Instance ..... Lab 1-5
Task 3: Updating the Schema ..... Lab 1-8
Task 4: Populating the Database ..... Lab 1-11
Exercise 2: Installing DSCC ..... Lab 1-14
Task 1: Installing a Tomcat Web Container ..... Lab 1-14
Task 2: Installing DSCC ..... Lab 1-17
Task 3: Examining LDIF and Configuration Files ..... Lab 1-22
Exercise Summary ..... Lab 1-25
Exercise Solutions ..... Lab 1-26
Exercise 2: Installing DSCC ..... Lab 1-26

Searching and Modifying Directory Content ..... Lab 2-1
Objectives ..... Lab 2-1
Exercise: Searching and Modifying Directory Data ..... Lab 2-2
Preparation ..... Lab 2-2
Task 1: Restarting Zones and Servers ..... Lab 2-2
Task 2: Verifying That the PATH Environment Variable References the Desired LDAP Utilities ..... Lab 2-3
Task 3: Searching the Directory ..... Lab 2-4
Task 4: Using the ldapmodify Utility ..... Lab 2-6
Exercise Summary ..... Lab 2-9
Exercise Solutions ..... Lab 2-10

Using Directory Server EE Log Files ..... Lab 3-1
Objectives ..... Lab 3-1
Exercise: Using Directory Server EE Log Files to Diagnose LDIF Errors ..... Lab 3-2
Preparation ..... Lab 3-2
Task 1: Restarting Zones and Servers ..... Lab 3-3
Task 2: Using the Directory Server EE Logs to Diagnose LDIF Errors ..... Lab 3-4
Task 3: Configuring Logging Options ..... Lab 3-7
Task 4: Using the logconv Utility to Analyze Directory Server EE Access Logs ..... Lab 3-11
Exercise Summary ..... Lab 3-14
Exercise Solutions ..... Lab 3-15

Securing Directory Server EE Access ..... Lab 4-1
Objectives ..... Lab 4-1
Exercise 1: Diagnosing ACI Problems ..... Lab 4-2
Preparation ..... Lab 4-3
Task 1: Restarting Zones and Servers ..... Lab 4-3
Task 2: Fixing an ACI ..... Lab 4-4
Task 3: Retrieving Jeff Vedder's Directory Access Permissions ..... Lab 4-6
Task 4: Retrieving Sam Carter's Directory Access Permissions ..... Lab 4-6
Task 5: Examining Current ACIs to Find the Cause of Problems ..... Lab 4-7
Task 6: Planning Your ACI Changes ..... Lab 4-9
Task 7: Making ACI Modifications ..... Lab 4-11
Task 8: Verifying That Your ACI Changes Fixed the Problems ..... Lab 4-13
Exercise 2: Configuring Connection-based Access Control ..... Lab 4-15
Preparation ..... Lab 4-15
Task: Configuring Connection-based Access Control ..... Lab 4-15
Exercise Summary ..... Lab 4-19
Exercise Solutions ..... Lab 4-20

Enforcing Password Policies ..... Lab 5-1
Objectives ..... Lab 5-1
Exercise: Enforcing Directory Server EE Password and Account Lockout Policies ..... Lab 5-2
Preparation ..... Lab 5-3
Task 1: Restarting Zones and Servers ..... Lab 5-3
Task 2: Configuring Password Settings and Account Lockout ..... Lab 5-4
Task 3: Testing the Global Password Policy ..... Lab 5-6
Task 4: Assigning a Password Policy to a User ..... Lab 5-10
Task 5: Activating and Deactivating an Account ..... Lab 5-12
Exercise Summary ..... Lab 5-14
Exercise Solutions ..... Lab 5-15

Using Certificates With Directory Server EE ..... Lab 6-1
Objectives ..... Lab 6-1
Exercise 1: Viewing and Managing SSL Settings and Certificates ..... Lab 6-2
Preparation ..... Lab 6-2
Task 1: Restarting Zones and Servers ..... Lab 6-3
Task 2: Viewing and Managing SSL Settings and Certificates ..... Lab 6-4
Exercise 2: Using the ldapsearch Utility Over SSL ..... Lab 6-8
Preparation ..... Lab 6-8
Task: Using the ldapsearch Utility Over SSL ..... Lab 6-8
Exercise 3: Using the dsconf Utility Over SSL ..... Lab 6-10
Preparation ..... Lab 6-10
Task: Using the dsconf Utility Over SSL ..... Lab 6-10
Exercise Summary ..... Lab 6-13

Backing Up and Restoring Directory Data ..... Lab 7-1
Objectives ..... Lab 7-1
Exercise: Backing Up and Restoring Directory Data ..... Lab 7-2
Preparation ..... Lab 7-2
Task 1: Restarting Zones and Servers ..... Lab 7-3
Task 2: Backing Up and Restoring Directory Data From the Command Line ..... Lab 7-4
Task 3: Exporting and Importing a Suffix From the Command Line ..... Lab 7-6
Task 4: Creating a New Database and Importing LDIF Data ..... Lab 7-8
Exercise Summary ..... Lab 7-13

Replicating Directory Server EE Data ..... Lab 8-1
Objectives ..... Lab 8-1
Overview ..... Lab 8-2
Exercise 1: Setting Up Three-Way Multimaster Replication ..... Lab 8-4
Preparation ..... Lab 8-5
Task 1: Restarting Zones and Servers ..... Lab 8-5
Task 2: Preparing the Existing Directory Server Instance for Replication ..... Lab 8-6
Task 3: Setting Up Multimaster Replication With Command-line Tools ..... Lab 8-8
Task 4: Setting Up Multimaster Replication With DSCC ..... Lab 8-16
Exercise 2: Monitoring Replication Using DSCC and Directory Server EE Utilities ..... Lab 8-21
Task 1: Using DSCC to Monitor Replication Agreements ..... Lab 8-21
Task 2: Using the repldisc Utility to Discover a Replication Topology ..... Lab 8-22
Task 3: Using the insync Utility to Examine Synchronization State ..... Lab 8-23
Task 4: Using the dsconf Utility to Show Replication Agreement Status ..... Lab 8-24
Task 5: Pausing and Restarting Replication ..... Lab 8-25
Task 6: Using the entrycmp Utility to Compare Directory Entries ..... Lab 8-27
Exercise Summary ..... Lab 8-29

Tuning Directory Server EE Performance ..... Lab 9-1

Configuring Failover and Load Balancing Using a Directory Proxy Server ..... Lab 10-1
Exercise 1: Configuring Failover Using a Directory Proxy Server ..... Lab 10-2
Preparation ..... Lab 10-2
Task 1: Restarting Zones and Servers ..... Lab 10-3
Task 2: Creating a Directory Proxy Server ..... Lab 10-4
Task 3: Creating Data Sources ..... Lab 10-6
Task 4: Creating a Data Source Pool ..... Lab 10-7
Task 5: Creating a Data View ..... Lab 10-9
Task 6: Confirming That Failover Is Working ..... Lab 10-10
Exercise 2: Configuring Proportional Load Balancing ..... Lab 10-14
Task 1: Creating a Different Data Source Pool ..... Lab 10-14
Task 2: Reconfiguring the Data View ..... Lab 10-16
Task 3: Confirming That Proportional Load Balancing Is Working ..... Lab 10-17
Exercise 3: Configuring Load Balancing Using the Command-line Interface ..... Lab 10-19
Task 1: Configuring Operation Type Load Balancing Using the Command-line Interface ..... Lab 10-20
Task 2: Monitoring Operation Type Load Balancing ..... Lab 10-23
Task 3: Creating a Data Pool with Equal Load Balancing (Optional) ..... Lab 10-25
Exercise Summary ..... Lab 10-27

Configuring Virtualization Using a Directory Proxy Server ..... Lab 11-1
Business Requirements For This Lab ..... Lab 11-2
Exercise 1: Creating an LDAP Data View ..... Lab 11-5
Preparation ..... Lab 11-6
Task 1: Restarting Zones and Servers ..... Lab 11-7
Task 2: Stopping Unused Servers and Disabling Unused Data Sources and Data Views ..... Lab 11-8
Task 3: Creating the dsm6 Directory Server Instance ..... Lab 11-9
Task 4: Creating the Data Source, Data Source Pool, and Data View ..... Lab 11-12
Exercise 2: Creating a Joined LDAP/LDIF View ..... Lab 11-16
Task 1: Creating an LDIF Data View ..... Lab 11-16
Task 2: Hiding An Attribute in a Data View ..... Lab 11-19
Task 3: Creating Attribute Data Transformations ..... Lab 11-19
Task 4: Configuring a Join Data View ..... Lab 11-22
Task 5: Restricting Access Using a Connection Handler ..... Lab 11-24
Exercise 3: Accessing Relational Database Data Through a Directory Proxy Server ..... Lab 11-29
Task 1: Installing and Configuring MySQL and the MySQL JDBC Driver ..... Lab 11-29
Task 2: Configuring a JDBC Data View ..... Lab 11-33
Task 3: Emulating LDAP Schema for the JDBC Data View ..... Lab 11-35
Task 4: Writing to a Relational Database Using a JDBC Data View ..... Lab 11-40
Exercise Summary ..... Lab 11-44

Migrating to Oracle Directory Server EE 11gR1 ..... Lab 12-1
Objectives ..... Lab 12-1
Exercise: Migrating From Sun Directory Server 5.2 to Oracle Directory Server EE 11gR1 (Optional) ..... Lab 12-2
Preparation ..... Lab 12-3
Task 1: Restarting the zone01 Zone ..... Lab 12-4
Task 2: Installing Directory Server 5.2 ..... Lab 12-4
Task 3: Migrating Directory Server 5.2 to Directory Server EE 11gR1 ..... Lab 12-6
Task 4: Confirming That Migration Was Successful ..... Lab 12-9
Exercise Summary ..... Lab 12-10

Working With the Solaris Sandbox ..... Lab A-1
Objectives ..... Lab A-1
Starting, Logging In to, and Logging Out of Solaris Sandbox Zones ..... Lab A-2
Overview of Solaris OS Zones ..... Lab A-2
Solaris Sandbox Zones ..... Lab A-2
Zone Management Commands in the Solaris Sandbox ..... Lab A-3
Starting Servers ..... Lab A-4
Starting the Common Agent Container (CACAO) ..... Lab A-4
Starting the DSCC Registry Directory Server Instance ..... Lab A-4
Starting the Tomcat Web Container That Hosts the DSCC Web Application ..... Lab A-4
Starting the dsm1 Directory Server Instance ..... Lab A-4
Starting the dsm2 Directory Server Instance ..... Lab A-4
Starting the dsm3 Directory Server Instance ..... Lab A-4
Starting the dps1 Directory Proxy Server ..... Lab A-5
Assessing the State of Your Lab System: Lab 1 ..... Lab A-6
Assessing the State of Your Lab System: Labs After Lab 1 ..... Lab A-7
Starting the Solaris Sandbox ..... Lab A-8
Bringing the Solaris Sandbox to the Starting Point for Doing a Lab ..... Lab A-9

About This Workbook

Lab Goals

After completing this course, you should be able to:

• Install Oracle Directory Server Enterprise Edition (Directory Server EE, ODSEE)
• Install Directory Service Control Center (DSCC)
• Search and modify directory data
• Use Directory Server EE log files to diagnose LDAP Data Interchange Format (LDIF) errors
• Diagnose access control instruction (ACI) problems
• Configure connection-based access control
• Enforce Directory Server EE password and account lockout policies
• View and manage SSL settings and certificates
• Use the ldapsearch utility over SSL
• Use the dsconf utility over SSL
• Back up and restore Directory Server EE databases
• Set up three-way multimaster replication
• Monitor replication using DSCC and Directory Server EE utilities
• Create a three-tier replication topology (optional)
• Promote consumer replicas and create five-way multimaster replication (optional)
• Configure failover using a directory proxy server
• Configure proportional load-balancing
• Configure load-balancing using the command-line interface
• Create an LDAP data view
• Create a joined LDAP/LDIF view
• Access relational database data through a directory proxy server
• Migrate from an older version of Directory Server EE to Directory Server EE 11gR1 (optional)

Conventions

The following conventions are used in this course to represent various training elements and alternative learning resources.

Icons

Additional resources: Indicates other references that provide additional information on the topics described in the module.

Discussion: Indicates that a small-group or class discussion on the current topic is recommended at this time.

Note: Indicates additional information that can help students but is not crucial to their understanding of the concept being described. Students should be able to understand the concept or complete the task without this information. Examples of notational information include keyword shortcuts and minor system adjustments.

Caution: Indicates that there is a risk of personal injury from a nonelectrical hazard, or a risk of irreversible damage to data, software, or the operating system. A caution indicates that a hazard might occur (as opposed to being certain to occur), depending on the action of the user.

Typographical Conventions

Courier is used for the names of commands, files, directories, programming code, and on-screen computer output; for example:
    Use ls -al to list all files.
    system% You have mail.

Courier is also used to indicate programming constructs, such as class names, methods, and keywords; for example:
    The getServletInfo method gets author information.
    The java.awt.Dialog class contains the Dialog constructor.

Courier bold is used for characters and numbers that you type; for example:
    To list the files in this directory, type:
    # ls

Courier bold is also used for each line of programming code that is referenced in a textual description; for example:
    1 import java.io.*;
    2 import javax.servlet.*;
    3 import javax.servlet.http.*;
    Notice that the javax.servlet interface is imported to allow access to its lifecycle methods (Line 2).

Courier italics is used for variables and command-line placeholders that are replaced with a real name or value; for example:
    To delete a file, use the rm filename command.

Courier italic bold represents variables whose values are to be entered by the student as part of an activity; for example:
    Type chmod a+rwx filename to grant read, write, and execute rights for filename to world, group, and users.

Palatino italics is used for book titles, new words or terms, or words that you want to emphasize; for example:
    Read Chapter 6 in the User's Guide.
    These are called class options.

Additional Conventions

Java programming language examples use the following additional conventions:

• Courier is used for the class names, methods, and keywords.
• Method names are not followed with parentheses unless a formal or actual parameter list is shown; for example:
    The doIt method... refers to any method called doIt.
    The doIt() method... refers to a method called doIt that takes no arguments.
• Line breaks occur only where there are separations (commas), conjunctions (operators), or white space in the code. Broken code is indented four spaces under the starting code.

Lab 1

Introducing Oracle Directory Server EE 11gR1

Objectives

After completing this lab, you should be able to:

• Install Oracle Directory Server EE 11gR1
• Install the Directory Service Control Center (DSCC)

Exercise 1: Installing Oracle Directory Server EE 11gR1

In this exercise, you explore your lab system and review the software binaries and student files that are available on this system. Then you install Directory Server EE and create a directory server instance. You customize the instance's schema so that you can explore using customized object classes and attributes in subsequent labs. Finally, you populate the instance with the sample directory data.

Perform the following tasks:

• Task 1: Examining Your Lab System
• Task 2: Installing Directory Server EE and Creating a Directory Server Instance
• Task 3: Updating the Schema
• Task 4: Populating the Database

Preparation

The following section contains the information you need and describes the actions you take before proceeding to the first task in this exercise.

Prerequisite Labs

There are no prerequisite labs for performing this lab.

Assessing the State of Your Lab System

Using Table A-1 on page A-6 in Working With the Solaris Sandbox, assess the state of your lab system, then take any additional actions described in the table.

Task 1: Examining Your Lab System

In this task, you examine your lab system, validating that it is set up correctly. You also implement a custom profile for the root user.

Complete the following steps to examine the lab environment for your machine:

1. Start VirtualBox. From the Linux desktop menu bar, select Applications > System Tools > Sun VirtualBox.

2. If the License dialog appears, scroll to the bottom of the text and click I Agree.

3. When the Registration dialog appears, close the window by clicking the X in the top right corner.

4. Select Machine D68336GC10 and click Start. If you see a message about the Auto capture keyboard option, click OK to dismiss it.

5. Don't do anything while the text login screens proceed; wait until the GUI login screen appears. Log in as the root user. The password is cangetin.

6. Read the following sections in Appendix A, Working With the Solaris Sandbox:
    • Starting, Logging In to, and Logging Out of Solaris Sandbox Zones on page A-2
    • Zone Management Commands in the Solaris Sandbox on page A-3
    These sections describe Solaris Operating System (Solaris OS) zones, and how to use zones when you work in the Solaris Sandbox.

7. Open a terminal window by right-clicking on the open Solaris desktop.

8. If you did not run the lab -p command as part of step 6, do so now. The lab -p command prepares the Solaris Sandbox zones for networking and GUI display.

    Note: You can run the lab -p command multiple times during a Solaris Sandbox session without any ill effect.

9. Boot the zone01 zone:
    global # zoneadm -z zone01 boot

10. Log into the zone01 zone:
    global # zlogin zone01

11. Make sure that you are logged in to the zone01 zone.

    The prompt in the terminal window indicates which zone you are logged into. For example:
    zone01 #

12. Review the /opt/ses/shared/software and /opt/ses/shared/lab directories:
    # ls /opt/ses/shared/software
    # ls /opt/ses/shared/lab
    Subdirectories in the /opt/ses/shared/software directory contain software that you install when doing these labs. The /opt/ses/shared/lab directory contains files for doing the labs.

13. Start a Web browser on your lab system:
    # firefox &
    If the browser is unsuccessful in trying to open a home page, click the browser Stop icon.

14. Browse the Directory Server EE 11g (7.0) documentation, which is installed on your lab system, using the following URL:
    file:///opt/ses/shared/lab/docs/Contents.html
    You can refer to the documentation at any time for more information while you are doing the labs.

15. Verify that no CATALINA environment variable is currently set:
    # env | grep CATALINA
    No value is returned.

16. Append the custom profile file for these labs to the root user's .profile file:
    # cat /opt/ses/shared/lab/profile >> /.profile
    The customized .profile file provides a PATH environment variable and other environment variables that lessen the amount of typing required when doing the labs.

17. Make the new .profile file available in your current shell:
    # chmod +x /.profile
    # source /.profile

18. Confirm that the new profile is available by displaying the new values of the environment variables whose names start with the string CATALINA:
    # env | grep CATALINA
    CATALINA_HOME=/tomcat
    CATALINA_BASE=/tomcat
    CATALINA_OPTS=-Djava.awt.headless=true

Task 2 Installing Directory Server EE and Creating a Directory Server Instance
In this task, you install Directory Server EE and create a directory server instance.
Complete the following steps in the zone01 zone:
1. Unzip the Directory Server EE binaries into the /opt directory:
# cd /opt
# unzip /opt/ses/shared/software/dsee-7.0/sun-dsee7.zip
Even though this is version 11gR1, the software identifies itself as version 7.0
throughout.

2. Verify the path of some commonly used Directory Server EE utilities that
you use in these labs:
# which dsadm
/opt/dsee7/bin/dsadm
# which dsconf
/opt/dsee7/bin/dsconf
# which dpadm
/opt/dsee7/bin/dpadm

Note In the previous task, you updated the PATH environment for the root
user. The new PATH value includes the locations for the dsadm, dsconf, and
dpadm utilities. If you did not get the expected results from the which command,
you probably need to return to step 17 in Task 1 Examining Your Lab System
and properly execute the .profile file.
3. Create the directory in which you store Directory Server EE instances in
these labs:
# mkdir /local

4. Create a directory server instance, specifying the /local/dsm1 directory
as the instance path:
Caution Make sure that you use the number 1 and not the letter l in the
/local/dsm1 directory name.
# dsadm create -p 1389 -P 1636 /local/dsm1
The following appears in the terminal window:
Warning: This platform is not supported by Directory Server 7.
Type sunlearning and press Return.
The following appears in the terminal window:
Confirm the Directory Manager password:
Type sunlearning and press Return.
Note The message, Warning: This platform is not supported by
Directory Server 7, appears when you run the dsadm utility in this course.
The reason for this message is that 32-bit Solaris 10 OS running on x86
architecture is not supported for Directory Server EE 7.0 production use.
Running Directory Server EE 7.0 on 32-bit Solaris 10 OS x86 systems has been
tested by Sun engineering and is available for lightweight uses, such as training
and proof of concepts.
Running Directory Server EE 7.0 on 32-bit Solaris 10 OS x86 systems lets you
deploy the Solaris Sandbox, the platform for these labs, on any modern host
operating system.


5. Install a special message set that lets you run Directory Server EE
administration utilities without the warning message that appeared in the
preceding step:
# cd /opt/dsee7
# unzip /opt/ses/shared/software/ \
dsee-7.0-extras/resources.zip

Note This course uses the \ character at the ends of lines in example commands
to indicate line continuation. When you see a command in multiple lines, each
ending with the \ character, enter the command on a single line, without pressing
Enter. Do not type the \ character when entering the command.
The following prompt appears in the terminal window:
Archive: /opt/ses/shared/software/dsee-7.0-extras/resources.zip
replace resources/dsadmin/dsadmin_zh_CN.res? [y]es,
[n]o, [A]ll, [N]one, [r]ename:
Type A and press Return.
Note The special message set is for training purposes only.
6. Confirm that you created the directory server instance and installed the
special message set correctly:
# dsadm info /local/dsm1
The following output appears in the terminal window:
Instance Path:        /local/dsm1
Owner:                root(root)
Non-secure port:      1389
Secure port:          1636
Bit format:           32-bit
State:                Stopped
DSCC url:
SMF application name:
Instance version:     D-A10
The message, Warning: This platform is not supported by Directory Server 7,
should not appear in the terminal window.


Task 3 Updating the Schema


In the previous task, you installed the Directory Server EE software and created a
directory server instance. Many deployments of Directory Server EE implement
custom schema. When using custom schema, you must configure Directory
Server EE to recognize the custom schema.
In this task, you update Directory Server EE schema definitions to include several
custom object class and attribute definitions.
Complete the following steps in the zone01 zone:
1. View the /local/dsm1/config/schema/99user.ldif file:
# cd /local/dsm1/config/schema
# more 99user.ldif

2. Back up the 99user.ldif file twice:
# cp 99user.ldif 99user.ldif.backup.1
# cp 99user.ldif 99user.ldif.backup.2

Note The backups can help you recover the files if you encounter problems in
steps 3 through 5.
3. Concatenate custom schema entries to the 99user.ldif file:
# cat 99user.ldif.backup.1 \
/opt/ses/shared/lab/99user.ldif > 99user.ldif


4. Before proceeding, review the contents of the
/local/dsm1/config/schema/99user.ldif file.
The 99user.ldif file should contain a dn entry, three objectClass (not
objectClasses) entries, a cn entry, an aci entry, an objectClasses
entry, two attributeTypes entries, and an nsSchemaCSN entry. If the
contents of the 99user.ldif file are not correct, rerun the cat command
that you ran in step 3, and ensure that you specify the file names correctly.
The following is an example of the contents of the
/local/dsm1/config/schema/99user.ldif file after running the
cat command in step 3:
dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
cn: schema
aci: (target="ldap:///cn=schema")(targetattr
!="aci")(version 3.0;acl "anonymous, no acis"; allow
(read, search, compare) userdn = "ldap:///anyone";)
objectClasses: ( exampleperson-oid NAME 'exampleperson'
SUP 'inetorgperson' STRUCTURAL MAY ( exampleTShirtName
$ exampleTShirtSize ) X-ORIGIN 'user defined' )
attributeTypes: ( exampleTShirtSize-oid NAME
'exampleTShirtSize' DESC 'User Defined Attribute'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( exampleTShirtName-oid NAME
'exampleTShirtName' DESC 'User Defined Attribute'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' X-ORIGIN 'user
defined' )
nsSchemaCSN: 3c346ac2000000000000

5. Start the dsm1 directory server instance:
# dsadm start /local/dsm1
The custom schema is added to the Directory Server EE configuration upon
Directory Server EE startup. You confirm this configuration change later in
this lab.


6. Use the following command to verify that an ns-slapd process is running:
# ps -ef | grep slapd
Output similar to the following indicates that the ns-slapd process is
running:
root 2847 1621  6 16:12:58 ?      0:03 /opt/dsee7/lib/ns-slapd -D /local/dsm1 -i /local/dsm1/logs/pid
root 2849 2769  0 16:13:17 pts/4  0:00 grep slapd


Task 4 Populating the Database


In the previous task, you updated Directory Server EE schema definitions to
include several custom object class and attribute definitions.
In this task, you create a user database by creating a suffix and adding a set of
data entries, including user entries that include some of the custom attributes and
object classes you defined previously.
Complete the following steps in the zone01 zone:
1. Add a suffix to the dsm1 instance:
# dsconf create-suffix -p 1389 dc=example,dc=com
The following prompt appears in the terminal window:
Certificate "CN=zone01, CN=1636, CN=Directory Server,
O=Sun Microsystems" presented by the server is not
trusted.
Type "Y" to accept, "y" to accept just once, "n" to
refuse, "d" for more details:
Type Y and press Return.
Another prompt appears in the terminal window:
Enter "cn=Directory Manager" password:
Type sunlearning and press Return.

Note By default, the dsconf utility uses the Start TLS Lightweight Directory
Access Protocol (LDAP) extension. When using this extension, you must
accept (trust) the digital certificate presented by Directory Server EE during
suffix creation. If you were to answer y (lowercase), you would be accepting
this certificate one time only, and would be asked to trust the certificate again the
next time you ran the dsconf utility. By answering Y (uppercase), you trust
this certificate permanently and are never again asked to trust the certificate for
this directory server instance.
By default, the dsconf utility binds as the cn=Directory Manager user.
Therefore, you are prompted for the directory manager user's password. In
subsequent labs, you provide this password in a file so that you are not prompted
for the password. You can specify a user other than the cn=Directory
Manager user with the --user-dn option.


2. Add user data to the dc=example,dc=com suffix of the dsm1 instance:
# dsconf import -p 1389 \
/opt/ses/shared/lab/Example.2340.ldif dc=example,dc=com
The following prompt appears in the terminal window:
Enter "cn=Directory Manager" password:
Type sunlearning and press Return.
The following prompt appears in the terminal window:
New data will override existing data of the suffix
"dc=example,dc=com".
Initialization will have to be performed on replicated
suffixes.
Do you want to continue [y/n] ?
Type y and press Return.
Output similar to the following appears in the terminal window:
## Index buffering enabled with bucket size 40
## Beginning import job...
## Processing file
"/opt/ses/shared/lab/Example.2340.ldif"
## Finished scanning file
"/opt/ses/shared/lab/Example.2340.ldif" (159 entries)
## Workers finished; cleaning up...
## Workers cleaned up.
## Cleaning up producer thread...
## Indexing complete.
## Starting numsubordinates attribute generation. This
may take a while, please wait for further activity
reports.
## Numsubordinates attribute generation complete.
Flushing caches...
## Closing files...
## Import complete. Processed 159 entries in 4
seconds. (39.75 entries/sec)
Task completed (slapd exit code: 0).


3. Use the ldapsearch utility to confirm that the user data was successfully
imported:
# ldapsearch -p 1389 -b dc=example,dc=com \
-s sub uid=scarter
Output similar to the following appears in the terminal window:
version: 1
dn: uid=scarter, ou=People, dc=example,dc=com
exampleTShirtSize: L
givenName: Sam
exampleTShirtName: IPO by 2003
exampleTShirtName: Balanced Books or Else
telephoneNumber: +1 408 555 4798
sn: Carter
ou: Accounting
l: Sunnyvale
manager: uid=bjensen,ou=people,dc=example,dc=com
roomNumber: 4612
mail: scarter@example.com
facsimileTelephoneNumber: +1 408 555 9751
uid: scarter
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: examplePerson
cn: Sam Carter
mobile: +1 408 555 9751
title: Directory of IT
pager: +1 408 555 9722


Exercise 2: Installing DSCC

This exercise introduces you to two Directory Server EE configuration tools:
- DSCC
- File-based configuration
In the first two tasks in this exercise, you install an Apache Tomcat Web
container and deploy the DSCC Web application into the Web container.
Note For these labs, you use Apache Tomcat as the Web container. A number of
other Web containers are supported for the DSCC Web application. Refer to the
Oracle Directory Server Enterprise Edition 11gR1 Installation Guide for a list of
supported Web containers.
After you install and deploy DSCC, you use DSCC to perform several
configuration tasks.
You can also configure Directory Server EE using configuration files. Some
configuration can be performed by modifying attribute value pairs in the
dse.ldif file. In the last task, you examine several configuration attributes in
the dse.ldif file.
Perform the following tasks:
- Task 1 Installing a Tomcat Web Container
- Task 2 Installing DSCC
- Task 3 Examining LDIF and Configuration Files

Task 1 Installing a Tomcat Web Container


In this task, you install the Tomcat Web container. In the next task, you install
DSCC into that Web container.
Complete the following steps in the zone01 zone:
1. Change to the root directory:
# cd /


2. Unzip the Tomcat software into the /apache-tomcat-5.5.27 directory:
# gzip -dc /opt/ses/shared/software/ \
apache-tomcat-5.5.27.tar.gz | tar xvf -

3. Create a symbolic link to simplify references to the Apache Tomcat
installation directory when using command-line tools:
# ln -s /apache-tomcat-5.5.27 /tomcat

4. Add a startup file for the Tomcat Web container to the /etc/init.d
directory:
# cp /opt/ses/shared/lab/tomcat.sh /etc/init.d/tomcat

5. Start the Tomcat Web container:
# /etc/init.d/tomcat start
Messages similar to the following indicate successful startup:
Using CATALINA_BASE:   /tomcat
Using CATALINA_HOME:   /tomcat
Using CATALINA_TMPDIR: /tomcat/temp
Using JRE_HOME:        /usr/java
root 2887 2871  0 16:38:39 pts/4  0:00 /sbin/sh /etc/init.d/tomcat start
root 2885 1621 10 16:38:34 pts/4  0:04 /usr/java/bin/java -Djava.util.logging.config.file=/tomcat/conf/logging.propert
root 2871 2769  0 16:38:34 pts/4  0:00 /sbin/sh /etc/init.d/tomcat start

6. Switch to a running Web browser on your zone01 lab system. If a browser
is not started, type the following command:
# firefox &

7. Confirm that the Tomcat Web container is running by navigating to the
following URL in the browser:
http://zone01.example.com:8080
The default Tomcat home page appears.


8. In an earlier task, you created a custom profile for the root user. Verify that
the custom profile set environmental variables as required to run DSCC in
the Tomcat Web container:
a. Verify that the CATALINA_* environment variables have been set to
the proper values:
# env | grep CATALINA
The following output appears in the terminal window:
CATALINA_HOME=/tomcat
CATALINA_BASE=/tomcat
CATALINA_OPTS=-Djava.awt.headless=true

b. Verify that the JAVA_HOME environment variable has been set to the
/usr directory:
# env | grep JAVA_HOME
The following output appears in the terminal window:
JAVA_HOME=/usr

Note Refer to the Oracle Directory Server Enterprise Edition 11gR1
Installation Guide for environment changes required when running DSCC in
various Web containers.


Task 2 Installing DSCC


In the previous exercise, you used the dsadm and dsconf utilities to manage and
configure Directory Server EE from the command line. In this task, you install
DSCC, which lets you manage and configure Directory Server EE using a Web
browser.
In this task you create, install, and configure the DSCC Web application. During
DSCC setup, you run the dsccsetup initialize command. This important
command performs a variety of functions:
- Creates the DSCC Web archive (WAR) file.
- Initializes the DSCC registry. The DSCC registry contains entries for each
directory server and directory proxy server instance managed by DSCC.
- Starts the DSCC registry directory server instance.
After DSCC setup, you register the previously created dsm1 directory server
instance with the DSCC and begin exploring that instance's configuration.
Complete the following steps in the zone01 zone:
1. Execute the dsccsetup initialize command:
# dsccsetup initialize
Press Return until the software license agreement has displayed completely,
then type yes to accept the license agreement.
After you accept the license, the following messages appear in the terminal
window:
***
Configuring Cacao...
Cacao will listen on port 21162
Cacao has been successfully configured.
Registering DSCC Agent in Cacao...
Checking Cacao status...
Starting Cacao...
DSCC agent has been successfully registered in Cacao.
***
Choose password for Directory Service Manager:
Type sunlearning and press Return.


A confirmation message, such as the following, appears in the terminal
window:
Confirm password for Directory Service Manager:
Type sunlearning and press Return.
More messages appear in the terminal window:
Creating DSCC registry...
DSCC Registry has been created successfully
***
Created /opt/dsee7/var/dscc7.war
***
Note Each directory server instance has its own directory manager account. In
the preceding step, you set the password for the DSCC registry directory server
instance's directory manager account. This password can either be the same
password or a different password from the dsm1 directory server instance's
directory manager account.
2. Confirm that the DSCC agent is registered with the common agent
container (CACAO):
a. Verify that the cacaoadm command in the PATH is the cacaoadm
command that is distributed with Directory Server EE:
# which cacaoadm
The following output appears in the terminal window:
/opt/dsee7/bin/cacaoadm

b. Determine the status of CACAO:
# cacaoadm status
Output similar to the following appears in the terminal window:
default instance is DISABLED at system startup.
Smf monitoring process:
2641
2642
Uptime: 0 day(s), 0:2
The line specifying Uptime indicates that CACAO is up and running.

c. If CACAO is not up and running, start it:
# cacaoadm start


d. Confirm that the dsccsetup initialize command registered the
DSCC agent with CACAO:
# cacaoadm list-modules
You should see the com.sun.directory.dscc7 1.0 entry at the
bottom of the cacaoadm list-modules output. The module names
are sorted alphabetically.

3. Create a directory for the DSCC Web application:
# mkdir /tomcat/webapps/dscc

4. Unzip the dscc7.war file into the newly created directory:
# unzip -d /tomcat/webapps/dscc /opt/dsee7/var/ \
dscc7.war

5. Stop the Tomcat Web container:
# /etc/init.d/tomcat stop

6. Edit the /tomcat/conf/web.xml file using the vi editor, the gedit
editor, or any other editor you choose. Insert the following lines before the
<load-on-startup> tag, which appears on line 98 of the web.xml file:
<init-param>
<param-name>enablePooling</param-name>
<param-value>false</param-value>
</init-param>

Note Notice that the enablePooling stanza is of the same form as the
preceding two init-params. The preceding change to the web.xml file is
specific to the Tomcat Web container. For other supported Web containers, review
the Oracle Directory Server Enterprise Edition 11gR1 Installation Guide for
required configuration changes.


7. By default, Tomcat maintains login sessions for 30 minutes. After using
DSCC for 30 minutes, you are forced to reauthenticate in order to continue
to use DSCC.
Reconfigure the DSCC session timeout interval so that you can keep a
DSCC login session alive for as long as eight hours. Edit the
/tomcat/webapps/dscc/WEB-INF/web.xml file using any editor you
choose. Insert the following lines after the <web-app> tag, which appears
on line 5 of the web.xml file:
<session-config>
<session-timeout>480</session-timeout>
</session-config>
Caution Be sure that you have edited the correct files in steps 6 and 7. The
web.xml file that you edit in step 6 is in the /tomcat/conf directory. The
web.xml file that you edit in step 7 is in the /tomcat/webapps/dscc/WEB-INF directory.
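The two web.xml edits in steps 6 and 7 can also be made and checked mechanically, which matters when the same change has to be repeated on several Web containers. The following Python script is an added example, not code from this lab guide or from the Oracle product. It works on two constructed stand-in documents rather than the real /tomcat/conf/web.xml and /tomcat/webapps/dscc/WEB-INF/web.xml files, and the function names (add_init_param, set_session_timeout, init_param_value, session_timeout) are the example's own.

```python
# Added example (not part of the Oracle lab guide): apply the step 6 and
# step 7 web.xml edits as repeatable text edits, then verify them by parsing
# the result as XML. CONF_WEB_XML and DSCC_WEB_XML are constructed stand-ins
# for the real Tomcat files.
import re
import xml.etree.ElementTree as ET

J2EE = "http://java.sun.com/xml/ns/j2ee"
NS = {"j2ee": J2EE}

# Stand-in for /tomcat/conf/web.xml: the jsp servlet with two init-params
# already present, just before the <load-on-startup> tag (constructed).
CONF_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
    <servlet>
        <servlet-name>jsp</servlet-name>
        <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
        <init-param>
            <param-name>fork</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
            <param-name>xpoweredBy</param-name>
            <param-value>false</param-value>
        </init-param>
        <load-on-startup>3</load-on-startup>
    </servlet>
</web-app>
"""

# Stand-in for /tomcat/webapps/dscc/WEB-INF/web.xml (constructed).
DSCC_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
    <display-name>dscc</display-name>
</web-app>
"""


def add_init_param(web_xml, name, value):
    """Step 6: insert an <init-param> block just before the first
    <load-on-startup> tag, reusing that line's indentation.
    Returns the text unchanged if the parameter is already present."""
    if f"<param-name>{name}</param-name>" in web_xml:
        return web_xml
    match = re.search(r"^([ \t]*)<load-on-startup>", web_xml, re.MULTILINE)
    if match is None:
        raise ValueError("no <load-on-startup> tag in web.xml")
    indent = match.group(1)
    block = (
        f"{indent}<init-param>\n"
        f"{indent}    <param-name>{name}</param-name>\n"
        f"{indent}    <param-value>{value}</param-value>\n"
        f"{indent}</init-param>\n"
    )
    return web_xml[:match.start()] + block + web_xml[match.start():]


def set_session_timeout(web_xml, minutes):
    """Step 7: put a <session-config> block right after the opening
    <web-app> tag, or rewrite the value of an existing block."""
    block = (
        "    <session-config>\n"
        f"        <session-timeout>{minutes}</session-timeout>\n"
        "    </session-config>\n"
    )
    if "<session-config>" in web_xml:
        return re.sub(r"[ \t]*<session-config>.*?</session-config>\n", block,
                      web_xml, count=1, flags=re.DOTALL)
    match = re.search(r"<web-app\b[^>]*>\n", web_xml)
    if match is None:
        raise ValueError("no <web-app> tag in web.xml")
    return web_xml[:match.end()] + block + web_xml[match.end():]


def init_param_value(web_xml, name):
    """Parse the result as XML and return the named init-param's value."""
    root = ET.fromstring(web_xml)
    for param in root.iter("{%s}init-param" % J2EE):
        if param.find("j2ee:param-name", NS).text == name:
            return param.find("j2ee:param-value", NS).text
    return None


def session_timeout(web_xml):
    """Return the configured session timeout in minutes, or None if unset."""
    root = ET.fromstring(web_xml)
    element = root.find("j2ee:session-config/j2ee:session-timeout", NS)
    return None if element is None else int(element.text)
```

Both edit functions are idempotent, so running the script twice leaves the files as they were after the first run. Because set_session_timeout takes the interval as an argument, the same function applies a shorter value on a deployment where an eight-hour administrator session is not wanted; the 480-minute value is a convenience for these labs.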
8. Start the Tomcat Web container:
# /etc/init.d/tomcat start

9. Log in to DSCC:
a. In a browser window, navigate to the following URL:
http://zone01.example.com:8080/dscc
b. Enter the following authentication credentials:
Directory Service Manager: admin
Password: sunlearning
The DSCC Web interface appears.

10. Click Version in the upper left corner of the DSCC.
The version string Version 11.1.1.3.0 appears even though elsewhere
you may see 7.0.
11. Close the window that contains the version string.
12. Enable DSCC management of the directory server instance you created
earlier by registering the instance in DSCC:
a. Select the Directory Servers tab.
There should be no registered directory servers listed.


b. Select Register Existing Server from the More Server Actions dropdown menu to start the Register Existing Directory Server Wizard.
The Step 1: Enter Host and Server Information dialog box appears.
c. Specify the following values in the Step 1: Enter Host and Server
Information dialog box:
- Instance Path: /local/dsm1
- DSCC Agent Port: Click Other, then type 21162
- Description: Master 1 (dsm1)
d. Click Next.
The Step 1.1: Provide Authentication Information for the Host dialog
box appears.

Note When needed, DSCC prompts you to enter the credentials of the Solaris
OS user that runs the ns-slapd process (the root user in these labs). Whenever
you are asked to provide authentication information for the host, enter root as
the user ID and cangetin as the password.
e. Specify the following values in the Step 1.1: Provide Authentication
Information for the Host dialog box:
User ID: root
Password: cangetin
f. Click Next to submit the credentials.
The Step 1.2: Review Server Certificate dialog box appears.
g. Review the certificate details, then click Next to accept the certificate.
The Step 2: Provide Authentication Information dialog box appears.
h. Enter sunlearning in the Administration DN Password field.
i. Click Next.
The Step 3: Summary dialog box appears, with a warning that the
server instance will be restarted when you click Finish.


j. Click Finish.
Messages appear as the dsm1 instance is registered with DSCC and
restarted.
When the operation is complete, the Operation Completed
Successfully message appears.

Note A message stating that DSCC could not set the locale correctly appears
during instance registration. You can ignore this message whenever it appears.
k. Click Close to terminate the Register Existing Directory Server
Wizard.
l. Verify that the zone01:1389 entry appears in the registered directory
servers list.

Note In these labs, the zone01:1389 directory server instance is also referred
to as the dsm1 instance.
13. In a previous task, you customized the schema for the dsm1
(zone01:1389) directory server instance. Confirm that you can see these
schema changes in DSCC:
a. Select the link for the zone01:1389 directory server instance.
b. Select the Schema tab.
c. Confirm that the examplePerson object class is present in the list of
user-defined object classes.
d. Select the Attributes tab.
e. Confirm that the exampleTShirtName and exampleTShirtSize
attributes are present in the list of user-defined attributes.

Task 3 Examining LDIF and Configuration Files

In this task, you examine LDIF and configuration files.
Complete the following steps in the zone01 zone:
1. In a terminal window, change to the /opt/ses/shared/lab directory.


2. View the contents of the sample Example.2340.ldif file using any
editor.
The Example.2340.ldif file is a modified version of the sample file that
ships with the Directory Server EE binaries.
To locate a typical user entry, search for the first occurrence of the string
scarter.
a. Which attribute constructs the relative distinguished name (RDN) of a
typical user entry?
________________________________________________________
b. Where in the directory tree are user entries kept?
________________________________________________________
c. Which object classes are included for a typical user entry?
________________________________________________________
d. What is the value of the organizational unit (ou) attribute for a typical
user entry?
________________________________________________________
e. What are the other attributes of a typical user entry?
________________________________________________________

3. Close the Example.2340.ldif file.
4. Change to the config directory for the directory server instance on your
workstation:
# cd /local/dsm1/config


5. View the dse.ldif file's contents using any editor.
The dse.ldif file contains configuration attributes. It is a UTF-8 text file
that is read when a directory server instance is started.
Caution To change the configuration of directory server instances, you should
use DSCC or the dsconf utility. Configuration changes made using DSCC or the
dsconf utility cause the directory server instance to rewrite the dse.ldif file.
Therefore, you should never manually edit the dse.ldif file for a directory
server instance when that instance is running. The edits to the dse.ldif file
might be overwritten.
Modify the dse.ldif file only when advised to do so by Oracle Support.
a. What is the maximum number of entries returned from any search
operation (nsslapd-sizelimit configuration attribute)?
________________________________________________________

Note If this limit is reached, the server returns any entries it found that match
the search request, as well as an exceeded size limit error.
b. What is the maximum number of seconds that Directory Server EE
can spend performing a search request (nsslapd-timelimit
configuration attribute)?
________________________________________________________
c. What is the maximum number of entries that Directory Server EE
checks before returning a resource limit error
(nsslapd-lookthroughlimit configuration attribute)?
________________________________________________________
d. What is the size in bytes of the in-memory cache
(nsslapd-dbcachesize configuration attribute)?
________________________________________________________

Note Increasing the value of the nsslapd-dbcachesize configuration
attribute uses more memory but can substantially improve server performance,
especially during modifications or when the indexes are being built. Do not
increase this number beyond the available resources for your machine.
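Three places in this lab ask you to read an LDIF file by eye: the attribute counts that a correctly concatenated 99user.ldif must have (Exercise 1, Task 3, step 4), the questions about a user entry in Example.2340.ldif (step 2 above), and the search limits in dse.ldif (step 5 above). The following Python script is an added example, not code from this lab guide or from the Oracle product, that answers all three with one small LDIF reader. The sample LDIF inside it is constructed for the example: the schema sample copies the step 4 listing, the user entry is a cut-down scarter entry, and the dse.ldif values are invented, not the values of your dsm1 instance, which step 5 asks you to look up. The function names (parse_ldif, values, check_99user, describe_user, resource_limits, unlimited) are the example's own.

```python
# Added example (not part of the Oracle lab guide). A minimal LDIF reader,
# then three checks that replace the manual inspections in this lab.
# All sample LDIF below is constructed for the example.
import base64
from collections import Counter


def parse_ldif(text):
    """One list of (attribute, value) pairs per entry, in file order. Folded
    lines (leading space) are joined, '#' comments skipped, '::' values base64-decoded."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, attrs = [], []
    for line in unfolded + [""]:  # the sentinel flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if attrs:
                entries.append(attrs)
                attrs = []
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        attrs.append((name.strip(), value.strip()))
    return entries


def values(entry, name):
    """All values of one attribute; LDAP attribute names are case-insensitive."""
    return [v for n, v in entry if n.lower() == name.lower()]


# Exercise 1, Task 3, step 4: attribute counts of a correct 99user.ldif.
EXPECTED_99USER = {"dn": 1, "objectclass": 3, "cn": 1, "aci": 1,
                   "objectclasses": 1, "attributetypes": 2, "nsschemacsn": 1}


def check_99user(text):
    """Return {attribute: (expected, actual)} for every mismatch; {} means OK."""
    entries = parse_ldif(text)
    if len(entries) != 1:
        return {"entries": (1, len(entries))}
    counts = Counter(n.lower() for n, _ in entries[0])
    return {k: (v, counts[k]) for k, v in EXPECTED_99USER.items() if counts[k] != v}


def describe_user(text, uid):
    """Step 2 questions for one user: RDN attribute, parent container, object classes."""
    for entry in parse_ldif(text):
        if uid in values(entry, "uid"):
            rdn, _, parent = values(entry, "dn")[0].partition(",")
            return {"rdn_attribute": rdn.split("=")[0].strip(),
                    "parent": ",".join(p.strip() for p in parent.split(",")),
                    "objectclasses": values(entry, "objectClass")}
    return None


# Step 5 attributes. For the three search limits, -1 means no limit.
LIMIT_ATTRS = ("nsslapd-sizelimit", "nsslapd-timelimit",
               "nsslapd-lookthroughlimit", "nsslapd-dbcachesize")


def resource_limits(text):
    """Collect the step 5 attributes from every entry of dse.ldif."""
    found = {}
    for entry in parse_ldif(text):
        for name in LIMIT_ATTRS:
            for v in values(entry, name):
                found[name] = int(v)
    return found


def unlimited(limits):
    """Search limits set to -1 (no limit), the ones to review before production use."""
    return sorted(n for n, v in limits.items() if v == -1 and n != "nsslapd-dbcachesize")


# Constructed samples. SAMPLE_99USER copies the step 4 listing, folded the way
# Directory Server writes long values; the dse.ldif numbers are invented.
SAMPLE_99USER = """dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
cn: schema
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymo
 us, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
objectClasses: ( exampleperson-oid NAME 'exampleperson' SUP 'inetorgperson' STRUCTURAL MAY ( exampleTShirtName $ exampleTShirtSize ) X-ORIGIN 'user defined' )
attributeTypes: ( exampleTShirtSize-oid NAME 'exampleTShirtSize' DESC 'User Defined Attribute' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( exampleTShirtName-oid NAME 'exampleTShirtName' DESC 'User Defined Attribute' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' X-ORIGIN 'user defined' )
nsSchemaCSN: 3c346ac2000000000000
"""

SAMPLE_USER = """dn: uid=scarter, ou=People, dc=example,dc=com
uid: scarter
ou: Accounting
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: examplePerson
"""

SAMPLE_DSE = """dn: cn=config
nsslapd-sizelimit: 2000
nsslapd-timelimit: 3600
nsslapd-lookthroughlimit: -1

dn: cn=config,cn=ldbm database,cn=plugins,cn=config
nsslapd-dbcachesize: 10000000
"""
```

To run the checks against the real files, read /local/dsm1/config/schema/99user.ldif, /opt/ses/shared/lab/Example.2340.ldif and /local/dsm1/config/dse.ldif into strings and pass them in place of the samples; the script only reads, so it does not conflict with the Caution above about editing dse.ldif. The parser keeps duplicate attributes as separate pairs on purpose, which is what makes the "three objectClass entries" count in step 4 checkable.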
6. Close the dse.ldif file.


Exercise Summary

Discussion: Take a few minutes to discuss what experiences, issues, or
discoveries you had during the lab exercise.

Experiences

Interpretations

Conclusions

Applications


Exercise Solutions
The following section provides solutions to questions in the lab.

Exercise 2: Installing DSCC
Compare your answers to Steps 2 and 5 in Task 3.

Task 3: Examining LDIF and Configuration Files
2. View the contents of the sample Example.2340.ldif file using any
editor.
The Example.2340.ldif file is a modified version of the sample file that
ships with the Directory Server EE binaries.
To locate a typical user entry, search for the first occurrence of the string
scarter.
a. Which attribute constructs the relative distinguished name (RDN) of a
typical user entry?
uid

b. Where in the directory tree are user entries kept?
ou=People,dc=example,dc=com

c. Which object classes are included for a typical user entry?
top, person, organizationalPerson, inetOrgPerson,
examplePerson

d. What is the value of the organizational unit (ou) attribute for a typical
user entry?
The department name; for example, Human Resources, Payroll,
or Accounting.

e. What are the other attributes of a typical user entry?
sn and cn are required. Some of the other typical attributes are l,
uid, mail, telephonenumber, facsimiletelephonenumber,
roomnumber, userpassword, and exampleTShirtSize.


5. View the dse.ldif file's contents using any editor.
The dse.ldif file contains configuration attributes. It is a UTF-8 text file
that is read when a directory server instance is started.

Caution: To change the configuration of directory server instances, you should
use DSCC or the dsconf utility. Configuration changes made using DSCC or the
dsconf utility cause the directory server instance to rewrite the dse.ldif file.
Therefore, you should never manually edit the dse.ldif file for a directory
server instance when that instance is running, because the edits to the dse.ldif
file might be overwritten.
Modify the dse.ldif file only when advised to do so by Sun Support.
a. What is the maximum number of entries returned from any search
operation (nsslapd-sizelimit configuration attribute)?
2,000

b. What is the maximum number of seconds that Directory Server EE
can spend performing a search request (nsslapd-timelimit
configuration attribute)?
3,600

c. What is the maximum number of entries that Directory Server EE
checks before returning a resource limit error
(nsslapd-lookthroughlimit configuration attribute)?
5,000

d. What is the size in bytes of the in-memory cache
(nsslapd-dbcachesize configuration attribute)?
33,554,432


Lab 2: Searching and Modifying Directory Content

Objectives
After completing this lab, you should be able to search and modify directory data.


Exercise: Searching and Modifying Directory Data
Perform the following tasks:
Task 1: Restarting Zones and Servers
Task 2: Verifying That the PATH Environment Variable References the
Desired LDAP Utilities
Task 3: Searching the Directory
Task 4: Using the ldapmodify Utility

Preparation
Prerequisite Lab
The following lab is a prerequisite for performing this lab:
Introducing Oracle Directory Server EE 11gR1
The task to prepare your lab system depends on whether you performed the
prerequisite lab, and whether you have performed other labs, in addition to the
prerequisite lab.

Assessing the State of Your Lab System
By using Table A-2 on page A-7 in Working With the Solaris Sandbox, assess
the state of your lab system and then take any additional actions described in the
table.

Task 1: Restarting Zones and Servers
If your lab system was not in the Ready to Go, Powered Up state, you need to
bring up zones and start servers.
Perform the following steps if your lab system was not in the Ready to Go,
Powered Up state:
1. Start and log in to the zone01 zone.
For explicit instructions for starting and logging in to zones, refer to Zone
Management Commands in the Solaris Sandbox on page A-3.


2. Start the following servers:
The CACAO server: refer to Starting the Common Agent
Container (CACAO) on page A-4.
The DSCC registry directory server instance: refer to Starting the
DSCC Registry Directory Server Instance on page A-4.
The Tomcat Web container that hosts the DSCC Web application:
refer to Starting the Tomcat Web Container That Hosts the DSCC
Web Application on page A-4.
The dsm1 directory server instance: refer to Starting the dsm1
Directory Server Instance on page A-4.

You perform the rest of this lab in the zone01 zone.

Task 2: Verifying That the PATH Environment Variable
References the Desired LDAP Utilities
The ldapsearch and ldapmodify utilities that you use in these labs are
included as part of the Directory Server Resource Kit, a component of Directory
Server EE. In this task, you verify that your PATH references the desired versions
of these two utilities.
The labs require that you use the LDAP utilities installed with Directory Server
EE, and not the Solaris OS versions of the LDAP utilities, which reside in the
/usr/bin directory. The Solaris OS LDAP utilities perform differently from the
LDAP utilities installed with Directory Server EE.
Complete the following steps in the zone01 zone:
1. Verify that the PATH environment variable references the ldapsearch
utility from the Directory Server Resource Kit:
# which ldapsearch
The following output appears in the terminal window:
/opt/dsee7/dsrk/bin/ldapsearch

2. Verify that the PATH environment variable references the ldapmodify
utility from the Directory Server Resource Kit:
# which ldapmodify
The following output appears in the terminal window:
/opt/dsee7/dsrk/bin/ldapmodify


Task 3: Searching the Directory
In this task, you perform a search for all entries in the directory and perform
searches for specific entries.
Complete the following steps in the zone01 zone:
1. Search for all entries in the dc=example,dc=com branch by using the
ldapsearch utility:
# ldapsearch -h zone01.example.com -p 1389 \
-b dc=example,dc=com -s sub objectclass=* | more
Following are tips to reduce the amount of typing required to perform the
tasks in this lab:
The default host (-h argument) for the ldapsearch utility is
localhost. If you are searching in a terminal session running on the
same host (including a Solaris OS zone) on which a directory server
instance is running, you can omit the -h argument.
The default port (-p argument) for the ldapsearch utility is 389. If
you are searching against a directory server instance with a port
number of 389, you can omit the -p argument.

2. Your new boss was at the company party last night and met many
individuals but does not remember their names. Find specific people using
the criteria listed. Search for each person by using the ldapsearch
command-line utility.
Record the search string that worked in the space provided. Some searches
are more difficult to build than others. The answers are available in the
Exercise Solutions on page L2-10, but try to get the answers on your
own before consulting the solutions.
a. The person's last name sounded something like veter. What is his
email address?
ldapsearch:_____________________________________________
________________________________________________________

Note: The email attribute is mail, and the approximate operator is ~=.


b. I need the full name and phone number of Carter in Accounting, out
of the Santa Clara office.
ldapsearch:_____________________________________________
________________________________________________________

Note: The full name attribute is cn, the last name attribute is sn, the phone
attribute is telephonenumber, the department/organizational unit attribute is
ou, the location attribute is l, and the AND operator is &. For example, the
following filter could be used in a search for a directory entry with last name
Smith, first name John, and location Mountain View:
(&(sn=smith)(givenname=john)(l=mountain view)).
c. I need to know how many people have large-sized company t-shirts.
ldapsearch:_____________________________________________
________________________________________________________

Note: The t-shirt size attribute is exampleTShirtSize.


d. I need to know how many people in Accounting do not have
company t-shirts.
ldapsearch:_____________________________________________
________________________________________________________

Note: The t-shirt name attribute is exampleTShirtName, the
department/organizational unit attribute is ou, the location attribute is l, the NOT
operator is !, and the AND operator is &. Human Resources has a special
application that sets the exampleTShirtName attribute only if a person has a
company t-shirt.


e. I need to know all the individuals in the example.com database who
have Babs Jensen as a manager.
ldapsearch:_____________________________________________
________________________________________________________

Note: The manager attribute is manager and is a distinguished name (DN) data
type.
When you are finished, compare your answers to those in the Exercise
Solutions on page L2-10. Discuss any differences you found during the exercise
debriefing.
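The filter syntax the notes above describe (approximate match with ~=, AND with &, NOT with !, presence with =*), as an added Python example that is not part of the lab guide: it builds the five Task 3 filters and escapes assertion values per RFC 4515 so that a value typed by a user cannot change the filter's structure. The function names and the ldapsearch_argv helper are my own; the attribute names and values are the lab's.

```python
"""Build the Task 3 search filters with RFC 4515 escaping.

Added example, not part of the Oracle lab guide. The operators (~=, &, !, =*)
are the ones the lab notes describe; the escaping table comes from RFC 4515.
The function names are my own.
"""

# RFC 4515: these characters must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_value(value: str) -> str:
    """Escape one assertion value so it cannot alter the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def equals(attr: str, value: str) -> str:
    """(attr=value) equality match; '=' and ',' in a DN value need no escaping."""
    return f"({attr}={escape_value(value)})"


def approx(attr: str, value: str) -> str:
    """(attr~=value) approximate (phonetic) match, used for the 'veter' search."""
    return f"({attr}~={escape_value(value)})"


def present(attr: str) -> str:
    """(attr=*) presence test: true when the entry has any value for attr."""
    return f"({attr}=*)"


def all_of(*filters: str) -> str:
    """(&(f1)(f2)...) AND of the given filters."""
    return "(&" + "".join(filters) + ")"


def negate(filt: str) -> str:
    """(!(f)) NOT of one filter."""
    return "(!" + filt + ")"


def ldapsearch_argv(port: int, base: str, filt: str, *attrs: str) -> list[str]:
    """Argument vector for the lab's ldapsearch call (no -h: localhost is the default).

    Handing the filter to subprocess.run(argv) as its own element avoids the shell
    quoting the lab needs for filters that contain spaces or '!'.
    """
    return ["ldapsearch", "-p", str(port), "-b", base, "-s", "sub", filt, *attrs]


def lab_filters(last_name: str, office: str, dept: str, manager_dn: str) -> dict[str, str]:
    """The five Task 3 filters, built from the (possibly untrusted) values supplied."""
    return {
        "a_approx_surname": approx("sn", last_name),
        "b_carter_in_accounting": all_of(equals("sn", "carter"), equals("l", office),
                                         equals("ou", dept)),
        "c_large_tshirts": equals("exampleTShirtSize", "L"),
        "d_no_tshirt_in_dept": all_of(negate(present("exampleTShirtName")), equals("ou", dept)),
        "e_reports_of_manager": equals("manager", manager_dn),
    }


if __name__ == "__main__":
    built = lab_filters("veter", "Santa Clara", "Accounting",
                        "uid=bjensen,ou=people,dc=example,dc=com")
    for name, filt in built.items():
        print(name, filt)
    # A value carrying filter metacharacters stays a plain string inside one
    # equality test instead of becoming a different filter.
    print(equals("sn", "smith)(uid=*"))   # (sn=smith\29\28uid=\2a)
```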

Task 4: Using the ldapmodify Utility
In this task, you use the ldapmodify utility to add and modify specific entries.
Complete the following steps in the zone01 zone:
1. Create a file named rwilson.ldif in the /tmp directory using any text
editor.

2. Enter the following instructions in the LDIF file for a new user:
dn: cn=Russ Wilson,ou=People,dc=example,dc=com
changetype: add
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Russ Wilson
givenName: Russ
sn: Wilson
ou: Marketing
uid: rwilson


3. In a terminal window, run the ldapmodify utility, authenticating as the
cn=Directory Manager user:
# ldapmodify -p 1389 -D "cn=Directory Manager" \
-w sunlearning -f /tmp/rwilson.ldif
The following output appears in the terminal window:
adding new entry cn=Russ Wilson,ou=People,dc=example,dc=com

4. Make changes to Russ Wilson's directory entry as follows:
a. Replace the contents of the rwilson.ldif file with the following
instructions:
dn: cn=Russ Wilson,ou=People,dc=example,dc=com
changetype: modify
add: telephonenumber
telephonenumber: +1 203-555-1662

b. Run the ldapmodify utility to make the changes.

c. Change Russ Wilson's relative distinguished name (RDN) to Russell
Wilson using the following instructions in the LDIF file:
dn: cn=Russ Wilson,ou=People,dc=example,dc=com
changetype: modrdn
newrdn: cn=Russell Wilson
deleteoldrdn: 1

d. Perform the steps necessary to add an employee number to Russell
Wilson's entry. Use the following syntax:
add: employeeNumber

e. Perform the steps necessary to change Russell Wilson's phone number
to reflect a new area code. Use the following syntax:
replace: telephonenumber

f. Try to add a second phone number to this entry. Try to add a second
employee number.
Which number worked and which one failed?
________________________________________________________
How do you explain the success or the failure of each attempt?
________________________________________________________


g. Try to add the exampleTShirtSize attribute. Use the following
syntax:
exampleTShirtSize: XL
Assuming that you used the correct syntax, why did this fail?
________________________________________________________

h. Which steps must you perform to successfully enter the
exampleTShirtSize attribute-value pair?
________________________________________________________

i. The exampleTShirtName attribute stores the names of different
types of T-shirts. Add values for ISO Certification 2005 and
Product Launch 2009.

j. Replace the Product Launch 2009 value with Company Picnic
2006.
Which steps did you perform to make this happen?
________________________________________________________


Exercise Summary

Discussion: Take a few minutes to discuss what experiences, issues, or
discoveries you had during the lab exercise.

Experiences

Interpretations

Conclusions

Applications


Exercise Solutions
The following section provides solutions to questions in the lab.
Compare your answers to:
Step 2 in Task 3
Step 4 in Task 4

Task 3: Searching the Directory
2. Your new boss was at the company party last night and met many
individuals but does not remember their names. Find specific people using
the criteria listed. Search for each person by using the ldapsearch
command-line utility.
Record the search string that worked in the space provided. Some searches
are more difficult than others. The answers are available in the Exercise
Solutions on page L2-10, but try to get the answers on your own before
consulting the solutions.
a. The person's last name sounded something like veter. What is his
email address?
Expected result: jvedder@example.com
# ldapsearch -p 1389 \
-b dc=example,dc=com -s sub sn~=veter mail

b. I need the full name and phone number of Carter in Accounting, out
of the Santa Clara office.
Expected result: Mike Carter, +1 408 555 1846
# ldapsearch -p 1389 -b dc=example,dc=com -s sub \
"(&(sn=carter)(l=Santa Clara)(ou=Accounting))" \
cn telephonenumber

c. I need to know how many people have large-sized company
T-shirts.
Expected result: 7
# ldapsearch -p 1389 \
-b dc=example,dc=com -s sub exampleTShirtSize=L \
cn exampleTShirtSize


d. I need to know how many people in Accounting do not have
company T-shirts.
Expected result: 33 people do not have a company T-shirt.
# ldapsearch -p 1389 \
-b dc=example,dc=com -s sub \
'(&(!(exampleTShirtName=*))(ou=Accounting))' \
cn exampleTShirtName
Optionally, if you don't need to know who but just how many, then
after the last exampleTShirtName, append:
| grep cn: | wc -l
to get a simple line count.

e. I need to know all the individuals in the example.com database who
have Babs Jensen as a manager.
Expected result: Sam Carter, David Miller, and Torrey Clow
# ldapsearch -p 1389 -b dc=example,dc=com -s sub \
manager=uid=bjensen,ou=people,dc=example,dc=com \
cn manager

Task 4: Using the ldapmodify Utility
4. Make changes to Russ Wilson's directory entry as follows:
f. Try to add a second phone number to this entry. Try to add a second
employee number.
Which number worked and which one failed?
Schema checking allows the addition of a second phone number.
Schema checking returns an Object class Violation when you try to
add a second employee number.
How do you explain the success or the failure of each attempt?
In the schema, the phone number attribute is defined as multivalued.
The employee number attribute is defined as single-valued.

g. Try to add the exampleTShirtSize attribute. Use the following
syntax:
exampleTShirtSize: XL
Assuming that you used the correct syntax, why did this fail?
The examplePerson object class defines the exampleTShirtSize
attribute. The rwilson entry does not yet contain the
examplePerson object class.


h. Which steps must you perform to successfully enter the
exampleTShirtSize attribute-value pair?
Use the ldapmodify utility to first add the examplePerson object
class to Russell Wilson's directory entry, then add the
exampleTShirtSize attribute-value pair.
dn: cn=Russell Wilson,ou=People,dc=example,dc=com
changetype: modify
add: objectclass
objectclass: examplePerson

j. Replace the Product Launch 2009 value with Company Picnic
2006.
Which steps did you perform to make this happen?
When an attribute has multiple values, the replace operation
replaces all of its values. Therefore, to change just one value, you could
replace the attribute with the new value and then add back the values
that you did not intend to remove.
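An added Python model of the ldapmodify steps in Task 4 and the solutions above (not the lab's own code and not a real LDAP server): it parses the LDIF add and modify records the lab uses, applies them to an in-memory entry, and enforces a toy schema that is my assumption, modelling only the rules the solutions state (single-valued employeeNumber, exampleTShirt* attributes requiring the examplePerson object class). The employee number value and the second phone number are constructed, and the modrdn step is left out.

```python
"""Apply Task 4's LDIF change records to an in-memory entry under a toy schema.
Added example, not from the Oracle lab guide; the schema is an assumption modelling only
what the solutions describe. Attribute names are case-insensitive, as on the server."""
SINGLE_VALUED = {"employeenumber", "exampletshirtsize"}          # at most one value
NEEDS_OBJECTCLASS = {"exampletshirtsize": "examplePerson",       # attribute -> object
                     "exampletshirtname": "examplePerson"}       # class that allows it

class SchemaViolation(Exception):
    """Where the server's schema checking would reject the operation."""

def parse_change_record(text):
    """Parse an LDIF add or modify record into (dn, changetype, [(op, attr, values), ...])."""
    dn = changetype = current = None
    mods = []
    for line in (ln.rstrip() for ln in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line == "-":                                    # ends one modify operation
            current = None
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            dn = value
        elif key == "changetype":
            changetype = value
        elif changetype == "modify" and key in ("add", "delete", "replace"):
            current = (key, value.lower(), [])
            mods.append(current)
        elif current and key == current[1]:                # a value for that operation
            current[2].append(value)
        elif changetype == "add":                          # attribute line of a new entry
            mods.append(("add", key, [value]))
        else:
            raise ValueError(f"unexpected LDIF line: {line!r}")
    return dn, changetype, mods

def check_schema(entry):
    classes = {v.lower() for v in entry.get("objectclass", [])}
    for attr, values in entry.items():
        if attr in SINGLE_VALUED and len(values) > 1:
            raise SchemaViolation(f"{attr} is single-valued, got {len(values)} values")
        needed = NEEDS_OBJECTCLASS.get(attr)
        if needed and needed.lower() not in classes:
            raise SchemaViolation(f"{attr} requires object class {needed}")

def apply_change(directory, record):
    """Apply one record to `directory` ({dn: {attr: [values]}}); all-or-nothing like the server."""
    dn, changetype, mods = parse_change_record(record)
    if (changetype == "add") == (dn in directory):         # add needs a new DN, modify an existing one
        raise ValueError(f"{changetype}: wrong existence state for {dn}")
    entry = {a: list(v) for a, v in directory.get(dn, {}).items()}   # edit a copy, commit at the end
    for op, attr, values in mods:
        if op == "add":
            entry.setdefault(attr, []).extend(values)
        elif op == "replace":                              # replaces ALL existing values
            entry[attr] = list(values)
        else:                                              # delete listed values, or all of them
            entry[attr] = [v for v in entry.get(attr, []) if values and v not in values]
        if not entry[attr]: del entry[attr]
    check_schema(entry)
    directory[dn] = entry
    return dn

def mod(dn, op, attr, *values):
    """One-operation modify record, the shape used throughout Task 4."""
    return f"dn: {dn}\nchangetype: modify\n{op}: {attr}\n" + "".join(f"{attr}: {v}\n" for v in values)

ADD_RECORD = "dn: cn=Russ Wilson,ou=People,dc=example,dc=com\nchangetype: add\n" + "".join(
    f"{a}: {v}\n" for a, v in [("objectclass", "top"), ("objectclass", "person"),
                               ("objectclass", "organizationalPerson"), ("objectclass", "inetOrgPerson"),
                               ("cn", "Russ Wilson"), ("givenName", "Russ"), ("sn", "Wilson"),
                               ("ou", "Marketing"), ("uid", "rwilson")])

def run_task4():
    """Walk steps 2 to 4j (minus the modrdn in 4c); return rejections, post-replace values, entry."""
    d, out = {}, {}
    dn = apply_change(d, ADD_RECORD)
    apply_change(d, mod(dn, "add", "telephonenumber", "+1 203-555-1662"))           # 4a
    apply_change(d, mod(dn, "add", "employeeNumber", "1001"))                         # 4d (value assumed)
    apply_change(d, mod(dn, "replace", "telephonenumber", "+1 650-555-1662"))        # 4e, new area code
    apply_change(d, mod(dn, "add", "telephonenumber", "+1 650-555-1663"))            # 4f: second phone OK
    for step, rec in (("second_employeeNumber", mod(dn, "add", "employeeNumber", "1002")),
                      ("tshirtsize_without_class", mod(dn, "add", "exampleTShirtSize", "XL"))):
        try:                                                                         # 4f and 4g
            apply_change(d, rec)
            out[step] = "accepted"
        except SchemaViolation as err:
            out[step] = f"rejected: {err}"
    apply_change(d, mod(dn, "add", "objectclass", "examplePerson"))                   # 4h
    apply_change(d, mod(dn, "add", "exampleTShirtSize", "XL"))
    apply_change(d, mod(dn, "add", "exampleTShirtName", "ISO Certification 2005", "Product Launch 2009"))
    apply_change(d, mod(dn, "replace", "exampleTShirtName", "Company Picnic 2006"))  # 4j
    out["after_replace"] = list(d[dn]["exampletshirtname"])     # the 2005 shirt went too
    apply_change(d, mod(dn, "add", "exampleTShirtName", "ISO Certification 2005"))   # add it back
    out["dn"], out["entry"] = dn, d[dn]
    return out
```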


Lab 3: Using Directory Server EE Log Files

Objectives
After completing this lab, you should be able to use Directory Server EE log files
to diagnose LDIF errors.


Exercise: Using Directory Server EE Log Files to Diagnose
LDIF Errors
In this exercise, you run the ldapmodify utility, using as input a series of LDIF
files. Some of these LDIF files have errors. You monitor the directory server
access log and observe the success or failure of the ldapmodify utility, and
explain how you would fix the problems.
You also configure logging options using DSCC and the dsconf utility, and you
use the logconv utility to analyze the access log file.
Perform the following tasks:
Task 1: Restarting Zones and Servers
Task 2: Using the Directory Server EE Logs to Diagnose LDIF Errors
Task 3: Configuring Logging Options
Task 4: Using the logconv Utility to Analyze Directory Server EE Access
Logs

Preparation
Prerequisite Labs
The following labs are prerequisites for performing this lab:
Introducing Oracle Directory Server EE 11gR1
Searching and Modifying Directory Content
The task to prepare your lab system depends on whether you performed the
prerequisite labs, and whether you have performed other labs, in addition to the
prerequisite labs.

Assessing the State of Your Lab System
Using Table A-2 on page A-7 in Working With the Solaris Sandbox, assess the
state of your lab system, then take any additional actions described in the table.


Task 1: Restarting Zones and Servers
If your lab system was not in the Ready to Go, Powered Up state, you need to
bring up zones and start servers.
Perform the following steps if your lab system was not in the Ready to Go,
Powered Up state:
1. Start and log in to the zone01 zone.
For explicit instructions for starting and logging in to zones, refer to Zone
Management Commands in the Solaris Sandbox on page A-3.

2. Start the following servers:
The CACAO server: refer to Starting the Common Agent
Container (CACAO) on page A-4.
The DSCC registry directory server instance: refer to Starting the
DSCC Registry Directory Server Instance on page A-4.
The Tomcat Web container that hosts the DSCC Web application:
refer to Starting the Tomcat Web Container That Hosts the DSCC
Web Application on page A-4.
The dsm1 directory server instance: refer to Starting the dsm1
Directory Server Instance on page A-4.

You perform the rest of this lab in the zone01 zone.


Task 2: Using the Directory Server EE Logs to
Diagnose LDIF Errors
In this task, you use DSCC to locate the Directory Server EE logs. Then you use
the Directory Server EE logs to diagnose LDIF errors.
When you observe errors while performing the steps in this lab, record the error
message in the space provided, along with the corresponding entry in the access
log. Review the LDIF file, determine what is wrong with the file, and what
should be done to correct it.
Complete the following steps in the zone01 zone:
1. Acquaint yourself with the location of logging information for the dsm1
(zone01:1389) instance:
a. Log in to DSCC by navigating to the following URL:
http://zone01.example.com:8080/dscc
The Directory Service Manager user ID is admin, and the password is
sunlearning.
The Common Tasks page appears.

b. Select View Directory Server Logs.

c. Select zone01:1389 from the Server list.

d. Click OK.

Note: If the error message Error occurred searching the logs for
the server appears, select Click here to update authentication. When
prompted, enter root as the user ID and cangetin as the password and click
OK.
e. Select the Access Logs subtab.


f. Maximize the DSCC window so that you can view as much
information from the access log as possible. In Firefox browsers, press
F11 for full-screen. Other browsers use other keys.
Refer to the access log information as you complete the remaining
steps of this task. Refresh your browser window as necessary to
update the log display.

Note: Directory Server EE log files are maintained in the /local/dsm1/logs
directory. If you prefer to use a terminal window to examine the logs, use the
tail -f access command to view the access log. By default, logging data is
buffered. Therefore, it might take a while for log entries to appear in the log.
2. In a terminal window, import the ldif1.ldif file by using the following
command:
# ldapmodify -p 1389 -D "cn=Directory Manager" \
-w sunlearning -f /opt/ses/shared/lab/ldif1.ldif

Note: Whenever you see lines in command examples ending in \ in these labs,
enter them as a single command in your terminal session. Do not enter the \ as
part of the command.
The import operation should work correctly. What message did you
receive?
Message: ____________________________________________________
What corresponding entries appeared in the access log?
Access log entry: _____________________________________________
Note: When reviewing log entries using DSCC, try the following:
1. Observe that the adding new entry uid=jabrown message appeared in
the terminal window after you ran the ldapmodify command.
2. In the DSCC Access Logs page, enter the string jabrown in the Only Show
Entries Containing field.
3. Click Search. A single entry appears in the Log Viewer Results table,
indicating that the ADD operation completed successfully.
4. Note the connection number to the right of the ADD message. Enter that
connection number in the Only Show Entries Containing field. Click Search.


All the log entries associated with the ldapmodify command execution now
appear in the Log Viewer Results table. In some cases, extraneous entries might
also appear in the Log Viewer Results table.
3. Import the ldif2.ldif file. What happens?
Message: ____________________________________________________
Access log entry: _____________________________________________
What is wrong? ______________________________________________
How would you fix the problem?
_____________________________________________________________
_____________________________________________________________

4. Import the ldif3.ldif file. What happens?
Message: ____________________________________________________
Access log entry: _____________________________________________
Error log entry:_______________________________________________
What is wrong? ______________________________________________
How would you fix the problem?
_____________________________________________________________
_____________________________________________________________

5. Import the ldif4.ldif file. What happens?
Message: ____________________________________________________
Access log entry: _____________________________________________
Error log entry:_______________________________________________
What is wrong? ______________________________________________
How would you fix the problem?
_____________________________________________________________
_____________________________________________________________


6. Import the ldif5.ldif file. What happens?
Message: ____________________________________________________
Access log entry: _____________________________________________
What is wrong? _______________________________________________
How would you fix the problem?
_____________________________________________________________
_____________________________________________________________
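The log-review procedure in the Note to step 2 (search for a string, take its connection number, then list every entry of that connection) as an added Python example, not part of the lab guide. The sample lines are constructed in the access-log layout ([timestamp] conn= op= msgId= - request or RESULT); the second connection's err=65 (objectClassViolation) is an assumed failure, not the outcome of any of the ldifN.ldif files in this task.

```python
"""Correlate Directory Server access-log entries by connection, as the DSCC
note in step 2 does by hand. Added example, not from the Oracle lab guide; the
SAMPLE_LOG lines are constructed in the access-log layout, and the err=65
result on conn=13 is an assumed failure, not one produced by the lab's files."""
import re

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>-?\d+) op=(?P<op>-?\d+) "
                  r"msgId=(?P<msgid>-?\d+) - (?P<rest>.*)$")

SAMPLE_LOG = """\
[20/Sep/2010:10:15:02 -0700] conn=12 op=-1 msgId=-1 - fd=64 slot=64 LDAP connection from 127.0.0.1:41022 to 127.0.0.1
[20/Sep/2010:10:15:02 -0700] conn=12 op=0 msgId=1 - BIND dn="cn=Directory Manager" method=128 version=3
[20/Sep/2010:10:15:02 -0700] conn=12 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0
[20/Sep/2010:10:15:02 -0700] conn=12 op=1 msgId=2 - ADD dn="uid=jabrown,ou=People,dc=example,dc=com"
[20/Sep/2010:10:15:02 -0700] conn=12 op=1 msgId=2 - RESULT err=0 tag=105 nentries=0 etime=0
[20/Sep/2010:10:15:02 -0700] conn=12 op=2 msgId=3 - UNBIND
[20/Sep/2010:10:15:02 -0700] conn=12 op=2 msgId=-1 - closing - U1
[20/Sep/2010:10:16:40 -0700] conn=13 op=-1 msgId=-1 - fd=64 slot=64 LDAP connection from 127.0.0.1:41030 to 127.0.0.1
[20/Sep/2010:10:16:40 -0700] conn=13 op=0 msgId=1 - BIND dn="cn=Directory Manager" method=128 version=3
[20/Sep/2010:10:16:40 -0700] conn=13 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0
[20/Sep/2010:10:16:40 -0700] conn=13 op=1 msgId=2 - ADD dn="uid=tuser,ou=People,dc=example,dc=com"
[20/Sep/2010:10:16:40 -0700] conn=13 op=1 msgId=2 - RESULT err=65 tag=105 nentries=0 etime=0
[20/Sep/2010:10:16:40 -0700] conn=13 op=2 msgId=3 - UNBIND
[20/Sep/2010:10:16:40 -0700] conn=13 op=2 msgId=-1 - closing - U1
"""


def parse_access_log(text):
    """One dict per parseable line (ts, conn, op, msgid, rest); other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["conn"], rec["op"] = int(rec["conn"]), int(rec["op"])
            records.append(rec)
    return records


def connection_of(records, needle):
    """Connection number of the first entry containing `needle` (the 'jabrown' step), or None."""
    return next((r["conn"] for r in records if needle in r["rest"]), None)


def entries_for_connection(records, conn):
    """Every entry of one connection, from the connection line to 'closing' (the last step of the note)."""
    return [r for r in records if r["conn"] == conn]


def failed_operations(records):
    """Pair each non-zero RESULT with the request of the same conn/op: [(conn, op, request, err)]."""
    requests = {(r["conn"], r["op"]): r["rest"] for r in records
                if r["op"] >= 0 and not r["rest"].startswith("RESULT")}
    failures = []
    for r in records:
        m = re.match(r"RESULT err=(\d+)", r["rest"])
        if m and int(m.group(1)) != 0:
            failures.append((r["conn"], r["op"], requests.get((r["conn"], r["op"])), int(m.group(1))))
    return failures


if __name__ == "__main__":
    recs = parse_access_log(SAMPLE_LOG)
    conn = connection_of(recs, "jabrown")
    for r in entries_for_connection(recs, conn):
        print(r["conn"], r["op"], r["rest"])
    print(failed_operations(recs))
```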

Task 3: Configuring Logging Options
In this task, you view and configure logging options using a variety of methods,
including using DSCC, using command-line tools, and directly viewing the
dse.ldif file.
Using the different methods lets you continue to familiarize yourself with
Directory Server EE configuration techniques.
Complete the following steps in the zone01 zone:
1. Enter the following command in a terminal window:
echo sunlearning > /opt/dsee7/pwd
When running the dsconf utility, you are prompted for the DSCC
administrator's password to execute the command. Running the dsconf
utility with the -w passwordfile option makes it unnecessary to enter
the password.

2. View error logging configuration properties:
a. View the current error log settings by viewing the error log attributes
in dse.ldif and by running the dsconf utility:
# cd /local/dsm1/config
# grep errorlog dse.ldif
# dsconf get-log-prop -p 1389 -w /opt/dsee7/pwd \
error


b. Record the logging configuration attribute values in Table 3-1. Several
attributes do not appear in the dse.ldif file. You record these values
later in this lab.

Table 3-1  Configurable Error Log Property Names

dse.ldif File Attribute Name             dsconf Utility Property Name   Value in the dse.ldif File (if any)   Value as Reported by the dsconf Utility
nsslapd-errorlog                         path                           ____________________________          ____________________________
nsslapd-errorlog-logging-enabled         enabled                        ____________________________          ____________________________
nsslapd-errorlog-maxlogsperdir           max-file-count                 ____________________________          ____________________________
nsslapd-errorlog-maxlogsize              max-size                       ____________________________          ____________________________
nsslapd-errorlog-logrotationtime         rotation-time                  ____________________________          ____________________________
nsslapd-errorlog-expirationtime          max-age                        ____________________________          ____________________________
nsslapd-errorlog-logrotationtimeunit     rotation-interval              ____________________________          ____________________________
nsslapd-errorlog-level                   level                          ____________________________          ____________________________
nsslapd-errorlog-logexpirationtimeunit   max-age                        ____________________________          ____________________________
nsslapd-errorlog-logminfreediskspace     min-free-disk-space-size       ____________________________          ____________________________
nsslapd-errorlog-logmaxdiskspace         max-disk-space-size            ____________________________          ____________________________
nsslapd-errorlog-permissions             perm                           ____________________________          ____________________________
nsslapd-infolog-level                    verbose-enabled                ____________________________          ____________________________


   c. In DSCC, select the Server Configuration tab.
   d. Select the Error Logging subtab.
3. Change error logging settings in DSCC as follows:
   Verbose Logging: Select the Enabled check box.
   Note: Enabling verbose logging negatively affects performance of directory
   server instances. You should enable verbose logging only when needed for
   troubleshooting or other analysis.
   Log File Permissions: Type 640 to let group members view the error
   logs.
   Max Number of Log Files: Type 5.
   Time-based Log Deletion:
      Select Delete Log Files When Log Age Exceeded.
      Type 1 and select week(s).
   File Size Based Log Deletion:
      Select Delete Log Files When Size Limit Exceeded.
      Size Limit: Type 300.
   Click Save.
4. Confirm that your changes have been updated in the dse.ldif file:
   # cd /local/dsm1/config
   # grep errorlog dse.ldif
   Attributes that were not present when you performed step 2a now
   appear in the grep command output.
5. View your changes using the dsconf utility:
   # dsconf get-log-prop -p 1389 -w /opt/dsee7/pwd error
   The modified configuration attribute values appear in the dsconf command
   output.
6. Configure audit logging:
   a. Observe that you cannot currently determine the status of audit
      logging by viewing the audit logging attributes in the dse.ldif file:
      # cd /local/dsm1/config
      # grep auditlog dse.ldif
      Most of the audit logging attributes do not exist in the dse.ldif file
      by default.


   b. The nsslapd-auditlog-logging-enabled attribute determines
      whether audit logging is enabled. This attribute is not specified in the
      default dse.ldif file. Determine the status of audit logging using the
      ldapsearch utility to query for this attribute:
      # ldapsearch -D "cn=Directory Manager" \
      -w sunlearning -p 1389 -b cn=config -s base \
      "objectclass=*" nsslapd-auditlog-logging-enabled
   c. Use the dsconf utility to determine the audit logging settings:
      # dsconf get-log-prop -p 1389 -w /opt/dsee7/pwd \
      audit
   d. Enable audit logging with the dsconf utility:
      # dsconf set-log-prop -p 1389 -w /opt/dsee7/pwd \
      audit enabled:on
   e. Confirm your change:
      # dsconf get-log-prop -p 1389 -w /opt/dsee7/pwd \
      audit
7. Modify access logging configuration settings:
   a. Determine the current access logging settings:
      # dsconf get-log-prop -p 1389 -w /opt/dsee7/pwd \
      access
   b. Change the file size-based log rotation size limit to 300 MB and the
      file size-based log deletion size limit to 1000 MB:
      # dsconf set-log-prop -p 1389 -w /opt/dsee7/pwd \
      access max-size:300M max-disk-space-size:1000M

8. Rotate the access log using DSCC:
   a. Select the Access Logging subtab.
   b. Click Rotate Log File Now.
   c. Click OK to respond to the confirmation message.
   d. Click Close after log file rotation has completed.
9. View the audit logs to determine which attributes or entries were modified
   or added when you performed steps 7 and 8.
   # cd /local/dsm1/logs
   # more audit


10. Disable audit logging:
    # dsconf set-log-prop -p 1389 -w /opt/dsee7/pwd \
    audit enabled:off
11. Verify that audit logging is disabled:
    # dsconf get-log-prop -p 1389 -w /opt/dsee7/pwd audit
12. Log out of DSCC.
Caution: Audit logging negatively affects performance of directory server
instances. Audit logging should only be enabled when you need to log changes to
the directory data. For example, if you want to determine how a particular
application is modifying directory data, you might want to temporarily turn on
audit logging to capture a set of the changes, then disable audit logging.
You can re-enable audit logging to help with troubleshooting at any time while
doing these labs.

Task 4 Using the logconv Utility to Analyze Directory Server EE Access Logs

In this task, you use the Directory Server Resource Kit logconv utility to
analyze the Directory Server EE access logs.
Complete the following steps in the zone01 zone:
1. Change directories to the location of the access logs and view the log file
   names:
   # cd /local/dsm1/logs
   # ls
   The ls command output includes the rotated access log file, the file
   named access.datestamp.


2. View a basic analysis of the rotated access log using the logconv utility:
   # logconv access.datestamp
   SunOne Access Log Analyzer 5.2
   Initializing Variables...
   Processing 1 Access Log(s)...
   access.20090511-093437 (Total Lines: 2241)
   1000 Lines Processed
   2000 Lines Processed
   2241 Lines Processed
   Lines Processed:                  2241
   Total Lines Analyzed:             2241

   ----------- Access Log Output -----------
   Start of Log:                     11/May/2009:09:36:33
   End of Log:                       11/May/2009:14:18:50

   Restarts:

   Opened Connections:               147
   Closed Connections:               288
   SSL Connections:                  0

   Total Operations:                 770
   Total Results:                    772
   Overall Performance:              100.3%
   Most Pending Operations:          2

   Searches:                         482 (0.028/sec)
   Modifications:                    14 (0.001/sec)
   Adds:                             14 (0.001/sec)
   Deletes:                          0 (0.000/sec)
   Mod RDNs:                         1 (0.000/sec)
   Compares:                         0 (0.000/sec)

   Extended Operations:              119
   Proxied Auth Operations:          0
   Internal Operations:              0
   Entry Operations:                 0

   Persistent Searches:              0
   Abandoned Requests:               1

   VLV Operations:                   0
   VLV Unindexed Searches:           0
   SORT Operations:                  0

   Entire Search Base Queries:       1
   Smart Referrals Received:         0
   Search-Tune Searches:             0
   Unindexed Searches:               0

   FDs Taken:                        147
   FDs Returned:                     288
   Highest FD Taken:                 34

   Broken Pipes:                     0
   Connections Reset By Peer:        0
   Resource Unavailable:             0
   Ber Decoding Errors:              0
   Unsupported Critical Exts:        0

   Binds:                            140
   Unbinds:                          144

   LDAP v2 Binds:                    0
   LDAP v3 Binds:                    140
   Expired Password Logins:          0
   SSL Client Binds:                 0
   Failed SSL Client Binds:          0
   SASL Binds:                       0

   Directory Manager Binds:          32
   Anonymous Binds:                  0
   Other Binds:                      108
3. View a detailed analysis of the rotated access log using the logconv utility:
   # logconv -V access.datestamp
   This shows many of the Top 20 statistics, such as Most Frequent etimes,
   Longest etimes, Largest nentries, Requested Attributes, and so on.


Exercise Summary

Discussion: Take a few minutes to discuss what experiences, issues, or
discoveries you had during the lab exercise.

Experiences

Interpretations

Conclusions

Applications


Exercise Solutions
The following section provides solutions to questions in the lab.
Compare your answers to:
   Steps 2 through 6 in Task 2
   Step 2b in Task 3

Task 2 Using the Directory Server EE Logs to Diagnose LDIF Errors

In this task, you use the Directory Server EE logs to diagnose LDIF errors.
2. In a terminal window, import the ldif1.ldif file by using the following
   command:
   # ldapmodify -p 1389 -D "cn=Directory Manager" \
   -w sunlearning -f /opt/ses/lab/ldif1.ldif
   The import operation should work correctly. What message did you
   receive?
   Message:
   Added new entry uid=jabrown,ou=people,dc=example,dc=com
   What corresponding entries appeared in the access log?
   Access log entry:
   ADD dn="uid=jabrown,ou=People,dc=example,dc=com"
   RESULT err=0 tag=105 nentries=0 etime=0


3. Import the ldif2.ldif file. What happens?
   Message:
   No such object
   Access log entry:
   ADD dn="uid=jbbrown,ou=People,o=example.com"
   RESULT err=32 tag=105 nentries=0 etime=0
   What is wrong?
   DN calls for domain o=example.com.
   How would you fix the problem?
   DN should call for domain dc=example,dc=com.
4. Import the ldif3.ldif file. What happens?
   Message:
   Object class violation
   Access log entry:
   ADD dn="uid=jcbrown,ou=People,dc=example,dc=com"
   RESULT err=65 tag=105 nentries=0 etime=0
   Error log entry:
   User error: Entry
   "uid=jcbrown,ou=People,dc=example,dc=com",
   attribute exampletshirtnam is not allowed
   What is wrong?
   Attribute name is exampleTShirtNam.
   How would you fix the problem?
   Attribute name should be exampleTshirtName.


5. Import the ldif4.ldif file. What happens?
   Message:
   Object class violation
   Access log entry:
   ADD dn="uid=jdbrown,ou=People,dc=example,dc=com"
   RESULT err=65 tag=105 nentries=0 etime=0
   Error log entry:
   User error: Entry
   "uid=jdbrown,ou=People,dc=example,dc=com", single-valued attribute exampleTshirtSize has multiple
   values
   What is wrong?
   exampleTShirtSize is a single-valued attribute.
   How would you fix the problem?
   Remove one of the two entries for exampleTShirtSize.
6. Import the ldif5.ldif file. What happens?
   Message:
   Already exists
   Access log entry:
   ADD dn="uid=scarter,ou=People,dc=example,dc=com"
   RESULT err=68 tag=105 nentries=0 etime=0
   What is wrong?
   Entry already exists for Sam Carter.
   How would you fix the problem?
   To add or change attributes for entry Sam Carter, use the
   changetype: modify option of the ldapmodify utility.
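The correlation these solutions do by hand (matching each ADD line to the RESULT err= code of the same conn and op) and the counts logconv reports in Task 4 can be scripted. The following Python is an added example, not part of the lab guide or of the Directory Server Resource Kit; it runs on a constructed access-log excerpt embedded in the script, and its function and variable names are its own.

```python
"""Added example: pair Directory Server EE access-log requests with their
RESULT lines, then summarize them the way logconv does."""
import re
from collections import Counter

# Constructed sample in the Directory Server EE access-log format; it is not
# the lab's real log. The four ADD operations reproduce the result codes the
# lab diagnoses (0, 32, 65, 68); conn=16 has no RESULT line, so it is pending.
SAMPLE_ACCESS_LOG = """\
[11/May/2009:09:36:33 -0700] conn=12 op=-1 msgId=-1 - fd=34 slot=34 LDAP connection from 127.0.0.1 to 127.0.0.1
[11/May/2009:09:36:33 -0700] conn=12 op=0 msgId=1 - BIND dn="cn=Directory Manager" method=128 version=3
[11/May/2009:09:36:33 -0700] conn=12 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[11/May/2009:09:36:34 -0700] conn=12 op=1 msgId=2 - ADD dn="uid=jabrown,ou=People,dc=example,dc=com"
[11/May/2009:09:36:34 -0700] conn=12 op=1 msgId=2 - RESULT err=0 tag=105 nentries=0 etime=0
[11/May/2009:09:36:40 -0700] conn=13 op=0 msgId=1 - BIND dn="cn=Directory Manager" method=128 version=3
[11/May/2009:09:36:40 -0700] conn=13 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[11/May/2009:09:36:41 -0700] conn=13 op=1 msgId=2 - ADD dn="uid=jbbrown,ou=People,o=example.com"
[11/May/2009:09:36:41 -0700] conn=13 op=1 msgId=2 - RESULT err=32 tag=105 nentries=0 etime=0
[11/May/2009:09:37:02 -0700] conn=14 op=0 msgId=1 - BIND dn="" method=128 version=3
[11/May/2009:09:37:02 -0700] conn=14 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0
[11/May/2009:09:37:02 -0700] conn=14 op=1 msgId=2 - SRCH base="dc=example,dc=com" scope=2 filter="(uid=scarter)" attrs=ALL
[11/May/2009:09:37:02 -0700] conn=14 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
[11/May/2009:09:37:10 -0700] conn=15 op=1 msgId=2 - ADD dn="uid=jcbrown,ou=People,dc=example,dc=com"
[11/May/2009:09:37:10 -0700] conn=15 op=1 msgId=2 - RESULT err=65 tag=105 nentries=0 etime=0
[11/May/2009:09:37:20 -0700] conn=15 op=2 msgId=3 - ADD dn="uid=scarter,ou=People,dc=example,dc=com"
[11/May/2009:09:37:20 -0700] conn=15 op=2 msgId=3 - RESULT err=68 tag=105 nentries=0 etime=0
[11/May/2009:09:37:31 -0700] conn=16 op=1 msgId=2 - SRCH base="dc=example,dc=com" scope=2 filter="(objectClass=*)" attrs=ALL
"""

# Result codes as ldapmodify names them in the lab solutions.
RESULT_CODES = {0: "Success", 32: "No such object",
                65: "Object class violation", 68: "Already exists"}

REQUEST_KINDS = {"BIND", "ADD", "SRCH", "MOD", "DEL", "MODRDN", "CMP", "EXT", "ABANDON"}

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>-?\d+) op=(?P<op>-?\d+) "
                     r"msgId=-?\d+ - (?P<body>.*)$")
DN_RE = re.compile(r'dn="([^"]*)"')


def parse_operations(log_text):
    """Pair each request line with its RESULT line on the (conn, op) key.

    Every returned dict has conn, op, kind, detail and err; err is None when no
    RESULT was logged for the request, which logconv counts as a pending operation.
    """
    pending, completed = {}, []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        key, body = (int(m["conn"]), int(m["op"])), m["body"]
        kind = body.split(" ", 1)[0]
        if kind == "RESULT":
            req = pending.pop(key, None)
            if req is None:       # request predates this log file; nothing to pair
                continue
            err = re.search(r"\berr=(\d+)", body)
            req["err"] = int(err.group(1)) if err else None
            completed.append(req)
        elif kind in REQUEST_KINDS:
            pending[key] = {"conn": key[0], "op": key[1], "kind": kind,
                            "detail": body, "err": None}
    return completed + list(pending.values())


def bind_class(detail):
    """Classify a BIND request as logconv reports it: Directory Manager, anonymous or other."""
    m = DN_RE.search(detail)
    dn = m.group(1) if m else ""
    if dn == "":
        return "anonymous"
    return "directory_manager" if dn.lower() == "cn=directory manager" else "other"


def summarize(log_text):
    """Return (counts, failures): per-kind counters plus every non-zero RESULT with its DN."""
    counts, failures = Counter(), []
    for op in parse_operations(log_text):
        counts[op["kind"]] += 1
        if op["kind"] == "BIND":
            counts["bind_" + bind_class(op["detail"])] += 1
        if op["err"] is None:
            counts["pending"] += 1
            continue
        counts["results"] += 1
        if op["err"] != 0:
            dn = DN_RE.search(op["detail"])
            failures.append({"conn": op["conn"], "op": op["op"], "kind": op["kind"],
                             "dn": dn.group(1) if dn else "", "err": op["err"],
                             "name": RESULT_CODES.get(op["err"], "unknown")})
    return dict(counts), failures


if __name__ == "__main__":
    counts, failures = summarize(SAMPLE_ACCESS_LOG)
    for key in sorted(counts):
        print(f"{key:<24}{counts[key]}")
    for f in failures:
        print(f'conn={f["conn"]} op={f["op"]} {f["kind"]} dn="{f["dn"]}" err={f["err"]} ({f["name"]})')
```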


Task 3 Configuring Logging Options

2. View error logging configuration properties:
   b. Record the logging configuration attribute values in Table 3-1. Several
      attributes do not appear in the dse.ldif file. You record these values
      later in this lab.

Table 3-1  Configurable Error Log Property Names

dse.ldif File Attribute Name            | dsconf Utility Property Name | Value in the dse.ldif File (if any) | Value as Reported by the dsconf Utility
----------------------------------------|------------------------------|-------------------------------------|----------------------------------------
nsslapd-errorlog                        | path                         | /local/dsm1/logs/errors             | /local/dsm1/logs/errors
nsslapd-errorlog-logging-enabled        | enabled                      | on                                  | on
nsslapd-errorlog-maxlogsperdir          | max-file-count               |                                     |
nsslapd-errorlog-maxlogsize             | max-size                     | 100                                 | 100M
nsslapd-errorlog-logrotationtime        | rotation-time                |                                     | undefined
nsslapd-errorlog-expirationtime         | max-age                      | (no value)                          | 1M
nsslapd-errorlog-logrotationtimeunit    | rotation-interval            | week                                | 1w
nsslapd-errorlog-level                  | level                        | (no value)                          | default
nsslapd-errorlog-logexpirationtimeunit  | max-age                      | (no value)                          | 1M
nsslapd-errorlog-logminfreediskspace    | min-free-diskspace-size      | (no value)                          | 5M
nsslapd-errorlog-logmaxdiskspace        | max-disk-space-size          | (no value)                          | 100M
nsslapd-errorlog-permissions            | perm                         | (no value)                          | 600
nsslapd-infolog-level                   | verbose-enabled              | (no value)                          | off


Securing Directory Server EE Access



Lab 4

Objectives
After completing this lab, you should be able to:

Diagnose ACI problems

Configure connection-based access control


Exercise 1: Diagnosing ACI Problems

In this exercise, you uncover some problems with the ACIs in the
dc=example,dc=com suffix by viewing the permissions that Jeff Vedder and
Sam Carter have on their own directory entries. You then examine the ACIs in the
directory to uncover the problems.
Use the values in Table 4-1 in this exercise. Ask your instructor for any additional
values that have not been provided.

Table 4-1  Required Passwords and User IDs

Information                 Value
Jeff Vedder's user ID       jvedder
Jeff Vedder's password      befitting
Sam Carter's user ID        scarter
Sam Carter's password       sprain
Chris Schmith's user ID     cschmith
Chris Schmith's password    hypotenuse

Perform the following tasks:
   Task 1 Restarting Zones and Servers
   Task 2 Fixing an ACI
   Task 3 Retrieving Jeff Vedder's Directory Access Permissions
   Task 4 Retrieving Sam Carter's Directory Access Permissions
   Task 5 Examining Current ACIs to Find the Cause of Problems
   Task 6 Planning Your ACI Changes
   Task 7 Making ACI Modifications
   Task 8 Verifying That Your ACI Changes Fixed the Problems


Preparation
Prerequisite Labs
The following labs are prerequisites for performing this lab:
   Introducing Oracle Directory Server EE 11gR1
   Searching and Modifying Directory Content
   Using Directory Server EE Log Files
The task to prepare your lab system depends on whether you performed the
prerequisite labs, and whether you have performed other labs, in addition to the
prerequisite labs.

Assessing the State of Your Lab System

Using Table A-2 on page A-7 in "Working With the Solaris Sandbox," assess the
state of your lab system, then take any additional actions described in the table.

Task 1 Restarting Zones and Servers

If your lab system was not in the "Ready to Go, Powered Up" state, you need to
bring up zones and start servers.
Perform the following steps if your lab system was not in the "Ready to Go,
Powered Up" state:
1. Start and log in to the zone01 zone.
   For explicit instructions for starting and logging in to zones, refer to "Zone
   Management Commands in the Solaris Sandbox" on page A-3.


2. Start the following servers:
   The CACAO server: Refer to "Starting the Common Agent
   Container (CACAO)" on page A-4.
   The DSCC registry directory server instance: Refer to "Starting the
   DSCC Registry Directory Server Instance" on page A-4.
   The Tomcat Web container that hosts the DSCC Web application:
   Refer to "Starting the Tomcat Web Container That Hosts the DSCC
   Web Application" on page A-4.
   The dsm1 directory server instance: Refer to "Starting the dsm1
   Directory Server Instance" on page A-4.
You perform the rest of this lab in the zone01 and zone02 zones. Detailed
instructions are provided when the zone02 zone is required.

Task 2 Fixing an ACI

In this task, you make an existing ACI more restrictive.
Complete the following steps in the zone01 zone:
Caution: The ACIs modified in this chapter are done so for demonstration
purposes only. They are in no way an attempt at a complete security policy and
are in no way a recommendation.
1. Log in to DSCC.
   The Common Tasks page appears.
2. Select Manage Registered Directory Servers.
3. Select the zone01:1389 server.
   The zone01:1389 page appears.
4. Select the Entry Management tab.


5. Select the Access Control subtab.
6. Select the link for the rule labelled "Allow self entry modification except
   for nsroledn, aci, resource limit attributes, passwordPolicySubentry and
   password policy state attributes."
   What does this ACI do?
   _________________________________________________________
   _________________________________________________________
   Why should this rule be made more restrictive?
   _________________________________________________________
   _________________________________________________________
   In subsequent steps, you make the rule more restrictive.
7. Edit the syntax so that the targetattr section reads as follows:
   (targetattr="nsroledn || aci")
   Be sure to change the string != to = in the ACI.
8. The rule also says:
   allow(write)
   Edit the line to read:
   deny(write)
9. Edit the description section to read as follows:
   acl "Deny self entry modification for nsroledn and aci"
10. Click Check Syntax.
    If the ACI syntax is incorrect, correct it, recheck the syntax, and click
    OK.
    If the ACI syntax is correct, click OK.
11. If a dialog box with the message "readwrite" appears, click OK.
Note: A dialog box with the message "readwrite" occasionally appears when
working in the DSCC Access Control subtab due to Directory Server EE bug
number 6803995. The dialog box should never appear. If this dialog box appears
at any point during this lab or any other lab, click OK.


Task 3 Retrieving Jeff Vedder's Directory Access Permissions

In this task, you retrieve Jeff Vedder's directory access permissions.
Complete the following steps in the zone01 zone:
1. In a terminal window, execute the ldapsearch utility with the
   -X option to get the effective rights list for user jvedder:
   # ldapsearch -p 1389 \
   -D "cn=Directory Manager" -w sunlearning \
   -c "dn: uid=jvedder,ou=People,dc=example,dc=com" \
   -X "mobile pager title" -b dc=example,dc=com \
   uid=jvedder aclRights
2. Is Jeff Vedder able to modify his own mobile phone number, pager number,
   and title in his directory entry?
   _________________________________________________________

Task 4 Retrieving Sam Carter's Directory Access Permissions

In this task, you retrieve Sam Carter's directory access permissions.
Complete the following steps in the zone01 zone:
1. In a terminal window, execute the ldapsearch utility with the
   -X option to get the effective rights list for user scarter:
   # ldapsearch -p 1389 -D "cn=Directory Manager" \
   -w sunlearning \
   -c "dn: uid=scarter,ou=People,dc=example,dc=com" \
   -X "mobile pager title" -b dc=example,dc=com \
   uid=scarter aclRights
2. Is Sam Carter able to modify his own mobile phone number, pager number,
   and title in his directory entry?
   _________________________________________________________


Task 5 Examining Current ACIs to Find the Cause of Problems

From the preceding tasks, you should have discovered:
   Jeff Vedder is not able to change his title, pager number, or mobile phone
   number.
   Sam Carter is able to change his title, pager number, and mobile phone
   number.
Assume that the desired behavior is for individuals to be able to change their own
pager number or mobile phone number, but only human resources (HR) managers
can change a user's title. As a result, the following changes must be achieved:
   Jeff Vedder should be able to change his pager number and mobile phone
   number.
   Sam Carter should not be able to change his title.
   Only HR managers can change titles.
Complete the following steps in the zone01 zone:
1. View all the ACIs under dc=example,dc=com using the ldapsearch
   utility:
   # ldapsearch -p 1389 -b dc=example,dc=com \
   "aci=*" aci
   In your own words, interpret what each ACI specifies.
   Do not spend too much time on this task. Ask your instructor for help if you
   encounter problems.
   The first ACI is completed for you as an example.
   Under dc=example,dc=com:
   a. ACI 1 (Anonymous access)
      Anonymous access: Anyone (without authenticating) can read,
      search, or compare any entry attributes under dc=example,dc=com
      except for the userpassword, passwordHistory,
      passwordExpirationTime, passwordExpWarned,
      passwordRetryCount, retryCountResetTime,
      accountUnlockTime, and passwordAllowChangeTime
      attributes.


b.

ACI 2 (Directory Administrators Group)


________________________________________________________
________________________________________________________

c.

ACI 3 (Deny self entry modification for nsroledn and aci)


________________________________________________________
________________________________________________________

Under ou=People,dc=example,dc=com:
d.

ACI 1 (Allow self entry modification)


________________________________________________________
________________________________________________________

e.

ACI 2 (Accounting Managers Group Permissions)


________________________________________________________
________________________________________________________

f.

ACI 3 (HR Group Permissions)


________________________________________________________
________________________________________________________

g.

ACI 4 (QA Group Permissions)


________________________________________________________
________________________________________________________

h.

ACI 5 (Engineering Group Permissions)


________________________________________________________
________________________________________________________


Task 6 Planning Your ACI Changes

In this task, you plan for ACI changes to let Jeff Vedder change his own pager
and mobile phone numbers and to prevent Sam Carter from changing his own
title.
Assume that you edit and create ACIs with the following general design
principles:
   Use allow statements and avoid deny statements as much as possible.
   If you mix too many allow and deny statements together, it can be
   difficult to untangle all the logic. Because everything is implicitly denied in
   the directory from the start, it can be cleaner and simpler to manage if you
   use only allow statements.
   When setting write permissions, avoid "all attributes except" statements
   (targetattr!=).
   As you begin adding and using new attributes in the future, previous write
   permissions for "all attributes except" can lead to unforeseen problems,
   much like Sam Carter being able to change his title. It can be cleaner and
   easier to manage if you explicitly state which attributes are permitted for
   writing.
Remember, the desired permissions are:
   Everyone should be able to change his or her own pager number and mobile
   phone number.
   Only an HR manager should be able to change a user's title.


Complete the following steps in the zone01 zone:
1. For context, display the following searches in a command window. Note
   that the third search, for jvedder*, is not expected to return anything, but the
   other searches should.
   # ldapsearch -p 1389 -b dc=example,dc=com \
   "uniquemember=uid=scarter*"
   # ldapsearch -p 1389 -b dc=example,dc=com uid=scarter
   # ldapsearch -p 1389 -b dc=example,dc=com \
   "uniquemember=uid=jvedder*"
   # ldapsearch -p 1389 -b dc=example,dc=com uid=jvedder
   # ldapsearch -p 1389 -b dc=example,dc=com \
   "uniquemember=uid=cschmith*"
   # ldapsearch -p 1389 -b dc=example,dc=com uid=cschmith
2. Plan to modify existing ACIs:
   Setting up ACIs for anyone to modify his or her own pager number
   and mobile phone number is relatively easy. Just add the pager and
   mobile attributes to the list of attributes that can be written to in the
   Allow Self Entry Modification ACI. You do this in the next task.
   The group manager ACI statements (Accounting, Engineering, and so
   on) that let Sam Carter change his own title (or anything else you
   might add in the future) are a little more complex. Following the
   preceding design principles, it is better to explicitly decide which
   specific attributes you want the managers to be able to change.
   Assume that it only makes sense to let the accounting managers
   change things like location, room number, and the various phone
   numbers (telephone, pager, mobile, fax). You set this up in the next
   task.
3. Plan for new ACIs:
   After you have fixed existing ACIs that are causing problems, you might
   need to add new ACIs. In the next task, you add an ACI that lets HR
   managers change any Example Chocolates employee's title.
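The two design principles in this task can be checked mechanically before an ACI is saved. The following Python is an added example, not part of the lab guide or of Directory Server EE: it parses ACIs of the form shown in Tasks 2 and 7 and flags deny rules and write grants expressed with targetattr!=. The sample ACIs are constructed to resemble the lab's, and the function names are the example's own.

```python
"""Added example: parse ACIs and check them against the Task 6 design principles
(prefer allow over deny; list writable attributes explicitly rather than targetattr!=)."""
import re

# Constructed ACIs modelled on the ones the lab describes; not copied from the lab server.
SAMPLE_ACIS = [
    '(targetattr!="cn || sn || uid")(version 3.0; acl "Accounting Managers Group Permissions"; '
    'allow (write) groupdn="ldap:///cn=Accounting Managers,ou=groups,dc=example,dc=com";)',
    '(targetattr="l || roomnumber || telephonenumber || facsimiletelephonenumber || pager || mobile")'
    '(version 3.0; acl "Accounting Managers Group Permissions (fixed)"; '
    'allow (write) groupdn="ldap:///cn=Accounting Managers,ou=groups,dc=example,dc=com";)',
    '(targetattr="nsroledn || aci")(version 3.0; acl "Deny self entry modification for nsroledn and aci"; '
    'deny (write) userdn="ldap:///self";)',
    '(target="ldap:///ou=People,dc=example,dc=com")(targetattr="title")(version 3.0; '
    'acl "HR Title Permission"; allow (write) groupdn="ldap:///cn=HR Managers,ou=groups,dc=example,dc=com";)',
]

TARGETATTR_RE = re.compile(r'\(targetattr\s*(?P<op>!?=)\s*"(?P<attrs>[^"]*)"\)')
ACL_NAME_RE = re.compile(r'acl\s+"(?P<name>[^"]*)"')
RULE_RE = re.compile(r'\b(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*(?P<bind>[^;]*);')


def parse_aci(aci):
    """Split an ACI into its acl name, targetattr operator and list, and permission rules."""
    ta = TARGETATTR_RE.search(aci)
    name = ACL_NAME_RE.search(aci)
    # Permission rules follow the acl name; searching from there keeps words in the
    # name (such as "Deny" or "Allow") from being mistaken for rules.
    rules_text = aci[name.end():] if name else aci
    rules = [{"effect": m["effect"],
              "rights": {r.strip().lower() for r in m["rights"].split(",") if r.strip()},
              "bind_rule": m["bind"].strip()} for m in RULE_RE.finditer(rules_text)]
    return {"name": name["name"] if name else "",
            # An ACI with no targetattr clause targets every attribute, like "*".
            "targetattr_op": ta["op"] if ta else "=",
            "attrs": [a.strip() for a in ta["attrs"].split("||")] if ta else ["*"],
            "rules": rules}


def lint_aci(parsed):
    """Return (code, message) findings for the two design principles; [] means clean."""
    findings = []
    name = parsed["name"]
    for rule in parsed["rules"]:
        writes = "write" in rule["rights"] or "all" in rule["rights"]
        if rule["effect"] == "deny":
            findings.append(("deny-rule",
                             f'"{name}": uses deny; access is denied by default, so express '
                             'the policy with allow rules only'))
        elif writes and parsed["targetattr_op"] == "!=":
            findings.append(("negated-targetattr-write",
                             f'"{name}": allows write to every attribute except '
                             f'{", ".join(parsed["attrs"])}; list the writable attributes explicitly'))
    return findings


def lint_all(acis):
    """Map each ACI's acl name to its findings."""
    return {parse_aci(a)["name"]: lint_aci(parse_aci(a)) for a in acis}


if __name__ == "__main__":
    for acl_name, findings in lint_all(SAMPLE_ACIS).items():
        print(acl_name, "-> OK" if not findings else "")
        for code, msg in findings:
            print(f"  [{code}] {msg}")
```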


Task 7 Making ACI Modifications

In this task, you make an existing ACI more restrictive. You modify the Allow
self-entry modification ACI to allow write access for the pager and mobile
attributes.
Complete the following steps in the zone01 zone:
1. If necessary, navigate to the Access Control subtab for the zone01:1389
   instance in DSCC.
2. Click Allow Self Entry Modification ACI to edit the ACI.
3. Edit the first section of the ACI to include the pager, mobile, and
   exampleTShirtSize attributes:
   (targetattr="userPassword || telephoneNumber ||
   facsimileTelephoneNumber || pager || mobile ||
   exampleTShirtSize")
   a. Click Check Syntax:
      If the ACI syntax is incorrect, correct it, recheck the syntax, and
      click OK.
      If the ACI syntax is correct, click OK.
   b. If a dialog box with the message "readwrite" appears, click OK.
4. Next, modify the Accounting Managers Group Permissions to explicitly
   allow only writing to the location, room number, telephone, fax, pager, and
   mobile phone number attributes:
   a. Select the Accounting Managers Group Permissions ACI.
   b. Verify that the ACI's targetattr clause is as follows:
      (targetattr!="cn || sn || uid")
      Modify the statement to the following:
      (targetattr="l || roomnumber || telephonenumber ||
      facsimiletelephonenumber || pager || mobile")
      Note that != was changed to =, and that the first attribute in the list is
      the letter l, which holds users' locations.
   c. Click Check Syntax:
      If the ACI syntax is incorrect, correct it, recheck the syntax, and
      click OK.
      If the ACI syntax is correct, click OK.


   d. If a dialog box with the message readwrite appears, click OK.

   At this point, if you were correcting the ACIs for all the department managers, you would make the same changes to the ACIs for the Engineering, QA, and HR department manager groups. It is not necessary to make these changes for this exercise.
5. Next, create a new ACI that lets HR Managers change anyone's title:

   a. Click New ACI From Wizard.

   b. If a dialog box with the message readwrite appears, click OK.

   c. The Step 1: Choose ACI Name dialog box appears.

   d. Specify values as follows:

      Name: HR Title Permission

   e. Click Next. The Step 2: Choose Access Rights dialog box appears.

   f. Deselect all rights (including Special Rights) except for the write right.

   g. Click Next. The Step 3: Assign Access Rights dialog box appears.

   h. Select Assign Rights to Specified Users.

   i. Click Enter DN. A dialog box prompting you to enter a DN appears.

   j. Enter the DN of the HR Managers group in the dialog box:

      cn=HR Managers,ou=groups,dc=example,dc=com

   k. Click OK. The DN appears in the Step 3: Assign Access Rights dialog box.

   l. Click Next. The Step 4: Choose Target dialog box appears.

   m. Specify the following values:

      Target DN: ou=People,dc=example,dc=com

      Options: Select ACI Applies to All Entries Below This Entry

   n. Click Next. The Step 5: Choose Attributes dialog box appears.
   o. Select Selected Attributes.

   p. Click Remove All to make sure the Selected Attributes list is empty.
   q. Locate the title attribute in the Available Attributes column. Select the title attribute and click Add to add it to the Selected Attributes column.

   r. Click Next. The Step 6: Specify ACI Location dialog box appears.

   s. Click Next. The Step 7: Summary dialog box appears.

   t. Verify that the ACI has been constructed correctly. The targetattr clause should have the following syntax:

      (targetattr="title")

      The ACI permissions clause should have the following syntax:

      allow (write)

   u. Click Finish.

   v. The ACI is successfully created. Click Close.

   w. If a dialog box with the message readwrite appears, click OK.
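The difference between the two targetattr forms you edited in step 4 is the security point of this task, so here is a small model of it in Python. This is an added example, not Directory Server EE code: it models only the targetattr keyword (the "=" allow-list and "!=" exclusion forms joined with "||"), not targets, bind rules, or permissions, and the list of probe attributes is constructed for illustration. Attribute names are compared case-insensitively, as LDAP attribute types are.

```python
"""Model of how the targetattr clause in a Directory Server ACI selects attributes.

Added teaching example, not Directory Server EE code. It models the targetattr
keyword only: "=" applies the ACI to the listed attributes, "!=" applies it to
every attribute that is NOT listed, including attributes that did not exist when
the ACI was written.
"""
import re

_TARGETATTR = re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)', re.IGNORECASE)

# The two clauses from step 4: the exclusion form the Accounting Managers ACI had
# before the fix, and the explicit allow list it has afterwards.
ACCOUNTING_BEFORE = '(targetattr!="cn || sn || uid")'
ACCOUNTING_AFTER = ('(targetattr="l || roomnumber || telephonenumber || '
                    'facsimiletelephonenumber || pager || mobile")')


def parse_targetattr(clause):
    """Return (operator, frozenset of lower-cased attribute names) for one clause."""
    match = _TARGETATTR.fullmatch(clause.strip())
    if match is None:
        raise ValueError("not a targetattr clause: %r" % clause)
    operator, names = match.groups()
    attrs = frozenset(n.strip().lower() for n in names.split("||") if n.strip())
    return operator, attrs


def clause_targets(clause, attribute):
    """True if the clause makes the ACI apply to `attribute`."""
    operator, attrs = parse_targetattr(clause)
    listed = attribute.lower() in attrs
    return listed if operator == "=" else not listed


def attributes_exposed_by_exclusion(exclusion_clause, allow_clause, candidates):
    """Attributes the '!=' form grants that the '=' allow list does not.

    This is exactly what the fix in step 4 takes away from the accounting managers.
    """
    return sorted(a for a in candidates
                  if clause_targets(exclusion_clause, a)
                  and not clause_targets(allow_clause, a))


if __name__ == "__main__":
    # Constructed list of attributes an accounting manager might try to write.
    probe = ["title", "manager", "userPassword", "pager", "mobile", "uid", "nsRoleDN"]
    print("writable before fix:", [a for a in probe if clause_targets(ACCOUNTING_BEFORE, a)])
    print("writable after fix: ", [a for a in probe if clause_targets(ACCOUNTING_AFTER, a)])
    print("removed by the fix: ",
          attributes_exposed_by_exclusion(ACCOUNTING_BEFORE, ACCOUNTING_AFTER, probe))
```

The same reasoning applies to the self-modification rule: an exclusion list on a self-write ACI silently covers sensitive attributes such as userPassword and nsRoleDN unless each one is named, which is why the lab converts both rules to explicit allow lists.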

Task 8 Verifying That Your ACI Changes Fixed the Problems

Finally, verify that the changes you made to the ACIs control access as expected.

Complete the following steps in the zone01 zone:

1. Review the ACI changes that you just made:

   # ldapsearch -p 1389 -b ou=People,dc=example,dc=com \
   "aci=*" aci | more

   The new HR Title Permission ACI appears at the bottom of the list of ACIs.

2. Review Jeff Vedder's and Sam Carter's directory access permissions using the ldapsearch utility. Use the same technique that you used to view permissions in Task 3 Retrieving Jeff Vedder's Directory Access Permissions on page L4-6 and Task 4 Retrieving Sam Carter's Directory Access Permissions on page L4-6.

3. Review Chris Schmith's directory access permissions using the ldapsearch utility. This user is an HR manager and should have the right to write to the title attribute.
4. Use the ldapmodify utility to verify that your ACI changes are correct. Test the denied cases as well as the allowed ones: a modification that the ACIs should refuse must fail with an insufficient access error rather than succeed silently.

   a. Run the ldapmodify utility, authenticating as Jeff Vedder (uid: jvedder, password: befitting). Confirm that Jeff can change his pager number and mobile phone number, but cannot change his title.

   b. Run the ldapmodify utility, authenticating as Sam Carter (uid: scarter, password: sprain). Confirm that Sam can change his pager number and mobile phone number, but cannot change his title.

   c. Run the ldapmodify utility, authenticating as HR Manager Chris Schmith (uid: cschmith, password: hypotenuse). Confirm that Chris can change Sam Carter's title.

5. Log out of DSCC.
Exercise 2: Configuring Connection-based Access Control

In this exercise, you restrict access to your directory server instance to only specified hosts using the server's support for TCP wrappers (the hosts.allow and hosts.deny access control files). TCP wrappers filter connections by the client's host name or address before any LDAP bind or ACI evaluation takes place, so they complement, rather than replace, the ACIs you configured in Exercise 1.

You test access to the restricted directory server instance from the zone02 zone.

Perform the following task:

Task Configuring Connection-based Access Control

Preparation

There is no special preparation for this exercise.

Task Configuring Connection-based Access Control

In this task, you configure your directory server instance to accept requests only from hosts that you specify.

Complete the following steps in the zone01 and zone02 zones:

1. Open a second terminal window or terminal tab page on your lab system. The new terminal window or tab page's prompt indicates that it accesses the global zone:

   global #

2. In the new terminal window, boot and log in to the zone02 zone:

   global # zoneadm -z zone02 boot
   global # zlogin zone02
   zone02 #

3. Verify that, using the network, you can access the zone01 zone from the zone02 zone:

   zone02 # ping zone01.example.com
4. Verify that you can access the directory server instance running in the zone01 zone from the zone02 zone:

   zone02 # ldapsearch -h zone01.example.com -p 1389 \
   -b dc=example,dc=com -s sub "uid=scarter"

   Sam Carter's directory entry, retrieved from the directory server instance running in the zone01 zone, appears in the zone02 terminal window.

   Note Because you have not installed Directory Server EE in the zone02 zone, you use the Solaris OS version of the ldapsearch utility in the zone02 zone. The Solaris OS version of ldapsearch has sufficient functionality for the tests you perform in the zone02 zone.

5. Use the dsconf utility to set the nsslapd-host-access-dirpath attribute in the directory's cn=config branch. Setting this attribute enables or disables connection-based access control after a directory server restart. Perform the following steps in the zone01 zone:

   a. Set the property using the dsconf utility:

      zone01 # dsconf set-server-prop -p 1389 \
      -w /opt/dsee7/pwd \
      host-access-dir-path:/local/dsm1/config

      The following messages appear in the terminal window:

      "host-access-dir-path" property has been set to
      "/local/dsm1/config".
      The "/local/dsm1/config" directory on localhost
      must contain valid hosts.allow and/or hosts.deny
      files.
      Directory Server must be restarted for changes to
      take effect.

      Note The preceding command fails if you attempt to run it from the zone02 zone.

   b. Restart the directory server instance to enable the configuration change:

      zone01 # dsadm restart /local/dsm1
6. Using any text editor, create a file in the zone01 zone named /local/dsm1/config/hosts.deny with the following contents:

   ALL:ALL

   This file tells the directory server instance to deny all connections from all hosts unless explicitly allowed in the hosts.allow file. The hosts.allow file is consulted first, and a client that matches no rule in either file is allowed; the deny-all rule is what turns the configuration into a closed list.

7. Run the following command from the zone02 zone:

   zone02 # ldapsearch -h zone01.example.com -p 1389 \
   -b dc=example,dc=com -s sub "uid=scarter"

   The error message ldap_result: Can't contact LDAP server appears. Access to the directory server instance in the zone01 zone is denied from the zone02 zone because connection-based access control has been enabled.

8. Using any text editor, create a file in the zone01 zone named /local/dsm1/config/hosts.allow with the following contents:

   ALL: zone01.example.com
   ALL: zone02.example.com

9. In the zone01 zone, change the permissions of the hosts.deny and hosts.allow files so that only the owner can read and write to the files:

   zone01 # chmod 600 /local/dsm1/config/hosts.allow
   zone01 # chmod 600 /local/dsm1/config/hosts.deny

   The files must be owned by the user account that the directory server instance runs as; otherwise the server can no longer read them after this change.

10. Test directory access from the zone01 zone using the ldapsearch utility. Use the ldapsearch utility both with and without the -h parameter:

   a. Run the ldapsearch utility with the -h parameter:

      zone01 # ldapsearch -h zone01.example.com -p 1389 \
      -b dc=example,dc=com -s sub "uid=scarter"

      The ldapsearch utility with the -h parameter succeeds.

   b. Run the ldapsearch utility without the -h parameter:

      zone01 # ldapsearch -p 1389 \
      -b dc=example,dc=com -s sub "uid=scarter"

      The ldapsearch utility without the -h parameter fails because you did not add an entry with the loopback address to the hosts.allow file. Without -h, the utility connects to the local host over the loopback interface, which does not match the zone01.example.com entry.
11. Add the following line to the hosts.allow file in the zone01 zone:

   ALL: LOCALHOST

12. Retest access from your machine's loopback address:

   zone01 # ldapsearch -p 1389 \
   -b dc=example,dc=com -s sub "uid=scarter"

13. Run the following command from the zone02 zone:

   zone02 # ldapsearch -h zone01.example.com -p 1389 \
   -b dc=example,dc=com -s sub "uid=scarter"

   Access to the directory server instance in the zone01 zone should be allowed from the zone02 zone because of the changes you made to the hosts.allow file.

14. Delete the hosts.allow and hosts.deny files. With neither file present, no rule matches any client, so the instance once again accepts connections from every host even though the host-access-dir-path property remains set.

15. Run the following commands from the zone02 and global zones to shut down the zone02 zone and close the second terminal window or tab page:

   zone02 # exit
   global # zoneadm -z zone02 halt
   global # exit
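The per-connection decision you just exercised, replayed as an added example in Python. This is not Directory Server EE or libwrap code: it follows the classic TCP wrappers order (hosts.allow first, then hosts.deny, then allow by default) and models only the patterns the lab uses (ALL, LOCALHOST, an exact host name or address). The daemon name ns-slapd and the host and address values in the replay are assumptions constructed for the example; real libwrap additionally supports domain and network patterns, EXCEPT lists, and shell commands.

```python
"""Model of the hosts.allow / hosts.deny decision made for each incoming connection.

Added example, not Directory Server EE or libwrap code. Order of evaluation:
a hosts.allow match grants access, otherwise a hosts.deny match denies it,
otherwise (including when both files are absent) the connection is allowed.
"""


def parse_rules(text):
    """Turn the contents of an access file into (daemon_list, client_list) tuples."""
    rules = []
    for raw in (text or "").splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        rules.append(([d.strip() for d in daemons.split(",") if d.strip()],
                      [c.strip() for c in clients.split(",") if c.strip()]))
    return rules


def _client_matches(pattern, client_host, client_ip):
    token = pattern.upper()
    if token == "ALL":
        return True
    if token == "LOCALHOST":   # the token the lab uses for loopback connections (assumed semantics)
        return client_host.lower() == "localhost" or client_ip == "127.0.0.1"
    return pattern.lower() == client_host.lower() or pattern == client_ip


def _rule_matches(rule, daemon, client_host, client_ip):
    daemons, clients = rule
    daemon_ok = any(d.upper() == "ALL" or d == daemon for d in daemons)
    return daemon_ok and any(_client_matches(c, client_host, client_ip) for c in clients)


def connection_allowed(hosts_allow, hosts_deny, client_host, client_ip="", daemon="ns-slapd"):
    """Decide one connection. Pass None for an access file that does not exist."""
    if any(_rule_matches(r, daemon, client_host, client_ip) for r in parse_rules(hosts_allow)):
        return True
    if any(_rule_matches(r, daemon, client_host, client_ip) for r in parse_rules(hosts_deny)):
        return False
    return True  # no rule matched: the TCP wrappers default is to allow


# The file contents the lab creates, in the order it creates them.
DENY_ALL = "ALL:ALL\n"
ALLOW_ZONES = "ALL: zone01.example.com\nALL: zone02.example.com\n"
ALLOW_ZONES_AND_LOOPBACK = ALLOW_ZONES + "ALL: LOCALHOST\n"


def lab_sequence():
    """Replay steps 6 to 14 of the task and return the decision at each step."""
    return {
        "step7_zone02_deny_only": connection_allowed(None, DENY_ALL, "zone02.example.com"),
        "step10a_zone01_by_name": connection_allowed(ALLOW_ZONES, DENY_ALL, "zone01.example.com"),
        "step10b_loopback": connection_allowed(ALLOW_ZONES, DENY_ALL, "localhost", "127.0.0.1"),
        "step12_loopback_added": connection_allowed(ALLOW_ZONES_AND_LOOPBACK, DENY_ALL,
                                                    "localhost", "127.0.0.1"),
        "step13_zone02": connection_allowed(ALLOW_ZONES_AND_LOOPBACK, DENY_ALL, "zone02.example.com"),
        # constructed outside host, both files deleted
        "step14_files_deleted": connection_allowed(None, None, "outside.example.net", "203.0.113.9"),
    }
```

The last entry of lab_sequence is the caveat behind step 14: removing the files does not "turn off" the feature safely, it re-opens the instance to every host.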

Exercise Summary

Discussion Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

Experiences

Interpretations

Conclusions

Applications
Exercise Solutions

The following section provides solutions to questions in the lab.

Exercise 1: Diagnosing ACI Problems

Compare your answers to:

Step 6 in Task 2

Step 2 in Task 3

Step 2 in Task 4

Step 1 in Task 5

Task 2 Fixing an ACI

6. Select the link for the rule labelled, "Allow self entry modification except for nsroledn, aci, resource limit attributes, passwordPolicySubentry and password policy state attributes."

   What does this ACI do?

   This rule allows anyone to write any attribute in their own entry, except for nsRoleDN, aci, the resource limit attributes, passwordPolicySubentry, and the password policy state attributes. This rule was added by the system; it is not part of the LDIF file that you imported earlier.

   Why should this rule be made more restrictive?

   This rule is too open-ended: it grants write access to every attribute that is not on its short exclusion list, so any attribute added to the schema later becomes self-writable by default. It should be rewritten as an explicit deny of write access to these specific attributes, leaving the Allow Self Entry Modification ACI under ou=People to list the attributes users may change. Make it explicit rather than implicit. In subsequent steps, you must make the rule more restrictive.

Task 3 Retrieving Jeff Vedder's Directory Access Permissions

2. Is Jeff Vedder able to modify his own mobile phone number, pager number, and title in his directory entry? No

Task 4 Retrieving Sam Carter's Directory Access Permissions

2. Is Sam Carter able to modify his own mobile phone number, pager number, and title in his directory entry? Yes
Task 5 Examining Current ACIs to Find the Cause of Problems

1. View all the ACIs under dc=example,dc=com using the ldapsearch utility:

   # ldapsearch -p 1389 -b dc=example,dc=com "aci=*" aci

   In your own words, interpret what each ACI specifies. Do not spend too much time on this task. Ask your instructor for help if you encounter problems. The first ACI is completed for you as an example.

   Under dc=example,dc=com:

   a. ACI 1 (Anonymous access)

      Anyone (without authenticating) can read, search, or compare any entry attributes under dc=example,dc=com, except for the userPassword, passwordHistory, passwordExpirationTime, passwordExpWarned, passwordRetryCount, retryCountResetTime, accountUnlockTime, and passwordAllowChangeTime attributes.

   b. ACI 2 (Directory Administrators Group)

      Users who are members of the Directory Administrators group can do anything to any entry attributes under dc=example,dc=com.

   c. ACI 3 (Deny self entry modification for nsroledn and aci)

      Users cannot change their own aci or nsRoleDN attributes. (This is the rule that you modified earlier.)

   Under ou=People,dc=example,dc=com:

   d. ACI 1 (Allow self entry modification)

      All persons authenticating as themselves can modify their own userPassword, telephoneNumber, or facsimileTelephoneNumber attributes under ou=People,dc=example,dc=com.

   e. ACI 2 (Accounting Managers Group Permissions)

      Any member of the Accounting Managers group can write to any attributes except cn, sn, or uid, for any entry under ou=People,dc=example,dc=com that contains an ou=Accounting attribute (essentially, for any person who works in Accounting).
   f. ACI 3 (HR Group Permissions)

      Any member of the HR Managers group can write to any attributes except cn, sn, or uid, for any entry under ou=People,dc=example,dc=com that contains an ou=Human Resources attribute (essentially, for any person who works in Human Resources).

   g. ACI 4 (QA Group Permissions)

      Any member of the QA Managers group can write to any attributes except cn, sn, or uid, for any entry under ou=People,dc=example,dc=com that contains an ou=Product Testing attribute (essentially, for any person who works in Product Testing).

   h. ACI 5 (Engineering Group Permissions)

      Any member of the PD Managers group can write to any attributes except cn, sn, or uid, for any entry under ou=People,dc=example,dc=com that contains an ou=Product Development attribute (essentially, for any person who works in Product Development).
Lab 5: Enforcing Password Policies

Objectives

After completing this lab, you should be able to enforce Directory Server EE password and account lockout policies.
Exercise: Enforcing Directory Server EE Password and Account Lockout Policies

In this exercise, you configure and test a complete password policy and the account activation tools. You practice configuring Directory Server EE to enforce password and lockout policies.

Use the values in Table 5-1 in this exercise. Ask your instructor for any additional values that have not been provided.

Table 5-1 Required Values

User ID     Password
jwallace    linear
hmiller     hillock
ahel        sarsaparilla

Perform the following tasks:

Task 1 Restarting Zones and Servers

Task 2 Configuring Password Settings and Account Lockout

Task 3 Testing the Global Password Policy

Task 4 Assigning a Password Policy to a User

Task 5 Activating and Deactivating an Account
Preparation

Prerequisite Labs

The following labs are prerequisites for performing this lab:

Introducing Oracle Directory Server EE 11gR1

Searching and Modifying Directory Content

Using Directory Server EE Log Files

Securing Directory Server EE Access

The task to prepare your lab system depends on whether you performed the prerequisite labs, and whether you have performed other labs in addition to the prerequisite labs.

Assessing the State of Your Lab System

Using Table A-2 on page A-7 in Working With the Solaris Sandbox, assess the state of your lab system, then take any additional actions described in the table.

Task 1 Restarting Zones and Servers

If your lab system was not in the Ready to Go, Powered Up state, you need to bring up zones and start servers.

Perform the following steps if your lab system was not in the Ready to Go, Powered Up state:

1. Start and log in to the zone01 zone. For explicit instructions for starting and logging in to zones, refer to Zone Management Commands in the Solaris Sandbox on page A-3.
2. Start the following servers:

   The CACAO server. Refer to Starting the Common Agent Container (CACAO) on page A-4.

   The DSCC registry directory server instance. Refer to Starting the DSCC Registry Directory Server Instance on page A-4.

   The Tomcat Web container that hosts the DSCC Web application. Refer to Starting the Tomcat Web Container That Hosts the DSCC Web Application on page A-4.

   The dsm1 directory server instance. Refer to Starting the dsm1 Directory Server Instance on page A-4.

You perform the rest of this lab in the zone01 zone.

Task 2 Configuring Password Settings and Account Lockout

In this task, you configure password and account lockout settings for a global password policy.

The password requirements are:

Passwords expire after 30 days.

Users receive warnings seven days before their passwords expire.

Directory Server EE maintains a list of five passwords for each user to avoid reuse.

Passwords cannot be trivial words, such as any value stored in the uid, cn, sn, givenName, ou, or mail attribute of the user's entry.

Passwords must contain one number, one uppercase letter, one lowercase letter, and one special character.

Passwords must not be trivial words contained in a dictionary file.

The minimum password length is 10 characters.

The account lockout requirements are:

Users are allowed three failed attempts within any 10-minute period to supply the correct password.

After the third failure, they are locked out of authenticating to the directory until the lockout duration expires or an administrator resets their password.
Complete the following steps in the zone01 zone:

1. Log in to DSCC. The Common Tasks page appears.

2. Select Manage Registered Directory Servers.

3. Select the zone01:1389 server. The zone01:1389 page appears.

4. Select the Entry Management tab.

5. Select the Password Policies subtab.

6. Select Global Password Policy.

7. Specify Password Change options:

   a. Verify that the Password Reset: Require Password Change at First Login and After Reset check box is deselected. If the check box is selected, deselect it.

   b. Verify that the User-Changeable: Allow Users to Change Their Passwords check box is checked. If the check box is not checked, select it.

   c. Specify Change Frequency options: Select the Change Frequency: Set Limit on How Frequently Password can be Changed check box. Set the Minimum Number of Days Between Changes field to 10 days.

   d. Specify Password Reuse options: Select the Password Reuse: Prevent Users from Reusing Passwords check box. Set the Number of Passwords to Remember field to 5 passwords.

8. Specify Password Expiration options:

   a. Select the Password Expiration: Set Age Limit on Passwords check box.

   b. Set the age limit on passwords to 30 days.

   c. Set the number of days in the Expiration Warning: Days Before Password Expires field to 7 days.

9. Specify Password Content options:

   a. For Password Syntax Checking, select Always Check.

   b. Set the Minimum Password Length field to 10 characters.
   c. Specify Password Strong Check options: Select the Enable Password Strong Check check box. Confirm that options are set that require passwords to contain at least one lowercase, one uppercase, one numerical, and one special character. Confirm that passwords based on words in the dictionary are forbidden.

10. Specify Account Lockout options:

   a. Select the Account Lockout: Enable Account Lockout check box.

   b. Verify that the Failures Before Lockout field is set to 3 failures. If the Failures Before Lockout field is not set to 3 failures, set the field to the value 3.

   c. Verify that the Failure Count Reset: Minutes After Last Failed Login field is set to 10 minutes. If it is not set to 10 minutes, set the field to the value 10.

   d. Verify that the Set Limit on Lockout Duration check box is checked. If the check box is not checked, select it.

   e. Verify that the Lockout Duration field is set to 60 minutes. If the Lockout Duration field is not set to 60 minutes, set the field to the value 60.

   f. Click OK to save the updated password and account lockout policies. A dialog box warning you that a directory server restart is required appears.

   g. Click OK.

   h. In a terminal window, restart the directory server instance so that the Password Strong Check feature of the Global Password Policy takes effect:

      # dsadm restart /local/dsm1
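The content rules you just configured, reimplemented as an added Python example so that you can see which rule a candidate password trips before submitting it with ldapmodify. This is not the Directory Server EE syntax-check or Password Strong Check plug-in; it reproduces only the rules the lab states (minimum length, the four character classes, no value of the user's uid, cn, sn, givenName, ou or mail, no dictionary word). Two details are assumptions: the trivial-word test treats a password that contains an attribute value as trivial, and the dictionary test is a case-insensitive substring match against words of four or more letters (the lab's rejection of t0ughP@ssword for containing "word" is consistent with that). The sample dictionary and the jwallace entry are constructed for the example and stand in for the real dictionary file and directory entry.

```python
"""Model of the password content rules configured in Task 2.

Added teaching example, not Directory Server EE code. The messages reuse the
server's wording only where the lab shows it.
"""
import string

# Constructed stand-in for /opt/dsee7/resources/plugins/words-english-big.txt.
SAMPLE_DICTIONARY = frozenset({"password", "word", "tough", "linear", "wallace", "example"})

# Attributes whose values a password may not be based on (from the lab's requirements).
TRIVIAL_ATTRIBUTES = ("uid", "cn", "sn", "givenName", "ou", "mail")

# Constructed sample entry; the real lab entry for jwallace may differ.
JWALLACE = {
    "uid": ["jwallace"], "cn": ["John Wallace"], "sn": ["Wallace"],
    "givenName": ["John"], "ou": ["People"], "mail": ["jwallace@example.com"],
}


def check_password(candidate, entry, min_length=10, dictionary=SAMPLE_DICTIONARY):
    """Return the list of rules the candidate violates; an empty list means it passes."""
    problems = []
    if len(candidate) < min_length:
        problems.append("Password too short")
    if not any(c.islower() for c in candidate):
        problems.append("invalid password syntax: no lowercase character")
    if not any(c.isupper() for c in candidate):
        problems.append("invalid password syntax: no uppercase character")
    if not any(c.isdigit() for c in candidate):
        problems.append("invalid password syntax: no digit character")
    if not any(c in string.punctuation for c in candidate):
        problems.append("invalid password syntax: no special character")

    lowered = candidate.lower()
    # Trivial words: any value of the listed attributes appearing in the password (assumed rule).
    for attr in TRIVIAL_ATTRIBUTES:
        for value in entry.get(attr, ()):
            if value and value.lower() in lowered:
                problems.append("invalid password syntax: trivial word (%s)" % attr)
                break
    # Dictionary words: substring match on words of four or more letters (assumed rule).
    for word in dictionary:
        if len(word) >= 4 and word in lowered:
            problems.append("invalid password syntax: dictionary word match")
            break
    return problems


if __name__ == "__main__":
    for pw in ("abc", "jwallace@example.com", "t0ughP@ssword", "t0ughP@ssw0rd"):
        print("%-22s -> %s" % (pw, check_password(pw, JWALLACE) or ["ok"]))
```

Running the four Task 3 candidates through the function reproduces the sequence of rejections the next task walks through; the per-user policy of Task 4 is just the same checker with a larger min_length.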

Task 3 Testing the Global Password Policy


In this task, you test the global password policy that you set up in the previous
tasks. When you have completed testing, you reset the password length setting to
its original value of 6 to avoid problems in subsequent labs.

Complete the following steps in the zone01 zone:

1. Create the file /tmp/jwallace.ldif with the following instructions:

   dn: uid=jwallace,ou=People,dc=example,dc=com
   changetype: modify
   replace: userpassword
   userpassword: abc

   Save and close the file.

2. Run the ldapmodify utility as jwallace to change the password:

   # ldapmodify -p 1389 -D uid=jwallace,ou=People,\
   dc=example,dc=com -w linear -f /tmp/jwallace.ldif

   Note Make sure to type this command on a single line.

   You should expect a response message, such as the following message:

   modifying entry uid=jwallace,ou=People,dc=example,
   dc=com
   ldap_modify: Constraint violation
   ldap_modify: additional info: invalid password syntax:
   no uppercase character

   Note The initial password for user jwallace has fewer than 10 characters. The directory does not enforce new policies on existing passwords until a password change occurs, so a user's existing weak password continues to work for binding until it is changed.

3. Modify the /tmp/jwallace.ldif file, changing the password to the string jwallace@example.com. Run the ldapmodify utility again. Was this successful? Why or why not?

   __________________________________________________________
4. Attempt to change the password to a string that is at least 10 characters in length and includes one number, one uppercase letter, one lowercase letter, and one special character: t0ughP@ssword.

   Note Make sure that the second character in the string t0ughP@ssword is the number 0 and not the capital letter O.

   You should expect a response message, such as the following message:

   modifying entry uid=jwallace,ou=People,dc=example,
   dc=com
   ldap_modify: Constraint violation
   ldap_modify: additional info: invalid password syntax:
   dictionary word match

5. Your attempt to change the password to t0ughP@ssword failed because it contains the dictionary word "word"; the strong check rejects a password that contains a dictionary word even when the surrounding characters satisfy the character-class rules. Confirm that word is in the dictionary file:

   # cd /opt/dsee7/resources/plugins
   # grep word words-english-big.txt

6. Modify the /tmp/jwallace.ldif file and change the password to the string t0ughP@ssw0rd.

   Note Make sure that the second and tenth characters in the string t0ughP@ssw0rd are the number "0" and not the capital letter "O."

7. Run the ldapmodify utility as jwallace. The command should run without any errors.

8. Log in with multiple incorrect passwords and observe the results:

   a. Run the ldapmodify utility as jwallace but use badpassword as the password. A message appears indicating that you tried to log in with invalid credentials.

   b. Try running ldapmodify with the wrong password twice more. At the third incorrect login, the following message appears:

      ldap_simple_bind: Constraint violation
      ldap_simple_bind: additional info: Exceed password
      retry limit. Account locked.

      Directory Server EE has locked out the jwallace account for 60 minutes or until the password or the passwordRetryCount attribute is reset. While the account is locked, even the correct password is refused.
9. View the value of the passwordRetryCount attribute. You must bind as a user with the permissions to do this; the anonymous-access ACI you reviewed in the previous lab excludes passwordRetryCount and the other password policy state attributes:

   # ldapsearch -p 1389 -D "cn=Directory Manager" \
   -w sunlearning -s sub -b ou=People,dc=example,dc=com \
   "uid=jwallace" passwordretrycount

   What was the value of the passwordretrycount attribute? _____

   Note Supplying the bind password with -w on the command line, as the lab does for convenience, exposes it to other users of the system through the process list and shell history; outside the classroom, read it from a protected file instead.

10. Bind as the Directory Manager and reset jwallace's password:

   a. Change jwallace's password in the /tmp/jwallace.ldif file to a nontrivial value that is at least 10 characters in length: n3wP@ssw0rd.

   b. Run the ldapmodify utility, authenticating as cn=Directory Manager:

      # ldapmodify -p 1389 -D "cn=Directory Manager" \
      -w sunlearning -f /tmp/jwallace.ldif

11. Use the ldapsearch utility to view the value of the passwordRetryCount attribute. You must bind as a user with the permissions to do this. What was the value of the passwordretrycount attribute? ______

12. To verify that the account is no longer locked, run the ldapsearch utility, authenticating as jwallace with password n3wP@ssw0rd:

   # ldapsearch -p 1389 -D uid=jwallace,ou=People,\
   dc=example,dc=com -w n3wP@ssw0rd -s sub -b \
   ou=People,dc=example,dc=com "uid=jwallace" \
   telephonenumber

13. Reset the value of the Minimum Password Length field in the Global Password Policy to 6 and turn off the Strong Password Check. For detailed instructions on configuring the Global Password Policy using DSCC, refer to Task 2 Configuring Password Settings and Account Lockout.

14. Log out of DSCC.
15. Restart the directory server instance so that the canceling of the Password Strong Check feature of the Global Password Policy takes effect:

   # dsadm restart /local/dsm1

   Note A directory server restart is required for the change to the Strong Password Check plug-in to take effect. A restart is not needed for the change to the minimum password length to take effect.
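The lockout behaviour you observed in steps 8 to 12, as an added Python model. This is not Directory Server EE code: it models the three values configured in Task 2 (3 failures before lockout, a 10-minute failure-count reset window, a 60-minute lockout duration) and the three state attributes the anonymous-access ACI hides (passwordRetryCount, retryCountResetTime, accountUnlockTime). The order in which the server applies these checks internally is not stated on the page; the transitions below are the ones the lab's observations require (a lock on the third failure, a retry count of 3 while locked, 0 after an administrative password reset). Times are minutes as plain numbers, and the lockout message is abbreviated from the one the lab shows.

```python
"""Model of the account-lockout state the lab inspects through passwordRetryCount.

Added teaching example, not Directory Server EE code.
"""

FAILURES_BEFORE_LOCKOUT = 3
RESET_WINDOW_MINUTES = 10
LOCKOUT_MINUTES = 60

LOCKED_MSG = "Constraint violation: Exceed password retry limit. Account locked."


class AccountState:
    """One user entry's password plus the three lockout state attributes."""

    def __init__(self, password):
        self.password = password
        self.passwordRetryCount = 0
        self.retryCountResetTime = None   # minute at which the count is forgotten
        self.accountUnlockTime = None     # minute at which a lockout ends

    def is_locked(self, now):
        return self.accountUnlockTime is not None and now < self.accountUnlockTime

    def bind(self, supplied, now):
        """Simulate a simple bind at minute `now` and return the server's verdict."""
        if self.is_locked(now):
            return LOCKED_MSG                    # even the right password is refused
        if self.accountUnlockTime is not None:
            self.accountUnlockTime = None        # the lock expired on its own
            self.passwordRetryCount = 0
        if self.retryCountResetTime is not None and now >= self.retryCountResetTime:
            self.passwordRetryCount = 0          # earlier failures fell out of the window
        if supplied == self.password:
            self.passwordRetryCount = 0
            self.retryCountResetTime = None
            return "success"
        self.passwordRetryCount += 1
        self.retryCountResetTime = now + RESET_WINDOW_MINUTES
        if self.passwordRetryCount >= FAILURES_BEFORE_LOCKOUT:
            self.accountUnlockTime = now + LOCKOUT_MINUTES
            return LOCKED_MSG
        return "Invalid credentials"

    def admin_reset_password(self, new_password):
        """A reset by Directory Manager replaces the password and clears the lock."""
        self.password = new_password
        self.passwordRetryCount = 0
        self.retryCountResetTime = None
        self.accountUnlockTime = None


def replay_lab_task3():
    """Steps 8 to 12 of Task 3: three bad binds, inspect the count, admin reset, good bind."""
    acct = AccountState("t0ughP@ssw0rd")
    verdicts = [acct.bind("badpassword", now=t) for t in (0, 1, 2)]
    count_when_locked = acct.passwordRetryCount
    while_locked = acct.bind("t0ughP@ssw0rd", now=3)     # right password, still refused
    acct.admin_reset_password("n3wP@ssw0rd")
    return {
        "verdicts": verdicts,
        "count_when_locked": count_when_locked,
        "correct_password_while_locked": while_locked,
        "count_after_reset": acct.passwordRetryCount,
        "bind_after_reset": acct.bind("n3wP@ssw0rd", now=4),
    }


def count_after_spaced_failures():
    """Three failures more than 10 minutes apart never accumulate to a lockout."""
    acct = AccountState("t0ughP@ssw0rd")
    for t in (0, 11, 22):
        acct.bind("wrong", now=t)
    return acct.passwordRetryCount, acct.is_locked(23)


def bind_around_lock_expiry():
    """Without an administrator, the lock set at minute 2 lasts until minute 62."""
    acct = AccountState("t0ughP@ssw0rd")
    for t in (0, 1, 2):
        acct.bind("wrong", now=t)
    return acct.bind("t0ughP@ssw0rd", now=61), acct.bind("t0ughP@ssw0rd", now=62)
```

The two extra scenarios show the operational trade-off behind the reset window and lockout duration: a slow guesser who spaces attempts more than 10 minutes apart is never locked, and a locked user who waits 60 minutes gets back in without any administrator involvement, which is why both values should be chosen deliberately rather than left at defaults.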

Task 4 Assigning a Password Policy to a User


In this task, you assign a password policy to a single user. That password policy
differs from the global password policy that you created in previous tasks in this
exercise. At the end of the task, the user hmiller, a directory administrator, has
a stricter password policy than other users.
Complete the following steps in the zone01 zone:
1. Open the /opt/ses/shared/lab/strictPasswordPolicy.ldif file
with a text editor and review the file. Verify that for the password policy
entry defined in this file, the minimum allowable length for a password is
15 characters.
2. Add the password policy entry to the directory:
# ldapadd -p 1389 -a -D "cn=Directory Manager" \
-w sunlearning \
-f /opt/ses/shared/lab/strictPasswordPolicy.ldif
3. Restart the directory server instance:
# dsadm restart /local/dsm1
4. Log in to DSCC.
The Common Tasks page appears.
5. Select Manage Registered Directory Servers.
6. Select the zone01:1389 server.
The zone01:1389 page appears.
7. Select the Entry Management tab.
8. Select the Password Policies subtab.
9. Assign the strict password policy to the user hmiller:
a. Select the check box for Strict Password Policy.
b. Click Assign Policy.
The Browse Data dialog box appears.
c. In the Browse Data dialog box, double-click the ou=people branch.
d. Select the uid=hmiller entry.
e. Click OK.
f. Click Close.
10. Attempt to change the password to a new password with six characters, a
valid length according to the global password policy:
a. Create the /tmp/hmiller.ldif file as follows:
dn: uid=hmiller,ou=People,dc=example,dc=com
changetype: modify
replace: userpassword
userpassword: psswrd
b. In a terminal window, run the ldapmodify utility, authenticating as
user hmiller:
# ldapmodify -p 1389 -D uid=hmiller,ou=People,\
dc=example,dc=com -w hillock -f /tmp/hmiller.ldif
A response similar to the following appears:
modifying entry uid=hmiller,ou=People,
dc=example,dc=com
ldap_modify: Constraint violation
ldap_modify: additional info: Password too short
The constraint violation demonstrates that the strict password policy is
in effect for user hmiller.
11. Modify the LDIF file and change the password to fifteencharacters.
Rerun the ldapmodify utility, authenticating as user hmiller.
The password change should be successful.
12. Log out of DSCC.

Task 5: Activating and Deactivating an Account

In this task, you test account activation and deactivation.
Andrew Hel is about to leave for a three-month vacation. You do not want to
delete his directory entry. However, you do not want anyone authenticating to his
account while he is away. Therefore, you have decided to deactivate his account.
Complete the following steps in the zone01 zone:
1. In a terminal window, run the dsutil utility with the
account-inactivate option to deactivate Andrew Hel's account:
# dsutil account-inactivate -p 1389 \
-D "cn=Directory Manager" -w /opt/dsee7/pwd \
uid=ahel,ou=People,dc=example,dc=com
The following message appears in the terminal window:
"uid=ahel,ou=people,dc=example,dc=com" has been
inactivated.
2. Test account deactivation by running the ldapsearch utility,
authenticating as the user ahel, with the password sarsaparilla.
You should not be able to authenticate; you should get a message similar to
the following indicating that the ahel account is inactivated:
ldap_simple_bind: DSA is unwilling to perform
ldap_simple_bind: additional info: Account inactivated.
Contact system administrator.
3. Display account activation status from the command line as follows:
# dsutil account-status -p 1389 \
-D "cn=Directory Manager" -w /opt/dsee7/pwd \
uid=ahel,ou=People,dc=example,dc=com
A message should appear indicating that the ahel account is inactive.
4. To reactivate ahel's account, run the dsutil utility with the
account-activate option:
# dsutil account-activate -p 1389 \
-D "cn=Directory Manager" -w /opt/dsee7/pwd \
uid=ahel,ou=People,dc=example,dc=com
The following message appears in the terminal window:
"uid=ahel,ou=people,dc=example,dc=com" has been
activated.
5. Test account reactivation by running the ldapsearch utility, authenticating
as the user ahel with the password sarsaparilla, to confirm that you
can once again authenticate as ahel:
# ldapsearch -p 1389 -D uid=ahel,ou=People,\
dc=example,dc=com -w sarsaparilla -s sub -b \
ou=People,dc=example,dc=com "uid=ahel" telephonenumber

Exercise Summary

Discussion: Take a few minutes to discuss what experiences, issues, or
discoveries you had during the lab exercise.

Experiences

Interpretations

Conclusions

Applications


Exercise Solutions
The following section provides solutions to questions in the lab.
Compare your answers to Steps 3, 9, and 11 in Task 3.

Task 3: Testing the Global Password Policy
3. Modify the /tmp/jwallace.ldif file, changing the password to the
string jwallace@example.com. Run the ldapmodify utility again. Was
this successful? Why or why not?
It was not successful because jwallace@example.com did not have any
uppercase or numeric characters.
9. View the value of the passwordretrycount attribute. You must bind as a
user with the permissions to do this:
# ldapsearch -p 1389 -D "cn=Directory Manager" \
-w sunlearning -s sub -b ou=People,dc=example,dc=com \
"uid=jwallace" passwordretrycount
What was the value of the passwordretrycount attribute? 3
11. Use the ldapsearch utility to view the value of the
passwordretrycount attribute. You must bind as a user with the
permissions to do this.
What was the value of the passwordretrycount attribute? 0

Lab 6

Using Certificates With Directory Server EE

Objectives
After completing this lab, you should be able to:

View and manage SSL settings and certificates

Use the ldapsearch utility over SSL

Use the dsconf utility over SSL

Exercise 1: Viewing and Managing SSL Settings and Certificates
In this exercise, you view and manage SSL settings and certificates.
Use the values in Table 6-1 in this exercise. Ask your instructor for any additional
values that are not provided.
Table 6-1: Required Values

Information                      Value
Trust (key) database password    sunlearning

Perform the following tasks:

Task 1: Restarting Zones and Servers

Task 2: Viewing and Managing SSL Settings and Certificates

Preparation
Prerequisite Labs
The following labs are prerequisites for performing this lab:

Introducing Oracle Directory Server EE 11gR1

Searching and Modifying Directory Content

Using Directory Server EE Log Files

Securing Directory Server EE Access

Enforcing Password Policies

The task to prepare your lab system depends on whether you performed the
prerequisite labs, and whether you have performed other labs, in addition to the
prerequisite labs.

Assessing the State of Your Lab System
Using Table A-2 on page A-7 in "Working With the Solaris Sandbox," assess the
state of your lab system, then take any additional actions described in the table.

Task 1: Restarting Zones and Servers

If your lab system was not in the Ready to Go, Powered Up state, you need to
bring up zones and start servers.
Perform the following steps if your lab system was not in the Ready to Go,
Powered Up state:
1. Start and log in to the zone01 zone.
For explicit instructions for starting and logging in to zones, refer to "Zone
Management Commands in the Solaris Sandbox" on page A-3.
2. Start the following servers:
The CACAO server: refer to "Starting the Common Agent
Container (CACAO)" on page A-4.
The DSCC registry directory server instance: refer to "Starting the
DSCC Registry Directory Server Instance" on page A-4.
The Tomcat Web container that hosts the DSCC Web application:
refer to "Starting the Tomcat Web Container That Hosts the DSCC
Web Application" on page A-4.
The dsm1 directory server instance: refer to "Starting the dsm1
Directory Server Instance" on page A-4.
You perform the rest of this lab in the zone01 zone.

Task 2: Viewing and Managing SSL Settings and Certificates
In this task, you view the SSL settings.
In some steps, you use different methods to obtain the same information so that
you have a better understanding of the Directory Server EE tool set.
Complete the following steps in the zone01 zone:
1. Use the command line to view the directory server instance's SSL settings
and certificates:
a. Determine whether SSL is enabled using the dsconf utility:
# dsconf get-server-prop -p 1389 \
-w /opt/dsee7/pwd ssl-enabled
The output should be ssl-enabled: on.
b. The dsconf utility, used in the previous step, queries the directory's
cn=config tree to obtain the property value.
Query the cn=config tree directly, using the ldapsearch utility:
# ldapsearch -p 1389 -D "cn=Directory Manager" \
-w sunlearning -s base -b cn=config \
"objectclass=*" nsslapd-security
The following should appear in the ldapsearch output: nsslapd-security: on.
c. The cn=config tree that you queried in steps a and b is built from
the dse.ldif file.
Determine whether SSL is configured as on or off directly from the
dse.ldif file:
# grep nsslapd-security /local/dsm1/config/dse.ldif
The output should be nsslapd-security: on.
d. List all Directory Server EE SSL-related property names and
descriptions:
# dsconf help-properties | grep -i ssl

e. View the values of some of the SSL-related properties that you viewed
in step d. You can view more than one setting at a time.
Use the following command to view properties:
# dsconf get-server-prop -p 1389 \
-w /opt/dsee7/pwd ldap-secure-port \
ssl-rsa-cert-name ssl-rsa-security-device
The following output appears:
ldap-secure-port         : 1636
ssl-rsa-cert-name        : defaultCert
ssl-rsa-security-device  : Internal (Software)
2. Use the dsadm utility to view and renew the directory server instance's
certificates:
a. Familiarize yourself with the options for viewing and managing
certificates with the dsadm utility:
# dsadm --help | grep -i cert
b. List the directory server instance's certificate(s):
# dsadm list-certs /local/dsm1
c. Record the expiration date and time: ________________________
d. View the directory server instance's default certificate:
# dsadm show-cert /local/dsm1 defaultCert
e. Stop the directory server instance so that you can renew its default
certificate:
# dsadm stop /local/dsm1
f. Renew the directory server instance's default certificate:
# dsadm renew-selfsign-cert /local/dsm1 defaultCert
The following warning appears:
Caution: you are going to change the certificate
used by the instance.
Note: An expired certificate is still usable to create an SSL connection. It is the
client's decision to accept or reject an expired certificate.
g. Start the directory server instance:
# dsadm start /local/dsm1

h. Determine the new expiration date and compare it to the previous
expiration date and time that you recorded in step c:
# dsadm list-certs /local/dsm1

3. Use DSCC to view the directory server instance's SSL settings and
certificate information:
a. Log in to DSCC.
The Common Tasks page appears.
b. Select Manage Registered Directory Servers.
c. Select the zone01:1389 server.
The zone01:1389 page appears.
d. Select the Security tab.
Note: A message similar to the following might appear in DSCC:
An error occurred searching the certificates for the
server. An authentication error occurred connecting to
zone01. Check that the User ID and password are correct.
Click to provide the required information. Click here to
update authentication.
If this message appears, click the link and enter root as the user ID and
cangetin as the password.
e. View the settings on the General subtab.
f. Select the Certificates subtab.
g. Record the default certificate's certificate name and expiration date
and time.
________________________________________________________
h. Compare the value in the Issued By column to the value in the Issued
To column.
i. Select the CA Certificates subtab.
j. Navigate to the last page of the Certificate Authority list.
The certificate that you noted in step g appears as the last entry in the
CA certificate list.
k. Select the Server Configuration tab.

l. Locate the LDAP Secure Port field.
The value of the LDAP Secure Port field should be the same as the
value you noted when you ran the dsconf utility in step 1e.
4. Log out of DSCC.

Exercise 2: Using the ldapsearch Utility Over SSL


In this exercise, you use the ldapsearch utility over SSL.
Perform the following task:

Task: Using the ldapsearch Utility Over SSL

Preparation
There is no special preparation for this exercise.

Task: Using the ldapsearch Utility Over SSL


In this task, you use the ldapsearch utility to search a directory over an SSL
connection.
Complete the following steps in the zone01 zone:
1. Search the directory over an SSL connection with the ldapsearch utility:
# ldapsearch -p 1636 -Z -P \
/local/dsm1/alias/slapd-cert8.db \
-b dc=example,dc=com "uid=scarter"

2. View the access log to confirm that your search was over a secure
connection:
# tail -20 /local/dsm1/logs/access
The following is an example of the access log output:
[28/Sep/2009:13:17:57 -0700] conn=41 op=-1 msgId=-1 fd=22 slot=22 LDAPS connection from 127.0.0.1:33241 to 127.0.0.1
[28/Sep/2009:13:17:57 -0700] conn=41 op=-1 msgId=-1 SSL 128-bit RC4
[28/Sep/2009:13:17:57 -0700] conn=41 op=0 msgId=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=scarter)" attrs=ALL
[28/Sep/2009:13:17:57 -0700] conn=41 op=0 msgId=1 RESULT err=0 tag=101 nentries=1 etime=0
[28/Sep/2009:13:17:57 -0700] conn=41 op=1 msgId=2 UNBIND
[28/Sep/2009:13:17:57 -0700] conn=41 op=1 msgId=-1 closing from 127.0.0.1:33241 - U1 - Connection closed by unbind client
[28/Sep/2009:13:17:59 -0700] conn=41 op=-1 msgId=-1 closed.
Note the presence of the entries with the text LDAPS connection from
127.0.0.1:33241 to 127.0.0.1 and SSL 128-bit RC4. These two
entries indicate that the connection to the directory server instance made
when the ldapsearch utility was executed was made over SSL.

Exercise 3: Using the dsconf Utility Over SSL


In this exercise, you use the dsconf utility over SSL.
Perform the following task:

Task: Using the dsconf Utility Over SSL

Preparation
There is no special preparation for this exercise.

Task: Using the dsconf Utility Over SSL


In this task, you use the dsconf utility to securely manage directory server
instances over SSL. By default, the dsconf utility uses an SSL connection if
available, so there is no extra configuration for you to perform.
In this task, you use two terminal windows, both running in the zone01 zone:
The original terminal window, in which you run commands
A second terminal window (or terminal tab page), in which you observe
changes in the access log
Complete the following steps in the zone01 zone:
1. Open a second terminal window or terminal tab page.
You use the second terminal window or terminal tab page to view the access
log.
2. In the second terminal window or terminal tab page, log in to the zone01
zone:
# zlogin zone01
3. In the second terminal window or terminal tab page, open the access log for
the zone01:1389 (dsm1) instance:
# tail -f /local/dsm1/logs/access
4. Execute the dsconf utility in the original terminal window, specifying port
1389:
# dsconf get-server-prop -p 1389 \
-w /opt/dsee7/pwd ssl-enabled
Accept the certificate when prompted to do so.
5. Wait for entries pertaining to the dsconf utility execution to appear in the
access log in the second terminal window or terminal tab page.
6. After access log entries pertaining to the dsconf utility execution have
appeared in the second terminal window or terminal tab page, review the
entries. You should see that an LDAP connection was made. Within that
connection, the LDAP extension (the StartTLS extended operation) is
represented by the object identifier (OID) number 1.3.6.1.4.1.1466.20037
in an access log entry similar to the following:
[28/Sep/2009:13:45:00 -0700] conn=46 op=0 msgId=1 - EXT
oid="1.3.6.1.4.1.1466.20037"
This LDAP extension represents a request to initiate a secure connection, if
possible. Because SSL is enabled on the directory server instance, a secure
connection is established; note the presence of a log entry with the text
SSL 128-bit RC4. The entire LDAP conversation between the dsconf
utility and the directory server instance is encrypted over this connection,
including the bind and search operations.
7. Execute the ldapsearch utility in the original terminal window, specifying
port 1389:
# ldapsearch -p 1389 -D "cn=Directory Manager" \
-w sunlearning -s base -b cn=config "objectclass=*" \
nsslapd-security
8. Wait for entries pertaining to the ldapsearch utility execution to appear in
the access log in the second terminal window or terminal tab page.
9. After access log entries pertaining to the ldapsearch utility execution
have appeared in the second terminal window or terminal tab page, review
the entries.
You should not see evidence that a secure connection was made, nor should
you see an access log file entry with the OID number
1.3.6.1.4.1.1466.20037. Because no secure connection was established, the
simple bind in step 7 sent the Directory Manager credentials to port 1389
unencrypted.

10. Execute the dsconf utility in the original terminal window, specifying port
1636 (note the uppercase -P):
# dsconf get-server-prop -P 1636 \
-w /opt/dsee7/pwd ssl-enabled
11. Wait for entries pertaining to the dsconf utility execution to appear in the
access log in the second terminal window or terminal tab page.
12. After access log entries pertaining to the dsconf utility execution have
appeared in the second terminal window or terminal tab page, review the
entries. You should see that a secure connection was made.
13. Execute the ldapsearch utility in the original terminal window, specifying
port 1636:
# ldapsearch -p 1636 -D "cn=Directory Manager" \
-w sunlearning -s base -b cn=config \
-Z -P /local/dsm1/alias/slapd-cert8.db \
"objectclass=*" nsslapd-security
14. Wait for entries pertaining to the ldapsearch utility execution to appear in
the access log in the second terminal window or terminal tab page.
15. After access log entries pertaining to the ldapsearch utility execution
have appeared in the second terminal window or terminal tab page, review
the entries. You should see that a secure connection was made.
16. Close the second terminal window or terminal tab page.
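The manual log review in steps 6, 9, 12 and 15 of this task (and in Exercise 2, step 2) can be turned into a repeatable audit. The following Python script is an added example and not part of the course materials: it parses access-log entries of the form shown in this lab, classifies each connection as LDAPS, LDAP upgraded with StartTLS (the EXT oid="1.3.6.1.4.1.1466.20037" entry followed by an SSL entry) or cleartext LDAP, and lists simple binds that were sent before encryption was negotiated, which is what happened in step 7. The sample log is constructed from the format shown above; the layout of the BIND and RESULT entries is assumed rather than copied from a live server.

```python
"""Classify DSEE access-log connections by transport security (added example).

Records whether each connection was LDAPS, LDAP upgraded with StartTLS, or
cleartext LDAP, and lists simple binds sent before encryption was negotiated.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# OID of the StartTLS extended operation, as logged in the EXT entry.
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"

# Prefix shared by every per-connection access-log entry.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>-?\d+) op=(?P<op>-?\d+) '
    r'msgId=(?P<msg>-?\d+) (?P<rest>.*)$'
)
EXT_RE = re.compile(r'\bEXT oid="(?P<oid>[^"]+)"')
SSL_RE = re.compile(r'^(?:- )?SSL (?P<cipher>.+)$')
BIND_RE = re.compile(r'\bBIND dn="(?P<dn>[^"]*)"')


@dataclass
class ConnState:
    conn_id: int
    transport: str = "LDAP"           # "LDAPS" when accepted on the secure port
    starttls_requested: bool = False  # EXT oid=1.3.6.1.4.1.1466.20037 seen
    cipher: Optional[str] = None      # from the "SSL <cipher>" entry (RC4 here; see RFC 7465)
    binds: List[Tuple[str, bool]] = field(default_factory=list)  # (dn, encrypted?)

    @property
    def encrypted(self) -> bool:
        # The server logs the SSL entry only after the handshake has completed.
        return self.cipher is not None

    def classify(self) -> str:
        if self.transport == "LDAPS":
            return "LDAPS"
        if self.starttls_requested and self.encrypted:
            return "LDAP+StartTLS"
        return "LDAP cleartext"


def parse_access_log(lines) -> Dict[int, ConnState]:
    """Walk the log in order; order decides whether a BIND was already encrypted."""
    conns: Dict[int, ConnState] = {}
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue                  # not a per-connection entry
        cid, rest = int(m.group("conn")), m.group("rest")
        st = conns.setdefault(cid, ConnState(cid))
        if "LDAPS connection from" in rest:
            st.transport = "LDAPS"
        ext = EXT_RE.search(rest)
        if ext and ext.group("oid") == STARTTLS_OID:
            st.starttls_requested = True
        ssl = SSL_RE.match(rest)
        if ssl:
            st.cipher = ssl.group("cipher")
        bind = BIND_RE.search(rest)
        if bind:
            st.binds.append((bind.group("dn"), st.encrypted))
    return conns


def cleartext_binds(conns: Dict[int, ConnState]) -> List[Tuple[int, str]]:
    """Non-anonymous simple binds whose password crossed the wire unencrypted."""
    return [(cid, dn) for cid, st in sorted(conns.items())
            for dn, encrypted in st.binds if dn and not encrypted]


# Constructed sample: conn=41 is the LDAPS ldapsearch, conn=46 the dsconf
# StartTLS session, conn=47 the ldapsearch bind on port 1389 (BIND/RESULT
# entry layout assumed, not copied from a live server).
SAMPLE_LOG = """\
[28/Sep/2009:13:17:57 -0700] conn=41 op=-1 msgId=-1 fd=22 slot=22 LDAPS connection from 127.0.0.1:33241 to 127.0.0.1
[28/Sep/2009:13:17:57 -0700] conn=41 op=-1 msgId=-1 SSL 128-bit RC4
[28/Sep/2009:13:17:57 -0700] conn=41 op=0 msgId=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=scarter)" attrs=ALL
[28/Sep/2009:13:17:57 -0700] conn=41 op=1 msgId=2 UNBIND
[28/Sep/2009:13:45:00 -0700] conn=46 op=-1 msgId=-1 fd=23 slot=23 LDAP connection from 127.0.0.1:33260 to 127.0.0.1
[28/Sep/2009:13:45:00 -0700] conn=46 op=0 msgId=1 - EXT oid="1.3.6.1.4.1.1466.20037"
[28/Sep/2009:13:45:00 -0700] conn=46 op=0 msgId=1 RESULT err=0 tag=120 nentries=0 etime=0
[28/Sep/2009:13:45:00 -0700] conn=46 op=-1 msgId=-1 SSL 128-bit RC4
[28/Sep/2009:13:45:00 -0700] conn=46 op=1 msgId=2 BIND dn="cn=Directory Manager" method=128 version=3
[28/Sep/2009:13:45:00 -0700] conn=46 op=2 msgId=3 SRCH base="cn=config" scope=0 filter="(objectclass=*)" attrs="nsslapd-security"
[28/Sep/2009:13:46:10 -0700] conn=47 op=-1 msgId=-1 fd=24 slot=24 LDAP connection from 127.0.0.1:33270 to 127.0.0.1
[28/Sep/2009:13:46:10 -0700] conn=47 op=0 msgId=1 BIND dn="cn=Directory Manager" method=128 version=3
[28/Sep/2009:13:46:10 -0700] conn=47 op=1 msgId=2 SRCH base="cn=config" scope=0 filter="(objectclass=*)" attrs="nsslapd-security"
[28/Sep/2009:13:46:10 -0700] conn=47 op=2 msgId=3 UNBIND
"""

if __name__ == "__main__":
    result = parse_access_log(SAMPLE_LOG.splitlines())
    for cid, st in sorted(result.items()):
        print(f"conn={cid}: {st.classify()}" + (f" ({st.cipher})" if st.cipher else ""))
    for cid, dn in cleartext_binds(result):
        print(f"WARNING conn={cid}: simple bind as {dn} on a cleartext connection")
```

Run it against a real file with `parse_access_log(open("/local/dsm1/logs/access"))` to get the same classification for every connection in the log.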

Exercise Summary
Discussion: Take a few minutes to discuss what experiences, issues, or
discoveries you had during the lab exercise.

Experiences

Interpretations

Conclusions

Applications

Lab 7

Backing Up and Restoring Directory Data

Objectives
After completing this lab, you should be able to back up and restore directory
data.

Exercise: Backing Up and Restoring Directory Data


The purpose of this exercise is to give you practice using the Directory Server EE
command-line utilities to back up, restore, export, and import directory data.
After each backup you take in this lab, you change some directory data. Then you
perform a restore. To verify that the restore worked correctly, you observe that the
changes you made have been overwritten during the restore.
Perform the following tasks:

Task 1: Restarting Zones and Servers
Task 2: Backing Up and Restoring Directory Data From the Command
Line
Task 3: Exporting and Importing a Suffix From the Command Line
Task 4: Creating a New Database and Importing LDIF Data

Preparation
Prerequisite Labs
The following labs are prerequisites for performing this lab:

Introducing Oracle Directory Server EE 11gR1

Searching and Modifying Directory Content

Using Directory Server EE Log Files

Securing Directory Server EE Access

Enforcing Password Policies

Using Certificates With Directory Server EE

The task to prepare your lab system depends on whether you performed the
prerequisite labs, and whether you have performed other labs, in addition to the
prerequisite labs.

Assessing the State of Your Lab System
Using Table A-2 on page A-7 in "Working With the Solaris Sandbox," assess the
state of your lab system, then take any additional actions described in the table.

Task 1: Restarting Zones and Servers

If your lab system was not in the Ready to Go, Powered Up state, you need to
bring up zones and start servers.
Perform the following steps if your lab system was not in the Ready to Go,
Powered Up state:
1. Start and log in to the zone01 zone.
For explicit instructions for starting and logging in to zones, refer to "Zone
Management Commands in the Solaris Sandbox" on page A-3.
2. Start the following servers:
The CACAO server: refer to "Starting the Common Agent
Container (CACAO)" on page A-4.
The DSCC registry directory server instance: refer to "Starting the
DSCC Registry Directory Server Instance" on page A-4.
The Tomcat Web container that hosts the DSCC Web application:
refer to "Starting the Tomcat Web Container That Hosts the DSCC
Web Application" on page A-4.
The dsm1 directory server instance: refer to "Starting the dsm1
Directory Server Instance" on page A-4.
You perform the rest of this lab in the zone01 zone.

Task 2: Backing Up and Restoring Directory Data From the Command Line
In this task, you back up directory data, change database content, restore directory
data, and confirm that content was restored.
Complete the following steps in the zone01 zone:
1. Run the following command in a terminal window:
# date +%m_%d_%y_%H_%M_%S
Record the output of the date command on the following line:
_____________________________________________________________
The output from the date command is used in several places in this lab.
Several commands that you run include the variable date_and_time.
When you see example commands with the date_and_time variable,
replace this variable with the output from the date command.
2. Back up the dsm1 directory data:
# dsconf backup -p 1389 -w /opt/dsee7/pwd \
/local/dsm1/bak/date_and_time
Replace the date_and_time variable in the example command with the
value of the date command from step 1.
3. Change some directory data:
a. Create the /tmp/awhitedel.ldif file with the following contents:
dn: uid=awhite,ou=People,dc=example,dc=com
changetype: delete
b. Use the ldapmodify utility to remove Alan White's directory entry:
# ldapmodify -p 1389 -D "cn=Directory Manager" \
-w sunlearning -f /tmp/awhitedel.ldif
c. Create the /tmp/alutzchg.ldif file with the following contents:
dn: uid=alutz,ou=People,dc=example,dc=com
changetype: modify
replace: facsimileTelephoneNumber
facsimileTelephoneNumber: +1 212 543 7890
d. Use the ldapmodify utility to change Alexander Lutz's fax number
in the directory:
# ldapmodify -p 1389 -D "cn=Directory Manager" \
-w sunlearning -f /tmp/alutzchg.ldif

e.

Confirm your changes using the ldapsearch utility. You should not
be able to find Alan Whites directory entry, and Alexander Lutzs
directory entry should contain the new value for the
facsimileTelephoneNumber attribute:
# ldapsearch -p 1389 -b dc=example,dc=com \
"(|(uid=awhite)(uid=alutz))"\
facsimileTelephoneNumber

4.

Review the backup directorys contents:


# cd /local/dsm1
# ls -l bak
You should see a directory with a name based on the output of the date
command from step 1.

5.

Restore the dsm1 directory data using the dsconf utility:


# dsconf restore -p 1389 -w /opt/dsee7/pwd \
/local/dsm1/bak/date_and_time
Replace the date_and_time variable in the example command with the
value of the date command from step 1.
The following output appears in the terminal window:
Restoring "/local/dsm1/bak/name_of_backup_directory" on
"localhost:1389" will erase all existing data of the
Directory Server.
Do you want to continue [y/n] ?
Type y in response to the prompt.
Progress messages appear in the terminal window until the data has been
restored. The Task completed (slapd exit code: 0) message
indicates completion of the dsconf utility execution.

6. Verify that the modifications to the directory that you made in step 3 have been overwritten as a result of restoring the Directory Server EE database:
# ldapsearch -p 1389 -b dc=example,dc=com \
"(|(uid=awhite)(uid=alutz))" facsimileTelephoneNumber
Output from the ldapsearch utility shows that Alan White's user entry has been restored to the People branch, and Alexander Lutz's fax number has been restored to its original value.
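The round trip in this task (back up, modify, restore, verify) can be scripted so that the verification in step 6 is a check rather than a visual comparison. The following script is an added example and is not part of the Oracle lab. It assumes the dsm1 instance on port 1389, the dsconf password file /opt/dsee7/pwd, that the DSEE ldapsearch and ldapmodify clients accept -j FILE for the bind password (which keeps the password out of the command line and out of ps output, unlike the -w sunlearning form used in the steps above), that backup directories are named with the same date format as the lab output shows, and that dsconf -i (--no-inter) suppresses the y/n confirmation so the restore can run unattended. The sample LDIF used to exercise the checks is constructed.

```shell
#!/bin/sh
# Added example, not part of the Oracle lab: a scripted backup / modify /
# restore round trip for the dsm1 instance with a check that the restore
# really reversed the modification.
# Assumptions: dsm1 listens on 1389; dsconf reads its password from
# /opt/dsee7/pwd; the DSEE ldap* clients accept -j FILE for the bind
# password; backup directory names use the lab's date format; dsconf -i
# suppresses the y/n prompt.

PORT=1389
BASE="dc=example,dc=com"
PWFILE=/opt/dsee7/pwd
BAKROOT=/local/dsm1/bak
DM="cn=Directory Manager"

# Print one attribute of the entry whose RDN is uid=UID from LDIF on stdin.
# Usage: entry_attr UID ATTR < ldif   (base64 "dn::" lines are not decoded)
entry_attr() {
    awk -v uid="$1" -v attr="$2" '
        /^dn: / { inentry = (tolower($0) ~ ("^dn: uid=" tolower(uid) ",")) }
        /^$/    { inentry = 0 }
        inentry && tolower($1) == (tolower(attr) ":") {
            sub(/^[^:]*: */, ""); print; exit }'
}

# Does the LDIF text in $2 contain an entry with RDN uid=$1?
has_entry() { printf '%s\n' "$2" | grep -qi "^dn: uid=$1,"; }

# Check that LDIF text ($1) shows the pre-backup state: awhite's entry is
# present and alutz's fax number equals the original value ($2).
check_restored() {
    fax=$(printf '%s\n' "$1" | entry_attr alutz facsimileTelephoneNumber)
    has_entry awhite "$1" && [ "$fax" = "$2" ]
}

# The same ldapsearch the lab uses in steps 3e and 6, with a password file.
current_state() {
    ldapsearch -p "$PORT" -D "$DM" -j "$PWFILE" -b "$BASE" \
        "(|(uid=awhite)(uid=alutz))" facsimileTelephoneNumber
}

# Back up to a date-named directory and print the directory name.
take_backup() {
    name=$(date +%m_%d_%y_%H_%M_%S)
    dsconf backup -p "$PORT" -w "$PWFILE" "$BAKROOT/$name" && printf '%s\n' "$name"
}

round_trip() {
    before=$(current_state)
    orig_fax=$(printf '%s\n' "$before" | entry_attr alutz facsimileTelephoneNumber)
    name=$(take_backup) || { echo "backup failed" >&2; return 1; }
    # Apply the fax change from the lab's /tmp/alutzchg.ldif.
    ldapmodify -p "$PORT" -D "$DM" -j "$PWFILE" -f /tmp/alutzchg.ldif
    if check_restored "$(current_state)" "$orig_fax"; then
        echo "modification not applied; nothing to verify" >&2; return 1
    fi
    dsconf restore -i -p "$PORT" -w "$PWFILE" "$BAKROOT/$name"
    if check_restored "$(current_state)" "$orig_fax"; then
        echo "restore from $name verified"
    else
        echo "restore from $name did NOT return the directory to its backed-up state" >&2
        return 1
    fi
}

# Runs the round trip only when invoked as: sh backup_roundtrip.sh run
case "${1:-}" in run) round_trip ;; esac
```

The checks are deliberately pure shell (awk and grep over ldapsearch output), so they can be tried on saved output without a server; only round_trip talks to the instance.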


Task 3 - Exporting and Importing a Suffix From the Command Line
A directory comprises one or more suffixes. You can back up and restore all the suffixes in a directory using the following backup and restore utilities:
- The dsconf backup utility
- The dsconf restore utility
- The dsadm backup utility
- The dsadm restore utility
To back up or restore a single suffix, you must use different syntax.
In this task, you export and import the dsm1 directory's dc=example,dc=com suffix to practice using the single suffix export and import command syntax.
Complete the following steps in the zone01 zone:
1. Export the dc=example,dc=com suffix to an LDIF file:
# dsconf export -Q -p 1389 -w /opt/dsee7/pwd \
dc=example,dc=com \
/local/dsm1/ldif/date_and_time_example.ldif
Replace the date_and_time variable in the example command with the value of the date command from the previous task.
Output similar to the following appears in the terminal window:
## Beginning export of 'example'
## example: Processed 167 entries (100%).
## Export finished.
Task completed (slapd exit code: 0).
You now have an LDIF file with the dc=example,dc=com suffix's contents.

2. Change some directory data.
Make the same changes that you made in Task 2 - Backing Up and Restoring Directory Data From the Command Line, step 3 on page L7-4.


3. Use the dsconf import utility to import the LDIF file you created in step 1 into the directory:
# dsconf import -p 1389 -w /opt/dsee7/pwd \
/local/dsm1/ldif/date_and_time_example.ldif \
dc=example,dc=com
Replace the date_and_time variable in the example command with the value of the date command from the previous task.
The following prompt appears in the terminal window:
New data will override existing data of the suffix
"dc=example,dc=com" Initialization will have to be
performed on replicated suffixes. Do you want to
continue [y/n] ?
Type y in response to the prompt.
Output similar to the following appears in the terminal window:
## Index buffering enabled with bucket size 40
## Beginning import job...
## Processing file "/local/dsm1/ldif/05_12_09_08_37_37_example.ldif"
## Finished scanning file "/local/dsm1/ldif/05_12_09_08_37_37_example.ldif" (170 entries)
## Workers finished; cleaning up...
## Workers cleaned up.
## Cleaning up producer thread...
## Indexing complete.
## Starting numsubordinates attribute generation. This may take a while, please wait for further activity reports.
## Numsubordinates attribute generation complete.
Flushing caches...
## Closing files...
## Import complete. Processed 167 entries in 4 seconds. (42.50 entries/sec)
Task completed (slapd exit code: 0).

4. Verify that the changed data has been overwritten as a result of importing the LDIF file, by running the same verification test that you ran in Task 2 - Backing Up and Restoring Directory Data From the Command Line, step 6 on page L7-5.


Task 4 - Creating a New Database and Importing LDIF Data
Directory Server EE supports multiple databases per directory instance. At this point in these labs, you have a single database named example.
In this task, using data from the ou=People,dc=example,dc=com branch, you move data to a new database named People. You create the new database and populate it by using the LDIF file that you created in Task 3 - Exporting and Importing a Suffix From the Command Line.
Complete the following steps in the zone01 zone:
1. View the database directory for the dsm1 directory server instance:
# ls /local/dsm1/db
# ls /local/dsm1/db/example

2. Use the ldapsubtdel utility to delete the People branch point:
# ldapsubtdel -v -r -D "cn=Directory Manager" \
-w sunlearning -p 1389 -b ou=People,dc=example,dc=com
Processing subtree ou=people,dc=example,dc=com
Deleting entry uid=alutz, ou=People, dc=example,dc=com
Deleting entry uid=btalbo2, ou=People, dc=example,dc=com
...
Deleting entry uid=jdbrown,ou=People,dc=example,dc=com
Deleting entry ou=people,dc=example,dc=com
Successfully deleted subtree ou=people,dc=example,dc=com

3. Confirm that the People branch point has been removed by using the ldapsearch utility:
# ldapsearch -D "cn=Directory Manager" -w sunlearning \
-p 1389 -b ou=People,dc=example,dc=com "objectclass=*"
The ldap_search: No such object message appears.

4. Create a new subsuffix named ou=People,dc=example,dc=com:
# dsconf create-suffix -p 1389 -w /opt/dsee7/pwd \
-N ou=People,dc=example,dc=com


5. View the database directory for the dsm1 directory server instance again:
# ls /local/dsm1/db
# ls /local/dsm1/db/People
The contents of the /local/dsm1/db directory have changed since you ran the dsconf create-suffix utility.

6. View the configuration data that you created with the dsconf create-suffix utility:
# ldapsearch -D "cn=Directory Manager" -w sunlearning \
-p 1389 -b "cn=mapping tree,cn=config" \
"nsslapd-backend=*"
version: 1
dn: cn=dc=example\,dc=com,cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
nsslapd-backend: example
nsslapd-state: backend
cn: dc=example,dc=com

dn: cn=ou=People\,dc=example\,dc=com,cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
nsslapd-backend: People
nsslapd-parent-suffix: dc=example,dc=com
nsslapd-state: backend
cn: ou=People,dc=example,dc=com
You should see that you created a definition for the subsuffix ou=People,dc=example,dc=com. The associated back-end database for this subsuffix is the People database.

7. Create additional indexes for the ou=People,dc=example,dc=com subsuffix:
a. When you create a new database, a set of default index definitions is created for that database. List the set of attributes that are indexed by default for the People database:
# dsconf list-indexes -p 1389 -w /opt/dsee7/pwd \
ou=People,dc=example,dc=com
b. Add a new index definition for the exampleTShirtSize attribute:
# dsconf create-index -p 1389 -w /opt/dsee7/pwd \
ou=People,dc=example,dc=com exampleTShirtSize


c. Confirm that the exampleTShirtSize attribute is configured as an indexed attribute:
# dsconf list-indexes -p 1389 -w /opt/dsee7/pwd \
ou=People,dc=example,dc=com
d. Confirm that only equality and presence index definitions are created for the exampleTShirtSize attribute:
# dsconf get-index-prop -p 1389 -w /opt/dsee7/pwd \
ou=People,dc=example,dc=com exampleTShirtSize
The eq-enabled and pres-enabled properties should have the value on. Other indexes should have the value off.
You have now created the index definition for the exampleTShirtSize attribute. When you create a new index definition, you must then reindex the directory data so that the index databases on the file system are updated. However, because the People database is currently empty, there is no point in reindexing the directory data now. When you import data into the People database, indexes are automatically updated.


8. Import the LDIF file that you created in Task 3 - Exporting and Importing a Suffix From the Command Line, step 1 into the People database using the dsconf import utility:
# dsconf import -p 1389 -w /opt/dsee7/pwd \
/local/dsm1/ldif/date_and_time_example.ldif \
ou=People,dc=example,dc=com
Replace the date_and_time variable in the example command with the value of the date command from the previous task.
The following output appears in the terminal window:
New data will override existing data of the suffix
"dc=example,dc=com"
Initialization will have to be performed on replicated
suffixes.
Do you want to continue [y/n] ?
Type y in response to the prompt.
Output similar to the following appears in the terminal window:
## Index buffering enabled with bucket size 40
## Beginning import job...
## Starting to process and index entries
## Processing file "/local/dsm1/ldif/09_28_09_17_21_15_example.ldif"
## Finished scanning file "/local/dsm1/ldif/09_28_09_17_21_15_example.ldif" (167 entries)
## Workers finished; cleaning up...
## Workers cleaned up.
## Cleaning up producer thread...
## Indexing complete.
## Starting numsubordinates attribute generation. This may take a while, please wait for further activity reports.
## Numsubordinates attribute generation complete.
Flushing caches...
## Closing files...
## Import complete. Processed 167 entries (14 entries were skipped because they don't belong to this database) in 4 seconds. (41.50 entries/sec)
Task completed (slapd exit code: 0).
The skipped entries are those whose DN is not under ou=People,dc=example,dc=com, such as the dc=example,dc=com entry itself; they were not deleted in step 2 and remain in the example database.
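The import in step 3 of Task 3 replaces a whole suffix from an export, while the import in step 8 above accepts only the entries under ou=People,dc=example,dc=com and reports the rest as skipped. The following script, an added example and not part of the Oracle lab, applies the same DN test to an export file before you import it: it predicts the accepted and skipped counts for a given suffix and can extract the accepted subtree into its own LDIF file, so the import into a new subsuffix is done from a file that contains only the entries that belong there. It assumes a plain-text LDIF export (one dn: line per entry, entries separated by blank lines; base64-encoded dn:: lines are not decoded) and uses a constructed sample in place of the lab's date_and_time_example.ldif.

```shell
#!/bin/sh
# Added example, not part of the Oracle lab: predict which entries of an
# exported LDIF file an import into a given suffix will accept and which it
# will skip ("don't belong to this database"), and extract the accepted
# subtree into its own file. Uses only awk/sed/tr, so it can run before
# dsconf import. Assumptions: one "dn:" line per entry, entries separated
# by blank lines; base64 "dn::" lines are not decoded.

# Normalise a DN for comparison: lower case, no blanks after commas.
norm_dn() { printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/, */,/g'; }

# Print "<accepted> <skipped>" for importing FILE ($1) into SUFFIX ($2).
ldif_suffix_counts() {
    awk -v suf="$(norm_dn "$2")" '
        /^dn:/ {
            dn = tolower($0); sub(/^dn: */, "", dn); gsub(/, */, ",", dn)
            if (dn == suf || substr(dn, length(dn) - length(suf)) == ("," suf))
                inside++
            else
                skipped++
        }
        END { printf "%d %d\n", inside + 0, skipped + 0 }' "$1"
}

# Copy only the entries at or below SUFFIX ($2) from FILE ($1) to OUT ($3),
# keeping a leading "version:" line so the result is still valid LDIF.
ldif_extract_subtree() {
    awk -v suf="$(norm_dn "$2")" '
        /^version:/ { print; next }
        /^dn:/ {
            dn = tolower($0); sub(/^dn: */, "", dn); gsub(/, */, ",", dn)
            keep = (dn == suf || substr(dn, length(dn) - length(suf)) == ("," suf))
        }
        /^$/ { if (keep) print; keep = 0; next }
        keep { print }' "$1" > "$3"
}

# Constructed sample export (a cut-down stand-in for date_and_time_example.ldif).
write_sample_ldif() {
    cat > "$1" <<'EOF'
version: 1

dn: dc=example,dc=com
objectClass: domain
dc: example

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Groups, dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

dn: uid=alutz,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: alutz
facsimileTelephoneNumber: +1 408 555 1212

dn: uid=awhite, ou=People, dc=example,dc=com
objectClass: inetOrgPerson
uid: awhite

dn: cn=admins,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: uid=alutz,ou=People,dc=example,dc=com
EOF
}

# Usage: sh ldif_subtree.sh FILE SUFFIX [OUT]
if [ $# -ge 2 ]; then
    ldif_suffix_counts "$1" "$2"
    [ $# -ge 3 ] && ldif_extract_subtree "$1" "$2" "$3"
fi
```

Run it as sh ldif_subtree.sh /local/dsm1/ldif/date_and_time_example.ldif ou=People,dc=example,dc=com to see the accepted and skipped counts before importing; adding an output path writes the subtree file. DN comparison normalises case and the optional blank after a comma, which is why entries written as uid=awhite, ou=People, dc=example,dc=com still count as belonging to the People subsuffix.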


9. Verify that the directory entries have been imported into the ou=People,dc=example,dc=com suffix:
# ldapsearch -D "cn=Directory Manager" -w sunlearning \
-p 1389 -b ou=People,dc=example,dc=com \
"objectclass=*"
10. (Optional) Use DSCC to confirm the creation of the ou=People,dc=example,dc=com subsuffix.
Log out of DSCC when you have finished performing this step.


Exercise Summary
Discussion - Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.
- Experiences
- Interpretations
- Conclusions
- Applications


Lab 8

Replicating Directory Server EE Data

Objectives
After completing this lab, you should be able to:
- Set up three-way multimaster replication
- Monitor replication using DSCC and Directory Server EE utilities

Overview
In this lab, you use both DSCC and command-line tools to set up a replication topology consisting of three master servers. You also use various monitoring tools to monitor replication.
In addition, you can choose to perform optional exercises at the end of the lab in which you do the following:
- Create a replica hub and a consumer replica
- Promote the hub and the consumer replica to create a five-way multimaster replication topology
Table 8-1 describes actions taken during each exercise in this lab.
Table 8-1  Exercise Overview

Exercise 1: Setting Up Three-Way Multimaster Replication

Task 1 - Restarting Zones and Servers
  Restart servers: If required, restart servers in the zone01 zone.

Task 2 - Preparing the Existing Directory Server Instance for Replication
  Prepare master 1 for replication: Enable replication and set the replica type in DSCC for the dsm1 instance.
  Prepare suffix data: Export LDIF initialization files for each suffix.

Task 3 - Setting Up Multimaster Replication With Command-line Tools
  Create a second master instance: Create the dsm2 instance with a People database.
  Prepare for multimaster replication: Enable replication and set the replica type for the dsm2 instance.
  Replicate from the first master to the second master: Create a replication agreement for each database on the dsm1 instance, and initialize the dsm2 instance.
  Replicate from the second master to the first master: Create a replication agreement for each database on the dsm2 instance, but do not initialize the dsm1 instance.
  Register the second master in DSCC: Register the dsm2 instance in DSCC.
  Test multimaster replication: Change user data on the dsm1 instance, and verify that the same change is made to the entry on the dsm2 instance.

Task 4 - Setting Up Multimaster Replication With DSCC
  Create a third master instance: Create the dsm3 instance in DSCC with a People database. Enable replication to and from all instances. Initialize data while creating the suffixes.
  Test multimaster replication: Change user data on the dsm2 instance, and verify that the same change is made to the entry on the dsm1 and dsm3 instances.

Exercise 2: Monitoring Replication Using DSCC and Directory Server EE Utilities

Task 1 - Using DSCC to Monitor Replication Agreements
  Monitor replication: Monitor replication using DSCC.

Task 2 - Using the repldisc Utility to Discover a Replication Topology
  Discover a replication topology: Discover a replication topology using the repldisc utility.

Task 3 - Using the insync Utility to Examine Synchronization State
  Examine synchronization state: Use the insync utility to examine synchronization state between replicas.

Task 4 - Using the dsconf Utility to Show Replication Agreement Status
  Examine replication agreement status: Use the dsconf utility to show replication agreement status.

Task 5 - Pausing and Restarting Replication
  Pause and restart replication: Pause and restart replication from the dsm1 instance to the dsm2 and dsm3 instances.

Task 6 - Using the entrycmp Utility to Compare Directory Entries
  Compare directory entries: Use the entrycmp utility to compare directory entries on several replicas.


Exercise 1: Setting Up Three-Way Multimaster Replication
In this exercise, you use both DSCC and command-line tools to set up a replication scenario that includes three master servers.
Use the values in Table 8-2 in this exercise. Ask your instructor for any additional values that have not been provided.

Table 8-2  Required Values
Information                                              Value
First directory server master instance and port number   dsm1:1389
Second directory server master instance and port number  dsm2:2389
Third directory server master instance and port number   dsm3:3389

Perform the following tasks:
- Task 1 - Restarting Zones and Servers
- Task 2 - Preparing the Existing Directory Server Instance for Replication
- Task 3 - Setting Up Multimaster Replication With Command-line Tools
- Task 4 - Setting Up Multimaster Replication With DSCC


Preparation
Prerequisite Labs
The following labs are prerequisites for performing this lab:
- Introducing Oracle Directory Server EE 11gR1
- Searching and Modifying Directory Content
- Using Directory Server EE Log Files
- Securing Directory Server EE Access
- Enforcing Password Policies
- Using Certificates With Directory Server EE
- Backing Up and Restoring Directory Data
The task to prepare your lab system depends on whether you performed the prerequisite labs, and whether you have performed other labs, in addition to the prerequisite labs.

Assessing the State of Your Lab System
Using Table A-2 on page A-7 in Working With the Solaris Sandbox, assess the state of your lab system, then take any additional actions described in the table.

Task 1 - Restarting Zones and Servers
If your lab system was not in the Ready to Go, Powered Up state, you need to bring up zones and start servers.
Perform the following steps if your lab system was not in the Ready to Go, Powered Up state:
1. Start and log in to the zone01 zone.
For explicit instructions for starting and logging in to zones, refer to Zone Management Commands in the Solaris Sandbox on page A-3.


2. Start the following servers:
- The CACAO server: refer to Starting the Common Agent Container (CACAO) on page A-4.
- The DSCC registry directory server instance: refer to Starting the DSCC Registry Directory Server Instance on page A-4.
- The Tomcat Web container that hosts the DSCC Web application: refer to Starting the Tomcat Web Container That Hosts the DSCC Web Application on page A-4.
- The dsm1 directory server instance: refer to Starting the dsm1 Directory Server Instance on page A-4.
You perform the rest of this lab in the zone01 zone.

Task 2 - Preparing the Existing Directory Server Instance for Replication
In this task, you set up and enable replication on the dsm1 directory server instance. The dsm1 instance is the directory server instance with which you have been working in prior labs.
You set up the dsm1 instance as a master replica in the replication topology that you build out in this lab.
You also export LDIF data files from each suffix that you use to initialize the suffixes of new directory server instances that you create subsequently in this lab.
Complete the following steps in the zone01 zone:
1. Log in to DSCC.
The Common Tasks page appears.
2. Select Manage Registered Directory Servers.
3. Select the zone01:1389 server.
The zone01:1389 page appears.
4. Enable multimaster replication for the dc=example,dc=com suffix and the ou=People,dc=example,dc=com subsuffix on the dsm1 instance:
a. Select the Suffixes tab.
b. Select the check boxes for both the dc=example,dc=com suffix and the ou=People,dc=example,dc=com subsuffix.

c. Select Enable Replication from the More Suffix Actions drop-down menu.
The Enable Replication dialog box appears.
d. Select Master as the Replication Role if it is not preselected.
e. Click OK.
The Enabling Replication dialog box appears.
f. Click Close after the Operation Completed Successfully message appears.
5. Export an LDIF file that you can use to initialize the dc=example,dc=com suffix on replica servers:
a. In the Suffixes page, select the dc=example,dc=com suffix check box.
b. Select Export Data to LDIF from the More Suffix Actions drop-down menu.
The Export to LDIF dialog box appears.
c. Type /local/dsm1/ldif/example_init.ldif in the Path on Server zone01 field.
d. Select the Export Replication Data check box if it is not already checked.
e. Click OK.
The Exporting to LDIF Progress dialog box appears.
f. Click Close after the Operation Completed Successfully message appears.
6. Export an LDIF file that you can use to initialize the ou=People,dc=example,dc=com suffix on replica servers:
a. In the Suffixes page, select the ou=People,dc=example,dc=com suffix check box.
b. Select Export Data to LDIF from the More Suffix Actions drop-down menu.
The Export to LDIF dialog box appears.
c. Type /local/dsm1/ldif/people_init.ldif in the Path on Server zone01 field.
d. Select the Export Replication Data check box if it is not already checked.
e. Click OK.
The Exporting to LDIF Progress dialog box appears.
f. Click Close after the Operation Completed Successfully message appears.

Task 3 - Setting Up Multimaster Replication With Command-line Tools
In this task, you create another new directory server instance, the dsm2 instance, and configure it as a master using command-line tools.
Complete the following steps in the zone01 zone:
1. Use the dsadm utility to create a new directory server instance named dsm2 running on ports 2389 and 2636:
# dsadm create -p 2389 -P 2636 /local/dsm2
When you are prompted to enter and confirm the Directory Manager password, type sunlearning.
2. Start the dsm2 instance:
# dsadm start /local/dsm2
3. Create the dc=example,dc=com suffix on the dsm2 instance:
# dsconf create-suffix -p 2389 -w /opt/dsee7/pwd \
dc=example,dc=com
The following prompt appears in the terminal window:
Certificate "CN=zone01, CN=2636, CN=Directory Server,
O=Sun Microsystems" presented by the server is not
trusted.
Type "Y" to accept, "y" to accept just once, n to
refuse, "d" for more details:
Type Y and press Return.
Uppercase Y stores the new instance's self-signed certificate as trusted for future dsconf connections. Outside a lab, type d first and compare the certificate details with the certificate you expect the server to present before trusting it permanently.
4. Create the ou=People,dc=example,dc=com subsuffix on the dsm2 instance:
# dsconf create-suffix -p 2389 -w /opt/dsee7/pwd \
-N ou=People,dc=example,dc=com

5. Use the dsconf utility to confirm that the suffixes were created on the dsm2 instance:
# dsconf list-suffixes -p 2389 -w /opt/dsee7/pwd
The following appears in the terminal window:
dc=example,dc=com
ou=People,dc=example,dc=com
6. Change to the dsm2 instance database directory and verify that directories named example and People have been created:
# cd /local/dsm2/db
# ls -l
Files in the example and People directories hold data for the dc=example,dc=com and ou=People,dc=example,dc=com suffixes.

7. Use the dsconf utility's help feature to see all replication subcommands:
# dsconf --help | grep repl
accord-repl-agmt       Ensures the authentication properties of the destination suffix are in accord with those of the replication agreement
change-repl-dest       Changes the remote replica pointed to by an existing replication agreement
create-repl-agmt       Creates replication agreement for existing suffix
create-repl-priority   Creates a prioritized replication rule on a master
delete-repl-agmt       Deletes replication agreement
delete-repl-priority   Deletes a prioritized replication rule
demote-repl            Demotes an existing replicated suffix
disable-repl           Abandons replication for replicated suffix
disable-repl-agmt      Disables replication with another directory
enable-repl            Enables replication by assigning a role to an existing suffix
enable-repl-agmt       Enables replication with another directory
get-repl-agmt-prop     Displays replication agreement property values
init-repl-dest         Launches total update of remote replica from local suffix
list-repl-agmts        Lists replication agreements
list-repl-priorities   Lists prioritized replication rules and displays their property values
promote-repl           Promotes an existing replicated suffix
set-repl-agmt-prop     Sets replication agreement property values
show-repl-agmt-status  Displays a comparison of a source and destination suffix configuration and the status of the replication agreement
update-repl-dest-now   Forces updates of remote replica from local suffix


8. Enable replication for the dc=example,dc=com suffix and the ou=People,dc=example,dc=com subsuffix on the dsm2 instance:
# dsconf enable-repl -p 2389 \
-w /opt/dsee7/pwd -d 102 master \
dc=example,dc=com ou=People,dc=example,dc=com
The -d option assigns the replica ID (102 here), which must be unique among the masters that replicate a suffix; the dsm1 instance already has its own ID from Task 2.
The following messages appear in the terminal window:
Use "dsconf create-repl-agmt" to create replication
agreements on "dc=example,dc=com".
Use "dsconf create-repl-agmt" to create replication
agreements on "ou=People,dc=example,dc=com".
The messages are a warning that even though you have enabled replication for the two suffixes on the dsm2 instance, you still need to create replication agreements between the dsm2 instance and other directory server instances.
9. Review the command syntax for creating a replication agreement:
# dsconf create-repl-agmt
The following output appears in the terminal window:
Operands are missing
Usage: dsconf create-repl-agmt [-A PROTOCOL] [-J]
SUFFIX_DN HOST:PORT [HOST:PORT...]
10. Create replication agreements from the dsm1 instance to the dsm2 instance:
a. Create a replication agreement for the dc=example,dc=com suffix:
# dsconf create-repl-agmt -p 1389 \
-w /opt/dsee7/pwd \
dc=example,dc=com zone01:2389


b. Create a replication agreement for the ou=People,dc=example,dc=com suffix:
# dsconf create-repl-agmt -p 1389 \
-w /opt/dsee7/pwd \
ou=People,dc=example,dc=com zone01:2389
After you create each replication agreement, a message similar to the following appears:
Use "dsconf init-repl-dest dc=example,dc=com
zone01:2389" to start replication of
"dc=example,dc=com" data.
Replication is enabled, and a replication agreement is in place, but you must still take action to activate replication from the dsm1 instance to the dsm2 instance:
11. Configure the replication authentication information for the replication agreements for both suffixes, so that the dsm2 instance (the destination) accepts the replication manager credentials that the agreements on the dsm1 instance use:
# dsconf accord-repl-agmt -p 1389 -w /opt/dsee7/pwd \
dc=example,dc=com zone01:2389
# dsconf accord-repl-agmt -p 1389 -w /opt/dsee7/pwd \
ou=People,dc=example,dc=com zone01:2389
12. The dc=example,dc=com suffix contains 14 entries. Use the dsconf init-repl-dest utility to initialize the dc=example,dc=com suffix on the dsm2 instance from the data in the dsm1 instance:
# dsconf init-repl-dest -p 1389 -w /opt/dsee7/pwd \
dc=example,dc=com zone01:2389


13. Initialize the ou=People,dc=example,dc=com suffix from the LDIF file


that you created in the previous task:
# dsconf import -p 2389 -w /opt/dsee7/pwd \
/local/dsm1/ldif/people_init.ldif \
ou=People,dc=example,dc=com
The following prompt appears in the terminal window:
New data will override existing data of the suffix
"ou=People,dc=example,dc=com" Initialization will have
to be performed on replicated suffixes. Do you want to
continue [y/n] ?
Type y and press Return.
After initialization, the data in both suffixes on both servers is the same, and
replication has started from the dsm1 instance to the dsm2 instance. In
subsequent steps, you configure the replication agreements from the dsm2
instance to the dsm1 instance to build a two-way multimaster topology.
Note The ou=People,dc=example,dc=com suffix is also very smallit
contains 154 entries. Using the dsconf init-repl-dest utility would have
been a fast, viable way to initialize this suffix. For larger deployments, you
should initialize with an LDIF file, as you did in this step.
14. Create a replication agreement for each database from the dsm2 instance to
the dsm1 instance:
# dsconf create-repl-agmt -p 2389 -w /opt/dsee7/pwd \
dc=example,dc=com zone01:1389
# dsconf create-repl-agmt -p 2389 -w /opt/dsee7/pwd \
ou=People,dc=example,dc=com zone01:1389
15. Configure the replication authentication information for the replication
agreements of both suffixes:
# dsconf accord-repl-agmt -p 2389 -w /opt/dsee7/pwd \
dc=example,dc=com zone01:1389
# dsconf accord-repl-agmt -p 2389 -w /opt/dsee7/pwd \
ou=People,dc=example,dc=com zone01:1389
Multimaster replication is now running in both directions between the dsm1
and dsm2 instances.
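Steps 14 and 15 create and accord one direction of one agreement at a time. A mesh of N masters needs N*(N-1) agreements per suffix, which is tedious and easy to leave half-finished by hand. The following shell script is an added example, not part of the Oracle lab guide: it generates the full mesh with the same two dsconf subcommands. It assumes the suffix is already enabled as a master replica on every server with the same replication manager entry, that dsconf's -h option selects the host (only -p is used on this page), and that the lab's password file /opt/dsee7/pwd exists on the host running the script.

```shell
#!/bin/sh
# Added example (not from the Oracle lab guide): build the full mesh of
# replication agreements for one suffix across N masters. Steps 14 and 15
# do this by hand for the dsm2 -> dsm1 direction; a mesh of N masters needs
# N*(N-1) agreements per suffix, one per ordered (source, destination) pair.
#
# Assumptions not shown on the page: every server already holds the suffix
# as a master replica with the same replication manager entry, dsconf's -h
# option selects the target host, and the lab's password file exists here.

PWFILE=${PWFILE:-/opt/dsee7/pwd}

# repl_mesh SUFFIX MASTER...   (MASTER is host:port)
# For every ordered pair (src, dst), src != dst: create the agreement on src
# toward dst, then push the replication manager credentials to it with
# accord-repl-agmt, exactly as steps 14 and 15 do for one pair. Stops at the
# first dsconf failure so a half-built mesh is noticed rather than hidden.
repl_mesh() {
  suffix=$1; shift
  for src; do
    src_host=${src%:*}
    src_port=${src##*:}
    for dst; do
      [ "$src" = "$dst" ] && continue
      dsconf create-repl-agmt -h "$src_host" -p "$src_port" -w "$PWFILE" \
        "$suffix" "$dst" || return 1
      dsconf accord-repl-agmt -h "$src_host" -p "$src_port" -w "$PWFILE" \
        "$suffix" "$dst" || return 1
    done
  done
}

# repl_mesh_count N : agreements a full mesh of N masters needs per suffix
repl_mesh_count() {
  echo $(( $1 * ($1 - 1) ))
}

# Usage for the lab's three masters and both suffixes (uncomment to run):
#   for s in dc=example,dc=com ou=People,dc=example,dc=com; do
#     repl_mesh "$s" zone01:1389 zone01:2389 zone01:3389 || exit 1
#   done
```

Run it once per suffix after every master has been enabled; with the three lab instances it issues six create-repl-agmt and six accord-repl-agmt calls per suffix. Because accord-repl-agmt writes the replication manager password to the destination, the password file should be readable only by the account that runs the script.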


16. DSCC does not yet recognize the dsm2 instance because the dsm2 instance
was created using command-line tools.
Register the dsm2 instance with DSCC so that you can administer the
instance using the Web application:
a. In DSCC, navigate to the Directory Servers tab.
b. Select the Servers subtab.
c. Select Register Existing Server from the More Server Actions drop-down
menu to start the Register Existing Directory Server Wizard.
The Step 1: Enter Host and Server Information dialog box appears.
d. Specify the following values in the Step 1: Enter Host and Server
Information dialog box:
Instance Path: /local/dsm2
DSCC Agent Port: Click Other, then type 21162
Description: Master 2 (dsm2)
e. Click Next.
f. If the Step 1.1: Provide Authentication Information for the Host dialog
box appears, specify the following values in it:
User ID: root
Password: cangetin
Click Next to submit the credentials.
The Step 2: Provide Authentication Information dialog box appears.
g. Enter sunlearning in the Administration DN password field.
h. Click Next.
The Step 3: Summary dialog box appears, with a warning that the
server instance will be restarted when you click Finish.
i. Click Finish.
Messages appear as the dsm2 instance is registered with DSCC and
restarted. When the operation is complete, the Operation Completed
Successfully message appears.
j. Click Close to terminate the Register Existing Directory Server Wizard.
k. Verify that the zone01:2389 entry appears in the registered directory
servers list.

Replicating Directory Server EE Data

17. By viewing the access logs you can determine whether updates are occurring,
and whether updates are being made directly by an LDAP client or by
replication.
Monitor the access logs for the dsm1 and dsm2 instances as follows:
a. Open two new terminal windows (or terminal tab pages). In one of the
terminal windows you monitor the access log for the dsm1 instance; in
the other window, you monitor the access log for the dsm2 instance.
b. Use the Terminal / Set Title menu option to set titles on the new
terminal windows. Use the titles dsm1 and dsm2 for the window titles.
c. Log into the zone01 zone in each new terminal window:
# zlogin zone01
d. Run the tail command in each terminal to view changes to the
access log.
Run the following command to monitor the dsm1 instance in the dsm1
terminal window:
# tail -f /local/dsm1/logs/access
Run the following command to monitor the dsm2 instance in the dsm2
terminal window:
# tail -f /local/dsm2/logs/access

18. Verify that multimaster replication works correctly by performing the
following steps in DSCC:
a. Select the Common Tasks tab.
b. Select Search Directory Data.
The Choose Directory Server dialog box appears.
c. Select zone01:1389 as the value of the Server field.
d. Click OK.
The zone01:1389 - Search Data page appears. The search filter is
preset to the values Full Name (cn) and Contains.
e. Type Andy Walker in the search filter, in the blank field to the right
of the Contains field.
f. Click Search.
The Search Results page appears, with a single entry for Andy Walker.
g. Select awalker.
The zone01:1389 - awalker - Entry Overview page appears.


h. Change the value in the Telephone Number field to +1 408 555 1234.
i. Click OK.
j. View the output of the tail command in the dsm1 terminal window.
You should see log entries that indicate the modification of the
awalker entry. You might have to scroll up to see these log entries.
k. View the output of the tail command in the dsm2 terminal window.
You should see log entries that indicate the modification of the
awalker entry.
Note the connection number associated with this modification. The
connection number is denoted by the string conn=.
________________________________________________________
l. Scroll up the dsm2 terminal window and locate the bind operation
under the connection number noted in the previous step.
For example, if the connection number were 10, you would search for
the line starting with the following text:
[ TIMESTAMP ] conn=10 op=0 msgId=1 - BIND dn=.
The bind DN in this log file entry should be the following DN:
cn=replication manager,cn=replication,cn=config
A connection bound as cn=replication manager,cn=replication,cn=config
is one that a supplier opened to push replication updates, so a
modification logged on that connection arrived by replication rather
than from an LDAP client. Conversely, a modification whose connection
was bound as any other DN (or not bound at all) was made directly by a
client, and the client address on the connection's LDAP connection from
line tells you where it came from.


m. Use DSCC to verify that Andy Walker's phone number was changed
on the dsm2 instance.
Locate Andy Walker's entry in DSCC using the same technique that
you used in steps 18a through 18g. Be sure to select zone01:2389 in
the Choose Directory Server dialog box, and not zone01:1389.
Confirm that the telephone number is +1 408 555 1234. To confirm that
replication is working in both directions, change awalker's
telephone number to +1 408 555 3456.
n. Use DSCC to verify that Andy Walker's phone number was changed
to +1 408 555 3456 on the dsm1 instance.
o. Close the dsm1 and dsm2 terminal windows (or tab pages).
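Steps 18k and 18l correlate a MOD with the BIND on the same conn= number by eye. The following script is an added example, not part of the Oracle lab guide, that does the same correlation over a whole access log and reports, for every modification, whether it came in by replication (bound as the replication manager) or from a client, together with the client's address. The sample log lines are constructed for this example and only approximate the Directory Server EE access-log format shown on the page ([ TIMESTAMP ] conn=10 op=0 msgId=1 - BIND dn=); the addresses, times and connection numbers are invented.

```shell
#!/bin/sh
# Added example (not from the Oracle lab guide): do steps 18k and 18l
# mechanically. For every MOD in a Directory Server EE access log, find the
# BIND on the same conn= number and classify the write as replication-driven
# (bound as the replication manager) or client-driven.

REPL_MGR_DN='cn=replication manager,cn=replication,cn=config'

# Constructed sample lines approximating the DSEE access-log format. The
# timestamps, connection numbers and addresses are invented for this example.
sample_access_log() {
  cat <<'EOF'
[15/Sep/2010:10:23:40 -0700] conn=9 fd=64 slot=64 LDAP connection from 10.0.0.5:51234 to 10.0.0.5:1389
[15/Sep/2010:10:23:40 -0700] conn=9 op=0 msgId=1 - BIND dn="cn=Directory Manager" method=128 version=3
[15/Sep/2010:10:23:41 -0700] conn=9 op=1 msgId=2 - MOD dn="uid=awalker,ou=People,dc=example,dc=com"
[15/Sep/2010:10:23:41 -0700] conn=9 op=1 msgId=2 - RESULT err=0 tag=103 nentries=0 etime=0
[15/Sep/2010:10:23:42 -0700] conn=10 fd=65 slot=65 LDAP connection from 10.0.0.5:51240 to 10.0.0.5:2389
[15/Sep/2010:10:23:42 -0700] conn=10 op=0 msgId=1 - BIND dn="cn=replication manager,cn=replication,cn=config" method=128 version=3
[15/Sep/2010:10:23:43 -0700] conn=10 op=1 msgId=2 - MOD dn="uid=awalker,ou=People,dc=example,dc=com"
[15/Sep/2010:10:23:43 -0700] conn=10 op=1 msgId=2 - RESULT err=0 tag=103 nentries=0 etime=0
[15/Sep/2010:10:23:50 -0700] conn=11 op=1 msgId=2 - MOD dn="uid=scarter,ou=People,dc=example,dc=com"
EOF
}

# classify_mods: reads an access log on stdin and prints one line per MOD:
#   CONN KIND SOURCE-ADDRESS BIND-DN TARGET-DN
# KIND is replication, client, or unbound (no BIND seen on that conn=, so the
# write was anonymous or the log was truncated; either way worth a look).
classify_mods() {
  awk -v repl="$REPL_MGR_DN" '
    # value of key=... in line s (e.g. field(s, "conn") -> "10")
    function field(s, key,   n, a, i) {
      n = split(s, a, " ")
      for (i = 1; i <= n; i++)
        if (index(a[i], key "=") == 1) return substr(a[i], length(key) + 2)
      return ""
    }
    # first "..." string in s (the DN of a BIND or MOD line)
    function quoted(s,   i, j) {
      i = index(s, "\""); if (!i) return ""
      j = index(substr(s, i + 1), "\"")
      return substr(s, i + 1, j - 1)
    }
    / LDAP connection from / {
      if (match($0, /from [^ ]+/)) src[field($0, "conn")] = substr($0, RSTART + 5, RLENGTH - 5)
      next
    }
    / - BIND dn=/ { bind[field($0, "conn")] = quoted($0); next }
    / - MOD dn=/ {
      c = field($0, "conn")
      if (!(c in bind))          kind = "unbound"
      else if (bind[c] == repl)  kind = "replication"
      else                       kind = "client"
      printf "%s %s %s %s %s\n", c, kind, (c in src ? src[c] : "-"), (c in bind ? bind[c] : "anonymous"), quoted($0)
    }'
}

# Usage against a lab instance (uncomment to run):
#   classify_mods < /local/dsm2/logs/access
```

Run it against /local/dsm2/logs/access after step 18 and you should see the awalker modification attributed to the replication manager. The source-address column is the check a reviewer wants next: replication-manager binds should come only from the other masters in the topology, so one from any other address means someone is using the replication credentials directly and deserves investigation.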

Task 4: Setting Up Multimaster Replication With DSCC
Multimaster replication is now working between the dsm1 and dsm2 instances. In
this task, you create a third directory server instance and add this instance to the
directory server topology as a third master replica.
Complete the following steps in the zone01 zone:
1. Create a new directory server instance:
a. In DSCC, navigate to the Common Tasks page.
b. Select Create New Directory Server.
The New Directory Server Wizard starts.
The Step 1: Enter Required Settings dialog box appears.


c. Enter the following values in the Step 1: Enter Required Settings
dialog box:
Host: Known Host: Select zone01.
LDAP Port: 3389
LDAP Secure Port: 3636
Instance Path: /local/dsm3
Directory Manager DN: cn=Directory Manager
Directory Manager Password: sunlearning
Confirm Password: sunlearning
Runtime User ID: root
Runtime User Password: cangetin
DSCC Agent Port: Select Other and type 21162.
Description: Master 3 (dsm3)
d. Click Next.
If the Confirm Password Change dialog box appears, select the
cn=Directory Manager user and click OK.
The Step 2: Choose Additional Settings dialog box appears.
e. Select Copy Settings from Server, specifying the zone01:1389 server.
f. Click Select All to check all the check boxes.
g. Click Next.
The Step 3: Summary dialog box appears.
h. Review the settings in the Summary dialog box.
i. Click Finish to create the new instance.
The Creating New Server dialog box appears.
Progress messages appear in the Creating New Server dialog box.
The following warning, which is expected and does not indicate that
any problems are present, appears:
The Dictionary Path of the Password Strong Check
configuration has not been copied because is a file
system dependent parameter.


j. Click Close.
The Directory Servers page appears. The new instance appears in the
directory servers list.

2. Create the dc=example,dc=com suffix for the dsm3 instance:
a. Select zone01:3389 from the directory servers list.
b. Select the Suffixes tab.
c. Click New Suffix.
The New Directory Server Wizard starts.
The Step 1: Enter Suffix Name dialog box appears.
d. For the Suffix DN, type dc=example,dc=com.
e. Click Next.
The Step 2: Choose Replication Options dialog box appears.
f. Select Extend Existing Replication Topology.
g. Click Next.
The Step 2.1: Choose Server(s) dialog box appears.
h. Select zone01:3389 from the list of available servers and click Add
to add the dsm3 instance to the list of master replicas.
i. If the Create Replication Agreements Between All Servers check box
is not checked, select it.
j. Click Next.
The Step 3: Choose Settings dialog box appears.
k. Select Copy Settings from Suffix, and make sure the
dc=example,dc=com (zone01:1389) suffix is selected.
l. Click Next.
The Step 4: Choose Database Location Options dialog box appears.
m. If the Use Default Database Location check box is not checked, select
it.
n. Click Next.
The Step 5: Choose Data Options dialog box appears.
o. Select the Initialize by Importing Contents of an LDIF File option.
p. Enter the following path in the field below the Initialize by Importing
Contents of an LDIF File option:
/local/dsm1/ldif/example_init.ldif
q. Click Next.
The Step 6: Summary dialog box appears.
r. Click Preview Topology.
The Replication Topology Viewer window appears.
s. Verify the multimaster topology between the three master replicas.
t. Close the Replication Topology Viewer window.
u. Click Finish to create and initialize the suffix.
The Creating New Suffix dc=example,dc=com dialog box appears.
Progress messages inform you about the status of suffix creation.
v. Click Close.
3. Create the ou=People,dc=example,dc=com suffix for the dsm3
instance.
Use a method similar to the technique you used in step 2 when you created
the dc=example,dc=com suffix.
Be sure to provide the following values to the New Directory Server
Wizard:
Suffix DN: ou=People,dc=example,dc=com
Copy Settings from Suffix: Select
ou=People,dc=example,dc=com (zone01:1389)
LDIF File to Import: /local/dsm1/ldif/people_init.ldif
All other values are the same as the values specified in step 2.
4. Enable client updates for the two suffixes:
a. If needed, navigate to the zone01:3389 - Suffixes page in DSCC.
b. Select the link for the dc=example,dc=com suffix.
The informational message, Client Updates Can Safely be
Enabled, appears at the top of the page.


c. In the General section, click Enable Client Updates.
Note: Not the General tab, but the General section further down the same page
as the informational message in the previous step b. You might need to scroll
down the screen to locate the Enable Client Updates button.
d. Click Save.
e. Return to the zone01:3389 - Suffixes page.
f. Enable client updates for the ou=People,dc=example,dc=com
suffix.
5. Verify that replication to the dsm3 instance works correctly by making
changes to Andy Walker's entry on the dsm2 instance, then examining the
Directory Server EE access logs and the directory data on the dsm3
instance. Use the same technique you used when you performed step 18
earlier in this exercise.
Make sure that entries on the dsm1 and dsm3 instances are both updated
when you change Andy Walker's entry on the dsm2 instance.


Exercise 2: Monitoring Replication Using DSCC and Directory Server EE Utilities
In this exercise, you examine a variety of techniques for working with a
replication topology. You monitor replication status, review replication topology,
and compare directory entries on replicas.
Note that the repldisc, insync, and entrycmp commands in this exercise take
the Directory Manager password on the command line (-w sunlearning), where
any local user can read it from the process list. That is acceptable in the
classroom; in production, read the password from a protected file instead (these
utilities accept -j pwfile), as the dsconf commands in Exercise 1 do with
-w /opt/dsee7/pwd.
Perform the following tasks:
Task 1: Using DSCC to Monitor Replication Agreements
Task 2: Using the repldisc Utility to Discover a Replication Topology
Task 3: Using the insync Utility to Examine Synchronization State
Task 4: Using the dsconf Utility to Show Replication Agreement Status
Task 5: Pausing and Restarting Replication
Task 6: Using the entrycmp Utility to Compare Directory Entries

Task 1: Using DSCC to Monitor Replication Agreements
In this task, you monitor replication using DSCC.
Complete the following steps in the zone01 zone:
1. Navigate to the Common Tasks page in DSCC.
2. Select Manage Registered Directory Servers.
3. Select the Replication Agreements subtab.
The Replication Agreements page appears.
4. View a visual representation of the replication topology:
a. Click View Topology.
The Replication Topology Viewer window appears.
b. Scroll down the Replication Topology Viewer to view the entire
topology.
c. Use the Suffix drop-down menu to view other replicated suffixes.
d. Close the Replication Topology Viewer window.
5. The Operational Status column in the Replication Agreements page
provides the status of each replication agreement.


If a replication agreement has the Replication Idle status, then there are no
issues with the deployment that inhibit the operation of the replication
agreement.
Click the Refresh button at the top right of the window to make sure that
you are viewing the most recent status.
6. Explore different ways to view replication information:
a. Sort the list of replication agreements by Source Server by clicking
the Source Server column title.
b. View only the replication agreements for the
ou=People,dc=example,dc=com subsuffix.
In the Filter drop-down menu, locate the set of menu options
pertaining to the ou=People,dc=example,dc=com suffix. Select
On All Servers from this set of options.
c. Select other view options to continue to explore the ways to see the
replication information.

Task 2: Using the repldisc Utility to Discover a Replication Topology
The repldisc utility constructs a table of all known servers in a replication
topology. Starting from one server, it follows that server's replication
agreements to discover the others, so every server it reaches must be up.
Complete the following steps in the zone01 zone:
1. Open a terminal window (if necessary).
2. Verify that the dsm1, dsm2, and dsm3 directory server instances are
running.
Note: If directory server instances that repldisc reaches are not running,
including instances that you do not consider part of the replication topology,
the repldisc utility fails with a message that it is not able to connect to the
LDAP server.


3. Create a replication map for the ou=People,dc=example,dc=com
subsuffix of the dsm1 instance:
# repldisc -D "cn=Directory Manager" -w sunlearning \
-b ou=People,dc=example,dc=com -s zone01:1389
The following replication topology appears in the terminal window:

Topology for suffix: ou=People,dc=example,dc=com

Legend:
^ : Host on row sends to host on column.
v : Host on row receives from host on column.
x : Host on row and host on column are in MM mode.

              | zone01:1389 | zone01:2389 | zone01:3389 |
==============+=============+=============+=============+
zone01:1389   |             |      x      |      x      |
--------------+-------------+-------------+-------------+
zone01:2389   |      x      |             |      x      |
--------------+-------------+-------------+-------------+
zone01:3389   |      x      |      x      |             |
--------------+-------------+-------------+-------------+

Each x marks a pair of masters that replicate to each other; the empty
diagonal is a server compared with itself.
4. Run the repldisc utility with the -a option, which prints the topology as
arrows instead of a table:
# repldisc -D "cn=Directory Manager" -w sunlearning \
-a -b ou=People,dc=example,dc=com \
-s zone01:1389
The following replication topology appears in your terminal window:

Topology for suffix: ou=people,dc=example,dc=com

Legend:
The direction of the replication is indicated with arrows.
multimaster : servers are shown linked by a double arrow (<->).
Single-master: suppliers appear on left, consumers on right (->).
zone01:2389 <-> zone01:1389
zone01:3389 <-> zone01:1389
zone01:3389 <-> zone01:2389

Task 3: Using the insync Utility to Examine Synchronization State
The insync utility indicates the synchronization state between a master replica
and one or more consumer replicas.


Complete the following steps in the zone01 zone:
1. Run the insync utility on the dsm1 instance:
# insync -D "cn=Directory Manager" -w sunlearning \
-s zone01:1389
Note: If directory server instances are not running, including instances that are
not part of the replication topology, the insync utility fails with a message that it
is not able to connect to the LDAP server.
2. Examine the output of the insync utility, noting the Replica DN,
Consumer, Supplier, and Delay values.

Task 4: Using the dsconf Utility to Show Replication Agreement Status
You can use the dsconf utility to determine the status of replication agreements.
Complete the following steps in the zone01 zone:
1. Determine the status of the replication agreement from the dsm1 master
replica to the dsm2 master replica for the dc=example,dc=com suffix:
# dsconf show-repl-agmt-status -p 1389 \
-w /opt/dsee7/pwd dc=example,dc=com zone01:2389
2. Determine the status of the replication agreement from the dsm2 master
replica to the dsm1 master replica for the dc=example,dc=com suffix:
# dsconf show-repl-agmt-status -p 2389 \
-w /opt/dsee7/pwd dc=example,dc=com zone01:1389
3. Check the replication agreement status for the other agreements in the
replication topology if you like.
Task 5: Pausing and Restarting Replication
It is sometimes helpful to pause replication. For example, a bulk import operation
slows significantly if the host system doing the import must send out replication
information at the same time that it performs the import operation. It is more
efficient to pause replication, perform the import, and then re-enable replication.
In this task, you pause replication of the ou=People,dc=example,dc=com
subsuffix, change some data, and restart the replication. Because there are
agreements between the dsm1 instance and the dsm2 instance, and between the
dsm1 instance and the dsm3 instance, you must pause replication to both
instances.
Note that you do not pause replication in the other direction in this task. In a
production environment, you might pause replication in both directions if the
replication operations were to impact performance.
While an agreement is disabled, changes made on dsm1 accumulate in its
changelog and are sent once the agreement is enabled again, provided they have
not been purged from the changelog in the meantime; step 5 verifies this.
Complete the following steps in the zone01 zone:
1. If necessary, navigate to the Replication Agreements page in DSCC.
2. Pause replication for replication agreements on the
ou=People,dc=example,dc=com suffix originating from the dsm1
instance:
a. Select the check box for the following agreement:
Agreement Suffix: ou=People,dc=example,dc=com
Source Server: zone01:1389
Destination Server: zone01:2389
b. Select the check box for the following agreement:
Agreement Suffix: ou=People,dc=example,dc=com
Source Server: zone01:1389
Destination Server: zone01:3389
c. Select Disable Agreement from the More Agreement Actions drop-down menu.
A dialog box prompts you to confirm the action.
d. Click OK.
The Disabling Replication Agreements dialog box appears.
Progress messages inform you of the status of the operation.

e. Close the Disabling Replication Agreements window after the
operation is complete.
f. Verify in DSCC that the operational status of the two replication
agreements has changed to the Disabled status.
3. Verify that replication has been paused. Use DSCC to change Andy
Walker's fax number on the dsm1 instance, then verify that his fax number
has not been replicated to the dsm2 and dsm3 instances.
If you are not sure how to change the fax number and to verify that the
number did not change on the replicas, refer to step 18 of Exercise 1.
4. Restart replication:
a. Navigate to the Replication Agreements page in DSCC.
b. Select the check box for the following agreement:
Agreement Suffix: ou=People,dc=example,dc=com
Source Server: zone01:1389
Destination Server: zone01:2389
c. Select the check box for the following agreement:
Agreement Suffix: ou=People,dc=example,dc=com
Source Server: zone01:1389
Destination Server: zone01:3389
d. Select Enable Agreement from the More Agreement Actions drop-down menu.
The Enabling Replication Agreements dialog box appears.
Progress messages inform you of the status of the operation.
e. Close the Enabling Replication Agreements window after the
operation is complete.
5. Verify that replication has been restarted by confirming that the change to
Andy Walker's fax number has been replicated to the dsm2 and dsm3
instances.
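The disable / change / enable sequence of this task is the kind of thing that goes wrong under pressure: the change is made, the operator is interrupted, and the agreement stays disabled until the changelog purges the pending updates. The following shell functions are an added example, not part of the Oracle lab guide, that wrap the sequence from the command line so the agreements are always re-enabled, even when the command run in between fails. They assume the dsconf subcommands disable-repl-agmt and enable-repl-agmt (documented for DSEE 7 dsconf but not shown on this page), the lab's password file /opt/dsee7/pwd, and a hypothetical bulk_update.sh as the work to run while paused.

```shell
#!/bin/sh
# Added example (not from the Oracle lab guide): the pause / change / resume
# pattern of Task 5 from the command line. Assumes the dsconf subcommands
# disable-repl-agmt and enable-repl-agmt (documented for DSEE 7 dsconf) and
# the lab's password file; neither is shown on the page.

PWFILE=${PWFILE:-/opt/dsee7/pwd}

# set_repl_agmts ACTION PORT SUFFIX DEST... : ACTION is enable or disable.
# Applies it to the agreement from the local master on PORT toward each DEST
# (host:port), stopping at the first dsconf failure.
set_repl_agmts() {
  action=$1; port=$2; suffix=$3; shift 3
  for dest; do
    dsconf "${action}-repl-agmt" -p "$port" -w "$PWFILE" "$suffix" "$dest" || return 1
  done
}

# with_repl_paused PORT SUFFIX "DEST DEST..." COMMAND [ARG...]
# Disables this master's outbound agreements for SUFFIX, runs COMMAND, then
# re-enables them even if COMMAND failed, so a failed bulk job never leaves
# replication silently switched off. Returns COMMAND's exit status.
# Only this master's outbound agreements are paused; updates from the other
# masters still arrive, exactly as the task text notes.
with_repl_paused() {
  port=$1; suffix=$2; dests=$3; shift 3
  set_repl_agmts disable "$port" "$suffix" $dests || return 1   # word-split on purpose
  "$@"; rc=$?
  set_repl_agmts enable "$port" "$suffix" $dests || return 1
  return $rc
}

# Usage matching the lab (bulk_update.sh is a hypothetical placeholder for
# the work you want done while dsm1's agreements to dsm2 and dsm3 are paused):
#   with_repl_paused 1389 ou=People,dc=example,dc=com \
#     "zone01:2389 zone01:3389" sh ./bulk_update.sh
```

After the wrapper returns, confirm with dsconf show-repl-agmt-status (Task 4) or entrycmp (Task 6) that the paused changes have reached dsm2 and dsm3; re-enabling only resumes sending, it does not prove the consumers caught up.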


Task 6: Using the entrycmp Utility to Compare Directory Entries
The entrycmp utility compares the same entry on two or more servers.
Complete the following steps in the zone01 zone:
1. Compare Sam Carter's directory entry on replicated servers:
# entrycmp -D "cn=Directory Manager" \
-w sunlearning -s zone01:1389 \
uid=scarter,ou=People,dc=example,dc=com
Output similar to the following appears:
entrycmp: zone01:2389 - entries match.
entrycmp: zone01:3389 - entries match.
2. Pause replication of the ou=People,dc=example,dc=com subsuffix from
the dsm1 instance to the dsm2 instance, and from the dsm1 instance to the
dsm3 instance.
If you are not sure how to pause replication, refer to steps 1 and 2 of
Task 5.
3. Use DSCC to change Sam Carter's telephone number on the dsm1 instance.
If you are not sure how to change the phone number, refer to step 18 of
Exercise 1.
4. Run the entrycmp utility again:
# entrycmp -D "cn=Directory Manager" \
-w sunlearning -s zone01:1389 \
uid=scarter,ou=People,dc=example,dc=com
Output similar to the following appears, indicating that the directory entries
for Sam Carter are out of sync on the replicas:
entrycmp: zone01:2389 - different values for telephoneNumber.
entrycmp: zone01:3389 - different values for telephoneNumber.
entries match.
5. Restart replication of the ou=People,dc=example,dc=com subsuffix
from the dsm1 instance to the dsm2 instance, and from the dsm1 instance to
the dsm3 instance.
If you are not sure how to restart replication, refer to step 4 of Task 5.
6. Run the entrycmp utility again:
# entrycmp -D "cn=Directory Manager" \
-w sunlearning -s zone01:1389 \
uid=scarter,ou=People,dc=example,dc=com
Output similar to the following appears, indicating that the directory entries
for Sam Carter are back in sync on the replicas:
entrycmp: zone01:2389 - entries match.
entrycmp: zone01:3389 - entries match.


Exercise Summary
Discussion: Take a few minutes to discuss what experiences, issues, or
discoveries you had during the lab exercise.
Experiences
Interpretations
Conclusions
Applications

Lab 9
Tuning Directory Server EE Performance

There is no lab for this module.

Lab 10
Configuring Failover and Load Balancing Using a Directory Proxy Server

After completing this lab, you should be able to:
Configure failover using a directory proxy server
Configure proportional load-balancing
Configure load-balancing using the command-line interface

Exercise 1: Configuring Failover Using a Directory Proxy Server
In this exercise, you create a directory proxy server and configure it for failover
across three directory server instances.
Perform the following tasks:
Task 1: Restarting Zones and Servers
Task 2: Creating a Directory Proxy Server
Task 3: Creating Data Sources
Task 4: Creating a Data Source Pool
Task 5: Creating a Data View
Task 6: Confirming That Failover Is Working

Preparation
Prerequisite Labs
The following labs are prerequisites for performing this lab:
Introducing Oracle Directory Server EE 11gR1
Searching and Modifying Directory Content
Using Directory Server EE Log Files
Securing Directory Server EE Access
Enforcing Password Policies
Using Certificates With Directory Server EE
Backing Up and Restoring Directory Data
Replicating Directory Server EE Data
Tuning Directory Server EE Performance
The task to prepare your lab system depends on whether you performed the
prerequisite labs, and whether you have performed other labs in addition to the
prerequisite labs.


Assessing the State of Your Lab System
Using Table A-2 on page A-7 in Working With the Solaris Sandbox, assess the
state of your lab system, then take any additional actions described in the table.

Task 1: Restarting Zones and Servers
If your lab system was not in the Ready to Go, Powered Up state, you need to
bring up zones and start servers.
Perform the following steps if your lab system was not in the Ready to Go,
Powered Up state:
1. Start and log in to the zone01 zone.
For explicit instructions for starting and logging in to zones, refer to Zone
Management Commands in the Solaris Sandbox on page A-3.
2. Start the following servers:
The CACAO server: refer to Starting the Common Agent Container (CACAO)
on page A-4.
The DSCC registry directory server instance: refer to Starting the DSCC
Registry Directory Server Instance on page A-4.
The Tomcat Web container that hosts the DSCC Web application: refer to
Starting the Tomcat Web Container That Hosts the DSCC Web Application
on page A-4.
The dsm1 directory server instance: refer to Starting the dsm1 Directory
Server Instance on page A-4.
The dsm2 directory server instance: refer to Starting the dsm2 Directory
Server Instance on page A-4.
The dsm3 directory server instance: refer to Starting the dsm3 Directory
Server Instance on page A-4.
You perform the rest of this lab in the zone01 zone.

Configuring Failover and Load Balancing Using a Directory Proxy Server


Task 2 Creating a Directory Proxy Server


In this task, you create a directory proxy server.
Complete the following steps in the zone01 zone:
1. Make sure that the dsm1, dsm2, and dsm3 directory server instances are
   started, and all other directory server instances are stopped:
   # dsadm start /local/dsm1
   # dsadm start /local/dsm2
   # dsadm start /local/dsm3
   Note: If a directory server instance is already started, running the dsadm
   start utility for that instance has no effect. Similarly, if a directory server
   instance is already stopped or does not exist, running the dsadm stop utility for
   that instance has no effect.
2. Log in to DSCC.
   The Common Tasks page appears.
3. Select the Proxy Servers tab.
4. Click New Server to start the New Proxy Server Wizard.
   The Step 1: Enter Required Settings dialog box appears.


5. Specify the following values in the Step 1: Enter Required Settings dialog
   box:
   - LDAP Port: 9389
   - LDAP Secure Port: 9636
   - Instance Path: /local/dps1
   - Proxy Manager DN: cn=Proxy Manager
   - Proxy Manager Password: sunlearning
   - Confirm Password: sunlearning
   - Runtime User ID: root
   - Runtime User Password: cangetin
   - DSCC Agent Port: Click Other, then type 21162
   - Description: Proxy 1 (dps1)
   Caution: For this lab, you configure the same password for the cn=Proxy
   Manager and cn=Directory Manager users. Because both users have the
   same password, you can use the /opt/dsee7/pwd file to specify the password
   in directory server and directory proxy server CLI operations.
   Specifying the same password for multiple internal user accounts is not a
   security best practice.
   Note: A dialog box might appear asking you to confirm the user for which you
   are changing the password. If this dialog box appears, select the root user and
   click OK. Respond similarly if you see this dialog box appear at any point in
   these labs.
6. Click Next.
   The Step 2: Choose Additional Settings dialog box appears.
7. Click Next to accept the default settings for the Step 2: Choose Additional
   Settings dialog box.
   The Step 3: Summary dialog box appears.
8. Click Finish.
   Messages appear in the Creating New Server dialog box as the dps1 proxy
   server is created and started.
9. Click Close to terminate the New Proxy Server Wizard.
   The new proxy server appears in the proxy servers list in DSCC.


Task 3 Creating Data Sources


Start configuring the directory proxy server for failover by creating three data
sources.
Each data source you create in this task maps to one of the directory server
instances:
- The LDAP_1 data source maps to the dsm1 directory server instance
- The LDAP_2 data source maps to the dsm2 directory server instance
- The LDAP_3 data source maps to the dsm3 directory server instance
Complete the following steps in the zone01 zone:
1. In DSCC, select the zone01:9389 proxy server.
2. Select the Routing tab.
   The zone01:9389 - Data Sources page appears, with the Data Sources
   subtab preselected.
3. Click New Data Source to start the New Data Source Wizard.
   The Step 1: Specify General Properties dialog box appears.
4. Specify the following values in the Step 1: Specify General Properties
   dialog box:
   - Name: LDAP_1
   - Description: LDAP 1 (dsm1)
   - Read/Write State: Select Read/Write.
   - Use Registered Directory Server: Select zone01:1389.
   - TCP No-Delay: Select the Enabled check box.
   - SSL Policy: Select Never Use SSL.
5. Click Next.
   The Step 2: Choose Client Identity Forwarding Policy dialog box appears.
6. Click Next to accept the default settings for the Step 2: Choose Client
   Identity Forwarding Policy dialog box.
   The Step 3: Specify Number of Connections dialog box appears.
7. Click Next to accept the default settings for the Step 3: Specify Number of
   Connections dialog box.
   The Step 4: Summary dialog box appears.
8. Click Finish.
   Messages appear in the Creating New Data Source dialog box as the
   LDAP_1 data source is created.
9. Click Close to terminate the New Data Source Wizard.
   The LDAP_1 data source appears in the data sources list in DSCC.
10. Using the technique you followed in steps 3 through 9, create the LDAP_2
    and LDAP_3 data sources for the dsm2 and dsm3 directory server instances.
    Make the following changes:
    - For the LDAP_2 data source, set the description to LDAP 2 (dsm2)
      and use the zone01:2389 registered directory server.
    - For the LDAP_3 data source, set the description to LDAP 3 (dsm3)
      and use the zone01:3389 registered directory server.

Task 4 Creating a Data Source Pool


Next, you create a data source pool from the available data sources. A data source
pool defines a set of data sources and a load-balancing algorithm to be used to
route requests from the directory proxy server to the data sources.
Complete the following steps in the zone01 zone:
1. Verify that the zone01:9389 - Data Sources page appears in DSCC.
2. Select the Data Source Pools subtab.
3. Click New Data Source Pool to start the New Data Source Pool Wizard.
   The Step 1: Enter Name and Choose Data Sources dialog box appears.
4. Specify the following values in the Step 1: Enter Name and Choose Data
   Sources dialog box:
   - Name: LDAP_HA_Pool
   - Description: LDAP Pool
   - Data Sources: Click Add All to move the LDAP_1, LDAP_2, and
     LDAP_3 data sources from the Available Data Sources column to the
     Chosen Data Sources column.
5. Click Next.
   The Step 2: Choose Load Balancing Algorithm dialog box appears.
6. Select Failover.
7. Click Next.
   The Step 3: Configure Load Balancing Algorithm dialog box appears.


   Even though you specified failover as the load-balancing algorithm in the
   previous step, the Configure Load Balance Algorithm dialog box computes
   and displays percentage weight values as though you had selected the
   proportional load-balancing algorithm. Ignore the percentages that appear in
   the dialog box.
8. Enter values from Table 10-1 in the Step 3: Configure Load Balancing
   Algorithm dialog box:

   Table 10-1 Data Sources and Load Balancing Weights

   Data Source   Read/Bind Operations   Write Operations
   LDAP_1
   LDAP_2
   LDAP_3

   Caution: DSCC might not display the data sources in sequential order. Make
   sure that you enter the correct value for each data source.
   Table 10-1 shows data sources and load-balancing weights. When using the
   failover load-balancing algorithm, a directory proxy server sends requests to
   all data sources with the highest weight. To demonstrate failover in this lab,
   you set different weights for each data source.
   Initially, the directory proxy server routes all traffic to the data source with
   the highest weight, the LDAP_1 data source. After you shut down the
   LDAP_1 data source, the directory proxy server routes all traffic to the data
   source with the next highest weight, the LDAP_2 data source.
   In a production environment, you might choose to set the weights equally.
   Setting the weights equally causes equal load-balancing of requests across
   all three data sources, while still handling a data source failure.
9. Click Next.
   The Step 4: Summary dialog box appears.
10. Click Finish.
    Messages appear in the Creating New Data Source dialog box as the
    LDAP_HA_Pool data source pool is created.
11. Click Close to terminate the New Data Source Pool Wizard.
    The LDAP_HA_Pool data source pool appears in the data source pools list
    in DSCC.

Task 5 Creating a Data View


In this task, you create a data view.
Complete the following steps in the zone01 zone:
1. Verify that the zone01:9389 - Data Source Pools page appears in DSCC.
2. Select the Data Views subtab.
3. Click New Data View to start the New Data View Wizard.
   The Step 1: Enter Name and Description dialog box appears.
4. Specify the following values in the Step 1: Enter Name and Description
   dialog box:
   - Name: LDAP_View
   - Description: LDAP View
5. Click Next.
   The Step 2: Specify Data Settings dialog box appears.
6. Specify the following values in the Step 2: Specify Data Settings dialog
   box:
   - View Base DN: ou=People,dc=example,dc=com
   - Data Source Pool: Select LDAP_HA_Pool.
   - Read/Write State: Select Read/Write.
7. Click Next.
   The Step 3: Summary dialog box appears.
8. Click Finish.
   Messages appear in the Creating New Data View dialog box as the
   LDAP_View data view is created.
9. Click Close to terminate the New Data View Wizard.
   The LDAP_View data view appears in the data views list in DSCC. Its state
   is listed as enabled.

Task 6 Confirming That Failover Is Working


In this task, you verify that the directory proxy server handles failover in
accordance with the load-balancing weights that you assigned to the
LDAP_HA_Pool data source pool in Task 4 Creating a Data Source Pool on
page L10-7.
First, you confirm that the dps1 directory proxy server normally routes all LDAP
operations to the LDAP_1 data source, the dsm1 directory server instance. This
is the expected behavior, because you assigned the highest load-balancing weight
to the LDAP_1 data source when you created the LDAP_HA_Pool data source
pool.
Then you shut down the dsm1 directory server instance. The dps1 directory
proxy server now routes all LDAP operations to the LDAP_2 data source, the
dsm2 directory server instance. You assigned the LDAP_2 data source the second
highest weight when you created the LDAP_HA_Pool data source pool.
Finally, you shut down the dsm2 directory server instance. The dps1 directory
proxy server now routes all LDAP operations to the LDAP_3 data source, the
dsm3 directory server instance. You assigned the LDAP_3 data source the lowest
weight when you created the LDAP_HA_Pool data source pool.
Complete the following steps in the zone01 zone:
1. You can determine where directory server requests are routed by viewing
   the access logs.
   Monitor the access logs for the dsm1, dsm2, and dsm3 directory server
   instances, and for the dps1 directory proxy server as follows:
   a. Open four new terminal windows (or terminal tab pages). You will use
      the four windows (or tabs) to monitor access logs for the following
      instances:
      - The dsm1 directory server instance
      - The dsm2 directory server instance
      - The dsm3 directory server instance
      - The dps1 directory proxy server
   b. Use the Terminal / Set Title menu option to set titles on the new
      terminal windows. Use the titles dsm1, dsm2, dsm3, and dps1 for the
      window titles.
   c. Log into the zone01 zone in each new terminal window (or tab):
      # zlogin zone01
   d. Run the tail command in each terminal (or tab):
      Run the following command to monitor the dsm1 instance in the dsm1
      terminal window:
      # tail -f /local/dsm1/logs/access | grep -i scarter
      Run the following command to monitor the dsm2 instance in the dsm2
      terminal window:
      # tail -f /local/dsm2/logs/access | grep -i scarter
      Run the following command to monitor the dsm3 instance in the dsm3
      terminal window:
      # tail -f /local/dsm3/logs/access | grep -i scarter
      Run the following command to monitor the dps1 instance in the dps1
      terminal window:
      # tail -f /local/dps1/logs/access | grep -i scarter
   Note: In the next step, you search for user Sam Carter using the filter
   "uid=scarter" in the original terminal window, and monitor the access logs in
   the new terminal windows. By using the grep command, you filter the output so
   that you see only the lines containing the string scarter.


2. In the original terminal window, perform an LDAP search operation on the
   directory proxy server:
   # ldapsearch -p 9389 \
   -b ou=People,dc=example,dc=com uid=scarter
   Note: The search base DN matches the view base DN specified for the data
   view in Task 5 Creating a Data View.
3. Repeat the ldapsearch utility request in step 2 three more times.
4. View the output of the access logs for the directory proxy server and the
   three directory server instances. Confirm that the search was performed
   only on the LDAP_1 data source, the dsm1 instance. Updates to the access
   logs are buffered, so it might take a few seconds for your search to appear
   in the logs.
   The directory proxy server access log should have log records similar to the
   following:
[12/Oct/2009:18:02:21 -0700] - OPERATION - INFO conn=19 op=0 msgid=1 SEARCH
base="ou=People,dc=example,dc=com" scope=2 controls=""
filter="(uid=scarter)" attrs="*"
[12/Oct/2009:18:02:21 -0700] - SERVER_OP - INFO conn=19 op=0 SEARCH base="ou=people,dc=example,dc=com"
scope=2 filter="(uid=scarter)" attrs="*" s_msgid=22
s_conn=ldap_1:6
   Notice the string s_conn=ldap_1 in the directory proxy server access
   log. This string indicates that a connection to the LDAP_1 data source, the
   dsm1 instance, was made.

5. Once you are convinced that requests are only being sent to the LDAP_1
   data source, shut down the dsm1 instance from the original terminal
   window:
   # dsadm stop /local/dsm1
6. Repeat the ldapsearch utility request that you performed in step 2 several
   times.
7. Review the output of the access logs for the directory proxy server and the
   three directory server instances. Confirm that the search was performed
   only on the dsm2 instance.
8. Shut down the dsm2 instance from the original terminal window.
9. Repeat the search operation to verify failover to the dsm3 instance.


10. Restart the two stopped instances, and reactivate the monitoring setup for
    those instances:
    a. Restart the dsm1 and dsm2 instances from the original terminal
       window.
    b. Stop the tail command in the terminal windows monitoring the
       dsm1 and dsm2 access logs by pressing the Ctrl + C keys.
    c. Restart the tail command in the terminal windows monitoring the
       dsm1 and dsm2 access logs.
11. Repeat the search to verify that the search is once again performed on the
    dsm1 instance.
12. Leave the terminal windows open for use in the next exercise.


Exercise 2: Configuring Proportional Load Balancing


In this exercise, you use the data sources configured in the previous exercise to
create a different data source pool. The new data source pool uses proportional
load-balancing to route requests to the data sources.
Perform the following tasks:

Task 1 Creating a Different Data Source Pool

Task 2 Reconfiguring the Data View

Task 3 Confirming That Proportional Load Balancing Is Working

Task 1 Creating a Different Data Source Pool


In this task, you configure the directory proxy server for proportional
load-balancing by creating a new data source pool from the LDAP_1, LDAP_2, and
LDAP_3 data sources.
When configuring the new data source pool, you weight the data sources so that
the LDAP_2 data source will receive twice as many requests as the LDAP_1 and
LDAP_3 data sources.
Complete the following steps in the zone01 zone:
1. Navigate to the Proxy Servers page in DSCC.
2. Select the zone01:9389 proxy server.
3. Select the Routing tab.
4. Select the Data Source Pools subtab.
5. Click New Data Source Pool to start the New Data Source Pool Wizard.
   The Step 1: Enter Name and Choose Data Sources dialog box appears.
6. Specify the following values in the Step 1: Enter Name and Choose Data
   Sources dialog box:
   - Name: LDAP_Prop_Pool
   - Description: LDAP Proportional Pool
   - Data Sources: Click Add All to move the LDAP_1, LDAP_2, and
     LDAP_3 data sources from the Available Data Sources column to the
     Chosen Data Sources column.
7. Click Next.


   The Step 2: Choose Load Balancing Algorithm dialog box appears.
8. Verify that the Proportional option is selected.
9. Click Next.
   The Step 3: Configure Load Balancing Algorithm dialog box appears.
10. Enter values from Table 10-2 in the Step 3: Configure Load Balancing
    Algorithm dialog box:

    Table 10-2 Data Sources and Load Balancing Weights

    Data Source   Read/Bind Operations   Write Operations
    LDAP_1        1                      1
    LDAP_2        2                      2
    LDAP_3        1                      1

    Caution: DSCC might not display the data sources in sequential order. Make
    sure that you enter the correct value for each data source.
11. Click Next.
    The Step 4: Summary dialog box appears.
12. Click Finish.
    Messages appear in the Creating New Data Source Pool dialog box as the
    LDAP_Prop_Pool data source pool is created.
13. Click Close to terminate the New Data Source Pool Wizard.
    The LDAP_Prop_Pool data source pool appears in the data source pools
    list in DSCC.


Task 2 Reconfiguring the Data View


In the previous exercise, you created the LDAP_View data view. This data view
lets the directory proxy server access the base DN,
ou=People,dc=example,dc=com, using the failover algorithm configured in
the LDAP_HA_Pool data source pool.
You still want to access the same base DN, but you want to apply the proportional
load-balancing algorithm you just configured in the LDAP_Prop_Pool data
source pool.
Rather than define a new data view, you can simply reconfigure the existing
LDAP_View data view to use the LDAP_Prop_Pool data source pool instead of
the LDAP_HA_Pool data source pool.
Complete the following steps in the zone01 zone:
1. In DSCC, select the Data Views subtab.
2. Select the LDAP_View data view.
3. Locate the Data Source Pool field.
   The LDAP_HA_Pool data source pool is currently configured as the data
   source pool.
4. Select LDAP_Prop_Pool as the value of the Data Source Pool field.
5. Click OK.
6. Log out of DSCC.


Task 3 Confirming That Proportional Load Balancing Is Working

In this task, you confirm that proportional load-balancing works as you
configured it in Task 1 Creating a Different Data Source Pool. You expect the
following results:
- 25% of LDAP requests are routed to the LDAP_1 data source, the dsm1
  instance
- 50% of LDAP requests are routed to the LDAP_2 data source, the dsm2
  instance
- 25% of LDAP requests are routed to the LDAP_3 data source, the dsm3
  instance
You use the same technique that you used in Exercise 1: Configuring Failover
Using a Directory Proxy Server to verify that the directory proxy server is routing
LDAP requests as expected.
Complete the following steps in the zone01 zone:
1. You should still have four terminal windows (or tabs) set up to monitor the
   access logs for the dsm1, dsm2, dsm3, and dps1 instances.
   If you removed the monitoring setup from your lab system, re-create the
   setup using the technique you used in step 1 on page L10-10.
2. In the original terminal window, perform an LDAP search operation on the
   directory proxy server four times:
   # ldapsearch -p 9389 \
   -b ou=People,dc=example,dc=com uid=scarter
3. Confirm that the search was performed on the directory server instances in
   the proportions specified in Table 10-2.
4. Shut down the dsm1 instance from the original terminal window:
   # dsadm stop /local/dsm1
5. Repeat the ldapsearch utility request that you performed in step 2 six
   more times.
6. Confirm that the search was performed twice as often on the LDAP_2 data
   source, the dsm2 instance, as on the LDAP_3 data source, the dsm3
   instance.
7. Restart the stopped dsm1 instance, and reactivate the monitoring setup for
   that instance:
   a. Restart the dsm1 instance from the original terminal window.
   b. Stop the tail command in the terminal window monitoring the dsm1
      access log by pressing the Ctrl + C keys.
   c. Restart the tail command in the terminal window monitoring the
      dsm1 access log.
8. Leave the terminal windows open for use in the next exercise.
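The following is an added example, not part of the Oracle lab guide, that automates the access-log check used in Exercise 1, Task 6 and in this task: it reads dps1 access-log records, tallies SERVER_OP lines by operation type and by the data source named in s_conn, and reports whether everything went to one source (failover) or what share each source received (proportional). The sample records are constructed in the format of the SERVER_OP record shown in Exercise 1; the log path and data source names are the lab's.

```shell
#!/bin/sh
# Added example, not from the Oracle lab guide: tally where the dps1 proxy
# routed each operation by reading SERVER_OP records from a Directory Proxy
# Server access log (/local/dps1/logs/access in this lab). The back-end data
# source is the part of s_conn before the colon (s_conn=ldap_1:6 -> ldap_1).

# route_counts: read access-log lines on stdin and print one line per
# "OPERATION source count", e.g. "SEARCH ldap_1 4". Client-side OPERATION
# records carry no s_conn and are skipped; only SERVER_OP records are counted.
route_counts() {
    awk '
        / - SERVER_OP - / {
            op = ""; src = ""
            for (i = 1; i <= NF; i++) {
                # the operation type is the field right after op=N
                if ($i ~ /^op=[0-9]+$/) op = $(i + 1)
                # s_conn=<data source>:<connection id>; keep the data source
                if ($i ~ /^s_conn=/) { src = substr($i, 8); sub(/:.*/, "", src) }
            }
            if (op != "" && src != "") count[op " " src]++
        }
        END { for (k in count) print k, count[k] }
    ' | LC_ALL=C sort
}

# count_routed OPERATION SOURCE: number of OPERATION requests sent to SOURCE.
count_routed() {
    route_counts | awk -v k="$1 $2" '($1 " " $2) == k { n = $3 } END { print n + 0 }'
}

# source_share SOURCE: integer percentage of all server operations that went
# to SOURCE; Table 10-2 predicts 25/50/25 for ldap_1/ldap_2/ldap_3.
source_share() {
    route_counts | awk -v src="$1" '
        { total += $3; if ($2 == src) hit += $3 }
        END { printf "%d\n", (total ? 100 * hit / total : 0) }'
}

# all_routed_to SOURCE: succeed only if at least one server operation was
# logged and every one of them went to SOURCE, which is what the failover
# pool must show before and after each dsadm stop.
all_routed_to() {
    route_counts | awk -v src="$1" '
        { seen = 1; if ($2 != src) bad = 1 }
        END { exit (seen && !bad) ? 0 : 1 }'
}

# Constructed SERVER_OP record in the format shown in Exercise 1, Task 6
# (sample data, not a real capture). Arguments: conn op OPERATION s_conn.
sample_server_op() {
    printf '[12/Oct/2009:18:02:21 -0700] - SERVER_OP - INFO conn=%s op=%s %s base="ou=people,dc=example,dc=com" scope=2 filter="(uid=scarter)" attrs="*" s_msgid=22 s_conn=%s\n' "$1" "$2" "$3" "$4"
}

# Constructed log excerpt: four searches while dsm1 is up under LDAP_HA_Pool.
sample_failover_log() {
    printf '[12/Oct/2009:18:02:21 -0700] - OPERATION - INFO conn=19 op=0 msgid=1 SEARCH base="ou=People,dc=example,dc=com" scope=2 controls="" filter="(uid=scarter)" attrs="*"\n'
    sample_server_op 19 0 SEARCH ldap_1:6
    sample_server_op 20 0 SEARCH ldap_1:6
    sample_server_op 21 0 SEARCH ldap_1:7
    sample_server_op 22 0 SEARCH ldap_1:6
}

# Constructed log excerpt: eight searches under LDAP_Prop_Pool (weights 1:2:1).
sample_proportional_log() {
    i=0
    for src in ldap_1 ldap_2 ldap_3 ldap_2 ldap_1 ldap_2 ldap_3 ldap_2; do
        i=$((i + 1))
        sample_server_op "$((30 + i))" 0 SEARCH "$src:6"
    done
}

# Usage on the lab system: route_counts < /local/dps1/logs/access
if [ "$#" -gt 0 ]; then
    route_counts < "$1"
fi
```

Run it as `sh script.sh /local/dps1/logs/access` on the lab system, or pipe the log into `source_share ldap_2` to see the percentage rather than raw counts.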


Exercise 3: Configuring Load Balancing Using the Command-line Interface

You have some new requirements for directory usage:
- The LDAP_1 and LDAP_2 data sources must handle search and compare
  requests only.
- All other directory services requests must be handled by the LDAP_3 data
  source.
To implement these requirements, you create a new data source pool, the
LDAP_op_Pool data source pool. Then you configure the LDAP_op_Pool data
source pool to meet the new requirements. Finally, you reconfigure the
LDAP_View data view to use the new data source pool.
In an optional task at the end of the exercise, you define another data source pool
that balances access requests to all three data sources.
Perform the following tasks:

Task 1 Configuring Operation Type Load Balancing Using the Command-line
Interface

Task 2 Monitoring Operation Type Load Balancing

Task 3 Creating a Data Pool with Equal Load Balancing (Optional)


Task 1 Configuring Operation Type Load Balancing Using the Command-line
Interface

You start this task by using the CLI to examine configuration properties of the
existing LDAP_Prop_Pool data source pool. By using the CLI to review
properties, you become accustomed to the CLI presentation of a data source pool.
Then you create and configure a new data source pool, the LDAP_op_Pool data
source pool. Finally, you reconfigure the LDAP_View data view to use the new data
source pool.
Complete the following steps in the zone01 zone:
1. Review the existing properties of the LDAP_Prop_Pool data source pool:
   # dpconf get-ldap-data-source-pool-prop -p 9389 \
   -w /opt/dsee7/pwd LDAP_Prop_Pool
   The following prompt appears in the terminal window:
   Certificate "CN=zone01.example.com:9389" presented by
   the server is not trusted.Type "Y" to accept, "y" to
   accept just once, "n" to refuse, "d" for more details:
   Type Y and press Return.
   The following output appears in the terminal window:
   client-affinity-bind-dn-filters    : any
   client-affinity-criteria           : connection
   client-affinity-ip-address-filters : any
   client-affinity-policy             : write-affinity-after-write
   client-affinity-timeout            : 20s
   description                        : LDAP Proportional Pool
   enable-client-affinity             : false
   load-balancing-algorithm           : proportional
2. Review the current load-balancing weights of each of the three data sources
   configured in the LDAP_Prop_Pool data source pool:
   a. Review load-balancing weights for the LDAP_1 data source:
      # dpconf get-attached-ldap-data-source-prop \
      -p 9389 -w /opt/dsee7/pwd LDAP_Prop_Pool LDAP_1
      The load-balancing weights for the LDAP_1 data source have the value
      1.


   b. Review load-balancing weights for the LDAP_2 data source:
      # dpconf get-attached-ldap-data-source-prop \
      -p 9389 -w /opt/dsee7/pwd LDAP_Prop_Pool LDAP_2
      The load-balancing weights for the LDAP_2 data source have the value
      2.
   c. Review load-balancing weights for the LDAP_3 data source:
      # dpconf get-attached-ldap-data-source-prop \
      -p 9389 -w /opt/dsee7/pwd LDAP_Prop_Pool LDAP_3
      The load-balancing weights for the LDAP_3 data source have the value
      1.
3. Create a new data source pool named LDAP_op_Pool:
   # dpconf create-ldap-data-source-pool -p 9389 \
   -w /opt/dsee7/pwd LDAP_op_Pool
4. Attach the LDAP_1, LDAP_2, and LDAP_3 data sources to the
   LDAP_op_Pool data source pool:
   # dpconf attach-ldap-data-source -p 9389 \
   -w /opt/dsee7/pwd LDAP_op_Pool LDAP_1 LDAP_2 LDAP_3
5. Set the LDAP_op_Pool data source pool's load-balancing method to
   proportional:
   # dpconf set-ldap-data-source-pool-prop -p 9389 \
   -w /opt/dsee7/pwd LDAP_op_Pool \
   load-balancing-algorithm:proportional
6. Configure load-balancing weights, by operation type, for the LDAP_1 data
   source:
   # dpconf set-attached-ldap-data-source-prop -p 9389 \
   -w /opt/dsee7/pwd LDAP_op_Pool LDAP_1 \
   add-weight:disabled bind-weight:disabled \
   compare-weight:1 delete-weight:disabled \
   modify-dn-weight:disabled modify-weight:disabled \
   search-weight:1
   The LDAP_1 data source will receive search and compare requests only.


7. Confirm that you configured the LDAP_1 data source correctly:
   # dpconf get-attached-ldap-data-source-prop -p 9389 \
   -w /opt/dsee7/pwd LDAP_op_Pool LDAP_1
   The following output should appear in the terminal window:
   add-weight       : disabled
   bind-weight      : disabled
   compare-weight   : 1
   delete-weight    : disabled
   modify-dn-weight : disabled
   modify-weight    : disabled
   search-weight    : 1
8. Set the load-balancing weights, by operation type, for the LDAP_2 data
   source:
   # dpconf set-attached-ldap-data-source-prop -p 9389 \
   -w /opt/dsee7/pwd LDAP_op_Pool LDAP_2 \
   add-weight:disabled bind-weight:disabled \
   compare-weight:1 delete-weight:disabled \
   modify-dn-weight:disabled modify-weight:disabled \
   search-weight:1
   The weights are identical to those for the LDAP_1 data source.
9. Confirm that you configured the LDAP_2 data source correctly:
   # dpconf get-attached-ldap-data-source-prop -p 9389 \
   -w /opt/dsee7/pwd LDAP_op_Pool LDAP_2
10. Set the load-balancing weights, by operation type, for the LDAP_3 data
    source:
    # dpconf set-attached-ldap-data-source-prop -p 9389 \
    -w /opt/dsee7/pwd LDAP_op_Pool LDAP_3 \
    add-weight:1 bind-weight:1 \
    compare-weight:disabled delete-weight:1 \
    modify-dn-weight:1 modify-weight:1 \
    search-weight:disabled
    The LDAP_3 data source will receive all request types except search and
    compare requests.

11. Confirm that you configured the LDAP_3 data source correctly:
# dpconf get-attached-ldap-data-source-prop -p 9389 \
-w /opt/dsee7/pwd LDAP_op_Pool LDAP_3
The following output should appear in the terminal window:
add-weight : 1
bind-weight : 1
compare-weight : disabled
delete-weight : 1
modify-dn-weight : 1
modify-weight : 1
search-weight : disabled

12. Review the LDAP_View data view's configuration to determine which data
source pool is configured in the data view:
# dpconf get-ldap-data-view-prop -p 9389 \
-w /opt/dsee7/pwd LDAP_View | grep pool
The following output should appear in the terminal window:
ldap-data-source-pool : LDAP_Prop_Pool

13. Reconfigure the LDAP_View data view to use the LDAP_op_Pool data
source pool:
# dpconf set-ldap-data-view-prop -p 9389 \
-w /opt/dsee7/pwd LDAP_View \
ldap-data-source-pool:LDAP_op_Pool

Task 2 Monitoring Operation Type Load Balancing
Complete the following steps in the zone01 zone:
1. You should still have four terminal windows (or tabs) set up to monitor the
access logs for the dsm1, dsm2, dsm3, and dps1 instances.
If you removed the monitoring setup from your lab system, re-create the
setup using the technique you used in step 1 on page L10-10.

2. Run the ldapsearch utility several times to verify that search requests are
routed only to the LDAP_1 data source (the dsm1 instance) and the
LDAP_2 data source (the dsm2 instance):
# ldapsearch -p 9389 -b ou=People,dc=example,dc=com \
uid=scarter

3. Using any text editor, create two LDIF files that you can use to change the
value of the exampletshirtsize attribute in Sam Carter's directory
entry:
a. Create the /tmp/scarterchg1.ldif file with the following
content:
dn: uid=scarter,ou=People,dc=example,dc=com
changetype: modify
replace: exampleTShirtSize
exampleTShirtSize: mammoth

b. Create the /tmp/scarterchg2.ldif file with the following
content:
dn: uid=scarter,ou=People,dc=example,dc=com
changetype: modify
replace: exampleTShirtSize
exampleTShirtSize: large

4. Run the ldapmodify utility twice to make two attribute value changes to
Sam Carter's directory entry:
# ldapmodify -p 9389 \
-D uid=scarter,ou=People,dc=example,dc=com \
-w sprain -f /tmp/scarterchg1.ldif
# ldapmodify -p 9389 \
-D uid=scarter,ou=People,dc=example,dc=com \
-w sprain -f /tmp/scarterchg2.ldif
Review the directory proxy server log to determine where the requests are
being routed. All requests to modify directory entries should be routed to
the LDAP_3 data source (the dsm3 instance).
Why do you also see requests to modify directory entries in the dsm1 and
dsm2 instances' access logs?

Task 3 Creating a Data Pool with Equal Load Balancing (Optional)
In this task, you define another data source pool that balances access requests to
all three data sources equally.
Complete the following steps in the zone01 zone:
1. Create the LDAP_Fair_Pool data source pool:
# dpconf create-ldap-data-source-pool -p 9389 \
-w /opt/dsee7/pwd LDAP_Fair_Pool

2. Attach the LDAP_1, LDAP_2, and LDAP_3 data sources to the new data
source pool:
# dpconf attach-ldap-data-source -p 9389 \
-w /opt/dsee7/pwd LDAP_Fair_Pool LDAP_1 LDAP_2 LDAP_3

3. Set the LDAP_Fair_Pool data source pool's load-balancing method to the
proportional method:
# dpconf set-ldap-data-source-pool-prop -p 9389 \
-w /opt/dsee7/pwd LDAP_Fair_Pool \
load-balancing-algorithm:proportional

4. By default, attached data sources have all request types disabled. Set
load-balancing weights for the data sources to allow all request types:
a. Set load-balancing weights for the LDAP_1 data source:
# dpconf set-attached-ldap-data-source-prop \
-p 9389 -w /opt/dsee7/pwd LDAP_Fair_Pool LDAP_1 \
add-weight:1 bind-weight:1 \
compare-weight:1 delete-weight:1 \
modify-weight:1 modify-dn-weight:1 \
search-weight:1

b. Confirm that you configured the LDAP_1 data source correctly:
# dpconf get-attached-ldap-data-source-prop \
-p 9389 -w /opt/dsee7/pwd LDAP_Fair_Pool LDAP_1

c. Set load-balancing weights for the LDAP_2 data source:
# dpconf set-attached-ldap-data-source-prop \
-p 9389 -w /opt/dsee7/pwd LDAP_Fair_Pool LDAP_2 \
add-weight:1 bind-weight:1 \
compare-weight:1 delete-weight:1 \
modify-weight:1 modify-dn-weight:1 \
search-weight:1

d. Confirm that you configured the LDAP_2 data source correctly:
# dpconf get-attached-ldap-data-source-prop \
-p 9389 -w /opt/dsee7/pwd LDAP_Fair_Pool LDAP_2

e. Set load-balancing weights for the LDAP_3 data source:
# dpconf set-attached-ldap-data-source-prop \
-p 9389 -w /opt/dsee7/pwd LDAP_Fair_Pool LDAP_3 \
add-weight:1 bind-weight:1 \
compare-weight:1 delete-weight:1 \
modify-weight:1 modify-dn-weight:1 \
search-weight:1

f. Confirm that you configured the LDAP_3 data source correctly:
# dpconf get-attached-ldap-data-source-prop \
-p 9389 -w /opt/dsee7/pwd LDAP_Fair_Pool LDAP_3

5. Reconfigure the LDAP_View data view to use the LDAP_Fair_Pool data
source pool:
# dpconf set-ldap-data-view-prop -p 9389 \
-w /opt/dsee7/pwd LDAP_View \
ldap-data-source-pool:LDAP_Fair_Pool

6. Using your monitoring setup, verify that all request types are distributed
equally to the LDAP_1, LDAP_2, and LDAP_3 data sources.
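The routing that Task 1 (weights by operation type) and Task 3 (equal weights) configure can be reasoned about outside the lab with a small model. The following Python is an added example, not Oracle's code and not the Directory Proxy Server implementation: it parses the weight listing that dpconf get-attached-ldap-data-source-prop prints (the listings in the block are constructed from the values shown in this exercise), keeps only the data sources whose weight for a given operation type is not disabled, and chooses among them in proportion to the weights. The names LDAP_OP_POOL, LDAP_FAIR_POOL, UNCONFIGURED_POOL and all functions are the example's own.

```python
"""Model of per-operation-type load balancing in a data source pool.

Added example, not Oracle's code.  The proportional algorithm is modelled
only as "choose among the data sources whose weight for this operation type
is enabled, in proportion to those weights".
"""
import random
from collections import Counter

OP_TYPES = ("add", "bind", "compare", "delete", "modify-dn", "modify", "search")

# Constructed: what dpconf get-attached-ldap-data-source-prop prints for the
# sources in LDAP_op_Pool after the weights in this task are applied.
LDAP_1_OUTPUT = """\
add-weight        : disabled
bind-weight       : disabled
compare-weight    : 1
delete-weight     : disabled
modify-dn-weight  : disabled
modify-weight     : disabled
search-weight     : 1
"""
LDAP_2_OUTPUT = LDAP_1_OUTPUT            # LDAP_2 gets the same weights
LDAP_3_OUTPUT = """\
add-weight        : 1
bind-weight       : 1
compare-weight    : disabled
delete-weight     : 1
modify-dn-weight  : 1
modify-weight     : 1
search-weight     : disabled
"""
# Constructed: a source attached to a pool but not yet given any weights,
# the default state that Task 3, step 4 describes.
UNWEIGHTED_OUTPUT = "\n".join(f"{op}-weight : disabled" for op in OP_TYPES)


def parse_weights(output):
    """Turn 'xxx-weight : value' lines into {op_type: int or None}.
    None means the operation type is disabled for that data source."""
    weights = {}
    for line in output.splitlines():
        name, sep, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if not sep or not name.endswith("-weight"):
            continue                      # other properties in real output
        weights[name[: -len("-weight")]] = None if value == "disabled" else int(value)
    return weights


def eligible(pool, op_type):
    """Data sources (with their weights) that accept op_type in this pool."""
    return {src: w[op_type] for src, w in pool.items() if w.get(op_type)}


def accepts(pool, op_type):
    """True when at least one attached source has op_type enabled."""
    return bool(eligible(pool, op_type))


def route(pool, op_type, rng=random):
    """Pick one data source for op_type, proportionally to enabled weights.
    Raises LookupError when every attached source has the type disabled."""
    candidates = eligible(pool, op_type)
    if not candidates:
        raise LookupError(f"no data source in pool accepts {op_type} requests")
    sources = list(candidates)
    return rng.choices(sources, weights=[candidates[s] for s in sources])[0]


def simulate(pool, op_type, n, seed=0):
    """Route n requests of op_type with a fixed seed and count where they went."""
    rng = random.Random(seed)
    return Counter(route(pool, op_type, rng) for _ in range(n))


# Pools as configured in Task 1 (by operation type) and Task 3 (equal weights).
LDAP_OP_POOL = {
    "LDAP_1": parse_weights(LDAP_1_OUTPUT),
    "LDAP_2": parse_weights(LDAP_2_OUTPUT),
    "LDAP_3": parse_weights(LDAP_3_OUTPUT),
}
LDAP_FAIR_POOL = {
    src: {op: 1 for op in OP_TYPES} for src in ("LDAP_1", "LDAP_2", "LDAP_3")
}
UNCONFIGURED_POOL = {"LDAP_1": parse_weights(UNWEIGHTED_OUTPUT)}

if __name__ == "__main__":
    for op in ("search", "modify"):
        print(op, dict(simulate(LDAP_OP_POOL, op, 1000)))
    print("fair search", dict(simulate(LDAP_FAIR_POOL, "search", 3000)))
    print("unweighted source accepts bind:", accepts(UNCONFIGURED_POOL, "bind"))
```

Running the module prints where 1000 search and 1000 modify requests land in LDAP_op_Pool (searches split between LDAP_1 and LDAP_2, modifies all on LDAP_3) and where 3000 searches land in LDAP_Fair_Pool. It also shows the failure mode behind Task 3, step 4: a source attached without weights accepts nothing, so a pool made only of such sources has nowhere to route a request, which is the first thing to check when a new data view returns errors for every operation.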

Exercise Summary

Discussion: Take a few minutes to discuss what experiences, issues, or
discoveries you had during the lab exercise.

Experiences

Interpretations

Conclusions

Applications

Lab 11
Configuring Virtualization Using a Directory Proxy Server
After completing this lab, you should be able to:

Create an LDAP data view

Create a joined LDAP/LDIF view

Access relational database data through a directory proxy server

Business Requirements For This Lab


Example Chocolates wants to use directory proxy server to meet some new
business requirements. Some existing applications currently access employee
information from three different types of data sources:

A directory server instance containing HR data. This directory can be
accessed using the LDAP protocol.
The following additional requirement applies to the directory server
instance:
Only HR users and auditors are allowed to access this data.

A directory server instance containing administration data. This directory
cannot be accessed using the LDAP protocol; instead, the administration
department makes an LDIF file available for the applications to use.
The following additional requirements apply to the LDIF file:
Some attributes should not be viewable.
The administration application uses specific names to retrieve
attributes. The LDIF file uses different names for those attributes.
There needs to be a way to map the attribute names in the LDIF file to
the names expected by the administration application so that there is
no need to recode the administration application.
Internal auditors need to read and review the joined contents of the
HR and administration data stores.

A relational database containing payroll data.
The following additional requirements apply to the database:
The payroll application uses specific names to retrieve attributes. The
database tables use different names for those attributes. There needs to
be a way to map the column names in the tables to the names expected
by the payroll application, so that there is no need to recode the
payroll application.
The payroll application needs to write to the database tables.

Example Chocolates wants to use a virtual directory to let the applications use
directory services to access the data stored in the three discrete types of data
sources. In this lab, you configure a virtual directory that meets all of Example
Chocolates' business needs.

Table 11-1 shows the configuration of the virtual directory solution:

Table 11-1 Configuration Objects in the Virtual Directory Solution

Type of Data | Data Source | Data View | Base DN
HR data in a directory server instance accessible using the LDAP protocol | The dsm6 directory server instance | HR_View | dc=example,dc=com
Administration data in an LDIF file | The Example.dps.ad.ldif file | AD_View | o=ad.ldif
Joined contents of HR and administration data | The data sources for HR and administration data | HR_AD_View | dc=example
Payroll data in relational database tables | The users and salary tables in the payroll database | Payroll_View | o=payroll

Sample Data
A Sample Entry From the dsm6 Directory Server Instance
dn: uid=hmiller, ou=People, dc=example,dc=com
employeeNumber: 12014
givenName: Harry
telephoneNumber: +1 408 555 9804
sn: Miller
facsimileTelephoneNumber: +1 408 555 9332
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: hmiller
cn: Harry Miller
userPassword: {SSHA}IWgRfhTv8dnRJBNdq7Qs8NT165/deOlYm2BlOQ==

A Sample Entry From the Example.dps.ad.ldif file


dn: cn=Harry Miller, ou=People, o=ad.ldif
eid: 12014
sn: Miller
department: Human Resources
location: Santa Clara
roomNumber: 4304
mail: hmiller@example.com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Harry Miller
jobstatus:Permanent

Sample Data From the payroll Database

Sample data from the users table:
+----------+--------+----------+----------+-------------------+
| id       | f_name | l_name   | password | job_title         |
+----------+--------+----------+----------+-------------------+
| achassin | Audrey | Chassin  | password | Project Manager   |
| alutz    | Alex   | Lutz     | password | Watchman          |
| ejohnson | Ed     | Johnson  | password | Temp              |
| gtriplet | Glen   | Triplet  | password | Staff             |
| jcampai2 | John   | Campaine | password | J2EE Developer    |
| mlangdon | Matt   | Langdon  | password | Q & A Team Member |
+----------+--------+----------+----------+-------------------+
Sample data from the salary table:
+----------+-------+-------------+--------------+------------+
| id       | grade | ssNumber    | vacationDays | startDate  |
+----------+-------+-------------+--------------+------------+
| achassin | G12   | 333-33-3333 | 12           | 4/1/2005   |
| alutz    | G7    | 111-11-1111 | 4            | 12/31/1987 |
| ejohnson | T5    | 222-22-2222 | 2            | 2/2/2002   |
| gtriplet | G8    | 999-99-9999 | 3            | 6/21/2001  |
| jcampai2 | G4    | 555-55-5555 | 6            | 1/1/1996   |
| mlangdon | G4    | 777-77-7777 | 17           | 3/15/1979  |
+----------+-------+-------------+--------------+------------+
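The requirements listed for this lab (hidden attributes, attribute name mapping, a join of the HR and administration data, column-name mapping for payroll) can be modelled in a few lines of Python before any data view is configured; Exercise 2 builds the real AD_View and join view with dpconf. The following block is an added example and not Oracle's or Directory Proxy Server's code: it parses the sample LDIF entries shown above, hides and renames attributes, joins the HR entry with the administration entry on the employee number, and exposes one row of the users table as an entry under o=payroll. The specific mappings (eid to employeeNumber, id to uid, f_name to givenName, l_name to sn) and the hidden attributes (jobstatus, userPassword, password) are assumptions made for the example; the lab's own mappings are configured in later tasks.

```python
"""Model of the virtual-directory transformations this lab's requirements
describe: hiding attributes, renaming attributes, joining an LDAP entry with
an LDIF entry on a shared key, and exposing relational rows as entries.
Added example, not Oracle's or Directory Proxy Server's code.  Sample entries
and rows come from the Sample Data section; the attribute mappings and the
hidden-attribute sets used below are assumptions made for this example."""

HR_LDIF = """\
dn: uid=hmiller, ou=People, dc=example,dc=com
employeeNumber: 12014
givenName: Harry
sn: Miller
objectClass: inetOrgPerson
uid: hmiller
cn: Harry Miller
userPassword: {SSHA}IWgRfhTv8dnRJBNdq7Qs8NT165/deOlYm2BlOQ==
"""
AD_LDIF = """\
dn: cn=Harry Miller, ou=People, o=ad.ldif
eid: 12014
sn: Miller
roomNumber: 4304
mail: hmiller@example.com
cn: Harry Miller
jobstatus:Permanent
"""
# Constructed from the users table; one row is enough for the model.
USERS_COLS = ("id", "f_name", "l_name", "password", "job_title")
USERS_ROWS = [("achassin", "Audrey", "Chassin", "password", "Project Manager")]

def parse_ldif(text):
    """LDIF -> [{attr: [values]}], attribute names lower-cased (LDAP treats
    them case-insensitively).  Folded lines and comments are handled."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # continuation of previous line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                 # trailing "" flushes last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries

def hide(entry, hidden):
    """Drop attributes the view must not expose."""
    hidden = {h.lower() for h in hidden}
    return {a: v for a, v in entry.items() if a not in hidden}

def rename(entry, mapping):
    """Present attributes under the names the client application expects."""
    mapping = {k.lower(): v.lower() for k, v in mapping.items()}
    return {mapping.get(a, a): v for a, v in entry.items()}

def join(primary, secondary, key):
    """Merge entries whose `key` values match.  The primary view supplies the
    DN and wins on conflicts; primary entries without a match are dropped."""
    index = {e[key][0]: e for e in secondary if key in e}
    merged = []
    for p in primary:
        s = index.get(p.get(key, [None])[0])
        if s is not None:
            m = {a: v for a, v in s.items() if a != "dn"}
            m.update(p)
            merged.append(m)
    return merged

def rows_to_entries(columns, rows, mapping, hidden, base_dn, rdn):
    """Expose table rows as entries, the way a JDBC data view does."""
    out = []
    for row in rows:
        e = {c: [str(v)] for c, v in zip(columns, row)}
        e = rename(hide(e, hidden), mapping)
        e["dn"] = [f"{rdn}={e[rdn][0]},{base_dn}"]
        out.append(e)
    return out

def ad_view():
    """AD_View: jobstatus hidden, eid renamed to employeeNumber (assumed)."""
    return [rename(hide(e, {"jobstatus"}), {"eid": "employeeNumber"})
            for e in parse_ldif(AD_LDIF)]

def hr_ad_view():
    """HR_AD_View for auditors: HR entries joined with AD_View on the
    employee number, with userPassword hidden (assumed)."""
    hr = [hide(e, {"userPassword"}) for e in parse_ldif(HR_LDIF)]
    return join(hr, ad_view(), "employeenumber")

def payroll_view():
    """Payroll_View: column names mapped to LDAP names, password hidden."""
    return rows_to_entries(USERS_COLS, USERS_ROWS,
                           {"id": "uid", "f_name": "givenName", "l_name": "sn"},
                           {"password"}, "o=payroll", "uid")
```

The join deliberately keeps the HR entry's DN and lets HR attributes win on conflict (sn appears in both sources), and it silently drops HR entries with no administration counterpart; when you configure the real join view, decide explicitly which of those behaviours you want, because an auditor reading HR_AD_View will otherwise not notice employees that exist in only one store.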

Exercise 1: Creating an LDAP Data View


In this task, you create and configure the dsm6 directory server instance, which is
the data source for the HR application.
Then you create and configure a new data source, a data source pool, and a data
view in the dps1 directory proxy server, so that the HR application can access
data in the directory using the directory virtualization features in directory proxy
server.
Perform the following tasks:

Task 1 Restarting Zones and Servers


Task 2 Stopping Unused Servers and Disabling Unused Data Sources and
Data Views

Task 3 Creating the dsm6 Directory Server Instance

Task 4 Creating the Data Source, Data Source Pool, and Data View

Preparation
Prerequisite Labs
The following labs are prerequisites for performing this lab:

Introducing Oracle Directory Server EE 11gR1

Searching and Modifying Directory Content

Using Directory Server EE Log Files

Securing Directory Server EE Access

Enforcing Password Policies

Using Certificates With Directory Server EE

Backing Up and Restoring Directory Data

Replicating Directory Server EE Data

Tuning Directory Server EE Performance

Configuring Failover and Load Balancing Using a Directory Proxy Server

The task to prepare your lab system depends on whether you performed the
prerequisite labs, and whether you have performed other labs, in addition to the
prerequisite labs.

Assessing the State of Your Lab System


Using Table A-2 on page A-7 in Working With the Solaris Sandbox, assess the
state of your lab system, then take any additional actions described in the table.

Task 1 Restarting Zones and Servers
If your lab system was not in the Ready to Go, Powered Up state, you need to
bring up zones and start servers.
Perform the following steps if your lab system was not in the Ready to Go,
Powered Up state:
1. Start and log in to the zone01 zone.
For explicit instructions for starting and logging in to zones, refer to Zone
Management Commands in the Solaris Sandbox on page A-3.

2. Start the following servers:
The CACAO server: Refer to Starting the Common Agent
Container (CACAO) on page A-4.
The DSCC registry directory server instance: Refer to Starting the
DSCC Registry Directory Server Instance on page A-4.
The Tomcat Web container that hosts the DSCC Web application:
Refer to Starting the Tomcat Web Container That Hosts the DSCC
Web Application on page A-4.
The dps1 directory proxy server: Refer to Starting the dps1
Directory Proxy Server on page A-5.

You perform the rest of this lab in the zone01 zone.

Task 2 Stopping Unused Servers and Disabling Unused Data Sources and Data Views
In this task, you reset the deployment environment you have created in the
zone01 zone.
You start by making sure that the dps1 directory proxy server is started and all
the directory server instances you worked with in previous labs are stopped. The
dps1 directory proxy server is the only previously created server you use in this
lab. HR data is stored in a new directory server instance that you create in the
next task.
Then you disable the LDAP_1, LDAP_2, and LDAP_3 data sources and the
LDAP_View data view.
You created these configuration objects in the Configuring Failover and Load
Balancing Using a Directory Proxy Server lab. They are not needed for any
subsequent labs. Because you disable the objects rather than delete them, the
objects are available for you to refer to if you want to go back and review the
Configuring Failover and Load Balancing Using a Directory Proxy Server lab.
Note: Several data source pools remain in the dps1 proxy server's configuration
after you complete this task. It is not possible to disable data source pools. This is
not a problem, because the remaining data source pools are not referenced by any
active data views.
Complete the following steps in the zone01 zone:
1. Make sure that all the directory server instances that you worked with in the
preceding labs are stopped:
# dsadm stop /local/dsm1
# dsadm stop /local/dsm2
# dsadm stop /local/dsm3
# dsadm stop /local/dsrh1
# dsadm stop /local/dsr1

2. Restart the dps1 directory proxy server:
# dpadm restart /local/dps1

3. Log in to DSCC.

4. Select the Proxy Servers tab.

5. Select the zone01: 9389 proxy server.

6. Select the Routing tab.
The Data Sources subtab is preselected, and the Data Sources list appears in
DSCC.

7. Disable the data sources you added to your configuration in the previous
lab:
a. Select the three check boxes to the left of the LDAP_1, LDAP_2, and
LDAP_3 data sources.
b. Click Disable.
A confirmation dialog box appears.
c. Click OK.
Messages appear in the Disabling Data Source dialog box as the data
sources are disabled.
d. Click Close to close the Disabling Data Source dialog box.

8. Disable the data view you added to your configuration in the previous lab:
a. Select the Data Views subtab.
b. Select the check box to the left of the LDAP_View data view.
c. Select Disable from the More Data View Actions drop-down menu.
A confirmation dialog box appears.
d. Click OK.
Messages appear in the Disabling Data View dialog box as the data
view is disabled.
e. Click Close to close the Disabling Data View dialog box.

Task 3 Creating the dsm6 Directory Server Instance
In this task, you create the dsm6 directory server instance and its
dc=example,dc=com suffix.
You use the dsm6 directory server instance in the remaining portion of this lab.
Complete the following steps in the zone01 zone:
1. Create the dsm6 directory server instance:
a. In DSCC, navigate to the Common Tasks page.
b. Select Create New Directory Server.
The New Directory Server Wizard starts.


The Step 1: Enter Required Settings dialog box appears.
c. Enter the following values in the Step 1: Enter Required Settings
dialog box:
Host: Known Host: Select zone01.
LDAP Port: 6389
LDAP Secure Port: 6636
Instance Path: /local/dsm6
Directory Manager DN: cn=Directory Manager
Directory Manager Password: sunlearning
Confirm Password: sunlearning
Runtime User ID: root
Runtime User Password: cangetin
DSCC Agent Port: Select Other and type 21162.
Description: Master 6 (dsm6)
d. Click Next.
If the Confirm Password Change dialog box appears, select the
cn=Directory Manager user and click OK.
The Step 2: Choose Additional Settings dialog box appears.
e. Click Next to accept the default setting.
The Step 3: Summary dialog box appears.
f. Review the settings in the Summary dialog box.
g. Click Finish to create the new instance.
Progress messages appear in the Creating New Server dialog box.
h. Click Close.
The Directory Servers page appears. The new instance appears in the
directory servers list.

2. Create and initialize the dc=example,dc=com suffix for the dsm6
instance:
a. Select zone01:6389 from the directory servers list.
b. Select the Suffixes tab.
c. Click New Suffix.
The New Directory Server Wizard starts.
The Step 1: Enter Suffix Name dialog box appears.

d. For the Suffix DN, type dc=example,dc=com.
e. Click Next.
The Step 2: Choose Replication Options dialog box appears.
f. Click Next to accept the default setting.
The Step 2.1: Choose Server(s) dialog box appears.
g. Verify that the zone01:6389 server appears in the Chosen Servers
column.
h. Click Next.
The Step 3: Choose Settings dialog box appears.
i. Click Next to accept the default setting.
The Step 4: Choose Database Location Options dialog box appears.
j. If the Use Default Database Location check box is not checked, select
it.
k. Click Next.
The Step 5: Choose Data Options dialog box appears.
l. Select the Initialize by Importing Contents of an LDIF File option.
m. Enter the following path in the field below the Initialize by Importing
Contents of an LDIF File option:
/opt/ses/shared/lab/Example.dps.hr.ldif
n. Click Next.
The Step 6: Summary dialog box appears.
o. Click Finish to create and initialize the suffix.
The Creating New Suffix dc=example,dc=com dialog box appears.
Progress messages inform you about the status of suffix creation.

p. Click Close.

Note: The set of user entries in the dsm6 directory server instance's
dc=example,dc=com suffix is a different set of entries than the entries with
which you have been working in previous labs. You might want to review the set
of user entries in the new suffix to familiarize yourself with this new sample data.

Task 4 Creating the Data Source, Data Source Pool, and Data View
In this task, you create the following set of configuration objects in the dps1
directory proxy server:
The HR_LDAP data source
The HR_Pool data source pool
The HR_View data view
The configuration objects let you access data in the dsm6 directory server
instance using the dps1 directory proxy server.
After you create these objects, you run the ldapsearch utility to verify that you
configured the objects correctly.
Complete the following steps in the zone01 zone:
1. In DSCC, navigate to the Common Tasks page.

2. Select the Proxy Servers tab.

3. Select the link for the zone01: 9389 proxy server.

4. Select the Routing tab.
The Data Sources subtab is preselected, and the Data Sources list appears in
DSCC.

5. Create the HR_LDAP data source:
a. Click New Data Source to start the New Data Source Wizard.
The Step 1: Specify General Properties dialog box appears.

b. Specify the following values in the Step 1: Specify General Properties
dialog box:
Name: HR_LDAP
Description: HR_LDAP (dsm6)
Read/Write State: Select Read/Write.
Use Registered Directory Server: Select zone01:6389.
TCP No-Delay: Select the Enabled check box.
SSL Policy: Select Never Use SSL.
Note: Verify that you have selected the zone01:6389 directory server instance
before proceeding.
c. Click Next.
The Step 2: Choose Client Identity Forwarding Policy dialog box
appears.
d. Click Next to accept the default settings for the Step 2: Choose Client
Identity Forwarding Policy dialog box.
The Step 3: Specify Number of Connections dialog box appears.
e. Click Next to accept the default settings for the Step 3: Specify
Number of Connections dialog box.
The Step 4: Summary dialog box appears.
f. Click Finish.
Messages appear in the Creating New Data Source dialog box as the
HR_LDAP data source is created.
g. Click Close to terminate the New Data Source Wizard.
The HR_LDAP data source appears in the data sources list in DSCC.

6. Create the HR_Pool data source pool:
a. Select the Data Source Pools subtab.
b. Click New Data Source Pool to start the New Data Source Pool
Wizard.
The Step 1: Enter Name and Choose Data Sources dialog box appears.

c. Specify the following values in the Step 1: Enter Name and Choose
Data Sources dialog box:
Name: HR_Pool
Description: HR Pool
Data Sources: Select the HR_LDAP data source and click Add to
move this data source from the Available Data Sources column to
the Chosen Data Sources column. Make sure that the HR_LDAP
data source is the only data source in the Chosen Data Sources
column.
d. Click Next.
The Step 2: Choose Load Balancing Algorithm dialog box appears.
e. Verify that the Proportional option is selected.
f. Click Next.
The Step 3: Configure Load Balancing Algorithm dialog box appears.
g. Specify the following values for the HR_LDAP data source:
Read/Bind operations: 2
Write operations: 2
h. Click Next.
The Step 4: Summary dialog box appears.
i. Click Finish.
Messages appear in the Creating New Data Source Pool dialog box as
the HR_Pool data source pool is created.
j. Click Close to terminate the New Data Source Pool Wizard.
The HR_Pool data source pool appears in the data source pools list in
DSCC.

7. Create the HR_View data view:
a. Select the Data Views subtab.
b. Click New Data View to start the New Data View Wizard.
The Step 1: Enter Name and Description dialog box appears.
c. Specify the following values in the Step 1: Enter Name and
Description dialog box:
Name: HR_View
Description: HR View
d. Click Next.


The Step 2: Specify Data Settings dialog box appears.
e. Specify the following values in the Step 2: Specify Data Settings
dialog box:
View Base DN: ou=People,dc=example,dc=com
Data Source Pool: Select HR_Pool.
Read/Write State: Select Read/Write.
f. Click Next.
The Step 3: Summary dialog box appears.
g. Click Finish.
Messages appear in the Create New Data View dialog box as the
HR_View data view is created.
h. Click Close to terminate the New Data View Wizard.
The HR_View data view appears in the data views list in DSCC. Its
state is listed as enabled.

8. Confirm that the data from the HR_LDAP data source (the dsm6 directory
server instance) is accessible through the directory proxy server.
Display Kurt Jensen's directory entry:
# ldapsearch -p 9389 -b ou=People,dc=example,dc=com \
uid=kjensen
Entries from the HR_LDAP data source include attributes such as the
employeeNumber, givenname, and telephoneNumber attributes.

Note: If the ldapsearch utility fails with error code 52, you probably specified
the wrong directory server instance when you configured the HR_LDAP data
source. Review the HR_LDAP data source configuration to determine whether a
misconfiguration is the source of your problem.

Exercise 2: Creating a Joined LDAP/LDIF View


In previous exercises, you used directory proxy server LDAP data views to access
entries in directory server instances. You created the LDAP_View and HR_View
data views using DSCC, and DSCC supports only LDAP data views.
In this exercise and the next exercise, you explore other directory virtualization
features available in Directory Server EE. In addition to accessing LDAP
directory entries, Directory Server EE can also access LDIF files and Java
Database Connectivity (JDBC) relational database tables as virtual directory
entries, and can combine elements in multiple data views:
LDIF files are accessed as virtual directory entries using LDIF views.
Relational database tables are accessed as virtual directory entries using
JDBC views.
Combinations of elements from multiple data views of any type are
accessed through join views.

In this exercise, you create the AD_View LDIF view that lets the administration
application access the Example.dps.ad.ldif file as a virtual directory. Then
you create a join view, which lets the auditing application access elements in the
HR_View LDAP view and the AD_View LDIF view using a single operation.
Note: Because DSCC supports only LDAP data views, you use the CLI in this
exercise to create and configure LDIF and join data views.
Perform the following tasks:
Task 1: Creating an LDIF Data View
Task 2: Hiding an Attribute in a Data View
Task 3: Creating Attribute Data Transformations
Task 4: Configuring a Join Data View
Task 5: Restricting Access Using a Connection Handler

Task 1: Creating an LDIF Data View

In this task, you create the AD_View LDIF data view in the dps6 directory proxy
server configuration.
Complete the following steps in the zone01 zone:

Lab 11-16

1. Review the LDIF file that the AD_View data view abstracts:
# more /opt/ses/shared/lab/Example.dps.ad.ldif
Observe that the base DN ou=People,o=ad.ldif applies to the user
entries in the LDIF file.
Also, observe the presence of the following attribute names in user entries:
The eid attribute, which holds the employee ID
The cn attribute
The location attribute
The roomNumber attribute

2. Review attributes in user entries accessed using the HR_View data view:
# ldapsearch -p 9389 -b ou=People,dc=example,dc=com \
uid=kjensen
Observe the presence of the following attribute names in user entries:
The employeeNumber attribute
The cn attribute
After you create the join view later in the exercise, the join view is able to
retrieve attributes from both data views using a single ldapsearch utility
execution.

3. Create a directory for the LDIF file and copy the Example.dps.ad.ldif
file to that directory:
# mkdir /local/dps1/ldif
# cp /opt/ses/shared/lab/Example.dps.ad.ldif \
/local/dps1/ldif

Lab 11-17

4. Use the help feature of the dpconf utility to list the set of subcommands
that you use with LDIF data views:
# dpconf --help | grep ldif
The following subcommands are available:
The create-ldif-data-view subcommand
The delete-ldif-data-view subcommand
The get-ldif-data-view-prop subcommand
The list-ldif-data-views subcommand
The set-ldif-data-view-prop subcommand

5. Type the dpconf create-ldif-data-view subcommand but omit any
arguments, in order to see the command syntax:
# dpconf create-ldif-data-view
Operands are missing
Usage: dpconf create-ldif-data-view VIEW_NAME
LDIF_FILE_NAME SUFFIX_DN

6. Create the AD_View LDIF data view:
# dpconf create-ldif-data-view -p 9389 \
-w /opt/dsee7/pwd AD_View \
/local/dps1/ldif/Example.dps.ad.ldif o=ad.ldif

7. Review the AD_View data view's properties:
# dpconf get-ldif-data-view-prop -p 9389 \
-w /opt/dsee7/pwd AD_View

8. Confirm that the data is accessible through the directory proxy server by
using the ldapsearch utility to search the LDIF data view's base DN:
# ldapsearch -p 9389 -b o=ad.ldif eid=12025
Kurt Jensen's directory entry from the AD_View data view appears.

9. Review the directory proxy server access log:
# tail /local/dps1/logs/access
An entry similar to the following confirms that the search request with base
DN o=ad.ldif was routed to the
/local/dps1/ldif/Example.dps.ad.ldif file and not to an LDAP
data source:
[15/Oct/2009:11:45:05 -0700] - SERVER_OP - INFO conn=10 op=0 SEARCH
base="o=ad.ldif" scope=2 filter="(eid=12025)" attrs="*"
file=/local/dps1/ldif/Example.dps.ad.ldif

Lab 11-18

Task 2: Hiding an Attribute in a Data View

Directory Server EE data views let you hide attributes so they are not seen when
you access directory entries. In this task, you configure the AD_View data view's
mail attribute to be nonviewable.
Complete the following steps in the zone01 zone:

1. Retrieve Sam Carter's user entry using the AD_View data view:
# ldapsearch -p 9389 -b o=ad.ldif "cn=Sam Carter"
Observe that the ldapsearch utility returns the eid, sn, department,
location, roomNumber, mail, cn, and jobstatus attributes.

2. Configure the AD_View so that the mail attribute is not readable:
# dpconf set-ldif-data-view-prop -p 9389 \
-w /opt/dsee7/pwd AD_View non-viewable-attr:mail

3. Repeat the search you performed in step 1.
Observe that the ldapsearch utility returns the eid, sn, department,
location, roomNumber, cn, and jobstatus attributes, but not the mail
attribute.

Task 3: Creating Attribute Data Transformations

The administration application needs to access administrative data, but this data is
maintained in a directory server instance that is unavailable to the application.
However, the administration application is permitted access to the administrative
data using the virtual directory accessed using the AD_View data view.
The administration application accesses the displayName and
employeeNumber attributes. But the LDIF file containing administrative data
names these attributes cn and eid. The application also accesses the office
attribute, which is the concatenation of the location and roomNumber
attributes in the LDIF file.
In this task, you create attribute data transformations that let the administration
application access the AD_View LDIF data view without having to change the
attribute names coded into the application.
Also, applications that access the AD_View data view should not have access to
the jobStatus attribute. In this task, you remove the jobStatus attribute from
the AD_View data view.

Lab 11-19

Complete the following steps in the zone01 zone:

1. Retrieve Sam Carter's user entry using the AD_View data view:
# ldapsearch -p 9389 -b o=ad.ldif "cn=Sam Carter"
Observe that the ldapsearch utility returns the eid, location,
roomNumber, cn, and jobStatus attributes, but does not return the
displayName, employeeNumber, and office attributes.

Lab 11-20

2. Create data transformations for the AD_View data view:
a. Map the cn attribute already available in the AD_View LDIF data
view to the new displayName attribute:
# dpconf add-virtual-transformation -p 9389 \
-w /opt/dsee7/pwd AD_View read \
add-attr displayName \${cn}

Caution: In the add-virtual-transformation commands in steps 2a, 2b,
and 2c, the \ character is used both to indicate command continuation and as
part of the command itself.
Do not type the \ character when it appears at the end of the line in a nonbold
type face.
Do type the \ character when it appears in the middle of the line in a bold type
face.

b. Map the location and roomNumber attributes already available in
the AD_View LDIF data view to the new office attribute:
# dpconf add-virtual-transformation -p 9389 \
-w /opt/dsee7/pwd AD_View read \
add-attr office \${location}-\${roomNumber}

c. Map the eid attribute already available in the AD_View LDIF data
view to the new employeeNumber attribute:
# dpconf add-virtual-transformation -p 9389 \
-w /opt/dsee7/pwd AD_View read \
add-attr employeeNumber \${eid}

3. Confirm that the displayName, office, and employeeNumber attributes
are returned when you run the ldapsearch utility, and that values for these
attributes are the expected values.
# ldapsearch -p 9389 -b o=ad.ldif "cn=Sam Carter"
Observe that the jobStatus attribute is still returned to clients.

Note: The eid, location, roomNumber, and cn attributes are still defined in
the AD_View data view, and, thus, are still returned.

Lab 11-21

4. Create a data transformation that removes the jobStatus attribute from
the AD_View data view for read operations:
# dpconf add-virtual-transformation -p 9389 \
-w /opt/dsee7/pwd AD_View \
read remove-attr jobStatus

5. Confirm that the jobStatus attribute is no longer returned when you run
the ldapsearch utility:
# ldapsearch -p 9389 -b o=ad.ldif "cn=Sam Carter"

6. Review the properties of the virtual transformations configured for the
AD_View data view:
# dpconf list-virtual-transformations -p 9389 \
-w /opt/dsee7/pwd AD_View
The following output appears in the terminal window:
read_add-attr_displayName
read_add-attr_office
read_add-attr_employeeNumber
read_remove-attr_jobStatus

Task 4: Configuring a Join Data View

In this task, you define a join rule that compares the AD_View data view's eid
attribute to the HR_View data view's employeeNumber attribute.
Then you define the HR_AD_View as a join data view that aggregates attributes
from the HR_View and AD_View data views when the join rule's condition is
met.
Complete the following steps in the zone01 zone:

1. Define the join rule to compare the AD_View data view's eid attribute with
the HR_View data view's employeeNumber attribute.
# dpconf set-ldif-data-view-prop -p 9389 \
-w /opt/dsee7/pwd AD_View \
filter-join-rule:eid=\${HR_View.employeeNumber}

Caution: Do not type the \ character when it appears at the end of the line in
a nonbold type face.
Do type the \ character when it appears in the middle of the line in a bold type
face.

Lab 11-22

2. Define the HR_AD_View join data view, using the dc=example DN as the
join view's base DN:
# dpconf create-join-data-view -p 9389 \
-w /opt/dsee7/pwd HR_AD_View HR_View AD_View dc=example

3. Compare the output from the request to the HR_AD_View join data view to
output from requests to the HR_View and AD_View data views:
a. Search for Sam Carter's user entry in the HR_View data view,
specifying the base DN, ou=People,dc=example,dc=com:
# ldapsearch -p 9389 -b \
ou=People,dc=example,dc=com uid=scarter
The mobile attribute appears in the search results. The eid attribute
does not appear in the search results.

b. Search for Sam Carter's user entry in the AD_View data view,
specifying the base DN, o=ad.ldif:
# ldapsearch -p 9389 -b o=ad.ldif "cn=Sam Carter"
The eid attribute appears in the search results. The mobile attribute
does not appear in the search results.

c. Search for Sam Carter's user entry in the HR_AD_View join view,
specifying the base DN, dc=example:
# ldapsearch -p 9389 -b dc=example uid=scarter
Both the mobile and eid attributes appear in the search results.
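To make the read path of Tasks 2 to 4 concrete, here is an added Python simulation (not Directory Proxy Server code and not part of the lab) of what AD_View and HR_AD_View return: the non-viewable-attr setting, the four add-virtual-transformation rules with their ${attr} templates, and the filter-join-rule applied to constructed stand-ins for Sam Carter's entries. Hiding before transforming, refusing partially filled template values, and HR_View being the primary (DN-providing) side of the join are assumptions.

```python
import re
from typing import Dict, List

Entry = Dict[str, List[str]]  # attribute name (lower-cased) -> values

# Constructed stand-in for Sam Carter's entry in Example.dps.ad.ldif (AD_View).
AD_LDIF = """\
dn: cn=Sam Carter,ou=People,o=ad.ldif
cn: Sam Carter
sn: Carter
eid: 12043
department: Accounting
location: Santa Clara
roomNumber: 4612
mail: scarter@example.com
jobStatus: active
"""

# Constructed stand-in for the same person as served through HR_View.
HR_LDIF = """\
dn: uid=scarter,ou=People,dc=example,dc=com
uid: scarter
cn: Sam Carter
sn: Carter
employeeNumber: 12043
telephoneNumber: +1 408 555 4798
mobile: +1 408 555 1212
"""

# Task 2: non-viewable-attr:mail
NON_VIEWABLE = {"mail"}
# Task 3: the four add-virtual-transformation commands, in creation order.
TRANSFORMATIONS = [
    ("read", "add-attr", "displayName", "${cn}"),
    ("read", "add-attr", "office", "${location}-${roomNumber}"),
    ("read", "add-attr", "employeeNumber", "${eid}"),
    ("read", "remove-attr", "jobStatus", None),
]
# Task 4: filter-join-rule:eid=${HR_View.employeeNumber}
JOIN_RULE = ("eid", "HR_View", "employeeNumber")
_REF = re.compile(r"\$\{(\w+)\}")


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader; LDAP attribute names are case-insensitive, so keys are lower-cased."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def expand(template: str, entry: Entry):
    """Substitute each ${attr} with the entry's first value for that attribute.
    Returns None if any referenced attribute is absent (assumption: no partial values)."""
    if any(not entry.get(name.lower()) for name in _REF.findall(template)):
        return None
    return _REF.sub(lambda m: entry[m.group(1).lower()][0], template)


def read_through_ad_view(entry: Entry) -> Entry:
    """What a client sees through AD_View: hidden attributes are dropped first,
    then the read transformations are applied (assumed order)."""
    view = {k: list(v) for k, v in entry.items() if k not in NON_VIEWABLE}
    for operation, kind, attr, template in TRANSFORMATIONS:
        if operation != "read":
            continue
        if kind == "add-attr":
            value = expand(template, view)
            if value is not None:
                view.setdefault(attr.lower(), []).append(value)
        elif kind == "remove-attr":
            view.pop(attr.lower(), None)
    return view


def read_through_join_view(hr_entries: List[Entry], ad_entries: List[Entry]) -> List[Entry]:
    """HR_AD_View: HR_View is the primary view (first argument to create-join-data-view);
    each HR entry is merged with the AD_View entry whose eid equals its employeeNumber."""
    join_attr, _, hr_attr = JOIN_RULE
    ad_by_key = {v: e for e in ad_entries for v in e.get(join_attr.lower(), [])}
    joined = []
    for hr in hr_entries:
        merged = {k: list(v) for k, v in hr.items()}
        for key in hr.get(hr_attr.lower(), []):
            for attr, values in ad_by_key.get(key, {}).items():
                if attr == "dn":
                    continue  # the join view keeps the primary entry's DN
                for value in values:
                    if value not in merged.setdefault(attr, []):
                        merged[attr].append(value)
        joined.append(merged)
    return joined


def search(entries: List[Entry], attr: str, value: str) -> List[Entry]:
    """Equality filter (attr=value), case-insensitive on the value."""
    return [e for e in entries if value.lower() in (v.lower() for v in e.get(attr.lower(), []))]
```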

Lab 11-23

Task 5: Restricting Access Using a Connection Handler

At this stage of your deployment, any user with sufficient access rights can access
all the data views. But one of the business requirements is to restrict access so
that the HR department applications can access only HR data, which is available
through the HR_View data view.
A connection handler lets you restrict access to a virtual directory. You define
filtering criteria (for example, user DNs, internet protocol (IP) addresses, domain
names, or authentication methods) and a list of data views, and Directory Server
EE restricts access based on the filters to the specified parts of the virtual
directory.
In this task, the hr_user user is assumed to be the login ID for HR department
applications. By specifying the hr_user user in the filtering criteria, you
configure Directory Server EE to restrict HR department applications' access to
the virtual directory.
You use DSCC in this task. DSCC supports the creation and configuration of
connection handlers, even when configuring routing to LDIF and join data views.
Complete the following steps in the zone01 zone:

1. Confirm that the hr_user user can currently access Kurt Jensen's directory
data using the HR_View, AD_View, and HR_AD_View data views:
a. Attempt to access Kurt Jensen's directory data using the HR_View
data view:
# ldapsearch -D \
uid=hr_user,ou=People,dc=example,dc=com \
-w password -p 9389 \
-b ou=People,dc=example,dc=com \
uid=kjensen telephonenumber department
The telephonenumber attribute appears.

Lab 11-24

b. Attempt to access Kurt Jensen's directory data using the AD_View
data view:
# ldapsearch -D \
uid=hr_user,ou=People,dc=example,dc=com \
-w password -p 9389 -b o=ad.ldif \
"cn=kurt jensen" telephonenumber department
The department attribute appears.

c. Attempt to access Kurt Jensen's directory data using the HR_AD_View
data view:
# ldapsearch -D \
uid=hr_user,ou=People,dc=example,dc=com \
-w password -p 9389 -b dc=example \
uid=kjensen telephonenumber department
The telephonenumber and department attributes appear.

Note: A convenient way to distinguish between the data in the HR_View and
AD_View data views is to request the telephonenumber and department
attributes. The telephonenumber attribute is present only in the HR_View data
view, whereas the department attribute is present only in the AD_View data
view. Therefore, the telephonenumber attribute is returned from searches that
access the HR_View data view, the department attribute is returned from
searches that access the AD_View data view, and both attributes are returned from
searches that access the HR_AD_View join data view.

2. Confirm that the alutz user can also access Kurt Jensen's directory data
using the HR_View, AD_View, and HR_AD_View data views:
a. Attempt to access Kurt Jensen's directory data using the HR_View
data view:
# ldapsearch -D \
uid=alutz,ou=People,dc=example,dc=com \
-w password -p 9389 \
-b ou=People,dc=example,dc=com \
uid=kjensen telephonenumber department
The telephonenumber attribute appears.

Lab 11-25

b. Attempt to access Kurt Jensen's directory data using the AD_View
data view:
# ldapsearch -D \
uid=alutz,ou=People,dc=example,dc=com \
-w password -p 9389 -b o=ad.ldif \
"cn=kurt jensen" telephonenumber department
The department attribute appears.

c. Attempt to access Kurt Jensen's directory data using the HR_AD_View
data view:
# ldapsearch -D \
uid=alutz,ou=People,dc=example,dc=com \
-w password -p 9389 -b dc=example \
uid=kjensen telephonenumber department
The telephonenumber and department attributes appear.

3. In DSCC, navigate to the zone01:9389 proxy server page.

4. Select the Connections tab.

5. Create the HR_App connection handler:
a. Click New Connection Handler to start the New Connection Handler
Wizard.
The Step 1: Enter Name And Description dialog box appears.

b. Specify the following values in the Step 1: Enter Name And
Description dialog box:
Name: HR_App
Description: Restrict access for HR users

c. Click Next.
The Step 2: Specify Matching Criteria dialog box appears.

d. Specify the following values in the Step 2: Specify Matching Criteria
dialog box:
Connections: Select Connection Handler Only Applies to
Connections Matching Criteria Below.
Criteria: Select Bind DN from the drop-down menu and type
uid=hr_user,ou=People,dc=example,dc=com in the field
to the right of the drop-down menu. Then click Add. The bind
DN filter appears in the text box below the drop-down menu.

e. Click Next.
The Step 3: Choose Policies dialog box appears.

Lab 11-26


f. Accept the default selections and click Next.
The Step 4: Choose Data Views dialog box appears.

g. Specify the following values in the Step 4: Choose Data Views dialog
box:
Data Views: Select Route Requests Only to Data Views Specified
Below.

h. Select the HR_View data view from the Available Data Views column
and click Add.
The HR_View data view appears in the Chosen Data Views column.

i. Click Next.
The Step 5: Summary dialog box appears.

j. Click Finish.
Messages appear in the Creating New Connection Handler dialog box
as the HR_App connection handler is created.

k. Click Close to terminate the New Connection Handler Wizard.
The HR_App connection handler appears in the connection handlers
list.

6. Log out of DSCC.

7. In a terminal window, run the same ldapsearch utility commands that you
ran in step 1, authenticating as the hr_user user.
If the connection handler is working correctly, the hr_user user should
only be able to access Kurt Jensen's directory data using the HR_View data
view.
Messages similar to the following appear when the hr_user user attempts
to access Kurt Jensen's directory data using the AD_View data view:
ldap_search: No such object
ldap_search: additional info: The entry "o=ad.ldif" is
not handled by the server.
Messages similar to the following appear when the hr_user user attempts
to access Kurt Jensen's directory data using the HR_AD_View data view:
ldap_search: No such object
ldap_search: additional info: The entry "dc=example" is
not handled by the server.

Lab 11-27

8. Review the directory proxy server access log:
# tail /local/dps1/logs/access
An entry similar to the following confirms that the HR_App connection
handler was called:
[15/Oct/2009:01:31:35 -0700] - PROFILE - INFO conn=135 assigned to connection handler
cn=HR_App,cn=connection handlers,cn=config

9. Run the same ldapsearch utility commands that you ran in step 2,
authenticating as the alutz user.
The alutz user should still be able to access Kurt Jensen's directory data
using all three data views. The filter defined in the HR_App connection
handler does not apply to the alutz user.
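The connection-handler behaviour exercised in steps 7 to 9, as an added Python model (not Directory Proxy Server code): handler selection on the bind DN, routing of a search by matching its base DN against the base DNs of the permitted data views, the "not handled by the server" rejection, and the shape of the PROFILE record read back in step 8. The handler evaluation order, the name of the catch-all handler, and the naive DN splitting (no escaped commas) are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Base DNs of the data views created earlier in this exercise.
DATA_VIEWS: Dict[str, str] = {
    "HR_View": "ou=People,dc=example,dc=com",
    "AD_View": "o=ad.ldif",
    "HR_AD_View": "dc=example",
}


def rdns(dn: str) -> List[str]:
    """Split a DN into normalised RDNs (assumption: no escaped commas in values)."""
    return [part.strip().lower() for part in dn.split(",")]


def is_at_or_below(base_dn: str, view_base: str) -> bool:
    """True when base_dn equals view_base or is an entry beneath it."""
    base, suffix = rdns(base_dn), rdns(view_base)
    return len(base) >= len(suffix) and base[-len(suffix):] == suffix


@dataclass(frozen=True)
class ConnectionHandler:
    name: str
    bind_dns: Optional[frozenset]          # None: applies to every connection
    data_views: Optional[Tuple[str, ...]]  # None: route to all data views


# HR_App as created in step 5 (Bind DN criterion, HR_View only), followed by
# the catch-all handler every proxy has (name assumed).
HANDLERS = [
    ConnectionHandler("HR_App",
                      frozenset({",".join(rdns("uid=hr_user,ou=People,dc=example,dc=com"))}),
                      ("HR_View",)),
    ConnectionHandler("default connection handler", None, None),
]


def assign_handler(bind_dn: str, handlers=HANDLERS) -> ConnectionHandler:
    """First handler whose criteria match the connection's bind DN wins
    (assumed evaluation order: specific handlers before the default)."""
    key = ",".join(rdns(bind_dn))
    for handler in handlers:
        if handler.bind_dns is None or key in handler.bind_dns:
            return handler
    raise LookupError("no connection handler matched")


def profile_log_line(conn_id: int, handler: ConnectionHandler) -> str:
    """Shape of the PROFILE record that step 8 reads back from the access log."""
    return (f"conn={conn_id} assigned to connection handler "
            f"cn={handler.name},cn=connection handlers,cn=config")


def route_search(bind_dn: str, base_dn: str) -> Tuple[str, List[str], Optional[str]]:
    """Return (handler name, data views the search is routed to, error text).
    A base DN outside every permitted data view is rejected as in step 7."""
    handler = assign_handler(bind_dn)
    permitted = tuple(DATA_VIEWS) if handler.data_views is None else handler.data_views
    routed = [view for view in permitted if is_at_or_below(base_dn, DATA_VIEWS[view])]
    if not routed:
        return handler.name, [], f'No such object: The entry "{base_dn}" is not handled by the server.'
    return handler.name, routed, None
```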

Lab 11-28

Oracle Directory Server EE 11gR1: Maintenance and Operations


Copyright 2010, Oracle and/or it affiliates. All rights reserved.

Oracle University and QUASIUS INVESTMENT CORP use only

THESE eKIT MATERIALS ARE FOR YOUR USE IN THIS CLASSROOM ONLY. COPYING eKIT MATERIALS FROM THIS COMPUTER IS STRICTLY PROHIBITED

Exercise 2: Creating a Joined LDAP/LDIF View

Exercise 3: Accessing Relational Database Data Through a Directory Proxy Server

The payroll database is made up of two tables, the users and salary tables.
The payroll application needs access to this information using directory services.
In this exercise, you install MySQL software. Then you install the Payroll
database and its two tables. Then you create a JDBC data view, which lets the
payroll application access the relational database using directory services.
Perform the following tasks:
Task 1: Installing and Configuring MySQL and the MySQL JDBC Driver
Task 2: Configuring a JDBC Data View
Task 3: Emulating LDAP Schema for the JDBC Data View
Task 4: Writing to a Relational Database Using a JDBC Data View

Task 1: Installing and Configuring MySQL and the MySQL JDBC Driver

In this task, you install and configure MySQL database version 5.1.30 and the
MySQL JDBC driver version 5.1.7.
Complete the following steps in the zone01 zone:

1. Install MySQL database software and create a symbolic link, /mysql, to
reduce the amount of typing:
# cd /
# gzip -dc /opt/ses/shared/software/mysql-5.1.30-solaris10-i386.tar.gz | \
tar xvf -
# ln -s /mysql-5.1.30-solaris10-i386 /mysql

2. Copy the JAR file containing the MySQL driver to the /mysql directory
and rename the JAR file to the jdbc.jar file:
# cp /opt/ses/shared/software/mysql-connector-java-5.1.7/mysql-connector-java-5.1.7-bin.jar \
/mysql/jdbc.jar

Lab 11-29

3. Copy a MySQL startup script to the /etc/init.d directory:
# cp /opt/ses/shared/lab/mysql.sh /etc/init.d/mysql

4. Initialize the MySQL database tables:
# cd /mysql
# ./scripts/mysql_install_db
Output appears in the terminal window while the tables are initialized.

5. Start the MySQL server daemon:
# /etc/init.d/mysql start
Messages similar to the following appear in the terminal window:
Starting mySQL...
    root 14719 14718   1 02:13:06 pts/4       0:00 /bin/sh ./bin/mysqld_safe --user=root
    root 14718 13335   0 02:13:06 pts/4       0:00 /usr/bin/sh /etc/init.d/mysql start
    root 14759 14719   2 02:13:07 pts/4       0:01 /mysql-5.1.30-solaris10-i386/bin/mysqld --basedir=/mysql-5.1.30-solaris10-i386

6. Verify that MySQL is operational:
a. Start the MySQL monitor:
# cd /mysql/bin
# ./mysql -u root
The MySQL monitor appears:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.1.30 MySQL Community Server (GPL)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>

b. Execute the show databases command to test MySQL operation:
mysql> show databases;
Output from the show databases command indicates the presence
of the information_schema, mysql, and test databases.

c. Execute the quit command to terminate the MySQL monitor:
mysql> quit;

Lab 11-30


7. Use the provided script to create the payroll database:
# ./mysql -u root < \
/opt/ses/shared/lab/create_payroll_tables.mysql

8. Confirm that the database and its two tables were created:
# ./mysqlshow payroll
Output in the terminal window indicates that the payroll database was
created with two tables, the salary and users tables.

9. Use the provided script to populate the payroll database with data:
# ./mysql -u root < \
/opt/ses/shared/lab/add_payroll_data.mysql

10. Review the data in the payroll.users and payroll.salary tables:
a. Start the MySQL monitor and access the payroll database:
# ./mysql
mysql> use payroll;

b. Review the data in the users table:
mysql> select * from users;
+----------+--------+----------+----------+-------------------+
| id       | f_name | l_name   | password | job_title         |
+----------+--------+----------+----------+-------------------+
| achassin | Audrey | Chassin  | password | Project Manager   |
| alutz    | Alex   | Lutz     | password | Watchman          |
| ejohnson | Ed     | Johnson  | password | Temp              |
| gtriplet | Glen   | Triplet  | password | Staff             |
| jcampai2 | John   | Campaine | password | J2EE Developer    |
| mlangdon | Matt   | Langdon  | password | Q & A Team Member |
+----------+--------+----------+----------+-------------------+
6 rows in set (0.01 sec)

Lab 11-31


c. Review the data in the salary table:
mysql> select * from salary;
+----------+-------+-------------+--------------+------------+
| id       | grade | ssNumber    | vacationDays | startDate  |
+----------+-------+-------------+--------------+------------+
| achassin | G12   | 333-33-3333 | 12           | 4/1/2005   |
| alutz    | G7    | 111-11-1111 | 4            | 12/31/1987 |
| ejohnson | T5    | 222-22-2222 | 2            | 2/2/2002   |
| gtriplet | G8    | 999-99-9999 | 3            | 6/21/2001  |
| jcampai2 | G4    | 555-55-5555 | 6            | 1/1/1996   |
| mlangdon | G4    | 777-77-7777 | 17           | 3/15/1979  |
+----------+-------+-------------+--------------+------------+
6 rows in set (0.00 sec)

d. Stop the MySQL monitor:
mysql> quit;

Lab 11-32


Task 2: Configuring a JDBC Data View

In this task, you create a JDBC data view in the dps6 directory proxy server
configuration.
First, you define the Payroll_Data JDBC data source. Then you define the
Payroll_Pool data source pool, which references the Payroll_Data JDBC
data source. Finally, you create the Payroll_View JDBC data view, which
references the Payroll_Pool data source pool.
Because DSCC supports only LDAP data sources and data views, you use the
CLI to create and configure the JDBC data views and related configuration
objects.
Complete the following steps in the zone01 zone:

1. Define the payroll database as a JDBC data source:
# dpconf create-jdbc-data-source -b payroll \
-B jdbc:mysql:/// -J file:/mysql/jdbc.jar \
-S com.mysql.jdbc.Driver -p 9389 \
-w /opt/dsee7/pwd Payroll_Data
The preceding dpconf utility uses the following parameters:
-b: The name of the MySQL database
-B: The JDBC URL
-J: The location of the MySQL JDBC driver
-S: The JDBC driver class
Payroll_Data: The JDBC data source created by the dpconf utility

Lab 11-33


2. Configure the directory proxy server to use the dbuser user to access the
payroll database:
# dpconf set-jdbc-data-source-prop -p 9389 \
-w /opt/dsee7/pwd Payroll_Data db-user:dbuser \
db-pwd-file:/opt/dsee7/pwd
The following message appears:
The proxy server will need to be restarted in order for
the changes to take effect

Note: In the /opt/ses/shared/lab/create_payroll_tables.mysql
script, which is the script you used to create the payroll database and its tables,
full access to the payroll database is granted to the dbuser user. The dbuser
user's password is sunlearning. This password is available in the
/opt/dsee7/pwd file. Therefore, you set the db-pwd-file property to the
value /opt/dsee7/pwd.

3. Restart the dps1 directory proxy server:
# dpadm restart /local/dps1

4. Review the Payroll_Data data source properties:
# dpconf get-jdbc-data-source-prop -p 9389 \
-w /opt/dsee7/pwd Payroll_Data
The data source is enabled, and the data source is not read-only.

5. Create the Payroll_Pool data source pool:
# dpconf create-jdbc-data-source-pool -p 9389 \
-w /opt/dsee7/pwd Payroll_Pool

6. Attach the Payroll_Data data source to the Payroll_Pool data source
pool:
# dpconf attach-jdbc-data-source -p 9389 \
-w /opt/dsee7/pwd Payroll_Pool Payroll_Data

7. Create the Payroll_View JDBC data view, specifying the
Payroll_Pool data source pool and the base DN o=payroll:
# dpconf create-jdbc-data-view -p 9389 \
-w /opt/dsee7/pwd Payroll_View Payroll_Pool o=payroll

8. (Optional) Verify that you have configured the data source, data source
pool, and data view correctly. Use the dpconf --help | grep list-jdbc
command to determine which dpconf utility options to use for
verification.

Lab 11-34


Task 3: Emulating LDAP Schema for the JDBC Data View

In order for directory proxy server to return data that resembles LDAP objects
from operations on a JDBC data view, you must configure a set of entities that
emulate LDAP schema.
In this task, you define attributes and object classes in the directory proxy server
that are used when the JDBC data view builds directory entries in response to
queries and other operations.
At the end of this task, configuration of the JDBC data view is complete, and you
perform a test query on the JDBC data view.
Complete the following steps in the zone01 zone:

1. Review the structure of the payroll database. Refer to the results of
   the SQL select statements you ran when you performed step 10 on
   page L11-31.

2. Before you can define emulated attributes, you must define tables in
   directory proxy server. Directory proxy server tables map to relational
   database tables. Create tables in directory proxy server that map to the
   payroll database tables:

   a. Create the Payroll_Users table in directory proxy server to map to
      the users table in the payroll database:

      # dpconf create-jdbc-table -p 9389 \
      -w /opt/dsee7/pwd Payroll_Users users

   b. Create the Payroll_Salary table in directory proxy server to map
      to the salary table in the payroll database:

      # dpconf create-jdbc-table -p 9389 \
      -w /opt/dsee7/pwd Payroll_Salary salary

3. Add attributes to the directory proxy server Payroll_Users table that
   map to the users table's columns:

   a. Create the uid attribute and map it to the id column:

      # dpconf add-jdbc-attr -p 9389 \
      -w /opt/dsee7/pwd Payroll_Users uid id
   b. Create the givenname attribute and map it to the f_name column:

      # dpconf add-jdbc-attr -p 9389 \
      -w /opt/dsee7/pwd Payroll_Users givenname f_name

   c. Create the sn attribute and map it to the l_name column:

      # dpconf add-jdbc-attr -p 9389 \
      -w /opt/dsee7/pwd Payroll_Users sn l_name

      Note: Be sure to use the letter l and not the number 1 when you type
      the l_name column.

   d. Create the userpassword attribute and map it to the password column:

      # dpconf add-jdbc-attr -p 9389 \
      -w /opt/dsee7/pwd Payroll_Users \
      userpassword password

   e. Create the title attribute and map it to the job_title column:

      # dpconf add-jdbc-attr -p 9389 \
      -w /opt/dsee7/pwd Payroll_Users title job_title

4. Add attributes to the directory proxy server Payroll_Salary table that
   map to the salary table's columns:

   a. Create the pay_grade attribute and map it to the grade column:

      # dpconf add-jdbc-attr -p 9389 \
      -w /opt/dsee7/pwd Payroll_Salary pay_grade grade

   b. Create the ssn attribute and map it to the ssNumber column:

      # dpconf add-jdbc-attr -p 9389 \
      -w /opt/dsee7/pwd Payroll_Salary ssn ssNumber

   c. Create the vacationdays attribute and map it to the vacationdays
      column:

      # dpconf add-jdbc-attr -p 9389 \
      -w /opt/dsee7/pwd Payroll_Salary vacationdays \
      vacationdays
   d. Create the startdate attribute and map it to the startDate column:

      # dpconf add-jdbc-attr -p 9389 \
      -w /opt/dsee7/pwd Payroll_Salary startdate \
      startDate

5. Verify that you created the directory proxy server attributes correctly:

   a. Verify that you created attributes for the directory proxy server
      Payroll_Users table correctly:

      # dpconf list-jdbc-attrs -p 9389 \
      -w /opt/dsee7/pwd Payroll_Users

      The following output should appear in the terminal window:

      givenname
      sn
      title
      uid
      userpassword

   b. Verify that you created attributes for the directory proxy server
      Payroll_Salary table correctly:

      # dpconf list-jdbc-attrs -p 9389 \
      -w /opt/dsee7/pwd Payroll_Salary

      The following output should appear in the terminal window:

      pay_grade
      ssn
      startdate
      vacationdays
6. Create the emulated exampleperson object class for the JDBC view,
   defining the Payroll_Users table as the primary table for the object class
   and the Payroll_Salary table as the secondary table for the object class:

   # dpconf create-jdbc-object-class -p 9389 \
   -w /opt/dsee7/pwd Payroll_View exampleperson \
   Payroll_Users Payroll_Salary uid

   Note: The DN of an entry built by a JDBC object class is constructed from
   the last parameter of the dpconf create-jdbc-object-class command (the
   attribute used as the RDN) and the base DN of the JDBC data view. In this
   example, the DN is constructed from the uid attribute and the base DN of
   the Payroll_View data view, o=payroll, so entries have DNs of the form
   uid=<id>,o=payroll. You need these DNs when you run the ldapmodify
   utility and define ACIs in the next task.

7. Verify that you created the object class correctly:

   # dpconf list-jdbc-object-classes -p 9389 \
   -w /opt/dsee7/pwd Payroll_View

   The following output should appear in the terminal window:

   exampleperson

8. Define the superclass (the LDAP object class from which the JDBC object
   class inherits attributes) as the inetOrgPerson object class:

   # dpconf set-jdbc-object-class-prop -p 9389 \
   -w /opt/dsee7/pwd Payroll_View exampleperson \
   super-class:inetOrgPerson

9. The join rule defines how data from the Payroll_Salary table (which
   was defined as the secondary table) is linked to data from the
   Payroll_Users table (which was defined as the primary table).
   Define the join rule to compare the salary table's id column with the
   users table's id column:

   # dpconf set-jdbc-table-prop -p 9389 \
   -w /opt/dsee7/pwd Payroll_Salary \
   filter-join-rule:id=\${users.id}

   Caution: The backslash at the end of a line in the commands above is a
   shell line-continuation character. Either type the command on a single
   line without it, or type it and press Return to continue the command on
   the next line. The backslash before the $ in filter-join-rule:id=\${users.id}
   is different: it is part of what you must type, because it stops the shell
   from expanding ${users.id} as a shell variable before dpconf sees it. The
   value that directory proxy server stores is id=${users.id}.
10. Verify that the data in the payroll database is now accessible by running
    the ldapsearch utility against the directory proxy server:

    # ldapsearch -p 9389 -b o=payroll uid=achassin

    The following output should appear in the terminal window:

    version: 1
    dn: uid=achassin,o=payroll
    objectclass: inetOrgPerson
    objectclass: exampleperson
    sn: Chassin
    title: Project Manager
    userpassword: password
    uid: achassin
    givenname: Audrey
    startdate: 4/1/2005
    ssn: 333-33-3333
    pay_grade: G12
    vacationdays: 12

    Observe the following results:

    - The user's DN is uid=achassin,o=payroll. For information about DN
      construction in a JDBC data view, review step 6.
    - The inetOrgPerson and exampleperson object classes are returned as
      part of the directory data. For information about object classes in a
      JDBC data view, review steps 6 and 8.
    - The attributes that are returned have the same values as the data in
      the database tables, but the attribute names differ from the relational
      database table column names. For information about column to attribute
      mapping in a JDBC data view, review steps 3 and 4.
    - The search was not authenticated (no -D or -w option), yet the
      userpassword and ssn values came back in the clear. Nothing configured
      so far restricts what a search can read from the view; access control
      for the view is only added in Task 4. In a real deployment, do not map
      columns such as password or ssNumber into a view unless an ACI limits
      who can read them.
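The following Python script is an added example; it is not part of the Oracle lab guide and not directory proxy server code. It models what Task 3 configured: the same column-to-attribute mappings, the primary/secondary table relationship, the join rule, and the DN construction rule from step 6, applied to a few rows of constructed sample data (achassin's values are copied from the ldapsearch output above; the ejohnson row and its missing salary row are invented to show what an entry looks like when the secondary table has no matching row). It also regenerates the dpconf add-jdbc-attr commands from the same mapping tables, so you can diff them against what you typed. The LEFT OUTER JOIN semantics, the IS NOT NULL check on the primary key, and the case-insensitive equality match are taken from the SQL statement that the access log shows in step 11.

```python
"""Model of the Payroll_View JDBC data view (added example, not DPS code)."""

BASE_DN = "o=payroll"
RDN_ATTR = "uid"                  # last argument of create-jdbc-object-class
OBJECT_CLASSES = ["inetOrgPerson", "exampleperson"]   # super-class + JDBC class

# dpconf add-jdbc-attr ... Payroll_Users <attribute> <column>
USERS_ATTRS = {
    "uid": "id",
    "givenname": "f_name",
    "sn": "l_name",
    "userpassword": "password",
    "title": "job_title",
}
# dpconf add-jdbc-attr ... Payroll_Salary <attribute> <column>
SALARY_ATTRS = {
    "pay_grade": "grade",
    "ssn": "ssNumber",
    "vacationdays": "vacationdays",
    "startdate": "startDate",
}
# filter-join-rule:id=${users.id} on the secondary table
JOIN_SALARY_COL, JOIN_USERS_COL = "id", "id"

# Constructed sample rows. achassin's values match the lab output; the
# ejohnson row is invented and deliberately has no salary row.
USERS = [
    {"id": "achassin", "f_name": "Audrey", "l_name": "Chassin",
     "password": "password", "job_title": "Project Manager"},
    {"id": "ejohnson", "f_name": "Ed", "l_name": "Johnson",
     "password": "password", "job_title": "Temp"},
]
SALARY = [
    {"id": "achassin", "grade": "G12", "ssNumber": "333-33-3333",
     "vacationdays": "12", "startDate": "4/1/2005"},
]


def build_entries(users=USERS, salary=SALARY):
    """Return {dn: attrs} for every primary-table row (LEFT OUTER JOIN)."""
    by_join_key = {row[JOIN_SALARY_COL]: row for row in salary}
    entries = {}
    for user in users:
        if user.get(JOIN_USERS_COL) is None:   # WHERE users.id IS NOT NULL
            continue
        attrs = {"objectclass": list(OBJECT_CLASSES)}
        for attr, col in USERS_ATTRS.items():
            attrs[attr] = user[col]
        sal = by_join_key.get(user[JOIN_USERS_COL])
        if sal is not None:                     # secondary row may be absent
            for attr, col in SALARY_ATTRS.items():
                attrs[attr] = sal[col]
        dn = f"{RDN_ATTR}={attrs[RDN_ATTR]},{BASE_DN}"
        entries[dn] = attrs
    return entries


def search(filter_attr, filter_value, entries=None):
    """Equality match, case-insensitive like the UPPER(...) in the logged SQL."""
    entries = build_entries() if entries is None else entries
    return {dn: a for dn, a in entries.items()
            if str(a.get(filter_attr, "")).upper() == filter_value.upper()}


def dpconf_attr_commands(port=9389, pwd_file="/opt/dsee7/pwd"):
    """Regenerate the add-jdbc-attr commands from the mapping tables above."""
    cmds = []
    for table, mapping in (("Payroll_Users", USERS_ATTRS),
                           ("Payroll_Salary", SALARY_ATTRS)):
        for attr, col in mapping.items():
            cmds.append(f"dpconf add-jdbc-attr -p {port} -w {pwd_file} "
                        f"{table} {attr} {col}")
    return cmds


if __name__ == "__main__":
    for dn, attrs in search("uid", "achassin").items():
        print("dn:", dn)
        for name, value in attrs.items():
            print(f"{name}: {value}")
```

Running the script prints an entry with the same attributes as the step 10 output. The ejohnson entry that build_entries() also produces carries only the Payroll_Users attributes, which is what the LEFT OUTER JOIN in the logged SQL guarantees for a user without a salary row.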

11. Review the previous request in the directory proxy server access log:

    # tail /local/dps1/logs/access

    You should see a record similar to the following in the access log
    (wrapped here to fit the page):

    [15/Oct/2009:07:19:47 -0700] - SERVER_OP - INFO conn=28 op=0 SEARCH
    base="o=payroll" scope=2 filter="(uid=achassin)" attrs="*"
    jdbcServer=payroll_data sqlStatement="SELECT
    users.id,users.l_name,users.job_title,users.password,users.f_name,
    salary.startDate,salary.ssNumber,salary.grade,salary.vacationdays
    FROM users LEFT OUTER JOIN salary ON (salary.id=users.id)
    WHERE ( ( users.id IS NOT NULL ) ) AND ( ( UPPER(users.id) = 'ACHASSIN' ) )
    ORDER BY users.id"

    This access log record shows the SQL statement that directory proxy
    server ran against the payroll database for the LDAP search: the mapped
    columns of both tables are selected, the join rule from step 9 appears
    as the LEFT OUTER JOIN condition, and the LDAP filter value becomes the
    WHERE clause. Because the SQL statement is logged in full, this log is
    the first place to look when a JDBC data view returns unexpected
    entries, and it also records exactly which columns each client read.
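As an added example (not from the lab guide and not a directory proxy server feature), the Python script below parses records in the format shown above and flags the ones a security reviewer would want to see: searches whose filter keys on a sensitive emulated attribute (ssn, userpassword) and SQL statements that read the corresponding columns (users.password, salary.ssNumber). The two sample records are constructed for the example: the first is the step 11 record joined onto one line, the second is an invented search by ssn through the same view, written in the same format. The field layout (conn=, op=, base=, filter=, attrs=, jdbcServer=, sqlStatement=) is taken from the record above; other record types that the real log contains are ignored by the scanner.

```python
"""Scan DPS access log SEARCH records for sensitive reads (added example)."""
import re

SENSITIVE_ATTRS = {"ssn", "userpassword"}            # emulated attributes
SENSITIVE_COLUMNS = {"users.password", "salary.ssNumber"}   # their columns

# Constructed sample records: the step 11 record on one line, plus an
# invented search by ssn in the same format.
SAMPLE_LOG = """\
[15/Oct/2009:07:19:47 -0700] - SERVER_OP - INFO conn=28 op=0 SEARCH base="o=payroll" scope=2 filter="(uid=achassin)" attrs="*" jdbcServer=payroll_data sqlStatement="SELECT users.id,users.l_name,users.job_title,users.password,users.f_name,salary.startDate,salary.ssNumber,salary.grade,salary.vacationdays FROM users LEFT OUTER JOIN salary ON (salary.id=users.id) WHERE ( ( users.id IS NOT NULL ) ) AND ( ( UPPER(users.id) = 'ACHASSIN' ) ) ORDER BY users.id"
[15/Oct/2009:07:21:03 -0700] - SERVER_OP - INFO conn=29 op=0 SEARCH base="o=payroll" scope=2 filter="(ssn=333-33-3333)" attrs="uid" jdbcServer=payroll_data sqlStatement="SELECT users.id,salary.ssNumber FROM users LEFT OUTER JOIN salary ON (salary.id=users.id) WHERE ( ( users.id IS NOT NULL ) ) AND ( ( UPPER(salary.ssNumber) = '333-33-3333' ) ) ORDER BY users.id"
"""

RECORD_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] - (?P<kind>\w+) - (?P<level>\w+) '
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<optype>\w+) (?P<rest>.*)$')
# key=value pairs; a value is either "quoted" (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Return the record as a dict, or None if the line is not a SERVER_OP record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    for key, val in KV_RE.findall(rest):
        rec[key] = val[1:-1] if val.startswith('"') else val
    rec["conn"] = int(rec["conn"])
    rec["op"] = int(rec["op"])
    return rec


def filter_attributes(ldap_filter):
    """Attribute names used in an LDAP search filter, lower-cased."""
    return {a.lower() for a in
            re.findall(r'\(\s*([A-Za-z][\w;-]*)\s*[~<>]?=', ldap_filter)}


def sql_columns(sql):
    """table.column references in the logged SQL statement."""
    return set(re.findall(r'\b(\w+\.\w+)\b', sql))


def findings(rec):
    """Reasons a record deserves attention; an empty list means nothing notable."""
    reasons = []
    if rec is None or rec.get("optype") != "SEARCH" or "sqlStatement" not in rec:
        return reasons
    hit = filter_attributes(rec.get("filter", "")) & SENSITIVE_ATTRS
    if hit:
        reasons.append(f"conn={rec['conn']} op={rec['op']}: filter on "
                       f"sensitive attribute(s) {sorted(hit)}")
    cols = sql_columns(rec["sqlStatement"]) & SENSITIVE_COLUMNS
    if cols:
        reasons.append(f"conn={rec['conn']} op={rec['op']}: SQL reads "
                       f"sensitive column(s) {sorted(cols)}")
    return reasons


def scan(log_text=SAMPLE_LOG):
    """Run findings() over every line of a log and collect the reasons."""
    out = []
    for line in log_text.splitlines():
        out.extend(findings(parse_record(line)))
    return out


if __name__ == "__main__":
    for reason in scan():
        print(reason)
```

Against the two constructed records the scanner reports three findings: the step 11 search selected users.password and salary.ssNumber even though the client only asked for uid=achassin, and the second search both filtered on ssn and read salary.ssNumber. Pointing scan() at the real file is a matter of passing open("/local/dps1/logs/access").read().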

Task 4 Writing to a Relational Database Using a JDBC Data View
In this task, you allow write access to the payroll database through the JDBC
data view. The Payroll_Data data source is already writable (in Task 2 you
confirmed that it is not read-only), so what is missing is access control: you
add an ACI to directory proxy server that lets Ed Johnson modify any attribute
of any entry in the Payroll_View JDBC data view, then create a connection
handler with a bind DN filter for user Ed Johnson that uses the ACI.

Complete the following steps in the zone01 zone:

1. Confirm that Ed Johnson does not have write access to the JDBC data view:

   a. Create the /tmp/ejohnsonchg.ldif file with the following content:

      dn: uid=ejohnson,o=payroll
      changetype: modify
      replace: userpassword
      userpassword: anotherpassword
   b. Use the ldapmodify utility to try to modify Ed Johnson's password in
      the payroll database:

      # ldapmodify -p 9389 -D "uid=ejohnson,o=payroll" \
      -w password -f /tmp/ejohnsonchg.ldif

      The following output appears in the terminal window:

      modifying entry uid=ejohnson,o=payroll
      ldap_modify: Insufficient access
      ldap_modify: additional info: No aciSource setup in
      connection handler "default connection handler"

2. Create the /tmp/payroll_aci.ldif file, which defines the ACI entry that
   lets Ed Johnson write to the Payroll_View JDBC data view:

   dn: cn=payroll,cn=virtual access controls
   changetype: add
   objectclass: acisource
   dpsaci: (targetattr="*")(target="ldap:///o=payroll")(version 3.0; acl "access for payroll"; allow(all) userdn="ldap:///uid=ejohnson,o=payroll";)
   cn: payroll

   Note: Type the dpsaci statement, from the string dpsaci through the
   closing ";)", on a single line. The /tmp/payroll_aci.ldif file should
   contain exactly five lines, and the dpsaci value must not contain any
   backslash (\) characters.

   This ACI is deliberately broad for the lab: targetattr="*" with
   allow(all) over the whole o=payroll subtree lets ejohnson read and write
   every attribute of every entry in the view, including other users'
   userpassword and ssn values. Outside the lab, narrow the targetattr list
   and the rights to what the application actually needs (for example, only
   write access to userpassword).

3. Add the ACI as the cn=Proxy Manager user:

   # ldapmodify -D "cn=Proxy Manager" -w sunlearning \
   -p 9389 -f /tmp/payroll_aci.ldif

4. Create and configure the connection handler that lets the ACI take effect
   for user Ed Johnson:

   a. Create the Payroll_App connection handler:

      # dpconf create-connection-handler -p 9389 \
      -w /opt/dsee7/pwd Payroll_App

   b. Enable the Payroll_App connection handler and set a bind DN filter
      to the ejohnson user:

      # dpconf set-connection-handler-prop -p 9389 \
      -w /opt/dsee7/pwd Payroll_App is-enabled:true \
      bind-dn-filters:uid=ejohnson,o=payroll
   c. Specify that the Payroll_App connection handler handles requests to
      the Payroll_View data view:

      # dpconf set-connection-handler-prop -p 9389 \
      -w /opt/dsee7/pwd Payroll_App \
      data-view-routing-policy:custom \
      data-view-routing-custom-list:Payroll_View

   d. Assign the payroll ACI to the Payroll_App connection handler:

      # dpconf set-connection-handler-prop -p 9389 \
      -w /opt/dsee7/pwd Payroll_App aci-source:payroll

   Note: You cannot configure connection handlers that route requests to
   JDBC data views using DSCC.

5. Confirm that Ed Johnson can modify his password:

   # ldapmodify -p 9389 -D "uid=ejohnson,o=payroll" \
   -w password -f /tmp/ejohnsonchg.ldif

   The following output appears in the terminal window:

   modifying entry uid=ejohnson,o=payroll

   If the modification is denied due to insufficient access, start
   troubleshooting by reviewing the directory proxy server access log and
   confirming that the request was directed to the Payroll_App connection
   handler rather than to the default connection handler, which has no ACI
   source.

6. Confirm that Ed Johnson's password was changed in the payroll database:

   a. Start the MySQL monitor and access the payroll database:

      # cd /mysql/bin
      # ./mysql
      mysql> use payroll;
   b. Review the data in the users table:

      mysql> select * from users;

      +----------+--------+----------+-----------------+-------------------+
      | id       | f_name | l_name   | password        | job_title         |
      +----------+--------+----------+-----------------+-------------------+
      | achassin | Audrey | Chassin  | password        | Project Manager   |
      | alutz    | Alex   | Lutz     | password        | Watchman          |
      | ejohnson | Ed     | Johnson  | anotherpassword | Temp              |
      | gtriplet | Glen   | Triplet  | password        | Staff             |
      | jcampai2 | John   | Campaine | password        | J2EE Developer    |
      | mlangdon | Matt   | Langdon  | password        | Q & A Team Member |
      +----------+--------+----------+-----------------+-------------------+
      6 rows in set (0.00 sec)

      The ejohnson row now holds anotherpassword, the value written through
      the JDBC data view. Note that the password column holds the passwords
      in clear text: the proxy passes the userpassword value through to the
      column unchanged.

   c. Stop the MySQL monitor:

      mysql> quit;
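The following Python script is an added example, not part of the lab guide and not a directory proxy server component. It parses ACIs written in the grammar used by the dpsaci value in step 2 (targetattr, target, version and acl name, then allow/deny rules each followed by a bind rule), reports the ways in which an ACI is broader than it needs to be, and generates the five-line acisource LDIF from step 2 while rejecting a dpsaci that contains a newline or a backslash, the two mistakes the note in step 2 warns about. LAB_ACI is the ACI from step 2; NARROW_ACI is a hypothetical tighter variant in the same grammar, included only to show what the linter accepts, not something the lab asks you to configure.

```python
"""Lint and package dpsaci values (added example, not DPS code)."""
import re

ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"(?P<targetattr>[^"]*)"\)'
    r'\(target\s*=\s*"(?P<target>[^"]*)"\)'
    r'\(version\s+3\.0\s*;\s*acl\s+"(?P<name>[^"]*)"\s*;\s*'
    r'(?P<rules>.*)\)$', re.S)
# allow(read,write) <bind rule>;  or  deny(all) <bind rule>;
RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*([^;]*);')

# The ACI from step 2 of Task 4.
LAB_ACI = ('(targetattr="*")(target="ldap:///o=payroll")'
           '(version 3.0; acl "access for payroll"; '
           'allow(all) userdn="ldap:///uid=ejohnson,o=payroll";)')

# Hypothetical tighter variant (assumption, same grammar): write right only,
# on userpassword only.
NARROW_ACI = ('(targetattr="userpassword")(target="ldap:///o=payroll")'
              '(version 3.0; acl "ejohnson password"; '
              'allow(write) userdn="ldap:///uid=ejohnson,o=payroll";)')


def parse_aci(aci):
    """Split an ACI into targetattr list, target, name and permission rules."""
    m = ACI_RE.match(aci.strip())
    if not m:
        raise ValueError("unrecognised ACI syntax")
    d = m.groupdict()
    d["targetattr"] = [a.strip().lower() for a in d["targetattr"].split("||")]
    d["rules"] = [
        {"effect": effect,
         "rights": [r.strip().lower() for r in rights.split(",")],
         "bind_rule": bind.strip()}
        for effect, rights, bind in RULE_RE.findall(d["rules"])]
    return d


def lint(aci):
    """Return warnings about over-broad grants; empty list means none found."""
    d = parse_aci(aci)
    warnings = []
    if "*" in d["targetattr"]:
        warnings.append("targetattr=* exposes every mapped column, "
                        "including userpassword and ssn")
    for rule in d["rules"]:
        if rule["effect"] != "allow":
            continue
        if "all" in rule["rights"]:
            warnings.append("allow(all) grants add, delete and write as "
                            "well as read on the whole target")
        if re.search(r'userdn\s*=\s*"ldap:///(anyone|all)"', rule["bind_rule"]):
            warnings.append("bind rule matches any user")
    return warnings


def aci_ldif(aci, cn="payroll"):
    """The five-line acisource LDIF from step 2, dpsaci on a single line."""
    if "\n" in aci or "\\" in aci:
        raise ValueError("dpsaci must be one line with no backslashes")
    lines = [f"dn: cn={cn},cn=virtual access controls",
             "changetype: add",
             "objectclass: acisource",
             f"dpsaci: {aci}",
             f"cn: {cn}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(aci_ldif(LAB_ACI), end="")
    for warning in lint(LAB_ACI):
        print("warning:", warning)
```

Writing aci_ldif(LAB_ACI) to /tmp/payroll_aci.ldif produces exactly the file step 2 describes; running lint on it prints the two warnings that explain why the lab's ACI should not be copied into a production proxy as-is.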

Exercise Summary

Discussion: Take a few minutes to discuss what experiences, issues, or
discoveries you had during the lab exercise.

- Experiences
- Interpretations
- Conclusions
- Applications

Lab 12 Migrating to Oracle Directory Server EE 11gR1

Objectives

After completing this lab, you should be able to migrate an older version of
Directory Server to Oracle Directory Server EE 11gR1 (optional).

Exercise: Migrating From Sun Directory Server 5.2 to Oracle Directory Server EE 11gR1 (Optional)
In this exercise, you install and configure Sun Directory Server 5.2 software, then
migrate the Sun Directory Server 5.2 configuration to Oracle Directory Server EE
11gR1.

Note: Moving from Sun Directory Server EE version 6 to Oracle version 11gR1
is a rather easy, straightforward process. No data is migrated, so it is a simple
software upgrade. In many cases, the upgrade can be performed by running a
single command, dsadm upgrade, on each directory server instance in a
Directory Server EE deployment. Therefore, you practice performing a more
complex migration scenario in this lab: migrating from Sun Directory Server
version 5.2 to Oracle version 11gR1. If this migration scenario is not of
interest to you, you can skip this lab.

Begin by installing Directory Server 5.2 software, creating a directory server
instance, customizing it, and populating it with sample data. You do not need to
know Directory Server 5.2 commands because the installation, instance creation,
and data population are scripted.

After running the installation and configuration script, you have a Directory
Server 5.2 instance running on port 10389.

You then migrate the Sun Directory Server 5.2 instance to Oracle Directory
Server EE 11gR1 by creating an Oracle Directory Server EE 11gR1 instance, then
running the Oracle Directory Server EE 11gR1 migration utility.

At the end of this exercise, you have an Oracle Directory Server EE 11gR1
instance on port 7389 in addition to the Sun Directory Server 5.2 instance.

Perform the following tasks:

- Task 1 Restarting the zone01 Zone
- Task 2 Installing Directory Server 5.2
- Task 3 Migrating Directory Server 5.2 to Directory Server EE 11gR1
- Task 4 Confirming That Migration Was Successful
Preparation

Prerequisite Labs

The following labs are prerequisites for performing this lab:

- Introducing Oracle Directory Server EE 11gR1
- Searching and Modifying Directory Content
- Using Directory Server EE Log Files
- Securing Directory Server EE Access
- Enforcing Password Policies
- Using Certificates With Directory Server EE
- Backing Up and Restoring Directory Data
- Replicating Directory Server EE Data
- Tuning Directory Server EE Performance
- Configuring Failover and Load Balancing Using a Directory Proxy Server
- Configuring Virtualization Using a Directory Proxy Server

The task to prepare your lab system depends on whether you performed the
prerequisite labs, and whether you have performed other labs, in addition to the
prerequisite labs.

Assessing the State of Your Lab System

Using Table A-2 on page A-7 in Working With the Solaris Sandbox, assess the
state of your lab system, then take any additional actions described in the table.

Task 1 Restarting the zone01 Zone

If your lab system was not in the Ready to Go, Powered Up state, you need to
bring up the zone01 zone.

Perform the following step if your lab system was not in the Ready to Go,
Powered Up state:

1. Start and log in to the zone01 zone. For explicit instructions for starting
   and logging in to zones, refer to Zone Management Commands in the
   Solaris Sandbox in Appendix A.

You perform the rest of this lab in the zone01 zone.

Note: No servers need to be started before performing this lab.

Task 2 Installing Directory Server 5.2

In this task, you install Directory Server 5.2 as a legacy server from which you
later migrate. You run a script to install Directory Server 5.2 software, and create
and configure a Directory Server 5.2 instance.

Complete the following steps in the zone01 zone:

1. Start a terminal window (if necessary).

2. Make sure that all the directory server instances and directory proxy servers
   that you worked with in the preceding labs are stopped:

   # dsadm stop /local/dsm1
   # dsadm stop /local/dsm2
   # dsadm stop /local/dsm3
   # dsadm stop /local/dsm6
   # dsadm stop /local/dsrh1
   # dsadm stop /local/dsr1
   # dpadm stop /local/dps1

3. Run the installds52.sh script to install and configure the Directory
   Server 5.2 instance:

   # cd /opt/ses/shared/lab
   # ./installds52.sh

   A Directory Server 5.2 instance with custom schema, custom indexing, and
   localized user data is installed, configured, and started.

   Note: The installds52.sh script typically takes between five and ten
   minutes to complete.

4. Verify that the dc=example,dc=com suffix in the Directory Server 5.2
   instance is populated with sample data:

   # ldapsearch -p 10389 \
   -b dc=example,dc=com "objectclass=*"

5. Verify that the Directory Server 5.2 instance contains custom schema
   definitions:

   # ldapsearch -T -p 10389 \
   -b cn=schema "objectclass=*" | grep -i example

   The exampleTShirtName and exampleTShirtSize attribute definitions
   and the examplePerson object class definition should be present.

6. Verify that the Directory Server 5.2 instance contains custom index
   definitions (type the quoted base DN as a single argument):

   # ldapsearch -p 10389 \
   -D "cn=Directory Manager" -w sunlearning \
   -b "cn=exampletshirtsize,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" \
   "objectclass=*" nsIndexType

   The presence and equality indexes should be listed for the
   exampletshirtsize attribute.

Task 3 Migrating Directory Server 5.2 to Directory Server EE 11gR1

In this task, you create a Directory Server EE 11gR1 instance, then migrate user
data from the Directory Server 5.2 instance to the Directory Server EE 11gR1
instance by performing the following actions:

- Creating a Directory Server EE 11gR1 instance
- Stopping the Directory Server 5.2 instance
- Running the dsmig migration utility

Complete the following steps in the zone01 zone:

1. Create a Directory Server EE 11gR1 instance that runs on port 7389:

   # dsadm create -p 7389 -P 7636 /local/dsmigrated1

   The following prompt appears in the terminal window:

   Choose the Directory Manager password:

   Type sunlearning and press Return.

   The following confirmation prompt appears in the terminal window:

   Confirm the Directory Manager password:

   Type sunlearning again and press Return.

2. Start the new Directory Server EE 11gR1 instance:

   # dsadm start /local/dsmigrated1

3. Stop the Directory Server 5.2 instance:

   # /var/opt/mps/serverroot/slapd-m1/stop-slapd

4. Migrate the schema:

   # dsmig migrate-schema \
   /var/opt/mps/serverroot/slapd-m1 /local/dsmigrated1

   Messages similar to the following appear in the terminal window:

   Launching Schema Migration of server instance
   /var/opt/mps/serverroot/slapd-m1 .....
   Stopping server instance /local/dsmigrated1 .....
   Directory Server instance '/local/dsmigrated1' stopped
   Starting server instance /local/dsmigrated1 .....
   Directory Server instance '/local/dsmigrated1' started:
   pid=8852
   Operation "migrate-schema" complete.
5. Migrate configuration data:

   # dsmig migrate-config -R -N \
   /var/opt/mps/serverroot/slapd-m1 /local/dsmigrated1

   Messages similar to the following appear in the terminal window:

   Launching Configuration Migration of server instance
   /var/opt/mps/serverroot/slapd-m1 .....
   Starting server instance /local/dsmigrated1 .....
   Directory Server instance '/local/dsmigrated1' is
   already running (pid: 8852)
   Enter "cn=Directory Manager" password:

   Type sunlearning and press Return.

   The following prompt appears in the terminal window:

   Connecting to server localhost:7389 .....
   Certificate "CN=zone01, CN=7636, CN=Directory Server,
   O=Sun Microsystems" presented by the server is not
   trusted.
   Type "Y" to accept, "y" to accept just once, "n" to
   refuse, "d" for more details:

   Type Y and press Return. The certificate presented is the default
   self-signed server certificate that dsadm create generated for the new
   instance's secure port (7636); answering Y accepts it permanently,
   answering y accepts it for this connection only.

   Messages similar to the following appear in the terminal window:

   Discovering suffixes in
   /var/opt/mps/serverroot/slapd-m1/config/dse.ldif configuration file ..... DONE.
   Parsing file (/var/opt/mps/serverroot/slapd-m1/config/dse.ldif) ..... DONE.
   Setting server properties ..... DONE.
   Setting log properties ..... DONE.
   Creating suffix o=netscaperoot ..... DONE.
   Creating suffix dc=example,dc=com ..... DONE.
   Setting suffix o=netscaperoot properties ..... DONE.
   Setting suffix dc=example,dc=com properties ..... DONE.
   Setting plugin 7-bit check properties ..... DONE.
   Setting plugin uid uniqueness properties ..... DONE.
   Configuration data of user plugins not migrated. It can
   be found at
   /local/dsmigrated1/migration/old_userplugins_conf.ldif.
   Setting replication manager properties ..... DONE.
   Operation "migrate-config" complete.

   Note the line about user plug-ins: custom plug-in configuration is not
   migrated automatically. It is saved to
   /local/dsmigrated1/migration/old_userplugins_conf.ldif for you to review
   and reapply by hand if the deployment depends on it.

6. Migrate security data:

   # dsmig migrate-security \
   /var/opt/mps/serverroot/slapd-m1 /local/dsmigrated1

   Messages similar to the following appear in the terminal window:

   Launching Security Migration of server instance
   /var/opt/mps/serverroot/slapd-m1 .....
   Stopping server instance /local/dsmigrated1 .....
   Directory Server instance '/local/dsmigrated1' stopped
   Starting server instance /local/dsmigrated1 .....
   Waiting for Directory Server instance
   '/local/dsmigrated1' to start...
   Directory Server instance '/local/dsmigrated1' started:
   pid=8885
   Operation "migrate-security" complete.

7. Migrate user data:

   # dsmig migrate-data -R -N \
   /var/opt/mps/serverroot/slapd-m1 /local/dsmigrated1

   Messages similar to the following appear in the terminal window:

   Launching Data Migration of server instance
   /var/opt/mps/serverroot/slapd-m1 .....
   Stopping server instance /local/dsmigrated1 .....
   Directory Server instance '/local/dsmigrated1' stopped
   Migrating database (/var/opt/mps/serverroot/slapd-m1/db/NetscapeRoot) .....DONE.
   Database migrated.
   Migrating database (/var/opt/mps/serverroot/slapd-m1/db/userRoot) .....DONE.
   Database migrated.
   Starting server instance /local/dsmigrated1 .....
   Waiting for Directory Server instance
   '/local/dsmigrated1' to start...
   Directory Server instance '/local/dsmigrated1' started:
   pid=8898
   Operation "migrate-data" complete.
8. Check the migration status:

   # dsmig info /local/dsmigrated1

   Messages similar to the following appear in the terminal window:

   Old instance path   : /var/opt/mps/serverroot/slapd-m1
   New instance path   : /local/dsmigrated1

   Schema Migration    : Completed
   Security Migration  : Completed
   Config Migration    :极 Completed
   Data Migration      : Completed
Task 4 Confirming That Migration Was Successful

In this task, you confirm that the Directory Server 5.2 instance's configuration
and data were migrated.

Complete the following steps in the zone01 zone:

1. Verify that the dc=example,dc=com suffix in the Directory Server EE
   11gR1 instance is populated with the sample data that is in the
   dc=example,dc=com suffix in the Directory Server 5.2 instance:

   # ldapsearch -p 7389 \
   -b dc=example,dc=com "objectclass=*"

   Compare the output from the preceding command to the output from the
   ldapsearch command that you ran when you performed step 4 of Task 2.
   Attribute order within an entry may differ between the two servers;
   compare the set of DNs and the attribute values.

2. Verify that the custom schema changes were migrated to the Directory
   Server EE 11gR1 instance:

   # ldapsearch -T -p 7389 \
   -b cn=schema "objectclass=*" | grep -i example

   The exampleTShirtName and exampleTShirtSize attribute definitions
   and the examplePerson object class definition should be present.

3. Verify that the custom index was migrated to the Directory Server EE
   11gR1 instance:

   # dsconf list-indexes -p 7389 -w /opt/dsee7/pwd \
   | grep -i exampletshirtsize

   The exampletshirtsize attribute should be listed among the
   dc=example,dc=com suffix's indexes.
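Step 1 asks you to compare two ldapsearch outputs by eye. The Python script below is an added example, not part of the lab guide or of dsmig, that does the comparison mechanically: it parses LDIF (unfolding continuation lines, decoding base64 values, skipping comments and the version line), ignores operational attributes that legitimately differ after a migration, and reports entries that are missing, extra, or changed. OLD_LDIF and NEW_LDIF are constructed sample exports in the shape of the lab data, not real output: the new one reorders attributes, folds a line, base64-encodes one value, carries different modifyTimestamp values, and drops exampleTShirtSize from one entry so that the report has something to show.

```python
"""Compare two LDIF exports entry by entry (added example, not dsmig code)."""
import base64
from collections import defaultdict

# Operational attributes that differ between servers without meaning data loss.
IGNORED_ATTRS = {"modifytimestamp", "createtimestamp", "modifiersname",
                 "creatorsname", "entryid", "nsuniqueid", "entrydn",
                 "numsubordinates"}

# Constructed sample export from the 5.2 instance.
OLD_LDIF = """\
version: 1
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example
modifyTimestamp: 20091015140000Z

dn: uid=achassin,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: examplePerson
uid: achassin
sn: Chassin
cn: Audrey Chassin
description: Directory 5.2
exampleTShirtSize: M
"""

# Constructed export from the migrated instance: attribute order changed, the
# cn value folded over two lines, description base64-encoded, timestamps
# different, and exampleTShirtSize missing.
NEW_LDIF = """\
version: 1
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain
modifyTimestamp: 20100901120000Z

dn: uid=achassin,ou=People,dc=example,dc=com
uid: achassin
cn: Audrey Chas
 sin
sn: Chassin
description:: RGlyZWN0b3J5IDUuMg==
objectClass: examplePerson
objectClass: inetOrgPerson
objectClass: person
objectClass: top
modifyTimestamp: 20100901120001Z
"""


def unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return {dn: {attr: sorted values}} with attribute names lower-cased."""
    entries, attrs, dn = {}, defaultdict(list), None
    for line in unfold(text) + [""]:          # trailing "" flushes the last entry
        if line == "":
            if dn is not None:
                entries[dn] = {a: sorted(v) for a, v in attrs.items()}
            attrs, dn = defaultdict(list), None
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        name = name.lower()
        if name == "dn":
            dn = value.lower()                   # DNs compare case-insensitively
        elif name not in IGNORED_ATTRS:
            attrs[name].append(value)
    return entries


def compare(old_text, new_text):
    """Report DNs missing from or added to the new export, and changed attributes."""
    old, new = parse_ldif(old_text), parse_ldif(new_text)
    report = {"missing": sorted(set(old) - set(new)),
              "extra": sorted(set(new) - set(old)),
              "changed": {}}
    for dn in sorted(set(old) & set(new)):
        diffs = {attr: (old[dn].get(attr), new[dn].get(attr))
                 for attr in set(old[dn]) | set(new[dn])
                 if old[dn].get(attr) != new[dn].get(attr)}
        if diffs:
            report["changed"][dn] = diffs
    return report


if __name__ == "__main__":
    result = compare(OLD_LDIF, NEW_LDIF)
    for dn in result["missing"]:
        print("missing after migration:", dn)
    for dn in result["extra"]:
        print("unexpected new entry:", dn)
    for dn, diffs in result["changed"].items():
        for attr, (before, after) in diffs.items():
            print(f"{dn}: {attr} {before} -> {after}")
```

To use it on the lab instances, save the two ldapsearch outputs from step 4 of Task 2 (port 10389) and step 1 above (port 7389) to files and pass their contents to compare(). On the constructed data it reports a single difference: exampleTShirtSize present in the old export and absent from the new one, which is exactly the kind of loss a by-eye comparison misses.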

Exercise Summary

Discussion: Take a few minutes to discuss what experiences, issues, or
discoveries you had during the lab exercise.

- Experiences
- Interpretations
- Conclusions
- Applications

Appendix A Working With the Solaris Sandbox

Objectives

- Start, log in to, and log out of Solaris Sandbox zones
- Start servers
- Assess the state of your lab system (Lab 1)
- Assess the state of your lab system (labs after Lab 1)
- Start the Solaris Sandbox
- Bring the Solaris Sandbox to the starting point for doing a lab
Starting, Logging In to, and Logging Out of Solaris Sandbox Zones
The Solaris Sandbox provides you with a global zone and 12 nonglobal zones. A
zone is a virtualized operating system environment created within a single
instance of the Solaris OS. If you are not familiar with the concept of Solaris OS
zones, you can get more information at the following URL:
http://www.sun.com/bigadmin/content/zones

Overview of Solaris OS Zones

The global zone is the only zone from which nonglobal zones can be configured,
started, and accessed.
Nonglobal zones can be thought of as hosts. One or more applications can run on
these hosts without interacting with the rest of the system. Nonglobal zones can
have host names and IP addresses.
To access a nonglobal zone, you boot the nonglobal zone from the global zone,
and then log in to the nonglobal zone.

Solaris Sandbox Zones


The Solaris Sandbox has one global zone and 12 nonglobal zones. The nonglobal
zones in the Solaris Sandbox are named zonenn, where nn is a number between
01 and 12.
When you start the Solaris Sandbox and open a terminal window, you gain access
to the global zone, as indicated by the Solaris Sandbox terminal window prompt:
global #
Labs are performed almost exclusively in the nonglobal zones. The Solaris
Sandbox terminal window prompt lets you know when you are logged in to a
nonglobal zone. For example, when you are logged in to the zone04 zone, the
following prompt appears in the terminal window:
zone04 #

Appendix A-2


Zone Management Commands in the Solaris Sandbox


Manage zones as follows when working in the Solaris Sandbox:

Boot a zone:
global # zoneadm -z zonenn boot

Log in to a zone that has already been booted:


global # zlogin zonenn
zonenn #
The zonenn # prompt appears, indicating that you have successfully
logged in to a nonglobal zone. In this example, nn is the number of the zone
that you have logged in to.

Log out of a zone:


zone01 # exit
global #
The global # prompt appears, indicating that you have successfully
logged out of the zone01 zone.

For example, to boot and log in to the zone01 zone, run the following
commands:
global # zoneadm -z zone01 boot
global # zlogin zone01
zone01 #
The zone01 # prompt appears, indicating that you have successfully logged in to
the zone01 zone.

Appendix A-3

Starting Servers
The following sections provide instructions for starting servers used in the labs.

Starting the Common Agent Container (CACAO)


Run the following command in the zone01 zone:
# cacaoadm start

Starting the DSCC Registry Directory Server Instance


Run the following command in the zone01 zone:
# dsadm start /opt/dsee7/var/dcc/ads

Starting the Tomcat Web Container That Hosts the DSCC Web Application
Run the following command in the zone01 zone:
# /etc/init.d/tomcat start

Starting the dsm1 Directory Server Instance


Run the following command in the zone01 zone:
# dsadm start /local/dsm1

Starting the dsm2 Directory Server Instance


Run the following command in the zone01 zone:
# dsadm start /local/dsm2

Starting the dsm3 Directory Server Instance


Run the following command in the zone01 zone:
# dsadm start /local/dsm3

Appendix A-4

Starting the dps1 Directory Proxy Server


Run the following command in the zone01 zone:
# dpadm start /local/dps1
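The following POSIX sh script is an added example, not part of the course guide: it checks a zone number against the zone01 to zone12 naming described in the previous section and runs the server start commands from this section in the order listed, stopping at the first failure. It assumes the instance paths given above, is meant to be run inside the zone01 zone after zlogin, and the optional runner argument (for example echo for a dry run) is an assumption of this example.

```shell
#!/bin/sh
# Added example, not part of the course guide. Starts the lab servers listed in
# this appendix in the listed order, stopping at the first failure, and checks
# zone numbers against the zone01..zone12 naming the appendix describes.
# Assumes the instance paths from the appendix and is meant to be run after
# "zlogin zone01" (dsadm, dpadm and cacaoadm are not available elsewhere).

# The start commands exactly as the appendix gives them, one per line, in order.
SERVER_START_CMDS='cacaoadm start
dsadm start /opt/dsee7/var/dcc/ads
/etc/init.d/tomcat start
dsadm start /local/dsm1
dsadm start /local/dsm2
dsadm start /local/dsm3
dpadm start /local/dps1'

# Print the zone name for a two-digit number (01-12); fail on anything else,
# so a typo such as "4" or "13" is caught before zoneadm or zlogin run.
zone_name() {
    case "$1" in
        0[1-9]|1[0-2]) printf 'zone%s\n' "$1" ;;
        *) printf 'invalid zone number: %s (use 01-12)\n' "$1" >&2; return 1 ;;
    esac
}

# Run each start command in order. The optional first argument is a runner
# placed in front of every command (for example "echo" for a dry run); with no
# argument the commands execute directly. Stops at the first failing command so
# that later servers are not started on top of an earlier one that failed.
start_lab_servers() {
    runner=${1:-}
    while IFS= read -r cmd; do
        [ -n "$cmd" ] || continue
        # Word splitting of $cmd is intentional: the paths contain no spaces.
        $runner $cmd || { printf 'failed: %s\n' "$cmd" >&2; return 1; }
    done <<EOF
$SERVER_START_CMDS
EOF
}

# Stand-alone use: "sh start_servers.sh --dry-run" only prints the sequence.
if [ "${1:-}" = "--dry-run" ]; then
    start_lab_servers echo
fi
```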

Appendix A-5

Assessing the State of Your Lab System: Lab 1


Before starting Lab 1, your lab system can be in one of two states defined in
Table A-1 on page A-6. Determine which of these two states describes your lab
system. Then, depending on the state of your lab system, follow the instructions
in the table.
Table A-1 Lab System Start States and Instructions

Lab System State      Description                                     Instructions
--------------------  ----------------------------------------------  ---------------------------------------------
First Time Doing      You installed the Solaris Sandbox on your       Perform the steps in the section "Starting
Labs                  system. You have not done any labs on the       the Solaris Sandbox" on page A-8.
                      Solaris Sandbox.
Not at Starting       You completed other labs in the Solaris         Perform the steps in the section "Bringing
Point                 Sandbox, and now you want to come back and      the Solaris Sandbox to the Starting Point
                      do this lab.                                    for Doing a Lab" on page A-9.

Appendix A-6


Assessing the State of Your Lab System: Labs After Lab 1


Before starting any lab after Lab 1, your lab system can be in one of three states
defined in Table A-2 on page A-7. Determine which of these three states
describes your lab system. Then, depending on the state of your lab system,
follow the instructions in the table.
Table A-2 Lab System Start States and Instructions

Lab System State      Description                                     Instructions
--------------------  ----------------------------------------------  ---------------------------------------------
Ready to Go,          You completed the prerequisite labs and no      No additional preparation is required.
Powered Up            additional labs. After completing the
                      prerequisite labs, you did not power down
                      the Solaris Sandbox.
Ready to Go,          You completed the prerequisite labs and no      Perform the steps in the section "Starting
Powered Down          additional labs. After completing the           the Solaris Sandbox" on page A-8.
                      preceding lab, you powered down the Solaris
                      Sandbox.
Not at Starting       Either: You did not complete the prerequisite   Perform the steps in the section "Bringing
Point                 labs. Or, you completed other labs in           the Solaris Sandbox to the Starting Point
                      addition to the prerequisite labs, and now      for Doing a Lab" on page A-9.
                      you want to come back and do this lab.

Appendix A-7

Starting the Solaris Sandbox


Perform the following steps:
1. Start the VirtualBox software.
2. Power up the Solaris Sandbox.
3. Log in to the Solaris OS as the root user. The password is cangetin.

Caution: When possible, examples in this course demonstrate security best
practices. However, your own specific security requirements might be more
stringent than the techniques followed in this course. Do not assume that the
techniques demonstrated in this course meet your security requirements.
For your convenience, many of the passwords used in this class have the values
cangetin and sunlearning. Setting system passwords to the same value is not
a security best practice.

4. Prepare the nonglobal zones for doing lab exercises:
global # lab -p

You have successfully started the Solaris Sandbox. You can now begin work on
your lab.
If your lab system requires a proxy server to access the Internet, be sure to
configure the proxy server address in the Firefox browser after you have started a
zone when doing the lab.

Appendix A-8


Bringing the Solaris Sandbox to the Starting Point for Doing a Lab
Perform the following steps:
1. Start your VirtualBox software, if necessary.
2. If the Solaris Sandbox is currently started, power the Sandbox down by
opening a terminal window in the global zone and running the following
command:
global # poweroff
3. Power up the Solaris Sandbox.
4. Log in to the Solaris OS as the root user, if necessary. The password is
cangetin.
5. Start a terminal window, if necessary.
6. If you are logged in to a zone, use the exit command to log out of this
zone.
7. Run the lab -n command, which brings the Solaris Sandbox to the
starting point for this lab:
global # lab -n lab_number
In this example, lab_number is the number of the lab that you want to
perform.
For example, if you wanted to bring the Solaris Sandbox to a state at which
you could start working on Lab 2, you would run the following command:
lab -n 2
Progress messages appear in the terminal window as the lab -n command
restores the Solaris Sandbox's state to the starting point for this lab.

Note: In many cases, the lab -n command processes large quantities
(gigabytes) of data. Therefore, this command might require a significant amount
of time (ten minutes or more) to complete.

Appendix A-9

8. Prepare the nonglobal zones for doing lab exercises:
global # lab -p

You have successfully brought the Solaris Sandbox to the starting point for a lab.
You can now begin work on the lab.
If your lab system requires a proxy server to access the Internet, be sure to
configure the proxy server address in the Firefox browser after you have started a
zone when doing the lab.

Appendix A-10
