Chapter 1. Basic management tasks
Learn about basic tasks of managing Directory Server instances after the installation.
1.1. Logging in to the Directory Server by using the web console
The web console is a browser-based graphical user interface (GUI) that you can use for performing administrative tasks. The Directory Server package automatically installs the Directory Server user interface for the web console.
Prerequisites
- You have permissions to access the web console.
Procedure
- Access the web console by using the following URL in your browser:

  https://<directory_server_host>:9090

- Log in as a user with sudo privileges.
- Select the Red Hat Directory Server entry.
1.2. Starting and stopping a Directory Server instance
You can start, stop, and restart a Directory Server instance by using the command line or the web console.
1.2.1. Starting and stopping a Directory Server instance by using the command line
Use the dsctl utility to start, stop, or restart a Directory Server instance.

The dsctl utility is the only supported way to stop a Directory Server instance. Do not use the kill command to terminate the ns-slapd process: an unclean shutdown can cause data loss and database corruption.
Procedure
- To start the instance, run:

  # dsctl <instance_name> start

- To stop the instance, run:

  # dsctl <instance_name> stop

- To restart the instance, run:

  # dsctl <instance_name> restart

Optionally, you can enable Directory Server instances to start automatically when the system boots:
- For a single instance, run:

  # systemctl enable dirsrv@<instance_name>

- For all instances on a server, run:

  # systemctl enable dirsrv.target

Verification
You can check the instance status by using the dsctl or systemctl utility:
- To view the instance status by using the dsctl utility, run:

  # dsctl <instance_name> status

- To view the instance status by using the systemctl utility, run:

  # systemctl status dirsrv@<instance_name>
1.2.2. Starting and stopping a Directory Server instance by using the web console
You can use the web console to start, stop, or restart a Directory Server instance.
Prerequisites
- You are logged in to the web console. For more details, see Logging in to the Directory Server by using the web console.
Procedure
- Select the Directory Server instance.
- Click the Actions button and select the action to execute:
  - Start Instance
  - Stop Instance
  - Restart Instance
Verification
Ensure that the Directory Server instance is running. When the instance is not running, the web console displays the following message:

This server instance is not running, either start it from the Actions dropdown menu, or choose a different instance.
1.3. Changing the LDAP and LDAPS port numbers
By default, Directory Server uses port 389 for the LDAP protocol and, if you enabled TLS, port 636 for the LDAPS protocol. You can change the port numbers, for example, to run multiple Directory Server instances on one host.

The new ports that you assign to an instance must not be used by any other service on the host.
1.3.1. Changing the port numbers using the command line
You can change the LDAP and LDAPS port numbers by using the command line. Changing the ports requires updating the nsslapd-port and nsslapd-securePort parameters and, when SELinux is in enforcing mode, labeling the new ports with the ldap_port_t type so that ns-slapd is allowed to bind to them.
Procedure
- Optionally, display the current port numbers for the instance:

  # dsconf <instance_name> config get nsslapd-port nsslapd-securePort

- Change the LDAP port:
  - Set the new port for the LDAP protocol. For example, to set it to 1389, run:

    # dsconf <instance_name> config replace nsslapd-port=1389

  - Set the ldap_port_t type for the LDAP port you assigned in the previous step:

    # semanage port -a -t ldap_port_t -p tcp 1389

- Change the LDAPS port:
  - Set the new port for the LDAPS protocol. For example, to set it to 1636, run:

    # dsconf <instance_name> config replace nsslapd-securePort=1636

  - Set the ldap_port_t type for the LDAPS port you assigned in the previous step:

    # semanage port -a -t ldap_port_t -p tcp 1636

  If semanage reports that a port is already defined with another type, use semanage port -m instead of semanage port -a to change its label. Without the correct label, SELinux prevents ns-slapd from binding to the new port and the instance fails to start.

- Restart the instance:

  # dsctl <instance_name> restart
Verification
Verify that Directory Server now uses the new LDAP port:

# dsconf <instance_name> config get nsslapd-port

Verify that Directory Server now uses the new LDAPS port:

# dsconf <instance_name> config get nsslapd-securePort

These commands show the configured values. To confirm that ns-slapd actually listens on the new ports after the restart, check the open sockets, for example with the ss -ltnp command.
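The procedure above wrapped in a script, as an added example that is not part of the Red Hat documentation. It checks the requested ports before making any change, picks the right semanage verb by parsing the output of semanage port -l (semanage port -a fails with "already defined" when the port is already mapped individually to a different type, and semanage port -m is needed instead), runs the dsconf, semanage and dsctl commands from the procedure, and then confirms that ns-slapd actually listens on the new ports rather than only reading the configuration back. The instance name and port numbers are arguments; nothing runs until RUN_PORT_CHANGE=1 is set, so the helper functions can be sourced and tested on their own. The semanage listing format and the ss filter syntax are those of current policycoreutils and iproute2.

```bash
#!/bin/bash
# Added example, not part of the Red Hat documentation: the port-change
# procedure as functions, with pre-flight checks. Instance name and ports are
# whatever you pass in. Needs dsconf, dsctl, semanage and ss on the host.
set -u

# Accept only a TCP port number in 1..65535.
validate_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Decide what semanage needs for PORT, given the output of `semanage port -l`
# on stdin. Prints one of:
#   keep    - PORT is already mapped to TYPE (individually or by range)
#   modify  - PORT is mapped individually to another type; `semanage port -a`
#             would fail with "already defined", use `semanage port -m`
#   add     - PORT has no individual mapping; `semanage port -a` is correct
#             (being inside a range such as unreserved_port_t does not block it)
selinux_port_action() {
    local port=$1 proto=${2:-tcp} type=${3:-ldap_port_t}
    local name lproto ports p exact_other=0 range_same=0
    while read -r name lproto ports; do
        [ "$lproto" = "$proto" ] || continue
        for p in ${ports//,/ }; do
            case "$p" in
                *-*)
                    if [ "$port" -ge "${p%-*}" ] && [ "$port" -le "${p#*-}" ] \
                       && [ "$name" = "$type" ]; then
                        range_same=1
                    fi ;;
                *)
                    if [ "$p" = "$port" ]; then
                        if [ "$name" = "$type" ]; then echo keep; return 0; fi
                        exact_other=1
                    fi ;;
            esac
        done
    done
    if [ "$exact_other" -eq 1 ]; then echo modify
    elif [ "$range_same" -eq 1 ]; then echo keep
    else echo add
    fi
}

# Label PORT as ldap_port_t with the right semanage verb.
label_ldap_port() {
    local port=$1 action
    action=$(semanage port -l | selinux_port_action "$port")
    case "$action" in
        add)    semanage port -a -t ldap_port_t -p tcp "$port" ;;
        modify) semanage port -m -t ldap_port_t -p tcp "$port" ;;
        keep)   ;;
    esac
}

# Change both ports on INSTANCE, restart it and show the new listeners.
change_ports() {
    local inst=$1 ldap=$2 ldaps=$3 p
    validate_port "$ldap" && validate_port "$ldaps" && [ "$ldap" != "$ldaps" ] || {
        echo "invalid port numbers: $ldap $ldaps" >&2; return 1; }
    # Refuse to move onto a port another process already listens on.
    for p in "$ldap" "$ldaps"; do
        if ss -ltn "sport = :$p" | tail -n +2 | grep -q .; then
            echo "port $p is already in use:" >&2; ss -ltnp "sport = :$p" >&2; return 1
        fi
    done
    label_ldap_port "$ldap" && label_ldap_port "$ldaps" || return 1
    dsconf "$inst" config replace "nsslapd-port=$ldap" "nsslapd-securePort=$ldaps" || return 1
    dsctl "$inst" restart || return 1
    # dsconf only reads cn=config back; check that the sockets actually opened.
    ss -ltnp "sport = :$ldap"
    ss -ltnp "sport = :$ldaps"
}

# Usage: RUN_PORT_CHANGE=1 ./change-ports.sh <instance_name> 1389 1636
if [ "${RUN_PORT_CHANGE:-0}" = 1 ]; then
    change_ports "$@"
fi
```

Run it as root on the Directory Server host: RUN_PORT_CHANGE=1 ./change-ports.sh <instance_name> 1389 1636. If firewalld is active on the host, the new ports also need to be opened there, and any ~/.dsrc entries or client configurations that name the old ports need to be updated.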
1.3.2. Changing the port numbers using the web console
You can change the port numbers of the LDAP and LDAPS protocols by using the web console.
Prerequisites
- You are logged in to the instance in the web console.
Procedure
- Change the LDAP port:
  - Open the menu.
  - On the Server Setting tab, enter the new port number into the LDAP Port field.
  - Save the change.
- Change the LDAPS port:
  - Open the menu.
  - On the General Settings tab, enter the new port number into the LDAPS Port field.
  - Save the change.
- Restart the instance: click the Actions button and select Restart Instance.
Verification
- Verify in the server settings that the changed port numbers are displayed.
1.4. Managing default options for Directory Server command-line utilities using .dsrc file
A ~/.dsrc file simplifies commands that use the Directory Server command-line utilities. Normally you must pass information such as the LDAP URL or the bind distinguished name (DN) to each command. Instead, you can store these settings in a ~/.dsrc file and use the command-line utilities without specifying them each time.
1.4.1. How a .dsrc file simplifies commands
You can specify the LDAP URL of an instance and a bind DN in a ~/.dsrc file:

[server1]
uri = ldap://server1.example.com
binddn = cn=Directory Manager
basedn = dc=example,dc=com

With these settings, you can use shorter Directory Server commands. For example, to create a user account:

# dsidm server1 user create

Without the ~/.dsrc file, you must specify the bind DN, LDAP URL, and base DN in the command (the bind DN contains a space, so quote it in the shell):

# dsidm -D "cn=Directory Manager" ldap://server1.example.com -b "dc=example,dc=com" user create
1.4.2. Using the dsctl utility to create a .dsrc file
You can use the dsctl utility to create a ~/.dsrc file instead of writing it manually.
Procedure
- Run:

  # dsctl <instance_name> dsrc create ...
You can add the following options to the command:

- --uri: sets the URL of the instance in the format protocol://host_name_or_IP_address_or_socket. For example:
  - --uri ldap://server.example.com
  - --uri ldaps://server.example.com
  - --uri ldapi://%%2fvar%%2frun%%2fslapd-instance_name.socket

  When you set the path to the Directory Server socket, use %%2f instead of slashes (/) in the path.

  When you use an ldapi URL, the server identifies the user ID (UID) and group ID (GID) of the user who runs the Directory Server command-line utility. If you run the command as the root user, both UID and GID are 0 and Directory Server automatically authenticates you as cn=Directory Manager without asking for the password. Consequently, anyone with root access to the host has full administrative access to the directory through the socket.

- --starttls: configures the utilities to connect to the LDAP port and then send the STARTTLS command to switch to an encrypted connection.

- --basedn: sets the base distinguished name (DN). For example: --basedn dc=example,dc=com

- --binddn: sets the bind DN. For example: --binddn cn=Directory Manager

- --pwdfile: sets the path to a file that contains the password of the bind DN. For example: --pwdfile /root/rhds.pwd
  Restrict the permissions of this file so that only the user who runs the utilities can read it.

- --tls-cacertdir: sets the directory that contains the certificate authority (CA) certificate required to verify the server certificate when you use an LDAPS connection. For example: --tls-cacertdir /etc/pki/CA/certs/
  After you copy the CA certificate to this directory, run the c_rehash /etc/pki/CA/certs/ command so that the certificate can be found by its hashed file name.

- --tls-cert: sets the absolute path to the certificate that the utilities present to the server when TLS client authentication is used, for example with the EXTERNAL SASL mechanism. For example: --tls-cert /etc/dirsrv/slapd-<instance_name>/Server-Cert.crt

- --tls-key: sets the absolute path to the private key that belongs to the certificate given with --tls-cert. For example: --tls-key /etc/dirsrv/slapd-<instance_name>/Server-Cert.key

- --tls-reqcert: sets what checks the client utilities perform on the server certificate in a TLS session. For example: --tls-reqcert hard
  These values are available:
  - never: the utilities do not request or check the server certificate.
  - allow: the utilities ignore certificate errors and establish the connection anyway.
  - hard: the utilities terminate the connection on certificate errors.

  Use hard unless you are debugging a certificate problem: with never or allow, the utilities accept any certificate, so the connection can be intercepted by a man-in-the-middle.

- --saslmech: sets the SASL mechanism to use, PLAIN or EXTERNAL. For example: --saslmech PLAIN
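As an added example for sections 1.4.1 and 1.4.2 (not code from the Red Hat documentation or from lib389), the following shell helpers write a ~/.dsrc section, build an ldapi URI with the %%2f encoding described above, read a key back, print the explicit dsidm command line that a section stands in for, and lint a section for the settings that weaken the connection: a plain ldap:// URL without starttls, tls_reqcert set to never or allow, and a password file readable by other users. The key names starttls, tls_reqcert and pwdfile are assumed to match what dsctl dsrc create writes (compare with a file it generates); host names, DNs and paths are placeholders.

```bash
#!/bin/bash
# Added example, not part of the Red Hat documentation or of lib389: helpers
# for writing, reading and linting a ~/.dsrc file. Assumes the INI layout
# "[instance]" followed by "key = value" lines, and the key names uri, basedn,
# binddn, starttls, tls_reqcert and pwdfile (verify against your own file).
set -u

# Turn a socket path into the ldapi URI form used in .dsrc: every "/" becomes
# "%%2f". The percent sign is doubled because the file is parsed as an INI
# file with "%" interpolation, so "%%" is read back as a single "%".
dsrc_ldapi_uri() {
    printf 'ldapi://%s\n' "${1//\//%%2f}"
}

# Append one instance section. Arguments: file section uri binddn basedn
# Extra "key=value" arguments are written as further lines (e.g. starttls=true).
dsrc_write() {
    local file=$1 section=$2 uri=$3 binddn=$4 basedn=$5 kv
    shift 5
    {
        printf '[%s]\n' "$section"
        printf 'uri = %s\n' "$uri"
        printf 'binddn = %s\n' "$binddn"
        printf 'basedn = %s\n' "$basedn"
        for kv; do
            printf '%s = %s\n' "${kv%%=*}" "${kv#*=}"
        done
        printf '\n'
    } >>"$file"
}

# Print the raw value of one key in one section (empty if absent).
# Arguments: file section key
dsrc_get() {
    awk -v sec="[$2]" -v key="$3" '
        $0 == sec { insec = 1; next }
        /^\[/     { insec = 0 }
        insec && index($0, key) == 1 && substr($0, length(key) + 1) ~ /^[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }' "$1"
}

# Print the explicit dsidm command line that the section replaces (see 1.4.1).
# Arguments: file section, then the subcommand words (e.g. user create)
dsrc_expand() {
    local file=$1 section=$2 uri binddn basedn
    shift 2
    uri=$(dsrc_get "$file" "$section" uri)
    uri=${uri//%%/%}                      # undo the INI escaping of ldapi paths
    binddn=$(dsrc_get "$file" "$section" binddn)
    basedn=$(dsrc_get "$file" "$section" basedn)
    printf 'dsidm -D "%s" %s -b "%s" %s\n' "$binddn" "$uri" "$basedn" "$*"
}

# Lint one section: print one warning per finding and return the number of
# findings as the exit status (0 = clean).
dsrc_lint() {
    local file=$1 section=$2 uri starttls reqcert pwdfile perms n=0
    uri=$(dsrc_get "$file" "$section" uri)
    starttls=$(dsrc_get "$file" "$section" starttls | tr '[:upper:]' '[:lower:]')
    reqcert=$(dsrc_get "$file" "$section" tls_reqcert | tr '[:upper:]' '[:lower:]')
    pwdfile=$(dsrc_get "$file" "$section" pwdfile)
    case "$uri" in
        ldap://*)
            if [ "$starttls" != true ]; then
                echo "WARN [$section]: plaintext ldap:// URL without starttls = true"
                n=$((n + 1))
            fi ;;
    esac
    case "$reqcert" in
        never|allow)
            echo "WARN [$section]: tls_reqcert = $reqcert disables server certificate checks"
            n=$((n + 1)) ;;
    esac
    if [ -n "$pwdfile" ] && [ -e "$pwdfile" ]; then
        perms=$(ls -ld "$pwdfile" | cut -c5-10)   # group and other permission bits
        if [ "$perms" != "------" ]; then
            echo "WARN [$section]: $pwdfile is readable by group or others ($perms)"
            n=$((n + 1))
        fi
    fi
    return "$n"
}
```

For example, dsrc_write ~/.dsrc server1 ldap://server1.example.com "cn=Directory Manager" "dc=example,dc=com" writes the section shown in 1.4.1, and dsrc_lint ~/.dsrc server1 then flags it because the URL is plain ldap:// without starttls.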
1.4.3. Remote and local connection resolution when using directory server utilities
You can run Directory Server commands against a remote or a local instance, and how the utilities secure the connection depends on how you address the instance. When you run a Directory Server command with an LDAP URL, the utilities treat it as a remote connection and use the /etc/openldap/ldap.conf configuration file together with the system-wide settings to proceed with the command.

When you run a Directory Server command with an instance name, the utilities check whether the ~/.dsrc file is present and apply the following logic:

- If the ~/.dsrc file contains both the instance name and an LDAP URL, the utilities treat it as a remote connection and use the /etc/openldap/ldap.conf configuration file and the system-wide settings.
- If the ~/.dsrc file contains only the instance name, or if the ~/.dsrc file does not exist, the utilities treat it as a local connection and use the nsslapd-certdir setting from the instance's dse.ldif file to secure the connection. If nsslapd-certdir is not set, the utilities use the default path /etc/dirsrv/slapd-<instance_name>/, where the Network Security Services (NSS) database of the instance is stored.