Red Hat Summit이 콘텐츠는 선택한 언어로 제공되지 않습니다.
1.11. Creating and Using a .dsrc File to Set Default Options for Directory Server Command-line Utilities
A
~/.dsrc file simplifies commands that use the Directory Server command-line utilities. By default, these utilities require that you pass, for example, an LDAP URL or bind distinguished name (DN) to the command. If you store these settings in a ~/dsrc file, you can use the command-line utilities without specifying these settings each time.
1.11.1. How a .dsrc File Simplifies Commands
The following is an example of a
~/.dsrc file that specifies the LDAP URL of an instance and a bind DN:
[server1] uri = ldap://server1.example.com binddn = cn=Directory Manager basedn = dc=example,dc=com
[server1]
uri = ldap://server1.example.com
binddn = cn=Directory Manager
basedn = dc=example,dc=com
With these settings, you can use shorter Directory Server commands. For example, to create a user account:
dsidm server1 user create
# dsidm server1 user create
Without the
~/.dsrc file, you must specify the bind DN, LDAP URL, and base DN in the command:
dsidm -D cn=Directory Manager ldap://server1.example.com -b "dc=example,dc=com" user create
# dsidm -D cn=Directory Manager ldap://server1.example.com -b "dc=example,dc=com" user create1.11.2. Using the dsctl Utility to Create a .dsrc File
Instead of manually creating a
~/.dsrc file, you can use the dsctl utility to create it:
dsctl instance_name dsrc create ...
# dsctl instance_name dsrc create ...
You can pass the following options to the command:
--uri: Sets the URL to the instance in the formatprotocol://host_name_or_IP_address_or_socket.Examples:--uri ldap://server.example.com--uri = ldaps://server.example.com--uri = ldapi://%%2fvar%%2frun%%2fslapd-instance_name.socketIf you set the path to an Directory Server socket, use%%02instead of slashes (/) in the path.Important
If you use anldapiURL, the server identifies the user ID (UID) and group ID (GID) of the user who runs the Directory Server command-line utility. If you run the command as therootuser, both UID and GID are0and Directory Server automatically authenticates you ascn=Directory Managerwithout entering the corresponding password.
--starttls: Sets configures the utilities to connect to an LDAP port and then send theSTARTTLScommand to switch to an encrypted connection.--basedn: Sets the base distinguished name (DN). For example:--basedn dc=example,dc=com--binddn: Sets the bind DN. For example:--binddn cn=Directory Manager--pwdfile: Sets the path to a file that contains the password of bind DN. For example:--pwdfile /root/rhds.pwd--tls-cacertdir: When you use an LDAPS connection, the path set in this parameter defines the directory with the certificate authority (CA) certificate that is required to verify the server's certificate. For example:--tls-cacertdir /etc/pki/CA/certs/Note that you must use thec_rehash /etc/pki/CA/certs/command after you copied the CA certificate to the specified directory.--tls-cert: Sets the absolute path to the server's certificate. For example:--tls-cert /etc/dirsrv/slapd-instance_name/Server-Cert.crt--tls-key: Sets the absolute path to the server's private key. For example:--tls-key /etc/dirsrv/slapd-instance_name/Server-Cert.key--tls-reqcert: Sets what checks the client utilities perform on server certificates in a TLS session. For example:--tls-reqcert hardThe following parameters are available:never: The utilities do not request or check the server certificate.allow: The utilities ignore certificate errors and the connection is established anyway.hard: The utilities terminate the connection on certificate errors.
--saslmech: Sets the SASL mechanism to use toPLAINorEXTERNAL. For example:--saslmech PLAIN
1.11.3. Remote and Local Connection Resolution When Using Directory Server Utilities
When securing the Directory Server connection, it is important to distinguish between calling Directory Server commands remotely and locally.
When you run a Directory Server command with an LDAP URL specified, the server considers it as a remote connection and checks the
/etc/openldap/ldap.conf configuration file along with system-wide settings to proceed with the command.
When you run a Directory Server command with an instance name specified, the server checks if the
~/.dsrc file is present and applies the following logic to proceed:
- If the
~/.dsrcfile exists and contains both the instance name and the LDAP URL, Directory Server considers it as a remote connection and checks/etc/openldap/ldap.confconfiguration file and system-wide settings. - If the
~/.dsrcfile exists and contains only the specified instance name, or if the~/.dsrcfile does not exist, Directory Server considers it as a local connection and uses thensslapd-certdirsetting from the localdse.ldiffile to secure the connection. Ifnsslapd-certdiris not present, the server uses the default path/etc/dirsrv/slapd-instance_name/to store the Network Security Services (NSS) database of the instance.
For more information about
nsslapd-certdir parameter refer to nsslapd-certdir (Certificate and Key Database Directory) section.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}