Red Hat Directory Server 8.1
Using Red Hat Console
For Red Hat Directory Server
Edition 8.1

Author: Ella Deon Lackey
Publication date: Released April 28, 2009

Copyright © 2009 Red Hat, Inc.

This material may only be distributed subject to the terms and conditions set forth in the Open Publication License, V1.0 or later (the latest version of the OPL is presently available at http://www.opencontent.org/openpub/).

Red Hat and the Red Hat "Shadow Man" logo are registered trademarks of Red Hat, Inc. in the United States and other countries. All other trademarks referenced herein are the property of their respective owners.

1801 Varsity Drive
Raleigh, NC 27606-2072 USA
Phone: +1 919 754 3700
Phone: 888 733 4281
Fax: +1 919 754 3701
PO Box 13588
Research Triangle Park, NC 27709 USA

This guide provides background information that system architects and administrators need to successfully install and manage Red Hat Directory Servers in their enterprise. Read about Red Hat server basics here before you begin installing and configuring servers in your enterprise.

Preface ... vii
  1. Purpose of This Guide ... vii
  2. Examples and Formatting ... vii
    2.1 Command and File Examples ... vii
    2.2 Tool Locations ... viii
    2.3 LDAP Locations ... viii
    2.4 Text Formatting and Styles ... viii
  3. Additional Reading ... ix
  4. Giving Feedback ... x
  5. Documentation History ... xi
1. Overview of Red Hat Console
  1.1 How the Console, Directory Server, and Administration Server Work Together
  1.2 Red Hat Console Menus
  1.3 Red Hat Console Tabs
    1.3.1 The Servers and Applications Tab
    1.3.2 The Users and Groups Tab
  1.4 Server-Specific Consoles
    1.4.1 The Directory Server Console
    1.4.2 The Administration Server Console
2. Basic Tasks in the Red Hat Console ... 11
  2.1 Installing the Console ... 11
  2.2 Launching the Console ... 11
  2.3 Opening a Directory or Administration Server Window ... 13
  2.4 Changing the Console Appearance ... 14
    2.4.1 Changing Profile Locations ... 15
    2.4.2 Restoring Default Font Settings ... 16
    2.4.3 Changing Console Fonts ... 18
    2.4.4 Reordering Table Columns ... 20
    2.4.5 Customizing the Main Window ... 22
    2.4.6 Working with Custom Views ... 22
3. Managing Server Instances ... 29
  3.1 Editing Domain, Host, Server Group, and Instance Information ... 29
  3.2 Creating and Removing Admin Domains ... 30
    3.2.1 Creating and Editing an Admin Domain ... 30
    3.2.2 Removing an Admin Domain ... 32
  3.3 Creating a New Directory Server Instance ... 33
  3.4 Deleting a Directory Server Instance ... 34
4. Managing Directory Server Users and Groups ... 37
  4.1 Searching for Users and Groups ... 37
  4.2 Creating Directory Entries ... 39
    4.2.1 Directory and Administrative Users ... 40
    4.2.2 Groups ... 43
    4.2.3 Organizational Units ... 46
  4.3 Modifying Directory Entries ... 48
    4.3.1 Editing Entries ... 48
    4.3.2 Allowing Sync Attributes for Entries ... 49
    4.3.3 Changing Administrator Entries ... 50
    4.3.4 Removing an Entry from the Directory ... 55
5. Setting Access Controls ... 57
  5.1 Granting Admin Privileges to Users for Directory Server and Administration Server ... 57
  5.2 Setting Access Permissions on Console Elements ... 60
6. Using SSL/TLS with Red Hat Console ... 67
  6.1 Overview of SSL/TLS ... 67
  6.2 Installing Certificates ... 69
    6.2.1 Generating a Certificate Request ... 69
    6.2.2 Installing the Certificate ... 72
    6.2.3 Trusting a Certificate Authority or Adding a Certificate Chain ... 75
  6.3 Enabling TLS/SSL ... 78
  6.4 Creating Password Files ... 85
    6.4.1 Creating a Password File for the Directory Server ... 85
    6.4.2 Creating a Password File for the Administration Server ... 85
Index ... 89

Preface

Welcome to the Managing Servers with Red Hat Console Guide. Red Hat Directory Server and Administration Server have a special Java-based console which simplifies administering the directories. This guide covers the basic structure of the Red Hat Console for both the Directory Server and the Administration Server and provides an overview of how to use the main Red Hat Console to manage users and access within the Console.

1. Purpose of This Guide

There are three Java consoles bundled together to manage the servers in Red Hat Directory Server:

• The Red Hat Console, which is the first console to open. This has a unified view of all Administration Server and Directory Server instances being managed and can perform basic user and group tasks, like adding, searching, editing, and deleting entries.
• The Administration Server Console, which manages the Administration Server local instance, including viewing logs and changing the Administration Server configuration.
• The Directory Server Console, a separate window for each Directory Server instance, which manages the server through changing configuration and viewing logs and performance monitors, and manages the directory and directory policies.

This guide provides a basic overview of how to use and navigate through Red Hat Console so that managing servers through the consoles is easy and effective.

2. Examples and Formatting

Each of the examples used in this guide, such as file locations and commands, has certain defined conventions.

2.1 Command and File Examples

All of the examples for Red Hat Directory Server commands, file locations, and other usage are given for Red Hat Enterprise Linux (32-bit) systems. Be certain to use the appropriate commands and files for your platform.

Example: Example Command
To start the Red Hat Directory Server:

    service dirsrv start

2.2 Tool Locations

The tools for Red Hat Directory Server are located in the /usr/bin and the /usr/sbin directories. These tools can be run from any location without specifying the tool location.

2.3 LDAP Locations

There is another important consideration with the Red Hat Directory Server tools. The LDAP tools referenced in this guide are Mozilla LDAP, installed with Red Hat Directory Server in the /usr/lib/mozldap directory on Red Hat Enterprise Linux (32-bit) (or /usr/lib64/mozldap for 64-bit systems). However, Red Hat Enterprise Linux systems also include LDAP tools from OpenLDAP in the /usr/bin directory.
It is possible to use the OpenLDAP commands as shown in the examples, but you must use the -x argument to disable SASL, which OpenLDAP tools use by default.

2.4 Text Formatting and Styles

Certain words are represented in different fonts, styles, and weights. Different character formatting is used to indicate the function or purpose of the phrase being highlighted.

Formatting Style              Purpose
Monospace font                Monospace is used for commands, package names, files and directory paths, and any text displayed in a prompt.
Monospace with a background   This type of formatting is used for anything entered or returned in a command prompt.
Italicized text               Any text which is italicized is a variable, such as instance_name or hostname. Occasionally, this is also used to emphasize a new term or other phrase.
Bolded text                   Most phrases which are in bold are application names, such as Cygwin, or are fields or options in a user interface, such as a User Name Here: field or Save button.

Other formatting styles draw attention to important text.

NOTE
A note provides additional information that can help illustrate the behavior of the system or provide more detail for a specific issue.

IMPORTANT
Important information is necessary, but possibly unexpected, such as a configuration change that will not persist after a reboot.

WARNING
A warning indicates potential data loss, as may happen when tuning hardware for maximum performance.

3. Additional Reading

The Directory Server Administrator's Guide describes how to set up, configure, and administer Red Hat Directory Server and its contents. This manual does not describe many of the basic directory and architectural concepts that you need to deploy, install, and administer a directory service successfully. Those concepts are contained in the Red Hat Directory Server Deployment Guide. You should read that book before continuing with this manual.

When you are familiar with Directory Server concepts and have done some preliminary planning for your directory service, install the Directory Server. The instructions for installing the various Directory Server components are contained in the Red Hat Directory Server Installation Guide. Many of the scripts and commands used to install and administer the Directory Server are explained in detail in the Red Hat Directory Server Configuration, Command, and File Reference.

Also, Managing Servers with Red Hat Console contains general background information on how to use the Red Hat Console. You should read and understand the concepts in that book before you attempt to administer Directory Server.

The document set for Directory Server contains the following guides:

• Red Hat Directory Server Release Notes contain important information on new features, fixed bugs, known issues and workarounds, and other important deployment information for this specific version of Directory Server.
• Red Hat Directory Server Deployment Guide provides an overview for planning a deployment of the Directory Server.
• Red Hat Directory Server Administrator's Guide contains procedures for the day-to-day maintenance of the directory service. Includes information on configuring server-side plug-ins.
• Red Hat Directory Server Configuration, Command, and File Reference provides reference information on the command-line scripts, configuration attributes, and log files shipped with Directory Server.
• Red Hat Directory Server Installation Guide contains procedures for installing your Directory Server as well as procedures for migrating from a previous installation of Directory Server.
• Red Hat Directory Server Schema Reference provides reference information about the Directory Server schema.
• Red Hat Directory Server Plug-in Programmer's Guide describes how to write server plug-ins in order to customize and extend the capabilities of Directory Server.
• Red Hat Directory Server Web Applications Guide explains how to implement a gateway instance with basic directory look-up functionality and contains information useful for implementing a more powerful gateway instance with directory authentication and administration capabilities. This also includes information about the DSML gateway.
• Using Red Hat Console gives an overview of the primary user interface and how it interacts with the Directory Server and Administration Server, as well as how to perform basic management tasks through the main Console window.
• Using the Admin Server describes the different tasks and tools associated with the Administration Server and how to use the Administration Server with the Configuration and User Directory Server instances.

For the latest information about Directory Server, including current release notes, complete product documentation, technical notes, and deployment information, see the Red Hat Directory Server documentation site at http://www.redhat.com/docs/manuals/dir-server/.

4. Giving Feedback

If there is any error in this Managing Servers with Red Hat Console or there is any way to improve the documentation, please let us know. Bugs can be filed against the documentation for Red Hat Directory Server through Bugzilla, http://bugzilla.redhat.com/bugzilla. Make the bug report as specific as possible, so we can be more effective in correcting any issues:

• Select the Red Hat Directory Server product.
• Set the component to Doc - managing-servers.
• Set the version number to 8.1.
• For errors, give the page number (for the PDF) or URL (for the HTML), and give a succinct description of the problem, such as incorrect procedure or typo. For enhancements, put in what information needs to be added and why.

Chapter 6. Using SSL/TLS with Red Hat Console

6.2.3 Trusting a Certificate Authority or Adding a Certificate Chain

1. Go to the CA Certs tab, and click Install.
2. If the CA's certificate is saved to a file, enter the path in the field provided. Alternatively, copy and paste the certificate, including the headers, into the text box. Click Next.
3. Check that the certificate information that opens is correct, and click Next.
4. Name the certificate, and click Next.
5. Select the purpose of trusting this certificate authority; it is possible to select both options:
   • Accepting connections from clients (Client Authentication). The server checks that the client's certificate has been issued by a trusted certificate authority.
   • Accepting connections to other servers (Server Authentication). This server checks that the directory to which it is making a connection (for replication updates, for example) has a certificate that has been issued by a trusted certificate authority.
6. Click Done.

After installing the CA certificate, it is listed in the CA Certificates tab.

NOTE
If a CA certificate is incorrectly generated, it is listed in the Server Certificates tab in the Console rather than the CA Certificates tab. The certificate still works as a CA certificate, even though it is listed in the wrong tab. Still, request certificates from a real certificate authority to minimize the risk of using an incorrectly generated certificate and breaking SSL/TLS in the Administration Server.

6.3 Enabling TLS/SSL

In order to run the Red Hat Console over TLS/SSL, the Administration Server and Directory Server must also be configured to run in TLS/SSL. This configures server authentication for the Console and the Red Hat Directory Server and Administration Server.

1. Obtain server certificates and CA certs, and install them on the Directory Server. This is described in Section 6.2, “Installing Certificates”.
2. Obtain and install server and CA certificates on the Administration Server. This is a similar process as for the Directory Server.

   NOTE
   It is important that the Administration Server and Directory Server have a CA certificate in common so that they can trust the other's certificates.

3. If the default port number of 636 is not used, change the secure port setting.
   a. Change the secure port number in the Configuration > Settings tab of the Directory Server Console, and save.
   b. Restart the Directory Server. It restarts over the regular port.

       service dirsrv restart slapd-example

   This command is for Red Hat Enterprise Linux (32-bit); for commands for other platforms, see the Directory Server Administrator's Guide.
4. In the Configuration tab of the Directory Server Console, highlight the server name at the top of the table, and select the Encryption tab.
5. Select the Enable SSL checkbox.
6. Check the Use this Cipher Family checkbox.
7. Select the certificate to use from the drop-down menu.
8. Click Cipher Settings. By default, all ciphers are selected.
9. Set the preferences for client authentication.
   • Do not allow client authentication. With this option, the server ignores the client's certificate. This does not mean that the bind will fail.
   • Allow client authentication. This is the default setting. With this option, authentication is performed on the client's request.
   • Require client authentication. With this option, the server requests authentication from the client. All clients must use a certificate to authenticate to the server, and no simple authentication (username/password) is allowed.

   NOTE
   To use client certificate-based authentication with replication, configure the consumer server either to allow or to require client authentication.

10. To verify the authenticity of requests, select the Check hostname against name in certificate for outbound SSL connections option. The server does this verification by matching the hostname against the value assigned to the common name (cn) attribute of the subject name in the certificate being presented for authentication. The hostname that is checked in the certificate is the same one set in the server name field in the request in Section 6.2.1, “Generating a Certificate Request”. By default, this feature is disabled. If it is enabled and the hostname does not match the cn attribute of the certificate, appropriate error and audit messages are logged. Red Hat recommends enabling this option to protect Directory Server's outbound TLS/SSL connections against a man-in-the-middle (MITM) attack.
11. Check the Use SSL in the Console box.

   NOTE
   This is the only option which sets whether the Red Hat Console will run over SSL.

12. Hit Save.
13. In the Administration Server Console, select the Configuration tab.
14. Select the Encryption tab, check the Enable SSL checkbox, and fill in the appropriate certificate information.

   After TLS/SSL is enabled, the Administration Server can only be connected to using HTTPS. All of the previous HTTP (standard) URLs for connecting to the Administration Server and its services no longer work. This is true whether connecting to the Administration Server using the Console or using a web browser.

15. In the Configuration DS tab, change the port number to the new Directory Server secure port information, even if the default port of 636 is used. Check the Secure Connection checkbox.
16. In the User DS tab, select the Set User Directory radio button, and fill in the Directory Server secure port information, the LDAP URL, and the user database information. Check the Secure Connection checkbox.
17. Save the new TLS/SSL settings and Configuration DS and User DS information in the Administration Server Console.
18. Restart the Directory Server. The server must be restarted from the command line.

       service dirsrv restart slapd-example

   When the server restarts, it prompts for the PIN or password to unlock the key database. This is the same password used when the server certificate and key were imported into the database. Using a pin.txt file to store the token database passwords allows the Directory Server to restart without prompting for the password. This is covered in Section 6.4.1, “Creating a Password File for the Directory Server”.
19. Restart the Administration Server. The server must be restarted from the command line.

       service dirsrv-admin restart

   When the server restarts, it prompts for the PIN or password to unlock the key database. This is the same password used when the server certificate and key were imported into the database. Using a password.conf file to store the token database passwords allows the Administration Server to restart without prompting for the password. This is covered in Section 6.4.2, “Creating a Password File for the Administration Server”.

NOTE
After configuring SSL/TLS for the Administration Server, be certain that the address reads https when next logging into the Administration Server or Red Hat Console. With SSL/TLS, all connections to the Administration Server must be over HTTPS. Otherwise, the operation will time out, unable to find the server since it is running on a secure connection.

After successfully connecting, a dialog box appears to accept the certificate. Click OK to accept the certificate (either only for that current session or permanently).

6.4 Creating Password Files

If SSL/TLS is enabled for the Directory Server or Administration Server, then the server prompts for a password to access the certificate and key databases every time the server is restarted. The servers can restart silently if that password is supplied in a password file which the start scripts can access.

6.4.1 Creating a Password File for the Directory Server

It is possible to store the certificate password in a password file. By placing the certificate database password in a file, the server can be started from the Directory Server Console and also restarted automatically when running unattended.

WARNING
This password is stored in clear text within the password file, so its usage represents a significant security risk. Do not use a password file if the server is running in an unsecured environment.

The password file must be in the same directory where the other key and certificate databases for Directory Server are stored. This is usually the main configuration directory, /etc/dirsrv/slapd-instance_name. The file should be named pin.txt.

Include the token name and password in the file. For example:

    Internal (Software) Token:secret

For the NSS software crypto module (the default software database), the token is always called internal.

The PIN file should be owned by the Directory Server user and set to read-only by the Directory Server user, with no access to any other user (mode 0400).

6.4.2 Creating a Password File for the Administration Server

Like the Directory Server, the Administration Server can use a password file during login when TLS/SSL is enabled.

WARNING
This password is stored in clear text within the password file, so its usage represents a significant security risk. Do not use a password file if the server is running in an unsecured environment.

1. Open the Administration Server configuration directory, /etc/dirsrv/admin-serv.
2. Create a password file named password.conf. The file should include a line with the token name and password, in the form token:password. For example:

       internal:secret

   For the NSS software crypto module (the default software database), the token is always called internal.
3. The password file should be owned by the Administration Server user and set to read-only by the Administration Server user, with no access to any other user (mode 0400).

   NOTE
   To find out what the Administration Server user ID is, run grep in the Administration Server configuration directory:

       cd /etc/dirsrv/admin-serv
       grep \^User console.conf

4. In the /etc/dirsrv/admin-serv directory, edit the nss.conf file to point to the location of the new password file.

       # Pass Phrase Dialog:
       # Configure the pass phrase gathering process.
       # The filtering dialog program (`builtin' is a internal
       # terminal dialog) has to provide the pass phrase on stdout.
       NSSPassPhraseDialog file://etc/dirsrv/admin-serv/password.conf

5. Restart the Administration Server.

       service dirsrv-admin restart
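The two password files in Section 6.4 hold a clear-text token password, so what protects them is entirely the file's ownership and its 0400 mode. The following added example, which is not code from the Red Hat guide, creates such a file so that it is never readable by anyone but its owner, and audits an existing file against the guide's rules (a single token:password line, mode 0400, owned by the server user). The functions take the path from the caller; the demo writes into a temporary directory rather than /etc/dirsrv, the token names and the password "secret" are the guide's own sample values, and the calling user stands in for the Directory Server or Administration Server user.

```python
"""Added example, not code from the Red Hat guide: create and audit the NSS
token password file described in Section 6.4 (pin.txt for the Directory
Server, password.conf for the Administration Server)."""
import os
import stat
import tempfile


def write_token_file(path, token, password):
    """Create PATH containing 'token:password' as mode 0400 from the moment the
    file exists. O_EXCL refuses to overwrite a file that is already there, so
    a stale copy with looser permissions is never silently reused."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"{token}:{password}\n")
    os.chmod(path, 0o400)  # os.open honours the umask; make the mode exact
    return path


def parse_token_file(path):
    """Return {token: password} for each 'token:password' line, splitting on
    the first colon so that a password containing ':' survives."""
    entries = {}
    with open(path) as fh:
        for line in fh:
            line = line.rstrip("\n")
            if not line or line.startswith("#"):
                continue
            token, sep, password = line.partition(":")
            if not sep:
                raise ValueError(f"{path}: line is not token:password: {line!r}")
            entries[token] = password
    return entries


def audit_token_file(path, owner_uid=None):
    """Return a list of findings; an empty list means the file satisfies the
    guide's requirements. owner_uid defaults to the calling user, which here
    stands in for the Directory Server or Administration Server user."""
    findings = []
    if owner_uid is None:
        owner_uid = os.getuid()
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    if not stat.S_ISREG(st.st_mode):
        findings.append(f"{path}: not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o400:
        findings.append(f"{path}: mode {mode:04o}, expected 0400")
    if st.st_uid != owner_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {owner_uid}")
    try:
        parse_token_file(path)
    except (OSError, ValueError) as exc:
        findings.append(str(exc))
    return findings


def demo():
    """Write both files in a scratch directory, audit them, then show the
    finding raised when pin.txt is loosened to 0644. Returns the results."""
    work = tempfile.mkdtemp(prefix="nss-pin-")
    pin = write_token_file(os.path.join(work, "pin.txt"),
                           "Internal (Software) Token", "secret")
    conf = write_token_file(os.path.join(work, "password.conf"),
                            "internal", "secret")
    results = {
        "pin_entries": parse_token_file(pin),
        "conf_entries": parse_token_file(conf),
        "findings_before": audit_token_file(pin) + audit_token_file(conf),
    }
    os.chmod(pin, 0o644)  # simulate a careless chmod on the PIN file
    results["findings_after"] = audit_token_file(pin)
    for p in (pin, conf):
        os.remove(p)
    os.rmdir(work)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit is the part worth scheduling: the guide's warning is that the password is in clear text, so a mode or ownership change on pin.txt or password.conf after the fact is exactly the failure to watch for.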
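Step 10 of Section 6.3 describes the outbound hostname check: the server compares the host it was told to connect to with the cn attribute of the subject in the certificate it is shown, and logs an error when they differ. The following added example, which is not code from the Red Hat guide, applies that rule to peer certificates in the dictionary form that Python's ssl.SSLSocket.getpeercert() returns, so the decision logic can be exercised offline. The three certificates and the host names are constructed for illustration; the check deliberately looks only at cn, as the guide's does, and does not consult wildcards or subjectAltName.

```python
"""Added example, not code from the Red Hat guide: the outbound hostname
check of Section 6.3, step 10, applied to getpeercert()-style certificates."""
import logging

log = logging.getLogger("outbound-tls")


def subject_cn(cert):
    """Return the subject commonName from a getpeercert()-style dict, or None.
    The subject is a tuple of RDNs, each a tuple of (attribute, value) pairs."""
    for rdn in cert.get("subject", ()):
        for attribute, value in rdn:
            if attribute == "commonName":
                return value
    return None


def hostname_matches_cn(cert, expected_host):
    """True when the certificate's cn is the expected host name. DNS names
    compare case-insensitively and a trailing dot is ignored. On failure an
    error is logged, as the guide says the server does, and False is returned
    so that the caller can refuse the connection."""
    cn = subject_cn(cert)
    want = expected_host.rstrip(".").lower()
    if cn is None:
        log.error("outbound TLS to %s: peer certificate has no cn", expected_host)
        return False
    if cn.rstrip(".").lower() != want:
        log.error("outbound TLS to %s: certificate cn is %r; refusing "
                  "connection (possible man-in-the-middle)", expected_host, cn)
        return False
    return True


# Constructed sample certificates in getpeercert() layout (placeholder hosts).
REPLICA_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Corp"),),
                (("commonName", "ldap2.example.com"),)),
}
OTHER_HOST_CERT = {
    "subject": ((("organizationName", "Example Corp"),),
                (("commonName", "ldap9.example.com"),)),
}
NO_CN_CERT = {
    "subject": ((("organizationName", "Example Corp"),),),
}


def check_replication_peers(peers):
    """Run the check for each (host, certificate) pair, e.g. the consumers a
    supplier pushes replication updates to, and return the hosts whose
    connection would be refused."""
    return [host for host, cert in peers if not hostname_matches_cn(cert, host)]


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    refused = check_replication_peers([
        ("ldap2.example.com", REPLICA_CERT),
        ("LDAP2.example.com.", REPLICA_CERT),
        ("ldap2.example.com", OTHER_HOST_CERT),
        ("ldap2.example.com", NO_CN_CERT),
    ])
    print("refused:", refused)
```

The second and third sample peers show the two ways the check fails in practice: a certificate issued for a different host, and a certificate with no cn at all. Both produce the error entry that the guide says to expect in the logs, which is the signal to look for when an outbound replication connection stops working after the option is enabled.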
Index

A
Access Control
  to navigation tree, 57
admin domain
  creating, 30, 32
administration domain
  defined
  removing, 32
Administration Server
  defined
Administration Server Administrator
  changing user name or password for, 53
  defined, 50
administrators, overview of, 50

C
certificate group, 43
certificate password, 85
Configuration Administrator
  changing user name or password for, 51
  defined, 50
Configuration Administrators group
  adding users to, 54
configuration directory
  defined
custom views, 14
  changing to, 25
  creating, 23
  editing, 24
  removing, 25
  setting ACIs on, 25
  using, 22

D
deleting Directory Server instance, 34
digital signatures, 67
directory
  changing the search directory, 38
directory entries
  creating, 39
  removing, 55
  searching for, 37
Directory Server
  configuration subtree
  deleting instance, 34
  role in managing resources and users
  user subtree
dynamic group, 43

E
encryption, 67

F
fonts
  changing, 18

G
groups
  creating, 44
  editing, 48
  locating, 37
  removing, 55
  types, 43

H
host information, modifying, 29

L
logging into Console
  logging in, 12

M
management window
  opening for Directory or Administration Server, 13
menus, in Red Hat Console

N
navigation tree
  overview
  setting access permissions to, 57

O
organizational units
  creating, 46
  removing, 55

P
password
  changing for a user or administrator, 49
password file
  Administration Server, 85
  SSL certificate, 85
passwords
  certificate, 85
preferences, 14
  font, 18
  UI permissions, 15

R
Red Hat Console
  defined
  information panel
  logging into, 12
  menus
  overview of
  tabs

S
searching
  changing the search directory, 38
  for directory entries, 37
server
  defined
  opening a management window for, 13
server group
  defined
  modifying information for, 29
server instance
  creating, 33
  modifying information for, 29
SSL, 67
  Administration Server password file, 85
  certificate password, 85
static group, 43
synchronization options
  enabling, 49
  overview, 49

T
tables
  changing column position in, 20
tabs, in Red Hat Console
TLS, 67
topology
  defined

U
user entries
  changing passwords for, 49
  creating, 40
  editing, 48
  locating, 37
  removing, 55
Users and Groups tab
  changing the search directory for, 38