HP-UX Directory Server
A Global Directory Service
HP-UX Directory Server (HPDS) provides an industry-standard, centralized
directory service on which to build your intranet or extranet. Your HP-UX servers
and other directory-enabled applications use the directory service as a common,
network-accessible location for storing shared data such as user and group
identification, server identification, and access control information. In
addition, you can extend the HP-UX Directory Server to support your entire
enterprise with a global directory service that enables centralized management
of all enterprise resource information.
The HPDS product replaces the Red Hat Directory Server for HP-UX (RHDS)
product line. It is based on the same open source software as RHDS and includes
a straightforward migration process from RHDS.
Features and Benefits
HP-UX Directory Server provides the following components and features:
- LDAP Directory: A powerful directory server specifically
designed for LDAP (Lightweight Directory Access Protocol).
- Administration Console: A powerful server and directory
management tool with a graphical interface. Logging in from any system
connected to your network, you can configure a remote server or manage data in
a centralized directory. The included Administration Server allows for remote
operation (startup, shutdown, log viewing, SSL certificate management) of the
directory server. The improved management console includes a new dialog that
facilitates replication configuration.
- Command-line tools: Enables you to use customized scripts
to update and modify your directory server and its contents.
- Schema management interface: Enables you to create custom
object classes and attributes to define entries specific to your enterprise's
needs.
- On-line import and export of LDIF files: Helps you manage
directory entries, enabling you to add, modify, and delete multiple entries.
- On-line database backup and restore: Enables you to make
backups of the directory database and to restore from those backups to protect
against data loss.
- SSL/TLS: Provides secure communications over the network
including ciphers with up to 168-bit encryption.
- Multiple authentication methods: Enable you to configure
selectable levels of security and application interoperability.
- Simple passwords - High level application integration
- SASL DIGEST-MD5 - Secure challenge and response
- SASL EXTERNAL - Client-side certificates and integration in Public Key
frameworks
- SASL GSSAPI - Kerberos integration
- Multi-master replication: Provides a highly available
directory service for both read and write operations.
- Support for SNMP: Permits you to monitor your directory
server in real time using the Simple Network Management Protocol (SNMP).
- Chaining and referrals: Increase the power of the
directory by storing a complete logical view of the directory on a single
server while maintaining data on a large number of directory servers,
transparently to clients. These features enable limitless scalability for the
size of the directory database. Chaining is an enhancement over referrals.
Where referrals inform clients where to look for requested data, chaining
handles referrals for the client, freeing clients of the responsibility for
finding the location of the requested data.
- Multiple databases: Provides a simple way of splitting
your directory data across multiple databases to simplify the implementation
of replication and chaining in your directory service.
- Password policy and account lockout: Enables you to define
a set of rules that govern how passwords and accounts are managed in the
directory server.
- Plug-in API: The Directory Server Plug-In API is fully
supported for customer use. You can extend the functionality of the Directory
Server by writing your own plug-in functions. HPE provides a Directory Server
Plug-In Programmer's Guide for end-user development to further enhance the
directory server for your needs.
- 64-bit versions of the server: HPDS uses 64-bit
architecture, enabling you to configure very large caches. Server scalability
is limited only by available memory and storage.
- Roles and class of service: A feature that provides a
flexible mechanism for dynamically grouping and sharing attributes between
entries.
- Database encryption: HPDS supports encryption of selected
attributes within a database.
- Windows user and group synchronization: HPDS supports
Windows Sync, which synchronizes changes in groups and user entries (including
passwords) between HPDS and Microsoft Active Directory.
What is new in HPDS 8.1?
- Support for LDAP via UNIX sockets: While RHDS only used
TCP sockets for communication with LDAP clients, HPDS now also supports using
UNIX sockets by allowing LDAP via IPC (LDAPI). This is intended for
applications that run on the same host as the Directory Server.
- DNA plug-in provides automatic numeric attribute
assignment: A new plug-in automates the assignment of numeric IDs,
such as the values for uidNumber and gidNumber for POSIX account entries. The
plug-in supports assignment with no risk of collisions in multi-master
replication topologies.
- memberOf plug-in provides a list of group memberships held by each
user: Provides a list of groups in multiple memberOf attributes in
each user entry. The new plug-in simplifies determining what groups a user
belongs to. The memberOf attribute can greatly simplify access control in
applications by simplifying verification of a user's group membership.
- Additional options for secure communication between
servers: Server to server connections, such as those used in
replication, are enhanced to support SASL/Digest-MD5 and SASL/GSSAPI
(Kerberos) authentication, and encryption with Start TLS.
- More flexibility in schema management: Schema can be
deployed or modified on-disk and then reloaded using a new task-based
mechanism. Previously, dynamic schema changes could only be performed via LDAP
which offered less control over the organization of the schema in its
persistent on-disk storage.
- Improved Get Effective Rights operation: Whereas the GER
operation in RHDS only showed effective rights for attributes that already
existed in an entry, with HPDS, the operation can now display any effective
rights for potential attributes as well (operational attributes, and those
that currently do not exist in the entry but are allowed by schema).
- More tuning for Windows synchronization: In previous
releases, the interval at which the Directory Server checked the Active
Directory Server for updates was fixed at five minutes. This interval is now
configurable.
- Option to disallow unauthenticated bind operations: A new
configuration parameter allows the administrator to deny access to LDAP
clients that do not provide a password. This allows improved compatibility
with server applications that might misinterpret a Directory Server's success
response to bind operations that lack a password.
- Account policy plug-in provides control over inactive
accounts: The new account policy plug-in tracks login time stamps and
provides the administrator with the option to lock accounts based on the
duration of inactivity since the last login time.
- Replication agreements can be prioritized: The
multi-master replication plug-in has been enhanced to allow prioritization of
replication agreements. This allows the administrator to control the order in
which multiple replicas are updated. This may be useful, for example, when you
require that a backup master replica be updated completely before updating one
or more read-only replicas accessible by client applications.
- Subtree rename and Entry Move: This feature provides the
following functionalities:
- ability to rename a node that has children
- ability to move a node, with or without children to another parent node
- Syntax Validation Check: Earlier versions of Directory
Server did not perform any syntax validation; this release adds the capability
to enforce it. Syntax validation checks every modification to an attribute to
make sure that the new value has the syntax required for that attribute type.
- Strict DN Syntax Enforcement: A new configurable
parameter, nsslapd-dn-validate-strict, enables strict DN parsing as described
in RFC 4514.
- Support additional standard attribute syntaxes:
Additional standard attribute syntaxes supported in this release are:
- Numeric String
- Bit String
- Delivery Method
- Enhanced Guide
- Facsimile Telephone Number
- Fax, Guide, Name and Optional UID
- Printable String
- Teletex Terminal Identifier
- Number
- Aware Regex: A new thread-aware regex library improves the
throughput of complex regex searches.
- Ability to shut off anonymous access: This feature adds a
new config switch in cn=config, nsslapd-allow-anonymous-access that allows you
to restrict all anonymous access.
- Resource limits for anonymously bound clients: Enables you
to set resource limits (sizelimit, timelimit, lookthroughlimit) specifically for
anonymous connections.
- Requiring Secure Binds: A new configuration attribute
named nsslapd-require-secure-binds, when enabled, allows simple binds only over a
secure transport (SSL/TLS or a SASL privacy layer).
- Access based on the security strength of the connection:
A new ACI keyword, minssf, lets you grant or deny access based on how secure the
connection is, and a new global server setting in cn=config, nsslapd-minssf,
rejects operations on connections that fall below the configured strength.
- Linked attributes: This feature provides the ability to
link two attributes bidirectionally together across entries, so that, when one
attribute in one entry is altered, a corresponding attribute on a related
entry is automatically updated.
- Entry USN (Update Sequence Number): This feature adds a
USN to each updated entry. "Update" includes add, modify, modrdn and delete
operations; replicated operations also count as updates. The USN
plug-in gives LDAP clients a way to know that the database has been
updated.
- Named pipe log script: This feature allows the server to
send its log output to a named pipe instead of a log file. The named pipe log
script can:
- log only certain events
- log only lines that match a certain pattern
- send a notification when a certain event is detected
- log only the last N lines attached to a script, which is useful for
enabling full error log debug levels in production environments
- In-memory debug logging: This feature captures debug log
messages in memory instead of in a file, so that issues in a production
environment can be diagnosed without file logging. Features of in-memory
debug logging are as follows:
- Captures custom debug logs directly to a memory buffer.
- Produces diagnostic images quickly when issues are encountered.
- Can be enabled or disabled by changing a configuration parameter in the
dse.ldif file.
- Performs better than error logging to a file, because it requires fewer I/O
operations.
- Java 6 support: HP-UX Directory Server 8.1 is enhanced to support JRE version 1.6.0.20.00. Later versions of JRE 6.0 may also work.
- Apache 2.4 support: HP-UX Directory Server B.08.10.09 is enhanced to support Apache 2.4.18.01.01. Later minor versions of Apache 2.4 may also work.
HP-UX Directory Server B.08.10.09 does not support earlier versions of Apache.
Migration support from Sun Java System Directory Server
HPDS shares a common heritage with Sun Java System Directory Server (SJDS)
and has almost identical features and capabilities. This helps provide a smooth
transition from SJDS to HPDS, which provides a stable platform that is based on
current industry standards and is supportable for the long term. To make the
transition even easier, HPE now provides the sjdsmig.pl script with the HPDS
software (in /opt/dirsrv/contrib). This script facilitates migrating data from
SJDS.
Detailed information about the HP-UX Directory Server can be found at Directory
Server Documentation.
HP-UX Directory Server warnings:
- Replication failure when Subtree rename feature is enabled
Problem:
In HP-UX Directory Server B.08.10.09, when the Subtree rename feature is enabled in a replication environment, entry updates on a replica may fail with the following error because the changelog database cannot be updated:
Error Message:
ldap_add: Operations error
Error log message:
[DD/MMM/YYYY:HH:MM:SS] - libdb: BDB1566 txn_begin interface requires an environment configured for the transaction subsystem
[DD/MMM/YYYY:HH:MM:SS] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to start transaction; db error - 22 Invalid argument
[DD/MMM/YYYY:HH:MM:SS] NSMMReplicationPlugin - write_changelog_and_ruv: can't add a change for uid=user,dc=test,dc=hpe,dc=labs (uniqid: 8df8980f-cd7011e7-b155aae4-87a50860, optype: 16) to changelog csn 5a12c26a000000010000
Enabling the Subtree rename feature in HPDS with the /opt/dirsrv/slapd-{instance}/dn2rdn command sets the HPDS internal attribute nsslapd-db-transaction-logging to off in the dse.ldif file. From HPDS version B.08.10.09, the internal flag nsslapd-db-transaction-logging must be on (the default) for entries to be written to the changelog successfully.
Workaround:
When the Subtree rename feature is enabled (nsslapd-subtree-rename-switch: on), follow these steps for each instance in the replication environment to make replication work:
- Stop the slapd instance if it is running.
- Update the attribute nsslapd-db-transaction-logging under cn=config,cn=ldbm database,cn=plugins,cn=config to on in the file /etc/opt/dirsrv/slapd-{instance}/dse.ldif.
- Start the slapd instance.
Note:
If the master replica is updated before the workaround is applied, reinitialize the consumers from all the masters so that the updated entries are replicated to the consumers and replication resumes. Updates made on consumer masters may be lost when they are initialized from another master.
This workaround must be applied when the Subtree rename feature is enabled after upgrading from an earlier version of HPDS to HPDS B.08.10.09.
For more details on this problem, refer to QXCR1001607353 and contact the HPE Support Center.
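The dse.ldif edit from the workaround above, combined with a check of the nsslapd-allow-anonymous-access, nsslapd-require-secure-binds and nsslapd-minssf switches from the 8.1 feature list, as an added example written for this page (not HPE's code or tooling). It assumes the slapd instance is stopped before the edit and started afterwards, that the dse.ldif path is passed as the first argument (a constructed sample is used when none is given), and that the attribute names appear in the file exactly as shown on this page.

```shell
#!/bin/sh
# Added example (not HPE's code): apply the dse.ldif step of the subtree-rename
# workaround and audit the bind-hardening switches from the 8.1 feature list.
# Assumed: the slapd instance is stopped before this edit and started afterwards.
# Print the value of attribute $2 inside the LDIF entry whose DN is $1 in file $3.
ldif_get() {
    awk -v dn="dn: $1" -v attr="$2:" '
        $0 == dn                       { inside = 1; next }
        inside && $0 == ""             { exit }
        inside && index($0, attr) == 1 { sub(/^[^:]*: */, ""); print; exit }
    ' "$3"
}
# Rewrite attribute $2 of entry $1 to value $3 in file $4; other entries are untouched.
ldif_set() {
    awk -v dn="dn: $1" -v attr="$2:" -v val="$3" '
        $0 == dn                       { inside = 1 }
        inside && $0 == ""             { inside = 0 }
        inside && index($0, attr) == 1 { $0 = attr " " val }
        { print }
    ' "$4" > "$4.tmp" && mv "$4.tmp" "$4"
}
LDBM_DN='cn=config,cn=ldbm database,cn=plugins,cn=config'
# Workaround: dn2rdn leaves nsslapd-db-transaction-logging off, but B.08.10.09 needs
# it on for changelog writes. Touches the file only when subtree rename is on.
fix_txn_logging() {
    if [ "$(ldif_get cn=config nsslapd-subtree-rename-switch "$1")" = on ] &&
       [ "$(ldif_get "$LDBM_DN" nsslapd-db-transaction-logging "$1")" = off ]; then
        ldif_set "$LDBM_DN" nsslapd-db-transaction-logging on "$1" && echo fixed
    else
        echo "no change"
    fi
}
# One "WEAK:" line for each cn=config switch still at its permissive setting.
audit_bind_policy() {
    [ "$(ldif_get cn=config nsslapd-allow-anonymous-access "$1")" = off ] ||
        echo "WEAK: nsslapd-allow-anonymous-access is not off"
    [ "$(ldif_get cn=config nsslapd-require-secure-binds "$1")" = on ] ||
        echo "WEAK: nsslapd-require-secure-binds is off (cleartext simple binds accepted)"
    [ "$(ldif_get cn=config nsslapd-minssf "$1")" -gt 0 ] 2>/dev/null ||
        echo "WEAK: nsslapd-minssf is 0 or unset (operations allowed on unencrypted sessions)"
}
# Constructed sample (not a real dse.ldif) in the state dn2rdn leaves behind.
write_sample_dse() {
    printf '%s\n' 'dn: cn=config' 'cn: config' 'nsslapd-subtree-rename-switch: on' \
        'nsslapd-allow-anonymous-access: on' 'nsslapd-require-secure-binds: off' \
        'nsslapd-minssf: 0' '' "dn: $LDBM_DN" 'nsslapd-db-transaction-logging: off' '' > "$1"
}
DSE="${1:-./dse.ldif.sample}"; [ -f "$DSE" ] || write_sample_dse "$DSE"
fix_txn_logging "$DSE"; audit_bind_policy "$DSE"
```

Run it once per instance against the real dse.ldif while the instance is stopped; a second run reports "no change", which confirms the attribute is now on.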
Failure in deletion of an attribute from an entry in replication environment
Problem
HP-UX Directory Server versions B.08.10.07, B.08.10.05 and B.08.10.04 introduced a behavior that may result in an attribute not being deleted in a replication environment when it is deleted from an entry.
Solution
A fix for this issue has been identified and included in HP-UX Directory Server B.08.10.09. For more details on the problem and solution, refer to QXCR1001368887 and contact the HPE Support Center.
Product Pricing, Packaging, and Service
The HP-UX Directory Server is provided as part of your HP-UX OE software
package. Your HP-UX OE service contract covers the HP-UX Directory Server.
Note: While prior versions of Red Hat Directory Server for
HP-UX 11i required additional licensing fees for use in an extranet environment,
HP-UX Directory Server provides extranet support at no additional
charge.