LDAP: a protocol for accessing on-line directory services.
The IETF designed and specified LDAP as a better way to make use of X.500 directories - having found the original Directory Access Protocol (DAP) too complex for simple internet clients to use. LDAP defines a relatively simple protocol for updating and searching directories running over TCP/IP.
Use and Deployment
The best documentation for use and deployment can be found in the Red Hat Directory Server documentation. Although these documents are for Red Hat Directory Server, they apply to 389 DS as well. However, be sure to read the Release_Notes and Install_Guide for 389 DS first in case there are important differences. Also check the FAQ for information about differences between Red Hat and 389 Directory Servers.
The following documents are helpful for learning more about installation options, administration, and deployments:
- New Set up commands - Documentation for new 1.1 and later setup commands
- Install_Guide - Installation Guide
These are the official Red Hat Directory Server 9 docs but they apply to 389 1.2 and later releases:
- Deployment Guide - Planning your directory server deployment
- Installation Guide - Step by step guide to installation, setup, and migration
- Administrator's Guide - Server Administration using the console, command line, and files
- Configuration, Command, and File Reference - Reference guide to configuration entries, attributes, command line utilities, and files
- Frequently Asked Questions
- LDAP 101 - Architecture
- Performance Tuning
- Fedora DS Documentation in Spanish (not official)
- DSGW for 1.1 Installation Guide
- Building DSGW
- DSML Gateway for 1.1 Docs
- Using and configuring 389 web apps, including the DSGW, DS Express, Org Chart, and Admin Express
A series of articles about how to perform common server configuration tasks.
- FAQ#Troubleshooting - How to use the directory server error log levels to diagnose problems
- FAQ#Debugging_Crashes - How to get the right information for reporting crashes
- FAQ#Debugging_Hangs - How to get the right information for reporting hangs (server unresponsive, server won't shut down cleanly)
- Howto:ResetDirMgrPassword - How to reset the directory manager password
- Howto:PasswordReset - How to reset a password that has been locked out due to excessive failed attempts
- Howto:CertMapping - Map a certificate subjectDN to the user's entry when using client certificate based authentication.
- Howto:ChainOnUpdate - Allow read-only replicas to "follow" referrals on behalf of clients, and enable global password policy.
- Howto:MultiMasterReplication - How to configure multi-master replication without using the administration console.
- Howto:ReplicationMonitoring - How to check replication without using the administration console or website
- Howto:AdminServerLDAPMgmt - How to manage the Admin Server using LDAP
- Howto:SysVInit - How to start the directory server automatically at boot time.
- Howto:systemd - How to use 389 with systemd (systemd is the SysV Init replacement in Fedora 15 and later)
- Howto:ClassOfService - Class of Service (CoS) examples
- Howto:AccessControl - How to use access control - create restricted administrative account
- Howto:OperationalAttributes - How to access operational attributes
- Howto:LogSystemPerf - Do I need to turn off the access log to improve system performance?
- Howto:UnlimitedWidthLdapSearch - How do I set an unlimited line width for ldapsearch?
- Howto:LdapSearchSizeLimit - Why do I get the error message "ldap_search: Administrative limit exceeded"?
- Howto:LdapSearchManyAttr - How to count a large number of attribute entries using an anonymous bind
- Howto:WalkthroughMultimasterSSL - Setting up FDS with multi-master replication, SSL and importing OpenLDAP schema
- Howto:PAM_Pass_Through - Setting up the PAM pass through authentication plugin
- Howto:DNA - How to use Distributed Numeric Assignment to auto-generate uidNumber and gidNumber
- Howto:Default_Console_Object_Objectclass - How to set the list of default objectclasses the console uses to create new objects (Users, Groups, etc.)
- Howto:HostBasedAttributes - How to have different values for attributes on different hosts e.g. have a different login shell on certain hosts
- Howto:CLEANRUV - How to get rid of obsolete masters from your replication meta-data (i.e. the database RUV)
- CleanAllRUV_Design - How CLEANALLRUV works - the design doc.
- Sasl_Mapping_Fallback - How to configure Sasl Mapping Fallback and Prioritization
- Disable_Virtual_Attrs - How to disable virtual attribute lookups in searches (performance gain)
- RootDN_Access_Control - How to set up access control permissions for the Root DN
- Plugin_Track_Bind_DN - How to set up the internalModifiersname/internalCreatorsname feature
- SASL_Mechanism_Control - How to control what SASL mechanisms the server will allow
- Replication_Protocol_Timeout - What is the protocol timeout, and how to set it.
- Normalized_dn_cache - Details about the new cache, and how to configure it.
- Password_Administrator - How to set up Password Administrators.
- Replication_Retry_Settings - How to set the replication retry/backoff timers.
- SASL_Buffer - How to increase the SASL buffer.
- Howto:CopyACIs - How to copy ACIs from one server to another
- Howto:Fix_and_Reset_Time_Skew - When the replication CSN time skew grows too large, how to reset the CSN generator everywhere to get rid of time skew
A series of articles about how to get the Directory Server working with other tools.
- Directory Server Setup and Management
- Operating System
- Source - links to current source tarballs
Building and Installing
- Password_Syntax - Password syntax checking
- FHS_Packaging - Proposed Filesystem Hierarchy Standard Packaging layout
- Discrete_Packaging - Packaging 389 DS into smaller, discrete components
- FDS_Into_FedoraCore - Work required to get 389 DS into Fedora Core
- Migration_From_10 - How to migrate from a 1.0.x installation to 1.1 or later
- New_Setup_Design - New setup design for 1.1.0 and later
Proposed New Features
Directory Server Plugins
It's possible to write plugins that extend the functionality of the Directory Server. Our plugins page contains information on the API and the scope of the functionality. You might also want to look at our annotated license page for legal information on using the plugin API.
Here is the new location at oracle.com - http://download.oracle.com/docs/cd/E17076_02/html/toc.htm
There are quite a few books available on LDAP, but we maintain a list of books that we think are pretty good.
- initscripts - The name "dirsrv" has been registered with LSB/LANANA (Linux Standards Base/Linux Assigned Names And Numbers Authority) for use by initscripts
- http://www.lanana.org/index.html is the official link
- as of December 11, 2009, the name hasn't shown up in the official list, but it is in the unofficial list at http://spreadsheets.google.com/pub?key=ryJELLdkiF3qYry5_E4SWvQ&single=true&gid=0&output=html
- dirsrv - the main directory server
- dirsrv-admin - the administration server
- dirsrv-snmp - the snmp sub-agent
Some relevant RFCs that Directory Server supports include:
- RFC 1274 - The COSINE and Internet X.500 Schema
- RFC 1558 - A String Representation of LDAP Search Filters
- RFC 1777 - Lightweight Directory Access Protocol
- RFC 1778 - The String Representation of Standard Attribute Syntaxes
- RFC 1779 - A String Representation of Distinguished Names
- RFC 1823 - The LDAP Application Program Interface
- RFC 2222 - Simple Authentication and Security Layer (SASL)
- RFC 2247 - Using Domains in LDAP/X.500 Distinguished Names
- RFC 2251 - Lightweight Directory Access Protocol (v3)
- RFC 2252 - Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions
- RFC 2253 - Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names
- RFC 2254 - The String Representation of LDAP Search Filters
- RFC 2255 - The LDAP URL Format
- RFC 2256 - A Summary of the X.500(96) User Schema for use with LDAPv3
- RFC 2307 - An Approach for Using LDAP as a Network Information Service
- RFC 2377 - Naming Plan for Internet Directory-Enabled Applications
- RFC 2829 - Authentication Methods for LDAP
- RFC 2830 - Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security
- RFC 2849 - The LDAP Data Interchange Format (LDIF) - Technical Specification
- RFC 3377 - Lightweight Directory Access Protocol (v3): Technical Specification