Directory Server, Version 6.1
Basic server administration tasks
Unless stated otherwise, the following tasks can be performed by the directory administrator, a member of a global administrative group, or a member of the local administrative group based on their roles.
- Changing an administrator distinguished name and password
- Starting and stopping the server
- Checking server status
- Managing server connections
- Managing connection properties
- Managing unique attributes
Changing an administrator distinguished name and password
This task can be performed by the directory administrator only.
The administrator name and password are usually set during the server installation and configuration process. However, we can change an administrator name and an administrator password by using either the Web Administration Tool or the command line. See Setting the administration password and lockout policy for information about administration password security restrictions.
Using Web Administration:
Click User properties in the navigation area of the Web Administration Tool. Two selections are displayed:
- Change administrator login
- Specify a new Administrator DN in the field and enter the current password. Click OK or click Cancel to return to the Introduction panel without making any changes.
This selection is available only if you are logged in as the directory administrator. It is not available if you are logged in as a user or an administrative group member.
- Change password
- To change the password for the currently logged-in DN, type your current password in the Current password field. Then type your new password in the New password field and type it again in the Confirm new password field and click OK. Click Cancel to return to the Introduction panel without making any changes.
Using the command line:
We can use either the idsdnpw command or the idsxcfg utility from the command line.
Using the idsdnpw command:
idsdnpw -u <admindn> -p <adminPW>
To use the idsxcfg utility type idsxcfg on a command line. When the IBM® Tivoli® Directory Server Configuration Tool panel is displayed select Manage administrator DN to change the administrator's DN or Manage administrator password to change the administrator's password and follow the directions. See the IBM Tivoli Directory Server Version 6.1 Installation and Configuration Guide for additional information on using the idsxcfg utility.
See Distinguished names (DNs) for more information about distinguished names.
Starting and stopping the server
We can use either of the following methods to start or stop the server.
Using Web Administration:
The administration daemon (idsdiradm) for the given directory instance must be running.
The current status of the server, either started, stopped, or started in configuration mode, is indicated by the icons in the upper left-hand corner of the server status area. The current status is also described in the first sentence of the work area, for example:
The Directory Server is currently running
- If you have not done so already, click Server Administration in the Web Administration navigation area and then click Start/Stop/Restart Server in the expanded list.
When the Web admin tool is used to access the admin daemon:
- The status bar on the Start/Stop/Restart Server panel displays a message indicating that the tool is connected to the admin daemon. If you access panels that are not supported by admin daemon, a message is displayed indicating that the functions on the panels are not supported.
- The Start/Stop/Restart Server panel is enabled based on the capabilities present in rootDSE for ibm-supportedcapabilities attribute.
- The message area displays the current state of the server (stopped, running, or running in configuration only mode). Depending on the state of the server, running or stopped, buttons are enabled for you to change the state of the server.
Table 6. Actions available based on the status of the server
| Server status | Buttons available |
| --- | --- |
| Stopped | Start, Close |
| Running | Stop, Restart, Close |
| Running in configuration only mode | Stop, Restart, Close |
- If the server is running, click Stop to stop the server or Restart to stop and then start the server.
- If the server is stopped, click Start to start the server.
- Click Close to return to the Introduction panel.
- A message is displayed when the server successfully starts or stops.
If we need to perform server configuration maintenance, select the Start / Restart in configuration only mode check box. In this mode only the system administrator can bind to the server. All other connections are refused until the server is restarted with DB2® backends enabled (the Start / Restart in configuration only mode check box deselected). See Configuration only mode for additional information.
Configuration maintenance can be done while the server is running.
Using the command line or Windows Services icon:
Use the following commands to start the server:
The administration daemon (idsdiradm) must be running for the ibmdirctl
ibmdirctl -h mymachine -D myDN -w mypassword -p 3538 start
or
idsslapd -I <instancename>
Use the following commands to stop the server:
ibmdirctl -h mymachine -D myDN -w mypassword -p 3538 stop
or
idsslapd -I <instancename> -k
See the ibmdirctl and idsdiradm command information in the IBM Tivoli Directory Server version 6.1 Command Reference for more information.
For Windows® systems use the previous commands or:
- From the desktop, double-click the My Computer icon.
- Double-click the Control Panel icon.
- Double-click the Administrative Tools icon.
- Double-click the Services icon.
- To start the server, select Control Panel -> Administrative Tools -> Services, select IBM Tivoli Directory Server Instance V6.1 - <instancename> and click Start.
- To stop the server, select Control Panel -> Administrative Tools -> Services, select IBM Tivoli Directory Server Instance V6.1 - <instancename> and click Stop.
If you change the time zone on your Windows machine, you need to restart the server and the administration daemon in order for them to recognize the time change. This ensures that the time stamps in the administration daemon's logs match the time stamps in the server's logs.
Checking server status
We can check the status of the server by searching for the object classes under cn=monitor. To do this, use one of the following methods:
Using Web Administration:
Expand the Server administration category in the navigation area. Click View server status. This panel has nine tabs. At the bottom of this panel we can click Refresh to update the status displayed on the tab you are currently viewing or we can click Close to return to the IBM Tivoli Directory Server Introduction panel.
When the Web admin tool is used to access the admin daemon:
- The title of the View server status panel will change to View Admin Daemon status.
- The status bar on the View Admin Daemon Status panel displays a message indicating that the tool is connected to the admin daemon. If you access panels that are not supported by admin daemon, a message is displayed indicating that the functions on the panels are not supported.
- The View Admin Daemon Status panel is enabled based on the capabilities present in rootDSE for ibm-supportedcapabilities attribute.
If the directory server is running, the following information is displayed:
General
Click the General tab to display the following information:
- Hostname
- The host name of the LDAP server.
- Server status
- The server is either Running or Running in configuration only mode. We can determine the server status at any time from the three icons displayed in the upper left-hand corner of the server status area.
- Start time
- The time the server was started. The start time is in the format:
year-month-day hour:minutes:seconds GMT
- Current time
- The current time on the server. The current time is in the format:
year-month-day hour:minutes:seconds GMT
- Total threads
- The number of worker threads being used by the server.
- Total threads blocked on write
- The number of threads sending data back to the client.
- Total threads blocked on read
- The number of threads reading data from the client.
- Number of connections
- The number of currently active connections.
- Total connections
- The total number of connections since the server was started.
- Number of entries sent
- The number of entries sent by the server since the server was started.
- Percentage of entry cache used
- The percentage of entry cache currently used. This value is not displayed in configuration only mode.
- Percentage of search filter cache used
- The percentage of search filter cache currently used. This value is not displayed in configuration only mode.
- ACL cache
- A Boolean value indicating that the ACL cache is active (TRUE) or inactive (FALSE). This value is not displayed in configuration only mode.
- Maximum ACL cache size
- The maximum number of entries allowed in the ACL cache. This value is not displayed in configuration only mode.
- Bypass alias dereferencing
- The server runtime value that indicates if alias processing can be bypassed. It displays true, if no alias object exists in the directory, and false, if at least one alias object exists in the directory.
- Total number of SSL connections
- The total number of SSL connections since the server was started. This information displays only if the server you are connected to supports the monitor connection type counts feature.
- Total number of TLS connections
- The total number of TLS connections since the server was started. This information displays only if the server you are connected to supports the monitor connection type counts feature.
Operation counts
Click Operation counts to display the following information:
- Number of operations requested
- The number of initiated requests since the server was started.
- Number of operations completed
- The number of completed requests since the server was started.
- Number of search operations requested
- The number of initiated searches since the server was started.
- Number of search operations completed
- The number of completed searches since the server was started.
- Number of bind operations requested
- The number of bind requests since the server was started.
- Number of bind operations completed
- The number of completed bind requests since the server was started.
- Number of unbind operations requested
- The number of unbind requests since the server was started.
- Number of unbind operations completed
- The number of completed unbind requests since the server was started.
- Number of add operations requested
- The number of add requests since the server was started.
- Number of add operations completed
- The number of completed add requests since the server was started.
- Number of delete operations requested
- The number of delete requests since the server was started.
- Number of delete operations completed
- The number of completed delete requests since the server was started.
- Number of modify RDN operations requested
- The number of modify RDN requests since the server was started.
- Number of modify RDN operations completed
- The number of completed modify RDN requests since the server was started.
- Number of modify operations requested
- The number of modify requests since the server was started.
- Number of modify operations completed
- The number of completed modify requests since the server was started.
- Number of compare operations requested
- The number of compare requests since the server was started.
- Number of compare operations completed
- The number of completed compare requests since the server was started.
- Number of abandon operations requested
- The number of abandon requests since the server was started.
- Number of abandon operations completed
- The number of completed abandon requests since the server was started.
- Number of extended operations requested
- The number of extended requests since the server was started.
- Number of extended operations completed
- The number of completed extended requests since the server was started.
- Number of unknown operations requested
- The number of unknown requests since the server was started.
- Number of unknown operations completed
- The number of completed unknown requests since the server was started.
When accessing admin daemon using the Web admin tool, some fields will not be displayed.
Work queue
Click Work queue to display the following:
- Number of worker threads available
- The number of worker threads available for work.
- Depth of the work queue
- The current size of the work queue.
- Largest size of the work queue
- The largest size that the work queue has ever reached.
- Number of connections closed by automatic connection cleaner
- The number of idle connections closed by the automatic connection cleaner.
- Number of times the automatic connection cleaner has run
- The number of times the automatic connection cleaner has run.
When accessing admin daemon using the Web admin tool, some fields will not be displayed.
View worker status
Click View worker status to display information about the worker threads that are currently active. This information is useful when the server is not performing as expected or performing poorly. Performing this search suspends all server activity until it is completed. A warning to that effect is displayed and explains that the time to complete this operation depends on the number of connections and active worker threads. Click Yes to display the information.
The following worker thread information is displayed in a table.
- Thread ID
- The ID of the worker thread, for example, 2640.
- Operation
- The type of work request received, for example, search.
- Bind DN
- The DN used to bind to the server.
- Client IP
- The IP address of the client.
To view a worker thread's details, select the worker thread you want more information about from the View worker status table and click View. The following information fields about the selected worker thread are displayed:
- Thread ID
- The ID of the worker thread, for example, 2640.
- Operation
- The type of work request received, for example, search.
- LDAP version
- The LDAP version level, either V1, V2 or V3.
- Bind DN
- The DN used to bind to the server.
- Client IP
- The IP address of the client.
- Client port
- The port used by the client.
- Connection ID
- The number that identifies the connection.
- Received at
- The date and time that the work request was received.
- Request parameters
- Additional information about the operation. For example, if the request was a search, the following information is also provided:
base=cn=workers,cn=monitor
scope=baseObject
derefaliases=neverDerefAliases
typesonly=false
filter=(objectclass=*)
attributes=all
Click Close to return to the View worker status panel.
Directory cached attributes
Click Directory cached attributes to display the following information. The status items are displayed in a table format. You can use the arrows next to each header to specify a sort in either ascending or descending order. We can also either use the Select Action drop-down list to select Edit sort and click Go or click the Edit sort icon to specify up to three sort criteria.
Table 7. Directory cached attributes table (columns: Attribute, Number of cache hits, Cache size)
- Attribute
- The name of the attribute.
- Number of cache hits
- The number of times the cache for this attribute was used to resolve a search filter.
- Cache size
- The amount of memory used by this attribute cache.
This tab also contains two non-editable fields:
- Cached attribute total size (in kilobytes)
- The amount of memory being used by the cache.
This number includes additional memory used to manage the caches. Consequently, this total is larger than the sum of the memory used for the individual attribute caches.
- Cached attribute configured size
- The maximum amount of memory that can be used by attribute caching. See Adding attributes to and removing attributes from the attribute cache for instructions.
Directory cache candidates
This table is a list of the 10 non-cached attributes that are most frequently used in search filters that can be resolved by the attribute cache manager. If the frequency of the usage of these attributes is excessive, you might want to add them to the attribute cache. We can use the arrows next to each header to specify a sort in either ascending or descending order. We can also either use the Select Action drop-down list to select Edit sort and click Go or click the Edit sort icon to specify up to two sort criteria.
Table 8. Directory cache candidates table (columns: Attribute, Number of hits)
- Attribute
- The name of the attribute.
- Number of hits
- The number of times the attribute has been used in filters that can be resolved by the attribute cache manager.
Changelog cached attributes
Click Changelog cached attributes to display the following information. The status items are displayed in a table format. You can use the arrows next to each header to specify a sort in either ascending or descending order. We can also either use the Select Action drop-down list to select Edit sort and click Go or click the Edit sort icon to specify up to three sort criteria.
Table 9. Changelog cached attributes table (columns: Attribute, Number of cache hits, Cache size)
- Attribute
- The name of the attribute.
- Number of cache hits
- The number of times the cache for this attribute was used to resolve a search filter.
- Cache size
- The amount of memory used by this attribute cache.
This tab also contains two non-editable fields:
- Cached attribute total size (in kilobytes)
- The amount of memory being used by the cache.
This number includes additional memory used to manage the caches. Consequently, this total is larger than the sum of the memory used for the individual attribute caches.
- Cached attribute configured size
- The maximum amount of memory that can be used by attribute caching. See Adding attributes to and removing attributes from the attribute cache for instructions.
Changelog cache candidates
This table is a list of the 10 non-cached attributes that are most frequently used in search filters that can be resolved by the attribute cache manager. If the frequency of the usage of these attributes is excessive, you might want to add them to the attribute cache. We can use the arrows next to each header to specify a sort in either ascending or descending order. We can also either use the Select Action drop-down list to select Edit sort and click Go or click the Edit sort icon to specify up to two sort criteria.
Table 10. Changelog cache candidates table (columns: Attribute, Number of hits)
- Attribute
- The name of the attribute.
- Number of hits
- The number of times the attribute has been used in filters that can be resolved by the attribute cache manager.
Trace and logs
Click Trace and logs to view the following information:
- Trace enabled
- The current trace value for the server. TRUE, if collecting trace data, FALSE, if not collecting trace data. See the ldaptrace command information in the IBM Tivoli Directory Server version 6.1 Command Reference for information about enabling and starting the trace function.
- Trace message level
- The current ldap_debug value for the server. The value is in hexadecimal form, for example,
0x0=0 0xffff=65535
For more information, see the section on Debugging levels in the IBM Tivoli Directory Server version 6.1 Command Reference.
- Trace message log
- The name of the file that contains the trace output.
If the value is stderr, the output is displayed in the command window where the LDAP server was started. If the server was not started from the command line, no data is displayed.
- Number of messages added to server logs
- The number of error messages recorded since the server started.
- Number of messages added to DB2 error log
- The number of DB2 error messages recorded since the server started.
- Number of messages added to audit log
- The number of messages recorded by the audit log since the server started.
- Number of error messages added to audit log
- The number of failed operation messages recorded by the audit log.
Using the command line:
To determine server status using the command line, use the idsldapsearch command for the following bases:
- cn=monitor
- cn=workers,cn=monitor
- cn=connections,cn=monitor
- cn=changelog,cn=monitor
- cn=system,cn=monitor
cn=monitor
idsldapsearch -h <servername> -p <portnumber> -b cn=monitor -s base objectclass=*
This command returns the following information:
- cn=monitor
- version=IBM Tivoli Directory (SSL), Version 6.1
- totalconnections
- The total number of connections since the server was started.
- total_ssl_connections
- The total number of SSL connections since the server was started.
- total_tls_connections
- The total number of TLS connections since the server was started.
- currentconnections
- The number of active connections.
- maxconnections
- The maximum number of active connections allowed.
- writewaiters
- The number of threads sending data back to the client.
- readwaiters
- The number of threads reading data from the client.
- opsinitiated
- The number of requests since the server was started.
- livethreads
- The number of worker threads being used by the server.
- opscompleted
- The number of completed requests since the server was started.
- entriessent
- The number of entries sent by the server since the server was started.
- searchesrequested
- The number of requested searches since the server was started.
- searchescompleted
- The number of completed searches since the server was started.
- bindsrequested
- The number of bind operations requested since the server was started.
- bindscompleted
- The number of bind operations completed since the server was started.
- unbindsrequested
- The number of unbind operations requested since the server was started.
- unbindscompleted
- The number of unbind operations completed since the server was started.
- addsrequested
- The number of add operations requested since the server was started.
- addscompleted
- The number of add operations completed since the server was started.
- deletesrequested
- The number of delete operations requested since the server was started.
- deletescompleted
- The number of delete operations completed since the server was started.
- modrdnsrequested
- The number of modify RDN operations requested since the server was started.
- modrdnscompleted
- The number of modify RDN operations completed since the server was started.
- modifiesrequested
- The number of modify operations requested since the server was started.
- modifiescompleted
- The number of modify operations completed since the server was started.
- comparesrequested
- The number of compare operations requested since the server was started.
- comparescompleted
- The number of compare operations completed since the server was started.
- abandonsrequested
- The number of abandon operations requested since the server was started.
- abandonscompleted
- The number of abandon operations completed since the server was started.
- extopsrequested
- The number of extended operations requested since the server was started.
- extopscompleted
- The number of extended operations completed since the server was started.
- unknownopsrequested
- The number of unknown operations requested since the server was started.
- unknownopscompleted
- The number of unknown operations completed since the server was started.
- slapderrorlog_messages
- The number of server error messages recorded since the server was started or since a reset was performed.
- slapdclierrors_messages
- The number of DB2 error messages recorded since the server was started or since a reset was performed.
- auditlog_messages
- The number of audit messages recorded since the server was started or since a reset was performed.
- auditlog_failedop_messages
- The number of failed operation messages recorded since the server was started or since a reset was performed.
- filter_cache_size
- The maximum number of filters allowed in the cache.
- filter_cache_current
- The number of filters currently in the cache.
- filter_cache_hit
- The number of filters found in the cache.
- filter_cache_miss
- The number of search operations that attempted to use the filter cache, but didn't find a matching operation in the cache.
- filter_cache_bypass_limit
- Search filters that return more entries than this limit are not cached.
- entry_cache_size
- The maximum number of entries allowed in the cache.
- entry_cache_current
- The number of entries currently in the cache.
- entry_cache_hit
- The number of entries found in the cache.
- entry_cache_miss
- The number of entries not found in the cache.
- acl_cache
- A Boolean value indicating that the ACL cache is active (TRUE) or inactive (FALSE).
- acl_cache_size
- The maximum number of entries in the ACL cache.
- cached_attribute_total_size
- The amount of memory in kilobytes used by attribute caching.
- cached_attribute_configured_size
- The amount of memory in kilobytes that can be used by attribute caching.
- cached_attribute_hit
- The number of times the attribute has been used in a filter that could be processed by the changelog attribute cache. The value is reported as follows:
cached_attribute_hit=attrname:#####
- cached_attribute_size
- The amount of memory used for this attribute in the changelog attribute cache. This value is reported in kilobytes as follows:
cached_attribute_size=attrname:######
- cached_attribute_candidate_hit
- A list of up to ten most frequently used noncached attributes that have been used in a filter that could have been processed by the changelog attribute cache if all of the attributes used in the filter had been cached. The value is reported as follows:
cached_attribute_candidate_hit=attrname:#####
We can use this list to help you decide which attributes you want to cache. Typically, you want to put a limited number of attributes into the attribute cache because of memory constraints.
- currenttime
- The current time on the server. The current time is in the format:
year-month-day hour:minutes:seconds GMT
- starttime
- The time the server was started. The start time is in the format:
year-month-day hour:minutes:seconds GMT
- trace_enabled
- The current trace value for the server. TRUE, if collecting trace data, FALSE, if not collecting trace data. See the ldaptrace command information in the IBM Tivoli Directory Server version 6.1 Command Reference for information about enabling and starting the trace function.
- trace_message_level
- The current ldap_debug value for the server. The value is in hexadecimal form, for example:
0x0=0 0xffff=65535
For more information, see the section on Debugging levels in the IBM Tivoli Directory Server version 6.1 Command Reference.
- trace_message_log
- The current LDAP_DEBUG_FILE environment variable setting for the server.
- en_currentregs
- The current number of client registrations for event notification.
- en_notificationssent
- The total number of event notifications sent to clients since the server was started.
- bypass_deref_aliases
- The server runtime value that indicates if alias processing can be bypassed. It displays true, if no alias object exists in the directory, and false, if at least one alias object exists in the directory.
- available_workers
- The number of worker threads available for work.
- current_workqueue_size
- The current depth of the work queue.
- largest_workqueue_size
- The largest size that the work queue has ever reached.
- idle_connections_closed
- The number of idle connections closed by the Automatic Connection Cleaner.
- auto_connection_cleaner_run
- The number of times that the Automatic Connection Cleaner has run.
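The counters above are most useful as ratios and differences. The following is an added example, not part of the original documentation or of IBM's tooling: it parses `cn=monitor` output in attr=value form and derives cache hit ratios, outstanding operations, connection utilization and the audited failed-operation fraction. The sample values and the two alert limits are assumptions.

```python
from collections import defaultdict

# Constructed sample in the attr=value form the page shows for idsldapsearch
# output. Attribute names are the page's; every number is invented.
SAMPLE_MONITOR = """\
cn=monitor
currentconnections=45
maxconnections=1024
opsinitiated=50000
opscompleted=49990
filter_cache_hit=800
filter_cache_miss=200
entry_cache_hit=9000
entry_cache_miss=1000
auditlog_messages=4000
auditlog_failedop_messages=600
cached_attribute_candidate_hit=uid:30
cached_attribute_candidate_hit=mail:75
trace_enabled=FALSE
"""


def parse_monitor(text):
    """Return {attribute: [values]} with lower-cased attribute names."""
    attrs = defaultdict(list)
    for line in text.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep and name:
            attrs[name.lower()].append(value)
    return dict(attrs)


def _counter(attrs, name):
    """First value of a counter as int; None when absent or not numeric."""
    try:
        return int(attrs[name][0])
    except (KeyError, IndexError, ValueError):
        return None


def _fraction(part, whole):
    """part/whole, or None when either is missing or whole is zero."""
    if part is None or not whole:
        return None
    return part / whole


def _hit_ratio(attrs, prefix):
    """hit/(hit+miss); None when absent (e.g. configuration only mode)."""
    hit, miss = _counter(attrs, prefix + "_hit"), _counter(attrs, prefix + "_miss")
    return None if None in (hit, miss) else _fraction(hit, hit + miss)


def _name_counts(attrs, name):
    """Decode multi-valued 'attrname:count' values, highest count first."""
    pairs = []
    for value in attrs.get(name, []):
        attr, _, count = value.rpartition(":")
        if attr and count.isdigit():
            pairs.append((attr, int(count)))
    return sorted(pairs, key=lambda pair: (-pair[1], pair[0]))


def summarize(attrs):
    """Derive health indicators from parsed cn=monitor attributes."""
    started = _counter(attrs, "opsinitiated")
    done = _counter(attrs, "opscompleted")
    return {
        "ops_outstanding": None if None in (started, done) else started - done,
        "connection_utilization": _fraction(
            _counter(attrs, "currentconnections"),
            _counter(attrs, "maxconnections")),
        "filter_cache_hit_ratio": _hit_ratio(attrs, "filter_cache"),
        "entry_cache_hit_ratio": _hit_ratio(attrs, "entry_cache"),
        "audit_failed_fraction": _fraction(
            _counter(attrs, "auditlog_failedop_messages"),
            _counter(attrs, "auditlog_messages")),
        "trace_enabled": attrs.get("trace_enabled", [""])[0].upper() == "TRUE",
        "cache_candidates": _name_counts(attrs, "cached_attribute_candidate_hit"),
    }


def findings(summary, max_connection_utilization=0.80, max_audit_failed=0.10):
    """Flag indicators over the given limits (the defaults are assumptions)."""
    flagged = []
    limits = (("connection_utilization", max_connection_utilization),
              ("audit_failed_fraction", max_audit_failed))
    for key, limit in limits:
        value = summary[key]
        if value is not None and value > limit:
            flagged.append(f"{key}={value:.2f} exceeds {limit:.2f}")
    if summary["trace_enabled"]:
        flagged.append("trace_enabled=TRUE")
    return flagged


if __name__ == "__main__":
    print(findings(summarize(parse_monitor(SAMPLE_MONITOR))))
```

Because the counters are cumulative since server start (or since a reset, for the log counters), sampling them twice and differencing gives rates for an interval.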
cn=workers,cn=monitor
For worker thread information, ensure that auditing is enabled and issue the following command:
idsldapsearch -D <adminDN> -w <adminpw> -b cn=workers,cn=monitor -s base objectclass=*
This command gives the following type of information for each active worker:
- cn=workers,cn=monitor
- cn=workers
- objectclass=container
- cn=thread2640,cn=workers,cn=monitor
- thread
- The number of the worker thread, for example, 2640.
- ldapversion
- The LDAP version level, either V1 or V2.
- binddn
- The DN used to bind to the server.
- clientip
- The IP address of the client.
- clientport
- The port used by the client.
- connectionid
- The number identifying the connection.
- received
- The date and time that the work request was received.
- workrequest
- The type of work request received and additional information about the request. For example, if the request was a search, the following information is also provided:
base=cn=workers,cn=monitor
scope=baseObject
derefaliases=neverDerefAliases
typesonly=false
filter=(objectclass=*)
attributes=all
cn=connections,cn=monitor
idsldapsearch -D <adminDN> -w <adminpw> -h <servername> -p <portname> -b cn=connections,cn=monitor -s base objectclass=*
This search returns something similar to the following:
cn=connections,cn=monitor
connection=3546 : 9.48.181.83 : 2005-02-28 21:53:54 GMT : 1 : 5 : CN=ROOT : :
connection=3550 : 9.48.181.83 : 2005-02-28 21:53:54 GMT : 1 : 3 : CN=ROOT : :
connection=3551 : 9.48.181.83 : 2005-02-28 21:53:55 GMT : 1 : 4 : CN=ROOT : :
connection=3553 : 9.48.181.83 : 2005-02-28 21:53:55 GMT : 1 : 3 : CN=ROOT : :
connection=3554 : 9.48.181.83 : 2005-02-28 21:53:55 GMT : 1 : 5 : CN=ROOT : :
connection=3555 : 9.48.181.83 : 2005-02-28 21:53:55 GMT : 1 : 2 : CN=ROOT : :
connection=3556 : 9.48.181.83 : 2005-02-28 21:53:55 GMT : 1 : 2 : CN=ROOT : :
connection=3557 : 9.48.181.83 : 2005-02-28 21:53:55 GMT : 1 : 1 : CN=ROOT : :
connection=3558 : 9.48.181.83 : 2005-02-28 21:53:55 GMT : 1 : 1 : CN=ROOT : :
connection=3559 : 9.48.181.83 : 2005-02-28 21:53:55 GMT : 0 : 1 : CN=ROOT : :
- connection=xxxx
- The connection number.
- 9.48.181.83
- The server IP address.
- 2005-02-28 21:53:54 GMT
- The current time on the server. The current time is in the format:
year-month-day hour:minutes:seconds GMT
- 1 : 5
- The opsinprogress and opscompleted, respectively.
- opsinprogress – The number of requests in progress.
- opscompleted – The number of completed requests since the server was started.
- CN=ROOT
- This is the Administrator DN.
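The colon-separated connection values can be turned into a per-identity view for review. The following is an added example, not part of the original documentation: it parses the `connection=` lines in the layout shown above, totals connections and operation counts per bind DN and IP address field, and lists connections where a given DN appears with an address outside an expected set. The last two sample lines, the allow-list and the simplified DN comparison are assumptions.

```python
from collections import namedtuple
from datetime import datetime, timezone

# The first three connection lines are copied from the sample output above.
# The last two are constructed for this example (192.0.2.10 is a
# documentation address) to exercise the allow-list and malformed-line paths.
SAMPLE_CONNECTIONS = """\
cn=connections,cn=monitor
connection=3546 : 9.48.181.83 : 2005-02-28 21:53:54 GMT : 1 : 5 : CN=ROOT : :
connection=3550 : 9.48.181.83 : 2005-02-28 21:53:54 GMT : 1 : 3 : CN=ROOT : :
connection=3559 : 9.48.181.83 : 2005-02-28 21:53:55 GMT : 0 : 1 : CN=ROOT : :
connection=3560 : 192.0.2.10 : 2005-02-28 21:53:56 GMT : 0 : 7 : cn=root : :
connection=3561 : 192.0.2.10 : not-a-time : 0 : 0 : CN=ROOT : :
"""

Connection = namedtuple(
    "Connection", "conn_id ip timestamp ops_in_progress ops_completed bind_dn")


def normalize_dn(dn):
    """Simplified comparison key: case-folded, no spaces around commas.

    Assumption: DNs here contain no escaped commas.
    """
    return ",".join(part.strip() for part in dn.split(",")).casefold()


def parse_connection(line):
    """Parse one 'connection=' line; raise ValueError if it does not fit."""
    fields = [field.strip() for field in line.strip().split(" : ")]
    if len(fields) < 6 or not fields[0].lower().startswith("connection="):
        raise ValueError("unexpected field layout")
    stamp = datetime.strptime(fields[2], "%Y-%m-%d %H:%M:%S GMT")
    return Connection(
        conn_id=int(fields[0].split("=", 1)[1]),
        ip=fields[1],
        timestamp=stamp.replace(tzinfo=timezone.utc),
        ops_in_progress=int(fields[3]),
        ops_completed=int(fields[4]),
        bind_dn=fields[5],
    )


def parse_connections(text):
    """Return (connections, rejected_lines); other lines are skipped."""
    connections, rejected = [], []
    for line in text.splitlines():
        if not line.strip().lower().startswith("connection="):
            continue  # entry DN line or blank line
        try:
            connections.append(parse_connection(line))
        except ValueError:
            rejected.append(line)  # keep for review instead of dropping silently
    return connections, rejected


def by_identity(connections):
    """Total connections and operation counts per (bind DN, IP) pair."""
    totals = {}
    for conn in connections:
        key = (normalize_dn(conn.bind_dn), conn.ip)
        entry = totals.setdefault(
            key, {"connections": 0, "ops_in_progress": 0, "ops_completed": 0})
        entry["connections"] += 1
        entry["ops_in_progress"] += conn.ops_in_progress
        entry["ops_completed"] += conn.ops_completed
    return totals


def binds_outside_allowlist(connections, bind_dn, expected_ips):
    """Connection IDs bound as bind_dn whose IP field is not in expected_ips."""
    wanted = normalize_dn(bind_dn)
    return [conn.conn_id for conn in connections
            if normalize_dn(conn.bind_dn) == wanted and conn.ip not in expected_ips]


if __name__ == "__main__":
    conns, bad = parse_connections(SAMPLE_CONNECTIONS)
    print(by_identity(conns))
    print(binds_outside_allowlist(conns, "cn=root", {"9.48.181.83"}), bad)
```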
cn=changelog,cn=monitor
idsldapsearch -D <adminDN> -w <adminpw> -h <servername> -p <portname> -b cn=changelog,cn=monitor -s base objectclass=*
This search returns something similar to the following:
CN=CHANGELOG,CN=MONITOR
cached_attribute_total_size=0
cached_attribute_configured_size=0
- cached_attribute_total_size
- The amount of memory used by the changelog attribute cache, in kilobytes. This number includes additional memory used to manage the cache that is not charged to the individual attribute caches. Consequently, this total is larger than the sum of the memory used by all the individual attribute caches.
- cached_attribute_configured_size
- The maximum amount of memory, in kilobytes, that is enabled to be used by the changelog attribute cache.
- cached_attribute_hit
- The number of times the attribute has been used in a filter that could be processed by the changelog attribute cache. The value is reported as follows:
cached_attribute_hit=attrname:#####
- cached_attribute_size
- The amount of memory used for this attribute in the changelog attribute cache. This value is reported in kilobytes as follows:
cached_attribute_size=attrname:######
- cached_attribute_candidate_hit
- A list of up to ten most frequently used noncached attributes that have been used in a filter that could have been processed by the changelog attribute cache if all of the attributes used in the filter had been cached. The value is reported as follows:
cached_attribute_candidate_hit=attrname:#####
We can use this list to help you decide which attributes you want to cache. Typically, you want to put a limited number of attributes into the attribute cache because of memory constraints.
cn=system,cn=monitor
To collect system information from machines on which the directory server is running, issue the following command:
idsldapsearch -D <adminDN> -w <adminpw> -b cn=system,cn=monitor -s base objectclass=*
The information that is returned depends on the operating system on which the directory server is running. The following information is returned for machines running the Windows operating system:
- operatingSystem
- Operating system name. For instance, Windows or Windows-X640.
- memoryUsed
- The amount of virtual memory used (KB).
- memoryFree
- The amount of idle memory (KB).
- diskSpaceUsedByDB
- Disk space used by the directory where DB2 database is stored (KB).
- diskSpaceAvailableToDB
- Disk space available to DB2 database (KB).
The following information is returned for machines running non-Windows operating systems:
- operatingSystem
- Operating system name. For instance, Linux-x32, Linux-x64, Linux-PPC, Linux-Z, Solaris, Solaris-x86, AIX®, or HP-UX.
- diskSpaceUsedByDB
- Disk space used by the directory where DB2 database is stored (KB).
- diskSpaceAvailableToDB
- Disk space available to DB2 database (KB).
Viewing root DSE information
A root DSE entry contains information about an LDAP server instance, which can be queried by a root DSE search. On performing a root DSE search on a server instance, root DSE attributes and their values, OIDs of supported and enabled capabilities, OIDs of supported extensions and controls are displayed. To view root DSE information, use any one of the following methods.
Using Web Administration
If you have not done so already, click Server administration in the Web Administration navigation area and then click View Root DSE in the expanded list. Next, click General.
The General tab displays the following information.
- Server instance name
- This field displays the name of the directory server instance running on the server. This field is populated with the value of the ibm-slapdServerInstanceName attribute in the root DSE entry.
- Server Id
- This field displays the unique ID assigned to the server at the first startup of the server. This ID is used in replication topology to determine a server's role. This field is populated with the value of the ibm-serverId attribute in the root DSE entry.
- Port number
- This field displays the non secure port on which the server is listening. This is present only if the server does not have a secure port enabled. This field is populated with the value of the port attribute in the root DSE entry.
- Directory version
- This field displays the version of IBM Tivoli Directory Server (TDS) installed on the server. This field is populated with the value of the ibmdirectoryversion attribute in the root DSE entry.
- Server backend
- This field specifies whether this server loads a database or proxy backend. This field is populated with the value of the ibm-slapdServerBackend attribute in the root DSE entry.
- Supported audit version
- This field displays the supported version of auditing. This field is populated with the value of the ibm-supportedAuditVersion attribute in the root DSE entry.
- LDAP service name
- This field displays the host name of the server. If a Kerberos realm is defined, the value is displayed in the form hostname@realmname. This field is populated with the value of the ibm-ldapservicename attribute in the root DSE entry.
- Security
- This field displays the secure SSL port the server is listening on. This field is populated with the value of the security attribute in the root DSE entry.
- Size limit
- This field displays the limit on the number of entries returned by a search initiated by non administrative users. This field is populated with the value of the ibm-slapdSizeLimit attribute in the root DSE entry.
- Time limit (seconds)
- This field displays the maximum amount of time in seconds the server spends processing a search request initiated by non administrative users. This field is populated with the value of the ibm-slapdTimeLimit attribute in the root DSE entry.
- Dereferences alias
- This field displays how the server is configured to handle dereferencing. This field is populated with the value of the ibm-slapdDerefAliases attribute in the root DSE entry.
- Vendor name
- This field displays the supplier of this version of LDAP running on the server. This field is populated with the value of the vendorname attribute in the root DSE entry. For example, for IBM Tivoli Directory Server (TDS), this is set to International Business Machines (IBM).
- Vendor version
- This field displays the version of the directory server. This field is populated with the value of the vendorversion attribute in the root DSE entry. For example, for IBM Tivoli Directory Server (TDS) 6.1, the vendor version is set to 6.1.
- Sub schema sub entry
- This field displays the name of a subschema entry in which the server makes available attributes specifying the schema. This field is populated with the value of the subschemasubentry attribute in the root DSE entry. Its value is set to cn=schema.
- SASL digest realm name
- This field displays the SASL digest realm name associated with the server. This field is populated with the value of the ibm-sasldigestrealmname attribute in the root DSE entry.
- Supported LDAP version
- This list displays the LDAP versions implemented by the current server. This list is populated with the values of the supportedldapversion attribute in the root DSE entry. The values of this attribute are the versions of the LDAP protocol that the server implements.
- Naming context
- This list displays the naming contexts available in the server. This list is populated with the values of the namingcontexts attribute in the root DSE entry. The values of this attribute correspond to the naming contexts that this server masters or shadows. If the server does not master or shadow any information (for example, it is an LDAP gateway to a public X.500 directory), this attribute is absent.
If the server contains the entire directory, the attribute has a single value and that value is an empty string indicating the null DN of the root. This allows a client to choose suitable base objects for searching when it has contacted a server.
- Configuration naming context
- This field displays the suffix where the server's configuration entries are stored. This field is populated with the value of the ibm-configurationnamingcontext attribute in the root DSE entry.
We can click Refresh to refresh the information on this panel. Click Close to return to the "Introduction" panel. To view information about the supported capabilities, click Supported Capabilities. The Supported Capabilities tab displays the following information:
- Supported Capabilities
- This list displays the server capabilities currently supported by the server. This list is populated with the values of the ibm-supportedcapabilities attribute in the root DSE entry.
We can click Refresh to refresh the information on this panel. Click Close to return to the "Introduction" panel. To view information about the enabled capabilities, click Enabled Capabilities. The Enabled Capabilities tab displays the following information:
- Enabled Capabilities
- This list displays the server capabilities currently enabled for use on the server. This list is populated with the values of the ibm-enabledcapabilities attribute in the root DSE entry.
We can click Refresh to refresh the information on this panel. Click Close to return to the "Introduction" panel. To view information about the supported extensions, click Supported Extensions. The Supported Extensions tab displays the following information:
- Supported Extensions
- This list displays the object identifiers (OIDs) of the extended operations that the server supports. This list is populated with the values of the supportedExtension attribute in the root DSE entry.
We can click Refresh to refresh the information on this panel. Click Close to return to the "Introduction" panel. To view information about the supported controls, click Supported Controls. The Supported Controls tab displays the following information:
- Supported Controls
- This list displays the object identifiers (OIDs) of the controls that the server supports. This list is populated with the values of the supportedControl attribute in the root DSE entry.
We can click Refresh to refresh the information on this panel. Click Close to return to the "Introduction" panel. To view information about the supported SASL mechanism, click Supported SASL Mechanism. The Supported SASL Mechanism tab displays the following information:
- Supported SASL Mechanism
- This list displays the names of all the SASL mechanisms supported by the server. This list is populated with the values of the supportedsaslmechanisms attribute in the root DSE entry. This attribute contains any SASL mechanism that is registered to the server.
We can click Refresh to refresh the information on this panel. Click Close to return to the "Introduction" panel.
Using command line
To initiate a root DSE search issue the following command:
idsldapsearch -s base -b "" objectclass=*
To list the server capabilities currently supported by the server, issue the following command:
idsldapsearch -s base -b "" objectclass=* ibm-supportedcapabilities
To list the server capabilities currently enabled for use on the server, issue the following command:
idsldapsearch -s base -b "" objectclass=* ibm-enabledcapabilities
Managing server connections
We can use one of the following methods to check the connection status of the server.
Using Web Administration:
Expand the Server administration category in the navigation area. Click Manage server connections. A table containing the following information for each connection is displayed. We can use the arrows next to each header to specify a sort in either ascending or descending order. We can also either use the Select Action drop-down list to select Edit sort and click Go or click the Edit sort icon to specify up to three sort criteria.
- DN
- Specifies the DNs of a client connection to the server.
- IP address
- Specifies the IP address of the client that has a connection to the server.
- Start time
- Specifies the date and time when the connection was made.
- Status
- Specifies whether the connection is active or idle. A connection is considered active if it has any operations in progress.
- Ops pending
- Specifies the number of operations pending since the connection was established.
- Ops completed
- Specifies the number of operations that have been completed for each connection.
- Type
- Specifies whether the connection is secured by SSL or TLS. Otherwise the field is blank.
Notes:
- This table displays up to 20 connections at a time.
We can specify to have this table displayed by either DN or IP address by expanding the drop-down menu at the top of the panel and making a selection. The default selection is by DN. Similarly we can also specify whether to display the table in ascending or descending order.
Click Refresh or select Refresh from the Select Action drop-down list and click Go to update the current connection information.
If you are logged on as the administrator or as a member of the Local administration group having DirDataAdmin or ServerConfigGroupMember role, you have additional selections to disconnect server connections available on the panel. This ability to disconnect server connections enables you to stop denial of service attacks and to control server access. We can disconnect a connection by expanding the drop-down menus and selecting a DN, an IP address or both and clicking Disconnect. Depending on your selections the following actions occur:
Table 11. Disconnection rules
| DN chosen | IP address chosen | Action |
| --- | --- | --- |
| <DNvalue> | None | All connections bound with the specified DN are disconnected. |
| None | <IPvalue> | All connections over the specified IP address are disconnected. |
| <DNvalue> | <IPvalue> | All connections bound as the specified DN and over the specified IP address are disconnected. |
| None | None | This is not a valid condition. You must specify a DN or an IP address or both to use the disconnect function. |
The default value for each of the drop-down menus is None.
To disconnect all server connections except for the one making this request click Disconnect all. A confirmation warning is displayed. Click OK to proceed with the disconnect action or click Cancel to end the action and return to the Manage server connections panel.
Using the command line:
To view server connections, issue the command:
idsldapsearch -D <adminDN> -w <adminPW> -h <servername> -p <portnumber> -b cn=connections,cn=monitor -s base objectclass=*
This command returns information in the following format:
cn=connections,cn=monitor
connection=1632 : 9.41.21.31 : 2002-10-05 19:18:21 GMT : 1 : 1 : CN=ADMIN : :
connection=1487 : 127.0.0.1 : 2002-10-05 19:17:01 GMT : 1 : 1 : CN=ADMIN : :
If appropriate, an SSL or a TLS indicator is added on each connection.
To end server connections, issue one of the following commands:
# To disconnect a specific DN:
idsldapexop -D <adminDN> -w <adminPW> -op unbind -dn cn=john
# To disconnect a specific IP address:
idsldapexop -D <adminDN> -w <adminPW> -op unbind -ip 9.182.173.43
# To disconnect a specific DN over a specific IP address:
idsldapexop -D <adminDN> -w <adminPW> -op unbind -dn cn=john -ip 9.182.173.43
# To disconnect all connections:
idsldapexop -D <adminDN> -w <adminPW> -op unbind -all
See the ldapexop command information in the IBM Tivoli Directory Server version 6.1 Command Reference for more information on ending connections.
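The connection listing shown above can be reviewed programmatically before a DN or IP address is chosen for disconnection. The following Python is an added example, not part of the IBM documentation: the sample lines after the first two are constructed, the per-source limit is an arbitrary choice, and the position of the SSL/TLS indicator in the trailing fields is an assumption.

```python
from collections import Counter, defaultdict

# Constructed sample in the format shown above; not captured from a real server.
# Assumption: the SSL/TLS indicator, when present, is the literal token "SSL"
# or "TLS" in the trailing fields after the bind DN.
SAMPLE = """\
cn=connections,cn=monitor
connection=1632 : 9.41.21.31 : 2002-10-05 19:18:21 GMT : 1 : 1 : CN=ADMIN : :
connection=1487 : 127.0.0.1 : 2002-10-05 19:17:01 GMT : 1 : 1 : CN=ADMIN : :
connection=1701 : 192.0.2.15 : 2002-10-05 19:20:02 GMT : 0 : 0 : CN=JOHN : :
connection=1702 : 192.0.2.15 : 2002-10-05 19:20:02 GMT : 0 : 0 : CN=JOHN : :
connection=1703 : 192.0.2.15 : 2002-10-05 19:20:03 GMT : 0 : 0 : CN=JOHN : :
connection=1710 : 198.51.100.7 : 2002-10-05 19:21:40 GMT : 0 : 12 : CN=APP : SSL :
"""

def parse_connections(text):
    """Turn cn=connections,cn=monitor output into a list of dicts."""
    conns = []
    for line in text.splitlines():
        # Fields are separated by " : "; the time itself uses ":" without spaces.
        parts = line.strip().split(" : ", 6)
        if len(parts) < 6 or not parts[0].startswith("connection="):
            continue  # entry DN line, blank line or malformed line
        trailer = parts[6].split() if len(parts) > 6 else []
        conns.append({
            "id": int(parts[0].split("=", 1)[1]),
            "ip": parts[1].strip(),
            "started": parts[2].strip(),
            "opsinprogress": int(parts[3]),
            "opscompleted": int(parts[4]),
            "dn": parts[5].strip(),
            "type": next((t for t in ("SSL", "TLS") if t in trailer), ""),
        })
    return conns

def review_connections(conns, per_ip_limit=2):
    """Summarize what an administrator weighs before disconnecting."""
    per_ip = Counter(c["ip"] for c in conns)
    dns_by_ip = defaultdict(set)
    for c in conns:
        dns_by_ip[c["ip"]].add(c["dn"])
    return {
        # Sources holding more connections than the limit, with the DNs bound
        # from them, so the DN / IP selection of Table 11 can be made.
        "busy_sources": {ip: sorted(dns_by_ip[ip])
                         for ip, n in per_ip.items() if n > per_ip_limit},
        # Idle connections: no operation in progress.
        "idle": [c["id"] for c in conns if c["opsinprogress"] == 0],
        # Connections without an SSL or TLS indicator.
        "cleartext": [c["id"] for c in conns if not c["type"]],
    }

if __name__ == "__main__":
    for key, value in review_connections(parse_connections(SAMPLE)).items():
        print(key, value)
```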
Managing connection properties
The ability to manage connection properties enables you to prevent clients from locking up the server by closing connections of clients that:
- Send data slowly, send partial data or send no data.
- Do not read data results or read results slowly.
- Do not unbind.
- Bind anonymously.
It also ensures that an administrator always has access to the server in the cases that the backend is kept busy with long running tasks.
Using Web Administration:
These selections are displayed only if you are logged in as the administrator or a member of the administration group on a server that supports this feature.
Expand the Server administration category in the navigation area. Click Manage connection properties.
The actual maximum threshold numbers are limited by the number of files permitted per process. On UNIX® or Linux® systems we can use the ulimit -a command to determine the limits. On Windows systems this is a fixed number.
- Select the General tab.
- The Allow anonymous connections check box is already selected for you so that anonymous binds are allowed. This is the default setting. We can click the check box to deselect the Allow anonymous connections feature. This action causes the server to unbind all anonymous connections.
Disallowing anonymous binds might cause some applications to fail.
- Set the threshold number to initiate the cleanup of anonymous connections. We can specify a number between 0 and 65535 in the Cleanup threshold for anonymous connections field. The default setting is 0. When this number of anonymous connections is exceeded, connections are cleaned up based on the idle timeout limit that you set in the Idle time out field.
- Set the threshold number to initiate the cleanup of authenticated connections. We can specify a number between 0 and 65535 in the Cleanup threshold for authenticated connections field. The default setting is 1100. When this number of authenticated connections is exceeded, connections are cleaned up based on the idle timeout limit that you set in the Idle time out field.
- Set the threshold number to initiate the cleanup of all connections. You can specify a number between 0 and 65535 in the Cleanup threshold for all connections field. The default setting is 1200. When this total number of connections is exceeded, connections are cleaned up based on the idle timeout limit that you set in the Idle time out field.
- Set the number of seconds that a connection can be idle before it is closed by a cleanup process. We can specify a number between 0 and 65535 in the Idle timeout limit field. The default setting is 300. When a cleanup process is initiated, any connections, subject to the process, that exceed the limit are closed.
- Set the number of seconds between write attempts that will be allowed. We can specify a number between 0 and 65535 in the Result timeout limit field. The default setting is 120. Any connections that exceed this limit are ended.
This applies to Windows systems only. A connection that exceeds 30 seconds is automatically dropped by the operating system. Therefore this Result timeout limit setting is overridden by the operating system after 30 seconds.
- When you are finished, click Apply to save your changes without exiting, or click OK to apply your changes and exit, or click Cancel to exit this panel without making any changes.
Using the command line:
To perform the same operations using the command line, issue the following command:
idsldapmodify -D <adminDN> -w <adminPW> -i <filename>
where <filename> contains:
dn: cn=Connection Management,cn=Front End, cn=Configuration
changetype: modify
replace: ibm-slapdAllowAnon
ibm-slapdAllowAnon: TRUE
-
replace: ibm-slapdAnonReapingThreshold
ibm-slapdAnonReapingThreshold: 0
-
replace: ibm-slapdBoundReapingThreshold
ibm-slapdBoundReapingThreshold: 1100
-
replace: ibm-slapdAllReapingThreshold
ibm-slapdAllReapingThreshold: 1200
-
replace: ibm-slapdIdleTimeOut
ibm-slapdIdleTimeOut: 300
-
replace: ibm-slapdWriteTimeout
ibm-slapdWriteTimeout: 120
-
replace: ibm-slapdEThreadEnable
ibm-slapdEThreadEnable: TRUE
-
replace: ibm-slapdESizeThreshold
ibm-slapdESizeThreshold: 50
-
replace: ibm-slapdETimeThreshold
ibm-slapdETimeThreshold: 5
-
#ibm-slapdEThreadActivate can be set to S for size only, T for
#time only, SOT for size or time, and SAT for size and time.
replace: ibm-slapdEThreadActivate
ibm-slapdEThreadActivate: { S | T | SOT | SAT}
To update the settings dynamically, issue the following idsldapexop command:
idsldapexop -D <adminDN> -w <adminPW> -op readconfig -scope entire
The idsldapexop command updates only those attributes that are dynamic. For other changes to take effect, stop and restart the server. See Dynamically-changed attributes for a list of the attributes that can be updated dynamically.
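A change file for cn=Connection Management can be checked before it is passed to idsldapmodify. The following Python is an added example, not IBM code: it flags a value line that does not match its replace line, a number outside the documented 0 to 65535 range, an invalid ibm-slapdEThreadActivate value, and a write timeout above the 30-second Windows limit. The sample LDIF is constructed, and applying the 0 to 65535 range to the five attributes in RANGED is an assumption based on their default values matching the panel fields.

```python
# Attributes assumed to take a number between 0 and 65535 (see lead-in).
RANGED = ("ibm-slapdAnonReapingThreshold", "ibm-slapdBoundReapingThreshold",
          "ibm-slapdAllReapingThreshold", "ibm-slapdIdleTimeOut",
          "ibm-slapdWriteTimeout")

# Constructed input with deliberate problems; not a file from the documentation.
SAMPLE_LDIF = """\
dn: cn=Connection Management,cn=Front End, cn=Configuration
changetype: modify
replace: ibm-slapdIdleTimeOut
ibm-slapdIdleTimeOut: 70000
-
replace: ibm-slapdWriteTimeout
ibm-slapdWriteTimeout: 120
-
replace: ibm-slapdESizeThreshold
ibm-slapdESizeThreshhold: 50
-
replace: ibm-slapdEThreadActivate
ibm-slapdEThreadActivate: SOT
"""

def parse_modify(ldif):
    """Return ({attribute (lower case): value}, [errors]) for the replace operations."""
    values, errors, target = {}, [], None
    for line in (raw.strip() for raw in ldif.splitlines()):
        key, _, value = (part.strip() for part in line.partition(":"))
        if line == "-":
            target = None  # end of one replace operation
        elif key == "replace":
            target = value
        elif line and not line.startswith("#") and key not in ("dn", "changetype"):
            # Attribute names are compared without regard to case.
            if key.lower() == (target or "").lower():
                values[key.lower()] = value
            else:
                errors.append(f"'{key}' does not match 'replace: {target}'")
    return values, errors

def review_change(ldif, windows=False):
    """List problems in a connection-management change before it is applied."""
    values, findings = parse_modify(ldif)
    for attr in RANGED:
        value = values.get(attr.lower())
        if value is not None and not (value.isdigit() and int(value) <= 65535):
            findings.append(f"{attr}: {value} is not a number between 0 and 65535")
    mode = values.get("ibm-slapdethreadactivate")
    if mode is not None and mode not in ("S", "T", "SOT", "SAT"):
        findings.append(f"ibm-slapdEThreadActivate: {mode} is not S, T, SOT or SAT")
    timeout = values.get("ibm-slapdwritetimeout", "")
    if windows and timeout.isdigit() and int(timeout) > 30:
        findings.append("ibm-slapdWriteTimeout: Windows drops the connection after 30 seconds")
    return findings

if __name__ == "__main__":
    for finding in review_change(SAMPLE_LDIF, windows=True):
        print(finding)
```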