Directory Server, Version 6.1

 

Basic server administration tasks

Unless stated otherwise, the following tasks can be performed by the directory administrator, a member of a global administrative group, or a member of the local administrative group based on their roles.

 

Changing an administrator distinguished name and password

This task can be performed by the directory administrator only.

The administrator name and password are usually set during the server installation and configuration process. However, we can change an administrator name and an administrator password by using either the Web Administration Tool or the command line. See Setting the administration password and lockout policy for information about administration password security restrictions.

 

Using Web Administration:

Click User properties in the navigation area of the Web Administration Tool. Two selections are displayed:

Change administrator login

Specify a new Administrator DN in the field and enter the current password. Click OK or click Cancel to return to the Introduction panel without making any changes.

This selection is available only if you are logged in as the directory administrator. It is not available if you are logged in as a user or an administrative group member.

Change password

To change the password for the currently logged-in DN, type your current password in the Current password field. Then type your new password in the New password field and type it again in the Confirm new password field and click OK. Click Cancel to return to the Introduction panel without making any changes.

 

Using the command line:

We can use either the idsdnpw command or the idsxcfg utility from the command line.

Using the idsdnpw command:

idsdnpw -u <admindn> -p <adminPW>

To use the idsxcfg utility, type idsxcfg on a command line. When the IBM® Tivoli® Directory Server Configuration Tool panel is displayed, select Manage administrator DN to change the administrator's DN or Manage administrator password to change the administrator's password, and follow the directions. See the IBM Tivoli Directory Server Version 6.1 Installation and Configuration Guide for additional information on using the idsxcfg utility.

See Distinguished names (DNs) for more information about distinguished names.

 

Starting and stopping the server

We can use either of the following methods to start or stop the server.

 

Using Web Administration:

The administration daemon (idsdiradm) for the given directory instance must be running.

The current status of the server, either started, stopped, or started in configuration mode, is indicated by the icons in the upper left-hand corner of the server status area. The current status is also described in the first sentence of the work area, for example:

The Directory Server is currently running

  1. If you have not done so already, click Server Administration in the Web Administration navigation area and then click Start/Stop/Restart Server in the expanded list.

    When the Web admin tool is used to access the admin daemon:

    • The status bar on the Start/Stop/Restart Server panel displays a message indicating that the tool is connected to the admin daemon. If you access panels that are not supported by the admin daemon, a message is displayed indicating that the functions on the panels are not supported.

    • The Start/Stop/Restart Server panel is enabled based on the capabilities present in the root DSE for the ibm-supportedcapabilities attribute.

  2. The message area displays the current state of the server (stopped, running, or running in configuration only mode). Depending on the state of the server, running or stopped, buttons are enabled for you to change the state of the server.
    Table 6. Actions available based on the status of the server

    Server status                         Buttons available
    Stopped                               Start, Close
    Running                               Stop, Restart, Close
    Running in configuration only mode    Stop, Restart, Close

    • If the server is running, click Stop to stop the server or Restart to stop and then start the server.

    • If the server is stopped, click Start to start the server.

    • Click Close to return to the Introduction panel.

  3. A message is displayed when the server successfully starts or stops.

If we need to perform server configuration maintenance, select the Start / Restart in configuration only mode check box. In this mode only the system administrator can bind to the server. All other connections are refused until the server is restarted with DB2® backends enabled (the Start / Restart in configuration only mode check box deselected). See Configuration only mode for additional information.

Configuration maintenance can be done while the server is running.

 

Using the command line or Windows Services icon:

Use the following commands to start the server:

The administration daemon (idsdiradm) must be running for the ibmdirctl

ibmdirctl -h mymachine -D myDN -w mypassword -p 3538 start

or

idsslapd -I <instancename>

Use the following commands to stop the server:

ibmdirctl -h mymachine -D myDN -w mypassword -p 3538 stop

or

idsslapd -I <instancename> -k

See the ibmdirctl and idsdiradm command information in the IBM Tivoli Directory Server version 6.1 Command Reference for more information.

For Windows® systems use the previous commands or:

  1. From the desktop, double-click the My Computer icon.

  2. Double-click the Control Panel icon.

  3. Double-click the Administrative Tools icon.

  4. Double-click the Services icon.

  5. To start the server, select Control Panel -> Administrative Tools -> Services, select IBM Tivoli Directory Server Instance V6.1 - <instancename> and click Start.

  6. To stop the server, select Control Panel -> Administrative Tools -> Services, select IBM Tivoli Directory Server Instance V6.1 - <instancename> and click Stop.

If you change the time zone on your Windows machine, you need to restart the server and the administration daemon in order for them to recognize the time change. This ensures that the time stamps in the administration daemon's logs match the time stamps in the server's logs.

 

Checking server status

We can check the status of the server by searching for the object classes under cn=monitor. To do this, use one of the following methods:

 

Using Web Administration:

Expand the Server administration category in the navigation area. Click View server status. This panel has nine tabs. At the bottom of this panel, click Refresh to update the status displayed on the tab you are currently viewing, or click Close to return to the IBM Tivoli Directory Server Introduction panel.

When the Web admin tool is used to access the admin daemon:

  • The title of the View server status panel will change to View Admin Daemon status.

  • The status bar on the View Admin Daemon Status panel displays a message indicating that the tool is connected to the admin daemon. If you access panels that are not supported by the admin daemon, a message is displayed indicating that the functions on the panels are not supported.

  • The View Admin Daemon Status panel is enabled based on the capabilities present in the root DSE for the ibm-supportedcapabilities attribute.

If the directory server is running, the following information is displayed:

 

General

Click the General tab to display the following information:

Hostname

The host name of the LDAP server.

Server status

The server is either Running or Running in configuration only mode. We can determine the server status at any time by the three icons displayed in the left side corner of the server status area.

Start time

The time the server was started. The start time is in the format:
year-month-day hour:minutes:seconds GMT 

Current time

The current time on the server. The current time is in the format:
year-month-day hour:minutes:seconds GMT

Total threads

The number of worker threads being used by the server.

Total threads blocked on write

The number of threads sending data back to the client.

Total threads blocked on read

The number of threads reading data from the client.

Number of connections

The number of currently active connections.

Total connections

The total number of connections since the server was started.

Number of entries sent

The number of entries sent by the server since the server was started.

Percentage of entry cache used

The percentage of entry cache currently used. This value is not displayed in configuration only mode.

Percentage of search filter cache used

The percentage of search filter cache currently used. This value is not displayed in configuration only mode.

ACL cache

A Boolean value indicating that the ACL cache is active (TRUE) or inactive (FALSE). This value is not displayed in configuration only mode.

Maximum ACL cache size

The maximum number of entries allowed in the ACL cache. This value is not displayed in configuration only mode.

Bypass alias dereferencing

The server runtime value that indicates if alias processing can be bypassed. It displays true, if no alias object exists in the directory, and false, if at least one alias object exists in the directory.

Total number of SSL connections

The total number of SSL connections since the server was started. This information displays only if the server you are connected to supports the monitor connection type counts feature.

Total number of TLS connections

The total number of TLS connections since the server was started. This information displays only if the server you are connected to supports the monitor connection type counts feature.

 

Operation counts

Click Operation counts to display the following information:

Number of operations requested

The number of initiated requests since the server was started.

Number of operations completed

The number of completed requests since the server was started.

Number of search operations requested

The number of initiated searches since the server was started.

Number of search operations completed

The number of completed searches since the server was started.

Number of bind operations requested

The number of bind requests since the server was started.

Number of bind operations completed

The number of completed bind requests since the server was started.

Number of unbind operations requested

The number of unbind requests since the server was started.

Number of unbind operations completed

The number of completed unbind requests since the server was started.

Number of add operations requested

The number of add requests since the server was started.

Number of add operations completed

The number of completed add requests since the server was started.

Number of delete operations requested

The number of delete requests since the server was started.

Number of delete operations completed

The number of completed delete requests since the server was started.

Number of modify RDN operations requested

The number of modify RDN requests since the server was started.

Number of modify RDN operations completed

The number of completed modify RDN requests since the server was started.

Number of modify operations requested

The number of modify requests since the server was started.

Number of modify operations completed

The number of completed modify requests since the server was started.

Number of compare operations requested

The number of compare requests since the server was started.

Number of compare operations completed

The number of completed compare requests since the server was started.

Number of abandon operations requested

The number of abandon requests since the server was started.

Number of abandon operations completed

The number of completed abandon requests since the server was started.

Number of extended operations requested

The number of extended requests since the server was started.

Number of extended operations completed

The number of completed extended requests since the server was started.

Number of unknown operations requested

The number of unknown requests since the server was started.

Number of unknown operations completed

The number of completed unknown requests since the server was started.

When accessing the admin daemon using the Web admin tool, some fields will not be displayed.

 

Work queue

Click Work queue to display the following:

Number of worker threads available

The number of worker threads available for work.

Depth of the work queue

The current size of the work queue.

Largest size of the work queue

The largest size that the work queue has ever reached.

Number of connections closed by automatic connection cleaner

The number of idle connections closed by the automatic connection cleaner.

Number of times the automatic connection cleaner has run

The number of times the automatic connection cleaner has run.

When accessing the admin daemon using the Web admin tool, some fields will not be displayed.

 

View worker status

Click View worker status to display information about the worker threads that are currently active. This information is useful when the server is not performing as expected or performing poorly. Performing this search suspends all server activity until it is completed. A warning to that effect is displayed and explains that the time to complete this operation depends on the number of connections and active worker threads. Click Yes to display the information.

The following worker thread information is displayed in a table.

Thread ID

The ID of the worker thread, for example, 2640.

Operation

The type of work request received, for example, search.

Bind DN

The DN used to bind to the server.

Client IP

The IP address of the client.

To view a worker thread's details, select the worker thread you want more information about from the View worker status table and click View. The following information fields about the selected worker thread are displayed:

Thread ID

The ID of the worker thread, for example, 2640.

Operation

The type of work request received, for example, search.

LDAP version

The LDAP version level, either V1, V2 or V3.

Bind DN

The DN used to bind to the server.

Client IP

The IP address of the client.

Client port

The port used by the client.

Connection ID

The number that identifies the connection.

Received at

The date and time that the work request was received.

Request parameters

Additional information about the operation. For example, if the request was a search, the following information is also provided:
base=cn=workers,cn=monitor
scope=baseObject
derefaliases=neverDerefAliases
typesonly=false
filter=(objectclass=*)
attributes=all

Click Close to return to the View worker status panel.

 

Directory cached attributes

Click Directory cached attributes to display the following information. The status items are displayed in a table format. You can use the arrows next to each header to specify a sort in either ascending or descending order. We can also either use the Select Action drop-down list to select Edit sort and click Go or click the Edit sort icon to specify up to three sort criteria.

Table 7. Directory cached attributes table
Attribute    Number of cache hits    Cache size

Attribute

The name of the attribute.

Number of cache hits

The number of times the cache for this attribute was used to resolve a search filter.

Cache size

The amount of memory used by this attribute cache.

This tab also contains two non-editable fields:

Cached attribute total size (in kilobytes)

The amount of memory being used by the cache.

This number includes additional memory used to manage the caches. Consequently, this total is larger than the sum of the memory used for the individual attribute caches.

Cached attribute configured size

The maximum amount of memory that can be used by attribute caching. See Adding attributes to and removing attributes from the attribute cache for instructions.

 

Directory cache candidates

This table is a list of the 10 non-cached attributes that are most frequently used in search filters that can be resolved by the attribute cache manager. If the frequency of the usage of these attributes is excessive, you might want to add them to the attribute cache. We can use the arrows next to each header to specify a sort in either ascending or descending order. We can also either use the Select Action drop-down list to select Edit sort and click Go or click the Edit sort icon to specify up to two sort criteria.

Table 8. Directory cache candidates table
Attribute    Number of hits

Attribute

The name of the attribute.

Number of hits

The number of times the attribute has been used in filters that can be resolved by the attribute cache manager.

 

Changelog cached attributes

Click Changelog cached attributes to display the following information. The status items are displayed in a table format. You can use the arrows next to each header to specify a sort in either ascending or descending order. We can also either use the Select Action drop-down list to select Edit sort and click Go or click the Edit sort icon to specify up to three sort criteria.

Table 9. Changelog cached attributes table
Attribute    Number of cache hits    Cache size

Attribute

The name of the attribute.

Number of cache hits

The number of times the cache for this attribute was used to resolve a search filter.

Cache size

The amount of memory used by this attribute cache.

This tab also contains two non-editable fields:

Cached attribute total size (in kilobytes)

The amount of memory being used by the cache.

This number includes additional memory used to manage the caches. Consequently, this total is larger than the sum of the memory used for the individual attribute caches.

Cached attribute configured size

The maximum amount of memory that can be used by attribute caching. See Adding attributes to and removing attributes from the attribute cache for instructions.

 

Changelog cache candidates

This table is a list of the 10 non-cached attributes that are most frequently used in search filters that can be resolved by the attribute cache manager. If the frequency of the usage of these attributes is excessive, you might want to add them to the attribute cache. We can use the arrows next to each header to specify a sort in either ascending or descending order. We can also either use the Select Action drop-down list to select Edit sort and click Go or click the Edit sort icon to specify up to two sort criteria.

Table 10. Changelog cache candidates table
Attribute    Number of hits

Attribute

The name of the attribute.

Number of hits

The number of times the attribute has been used in filters that can be resolved by the attribute cache manager.

 

Trace and logs

Click Trace and logs to view the following information:

Trace enabled

The current trace value for the server. TRUE, if collecting trace data, FALSE, if not collecting trace data. See the ldaptrace command information in the IBM Tivoli Directory Server version 6.1 Command Reference for information about enabling and starting the trace function.

Trace message level

The current ldap_debug value for the server. The value is in hexadecimal form, for example,
0x0=0
0xffff=65535
For more information, see the section on Debugging levels in the IBM Tivoli Directory Server version 6.1 Command Reference.

Trace message log

The name of the file that contains the trace output.

If the value is stderr, the output is displayed in the command window where the LDAP server was started. If the server was not started from the command line, no data is displayed.

Number of messages added to server logs

The number of error messages recorded since the server started.

Number of messages added to DB2 error log

The number of DB2 error messages recorded since the server started.

Number of messages added to audit log

The number of messages recorded by the audit log since the server started.

Number of error messages added to audit log

The number of failed operation messages recorded by the audit log.

 

Using the command line:

To determine server status using the command line, use the idsldapsearch command for the following bases:

  • cn=monitor

  • cn=workers,cn=monitor

  • cn=connections,cn=monitor

  • cn=changelog,cn=monitor

  • cn=system,cn=monitor

 

cn=monitor

idsldapsearch -h <servername> -p <portnumber> -b cn=monitor -s base objectclass=*

This command returns the following information:

cn=monitor

version=IBM Tivoli Directory (SSL), Version 6.1

totalconnections

The total number of connections since the server was started.

total_ssl_connections

The total number of SSL connections since the server was started.

total_tls_connections

The total number of TLS connections since the server was started.

currentconnections

The number of active connections.

maxconnections

The maximum number of active connections allowed.

writewaiters

The number of threads sending data back to the client.

readwaiters

The number of threads reading data from the client.

opsinitiated

The number of requests since the server was started.

livethreads

The number of worker threads being used by the server.

opscompleted

The number of completed requests since the server was started.

entriessent

The number of entries sent by the server since the server was started.

searchesrequested

The number of requested searches since the server was started.

searchescompleted

The number of completed searches since the server was started.

bindsrequested

The number of bind operations requested since the server was started.

bindscompleted

The number of bind operations completed since the server was started.

unbindsrequested

The number of unbind operations requested since the server was started.

unbindscompleted

The number of unbind operations completed since the server was started.

addsrequested

The number of add operations requested since the server was started.

addscompleted

The number of add operations completed since the server was started.

deletesrequested

The number of delete operations requested since the server was started.

deletescompleted

The number of delete operations completed since the server was started.

modrdnsrequested

The number of modify RDN operations requested since the server was started.

modrdnscompleted

The number of modify RDN operations completed since the server was started.

modifiesrequested

The number of modify operations requested since the server was started.

modifiescompleted

The number of modify operations completed since the server was started.

comparesrequested

The number of compare operations requested since the server was started.

comparescompleted

The number of compare operations completed since the server was started.

abandonsrequested

The number of abandon operations requested since the server was started.

abandonscompleted

The number of abandon operations completed since the server was started.

extopsrequested

The number of extended operations requested since the server was started.

extopscompleted

The number of extended operations completed since the server was started.

unknownopsrequested

The number of unknown operations requested since the server was started.

unknownopscompleted

The number of unknown operations completed since the server was started.

slapderrorlog_messages

The number of server error messages recorded since the server was started or since a reset was performed.

slapdclierrors_messages

The number of DB2 error messages recorded since the server was started or since a reset was performed.

auditlog_messages

The number of audit messages recorded since the server was started or since a reset was performed.

auditlog_failedop_messages

The number of failed operation messages recorded since the server was started or since a reset was performed.

filter_cache_size

The maximum number of filters allowed in the cache.

filter_cache_current

The number of filters currently in the cache.

filter_cache_hit

The number of filters found in the cache.

filter_cache_miss

The number of search operations that attempted to use the filter cache, but didn't find a matching operation in the cache.

filter_cache_bypass_limit

Search filters that return more entries than this limit are not cached.

entry_cache_size

The maximum number of entries allowed in the cache.

entry_cache_current

The number of entries currently in the cache.

entry_cache_hit

The number of entries found in the cache.

entry_cache_miss

The number of entries not found in the cache.

acl_cache

A Boolean value indicating that the ACL cache is active (TRUE) or inactive (FALSE).

acl_cache_size

The maximum number of entries in the ACL cache.

cached_attribute_total_size

The amount of memory in kilobytes used by attribute caching.

cached_attribute_configured_size

The amount of memory in kilobytes that can be used by attribute caching.

cached_attribute_hit

The number of times the attribute has been used in a filter that could be processed by the changelog attribute cache. The value is reported as follows:
cached_attribute_hit=attrname:#####

cached_attribute_size

The amount of memory used for this attribute in the changelog attribute cache. This value is reported in kilobytes as follows:
cached_attribute_size=attrname:######

cached_attribute_candidate_hit

A list of up to ten most frequently used noncached attributes that have been used in a filter that could have been processed by the changelog attribute cache if all of the attributes used in the filter had been cached. The value is reported as follows:
cached_attribute_candidate_hit=attrname:#####

We can use this list to help decide which attributes to cache. Typically, only a limited number of attributes are put into the attribute cache because of memory constraints.

currenttime

The current time on the server. The current time is in the format:
year-month-day hour:minutes:seconds GMT

starttime

The time the server was started. The start time is in the format:
year-month-day hour:minutes:seconds GMT 

trace_enabled

The current trace value for the server. TRUE, if collecting trace data, FALSE, if not collecting trace data. See the ldaptrace command information in the IBM Tivoli Directory Server version 6.1 Command Reference for information about enabling and starting the trace function.

trace_message_level

The current ldap_debug value for the server. The value is in hexadecimal form, for example:
0x0=0
0xffff=65535
For more information, see the section on Debugging levels in the IBM Tivoli Directory Server version 6.1 Command Reference.

trace_message_log

The current LDAP_DEBUG_FILE environment variable setting for the server.

en_currentregs

The current number of client registrations for event notification.

en_notificationssent

The total number of event notifications sent to clients since the server was started.

bypass_deref_aliases

The server runtime value that indicates if alias processing can be bypassed. It displays true, if no alias object exists in the directory, and false, if at least one alias object exists in the directory.

available_workers

The number of worker threads available for work.

current_workqueue_size

The current depth of the work queue.

largest_workqueue_size

The largest size that the work queue has ever reached.

idle_connections_closed

The number of idle connections closed by the Automatic Connection Cleaner.

auto_connection_cleaner_run

The number of times that the Automatic Connection Cleaner has run.
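
The following Python sketch is an added example, not part of the IBM documentation: it parses the attr=value lines that the cn=monitor search above returns and turns a few of the counters into checks an operator can alert on. The sample values, the two thresholds and the finding names are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample output: attribute names come from the list above,
# the values are invented for the example.
SAMPLE_MONITOR = """\
cn=monitor
version=IBM Tivoli Directory (SSL), Version 6.1
currentconnections=60
maxconnections=64
opsinitiated=90500
opscompleted=90498
auditlog_messages=5000
auditlog_failedop_messages=900
filter_cache_hit=300
filter_cache_miss=700
available_workers=0
current_workqueue_size=12
trace_enabled=TRUE
trace_message_level=0xffff
cached_attribute_candidate_hit=mail:15000
cached_attribute_candidate_hit=uid:200
"""


def parse_monitor(text):
    """Return {attribute: [values]} from attr=value lines (names lower-cased)."""
    entry = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if "=" not in line:
            continue  # blank lines and anything that is not attr=value
        name, value = line.split("=", 1)
        entry[name.strip().lower()].append(value.strip())
    return dict(entry)


def number(entry, name):
    """First value of a counter as int; accepts the 0x form of trace_message_level."""
    values = entry.get(name)
    if not values:
        return None  # attribute absent, e.g. not reported in configuration only mode
    value = values[0]
    return int(value, 16) if value.lower().startswith("0x") else int(value)


def ratio(part, whole):
    """part / whole, or None when a counter is missing or whole is zero."""
    if part is None or not whole:
        return None
    return part / whole


def filter_cache_hit_rate(entry):
    """filter_cache_hit as a share of all filter cache lookups."""
    hit = number(entry, "filter_cache_hit")
    miss = number(entry, "filter_cache_miss")
    if hit is None or miss is None:
        return None
    return ratio(hit, hit + miss)


def cache_candidates(entry):
    """cached_attribute_candidate_hit values (attrname:count), busiest first."""
    pairs = []
    for value in entry.get("cached_attribute_candidate_hit", []):
        name, _, count = value.rpartition(":")
        pairs.append((name, int(count)))
    return sorted(pairs, key=lambda pair: pair[1], reverse=True)


def assess(entry, failed_share=0.10, connection_share=0.90):
    """Return finding codes; both thresholds are assumptions, tune them per site."""
    findings = []
    failed = ratio(number(entry, "auditlog_failedop_messages"),
                   number(entry, "auditlog_messages"))
    if failed is not None and failed >= failed_share:
        findings.append("audit-failed-ops-high")
    used = ratio(number(entry, "currentconnections"),
                 number(entry, "maxconnections"))
    if used is not None and used >= connection_share:
        findings.append("connections-near-limit")
    queued = number(entry, "current_workqueue_size") or 0
    if number(entry, "available_workers") == 0 and queued > 0:
        findings.append("work-queue-backlog")
    if entry.get("trace_enabled", ["FALSE"])[0].upper() == "TRUE":
        findings.append("trace-enabled")
    return findings


if __name__ == "__main__":
    monitor = parse_monitor(SAMPLE_MONITOR)
    print("findings:", assess(monitor))
    print("filter cache hit rate:", filter_cache_hit_rate(monitor))
    print("cache candidates:", cache_candidates(monitor))
```

Because the counters are cumulative since server start (or since a reset), comparing two samples taken some minutes apart gives a rate that is more useful for alerting than a single reading.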

 

cn=workers,cn=monitor

For worker thread information ensure that auditing is enabled and issue the following command:

idsldapsearch -D <adminDN> -w <adminpw> -b cn=workers,cn=monitor -s base objectclass=*

This command gives the following type of information for each active worker:

cn=workers,cn=monitor

cn=workers

objectclass=container

cn=thread2640,cn=workers,cn=monitor

thread

The number of the worker thread, for example, 2640.

ldapversion

The LDAP version level, either V1 or V2.

binddn

The DN used to bind to the server.

clientip

The IP address of the client.

clientport

The port used by the client.

connectionid

The number identifying the connection.

received

The date and time that the work request was received.

workrequest

The type of work request received and additional information about the request. For example, if the request was a search, the following information is also provided:
base=cn=workers,cn=monitor
scope=baseObject
derefaliases=neverDerefAliases
typesonly=false
filter=(objectclass=*)
attributes=all

 

cn=connections,cn=monitor

idsldapsearch -D <adminDN> -w <adminpw> -h <servername> -p <portname> -b cn=connections,cn=monitor -s base objectclass=*

This search returns something similar to the following:

cn=connections,cn=monitor
connection=3546 : 9.48.181.83 : 2005-02-28 21:53:54 GMT  : 1 : 5 : CN=ROOT :  : 
connection=3550 : 9.48.181.83 : 2005-02-28 21:53:54 GMT  : 1 : 3 : CN=ROOT :  : 
connection=3551 : 9.48.181.83 : 2005-02-28 21:53:55 GMT  : 1 : 4 : CN=ROOT :  : 
connection=3553 : 9.48.181.83 : 2005-02-28 21:53:55 GMT  : 1 : 3 : CN=ROOT :  : 
connection=3554 : 9.48.181.83 : 2005-02-28 21:53:55 GMT  : 1 : 5 : CN=ROOT :  : 
connection=3555 : 9.48.181.83 : 2005-02-28 21:53:55 GMT  : 1 : 2 : CN=ROOT :  : 
connection=3556 : 9.48.181.83 : 2005-02-28 21:53:55 GMT  : 1 : 2 : CN=ROOT :  : 
connection=3557 : 9.48.181.83 : 2005-02-28 21:53:55 GMT  : 1 : 1 : CN=ROOT :  : 
connection=3558 : 9.48.181.83 : 2005-02-28 21:53:55 GMT  : 1 : 1 : CN=ROOT :  : 
connection=3559 : 9.48.181.83 : 2005-02-28 21:53:55 GMT  : 0 : 1 : CN=ROOT :  : 

connection=xxxx

The connection number.

9.48.181.83

The server IP address.

2005-02-28 21:53:54 GMT

The current time on the server. The current time is in the format:
year-month-day hour:minutes:seconds GMT

1 : 5

The opsinprogress and opscompleted, respectively.

  • opsinprogress – The number of requests in progress.

  • opscompleted – The number of completed requests since the server was started.

CN=ROOT

This is the Administrator DN.
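
As an added example (not part of the IBM documentation), the Python sketch below parses the connection= values shown above and summarises open connections per bind DN, so that heavy use of the administrator DN stands out. The first three sample lines are copied from the output above and the last two are constructed; the dictionary keys, the simplified DN normalisation and the limit of two administrator connections are assumptions.

```python
import re
from datetime import datetime, timezone

# First three connection lines are taken from the sample output above; the
# last two are constructed for the example (different bind DN and address).
SAMPLE_CONNECTIONS = """\
cn=connections,cn=monitor
connection=3546 : 9.48.181.83 : 2005-02-28 21:53:54 GMT  : 1 : 5 : CN=ROOT :  :
connection=3550 : 9.48.181.83 : 2005-02-28 21:53:54 GMT  : 1 : 3 : CN=ROOT :  :
connection=3559 : 9.48.181.83 : 2005-02-28 21:53:55 GMT  : 0 : 1 : CN=ROOT :  :
connection=3600 : 192.0.2.10 : 2005-02-28 21:54:10 GMT  : 0 : 12 : CN=APP1,O=EXAMPLE :  :
connection=3601 : 192.0.2.10 : 2005-02-28 21:54:11 GMT  : 2 : 7 : CN=APP1,O=EXAMPLE :  :
"""

# Fields are separated by " : ". The colons inside the time (21:53:54) have no
# whitespace in front of them, so they are not treated as separators.
FIELD_SEP = re.compile(r"\s+:(?=\s|$)")


def normalise_dn(dn):
    """Upper-case and trim RDNs so DNs compare equal (simplified: no escaped commas)."""
    return ",".join(part.strip() for part in dn.split(",")).upper()


def parse_connection(line):
    """Parse one connection= value into a dict; return None for any other line."""
    line = line.strip()
    if not line.startswith("connection="):
        return None
    fields = [f.strip() for f in FIELD_SEP.split(line[len("connection="):])]
    if len(fields) < 6:
        raise ValueError(f"unexpected connection value: {line!r}")
    conn_id, address, stamp, in_progress, completed, bind_dn = fields[:6]
    when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S GMT")
    return {
        "id": int(conn_id),
        "address": address,
        "timestamp": when.replace(tzinfo=timezone.utc),
        "opsinprogress": int(in_progress),
        "opscompleted": int(completed),
        "bind_dn": normalise_dn(bind_dn),
    }


def summarise(text):
    """Return {bind DN: connection count, operation totals and addresses seen}."""
    summary = {}
    for line in text.splitlines():
        conn = parse_connection(line)
        if conn is None:
            continue
        row = summary.setdefault(conn["bind_dn"], {
            "connections": 0, "in_progress": 0, "completed": 0, "addresses": set(),
        })
        row["connections"] += 1
        row["in_progress"] += conn["opsinprogress"]
        row["completed"] += conn["opscompleted"]
        row["addresses"].add(conn["address"])
    return summary


def admin_connection_excess(summary, admin_dn, max_connections):
    """Connections bound as admin_dn beyond max_connections (0 when within limit)."""
    row = summary.get(normalise_dn(admin_dn))
    if row is None:
        return 0
    return max(0, row["connections"] - max_connections)


if __name__ == "__main__":
    result = summarise(SAMPLE_CONNECTIONS)
    for dn, row in sorted(result.items()):
        print(dn, row["connections"], row["in_progress"], row["completed"],
              sorted(row["addresses"]))
    print("admin connections over limit:",
          admin_connection_excess(result, "cn=root", max_connections=2))
```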

 

cn=changelog,cn=monitor

idsldapsearch -D <adminDN> -w <adminpw> -h <servername> -p <portname> -b cn=changelog,cn=monitor -s base objectclass=*

This search returns something similar to the following:

CN=CHANGELOG,CN=MONITOR
cached_attribute_total_size=0
cached_attribute_configured_size=0

cached_attribute_total_size

The amount of memory used by the changelog attribute cache, in kilobytes. This number includes additional memory used to manage the cache that is not charged to the individual attribute caches. Consequently, this total is larger than the sum of the memory used by all the individual attribute caches.

cached_attribute_configured_size

The maximum amount of memory, in kilobytes, that is enabled to be used by the changelog attribute cache.

cached_attribute_hit

The number of times the attribute has been used in a filter that could be processed by the changelog attribute cache. The value is reported as follows:
cached_attribute_hit=attrname:#####

cached_attribute_size

The amount of memory used for this attribute in the changelog attribute cache. This value is reported in kilobytes as follows:
cached_attribute_size=attrname:######

cached_attribute_candidate_hit

A list of up to ten most frequently used noncached attributes that have been used in a filter that could have been processed by the changelog attribute cache if all of the attributes used in the filter had been cached. The value is reported as follows:
cached_attribute_candidate_hit=attrname:#####

We can use this list to help decide which attributes to cache. Typically, only a limited number of attributes are put into the attribute cache because of memory constraints.

 

cn=system,cn=monitor

To collect system information from machines on which the directory server is running, issue the following command:

idsldapsearch -D <adminDN> -w <adminpw> -b cn=system,cn=monitor 
              -s base objectclass=*

The information that is returned depends on the operating system on which the directory server is running. The following information is returned for machines running on Windows operating systems:

operatingSystem

Operating system name. For instance, Windows or Windows-X640.

memoryUsed

The amount of virtual memory used (KB).

memoryFree

The amount of idle memory (KB).

diskSpaceUsedByDB

Disk space used by the directory where DB2 database is stored (KB).

diskSpaceAvailableToDB

Disk space available to DB2 database (KB).

The following information is returned for machines running on non-Windows operating systems:

operatingSystem

Operating system name. For instance, Linux-x32, Linux-x64, Linux-PPC, Linux-Z, Solaris, Solaris-x86, AIX®, or HP-UX.

diskSpaceUsedByDB

Disk space used by the directory where DB2 database is stored (KB).

diskSpaceAvailableToDB

Disk space available to DB2 database (KB).

 

Viewing root DSE information

A root DSE entry contains information about an LDAP server instance, which can be queried by a root DSE search. A root DSE search on a server instance displays the root DSE attributes and their values, the OIDs of supported and enabled capabilities, and the OIDs of supported extensions and controls. To view root DSE information, use any one of the following methods.

 

Using Web Administration

If you have not done so already, click Server administration in the Web Administration navigation area and then click View Root DSE in the expanded list. Next, click General.

The General tab displays the following information.

Server instance name

This field displays the name of the directory server instance running on the server. This field is populated with the value of the ibm-slapdServerInstanceName attribute in the root DSE entry.

Server Id

This field displays the unique ID assigned to the server at the first startup of the server. This ID is used in replication topology to determine a server's role. This field is populated with the value of the ibm-serverId attribute in the root DSE entry.

Port number

This field displays the non secure port on which the server is listening. This is present only if the server does not have a secure port enabled. This field is populated with the value of the port attribute in the root DSE entry.

Directory version

This field displays the version of IBM Tivoli Directory Server (TDS) installed on the server. This field is populated with the value of the ibmdirectoryversion attribute in the root DSE entry.

Server backend

This field specifies whether this server loads a database or proxy backend. This field is populated with the value of the ibm-slapdServerBackend attribute in the root DSE entry.

Supported audit version

This field displays the supported version of auditing. This field is populated with the value of the ibm-supportedAuditVersion attribute in the root DSE entry.

LDAP service name

This field displays the host name of the server. If a Kerberos realm is defined, the value is displayed in the form hostname@realmname. This field is populated with the value of the ibm-ldapservicename attribute in the root DSE entry.

Security

This field displays the secure SSL port the server is listening on. This field is populated with the value of the security attribute in the root DSE entry.

Size limit

This field displays the limit on the number of entries returned by a search initiated by non administrative users. This field is populated with the value of the ibm-slapdSizeLimit attribute in the root DSE entry.

Time limit (seconds)

This field displays the maximum amount of time in seconds the server spends processing a search request initiated by non administrative users. This field is populated with the value of the ibm-slapdTimeLimit attribute in the root DSE entry.

Dereferences alias

This field displays how the server is configured to handle dereferencing. This field is populated with the value of the ibm-slapdDerefAliases attribute in the root DSE entry.

Vendor name

This field displays the supplier of this version of LDAP running on the server. This field is populated with the value of the vendorname attribute in the root DSE entry. For example, for IBM Tivoli Directory Server (TDS), this is set to International Business Machines (IBM).

Vendor version

This field displays the version of the directory server. This field is populated with the value of the vendorversion attribute in the root DSE entry. For example, for IBM Tivoli Directory Server (TDS) 6.1, the vendor version is set to 6.1.

Sub schema sub entry

This field displays the name of a subschema entry in which the server makes available attributes specifying the schema. This field is populated with the value of the subschemasubentry attribute in the root DSE entry. Its value is set to cn=schema.

SASL digest realm name

This field displays the SASL digest realm name associated with the server. This field is populated with the value of the ibm-sasldigestrealmname attribute in the root DSE entry.

Supported LDAP version

This list displays the LDAP versions implemented by the current server. This list is populated with the values of the supportedldapversion attribute in the root DSE entry. The values of this attribute are the versions of the LDAP protocol that the server implements.

Naming context

This list displays the naming contexts available in the server. This list is populated with the values of the namingcontexts attribute in the root DSE entry. The values of this attribute correspond to the naming contexts that this server masters or shadows. If the server does not master or shadow any information (for example, it is an LDAP gateway to a public X.500 directory), this attribute is absent.

If the server contains the entire directory, the attribute has a single value and that value is an empty string indicating the null DN of the root. This allows a client to choose suitable base objects for searching when it has contacted a server.

Configuration naming context

This field displays the suffix where the server's configuration entries are stored. This field is populated with the value of the ibm-configurationnamingcontext attribute in the root DSE entry.

We can click Refresh to refresh the information on this panel. Click Close to return to the "Introduction" panel. To view information about the supported capabilities, click Supported Capabilities. The Supported Capabilities tab displays the following information:

Supported Capabilities

This list displays the server capabilities currently supported by the server. This list is populated with the values of the ibm-supportedcapabilities attribute in the root DSE entry.

We can click Refresh to refresh the information on this panel. Click Close to return to the "Introduction" panel. To view information about the enabled capabilities, click Enabled Capabilities. The Enabled Capabilities tab displays the following information:

Enabled Capabilities

This list displays the server capabilities currently enabled for use on the server. This list is populated with the values of the ibm-enabledcapabilities attribute in the root DSE entry.

We can click Refresh to refresh the information on this panel. Click Close to return to the "Introduction" panel. To view information about the supported extensions, click Supported Extensions. The Supported Extensions tab displays the following information:

Supported Extensions

This list displays the OBJECT IDENTIFIERS (OIDs) of the extended operations that the server supports. This list is populated with the values of the supportedExtension attribute in the root DSE entry.

We can click Refresh to refresh the information on this panel. Click Close to return to the "Introduction" panel. To view information about the supported controls, click Supported Controls. The Supported Controls tab displays the following information:

Supported Controls

This list displays the OBJECT IDENTIFIERS (OIDs) of the controls that the server supports. This list is populated with the values of the supportedControl attribute in the root DSE entry.

We can click Refresh to refresh the information on this panel. Click Close to return to the "Introduction" panel. To view information about the supported SASL mechanism, click Supported SASL Mechanism. The Supported SASL Mechanism tab displays the following information:

Supported SASL Mechanism

This list displays the names of all the SASL mechanisms supported by the server. This list is populated with the values of the supportedsaslmechanisms attribute in the root DSE entry. This attribute contains any SASL mechanism that is registered to the server.

We can click Refresh to refresh the information on this panel. Click Close to return to the "Introduction" panel.

 

Using command line

To initiate a root DSE search, issue the following command:

idsldapsearch -s base -b "" objectclass=* 

To list the server capabilities currently supported by the server, issue the following command:

idsldapsearch -s base -b "" objectclass=* ibm-supportedcapabilities

To list the server capabilities currently enabled for use on the server, issue the following command:

idsldapsearch -s base -b "" objectclass=* ibm-enabledcapabilities 

 

Managing server connections

We can use one of the following methods to check the connection status of the server.

 

Using Web Administration:

Expand the Server administration category in the navigation area. Click Manage server connections. A table containing the following information for each connection is displayed. We can use the arrows next to each header to specify a sort in either ascending or descending order. We can also either use the Select Action drop-down list to select Edit sort and click Go or click the Edit sort icon to specify up to three sort criteria.

DN

Specifies the DN of a client connection to the server.

IP address

Specifies the IP address of the client that has a connection to the server.

Start time

Specifies the date and time when the connection was made.

Status

Specifies whether the connection is active or idle. A connection is considered active if it has any operations in progress.

Ops pending

Specifies the number of operations pending since the connection was established.

Ops completed

Specifies the number of operations that have been completed for each connection.

Type

Specifies whether the connection is secured by SSL or TLS. Otherwise the field is blank.
Notes:

  1. This table displays up to 20 connections at a time.

We can specify to have this table displayed by either DN or IP address by expanding the drop-down menu at the top of the panel and making a selection. The default selection is by DN. Similarly we can also specify whether to display the table in ascending or descending order.

Click Refresh or select Refresh from the Select Action drop-down list and click Go to update the current connection information.

If you are logged on as the administrator or as a member of the Local administration group having DirDataAdmin or ServerConfigGroupMember role, you have additional selections to disconnect server connections available on the panel. This ability to disconnect server connections enables you to stop denial of service attacks and to control server access. We can disconnect a connection by expanding the drop-down menus and selecting a DN, an IP address or both and clicking Disconnect. Depending on your selections the following actions occur:

Table 11. Disconnection rules

DN chosen    IP address chosen    Action
<DNvalue>    None                 All connections bound with the specified DN are disconnected.
None         <IPvalue>            All connections over the specified IP address are disconnected.
<DNvalue>    <IPvalue>            All connections bound as the specified DN and over the specified IP address are disconnected.
None         None                 This is not a valid condition. You must specify a DN or an IP address or both to use the disconnect function.

The default value for each of the drop-down menus is None.

To disconnect all server connections except for the one making this request click Disconnect all. A confirmation warning is displayed. Click OK to proceed with the disconnect action or click Cancel to end the action and return to the Manage server connections panel.

 

Using the command line:

To view server connections, issue the command:

idsldapsearch -D <adminDN> -w <adminPW> -h <servername> -p <portnumber> 
          -b cn=connections,cn=monitor -s base objectclass=*

This command returns information in the following format:

cn=connections,cn=monitor
connection=1632 : 9.41.21.31 : 2002-10-05 19:18:21 GMT  : 1 : 1 : CN=ADMIN : : 
connection=1487 : 127.0.0.1 : 2002-10-05 19:17:01 GMT  : 1 : 1 : CN=ADMIN : :

If appropriate, an SSL or a TLS indicator is added on each connection.

To end server connections, issue one of the following commands:

# To disconnect a specific DN:
idsldapexop -D <adminDN> -w <adminPW> -op unbind -dn cn=john

# To disconnect a specific IP address:
idsldapexop -D <adminDN> -w <adminPW> -op unbind -ip 9.182.173.43

# To disconnect a specific DN over a specific IP address:
idsldapexop -D <adminDN> -w <adminPW> -op unbind -dn cn=john -ip 9.182.173.43

# To disconnect all connections:
idsldapexop -D <adminDN> -w <adminPW> -op unbind -all

See the ldapexop command information in the IBM Tivoli Directory Server version 6.1 Command Reference for more information on ending connections.
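The following is an added example, not part of the product documentation: a shell function that reads cn=connections,cn=monitor output in the format shown above, counts connections and distinct bind DNs per client address, and prints the matching unbind command for review without running it. The function names, the threshold argument and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the cn=connections,cn=monitor format shown above
# (addresses and DNs reuse values from this page; not real server output).
sample_connections() {
cat <<'EOF'
cn=connections,cn=monitor
connection=1632 : 9.41.21.31 : 2002-10-05 19:18:21 GMT  : 1 : 1 : CN=ADMIN : :
connection=1487 : 127.0.0.1 : 2002-10-05 19:17:01 GMT  : 1 : 1 : CN=ADMIN : :
connection=1701 : 9.182.173.43 : 2002-10-05 19:20:02 GMT  : 1 : 4 : CN=JOHN : :
connection=1702 : 9.182.173.43 : 2002-10-05 19:20:03 GMT  : 1 : 0 : CN=JOHN : :
connection=1703 : 9.182.173.43 : 2002-10-05 19:20:04 GMT  : 1 : 0 : CN=APP : :
EOF
}

# busy_sources MIN: read monitor output on stdin and print
# "<ip> <connections> <distinct bind DNs>" for every client address holding
# at least MIN connections, busiest first.
busy_sources() {
  awk -v min="$1" '
    /^connection=/ {
      line = $0
      sub(/[ \t\r]+$/, "", line)
      # Fields are separated by " : "; the colons inside the timestamp have
      # no whitespace after them, so they are not treated as separators.
      n = split(line " ", f, /[ \t]*:[ \t]+/)
      if (n < 6) next                      # skip lines that do not parse
      ip = f[2]; dn = toupper(f[6])
      count[ip]++
      if (!((ip, dn) in seen)) { seen[ip, dn] = 1; dns[ip]++ }
    }
    END {
      for (ip in count)
        if (count[ip] >= min) print ip, count[ip], dns[ip]
    }' | sort -k2,2nr -k1,1
}

# unbind_hints MIN: print (never run) the idsldapexop form from this page for
# each flagged address so an administrator can review it before disconnecting.
unbind_hints() {
  busy_sources "$1" | while read -r ip count dns; do
    printf 'idsldapexop -D <adminDN> -w <adminPW> -op unbind -ip %s  # %s connections, %s DN(s)\n' \
      "$ip" "$count" "$dns"
  done
}

# Demo on the constructed sample: addresses holding 3 or more connections.
sample_connections | unbind_hints 3
```

In practice the input would be the output of the idsldapsearch command above piped into busy_sources; the sample assumes IPv4 client addresses.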

 

Managing connection properties

The ability to manage connection properties enables you to prevent clients from locking up the server by closing connections of clients that:

  • Send data slowly, send partial data or send no data.

  • Do not read data results or read results slowly.

  • Do not unbind.

  • Bind anonymously.

It also ensures that an administrator always has access to the server when the backend is kept busy with long-running tasks.

 

Using Web Administration:

These selections are displayed only if you are logged in as the administrator or a member of the administration group on a server that supports this feature.

Expand the Server administration category in the navigation area. Click Manage connection properties.

The actual maximum threshold numbers are limited by the number of files permitted per process. On UNIX® or Linux® systems we can use the ulimit -a command to determine the limits. On Windows systems this is a fixed number.

  1. Select the General tab.

  2. The Allow anonymous connections check box is already selected for you so that anonymous binds are allowed. This is the default setting. We can click the check box to deselect the Allow anonymous connections feature. This action causes the server to unbind all anonymous connections.

    Disallowing anonymous binds might cause some applications to fail.

  3. Set the threshold number to initiate the cleanup of anonymous connections. We can specify a number between 0 and 65535 in the Cleanup threshold for anonymous connections field. The default setting is 0. When this number of anonymous connections is exceeded, connections are cleaned up based on the idle timeout limit that you set in the Idle time out field.

  4. Set the threshold number to initiate the cleanup of authenticated connections. We can specify a number between 0 and 65535 in the Cleanup threshold for authenticated connections field. The default setting is 1100. When this number of authenticated connections is exceeded, connections are cleaned up based on the idle timeout limit that you set in the Idle time out field.

  5. Set the threshold number to initiate the cleanup of all connections. You can specify a number between 0 and 65535 in the Cleanup threshold for all connections field. The default setting is 1200. When this total number of connections is exceeded, connections are cleaned up based on the idle timeout limit that you set in the Idle time out field.

  6. Set the number of seconds that a connection can be idle before it is closed by a cleanup process. We can specify a number between 0 and 65535 in the Idle timeout limit field. The default setting is 300. When a cleanup process is initiated, any connections, subject to the process, that exceed the limit are closed.

  7. Set the number of seconds between write attempts that will be allowed. We can specify a number between 0 and 65535 in the Result timeout limit field. The default setting is 120. Any connections that exceed this limit are ended.

    This applies to Windows systems only. A connection that exceeds 30 seconds is automatically dropped by the operating system. Therefore this Result timeout limit setting is overridden by the operating system after 30 seconds.

  8. When you are finished, click Apply to save your changes without exiting, or click OK to apply your changes and exit, or click Cancel to exit this panel without making any changes.

 

Using the command line:

To perform the same operations using the command line, issue the following command:

idsldapmodify -D <adminDN> -w <adminPW> -i <filename>

where <filename> contains:

dn: cn=Connection Management,cn=Front End, cn=Configuration
changetype: modify
replace: ibm-slapdAllowAnon
ibm-slapdAllowAnon:  TRUE
-
replace: ibm-slapdAnonReapingThreshold
ibm-slapdAnonReapingThreshold: 0
-
replace: ibm-slapdBoundReapingThreshold
ibm-slapdBoundReapingThreshold: 1100
-
replace: ibm-slapdAllReapingThreshold
ibm-slapdAllReapingThreshold: 1200
-
replace: ibm-slapdIdleTimeOut
ibm-slapdIdleTimeOut: 300
-
replace: ibm-slapdWriteTimeout
ibm-slapdWriteTimeout: 120
-
replace: ibm-slapdEThreadEnable
ibm-slapdEThreadEnable: TRUE
-
replace: ibm-slapdESizeThreshold
ibm-slapdESizeThreshold: 50
-
replace: ibm-slapdETimeThreshold
ibm-slapdETimeThreshold: 5
-
#ibm-slapdEThreadActivate can be set to S for size only, T for 
#time only, SOT for size or time, and SAT for size and time.
replace: ibm-slapdEThreadActivate
ibm-slapdEThreadActivate: { S | T | SOT | SAT}

To update the settings dynamically, issue the following idsldapexop command:

idsldapexop -D <adminDN> -w <adminPW> -op readconfig -scope entire

The idsldapexop command updates only those attributes that are dynamic. For other changes to take effect stop and restart the server. See Dynamically-changed attributes for a list of the attributes that can be updated dynamically.
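The following is an added example, not part of the product documentation: a pre-flight check for the idsldapmodify input file described above, run before the change is applied. It assumes that the 0 to 65535 limits given for the Web Administration fields apply to the corresponding threshold and timeout attributes; the function names and the sample LDIF, which contains deliberate mistakes, are constructed.

```shell
#!/bin/sh
# lint_connmgmt: read an idsldapmodify input file on stdin and print one
# finding per line; no output means nothing was flagged.
lint_connmgmt() {
  awk '
    function trim(s) { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }
    /^#/ || /^[ \t\r]*$/ { next }          # LDIF comments and blank lines
    /^-[ \t\r]*$/ { want = ""; next }      # "-" ends one modification
    {
      i = index($0, ":")
      if (i == 0) next
      attr = trim(substr($0, 1, i - 1)); val = trim(substr($0, i + 1))
      key = tolower(attr)
      if (key == "dn" || key == "changetype") next
      if (key == "replace") { want = val; next }
      # The value line must name the same attribute as its "replace:" line.
      if (want != "" && key != tolower(want))
        print "MISMATCH " want "/" attr
      # Assumption: the 0-65535 field limits apply to these attributes.
      if (key ~ /^ibm-slapd(anon|bound|all)reapingthreshold$/ ||
          key ~ /^ibm-slapd(idletimeout|writetimeout)$/)
        if (val !~ /^[0-9]+$/ || val + 0 > 65535)
          print "RANGE " attr "=" val
      # Allowed activation values listed in the file comment on this page.
      if (key == "ibm-slapdethreadactivate" && val !~ /^(S|T|SOT|SAT)$/)
        print "VALUE " attr "=" val
      if (key == "ibm-slapdallowanon" && toupper(val) == "TRUE")
        print "INFO " attr "=" val " (anonymous binds allowed)"
    }'
}

# Constructed input with three deliberate mistakes and one informational hit.
sample_ldif() {
cat <<'EOF'
dn: cn=Connection Management,cn=Front End, cn=Configuration
changetype: modify
replace: ibm-slapdAllowAnon
ibm-slapdAllowAnon: TRUE
-
replace: ibm-slapdAnonReapingThreshold
ibm-slapdAnonReapingThreshold: 70000
-
replace: ibm-slapdIdleTimeOu
ibm-slapdIdleTimeOut: 300
-
replace: ibm-slapdEThreadActivate
ibm-slapdEThreadActivate: ST
EOF
}

# Demo on the constructed sample.
sample_ldif | lint_connmgmt
```

Run against the template above as printed, the `{ S | T | SOT | SAT}` placeholder is reported as a VALUE finding until it is replaced with one of the four settings.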


