ADS 2.0 configuration has been completely reworked since the 1.0 and 1.5 versions. While those two versions were XML based, we decided to store the new configuration in the DiT (Directory Information Tree).
It is now accessible either through an LDAP browser, programmatically using an LDAP API, or simply by editing the LDIF files stored on disk.
ADS is more than an LDAP server. It is also a Kerberos server, a DNS server and a DHCP server. In other words, we have to define a configuration for many servers, some of them being backed by a Directory Service.
We can consider that the main service is the Directory Service, on top of which we have the servers. Each server has a specific network configuration. We will describe the associated configuration.
The easiest way to manage a server configuration is to use Studio. Defining a new server lets you configure it, but you can also modify an existing server's configuration, as long as you can connect to that server. Let's see how to proceed in both cases.
You can define a brand new server configuration using Studio. All you have to do is:
Click on the 'New Server' icon:
This will pop up this window:
Select the type of server you want to configure (here, 2.0) and name your server.
By double-clicking on the created server, you will see an overview of the current configuration (all the values are default values at this point):
You can modify the server port here, and access the advanced configuration from this screen.
The LDAP/LDAPS tab lets you configure all the SASL and TLS settings, plus the server limits:
We manage two kinds of limits:
In this tab, you can set up all the parameters needed to configure your Kerberos server:
This is where you add new partitions and modify them.
There are a few important elements to configure for a partition:
Then you also have to configure the indexes used by this partition. Some of them are mandatory (apacheRdn, apacheSubLevel, apachePresence, apacheOneLevel, apacheOneAlias, apacheSubAlias, apacheAlias, objectClass, entryUuid, entryCsn); for these you can only modify their cache. All the others are user indexes, which you have to create yourself. Each index is associated with an existing AttributeType.
Not yet available
The server should accept live modification. If this is the case, you just have to connect to the server and modify it.
We need to define a directory tree to store the configuration.
Here is the existing structure, where we have defined one LDAP server (ldapServer1), backed by one Directory Service (DS1), and two associated transports (ldapSrv1 and ldapsSrv1):

ou=config
+--ads-directoryServiceId=default
   +--ads-changeLogId=defaultChangeLog
   +--ads-journalId=defaultJournal
   +--ou=interceptors
   |  +--ads-interceptorId=aciAuthorizationInterceptor
   |  +--ads-interceptorId=authenticationInterceptor
   |  |  +--ou=authenticators
   |  |  |  +--ads-authenticatorid=anonymousauthenticator
   |  |  |  +--ads-authenticatorid=simpleauthenticator
   |  |  |  +--ads-authenticatorid=strongauthenticator
   |  |  +--ou=passwordPolicies
   |  |     +--ads-pwdId=default
   |  +--ads-interceptorId=collectiveAttributeInterceptor
   |  +--ads-interceptorId=defaultAuthorizationInterceptor
   |  +--ads-interceptorId=eventInterceptor
   |  +--ads-interceptorId=exceptionInterceptor
   |  +--ads-interceptorId=keyDerivationInterceptor
   |  +--ads-interceptorId=normalizationInterceptor
   |  +--ads-interceptorId=operationalAttributeInterceptor
   |  +--ads-interceptorId=passwordHashingInterceptor
   |  +--ads-interceptorId=referralInterceptor
   |  +--ads-interceptorId=schemaInterceptor
   |  +--ads-interceptorId=subentryInterceptor
   |  +--ads-interceptorId=triggerInterceptor
   +--ou=partitions
   |  +--ads-partitionId=system
   |  |  +--ou=indexes
   |  |     +--ads-indexAttributeId=apacheRdn
   |  |     +--ads-indexAttributeId=apacheSubLevel
   |  |     +--ads-indexAttributeId=apachePresence
   |  |     +--ads-indexAttributeId=apacheOneLevel
   |  |     +--ads-indexAttributeId=apacheOneAlias
   |  |     +--ads-indexAttributeId=apacheSubAlias
   |  |     +--ads-indexAttributeId=apacheAlias
   |  |     +--ads-indexAttributeId=objectClass
   |  |     +--ads-indexAttributeId=entryUUID
   |  |     +--ads-indexAttributeId=entryCSN
   |  |     +--ads-indexAttributeId=ou
   |  |     +--ads-indexAttributeId=uid
   |  +--ads-partitionId=example
   |     +--ou=indexes
   |        +--ads-indexAttributeId=apacheRdn
   |        +--ads-indexAttributeId=apacheSubLevel
   |        +--ads-indexAttributeId=apachePresence
   |        +--ads-indexAttributeId=apacheOneLevel
   |        +--ads-indexAttributeId=apacheOneAlias
   |        +--ads-indexAttributeId=apacheSubAlias
   |        +--ads-indexAttributeId=apacheAlias
   |        +--ads-indexAttributeId=objectClass
   |        +--ads-indexAttributeId=entryUUID
   |        +--ads-indexAttributeId=entryCSN
   |        +--ads-indexAttributeId=ou
   |        +--ads-indexAttributeId=uid
   |        +--ads-indexAttributeId=dc
   |        +--ads-indexAttributeId=krb5PrincipalName
   +--ou=servers
      +--ads-serverId=changePasswordServer
      |  +--ou=transports
      |     +--ads-transportId=tcp
      |     +--ads-transportId=udp
      +--ads-serverId=dnsServer
      |  +--ou=transports
      |     +--ads-transportId=tcp
      |     +--ads-transportId=udp
      +--ads-serverId=httpServer
      |  +--ou=transports
      |  |  +--ads-transportid=http
      |  |  +--ads-transportid=https
      |  +--ou=httpWebApps
      |     +--ads-id=testapp
      +--ads-serverId=kerberosServer
      |  +--ou=transports
      |     +--ads-transportid=tcp
      |     +--ads-transportid=udp
      +--ads-serverId=ldapServer
      |  +--ou=replConsumers
      |  +--ou=transports
      |  |  +--ads-transportid=ldap
      |  |  +--ads-transportid=ldaps
      |  +--ou=extendedOpHandlers
      |  |  +--ads-extendedOpId=gracefulShutdownHandler
      |  |  +--ads-extendedOpId=starttlshandler
      |  |  +--ads-extendedOpId=storedprochandler
      |  +--ou=saslMechHandlers
      |     +--ads-saslMechName=CRAM-MD5
      |     +--ads-saslMechName=DIGEST-MD5
      |     +--ads-saslMechName=GSS-SPNEGO
      |     +--ads-saslMechName=GSSAPI
      |     +--ads-saslMechName=NTLM
      |     +--ads-saslMechName=SIMPLE
      +--ads-serverId=ntpServer
         +--ou=transports
            +--ads-transportId=tcp
            +--ads-transportId=udp
For every server backed by a directory, this is where we define this service's configuration.
The Directory Service configuration itself depends on some sub-elements, which need their own configuration:
see configuration schema description
Otherwise, we also have a set of simple parameters, listed in the following table:
We have many parameters we can configure in order to get the DirectoryService working. Some parameters are mandatory, others aren't. Some may have a single value, others may be multi-valued.
Here is the list of mandatory and optional parameters
Some interceptors can be configured (Authentication and PasswordPolicy). They will be described with a specific ObjectClass.
Otherwise, they only have an identifier and an order number, as the interceptors are used in an ordered chain (we may later want to allow an administrator to inject a new interceptor).
This ObjectClass contains the information common to every interceptor. It will be extended by each specific interceptor.
Here is the configuration:
{note} The partitionSuffix, revisionsContainerName and tagsContainerName should not be exposed. They won't be associated with a schema element. The changeLogStore is not defined right now, as we only have an in-memory changeLog system working. {note}
Here is the list of AttributeTypes we need for the changeLog :
Here is the ObjectClass we need for the changeLog :
This is the system storing every modification, in order to be able to restore the server if it crashes, or to manage replication. It is backed by a store, which needs to be configured too. Here is the configuration:
Here is the list of AttributeTypes we need for the journal :
Here is the ObjectClass we need for the journal :
The Partition parameters are listed in the following table:
The indexedAttributes parameter itself is a composite attribute, and will be described below.
{note} The ‘property’ parameter will probably be removed. {note}
{note} The ‘optimizerEnabled’ parameter will probably be removed. {note}
The Index parameters are listed in the following table:
{note} The cacheSize is likely to be removed. {note}
We will define at least two ObjectClasses, as we may have different kinds of index (JDBM, Oracle, ...).
The LdapServer parameters are described in the following table:
Some of the parameters will not be used : extendedOperationHandlers, saslQop, saslMechanismHandlers and replicationSystem.
None of those parameters are composite, except the DirectoryService, which has already been described.
Here is the list of ObjectClasses we need for the LdapServer
The KerberosServer parameters are described in the following table:
Here is the list of AttributeTypes we need for the KerberosServer
Here is the list of ObjectClass we need for the KerberosServer
The transport layer is the layer in charge of managing incoming requests and outgoing responses. All the servers depend on this layer. It supports TCP and UDP transports.
The configuration parameters are the following:
The base transport is determined by the type of transport object we will create: TcpTransport or UdpTransport.
For instance, in the current server.xml file, we have this configuration for the LDAP server and for the Kerberos server:
...
<ldapServer id="ldapServer" ...>
  <transports>
    <tcpTransport address="0.0.0.0" port="10389" nbThreads="8"
                  backLog="50" enableSSL="false"/>
...

...
<kdcServer id="kdcServer">
  <transports>
    <tcpTransport port="60088" nbThreads="4" backLog="50"/>
    <udpTransport port="60088" nbThreads="4" backLog="50"/>
  </transports>
...
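As an added example, not code from the ApacheDS project or from this page, here is the same LDAP transport expressed as LDIF entries under the ou=config tree, with a small Python parser that rebuilds the DIT branch from the DNs and flags transports listening on all interfaces with SSL disabled. The LDIF is constructed, and the ads-systemPort, ads-transportAddress and ads-transportEnableSSL attribute names are assumptions taken from the ApacheDS 2.0 config schema rather than definitions given on this page:

```python
from collections import defaultdict
# Parent DN of the ldapServer entry in the ou=config tree shown on this page.
SRV = "ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config"
# Constructed sample LDIF (not a real config.ldif) carrying the server.xml values;
# the ads-* attribute names are assumed from the ApacheDS 2.0 config schema.
SAMPLE_LDIF = f"""\
dn: ou=transports,{SRV}

dn: ads-transportId=ldap,ou=transports,{SRV}
ads-transportId: ldap
ads-systemPort: 10389
ads-transportAddress: 0.0.0.0
ads-transportEnableSSL: false

dn: ads-transportId=ldaps,ou=transports,{SRV}
ads-transportId: ldaps
ads-systemPort: 10636
ads-transportAddress: 0.0.0.0
ads-transportEnableSSL: true
"""
def parse_ldif(text):
    """Return {dn: {attr: [values]}} for simple LDIF (no folding, no base64)."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            attrs[attr].append(value)
        entries[attrs["dn"][0]] = attrs
    return entries
def children(entries, parent_dn):  # direct children: exactly one (unescaped) RDN longer
    return sorted(dn for dn in entries if dn.endswith("," + parent_dn)
                  and "," not in dn[: -len(parent_dn) - 1])
def render_tree(entries, dn, depth=0):
    """Indented text tree of the DIT below dn, like the ou=config listing."""
    lines = ["   " * depth + "+--" + dn.split(",")[0]]
    for child in children(entries, dn):
        lines.extend(render_tree(entries, child, depth + 1))
    return lines
def cleartext_transports(entries):
    """(transportId, port) of transports bound to all interfaces with SSL off."""
    hits = []
    for dn, attrs in entries.items():
        if dn.startswith("ads-transportId="):
            ssl = attrs.get("ads-transportEnableSSL", ["false"])[0] == "true"
            addr = attrs.get("ads-transportAddress", ["0.0.0.0"])[0]  # assumed default
            if not ssl and addr in ("0.0.0.0", "::"):
                hits.append((attrs["ads-transportId"][0], int(attrs["ads-systemPort"][0])))
    return hits
```

Run against a real config.ldif export, the same functions list every transport that still accepts cleartext binds on every interface, which is the first thing to review after enabling the ldaps transport.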
To be able to store the transport in the DiT, we must define a specific set of AttributeTypes and ObjectClasses to store them. Here are those definitions.
Here is the list of AttributeTypes we need for the transport layer
Here is the list of ObjectClasses we need for the transport layer