title: ADS 2.0 configuration

Introduction

The ADS 2.0 configuration has been completely reworked since the 1.0 and 1.5 versions. While those two versions were XML based (server.xml), the 2.0 configuration is stored in the DiT (Directory Information Tree) itself, under a dedicated configuration partition.

It is now available either through an LDAP browser, programmatically using an LDAP API, or simply by editing the LDIF files stored on disk (the latter while the server is not running, since the files are loaded at startup).

Configuration structure

ADS is more than an LDAP server: it is also a Kerberos server, a DNS server and a DHCP server. In other words, we have to define a configuration for many servers, some of them being backed by a Directory Service.

The main service is the Directory Service, on top of which the servers run. Each server has its own network configuration (its transports). The sections below describe each of these configurations.

Using Apache DirectoryStudio to manage the configuration

The easiest way to manage a server configuration is to use Apache Directory Studio. Defining a new server lets you configure it from scratch, but you can also modify an existing server's configuration, as long as you can connect to that server. Let's see how to proceed in both cases.

New server configuration

You can define a brand new server configuration using Studio. All you have to do is:

  • create a new Server instance
  • modify its configuration
  • save the configuration as a file (LDIF)
  • move this LDIF file into the installed server's workspace at the right place (under the configuration partition)

Creation of a new server

Click on the ‘New Server’ icon :

New server icon

This will popup this window :

New server creation

Select the type of server you want to configure (here, 2.0) and name your server.

Configuration overview

By double-clicking on the created server, you will see an overview of the current configuration (all the values are default values at this point):

Overview

You can modify the server ports here, and reach the advanced configuration tabs from this screen.

LDAP/LDAPS configuration

The LDAP/LDAPS tab lets you configure all the SASL and TLS settings, plus the server limits:

Ldap Ldaps

We manage two kinds of limits, both of which protect the server against requests that would otherwise consume unbounded resources:

  • the maximum time the server will spend processing a request (once this time has expired, the request is aborted)
  • the maximum number of entries a search will return

Kerberos configuration

In this tab, you can set up all the parameters needed to configure your Kerberos server:

Kerberos

Partition configuration

This is where you add new partitions and modify existing ones.

There are a few important elements to configure for a partition:

  • its ID, which is an external name
  • its Suffix, which must be a valid DN
  • the cache size used for this partition (the number of pages kept in memory, keeping in mind that a page may contain more than one entry)

Then you also have to configure the indexes used by this partition. Some of them are mandatory (apacheRdn, apacheSubLevel, apachePresence, apacheOneLevel, apacheOneAlias, apacheSubAlias, apacheAlias, objectClass, entryUUID, entryCSN); for those you can only modify the cache size. All the others are user indexes, which you have to create yourself. Each index is associated with an existing AttributeType.

Partition

Replication

Not yet available

Modifying an existing server configuration

The server should accept live modification of its configuration. If it does, you just have to connect to the server with Studio and modify the entries under the configuration partition.

DiT configuration structure

We need to define a directory tree to store the configuration.

Here is the existing structure. It defines one Directory Service (ads-directoryServiceId=default) with its change log, journal, interceptors and partitions, and a set of servers under ou=servers (change password, DNS, HTTP, Kerberos, LDAP and NTP), each with its own transports. The LDAP server has two transports, ldap and ldaps:

ou=config
 |
 +--ads-directoryServiceId=default
      |
      +--ads-changeLogId=defaultChangeLog
      |
      +--ads-journalId=defaultJournal
      |
      +--ou=interceptors
      |    |
      |    +--ads-interceptorId=aciAuthorizationInterceptor
      |    |
      |    +--ads-interceptorId=authenticationInterceptor
      |    |	|
      |    |	+--ou=authenticators
      |    |	|    |
      |    |	|    +--ads-authenticatorid=anonymousauthenticator
      |    |	|    |
      |    |	|    +--ads-authenticatorid=simpleauthenticator
      |    |	|    |
      |    |	|    +--ads-authenticatorid=strongauthenticator
      |    |	|
      |    |	+--ou=passwordPolicies
      |    |	     |
      |    |	     +--ads-pwdId=default
      |    |
      |    +--ads-interceptorId=collectiveAttributeInterceptor
      |    |
      |    +--ads-interceptorId=defaultAuthorizationInterceptor
      |    |
      |    +--ads-interceptorId=eventInterceptor
      |    |
      |    +--ads-interceptorId=exceptionInterceptor
      |    |
      |    +--ads-interceptorId=keyDerivationInterceptor
      |    |
      |    +--ads-interceptorId=normalizationInterceptor
      |    |
      |    +--ads-interceptorId=operationalAttributeInterceptor
      |    |
      |    +--ads-interceptorId=passwordHashingInterceptor
      |    |
      |    +--ads-interceptorId=referralInterceptor
      |    |
      |    +--ads-interceptorId=schemaInterceptor
      |    |
      |    +--ads-interceptorId=subentryInterceptor
      |    |
      |    +--ads-interceptorId=triggerInterceptor
      |
      +--ou=partitions
      |    |
      |    +--ads-partitionId=system
      |    |	|
      |    |	+--ou=indexes
      |    |	     |
      |    |	     +--ads-indexAttributeId=apacheRdn
      |    |	     |
      |    |	     +--ads-indexAttributeId=apacheSubLevel
      |    |	     |
      |    |	     +--ads-indexAttributeId=apachePresence
      |    |	     |
      |    |	     +--ads-indexAttributeId=apacheOneLevel
      |    |	     |
      |    |	     +--ads-indexAttributeId=apacheOneAlias
      |    |	     |
      |    |	     +--ads-indexAttributeId=apacheSubAlias
      |    |	     |
      |    |	     +--ads-indexAttributeId=apacheAlias
      |    |	     |
      |    |	     +--ads-indexAttributeId=objectClass
      |    |	     |
      |    |	     +--ads-indexAttributeId=entryUUID
      |    |	     |
      |    |	     +--ads-indexAttributeId=entryCSN
      |    |	     |
      |    |	     +--ads-indexAttributeId=ou
      |    |	     |
      |    |	     +--ads-indexAttributeId=uid
      |    |
      |    +--ads-partitionId=example
      | 	|
      | 	+--ou=indexes
      | 	     |
      | 	     +--ads-indexAttributeId=apacheRdn
      | 	     |
      | 	     +--ads-indexAttributeId=apacheSubLevel
      | 	     |
      | 	     +--ads-indexAttributeId=apachePresence
      | 	     |
      | 	     +--ads-indexAttributeId=apacheOneLevel
      | 	     |
      | 	     +--ads-indexAttributeId=apacheOneAlias
      | 	     |
      | 	     +--ads-indexAttributeId=apacheSubAlias
      | 	     |
      | 	     +--ads-indexAttributeId=apacheAlias
      | 	     |
      | 	     +--ads-indexAttributeId=objectClass
      | 	     |
      | 	     +--ads-indexAttributeId=entryUUID
      | 	     |
      | 	     +--ads-indexAttributeId=entryCSN
      | 	     |
      | 	     +--ads-indexAttributeId=ou
      | 	     |
      | 	     +--ads-indexAttributeId=uid
      | 	     |
      | 	     +--ads-indexAttributeId=dc
      | 	     |
      | 	     +--ads-indexAttributeId=krb5PrincipalName
      |
      +--ou=servers
	   |
	   +--ads-serverId=changePasswordServer
	   |	|
	   |	+--ou=transports
	   |	     |
	   |	     +--ads-transportId=tcp
	   |	     |
	   |	     +--ads-transportId=udp
	   |
	   +--ads-serverId=dnsServer
	   |	|
	   |	+--ou=transports
	   |	     |
	   |	     +--ads-transportId=tcp
	   |	     |
	   |	     +--ads-transportId=udp
	   |
	   +--ads-serverId=httpServer
	   |	|
	   |	+--ou=transports
	   |	|    |
	   |	|    +--ads-transportid=http
	   |	|    |
	   |	|    +--ads-transportid=https
	   |	|
	   |	+--ou=httpWebApps
	   |	     |
	   |	     +--ads-id=testapp
	   |
	   +--ads-serverId=kerberosServer
	   |	|
	   |	+--ou=transports
	   |	     |
	   |	     +--ads-transportid=tcp
	   |	     |
	   |	     +--ads-transportid=udp
	   |
	   +--ads-serverId=ldapServer
	   |	|
	   |	+--ou=replConsumers
	   |	|
	   |	+--ou=transports
	   |	|    |
	   |	|    +--ads-transportid=ldap
	   |	|    |
	   |	|    +--ads-transportid=ldaps
	   |	|
	   |	+--ou=extendedOpHandlers
	   |	|    |
	   |	|    +--ads-extendedOpId=gracefulShutdownHandler
	   |	|    |
	   |	|    +--ads-extendedOpId=starttlshandler
	   |	|    |
	   |	|    +--ads-extendedOpId=storedprochandler
	   |	|
	   |	+--ou=saslMechHandlers
	   |	     |
	   |	     +--ads-saslMechName=CRAM-MD5
	   |	     |
	   |	     +--ads-saslMechName=DIGEST-MD5
	   |	     |
	   |	     +--ads-saslMechName=GSS-SPNEGO
	   |	     |
	   |	     +--ads-saslMechName=GSSAPI
	   |	     |
	   |	     +--ads-saslMechName=NTLM
	   |	     |
	   |	     +--ads-saslMechName=SIMPLE
	   |
	   +--ads-serverId=ntpServer
		|
		+--ou=transports
		     |
		     +--ads-transportId=tcp
		     |
		     +--ads-transportId=udp

configuration-schema-dit
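Because the whole configuration lives in LDIF, it can be audited offline before the server is started. The following script is an added example, not ApacheDS or Studio code: it parses an LDIF export of the configuration partition, walks the tree shown above (ou=partitions/ou=indexes, ou=servers/ou=transports and ou=saslMechHandlers) and reports the problems a reviewer looks for first: a partition missing one of the mandatory indexes listed in the Partition section, an ldaps transport with SSL switched off, a listener bound to every interface, a weak SASL mechanism handler left enabled, and a request limit left at zero. The sample LDIF is constructed for the example. The ads-* attribute names used on the entries (ads-partitionSuffix, ads-systemPort, ads-transportAddress, ads-transportEnableSSL, ads-enabled, ads-maxTimeLimit, ads-maxSizeLimit) follow the config.ldif shipped with ApacheDS 2.0 and are assumptions as far as this page is concerned, since its schema tables are not filled in; so is the reading of a limit of 0 as "no limit".

```python
"""Offline audit of an ApacheDS 2.0 configuration partition exported as LDIF.
Added example (not ApacheDS code). DIT layout: the tree on this page.
ads-* attribute names: assumed, after the ApacheDS 2.0 config.ldif."""
import re

CONFIG_BASE = "ads-directoryServiceId=default,ou=config"

# Indexes every partition must carry (Partition section of this page).
MANDATORY_INDEXES = {"apacheRdn", "apacheSubLevel", "apachePresence", "apacheOneLevel",
                     "apacheOneAlias", "apacheSubAlias", "apacheAlias", "objectClass",
                     "entryUUID", "entryCSN"}
# SASL mechanism handlers from the tree that a hardened server should not leave enabled.
WEAK_SASL = {"NTLM", "CRAM-MD5"}


def parse_ldif(text):
    """Minimal LDIF reader -> {dn.lower(): {attr.lower(): [values]}}.
    Handles folded continuation lines and comments; base64 (::) values are not needed here."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:          # folded line continues the previous one
                lines[-1] += line[1:]
            elif line and not line.startswith("#"):
                lines.append(line)
        attrs = {}
        for line in lines:
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in attrs:
            entries[attrs["dn"][0].lower()] = attrs   # DNs compare case-insensitively
    return entries


def rdn_value(dn):
    return dn.split(",", 1)[0].split("=", 1)[1]


def children(entries, parent_dn, rdn_attr):
    """Direct children of parent_dn whose RDN attribute is rdn_attr, keyed by RDN value."""
    suffix, prefix = "," + parent_dn.lower(), rdn_attr.lower() + "="
    out = {}
    for dn, attrs in entries.items():
        if dn.startswith(prefix) and dn.endswith(suffix) and "," not in dn[:-len(suffix)]:
            out[rdn_value(attrs["dn"][0])] = attrs
    return out


def first(attrs, name, default):
    return attrs.get(name.lower(), [default])[0]


def audit(entries):
    """Return the list of findings (an empty list means nothing to report)."""
    findings = []
    # 1. Every partition must carry the mandatory system indexes.
    for pid in children(entries, "ou=partitions," + CONFIG_BASE, "ads-partitionId"):
        idx_parent = f"ou=indexes,ads-partitionId={pid},ou=partitions,{CONFIG_BASE}"
        have = {i.lower() for i in children(entries, idx_parent, "ads-indexAttributeId")}
        missing = sorted(i for i in MANDATORY_INDEXES if i.lower() not in have)
        if missing:
            findings.append(f"partition {pid}: missing mandatory index(es) {', '.join(missing)}")
    ldap_server = f"ads-serverId=ldapServer,ou=servers,{CONFIG_BASE}"
    # 2. Transports: ldaps must really have SSL on; flag listeners bound to every interface.
    for tid, t in children(entries, "ou=transports," + ldap_server, "ads-transportId").items():
        if tid.lower() == "ldaps" and first(t, "ads-transportEnableSSL", "FALSE").upper() != "TRUE":
            findings.append(f"transport {tid}: ads-transportEnableSSL is not TRUE")
        if first(t, "ads-transportAddress", "") == "0.0.0.0":
            findings.append(f"transport {tid}: bound to all interfaces (0.0.0.0)")
    # 3. Weak SASL handlers left enabled (a missing ads-enabled is treated as TRUE: assumption).
    for mech, m in children(entries, "ou=saslMechHandlers," + ldap_server, "ads-saslMechName").items():
        if mech.upper() in WEAK_SASL and first(m, "ads-enabled", "TRUE").upper() == "TRUE":
            findings.append(f"SASL mechanism {mech}: weak mechanism enabled")
    # 4. Limits from the LDAP/LDAPS tab; this example treats 0 or absent as "no limit".
    server = entries.get(ldap_server.lower(), {})
    for limit in ("ads-maxTimeLimit", "ads-maxSizeLimit"):
        if first(server, limit, "0") == "0":
            findings.append(f"ldapServer: {limit} is 0 or unset (no limit)")
    return findings


def index_entry(partition, attr):
    return (f"dn: ads-indexAttributeId={attr},ou=indexes,ads-partitionId={partition},"
            f"ou=partitions,{CONFIG_BASE}\nobjectClass: ads-index\nads-indexAttributeId: {attr}\n\n")


# Constructed sample shaped like the tree on this page: partition "example" lacks the
# entryCSN index, the ldaps transport has SSL off, NTLM is enabled, the size limit is 0.
SAMPLE_LDIF = f"""\
dn: ads-partitionId=example,ou=partitions,{CONFIG_BASE}
objectClass: ads-partition
ads-partitionId: example
ads-partitionSuffix: dc=example,dc=com

dn: ads-serverId=ldapServer,ou=servers,{CONFIG_BASE}
objectClass: ads-ldapServer
ads-serverId: ldapServer
ads-maxTimeLimit: 15000
ads-maxSizeLimit: 0

dn: ads-transportId=ldap,ou=transports,ads-serverId=ldapServer,ou=servers,{CONFIG_BASE}
objectClass: ads-tcpTransport
ads-transportId: ldap
ads-systemPort: 10389
ads-transportAddress: 0.0.0.0
ads-transportEnableSSL: FALSE

dn: ads-transportId=ldaps,ou=transports,ads-serverId=ldapServer,ou=servers,{CONFIG_BASE}
objectClass: ads-tcpTransport
ads-transportId: ldaps
ads-systemPort: 10636
ads-transportAddress: 127.0.0.1
ads-transportEnableSSL: FALSE

dn: ads-saslMechName=NTLM,ou=saslMechHandlers,ads-serverId=ldapServer,ou=servers,{CONFIG_BASE}
objectClass: ads-saslMechHandler
ads-saslMechName: NTLM
ads-enabled: TRUE

""" + "".join(index_entry("example", a)
              for a in sorted(MANDATORY_INDEXES - {"entryCSN"}) + ["ou", "uid"])

if __name__ == "__main__":
    for finding in audit(parse_ldif(SAMPLE_LDIF)):
        print(finding)
```

Run it against a real export (for instance `ldapsearch -b ou=config -s sub -LLL` against a running instance, or the LDIF file itself) by replacing SAMPLE_LDIF; attribute names and DNs are matched case-insensitively, which is why the mixed-case ids in the tree above (ads-transportid versus ads-transportId) do not matter.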

Directory Service

For every server backed by the directory, this is where the Directory Service's own configuration is defined.

The Directory Service configuration itself depends on some sub-elements, each of which needs its own configuration:

  • changeLog
  • interceptors
  • journal
  • partitions
  • replication

see configuration schema description

Apart from those, there is also a set of simple parameters, listed in the following table:

ads-directoryService ObjectClass

Many parameters can be configured to get the DirectoryService working. Some are mandatory, others are not; some are single-valued, others multi-valued.

Here is the list of mandatory and optional parameters:

Mandatory parameters

Optional parameters

Interceptors

Some interceptors have their own configuration (Authentication and PasswordPolicy); they are described with a specific ObjectClass.

Otherwise, an interceptor only has an identifier and an order number, as the interceptors are applied as an ordered chain. (We may later allow an administrator to inject a new interceptor.)

This ObjectClass holds the information common to every interceptor. It is extended by each interceptor-specific ObjectClass.

Mandatory parameters

Authentication interceptor

ads-authenticationInterceptor

ChangeLog

Here is the configuration :

{note} The partitionSuffix, revisionsContainerName and tagsContainerName should not be exposed. They won't be associated with a schema element. The changeLogStore is not defined right now, as we only have an in-memory changeLog system working. {note}

ChangeLog schema

AttributeTypes

Here is the list of AttributeTypes we need for the changeLog :

ObjectClass

Here is the ObjectClass we need for the changeLog :

Journal

This is the system that stores every modification, so that the server can be restored after a crash or replication can be managed. It is backed by a store, which needs to be configured too. Here is the configuration:

Journal schema

AttributeTypes

Here is the list of AttributeTypes we need for the journal :

ObjectClass

Here is the ObjectClass we need for the journal :

Partition

The Partition parameters are listed in the following table :

The indexedAttributes parameter is itself a composite attribute and is described below.

{note} The ‘property’ parameter will probably be removed. {note}

{note} The ‘optimizerEnabled’ parameter will probably be removed. {note}

Partition schema

AttributeTypes

ObjectClass

Index

The Index parameters are listed in the following table :

{note} The cacheSize is likely to be removed. {note}

Index schema

AttributeTypes

ObjectClass

We will define at least two ObjectClasses, as there may be different kinds of index (JDBM, Oracle, ...).

LdapServer

The LdapServer parameters are described in the following table :

Some of the parameters will not be used : extendedOperationHandlers, saslQop, saslMechanismHandlers and replicationSystem.

None of those parameters is composite, except the DirectoryService, which has already been described.

LdapServer schema

AttributeTypes

ObjectClass

Here is the list of ObjectClasses we need for the LdapServer

KerberosServer

The KerberosServer parameters are described in the following table :

KerberosServer Schema

AttributeTypes

Here is the list of AttributeTypes we need for the KerberosServer

ObjectClasses

Here is the list of ObjectClass we need for the KerberosServer

Transport Layer

The transport layer is in charge of receiving incoming requests and sending outgoing responses. All the servers depend on this layer. It supports TCP and UDP transports.

The configuration parameters are the following:

The concrete transport is determined by the type of transport object we create: TcpTransport or UdpTransport.

For instance, in the current server.xml file, we have this configuration for the LDAP server and for the Kerberos server:

  ...
  <ldapServer id="ldapServer" ...>
    <transports>
      <tcpTransport address="0.0.0.0" port="10389" nbThreads="8"
                    backLog="50" enableSSL="false"/>
    </transports>
  ...

  ...
  <kdcServer id="kdcServer">
    <transports>
      <tcpTransport port="60088" nbThreads="4" backLog="50"/>
      <udpTransport port="60088" nbThreads="4" backLog="50"/>
    </transports>
  ...
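To see how the server.xml transports above map onto the DiT, here is an added example, not an ApacheDS migration tool, that reads 1.5-style transport elements and emits the corresponding 2.0 entries under ou=transports of each server, with the DNs following the tree on this page. The sample server.xml is constructed (it adds an SSL listener to the fragment above so that both ldap and ldaps come out). The mapping of kdcServer to ads-serverId=kerberosServer, the ldap/ldaps transport ids, and the ads-* attribute names and objectClasses (ads-systemPort, ads-transportAddress, ads-transportNbThreads, ads-transportBackLog, ads-transportEnableSSL, ads-tcpTransport, ads-udpTransport) follow the ApacheDS 2.0 config.ldif and are assumptions here, since the transport schema tables on this page are not filled in.

```python
"""Turn 1.5-style server.xml transport elements into ADS 2.0 configuration LDIF.
Added example, not ApacheDS tooling. Target DNs follow the tree on this page;
server-id mapping and ads-* names are assumptions (after ApacheDS 2.0 config.ldif)."""
import xml.etree.ElementTree as ET

CONFIG_BASE = "ads-directoryServiceId=default,ou=config"
SERVER_IDS = {"ldapServer": "ldapServer", "kdcServer": "kerberosServer"}   # assumption
ATTR_MAP = {  # server.xml attribute -> ads-* attribute (assumption)
    "address": "ads-transportAddress", "port": "ads-systemPort",
    "nbThreads": "ads-transportNbThreads", "backLog": "ads-transportBackLog",
    "enableSSL": "ads-transportEnableSSL",
}
OBJECT_CLASSES = {"tcpTransport": "ads-tcpTransport", "udpTransport": "ads-udpTransport"}

# Constructed server.xml excerpt modelled on the fragment above, plus an SSL listener.
SAMPLE_SERVER_XML = """<beans>
  <ldapServer id="ldapServer">
    <transports>
      <tcpTransport address="0.0.0.0" port="10389" nbThreads="8" backLog="50" enableSSL="false"/>
      <tcpTransport address="0.0.0.0" port="10636" nbThreads="8" backLog="50" enableSSL="true"/>
    </transports>
  </ldapServer>
  <kdcServer id="kdcServer">
    <transports>
      <tcpTransport port="60088" nbThreads="4" backLog="50"/>
      <udpTransport port="60088" nbThreads="4" backLog="50"/>
    </transports>
  </kdcServer>
</beans>"""


def transport_id(server_tag, elem):
    """Name transports as the 2.0 tree does: ldap/ldaps for the LDAP server, tcp/udp elsewhere."""
    if server_tag == "ldapServer":
        return "ldaps" if elem.get("enableSSL", "false").lower() == "true" else "ldap"
    return "tcp" if elem.tag == "tcpTransport" else "udp"


def transport_entries(xml_text):
    """Return [(dn, {attribute: [values]})] for every transport of every known server.
    Raises ValueError when two transports of one server would get the same DN."""
    entries = []
    for server in ET.fromstring(xml_text):
        if server.tag not in SERVER_IDS:
            continue
        server_id = SERVER_IDS[server.tag]
        for t in server.iter():
            if t.tag not in OBJECT_CLASSES:
                continue
            tid = transport_id(server.tag, t)
            dn = (f"ads-transportId={tid},ou=transports,ads-serverId={server_id},"
                  f"ou=servers,{CONFIG_BASE}")
            if any(dn == existing for existing, _ in entries):
                raise ValueError(f"duplicate transport id {tid} for {server_id}")
            attrs = {"objectClass": ["top", "ads-transport", OBJECT_CLASSES[t.tag]],
                     "ads-transportId": [tid]}
            for xml_attr, ads_attr in ATTR_MAP.items():
                if xml_attr in t.attrib:
                    value = t.attrib[xml_attr]
                    if xml_attr == "enableSSL":
                        value = value.upper()        # LDAP booleans are TRUE / FALSE
                    attrs[ads_attr] = [value]
            entries.append((dn, attrs))
    return entries


def to_ldif(entries):
    """Serialise the entries as LDIF, one blank line between entries."""
    blocks = []
    for dn, attrs in entries:
        lines = [f"dn: {dn}"] + [f"{name}: {v}" for name, values in attrs.items() for v in values]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    print(to_ldif(transport_entries(SAMPLE_SERVER_XML)), end="")
```

The duplicate-DN check matters because the 1.5 file lets you declare any number of tcpTransport elements, while in the DiT each transport is one entry whose RDN must be unique under ou=transports; two non-SSL LDAP listeners would otherwise silently collapse into one entry when the LDIF is loaded.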

Transport schema

To store the transports in the DiT, we must define a specific set of AttributeTypes and ObjectClasses for them. Here are those definitions.

AttributeTypes

Here is the list of AttributeTypes we need for the transport layer

ObjectClasses

Here is the list of ObjectClasses we need for the transport layer