IBM Tivoli Directory Server Notes
16 character attribute limitation has been fixed
See here
Good Filters for searches under the suffix cn=schema.
Problem
Only filters in certain formats work in searches under the suffix cn=schema, which matters when you need to find the definition of a certain objectclass or attribute.
Solution
A simple way to get the information about a certain OID or objectclass from a large cn=schema search result is to pipe the output to grep, as shown below:
ldapsearch -D <BindDN> -w <BindPW> -s base -b "cn=schema" objectclass=* | grep -i <OID/NAME/Description..>
Although results obtained this way are filtered purely as text and may show multiple occurrences of the OID itself, most of the time this is an effective way to get a definition out of a cn=schema search.
Further, to drill down to only objectclass definitions, the ldapsearch given below can be used:
ldapsearch -D <BindDN> -w <BindPW> -s base -b "cn=schema" objectclass=* objectclasses | grep -i " '<objectclass>' "
For example, in ITDS 6.0:
ldapsearch -D cn=root -w root -p 389 -s base -b "cn=schema" objectclass=* objectclasses | grep -i " 'container' "
Output:
objectclasses=( 1.3.18.0.2.6.28 NAME 'container' DESC 'An object that can contain other objects.' SUP top STRUCTURAL MUST cn )
Similarly, to drill down to only attribute definitions, the ldapsearch given below can be used:
ldapsearch -D <BindDN> -w <BindPW> -s base -b "cn=schema" objectclass=* attributetypes | grep -i " '<attribute>' "
For example, in ITDS 6.0:
ldapsearch -D cn=root -w root -p 3389 -s base -b "cn=schema" objectclass=* attributetypes | grep -i " 'userPassword' "
Output:
attributetypes=( xx.5.4.35 NAME 'userPassword' DESC 'Holds a password value for a distinguished name.' EQUALITY xx.5.13.17 SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )
IDS 6.0 improvements
- IDS - Improved replication. Multi-instance.
- IDS 6.0 comes bundled with TIM/TAM
- Only the standalone version comes with a proxy and ITDI
- Without IDI agents, Perl scripts are needed to manage logs (rollover, tarball)
Installing TDS
The partner download comes with a zip for IDS in which licence.txt is password protected. The password is "password". It is only relevant for business partners (i.e. they put a password on it so that customers do not unzip it, as it applies only to business partners, not to customers).
TDS SSL configuration
- Create my SSL kdb for LDAP
- Set up the Java environment before running gsk7cmd! (Look in the WAS bin directory for setupcmdenv.cmd.)
set gsk=secret
set o=i78.com
set site=i78_
set env=LAB_
@echo Clean up any old files . .
@del \keystore\%site%%env%eLDAP.*
@echo create my keystore
@c:\progra~1\ibm\gsk7\bin\gsk7cmd -keydb -create -db C:\keystore\%site%%env%eLDAP.kdb -pw %gsk% -type cms -stash
@echo Create my self-signed certificate
rem 1024-bit key as used in these notes; current guidance is 2048 bits or larger
@c:\progra~1\ibm\gsk7\bin\gsk7cmd -cert -create -db C:\keystore\%site%%env%eLDAP.kdb -pw %gsk% -size 1024 -dn "CN=LDAP,O=%o%,C=US" -label "eLDAP default key" -default_cert yes
@echo Save it as an ascii file for others to use
@c:\progra~1\ibm\gsk7\bin\gsk7cmd -cert -extract -db C:\keystore\%site%%env%eLDAP.kdb -pw %gsk% -label "eLDAP default key" -target C:\keystore\%site%%env%eLDAP_default_cert.arm -format ascii
@echo and list what I have in my keydb . .
@c:\progra~1\ibm\gsk7\bin\gsk7cmd -cert -list personal -db C:\keystore\%site%%env%eLDAP.kdb -pw %gsk% -type cms
- The ibmslapd config file needs a few changes:
ibm-slapdSecurity: SSL
ibm-slapdSslCertificate: eLDAP default key
ibm-slapdSslKeyDatabase: C:\keystore\i78_LAB_eLDAP.kdb
- OPTIONAL - (to use the default ldapkey.kdb for the client)
cd C:\Program Files\IBM\LDAP\lib
copy \keystore\i78_LAB_eLDAP.kdb ldapkey.kdb
copy \keystore\i78_LAB_eLDAP.sth ldapkey.sth
- Check to see if it is working:
C:\Program Files\IBM\LDAP\lib>ldapsearch -D cn=root -w secret -s base -b cn=connections,cn=monitor "objectclass=*"
cn=connections,cn=monitor
connection=27 : 127.0.0.1 : 2005-03-17 15:46:36 GMT : 1 : 1 : CN=ROOT : :

C:\Program Files\IBM\LDAP\lib>ldapsearch -Z -D cn=root -w secret -s base -b cn=connections,cn=monitor "objectclass=*"
cn=connections,cn=monitor
connection=28 : 127.0.0.1 : 2005-03-17 15:46:47 GMT : 1 : 1 : CN=ROOT : : SSL
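
The SSL check above can be automated. The following shell functions are an added example, not part of the original notes: they read cn=connections,cn=monitor output and report every connection whose line does not end in the SSL marker. The field layout is an assumption inferred from the two sample lines above, and the third sample connection is constructed.

```shell
#!/bin/sh
# Added example: audit cn=connections,cn=monitor output for non-SSL connections.
# Assumed field layout (inferred from the sample output on this page):
#   connection=<id> : <client IP> : <timestamp> : <n> : <n> : <bind DN> : : [SSL]

# Constructed sample input; connection 31 is invented for illustration.
SAMPLE_MONITOR='cn=connections,cn=monitor
connection=27 : 127.0.0.1 : 2005-03-17 15:46:36 GMT : 1 : 1 : CN=ROOT : :
connection=28 : 127.0.0.1 : 2005-03-17 15:46:47 GMT : 1 : 1 : CN=ROOT : : SSL
connection=31 : 192.0.2.10 : 2005-03-17 15:47:02 GMT : 1 : 1 : CN=APP,O=I78.COM : : '

# plaintext_connections: read monitor output on stdin and print one
# "<id> <client IP> <bind DN>" line per connection without the SSL marker.
plaintext_connections() {
    awk -F' : ' '
        /^connection=/ {
            line = $0
            sub(/[ \t\r]+$/, "", line)        # tolerate trailing blanks and CR
            if (line ~ /:[ \t]*SSL$/) next    # last field marks an SSL session
            id = $1
            sub(/^connection=/, "", id)
            print id, $2, $6
        }'
}

# audit_monitor: print one finding per plaintext connection and return 1 if
# any exist, so the check can fail a monitoring or deployment job.
audit_monitor() {
    findings=$(plaintext_connections)
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings" | while read -r id ip dn; do
        printf 'NOT SSL: connection %s from %s bound as %s\n' "$id" "$ip" "$dn"
    done
    return 1
}

# Live use, with placeholders for the bind credentials:
#   ldapsearch -Z -D <BindDN> -w <BindPW> -s base -b cn=connections,cn=monitor "objectclass=*" | audit_monitor
```
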