Introduction

ADS 2.0 configuration has been completely reworked since 1.0 and 1.5 versions. While those two versions were XML based, we decided to store the new configuration in the DiT (Directory Information Tree).

It’s now available either through an LDAP browser, programatically using an LDAP API or simply by editing the LDIF files stored on the disk.

Configuration structure

ADS is more than a LDAP server. It’s also a Kerberos server, a DNS Server and a DHCP server. In other words, we have to define a configuration for many servers, some of them being backed by a Directory Service.

We can consider that the main service is the Directory Service, on top of which we have servers. Each server has a specific network configuration. We will expose the associated configuration.

Using Apache DirectoryStudio to manage the configuration

The easiest way to manage a server configuration is to use Studio for that. Defining a new server will allow you to configure it, but you can also modify an existing server’s configuration, as soon as you can connect on to this server. Let’s see how we process in both cases.

New server configuration

You can define a brand new server configuration using Studio. All you have to do is :

• to create a new Server instance
• modify it’s configuration
• save the configuration as a file (ldif)
• move this ldif file in the installed server workspace at the right place (under the configuration partition)

Creation of a new server

Click on the ‘New Server’ icon :

This will popup this window :

Select the type of server you want to configure (here, 2.0) and name your server.

Configuration overview

By double-clicking on the created server, you will see an overview of the current configuration (all the value are default values at this point) :

You can modify the server port here, and access to the advanced configurations from this screen.

LDAP/LDAPS configuration

The LDAP/LDAPS tab let you configure all the SASL and TLS configuration, plus the server limits :

We manage two kind of limits :

• The maximum time the server will take to process a request (when this time has been expired, the request will be stopped)
• The maximum number of entries we will return

Kerberos configuration

In this tab, you can setup all the parameters needed to configure your Kerberos server :

Partition configuration

This is where you add new partitions and modify them.

There are a few importants elements to configure for a partition :

• its ID, which is an external name
• its Suffix, which must be a valid DN
• the cache size used for this partition (it’s the number of page that will be kept in memory, considering that a page may contain more than one entry)

Then you also have to configure the index used by this partition. Some of them are mandatory (apacheRdn, apacheSubLevel, apachePresence, apacheOneLevel, apacheOneAlias, apacheSubAlias, apacheAlias, objectClass, entryUuid, entryCsn), you can just modify their cache, all the others are user index, you have to create them. Each index is associated with an existing AttributeType.

Replication

Not yet available

Modifying an existing server configuration

The server should accept live modification. If this is the case, you just have to connect on the server and to modify it.

DiT configuration structure

We need to define a directory tree to store the configuration.

Here is the existing structure, where we have defined one LDAP server (ldapServer1), backed by one Directory Service (DS1), and two associated transports (ldapSrv1 and ldapsSrv1) :

ou=config
 |
 +--ads-directoryServiceId=default
      |
      +--ads-changeLogId=defaultChangeLog
      |
      +--ads-journalId=defaultJournal
      |
      +--ou=interceptors
      |    |
      |    +--ads-interceptorId=aciAuthorizationInterceptor
      |    |
      |    +--ads-interceptorId=authenticationInterceptor
      |    |	|
      |    |	+--ou=authenticators
      |    |	|    |
      |    |	|    +--ads-authenticatorid=anonymousauthenticator
      |    |	|    |
      |    |	|    +--ads-authenticatorid=simpleauthenticator
      |    |	|    |
      |    |	|    +--ads-authenticatorid=strongauthenticator
      |    |	|
      |    |	+--ou=passwordPolicies
      |    |	     |
      |    |	     +--ads-pwdId=default
      |    |
      |    +--ads-interceptorId=collectiveAttributeInterceptor
      |    |
      |    +--ads-interceptorId=defaultAuthorizationInterceptor
      |    |
      |    +--ads-interceptorId=eventInterceptor
      |    |
      |    +--ads-interceptorId=exceptionInterceptor
      |    |
      |    +--ads-interceptorId=keyDerivationInterceptor
      |    |
      |    +--ads-interceptorId=normalizationInterceptor
      |    |
      |    +--ads-interceptorId=operationalAttributeInterceptor
      |    |
      |    +--ads-interceptorId=passwordHashingInterceptor
      |    |
      |    +--ads-interceptorId=referralInterceptor
      |    |
      |    +--ads-interceptorId=schemaInterceptor
      |    |
      |    +--ads-interceptorId=subentryInterceptor
      |    |
      |    +--ads-interceptorId=triggerInterceptor
      |
      +--ou=partitions
      |    |
      |    +--ads-partitionId=system
      |    |	|
      |    |	+--ou=indexes
      |    |	     |
      |    |	     +--ads-indexAttributeId=apacheRdn
      |    |	     |
      |    |	     +--ads-indexAttributeId=apacheSubLevel
      |    |	     |
      |    |	     +--ads-indexAttributeId=apachePresence
      |    |	     |
      |    |	     +--ads-indexAttributeId=apacheOneLevel
      |    |	     |
      |    |	     +--ads-indexAttributeId=apacheOneAlias
      |    |	     |
      |    |	     +--ads-indexAttributeId=apacheSubAlias
      |    |	     |
      |    |	     +--ads-indexAttributeId=apacheAlias
      |    |	     |
      |    |	     +--ads-indexAttributeId=objectClass
      |    |	     |
      |    |	     +--ads-indexAttributeId=entryUUID
      |    |	     |
      |    |	     +--ads-indexAttributeId=entryCSN
      |    |	     |
      |    |	     +--ads-indexAttributeId=ou
      |    |	     |
      |    |	     +--ads-indexAttributeId=uid
      |    |
      |    +--ads-partitionId=example
      | 	|
      | 	+--ou=indexes
      | 	     |
      | 	     +--ads-indexAttributeId=apacheRdn
      | 	     |
      | 	     +--ads-indexAttributeId=apacheSubLevel
      | 	     |
      | 	     +--ads-indexAttributeId=apachePresence
      | 	     |
      | 	     +--ads-indexAttributeId=apacheOneLevel
      | 	     |
      | 	     +--ads-indexAttributeId=apacheOneAlias
      | 	     |
      | 	     +--ads-indexAttributeId=apacheSubAlias
      | 	     |
      | 	     +--ads-indexAttributeId=apacheAlias
      | 	     |
      | 	     +--ads-indexAttributeId=objectClass
      | 	     |
      | 	     +--ads-indexAttributeId=entryUUID
      | 	     |
      | 	     +--ads-indexAttributeId=entryCSN
      | 	     |
      | 	     +--ads-indexAttributeId=ou
      | 	     |
      | 	     +--ads-indexAttributeId=uid
      | 	     |
      | 	     +--ads-indexAttributeId=dc
      | 	     |
      | 	     +--ads-indexAttributeId=krb5PrincipalName
      |
      +--ou=servers
       |
       +--ads-serverId=changePasswordServer
       |	|
       |	+--ou=transports
       |	     |
       |	     +--ads-transportId=tcp
       |	     |
       |	     +--ads-transportId=udp
       |
       +--ads-serverId=dnsServer
       |	|
       |	+--ou=transports
       |	     |
       |	     +--ads-transportId=tcp
       |	     |
       |	     +--ads-transportId=udp
       |
       +--ads-serverId=httpServer
       |	|
       |	+--ou=transports
       |	|    |
       |	|    +--ads-transportid=http
       |	|    |
       |	|    +--ads-transportid=https
       |	|
       |	+--ou=httpWebApps
       |	     |
       |	     +--ads-id=testapp
       |
       +--ads-serverId=kerberosServer
       |	|
       |	+--ou=transports
       |	     |
       |	     +--ads-transportid=tcp
       |	     |
       |	     +--ads-transportid=udp
       |
       +--ads-serverId=ldapServer
       |	|
       |	+--ou=replConsumers
       |	|
       |	+--ou=transports
       |	|    |
       |	|    +--ads-transportid=ldap
       |	|    |
       |	|    +--ads-transportid=ldaps
       |	|
       |	+--ou=extendedOpHandlers
       |	|    |
       |	|    +--ads-extendedOpId=gracefulShutdownHandler
       |	|    |
       |	|    +--ads-extendedOpId=starttlshandler
       |	|    |
       |	|    +--ads-extendedOpId=storedprochandler
       |	|
       |	+--ou=saslMechHandlers
       |	     |
       |	     +--ads-saslMechName=CRAM-MD5
       |	     |
       |	     +--ads-saslMechName=DIGEST-MD5
       |	     |
       |	     +--ads-saslMechName=GSS-SPNEGO
       |	     |
       |	     +--ads-saslMechName=GSSAPI
       |	     |
       |	     +--ads-saslMechName=NTLM
       |	     |
       |	     +--ads-saslMechName=SIMPLE
       |
       +--ads-serverId=ntpServer
        |
        +--ou=transports
             |
             +--ads-transportId=tcp
             |
             +--ads-transportId=udp

Directory Service

For every server backed by a directory, this is the place we define this service’s configuration.

The Directory Service configuration itself depends on some sub-elements, which needs their own configuration :

• changeLog
• interceptors
• journal
• partitions
• replication

see configuration schema description

Otherwise, we also have a set of simple parameters, listed in the following table :

ads-directoryService ObjectClass

We have many parameters we can configure in order to get the DirectoryService functioning. Some parameters are mandatory, other aren’t. Some may have one single value, others may not.

Here is the list of mandatory and optional parameters

Mandatory parameters

Optional parameters

Interceptors

Some interceptors can be configured (Authentication and PassowordPolicy). They will be described with a specific ObjectClass.

Otherwise, they only have an identifier, and an order number, as the interceptors are used in an ordered chain. (we may want later to allow an administrator to inject a new interceptor)

This ObjectClass contains the informations relative to a base interceptor. It will be extended by each interceptor specific interceptor.

Mandatory parameters

Authentication interceptor

ads-authenticationInterceptor

ChangeLog

Here is the configuration :

{note} The partitionSuffix, revisionsContainerName and tagsContainerName should not be exposed. They won’t be associated with a schema element. The changeLogStore is not defined right now, as we only have a InMemory changeLog system working. {note}

ChangeLog schema

AttributeTypes

Here is the list of AttributeTypes we need for the changeLog :

ObjectClass

Here is the ObjectClass we need for the changeLog :

Journal

This is the system storing every modifications in order to be able to restore the server if it crashes, or to manage replication. It is backed by a store, which needs to be configured too. Here is the configuration :

Journal schema

AttributeTypes

Here is the list of AttributeTypes we need for the journal :

ObjectClass

Here is the ObjectClass we need for the journal :

Partition

The Partition parameters are listed in the following table :

the indexedAttributes parameter itself is a composite attribute, and will be described below.

{note} The ‘property’ parameter will probably be removed. {note}

{note} The ‘optimizerEnabled’ parameter will probably be removed. {note}

Partition schema

AttributeTypes

ObjectClass

Index

The Index parameters are listed in the following table :

{note} The cacheSize is likely to be removed. {note}

Index schema

AttributeTypes

ObjectClass

We will define at least two ObjectClasses, as we may have different kind of index (JDBM, Oracle, …)

LdapServer

The LdapServer parameters are described in the following table :

Some of the parameters will not be used : extendedOperationHandlers, saslQop, saslMechanismHandlers and replicationSystem.

None of those parameters are composite, except the DirectoryService, which has already been described.

LdapServer schema

AttributeTypes

ObjectClass

Here is the list of ObjectClasses we need for the LdapServer

KerberosServer

The KerberosServer parameters are described in the following table :

KerberosServer Schema

AttributeTypes

Here is the list of AttributeTypes we need for the KerberosServer

ObjectClasses

Here is the list of ObjectClass we need for the KerberosServer

Transport Layer

The transport layer is the layer in charge of managing incoming requests and outgoing responses. All the servers are depending on this layer. It support TCP and UDP transports.

The configuration parameters are the following :

The base transport is determinated by the type of transport object we will create :TcpTransport or UdpTransport.

For instance, in the current server.xml file, we have this configuration for the LDAP server and for the Kerberos server :

  ...
  <ldapServer id="ldapServer" ...>
    <transports>
      <tcpTransport address="0.0.0.0" port="10389" nbThreads="8"

backLog="50” enableSSL="false”/> …

  ...
  <kdcServer id="kdcServer">
    <transports>
      <tcpTransport port="60088" nbThreads="4" backLog="50"/>
      <udpTransport port="60088" nbThreads="4" backLog="50"/>
    </transports>
  ...

Transport schema

To be able to store the transport in the DiT, we must define a specific set of AttributeTypes and ObjectClasses to store them. Here are those definitions.

AttributeTypes

Here is the list of AttributeTypes we need for the transport layer

ObjectClasses

Here is the list of ObjectClasses we need for the transport layer