
Tuesday September 04, 2007
Configuring OpenDS with dsconfig -- part 2
Several weeks ago, I wrote about the dsconfig tool that can be used to help manage the OpenDS configuration. It provides a convenient way to view and edit the server configuration, and it can be very helpful in writing administrative scripts, much like the dscfg tool does in DSEE 6.
Honestly, though, I think that it's time to come clean about something: whenever I'm configuring DSEE 6, I rarely use the dscfg tool. I think the main reason for this is that I got so used to managing the server with ldapmodify over the years with the 3.x, 4.x, and 5.x versions that it's always been just as easy for me to use ldapmodify (since I know all of the configuration entry DNs and attribute names by heart) as to try to remember all of the command line arguments to make dscfg do what I want.
Until very recently, I had fallen into the same trap with the OpenDS dsconfig tool. However, last week Matt Swift updated the dsconfig tool to provide a new interactive mode that takes all the effort out of it. The interactive mode isn't suitable for use in writing scripts that automate config changes, but the non-interactive mode is still available for that. If you just want to make a configuration change to the server (or even if you just want to see what is available to be configured), then I think that you'll like the new interactive mode.
To start it up in interactive mode, simply invoke the dsconfig tool with no arguments. For example, on a UNIX-based system, you can just use:
bin/dsconfig
The tool will then prompt you for information about how to connect to the server, and then it will present you with a menu of options. You can use this interactive mode to view information about the current configuration, edit or remove existing configuration objects, or create new configuration objects (basically, all of the same things that you can do with the non-interactive mode, but without the need to remember any subcommand, argument, or property names).
As an example, here's the output from a session that I used to edit the default password policy in order to configure passwords to expire after 90 days. In the transcript below, the text after each prompt (for example 127.0.0.1, 24, 3, 18, 90 days, and f) is what I typed; everything else is output from the tool.
$ bin/dsconfig
>>>> Specify OpenDS LDAP connection parameters
Directory server hostname or IP address [localhost]: 127.0.0.1
Directory server port number [389]: 389
Administrator user bind DN [cn=directory manager]: cn=Directory Manager
Password for user 'cn=directory manager': password
>>>> OpenDS configuration console main menu
What do you want to configure?
1) Access Control Handler
2) Account Status Notification Handler
3) Alert Handler
4) Attribute Syntax
5) Backend
6) Certificate Mapper
7) Connection Handler
8) Crypto Manager
9) Debug Target
10) Entry Cache
11) Extended Operation Handler
12) Global Configuration
13) Group Implementation
14) Identity Mapper
15) JE Index
16) Key Manager
17) Log Publisher
18) Log Retention Policy
19) Log Rotation Policy
20) Matching Rule
21) Monitor Provider
22) Multimaster Domain
23) Password Generator
24) Password Policy
25) Password Storage Scheme
26) Password Validator
27) Plugin
28) Plugin Root
29) Replication Server
30) Root DN
31) Root DSE Backend
32) SASL Mechanism Handler
33) Synchronization Provider
34) Trust Manager
35) Virtual Attribute
36) VLV JE Index
37) Work Queue
q) quit
Enter choice: 24
>>>> Password Policy management menu
What would you like to do?
1) List existing Password Policies
2) Create a new Password Policy
3) View and edit an existing Password Policy
4) Delete an existing Password Policy
b) back
q) quit
Enter choice [b]: 3
>>>> Select the Password Policy from the following list:
1) Default Password Policy
2) Root Password Policy
c) cancel
q) quit
Enter choice [c]: 1
>>>> Configure the properties of the Password Policy
Property Value(s)
---------------------------------------------------------------------------
1) account-status-notification-handler-dn -
2) allow-expired-password-changes false
3) allow-multiple-password-values false
4) allow-pre-encoded-passwords false
5) allow-user-password-changes true
6) default-password-storage-scheme SSHA
7) deprecated-password-storage-scheme -
8) expire-passwords-without-warning false
9) force-change-on-add false
10) force-change-on-reset false
11) grace-login-count 0
12) idle-lockout-interval 0 s
13) last-login-time-attribute -
14) last-login-time-format -
15) lockout-duration 0 s
16) lockout-failure-count 0
17) lockout-failure-expiration-interval 0 s
18) maximum-password-age 0 s
19) maximum-password-reset-age 0 s
20) minimum-password-age 0 s
21) password-attribute userpassword
22) password-change-requires-current-password false
23) password-expiration-warning-interval 5 d
24) password-generator-dn "cn=Random Password Generator,cn=Password Generators,cn=config"
25) password-history-count 0
26) password-history-duration 0 s
27) password-validator-dn -
28) previous-last-login-time-format -
29) require-change-by-time -
30) require-secure-authentication false
31) require-secure-password-changes false
32) skip-validation-for-administrators false
33) state-update-failure-policy reactive
?) help
f) finish - apply any changes to the Password Policy
c) cancel
q) quit
Enter choice [f]: 18
>>>> Configuring the "maximum-password-age" property
Specifies the maximum length of time that a user may continue using the
same password before it must be changed.
Specifies the maximum length of time that a user may continue using the
same password before it must be changed (i.e., the password expiration
interval). The value of this attribute should be an integer followed by a
unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds will
disable password expiration. Changes to this configuration attribute will
take effect immediately.
Syntax: DURATION (s)
Do you want to modify the "maximum-password-age" property?
1) Keep the default value: 0 s
2) Change the value
?) help
q) quit
Enter choice [1]: 2
Enter a value for the "maximum-password-age" property [continue]: 90 days
Press RETURN to continue
>>>> Configure the properties of the Password Policy
Property Value(s)
---------------------------------------------------------------------------
1) account-status-notification-handler-dn -
2) allow-expired-password-changes false
3) allow-multiple-password-values false
4) allow-pre-encoded-passwords false
5) allow-user-password-changes true
6) default-password-storage-scheme SSHA
7) deprecated-password-storage-scheme -
8) expire-passwords-without-warning false
9) force-change-on-add false
10) force-change-on-reset false
11) grace-login-count 0
12) idle-lockout-interval 0 s
13) last-login-time-attribute -
14) last-login-time-format -
15) lockout-duration 0 s
16) lockout-failure-count 0
17) lockout-failure-expiration-interval 0 s
18) maximum-password-age 12 w 6 d
19) maximum-password-reset-age 0 s
20) minimum-password-age 0 s
21) password-attribute userpassword
22) password-change-requires-current-password false
23) password-expiration-warning-interval 5 d
24) password-generator-dn "cn=Random Password Generator,cn=Password Generators,cn=config"
25) password-history-count 0
26) password-history-duration 0 s
27) password-validator-dn -
28) previous-last-login-time-format -
29) require-change-by-time -
30) require-secure-authentication false
31) require-secure-password-changes false
32) skip-validation-for-administrators false
33) state-update-failure-policy reactive
?) help
f) finish - apply any changes to the Password Policy
c) cancel
q) quit
Enter choice [f]: f
The Password Policy was modified successfully
Press RETURN to continue
>>>> Password Policy management menu
What would you like to do?
1) List existing Password Policies
2) Create a new Password Policy
3) View and edit an existing Password Policy
4) Delete an existing Password Policy
b) back
q) quit
Enter choice [b]: q
$
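For scripting, the same change is made with the non-interactive mode. The script below is an added example, not part of the original post and not code shipped with OpenDS: it applies the 90-day maximum-password-age from the session above and then reads the property back to confirm it. It assumes OPENDS_HOME points at the server root, that the bind password is kept in a file rather than passed on the command line, and that the subcommand and option names (set-password-policy-prop, get-password-policy-prop, --policy-name, --set, --property, -h, -p, -D, -j, -n) match what your build's dsconfig --help lists; check them against the build you actually run, since the tool was still changing at this point. If no dsconfig binary is found it prints the command it would have run instead of executing it.

```shell
#!/bin/sh
# Added example (not from the original post or the OpenDS project): apply
# maximum-password-age non-interactively and verify it. Option and
# subcommand names are assumptions to be checked against `dsconfig --help`.

OPENDS_HOME="${OPENDS_HOME:-/opt/OpenDS}"        # assumed install location
DS_HOST="${DS_HOST:-127.0.0.1}"
DS_PORT="${DS_PORT:-389}"                        # plain LDAP, as in the session above
DS_BIND_DN="${DS_BIND_DN:-cn=Directory Manager}"
# Read the bind password from a file (-j) instead of -w, so it never shows in `ps`.
DS_PW_FILE="${DS_PW_FILE:-$HOME/.opends-pw}"

# Accept only what the property takes: an integer followed by a unit
# (s/m/h/d/w or the spelled-out names the help text lists). A value of
# 0 in any unit disables expiration entirely, which is almost never what a
# script that sets maximum-password-age intends, so it is rejected here.
valid_duration() {
  echo "$1" | grep -Eq '^[0-9]+ ?(s|m|h|d|w|seconds|minutes|hours|days|weeks)$' || return 1
  n=$(echo "$1" | sed 's/[^0-9].*$//')
  [ "$n" -gt 0 ]
}

# Run dsconfig with the connection options prepended; when there is no
# server on this machine, print the command instead so the script can still
# be reviewed. Arguments are passed through unchanged (no eval, no word
# splitting of the policy name).
run_dsconfig() {
  if [ -x "$OPENDS_HOME/bin/dsconfig" ]; then
    "$OPENDS_HOME/bin/dsconfig" -h "$DS_HOST" -p "$DS_PORT" -D "$DS_BIND_DN" \
      -j "$DS_PW_FILE" -n "$@"
  else
    printf 'dry run: dsconfig -h %s -p %s -D "%s" -j %s -n %s\n' \
      "$DS_HOST" "$DS_PORT" "$DS_BIND_DN" "$DS_PW_FILE" "$*"
  fi
}

# $1 = policy name (e.g. "Default Password Policy"), $2 = duration (e.g. 90d).
# Sets the property, then reads it back so the script fails loudly if the
# server rejected or silently normalised the value.
set_max_password_age() {
  policy="$1"
  age="$2"
  if ! valid_duration "$age"; then
    echo "refusing maximum-password-age '$age': expected a non-zero duration such as 90d" >&2
    return 2
  fi
  run_dsconfig set-password-policy-prop --policy-name "$policy" \
    --set "maximum-password-age:$age" || return 1
  run_dsconfig get-password-policy-prop --policy-name "$policy" \
    --property maximum-password-age
}

# Usage: the change made interactively in the post, as one scripted call.
if [ "${1:-}" = "--apply" ]; then
  set_max_password_age "Default Password Policy" 90d
fi
```

Two things worth keeping in mind when you turn this into a real deployment script: over port 389 the Directory Manager password crosses the network in the clear, so point it at an SSL or StartTLS listener if your build has one enabled; and because password-expiration-warning-interval is still 5 d, users will only start seeing warnings in the last five days of the 90, so adjust that property in the same run if you want earlier notice.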
As I mentioned above, this was just integrated last week, so it will be in our next build (build005, which will hopefully be available at the end of this week). If you want to try it out before then, then feel free to check out and build the server for yourself.
Posted by cn_equals_directory_manager (Sep 04 2007, 02:07:17 PM CDT)
This looks pretty cool. Neil, you seem not to like accepting defaults or you are just too fast with the keyboard (otherwise I don't understand why you needed to enter anything for hostname, port number and the administrator user bind DN). Another question: do you anticipate the dscfg tool to be internationalized at one point? If so, I assume that not just the order (the top-level menu seems to be sorted alphabetically), but the keyboard shortcuts should be customizable.
Posted by Bertold_Kolics on September 10, 2007 at 11:34 AM CDT #
I really didn't need to enter the hostname, port number, or bind DN. I could have just pressed ENTER to accept the defaults. I just typed them in this case because it was easier to show that than to indicate that I pressed ENTER without typing anything.
As for internationalization, yes we do intend to do that (although because of the effort involved, and because it's a constantly moving target with new messages added and existing messages changing all the time, we will probably only provide internationalized versions of the Sun product based on OpenDS). However, I'm honestly not sure how far that internationalization will extend. We won't internationalize subcommands or argument names for the non-interactive version. Most of the dsconfig logic is automatically generated from our configuration framework, and there are provisions for internationalizing things like descriptions, but I'm really not sure about whether component names were intended to be part of that. If you're interested in getting the answer from someone who knows more about that than I do, then users@opends.dev.java.net is probably the best place to ask.
Posted by Neil A. Wilson on September 10, 2007 at 11:49 AM CDT #