From d52a706e7730a595ed18e17c0b05c296cbd7aa95 Mon Sep 17 00:00:00 2001
From: Mark Craig <mark.craig@forgerock.com>
Date: Tue, 05 Feb 2013 08:57:24 +0000
Subject: [PATCH] CR-1253 Fix for OPENDJ-642: Mention additional global configuration options in the admin guide
---
opendj3/src/main/docbkx/admin-guide/chap-server-process.xml | 11 +++
opendj3/src/main/docbkx/admin-guide/chap-listeners.xml | 94 +++++++++++++++++++++++++++++++
opendj3/src/main/docbkx/admin-guide/chap-ldap-operations.xml | 9 +++
opendj3/src/main/docbkx/admin-guide/chap-tuning.xml | 32 ++++++++++
4 files changed, 143 insertions(+), 3 deletions(-)
diff --git a/opendj3/src/main/docbkx/admin-guide/chap-ldap-operations.xml b/opendj3/src/main/docbkx/admin-guide/chap-ldap-operations.xml
index f6848a4..a44acc4 100644
--- a/opendj3/src/main/docbkx/admin-guide/chap-ldap-operations.xml
+++ b/opendj3/src/main/docbkx/admin-guide/chap-ldap-operations.xml
@@ -1132,6 +1132,15 @@
MODIFY operation successful for DN uid=bjensen,ou=People,dc=example,dc=com</screen>
</step>
</procedure>
+
+ <para>If you need to map authorization identifiers using the
+ <literal>u:</literal> form rather than using <literal>dn:</literal>, you can
+ set the identity mapper with the global configuration setting,
+ <literal>proxied-authorization-identity-mapper</literal>. For example, if you
+ get UID values from the client, such as <literal>bjensen</literal>, you can
+ use the Exact Match Identity Mapper to match those to DNs based on an
+ attribute of the entry. Use the <command>dsconfig</command> command
+ interactively to investigate the settings you need.</para>
</section>
<section xml:id="client-cert-auth">
diff --git a/opendj3/src/main/docbkx/admin-guide/chap-listeners.xml b/opendj3/src/main/docbkx/admin-guide/chap-listeners.xml
index 7b2ccee..0e22343 100644
--- a/opendj3/src/main/docbkx/admin-guide/chap-listeners.xml
+++ b/opendj3/src/main/docbkx/admin-guide/chap-listeners.xml
@@ -641,6 +641,100 @@
</procedure>
</section>
+ <section xml:id="restrict-ldap-clients">
+ <title>Restricting LDAP Client Access</title>
+ <indexterm><primary>Access control</primary></indexterm>
+
+ <para>Using the OpenDJ directory server global configuration properties, you
+ can add global restrictions on how clients access the server. These settings
+ are per server, and so much be set independently on each server in replication
+ topology.</para>
+
+ <para>These global settings are fairly coarse-grained. For a full discussion
+ of the rich set of administrative privileges and fine-grained access control
+ instructions that OpenDJ supports, see the chapter on <link
+ xlink:href="admin-guide#chap-privileges-acis"
+ xlink:role="http://docbook.org/xlink/role/olink"><citetitle>Configuring
+ Privileges & Access Control</citetitle></link>.</para>
+
+ <variablelist>
+ <para>Consider the following global configuration settings.</para>
+
+ <varlistentry>
+ <term><literal>bind-with-dn-requires-password</literal></term>
+ <listitem>
+ <para>Whether the directory server should reject any simple bind request
+ that contains a DN but no password. Default: <literal>true</literal></para>
+ <para>To change this setting use the following command.</para>
+ <screen>$ dsconfig
+ set-global-configuration-prop
+ --port 4444
+ --hostname opendj.example.com
+ --bindDN "cn=Directory Manager"
+ --bindPassword password
+ --set bind-with-dn-requires-password:false
+ --no-prompt</screen>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><literal>max-allowed-client-connections</literal></term>
+ <listitem>
+ <para>Restricts the number of concurrent client connections to the
+ directory server. Default: 0, meaning no limit is set</para>
+ <para>To set a limit of 32768 use the following command.</para>
+ <screen>$ dsconfig
+ set-global-configuration-prop
+ --port 4444
+ --hostname opendj.example.com
+ --bindDN "cn=Directory Manager"
+ --bindPassword password
+ --set max-allowed-client-connections:32768
+ --no-prompt</screen>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><literal>reject-unauthenticated-requests</literal></term>
+ <listitem>
+ <para>Rejects any request (other than bind or StartTLS requests) received
+ from a client that has not yet been authenticated, whose last
+ authentication attempt was unsuccessful, or whose last authentication
+ attempt used anonymous authentication. Default: <literal>false</literal></para>
+ <para>To shut down anonymous binds use the following command.</para>
+ <screen>$ dsconfig
+ set-global-configuration-prop
+ --port 4444
+ --hostname opendj.example.com
+ --bindDN "cn=Directory Manager"
+ --bindPassword password
+ --set reject-unauthenticated-requests:true
+ --no-prompt</screen>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><literal>return-bind-error-messages</literal></term>
+ <listitem>
+ <para>Does not restrict access, but by default prevents OpenDJ directory
+ server from returning extra information about why a bind failed, as that
+ information could be used by an attacker. Instead, the information is
+ written to the server errors log. Default: <literal>false</literal></para>
+ <para>To have OpenDJ return additional information about why a bind failed
+ use the following command.</para>
+ <screen>$ dsconfig
+ set-global-configuration-prop
+ --port 4444
+ --hostname opendj.example.com
+ --bindDN "cn=Directory Manager"
+ --bindPassword password
+ --set return-bind-error-messages:true
+ --no-prompt</screen>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </section>
+
<section xml:id="tls-protocols-cipher-suites">
<title>TLS Protocols & Cipher Suites</title>
<indexterm>
diff --git a/opendj3/src/main/docbkx/admin-guide/chap-server-process.xml b/opendj3/src/main/docbkx/admin-guide/chap-server-process.xml
index 15f8af1..238fcd2 100644
--- a/opendj3/src/main/docbkx/admin-guide/chap-server-process.xml
+++ b/opendj3/src/main/docbkx/admin-guide/chap-server-process.xml
@@ -20,7 +20,7 @@
!
! CCPL HEADER END
!
- ! Copyright 2011 ForgeRock AS
+ ! Copyright 2011-2013 ForgeRock AS
!
-->
<chapter xml:id='chap-server-process'
@@ -85,6 +85,15 @@
<screen>C:\Users\Mark> OpenDJ\bat\windows-service.bat --enableService</screen>
</listitem>
</itemizedlist>
+
+ <para>By default OpenDJ saves a compressed version of the server
+ configuration used on successful startup. This ensures that the server
+ provides a "last known good" configuration, which can be used as a reference
+ or copied into the active configuration if the server fails to start with the
+ current active configuration. It is possible, though not usually recommended,
+ to turn this behavior off by changing the global server setting
+ <literal>save-config-on-successful-startup</literal> to
+ <literal>false</literal>.</para>
</section>
<section xml:id="stop-server">
diff --git a/opendj3/src/main/docbkx/admin-guide/chap-tuning.xml b/opendj3/src/main/docbkx/admin-guide/chap-tuning.xml
index 4b38c21..b444836 100644
--- a/opendj3/src/main/docbkx/admin-guide/chap-tuning.xml
+++ b/opendj3/src/main/docbkx/admin-guide/chap-tuning.xml
@@ -20,7 +20,7 @@
!
! CCPL HEADER END
!
- ! Copyright 2011-2012 ForgeRock AS
+ ! Copyright 2011-2013 ForgeRock AS
!
-->
<chapter xml:id='chap-tuning'
@@ -222,7 +222,21 @@
<para>All three commands show you information about the response time
distributions, and allow you to perform tests at specific levels of
throughput.</para>
-
+
+ <para>If you need additional precision when evaluating response times, use
+ the global configuration setting <literal>etime-resolution</literal> to
+ change elapsed processing time resolution from milliseconds (default) to
+ nanoseconds.</para>
+
+ <screen>$ dsconfig
+ set-global-configuration-prop
+ --port 4444
+ --hostname opendj.example.com
+ --bindDN "cn=Directory Manager"
+ --bindPassword password
+ --set etime-resolution:nanoseconds
+ --no-prompt</screen>
+
<para>For more extensive testing, try the <link
xlink:href="http://slamd.com/">SLAMD Distributed Load Generation
Engine</link>. SLAMD is built to test more than just directory, but is
@@ -451,6 +465,20 @@
--set enabled:true
--trustAll
--no-prompt</screen>
+
+ <para>You can use the global setting, <literal>entry-cache-preload</literal>,
+ to force OpenDJ to load the entry cache as part of server startup.</para>
+
+ <screen>$ dsconfig
+ set-global-configuration-prop
+ --port 4444
+ --hostname opendj.example.com
+ --bindDN "cn=Directory Manager"
+ --bindPassword password
+ --set entry-cache-preload:true
+ --no-prompt</screen>
+
+ <para>By default, OpenDJ does not pre-load the entry cache.</para>
</section>
<section xml:id="perf-logging">
--
Gitblit v1.10.0