| 1 | Documentation : |
|---|
| 2 | --------------- |
|---|
| 3 | |
|---|
| 4 | Schema Modifications : |
|---|
| 5 | ---------------------- |
|---|
| 6 | |
|---|
| 7 | pykota-schema-sunds.ldif : |
|---|
| 8 | |
|---|
| 9 | This file can be used to extend the schema for |
|---|
| 10 | Sun Directory Server to add the necessary object classes |
|---|
| 11 | and attribute type for use with PyKota. |
|---|
| 12 | |
|---|
| 13 | To extend the schema: |
|---|
| 14 | |
|---|
| 15 | % ldapmodify -h ldap.domain.com -D "cn=Directory Manager" -f pykota-schema-sunds.ldif |
|---|
| 16 | |
|---|
| 17 | Sun Directory Server will replicate schema changes in a |
|---|
| 18 | multi-master replication environment. |
|---|
| 19 | |
|---|
| 20 | Database Indexes : |
|---|
| 21 | ------------------ |
|---|
| 22 | |
|---|
| 23 | pykota-sunds-indexes.ldif : |
|---|
| 24 | |
|---|
| 25 | Creating indexes while not mandatory will speed up queries |
|---|
| 26 | to the PyKota objects. This will setup the following indexes: |
|---|
| 27 | |
|---|
| 28 | pykotaUserName: presence, equality, substring |
|---|
| 29 | pykotaGroupName: presence, equality, substring |
|---|
| 30 | pykotaPrinterName: presence, equality, substring |
|---|
| 31 | pykotaBillingCode: presence, equality, substring |
|---|
| 32 | pykotaLastJobIdent: equality |
|---|
| 33 | |
|---|
| 34 | To define the indexes: |
|---|
| 35 | |
|---|
| 36 | % ldapmodify -a -h ldap.domain.com -D "cn=Directory Manager" -f pykota-sunds-indexes.ldif |
|---|
| 37 | |
|---|
| 38 | By default configuration settings are NOT replicated in a |
|---|
| 39 | replication environment so the following indexes must be |
|---|
| 40 | defined on all hosts. |
|---|
| 41 | |
|---|
| 42 | To initialize the indexes: |
|---|
| 43 | |
|---|
| 44 | % ServerRoot/slapd-serverID/db2index.pl \ |
|---|
| 45 | -D "cn=Directory Manager" -w password -n userRoot \ |
|---|
| 46 | -t pykotaUserName |
|---|
| 47 | |
|---|
| 48 | % ServerRoot/slapd-serverID/db2index.pl \ |
|---|
| 49 | -D "cn=Directory Manager" -w password -n userRoot \ |
|---|
| 50 | -t pykotaGroupName |
|---|
| 51 | |
|---|
| 52 | % ServerRoot/slapd-serverID/db2index.pl \ |
|---|
| 53 | -D "cn=Directory Manager" -w password -n userRoot \ |
|---|
| 54 | -t pykotaPrinterName |
|---|
| 55 | |
|---|
| 56 | % ServerRoot/slapd-serverID/db2index.pl \ |
|---|
| 57 | -D "cn=Directory Manager" -w password -n userRoot \ |
|---|
| 58 | -t pykotaBillingCode |
|---|
| 59 | |
|---|
| 60 | % ServerRoot/slapd-serverID/db2index.pl \ |
|---|
| 61 | -D "cn=Directory Manager" -w password -n userRoot \ |
|---|
| 62 | -t pykotaLastJobIdent |
|---|
| 63 | |
|---|
| 64 | This must be preformed on all hosts within a replication environment. |
|---|
| 65 | |
|---|
| 66 | Managing Indexes References : |
|---|
| 67 | http://docs.sun.com/source/816-6698-10/indexing.html |
|---|
| 68 | |
|---|
| 69 | Directory Information Tree (DIT) : |
|---|
| 70 | ---------------------------------- |
|---|
| 71 | |
|---|
| 72 | pykota-sample.ldif : |
|---|
| 73 | |
|---|
| 74 | This is provided with PyKota though it will need to be modified |
|---|
| 75 | in order to be incorporated into your environment. Sun Directory Server |
|---|
| 76 | will encrypt the userPassword entry so you may wish to leave it as |
|---|
| 77 | plain text when creating the pykotaadmin and pykotauser entries. |
|---|
| 78 | |
|---|
| 79 | If a Password Policy is being enforced it would be advisable exclude |
|---|
| 80 | both the pykotauser and pykotaadmin from that policy. This is especially |
|---|
| 81 | true if passwordMustChange is set to 'On' since they will fail to authenticate |
|---|
| 82 | until the password is changed. |
|---|
| 83 | |
|---|
| 84 | Sun Directory Server will replicate DIT changes in a |
|---|
| 85 | multi-master replication environment. |
|---|
| 86 | |
|---|
| 87 | Access Control Instructions (ACI) : |
|---|
| 88 | ----------------------------------- |
|---|
| 89 | |
|---|
| 90 | The provided ACI's must not be blindly added using ldapmodify or |
|---|
| 91 | ldapadd, if you do so you will clobber any existing ACI's for a |
|---|
| 92 | given object! You must first query the server for any existing |
|---|
| 93 | ACI's and capture them to a file, append the PyKota ACI's to said |
|---|
| 94 | file and then modify the object. This is especially pertinent in |
|---|
| 95 | regards to ou=People which has 5 default ACI's associated with it. |
|---|
| 96 | |
|---|
| 97 | It is stongly recommended to use the Directory Server Console to |
|---|
| 98 | add the ACI's. You have been warned, there is no warrenty, good luck. |
|---|
| 99 | |
|---|
| 100 | Managing Access Control: |
|---|
| 101 | http://docs.sun.com/source/816-6698-10/aci.html |
|---|
| 102 | |
|---|
| 103 | pykota-admin-aci : |
|---|
| 104 | |
|---|
| 105 | dn: ou=pykota,dc=example,dc=com |
|---|
| 106 | aci: (targetattr="*") (version 3.0; acl "PyKota Pykota ACI"; allow(all) userdn="ldap:///cn=pykotaadmin,ou=PyKota,dc=example,dc=com";) |
|---|
| 107 | |
|---|
| 108 | dn: ou=People,dc=example,dc=com |
|---|
| 109 | aci: (targetattr="*") (version 3.0; acl "PyKota People ACI"; allow(write) userdn="ldap:///cn=pykotaadmin,ou=PyKota,dc=example,dc=com";) |
|---|
| 110 | |
|---|
| 111 | dn: ou=groups,dc=example,dc=com |
|---|
| 112 | aci: (targetattr="*") (version 3.0; acl "PyKota Groups ACI"; allow(write) userdn="ldap:///cn=pykotaadmin,ou=PyKota,dc=example,dc=com";) |
|---|
| 113 | |
|---|
| 114 | Sun Directory Server will replicate ACI changes in a |
|---|
| 115 | multi-master replication environment. |
|---|
