Configuration of indexes, Accessing and modifying server configuration, Access control for configuration entries – Red Hat 8.1 User Manual


These entries and their children have many attributes used to configure different database settings, such as
the cache sizes, the paths to the index files and transaction logs, entries and attributes for monitoring
and statistics, and database indexes.

2.1.2.4. Configuration of Indexes

Configuration information for indexing is stored as entries in the Directory Server under the following
information-tree nodes:

cn=index,o=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
cn=index,cn=UserRoot,cn=ldbm database,cn=plugins,cn=config
cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config

For more information about indexes in general, see the Directory Server Administrator's Guide. For
information about the index configuration attributes, see Section 3.4.1, “Database Attributes under
cn=config, cn=ldbm database, cn=plugins, cn=config”.

2.2. Accessing and Modifying Server Configuration

This section discusses access control for configuration entries and describes the various ways in which
the server configuration can be viewed and modified. It also covers restrictions to the kinds of
modification that can be made and discusses attributes that require the server to be restarted for
changes to take effect.

2.2.1. Access Control for Configuration Entries

When the Directory Server is installed, a default set of access control instructions (ACIs) is implemented
for all entries under cn=config. The following code sample is an example of these default ACIs.

aci: (targetattr = "*")(version 3.0; acl "Configuration Administrators Group";
  allow (all)
  groupdn = "ldap:///cn=Configuration Administrators,ou=Groups,
  ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "Configuration Administrator"; allow (all)
  userdn = "ldap:///uid=admin, ou=Administrators, ou=TopologyManagement,
  o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "Local Directory Administrators Group";
  allow (all)
  groupdn = "ldap:///ou=Directory Administrators, dc=example,dc=com";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow(all)
  groupdn = "ldap:///cn=slapd-phonebook, cn=Red Hat Directory Server,
  cn=Server Group, cn=phonebook.example.com, dc=example,dc=com,
  o=NetscapeRoot";)

These default ACIs allow all LDAP operations to be carried out on all configuration attributes by the
following users:

- Members of the Configuration Administrators group.
- The user acting as the administrator, the admin account that was configured at setup. By default,
  this is the same user account which is logged into the Console.
- Members of the local Directory Administrators group.
- The SIE (Server Instance Entry) group, usually assigned using the Set Access Permissions
  process in the main Console.

For more information on access control, see the Directory Server Administrator's Guide.
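
An added example, not part of the Red Hat manual: a small Python audit that unfolds aci values as they would appear in an LDIF export of cn=config and lists every subject granted allow (all) on targetattr = "*". The sample input is constructed (the third rule and its uid=monitor DN are hypothetical), and the parser handles only the ACI shape quoted above.

```python
import re

# Constructed sample: two default ACIs from the page plus one narrower,
# made-up rule. Continuation lines are indented, as in folded LDIF.
SAMPLE_LDIF = '''dn: cn=config
aci: (targetattr = "*")(version 3.0; acl "Configuration Administrator"; allow (all)
  userdn = "ldap:///uid=admin, ou=Administrators, ou=TopologyManagement,
  o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "Local Directory Administrators Group";
  allow (all)
  groupdn = "ldap:///ou=Directory Administrators, dc=example,dc=com";)
aci: (targetattr = "nsslapd-port")(version 3.0; acl "Constructed read-only rule";
  allow (read, search)
  userdn = "ldap:///uid=monitor, dc=example,dc=com";)
'''

# Matches only the ACI shape shown on the page: targetattr, one allow, one bind rule.
ACI_RE = re.compile(
    r'\(targetattr\s*(?P<op>!?=)\s*"(?P<attrs>[^"]*)"\)\s*'
    r'\(version 3\.0;\s*acl\s+"(?P<name>[^"]*)";\s*'
    r'allow\s*\((?P<perms>[^)]*)\)\s*'
    r'(?P<kind>userdn|groupdn)\s*=\s*"(?P<subject>[^"]*)";\)')

def parse_acis(ldif):
    """Unfold LDIF and return one dict per aci value; unparsed values keep 'raw'."""
    unfolded = re.sub(r'\n ', '', ldif)   # a leading space marks a continuation
    acis = []
    for line in unfolded.splitlines():
        if not line.lower().startswith('aci:'):
            continue
        m = ACI_RE.search(line)
        if m is None:
            acis.append({'name': None, 'raw': line})  # needs manual review
            continue
        acis.append({
            'name': m['name'], 'op': m['op'], 'attrs': m['attrs'].strip(),
            'perms': {p.strip().lower() for p in m['perms'].split(',')},
            'kind': m['kind'],
            'subject': re.sub(r',\s+', ',', m['subject']),  # normalise DN spacing
        })
    return acis

def full_control(acis):
    """ACIs granting allow (all) on every attribute, i.e. who can rewrite cn=config."""
    return [a for a in acis
            if a.get('op') == '=' and a.get('attrs') == '*' and 'all' in a.get('perms', ())]

if __name__ == '__main__':
    for a in full_control(parse_acis(SAMPLE_LDIF)):
        print(f"{a['name']}: {a['kind']} {a['subject']}")
```

Each subject it reports is an account or group whose compromise gives write access to the whole server configuration, so the list is worth reviewing against who actually needs that access.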

2.2.2. Changing Configuration Attributes

Server attributes can be viewed and changed in one of three ways: through the Directory Server
Console, by performing ldapsearch and ldapmodify commands, or by manually editing the
dse.ldif file.

NOTE

Before editing the dse.ldif file, the server must be stopped; otherwise, the changes are lost.
Editing the dse.ldif file is recommended only for changes to attributes which cannot be altered
dynamically. See Section 2.2.2.3, “Configuration Changes Requiring Server Restart” for further
information.

The following sections describe how to modify entries using LDAP (both by using Directory Server
Console and by using the command line), the restrictions that apply to modifying entries, the restrictions
that apply to modifying attributes, and the configuration changes requiring restart.

Red Hat Directory Server 8.1 Configuration and Command Reference
