DirX Directory Files
DirX Directory provides the following files:
-
dirxenv.ini - The ini file for setting DirX Directory environment variables.
-
Abbreviation filesvFiles that map constants used by dirxcp, dirxadm and dirxauddecode to internal values (OIDs)
-
dirxldap.cfg - The LDAP server configuration file.
-
dirxhttp.cfg - The HTTP server configuration file.
-
dirxcl.cfg - The Directory client configuration file.
-
LDAP server SSL key material files - Files that contain the key material that the LDAP server uses for SSL/TLS connections. These files include cert_ldapserver.pem, dirx_pkcs12.pwd and testCA.der.
-
cert8.db - The SSL/TLS certificate database. The dirxcp program uses this file to determine whether it can trust certificates sent from directory servers when a bind operation specifies the use of SSL/TLS protocol. This file also contains the user certificates sent from dirxcp directory clients when a bind operation specifies the use of certificate-based client authentication (SASL EXTERNAL).
-
key3.db - The SSL/TLS key database. The dirxcp program uses this file to access its private key when a bind operation specifies the use of certificate-based client authentication (SASL EXTERNAL).
-
IDMS configuration and key material files - The configuration file that contains the parameters for the SSL/TLS initialization when using the encrypted variant of the X.500 protocols over IDM (IDMS), and the necessary key material files.
-
snmptraps.cfg - The SNMPv2 trap configuration file.
-
dirxextauth.cfg - The configuration file that controls the forwarding of bind requests to external Authentication Services. See DirX Directory External Authentication for details.
-
dirxauddecode configuration file - The file that customizes the content of the output file when evaluating LDAP server audit log files with the dirxauddecode command.
-
dirxlogflt.cfg - The DirX Directory syslog configuration file for the use of the Linux system log daemon.
-
Logging configuration files - The Directory Service Agent and Directory client log and trace message configuration files.
-
Code signing files - Files and scripts for verifying that DirX Directory code has not been altered or corrupted. These files include signature files (*.sig) delivered for all DirX executables and dynamic libraries, code-signing verification scripts (verify.sh, verify.bat), and the public key file needed for code-signing verification (dxd_sign_pub.pem).
-
dirx.lic and dirx.lic.sig - The DirX Directory license file (dirx.lic) and and its signature file (dirx.lic.sig) for checking the validity of a DirX Directory license on a DirX Directory installation.
This chapter describes these files.
DirX Directory Environment Variable Ini File
dirxenv.ini
Purpose
The DirX Directory environment variable ini file specifies the settings for DirX Directory environment variables used by all DirX Directory processes.
Description
The location for the dirxenv.ini file is:
install_path/conf
In the ini file, comment lines begin with the hash tag character (#) in the first column and are ignored.
To set the value of an environment variable, specify the line in the following format:
-
set name=value
where name specifies the name and value the value of the environment variable.
To un-set the value of an environment variable, specify the line in the following format:
-
unset name
where name specifies the name of the environment variable.
Specify one line per environment variable. All set and un-set lines must start at the first column. The wildcard characters * and ?, and placeholders like $PATH are prohibited.
At startup time, all DirX Directory processes read this ini file. All environment variables specified in this file overwrite a previously set value.
A template file is installed when installing DirX Directory.
Sample dirxenv.ini File
# # DIR.X environment configuration file # # To set an environment variable use : set ENVVAR=xxx # To remove an environment variable use: unset ENVVAR=xxx # Do not use wildcards (*,?) or placeholders like $PATH (this is not a shell!) # All set/unset lines must begin at the first column # Lines that start with a '#' are skipped and treated as comments # ##################################################################### ################## GENERAL environment ################################################# ##################################################################### # All: Set max thread concurrency for one process [256] #set DIRX_MAX_THREADS=256 # All: Max used memsize by CTX in MB #set DIRX_CTX_LIMIT=1024 ...
Abbreviation Files
dirxabbr
dirxabbr-ext*
Purpose
Map object identifiers (internal identifiers) of directory attributes to attribute names and abbreviations.You can then use these names and abbreviations to specify the objects in the dirxcp and dirxadm commands. dirxauddecode uses the abbreviation files to replace objectidentifiers with user friendly abbreviations or names.
Description
The DirX Directory abbreviation file dirxabbr:
-
Specifies whether the syntax abbreviation will be appended to an attribute type´s OID or abbreviation. (See section Syntax Abbreviations in DirX Directory Syntaxes and Attributes for a list of attribute syntax abbreviations.) The default behavior is that the attribute syntax abbreviation (for example T61) is appended to the attribute type if it does not match the default syntax (for example CN_T61). To suppress this behavior the dirxabbr configuration file must contain the keyword NO_STX_SUFFIX at the beginning. (See also section Overriding Default Attribute Syntax in _DirX Directory Syntaxes and Attributes.)
The DirX Directory abbreviation files dirxabbr and dirxabbr-ext*:
-
List the abbreviations and OIDs valid for the DirX Directory schema attributes.
-
Map between abbreviations, full names, and OIDs for simple and structured schema attributes.
-
Map simple and structured attributes to their default attribute syntaxes.
This reference page describes the format of the abbreviation files dirxabbr and dirxabbr-ext* files. These files consist of:
-
OID Definition Block
-
Attribute Definition Block
-
Structured Class Definition Blocks
An empty OID or Attribute Definition Block must be indicated by curly brackets (\{}).
Lines starting with the character # are comment lines and therefore ignored.
The abbreviation file dirxabbr is installed together with the DirX Directory product. It contains the data of the DirX Directory default DSA schema. Project-specific enhancements can also be defined in the dirxabbr file, but we recommend creating project-specific abbreviation file(s) to avoid having to re-insert your project-specific enhancements into the dirxabbr file after a new installation (for example, when upgrading to a newer DirX Directory product version. The syntax for the filename of a project-specific dirxabbr file is:
-
dirxabbr-extproject_identification
for example, dirxabbr-ext-meta, dirxabbr-ext-security (where meta and security indicate different projects).
When DirX Directory clients like dirxcp or dirxadm are started, they first read the dirxabbr file and then all files with a filename starting with the string dirxabbr-ext. Files with the filename dirxabbr followed by an extension (.*extension) - for example, *dirxabbr.old - are not read.
The default location for the abbreviation files is:
-
install_path/client/conf
You can override the default location or specify a set of abbreviation files by setting the DIRX_ABBR_FILE environment variable to the full pathname of the file(s). (See chapter titled DirX Directory Environment Variables for details.) When setting this environment variable, only the specified abbreviation files are read by DirX Directory clients.
For a complete listing of the file contents of the dirxabbr file, refer to the installed file. The examples below illustrate only the format of the file sections and subsections.
OID Definition Block
The OID definition block maps between OIDs and abbreviations. It has the following syntax:
{
abbreviation full_name OID syntax LDAP_name
… … … … …
}
This block contains mappings for
-
Matching Rules and Knowledge Matching Rules
-
Object Classes and Schema Object Classes
-
Supported Application Contexts
-
Administrative Roles
-
Access Control Schemes
-
Encoded Information Types
The syntax is relevant only for matching rules when used in the extensible filter match. In the following OID definition block tables, if syntax is not relevant, a dash (-) is supplied in the Syntax column.
The LDAP_name is relevant only for object classes. In the following OID definition block tables, if LDAP name is not relevant, a dash (-) is supplied in the LDAP Name column.
Matching Rules (sorted by abbreviation)
Abbreviation |
Name |
OID |
Syntax |
LDAP Name |
APM |
Access-Point-Match |
2.5.14.0 |
DN |
- |
BM |
Boolean-Match |
2.5.13.13 |
BOOLEAN |
- |
BSM |
Bitstring-Match |
2.5.13.16 |
BIT_STR |
- |
CEM |
Case-Exact-Match |
2.5.13.5 |
DIR_STR |
- |
… |
… |
… |
… |
… |
Object Classes (sorted by abbreviation)
Abbreviation |
Name |
OID |
Syntax |
LDAP Name |
ACS |
Access-Control-Subentry |
2.5.17.1 |
- |
- |
ALI |
Alias |
2.5.6.1 |
- |
alias |
APE |
Application-Entity |
2.5.6.12 |
- |
applicationEntity |
APP |
Application-Process |
2.5.6.11 |
- |
applicationProcess |
C |
Country |
2.5.6.2 |
- |
country |
CA |
Certification-Authority |
2.5.6.16 |
- |
- |
… |
… |
… |
… |
… |
Supported Application Contexts (sorted by abbreviation)
Abbreviation |
Name |
OID |
Syntax |
LDAP Name |
DSP |
Directory-System-AC |
2.5.3.2 |
- |
- |
RSCI |
Rel-Shadow-Consumer-Initiated-AC |
2.5.3.7 |
- |
- |
RSSI |
Rel-Shadow-Supplier-Initiated-AC |
2.5.3.6 |
- |
- |
SCI |
Shadow-Consumer-Initiated-AC |
2.5.3.4 |
- |
- |
… |
… |
… |
… |
… |
Administrative Roles (sorted by abbreviation)
Abbre-viation |
Name |
OID |
Syntax |
LDAP Name |
AA |
Autonomous-Area |
2.5.23.1 |
- |
autonomousArea |
ACIA |
Access-Control-Inner-Area |
2.5.23.3 |
- |
accessControlInnerArea |
ACSA |
Access-Control-Specific-Area |
2.5.23.2 |
- |
accessControlSpecificArea |
CAIA |
Collective-Attribute-Inner-Area |
2.5.23.6 |
- |
collectiveAttributeInnerArea |
CASA |
Collective-Attribute-Specific-Area |
2.5.23.5 |
- |
collectiveAttributeSpecificArea |
PASA |
Proxy-Authorisation-Specific-Area |
1.3.12.2.1107.1.3.23.100 |
- |
ProxyAuthorisationSpecificArea |
SASA |
Subschema-Admin-Specific-Area |
2.5.23.4 |
- |
subschemaSpecificArea |
Attribute Definition Block (sorted by abbreviations)
The Attribute Definition Block contains information about the following attributes
-
Operational attributes
-
DSA operational attributes
-
Schema operational attributes
-
Access control schemes
It has the following syntax:
{
abbreviation full_name OID syntax equality_matching_rule
ordering_matching_rule LDAP_attribute_name_list
… … … … …
… …
}
where:
abbreviation
-
Is an abbreviation for the attribute type to be used in dirxadm and dirxcp commands.
Full_name
-
Is the name of the attribute type (must not contain blanks).
OID
-
Is the attribute type’s object identifier.
Syntax
-
Is the ASN.1 syntax of the attribute type. It should not be changed.
Equality_matching_rule
-
Specifies the matching rule to be used for equality matches.
Ordering_matching_rule
-
Specifies the matching rule to be used for ordering matches.
LDAP_attribute_name_list
-
A comma separated list of names that specifies names for the attribute type which may be used by LDAP clients.
Abbreviation, full_name and LDAP_attribute_name_list can be adapted to your requirements.
OID, syntax, equalitymatching_rule, and _ordering_matching_rule should not be changed.
For attributes with a syntax of OBJECT_ID, enter one of the following:
-
The correct OID
-
The OID abbreviation (from the OID mapping table)
For attributes with a syntax of ATTR_TYPE, enter either:
-
The correct attribute OID
-
The attribute abbreviation (from the attribute mapping table)
Abbre- viation |
Full Name |
OID |
Syntax |
Equality Matching Rule |
Ordering Matching Rule |
LDAP Attribute Name List |
AA |
Alternate-Address |
1.3.22.2.1.2.1.1 |
OCTET_STR |
- |
- |
- |
ACS |
Access-Control-Scheme |
2.5.24.1 |
OBJECT_ID |
OBJECT_ID |
- |
accessControlScheme |
AM |
Authentication- |
1.3.12.2.1107.1.3.4.16 |
INTEGER |
INTEGER |
INTEGER |
- |
AON |
Aliased-Object-Name |
2.5.4.1 |
DN |
DN |
- |
aliasedObjectName |
AR |
Administrative-Role |
2.5.18.5 |
OBJECT_ID |
OBJECT_ID |
- |
administrativeRole |
ARL |
Authority-Revocation-List |
2.5.4.38 |
CERT_LIST |
- |
- |
authorityRevocationList |
AT |
Attribute-Types |
2.5.21.5 |
ATTR_TYPE |
OBJECT_ID |
- |
attributeTypes |
BC |
Business-Category |
2.5.4.15 |
DIR_STR |
DIR_STR |
- |
businessCategory |
C |
Country |
2.5.4.6 |
PRINTABLE_ STR |
DIR_STR |
- |
c |
CN |
Common-Name |
2.5.4.3 |
DIR_STR |
DIR_STR |
- |
cn,commonName |
… |
… |
… |
… |
… |
… |
… |
Structured Class Definition Block for Structured Attribute Components
The following block contains information about the syntax of structured attributes. It maps between structured attribute components and their abbreviations. The syntax is
{
struct_syntax
abbreviation full_name internal_ID comp_syntax
… … … …
}
where:
struct_syntax is the syntax of the structured attribute. For each component, the following information is provided:
-
abbreviation is the abbreviation of the component.
-
full_name is the component name.
-
internal_ID is the internal abbreviation used by DirX Directory for the attribute component.
-
comp_syntax is the syntax of the attribute component.
Structured Class Definition Block for MRULE_DESCR ("MatchingRuleDescription") is
{
MRULE_DESCR
ID Identifier MRD_ID OBJECT_ID
N Name MRD_NAME DIR_STR
DSC Description MRD_DESCR DIR_STR
OBS Obsolete MRD_OBS BOOLEAN
INFO Information MRD_INFO DIR_STR
}
Structured Class Definition Block for ATTR_TYPE_DESCR ("AttributeTypeDescription") is
{
ATTR_TYPE_DESCR
ID Identifier ATD_ID ATTR_TYPE
N Name ATD_NAME DIR_STR
DSC Description ATD_DESCR DIR_STR
OBS Obsolete ATD_OBS BOOLEAN
INFO Information ATD_INFO ATTR_TYPE_INFO
}
Structured Class Definition Block for ATTR_TYPE_INFO ("AttributeTypeInformation") is
{
ATTR_TYPE_INFO
DER Derivation ATI_DERIVATION ATTR_TYPE
EM Equality-Match ATI_EQUAL_MATCH OBJECT_ID
OM Ordering_Match ATI_ORDERING_MATCH OBJECT_ID
SM Substring-Match ATI_SUBSTR_MATCH OBJECT_ID
AS Attribute-Syntax ATI_SYNTAX DIR_STR
MV Multi-Valued ATI_MULTIVALUED BOOLEAN
COL Collective ATI_COLLECTIVE BOOLEAN
UM User-Modifiable ATI_USER_MODIFIABLE BOOLEAN
APP Application ATI_APPLICATION ATTRIBUTE_USAGE
}
and so on …
Example
The following example lists the contents of the project specific abbreviation file
dirxabbr-ext.DirXIdentity. This file specifies the object classes and attribute types used by the DirX Identity meta controller metacp.
{
# =============================================================
# OID DEFINITION BLOCK (Mapping between OIDs and abbreviations)
# =============================================================
#
# Object Classes (sorted by abbreviation)
# =======================================
#
# new object classes for DirXmethub NT-Agent
DXMNTUS NTUser 1.3.12.2.1107.1.3.102.6.2.1 - dxmNTuser
DXMNTLG NTLocalGroup 1.3.12.2.1107.1.3.102.6.2.2 - dxmNTlocalgroup
DXMNTGG NTGlobalGroup 1.3.12.2.1107.1.3.102.6.2.3 - dxmNTglobalgroup
# new object classes for DirXmethub LotusNotes-Agent
DXMLNUS NotesUser 1.3.12.2.1107.1.3.102.6.1.1 - dxmLNuser
DXMLNG NotesGroup 1.3.12.2.1107.1.3.102.6.1.2 - dxmLNgroup
# new object classes for DirXmethub Exchange-Agent
DXMEXMB ExchangeMailbox 1.3.12.2.1107.1.3.102.6.3.1 - dxmEXmailbox
DXMEXRA ExchangeRemoteAddress 1.3.12.2.1107.1.3.102.6.3.2 - dxmEXremoteAddress
DXMEXG ExchangeGroupOfNames 1.3.12.2.1107.1.3.102.6.3.3 - dxmEXgroupOfNames
}
{
# ====================================================================
# ATTRIBUTE DEFINITION BLOCK (sorted by abbreviations)
# ====================================================================
# attributes for DirX Identity NT-Agent
DXMNTAD NT-AccountDisabled 1.3.12.2.1107.1.3.102.4.2.1 BOOLEAN BOOLEAN - dxmNTaccountDisabled
DXMNTAE NT-AccountExpires 1.3.12.2.1107.1.3.102.4.2.2 GENERALIZED_TIME GENERALIZED_TIME - dxmNTaccountExpires
DXMNTALO NT-AccountLockedOut 1.3.12.2.1107.1.3.102.4.2.3 BOOLEAN BOOLEAN - dxmNTaccountLockedOut
...
# attributes for DirX Identity LotusNotes-Agent
DXMLNAFDS LN-AvailableForDirSync 1.3.12.2.1107.1.3.102.4.1.1 BOOLEAN BOOLEAN - dxmLNavailableForDirSync
DXMLNAFUN LN-AltFullName 1.3.12.2.1107.1.3.102.4.1.2 DIR_STR DIR_STR - dxmLNaltFullName
DXMLNAFNL LN-AltFullNameLanguage 1.3.12.2.1107.1.3.102.4.1.3 DIR_STR DIR_STR - dxmLNaltFullNameLanguage
...
# attributes for DirX Identity Exchange-Agent
DXMEXADSC EX-AdminDescription 1.3.12.2.1107.1.3.102.4.3.1 DIR_STR DIR_STR - dxmEXadminDescription
DXMEXADN EX-AdminDisplayName 1.3.12.2.1107.1.3.102.4.3.2 DIR_STR DIR_STR - dxmEXadminDisplayName
DXMEXADSP EX-ADsPath 1.3.12.2.1107.1.3.102.4.3.3 DIR_STR DIR_STR - dxmEXADsPath
...
}
LDAP Server Configuration File
dirxldap.cfg[.subentry_name]
Purpose
The LDAP server configuration file, used by an LDAP server, defines the LDAP server’s own address and the DSAs (Directory System Agents) the LDAP server accesses.
Description
The default location for the dirxldap.cfg LDAP server configuration file is:
install_path/ldap/conf
You can override the default location by setting the DIRX_CLCFG_FILE environment variable to the full path name of the file.
In the configuration file, comment lines begin with the hash tag character (#) in the first column and are ignored.
Other than comments, the file contains two types of lines, as follows:
-
A mandatory line for the address of the LDAP server.
-
The DSA address line. If no DSA address lines are present, a “bad configuration file” error is reported.
The LDAP server address line starts with the word self (case insensitive), followed by the address of the LDAP server in valid PSAP address format.
The DSA address line consists of the name of a DSA followed by the address of the DSA in valid PSAP address format. Enclose the DSA name in quotation marks if it includes white space. Anything following and separated from the DSA address with a space is ignored. Specify one DSA address line for each DSA that the LDAP server is to contact. By default, only one DSA address line needs to be specified. If the LDAP server is to contact multiple DSAs, specify one DSA additional address line for each additional contact DSA.
If you use environment variables to override a dirxldap.cfg file entry and an error occurs (for example, if DIRX_CLCFG_FILE is set to a nonexistent path name or is incorrectly specified), DirX Directory reports the error, but makes no attempt to return to the overridden default. If errors occur, consult the exception log for a description of the error.
A primary LDAP server and one or more additional LDAP servers can be set up to run on a single machine. By default, all of these LDAP servers read their contact DSA information from the dirxldap.cfg file. To set up server-specific LDAP configuration files for individual LDAP servers, create the dirxldap.cfg file for the LDAP server and then append the filename extension .*subentry_name , where subentry_name is the common name used for the individual LDAP server’s configuration subentry; for example, *ldapConfig2. This is the same name as the one used in the process of configuring the additional LDAP server and the one that is specified in the
-n option to the dirxldapv3 command to start the additional LDAP server. So, for example, the server-specific LDAP configuration file name for an additional LDAP server named ldapConfig2 is dirxldap.cfg.ldapConfig2.
Note that the environment variable DIRX_LDAP_USE_SEPARATE_CLCFG_FILE must be set for the use of separate LDAP server-specific configuration files to take effect. If it is not set, all additional LDAP servers read their contact DSA information from dirxldap.cfg regardless of whether or not LDAP server-specific configuration files exist.
If the DIRX_CLCFG_FILE environment variable specifies a different location for the dirxldap.cfg file, all LDAP servers read the dirxldap.cfg file at the specified location instead of their LDAP server-specific files.
Sample dirxldap.cfg File
# any line starting with '#' is a comment and is ignored
# any line starting with 'self' (case insignificant) contains
# the psap of the ldap server - there must be 1 such line
# further lines contain the dsa name and address,
# the dsa name may be in quotation marks (") to allow them to
# include white space
"/CN=dsa 19" TS=S19,NA='TCP/IP_IDM!internet=123.45.67.89+port=1111',DNS='(HOST=my-server,PLAINPORT=21200)' This is some more text which will be ignored
"/CN=dsa 20" TS=S20,NA='TCP/IP_IDM!internet=123.45.67.88+port=1112',DNS='(HOST=my-server2,PLAINPORT=21201)' This is an additional contact DSA
# the next line is the psap of the ldap server itself - can be first,
# last or anywhere
Self TS=LDAP,NA='TCP/IP_IDM!internet=123.45.67.89+port=1111',DNS='(HOST=my-server,PLAINPORT=2222)'
HTTP Server Configuration File
dirxhttp.cfg
Purpose
The HTTP Server configuration file, used by dirxhttp, defines all the parameters used by the HTTP Server, like log levels, SSL configuration, the IP and port of the LDAP Server, and so on.
Description
The default location for the dirxhttp.cfg client directory configuration file is:
install_path/http/conf
Details of the format of the configuration files and the available options are available in the online documentation at https://<server_ip>:8443/dxd/ldap/v1/doc/dirxhttpcfg.html or open the local HTML file from install_path/http/doc/dirxhttpcfg.html.
Directory Client Configuration File
dirxcl.cfg
Purpose
The directory client configuration file, used by dirxcp, defines the DUA’s (Directory User Agent) own address and optionally the DSAs (Directory System Agents) and LDAP servers the DUA usually accesses.
Description
The default location for the dirxcl.cfg client directory configuration file is:
install_path/client/conf
You can override the default location by setting the DIRX_CLCFG_FILE environment variable to the full path name of the file.
In the configuration file, comment lines begin with the hash tag character (#) in the first column and are ignored.
Other than comments, the file contains three types of lines, as follows:
-
A mandatory line for the address of the DUA.
-
Optional DSA address lines.
-
Optional LDAP server address lines.
The DUA address line starts with the word self (case insensitive), followed by the address of the DUA in valid PSAP address format.
A DSA address line consists of the name of a DSA followed by the address of the DSA in valid PSAP address format and the optional keyword DAP (as the protocol specification). The first DSA address line identifies the default DSA. Enclose the DSA name in quotation marks if it includes white space.
An LDAP server address line is specified in the following format:
name address protocol
where:
name
* is the symbolic name of the LDAP server. This name is the name to be specified in the obj bind command in the -server option. (See obj bind operation for details.)
address
-
is the real address of the LDAP server in one of the following formats:
-
host[:_port_]
-
host1[:_port1_],host2[:_port2_][,…]
-
where host or hostn is either an IP address or a DNS (domain name server) name and port or portn is a port number (<32767). 389 is used as the default port number.
If more than one real address is specified, an attempt is made to establish a connection using real addresses from left to right.
protocol
-
is the protocol to be used for the LDAP bind. Supply one of the following keywords (case-insensitive):
-
LDAPv2—LDAP version 2
-
LDAPv3—LDAP version 3
The protocol specification can be overridden by -protocol option in the obj bind command. (See obj bind operation for details.)
-
The first LDAP server address line identifies the default LDAP server.
Anything following and separated from the protocol specification in a DSA address line or an LDAP server address line with a space is ignored.
If the DUA accesses a DSA or LDAP server that is not specified in this file the server address must be specified in the obj bind command in the -psap option for a DSA or in the -address option for an LDAP server. (See obj bind operation for details.)
If LDAPv2 or LDAPv3 is specified in the -protocol option of an obj bind operation and no LDAP server address line is specified in the client configuration file dirxcl.cfg a bind to the local LDAP server listening to the default LDAP port 389 is established. (See obj bind operation for details.)
If you use environment variables to override a dirxcl.cfg file entry and an error occurs (for example, if DIRX_CLCFG_FILE is set to a nonexistent or incorrectly specified), DirX Directory reports the error, but makes no attempt to return to the overridden default. If errors occur, consult the exception log for a description of the error.
Sample dirxcl.cfg File
# any line starting with '#' is a comment and is ignored
# any line starting with 'self' (case insignificant) contains
# the psap of the dua - there must be 1 such line
# further lines contain dsa names and addresses, the first is
# the default
# dsa names may be in quotation marks (") to allow them to
# include white space
"/CN=dsa 19" TS=S19,NA='TCP/IP_IDM!internet=123.45.67.89+port=1111',DNS='(HOST=my-server,PLAINPORT=21200)' DAP this is some more text which will be ignored
"/CN=dsa 20" TS=S20,NA='TCP/IP!internet=123.45.67.89+port=1111',DNS='(HOST=my-server,PLAINPORT=21200,SSLPORT=21201)'
"/CN=dsa 21" TS=Server21,NA='TCP/IP!internet=139.23.81.32+port=102'
# the next line is the psap of the dua itself - can be first,
# last or anywhere
Self TS=Client1,NA='TCP/IP_IDM!internet=123.45.67.89+port=2555',DNS='(HOST=my-host,PLAINPORT=2555,SSLPORT=2666)'
# LDAPv3 Server
hawk hawk.virt.de.com LDAPv3
# LDAPv2 Server
eagle eagle.virt.de.com,hawk@virt.de.com LDAPv2
LDAP Server Key Material
cert_ldapserver.pem (.der)
testCA.der
dirx_pkcs12.pwd
Purpose
The key material files that are installed by default are intended for testing the SSL and SASL bind functionality of the DirX Directory LDAP server.The content of the files should be loaded into the respective attributes of the LDAP SSL configuration subentry.
Description
The default location for the LDAP server key material is:
install_path/ldap/conf
The LDAP server’s full key material is contained in the PEM file named cert_ldapserver.pem.The content of this file can be loaded into the octet string attribute LDAP Own Keymaterial PEM of the LDAP SSL configuration subentry.
The file cert_ldapserver.der contains the LDAP server’s public key certificate in binary format.This file is intended to support the import of the LDAP server’s certificate into other key stores.
The file testCA.der contains the binary CA certificate of the CA that issued all the DirX Directory key material.It must be loaded into the LDAP Trusted CA Certs of the LDAP SSL configuration subentry.Testing SASL binds with the test user contained in the client certificate and key database files requires this step.
The file dirx_pkcs12.pwd contains the passphrase that protects the private key contained in the file cert_ldapserver.pem.
SSL/TLS Certificate Database
cert8.db
Purpose
The SSL/TLS certificate database, used by dirxcp, defines the server and certificate authority (CA) certificates that the LDAP client (dirxcp) is to trust when authenticating a server during a bind operation with SSL/TLS enabled.
Description
The default location for the cert8.db certificate database is:
install_path/client/conf
You can override the default location and file name by setting the DIRX_TRUSTED_CA environment variable to the full pathname of the file.
When an LDAP client connects to an LDAP server over SSL/TLS, the LDAP server authenticates itself by sending its certificate to the LDAP client. The LDAP client needs to determine whether or not the certificate authority (CA) that issued the certificate is trusted.
The LDAP client (dirxcp) uses the Mozilla SDK to implement SSL/TLS support. The security protocols and versions supported by the SDK are SSL V2 and SSL V3. The directory server supports SSL V3 and TLS V1. Consequently, if dirxcp connects to an LDAPv3 server, the two programs will agree on SSL V3 during the negotiation of the security protocol to use.
The Mozilla SDK API requires a certificate database to hold the CA certificate. The prerequisites for connecting over SSL are as follows:
-
The LDAP client has access to a Mozilla certificate database. This database must be the cert8.db database file. Note that previous and later versions of these applications use different file formats for the certificate database. Attempting to use a different version of the certificate database will result in certificate database errors. The LDAP API function called by dirxcp uses this certificate database to determine if it can trust the certificate sent from the server.
-
The certificate database that you are using can contain:
-
The certificate of the certificate authority (CA) that issued the LDAP server’s certificate
-
The certificates of all of the CAs in the hierarchy, if the certificate authorities (CAs) are organized in a hierarchy
-
The certificate of the LDAP server
-
User certificates
-
-
The CA certificate is marked as "trusted" in the certificate database.
When dirxcp sends an initial request to the secure LDAP server, the LDAP server sends its certificate back to dirxcp. dirxcp then determines which CA issued the LDAP server’s certificate and searches the certificate database (cert8.db) for the certificate of that CA.
If dirxcp cannot find a trusted certificate of the server or the issuer, it refuses to connect to the server. It also refuses to connect if the LDAP server’s certificate has expired or if the certificate extension restricts the usage to client usage only. The latter case applies if the LDAP server sends a browser certificate instead a server certificate.
The DirX Directory installation contains an example cert8.db file containing the CA certificate of the "Test CA" that issued all test key material. It includes also the user certificate for cn=mayer,ou=sales,o=my-company for the purpose of testing SASL binds.
Certificate Administration
dirxcp clients use the Mozilla LDAP SDK to implement the LDAP stub and the SSL Security support. To manipulate the certificate databases read by dirxcp, you need to use the utility program certutil provided as part of the SDK.
You may download the sources and binaries from the Mozilla Ftp Server
For a complete documentation on the certutil command line tool see
Key Database Used for Client Authentication
key3.db
Purpose
The key database, used by dirxcp when a SASL bind operation with the EXTERNAL mechanism is performed, contains the data required to access the private key that corresponds to the client certificate.
Description
The default location for the key3.db key database is:
install_path/client/conf
You can override the default location and file name by setting the DIRX_KEY3DB_FILE environment variable to the full pathname of the file.
When an LDAP client (in this case, dirxcp) binds to an LDAP server (in this case, the DirX Directory server) using the ldap_sasl mechanism (see the obj bind description for details), dirxcp accesses:
-
the cert8.db certificate database in order to retrieve the client’s user certificate
-
the key3.db key database in order to retrieve the client’s private key.
Use the Mozilla command line tool certutil to add Client PSEs to the cert8.db database and to the key3.db key database files.
The DirX Directory installation contains an example key3.db file containing a private key for testing purposes for the user with the nickname "mayer".It is protected with the passphrase dirxdirx.See the description of the -sasl option of the dirxcp operation obj bind.
The DirX Directory installation contains an example cert8.db file containing the CA certificate of the "Test CA" that issued all test key material.It includes also the user certificate for cn=mayer,ou=sales,o=my-company for the purpose of testing SASL binds.
IDMS Configuration and Key Material Files
idmssl.cfg
own_keymaterial.pem, password_file.pwd, trustedCA.pem
Purpose
The encrypted IDM (IDMS) configuration file idmssl.cfg specifies the parameters for the SSL initialization that is needed to perform the X.500 protocols over IDMS, the encrypted variant of IDM.The *.pem and .pwd files contain the necessary key material.
Description
Each DirX Directory process that uses IDMS has its own configuration file (idmssl.cfg) located in the respective conf folder:
-
For the DSA (dirxdsa process), the file is located in install_path*/server/conf/idmssl.cfg*
-
For the LDAP server (dirxldapv3 process), the file is located in install_path*/ldap/conf/idmssl.cfg*
-
For the DUA client dirxcp, the file is located in install_path*/client/conf/idmssl.cfg*
If IDMS is enabled, the processes read the file at startup. To enable IDMS, the DirX Directory process’s own PSAP address must contain a DNS component with an SSLPORT subcomponent value greater than 0. The environment variable DIRX_OWN_PSAP specifies the own PSAP address for the DSA process, whereas the LDAP server and the DUA client (dirxcp) get their own PSAP addresses from the SELF entry in the dirxldap.cfg or dirxcl.cfg configuration files.
The settings are used for the lifetime of the process; that is, a restart is required for changes to the configuration file to take effect.
The idmssl.cfg file contains the pathnames of the key material files used by the SSL/TLS library and configuration options for the security protocol, ciphers, wait time and logging level.
In the configuration file, comment lines begin with the hash tag character (#) in the first column and are ignored. The format of all other lines is:
-
keyword value
The following parameters (keyword) must be specified:
idm_ssl_own_pse_file
-
Specifies the fully-qualified name of the running process’s own PEM file.
This PEM file must contain the following Items:
-
The private key and the public key certificate representing the PSE (Personal Security Environment) of the running process.
-
The issuers’ Certificate Authority (CA) certificates (chain of CA certificates of all intermediate CAs and the root CA).
The file must be accessible and readable for the started DirX Directory process.
DirX Directory installs an example file IDMPSE.pem under install_path*/conf*. This file contains the demo PSE for /O=My-Company/OU=DirX-Example/OU=DirX8.2B/CN=dirxIDM issued by the testCA /O=My-Company/OU=DirX-Example/CN=test-CA.
-
idm_ssl_pwd_file
-
Specifies the fully-qualified name of the file that contains the password for accessing the private key contained in the own PEM file. (See idm_ssl_own_pse_file above for details.)
The password must be the only content of this file. When creating the file, the password must be specified in plain ASCII format. When IDMS reads the password for the first time, it encrypts it and reuses the encrypted format in subsequent starts. (Similar to the handling of the LDAP server’s SSL password; see the description of the LDAP PKCS12 Password File attribute in DirX Directory Syntaxes and Attributes.)
The file must be accessible and readable for the started process.
DirX Directory installs the file IDMPSE.pwd under install_path*/conf*. This file contains the clear text password dirxdirx, which is suitable for accessing the private key contained in the own PEM file.
idm_ssl_trusted_ca_cert_file
-
Specifies the fully-qualified name of the PEM file of all trusted CAs.
This PEM file contains the certificates of all CAs trusted to issue valid server certificates. In client mode, the certificate sent by the server is checked against the certificates contained in this file.
The file must be accessible and readable for the started process.
DirX Directory installs an example file testCA.pem under install_path*/conf*. This file contains the CA certificate of the CA /O=My-Company/OU=DirX-Example/CN=test-CA as trusted CA.
idm_ssl_protocol_min
-
Specifies the minimum version of the security protocol to be used for outgoing and to be accepted for incoming connections. The value must be one TLSv1, TLSv11, TLSv12 or TLSv13.
idm_ssl_protocol_max
-
Specifies the maximum version of the security protocol to be used for outgoing and to be accepted for incoming connections. The value must be one TLSv1, TLSv11, TLSv12 or TLSv13.
Both sides must share at least one common protocol version to establish an SSL connection.
SSLv3 is considered to be unsafe and therefore not supported.
idm_ssl_ciphers_list
-
Specifies the list of ciphers to use for TLSv12 and below.
IDMS accepts all cipher names and shortcuts that OpenSSL supports.
To get a list of cipher names, see the OpenSSL documentation or start an OpenSSL-shell and perform a ciphers command to get a list of cipher names or cipher groups. In the following example, the list of TLSv12 ciphers are read:OpenSSL> ciphers -tls1_2
The command output is as follows:
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:AES256-GCM-SHA384:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:AES128-GCM-SHA256:PSK-AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:ECDHE-PSK-AES256-CBC-SHA384:ECDHE-PSK-AES256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:RSA-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA384:RSA-PSK-AES256-CBC-SHA:DHE-PSK-AES256-CBC-SHA:AES256-SHA:PSK-AES256-CBC-SHA384:PSK-AES256-CBC-SHA:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA:DHE-PSK-AES128-CBC-SHA:AES128-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA
The cipher names can also be meta-names like RSA, MEDIUM or HIGH as supported by OpenSSL.
idm_ssl_ciphers_suites
-
Specifies the list of ciphers to be used for TLSv13.
IDMS accepts the following five cipher suite names for the protocol TLSv13:-
TLS_AES_256_GCM_SHA384
-
TLS_CHACHA20_POLY1305_SHA256
-
TLS_AES_128_GCM_SHA256
-
TLS_AES_128_CCM_8_SHA256
-
TLS_AES_128_CCM_SHA256
The keyword DEFAULT specifies the first three cipher suites of the list above.
-
idm_ssl_io_timeout
-
Specifies the maximum time in seconds that IDMS is to wait while performing SSL_accept() to complete the initial SSL handshake. If this time period expires, the handshake is aborted and the TCP connection is disconnected.
If IDMS acts as a server (the DSA process), the initial SSL handshake requires both sides to exchange some messages (read/write) in order to establish an SSL connection. If the client does not send data within idm_ssl_io_timeout seconds, IDM will abort further data exchange and assume that the connection is broken.
While waiting for data, the corresponding IDM worker thread is blocked and does not service other requests. As a result, it is recommended not to configure this parameter in minutes or hours.
As IDMS is currently only used between DirX Directory components that can be assumed to behave in a friendly manner, a timeout may indicate serious network problems or a third-party attack.
idm_ssl_logging
-
Specifies whether or not IDM generates SSL logging. Use this option only for debugging. Specify one of the following values:
-
0—Logging is turned off.
-
1—Logging of SSL function calls (level low).
-
2—Logging of SSL function calls and select and poll events (level medium).
-
3—Logging of SSL function calls, select and poll events, and input / output data (level high).
-
-
If SSL logging is enabled, a log file is generated under install_path*/tmp*.The name of the log file is idmssl*pid**_id.txt*, where pid is the process identifier of the running process and id is either d (DSA), l (LDAP server, lower case l) or c (dirxcp).
Keep in mind that changing the logging status requires a restart of the process.A logging file grows endlessly.You can use logging, for example, to track down IDM SSL connection problems.
Although individual configuration is possible, the default IDMS configuration file that is installed with DirX Directory provides the following configuration settings for all DirX Directory processes using IDMS.All entities use the same key material:
######################################### # SSL Configuration file for IDM protocol # each line contains a token and a value ######################################### # the pathname of the file containing the own private key and certificate chain # in PEM format idm_ssl_own_pse_file C:/Program Files/DirX/Directory/conf/IdmPSE.pem # the pathname of the password file for accessing the private key idm_ssl_pwd_file C:/Program Files/DirX/Directory/conf/IdmPSE.pwd # the pathname of the PEM file that contains trusted CA certificates # the file may contain multiple CA certificates in PEM format. # In client mode, these CA certs are used to verify the certificate received # from the server. idm_ssl_trusted_ca_cert_file C:/Program Files/DirX/Directory/conf/testCA.pem # the minimum security protocol to be used - one of: TLSv1, TLSv11, TLSv12, TLSv13 idm_ssl_protocol_min TLSv1 # the maximum security protocol to be used - one of: TLSv1, TLSv11, TLSv12, TLSv13 idm_ssl_protocol_max TLSv13 # the ciphers to use for TLSv12 and below (names must be compatible with OpenSSL naming schema) idm_ssl_ciphers_list HIGH # the ciphers to use for TLSv13 (names must be compatible with OpenSSL naming schema) idm_ssl_ciphers_suites DEFAULT # max wait time in seconds in SSL I/O idm_ssl_io_timeout 10 # SSL log level (0=off,1=low) # 0 = off # 1 = low (SSL function calls) # 2 = medium ( == low + select/poll eventing ) # 3 = high ( == medium + I/O data ) idm_ssl_logging 0 #########################################
SNMPv2 Trap Configuration File
snmptraps.cfg
Purpose
The SNMPv2 trap configuration file, used by DirX Directory server processes (dirxdsa, dirxdsas, dirxldapv3), controls sending SNMPv2 traps if enabled (environment variable DIRX_SNMP=1).
Description
The default location for the snmptraps.cfg configuration file is:
install_path/conf
You can override the default location and file name by setting the DIRX_SNMPTRAPS_CFG environment variable to the full pathname of the file. If this file does not exist, sending SNMPv2 traps is disabled.
DirX Directory installs a template for the configuration file at its default location. An update installation installs the file snmptraps.cfg.new. The installed file provides a complete list of traps that DirX Directory is able to send. You can turn each trap on or off by commenting or un-commenting its line. It is recommended not to delete lines without proper knowledge of their function.
Configure the following main sections by editing the configuration file as follows:
-
The receiver addresses to which DirX Directory will send the SNMPv2 traps, indicated by the keyword trapreceiver.
-
The trap itself, indicated by the keyword trap.
-
The optional control parameter(s) for a trap, indicated by the keyword trapparam. Note that not all traps can be adjusted with parameters.
File Format
The SNMPv2-trap configuration file consists of the following sections:
-
Trap receiver section
-
Trap list section
-
Trap parameter section
-
Trap logging section
Each section is described below.
Trap Receiver Section
The trap receiver section specifies the processes that receive the SNMP-traps sent. DirX Directory sends traps to all trap receivers specified. It consists of one or more lines. Each line specifies one trap receiver in the following form:
-
trapreceiver host port community IP_stack
where:
host
-
Specifies the DNS name or the IP address of the host where the trap receiver is running.
When using a DNS name, ensure that the specified name can be resolved by the name service (DNS) on the sending host. You can use the dirxhostinfo command to check this.
port
-
Specifies the trap receiver port. Usually this is port 162.
community
-
Specifies the SNMP access identifier. Usually this is the keyword public or private. The trap receiver administers this parameter. It is used to authenticate the trap sender.
IP_stack
-
Specifies the IP protocol version used for sending the UDP packets. Specify one of the following values:
-
4—IPv4 stack
-
6—IPv6 stack
You must ensure that the trap receiver is able to handle the selected protocol.
-
Trap List Section
The trap list section specifies the available SNMPv2 traps that the DirX Directory server processes send. Each line specifies one specific SNMPv2 trap in the form:
-
trap trap_name max_repeat_count max_reapeat_time
where:
trap_name
-
Is the case-sensitive symbolic name for the trap. The trap list section of the installed configuration file already contains a complete list of all traps that DirX Directory servers are able to send.
You cannot extend this list because new traps require new implementation. It is prohibited to introduce trap names other than those that are listed, because this will result in problems.
The trap names are defined in the MIB file DIRX-MIB.txt. DirX Directory provides this file containing all necessary MIB definitions. The MIB definitions in this file associate the symbolic trap names with fixed OIDs. This file is very helpful for the trap receiver process to provide better readable output. To understand what a trap indicates, read the description of the trap in the DIRX-MIB.txt file.
max_repeat_count
-
Is an integer value specifying the maximum number of times DirX Directory sends the trap within a certain time period. (See max_repeat_time for details.) DirX Directory stops sending the trap if this limit is exceeded. A value of 0 means an unlimited number.
max_repeat_time
-
Is an integer value specifying how many seconds DirX Directory sends this trap. If the time is elapsed max_repeat_count is reset. A value of 0 means unlimited.
By setting max_repeat_count and max_repeat_time it is possible to configure that DirX Directory only sends a limited number of a specific trap within a specified time-period (number of seconds). This is useful if the administrator notices a trap flooding because of critical situations.
A special trap is the time watcher trap dirxOpTimeWatch:
When enabling this trap, a special thread in the LDAP server and the DSA, the time watcher thread, checks periodically whether an LDAP or DSA operation exceeds a specific time limit. If the operation exceeds the time limit this thread sends the dirxOpTimeWatch trap. The administrator can specify the time limit for the operation and the frequency of checking in specific parameters for this trap. (See the special_trap_token parameter in Trap Parameter Section for details.)
The time watcher trap is very helpful in detecting long lasting or even hanging operations that possibly never return due to some error condition in the server. Additionally it is very useful to get information about long lasting operations that might lead to resource shortage situations long before the shortage really appears.
The following special trap specifications include:
trap all 0 0
-
Specifies that DirX Directory is to send all traps in the trap list without any limit concerning the number of traps sent and for an unlimited time-period.
trap none 0 0
-
Specifies that DirX Directory is to send no traps.
trap dirxCtxLimitExceeded 10 3600
-
Specifies that DirX Directory is to send the CTX-Limit-Exceeded trap at most 10 times per hour.
trap dirxCtxLimitExceeded 10 0
-
Specifies that DirX Directory is to send the CTX-Limit-Exceeded trap at most 10 times and then never again.
Example
In the following example, the LDAP server sends a trap indicating that the thread pool is exhausted up to ten times per hour:
trap dirxThreadPoolExhausted 10 3600
If the LDAP server is running into permanent shortage of pooled threads, you will receive 10 traps within a very short time period. After receiving the 10th trap, you will not receive any more traps for an hour, after which you will begin to receive them again. In this situation, the you can consider increasing the thread pool.
Trap Parameter Section
The trap parameter section specifies a parameter for a specific trap. Each line specifies one parameter, in the form:
-
trapparam trap_name parameter
or
-
trapparam special_trap_token parameter
where:
trap_name
-
Is the case-sensitive symbolic name for the trap. This trap name must appear in the trap list section.
special_trap_token
-
Is one of the following special parameters for the time watcher trap dirxOpTimeWatch:
For the LDAP server:
-
dirxLdapOpTimeWatchDuration — Specifies the duration of an LDAP operation in seconds after which the LDAP server time watcher thread sends a dirxOpTimeWatch trap.
-
dirxLdapOpTimeWatchFreq — Specifies the time period in seconds after which the LDAP server time watcher thread checks for LDAP operations exceeding the time limit specified in the dirxLdapOpTimeWatchDuration parameter.
-
-
For the DSA:
-
dirxDsaOpTimeWatchDuration — Specifies the duration of an DSA operation in seconds after which the DSA time watcher thread sends a dirxOpTimeWatch trap.
-
dirxDsaOpTimeWatchFreq — Specifies the time period in seconds after which the DSA time watcher thread checks for DSA operations exceeding the time limit specified in the dirxDsaOpTimeWatchDuration parameter.
-
-
When enabling the time watcher trap, the you must also specify the operation duration limit and the frequency for the check. The value for the frequency must be less than the value for the operation duration. Setting any of the time watcher parameters to the value 0 disables the corresponding time watcher thread.
parameter
-
Is an integer value. The meaning of this integer value is trap specific. A value of 0 means unlimited.
Examples
-
In the following example DirX Directory sends a trap indicating that an operation has lasted longer than five seconds:
trapparam dirxMaxOpDurationExceeded 5
The dirxMaxOpDurationExceeded trap is sent after the operation has completed while the dirxOpTimeWatch trap is sent while the operation is in progress.
-
In the following example, the LDAP server time watcher thread checks every five seconds for LDAP operations running longer than ten seconds; and the DSA time watcher thread checks every ten seconds for DSA operations running longer than twenty seconds:
# Enable time watcher threads: trap dirxOpTimeWatch 0 0 # LDAP operation duration limit is 10 seconds: trapparam dirxLdapOpTimeWatchDuration 10 # frequncy of check in the LDAP server is every 5 seconds: trapparam dirxLdapOpTimeWatchFreq 5 # DSA operation duration limit is 20 seconds: trapparam dirxDsaOpTimeWatchDuration 20 # frequncy of check in the DSA is every 10 seconds: trapparam dirxDsaOpTimeWatchFreq 10
Trap Log Section
The trap log section specifies whether or not the SNMPv2 traps that the DirX Directory server processes send are logged in a local file. One line specifies logging of SNMPv2 traps in the form:
-
traplog status max_filesize
where:
status
-
Specifies whether SNMPv2 trap logging is enabled (1) or not (0).
max_filesize
-
Specifies the maximum size of the logging file in MB. Specify a value greater or equal than 1. Do not set the maximum file size to unlimited (value 0).
If the maximum file size is exceeded, the file size is re-set to 0 and logging continues with an empty file. (The old content is lost.)
If SNMPv2 trap logging is enabled, each process that sends traps creates its own log file:
install_path/tmp/snmppid.txt
where pid specifies the process ID.
dirxauddecode Configuration File
This section describes the dirxauddecode configuration file.
Purpose
The dirxauddecode configuration file, used by the dirxauddecode command, customizes the content of the output file when evaluating LDAP audit log files.
Description
The dirxauddecode configuration file is an ASCII file that may contain assignments and must contain at least one common sequence.Sequences may contain commands.(The following sections describe how to specify assignments, sequences, and commands.) The format of the file is as follows:
-
The maximum line length is 256 characters.
-
Each line must end with a new line character (CR or CRLF).
-
Blank lines and lines starting with the # or the SPACE character are ignored.
Customizing the dirxauddecode output file may be useful, for example, to generate a suitable output file for further processing by statistical tools.
DirX Directory does not provide a default file or expect a specific name or location because it is optional to customize the dirxauddecode output file.
The name of the dirxauddecode configuration file is specified in the -F option of dirxauddecode.
Specifying Assignments
Assignments specify separators for fields, records, and decimal numbers in the output file. Assignments must start with the % character at the first column of a new line. The syntax is:
-
%KEYWORD="value"
where KEYWORD is one of the following keywords:
FIELDSEPARATOR
-
Specifies the separator between two fields. The default field separator is \t (TAB).
RECORDSEPARATOR
-
Specifies the separator for records. The default record separator is \n (new line).
NUMERICDOT
-
Specifies the decimal symbol for numbers. The default is . (dot).
The value must be enclosed in double quotes (").
Specify only one assignment per keyword per file. You can specify assignments at any line of the configuration file, but you cannot specify them inside sequences.
Specifying Sequences
A sequence is a group of commands that specifies the output fields and their position in the output record. The syntax for a sequence is as follows:
-
+SEQUENCENAME
[%COMMAND 1
%COMMAND 2
…]
-SEQUENCENAME
Each sequence starts with *_SEQUENCENAME_ and ends with *-*_SEQUENCENAME_ where _SEQUENCENAME_ must be the same value. Specify the * and the - character in the first column of a new line. Specify only one sequence for a sequence name per file. Sequences can be empty. Specifying nested sequences is prohibited. (For a list of available commands, see the section Specifying Commands.)
Specify one of the following keywords for SEQUENCENAME:
COMMON
-
Specifies a common sequence that is processed first for each audit record. The common sequence is mandatory for each configuration file. Only commands of COMMON scope can be specified in a common sequence.
HEADER
-
Specifies the first sequence that is written to the output file. dirxauddecode performs the commands of the HEADER sequence only once at start time of the evaluating process. The header sequence is optional. It can specify HEADER scope-specific and COMMON scope-specific commands.
FOOTER
-
Specifies the last sequence that is written to the output file. dirxauddecode performs the commands of the FOOTER sequence only once when terminating the evaluating process. The footer sequence is optional. It can specify FOOTER scope-specific and COMMON scope-specific commands.
Operation scope-specific commands are processed only if the audit log file record represents the corresponding operation; for example, an OPSEARCH sequence is processed only for search operation audit records. Operation scope-specific sequences are optional. Like all other sequences, they may be empty. You can specify operation scope-specific and common scope-specific commands. Specify one of the following names for operation scope-specific sequences:
OPABANDON
-
Specifies commands performed for abandon operation audit records. The specified commands can be of OPABANDON or COMMON specific scope.
OPADD
-
Specifies commands performed for add operation audit records. The specified commands can be of OPADD or COMMON specific scope.
OPBIND
-
Specifies commands performed for bind operation audit records. The specified commands can be of OPBIND or COMMON specific scope.
OPCOMPARE
-
Specifies commands performed for compare operation audit records. The specified commands can be of OPCOMPARE or COMMON specific scope.
OPDELETE
-
Specifies commands performed for delete operation audit records. The specified commands can be of OPDELETE or COMMON specific scope.
OPEXTENDED
-
Specifies commands performed for LDAPv3 extended operation audit records. The specified commands can be of OPEXTENDED or COMMON specific scope.
OPMODDN
-
Specifies commands performed for moddn operation audit records. The specified commands can be of OPMODDN or COMMON specific scope.
OPMODIFY
-
Specifies commands performed for modify operation audit records. The specified commands can be of OPMODIFY or COMMON specific scope.
OPOTHER[none] * Specifies commands performed for audit records of unexpected operations that cannot be identified. The specified commands can be of OPOTHER or COMMON specific scope.
OPRPC
-
Specifies commands performed for rpc operation audit records. The specified commands can be of OPRPC or COMMON specific scope.
OPSEARCH
-
Specifies commands performed for search operation audit records. The specified commands can be of OPSEARCH or COMMON specific scope.
OPUNBIND
-
Specifies commands performed for unbind operation audit records. The specified commands can be of OPUNBIND or COMMON specific scope.
OPUNKNOWN
-
Specifies commands performed for audit records of unexpected operations that indicate client misbehaviour. The specified commands can be of OPUNKNOWN or COMMON specific scope.
When dirxauddecode evaluates an LDAP audit log file using the dirxauddecode configuration file, it performs the following process:
-
Performs the commands of the HEADER sequence and writes the HEADER output file record(s).
-
For all audit records:
-
Performs the commands of the COMMON sequence.
-
Performs the commands of the corresponding operation (OP*) sequence.
-
Writes the operation specific output file record. This is one single record.
-
-
Performs the commands of the FOOTER sequence, writes the FOOTER output file record(s), and terminates processing.
See the next section for information on how to specify commands inside a sequence.
dirxauddecode writes the operations to the output file in the same sequence as it reads it from the LDAP audit log file. That is, they are not guaranteed to be written in the same sequence as they were received by the LDAP server because the server writes an audit record after finishing the operation. For example, the LDAP server may log a long-lasting operation after a faster performed operation despite the fact that it received the long-lasting operation at an earlier date. (See also the dirxauddecode command reference page.)
Specifying Commands
A command specifies the data written to one field in the output file. The syntax for a command is as follows:
-
%COMMAND
Each command starts with + character in the first column of a new line in the configuration file. Only one command can be specified per line. Commands can only be specified inside a sequence. (See the section Specifying Sequences for details.)
Each command generates a field in the output file. After writing an output field, dirxauddecode writes the field separator specified in the FIELDSEPARATOR assignment to the output file. After it processes all commands for an audit file record, dirxauddecode writes the record separator specified in the RECORDSEPARATOR assignment to the output file. (See the section Specifying Assignments for details.)
The following table lists all available commands together with their associated scope:
| Command | Scope | DESCRIPTION |
|---|---|---|
$CREATETIME_INT |
COMMON |
Operation creation time in decimal representation; for example: The operation creation time is the time at which the LDAP server receives the operation. The LDAP server either starts processing or enters the operation on a waiting queue. Note: This numeric representation is useful if the generated list will be sorted by time later on. |
$CREATETIME |
COMMON |
Operation creation time in string representation; for example: |
$STARTTIME_INT |
COMMON |
Operation start time in decimal representation. The operation start time is that time at that the LDAP server starts processing. |
$STARTTIME |
COMMON |
Operation start time in string representation. |
$ENDTIME_INT |
COMMON |
Operation end time in decimal representation. The operation end time is that time at that the LDAP server terminates processing and sends back the operation result to the client. |
$ENDTIME |
COMMON |
Operation end time in string representation. |
$DURATION |
COMMON |
Operation duration time in seconds (microsecond resolution); for example, |
$APIDURATION |
COMMON |
Operation duration within the DIRXAPI (request to DSA and back) in seconds (microsecond resolution). |
$APISENDDURATION |
COMMON |
Operation duration within DIRXAPI ICOM-Send in seconds (microsecond resolution). |
$APIICOMWAIT |
COMMON |
Operation duration within DIRXAPI waiting for ICOM-Receive in seconds (microsecond resolution). |
$APIRECVDURATION |
COMMON |
Operation duration within DIRXAPI ICOM-Receive in seconds (microsecond resolution). |
$APIASN1DURATION |
COMMON |
Operation duration within DIRXAPI to decode the received result in seconds (microsecond resolution). |
$LDAPQUEUEDURATION |
COMMON |
Operation duration between creating and starting (queue-time) a request in seconds (microsecond resolution). |
$LDAPPREPDURATION |
COMMON |
Operation duration to prepare DAP request from LDAP request in seconds (microsecond resolution). |
$LDAPRESPDURATION |
COMMON |
Operation duration to return the result after receiving it from the DIRXAPI in seconds (microsecond resolution). |
$LDAPSENDDURATION |
COMMON |
Operation duration within TCP send() to return the result to the client in seconds (microsecond resolution). |
$IDMDURATION |
COMMON |
Operation duration within IDM transport component in seconds (microsecond resolution). |
$DSADURATION |
COMMON |
Operation duration within the DSA in seconds (microsecond resolution) |
$CONCURRENCY |
COMMON |
Number of simultaneous operations when processing starts |
$CONNID |
COMMON |
LDAP connection ID (incremented counter). |
$POOLTHREADNO |
COMMON |
Internal pool thread number. |
$POOLTHREADID |
COMMON |
System thread ID for processing the pool thread. |
$OPNAME |
COMMON |
Unique operation name; for example: |
$IP |
COMMON |
Client IP address. |
$USER |
COMMON |
LDAP bind name of the client; for example: |
$UNIQID |
COMMON |
Unique operation ID (integer). |
$OPCTXSIZE |
COMMON |
The memory size used to process operation within the LDAP server. |
$APICTXSIZE |
COMMON |
The memory size used to process operation within the DIRXAPI. |
$VERSION |
COMMON |
LDAP protocol version (2 or 3). |
$MSGID |
COMMON |
LDAP protocol message ID (from the client). (See RFC 2251 for details.) |
$RESULTCODE |
COMMON |
LDAP result code. (See RFC 2251 for details.) |
$SOCKERRNO |
COMMON |
Internal socket error code. |
$ERRORMSG |
COMMON |
LDAP protocol result error message (See RFC 2251 for details). |
$OPTYPE |
COMMON |
LDAP operation type. |
$BYTESIN |
COMMON |
Bytes received from the client (PDU size). |
$BYTESOUT |
COMMON |
Bytes returned to the client. |
$ABANDONED |
COMMON |
Whether the operation was abandoned before the LDAP server could complete it. |
$ENTIRECTXSIZE |
COMMON |
Entire memory in use by LDAP server. |
$RECORDSEPARATOR |
COMMON |
Output record separator (default: new line). |
$BINDTYPE |
OPBIND |
Authentication method used (anonym, simple, sasl). |
$BINDSECTYPE |
OPBIND |
Security level (none, ssl). |
$SHARECOUNT |
OPBIND |
DAP bind share counter (Number of users that share the same DAP bind). |
$BINDFD |
OPBIND |
Socket descriptor of LDAP connection. |
$BASEOBJECT |
OPSEARCH |
Base object for LDAP search |
$SCOPE |
OPSEARCH |
Search scope (baselevel, onelevel, subtree). |
$FILTER |
OPSEARCH |
Search filter; for example: |
$SIZELIMIT |
OPSEARCH |
Maximum number of entries to return. |
$TIMELIMIT |
OPSEARCH |
Maximum search time in seconds. |
$DEREFALIAS |
OPSEARCH |
How to handle alias objects during search. |
$TYPESONLY |
OPSEARCH |
Whether the returned result contains only the attribute types or attribute types and values. |
$CACHEDRESULT |
OPSEARCH |
Whether the returned result was resolved from the LDAP cache (no forward to DSA). |
$FOUNDENTRIES |
OPSEARCH |
Total number of entries in the result. |
$FOUNDATTRS |
OPSEARCH |
Total number of attributes in the result. |
$FOUNDVALUES |
OPSEARCH |
Total number of values in the result. |
$MODENTRY |
OPMODIFY |
DN of modified entry. |
$NUMMODIFICATIONS |
OPMODIFY |
Number of modifications in the request. |
$MODIFICATIONS |
OPMODIFY |
Modification details, in the format: modify_operation*:*attribute_type*:*value |
$ADDENTRY |
OPADD |
DN of entry to be added. |
$NUMADDITIONS |
OPADD |
Number of additions |
$ADDITIONS |
OPADD |
Addition details in the format: |
$OLDENTRY |
OPMODDN |
DN of entry to be changed. |
$NEWRDN |
OPMODDN |
Lowest RDN of new entry. |
$DELETEOLD |
OPMODDN |
Whether or not the old DN should be deleted. |
$NEWSUP |
OPMODDN |
New superior node. |
$DELENTRY |
OPDELETE |
DN of entry to be deleted. |
$CMPENTRY |
OPCOMPARE |
DN of entry to be compared. |
$CMPATTR |
OPCOMPARE |
Attribute and value to be compared. |
$ABANDONMSGID |
OPABANDON |
Message ID of operation to be abandoned. |
$EXTOPOID |
OPEXTENDED |
OID of the extended operation. |
$DIRXVERSION |
HEADER |
DirX Directory version string. |
$COLUMNNAMES |
HEADER |
Print names of COMMON sequence commands as separated fields. |
$CURRENTTIME |
HEADER |
Print current time stamp. |
$SUMMARY |
FOOTER |
Print audit summary (multi-line output). |
Sample LDAP Configuration File
In the following example, the administrator:
-
Specifies a header command sequence for the output file that results in printing:
-
The time when dirxauddecode started evaluating the LDAP audit log file (command
$CURRENTTIME) -
The DirX Directory version in use (command
$DIRXVERSION) -
The column names of common sequence commands output (command
$COLUMNNAMES)
-
-
Specifies a common command sequence for all operations that results in printing:
-
The unique operation id (command
$UNIQID) -
The operation type (command
$OPTYPE) -
The time when the LDAP server received the operation (command
$CREATETIME_INT) -
The duration of the operation (command
$DURATION) -
The operation name that the LDAP server generates (command
$OPNAME) -
The LDAP result code of the operation (command
$RESULTCODE)
-
-
Specifies a search operation specific command sequence that results in printing important input options and result options:
-
The DN of the base object (command
$BASEOBJECT)-
The scope of the obj search operation (command
$SCOPE) -
The specified filter option, if any (command
$FILTER) -
The size and the time limit (commands
$SIZELIMITand$TIMELIMIT) -
The dereference alias option (command
$DEREFALIAS) -
The types option (command
$TYPESONLY) -
Whether the LDAP server reads the result from the cache or must forward the operation to the DSA (command
$CACHEDRESULT)
See also the obj search operation to understand the printed options.
-
-
Does not print an audit summary. (Specifies no FOOTER command sequence.)
-
Uses the default separator assignments. (Specifies no assignments.)
The administrator may also specify other operation specific command sequences.
The dirxauddecode configuration file is as follows:
# # HEADER command sequence +HEADER $CURRENTTIME $DIRXVERSION $COLUMNNAMES -HEADER # COMMON command sequence +COMMON $UNIQID $OPTYPE $CREATETIME_INT $DURATION $OPNAME $RESULTCODE -COMMON # Search operation specific command sequence +OPSEARCH $BASEOBJECT $SCOPE $FILTER $SIZELIMIT $TIMELIMIT $DEREFALIAS $TYPESONLY $CACHEDRESULT -OPSEARCH ...
The header output may be as follows:
Tue Feb 21 09:31:09 2006 DirX V7.0 B00 7.6.5 2006:02:10 20:18 $UNIQID $OPTYPE $CREATETIME_INT $DURATION $OPNAME $RESULTCODE
The common output for an operation may be as follows:
10 SEARCH 1139918009.609421 0.013292 LDAP_Con0_Op9 32
A search operation specific output appended to the common output above may be as follows:
o=pqr baselevel (|(objectclass=PRES)(objectclass=ldapsubentry)) 2000 0 never 0 0
Note that the common output and the operation specific output is written to a single record in the output file that is there is no line break inside one record.
The initial output may be as follows:
syslog Configuration File
dirxlogflt.cfg
Purpose
The syslog configuration files define the levels and messages that the DirX Directory processes pass to the Linux system log daemon.
Description
Passing of messages to the Linux system log daemon is controlled by the specifications contained in the following files:
-
For the DSA (dirxdsa and dirxdsas process) install_path*/server/conf/dirxlogflt.cfg*
-
For the LDAP (dirxldapv3 process) server install_path*/ldap/conf/dirxlogflt.cfg*
-
For tools (for example dirxmodify, dirxload) install_path*/tools/conf/dirxlogflt.cfg*
-
For client (for example dirxadm, dirxcp) install_path*/client/conf/dirxlogflt.cfg*
Which messages are passed to the Linux system log daemon is specified in the following format:
-
log_syslog: message_level1|hexId1[:message_level2|hexId2 …]
where
message_level
-
Specifies the DirX Directory level of the logging messages to be passed. The following logging levels can be specified:
-
fatal - Fatal errors. This level is mapped to the syslog level LOG_ALERT.
-
error - Non fatal errors. This level is mapped to the syslog level LOG_ERR.
-
notice - Informational notices. This level is mapped to the syslog level LOG_NOTICE.
-
notice_verbose - Operation requests that the server received from the dirxadm command. This level is mapped to the syslog level LOG_INFO.
Messages of level warning and debug are never passed to the Linux system log daemon.
-
hexId
-
Specifies the hexadecimal identifier of a specific logging message. This hexadecimal identifier is generated at compile time and written to the DirX Directory logging files. 0x45046b7f for example is the identifier of the logging message 0x45046b7f NOTICE ldap_cfg mn_ldap_listener 1137 …. This identifier may change with each new version or patch of DirX Directory.
Blank lines and lines starting with the # character are ignored.
When DirX Directory is installed, default files disabling passing of messages are installed. These files may contain additional data for other purposes. It is prohibited to modify other lines than the specifications for passing logging messages.
Enabling syslog
To enable the DirX Directory syslog feature:
-
Edit the dirxlogflt.cfg files as described above.
-
Specify the DirX Directory environment variable DIRX_SYSLOG=1 (See chapter DirX Directory Environment Variables for details.)
-
Configure the Linux system log daemon (syslogd) in the file /etc/syslog.conf. (See your Linux system documentation for details.)
DirX Directory logging must be enabled and configured accordingly. (See section Logging Configuration Files for details.)
DirX Directory passes all messages to the Linux system log daemon as facility user.
When enabled other non-DirX Directory applications may log messages to the same syslog logging file as DirX Directory.
Example
In the following example, the DSA startup message with the identifier 0x45046cec, and all DSA messages of level fatal are passed to the Linux system log daemon.
The DirX Directory syslog configuration file install_path/dsa/conf/dirxlogflt.cfg contains the following lines:
# Pass the DSA startup message (0x45046cec) # and all fatal DSA errors to syslog daemon log_syslog: fatal: 0x45046cec
The Linux file /etc/syslog.conf contains the following lines:
... user.alert;user.err /data/qaee/tmp/syslog.err user.notice /data/qaee/tmp/syslog.notice user.info /data/qaee/tmp/syslog.info
The Linux syslog daemon writes messages of level
-
fatal and error to the file /data/qaee/tmp/syslog.err
-
notice to the file /data/qaee/tmp/syslog.notice
-
notice_verbose to the file /data/qaee/tmp/syslog.info
Keep in mind that the example passes just messages to the files /data/qaee/tmp/syslog.err and /data/qaee/tmp/syslog.notice.
After starting DirX Directory, you will find the following DirX Directory server message:
-
with the other server logging messages in the log file install_path*/server/log/EXC*process_id
... Mon Oct 22 12:20:21 0x45046cec DSA 8.2.109 NOTICE dir init dirxdsa.c 635-0 0x00000001 DSA initialized. ...
-
in the log file /data/qaee/tmp/syslog.notice
Oct 22 12:20:21 qasun01z2 dirxdsa[11234]: [ID 702911 user.notice] Mon Oct 22 12:20:21 2007 DSA 8.2.109 NOTICE dir init dirxdsa.c 635-0 0x00000001 DSA initialized.
You find no DirX Directory messages in the file /data/qaee/tmp/syslog.err because no fatal error occurred during DSA startup.
Logging Configuration Files
dirxlog.cfg
dirxlog.on
dirxlog.off
Purpose
Logging in DirX Directory serves two purposes:
-
To display critical information about runtime events, errors and problems.
-
To allow developers to trace the function calls and associated data executed at runtime to locate the source of a problem.
Nearly all DirX Directory components use the same type of logging; as a result, logging configuration is identical for nearly all DirX Directory components. When a process starts, it automatically reads the logging configuration, and, if configured to do so, starts logging. DirX Directory allows you to specify the kind of information to be logged and where this information is to be stored on disk. DirX Directory logging provides two sets of information that control logging:
-
Components and levels
-
Paths for output files
You can configure logging to start when a process starts and you can enable and disable logging during runtime. You can isolate logging to one or more DirX Directory components; for example, you can select the memory management component (the ctx subcomponent of the dir component) to produce logging information and leave the remaining components out of the logging process. You can also control how much information is appended during logging, so that a function might just log its calling or conversely, present highly detailed information about all of the data it transfers. All of these features allow for a very detailed tracing of what happens inside the process, nearly as detailed as a debugger. On the other hand, if detailed trace logging is turned on and a lot of data is written, it may significantly impact execution speed. Consequently, you should always select what is to be logged.
Exception logging is different from normal logging. Exception messages help the administrator to get a quick overview of errors or other relevant events that occur during process execution. We recommend that you do not turn off exception logging, because it is rarely time-critical and may provide valuable information for ensuring continuous service.
Logging configuration files define the messages to be logged and how and where the logs should be written. Two types of messages can be logged:
-
Trace Messages—messages that record useful non-error information for debugging about operation progress on the level of functions, for example, input parameters and output parameters. These messages are always written in binary format to files named LOG*processID.number that must be read by the *dirxdumplog command. Trace logging must be turned on and off explicitly. By default, this logging is turned off. Turning on this logging affects operation performance.
-
Exception Messages—messages that record errors, notices, warnings and dirxadm commands. These types of message comprise the following categories:
-
Warnings—messages that record exceptional erroneous function exits; for example, that the DSA received an incorrect encoded protocol. On Linux, these messages are written in ASCII format to files named EXC*processID.number. On Windows, these messages are written in binary format to files named *LOG*processID.number that must be read by the *dirxdumplog command.
-
Errors—messages that record errors that may result in disabling of features of the directory service; for example, the DSA detects an incorrect administered configuration file for external authentication. On Linux, these messages are written in ASCII format to files named EXC*processID.*number. On Windows, the Windows Event Service logs these messages as WARNING.
-
Fatal Errors—messages that record fatal errors. The directory service may not able to work properly; for example, because the DSA cannot allocate enough memory due to exhausted system resources. On Linux, these messages are written in ASCII format to files named EXC*processID.*number. On Windows, the Windows Event Service logs these messages as ERROR.
-
Notices—messages that record important non-error information; for example, that the DSA has initialized the database successfully during startup. On Linux, these messages are written in ASCII format to files named EXC*processID.*number. On Windows, the Windows Event Service logs these messages as INFORMATION.
-
Notices Verbose—messages that record all operation requests that the server received from the dirxadm command. These messages are written in ASCII format to files named ADM*processID.*number.
-
Description
Logging is controlled by the specifications contained in the following files:
-
For progsvr (dirxprogsvr process) logging install_path*/progsvr/conf/dirxlog.cfg*
-
For DSA (dirxdsa and dirxdsas process) logging install_path*/server/conf/dirxlog.cfg*
-
For LDAP (dirxldapv3 process) server logging install_path*/ldap/conf/dirxlog.cfg*
-
For tools (for example dirxmodify, dirxload) logging install_path*/tools/conf/dirxlog.cfg*
-
For client (for example dirxadm, dirxcp) logging install_path*/client/conf/dirxlog.cfg*
When DirX Directory is installed, the following configuration files specifying default values are installed:
-
For progsvr logging:
install_path*/progsvr/conf/dirxlog.cfg* (enables only progsvr exception logging)
install_path*/progsvr/conf/dirxlog.on* (enables default progsvr trace and exception logging)
install_path*/progsvr/conf/dirxlog.off* (disables only progsvr exception logging) -
For DSA logging:
install_path*/server/conf/dirxlog.cfg* (enables only DSA exception logging)
install_path*/server/conf/dirxlog.on* (enables default DSA trace and exception logging)
install_path*/server/conf/dirxlog.off* (disables only DSA exception logging)The log file names of the DSA process (dirxdsa) starts with the prefix DSA, the log file names of the watchdog process (dirxdsas) starts with the prefix SRV.
-
For LDAP server logging:
install_path*/ldap/conf/dirxlog.cfg* (enables only LDAP server exception logging)
install_path*/ldap/conf/dirxlog.on* (enables default LDAP server trace and
exception logging)
install_path*/ldap/conf/dirxlog.off* (disables only LDAP server exception logging) -
For tools logging:
install_path*/tools/conf/dirxlog.cfg* (enables only tools exception logging)
-
For client logging:
install_path*/client/conf/dirxlog.cfg* (enables only client exception logging)
By default, log files are written to the following directories:
-
For progsvr logging install_path*/progsvr/log*
-
For DSA logging install_path*/server/log*
-
For LDAP server logging install_path*/ldap/log*
-
For tools logging install_path*/tools/log*
-
For client logging install_path*/client/log*
Enabling Logging
When a process starts, it reads its dirxlog.cfg file and sets trace logging levels, exception logging levels and output file paths to the settings in this file. By default, the processes only log exception messages (like warnings, notices or errors) and do not perform trace logging. There are two methods you can use to enable trace logging, for example, when you want to trace a certain problem:
-
Edit the dirxlog.cfg file and set the desired levels there. This method enables trace logging from startup.
-
Edit the dirxlog.on file and then perform a dirxadm log command. This method enables trace logging only after the dirxadm log command.
We recommend using the second method (dirxlog.on and dirxadm log) if possible, because it omits unnecessary startup logs and does not require a process restart. (Remember that dirxlog.cfg is only read at process startup.)
-
Enable progsvr server logging at runtime:
Perform the dirxadm progsvr log operation. Subsequent progsvr logging will be controlled by the values specified in the configuration file install_path*/progsvr/conf/dirxlog.on*. -
Disable progsvr server logging at runtime:
Perform the dirxadm progsvr nolog operation. Subsequent progsvr server logging will be controlled by the values specified in the configuration file install_path*/progsvr/conf/dirxlog.off*. -
Enable DSA logging at runtime:
Perform the dirxadm sys log operation. Subsequent DSA logging is controlled by the log levels set in the dirxlog.on file. For example:dir:sys.0,sock.1,vthr.0,icom.1,shr.0,ctx.0,\ osi.0,rpc.1,ros.1,idb.1,idbn.1,idbm.0,idbnl.0,idbe.0,\ sec.1,daspp.2,dopi.0,disp.0,\ tjh.0,bth.0,init.0,norm.0,match.0,stx.0,sch.0,sth.0,aci.0,nms.0,\ attr.0,snmp.0,opb.1,opr.1,conf.0,asn1.0,drv.0,\ util.0,frm.0,sysadm.0,cref.0,glsch.0,idbr.0,idbl.0,hash.0,\ ldif_ut.0,load.0 dba:*.0
The dirxlog.on contains log-level specifications but does not contain any output file path information. The output file paths are the same as what was configured in the dirxlog.cfg file and thus read at process startup. -
Disable DSA logging at runtime:
Perform the dirxadm sys nolog operation. Subsequent DSA logging will be controlled by the values specified in the configuration file install_path*/server/conf/dirxlog.off*, which typically looks like this:dir:*.0 dba:*.0
This action disables all trace levels and leaves the exception levels (warnings, errors and so on) as they were at startup. The logging output paths are not changed.
-
Enable LDAP server logging at runtime:
Perform the dirxadm ldap log operation. Subsequent LDAP server logging will be controlled by the values specified in the configuration file install_path*/ldap/conf/dirxlog.on*. -
Disable LDAP server logging at runtime:
Perform the dirxadm ldap nolog operation. Subsequent LDAP server logging will be controlled by the values specified in the configuration file install_path*/ldap/conf/dirxlog.off*. -
Enable tools logging:
The DirX Directory tools – dirxload, dbamboot and so on – are controlled by the file install_path*/tools/conf/dirxlog.cfg*. As they are not server processes, their logging cannot be changed at runtime. -
Enable client logging:
The DirX Directory tools – dirxload, dbamboot and so on – are controlled by the file install_path*/client/conf/dirxlog.cfg*. As they are not server processes, their logging cannot be changed at runtime.
You can override the default file name for the startup logging configuration file by setting the DIRX_LOGCFG_FILE environment variable to the full pathname of the file. You can modify the .on and .off files to define your desired logging parameters, and you can create additional files that function in a manner similar to the .on and .off files.
Use the logging configuration .on and .off files for trace logging as follows:
-
Once server trace logging is turned on, override the default traces logged for servers.
-
Turn on client trace logging and specify the traces to be logged.
-
Turn off client and server trace logging for all or selected directory subcomponents.
File Formats
All logging configuration files consist of two sections. The first section defines trace logging, and the second defines exception logging. Each section is described below.
Section 1—Trace Logging
The first section defines the component and subcomponents for which to capture trace messages and the debug level of the traces to log. It consists of a line in the following form:
-
component:_subcomponent_.level,[…]:
process.max_num_files.max_num_entries:_file_name_
where:
component
-
Is the name of the component to log. There are the following component names:
Keyword
Meaning
dba
Data Base Access
dir
Directory
subcomponent
-
Is the name of the subcomponent to log and the debug level of the traces to capture. The valid values for subcomponent are listed in the table that follows. The description in the table includes an indication of whether the subcomponent is only valid for the client ©, the server (S), and / or the LDAP server (L).
You can use a wildcard character (*) to specify all subcomponents. In this case, however, the debug levels you specify with level are used for all subcomponents. There are the following subcomponent names for the component dir:
Value
Valid for Client ©,
Server (S) or
LDAP (L)?Meaning
aci
S
Access control
adm
C
Administration
api
C/L
Application interface
asn1
C/S/L
ASN1 encoder/decoder interface
attr
S/L
Attribute service
audit
S
Auditing
bth
C/S/L
Bind table handling
conf
S
Configuration
ctx
C/S/L
Context-specific memory interface
cref
S
Continuation references
daspp
S
DAP/DSP processor
disp
S
DISP initiator/responder
dopi
S
Operational binding protocol initiator
drv
S
Deriving-DN creation
frm
S
Formatting-DN creation
glsch
S
DSA schema handling
hash
S
Hashing
icom
C/S/L
Internal thread communication interface
idb
S
Interface to the database
idbe
S
Interface to the database (external, for further use)
idbl
S
Interface to the database (load)
idbm
S
Interface to the database in memory
idbn
S
Interface to the database (native)
idbnl
S
Interface to the database (native lower)
idbr
S
Interface to the database (rpc)
init
S
Initialization
ldap_aud
L
LDAP audit preparation
ldap_cache
L
LDAP cache operations
ldap_cfg
L
Configuration of the LDAP server
ldap_conn
L
LDAP connection handling
ldap_op
L
LDAP operation handling
ldap_req
L
LDAP request handling
ldap_ssl
L
SSL processing in the LDAP server
ldif_ut
S
LDIF utility functions
load
S
Database loading with dirxload
match
S
Matching
nms
S
Name service
norm
S
Normalization
opb
S
Operational binding
opr
S
DSA operation handling
osi
C/S/L
OSI communication
progsvr
S
progsvr service
que3
S
DirXQue3 search engine
reorg
S
Database reorganization
ros
C/S/L
Remote operation service
rpc
C/S/L
RPC interface
sch
S
Schema handling
sec
C/S/L
Security
shr
C/S/L
Shared resources interface
snmp
S
SNMP functions
sock
C/S/L
Socket interface
sth
S
Subtree handling
stx
S
Syntax handling
sys
C/S/L
System call interface
sysadm
S
DSA administration
tjh
S
Timed job handler
util
C/S/L
Utility functions
vthr
C/S/L
Virtual thread interface
There are the following subcomponent names for the component dba:
Value
Valid for Client ©,
Server (S) or
LDAP (L)?Meaning
dbam
S
Database kernel interface
dbambc
S
Internal database kernel (buffer cache) interface
dsync
S
Process synchronization interface
level
-
Specifies the debug level of the traces to log. Level is an integer or list of integers ranging from 0 through 9. You can specify debug levels:
-
As a range. For example, 1-5 indicates debug levels 1 through 5 inclusive
-
As individual levels separated by a period. For example, 1.3.4.5 indicates levels 1, 3, 4, and 5
-
As a combination of ranges and individual levels. For example 1.3-5 indicates level 1, 3, 4, 5.
-
-
The integers 0 and 9 have special meanings. 0 disables logging for the subcomponent. (Do not delete the subcomponent.) 9 causes the structures in a trace function to also be evaluated for each log level specified, that is the contents of the interface parameters defined as structures are logged also. (Note that the structure logging can create extremely large log files.) Switch on level 9 is possible for each valid value for level.
-
The contents of the other parameters are logged by the levels 1-8. 1 logs the top level functions, higher log levels determine the depth of the internal functions which are logged. For example, level 6 traces the function call xxx with parameters. If levels 6 and 9 are specified, function call xxx is traced with parameters and with the structures of those parameters.
-
You can specify multiple subcomponent*.level entries, separating each with a comma and using a backslash (\) to continue the line. Without the backslash, the *NEWLINE character terminates the line.
-
There are the following levels for the subcomponents of the dir component:
Sub-com-ponent
Valid value for level
Usage
aci
1
2
3
5
Interface functions of Access control Interface
Access control Interface top-level decisions
Access control Interface low-level decisions
Access Control Interface tuple operations
adm
1
2
4
5
6
7
8
dirxadm and dirxcp (Administration) translator functions
dirxadm internal translator functions
dirxcp internal functions for abandonLDAP client functions, such as BIND, SEARCH, CREATE etc.
LDAP functions for extracting names/attributes from a search result
LDAP functions for freeing internally used LDAP memory
OCL functions (OSS Convenience library, string parsing)
DAM functions (dir abbreviation module, that is functions for reading and writing the abbreviation file and validation of abbreviations)
api
1-2
Interface functions and internal functions of application interface
asn1
1
2-6
Interface functions of ASN1 encoder/decoder
Internal functions
attr
1
2-5
Interface functions of the Attribute Services (filter matching, finding relevant subentries, handling of DN replacements)
Internal functions (mainly for filter matching)
audit
N/A
Auditing
bth
1
2
3
4
5
6
Bind table handling functions (binding entries handling)
Operation entries handling
Subscriber handling
lock / unlock functions
resume_info handling
bind_waiter handling
conf
1
2-3
Interface functions of database configuration and audit system configuration
Internal functions
ctx
1
2
3-6
CTX-package (context specific memory) interface functions related to context creation/deletion
CTX-package interface functions related to context memory allocation/release
CTX-package internal functions
cref
1
2-7
Interface functions of Continuation references handler
Internal functions
daspp
2-7
Functions of DAP/DSP processor
disp
1-2
3
4
5
6
7-8
DISP initiator/responder
Initiator / responder schedule main functionsInitiator / Responder operation execution functions
Supplier / Consumer update main functions
Supplier / Consumer strategy pending main functions
Supplier / Consumer update processing functions
Utility functions for DISP
dopi
1
2
Interface functions of operational binding protocol initiator
Internal functions
drv
1
2-5
6
Interface functions of Deriving-DN creation
Internal functions
Attribute value which is derived
frm
1
2-5
6
Interface functions of Formatting-DN creation
Internal functions
Attribute value which is formatted
glsch
1
2-9
Interface functions of DSA schema handling
Internal functions
hash
1
2-3
Interface functions of hashing
Internal functions
icom
1
2-3
ICOM-package (internal thread communication) interface functions
ICOM-package internal functions
idb
1
2-3
IDB interface functions (all functions exported by RPC and also functions called only in the DSA process and mkdbconf and mkdb)
Internal functions
idbe
Interface to the database (external, for further use)
idbl
1
2
IDBL interface functions (load)
IDBL interface functions
idbm
1
2-5
Interface functions to the database in memory
Internal functions
idbn
1
2-5
IDBN interface functions (access to the native database)
IDBN internal functions
idbnl
1
2-3
IDBNL interface functions (native lower interface to the database, mapping to the interface functions of the real database system)
IDBNL internal functions
idbr
1
2
IDBR interface functions (rpc)
IDBR interface functions
init
1
2-5
Interface functions for initialization of DSA (read global schema, initialize database, start threads), synchronization of threads, reboot of DSA and main function of mkbootsch
Internal functions
ldap_aud
1
2
3
General Audit Information
Header / Record logging
Logging if record is not selected because of administration limits
ldap_cache
1
2
4
High level cache operations (add, search, delete, …)
Hit rate low warning, RPC registration, Out of bound messages
Key collision, Slot blocking
ldap_cfg
1
2
3
4
5
6
7-9
General information and non-fatal error messages
Tracing of configuration related DAP requests
Logging of current configuration parameters
Summary of configuration subentry names and internal tables
Logging of attributes read from configuration subentry
Tracing of configuration related DAP results
Internal functions
ldap_conn
1
2
3
4
5
6
7
Listener thread behavior
Connection to LDAP client, in particular
– establishment and release of connections
– starting operationsSockets handling details
Backend Bind management
LDAP Server configuration
General thread behavior and management
RPC thread behavior
ldap_op
1
2
4
5
9
General LDAP operation and LDAP request parameter logging
Structured logging of LDAP search responses
Detailed attribute handling
Filter details
Structured logging of incoming LDAP PDUs and responses
ldap_req
2
3
4
5
6
7
8
Attribute value handling
Attribute syntax specific functions
Additional name handling
Object identifiers
Hashed lookup lists for attribute types etc.
Character conversion
ASN1 encoded PDUs exchanged with LDAP client and attribute names resolved by dirxabbr instead of global schema
ldap_ssl
2
3
SSL provider interface functions
SSL provider utility functions
ldif_ut
1
2
3
7
8
DN and value encoding functions
Base64 conversion function
Attribute syntax specific conversion functions
Internal storage functions
Character set conversion functions
load
1
3
Interface functions to load the database with dirxload
Internal functions
match
1
2-3
Interface functions of matching
Internal functions
nms
Name service
norm
1
2-5
8
Interface functions for normalization
Internal functions
Normalization of individual printable or T61 string characters
opb
1
2-5
Interface functions of server for operational binding administration
Internal functions
opr
1
2-4
Interface functions of DSA operation handling
Internal functions
osi
1
3
Incoming/outgoing event-handling functions
TP-routines
progsvr
1-3
4
5
6-7
8
Request processing functions
Configuration handling
Initialization
Worker and execution
Miscellaneous and debugging
que3
1-9
DirXQue3 search engine functions
reorg
1
2
Interface functions of database reorganization
Internal functions
ros
1
3
4
6
7-8
RTROS-interface functions
RTROS-internal functions
CMX-interface functions
AMS-compiler logging
AMS (NDS)-library functions
rpc
1-2
Internal RPC-runtime functions
sch
1
2-3
Interface functions of schema handling
Internal functions
sec
1
2
3
4
5
6
7
8
Interface functions of auth (Security)
Main function within auth
Second level function within auth
Name logging
Utility function for auth policies
Utility function for simple protected
Utility function for NT security
General utility function for auth
shr
1
2
SHR-package interface functions related to shared resource creation/deletion
SHR-package interface functions related to shared resource acquirement
snmp
1
2
SNMP interface functions
Internal functions
sock
1
2
3
4
Socket interface functions (connection establishment)
Data transfer
Eventing
Name handling and utility functions
sth
1
2
Subtree handling interface functions
Internal functions
stx
1
2-5
Interface functions of syntax handling
Internal functions
sys
1
2
3
4
System calls (2)
System library functions (3C)
System library functions (3C) related to memory allocation
WIN32 library functions
sysadm
1
Interface functions of DSA administration
tjh
1
2
TJH-package (Timed job handler) interface functions
TJH-package internal functions
util
1
Utility functions
vthr
1
2-3
4
5
6
7
VT-package (Virtual thread) interface functions related to threads creation/termination
VT-package interface functions related to threads controlling
VT-package interface functions related to mutexes
VT-package interface functions related to condition variables
VT-package interface functions related to thread specific data
VT-package internal functions
-
There are the following levels for the subcomponents of the dba component:
Sub-com-ponent
Valid value for level
Usage
dbam
1
Database kernel interface functions
dbambc
1
2
3
4-5
6
7
8
Internal database buffer cache interface functions
Internal database buffer cache transaction functions
Internal database buffer cache checkpoint functions
Internal database buffer cache transaction device functions
Internal database buffer cache device input functions
Internal database buffer cache device output functions
Internal database buffer cache consistency check functions
dsync
1
2
3-4
Process synchronization interface functions
Process synchronization operational interface functions
Process synchronization utility interface functions
The following output path settings apply only to the dirxlog.cfg file (they do not apply to the dirxlog.on and dirxlog.off files):
process
-
Indicates how to store the log entries. Valid values for process are:
-
DISCARD—Do not write any log entries.
-
BINFILE—Write entries to a binary file. You must supply the name of the file. (See file_name, below.) BINFILE must be used for the dir component
-
TEXTFILE—This value must not be used for trace log entries.
-
STDOUT—This value must not be used for trace log entries.
-
STDERR—This value must not be used for trace log entries.
-
*GOESTO:*severity…—This value must not be used for trace log entries.
-
max_num_files
-
The maximum number of log files to create (a number from 01 to 99 inclusive). When the first log file reaches its capacity (specified by max_num_entries), a second file is written and so on until the number of files specified by max_num_files is reached. When the maximum number of files is reached, the next file overwrites the first file, and the next the second file, and so on. If multiple files are written, the sequence number of the file (a number in the range 01 to the number specified by max_num_files) is appended to the file name.
max_num_entries
-
The maximum number of entries to write to the file.
file_name
-
The full pathname of the file in which to store the entries. You can use the %s variable to insert the pathname of the base directory in which DirX Directory is installed in the file name. (See the environment variable $DIRX_INST_PATH for details.) You can use the %d variable to insert the ID of the currently running process in the file name. For example, LOG%d creates a file named LOG appended with the process ID. You must supply file_name only if you supply a process of BINFILE, TEXTFILE, and FILE.
Sample Trace Section Lines
The following sample line uses the wildcard character to specify logging for all subcomponents. It captures debug messages of levels 1-5 and level 9. The %s variable is used to insert the base directory in which DirX Directory is installed; for example, install_path, in the file name. The %d variable is used to store the log messages in a file named LOGprocess_id:
dir:*.9.1-5:BINFILE.2.200:%s/client/log/LOG%d
The following sample specifies the logging of level 1 messages from the adm, api, attr and audit subcomponents and of level 2 messages from the disp, dsapp, nms, sys, thr, and util components:
dir:adm.1,api.1,attr.1,audit.1,disp.2,dsapp.2,\ nms.2, sys.2, vthr.2, util.2: \ BINFILE.2.200:%s/client/log/LOG%d
In both of the sample lines above, two binary log files are created. The first 200 log entries are written to the file install_path/client/log/LOGprocess_id.01 and the second 200 log entries are written to the file install_path/client/log/LOGprocess_id.02. Then LOGprocess_id.01 is overwritten with the next 200 log entries, then LOGprocess_id.02 is overwritten and so on.
Depending on the logging configuration, the binary log files can become very big. It is recommended to configure only the log levels needed, for instance:
ros.4.9 in order to trace all DAP, DSP or DISP-PDUS vthr.1, icom.1.9 in order to trace the interthread communication
Section 2—Exception Logging
The second section of the logging configuration files defines the severity of exceptions to log and how and where to log them. The settings in this section only appear in the dirxlog.cfg file; they do not appear in the dirxlog.on or dirxlog.off files. The section consists of lines in the following format:
-
severity:_process_.max_num_files.max_num_entries:_file_name_
where:
severity
-
Specifies the severity of the exception to store. Valid values are:
-
FATAL—Fatal errors
-
ERROR—Non-fatal errors
-
WARNING—Warnings
-
NOTICE—Informational notices
-
NOTICE VERBOSE—Operation requests that the server received from the dirxadm command.
-
process
-
Indicates how to handle the log entries for the specified severity. Valid values, which can be used with any of the severities listed above, are:
-
DISCARD—Do not write any log entries.
-
BINFILE—Write entries to a binary file. You must supply the name of the file. (See file_name below.) BINFILE must be used for the dir component
-
TEXTFILE—Write entries to a human-readable text file. You must supply the name of the file. (See file_name below.) This value is ignored for severity NOTICE VERBOSE. They always are logged to the file named ADM*processID.number. On Windows, this value results in transferring messages of severity *FATAL, ERROR, and NOTICE to the Windows Event Service. Messages with severity WARNING are not transferred to the Windows Event Service due to their output length. It is recommended to write these messages either to a seperate BINFILE (see above) or to append them to the log file by specifying GOESTO:dir (see below). Appending messages of severity WARNING to the log files is the default behaviour specified in the initially installed logging configuration files.
-
STDOUT—Write entries in human-readable text to standard output.
-
STDERR—Write the entries in human-readable text to standard error.
-
GOESTO:*severity_or_component…—Write the entries to same destination as the entries of the specified severity or component. You can specify multiple severities or components by separating each one with a comma. This value is ignored for severity *NOTICE VERBOSE. They always are logged to the file named ADM*processID.*number.
-
max_num_files
-
The maximum number of log files to create (a number from 01 to 99 inclusive). See the max_num_files parameter in Section 1—Trace Logging for more details.
max_num_entries
-
The maximum number of entries to write to the file.
file_name
-
The full pathname of the file in which to store the entries. See the file_name parameter in Section 1—Trace Logging for more details.
Sample Exception Lines
The following example specifies that:
-
Exceptions with severity of FATAL are stored in two places. The first is a text file with up to 100 entries named install_path*/server/log/EXC*process_id. Only one such file is created. When the file reaches 100 entries it is overwritten. The second is not shown in the example. It is the file where the traces for the dir components are stored.
On Windows, exceptions with severity of FATAL are stored at the following two locations: -
The value TEXTFILE specifies that they are transferred to the Windows Event Service.
-
The value GOESTO:dir specifies that they are written to the same log file where the messages of the component dir are stored.
-
-
Exceptions with a severity of ERROR are stored in three places. The first is a text file with up to 100 entries named install_path*/server/log/USR*process_id. Only one such file is created. When the file reaches 100 entries it is overwritten. The second is the same place where exceptions with a severity of FATAL are stored. The third is the same place where traces for the dir component are stored.
On Windows, exceptions with severity of ERROR are stored at the following two locations: -
The value TEXTFILE specifies that they are transferred to the Windows Event Service.
-
The value GOESTO:FATAL specifies that they are written to the same log file where the messages of the component dir are stored.
-
-
Messages with a severity of NOTICE are stored in the same place as messages with a severity of ERROR.
FATAL:TEXTFILE.1.100:%s/server/log/EXC%d;GOESTO:dir ERROR:TEXTFILE.1.100:%s/server/log/USR%d;GOESTO:FATAL NOTICE:GOESTO:ERROR
Examples
In the examples that follow, lines beginning with the hash tag character (#) are comment lines used to differentiate the trace logging section from the exception logging section.
The following is a sample dirxlog.cfg file.
# Trace Logging dir:sys.1,sock.1.9,vthr.1,icom.1,shr.0,ctx.0,\ osi.1,rpc.1,ros.1,\ sec.1,api.1,daspp.1,\ bth.1,norm.1,match.1,\ conf.1,asn1.0,util.1-2:BINFILE.6.2000:%s/client/log/LOG%d # # Exception Logging FATAL:TEXTFILE.1.100:%s/client/log/EXC%d;GOESTO:dir ERROR:TEXTFILE.1.100:%s/client/log/USR%d;GOESTO:FATAL NOTICE:GOESTO:ERROR WARNING:GOESTO:FATAL NOTICE_VERBOSE:GOESTO:FATAL
The following is an example of a dirxlog.off file. Note that the first line of the file turns trace logging off for the dir and dba components.
dir:*.0 dba:*.0
Code Signing Files
.sig
verify.bat (Windows)
verify.sh (Linux)
dxd_sign_pub.pem
Purpose
Signature files named original_name*.sig* are supplied for all executables and dynamic libraries delivered with DirX. These signature files can be used to verify that the code has not been altered or corrupted since it was signed.
To perform the verification, use the verify.sh (Linux) or verify.bat (Windows) script in the folder install_path/signing and specify the full path of the public key for verification dxd_sign_public.pem on the command line. This public key is contained in the folder install_path/signing and can also be downloaded from the support portal.
Example
The following example shows the usage and output of code-signing verification:
% verify.bat c:\data\dxd_sign_pub.pem (Windows) % verify.sh /home/dirx/signing/dxd_sign_pub.pem (Linux)
Sample Verification Output
Verifying files C:\Program Files\DirX\Directory\Bin\amscomp.exe Verified OK C:\Program Files\DirX\Directory\Bin\certutil.exe Verified OK C:\Program Files\DirX\Directory\Bin\dbamboot.exe Verified OK ... C:\Program Files\DirX\Directory\Bin\ssl3.dll Verified OK Verification completed successfully
DirX Directory License Files
dirx.lic
dirx.lic.sig
Purpose
The DirX Directory service operates under license control and requires the presence of a valid license to run.The dirx.lic and dirx.lic.sig files are used by the DirX Directory service (DSA process) during its license validation procedure.They are located in:
install_path/conf
The dirx.lic file is a human-readable text file that describes the license agreement that you (the customer) have with the DirX Directory vendor for use of the DirX Directory product. The file contains parameters that define the agreed-upon terms and conditions for use, such as the license expiration date, the number of directory entries permitted, and the host names or IP addresses of machines that are allowed to run the service.
DirX Directory supplies a default “trial” dirx.lic file with restrictive parameter settings. The service uses this file for license control until you (optionally) replace it with a “perpetual” dirx.lic file that defines custom parameter settings negotiated between you and the DirX Directory vendor.
License control works as follows: at product installation, at each service startup, and daily on a running system, the service’s license validation procedure compares the settings in the dirx.lic file against the current installation and logs the results in the file install_path*/server/log/fatalDSA**. The action taken on a license violation depends on the type of violation and the license type.
You are allowed to read the dirx.lic file but you are not allowed to modify it.
The dirx.lic.sig file is a binary file generated from the dirx.lic file. The service’s license validation procedure uses this signature file at service startup and daily on a running system to verify that the dirx.lic file has not been tampered with or corrupted. See the section “Code Signing Files” in this chapter for more information on this type of file.
Trial license dirx.lic and dirx.lic.sig files are delivered with each DirX Directory release and are automatically installed into install_path*/conf*. Perpetual license dirx.lic and dirx.lic.sig files are issued by the DirX Directory vendor and must be manually installed by overwriting the trial dirx.lic and dirx.lic.sig files and then running the license validation procedure.
A DirX Directory upgrade installation installs the most recent trial dirx.lic and dirx.lic.sig files into install_path*/conf* unless it finds that these files are already present. In this case, it installs the most recent trial license files in the same directory as the existing license files with the names dirx.lic.new and dirx.lic.sig.new.
Note that the dirx.lic and dirx.lic.sig license files are not part of the regular backup procedure for a DirX Directory installation. You must back up these files manually.
For more information about license files and license types, how to obtain and install license files, and how license files are used in DirX Directory license validation, see the section “License Requirements” in the DirX Directory Release Notes.
Description
The dirx.lic file consists of two types of lines: comment lines and parameter lines.
Comment lines begin with the hash tag character (#) in the first column and are ignored.
A parameter line defines a specific term of the license agreement.
Parameter lines consist of a keyword and a value. Keywords appear in the first column and are separated from the value by one or more space characters.
Parameters can appear in any order within the file.
Most parameters are mandatory; a few are optional. If an optional parameter is not present in the file, there is no restriction on what the parameter controls. For example, if the host_name or host_ip parameters are not present, the service is permitted to run on any machine in the customer environment.
Parameters
create_date date
-
The date at which the license file was issued by the vendor, in the format yyyy-mm-dd. This parameter is mandatory and is for internal use only.
Example:create_date 2024-03-15
customer_email email_address
-
The email address that the vendor can use to contact you (the customer) for questions and/or incidents. This parameter is optional.
Example:customer_email anton.ant@acme.com
customer_name name
-
The name that the vendor can use to contact you (the customer) for questions and/or incidents. This parameter is optional and has no effect on DirX Directory license validation.
Example:customer_name ACME Inc.
customer_project project_name
-
The name of a specific project, when you (the customer) use the same DirX Directory installation in multiple projects. This parameter is optional and has no effect on DirX Directory license validation.
Example:customer_project ACME IAM Project
dirx_entries max_number_of_entries
-
The maximum number of directory entries for which the license is valid. This parameter is mandatory and is used to restrict the licensed DirX Directory installation to a certain number of entries in the DBAM database. The service’s license validation procedure checks this parameter. If the current number of entries exceeds max_number_of_entries and the license type is trial, the service shuts down (on a periodic license check) or does not start (on an initial license check). If max_number_of_entries is exceeded and the license type is perpetual, a warning is generated in install_path*/server/log/fatalDSA** and the service continues to run (periodic license check) or starts (initial license check).
Example:dirx_entries 1000000
host_ip address
-
The IP address of the machine that hosts the licensed DirX Directory installation. This parameter is optional and can be used to restrict the licensed DirX Directory installation to a specific host machine. It can be set multiple times to allow the same license to be used on several machines with different IP addresses. At least one IP address must match an IP address of the local host. Only explicit IPs are allowed; no wildcards are permitted. IP4 and IP6 addresses are supported. Local host addresses (for example, 127.0.0.01, ::1, etc.) are not allowed.
Example:host_ip 188.10.101.23 host_ip 11.96.22.40 host_ip fe80::7262:2324:b66d:a805%5
host_name name
-
The name of the machine that hosts the licensed DirX Directory installation. This parameter is optional and can be used to restrict the licensed DirX Directory installation to a specific host machine. It can be set multiple times to allow the same license to be used on several machines with different names. At least one name must match the name of the local host returned by the hostname command.
Example:host_name WINDOWS-BZTSANM4 host_name dxd-vm-rhel9
license_type trial | perpetual
-
The license type. A trial license is the default, limited-feature license delivered with DirX Directory and automatically installed with the product. A perpetual license is a customized license for DirX Directory that is negotiated between you (the customer) and the DirX Directory vendor and is issued by the vendor to you for use in a DirX Directory installation. This parameter is mandatory and is used by the service’s license validation procedure. For more details on license types and how they are used, see the section “License Requirements” in the DirX Directory Release Notes.
Example:license_type perpetual
product_name dirx_product_name
-
The name of the licensed DirX Directory product. This parameter is mandatory, and the value is always DirX Directory. The service’s license validation procedure checks this parameter. If the name in dirx_product_name does not match the product name of the installation, the service shuts down (on a periodic license check) or does not start (on an initial license check).
Example:product_name DirX Directory
product_version_major number
-
The major version number of the licensed DirX Directory product. This parameter is mandatory. The service’s license validation procedure checks this parameter. If the value in number does not match the major version number of the installation, service shuts down (on a periodic license check) or does not start (on an initial license check).
Example:product_version_major 9
product_version_minor number
-
The minor version number of the licensed DirX Directory product. This parameter is optional. The service’s license validation procedure checks for this parameter. If it is not present, the license is valid for all product versions that match the value specified in the product_version_major parameter; for example, 9.1, 9.2, and so on. If it is present and the specified value does not match the minor version number of the installation, the service shuts down (on a periodic license check) or does not start (on an initial license check).
Example:product_version_minor 1
signature_digest value
-
The digest algorithm used to generate the signature file for dirx.lic. This parameter is optional and is for internal use only.
Example:signature_digest SHA-512
support_expiry_date date
-
The date after which support by the vendor for the licensed DirX Directory product is no longer provided, in the format yyyy-mm-dd. This parameter is optional. If the parameter is present, license_type is perpetual, and the expiration date has passed, the service’s license validation procedure writes a warning message to the file install_path/server/log/fatalDSA* but allows the product to continue to be used. This parameter is not valid for a trial license because vendor support is not offered for this license type.
Example DirX Directory License File
Here is the template perpetual DirX Directory license file. It contains all the parameters that are available for use when creating a perpetual license. This file is not included with the DirX Directory installation.
# EVIDEN DirX Directory License file # DO NOT CHANGE!! # # In case of issue, contact vendor support via # Web : https://help.dirx.solutions/ # email: dirx-support.it-solutions@eviden.com # # day of license creation create_date 2023-12-19 # customer name and contact information customer_email anton.ant@acme.com customer_name ACME Inc. customer_project ACME IAM # name of product for which this license is generated # if only major version is present, license is valid for any minor version product_name DirX Directory product_version_major 9 product_version_minor 1 # type of license license_type perpetual # allowed IPs for this license host_ip 188.10.101.23 host_ip 10.96.25.40 host_ip 10.232.158.249 # name of host for which this license is valid host_name LAPTOP-B5EVANM4 host_name dxd-vm-rhel9 # max entries allowed in DB dirx_entries 100000 # digest type for signature verification signature_digest SHA-512 # # day when support for this license expires support_expiry_date 2024-12-31