DirX Directory DSA LDAP Extended Operations Reference Descriptions
The following sections provide reference descriptions for LDAP extended operations performed by the DirX Directory DSA.
dsa_ac_log_on
Parameters
parameter1; parameter2; …
One or more parameters to restrict the logging output to the information that is relevant to a particular type of operation. Specify the parameter in the format:
parameter_name=parameter_value
Use a semicolon (;) to separate multiple parameters.
There are two types of parameter:
- Non-volatile parameters
- Volatile parameters
Non-volatile parameters are stored and remain in effect while the DSA process is running; they change only when the operation is called again with the same parameter. Volatile parameters are in effect only for the extended operation to which they are attached.
The following table provides the name, the type, a description and the default value for each parameter:
| parameter_name | Volatility | Description | Default Value |
|---|---|---|---|
| max_file_no | non-volatile | Maximum number of log files used by the round-robin mechanism. | 10 |
| max_no_lines | non-volatile | Maximum number of lines in each log file. | 10000 |
| flush | non-volatile | If set to 1, fflush is called after each line is written, so the information can be read from the log file immediately. | 0 |
| entry | volatile | The DN of an entry in LDAP format. Only sections for entries with a matching DN are written to the log file. | all |
| requestor | volatile | The DN of the requestor in LDAP format. Only sections with a matching requestor DN are written to the log file. To filter for anonymous sections, specify the keyword anonymous as the parameter value. | all |
| permission_category | volatile | Comma-separated list of permission categories to log (the example below uses filterMatch,browse,read). | all |
| auth_level | volatile | Comma-separated list of authentication levels to log. | all |
| protected_item | volatile | Comma-separated list of protected items to log. | all |
| attribute | volatile | Comma-separated list of LDAP attribute names to log. | all |
Description
Use the dsa_ac_log_on LDAP extended operation to enable special access control (AC) logging. This logging is useful for analyzing how the configured access control items contribute to an access control decision.
On success, the DSA returns the string AC logging is successfully enabled.
The resulting log file is an ASCII text file written to install_path/server/log. The name of the log file is:
DSA_ACpid.file_number
where pid is the process ID of the DSA and file_number is the file's position in the round-robin sequence (see max_file_no).
Use the parameters to restrict the logging to the information that is relevant to a particular type of operation.
Example
In the following example, access control logging is enabled for the entry cn=Digger,ou=Development,o=My-Company and restricted to the filterMatch, browse, and read permission categories. The parameter string is enclosed in double quotation marks because dirxextop accepts only one -P parameter and because the shell would otherwise treat the semicolon as a command separator:
dirxextop -D cn=admin,o=my-company -w dirx -t dsa_ac_log_on -P "entry=cn=Digger,ou=Development,o=My-Company;permission_category=filterMatch,browse,read"
On success, the LDAP extended operation returns the message:
AC logging is successfully enabled
Here is a snippet from a log file written after the command above has been performed successfully:
Con9_Op10 Wed Mar 24 14:22:01.588000 DAPThread ACDF was called R: cn=admin,o=My-Company AL: simple PI: user attribute DN: cn=Digger,ou=Development,o=My-Company ATTR: telephoneNumber PC: read
Con9_Op10 List of all processed ACIs ordered by precedence:
Con9_Op10 - Admin: enable most of operations (permission: 2 - grant)
Con9_Op10 - Admin: enable most of operations (permission: 1 - grant)
Con9_Op10 - Public Access: enable Read and Search - disable Read password (permission: 3 - deny)
Con9_Op10 - Users: can Modify their passwords and telephoneNumbers (permission: 1 - grant)
Con9_Op10 - Users: can Modify their passwords and telephoneNumbers (permission: 2 - grant)
Con9_Op10 - Public Access: enable Read and Search - disable Read password (permission: 1 - grant)
Con9_Op10 - Public Access: enable Read and Search - disable Read password (permission: 2 - grant)
Con9_Op10 "Admin: enable most of operations (permission: 1 - grant)" is discarded because the requested item is not included.
Con9_Op10 "Public Access: enable Read and Search - disable Read password (permission: 3 - deny)" has lower precedence than the lastly added relevant ACI. This and every further ACIs are discarded.
Con9_Op10 List of relevant ACIs:
Con9_Op10 - Admin: enable most of operations (permission: 2 - grant)
Con9_Op10 "Admin: enable most of operations (permission: 2 - grant)" was selected as the most specific ACI.
Con9_Op10 Access granted.
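A trace like the one above is easier to audit when reduced to one record per operation: who asked, for which entry and attribute, under which permission category, which ACI won, and whether access was granted. The following Python script is an added example and not part of DirX Directory or of this reference. It parses DSA_AC log lines in the format shown above and also builds the dirxextop argument vector so that the whole parameter string, semicolons included, is handed to -P as one argument without relying on shell quoting. The sample log is the snippet above re-typed as one record per line; the denial wording "Access denied." is an assumption, since the page shows only the granted case.

```python
import re
import shlex
from collections import OrderedDict

# Field order of the "ACDF was called" line as it appears in the DSA_AC log above.
CALL_RE = re.compile(
    r"ACDF was called R: (?P<requestor>.+?) AL: (?P<auth_level>\S+) "
    r"PI: (?P<protected_item>.+?) DN: (?P<entry>.+?) ATTR: (?P<attribute>\S+) "
    r"PC: (?P<permission>\S+)$"
)
SELECTED_RE = re.compile(r'^"(?P<aci>.+)" was selected as the most specific ACI\.$')
DISCARD_RE = re.compile(r'^"(?P<aci>.+?)" (?P<reason>is discarded .*|has lower precedence .*)$')
RESULT_RE = re.compile(r"^Access (?P<result>granted|denied)\.$")  # "denied" wording is assumed


def parse_ac_log(text):
    """Group DSA_AC log lines by their Con<n>_Op<m> prefix and extract the decision trace."""
    ops = OrderedDict()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        op_id, _, rest = line.partition(" ")
        rec = ops.setdefault(op_id, {
            "op": op_id, "processed": [], "relevant": [], "discarded": [],
            "selected": None, "result": None, "_section": None,
        })
        m = CALL_RE.search(rest)
        if m:
            rec.update(m.groupdict())
        elif rest.startswith("List of all processed ACIs"):
            rec["_section"] = "processed"
        elif rest == "List of relevant ACIs:":
            rec["_section"] = "relevant"
        elif rest.startswith("- ") and rec["_section"]:
            rec[rec["_section"]].append(rest[2:])   # one ACI per "- " line
        elif (m := SELECTED_RE.match(rest)):
            rec["selected"] = m.group("aci")
        elif (m := DISCARD_RE.match(rest)):
            rec["discarded"].append((m.group("aci"), m.group("reason")))
        elif (m := RESULT_RE.match(rest)):
            rec["result"] = m.group("result")
    for rec in ops.values():
        rec.pop("_section")
    return list(ops.values())


def decisions(text):
    """One tuple per operation: requestor, entry, attribute, permission, winning ACI, outcome."""
    return [
        (r.get("requestor"), r.get("entry"), r.get("attribute"), r.get("permission"),
         r["selected"], r["result"])
        for r in parse_ac_log(text)
    ]


def extop_argv(bind_dn, password, extop, params):
    """argv for dirxextop; `params` becomes the single -P argument, joined with ';' and no spaces."""
    param = ";".join(f"{k}={v}" for k, v in params.items())
    return ["dirxextop", "-D", bind_dn, "-w", password, "-t", extop, "-P", param]


def extop_cmdline(bind_dn, password, extop, params):
    """The same command as a shell line; shlex.join quotes the ';' for you."""
    return shlex.join(extop_argv(bind_dn, password, extop, params))


# Constructed sample: the log snippet from this page, one "Con9_Op10" record per line.
SAMPLE_LOG = """\
Con9_Op10 Wed Mar 24 14:22:01.588000 DAPThread ACDF was called R: cn=admin,o=My-Company AL: simple PI: user attribute DN: cn=Digger,ou=Development,o=My-Company ATTR: telephoneNumber PC: read
Con9_Op10 List of all processed ACIs ordered by precedence:
Con9_Op10 - Admin: enable most of operations (permission: 2 - grant)
Con9_Op10 - Admin: enable most of operations (permission: 1 - grant)
Con9_Op10 - Public Access: enable Read and Search - disable Read password (permission: 3 - deny)
Con9_Op10 - Users: can Modify their passwords and telephoneNumbers (permission: 1 - grant)
Con9_Op10 - Users: can Modify their passwords and telephoneNumbers (permission: 2 - grant)
Con9_Op10 - Public Access: enable Read and Search - disable Read password (permission: 1 - grant)
Con9_Op10 - Public Access: enable Read and Search - disable Read password (permission: 2 - grant)
Con9_Op10 "Admin: enable most of operations (permission: 1 - grant)" is discarded because the requested item is not included.
Con9_Op10 "Public Access: enable Read and Search - disable Read password (permission: 3 - deny)" has lower precedence than the lastly added relevant ACI. This and every further ACIs are discarded.
Con9_Op10 List of relevant ACIs:
Con9_Op10 - Admin: enable most of operations (permission: 2 - grant)
Con9_Op10 "Admin: enable most of operations (permission: 2 - grant)" was selected as the most specific ACI.
Con9_Op10 Access granted.
"""

if __name__ == "__main__":
    for d in decisions(SAMPLE_LOG):
        print(d)
    print(extop_cmdline("cn=admin,o=my-company", "dirx", "dsa_ac_log_on",
                        {"entry": "cn=Digger,ou=Development,o=My-Company",
                         "permission_category": "filterMatch,browse,read"}))
```

Running dirxextop through subprocess.run(extop_argv(...)) avoids the shell entirely, so the semicolon-separated parameter string cannot be split or reinterpreted. Passing the bind password with -w on a command line, as the examples on this page do, exposes it to other local users through the process list; treat such invocations accordingly.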
dsa_ac_log_off
Description
Use the dsa_ac_log_off LDAP extended operation to disable the AC logging.
On success, the DSA returns the string AC logging is successfully disabled.
Existing log files are preserved in the log folder. If logging is enabled again, logging continues in the next file of the round-robin sequence.
dsa_dbam_aac
Synopsis
dsa_dbam_aac help |
list [bt=begin_time et=end_time] |
reset [all] |
show [index] |
start [bt=begin_time interval=interval_spec [no_of_intervals]] |
status |
stop
Purpose
Manages the DBAM AVIDX access counter (AAC) statistic histories. In the AAC statistic histories, the DSA records how often an attribute index is used in search operations.
The AAC statistic histories consist of a permanent statistic history with the index 0 and up to 54 statistic histories with the indexes 1 through 54. In the permanent statistic history, the DSA permanently records how often an attribute index is used in search operations. All other statistic histories are overwritten when the maximum number of statistics (54 statistics) is exceeded (first in first out) or a reset, start or stop command is performed.
The AAC statistic histories help an administrator to manage the attribute indexes and optimize the performance of search operations. For example, the administrator can identify attribute indexes that are never used and can then delete these attribute indexes.
help
Returns help information about the dsa_dbam_aac extended operation and its commands. The syntax is as follows:
dsa_dbam_aac help
Example
dsa_dbam_aac help
The sample command output is:
Usage :
list
Lists available AAC statistics histories. The syntax is as follows:
dsa_dbam_aac list [bt=begin_time et=end_time]
Arguments
bt=begin_time
The statistic history start time in GeneralizedTime local time format.
et=end_time
The statistic history end time in GeneralizedTime local time format.
Description
The dsa_dbam_aac list command lists the available AAC statistic histories. When specified without any arguments, the command lists all available AAC histories. Use the arguments bt=begin_time or et=end_time or both to reduce the list. The list always starts with the most recent statistic history and continues in descending order.
The output format of the command is as follows:
index [M|S] begin_time[ end_time]
where
index is an integer value in the range 1 to 54. The permanent AAC statistic has index 0 and is not listed. The permanent statistic is maintained continuously; the administrator has no control over it.
The letter M indicates manual creation; that is, maintenance of the AAC statistic histories was started by a reset or start command. The letter S indicates scheduled creation of the statistic history.
begin_time and end_time are timestamps in GeneralizedTime syntax and show the start and end of the statistic history period. end_time is omitted for the most recent statistic history because that history is not yet complete.
To display the details of an AAC statistic; that is, how often an attribute index is used in search operations during the statistic history period, use the dsa_dbam_aac show command.
reset
Stops the maintenance of AAC statistic histories immediately and removes all AAC statistic histories except the permanent one (index 0). The syntax is as follows:
dsa_dbam_aac reset [all]
show
Displays the counters of a specific AAC statistic history. The syntax is as follows:
dsa_dbam_aac show [index]
Arguments
index
An integer value in the range 0 to 54 that specifies the index of the AAC history. Index 0 is the default index and returns the current statistic of the permanent AAC. Index 1 to 54 returns the AAC statistic history associated with the specified index.
Description
The dsa_dbam_aac show command, when specified without any arguments, returns the current statistic of the permanent AAC (index 0). Use the index argument to return a specific AAC statistic history.
Use the dsa_dbam_aac list command to display all available AAC statistic histories if you do not know which statistics are available.
The output format consists of a one-line header, followed by a two-line column description, followed by the multi-line statistic counters. The counters show how often an attribute index was used in search operations. The statistic counters are always sorted in descending order. The hyphen character (-) indicates that the specific sub-index is not configured.
For the permanent AAC statistic, the counters of all attribute indexes are displayed. The permanent AAC statistic header includes the time stamp in local time format of the last time the counters were saved to the DBAM block.
For all other statistic histories, the counters of a maximum of 400 attribute indexes are displayed. The AAC statistic history header includes the begin time and the end time in GeneralizedTime format.
Example
The following sample command returns the permanent AAC statistic:
dsa_dbam_aac show
The output provides details for all attribute indexes. The output is as follows:
Attribute access counter high score at Sat Jul 04 10:12:55 2015 :
Attribute name : Index access counter
: INITIAL FINAL CONTAINS PRESENT
objectClass : 1911746899 - - 19207113
dxmADsSamAccountName : 1790575257 - - 0
cn : 1167586108 1920 - 0
dxrUserLink : 758424228 - - 56807545
employeeNumber : 518684159 27 - 554491
dxrAssignFrom : 407342374 - - 2
dxrPrimaryKey : 379713170 - 2 51063
l : 125345929 - - 0
dxrIsPrimary : 77805510 - - 0
ou : 70507888 - - 0
dxrProject : 55199743 - - 0
dxrGroupMemberOK : 48085760 - - 1
modifyTimestamp : 37452904 0 - 0
dxrState : 29984514 0 - 25212874
uniqueMember : 12856898 - - 0
departmentNumber : 11149186 2 8 1059223
dxrRoleParamValue : 0 0 8093945 19
dxrPrivilegeLink : 5091699 - - 4399664
dxrGroupMemberDelete : 3957360 - - 78910
In the output, you can see that the permanent counters were last saved at Sat Jul 04 10:12:55 2015. The objectClass attribute INITIAL index was the attribute index used most frequently in search operations, and dxrGroupMemberDelete the least frequently of those shown. Rows are ordered by their largest sub-index counter, which is why dxrRoleParamValue (CONTAINS 8093945) appears between departmentNumber and dxrPrivilegeLink.
The following sample command returns the AAC statistic history for index 3:
dsa_dbam_aac show 3
The output provides details for a maximum of 400 attribute indexes that were used in search operations most frequently. The output is as follows:
Attribute access counter high score from 20150601000000 to 20150630235959:
Attribute name : Index access counter
: INITIAL FINAL CONTAINS PRESENT
uid : 14910248 - - 105
dxmOprOriginator : 333476 - - 0
objectClass : 237635 - - 20
employeeNumber : 153928 - - 0
member : 53968 - - 0
sn : 22345 - 7 33
modifyTimestamp : 6581 - - 0
cn : 4196 - - 0
createTimestamp : 579 - - 0
description : 236 - - 0
memberOf : 213 - - 0
ou : 21 - - 175
uniqueMember : 175 - - 0
l : 165 - - 0
In the output, you can see that this AAC statistic history was recorded between 1 June 2015 and 30 June 2015.
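The use case named above, finding attribute indexes that are never hit so that they can be dropped, needs the show output in machine-readable form. The following Python script is an added example and not part of DirX Directory or of this reference. It parses both header forms shown above (permanent counters saved "at" a timestamp; a history "from" begin to end), keeps an unconfigured sub-index ("-") distinct from a zero counter, lists indexes with no hits at all, and ranks attributes by their largest sub-index counter. The sample inputs are the two outputs shown above; the row dxrExampleUnused is constructed so that the unused-index check has something to find.

```python
import re

SUBINDEXES = ("INITIAL", "FINAL", "CONTAINS", "PRESENT")
PERMANENT_HDR = re.compile(r"^Attribute access counter high score at (?P<saved>.+?)\s*:$")
HISTORY_HDR = re.compile(
    r"^Attribute access counter high score from (?P<bt>\d{14}) to (?P<et>\d{14})\s*:$")


def parse_aac_show(text):
    """Parse `dsa_dbam_aac show` output into {"kind", ..., "counters": {attr: {subindex: int|None}}}."""
    result = {"kind": None, "counters": {}}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if (m := PERMANENT_HDR.match(line)):
            result.update(kind="permanent", saved_at=m.group("saved"))
        elif (m := HISTORY_HDR.match(line)):
            result.update(kind="history", begin_time=m.group("bt"), end_time=m.group("et"))
        elif line.startswith("Attribute name") or line.startswith(":"):
            continue  # the two column-description lines
        else:
            name, sep, counts = line.partition(":")
            tokens = counts.split()
            if not sep or len(tokens) != len(SUBINDEXES):
                raise ValueError(f"unexpected line: {line!r}")
            # "-" means the sub-index is not configured; keep that distinct from a zero counter.
            result["counters"][name.strip()] = {
                sub: (None if tok == "-" else int(tok)) for sub, tok in zip(SUBINDEXES, tokens)
            }
    return result


def unused_indexes(parsed):
    """Attributes whose configured sub-indexes were never used in the shown period."""
    return [
        name for name, subs in parsed["counters"].items()
        if any(c is not None for c in subs.values())
        and all(c == 0 for c in subs.values() if c is not None)
    ]


def rank_by_max(parsed):
    """Attribute names ordered by their largest sub-index counter, descending."""
    def best(item):
        return max(c for c in item[1].values() if c is not None)
    return [name for name, _ in sorted(parsed["counters"].items(), key=best, reverse=True)]


# Sample input: the permanent-counter output from this page plus one constructed unused row.
PERMANENT_SAMPLE = """\
Attribute access counter high score at Sat Jul 04 10:12:55 2015 :
Attribute name : Index access counter
: INITIAL FINAL CONTAINS PRESENT
objectClass : 1911746899 - - 19207113
dxmADsSamAccountName : 1790575257 - - 0
cn : 1167586108 1920 - 0
dxrUserLink : 758424228 - - 56807545
employeeNumber : 518684159 27 - 554491
dxrAssignFrom : 407342374 - - 2
dxrPrimaryKey : 379713170 - 2 51063
l : 125345929 - - 0
dxrIsPrimary : 77805510 - - 0
ou : 70507888 - - 0
dxrProject : 55199743 - - 0
dxrGroupMemberOK : 48085760 - - 1
modifyTimestamp : 37452904 0 - 0
dxrState : 29984514 0 - 25212874
uniqueMember : 12856898 - - 0
departmentNumber : 11149186 2 8 1059223
dxrRoleParamValue : 0 0 8093945 19
dxrPrivilegeLink : 5091699 - - 4399664
dxrGroupMemberDelete : 3957360 - - 78910
dxrExampleUnused : 0 - - 0
"""

# Sample input: the first rows of the index-3 history shown on this page.
HISTORY_SAMPLE = """\
Attribute access counter high score from 20150601000000 to 20150630235959:
Attribute name : Index access counter
: INITIAL FINAL CONTAINS PRESENT
uid : 14910248 - - 105
dxmOprOriginator : 333476 - - 0
objectClass : 237635 - - 20
sn : 22345 - 7 33
"""

if __name__ == "__main__":
    perm = parse_aac_show(PERMANENT_SAMPLE)
    print("saved at:", perm["saved_at"])
    print("never used:", unused_indexes(perm))
    print("top 3:", rank_by_max(perm)[:3])
```

Decide on deletions from a completed history (begin and end time both known), not from the permanent counters alone: the permanent counters accumulate since database initialization, so an index that is only hit by a quarterly job looks busy there but shows zero in a short history.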
start
Directs DBAM to start a new AAC statistic history. The syntax is as follows:
dsa_dbam_aac start [bt=begin_time interval=interval_spec [no_of_intervals]]
Arguments
bt=begin_time
The start time of a new scheduled AAC statistic history in GeneralizedTime localtime format.
interval=interval_spec
The time period after which DBAM collects the number of attribute index accesses in search operations. Specify interval_spec as count immediately followed by time-unit (for example 1D), where count is an integer value and time-unit is one of the following characters:
- S or s for seconds
- H or h for hours
- D or d for days
- W or w for weeks
- M or m for months
no_of_intervals
An integer value that specifies the number of intervals after which DBAM stops the AAC statistic history.
Description
The dsa_dbam_aac start command, when specified without any arguments, stops a previously started AAC statistic history and immediately starts a new AAC manual statistic history. DBAM stores the start and end times of the previous statistic history and the current AAC counters in a DBAM statistic history block and then initiates the creation of the new history. To finish the current period, invoke the stop command or invoke a start command.
If a begin time is specified, DBAM starts a new AAC scheduled statistic history at the specified time.
DSA down time can lead to a schedule that does not conform to the configured schedule. For example, if the next schedule is planned for 2:00 AM and the DSA is not running at this time, the DSA creates the statistic history when it starts up again and then returns to the configured schedule.
Example
In the following example, a manual AAC statistic history is created immediately:
dsa_dbam_aac start
In the following example, a scheduled AAC statistic history is created on 1 July 2016 at 0:00 AM. The DSA saves the statistic history counters every month (with an interval of one month):
dsa_dbam_aac start bt=20160701000000 interval=1M
In the following example, a scheduled AAC statistic history is created on 1 July 2016 at 0:00 AM. The DSA saves the statistic history counters every day. The DSA automatically stops recording of AAC statistic histories after 10 days:
dsa_dbam_aac start bt=20160701000000 interval=1D 10
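Before starting a scheduled history it is worth seeing the period boundaries the DSA will use and checking that the argument string is well formed, because a malformed start command is only reported by the DSA. The following Python script is an added example and not part of DirX Directory or of this reference. It validates bt (14-digit GeneralizedTime) and interval_spec (count followed by one of s, h, d, w, m in either case), expands the schedule, warns how many histories a long schedule would push out of the 54-slot ring, and produces the single -P string. Month arithmetic clamps a day beyond the target month's length to that month's last day; that is an assumption, since the page does not say how the DSA handles such dates. Schedule shifts caused by DSA downtime are not modelled.

```python
import calendar
import re
from datetime import datetime, timedelta

MAX_HISTORIES = 54  # DBAM keeps at most 54 statistic histories; older ones are overwritten (FIFO)
INTERVAL_RE = re.compile(r"^(?P<count>[1-9]\d*)(?P<unit>[sShHdDwWmM])$")
GT_FORMAT = "%Y%m%d%H%M%S"  # GeneralizedTime in local time, as used by bt= and et=
TIMEDELTA_UNITS = {"s": "seconds", "h": "hours", "d": "days", "w": "weeks"}


def parse_generalized_time(value):
    if not re.fullmatch(r"\d{14}", value):
        raise ValueError(f"bt must be 14 digits YYYYMMDDhhmmss, got {value!r}")
    return datetime.strptime(value, GT_FORMAT)


def add_interval(t, count, unit):
    """Advance t by `count` units; months use calendar arithmetic instead of a fixed delta."""
    unit = unit.lower()
    if unit in TIMEDELTA_UNITS:
        return t + timedelta(**{TIMEDELTA_UNITS[unit]: count})
    # Month arithmetic. Assumption (not stated on the page): a day beyond the target
    # month's length is clamped to that month's last day (31 Jan + 1M -> 29 Feb 2016).
    month_index = t.year * 12 + (t.month - 1) + count
    year, month0 = divmod(month_index, 12)
    day = min(t.day, calendar.monthrange(year, month0 + 1)[1])
    return t.replace(year=year, month=month0 + 1, day=day)


def aac_schedule(bt, interval, no_of_intervals=None, preview=12):
    """Period boundaries [bt, bt+interval, bt+2*interval, ...] as GeneralizedTime strings.
    Without no_of_intervals the schedule is open-ended, so only `preview` steps are listed."""
    m = INTERVAL_RE.match(interval)
    if not m:
        raise ValueError(f"interval_spec must be <count><unit>, e.g. 1D or 2w, got {interval!r}")
    count, unit = int(m.group("count")), m.group("unit")
    if no_of_intervals is not None and no_of_intervals < 1:
        raise ValueError("no_of_intervals must be a positive integer")
    steps = no_of_intervals if no_of_intervals is not None else preview
    boundaries = [parse_generalized_time(bt)]
    for _ in range(steps):
        boundaries.append(add_interval(boundaries[-1], count, unit))
    return [b.strftime(GT_FORMAT) for b in boundaries]


def overwritten_histories(no_of_intervals):
    """How many of the scheduled histories the FIFO wrap-around will overwrite before the end."""
    return max(0, no_of_intervals - MAX_HISTORIES)


def start_params(bt, interval, no_of_intervals=None):
    """The single -P string for `dirxextop ... -t dsa_dbam_aac`, validated first."""
    aac_schedule(bt, interval, no_of_intervals, preview=1)  # raises on bad input
    params = f"start bt={bt} interval={interval}"
    if no_of_intervals is not None:
        params += f" {no_of_intervals}"
    return params


if __name__ == "__main__":
    # The second example above: daily histories for 10 days from 1 July 2016.
    for boundary in aac_schedule("20160701000000", "1D", 10):
        print(boundary)
    print(start_params("20160701000000", "1D", 10))
```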
status
Returns the current status of the AAC statistic history configuration. The syntax is as follows:
dsa_dbam_aac status
Description
The dsa_dbam_aac status command returns the current configuration data of the AAC statistic history. If no AAC statistic history is configured, then the result is empty. If a manual AAC statistic history is configured, then the result is “manual creation”. If a scheduled statistic history is configured, then the begin time, the interval specification and the time for the next schedule is returned.
Example
The following sample command returns the configuration data of a scheduled AAC statistic history:
dsa_dbam_aac status
The output is as follows:
bt=20150701000000 interval=1M et=20150801000000
In this example, collection of the AAC statistic history started on 1 July 2015 0:00 AM with an interval of one month. The et= value is the time of the next scheduled save, 1 August 2015 0:00 AM, at which the current period is closed and the next one begins.
The following sample command returns the configuration data of a manual created AAC statistic history (the dsa_dbam_aac start command was performed without arguments):
dsa_dbam_aac status
The output is as follows:
manual creation
stop
Stops AAC statistic history collection. The syntax is as follows:
dsa_dbam_aac stop
Description
The dsa_dbam_aac stop command immediately stops AAC statistic history collection if active. DBAM stores the start and end times of the active statistic history and the current AAC counters in a DBAM statistic history block and doesn’t initiate the creation of the new history. Use this command to stop the collection of AAC statistics history explicitly (instead of using automatic scheduled history; see the dsa_dbam_aac start command for details).
Description
The dsa_dbam_aac LDAP extended operation allows DirX Directory administrators to manage the recording of AAC statistic histories. In the AAC statistic histories, the DSA records how often an attribute index is used in search operations.
The AAC statistic histories help an administrator to manage the attribute indexes and optimize the performance of search operations. For example, the administrator can identify attribute indexes that are never used and delete these attribute indexes.
After the DBAM database is initialized, the permanent AAC statistic history is saved into a DBAM block every five minutes. If the DSA crashes, the counters for the last unsaved period are lost.
Use the dsa_dbam_aac status command to find out whether an AAC statistic history is configured.
Use the dsa_dbam_aac start command to initiate a new statistic history. For each new statistic history, DBAM creates a new DBAM statistic history block, resets the counters to zero and records the statistic history start time.
Use the dsa_dbam_aac stop command to stop a statistic history explicitly.
Use the dsa_dbam_aac reset command to stop the statistic history immediately and to remove all AAC statistic histories except for the permanent AAC statistic history.
Use the dsa_dbam_aac list command to get a list of all available AAC statistic histories. Then use the dsa_dbam_aac show command to display the counters of a specific AAC statistic history.
DBAM can keep a maximum of 54 statistic histories. After the 54th statistic history, DBAM history collection wraps around to the first DBAM statistic history block.
The maximum number of indexed attributes is 800. The permanent AAC statistic history records counters for all attribute indexes. All other AAC statistic histories record counters for at most 400 attribute indexes.
Example
The following example shows how to apply the dsa_dbam_aac LDAP extended operation with the tool dirxextop. It shows the creation of a scheduled AAC statistic history. The start time is 1 July 2016 at 0:00 AM, the interval is one day and the time span is scheduled for 10 days:
dirxextop -D cn=admin,o=my-company -w dirx -t dsa_dbam_aac -P "start bt=20160701000000 interval=1D 10"
Because dirxextop accepts only one -P parameter, you must enclose the whole argument string for the dsa_dbam_aac extended operation in double quotation marks ("").
dsa_dirxadm_cmd
Purpose
Performs dirxadm operations in a directory service that can only be accessed via the LDAP protocol. This extended operation is available only on Linux systems.
Parameters
"dirxadm_command"
Specifies the dirxadm operation as a simple unencoded string enclosed in double quotes.
Description
Use the dsa_dirxadm_cmd LDAP extended operation to perform a dirxadm operation in a DSA that can only be accessed via LDAP protocol.
On success, the DSA returns the result of the dirxadm operation.
The dsa_dirxadm_cmd operation requires the Execute permission; that is, the user’s distinguished name must be contained in the LDAP Extended Operations Execute Users or LDAP Extended Operations Execute Groups attribute of the LDAP server.
The dsa_dirxadm_cmd operation uses the bind operation specified in the environment variable DIRX_DSA_EXTOP_ADM_BIND to perform the bind operation to the DSA.
Example
In the following example a lob show operation is performed:
dirxextop -D cn=admin,o=my-company -w dirx -t dsa_dirxadm_cmd -P "lob show -supplier /CN=1stDSA -agreementid 60"
On success, the LDAP extended operation returns the following output:
OBS=COOPERATIVE OBMV={VF=210304130754Z} AGR={SS={AREA={CP={/O=My-Company},RA={BAS={/OU=Sales/CN=Abele}}},ATT={DEF=TRUE}},UM={SI={OC=TRUE}}} US={D=FALSE,NU=19700101000000Z,US={SUS={AC=NO-CHANGES,OU={SID=0,UT=20210304132919Z,OPMSN=10454720,AC=FALSE},AU={WS=INVOKED}}}} RPOL={LDSUPP={BAS64=TRUE}}
In the following example the paging policy of the root entry is displayed:
dirxextop -D cn=admin,o=my-company -w dirx -t dsa_dirxadm_cmd -P "show / -attribute PAGP"
On success, the LDAP extended operation returns the following output:
/ PAGP={PTO=20,MAXNUM=20,MAXMEM=4096}
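Both results above use the dirxadm attribute syntax: top-level attributes separated by spaces, nested groups in braces with comma-separated key=value items, and DNs in slash notation. The following Python parser is an added example and not part of DirX Directory or of this reference; it turns such output into nested dictionaries so that a setting can be asserted or two outputs diffed instead of being compared by eye. Assumptions beyond what the page shows: values contain no spaces or commas, a token that starts with "/" is a DN and is taken whole even though it contains "=", and a group holding only DNs is returned as a list. The sample inputs are the two outputs shown above.

```python
SEPARATORS = " ,"  # spaces separate attributes at top level, commas separate items inside braces


def _read_token(text, i, stop):
    j = i
    while j < len(text) and text[j] not in stop:
        j += 1
    return text[i:j], j


def _parse_group(text, i, top_level):
    """Parse key=value items until the closing brace (or end of text at top level).
    Returns (value, next index); a group holding only DNs returns a list, otherwise a dict."""
    attrs, dns = {}, []
    while True:
        while i < len(text) and text[i] in SEPARATORS:
            i += 1
        if i >= len(text):
            if not top_level:
                raise ValueError("unterminated '{'")
            break
        if text[i] == "}":
            if top_level:
                raise ValueError(f"unexpected '}}' at offset {i}")
            i += 1
            break
        if text[i] == "/":
            # Assumption: a token starting with '/' is a DN in dirxadm slash notation
            # ("/OU=Sales/CN=Abele"); it is taken whole even though it contains '='.
            dn, i = _read_token(text, i, SEPARATORS + "}")
            dns.append(dn)
            continue
        key, i = _read_token(text, i, SEPARATORS + "}=")
        if i >= len(text) or text[i] != "=":
            raise ValueError(f"expected '=' after {key!r} at offset {i}")
        i += 1
        if i < len(text) and text[i] == "{":
            value, i = _parse_group(text, i + 1, top_level=False)
        else:
            value, i = _read_token(text, i, SEPARATORS + "}")
        attrs[key] = value
    if dns and not attrs:
        return dns, i
    if dns:
        attrs["_dn"] = dns  # e.g. the entry DN that `show` prints before its attributes
    return attrs, i


def parse_dirxadm_value(text):
    value, _ = _parse_group(text.strip(), 0, top_level=True)
    return value


def flatten(value, prefix=""):
    """Dotted key paths ("AGR.SS.AREA.CP"), handy for diffing or asserting one setting."""
    if isinstance(value, dict):
        out = {}
        for k, v in value.items():
            out.update(flatten(v, f"{prefix}.{k}" if prefix else k))
        return out
    return {prefix: value}


# Sample inputs: the two dsa_dirxadm_cmd results shown on this page.
LOB_SHOW_OUTPUT = (
    "OBS=COOPERATIVE OBMV={VF=210304130754Z} "
    "AGR={SS={AREA={CP={/O=My-Company},RA={BAS={/OU=Sales/CN=Abele}}},ATT={DEF=TRUE}},"
    "UM={SI={OC=TRUE}}} "
    "US={D=FALSE,NU=19700101000000Z,US={SUS={AC=NO-CHANGES,"
    "OU={SID=0,UT=20210304132919Z,OPMSN=10454720,AC=FALSE},AU={WS=INVOKED}}}} "
    "RPOL={LDSUPP={BAS64=TRUE}}"
)
SHOW_PAGP_OUTPUT = "/ PAGP={PTO=20,MAXNUM=20,MAXMEM=4096}"

if __name__ == "__main__":
    for path, val in sorted(flatten(parse_dirxadm_value(LOB_SHOW_OUTPUT)).items()):
        print(f"{path} = {val}")
    print(flatten(parse_dirxadm_value(SHOW_PAGP_OUTPUT)))
```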
See Also
dirxextop and dirxadm in the DirX Directory Administration Reference, Environment Variables in DirX Directory Administration Reference, dirxadm command in the DirX Directory Administration Reference, dse bind operation in the DirX Directory Administration Reference, Attributes Controlling LDAP Extended Operations in the DirX Directory Syntaxes and Attributes, X.500 Security Features in the DirX Directory Introduction.
dsa_relevant_aci
Purpose
Searches for access control subentries whose user classes include the specified entry. The operation searches only for access control subentries that contain prescriptive access control items; entry access control items and subentry access control items are not returned.
The result is a list of distinguished names, one per line. Distinguished names that contain a newline or a non-printable character are written in base64 encoding.
Parameters
The distinguished name of the entry can be specified as a parameter using LDAP distinguished name syntax. If no parameter is specified, the result contains the relevant access control subentries for an anonymous bind.
Example
In the following example an access control search is executed for the cn=admin,o=my-company entry:
dirxextop -D cn=admin,o=my-company -w dirx -t dsa_relevant_aci -P "cn=admin,o=my-company"
On success, the LDAP extended operation returns the following output:
cn=AccessControl-Subentry
cn=AccessControl-Subentry,o=My-Company
In the following example an access control search is executed for an anonymous bind:
dirxextop -D cn=admin,o=my-company -w dirx -t dsa_relevant_aci
On success, the LDAP extended operation returns the following output:
cn=AccessControl-Subentry,o=My-Company