Core Component

SCL requires that the software product Eviden CardOS API (64-bit) is installed. After a successful default installation of CardOS API the PKCS#11 library named "cardos11_64.dll" is in the folder

In order to successfully perform SCL logins the path to the PKCS#11 library cardos11_64.dll must be specified in DirX Directory Manager. In menu Tools -> Options specify the path in the Smart Card frame:

In order to successfully perform a sasl EXTERNAL bind the LDAP server must meet the following preconditions additionally to those that are required for SSL binds without client authentication:

Perform the following steps to prepare the LDAP server and the DSA for Smart Card login:

From the LDAP client perspective SCL is one flavor of SASL EXTERNAL binds. In the General tab of the Server properties -> Authentication check SASL EXTERNAL bind and select Smart Card (PKCS#11) for Client Keystore:

Now DirX Directory Manager and the DirX Directory service are prepared to accept smart card logins.

See the Release Notes for information about supported smart card types.

The menu is configured in a file called menubar.xml. Plug-ins can modify and extend the menu.

Example:

The core menu typically includes:

Note that:

The tool bar is configured in a file called toolbar.xml. Plug-ins can change and extend the toolbar and add additional toolbars.

Example:

Tool tips describe the menu items that a tool represents. Tools may be gray if they are available, but do not apply to or are not implemented for the actual context. The tools provided by the core component typically include:

Here is an example of the views bar:

The views bar is a window that offers access to views. You can also switch to a different view with the view menu (unless this menu has been disabled).

In the sample shown here (which, by the way, comes from a plug-in), you can see the view groups called "DirX Manager", "My-Company" and "My-Company (SSL)", and the views of view group "My-Company", called "Directory Entries", "Quick Search", "Configuration", "Schema", "Replication", and "Monitoring". Possible differences between different views include:

A view is organized in

The view area presents the view that is currently selected in the views bar. The view area consists of a "view title" and of "view panes".

A particular view typically offers a search pane or a tree pane, or a combination of both (as shown in the previous screen shot), with an associated search result list pane and/or property pane (also shown in the previous screen shot).

Here is an example of the status bar selection:

The status information provided by the core component includes:

Plug-ins may provide additional information in the status bar.

Drag and drop allows you to copy or move currently selected entries to different nodes. Drag and drop works in list panes and tree panes (crosswise, too); and it works also between different instances of this application.

See also: Clipboard functions in the Edit menu and in the property pane/dialog.

This application makes extensive use of tool tips. Tool tips are contextual annotations that are briefly displayed when the mouse cursor remains on a context-sensitive spot, for example, on a property value.

The places where the right mouse button is functional include

The tree pane allows you to browse hierarchical structures contained in the LDAP directory in a tree-like manner. The tree view is typically accompanied by a list pane or a property pane or a combination of both.

Here is an example of a tree pane:

If the server has implemented operational attributes such as "numSubordinates" and "numAllSubordiates" and if access control grants read access to those attributes, the tree pane may look like this:

In combination with searching, you can use the tree for determining a search base - depending on how it is configured - either automatically or by clicking a button located next to the search base field.

To make a multiple selection:

Click a selected entry while keeping the ctrl key pressed to de-select it.

A problem of “flat” trees is that size or time limit typically prevents all "children" from being displayed. On the other hand, with unlimited size and time, the number of entries returned by the LDAP server may just be too big to be handled reasonably. This problem can be approached in several ways:

The search pane allows you to specify a search filter and initiate a search causing the server to return all entries (or a subset if there are too many) that match your search filter.

Here is an example of a search pane and a Tree (=Browse) pane combined through a tabbed pane:

This example shows three panes:

Here is an example of a "slimmed down" search pane:

Note that the button may automatically change to each time a search is initiated.

The list pane allows having entries (typically search results), more detailed: your choice of their attributes, listed in a table and sorted by the attribute(s) of your choice.

Here is an example of a list pane:

In the example shown here, the list is sorted by three columns in this priority:

A simple list pane is like a list pane, but has only one column.

Here is an example of a simple list pane:

The property pane allows you to read and edit the properties of an entry.
Double-click an entry to display a property dialog (as opposed to a property pane that is embedded into the main window: A property dialog is a separate window that you can resize up to the full screen).

The property pane usually has two modes (read and edit). In read mode, you cannot edit any data.

The clipboard functions cut/copy/paste (cut and paste only in edit mode) are available on a per attribute value basis. These functions also work between different instances of this application. Note that (in tree and list panes) clipboard (and drag and drop) functions are also available for currently selected entries.

Here is an example of a property pane in read mode:

For information about the buttons shown on the right-hand side in the figure, see the topic Property Editors: Summary. This topic also describes how to view property values that do not fit into the value field.

Click Edit to change to edit mode. Click Save or Reset (these buttons appear when you click Edit) to change back to read mode. The property pane may change its appearance significantly between edit mode and read mode.

Read-only mode: (you cannot change to edit mode)

Read mode:

Edit mode: Note that in edit mode the rest of the GUI is blocked.

Note that plug-ins may add additional buttons here.

Here is an example of a property pane in edit mode:

For Password modifications, see also "Reset Password".

Container panes, which organize the layout of other panes and do not display any data. The core component provides the following container panes:

The attribute with DN syntax editor allows you to assign a DN to an attribute with DN syntax:

Click "" to open a dialog that offers searching and browsing facilities for the DN of interest. Alternatively, you can just type the DN into the value field.

Click "" to display the referenced entry.

The boolean attribute editor allows you to edit boolean attributes. A boolean attribute shows one of the following appearances:

The country string editor is a combo box like:

The directory string property editor is the default editor. It applies to attributes with syntax Directory String and to all attributes with a syntax that does not have a corresponding dedicated property editor.

This editor provides a simple editable text field. In order to make reading and editing lengthy directory strings more convenient, the context menu offered through the right mouse button typically includes an "Edit" function that pens a re-sizeable dialog:

The generalized time editor allows you to edit the date and (local) time.

Click to use your mouse to edit the date/time. Alternatively, you can just type the date/time in the value field.

The line that allows you to edit the time is not available under all conditions.

The IA5 editor provides a simple editable text field that is restricted to the character set defined by IA5 (http://www.itu.int/rec/recommendation.asp?type=folders&lang=e&parent=T-REC-T.50).

Hex 20 to hex 7E, including “@”.

The integer editor provides a simple editable text field that does not take any characters other than digits that comply with a number in the range 0 to 2³² -1 (=4294967295).

Use the Jpeg editor to perform the following actions on JPEG images:

Here is an example of a Jpeg editor:

Figure : Jpeg Editor

The numeric string editor provides a simple editable text field that does not take any characters other than digits (0 to 9) and space.

The object class editor allows you to edit object classes:

Note that you cannot add, delete or change structural object classes; only auxiliary object classes can be added, deleted or modified.

The phone/fax editor allows you to edit a phone/fax attribute. Click the value field to change it to inline edit mode. Right-click the value field and select "check number…​" to have a dialog displayed like the one shown in the following figure:

The postal address editor allows you to edit a Postal Address (6 lines à 30 characters):

The printable string editor provides a simple editable text field that is restricted to the character set known as printable string (http://www.itu.int/rec/recommendation.asp?type=folders&lang=e&parent=T-REC-X.208):

A to Z, a to z, 9-0, <space>, ‘)(+,-./:=?

This editor cannot be applied to email addresses, because the "at" character (@) is not available.

Use the user certificate editor to perform the following actions on user certificates:

Here is an example of a user certificate editor:

When clicking the view button the Certificate Details are displayed:

The user password editor allows you to change your own or someone else’s password (depending on the selected entry). Click the value field to display the editor, which is shown in the following figure :

Deleting a password works the same way as deleting any other property.

Note that multivalued user passwords are not supported by this application.

See also: Reset Password.

Binary attributes other than certificates and jpeg photos are indicated in the all attributes tab like this ("audio"):

Clicking the button allows to save the currently selected value in a file.

Clicking the button allows to import a binary value from a file.

Clicking the button displays a window that shows the value as hexdump:

(To change somebody else’s password, see the topic User Password).

This dialog allows you to change your own password; that is, the password that was used in the previous Login.

Here is an example:

Note that multivalued user passwords are not supported by this application.

This dialog allows you to choose a distinguished name that contains all valid values, either by browsing a tree or by searching. Here is an example:

Figure : Choosing a Distinguished Name Dialog

This dialog allows you to specify details regarding the current import:

Note: If the file that is to be imported does not appear to be LDIF or DSML compliant, the import will be refused with an error message. There is one exception: multi-line attributes in LDIF files must be base64 encoded; however, they are also accepted here, if they appear as text with the individual lines being separated by hex "01".

The login dialog allows you to exchange authentication information between you and the LDAP server.

Here are examples for the Login dialog:

In order for this application to be able to connect to a server, you must:

Note that you may be offered read access only, or read and write access- depending on the access policy settings in the server dialog.

Use the naming dialog to assign a name to an object that you are creating.

Here is an example:

The renaming dialog allows you to rename the currently selected object. Note that the checkbox "Retain old name" does not appear unless you are renaming an LDAP entry. The same holds true for the button , which allows you to assign additional naming attributes.

Here is an example (which illustrates renaming an LDAP entry):

The menu item contains the following selections (the menu appears when you right-click the button)

This is the same menu item as the previous example, but in LDAP notation. In this mode, there is only one function available through the right mouse button. This function changes the appearance of the dialog back to the look shown in the previous example.

There are two sorts of search dialogs available (may occur combined, too):

The server dialog allows you to specify server-specific information in a "Server Profile", particularly information needed to connect to an LDAP server. Server profiles often correspond to view groups or views. However, it is also possible to address different servers (or the same server with different server profiles settings) within a single tree pane.

Plug-ins may categorize server profiles; that is, they can ensure that you can only see server profiles of a certain category within the view groups, views, nodes in tree panes under control of a plug-in. Category names are not displayed. New server profiles you create in a context where a category is in effect already, implicitly inheriting that category.

The settings you can make here are organized into these tabs:

General
Deals with LDAP connection related settings

Options
Primarily deals with controls that are to be passed to the LDAP server along with respective LDAP operations

Visibility
Deals with the visibility of attributes and object classes in search panes and search dialogs

Password
Allows you to specify, if

LDAP Root
Displays what the server returns if asked for "LDAP Root".

General

Here is an example of the dialog’s "General" tab:

This tab deals with LDAP connection related settings and contains the following fields:

Name: name of this server profile

Description: any additional information you might consider helpful

Color: the color for this server profile

Host: host name or IP address
Also possible: a blank-separated list of hosts with or without complemental port number, e.g. "localhost:389 111.222.333.444 666.777.888.999:636"
In this case, this application will connect to the first address it can successfully connect to, starting with the first one. If the port number is missing, the value specified in the following field (Port) will be used.*
Note: when changing Host or Port here, the settings related settings in the password tab may need to be changed as well.*

Port: port number
By default, the server listens to port 389 or - if SSL is enabled - to port 636.
Note that

LDAP version: LDAP protocol version (normally: 3)

Server Type
This field is only present, if the "DirX Manager" plug-in is in place. There are two possible values: "DirX Directory" and "Other". The functionality DirX Directory Manager offers depends on this selection:

What functional areas ("features") are mapped to what vendor versions is specified in the file config\DirX.policy. Note that this release of DirX Directory Manager is not necessarily able to interwork with future releases of DirX Directory particularly regarding the functional areas mentioned above.

Search Base (displayed if server type is "DirX Directory") resp. Base DN (displayed, if server type is "Other" or if the DirX Directory Manager plug-in is absent)

Use secure connection
In order for a secure connection to work, you must ensure that a suitable certificate is available in a local key store. By default, a test certificate is used that matches the default the DirX Directory LDAP server uses. Note that this certificate is only meant for demonstration. Read more about this in the chapter SSL/TLS.

Anonymous bind: to have this application try to connect without credentials (anonymously)

Simple bind: to have this application try to connect over a simple authenticated bind with credentials

SASL_EXTERNAL bind: to have this application try to connect over a SASL-authenticated external bind. If you select this option you must specify the client keystore. The client keystore is either stored in a File or on a Smart Card (PKCS#11). Using a file is intended for demonstration or testing purposes. For details on how to perform a smart card login with DirX Directory Manager, see "Smart Card Login" above.

Default User DN: The DN you typically use to log in

Location to store server profile: the choice of locations may vary depending on the plug-in that is behind this dialog. Generally, the available choices should be all or a subset of:

Options

Here is an example of the dialog’s "Options" tab:

This tab primarily deals with controls that are to be passed to the LDAP server along with respective LDAP operations:

Limits

De-referencing aliases. Possible values are:

Access Policy
An LDAP server primarily grants and denies access rights based on access control information stored at the server side. This application normally cannot determine a particular user’s access rights. By default, the GUI does not offer any add/modify operations to users logging in anonymously and does offer those operations to users logging in with credentials. This behavior is not always appropriate and can therefore be changed. Possible values are:

Referrals

Here is an example of the dialog’s "Referrals" tab:

This tab deals with the handling of referrals.

Referrals
A server may return referrals pointing to other servers as part of a search result, thus indicating that one or more other servers should be consulted in order to complete a search operation.

Bind type for Referrals
Here you specify which bind you want to use for following the referrals.

Credentials for Referral bind (useOtherCredentials)
Here you specify the credentials used for bind to follow the referrals. Only active if useOtherCredentials is selected in “Bind type for Referrals”

Visibility

Here is an example of the dialog’s "Visibility" tab:

This tab deals with the visibility of attributes and object classes in search panes and search dialogs.

The schema usually provides quite a number of object classes and attributes you never intend to use in searches - and whose appearance in the respective combo boxes of search panes and search dialogs you may find bothersome. This dialog along with the subdialogs that pop up when you click one of the "Edit…​" buttons allows you to hide unwanted object classes and attributes in those combo boxes. You can either select all elements you want to have hidden (which means that all remaining ones are shown) or you can select all elements you want to have shown (that means all remaining ones are hidden).

Notes:

Password

Here is an example of the dialog’s "Password" tab:

Password management of DirX Identity users
Only of interest if the server addresses a DirX Identity database. Among many other things, DirX Identity deals with DirX Identity users that are characterized by an additional password stored in the attribute dxmPassword. This password must - depending on the DirX Identity configuration - either be scrambled or two-way encrypted. If you modify the ordinary attribute userPassword through DirX Identity functionality, dxmPassword will be implicitly modified, too.

The core component of this application has generic password management functionality that is originally not DirX Identity aware. However, by completing the settings you can do here, you can have the core component behave like DirX Identity when modifying userPassword. The Host/Port fields relating to the password management of DirX Identity users are editable, if the schema contains the attribute dxmPassword (note that this can only be found out, if the schema can be read). In this case, the core component will consider this server a DirX Identity database. To be able to do so, the core component must enquire the DirX Identity configuration to find out, whether dxmPassword is to be scrambled or to be encrypted; in the latter case, also the key must be picked up. Note that the DirX Identity configuration may reside in a different server. By default, the server storing the DirX Identity database is assumed to also store the DirX Identity configuration.

If you leave the respective Host/Port fields empty or if dxmPassword cannot be detected in the schema, the core component will not implicitly deal with the attribute dxmPassword.

Furthermore, if the server keeping the DirX Identity users is set up, the mirrored administrator user must be present in the Connectivity under the RDN dxmC=Users,dxmC=DirXmetahub.

Mail notification on password reset
If the affected users are to be notified by mail on password resets, you must specify host and port of the mail server as well as your credentials, i.e. your mail account and the belonging password. Note that the format of the mail account varies depending on the mail server in use. Common formats include: "<your domain/your name>", <your email address>, <a number>.
Note that the reset password functionality is only available, if the server indicates its support in the LDAP Root DSE ("Password Policy Control"; Object Identifier, displayed directly or thru tooltip: 1.3.6.1.4.1.42.2.27.8.5.1) and if the operational attribute pwdReset can be set.

See also: Property Tab "All Attributes", Change Password, Reset Password, User Password.

LDAP Root

Here is an example of the dialog’s "LDAP Root" tab:

This tab displays what the server returns if asked for "LDAP Root" (which is done by reading an entry with its DN being empty, i.e. DN=""). Details may vary from server to server, mainly depending on the vendor. Refer to the server’s original documentation for properties that are not self-explanatory. Note that modifying the LDAP Root is not supported. This application uses LDAP Root itself for a number of purposes; for example, to:

Open Server/Manage Server Profiles

The "Open Server" dialog may be configured in the menu (typically in the file menu). It allows you to open a pre-configured server profile. It also allows you to add new and delete/edit existing server groups profiles. New profiles can also be created based on existing ones ("Copy").

The slightly different "Manage Server Profiles" dialog may be available in the Login dialog. It has a "Close" button rather than an "Open" and a "Cancel" button, since an open button would not make sense in that context.