Configuring OpenDS with dsconfig -- part 2

Several weeks ago, I wrote about the dsconfig tool that can be used to help manage the OpenDS configuration. It provides a convenient way to view and edit the server configuration, and it can be very helpful in writing administrative scripts, much like the dscfg tool does in DSEE 6.

Honestly, though, I think that it's time to come clean about something: whenever I'm configuring DSEE 6, I rarely use the dscfg tool. I think the main reason for this is that I got so used to managing the server with ldapmodify over the years with the 3.x, 4.x, and 5.x versions that it's always been just as easy for me to use ldapmodify (since I know all of the configuration entry DNs and attribute names by heart) as to try to remember all of the command line arguments to make dscfg do what I want.

Until very recently, I had fallen into the same trap with the OpenDS dsconfig tool. However, last week Matt Swift updated the dsconfig tool to provide a new interactive mode that takes all the effort out of it. The interactive mode isn't suitable for use in writing scripts that automate config changes, but the non-interactive mode is still available for that. However, if you just want to make a configuration change to the server (or even if you just want to see what is available to be configured) then I think that you'll like the new interactive mode.

To start it up in interactive mode, simply invoke the dsconfig tool with no arguments. For example, on a UNIX-based system, you can just use:
bin/dsconfig
The tool will then prompt you for information about how to connect to the server, and then it will present you with a menu of options. You can use this interactive mode to view information about the current configuration, edit or remove existing configuration objects, or create new configuration objects (basically, all of the same things that you can do with the non-interactive mode, but without the need to remember any subcommand, argument, or property names).

As an example, here's the output from a session that I used to edit the default password policy in order to configure passwords to expire after 90 days. I've formatted the output so that the stuff I typed is bold and underlined and the output from the tool is in italics:
$ bin/dsconfig


>>>> Specify OpenDS LDAP connection parameters

Directory server hostname or IP address [localhost]: 127.0.0.1

Directory server port number [389]: 389

Administrator user bind DN [cn=directory manager]: cn=Directory Manager

Password for user 'cn=directory manager': password


>>>> OpenDS configuration console main menu

What do you want to configure?

    1)   Access Control Handler               20)  Matching Rule
    2)   Account Status Notification Handler  21)  Monitor Provider
    3)   Alert Handler                        22)  Multimaster Domain
    4)   Attribute Syntax                     23)  Password Generator
    5)   Backend                              24)  Password Policy
    6)   Certificate Mapper                   25)  Password Storage Scheme
    7)   Connection Handler                   26)  Password Validator
    8)   Crypto Manager                       27)  Plugin
    9)   Debug Target                         28)  Plugin Root
    10)  Entry Cache                          29)  Replication Server
    11)  Extended Operation Handler           30)  Root DN
    12)  Global Configuration                 31)  Root DSE Backend
    13)  Group Implementation                 32)  SASL Mechanism Handler
    14)  Identity Mapper                      33)  Synchronization Provider
    15)  JE Index                             34)  Trust Manager
    16)  Key Manager                          35)  Virtual Attribute
    17)  Log Publisher                        36)  VLV JE Index
    18)  Log Retention Policy                 37)  Work Queue
    19)  Log Rotation Policy

    q)   quit

Enter choice: 24


>>>> Password Policy management menu

What would you like to do?

    1)  List existing Password Policies
    2)  Create a new Password Policy
    3)  View and edit an existing Password Policy
    4)  Delete an existing Password Policy

    b)  back
    q)  quit

Enter choice [b]: 3


>>>> Select the Password Policy from the following list:

    1)  Default Password Policy
    2)  Root Password Policy

    c)  cancel
    q)  quit

Enter choice [c]: 1


>>>> Configure the properties of the Password Policy

         Property                                   Value(s)
    ---------------------------------------------------------------------------
    1)   account-status-notification-handler-dn     -
    2)   allow-expired-password-changes             false
    3)   allow-multiple-password-values             false
    4)   allow-pre-encoded-passwords                false
    5)   allow-user-password-changes                true
    6)   default-password-storage-scheme            SSHA
    7)   deprecated-password-storage-scheme         -
    8)   expire-passwords-without-warning           false
    9)   force-change-on-add                        false
    10)  force-change-on-reset                      false
    11)  grace-login-count                          0
    12)  idle-lockout-interval                      0 s
    13)  last-login-time-attribute                  -
    14)  last-login-time-format                     -
    15)  lockout-duration                           0 s
    16)  lockout-failure-count                      0
    17)  lockout-failure-expiration-interval        0 s
    18)  maximum-password-age                       0 s
    19)  maximum-password-reset-age                 0 s
    20)  minimum-password-age                       0 s
    21)  password-attribute                         userpassword
    22)  password-change-requires-current-password  false
    23)  password-expiration-warning-interval       5 d
    24)  password-generator-dn                      "cn=Random Password
                                                    Generator,cn=Password
                                                    Generators,cn=config"
    25)  password-history-count                     0
    26)  password-history-duration                  0 s
    27)  password-validator-dn                      -
    28)  previous-last-login-time-format            -
    29)  require-change-by-time                     -
    30)  require-secure-authentication              false
    31)  require-secure-password-changes            false
    32)  skip-validation-for-administrators         false
    33)  state-update-failure-policy                reactive

    ?)   help
    f)   finish - apply any changes to the Password Policy
    c)   cancel
    q)   quit

Enter choice [f]: 18


>>>> Configuring the "maximum-password-age" property

    Specifies the maximum length of time that a user may continue using the
    same password before it must be changed.

    Specifies the maximum length of time that a user may continue using the
    same password before it must be changed (i.e., the password expiration
    interval). The value of this attribute should be an integer followed by a
    unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds will
    disable password expiration. Changes to this configuration attribute will
    take effect immediately.

    Syntax: DURATION (s)

Do you want to modify the "maximum-password-age" property?

    1)  Keep the default value: 0 s
    2)  Change the value

    ?)  help
    q)  quit

Enter choice [1]: 2


Enter a value for the "maximum-password-age" property [continue]: 90 days

Press RETURN to continue


>>>> Configure the properties of the Password Policy

         Property                                   Value(s)
    ---------------------------------------------------------------------------
    1)   account-status-notification-handler-dn     -
    2)   allow-expired-password-changes             false
    3)   allow-multiple-password-values             false
    4)   allow-pre-encoded-passwords                false
    5)   allow-user-password-changes                true
    6)   default-password-storage-scheme            SSHA
    7)   deprecated-password-storage-scheme         -
    8)   expire-passwords-without-warning           false
    9)   force-change-on-add                        false
    10)  force-change-on-reset                      false
    11)  grace-login-count                          0
    12)  idle-lockout-interval                      0 s
    13)  last-login-time-attribute                  -
    14)  last-login-time-format                     -
    15)  lockout-duration                           0 s
    16)  lockout-failure-count                      0
    17)  lockout-failure-expiration-interval        0 s
    18)  maximum-password-age                       12 w 6 d
    19)  maximum-password-reset-age                 0 s
    20)  minimum-password-age                       0 s
    21)  password-attribute                         userpassword
    22)  password-change-requires-current-password  false
    23)  password-expiration-warning-interval       5 d
    24)  password-generator-dn                      "cn=Random Password
                                                    Generator,cn=Password
                                                    Generators,cn=config"
    25)  password-history-count                     0
    26)  password-history-duration                  0 s
    27)  password-validator-dn                      -
    28)  previous-last-login-time-format            -
    29)  require-change-by-time                     -
    30)  require-secure-authentication              false
    31)  require-secure-password-changes            false
    32)  skip-validation-for-administrators         false
    33)  state-update-failure-policy                reactive

    ?)   help
    f)   finish - apply any changes to the Password Policy
    c)   cancel
    q)   quit

Enter choice [f]: f
The Password Policy was modified successfully

Press RETURN to continue


>>>> Password Policy management menu

What would you like to do?

    1)  List existing Password Policies
    2)  Create a new Password Policy
    3)  View and edit an existing Password Policy
    4)  Delete an existing Password Policy

    b)  back
    q)  quit

Enter choice [b]: q
$

As I mentioned above, this was just integrated last week, so it will be in our next build (build005, which will hopefully be available at the end of this week). If you want to try it out before then, feel free to check out and build the server for yourself.
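
An offline check of the property table from the session above, added here as an example (it is not part of the original post or of OpenDS). It parses the listing, including the wrapped password-generator-dn value, confirms that the displayed 12 w 6 d equals the 90 days that was entered, and flags settings against a baseline. The function names and the baseline rules are hypothetical, and reading lockout-failure-count 0 as "lockout off" is an assumption.

```python
import re

# Constructed sample: a trimmed copy of the property table dsconfig printed
# above, keeping the value that wraps across three lines.
SAMPLE = '''\
         Property                                   Value(s)
    ---------------------------------------------------------------------------
    16)  lockout-failure-count                      0
    18)  maximum-password-age                       12 w 6 d
    24)  password-generator-dn                      "cn=Random Password
                                                    Generator,cn=Password
                                                    Generators,cn=config"
    27)  password-validator-dn                      -
    30)  require-secure-authentication              false
'''

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
ROW = re.compile(r"^\s*\d+\)\s+(\S+)\s+(.*\S)\s*$")

def parse_properties(text):
    """Parse a property table into {name: value}; expects only the table."""
    props, last = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            last = m.group(1)
            props[last] = m.group(2)
        elif last and line.startswith(" " * 20) and line.strip():
            props[last] += " " + line.strip()  # wrapped value, broken at a space
    return props

def duration_seconds(value):
    """Convert a displayed duration such as '12 w 6 d' or '0 s' to seconds."""
    parts = re.findall(r"(\d+)\s*([smhdw])", value)
    return sum(int(n) * UNIT_SECONDS[u] for n, u in parts)

def audit(props):
    """Flag settings against a hypothetical baseline chosen for this example."""
    findings = []
    if duration_seconds(props.get("maximum-password-age", "0 s")) == 0:
        findings.append("maximum-password-age: expiration disabled")
    if props.get("lockout-failure-count") == "0":  # assumption: 0 = lockout off
        findings.append("lockout-failure-count: no lockout configured")
    if props.get("password-validator-dn") == "-":
        findings.append("password-validator-dn: no validator configured")
    if props.get("require-secure-authentication") == "false":
        findings.append("require-secure-authentication: not required")
    return findings
```

Feed it the table as printed before the change (maximum-password-age 0 s) and the expiration finding appears as well.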

Comments:

This looks pretty cool. Neil, you seem not to like accepting defaults or you are just too fast with the keyboard (otherwise I don't understand why you needed to enter anything for hostname, port number and the administrator user bind dn). Another question: do you anticipate the dscfg tool to be internationalized at one point? If so, I assume that not just the order (the top-level menu seems to be sorted alphabetically), but the keyboard shortcuts should be customizable.

Posted by Bertold_Kolics on September 10, 2007 at 04:34 AM CDT #

I really didn't need to enter the hostname, port number, or bind DN. I could have just pressed ENTER to accept the defaults. I just typed them in this case because it was easier to show that than to indicate that I pressed ENTER without typing anything.

As for internationalization, yes we do intend to do that (although because of the effort involved, and because it's a constantly moving target with new messages added and existing messages changing all the time, we will probably only provide internationalized versions of the Sun product based on OpenDS). However, I'm honestly not sure how far that internationalization will extend. We won't internationalize subcommands or argument names for the non-interactive version. Most of the dsconfig logic is automatically generated from our configuration framework, and there are provisions for internationalizing things like descriptions, but I'm really not sure about whether component names were intended to be part of that. If you're interested in getting the answer from someone that knows more about that than I do, then users@opends.dev.java.net is probably the best place to ask.

Posted by Neil A. Wilson on September 10, 2007 at 04:49 AM CDT #
