Chapter 4: Configure RadiantOne Server Settings
Configure the appropriate server settings on the Client Consumption Layer machine:
LDAP Controls and Extensions
RadiantOne supports the following controls and extensions:
Subtree Delete Control - 1.2.840.113556.1.4.805
Password expired notification control - 2.16.840.1.113730.3.4.4
Password expiring notification control - 2.16.840.1.113730.3.4.5
Password policy control - 1.3.6.1.4.1.42.2.27.8.5.1
Persistent search control - 2.16.840.1.113730.3.4.3
Virtual list view request control - 2.16.840.1.113730.3.4.9
Proxied authorization (version 2) control, described in RFC 4370 - 2.16.840.1.113730.3.4.18
Server-side sort request, described in RFC 2891 - 1.2.840.113556.1.4.473
Authorization bind identity response control, described in RFC 3829 - 2.16.840.1.113730.3.4.15
Authorization bind identity request control, described in RFC 3829 - 2.16.840.1.113730.3.4.16
Who Am I extended operation, described in RFC 4532 - 1.3.6.1.4.1.4203.1.11.3
Paged Results Control - 1.2.840.113556.1.4.319
Dynamic entries extension, described in RFC 2589 - 1.3.6.1.4.1.1466.101.119.1
All Operational Attributes feature, described in RFC 3673 - 1.3.6.1.4.1.4203.1.5.1
Absolute True and False Filters, described in RFC 4526 - 1.3.6.1.4.1.4203.1.5.3
The following controls that could be used in Sun Java Directory/ODSEE are not supported in RadiantOne:
Manage DSA IT control, described in RFC 3296 - 2.16.840.1.113730.3.4.2
Get effective rights request control - 1.3.6.1.4.1.42.2.27.9.5.2
Account usability control - 1.3.6.1.4.1.42.2.27.9.5.8
Specific backend search request control - 2.16.840.1.113730.3.4.14
Real attributes only request control - 2.16.840.1.113730.3.4.17
Virtual attributes only request control - 2.16.840.1.113730.3.4.19
Paged Results, VLV/Sort, Persistent Search and Proxy Authorization Controls are enabled from the Main Control Panel > Settings tab > Server front end > Supported Controls. For details about each, please see the RadiantOne System Administration Guide.
Password expired notification, password expiring notification, and password policy control are configured for password policies. Configure password policies on the Client Consumption layer.
Root DSE
Directory servers provide information about themselves to clients through the rootDSE. It contains information about the server in the form of attributes, some of which are multi-valued. The rootDSE may contain information about the vendor, the naming contexts the server supports, the LDAP controls the server supports, the supported SASL mechanisms, the schema location, and other information. The contents of the rootDSE generally determine the sequence and format of the requests clients issue to the server.
The RadiantOne rootDSE is located at <RLI_HOME>\vds_server\conf\rootdse.ldif and is the default content returned to clients when they request the rootDSE (an LDAP search request with an empty DN). Some LDAP clients search the rootDSE to determine the naming contexts available in the LDAP directory and leverage this information to determine the baseDN (starting point in the directory) to pass in search requests.
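As an added example (not RadiantOne code), the following Python script ties the two points above together: it parses a rootDSE export and reports which of the controls a legacy client depends on are not advertised in supportedControl. The rootDSE excerpt and the client's control list are constructed for the example; a real check would read <RLI_HOME>\vds_server\conf\rootdse.ldif or the result of an empty-DN search.

```python
"""Pre-migration compatibility check: which controls a legacy LDAP client
relies on does the target server actually advertise in its rootDSE?

Added example, not RadiantOne code. ROOTDSE_LDIF is a constructed excerpt in
the shape of a rootDSE export.
"""

# Constructed rootDSE excerpt. The advertised OIDs are the ones this chapter
# lists as supported; nothing here was captured from a real server.
ROOTDSE_LDIF = """\
dn:
objectClass: top
namingContexts: o=companydirectory
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.3
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
"""

# Readable names for the control OIDs this chapter mentions (supported and not).
CONTROL_NAMES = {
    "1.2.840.113556.1.4.319": "Paged Results",
    "1.2.840.113556.1.4.473": "Server-side sort (RFC 2891)",
    "2.16.840.1.113730.3.4.9": "Virtual list view request",
    "2.16.840.1.113730.3.4.3": "Persistent search",
    "2.16.840.1.113730.3.4.18": "Proxied authorization v2 (RFC 4370)",
    "1.3.6.1.4.1.42.2.27.8.5.1": "Password policy",
    "2.16.840.1.113730.3.4.2": "Manage DSA IT (RFC 3296)",
    "1.3.6.1.4.1.42.2.27.9.5.2": "Get effective rights request",
    "1.3.6.1.4.1.42.2.27.9.5.8": "Account usability",
}


def parse_rootdse(ldif_text):
    """Parse a single-entry LDIF into {attribute_name_lowercase: [values]}.

    LDIF folds long values onto following lines that begin with one space;
    those are joined back before the attribute name is split off.
    """
    logical_lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and logical_lines:
            logical_lines[-1] += raw[1:]
        else:
            logical_lines.append(raw)
    attrs = {}
    for line in logical_lines:
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def missing_controls(ldif_text, required_oids):
    """Return the required control OIDs that the rootDSE does not advertise.

    Only supportedControl is consulted; extended operations and features are
    advertised in supportedExtension / supportedFeatures and checked separately.
    """
    advertised = set(parse_rootdse(ldif_text).get("supportedcontrol", []))
    return sorted(oid for oid in required_oids if oid not in advertised)


def describe_missing(ldif_text, required_oids):
    """Map each missing OID to its name so the report reads well in a review."""
    return {oid: CONTROL_NAMES.get(oid, "unknown control")
            for oid in missing_controls(ldif_text, required_oids)}


if __name__ == "__main__":
    # Controls a hypothetical ODSEE-era client sends (constructed list).
    legacy_client_controls = [
        "1.2.840.113556.1.4.319",     # paged results
        "2.16.840.1.113730.3.4.2",    # Manage DSA IT
        "1.3.6.1.4.1.42.2.27.9.5.8",  # account usability
    ]
    for oid, name in describe_missing(ROOTDSE_LDIF, legacy_client_controls).items():
        print(f"not advertised: {name} ({oid})")
```

Run the same check against the real rootDSE before cutting clients over; the controls this chapter marks as unsupported in RadiantOne (Manage DSA IT, account usability, and so on) surface here, and the client must be reconfigured not to send them rather than expecting the server to honour them silently.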
Plug-ins
Some legacy LDAP directories support plug-ins that add specific functionality to the server.
Some of the most commonly used plug-ins, and how to configure comparable functionality in RadiantOne, are described in this section.
Attribute Uniqueness
The Attribute Uniqueness plug-in in legacy LDAP directories ensures that the value of a given attribute is unique among all entries of a subtree.
To enable comparable functionality in RadiantOne, from the Main Control Panel, navigate to the Settings tab > Interception section (requires Expert Mode) > Special Attributes Handling. Locate the Attribute Uniqueness setting and configure the attributes there.
Referential Integrity
The Referential Integrity plug-in in legacy LDAP directories performs integrity updates on specified attributes immediately after a delete, rename, or move operation. It ensures that all attributes that reference the deleted, renamed, or moved entry are updated accordingly.
To enable comparable functionality in RadiantOne, from the Main Control Panel, navigate to the Settings tab > Interception section (requires Expert Mode) > Special Attributes Handling. Locate the Referential Integrity setting and configure the references there.
isMemberOf
The isMemberOf plug-in in legacy LDAP directories enables clients to check a user's group membership by requesting the isMemberOf attribute in the user entries. This can be more efficient than searching group entries for a uniquemember value (especially where group entries are large or have many members).
To enable comparable functionality in RadiantOne, from the Main Control Panel, navigate to the Settings tab > Interception section (requires Expert Mode) > Special Attributes Handling. Locate the Linked Attributes setting and configure the link between the location of users and the location of the groups they may be members of. RadiantOne computes isMemberOf only when a client explicitly requests the attribute.
This setting can also be used for other back-link/forward-link attributes (e.g. manager, owner, reportsTo, etc.).
Strong Password Check
The Strong Password Check plug-in enables the Directory Server to verify that a user's password does not contain disallowed strings from a specified dictionary file. This can be used as a method to enforce strong password policies. To enable comparable functionality in RadiantOne, from the Main Control Panel, navigate to the Settings tab > Security > Password Policies. Locate the Password Content section and check the option to Enable Dictionary Check. Click Browse to navigate to the dictionary file.
The dictionary file must be a text-formatted file containing one dictionary word per line.
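As an added example (not RadiantOne's implementation), here is the check in Python: a dictionary loaded from one-word-per-line text, and a password rejected when it contains any of those words. Case-insensitive substring matching and the minimum dictionary word length are assumptions, since the chapter does not state how RadiantOne matches; the dictionary content is constructed.

```python
"""Dictionary-based password content check in the shape this chapter
describes: a text file with one forbidden word per line, and a password is
rejected if it contains any of those words.

Added example, not RadiantOne's implementation. Assumptions (not stated in
the chapter): matching is case-insensitive substring matching, and very
short dictionary words are skipped so an entry such as "a" does not reject
every password.
"""

# Constructed dictionary file content (one word per line, as the chapter
# requires). Blank lines and Windows line endings are tolerated on load.
DICTIONARY_TEXT = "password\r\nwelcome\r\ncompanyname\r\n\r\nqwerty\r\n"

MIN_WORD_LENGTH = 4  # assumption: ignore dictionary entries shorter than this


def load_dictionary(text, min_length=MIN_WORD_LENGTH):
    """Parse one-word-per-line dictionary text into a set of lowercase words."""
    words = set()
    for line in text.splitlines():
        word = line.strip().lower()
        if len(word) >= min_length:
            words.add(word)
    return words


def dictionary_hits(password, words):
    """Return the dictionary words found inside the password (case-insensitive)."""
    lowered = password.lower()
    return sorted(w for w in words if w in lowered)


def passes_dictionary_check(password, words):
    """True when no dictionary word appears anywhere in the password."""
    return not dictionary_hits(password, words)


if __name__ == "__main__":
    words = load_dictionary(DICTIONARY_TEXT)
    for candidate in ("MyPassword2024!", "correct horse battery staple"):
        verdict = "ok" if passes_dictionary_check(candidate, words) else "rejected"
        print(f"{candidate!r}: {verdict} {dictionary_hits(candidate, words)}")
```

The substring rule is deliberately stricter than an exact-match rule: "MyPassword2024!" is rejected because it contains "password", which is the case a dictionary check exists to catch. Put the organisation's own name and product names in the file alongside the generic words.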
Schema
The RadiantOne LDAP schema consists of a series of LDIF files located at <RLI_HOME>\vds_server\conf\ldapschema_XX.ldif, where XX is the number indicating the order in which the files are loaded. To extend the schema, the easiest approach is to get the object classes and attributes in LDIF format and then name the file ldapschema_XX.ldif, where XX is the sequence in which you want the file loaded.
IMPORTANT NOTE - If you apply a new ldapschema_XX.ldif file with a number GREATER than 50 (e.g. ldapschema_51.ldif) and it includes object classes or attributes that are already defined in the VDS schema (in lower-numbered schema files), the existing definitions are overridden with the latest definitions. This only starts AFTER the ldapschema_50.ldif file; otherwise, the definitions in the lower-numbered files are not overridden.
If the LDAP directory stores the schema information in the cn=schema naming context, connect to this naming context from the RadiantOne LDAP Browser and export the schema to LDIF from there. Name the file ldapschema_XX.ldif (where XX is the sequence in which you want the schema loaded) and save it in <RLI_HOME>/vds_server/conf.
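The override rule above decides which definition is live when a migrated schema file and a shipped one name the same attribute or object class. As an added example (not RadiantOne's loader), the Python below applies that rule to a set of in-memory schema fragments and reports the winning definition per name plus every override that took place. The fragments are constructed, and the OID arc 1.3.6.1.4.1.99999 is a placeholder, not a real assignment.

```python
"""Resolve which schema definition wins when several ldapschema_XX.ldif files
define the same attribute type or object class, following the rule this
chapter states: files load in XX order, and only a file numbered above 50
overrides a definition already loaded from a lower-numbered file.

Added example, not RadiantOne's loader. File contents are constructed and the
OID arc 1.3.6.1.4.1.99999 is a placeholder.
"""
import re

SCHEMA_FILE_RE = re.compile(r"^ldapschema_(\d+)\.ldif$")
OVERRIDE_THRESHOLD = 50  # chapter: overriding starts after ldapschema_50.ldif

# Constructed schema fragments keyed by file name.
SCHEMA_FILES = {
    "ldapschema_00.ldif": (
        "dn: cn=schema\n"
        "attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'employeeType' DESC 'base definition' "
        "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )\n"
        "objectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'legacyPerson' SUP top AUXILIARY "
        "MAY ( employeeType ) )\n"
    ),
    # Below the threshold: this redefinition of legacyPerson must be ignored.
    "ldapschema_10.ldif": (
        "dn: cn=schema\n"
        "objectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'legacyPerson' SUP top AUXILIARY "
        "MAY ( employeeType $ mail ) )\n"
    ),
    # Above the threshold: this redefinition of employeeType replaces the earlier one.
    "ldapschema_60.ldif": (
        "dn: cn=schema\n"
        "attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'employeeType' DESC 'replacement' "
        "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )\n"
    ),
}

DEFINITION_RE = re.compile(
    r"^(attributeTypes|objectClasses):\s*\(.*?NAME\s+'([^']+)'", re.IGNORECASE)


def sequence_number(filename):
    """XX from ldapschema_XX.ldif, or None for files that are not schema files."""
    m = SCHEMA_FILE_RE.match(filename)
    return int(m.group(1)) if m else None


def load_order(filenames):
    """Schema files sorted numerically by XX (so 9 precedes 10, unlike a string sort)."""
    numbered = [(sequence_number(f), f) for f in filenames
                if sequence_number(f) is not None]
    return [f for _, f in sorted(numbered)]


def definitions_in(ldif_text):
    """(kind, name) for each attributeTypes:/objectClasses: line.

    Only the single-quoted NAME form is handled; NAME ( 'a' 'b' ) alias lists are not.
    """
    found = []
    for line in ldif_text.splitlines():
        m = DEFINITION_RE.match(line)
        if m:
            found.append((m.group(1).lower(), m.group(2)))
    return found


def effective_schema(files):
    """Return ({(kind, name): winning_file}, [(key, replaced_file, replacing_file)])."""
    winners, overrides = {}, []
    for filename in load_order(files):
        seq = sequence_number(filename)
        for key in definitions_in(files[filename]):
            if key not in winners:
                winners[key] = filename
            elif seq > OVERRIDE_THRESHOLD:
                overrides.append((key, winners[key], filename))
                winners[key] = filename
            # else: a lower-numbered file already defined it; that definition stands
    return winners, overrides


if __name__ == "__main__":
    winners, overrides = effective_schema(SCHEMA_FILES)
    for key, src in sorted(winners.items()):
        print(f"{key[0]} {key[1]}: from {src}")
    for key, old, new in overrides:
        print(f"override: {key[1]} in {old} replaced by {new}")
```

Run this over the real <RLI_HOME>/vds_server/conf directory (read each file into the dictionary) before loading a migrated schema: an unexpected entry in the overrides list means a file numbered above 50 is silently replacing a shipped definition, which is exactly the situation the note above warns about.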
Access Controls
RadiantOne provides migration utilities to assist with translating the existing access controls into RadiantOne format. The aciUtils and ibmAciMigration utilities are located in <RLI_HOME>/bin/advanced.
For details on using these utilities to migrate ACLs from the backend LDAP directory to RadiantOne Universal Directory (HDAP), see the RadiantOne ACI Migration Guide.
Access controls can be viewed and defined manually from the Main Control Panel > Settings tab > Security > Access Controls section.
Password Policies
To support best practices around auditing and maintenance, RadiantOne only supports password policies assigned to LDAP groups or sub-trees (users located in a given container in the FID namespace). Password policies defined at the user level are not supported. If you are replacing an LDAP directory that enforces password policies at the user level (e.g. in the passwordPolicySubentry attribute), then when preparing the LDIF from the underlying directory (which you will use to initialize RadiantOne Universal Directory), do not include the passwordPolicySubentry attribute, and move to password policies defined at the group and/or "OU" (subtree) level. Details about the RadiantOne password policy implementation are here:
The screen shot below shows the possible properties for RadiantOne Universal Directory password policies. For details on the properties see the RadiantOne System Administration Guide.
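Removing the per-user passwordPolicySubentry attribute from the export, as the section above requires, is easy to get wrong by hand because LDIF folds long values across lines and may base64-encode them. As an added example (not a RadiantOne utility), the Python below strips every value of a named attribute from an LDIF export, handling the plain, folded and base64 (`::`) forms; the two entries it operates on are constructed.

```python
"""Drop a per-user attribute from an LDIF export before it is used to
initialize a directory; here the attribute is passwordPolicySubentry, which
this chapter says to leave out because RadiantOne applies password policies
at group or subtree level only.

Added example, not a RadiantOne utility. SAMPLE_LDIF is constructed and shows
the three LDIF forms a value can take: plain, folded across continuation
lines, and base64-encoded (written with '::').
"""

# Constructed LDIF export with two entries (not from a real directory).
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=people,o=companydirectory
objectClass: inetOrgPerson
uid: jdoe
passwordPolicySubentry: cn=strict policy,cn=Password Policies,
 cn=config
mail: jdoe@example.com

dn: uid=asmith,ou=people,o=companydirectory
objectClass: inetOrgPerson
uid: asmith
passwordpolicysubentry:: Y249ZGVmYXVsdCBwb2xpY3ksY249Y29uZmln
mail: asmith@example.com
"""


def attribute_name(line):
    """Attribute name of an LDIF line, lowercased, without options such as ';binary'."""
    name = line.split(":", 1)[0]
    return name.split(";", 1)[0].strip().lower()


def strip_attribute(ldif_text, attribute):
    """Return ldif_text with every value of `attribute` removed from every entry.

    Attribute names are case-insensitive in LDAP, so the comparison is done in
    lowercase. A line beginning with a space continues the previous value and
    is dropped together with it.
    """
    wanted = attribute.lower()
    kept = []
    dropping = False
    for raw in ldif_text.splitlines():
        if raw.startswith(" "):          # continuation of the previous logical line
            if not dropping:
                kept.append(raw)
            continue
        dropping = False
        if raw and not raw.startswith("#") and attribute_name(raw) == wanted:
            dropping = True              # skip this line and its continuation lines
            continue
        kept.append(raw)
    text = "\n".join(kept)
    return text + "\n" if ldif_text.endswith("\n") else text


def count_values(ldif_text, attribute):
    """Number of logical lines carrying `attribute` (continuation lines not counted)."""
    wanted = attribute.lower()
    return sum(1 for raw in ldif_text.splitlines()
               if raw and not raw.startswith((" ", "#")) and attribute_name(raw) == wanted)


def count_entries(ldif_text):
    """Number of entries, counted by their dn: lines."""
    return count_values(ldif_text, "dn")


if __name__ == "__main__":
    cleaned = strip_attribute(SAMPLE_LDIF, "passwordPolicySubentry")
    print(cleaned)
    print("entries:", count_entries(cleaned),
          "remaining policy references:", count_values(cleaned, "passwordPolicySubentry"))
```

After stripping, compare entry counts before and after and confirm the attribute count is zero; the users that carried a per-user policy then need to be placed in a group or container that the corresponding group- or subtree-level RadiantOne policy covers, otherwise they fall back to the default policy.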