<?xml version="1.0" encoding="UTF-8"?>
<!--
  ! This work is licensed under the Creative Commons
  ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
  ! To view a copy of this license, visit
  ! or send a letter to Creative Commons, 444 Castro Street,
  ! Suite 900, Mountain View, California, 94041, USA.
  !
  ! You can also obtain a copy of the license at
  ! trunk/opendj3/legal-notices/CC-BY-NC-ND.txt.
  ! See the License for the specific language governing permissions
  ! and limitations under the License.
  !
  ! If applicable, add the following below this CCPL HEADER, with the fields
  ! enclosed by brackets "[]" replaced with your own identifying information:
  ! Portions Copyright [yyyy] [name of copyright owner]
  !
  ! Copyright 2011-2013 ForgeRock AS
-->
<chapter xml:id='chap-admin-tools'
xmlns='' version='5.0' xml:lang='en'
<title>Administration Interfaces &amp; Tools</title>
<para>OpenDJ server software installs with a cross-platform, Java Swing-based
Control Panel for many day-to-day tasks. OpenDJ server software also installs
command-line tools for configuration and management tasks.</para>
<para>This chapter is one of the few to include screen shots of the Control
Panel. Most examples make use of the command-line tools. Once you understand
the concepts, and how to perform a task using the command-line tools, you
no doubt need only to know where to start in the Control Panel to
accomplish what you set out to do.</para>
<para>At a protocol level, administration tools and interfaces connect to
servers through a different network port than that used to listen for traffic
from other client applications.</para>
<para>This chapter takes a quick look at the tools for managing directory
<section xml:id="control-panel">
<title>Control Panel</title>
<indexterm><primary>Control panel</primary></indexterm>
<para>OpenDJ Control Panel offers a graphical user interface for
managing both local and remote servers. You choose the server to manage
when you start the Control Panel. The Control Panel connects to the
administration server port, making a secure LDAPS connection.</para>
<para>Start OpenDJ Control Panel.</para>
<para>(UNIX) Run <command>opendj/bin/control-panel</command>.</para>
<para>(Windows) Double-click <filename>opendj\bat\control-panel.bat</filename>.</para>
<para>(Mac OS X) Double-click <filename>opendj/bin/</filename>.</para>
<para>When you log in to OpenDJ Control Panel, you authenticate over LDAP.
This means that if users can run the Control Panel, they can use it to manage
a running server. Yet, to start and stop the server process through OpenDJ
Control Panel, you must start the Control Panel on the system where OpenDJ
runs, as the user who owns the OpenDJ server files (such as the user who
installed OpenDJ). In other words, the OpenDJ Control Panel does not do
remote process management.</para>
<mediaobject xml:id="figure-opendj-control-panel">
<imagedata fileref="images/OpenDJ-Control-Panel.png" format="PNG" />
<caption><para>OpenDJ Control Panel displays key information about the
<para>Down the left side of OpenDJ Control Panel, notice what you can
<term>Directory Data</term>
<para>Directory data provisioning is typically not something you do
by hand in most deployments. Usually entries are created, modified, and
deleted through specific directory client applications. The Manage
Entries window can be useful, however, both in the lab as you design
and test directory data, and also if you modify individual ACIs or
debug issues with particular entries.</para>
<mediaobject xml:id="figure-manage-entries">
<imagedata fileref="images/Manage-Entries.png" format="PNG" />
<caption><para>The Manage Entries window can check that your changes are
valid before sending the request to the directory.</para></caption>
<para>Additionally, the Directory Data list makes it easy to create
a new base DN, and then import user data for the new base DN from LDIF.
You can also use the tools in the list to export user data to LDIF,
and to back up and restore user data.</para>
<para>The Manage Schema window lets you browse and modify the rules
that define how data is stored in the directory. You can add new schema
definitions such as new attribute types and new object classes while the
server is running, and the changes you make take effect immediately.</para>
<para>The Manage Indexes window gives you a quick overview of all
the indexes currently maintained for directory attributes. To protect
your directory resources from being absorbed by costly searches on
unindexed attributes, you may choose to keep the default behavior,
which prevents unindexed searches, and instead add the indexes that
specific applications require. (Notice that if the number of user data
entries is smaller than the default resource limits, you can still perform
what appear to be unindexed searches. That is because the
<literal>dn2id</literal> index returns all user data entries without
hitting a resource limit that would make the search unindexed.)</para>
<para>OpenDJ Control Panel also allows you to verify and rebuild
existing indexes, which you may have to do after an upgrade operation,
or if you have reason to suspect index corruption.</para>
<para>The Monitoring list gives you windows to observe information
about the system and the JVM used, as well as indications of how the cache
is used, whether the work queue has been filling up, and details
about the database. You can also view the numbers and types of requests
arriving over the connection handlers, and the current tasks in
progress.</para>
<term>Runtime Options</term>
<para>If you did not set appropriate JVM runtime options during the
installation process, this is the list that allows you to do so through
the Control Panel.</para>
<section xml:id="cli-overview">
<title>Command-Line Tools</title>
<para>All OpenDJ command-line tools take the <option>--help</option> option.</para>
<para>All commands call Java programs and therefore involve starting a
<para>Setup, upgrade, and uninstall tools are located in the directory where
you unpacked OpenDJ, such as <filename>/path/to/opendj</filename>. Find the
additional command-line tools for your platform.</para>
<para>(UNIX) In <filename>opendj/bin</filename>.</para>
<para>(Windows) In <filename>opendj\bat</filename>.</para>
<para>The following list uses the UNIX names for the tools. On Windows
all command-line tools have the extension .bat.</para>
<term><link xlink:href="admin-guide#backup-1"
<para>Back up or schedule backup of directory data.</para>
<term><link xlink:href="admin-guide#base64-1"
<para>Encode and decode data in base64 format.</para>
<para>Base64 encoding represents binary data in ASCII, and can be used to
encode character strings in LDIF, for example.</para>
<term><link xlink:href="admin-guide#create-rc-script-1"
<para>Generate a script you can use to start, stop, and restart the server
either directly or at system boot and shutdown. Use <command>create-rc-script -f
<term><link xlink:href="admin-guide#dbtest-1"
<para>Debug JE databases.</para>
<term><link xlink:href="admin-guide#dsconfig-1"
<para>The <command>dsconfig</command> command is the primary command-line
tool for viewing and editing OpenDJ configuration. When started without
arguments, <command>dsconfig</command> prompts you for administration
connection information. Once connected it presents you with a menu-driven
interface to the server configuration.</para>
<para>When you pass connection information, subcommands, and additional
options to <command>dsconfig</command>, the command runs in script mode
and so is not interactive.</para>
<para>You can prepare <command>dsconfig</command> batch scripts by running
the tool with the <option>--commandFilePath</option> option in interactive
mode, then reading from the batch file with the
<option>--batchFile</option> option in script mode. Batch files can be
useful when you have many <command>dsconfig</command> commands to run
and want to avoid starting the JVM and setting up a new connection for
each command.</para>
<para>In addition to the <link xlink:href="admin-guide#dsconfig-1"
xlink:role="">dsconfig</link> reference
that covers subcommands, the <link xlink:show="new"
><citetitle>Configuration Reference</citetitle></link> covers the
properties you can set using the <command>dsconfig</command>
<term><link xlink:href="admin-guide#dsframework-1"
<para>Manage server registration, server groups, and administrative
<term><link xlink:href="admin-guide#dsjavaproperties-1"
<para>Apply changes you make to
<filename>opendj/config/</filename>, which sets Java
runtime options.</para>
<term><link xlink:href="admin-guide#dsreplication-1"
<para>Configure data replication between directory servers to keep their
contents in sync.</para>
<term><link xlink:href="admin-guide#encode-password-1"
<para>Encode a cleartext password according to one of the available
storage schemes.</para>
<term><link xlink:href="admin-guide#export-ldif-1"
<para>Export directory data to LDAP Data Interchange Format, a standard,
portable, text-based representation of directory content.</para>
<term><link xlink:href="admin-guide#import-ldif-1"
<para>Load LDIF content into the directory, overwriting existing
<term><link xlink:href="admin-guide#ldapcompare-1"
<para>Compare the attribute values you specify with those stored on
entries in the directory.</para>
<term><link xlink:href="admin-guide#ldapdelete-1"
<para>Delete one entry or an entire branch of subordinate entries in the
<term><link xlink:href="admin-guide#ldapmodify-1"
<para>Modify the specified attribute values for the specified
<para>Use the <command>ldapmodify</command> command with the
<option>-a</option> option to add new entries.</para>
<term><link xlink:href="admin-guide#ldappasswordmodify-1"
<para>Modify user passwords.</para>
<term><link xlink:href="admin-guide#ldapsearch-1"
<para>Search a branch of directory data for entries matching the LDAP
filter that you specify.</para>
<term><link xlink:href="admin-guide#ldif-diff-1"
<para>Display differences between two LDIF files, with the resulting output
in LDIF format.</para>
<term><link xlink:href="admin-guide#ldifmodify-1"
<para>Similar to the <command>ldapmodify</command> command, modify
specified attribute values for specified entries in an LDIF file.</para>
<term><link xlink:href="admin-guide#ldifsearch-1"
<para>Similar to the <command>ldapsearch</command> command, search a branch
of data in LDIF for entries matching the LDAP filter you specify.</para>
<term><link xlink:href="admin-guide#list-backends-1"
<para>List backends and base DNs served by OpenDJ.</para>
<term><link xlink:href="admin-guide#make-ldif-1"
<para>Generate directory data in LDIF, based on templates that define how
the data should appear.</para>
<para>The <command>make-ldif</command> command is designed to help you
quickly generate test data that mimics data you expect to have in
production, but without compromising private information.</para>
<term><link xlink:href="admin-guide#manage-account-1"
<para>Lock and unlock user accounts, and view and manipulate password
policy state information.</para>
<term><link xlink:href="admin-guide#manage-tasks-1"
<para>View information about tasks scheduled to run in the server, and
cancel specified tasks.</para>
<term><link xlink:href="admin-guide#rebuild-index-1"
<para>Rebuild an index stored in a JE backend.</para>
<term><link xlink:href="admin-guide#restore-1"
<para>Restore user data from backup.</para>
<term><link xlink:href="admin-guide#start-ds-1"
<para>Start OpenDJ directory server.</para>
<term><link xlink:href="admin-guide#status-1"
<para>Display information about the server.</para>
<term><link xlink:href="admin-guide#stop-ds-1"
<para>Stop OpenDJ directory server.</para>
<term><link xlink:href="admin-guide#verify-index-1"
<para>Verify that an index stored in a JE backend is not corrupt.</para>
<term>windows-service.bat (Windows)</term>
<para>Register OpenDJ as a Windows Service.</para>
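<para>The <command>base64</command> entry above notes that base64 can be used to encode character strings in LDIF. The following added example is not part of the OpenDJ documentation or tools: it applies the RFC 2849 rule for when an attribute value must be written in base64 (<literal>attr:: value</literal>), and decodes such lines again. The function names and sample values are constructed for illustration.</para>

```python
import base64

# RFC 2849: a value may be written as-is only if it is a SAFE-STRING.
UNSAFE_ANYWHERE = {0x00, 0x0A, 0x0D}   # NUL, LF, CR
UNSAFE_FIRST = {0x20, 0x3A, 0x3C}      # SPACE, ':', '<'


def is_safe_string(raw: bytes) -> bool:
    """Return True if raw can appear in LDIF without base64 encoding."""
    if not raw:
        return True
    # A leading SPACE, ':' or '<', or a trailing SPACE, forces base64.
    if raw[0] in UNSAFE_FIRST or raw[-1] == 0x20:
        return False
    # Every byte must be 7-bit ASCII and not NUL, LF or CR.
    return all(b < 0x80 and b not in UNSAFE_ANYWHERE for b in raw)


def to_ldif_line(attr: str, value) -> str:
    """Format one attribute value as an (unfolded) LDIF line."""
    raw = value.encode("utf-8") if isinstance(value, str) else bytes(value)
    if is_safe_string(raw):
        return f"{attr}: {raw.decode('ascii')}"
    return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"


def from_ldif_line(line: str):
    """Parse one unfolded LDIF attribute line into (attr, raw_bytes)."""
    attr, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("not an attribute line")
    if rest.startswith(":"):
        # 'attr:: ...' marks a base64 value; reject malformed input.
        return attr, base64.b64decode(rest[1:].strip(), validate=True)
    if rest.startswith("<"):
        raise ValueError("URL-referenced values are not handled here")
    return attr, rest.lstrip(" ").encode("utf-8")


if __name__ == "__main__":
    # Constructed sample values, not taken from a real directory.
    samples = [("cn", "Babs Jensen"), ("sn", "Jérôme"),
               ("description", " leading space"),
               ("jpegPhoto", b"\xff\xd8\xff")]
    for attr, value in samples:
        line = to_ldif_line(attr, value)
        print(line, "->", from_ldif_line(line))
```

<para>Base64 in LDIF is a transport encoding only: any reader of an exported file can decode a <literal>::</literal> value, so exports need the same access control as the directory data itself.</para>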