12.07.2015 Views

Red Hat Enterprise Linux 5 Administration Unleashed



274 CHAPTER 12 Identity Management

To make the changes in Listing 12.7, execute the following:

    ldapmodify -D 'cn=root,dc=example,dc=com' -W -f modify.ldif

Unlike slapadd, ldapmodify must be run while the daemon is running. It connects to the daemon for modification of the database. If encryption is not being used, also specify the -x option to use simple authentication. The value following -D must be the value of rootdn from slapd.conf. The -W option specifies that the user should be prompted for the password from the rootpw option in slapd.conf, which is more secure than listing it on the command line with the -w option. If the password is listed on the command line, it is stored in the user’s command history, which can be read by unauthorized users more easily than slapd.conf. Also remember that, even if you are prompted for the password, the password is sent unencrypted over the network unless encryption is enabled as described in the “Enabling TLS Encryption for LDAP” section.

As with slapadd, the slapcat or ldapsearch utilities can be used to verify if the entries have been modified or deleted. The slapcat command works regardless of whether the service is started. The ldapsearch command only works if slapd is running.

Customizing LDAP Indexing

The directory can be indexed based on particular attributes so that searches with ldapsearch are faster. Keep in mind that too much indexing can slow down performance. Indexing should only be enabled for frequent searches.

Indexing is defined in slapd.conf in the following format:

    index

Replace with an attribute name or a list of attributes separated by commas. Replace with one of the following or a comma-separated list of two or more:

- pres: Use if searches have the form objectclass=person or attribute-mail
- approx: Must be used for searches with the form sn~=person
- eq: Use for equality searches without wildcards
- sub: Use for searches with wildcard substitutions
- nolang: Can be used for searches with lang subtype
- nosubtypes: Can be used for searches with subtypes

Optionally, the keyword default can be placed between the attributes and indices lists to define a set of default indices to use if an attribute is given on subsequent lines without indices:

    index default

Listing 12.8 shows examples, which are also the defaults in the slapd.conf file.
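
The earlier point about -w leaving the rootdn password in command history can be checked after the fact. The following is an added example, not code from the book: a POSIX shell function that scans shell history text for OpenLDAP client commands that passed the bind password with -w and prints each hit with the password redacted. The function names and the sample history are constructed for illustration; the scan splits on whitespace, so it only sees commands at the start of a line and does not handle quoted passwords that contain spaces.

```sh
#!/bin/sh
# Added example (not from the book): audit shell history for LDAP bind
# passwords given on the command line with -w instead of prompted with -W.

# Constructed sample history used for the demonstration below.
sample_history() {
cat <<'EOF'
ldapmodify -D 'cn=root,dc=example,dc=com' -W -f modify.ldif
ldapmodify -x -D 'cn=root,dc=example,dc=com' -w S3cret -f modify.ldif
ldapsearch -x -b 'dc=example,dc=com' '(objectclass=person)'
ldapadd -D 'cn=root,dc=example,dc=com' -wS3cret -f add.ldif
echo ldapmodify -w not-a-real-invocation
EOF
}

# Reads history lines on stdin. For every OpenLDAP client invocation that
# supplies a password with -w, prints "<line number>: <command>" with the
# password replaced by <redacted>, so the report itself leaks nothing.
audit_ldap_history() {
    awk '
    $1 ~ /^ldap(add|modify|delete|search|passwd|modrdn|compare|whoami)$/ {
        hit = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "-w" && i < NF) {        # separated form: -w secret
                $(i + 1) = "<redacted>"; hit = 1; i++
            } else if ($i ~ /^-w./) {          # attached form: -wsecret
                $i = "-w<redacted>"; hit = 1
            }
        }
        if (hit) print NR ": " $0
    }'
}

# Demonstration on the constructed sample; lines 2 and 4 are reported.
sample_history | audit_ldap_history
```

To audit a real account, feed it the history file, for example `audit_ldap_history < ~/.bash_history`, and change the rootpw value in slapd.conf for any password that shows up.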
