Chapter 6. Advanced Setup and Configuration

After the default Directory Server and Administration Server have been configured, there are tools
available to manage, create, and remove server instances. These include Administration Server
configurations to allow people to access the Directory Server files remotely, silent setup tools for
installing instances from file configuration, and instance setup and removal scripts.

6.1. Working with Administration Server Instances

There are two additional setup steps that can be done with the Administration Server. The first allows
the Administration Server to be accessed by remote clients, so that users can install and launch the
Directory Server Console and still access the remote Directory Server files, such as help files.

NOTE

If you lock yourself out of the Console or Administration Server, you may have
to edit the Administration Server configuration directly via LDAP. See
http://directory.fedoraproject.org/wiki/Howto:AdminServerLDAPMgmt for information on editing
the Administration Server configuration.

6.1.1. Configuring IP Authorization on the Administration Server

The Directory Server Console can be launched from remote machines to access an instance of
Directory Server. The client running Directory Server Console needs access to the Administration
Server to access support files like the help content and documentation.

There are six steps to configure the Administration Server to accept connections from the client IP address:

1. On the same machine on which the Administration Server is running, launch the Console.

/usr/bin/redhat-idm-console

2. In the Administration Server Console, click the Configuration tab, then click the Network tab.

3. In the Connection Restrictions Settings section, select IP Addresses to Allow from the pull-down menu.

4. Click Edit.

5. In the IP Addresses field, enter the following:

*.*.*.*

This wildcard allows every IP address to access the Administration Server.

6. Restart the Administration Server.
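Before restarting the server it is worth checking what a given value of the IP Addresses to Allow field actually admits. The following is an added example, not code from the guide or the product: it assumes the pattern syntax shown above, a comma-separated list of dotted-quad patterns in which `*` matches any value of that octet, and evaluates constructed settings against constructed sample client addresses.

```python
"""Evaluate an Administration Server "IP Addresses to Allow" value offline.

Added example, not code from the Directory Server guide. It assumes the
syntax shown in the procedure above: a comma-separated list of dotted-quad
patterns in which "*" matches any value of that octet, so "*.*.*.*" admits
every IPv4 client and "10.0.5.*" admits only one /24.
"""
import ipaddress


def parse_allow_list(value):
    """Split the field value into patterns; each pattern is a 4-item list
    whose items are either "*" or an int 0-255. Rejects malformed input."""
    patterns = []
    for raw in value.split(","):
        pat = raw.strip()
        if not pat:
            continue
        octets = pat.split(".")
        if len(octets) != 4:
            raise ValueError(f"pattern {pat!r} must have exactly four octets")
        parsed = []
        for octet in octets:
            if octet == "*":
                parsed.append("*")
            elif octet.isdigit() and 0 <= int(octet) <= 255:
                parsed.append(int(octet))
            else:
                raise ValueError(f"bad octet {octet!r} in pattern {pat!r}")
        patterns.append(parsed)
    if not patterns:
        raise ValueError("allow list is empty; no client could connect")
    return patterns


def ip_allowed(client_ip, patterns):
    """True if the client address matches at least one pattern."""
    # IPv4Address rejects malformed or IPv6 input instead of silently matching.
    parts = [int(p) for p in str(ipaddress.IPv4Address(client_ip)).split(".")]
    for pattern in patterns:
        if all(p == "*" or p == c for p, c in zip(pattern, parts)):
            return True
    return False


def is_wide_open(patterns):
    """A pattern of four wildcards (the guide's *.*.*.*) admits every client."""
    return any(all(o == "*" for o in pattern) for pattern in patterns)


def check_setting(value, sample_clients):
    """Report whether the setting is wide open and which sample clients it admits."""
    patterns = parse_allow_list(value)
    return {
        "wide_open": is_wide_open(patterns),
        "admitted": [ip for ip in sample_clients if ip_allowed(ip, patterns)],
    }


if __name__ == "__main__":
    # Constructed sample client addresses; none are taken from the guide.
    clients = ["10.0.5.17", "10.0.9.2", "192.0.2.44"]
    for setting in ("*.*.*.*", "10.0.5.*", "10.0.5.*, 192.0.2.44"):
        print(f"{setting!r:28} -> {check_setting(setting, clients)}")
```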

Red Hat Directory Server 8.0 Installation Guide. Ella Deon Lackey. Publication date: January 11, 2010.

Page 2: ...ees not to assert Section 4d of CC BY SA to the fullest extent permitted by applicable law Red Hat Red Hat Enterprise Linux the Shadowman logo JBoss MetaMatrix Fedora the Infinity Logo and RHCE are trademarks of Red Hat Inc registered in the United States and other countries Linux is the registered trademark of Linus Torvalds in the United States and other countries All other trademarks are the pr...

Page 3: ...nterprise Linux 4 and 5 15 2 2 3 HP UX 11i 17 2 2 4 Sun Solaris 9 20 3 Setting up Red Hat Directory Server on Red Hat Enterprise Linux 25 3 1 Installing the JRE 26 3 2 Installing the Directory Server Packages 26 3 3 Express Setup 28 3 4 Typical Setup 30 3 5 Custom Setup 33 4 Setting up Red Hat Directory Server on HP UX 11i 39 4 1 Installing the JRE 39 4 2 Installing the Directory Server Packages 4...

Page 4: ...4 2 Uninstalling Directory Server 80 7 General Usage Information 83 7 1 Directory Server File Locations 83 7 2 LDAP Tool Locations 84 7 3 Starting the Directory Server Console 85 7 4 Getting the Administration Server Port Number 85 7 5 Starting and Stopping Servers 86 7 5 1 Starting and Stopping Directory Server 86 7 5 2 Starting and Stopping Administration Server 86 7 6 Resetting the Directory Ma...

Page 5: ... based on your system environment Read through this manual before beginning to configure the Directory Server to plan ahead what values to use TIP If you are installing Directory Server for evaluation use the express or typical setup mode These processes are very fast and can help get your directory service up and running quickly IMPORTANT Red Hat Directory Server 8 0 introduces filesystem paths f...

Page 6: ... of the phrase being highlighted Formatting Style Purpose Monospace font Monospace is used for commands package names files and directory paths and any text displayed in a prompt Monospace with a background This type of formatting is used for anything entered or returned in a command prompt Italicized text Any text which is italicized is a variable such as instance_name or hostname Occasionally th...

Page 7: ...ing your Directory Server as well as procedures for migrating from a previous installation of Directory Server For the latest information about Directory Server including current release notes complete product documentation technical notes and deployment information see the Red Hat Directory Server documentation site at http www redhat com docs manuals dir server 3 Giving Feedback If there is any ...

Page 8: ...ase draft Revision 8 0 0 4 Thurs Jan 10 2008 Ella Deon Lackey dlackey redhat com Added note that Directory Server is supported as a virtual guest on Red Hat Enterprise Linux 5 Minor bug fixes and text edits from post beta review Revision 8 0 0 3 Wed Oct 31 2007 Ella Deon Lackey dlackey redhat com Updated all content per engineering review Added sections on Administration Server ports and LDAP tool...

Page 9: ...monitoring servers and viewing statistics The Administration Server is the management agent which administers Directory Servers It communicates with the Directory Server Console and performs operations on the Directory Server instances It also provides a simple HTML interface and on line help pages There must be one Administration Server running on each machine which has a Directory Server instanc...

Page 10: ...o use HTTPS NOTE When determining the port numbers you will use verify that the specified port numbers are not already in use by running a command like netstat If you are using ports below 1024 such as the default LDAP port 389 you must run the setup program and start the servers as root You do not however have to set the server user ID to root When it starts the server binds and listens to its po...

Page 11: ...n Directory Manager The Directory Manager password must contain at least 8 characters which must be ASCII letters digits or symbols 1 2 4 Directory Administrator The Directory Server setup also creates an administrator user specifically for Directory Server and Administration Server server management called the Directory Administrator The Directory Administrator is the super user that manages all ...

Page 12: ...ectory and the user directory If you install Directory Server for general directory services and there is more than one Directory Server in your organization you must determine which Directory Server instance will host the configuration directory tree o NetscapeRoot Make this decision before installing any compatible Directory Server applications The configuration directory is usually the first on...

Page 13: ...p yes Pressing Enter accepts the default answer and proceeds to the next dialog screen Yes No prompts accept y for Yes and n for No To go back to a previous dialog screen type Control B and press Enter You can backtrack all the way to the first screen Two prompts ask for a password After entering it the first time confirm the password by typing it in again The password prompts do not echo the char...

Page 14: ... be unique For example setup ds admin pl s f common inf General FullMachineName ldap37 example com slapd ServerIdentifier ldap37 This command uses the common parameters specified in the common inf file but overrides FullMachineName and ServerIdentifier with the command line arguments NOTE The section names and parameter names used in the inf files and on the command line are case sensitive Refer t...

Page 15: ...sample inf debug d dddd This parameter turns on debugging information For the d flag increasing the number of d s increases the debug level keepcache k This saves the temporary installation file inf that is created when the setup script is run This file can then be reused for a silent setup WARNING The cache file contains the cleartext passwords supplied during setup Use appropriate caution and pr...

Page 16: ... choice of selecting the Directory Server server port number or the directory suffix among other settings Red Hat recommends that you not use it for production deployments Also express setups can fail if default configuration values are not available because there is no way to offer an alternative Typical The default and most common setup mode This prompts you to supply more detailed information a...

Page 17: ...3 custom N A Set the computer name ldap example com General FullMachineName ldap example com Set the user as which the Directory Server will run nobody Sun and Red Hat Enterprise Linux or daemon HP UX General SuiteSpotUserID nobody Set the group as which the Directory Server will run nobody Sun and Red Hat Enterprise Linux or daemon HP UX General SuiteSpotGroup nobody Register the new Directory Se...

Page 18: ...1 example com General AdminDomain example com Give the path to the CA certificate if using LDAPS 1 tmp cacert asc General CACertificate tmp cacert asc Set the Configuration Directory Server Administrator username admin 2 General ConfigDirectoryAdminID admin Set the Configuration Directory Server Administrator password password 2 General ConfigDirectoryAdminPwd password Set the Directory Server por...

Page 19: ...not import any data Equivalent to suggest slapd AddOrgEntries Yes InstallLdifFile suggest Equivalent to setting the path slapd AddOrgEntries Yes InstallLdifFile export data ldif Set the Administration Server port 9830 admin Port 9830 Set the Administration Server IP address blank all interfaces admin ServerIpAddress 111 11 11 11 Set user as which the Administration Server runs nobody on Red Hat En...

Page 20: ...ption is only available if you choose not to register the Directory Server instance with a Configuration Directory Server In that case the Directory Server being set up is created and configured as a Configuration Directory Server Table 1 2 Comparison of Setup Types ...

Page 21: ...ab environments can require 2 GB to support the complete deployment including product binaries databases and log files Very large directories may require 4 GB and above Red Hat suggests 256 MB of RAM for average environments and 1 GB of RAM for large test lab environments for increased performance Table 2 1 Hardware Requirements contains guidelines for Directory Server disk space and memory requir...

Page 22: ...with the setup procedure every time a Directory Server instance is configured Red Hat recommends running dsktune before beginning to set up the Directory Server instances so that you can properly configure your kernel settings and install any missing patches On Red Hat Enterprise Linux and Solaris the dsktune utility is in the usr bin directory on HP UX it is in opt dirsrv bin To run it simply use...

Page 23: ...the system limit on 32 bit systems typically 3 GB RAM or 4 GB RAM with hugemem kernel for large environments Hard Disk 200 MB of disk space minimum for a typical deployment 2 GB minimum for larger environments 4 GB minimum for very large environments more than a million entries Other To run the Directory Server using port numbers less than 1024 such as the default port 389 you must setup and start...

Page 24: ...on 2 2 2 2 1 Perl Prerequisites Section 2 2 2 2 2 File Descriptors Section 2 2 2 2 3 DNS Requirements 2 2 2 2 1 Perl Prerequisites For Red Hat Enterprise Linux systems use the Perl version that is installed with the operating system in usr bin perl for both 32 bit and 64 bit versions of Red Hat Directory Server 2 2 2 2 2 File Descriptors Editing the number of file descriptors on the Linux system c...

Page 25: ... HP UX 11i Directory Server runs on HP UX version 11i only earlier HP UX versions are not supported Directory Server runs on a 64 bit HP UX 11i environment as a 64 bit process Table 2 4 HP UX 11i lists the hardware requirements Section 2 2 3 1 HP UX Patches lists the required patches and the recommended system configurations are in Section 2 2 3 2 HP UX System Configuration Criteria Requirements O...

Page 26: ...11 0406 5 Gold Applications Patches for HP UX 11i v1 June 2004 GOLDBASE11i B 11 11 0406 5 Gold Base Patches for HP UX 11i v1 June 2004 GOLDQPK11i HP UX 11i Quality Pack patch from June 2004 or later Table 2 5 HP UX 11i Patches 2 2 3 2 HP UX System Configuration Before setting up Directory Server tune your HP UX system so Directory Server can access the respective kernel parameters To tune HP UX sy...

Page 27: ...Create the large filesystem fsadm F vxfs o largefiles dev vg01 rexport 3 Remount the filesystem usr sbin mount F vxfs o largefiles dev vg01 export 2 2 3 2 5 DNS Requirements It is very important that DNS and reverse DNS be working correctly on the host machine especially if you are using TLS SSL or Kerberos with Directory Server Configure the DNS resolver and the NIS domain name by the modifying t...

Page 28: ...a typical deployment 2 GB minimum for larger environments 4 GB minimum for very large environments more than a million entries You must use the largefile command to configure database files larger than 2 GB Other To run the Directory Server using port numbers less than 1024 such as the default port 389 you must setup and start the Directory Server as root but it is not necessary to run the Directo...

Page 29: ... ssd patch 113579 06 SunOS 5 9 ypserv ypxfrd patch 112908 14 SunOS 5 9 krb5 shared object patch 113073 14 SunOS 5 9 ufs and fsck patch Table 2 8 Sun Solaris Patches 2 2 4 2 Solaris System Configuration After installing any required patches or modules tune the Solaris system to work with Directory Server There are three areas that may need modified for optimum Directory Server performance the TCP s...

Page 30: ...v tcp tcp_conn_req_max_q 1024 The tcp_keepalive_interval setting determines the duration in seconds between the keepalive packets sent for each open TCP connection Edit this setting to remove client connections that disconnect from the network Check the tcp_rexmit_interval_initial parameter value for server maintenance testing on a high speed LAN MAN or other network connection For wide area netwo...

Page 31: ...escriptor table The governing parameter rlim_fd_max is in the etc system file By default if this parameter is not present the allowed maximum value is 1024 You can increase this to 4096 by adding the line set rlim_fd_max 4096 to the etc system file Reboot the Solaris machine to apply these changes To determine the soft limit for file descriptors run the command ulimit n You can also use the dsktun...

Page 32: ...24 ...

Page 33: ...ing up Directory Server express typical and custom These setup types provide different levels of control over the configuration settings such as port numbers directory suffixes and users and groups for the Directory Server processes Express has the least amount of input meaning it uses more default or randomly generated settings while custom allows the most control over the configuration by having...

Page 34: ...4 use the up2date command up2date java 1 5 0 ibm On Red Hat Enterprise Linux 5 use the yum command yum install java 1 5 0 ibm Using yum or up2date is the preferred and recommended way to install Java However it is also possible to download the JRE from the Java site 1 Download the Java libraries from http www java com 2 Log in as root and install the JRE For example rpm Uvh java 1 5 0 ibm 1 5 0 5 ...

Page 35: ...rep iv e devel e debuginfo xargs rpm ivh 2 After the Directory Server packages are installed run the setup ds admin pl script to set up and configure the default Directory Server instance and the Administration Server usr sbin setup ds admin pl 3 Accept the licensing agreement 4 On the next screen review the dsktune output If there are any issues that you should address exit the setup ds admin pl ...

Page 36: ...alling the Directory Server Packages then launch the setup ds admin pl script usr sbin setup ds admin pl NOTE Run the setup ds admin pl script as root 2 Select y to accept the Red Hat licensing terms 3 The dsktune utility runs Select y to continue with the setup dsktune checks the available disk space processor type physical memory and other system data and settings such as TCP IP ports and file d...

Page 37: ...ver instance will connect to the Configuration Directory Server over LDAPS This should be the full path and filename the CA certificate in PEM ASCII format This information is supplied in place of creating an admin user for the new Directory Server in steps 6 and 7 6 Set the administrator username The default is admin 7 Set the administrator password and confirm it 8 Set the Directory Manager user...

Page 38: ...file grep Listen etc dirsrv admin serv console conf Listen 0 0 0 0 9830 2 Using the Administration Server port number launch the Console usr bin redhat idm console a http localhost 9830 NOTE If you do not pass the Administration Server port number with the redhat idm console command then you are prompted for it at the Console login screen 3 4 Typical Setup The typical setup process is the most com...

Page 39: ...e name the admin domain and the base suffix among others If you are using SSL TLS or Kerberos the computer name must be the exact name that clients use to connect to the system If you will use DNS make sure the name resolves to a valid IP address and that IP address resolves back to this name 6 Set the user and group as which the Directory Server process will run The default is nobody nobody For e...

Page 40: ...e full path and filename the CA certificate in PEM ASCII format This information is supplied in place of creating an admin user and domain for the new Directory Server steps 8 9 and 10 8 Set the administrator username The default is admin 9 Set the administrator password and confirm it 10 Set the administration domain This defaults to the host s domain For example Administration Domain example com...

Page 41: ...g Log file is tmp setupulSykp log When the setup ds admin pl script is done then the Directory Server is configured and running To log into the Directory Server Console to begin setting up your directory service do the following 1 Get the Administration Server port number from the Listen parameter in the console conf configuration file grep Listen etc dirsrv admin serv console conf Listen 0 0 0 0 ...

Page 42: ...sktune returns a warning dsktune warnings do not block the setup process simply entree y to go to the next step 4 Next choose the setup type Accept the default option 3 to perform a custom setup 5 Set the computer name of the machine on which the Directory Server is being configured This defaults to the fully qualified domain name FQDN for the host For example Computer name ldap example com NOTE T...

Page 43: ...iguration Directory Server The Configuration Directory Server URL such as ldap ldap example com 389 o NetscapeRoot To use TLS SSL set the protocol as ldaps instead of ldap For LDAPS use the secure port 636 instead of the standard port 389 and provide a CA certificate The Configuration Directory Server administrator s user ID by default this is admin The administrator user s password The Configurat...

Page 44: ...he Directory Server with data this means whether to import an LDIF file with existing data into the Directory Server database If the answer is yes then supply a path to the LDIF file or select the suggested file If the LDIF file requires custom schema perform a silent setup instead and use the SchemaFile directive in the inf to specify additional schema files See Section 6 3 5 1 inf File Directive...

Page 45: ...er The admin server was successfully started Admin server was successfully reconfigured and started Exiting Log file is tmp setupul88C1 log When the setup ds admin pl script is done then the Directory Server is configured and running To log into the Directory Server Console to begin setting up your directory service do the following 1 Get the Administration Server port number from the Listen param...

Page 46: ...38 ...

Page 47: ...esses Express has the least amount of input meaning it uses more default or randomly generated settings while custom allows the most control over the configuration by having the user supply a lot of configuration information These setup types are described more in Table 1 2 Comparison of Setup Types For most deployments the typical installation type is all that is required NOTE There is a fourth s...

Page 48: ...erver opt dirsrv sbin setup ds admin pl Accept the initial screens for licensing and dsktune output then select the setup type and proceed with configuring the new Directory Server instance Section 4 3 Express Setup Section 4 4 Typical Setup Section 4 5 Custom Setup NOTE Directory Server version 8 0 conforms to the Filesystem Hierarchy Standards This means that the directories and files are in dif...

Page 49: ...er requirements dsktune returns a warning dsktune warnings do not block the setup process simply enter y to go to the next step 4 Next choose the setup type Enter 1 to perform an express setup 5 The next step allows you to register your Directory Server with an existing Directory Server instance called the Configuration Directory Server This registers the new instance so it can be managed by the C...

Page 50: ...10 The last screen asks if you are ready to set up your servers Select yes Are you ready to set up your servers yes Creating directory server Your new DS instance example was successfully created Creating the configuration directory server Beginning Admin Server reconfiguration Creating Admin Server files and directories Updating adm conf Updating admpw Registering admin server with the configurat...

Page 51: ...ot The typical setup has the following steps WARNING If Directory Server is already installed on your machine it is extremely important that you perform a migration not a fresh installation Migration is described in Chapter 8 Migrating from Previous Versions 1 After the Directory Server packages are installed as described in Section 4 2 Installing the Directory Server Packages then launch the setu...

Page 52: ...the Directory Server process will run The default is daemon daemon For example System User daemon System Group daemon 7 The next step allows you to register your Directory Server with an existing Directory Server instance called the Configuration Directory Server This registers the new instance so it can be managed by the Console If this is the first Directory Server instance set up on your networ...

Page 53: ...d confirm it 10 Set the administration domain This defaults to the host s domain For example Administration Domain example com 11 Enter the Directory Server port number The default is 389 but if that port is in use the setup program supplies a randomly generated one Directory server network port 30860 1025 12 Enter the Directory Server identifier this defaults to the hostname Directory server iden...

Page 54: ...ectory Server Console to begin setting up your directory service do the following 1 Get the Administration Server port number from the Listen parameter in the console conf configuration file grep Listen etc dirsrv admin serv console conf Listen 0 0 0 0 9830 2 Using the Administration Server port number launch the Console opt dirsrv bin redhat idm console a http localhost 9830 NOTE If you do not pa...

Page 55: ...tom setup 5 Set the computer name of the machine on which the Directory Server is being configured This defaults to the fully qualified domain name FQDN for the host For example Computer name ldap example com NOTE The setup program gets the host information from the etc resolv conf file If there are aliases in the etc hosts file such as ldap example com that do not match the etc resolv conf settin...

Page 56: ...the standard port 389 and provide a CA certificate The Configuration Directory Server administrator s user ID by default this is admin The administrator user s password The Configuration Directory Server Admin domain such as example com The CA certificate to authenticate to the Configuration Directory Server This is only required if the Directory Server instance will connect to the Configuration D...

Page 57: ...n the inf to specify additional schema files See Section 6 3 5 1 inf File Directives for information on inf directives The default option is none which does not import any data 18 Enter the Administration Server port number The default is 9830 but if that port is in use the setup program supplies a randomly generated one Administration port 9830 19 Set an IP address for the new Administration Serv...

Page 58: ...en the setup ds admin pl script is done then the Directory Server is configured and running To log into the Directory Server Console to begin setting up your directory service do the following 1 Get the Administration Server port number from the Listen parameter in the console conf configuration file grep Listen etc dirsrv admin serv console conf Listen 0 0 0 0 9830 2 Using the Administration Serv...

Page 59: ...ing the user supply a lot of configuration information These setup types are described more in Table 1 2 Comparison of Setup Types For most deployments the typical installation type is all that is required NOTE There is a fourth setup option called a silent installation This uses a file with predefined settings to create a new Directory Server without any user interaction This is extremely useful ...

Page 60: ...ity and extract the contents using the tar utility 4 The contents of the 32 bit file jdk 1_5_0_09 solaris sparc tar Z are COPYRIGHT LICENSE README html SUNWj5cfg SUNWj5dev SUNWj5dmo SUNWj5jmp SUNWj5man and SUNWj5rt The contents of the 64 bit file jdk 1_5_0_09 solaris sparcv9 tar Z are SUNWj5dmx SUNWj5dvx and SUNWj5rtx 5 Since only the JRE is needed on Solaris 9 systems use the pkgadd utility to ad...

Page 61: ...en the pkgadd program completes move all pkg files from the current directory to a backup directory 5 Delete the temporary directory rm rf tmp rhds80 6 After the Directory Server packages are installed run the setup program to set up and configure the default Directory Server instance and the Administration Server usr sbin setup ds admin pl 7 Accept the initial screens for licensing and dsktune ou...

Page 62: ...ed packages Make sure that the pkgadd program replaces any existing versions with the packages included with Directory Server 5 After the Directory Server packages are installed run the setup program to set up and configure the default Directory Server instance and the Administration Server usr sbin setup ds admin pl 6 Accept the initial screens for licensing and dsktune output then select the set...

Page 63: ...o continue with the setup dsktune checks the available disk space processor type physical memory and other system data and settings such as TCP IP ports and file descriptor settings If your system does not meet these basic Red Hat Directory Server requirements dsktune returns a warning dsktune warnings do not block the setup process simply enter y to go to the next step 4 Next choose the setup typ...

Page 64: ... admin user for the new Directory Server in steps 6 and 7 6 Set the administrator username The default is admin 7 Set the administrator password and confirm it 8 Set the Directory Manager username The default is cn Directory Manager 9 Set the Directory Manager password and confirm it 10 The last screen asks if you are ready to set up your servers Select yes Are you ready to set up your servers yes...

Page 65: ...stration Server port number with the redhat idm console command then you are prompted for it at the Console login screen 5 4 Typical Setup The typical setup process is the most commonly used setup process It offers control over the ports for the Directory and Administration Servers the domain name and directory suffix WARNING If Directory Server is already installed on your machine it is extremely...

Page 66: ... TLS or Kerberos the computer name must be the exact name that clients use to connect to the system If you will use DNS make sure the name resolves to a valid IP address and that IP address resolves back to this name 6 Set the user and group as which the Directory Server process will run The default is nobody nobody For example System User nobody System Group nobody 7 The next step allows you to r...

Page 67: ...new Directory Server steps 8 9 and 10 8 Set the administrator username The default is admin 9 Set the administrator password and confirm it 10 Set the administration domain This defaults to the host s domain For example Administration Domain example com 11 Enter the Directory Server port number The default is 389 but if that port is in use the setup program supplies a randomly generated one Direct...

Page 68: ...ds admin pl script is done then the Directory Server is configured and running To log into the Directory Server Console to begin setting up your directory service do the following 1 Get the Administration Server port number from the Listen parameter in the console conf configuration file grep Listen etc dirsrv admin serv console conf Listen 0 0 0 0 9830 2 Using the Administration Server port numbe...

Page 69: ...ne warnings do not block the setup process simply entree y to go to the next step 4 Next choose the setup type Accept the default option 3 to perform a custom setup 5 Set the computer name of the machine on which the Directory Server is being configured This defaults to the fully qualified domain name FQDN for the host For example Computer name ldap example com NOTE The setup program gets the host...

Page 70: ...formation about the Configuration Directory Server The Configuration Directory Server URL such as ldap ldap example com 389 o NetscapeRoot To use TLS SSL set the protocol as ldaps instead of ldap For LDAPS use the secure port 636 instead of the standard port 389 and provide a CA certificate The Configuration Directory Server administrator s user ID by default this is admin The administrator user s...

Page 71: ...this means whether to import an LDIF file with existing data into the Directory Server database If the answer is yes then supply a path to the LDIF file or select the suggested file If the LDIF file requires custom schema perform a silent setup instead and use the SchemaFile directive in the inf to specify additional schema files See Section 6 3 5 1 inf File Directives for information on inf direc...

Page 72: ...ne Restarting admin server The admin server was successfully started Admin server was successfully reconfigured and started Exiting Log file is tmp setupul88C1 log When the setup ds admin pl script is done then the Directory Server is configured and running To log into the Directory Server Console to begin setting up your directory service do the following 1 Get the Administration Server port numb...

Page 73: ...stration Server configuration directly via LDAP See http directory fedoraproject org wiki Howto AdminServerLDAPMgmt for information on editing the Administration Server configuration 6 1 1 Configuring IP Authorization on the Administration Server The Directory Server Console can be launched from remote machines to access an instance of Directory Server The client running Directory Server Console n...

Page 74: ...ty hole 6 2 Working with Directory Server Instances 6 2 1 Creating a New Directory Server Instance Additional instances of the Directory Server can be created from the command line using the setup ds admin pl command This offers the setup choices express typical and custom that are described in Chapter 3 Setting up Red Hat Directory Server on Red Hat Enterprise Linux Chapter 4 Setting up Red Hat D...

Page 75: ...is used by the Console and the Administration Servers This database can belong to a separate Directory Server instance called the Configuration Directory Server There is an option when an instance is first set up to register it with a Configuration Directory Server It is possible to register an existing Directory Server instance with a Configuration Directory Server using the register ds admin scr...

Page 76: ...toryAdminID= admin ConfigDirectoryAdminPwd= admin ConfigDirectoryLdapURL= ldap://dir.example.com:389/o=NetscapeRoot [slapd] SlapdConfigForMC= Yes UseExistingMC= 0 ServerPort= 389 ServerIdentifier= dir Suffix= dc=example,dc=com RootDN= cn=Directory Manager RootDNPwd= password123 AddSampleEntries= No [admin] Port= 9830 ServerIpAddress= 111.11.11.11 ServerAdminID= admin ServerAdminPwd= admin NOTE: There are three sections...

Page 77: ...ing a single instance of Directory Server, the Directory Server packages must already be installed and the Administration Server must already be configured and running. 1. Make the setup .inf file. It must specify the following directives: [General] FullMachineName= dir.example.com SuiteSpotUserID= nobody SuiteSpotGroup= nobody [slapd] ServerPort= 389 ServerIdentifier= dir Suffix= dc=example,dc=com RootDN= cn=Dire...

Page 78: ...etup-ds-admin.pl General.FullMachineName=ldap.example.com slapd.Suffix=dc=example,dc=com slapd.ServerPort=389 NOTE: Passing arguments in the command line or specifying an .inf sets the defaults used in the interactive prompt, unless they are used with the -s (silent) option. Argument values containing spaces or other shell special characters must be quoted to prevent the shell from interpreting them. In the ...

Page 79: ...actively. --file-name, -f name: This sets the path and name of the file which contains the configuration settings for the new Directory Server instance. This can be used with the --silent parameter; if used alone, it sets the default values for the setup prompts. /usr/sbin/setup-ds-admin.pl -f /export/sample.inf --debug, -d, -dddd: This parameter turns on debugging information. For the -d flag, increasing the number of d...

Page 80: ...ry. Since the ConfigFile parameter can be used multiple times, it is a good idea to have multiple LDIF files so that the individual entries are easy to manage. The ConfigFile parameter is set in the [slapd] section of the .inf. For example, to configure a new Directory Server instance as a supplier in replication, ConfigFile can be used to create the replication manager, replica, and replication agreement en...

Page 81: ...on parameters with the setup-ds-admin.pl command is described in Section 1.3, "About the setup-ds-admin.pl Script". The .inf file has three sections: [General], which supplies information about the server machine; these are global directives that are common to all your Directory Servers. [slapd], which supplies information about the specific Directory Server instance; this information, like the port and server ID...

Page 82: ...nux and Solaris and daemon on HP-UX. This should be changed for most deployments. Required: No. Example: nobody. SuiteSpotGroup: Specifies the group as which the servers will run. The default is group nobody on Linux and Solaris and daemon on HP-UX. This should be changed for most deployments. Required: No. Example: nobody. ConfigDirectoryLdapURL: Specifies the LDAP URL that is used to connect to your configuration directory. LDAP URLs are describ...

Page 83: ...cting server port numbers, see Section 1.2.1, "Port Numbers". Required: No. Example: 389. ServerIdentifier: Specifies the server identifier. This value is used as part of the name of the directory in which the Directory Server instance is installed. For example, if the machine's hostname is phonebook, then this name is the default, and selecting it installs the Directory Server instance in a directory labeled slapd-phonebook. Required: No. ...

Page 84: ...uration. The default is no. Required: No. Example: AddSampleEntries= yes. InstallLdifFile: Populates the new directory with the contents of the specified LDIF file. Using suggest fills in common container entries like ou=People. Entering a path to an LDIF file imports all of the entries in that file. Required: No. Example: InstallLdifFile= /tmp/entries/myldif.ldif. SchemaFile: Lists the full path and file name of additional schema files; this is use...

Page 85: ...guration Directory Server. If this is not used, then the default is 0, meaning the configuration data are stored in the new instance. Required: No. Example: UseExistingMC= 1. Table 6.3. slapd Directives (Directive, Description, Required, Example). SysUser: Specifies the user as which the Administration Server will run. The default is user nobody on Linux and Solaris and daemon on HP-UX. This should be changed for most deployments. Fo...

Page 86: ... listen. Use this directive if you are installing on a multi-homed system and you do not want to use the first IP address for the Administration Server. Required: No. Table 6.4. admin Directives. 6.3.5.2. Sample .inf Files. [General] FullMachineName= ldap.example.com SuiteSpotUserID= nobody SuiteSpotGroup= nobody AdminDomain= example.com ConfigDirectoryAdminID= admin ConfigDirectoryAdminPwd= Admin123 ConfigDirectoryLdapURL...

Page 87: ...fFile= suggest AddOrgEntries= Yes DisableSchemaChecking= No RootDNPwd= admin123 [admin] Port= 33646 ServerIpAddress= 111.11.11.11 ServerAdminID= admin ServerAdminPwd= admin Example 6.2. .inf File for Registering the Instance with a Configuration Directory Server (Typical Setup). 6.4. Uninstalling Directory Server. 6.4.1. Removing a Single Directory Server Instance. It is possible to remove a single instance of Direc...

Page 88: ...-Mozilla-LDAP --nodeps; rpm -ev redhat-ds-base --nodeps; rpm -ev redhat-ds-admin redhat-ds-console redhat-admin-console --nodeps; rpm -ev idm-console-framework redhat-idm-console --nodeps. On Red Hat Enterprise Linux 5 (32-bit), the packages to remove are as follows: rpm -ev svrcore mozldap mozldap-tools perl-Mozilla-LDAP --nodeps; rpm -ev redhat-ds-base --nodeps; rpm -ev redhat-ds-admin redhat-ds-console redhat-admin-consol...

Page 89: ... Directory Server instances: /usr/sbin/ds_removal -s example1 -w itsasecret; /usr/sbin/ds_removal -s example2 -w itsasecret; /usr/sbin/ds_removal -s example3 -w itsasecret. 2. Stop the Administration Server: /etc/init.d/dirsrv-admin stop. 3. Then use the system tools to remove the packages. For example: #!/bin/bash for i in `pkginfo | grep -i rhat | grep -vi rhatperlx | awk '{print $2}'`; do pkgrm -n $i; done; echo "looking for any leftover...

Page 91: ...s ldap.example.com, the instance name is ldap by default. The Administration Server directories are named the same as the Directory Server directories, only instead of the instance as a directory name, the Administration Server directories are named admin-serv. For any directory or folder named slapd-instance, substitute admin-serv, such as /etc/dirsrv/slapd-example and /etc/dirsrv/admin-serv. File or Direc...

Page 92: ...d/init.d/dirsrv-admin and /etc/default/dirsrv-admin. Tools: /usr/bin, /usr/sbin. Table 7.3. Sun Solaris 9 (sparc) File or Directory Locations. Log files: /var/opt/log/dirsrv/slapd-instance. Configuration files: /etc/opt/dirsrv/slapd-instance. Instance directory: /opt/dirsrv/slapd-instance. Database files: /var/opt/dirsrv/slapd-instance. Runtime files: /var/opt/dirsrv/instance. Binaries: /opt/dirsrv/bin, /opt/dirsrv/sbin. Librar...

Page 93: ... send the Administration Server URL and port with the start script. For example: /usr/bin/redhat-idm-console -a http://localhost:9830 The -a option is a convenience, particularly if you are logging into a Directory Server for the first time. On subsequent logins, the URL is saved. If you do not pass the Administration Server port number with the redhat-idm-console command, then you are prompted for it at the ...

Page 94: ...in both the start-slapd, stop-slapd, and restart-slapd scripts and the system scripts. If an instance name is not given, the start or stop operation applies to all instances on the machine. 7.5.2. Starting and Stopping Administration Server. There are two ways to start, stop, or restart the Administration Server. There are scripts in the /usr/sbin directory: /usr/sbin/start-ds-admin, /usr/sbin/stop-ds-admin, /usr/sbin/restart-ds-admin. The Administration Server service can also...

Page 95: ...se.ldif file. For example: cd /etc/dirsrv/slapd-instance; vi dse.ldif 4. Locate the nsslapd-rootpw parameter: nsslapd-rootpw: {SSHA}x03lZLMyOPaGH5VB8fcys1IV TVNbBIOwZEYoQ Delete the old password and enter in the new hashed password. For example: nsslapd-rootpw: {SSHA}nbR ZeVTwZLw6aJH6oE4obbDbL0OaeleUoT21w 5. Save the change. 6. Start the Directory Server. For example: service dirsrv start 7. When the Directory Serve...

Page 96: ...utes. This may cause temporary server congestion from lost client connections. WARNING: There are only 1024 file descriptors (hard limit) available, which limit the number of simultaneous connections. WARNING: There are only 1024 file descriptors (soft limit) available, which limit the number of simultaneous connections. Example 7.1. dsktune Output. 7.7.2. Common Installation Problems. There are several common pr...

Page 97: ...gration. Shut down the existing server, and then restart the upgrade process. If this occurs during a setup process, it may mean another server is already using this port. Verify that the port you selected is not in use by another server. 7.7.2.3. Problem: Forgotten Directory Manager DN and password. Solution: By default, the Directory Manager DN is cn=Directory Manager. If you forget the Directory Manager DN...

Page 99: ...on scenarios and migration script options are described in this chapter. 8.1. Migration Overview. Migrating from a 6.x or 7.x version of Directory Server to Directory Server 8.0 is a simple process. Migration moves all of the user data and configuration settings, such as replication and synchronization agreements, from the older instance to the new one. The general process is as follows: 1. Stop all of the...

Page 100: ...2. About migrate-ds-admin.pl. The migration script, migrate-ds-admin.pl, has flexible options that allow a variety of different migration scenarios, including migrating between different platforms. These options are listed in Table 8.1, "migrate-ds-admin Options". There is one required option with the migration script, --oldsroot, which gives the directory path to the old Directory Server. There is also...

Page 101: ... be used multiple times to migrate several instances simultaneously. By default, the migration script migrates all Directory Server instances on the machine. --file-name, -f name: This sets the path and name of the .inf file provided with the migration script. The only parameter is the General.ConfigDirectoryAdminPwd parameter, which is the configuration directory administrator's password. Any other configurat...

Page 102: ...nly required argument is the Configuration Directory Server administrator password, ConfigDirectoryAdminPwd: /usr/sbin/migrate-ds-admin.pl --oldsroot /opt/redhat-ds General.ConfigDirectoryAdminPwd=password To avoid having this password in the clear on the command line, you can use a .inf file with the migration script that gives the administrator's password: /usr/sbin/migrate-ds-admin.pl --oldsroot /opt/redhat...

Page 103: ...ou have a multi-master replication setup in which o=NetscapeRoot is replicated between the two master servers, server1 and server2. By default, writes made through server2's Directory Server Console are written to server1, then replicated over. Modify the Directory Server Console on the second server (server2) so that it writes to its own Console instance instead of server1's. 1. Shut down the Administra...

Page 104: ...ery Directory Server instance configured. To migrate specific instances, use the --instance option with the migrate-ds-admin tool. For example, to migrate the Directory Server instances named example and example3, but not example2, the migration command would be as follows: /usr/sbin/migrate-ds-admin.pl --oldsroot /opt/redhat-ds --instance example --instance example3 General.ConfigDirectoryAdminPwd=password NOTE: On Red Ha...

Page 105: ...n script. 4. Run the migration script as root: /usr/sbin/migrate-ds-admin.pl --oldsroot /opt/redhat-ds General.ConfigDirectoryAdminPwd=password /opt/redhat-ds is the directory where the old Directory Server is installed. The migration process starts. The legacy Directory Server is migrated, and a new Directory Server 8.0 instance is installed using the configuration information from the legacy Directory Serv...

Page 106: ...db, but will instead assume that the databases should be in their non-standard location and configure the new server to use the databases in the old location. This issue does not occur in cross-platform migrations or when migrating using LDIF files instead of the binary databases, because these already work with an LDIF copy of the database. To migrate a replicated site, do the following: 1. Stop all old Dire...

Page 107: ...a cross-platform migration, described in Section 8.4.4, "Migrating a Directory Server from One Platform to Another". The procedure in this section assumes that the Directory Server is being migrated from one machine to another of the same architecture, such as i386 to i386. WARNING: Migration cannot change the hostname used by the Directory Server and Administration Server. The old machine must have the sa...

Page 108: ...r. 4. Make the old Directory Server accessible to the new machine, either through an NFS-mounted drive or a tarball. 5. Run the migration script as root. Specify the current physical location of the Directory Server with the --oldsroot parameter and the location on the old machine with the --actualsroot parameter. IMPORTANT: Do not set up the new Directory Server instances with setup-ds-admin.pl before running ...

Page 109: ...ion /opt/redhat-ds --actualsroot /opt/redhat-ds --instance example General.ConfigDirectoryAdminPwd=password 1. Stop all Directory Server instances and the Administration Server. 2. Back up all the Directory Server user and configuration data. 3. Export all of the database information to LDIF. The LDIF file must be named the name of the database with .ldif appended. For example: cd /opt/redhat-ds/slapd-instance/db...

Page 110: ...alsroot /opt/redhat-ds General.ConfigDirectoryAdminPwd=password The migration process starts. The legacy Directory Server is migrated, and a new Directory Server 8.0 instance is installed using the configuration information from the legacy Directory Server. ...

Page 111: ...st reaches this limit, the server replaces that ID list with an All IDs token. See Also: ID list scan limit. All IDs token: A mechanism which causes the server to assume that all directory entries match the index key. In effect, the All IDs token causes the server to behave as if no index was available for the search request. anonymous access: When granted, allows anyone to access directory information with...

Page 112: ...base DN. bind DN: Distinguished name used to authenticate to Directory Server when performing an operation. bind distinguished name: See bind DN. bind rule: In the context of access control, the bind rule specifies the credentials and conditions that a particular user or client must satisfy in order to get access to directory information. branch entry: An entry that represents the top of a subtree in the d...

Page 113: ...ication. character type: Distinguishes alphabetic characters from numeric or other characters, and the mapping of upper-case to lower-case letters. ciphertext: Encrypted information that cannot be read by anyone without the proper key to decrypt the information. class definition: Specifies the information needed to create an instance of a particular object and determines how the object works in relation ...

Page 114: ... per database instance. Default indexes can be modified, although care should be taken before removing them, as certain plug-ins may depend on them. definition entry: See CoS definition entry. Directory Access Protocol: See DAP. directory tree: The logical representation of the information stored in the directory. It mirrors the tree model used by most filesystems, with the tree's root point appearing at the...

Page 115: ...earch request. equality index: Allows you to search efficiently for entries containing a specific attribute value. F. file extension: The section of a filename after the period or dot that typically defines the type of file (for example, GIF and HTML). In the filename index.html, the file extension is html. file type: The format of a given file. For example, graphics files are often saved in GIF format, while a ...

Page 116: ...hub: In the context of replication, a server that holds a replica that is copied from a different server, and in turn replicates it to a third server. See Also: cascading replication. I. ID list scan limit: A size limit which is globally applied to any indexed search operation. When the size of an individual ID list reaches this limit, the server replaces that ID list with an all IDs token. index key: Each in...

Page 117: ...at used to represent Directory Server entries in text form. leaf entry: An entry under which there are no other entries. A leaf entry cannot be a branch point in a directory tree. Lightweight Directory Access Protocol: See LDAP. locale: Identifies the collation order, character type, monetary format, and time/date format used to present data for users of a specific region, culture, and/or custom. This includes...

Page 118: ...a to be named and referenced. Also called the directory tree. monetary format: Specifies the monetary symbol used by a specific region, whether the symbol goes before or after its value, and how monetary units are represented. multi-master replication: An advanced replication scenario in which two servers each hold a copy of the same read-write replica. Each server maintains a changelog for the replica. Modi...

Page 119: ...identifier. operational attribute: Contains information used internally by the directory to keep track of modifications and subtree properties. Operational attributes are not returned in response to a search unless explicitly requested. P. parent access: When granted, indicates that users have access to entries below their own in the directory tree if the bind DN is the parent of the targeted entry. pass...

Page 120: ...er: In pass-through authentication (PTA), the PTA Directory Server is the server that sends (passes through) bind requests it receives to the authenticating directory server. PTA LDAP URL: In pass-through authentication, the URL that defines the authenticating directory server, pass-through subtree(s), and optional parameters. R. RAM: Random access memory. The physical semiconductor-based memory in a computer. Inf...

Page 121: ...replica servers to which the data is pushed, the times during which replication can occur, the DN and credentials used by the supplier to bind to the consumer, and how the connection is secured. RFC: Request for Comments. Procedures or standards documents submitted to the Internet community. People can send comments on the technologies before they become accepted standards. role: An entry grouping mechanis...

Page 122: ...ible for a particular system task. Service processes do not need human intervention to continue functioning. SIE: Server Instance Entry. The ID assigned to an instance of Directory Server during installation. Simple Authentication and Security Layer: See SASL. Simple Network Management Protocol: See SNMP. single-master replication: The most basic replication scenario, in which multiple servers, up to four, eac...

Page 123: ...d to replica servers. supplier server: In the context of replication, a server that holds a replica that is copied to a different server is called a supplier for that replica. supplier-initiated replication: Replication configuration where supplier servers replicate directory data to any replica servers. symmetric encryption: Encryption that uses the same key for both encrypting and decrypting. DES is an ...

Page 124: ... a URL is protocol://machine:port/document. The port number is necessary only on selected servers, and it is often assigned by the server, freeing the user of having to place it in the URL. V. virtual list view index: Speeds up the display of entries in the Directory Server Console. Virtual list view indexes can be created on any branch point in the directory tree to improve display performance. See Also: br...

Page 125: ...le instance, 96; migrating replicated site, 97; migrating to a different machine, 99; migrating to another platform, 100; port, 1; re-registering Directory Server with Configuration Directory Server, 67; Red Hat Enterprise Linux: custom, 33; express, 28; typical, 30; registering Directory Server with Configuration Directory Server, 67; removing a single instance, 79; Solaris: custom, 60; express, 54; typical, 57; starting and ...

Page 126: ...UX 11i, 39; Red Hat Enterprise Linux, 26; Solaris, 51. M. Migrating, 91: overview, 91; prerequisites, 95; back up databases, 95; configure the Directory Server Console (for multi-master replication only), 95; scenarios: all or single instance, 96; different machines, 99; different platforms, 100; replicated site, 97. O. Operating system requirements, 13: dsktune, 14; HP-UX, 17: patches, 18; system configuration, 18; Red Hat Enterprise ...

Page 127: ...tup, 68; Directory Server only, 69; setup-ds.pl, 67; Silent setup, 68: Directory Server only, 69; Solaris, 51: custom setup, 60; express setup, 54; hardware requirements, 20; installing Directory Server packages from ISO, 54; installing Directory Server packages individually, 52; installing JRE, 51; required patches, 20; system configuration, 21: DNS and NIS, 22; File descriptors, 23; Perl, 21; TCP tuning, 22; typical setup, 57; unins...
