setup-ds-admin.pl, does not allow you to configure the Administration Server to use TLS/SSL. To use TLS/SSL (meaning HTTPS) with the Administration Server, first set up the Administration Server to use HTTP, then reconfigure it to use HTTPS.

NOTE

When determining the port numbers you will use, verify that the specified port numbers are not already in use by running a command like netstat.

If you are using ports below 1024, such as the default LDAP port (389), you must run the setup program and start the servers as root. You do not, however, have to set the server user ID to root.

When it starts, the server binds and listens to its port as root, then immediately drops its privileges and runs as the non-root server user ID. When the system restarts, the server is started as root by the init script. The setuid(2) man page [1] has detailed technical information.

Section 1.2.4, “Directory Server User and Group” has more information about the server user ID.

1.2.3. Firewall Considerations

The Directory Server instance may be on a different server or network than clients which need to
access it. For example, the Red Hat Certificate System subsystems require a Directory Server LDAP
database to store their certificate, key, and user information, but these servers do not need to be on
the same machine.

When installing Directory Server, make sure that you consider the location of the instance on the
network and that all firewalls, DMZs, and other network services allow the client to access the
Directory Server. There are two considerations about using firewalls with Directory Server and
directory clients:

• Protecting sensitive subsystems from unauthorized access

• Allowing appropriate access to other systems and clients outside of the firewall

Make sure that the firewalls allow access to the Directory Server secure (636) and standard (389) ports, so that any clients which must access the Directory Server instance are able to contact it.

1.2.4. Directory Server User and Group

The setup process sets a user ID (UID) and group ID (GID) as which the servers will run. The default UID is a non-privileged (non-root) user, nobody on Red Hat Enterprise Linux and daemon on HP-UX. Red Hat strongly recommends using this default value.

IMPORTANT

The same UID is used for both the Directory Server and the Administration Server by default, which simplifies administration. If you choose a different UID for each server, those UIDs must both belong to the group assigned to Directory Server.

For security reasons, Red Hat strongly discourages you from setting the Directory Server or Administration Server user to root. If an attacker gains access to the server, he might be able to

[1] http://grove.ufl.edu/cgi-bin/webman?man2+setuid.2.gz

Red Hat Directory Server 8.1 Installation Guide. Ella Deon Lackey. Publication date April 28, 2009, updated on January 11, 2010.
Page 2: ...nd agrees not to assert Section 4d of CC BY SA to the fullest extent permitted by applicable law Red Hat Red Hat Enterprise Linux the Shadowman logo JBoss MetaMatrix Fedora the Infinity Logo and RHCE are trademarks of Red Hat Inc registered in the United States and other countries Linux is the registered trademark of Linus Torvalds in the United States and other countries All other trademarks are ...

Page 3: ...1 4 Overview of Setup 9 2 System Requirements 15 2 1 General Hardware Requirements 15 2 2 Using dsktune 15 2 3 Red Hat Enterprise Linux 4 and 5 16 2 3 1 Red Hat Enterprise Linux Patches 17 2 3 2 Red Hat Enterprise Linux System Configuration 17 2 4 HP UX 11i 18 2 4 1 HP UX Patches 19 2 4 2 HP UX System Configuration 19 3 Setting up Red Hat Directory Server on Red Hat Enterprise Linux 23 3 1 Install...

Page 4: ...y Server Instance 69 5 7 2 Uninstalling Directory Server 69 6 Migrating from Previous Versions 71 6 1 Migration and Upgrade Overview 71 6 2 Migrating 7 1 Servers 72 6 2 1 About migrate ds admin pl 73 6 2 2 Before Migration 75 6 2 3 Migrating a Server or Single Instance 76 6 2 4 Migrating Replicated Servers 77 6 2 5 Migrating a Directory Server from One Machine to Another 78 6 2 6 Migrating a Direc...

Page 5: ...istrator s Guide The Directory Server setup process requires information specific to the Directory Server instance being configured information about the host names port numbers passwords and IP addresses that will be used The setup program attempts to determine reasonable default values for these settings based on your system environment Read through this manual before beginning to configure the ...

Page 6: ...ib mozldap directory on Red Hat Enterprise Linux 5 32 bit or usr lib64 mozldap for 64 bit systems However Red Hat Enterprise Linux systems also include LDAP tools from OpenLDAP in the usr bin directory It is possible to use the OpenLDAP commands as shown in the examples but you must use the x argument to disable SASL which OpenLDAP tools use by default 1 4 Text Formatting and Styles Certain words ...

Page 7: ... with Directory Server concepts and have done some preliminary planning for your directory service install the Directory Server The instructions for installing the various Directory Server components are contained in the Red Hat Directory Server Installation Guide Many of the scripts and commands used to install and administer the Directory Server are explained in detail in the Red Hat Directory S...

Page 8: ...on about Directory Server including current release notes complete product documentation technical notes and deployment information see the Red Hat Directory Server documentation site at http www redhat com docs manuals dir server 3 Giving Feedback If there is any error in this Installation Guide or there is any way to improve the documentation please let us know Bugs can be filed against the docu...

Page 9: ...e silent configuration parameters for the register ds admin pl script per Bugzilla 514231 Revision 8 1 2 September 9 2009 Ella Deon Lackey Removing any references to the Directory Server Gateway or Org Chart Revision 8 1 1 May 2 2009 Ella Deon Lackey dlackey redhat com Correcting 8 0 to 8 1 update procedure Revision 8 1 0 April 28 2009 Ella Deon Lackey dlackey redhat com Initial draft for version ...

Page 10: ...x ...

Page 11: ...databases adding entries and monitoring servers and viewing statistics The Administration Server is the management agent which administers Directory Servers It communicates with the Directory Server Console and performs operations on the Directory Server instances It also provides a simple HTML interface and on line help pages There must be one Administration Server running on each machine which h...

Page 12: ...te fully qualified domain name for their configuration 1 2 2 Port Numbers The Directory Server setup requires two TCP IP port numbers one for the Directory Server and one for the Administration Server These port numbers must be unique The Directory Server instance LDAP has a default port number of 389 The Administration Server port number has a default number of 9830 If the default port number for...

Page 13: ...e servers do not need to be on the same machine When installing Directory Server make sure that you consider the location of the instance on the network and that all firewalls DMZs and other network services allow the client to access the Directory Server There are two considerations about using firewalls with Directory Server and directory clients Protecting sensitive subsystems from unauthorized...

Page 14: ...ory Manager DN is cn Directory Manager The Directory Manager password must contain at least 8 characters which must be ASCII letters digits or symbols 1 2 6 Directory Administrator The Directory Server setup also creates an administrator user specifically for Directory Server and Administration Server server management called the Directory Administrator The Directory Administrator is the super use...

Page 15: ...user directory If you install Directory Server for general directory services and there is more than one Directory Server in your organization you must determine which Directory Server instance will host the configuration directory tree o NetscapeRoot Make this decision before installing any compatible Directory Server applications The configuration directory is usually the first one you set up Si...

Page 16: ...l script If simply the setup script is run then the script launches an interactive installer which prompts for configuration settings for the Directory Server and Administration Server instances For example setup ds admin pl The setup ds admin pl script can also accept a setup file or have arguments passed with the command to supply configuration information automatically setup ds admin pl s f exp...

Page 17: ... inf file but overrides FullMachineName and ServerIdentifier with the command line arguments NOTE The section names and parameter names used in the inf files and on the command line are case sensitive Refer to Table 1 1 setup ds admin Options to check the correct capitalization The inf file has an additional option ConfigFile which imports the contents of any LDIF file into the Directory Server Th...

Page 18: ...nce This can be used with the silent parameter if used alone it sets the default values for the setup prompts The inf parameters are described in Section 5 5 5 1 inf File Directives usr sbin setup ds admin pl f export sample inf debug d dddd This parameter turns on debugging information For the d flag increasing the number of d s increases the debug level keepcache k This saves the temporary insta...

Page 19: ...ile name to dev null l dev null update u This parameter updates existing Directory Server instances If an installation is broken in some way this option can be used to update or replace missing packages and then re register all of the local instances with the Configuration Directory Table 1 1 setup ds admin Options 1 4 Overview of Setup After the Directory Server packages are installed there is a ...

Page 20: ...er Administration Server settings and also allows data to be imported into the Directory Server at setup so that entries are already populated in the databases when the setup is complete The information requested with the setup process is described in Table 1 2 Comparison of Setup Types There is a fourth setup option silent setup which uses a configuration file and command line options to supply t...

Page 21: ...N A Set the Configuration Directory Server URL 1 ldap ldap example com 389 o NetscapeRoot General ConfigDirectoryLdapURL ldap ldap example com 389 o NetscapeRoot Give the Configuration Directory Server user ID 1 admin General ConfigDirectoryAdminID admin Give the Configuration Directory Server user password 1 password General ConfigDirectoryAdminPwd password Give the Configuration Directory Server...

Page 22: ...ix dc domain dc component slapd Suffix dc example dc com Set the Directory Manager ID cn Directory Manager slapd RootDN cn Directory Manager Set the Directory Manager password password slapd RootDNPwd password Install sample entries Yes or no slapd AddSampleEntries Yes Populate the Directory Server with entries Supply the full path and filename to an LDIF file Type suggest which imports common con...

Page 23: ...Red Hat Enterprise Linux or daemon on HP UX admin SysUser nobody Are you ready to configure your servers Yes or no N A This option is only available if you choose to register the Directory Server instance with a Configuration Directory Server This option is only available if you choose not to register the Directory Server instance with a Configuration Directory Server In that case the Directory Se...

Page 24: ...14 ...

Page 25: ...d libraries are listed for each 2 1 General Hardware Requirements Red Hat recommends minimum of 4 GB of disk space for a typical installation while directories with more than a million entries can require 8 GB or more Red Hat suggests 1 GB of RAM Table 2 1 Hardware Requirements Based on Number of Entries contains guidelines for Directory Server disk space and memory requirements based upon on the ...

Page 26: ...best performance on large production system NOTICE The net ipv4 tcp_keepalive_time is set to 7200000 milliseconds 120 minutes This may cause temporary server congestion from lost client connections WARNING There are only 1024 file descriptors hard limit available which limit the number of simultaneous connections WARNING There are only 1024 file descriptors soft limit available which limit the num...

Page 27: ...orm kernel x x x x If the machine has multiple CPUs the kernel must be presented the form kernel smp x x x x To determine the components running on the machine run rpm qa Run the dsktune utility to see if you need to install any other patches dsktune helps verify whether the appropriate patches are installed on the system and provides useful information for tuning your kernel parameters for best p...

Page 28: ...llowing entry nofile 8192 4 Edit the etc pam d system auth and add this entry session required lib security ISA pam_limits so 5 Reboot the Linux machine to apply the changes 2 3 2 3 DNS Requirements It is very important that DNS and reverse DNS be working correctly on the host machine especially if you are using TLS SSL or Kerberos with Directory Server Configure the DNS resolver and the NIS domai...

Page 29: ...atest releases http www software hp com SUPPORT_PLUS qpk html http welcome hp com country us eng support htm The first package to install is the PHSS_30966 ld 1 and linker tools cumulative patch The other required patches are listed in Table 2 5 HP UX 11i Patches Run the dsktune utility to see if you need to install any other patches dsktune helps verify whether the appropriate patches are install...

Page 30: ... 11i Kernel Parameters Parameter Setting maxfiles 1024 nkthread 1328 max_thread_proc 512 maxuser 64 maxuprc 512 nproc 750 Table 2 6 HP UX 11i Kernel Parameters 2 4 2 3 TIME_WAIT Setting Normally client applications that shut down correctly cause the socket to linger in a TIME_WAIT state Verify that the TIME_WAIT entry is set to a reasonable duration For example ndd set dev tcp tcp_time_wait_interv...

Page 31: ... Server Configure the DNS resolver and the NIS domain name by the modifying the etc resolv conf etc nsswitch conf and etc netconfig files and set the DNS resolver for name resolution Edit the etc defaultdomain file to include the NIS domain name This ensures that the fully qualified host and domain names used for the Directory Server resolve to a valid IP address and that that IP address resolves ...

Page 32: ...22 ...

Page 33: ... express typical and custom These setup types provide different levels of control over the configuration settings such as port numbers directory suffixes and users and groups for the Directory Server processes Express has the least amount of input meaning it uses more default or randomly generated settings while custom allows the most control over the configuration by having the user supply a lot ...

Page 34: ...ny older instance to Directory Server 8 1 if you need to manage that instance with the Directory Server Console To install OpenJDK yum install java 1 6 0 openjdk OpenJDK is also available from http openjdk java net install After installing the JDK run usr sbin alternatives as root to insure that the proper JDK is available usr sbin alternatives config java There are 3 programs which provide java S...

Page 35: ...n the setup ds admin pl script to set up and configure the default Directory Server instance and the Administration Server usr sbin setup ds admin pl This script allows parameters to be passed with it or to specify configuration files to use The options are described more in Section 1 3 About the setup ds admin pl Script 3 Accept the licensing agreement 4 On the next screen review the dsktune outp...

Page 36: ...is extremely important that you perform a migration not a fresh installation Migration is described in Chapter 6 Migrating from Previous Versions 1 After the Directory Server packages are installed as described in Section 3 2 Installing the Directory Server Packages then launch the setup ds admin pl script usr sbin setup ds admin pl This script allows parameters to be passed with it or to specify ...

Page 37: ...ory Server administrator s user ID by default this is admin The administrator user s password The Configuration Directory Server Admin domain such as example com The CA certificate to authenticate to the Configuration Directory Server This is only required if the Directory Server instance will connect to the Configuration Directory Server over LDAPS This should be the full path and filename the CA...

Page 38: ... up your directory service do the following 1 Get the Administration Server port number from the Listen parameter in the console conf configuration file grep Listen etc dirsrv admin serv console conf Listen 0 0 0 0 9830 2 Using the Administration Server port number launch the Console usr bin redhat idm console a http localhost 9830 NOTE If you do not pass the Administration Server port number with...

Page 39: ...puter name ldap example com NOTE The Directory Server requires the fully qualified domain name to set up the servers as described in Section 1 2 1 Resolving the Fully qualified Domain Name The setup script uses the system s gethostname function to obtain the hostname such as ldap and the etc resolv conf file to identify the domain name such as example com Therefore if there are aliases in the etc ...

Page 40: ...ldap example com 389 o NetscapeRoot To use TLS SSL set the protocol as ldaps instead of ldap For LDAPS use the secure port 636 instead of the standard port 389 and provide a CA certificate The Configuration Directory Server administrator s user ID by default this is admin The administrator user s password The Configuration Directory Server Admin domain such as example com The CA certificate to aut...

Page 41: ...s successfully created Creating the configuration directory server Beginning Admin Server reconfiguration Creating Admin Server files and directories Updating adm conf Updating admpw Registering admin server with the configuration directory server Updating adm conf with information from configuration directory server Updating the configuration for the httpd engine Restarting admin server The admin...

Page 42: ...igrating from Previous Versions 1 After the Directory Server packages are installed as described in Section 3 2 Installing the Directory Server Packages then launch the setup ds admin pl script usr sbin setup ds admin pl This script allows parameters to be passed with it or to specify configuration files to use The options are described more in Section 1 3 About the setup ds admin pl Script 2 Sele...

Page 43: ...cess will run The default is nobody nobody For example System User nobody System Group nobody 7 The next step allows you to register your Directory Server with an existing Directory Server instance called the Configuration Directory Server This registers the new instance so it can be managed by the Console If this is the first Directory Server instance set up on your network it is not possible to ...

Page 44: ...gram supplies a randomly generated one Directory server network port 389 1066 12 Enter the Directory Server identifier this defaults to the hostname Directory server identifier example The server identifier must not contain a period or space character 13 Enter the directory suffix This defaults to dc domain name For example Suffix dc example dc com 14 Set the Directory Manager username The default...

Page 45: ...ks if you are ready to set up your servers Select yes Are you ready to set up your servers yes Creating directory server Your new DS instance example3 was successfully created Creating the configuration directory server Beginning Admin Server reconfiguration Creating Admin Server files and directories Updating adm conf Updating admpw Registering admin server with the configuration directory server...

Page 46: ...Server on Red Hat Enterprise Linux 36 usr bin redhat idm console a http localhost 9830 NOTE If you do not pass the Administration Server port number with the redhat idm console command then you are prompted for it at the Console login screen ...

Page 47: ... meaning it uses more default or randomly generated settings while custom allows the most control over the configuration by having the user supply a lot of configuration information These setup types are described more in Table 1 2 Comparison of Setup Types For most deployments the typical installation type is all that is required NOTE There is a fourth setup option called a silent installation Th...

Page 48: ... docs hp com en internet html Netscape 20Directory 20Server Red 20Hat 20Directory 20Server After the Directory Server packages are installed run the setup program to set up and configure the default Directory Server instance and the Administration Server opt dirsrv sbin setup ds admin pl Accept the initial screens for licensing and dsktune output then select the setup type and proceed with configu...

Page 49: ... script allows parameters to be passed with it or to specify configuration files to use The options are described more in Section 1 3 About the setup ds admin pl Script NOTE Run the setup ds admin pl script as root 2 Select y to accept the Red Hat licensing terms 3 The dsktune utility runs Select y to continue with the setup dsktune checks the available disk space processor type physical memory an...

Page 50: ...ed if the Directory Server instance will connect to the Configuration Directory Server over LDAPS This should be the full path and filename the CA certificate in PEM ASCII format This information is supplied in place of creating an admin user for the new Directory Server in steps 6 and 7 6 Set the administrator username The default is admin 7 Set the administrator password and confirm it 8 Set the...

Page 51: ...nsole conf Listen 0 0 0 0 9830 2 Using the Administration Server port number launch the Console opt dirsrv bin redhat idm console a http localhost 9830 NOTE If you do not pass the Administration Server port number with the redhat idm console command then you are prompted for it at the Console login screen 4 4 Typical Setup The typical setup process is the most commonly used setup process It offers...

Page 52: ...d Domain Name The setup script uses the system s gethostname function to obtain the hostname such as ldap and the etc resolv conf file to identify the domain name such as example com Therefore if there are aliases in the etc hosts file that do not match the specified domains in the etc resolv conf settings the setup script cannot correctly generate the fully qualified domain name as it is used by ...

Page 53: ...e administrator user s password The Configuration Directory Server Admin domain such as example com The CA certificate to authenticate to the Configuration Directory Server This is only required if the Directory Server instance will connect to the Configuration Directory Server over LDAPS This should be the full path and filename the CA certificate in PEM ASCII format This information is supplied ...

Page 54: ... server Beginning Admin Server reconfiguration Creating Admin Server files and directories Updating adm conf Updating admpw Registering admin server with the configuration directory server Updating adm conf with information from configuration directory server Updating the configuration for the httpd engine Restarting admin server The admin server was successfully started Admin server was successfu...

Page 55: ...r packages are installed as described in Section 4 2 Installing the Directory Server Packages then launch the setup ds admin pl script opt dirsrv sbin setup ds admin pl This script allows parameters to be passed with it or to specify configuration files to use The options are described more in Section 1 3 About the setup ds admin pl Script 2 Select y to accept the Red Hat licensing terms 3 The dsk...

Page 56: ...he Directory Server process will run The default is daemon daemon For example System User daemon System Group daemon 7 The next step allows you to register your Directory Server with an existing Directory Server instance called the Configuration Directory Server This registers the new instance so it can be managed by the Console If this is the first Directory Server instance set up on your network...

Page 57: ...ated one Directory server network port 389 1066 12 Enter the Directory Server identifier this defaults to the hostname Directory server identifier example The server identifier must not contain a period or space character 13 Enter the directory suffix This defaults to dc domain name For example Suffix dc example dc com 14 Set the Directory Manager username The default is cn Directory Manager 15 Se...

Page 58: ...n 21 The last screen asks if you are ready to set up your servers Select yes Are you ready to set up your servers yes Creating directory server Your new DS instance example3 was successfully created Creating the configuration directory server Beginning Admin Server reconfiguration Creating Admin Server files and directories Updating adm conf Updating admpw Registering admin server with the configu...

Page 59: ... 49 opt dirsrv bin redhat idm console a http localhost 9830 NOTE If you do not pass the Administration Server port number with the redhat idm console command then you are prompted for it at the Console login screen ...

Page 60: ...50 ...

Page 61: ...Server you may have to edit the Administration Server configuration directly via LDAP See http directory fedoraproject org wiki Howto AdminServerLDAPMgmt for information on editing the Administration Server configuration 5 1 1 Configuring IP Authorization on the Administration Server The Directory Server Console can be launched from remote machines to access an instance of Directory Server The cli...

Page 62: ...ion Server After Installing Directory Server A Directory Server instance alone can be installed a machine using setup ds pl It is possible to go back later and install an Administration Server instance using the register ds admin pl command For example register ds admin pl When this script runs it creates a local Administration Server 5 2 Working with Directory Server Instances The setup scripts c...

Page 63: ...figuration Directory Server and Administration Server are omitted Using this command to create a Directory Server instance means that the instance has to be managed through the command line or other tools or it can be registered with the Configuration Directory Server to manage it with the Console See Section 5 3 2 Registering an Existing Directory Server Instance with the Configuration Directory ...

Page 64: ... the register ds admin pl script usr sbin register ds admin pl IMPORTANT Running register ds admin pl creates a default instance of the Administration Server and Configuration Directory Server if they do not already exist then registers any existing Directory Servers with the Configuration Directory Server IMPORTANT The register ds admin pl script does not support external LDAP URLs so the Directo...

Page 65: ...yLdapURL ldap dir example com 389 o NetscapeRoot slapd SlapdConfigForMC Yes UseExistingMC 0 ServerPort 389 ServerIdentifier dir Suffix dc example dc com RootDN cn Directory Manager RootDNPwd secret ds_bename exampleDB AddSampleEntries No admin Port 9830 ServerIpAddress 111 11 11 11 ServerAdminID admin ServerAdminPwd admin There are three sections of directives in the inf file to create the default...

Page 66: ... FullMachineName dir example com SuiteSpotUserID nobody SuiteSpotGroup nobody slapd ServerPort 389 ServerIdentifier dir Suffix dc example dc com RootDN cn Directory Manager RootDNPwd secret ds_bename exampleDB SlapdConfigForMC Yes UseExistingMC 0 AddSampleEntries No There are two sections of directives in the instance creation General and slapd Installing the Administration Server which is done in...

Page 67: ...rs must quoted to prevent the shell from interpreting them In the previous example the suffix value has a space character so the entire parameter has to be quoted If many of the parameters have to be quoted or escaped use an inf file instead You can use an inf file in conjunction with command line parameters Parameters set in the command line override those specified in an inf file which is useful...

Page 68: ...s for the setup prompts usr sbin setup ds admin pl f export sample inf debug d dddd This parameter turns on debugging information For the d flag increasing the number of d s increases the debug level keepcache k This saves the temporary installation file inf that is created when the setup script is run This file can then be reused for a silent setup This file is always generated but is usually del...

Page 69: ...File parameter can be used multiple times it is a good idea to have multiple LDIF files so that the individual entries are easy to manage The ConfigFile parameter is set in the slapd section of the inf For example to configure a new Directory Server instance as a supplier in replication ConfigFile can be used to create the replication manager replica and replication agreement entries slapd ConfigF...

Page 70: ... with the setup ds admin pl command is described in Section 1 3 About the setup ds admin pl Script The inf file has three sections General which supplies information about the server machine these are global directives that are common to all your Directory Servers slapd which supplies information about the specific Directory Server instance this information like the port and server ID must be uniq...

Page 71: ... Linux and daemon on HP UX This should be changed for most deployments No nobody SuiteSpotGroup Specifies the group as which the servers will run The default is group nobodyon Linux and daemon on HP UX This should be changed for most deployments No nobody ConfigDirectoryLdapURL Specifies the LDAP URL that is used to connect to your configuration directory LDAP URLs are described in the Directory S...

Page 72: ...onnections For information on selecting server port numbers see Section 1 2 2 Port Numbers No 389 ServerIdentifier Specifies the server identifier This value is used as part of the name of the directory in which the Directory Server instance is installed For example if the machine s hostname is phonebook then this name is the default and selecting it installs the Directory Server instance in a dir...

Page 73: ...ve has no effect The default is no No Yes InstallLdifFile Populates the new directory with the contents of the specified LDIF file Using suggest fills in common container entries like ou People Entering a path to an LDIF file imports all of the entries in that file No InstallLdifFile tmp entries myldif ldif AddSampleEntries Sets whether to load an LDIF file with entries for the user directory duri...

Page 74: ... whether to store the configuration data in the new Directory Server instance If this is not used then the default is yes meaning the configuration data are stored in the new instance No SlapdConfigForMC no UseExistingMC Sets whether to store the configuration data in a separate Configuration Directory Server If this is not used then the default is 0 meaning the configuration data are stored in th...

Page 75: ...ctive See Section 1 2 6 Directory Administrator No admin ServerAdminPwd Specifies the password for the Administration Server user No ServerIpAddress Specifies the IP address on which the Administration Server will listen Use this directive if you are installing on a multi homed system and you do not want to use the first IP address for the Administration Server No Table 5 5 admin Directives 5 5 5 ...

Page 76: ...rverIdentifier directory Suffix dc example dc com RootDN cn Directory Manager UseReplication No AddSampleEntries No InstallLdifFile suggest AddOrgEntries Yes DisableSchemaChecking No RootDNPwd admin123 admin Port 33646 ServerIpAddress 111 11 11 11 ServerAdminID admin ServerAdminPwd admin Example 5 2 inf File for Registering the Instance with a Configuration Directory Server Typical Setup 5 6 Insta...

Page 77: ...ample,dc=com. Hit Next, then Finish, to install Password Sync. 5. Reboot the Windows machine to start Password Sync. NOTE: The Windows machine must be rebooted. Without rebooting, PasswordHook.dll is not enabled, and password synchronization will not function. The first attempt to synchronize passwords, which happens when the Password Sync application is installed, will always fail because the SSL connect...

Page 78: ...word Sync is first installed, then the passwords for those user accounts cannot be synchronized until they are changed, because Password Sync cannot decrypt a password once it has been hashed in Active Directory. Directory / Library:
    C:\WINDOWS\system32\passhook.dll
    C:\WINDOWS\system32\libnspr4.dll
    C:\WINDOWS\system32\nss3.dll
    C:\WINDOWS\system32\sqlite3.dll
    C:\WINDOWS\system32\softokn3.dll...

Page 79: ...Directory Server without uninstalling the system: /usr/sbin/ds_removal -s server_id -w admin_password -f. The ds_removal script unregisters the server from the Configuration Directory Server and removes any related files and directories. The key and cert files are left in the instance configuration directory, and the configuration directory is renamed removed.instance_name. NOTE: If there is a problem with ...

Page 80: ...re mozldap mozldap-tools perl-Mozilla-LDAP --nodeps
    rpm -ev redhat-ds-base --nodeps
    rpm -ev redhat-ds-admin redhat-ds-console redhat-admin-console --nodeps
    rpm -ev idm-console-framework redhat-idm-console --nodeps
5.7.2.2. HP-UX. To uninstall Red Hat Directory Server entirely, do the following: 1. Remove all of the Directory Server instances:
    /opt/dirsrv/sbin/ds_removal -s example1 -w itsasecret
    /opt/dirsrv/sbin/ds_re...

Page 81: ...ation scenario, the migration script only requires two pieces of information with the command: the old server root path and the password for the directory administrator.
    /usr/sbin/migrate-ds-admin.pl --oldsroot /opt/redhat-ds General.ConfigDirectoryAdminPwd=password
The different migration scenarios and migration script options are described in this chapter. 6.1. Migration and Upgrade Overview. Moving from ...

Page 82: ...g a Directory Server from One Machine to Another; Section 6.2.6, Migrating a Directory Server from One Platform to Another. WARNING: If Directory Server databases have been moved from their default location, /opt/redhat-ds/slapd-instancename/db, migration will not copy these databases but will use them directly. This means that if you run migration, you may not be able to go back to the old version. Migratio...

Page 83: ...t machines, the migrate-ds-admin tool is in the /usr/sbin directory. On HP-UX machines, the migrate-ds-admin is in the /opt/dirsrv/sbin directory. Option | Alternate Options | Description. General.ConfigDirectoryAdminPwd=password: Required. This is the password for the configuration directory administrator of the old Directory Server; the default username is admin. --oldsroot | -o: Required. This is the path to the ser...

Page 84: ...cross | -c or -x: This parameter is used when the Directory Server is being migrated from one machine to another with a different architecture. For cross-platform migrations, only certain data are migrated. This migration action takes database information exported to LDIF and imports it into the new 8.1 databases. Changelog information is not migrated. If a supplier or hub is migrated, then all its replicas mus...

Page 85: ...ctory Server configuration parameters are only taken from the old instance. It is not possible to change the configuration settings, such as the hostname or port, using the migration script. 6.2.2. Before Migration. For the safety of the Directory Server data, do these things before beginning to migrate the Directory Server instances: Shut down all Directory Server instances and the Administration Server ...

Page 86: ...pd-pluginEnabled: off. 5. Restart the Directory Server and Administration Server. 6.2.3. Migrating a Server or Single Instance. To migrate a Directory Server installation to a new one on the same machine, run the migration script, specifying the old server root directory:
    /usr/sbin/migrate-ds-admin.pl --oldsroot /opt/redhat-ds General.ConfigDirectoryAdminPwd=password
That command automatically migrates every D...

Page 87: ...anges before putting the system into production. 6.2.4. Migrating Replicated Servers. The process for migrating a replicated system is the same as for a single server, but the order in which the Directory Server instances are migrated is important to keep from interrupting replication. First migrate all master servers, then all hubs, and then all consumers. If any Directory Server in the replicated system will be move...

Page 88: ...correctly. 8. After you finish this process for all of the master servers, repeat the steps for the hub servers and then for the replicas. IMPORTANT: Always verify the Directory Server configuration after migrating from 7.1 to 8.1. Some configuration settings, like passwordMinLength for a global password policy, are not migrated. Review all policy settings in the new 8.1 instance and make any changes before...

Page 89: ...ample, this script migrates a Directory Server on server1 to server2 using an NFS-mounted directory:
    /usr/sbin/migrate-ds-admin.pl --oldsroot /server2/migration/opt/redhat-ds --actualsroot /opt/redhat-ds General.ConfigDirectoryAdminPwd=password
The --oldsroot can also specify a local directory on the target machine that was created from a tarball. In that case, create a tarball of your old server root director...

Page 90: ... 8.1 instance and make any changes before putting the system into production. 6.2.6. Migrating a Directory Server from One Platform to Another. To migrate a Directory Server installation from one platform to another is similar to migrating from one machine to another. The difference between a migration between platforms and other migration scenarios is the information migrated from the old Directory S...

Page 91: ...re readable by the setup script:
    chmod 444 /opt/redhat-ds/slapd-instance/db/userRoot.ldif
    chmod 444 /opt/redhat-ds/slapd-instance/db/NetscapeRoot.ldif
5. Install the Directory Server 8.1 packages on the new machine which will host Directory Server. 6. Make the old Directory Server accessible to the new machine, either through an NFS-mounted drive or tarball. 7. Run the migration script as root. Specify the ...

Page 92: ...r/lib/dirsrv/slapd-instance_name/bak/instance_name-2009_04_30_16_27_56. 2. Get the repo name by running yum check-update. For example:
    yum check-update
    Loaded plugins: rhnplugin, security
    rhel-x86_64-server-5-rhdirserv-8
3. Install or upgrade the Directory Server 8.1 packages. For example:
    yum update -y
This automatically updates the Red Hat Directory Server packages as well as any other required packages. R...

Page 93: ...packages. For example:
    rpm -qf /usr/sbin/setup-ds-admin.pl
    redhat-ds-admin-8.1.0-9.el5dsrv
Also restart the Directory Server Console to make sure that the version and build numbers are appropriately updated. 7. The Distributed Numeric Assignment and MemberOf Plug-ins are new with Directory Server 8.1. Their configuration is not automatically added to the dse.ldif file with the in-place upgrade, so you nee...

Page 94: ...emberOf Plugin,cn=plugins,cn=config. Hit Enter twice or type Ctrl-D to close the ldapmodify operation. NOTE: If you edit the dse.ldif file directly, you need to stop the server first. 8. Restart the Directory Server. You must always restart the Directory Server after editing the plug-in configuration:
    service dirsrv restart
The process for upgrading servers in replication is the same as for a single serve...

Page 95: ...rver user and configuration data. For example:
    cd /usr/lib/dirsrv/slapd-instance_name
    db2bak /var/lib/dirsrv/slapd-instance_name/bak/instance_name-2009_04_30_16_27_56
2. Export all of the database information to LDIF. The LDIF file must be named the name of the database with .ldif appended. For example:
    db2ldif -r -n userRoot -a /var/lib/dirsrv/slapd-instance_name/db/userRoot.ldif
    db2ldif -r -n NetscapeRoot -a /va...

Page 96: ...to the Active Directory machine. IMPORTANT: Although the Password Sync packages are listed in every Directory Server channel in Red Hat Network (Solaris, Red Hat Enterprise Linux 32-bit, and Red Hat Enterprise Linux 64-bit), Password Sync is only supported on 32-bit Windows machines. 2. Double-click on the PassSync.msi file to install it. 3. All of the previous information should be included, so click Finish ...

Page 97: ...s ldap.example.com, the instance name is ldap by default. The Administration Server directories are named the same as the Directory Server directories, only instead of the instance as a directory name, the Administration Server directories are named admin-serv. For any directory or folder named slapd-instance, substitute admin-serv, such as /etc/dirsrv/slapd-example and /etc/dirsrv/admin-serv. File or Direc...

Page 98: ...tools, such as ldapsearch, ldapmodify, and ldapdelete, for command-line operations. The MozLDAP tools are installed with Directory Server and are located in the /usr/lib/mozldap and /usr/bin/mozldap6 directories on Red Hat Enterprise Linux and in the /opt/dirsrv/bin/mozldap directory on HP-UX. When running any LDAP command, make sure that you are using the MozLDAP utilities; otherwise, the command will return...

Page 99: ...ord from the standard output. -x options: Specifies extra options. There are three values for extraOptions: nowinpos, which puts the Console window in the upper left corner of the screen; nologo, which keeps the splash screen from being displayed and only opens the login dialog; javalaf, which uses the Java look and feel for the Console interface rather than the platform-specific style. To use multiple optio...

Page 100: ...istration Server. There are two ways to start, stop, or restart the Administration Server. There are scripts in the /usr/sbin directory: /usr/sbin/start-ds-admin, /usr/sbin/stop-ds-admin, and /usr/sbin/restart-ds-admin. The Administration Server service can also be stopped and started using system tools on Red Hat Enterprise Linux. For example:
    service dirsrv-admin {start|stop|restart}
7.6. Resetting the Directory Manager Password. Passwords are stored i...

Page 101: ...at-ds start. 7. When the Directory Server restarts, log into the Console again as Directory Manager and verify that the password works. 7.7. Troubleshooting. 7.7.1. Running dsktune. dsktune runs when the Directory Server is first set up to check for minimum operating requirements. After the setup, the dsktune utility can determine the Directory Server patch levels and kernel parameter settings. To launch dsk...

Page 102: ...Problem: Clients cannot locate the server. Solution: First, modify the hostname. If that does not work, use the fully qualified domain name, like www.domain.com, and make sure the server is listed in the DNS. If that does not work, check the IP address. If the NIS domain is not the same as your DNS domain, check your fully qualified host and domain name. 7.7.2.2. Problem: The port is in use. When setting up a Dir...

Page 103: ...st reaches this limit, the server replaces that ID list with an All IDs token. See Also: ID list scan limit. All IDs token: A mechanism which causes the server to assume that all directory entries match the index key. In effect, the All IDs token causes the server to behave as if no index was available for the search request. anonymous access: When granted, allows anyone to access directory information with...

Page 104: ...base DN. bind DN: Distinguished name used to authenticate to Directory Server when performing an operation. bind distinguished name: See bind DN. bind rule: In the context of access control, the bind rule specifies the credentials and conditions that a particular user or client must satisfy in order to get access to directory information. branch entry: An entry that represents the top of a subtree in the d...

Page 105: ...cation. character type: Distinguishes alphabetic characters from numeric or other characters and the mapping of upper case to lower case letters. ciphertext: Encrypted information that cannot be read by anyone without the proper key to decrypt the information. class definition: Specifies the information needed to create an instance of a particular object and determines how the object works in relation t...

Page 106: ...per database instance. Default indexes can be modified, although care should be taken before removing them, as certain plug-ins may depend on them. definition entry: See CoS definition entry. Directory Access Protocol: See DAP. directory tree: The logical representation of the information stored in the directory. It mirrors the tree model used by most filesystems, with the tree's root point appearing at the ...

Page 107: ...arch request. equality index: Allows you to search efficiently for entries containing a specific attribute value. F. file extension: The section of a filename after the period or dot that typically defines the type of file (for example, GIF and HTML). In the filename index.html, the file extension is html. file type: The format of a given file. For example, graphics files are often saved in GIF format, while a t...

Page 108: ...hub: In the context of replication, a server that holds a replica that is copied from a different server and in turn replicates it to a third server. See Also: cascading replication. I. ID list scan limit: A size limit which is globally applied to any indexed search operation. When the size of an individual ID list reaches this limit, the server replaces that ID list with an all IDs token. index key: Each in...

Page 109: ...t used to represent Directory Server entries in text form. leaf entry: An entry under which there are no other entries. A leaf entry cannot be a branch point in a directory tree. Lightweight Directory Access Protocol: See LDAP. locale: Identifies the collation order, character type, monetary format, and time/date format used to present data for users of a specific region, culture, and/or custom. This includes ...

Page 110: ...a to be named and referenced. Also called the directory tree. monetary format: Specifies the monetary symbol used by a specific region, whether the symbol goes before or after its value, and how monetary units are represented. multi-master replication: An advanced replication scenario in which two servers each hold a copy of the same read-write replica. Each server maintains a changelog for the replica. Modi...

Page 111: ...identifier. operational attribute: Contains information used internally by the directory to keep track of modifications and subtree properties. Operational attributes are not returned in response to a search unless explicitly requested. P. parent access: When granted, indicates that users have access to entries below their own in the directory tree if the bind DN is the parent of the targeted entry. pass-...

Page 112: ...er: In pass-through authentication (PTA), the PTA Directory Server is the server that sends (passes through) bind requests it receives to the authenticating directory server. PTA LDAP URL: In pass-through authentication, the URL that defines the authenticating directory server, pass-through subtree(s), and optional parameters. R. RAM: Random access memory. The physical semiconductor-based memory in a computer. Inf...

Page 113: ...replica servers to which the data is pushed, the times during which replication can occur, the DN and credentials used by the supplier to bind to the consumer, and how the connection is secured. RFC: Request for Comments. Procedures or standards documents submitted to the Internet community. People can send comments on the technologies before they become accepted standards. role: An entry grouping mechanis...

Page 114: ...ible for a particular system task. Service processes do not need human intervention to continue functioning. SIE: Server Instance Entry. The ID assigned to an instance of Directory Server during installation. Simple Authentication and Security Layer: See SASL. Simple Network Management Protocol: See SNMP. single-master replication: The most basic replication scenario, in which multiple servers, up to four, eac...

Page 115: ...d to replica servers. supplier server: In the context of replication, a server that holds a replica that is copied to a different server is called a supplier for that replica. supplier-initiated replication: Replication configuration where supplier servers replicate directory data to any replica servers. symmetric encryption: Encryption that uses the same key for both encrypting and decrypting. DES is an ...

Page 116: ... a URL is protocol://machine:port/document. The port number is necessary only on selected servers, and it is often assigned by the server, freeing the user of having to place it in the URL. V. virtual list view index: Speeds up the display of entries in the Directory Server Console. Virtual list view indexes can be created on any branch point in the directory tree to improve display performance. See Also: br...
