Red Hat DIRECTORY SERVER 7.1 - GATEWAY CUSTOMIZATION Installation Guide


Content summary

Page 1 - Installation Guide

Red Hat Directory Server 8.0 8.0 Installation Guide ISBN: Publication date: January 11, 2008

Page 3 - Copyright © 2008

Directive Description Required user nobody on Linux and Solaris and daemon on HP-UX. This should be changed for most deployments. SuiteSpotGroup Specifies t

Page 4

Directive Description Required Example Section 2.1, “Port Numbers”. ServerIdentifier Specifies the server identifier. This value is used as part of the name

Page 5

Directive Description Required Example directive is used and InstallLdifFile is also used, then this directive has no effect. The default is no. InstallLdifF

Page 6

Directive Description Required Example This should be changed for most deployments. For information as to what users your servers should run, see Section 2.2

Page 7

Directive Description Required Example Server. Table 6.4. [admin] Directives 3.5.2. Sample .inf Files [General] FullMachineName= ldap.example.com SuiteSpotU

Page 8 - 1. Document Conventions

UseExistingUG= No ServerPort= 18257 ServerIdentifier= directory Suffix= dc=example,dc=com RootDN= cn=Directory Manager UseReplication= No AddSampleEntries=

Page 9 - 2. We Need Feedback!

/usr/sbin/ds_removal -s example3 -w itsasecret 2. Stop the Administration Server. /etc/init.d/dirsrv-admin stop 3. Then use the system tools to remove th

Page 10

rm -Rf /export/ds80 4. Remove the symlinks to the directories. For example: rm -f /opt/dirsrv /var/opt/dirsrv /etc/opt/dirsrv 4.2.3. Solaris To uninstall

Page 12

General Usage Information This chapter contains common information that you will use after installing Red Hat Directory Server 8.0, such as where files

Page 13 - 2.4. Directory Administrator

Preparing for a Directory Server Installation Before you install Red Hat Directory Server 8.0, there are required settings and information that you need

Page 14 - 2.7. Configuration Directory

File or Directory Location Log files /var/log/dirsrv/slapd-instance Configuration files /etc/dirsrv/slapd-instance Instance directory /usr/lib64/dirsrv/s

Page 15 - 2.8. Administration Domain

File or Directory Location Log files /var/opt/log/dirsrv/slapd-instance Configuration files /etc/opt/dirsrv/slapd-instance Instance directory /opt/dirsrv

Page 16

NOTE Make sure that the correct JRE — the program called java — is set in the PATH before launching the Console. When the login screen opens, you are pro

Page 17

/usr/lib/dirsrv/slapd-instance/start-slapd /usr/lib/dirsrv/slapd-instance/restart-slapd /usr/lib/dirsrv/slapd-instance/stop-slapd • The Directory Server

Page 18 - .inf that is

Passwords are stored in the Directory Server databases and can be modified with tools like ldapmodify and through the Directory Server Console. The Dir

Page 19 - 4. Overview of Setup

7. Troubleshooting 7.1. Running dsktune dsktune runs when the Directory Server is first set up to check for minimum operating requirements. After the set

Page 20

7.2. Common Installation Problems There are several common problems that can come up during the setup process, generally relating to network or naming p

Page 21 - 389/o=NetscapeRoot

Migrating from Previous Versions Red Hat Directory Server 6.x and 7.x instances can be migrated to Directory Server 8.0. Migration carries over all data

Page 22

WARNING If Directory Server databases have been moved from their default location (/opt/redhat-ds/slapd-instancename/db), migration will not copy these d

Page 23

On Red Hat Enterprise Linux and Solaris machines, the migrate-ds-admin tool is in the /usr/sbin/ directory. On HP-UX machines, the migrate-ds-admin is i

Page 24

one for the Administration Server. These port numbers must be unique. The Directory Server instance (LDAP) has a default port number of 389. The Admini

Page 25 - System Requirements

Option Alternate Options Description on the machine. --file=name -f name This sets the path and name of the .inf file provided with the migration script.

Page 26 - 2.1. Using dsktune

Option Alternate Options Description Table 8.1. migrate-ds-admin Options migrate-ds-admin.pl allows the password parameter to be provided on the command

Page 27

• Shut down all Directory Server instances and the Administration Server. • Back up all of your databases. • For servers which have a different configur

Page 28 - Requirements

4. Migration Scenarios The migration scenario differs depending on the type of existing Directory Server configuration you have. It is possible to migra

Page 29 - 2.2.2.2. File Descriptors

WARNING If Directory Server databases have been moved from their default location (/opt/redhat-ds/slapd-instancename/db), migration will not copy these d

Page 30 - 2.3. HP-UX 11i

/opt/redhat-ds/ is the directory where the old Directory Server is installed. The migration process starts. The legacy Directory Server is migrated, an

Page 31 - 2.3.1. HP-UX Patches

This issue does not occur in cross-platform migrations or migrating using LDIF files instead of the binary databases because these already work with an

Page 32 - 2.3.2.3. TIME_WAIT Setting

and then for the replicas. 4.3. Migrating a Directory Server from One Machine to Another To migrate a Directory Server installation from one machine to

Page 33 - 2.4. Sun Solaris 9

NFS-mounted directory: # /usr/sbin/migrate-ds-admin.pl --oldsroot server2:/migration/opt/redhat-ds --actualsroot /opt/redhat-ds General.ConfigDirectoryAd

Page 34 - 2.4.1. Solaris Patches

For example: # /usr/sbin/migrate-ds-admin.pl --oldsroot server2:/migration/opt/redhat-ds --actualsroot /opt/redhat-ds General.ConfigDirectoryAdminPwd=pas

Page 35

Section 2.2, “Directory Server User and Group” has more information about the server user ID. 2.2. Directory Server User and Group The setup process set

Page 36 - 2.4.2.2. TCP Tuning

1. Stop all Directory Server instances and the Administration Server. 2. Back up all the Directory Server user and configuration data. 3. Export all of

Page 37 - 2.4.2.4. File Descriptors

Glossary A access control instruction See ACI. ACI An instruction that grants or denies permissions to entries in the directory. See Also access control in

Page 38

value. attribute list A list of required and optional attributes for a given entry type or object class. authenticating directory server In pass-through au

Page 39

uses the HTTP protocol to communicate with the host server. browsing index Speeds up the display of entries in the Directory Server Console. Browsing in

Page 40 - 1. Installing the JRE

ciphertext Encrypted information that cannot be read by anyone without the proper key to decrypt the information. class definition Specifies the informa

Page 41

data master The server that is the master source of a particular piece of data. database link An implementation of chaining. The database link behaves l

Page 42 - 3. Express Setup

to a different host, specifically a DNS CNAME record. Machines always have one real name, but they can have one or more aliases. For example, an alias su

Page 43

gateway See Directory Server Gateway. general access When granted, indicates that all authenticated users can access directory information. GSS-API Gener

Page 44

indirect CoS An indirect CoS identifies the template entry using the value of one of the target entry's attributes. international index Speeds up s

Page 45 - 4. Typical Setup

Access Protocol See LDAP. locale Identifies the collation order, character type, monetary format and time / date format used to present data for users o

Page 46

this user administrative access. There are important differences between the Directory Administrator and the Directory Manager: • The administrator cann

Page 47

directory tree. monetary format Specifies the monetary symbol used by specific region, whether the symbol goes before or after its value, and how monetar

Page 48

object class Defines an entry type in the directory by defining which attributes are contained in the entry. object identifier A string, usually of deci

Page 49 - 5. Custom Setup

protocol A set of rules that describes how devices on a network exchange information. protocol data unit See PDU. proxy authentication A special form of

Page 50

process is called a referral. read-only replica A replica that refers all update operations to read-write replicas. A server can hold any number of read

Page 51

schema Definitions describing what types of information can be stored as entries in the directory. When information that does not match the schema is st

Page 52

See Also ns-slapd. SNMP Used to monitor and manage application processes running on the servers by exchanging data about network activity. Also Simple Ne

Page 53

T target In the context of access control, the target identifies the directory information to which a particular ACI applies. target entry The entries wi

Page 54

X.500 standard The set of ISO/ITU-T documents outlining the recommended information model, object classes and attributes used by directory server implem

Page 56

Appendix A. Revision History Revision History Revision 8.0.0-4 Thurs. Jan. 10, 2008 Ella Deon Lackey <[email protected]> Added note that Directory Se

Page 57

Server in your organization, you must determine which Directory Server instance will host the configuration directory tree, o=NetscapeRoot. Make this d

Page 59

Index Symbols .inf file, 88 directives, 89 samples, 94 A Administration domain, 5 Administration Server configuring IP authorization, 79 configuring proxy serv

Page 60

HP-UX, 20 Solaris, 24 HP-UX hardware requirements, 20 required patches, 21 system configuration, 22 DNS, 23 kernel parameters, 22 Large file support, 23 Perl,

Page 61

Solaris, 24 Perl HP-UX, 22 Red Hat Enterprise Linux, 19 Solaris, 26 Port number finding Administration Server, 102 R Red Hat Enterprise Linux, 29 custom setup,

Page 62

File descriptors, 19 Perl, 19 Solaris, 25 DNS and NIS, 27 File descriptors, 27 Perl, 26 TCP tuning, 26 T The port is in use, 106 Troubleshooting dsktune, 105 ins

Page 63

Would you like to continue with setup? [yes]: • Pressing Enter accepts the default answer and proceeds to the next dialog screen. Yes/No prompts accept

Page 64

• An .inf file can be used in conjunction with command line parameters. Parameters set in the command line override those specified in an .inf file, wh

Page 65

Option Alternate Options Description Example --silent parameter; if used alone, it sets the default values for the setup prompts. --debug -d[dddd] This par

Page 66

Option Alternate Options Description Example which to write the output. If this is not set, then the setup information is written to a temporary file. /expo

Page 67

This manual provides a high-level overview of design and planning decisions you need to make before installing Directory Server, and describes the diff

Page 68

NOTE It is possible to use y and n with the yes and no inputs described in Section 3.5, “About .inf File Parameters”. Setup Screen Parameter Input Express Ty

Page 69 - Custom Setup

Setup Screen Parameter Input Express Typical Custom Silent Setup File Parameter new Directory Server with an existing Configuration Directory Server Set the Configu

Page 70

Setup Screen Parameter Input Express Typical Custom Silent Setup File Parameter Administrator password Set the Directory Server port 389 [slapd] ServerPort=389 Set t

Page 71

Setup Screen Parameter Input Express Typical Custom Silent Setup File Parameter such as ou=People • Type none, which does not import any data [slapd] AddOrgEntries=

Page 73

System Requirements Before configuring the default Red Hat Directory Server 8.0 instances, it is important to verify that the host server has the requir

Page 74

Number of Entries Disk Space/Required Memory Free disk space: 8 GB Free memory: 1 GB Table 2.1. Hardware Requirements 2. Operating System Requirements Dire

Page 75

instances so that you can properly configure your kernel settings and install any missing patches. On Red Hat Enterprise Linux and Solaris, the dsktune

Page 76

Linux Patches”, and the recommended system configuration changes are described in Section 2.2.2, “Red Hat Enterprise Linux System Configuration”. Criter

Page 77

Criteria Requirements Red Hat Enterprise Linux 5 Server (x86 and x86_64) Required Filesystem ext3 Table 2.3. System Versions 2.2.2. Red Hat Enterprise Linu

Page 78

Red Hat Directory Server 8.0: Installation Guide Copyright © 2008 Copyright © You need to override this in your local ent file Red Hat. This material ma

Page 79

3. Then increase the maximum number of open files on the system by editing the /etc/security/limits.conf configuration file. Add the following entry: *

Page 80

Criteria Requirements deployment 2 GB minimum for larger environments 4 GB minimum for very large environments (more than a million entries) You must use t

Page 81

2.3.2. HP-UX System Configuration Before setting up Directory Server, tune your HP-UX system so Directory Server can access the respective kernel parame

Page 82

This limits the socket TIME_WAIT state to 60 seconds. 2.3.2.4. Large File Support To run Directory Server on HP-UX, you must enable large file support. 1

Page 83

are listed in Section 2.4.1, “Solaris Patches”, and the recommended configuration changes are described in Section 2.4.2, “Solaris System Configuration

Page 84

Patch ID Description 112233-12 SunOS 5.9: Kernel patch 112964-08 SunOS 5.9: /usr/bin/ksh patch 112808 CDE1.5: Tooltalk patch 113279-01 SunOS 5.9: klmmod p

Page 85

• Section 2.4.2.4, “File Descriptors” 2.4.2.1. Perl Prerequisites On Solaris systems, Red Hat Directory Server is installed with a Perl package, RHATper

Page 86

connections. If you increase the rlim_fd_max value to over 4096, you must decrease the tcp_smallest_anon_port value in the /etc/init.d/inetinit file. nd

Page 88

Setting up Red Hat Directory Server on Red Hat Enterprise Linux Installing and configuring Red Hat Directory Server on Red Hat Enterprise Linux has thre

Page 89 - /usr/bin/redhat-idm-console

Red Hat Directory Server 8.0

Page 90

NOTE There is a fourth setup option called a silent installation. This provides two ways of performing the setup without user interaction, either by pas

Page 91

2. Log in as root, and install the JRE. For example: rpm -Uvh java-1.5.0-ibm-1.5.0.5-1jpp.2.el4.i386.rpm After installing the JRE, install the Directory

Page 92 - 3. Silent Setup

ls *.rpm | egrep -iv -e devel -e debuginfo | xargs rpm -ivh 2. After the Directory Server packages are installed, run the setup-ds-admin.pl script to s

Page 93

match the /etc/resolv.conf settings, the setup program cannot use the default hostname option, and setup will fail. WARNING If Directory Server is alread

Page 94

NOTE To register the Directory Server instance with an existing Configuration Directory Server, select yes. This continues with the registration process

Page 95

Updating adm.conf . . . Updating admpw . . . Registering admin server with the configuration directory server . . . Updating adm.conf with information fr

Page 96 - .inf files and on the

ports for the Directory and Administration Servers, the domain name, and directory suffix. WARNING If Directory Server is already installed on your mach

Page 97 - /dev/null:

The hostname is very important. It is used to generate the Directory Server instance name, the admin domain, and the base suffix, among others. If you are

Page 98

This information is supplied in place of creating an admin user and domain for the new Directory Server, steps 8, 9, and 10. 8. Set the administrator us

Page 99 - 3.5.1. .inf File Directives

Creating directory server . . . Your new DS instance 'example2' was successfully created. Creating the configuration directory server . . . Beg

Page 100

Preface ... vii 1. Document Convention

Page 101

you have existing information. The other imports sample data that is included with Directory Server; this is useful for testing features of Directory S

Page 102 - Table 6.3. [slapd] Directives

NOTE The setup program gets the host information from the /etc/resolv.conf file. If there are aliases in the /etc/hosts file, such as ldap.example.com,

Page 103 - ConfigDirectoryAdminID

• The Configuration Directory Server administrator's user ID; by default, this is admin. • The administrator user's password. • The Configurati

Page 104 - 3.5.2. Sample .inf Files

16. Select whether you want to install sample entries with the Directory Server instance. This means that an example LDIF, with preconfigured users, gro

Page 105 - 4.2.1. Linux

Exiting . . . Log file is '/tmp/setupul88C1.log' When the setup-ds-admin.pl script is done, then the Directory Server is configured and running

Page 106 - 4.2.2. HP-UX

Setting up Red Hat Directory Server on HP-UX 11i Installing and configuring Red Hat Directory Server on HP-UX has three major steps: 1. Install the requi

Page 107 - 4.2.3. Solaris

Server and Administration Server”. This chapter describes the complete process for installing Directory Server on HP-UX 11i, including both the JRE and

Page 108

NOTE Directory Server version 8.0 conforms to the Filesystem Hierarchy Standards. This means that the directories and files are in different locations t

Page 109 - General Usage Information

2. Select y to accept the Red Hat licensing terms. 3. The dsktune utility runs. Select y to continue with the setup. dsktune checks the available disk s

Page 110

Directory Server in steps 6 and 7. 6. Set the administrator username. The default is admin. 7. Set the administrator password and confirm it. 8. Set the

Page 111 - 2. LDAP Tool Locations

1.2. Configuring Proxy Servers for the Administration Server ... 80 2. Working with Directory Server Instances ...

Page 112

2. Using the Administration Server port number, launch the Console. /opt/dirsrv/bin/redhat-idm-console -a http://localhost:9830 NOTE If you do not pass t

Page 113

3. The dsktune utility runs. Select y to continue with the setup. dsktune checks the available disk space, processor type, physical memory, and other sy

Page 114

NOTE To register the Directory Server instance with an existing Configuration Directory Server, select yes. This continues with the registration process

Page 115 - 7. Troubleshooting

12. Enter the Directory Server identifier; this defaults to the hostname. Directory server identifier [example]: 13. Enter the directory suffix. This defa

Page 116 - Solution

grep \^Listen /etc/dirsrv/admin-serv/console.conf Listen 0.0.0.0:9830 2. Using the Administration Server port number, launch the Console. /opt/dirsrv/bin

Page 117 - 1. Migration Overview

# /opt/dirsrv/sbin/setup-ds-admin.pl 2. Select y to accept the Red Hat licensing terms. 3. The dsktune utility runs. Select y to continue with the setup

Page 118 - 2. About migrate-ds-admin.pl

network, it is not possible to register it with another directory. Select n to set up this Directory Server as a Configuration Directory Server and mov

Page 119

Directory server network port [389]: 1066 12. Enter the Directory Server identifier; this defaults to the hostname. Directory server identifier [example]

Page 120 - /dev/null as the logfile

example: Run Administration Server as [daemon]: 21. The last screen asks if you are ready to set up your servers. Select yes. Are you ready to set up your

Page 121 - 3. Before Migration

If you do not pass the Administration Server port number with the redhat-idm-console command, then you are prompted for it at the Console login screen. C

Page 122

Preface This installation guide describes the Red Hat Directory Server 8.0 installation process and the migration process. This manual provides detailed

Page 124 - IMPORTANT

Setting up Red Hat Directory Server on Sun Solaris Installing and configuring Red Hat Directory Server on Sun Solaris has three major steps: 1. Install t

Page 125

Necessary Java JRE libraries are not bundled with Directory Server. They must be downloaded and extracted separately before installing the Directory Se

Page 126

After installing the JRE, install the Directory Server packages, as described in Section 2, “Installing the Directory Server Packages”. 2. Installing th

Page 127

backup directory. 5. Delete the temporary directory. rm -rf /tmp/rhds80 6. After the Directory Server packages are installed, run the setup program to se

Page 128

cd /directory/tmp/RedHat/PKGS 3. Translate the package to the Solaris filesystem format: for i in `ls *.pkg`; do yes all | pkgtrans $i /directory/ ; don

Page 129

NOTE The setup program gets the host information from the /etc/resolv.conf file. If there are aliases in the /etc/hosts file, such as ldap.example.com,

Page 130

up the administrator user. NOTE To register the Directory Server instance with an existing Configuration Directory Server, select yes. This continues wit

Page 131 - Glossary

Creating Admin Server files and directories . . . Updating adm.conf . . . Updating admpw . . . Registering admin server with the configuration directory

Page 132

The typical setup process is the most commonly-used setup process. It offers control over the ports for the Directory and Administration Servers, the d

Page 133

1. Document Conventions Certain words in this manual are represented in different fonts, styles, and weights. This highlighting indicates that the word

Page 134

match the /etc/resolv.conf settings, you cannot use the default hostname option. The hostname is very important. It is used to generate the Directory Serve

Page 135

• The Configuration Directory Server Admin domain, such as example.com. • The CA certificate to authenticate to the Configuration Directory Server. Thi

Page 136

Administration port [9830]: 17. The last screen asks if you are ready to set up your servers. Select yes. Are you ready to set up your servers? [yes]: Cre

Page 137

login screen. 5. Custom Setup Custom setup provides two special configuration options that allow you to add information to the Directory Server databases

Page 138

5. Set the computer name of the machine on which the Directory Server is being configured. This defaults to the fully-qualified domain name (FQDN) for

Page 139

ldap://ldap.example.com:389/o=NetscapeRoot To use TLS/SSL, set the protocol as ldaps:// instead of ldap:// For LDAPS, use the secure port (636) instead

Page 140

Suffix [dc=redhat, dc=com]: 14. Set the Directory Manager username. The default is cn=Directory Manager. 15. Set the Directory Manager password and confir

Page 141

Creating Admin Server files and directories . . . Updating adm.conf . . . Updating admpw . . . Registering admin server with the configuration directory

Page 143

Advanced Setup and Configuration After the default Directory Server and Administration Server have been configured, there are tools available to manage,

Page 144

Tip A tip is typically an alternative way of performing a task. Important Important information is necessary, but possibly unexpected, such as a configura

Page 145

*.*.*.* This allows all IP addresses to access the Administration Server. 6. Restart the Administration Server. CAUTION Adding the client machine proxy IP

Page 146

It is also possible to provide Directory Server parameters on the command line, so that the instance is created with pre-defined defaults. For example:

Page 147

register-ds-admin script. /usr/sbin/register-ds-admin.pl IMPORTANT Running register-ds-admin creates a default instance of the Administration Server and C

Page 148

RootDNPwd= password123 [admin] Port= 9830 ServerIpAddress= 111.11.11.11 ServerAdminID= admin ServerAdminPwd= admin NOTE There are three sections of directive

Page 149 - Appendix A. Revision History

packages must already be installed, and the Administration Server must already be configured and running. 1. Make the setup .inf file. It must specify t

Page 150

The setup utility, setup-ds-admin.pl, allows settings for all three configuration components — General (host server), slapd (LDAP server), and admin (A

Page 151

The section names and parameter names used in the .inf files and on the command line are case sensitive. Refer to Table 6.1, “setup-ds-admin Options” to

Page 152

Option Alternate Options Description Example WARNING The cache file contains the cleartext passwords supplied during setup. Use appropriate caution and protection with

Page 153

For example, to configure a new Directory Server instance as a supplier in replication, ConfigFile can be used to create the replication manager, repli

Page 154

• General — which supplies information about the server machine; these are global directives that are common to all your Directory Servers. • slapd — wh
