Sun Java System Reference Configuration Series: Portal Service on Application Server Cluster

Chapter 4 Implementation Module 1: Directory Server With Multimaster Replication

This chapter provides an overview of the directory service module in Figure 2–2 and documents the tasks that are required to implement it. The chapter includes the following sections:

Overview of the Directory Service Module

The directory service module of the reference configuration's deployment architecture illustrated in Figure 2–2 consists of two instances of Sun Java System Directory Server running on two different computers. The module makes use of a hardware load balancer that is configured to provide service failover capability between the two Directory Server instances. All requests for directory services are addressed to the virtual service name and IP address of the load balancer. The load balancer then directs each request to one of the two Directory Server instances.

In this module, the two Directory Server instances use multimaster replication to synchronize their data and to provide for a highly available directory service.

The architecture of the directory service module is shown in the following illustration.

Figure 4–1 Directory Service Module

Illustration of the directory service module as described in the text.

When implementing the directory service module, you set up the Directory Server instances on ds1 and ds2. However, you do not implement multimaster replication until after you have installed and configured all of the other components in the reference configuration. The process of installing and configuring the other components writes configuration data to the directory, and in some cases extends the schema. It is easier to ensure that the directory is updated correctly if the configuration data and schema extensions are written to a single Directory Server instance. The data is replicated to the other Directory Server instance only after such configuration is complete.


Note –

The procedures in this chapter use the host names, domain name, and IP addresses shown in Figure 3–1 and Figure 4–1. However, you must map these host names, domain name, and IP addresses to equivalent names and addresses in your environment. For this reason, the procedures in this chapter show host names, domain name, and IP addresses as variables.


Setting Up Directory Server on ds1

This task consists of the following procedures:

Procedure: To Install Directory Server on ds1

This procedure assumes that you are installing Directory Server on Solaris 10 8/07 OS or later version. Hence, no operating system patches need to be installed. The Java ES installer evaluates the state of the operating system and indicates if you need to install a patch. If you are using versions of the operating system older than Solaris 10 8/07 OS, it is better to install any required patches before you begin the actual Directory Server installation procedure.

The following procedure runs the Java ES installer without saving a state file. You can choose to run the installer and capture your input in a state file (-saveState state-filename). You could then use the state file to re-create the installation if, for example, you needed to reinstall Directory Server.

  1. Download the Java ES software distribution to ds1.

    The procedure is documented in To Download the Software Distribution.

  2. Log in as root or become superuser.

    # su -

  3. Start the Java ES installer.

    # cd /portdist_71u2/Solaris_sparc

    # ./installer

    This procedure uses the GUI installer. The installer can also be run in text mode by using the -nodisplay option.

    The Welcome panel opens.

  4. In the Welcome panel, click Next.

    The Software License Agreement panel opens.

  5. In the Software License Agreement panel, review the license terms and click Yes, Accept License.

    The Choose Software Components panel opens.

  6. In the Choose Software Components panel, select the following components:

    • Directory Server Enterprise Edition 6.2

      • Directory Server 6 Core Server

      • Directory Service Control Center

      • Directory Server Command-line Utility

    • Directory Preparation Tool 6.4 (selected automatically)

    • Install Multilingual Package(s) for all selected components (selected automatically, but optional if using English)

  7. Click Next.

    The Java SE Software Development Kit Upgrade Required panel opens.

  8. In the Java SE Software Development Kit Upgrade Required panel, select Automatic Upgrade to the Version Included with the Installer and click Next.

    The installer evaluates the Java ES shared components on the computer and determines if any upgrades are required. On a fresh copy of the Solaris 10 8/07 OS, shared component upgrades are needed, and the Shared Components Upgrades Required panel opens.

  9. In the Shared Components Upgrades Required panel, click Next.

    The installer upgrades the shared components. The Specify Installation Directories panel opens.

  10. In the Specify Installation Directories panel, type the following values and click Next.

    Input Field                  Value
    Directory Preparation Tool   /opt/SUNWcomds
    Directory Server             /opt/SUNWdsee

    The installer checks the system, and the System Check panel opens.

  11. In the System Check panel, evaluate the results of the system check.

    If the system check is favorable, click Next.

    The Choose a Configuration Type panel opens.

  12. In the Choose a Configuration Type panel, select Configure Now and click Next.

    The Common Server Settings panel opens.

  13. In the Common Server Settings panel, type the following values and click Next.

    Be sure to first read Administrator Account Specification.

    Input Field              Value
    Host Name                ds1
    DNS Domain Name          pstest.com
    Host IP Address          10.0.1.1
    Administrator User ID    admin
    Administrator Password   directory-admin-password
    System User              root
    System Group             root

    The Directory Server: Create Directory Instance panel opens.

  14. In the Directory Server: Create Directory Instance panel, type the following value and click Next.

    Input Field                          Value
    Create a Directory Server Instance   Yes

    The Directory Server: Specify Instance Creation Information panel opens.

  15. In the Directory Server: Specify Instance Creation Information panel, type the following values and click Next.

    Input Field                   Value
    Instance Directory            /var/opt/SUNWdsee/ds-inst-ds1
    Directory Instance Port       389
    Directory Instance SSL Port   636
    Directory Manager DN          cn=Directory Manager
    System User                   root
    System Group                  root
    Directory Manager Password    directory-manager-password
    Suffix                        dc=pstest,dc=com

    The Ready to Install panel opens.

  16. In the Ready to Install panel, indicate whether you want to open the software registration window during installation.

    This panel enables you to register the components that you have selected for installation with Sun Connection. Sun Connection is a Sun-hosted service that helps you track, organize, and maintain Sun hardware and software. For example, Sun Connection can inform you of the latest available security fixes, recommended updates, and feature enhancements.

    If you choose to register, information about the installation is sent to the Sun Connection database. You can also register at a later date, after installation has been completed.

  17. Click Install.

    The installer copies files to the computer, and creates a Directory Server instance and a database using the information in Step 15.

  18. During the installation process, click N to decline an Internet connection.

    Directory Server is being installed behind two firewalls, so it is unlikely that an Internet connection can be established for updates.

  19. When the installation is complete, review the installation in the Summary field.

  20. Click Exit to exit the installer.

  21. Check the installation log files for any installation errors.

    # cd /var/sadm/install/logs

    # egrep -i 'fail|error' Java*

Procedure: To Start and Verify Directory Server on ds1

The following procedure confirms that Directory Server has been installed by starting and connecting to a Directory Server instance on ds1.

  1. Start the Directory Server instance on ds1.

    # /opt/SUNWdsee/ds6/bin/dsadm start /var/opt/SUNWdsee/ds-inst-ds1

  2. Check that the Directory Server instance is running.

    # /opt/SUNWdsee/ds6/bin/dsadm info /var/opt/SUNWdsee/ds-inst-ds1

    The State: line in the output should indicate that the instance is running.

  3. Check that you can connect to the Directory Server instance and perform a basic operation.

    # ldapsearch -b "dc=pstest,dc=com" -h ds1 -p 389 -D "cn=Directory Manager" "objectClass=*"

    When prompted, type the directory-manager-password.

    The response should resemble the following:


    version: 1
    dn: dc=pstest,dc=com
    dc: pstest
    objectClass: top
    objectClass: domain

Setting Up Directory Server on ds2

This task consists of the following procedures:

Procedure: To Install Directory Server on ds2

  1. Repeat the procedure that appears in To Install Directory Server on ds1, except for the following:

    • Replace all occurrences of ds1 with ds2.

    • When you are prompted for the host IP address, type 10.0.1.2 instead of 10.0.1.1.

Procedure: To Start and Verify Directory Server on ds2

  1. Repeat the procedure that appears in To Start and Verify Directory Server on ds1, except for the following:

    • Replace all occurrences of ds1 with ds2.

    • Replace the instance name of ds-inst-ds1 with ds-inst-ds2.

Configuring the Directory Server Control Center

The Directory Server Control Center (DSCC) is a tool for managing Directory Server instances. DSCC is accessed through Sun Java Web ConsoleTM (Web Console), a web application that provides a single user interface framework for Sun system management applications.

This task consists of the following procedures:

Procedure: To Create an Instance of the Directory Server Control Center

  1. Assess the current status of the control center.

    On ds1, run the following commands:

    # cd /opt/SUNWdsee/dscc6/bin

    # ./dsccsetup status

    The response should resemble the following:


    ***
    DSCC Application is registered in Sun Java (TM) Web Console
    ***
    DSCC Agent is registered in Cacao
    ***
    DSCC Registry has not been created yet
    ***

    This response indicates that the installer installed the DSCC packages but did not create the DSCC registry instance.

  2. Start the DSCC configurator.

    # ./dsccsetup install

    The response should resemble the following:


    ### 'install' subcommand is obsolete.
    ### Use 'ads-create' subcommand instead.
    Choose password for Directory Server Manager:

  3. When prompted, type the directory-admin-password.

    The response should resemble the following:


    Confirm password for Directory Service Manager: Creating DSCC registry...
    DSCC Registry has been created successfully.

  4. Confirm that your new DSCC instance is running.

    # ps -ef | grep dscc6

    The response should resemble the following:

    /opt/SUNWdsee/ds6/lib/64/ns-slapd -D /var/opt/SUNWdsee/dscc6/dcc/ads -i /var/opt

  5. If the DSCC instance is not running, start it.

    # /opt/SUNWdsee/ds6/bin/dsadm start /var/opt/SUNWdsee/dscc6/dcc/ads

Procedure: To Register Your DSCC Instance With the Web Console

If the dsccsetup status command in Step 1 of To Create an Instance of the Directory Server Control Center does not indicate that the DSCC application is registered in the Web Console, then perform the following steps.

  1. Check the status of Web Console.

    # cd /usr/share/webconsole/bin

    # ./smcwebserver status

    The output should resemble the following:

    Sun Java(TM) Web Console is stopped

  2. If the Web Console is not running, start the Web Console.

    # ./smcwebserver start

  3. Register your DSCC instance.

    1. Run the following command:

      # /opt/SUNWdsee/dscc6/bin/dsccsetup smreg

      The response prompts you to automatically restart the Web Console.

    2. Type Y and press Return.

Procedure: To Register Your Directory Server Instances With DSCC

To manage your Directory Server instances, you must register your instances with the DSCC. Doing so modifies the Directory Server instance's cn=config tree.

To complete this task, you work in both the command-line and the DSCC Web Console interfaces.

  1. Start a browser.

  2. Go to the Web Console login page.

    https://ds1.pstest.com:6789

    The Web Console login page opens.

  3. Log in to the Web Console by typing the following values and clicking Login.

    Input Field   Value
    User ID       root
    Password      root-password

    (Any authorized user can log in to the Web Console, but you must log in as root to register the DSCC.)

    The DSCC main page in Web Console opens.

  4. In the DSCC main page, locate the list of services and click the link for the Directory Server Control Center.

    The Directory Server Control Center page opens.

  5. Type the following values and click Login.

    Input Field   Value
    User ID       admin
    Password      directory-admin-password

    The Directory Service Control Center Common Tasks panel appears.

  6. Interrupt the registration procedure to enable DSCC audit logging.

    The audit logs will show the DSCC entries to be added in the registration steps that follow.

    1. Run the following command on ds1:

      # /opt/SUNWdsee/ds6/bin/dsconf set-log-prop -p 389 audit enabled:on

      You are prompted to accept a certificate.

    2. Type Y to accept the certificate and press Return.

    3. When prompted, type the directory-manager-password and press Return.

      The response should resemble the following:


      time: 20080220175511
      dn: cn=config
      changetype: modify
      replace: nsslapd-auditlog-logging-enabled
      nsslapd-auditlog-logging-enabled: on

  7. Returning to the Web Console, click the Directory Servers tab.

    The Directory Servers tab is displayed, and the Enter Host Info panel opens.

  8. Register the Directory Server instance on ds1.

    1. In the Directory Servers tab, locate the More Server Actions drop-down menu and select Register Existing Server.

      The Register Existing Directory Server wizard opens, displaying the Step 1. Enter Host and Server Information panel.

    2. In the Enter Host and Server Information panel, type the following values and click Next.

      Otherwise, keep the default values.

      Input Field     Value
      Instance Path   /var/opt/SUNWdsee/ds-inst-ds1
      Description     ds-inst-ds1

      The Review Server Certificate panel opens.

    3. Click Next to accept the certificate.

      The Provide Authentication Information panel opens. Keep the default values.

    4. Type the directory-manager-password and click Next.

      The Summary panel opens, stating that a restart is required.

    5. Click Finish.

      Your Directory Server instance (ds-inst-ds1) restarts and registers with the DSCC.

    6. When the registration process is complete, click Close.

      The Register Existing Directory Server wizard closes.

  9. Register the Directory Server instance on ds2.

    Repeat Step 8, except replace all occurrences of ds1 with ds2 (for example, in the instance name, ds-inst-ds2).

    You now see your Directory Server instances (ds-inst-ds1 and ds-inst-ds2) in the DSCC's list of registered servers.

  10. Check the audit logs for both Directory Server instances.

    # tail -100 /var/opt/SUNWdsee/ds-inst-ds1/logs/audit

    # tail -100 /var/opt/SUNWdsee/ds-inst-ds2/logs/audit

    The audit logs should resemble the following:


    time: 20080421170848
    dn: cn=pass through authentication,cn=plugins,cn=config
    changetype: modify
    replace: nsslapd-pluginarg0
    nsslapd-pluginarg0: ldap://localhost:3998/cn=dscc
    - replace: nsslapd-pluginEnabled
    nsslapd-pluginEnabled: on
    - replace: modifiersname
    modifiersname: cn=directory manager
    - replace: modifytimestamp
    modifytimestamp: 20080421160847Z
    - 
    time: 20080421170848
    dn:
    changetype: modify
    add: aci
    aci: (targetattr = "*") (version 3.0; acl "Enable full access for Directory Services Managers";
     allow (all)(userdn = "ldap:///cn=*,cn=Administrators,cn=dscc");)
    aci: (targetattr = "aci") (targetscope = "base") (version 3.0; acl "Enable root ACI modification
     by Directory Services Managers"; allow (all)(userdn = "ldap:///cn=*,cn=Administrators,cn=dscc");)

  11. Check the audit logs for the DSCC registry instance.

    # tail -100 /var/opt/SUNWdsee/dscc6/dcc/ads/logs/audit
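The audit entries above are the ones DSCC registration writes: a plugin change under cn=config and new ACIs granting cn=Administrators,cn=dscc full access. The following parser is an added example, not part of the Sun documentation or DSEE; it reads the LDIF-style audit log (continuation lines that begin with a space, modifications separated by a line holding a single "-", and the fused "- replace:" form shown above) and reports any write under cn=config or to an aci attribute, together with the bind DN recorded in modifiersname. The sample log is constructed from the entries shown in this chapter.

```python
"""Parse Sun DSEE audit-log records and flag configuration changes.

Added example, not from the Sun documentation. Each record starts with a
'time:' line; long values continue on lines beginning with a space; the
modifications of a 'changetype: modify' record are separated by '-'.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, modelled on the audit entries shown in this chapter.
SAMPLE_AUDIT = """\
time: 20080421170848
dn: cn=pass through authentication,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginarg0
nsslapd-pluginarg0: ldap://localhost:3998/cn=dscc
- replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
- replace: modifiersname
modifiersname: cn=directory manager
- replace: modifytimestamp
modifytimestamp: 20080421160847Z
-
time: 20080421170848
dn:
changetype: modify
add: aci
aci: (targetattr = "*") (version 3.0; acl "Enable full access for Directory Services Managers";
 allow (all)(userdn = "ldap:///cn=*,cn=Administrators,cn=dscc");)
-
time: 20080421171200
dn: o=id1,dc=pstest,dc=com
changetype: add
objectClass: top
objectClass: organization
"""


@dataclass
class Mod:
    op: str                 # add, replace or delete
    attr: str
    values: List[str] = field(default_factory=list)


@dataclass
class AuditRecord:
    time: str
    dn: str = ""
    changetype: str = ""
    mods: List[Mod] = field(default_factory=list)              # changetype: modify
    attrs: Dict[str, List[str]] = field(default_factory=dict)  # changetype: add

    @property
    def modifier(self) -> Optional[str]:
        """Bind DN recorded in the modifiersname operational attribute, if any."""
        for m in self.mods:
            if m.attr.lower() == "modifiersname" and m.values:
                return m.values[0]
        return None


def _unfold(text: str) -> List[str]:
    """Join continuation lines; split a fused '- replace: x' line into '-' and 'replace: x'."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.startswith("-"):
            lines.append("-")
            rest = raw[1:].strip()
            if rest:
                lines.append(rest)
        else:
            lines.append(raw.rstrip())
    return lines


def parse_audit_log(text: str) -> List[AuditRecord]:
    records: List[AuditRecord] = []
    rec: Optional[AuditRecord] = None
    mod: Optional[Mod] = None
    for line in _unfold(text):
        if line.startswith("time:"):
            rec = AuditRecord(time=line[5:].strip())
            records.append(rec)
            mod = None
        elif rec is None or not line:
            continue
        elif line == "-":
            mod = None          # end of one modification
        else:
            key, _, value = line.partition(":")   # split at the first colon only
            key, value = key.strip(), value.strip()
            kl = key.lower()
            if kl == "dn":
                rec.dn = value
            elif kl == "changetype":
                rec.changetype = value
            elif kl in ("add", "replace", "delete") and rec.changetype == "modify":
                mod = Mod(op=kl, attr=value)
                rec.mods.append(mod)
            elif mod is not None and kl == mod.attr.lower():
                mod.values.append(value)
            else:
                rec.attrs.setdefault(key, []).append(value)
    return records


def flag_config_changes(records: List[AuditRecord]) -> List[str]:
    """Report writes under cn=config and any ACI change, with the modifier's DN."""
    findings: List[str] = []
    noise = ("modifiersname", "modifytimestamp")   # operational attrs, not the change itself
    for r in records:
        who = r.modifier or "unknown"
        if r.dn.lower().endswith("cn=config"):
            ops = ", ".join(f"{m.op} {m.attr}" for m in r.mods if m.attr.lower() not in noise)
            findings.append(f"{r.time} config change on '{r.dn}' by {who}: {ops}")
        for m in r.mods:
            if m.attr.lower() == "aci":
                target = r.dn or "<root>"
                findings.append(f"{r.time} ACI {m.op} on '{target}' by {who}: {len(m.values)} value(s)")
    return findings


if __name__ == "__main__":
    for finding in flag_config_changes(parse_audit_log(SAMPLE_AUDIT)):
        print(finding)
```

To run it against a real instance, read /var/opt/SUNWdsee/ds-inst-ds1/logs/audit into parse_audit_log instead of SAMPLE_AUDIT; any finding whose modifier is not an expected administrative DN deserves a look.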

Procedure: To Verify Configuration of the DSCC

  1. List the Directory Server instances that are registered with DSCC.

    # /opt/SUNWdsee/dscc6/bin/dsccreg list-servers

    When prompted, type the directory-admin-password.

  2. Press Enter.

    The response should resemble the following:


    Hostname  Port  sPort  Type  Owner  iPath                           Description
    ds1       389   636    DS    root   /var/opt/SUNWdsee/ds-inst-ds1   ds-inst-ds1 on ds1
    ds2       389   636    DS    root   /var/opt/SUNWdsee/ds-inst-ds2   ds-inst-ds2 on ds2

Implementing Load Balancing for the Directory Service

This task consists of the following procedures:

Procedure: To Configure the Directory Service Load Balancer

This procedure describes how to configure the directory service load balancer (ds.pstest.com at IP address 10.0.2.10). The steps are relatively generic; the details depend on the load balancer you are using.

  1. Populate the load balancer's Hosts Table.

    Add the IP address for ds1.pstest.com and ds2.pstest.com to the load balancer's hosts table.

  2. Populate the load balancer's Real Service Table.

    Add the real services for ds1.pstest.com and ds2.pstest.com. A real service is identified by its IP address and port. Add 10.0.1.1:389 and 10.0.1.2:389.

  3. Populate the load balancer's Service Group Table.

    Add the service group for directory services. The service groups are sets of the real services that you defined in Step 2. The real services in the group must be capable of fulfilling the same type of request. The load balancer will distribute requests among the real services in the service group. When you define the service group for ds.pstest.com, you add the real services that specify the Directory Server instances, 10.0.1.1:389 and 10.0.1.2:389.

  4. Populate the load balancer's Virtual IP Table.

    A virtual service definition includes the outward facing IP address and the port at which the load balancer accepts requests for a service, as well as the service group that you specified in Step 3, which actually handles the requests. The load balancer will accept requests at the virtual service address and distribute them among the service group. The virtual service definition for the directory service should be ds.pstest.com, with the virtual IP address of 10.0.2.10:389, and with the service group consisting of the computers ds1.pstest.com and ds2.pstest.com.

  5. Configure the load balancer to use Layer-4 (TCP layer) load balancing.

    If you are using a load balancer that supports long, persistent TCP connections, this is the best option. There is no need for stickiness at the directory service load balancer because the TCP connections remain open.

  6. Configure the load balancer with a scheduling type of either least connections or round robin.

    Both scheduling types initially distribute the connections evenly between the Directory Server instances. Both scheduling types keep connections evenly distributed if the connections are restarted.

  7. Configure the health-check settings for the load balancer.

    The recommended settings are specified in Table 3–5.

Procedure: To Configure Directory Server Instances for Load Balancing

Timeout problems can arise when a load balancer (or firewall) is placed between Access Manager and Directory Server, as explained in Setting Connection Timeouts for Access Manager. To prevent such problems, set the idle timeout for the Directory Server connections that are used by Access Manager to a value less than the idle timeout value of the load balancer (or firewall).

To perform this procedure, an amldapuser entry must exist in the directory. However, this entry is not created until you deploy Access Manager, as documented in Implementation Module 2: Access Manager Running on Application Server. You therefore must set the Directory Server idle timeout value after you install and configure Access Manager.

For this reason, the procedure for setting the idle timeout for Directory Server connections used by Access Manager is documented in Module 2.

  1. See the procedure in To Configure the Connection Timeout of the Directory Service.

Procedure: To Verify Directory Service Load Balancing

This procedure assumes that ds-inst-ds1 on ds1 and ds-inst-ds2 on ds2 are running.

  1. Shut down the Directory Server instance on ds1.

    # /opt/SUNWdsee/ds6/bin/dsadm stop /var/opt/SUNWdsee/ds-inst-ds1

  2. Verify that you can access the Directory Server instance on ds2 through the load balancer.

    Run the following command from a computer that can access ds.pstest.com.

    # ldapsearch -b "dc=pstest,dc=com" -h ds.pstest.com -p 389 -D "cn=Directory Manager" "objectClass=*"

    When prompted, type the directory-manager-password.

    A list of object classes currently in the directory is displayed.

  3. Start the Directory Server instance on ds1.

    # /opt/SUNWdsee/ds6/bin/dsadm start /var/opt/SUNWdsee/ds-inst-ds1

  4. Shut down the Directory Server instance on ds2.

    # /opt/SUNWdsee/ds6/bin/dsadm stop /var/opt/SUNWdsee/ds-inst-ds2

  5. Verify that you can access the Directory Server instance on ds1 through the load balancer.

    Run the following command from a computer that can access ds.pstest.com.

    # ldapsearch -b "dc=pstest,dc=com" -h ds.pstest.com -p 389 -D "cn=Directory Manager" "objectClass=*"

    When prompted, type the directory-manager-password.

    A list of object classes currently in the directory is displayed.

Confirming That the Directory Server Instance on ds2 Is Stopped

In the previous procedure (To Verify Directory Service Load Balancing) the Directory Server instance on ds2 was stopped in order to verify proper operation of the directory service load balancer. This instance must remain shut down while the remaining modules in the reference configuration are implemented. Once these modules have been implemented, and configuration data has been written to the Directory Server instance on ds1, then the Directory Server instance on ds2 can be restarted and multimaster replication can be implemented.

Procedure: To Confirm That the Directory Server Instance on ds2 Is Stopped

  1. Run the following command on ds2:

    # /opt/SUNWdsee/ds6/bin/dsadm info /var/opt/SUNWdsee/ds-inst-ds2

    The State: line in the output should indicate that the instance is stopped. If it does not, then shut down the Directory Server instance on ds2, and perform the above step to confirm that it is stopped.

Implementing Multimaster Replication


Note –

Do not implement multimaster replication until you have installed and configured all of the other components in the reference configuration deployment. Otherwise, required configuration data will be missing from the Directory Server instance on ds1.


Multimaster replication ensures that both Directory Server instances are synchronized as data is changed for either instance. During the implementation of the Access Manager, Portal Server, and Portal Server Secure Remote Access modules, configuration data is written to the Directory Server instance on ds1. When implementing multimaster replication, the Directory Server instance on ds2 is restarted and synchronized with the Directory Server instance on ds1. The only complication is that the directory indexes that support other components must be re-created manually on the Directory Server instance on ds2.

This task consists of the following procedures:

Procedure: To Restart the Directory Server Instance on ds2

  1. Start the Directory Server instance on ds2.

    # /opt/SUNWdsee/ds6/bin/dsadm start /var/opt/SUNWdsee/ds-inst-ds2

  2. Check that the Directory Server instance is running.

    # /opt/SUNWdsee/ds6/bin/dsadm info /var/opt/SUNWdsee/ds-inst-ds2

    The State: line in the output should indicate that the instance is running.

Procedure: To Enable Multimaster Replication

The steps for enabling replication on both Directory Server instances are performed only on ds1.

  1. Enable multimaster replication for the dc=pstest,dc=com suffix on ds1.

    # cd /opt/SUNWdsee/ds6/bin

    # ./dsconf enable-repl -h ds1 -p 389 -i -d 1 master dc=pstest,dc=com

    When prompted, type the directory-admin-password.

  2. Enable multimaster replication for the dc=pstest,dc=com suffix on ds2.

    # ./dsconf enable-repl -h ds2 -p 389 -i -d 2 master dc=pstest,dc=com

    When prompted, type the directory-admin-password.

Procedure: To Create Replication Agreements

The steps for creating replication agreements between the Directory Server instances are performed only on ds1.

  1. Create a replication agreement between ds1 and ds2 for the dc=pstest,dc=com suffix.

    # ./dsconf create-repl-agmt -i -h ds1 -p 389 dc=pstest,dc=com ds2:389

    When prompted, type the directory-admin-password.

  2. Create a replication agreement between ds2 and ds1 for the dc=pstest,dc=com suffix.

    # ./dsconf create-repl-agmt -i -h ds2 -p 389 dc=pstest,dc=com ds1:389

    When prompted, type the directory-admin-password.

Procedure: To Replicate Directory Data

  1. Copy data from ds1 to ds2 by running the following command on ds1:

    # ./dsconf init-repl-dest -i -h ds1 -p 389 dc=pstest,dc=com ds2:389

    When prompted, type the directory-admin-password.

    The response should resemble the following:


    Started initialization of "ds2:389"; MMM DD YYYY HH:MM:SS
    Sent 644 entries...
    Sent 1229 entries...
    Sent 2170 entries...
    Sent 2965 entries...
    Sent 3463 entries...
    Sent 3902 entries...
    Sent 4361 entries...
    Sent 4362 entries...
    Completed initialization of "ds2:389"; MMM DD YYYY HH:MM:SS

Procedure: To Verify Multimaster Replication

  1. Check that your Directory Server instances are synchronized.

    Run the following command on ds1:

    # /opt/SUNWdsee/ds6/bin/insync -D "cn=Directory Manager" -s ds2:389

    When prompted, type the directory-manager-password.

    The response should resemble the following:


    Replica DN Consumer Supplier Delay
    dc=pstest,dc=com ds1:389 -1 *CSN has not been intialized. No changes received.

  2. Add an entry to the Directory Server instance on ds1.

    # ldapmodify -h ds1 -p 389 -D "cn=Directory Manager" <<EOF
    dn: o=id1,dc=pstest,dc=com
    changetype: add
    objectClass: top
    objectClass: organization
    description: ds1
    EOF

    When prompted, type the directory-manager-password.

    The response should resemble the following:


    adding new entry o=id1,dc=pstest,dc=com

  3. Verify that the entry is replicated on ds2.

    # ldapsearch -h ds2 -p 389 -D "cn=Directory Manager" -b o=id1,dc=pstest,dc=com "objectClass=*"

    When prompted, type the directory-manager-password.

    The response should resemble the following:


    dn: o=id1,dc=pstest,dc=com
    objectClass: top
    objectClass: organization
    description: ds1
    o: id1
    version: 1

  4. Add an entry to the Directory Server instance on ds2.

    # ldapmodify -h ds2 -p 389 -D "cn=Directory Manager" <<EOF
    dn: o=id2,dc=pstest,dc=com
    changetype: add
    objectClass: top
    objectClass: organization
    description: ds2
    EOF

    When prompted, type the directory-manager-password.

    The response should resemble the following:

    adding new entry o=id2,dc=pstest,dc=com

  5. Verify that the entry is replicated on ds1.

    # ldapsearch -h ds1 -p 389 -D "cn=Directory Manager" -b o=id2,dc=pstest,dc=com "objectClass=*"

    When prompted, type the directory-manager-password.

    The response should resemble the following:


    dn: o=id2,dc=pstest,dc=com
    objectClass: top
    objectClass: organization
    description: ds2
    o: id2
    version: 1
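The verification above adds an entry on one master and searches the other straight away. Replication is asynchronous, so a practitioner's check should poll the second master for a bounded time before declaring the pair out of sync. The following probe is an added example, not part of the Sun documentation or DSEE; it performs the chapter's id1/id2 round trip in both directions with such a polling wait. It assumes the DSEE ldapmodify and ldapsearch commands are on PATH and accept the -j option (bind password read from a file, so it stays off the process list); the fake command runner in the tests is only for exercising the logic offline.

```python
"""Round-trip replication probe for the ds1/ds2 multimaster pair.

Added example, not from the Sun documentation. Adds the chapter's marker
entry on one master and polls the other until it is visible, because an
immediate search can race the replication. Assumed: ldapmodify/ldapsearch
on PATH, accepting -j for a bind-password file.
"""
import subprocess
import time
from typing import Callable, Dict, List, Optional

BIND_DN = "cn=Directory Manager"
SUFFIX = "dc=pstest,dc=com"


def probe_ldif(tag: str, suffix: str = SUFFIX) -> str:
    """LDIF for the marker entry used in this chapter's verification steps."""
    return (f"dn: o={tag},{suffix}\n"
            "changetype: add\n"
            "objectClass: top\n"
            "objectClass: organization\n"
            f"description: {tag}\n")


def entry_present(search_output: str, dn: str) -> bool:
    """True if the ldapsearch output contains an entry with the given DN.
    The comparison ignores case and spacing around the RDN separators."""
    want = dn.replace(" ", "").lower()
    for line in search_output.splitlines():
        if line.lower().startswith("dn:") and line[3:].replace(" ", "").lower() == want:
            return True
    return False


def run_cmd(argv: List[str], stdin: Optional[str] = None) -> str:
    """Run a command and return its stdout; raises CalledProcessError on failure."""
    return subprocess.run(argv, input=stdin, capture_output=True,
                          text=True, check=True).stdout


def add_marker(host: str, port: int, tag: str, passwd_file: str,
               run: Callable[..., str] = run_cmd) -> str:
    """Add the marker entry on one master and return its DN."""
    run(["ldapmodify", "-h", host, "-p", str(port), "-D", BIND_DN,
         "-j", passwd_file], stdin=probe_ldif(tag))
    return f"o={tag},{SUFFIX}"


def wait_for_entry(host: str, port: int, dn: str, passwd_file: str,
                   timeout: float = 30.0, interval: float = 1.0,
                   run: Callable[..., str] = run_cmd) -> Optional[float]:
    """Poll the other master until dn is visible. Returns the seconds waited,
    or None if the entry did not appear before the timeout."""
    start = time.monotonic()
    while True:
        out = run(["ldapsearch", "-h", host, "-p", str(port), "-D", BIND_DN,
                   "-j", passwd_file, "-b", dn, "-s", "base", "(objectClass=*)"])
        if entry_present(out, dn):
            return time.monotonic() - start
        if time.monotonic() - start >= timeout:
            return None
        time.sleep(interval)


def check_both_directions(passwd_file: str, timeout: float = 30.0,
                          run: Callable[..., str] = run_cmd) -> Dict[str, Optional[float]]:
    """The chapter's test in both directions: id1 added on ds1 must appear on
    ds2, id2 added on ds2 must appear on ds1. None means that leg timed out."""
    results: Dict[str, Optional[float]] = {}
    for src, dst, tag in (("ds1", "ds2", "id1"), ("ds2", "ds1", "id2")):
        dn = add_marker(src, 389, tag, passwd_file, run=run)
        results[f"{src}->{dst}"] = wait_for_entry(dst, 389, dn, passwd_file,
                                                  timeout=timeout, run=run)
    return results


if __name__ == "__main__":
    import sys
    # Usage: probe.py /path/to/directory-manager-password-file
    print(check_both_directions(sys.argv[1] if len(sys.argv) > 1 else "/tmp/dm-password"))
```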

Procedure: To Update the Directory Indexes

This procedure uses the index file on am1 to update the Directory Server instance on ds2 with indexes that support Access Manager.

  1. Copy the following file from am1 to /tmp on ds2:

    /etc/opt/SUNWam/config/ldif/index.ldif

  2. Add the indexes to the Directory Server instance on ds2.

    # ldapmodify -D "cn=Directory Manager" -c -a -h ds2 -p 389 -f /tmp/index.ldif

    When prompted, type the directory-manager-password.

    The response should resemble the following:


    adding new entry cn=nsroledn,cn=index,cn=pstest,
        cn=ldbm database,cn=plugins,cn=config ldap_add: Already exists
    adding new entry cn=memberof,cn=index,cn=pstest, 
        cn=ldbm database, cn=plugins,cn=config
    adding new entry cn=iplanet-am-static-group-dn,cn=index,cn=pstest,
        cn=ldbm database,cn=plugins,cn=config
    adding new entry cn=iplanet-am-static-group-dn,cn=index,cn=pstest,
        cn=ldbm database,cn=plugins,cn=config
    adding new entry cn=iplanet-am-modifiable-by,cn=index,cn=pstest,
        cn=ldbm database,cn=plugins,cn=config
    adding new entry cn=iplanet-am-user-federation-info-key,cn=index,cn=pstest,
        cn=ldbm database,cn=plugins,cn=config
    adding new entry cn=sunxmlkeyvalue,cn=index,cn=pstest,
        cn=ldbm database,cn=plugins,cn=config
    adding new entry cn=o,cn=index,cn=pstest,
        cn=ldbm database,cn=plugins,cn=config
    adding new entry cn=ou,cn=index,cn=pstest,
        cn=ldbm database,cn=plugins,cn=config
    adding new entry cn=sunPreferredDomain,cn=index,cn=pstest,
        cn=ldbm database,cn=plugins,cn=config
    adding new entry cn=associatedDomain,cn=index,cn=pstest,
        cn=ldbm database,cn=plugins,cn=config
    adding new entry cn=sunOrganizationAlias,cn=index,cn=pstest,
        cn=ldbm database,cn=plugins,cn=config

  3. Using the Web Console, re-index the dc=pstest,dc=com suffix.

    1. Start a browser.

    2. Go to the Web Console login page.

      https://ds1.pstest.com:6789

      The Web Console login page opens.

    3. Log in to the Web Console by typing the following values and clicking Login.

      Input Field   Value
      User ID       root
      Password      root-password

      The DSCC main page in Web Console opens.

    4. In the DSCC main page, click the Servers tab.

    5. Locate the link for ds2:389 and click the link.

    6. Click the Suffix tab.

    7. Locate the link for dc=pstest,dc=com and click the link.

    8. Click the Indexes tab.

    9. Locate the list of Suffix Actions and select Regenerate Indexes.

      The Index Regeneration panel opens.

    10. In the Index Regeneration panel, click Add All.

      All the listed attributes move from the Available list to the Selected list.

    11. Click OK.

      The indexes are regenerated.

    12. Wait for the regeneration process to complete and click Close.

Taking a Snapshot of the Module

When you have completed deploying the directory service module of the reference configuration, and before you move on to the next module, it is good practice to take a snapshot of the data in the Directory Server instance. By exporting ds-inst-ds1, you preserve the current state of your deployment in case you subsequently need to roll back directory information to this point in the reference configuration deployment process. The directory serves as the repository for service and user configuration information and therefore changes as each reference configuration module is deployed.

Procedure: To Take a Snapshot of the Directory on ds1

In this procedure you use the db2ldif command to export the directory to an ldif file. If you want to subsequently restore the directory, use an equivalent procedure with the ldif2db command.

  1. On ds1 change directory as follows:

    # cd /var/opt/SUNWdsee/ds-inst-ds1

  2. Stop the Directory Server instance.

    # ./stop-slapd

  3. Export the current state of the pstest directory to an ldif file.

    # ./db2ldif -n pstest

    The output should resemble the following:


    ldiffile: /var/opt/SUNWdsee/ds-inst-ds1/ldif/2008_05_20_140750.ldif
    [20/May/2008:14:07:56 +0100] - export pstest: Precessed 1000 entries (26%)
    ...
    [20/May/2008:14:08:02 +0100] - export pstest: Precessed 4165 entries (100%)

  4. Rename the ldif file to something meaningful.

    # mv /var/opt/SUNWdsee/ds-inst-ds1/ldif/2008_05_20_140750.ldif /var/opt/SUNWdsee/ds-inst-ds1/ldif/ds_module_complete.ldif

  5. Restart the Directory Server instance.

    # ./start-slapd