Sun Java System Directory Server Enterprise Edition 6.0 Release Notes

Chapter 2 Installation Notes

This chapter tells you where to download Directory Server Enterprise Edition software, and lists primary installation requirements.

This chapter includes the following sections:

Getting the Software

You can download Sun Java System Directory Server Enterprise Edition 6.0 software from the following location.

http://www.sun.com/software/products/directory_srvr_ee/get.jsp

The download page serves as a starting point to direct you to the proper downloads depending on the distribution type you need to download. Directory Server Enterprise Edition 6.0 is available in the following distributions.

For a comparison of the two distributions, see Directory Server Enterprise Edition Software Distributions in Sun Java System Directory Server Enterprise Edition 6.0 Installation Guide.

Hardware Requirements

This section covers hardware requirements for Directory Server Enterprise Edition component products.

Directory Proxy Server Hardware Requirements

Directory Proxy Server software requires the following hardware support.

| Component | Platform Requirement |
|---|---|
| RAM | 1-2 GB for evaluation purposes; 4 GB for production servers |
| Local disk space | 300 MB disk space for binaries. By default, binaries installed from native packages are placed in /opt on UNIX® systems. For evaluation purposes, an additional 2 GB local disk space per server instance is sufficient to hold server logs when the default configuration is used. |

Directory Proxy Server does not support installation on NFS-mounted file systems. Sufficient space should be provided for the instance, and for all files used by the instance on a local file system in, for example, /var/opt or /local.

Directory Server Hardware Requirements

Directory Server software requires the following hardware support.

| Component | Platform Requirement |
|---|---|
| RAM | 1-2 GB for evaluation purposes; at least 4 GB and probably more for production servers |
| Local disk space | 300 MB disk space for binaries. By default, binaries installed from native packages are placed in /opt on UNIX systems. For evaluation purposes, an additional 2 GB local disk space for server software might be sufficient. |

If you are using Directory Server, consider that entries stored in Directory Server use local disk space. Directory Server does not support logs and databases installed on NFS-mounted file systems. Sufficient space should be provided for the database on a local file system in, for example, /var/opt or /local. For a typical production deployment with a maximum of 250,000 entries and no binary attributes such as photos, 4 GB might be sufficient.

Identity Synchronization for Windows Hardware Requirements

Identity Synchronization for Windows software requires the following hardware support.

| Component | Platform Requirement |
|---|---|
| RAM | 512 MB for evaluation purposes wherever components are installed. More memory is preferred. |
| Local disk space | 400 MB disk space for minimal installation alongside Directory Server. |

Directory Editor Hardware Requirements

Make sure you read Chapter 6, Directory Editor Bugs Fixed and Known Problems in these release notes before you install Directory Editor.

Also, see the Directory Editor documentation at http://docs.sun.com/coll/DirEdit_05q1 for details.

Operating System Requirements

This section covers operating systems, patches and service packs required to support Directory Server Enterprise Edition component products.

Directory Server, Directory Proxy Server, and Directory Server Resource Kit Operating System Requirements

Directory Server, Directory Proxy Server, and Directory Server Resource Kit, which includes Directory SDK for C and Directory SDK for Java, share the same operating system requirements. These software components run on the operating system versions listed here. Certain operating systems require additional service packs or patches as shown in the following table.

| Operating System | Supported OS Versions | Additional Required Software |
|---|---|---|
| Solaris™ Operating System | Solaris 10 Operating System for SPARC®, x86, and AMD x64 architectures | Patches: |
| | Solaris 9 Operating System for SPARC, x86, and AMD x64 architectures | Patches: |
| HP-UX | HP-UX 11.11 for PA-RISC 2.0 | Patches: PHSS_30966, PHCO_29328, PHKL_25842; TOUR 3.1 depots |
| Red Hat Linux (On 64-bit Red Hat systems, Directory Server runs in 32-bit mode.) | Red Hat Advanced Server 3.0 U4 for x86 and AMD x64 | No additional software is required. |
| | Red Hat Advanced Server 4.0 U2 for x86 and AMD x64 | The following compatibility libraries are recommended: compat-gcc-32-3.2.3-47.3.i386.rpm, compat-gcc-32-c++-3.2.3-47.3.i386.rpm. The following compatibility library is required: compat-libstdc++-33-3.2.3-47.3.rpm. Even when running Red Hat on a 64-bit system, you install 32-bit system libraries. |
| Microsoft Windows (On 64-bit Windows systems, Directory Server runs in 32-bit mode.) | Windows 2000 Server | Service Pack 4 |
| | Windows 2000 Advanced Server | Service Pack 4 |
| | Windows 2003 Server Standard Edition | Service Pack 1 |
| | Windows 2003 Server Enterprise Edition | Service Pack 1 |

You can obtain Solaris patch clusters and avoid downloading most individual patches. To obtain Solaris patch clusters, follow these steps:

  1. Go to the SunSolve patch page at http://sunsolve.sun.com/pub-cgi/show.pl?target=patchpage.

  2. Click the Recommended Patch Clusters link.

  3. Download the patch cluster for your Solaris OS and Java ES versions.

Directory Server Enterprise Edition software is validated with full installations of the operating systems listed here, not with reduced “base” or “core” installations.

Directory Server runs on Solaris SPARC, on Solaris 10 AMD x64 systems, and on HP-UX PA-RISC systems in 64-bit mode. Directory Server runs on Solaris x86 systems, on Solaris 9 AMD x64 systems, on Red Hat systems, and on Windows systems in 32-bit mode.

Identity Synchronization for Windows Operating System Requirements

Identity Synchronization for Windows components run on the operating system versions listed here. Certain operating systems require additional service packs or patches as shown in the following tables.

Identity Synchronization for Windows Requirements for Core Components and Connectors

The following table lists operating system requirements for core components, and connectors for Directory Server and Active Directory.

| Operating System | Supported OS Versions | Additional Required Software |
|---|---|---|
| Solaris Operating System | Solaris 10 Operating System for UltraSPARC®, and x86 (Pentium) architectures | No additional software is required. |
| | Solaris 9 Operating System for SPARC architectures | No additional software is required. |
| | Solaris 8 Operating System for UltraSPARC architectures | No additional software is required. |
| Red Hat Linux | Red Hat Advanced Server 3.0 | No additional software is required. |
| Microsoft Windows | Windows 2000 Server | Service Pack 4 |
| | Windows 2000 Advanced Server | Service Pack 4 |
| | Windows 2003 Server Standard Edition | Latest security updates |
| | Windows 2003 Server Enterprise Edition | Latest security updates |

Identity Synchronization for Windows Requirements for Windows NT

The following table lists operating system requirements for Windows NT components and connectors.

| Operating System | Supported OS Versions | Additional Required Software |
|---|---|---|
| Microsoft Windows | Windows NT 4.0 Server Primary Domain Controller, x86 architectures | Service Pack 6A |

Directory Editor Operating System Requirements

Make sure you read Chapter 6, Directory Editor Bugs Fixed and Known Problems in these release notes before you install Directory Editor.

Also, see the Directory Editor documentation at http://docs.sun.com/coll/DirEdit_05q1 for details.

Software Dependency Requirements

Directory Server relies on the Network Security Services, NSS, layer for cryptographic algorithms. NSS has been validated to work with the Sun cryptographic framework provided on Solaris 10 systems, which supports cryptographic acceleration devices.

On Windows systems, Directory Server requires ActivePerl software to use account activation and manual schema replication commands. Directory Server Enterprise Edition does not provide ActivePerl. The dependency concerns the following commands.

Directory Proxy Server requires a Java runtime environment, JRE, version of at least 1.5.0_09 on Solaris, Red Hat and Windows systems and 1.5.0_03 on HP-UX systems. The zip distribution installs JRE. When you install from the zip distribution with the JAVA_HOME environment variable set, the Java runtime environment specified by JAVA_HOME is used. If JAVA_HOME is set for your environment, make sure the version is up to date.
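The following script is an added example, not part of the original release notes. It checks the JRE that JAVA_HOME points to against the minimum versions stated above. The function names and the sample java -version output are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a JRE version string against the minimums in these notes.

# min_jre_for_os OS_NAME -> minimum JRE version from the release notes
min_jre_for_os() {
    case $1 in
        HP-UX) echo "1.5.0_03" ;;
        *)     echo "1.5.0_09" ;;   # Solaris, Red Hat and Windows
    esac
}

# jre_version_from_output: reads `java -version` text on stdin, prints the version
jre_version_from_output() {
    sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1
}

# jre_at_least FOUND MINIMUM -> exit status 0 when FOUND >= MINIMUM.
# awk compares each field numerically, so "09" is read as 9 and not as an
# invalid octal literal, which is what shell arithmetic would make of it.
jre_at_least() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, /[._-]/); split(b, y, /[._-]/)
        for (i = 1; i <= 4; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# check_jre OS_NAME JAVA_VERSION_OUTPUT -> prints a verdict, returns 0 or 1
check_jre() {
    found=$(printf '%s\n' "$2" | jre_version_from_output)
    need=$(min_jre_for_os "$1")
    if [ -n "$found" ] && jre_at_least "$found" "$need"; then
        echo "OK: JRE $found meets the minimum $need for $1"
    else
        echo "FAIL: JRE ${found:-unknown} is below the minimum $need for $1"
        return 1
    fi
}

# Constructed sample of `java -version` output, not captured from a real host.
sample='java version "1.5.0_06"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_06-b05)'
check_jre SunOS "$sample" || true
```

On a real host, pass the output of "$JAVA_HOME/bin/java" -version 2>&1 as the second argument, because java -version writes to standard error.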

Directory Proxy Server has been validated with the following JDBC data sources, using the drivers provided with the software.

On Windows systems, the dsee_deploy command cannot properly register software with the Common Agent Container, cacao, when you run the command from an MKS shell. This can occur when your MKS PATH does not include the system-drive:\system32 folder. Alternatively, run the command on the Windows native command line.

Although Part II, Installing Identity Synchronization for Windows, in Sun Java System Directory Server Enterprise Edition 6.0 Installation Guide lists support only for Directory Server 6.0, Identity Synchronization for Windows directory server connectors do support Directory Server 5.2 Patch 5.

Before you can install Identity Synchronization for Windows, you must install the prerequisite Sun Java System software components, including JRE and Message Queue.

On Windows systems, the JRE installed with Console and Administration Server does not include fixes for daylight savings time changes. You must apply fixes for daylight savings time changes after installation. To fix the JRE, use the tzupdater tool, described at http://java.sun.com/javase/tzupdater_README.html. The JRE to fix is found after installation under ServerRoot/bin/base/jre/ where you installed the Console and Administration Server.

You can run Identity Synchronization for Windows in a firewall environment. The following sections list the server ports that you must expose through the firewall.

Identity Synchronization for Windows Message Queue Requirements in a Firewall Environment

By default, Message Queue uses dynamic ports for all services except for its port mapper. To access the Message Queue broker through a firewall, the broker should use fixed ports for all services.

After installing the core, you must set the imq.<service_name>.<protocol_type>.port broker configuration properties. Specifically, you must set the imq.ssljms.tls.port option. Refer to the Message Queue documentation for more information.
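The following script is an added example, not part of the original release notes. It reads broker configuration properties and lists the connection services that still have no fixed port. It assumes the service-to-protocol mapping jms and admin over tcp, ssljms and ssladmin over tls, a default active service list of jms,admin, and that an unset port or a port of 0 means dynamic allocation. The sample properties are constructed.

```shell
#!/bin/sh
# Added example: list Message Queue services that still use dynamic ports.

# proto_for SERVICE -> protocol type in imq.<service_name>.<protocol_type>.port
# (assumed mapping for the broker's standard connection services)
proto_for() {
    case $1 in
        jms|admin)       echo tcp ;;
        ssljms|ssladmin) echo tls ;;
        *)               return 1 ;;   # no port property known for this service
    esac
}

# prop_value KEY: reads properties text on stdin, prints the last value of KEY
prop_value() {
    awk -F= -v k="$1" '
        /^[ \t]*#/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k   { val = $2; gsub(/[ \t\r]/, "", val) }
        END        { print val }'
}

# dynamic_port_services PROPERTIES_TEXT -> services with no fixed port.
# ssljms is always checked because the notes single out imq.ssljms.tls.port.
# When imq.service.activelist is absent, jms,admin is used (assumed default).
dynamic_port_services() {
    active=$(printf '%s\n' "$1" | prop_value imq.service.activelist)
    seen=" "; missing=""
    for svc in ssljms $(printf '%s' "${active:-jms,admin}" | tr ',' ' '); do
        case $seen in *" $svc "*) continue ;; esac   # skip duplicates
        seen="$seen$svc "
        proto=$(proto_for "$svc") || continue
        port=$(printf '%s\n' "$1" | prop_value "imq.$svc.$proto.port")
        case $port in
            ''|0|*[!0-9]*) missing="$missing $svc" ;;   # unset or 0 = dynamic
        esac
    done
    echo "${missing# }"
}

# Constructed sample properties, not taken from a real broker.
sample='imq.service.activelist=jms,ssljms,admin
imq.portmapper.port=7676
imq.jms.tcp.port=0
imq.ssljms.tls.port=7678'
echo "dynamic ports: $(dynamic_port_services "$sample")"
```

Every service the script reports needs a fixed port in the broker configuration and a matching firewall rule before connectors outside the firewall can reach the broker.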

Identity Synchronization for Windows Installer Requirements in a Firewall Environment

The Identity Synchronization for Windows installer must be able to communicate with the Directory Server acting as the configuration directory.

Identity Synchronization for Windows Core Component Requirements in a Firewall Environment

The Message Queue, system manager, and command line interface must be able to reach the Directory Server where the Identity Synchronization for Windows configuration is stored.

Identity Synchronization for Windows Console Requirements in a Firewall Environment

The Identity Synchronization for Windows console must be able to reach the following:

Identity Synchronization for Windows Connector Requirements in a Firewall Environment

All connectors must be able to communicate with Message Queue.

In addition, the following connector requirements must be met.

Identity Synchronization for Windows Directory Server Plug-in Requirements in a Firewall Environment

Each Directory Server plug-in must be able to reach the Directory Server connector’s server port, which was chosen when the connector was installed. Plug-ins that run in Directory Server Master replicas must be able to connect to Active Directory’s LDAP, port 389, or LDAPS, port 636. The plug-ins that run in other Directory Server replicas must be able to reach the master Directory Server LDAP and LDAPS ports.

Installation Privileges and Credentials

This section covers privileges or credentials required for installation of Directory Server Enterprise Edition component products.

Directory Server, Directory Proxy Server, Directory Service Control Center, and Directory Server Resource Kit Privileges

You must have the following privileges when installing Directory Server, Directory Proxy Server, or Directory Service Control Center from the Java Enterprise System native package based distribution.

You can install Directory Server, Directory Proxy Server, and Directory Server Resource Kit from the zip distribution without special privileges.

See Directory Server Enterprise Edition Software Distributions in Sun Java System Directory Server Enterprise Edition 6.0 Installation Guide for details.

Identity Synchronization for Windows Installation Privileges and Credentials

To install Identity Synchronization for Windows, you must provide credentials for the following.

In addition, you must have the following privileges to install Identity Synchronization for Windows.


Note –

When you enter passwords by using the text-based installer, the program automatically masks the passwords so passwords are not echoed in the clear. The text-based installer is supported on Solaris and Red Hat systems only.


Installation Notes for Identity Synchronization for Windows

Before performing a fresh installation of Identity Synchronization for Windows, be sure to read Chapter 4, Preparing for Installation, in Sun Java System Directory Server Enterprise Edition 6.0 Installation Guide.

Enabling Account Lockout on Identity Synchronization for Windows

To enable the Account Lockout feature, you must map certain attributes, which are different in Directory Server and in Active Directory. Account Lockout must be enabled. Password policies must be the same on both AD and Directory Server. With this configuration, lockout and unlockout events can flow bidirectionally between Active Directory and Directory Server.

Identity Synchronization for Windows can synchronize the following events between Active Directory and Directory Server:

Prerequisites for Account Lockout

Before you enable the account lockout feature, set the lockoutDuration attribute to the same value in both places. Also make sure that the system time is uniform across the distributed setup. Otherwise, lockout events can expire if lockoutDuration is less than the difference in the system dates.
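The following script is an added example, not part of the original release notes. It checks both prerequisites from values you collect yourself. Active Directory stores lockoutDuration as a negative count of 100-nanosecond intervals. The script assumes the Directory Server duration is given in seconds and that each host's clock is supplied as epoch seconds. The function names and sample values are constructed.

```shell
#!/bin/sh
# Added example: verify the account lockout prerequisites before enabling sync.

# ad_lockout_seconds TICKS -> seconds. Active Directory stores lockoutDuration
# as a negative count of 100-nanosecond intervals (-18000000000 = 30 minutes).
ad_lockout_seconds() {
    ticks=${1#-}
    echo $(( ticks / 10000000 ))
}

# lockout_prereq AD_TICKS DS_SECONDS AD_EPOCH DS_EPOCH
# Prints one status word and returns 0 only when both prerequisites hold.
# DS_SECONDS is the Directory Server lockout duration (unit assumed: seconds).
lockout_prereq() {
    ad_secs=$(ad_lockout_seconds "$1")
    skew=$(( $3 - $4 ))
    if [ "$skew" -lt 0 ]; then skew=$(( 0 - skew )); fi
    if [ "$ad_secs" -ne "$2" ]; then
        echo "duration-mismatch"      # durations differ between the two sides
        return 1
    fi
    # A skew equal to the duration leaves no lockout time on arrival, so it
    # is treated the same as a larger skew.
    if [ "$skew" -ge "$ad_secs" ]; then
        echo "skew-exceeds-duration"  # a synchronized lockout would already be expired
        return 1
    fi
    echo "ok"
}

# Constructed values: 30-minute lockout on both sides, clocks 40 seconds apart.
echo "lockout prerequisites: $(lockout_prereq -18000000000 1800 1700000000 1700000040 || true)"
```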

Using the Account Lockout Feature

To enable account lockout synchronization, you need to map the attributes accountUnlockTime (Directory Server) and lockoutTime (AD). You can select accountUnlockTime in the console after loading the schema with the passwordObject object class.

Requirement to Use Account Lockout Feature

Account Lockout policy should be similar on Active Directory and on Directory Server data sources.

See the README that accompanies the software for installation details.

Using Windows 2003 Server and Identity Synchronization for Windows

On Windows 2003 Server, the default password policy enforces strict passwords, which is not the default password policy on Windows 2000.