At design time, select port numbers for each Directory Server and Directory Proxy Server instance. If possible, do not change port numbers after your directory service is deployed in a production environment.
Separate port numbers must be allocated for various services and components.
Specify the port number for accepting LDAP connections. The standard port for LDAP communication is 389, although other ports can be used. For example, if you must be able to start the server as a regular user, use an unprivileged port, by default 1389. Port numbers less than 1024 require privileged access. If you use a port number that is less than 1024, certain LDAP commands must be run as root.
Solaris systems enable a regular user to use a privileged port. For more information, see Chapter 8, Using Roles and Privileges (Overview), in System Administration Guide: Security Services.
Specify the port number for accepting SSL-based connections. The standard port for SSL-based LDAP (LDAPS) communication is 636, although other ports can be used, such as the default 1636 when running as a regular user. For example, an unprivileged port might be required so that the server can be started as a regular user.
If you specify a non-privileged port and a server instance is installed on a system to which other users have access, you might expose the port to a hijack risk by another application. In other words, another application can bind to the same address/port pair. The rogue application might then be able to process requests that are intended for the server. The application could also be used to capture passwords used in the authentication process, to alter client requests or server responses, or to produce a denial of service attack.
Both Directory Server and Directory Proxy Server allow you to restrict the list of IP addresses on which the server listens. Directory Server has configuration attributes nsslapd-listenhost and nsslapd-securelistenhost. Directory Proxy Server has listen-address properties on ldap-listener and ldaps-listener configuration objects. When you specify the list of interfaces on which to listen, other programs are prevented from using the same port numbers as your server.
In addition to processing requests in LDAP, Directory Server also responds to requests sent in the Directory Service Markup Language v2 (DSML). DSML is another way for a client to encode directory operations. Directory Server processes DSML as any other request, with the same access control and security features.
If your topology includes DSML access, identify the following:
A standard HTTP port for receiving DSML requests. The default port is 80.
If SSL is activated, an encrypted (HTTPS) port for receiving encrypted DSML requests. The default port is 443.
A relative URL that, when appended to the host and port, determines the complete URL that clients must use to send DSML requests
For information about configuring DSML, see To Enable the DSML-over-HTTP Service in Sun Java System Directory Server Enterprise Edition 6.1 Administration Guide.
Directory Service Control Center, DSCC, is a web application for Sun Java Web Console that enables you to administer Directory Server and Directory Proxy Server instances through a web browser. For a server to be recognized by DSCC, the server must be registered with DSCC. Unregistered servers can still be managed using command-line utilities.
DSCC communicates with DSCC agents located on the systems where servers are installed. The DSCC agents run inside a common agent container, which routes network traffic to them and provides them a framework in which to run.
If you plan to use DSCC to administer servers in your topology, identify the following port numbers.
The encrypted HTTPS port for accessing DSCC through Sun Java Web Console on the system where DSCC is installed. The default port is 6789.
The management traffic port for DSCC to access its agents local to the server through the common agent container, default: 11162, on the system where the server instances are installed.
The port numbers for the DSCC Registry instance, if you plan to replicate the configuration information. See dsccsetup(1M) for details.
Even if all components are installed on the same system, DSCC still communicates with its agents through these network ports.
If your deployment includes identity synchronization with Microsoft Active Directory, an available port is required for the Message Queue instance. This port must be available on each Directory Server instance that participates in the synchronization. The default non-secure port for Message Queue is 80, and the default secure port is 443.
You must also make additional installation decisions and configuration decisions when planning your deployment. For details on installing and configuring Identity Synchronization for Windows, see Sun Java System Identity Synchronization for Windows 6 2006Q1 Installation and Configuration Guide.