iPlanet Directory Server 5.1 Installation Guide



Chapter 1   Preparing for a Directory Server Installation


Before you begin installing iPlanet Directory Server, you should have an understanding of the various Directory Server components and the design and configuration decisions you need to make.

To help you prepare for your iPlanet Directory Server installation, you should be familiar with the concepts contained in the sections that follow.

The iPlanet Directory Server Deployment Guide contains basic directory concepts as well as guidelines to help you design and successfully deploy your directory service. Be sure you understand the concepts presented in that guide before proceeding with the installation process.



Caution

This manual does not apply to the iPlanet Directory Server which is already installed with the Solaris™ 9 Operating Environment. Solaris 9 users should refer to the System Administration Guide: Naming and Directory Services, Vol. 5, for information and instructions on configuring Directory Server.

Solaris documentation is available at http://docs.sun.com/.





Installation Components



iPlanet Directory Server contains the following software components:

  • iPlanet Console—iPlanet Console provides the common user interface for all iPlanet server products. From it you can perform common server administration functions such as stopping and starting servers, installing new server instances, and managing user and group information. iPlanet Console can be installed as a stand-alone application on any machine. You can also install it on your network and use it to manage remote servers.

  • Administration Server—Administration Server is a common front-end to all iPlanet servers. It receives communications from iPlanet Console and passes those communications on to the appropriate iPlanet server. Your site will have at least one Administration Server for each server root in which you have installed an iPlanet server.

  • Directory Server—Directory Server is iPlanet's LDAP implementation. The Directory Server runs as the ns-slapd process (on UNIX) or the slapd service (on Windows NT and Windows 2000). This is the server that manages the directory databases and responds to client requests. Directory Server is a required component.

The order in which you install and configure the various components depends on whether you are performing a new installation or an upgrade. See "Installation Process Overview" for details.



Configuration Decisions



During Directory Server installation, you are prompted for basic configuration information. Decide how you are going to configure these basic parameters before beginning the installation process. Depending on the type of installation that you decide to perform, you are prompted for some or all of the information described in the sections that follow.


Choosing Unique Port Numbers

Port numbers can be any number from 1 to 65535. Keep the following in mind when choosing a port number for your Directory Server:

  • The standard Directory Server (LDAP) port number is 389.

  • Port 636 is reserved for LDAP over SSL. Therefore, do not use port number 636 for your standard LDAP installation, even if 636 is not already in use. You can also use LDAP over TLS on the standard LDAP port.

  • Port numbers between 1 and 1024 have been assigned to various services by the Internet Assigned Numbers Authority. Do not use port numbers below 1024 other than 389 or 636 for directory services as they will conflict with other services.

  • On UNIX platforms, Directory Server must be run as root if it listens on either port 389 or 636.

  • On Windows NT and Windows 2000, the directory service must have administrative privileges if it uses ports 389 or 636.

  • Make sure the ports you choose are not already in use. Also, if you are using both LDAP and LDAPS communications, make sure the port numbers chosen for these two types of access are not identical.

For information on how to set up LDAP over SSL (LDAPS) for Directory Server, see the iPlanet Directory Server Administrator's Guide.
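The port rules above are easy to get wrong when planning several instances, so the following Python script, added here as an example and not part of the iPlanet installation kit, checks a planned LDAP port and optional LDAPS port against them and also tries to bind each port on the install host to see whether it is free. The function names and messages are the example's own; the live bind check assumes it runs on the machine where Directory Server will be installed, as the installing user.

```python
import socket
from typing import List, Optional

LDAP_PORT = 389        # standard LDAP port
LDAPS_PORT = 636       # reserved for LDAP over SSL
PRIVILEGED_MAX = 1023  # 1-1023 are IANA-assigned; binding them needs root on UNIX


def check_port_choice(ldap_port: int, ldaps_port: Optional[int] = None) -> List[str]:
    """Apply the guide's port rules to a planned LDAP port and optional LDAPS port.
    Returns a list of problems; an empty list means the choice is acceptable."""
    problems = []
    for name, port in (("LDAP", ldap_port), ("LDAPS", ldaps_port)):
        if port is None:
            continue
        if not 1 <= port <= 65535:
            problems.append(f"{name} port {port} is outside the range 1-65535")
        elif port <= PRIVILEGED_MAX and port not in (LDAP_PORT, LDAPS_PORT):
            problems.append(f"{name} port {port} is below 1024 and assigned to another service")
    if ldap_port == LDAPS_PORT:
        problems.append("port 636 is reserved for LDAP over SSL; do not use it for plain LDAP")
    if ldaps_port is not None and ldaps_port == ldap_port:
        problems.append("the LDAP and LDAPS ports must not be identical")
    return problems


def needs_root(port: int) -> bool:
    """True when the server (and an Administration Server that starts it) must run
    as root on UNIX to bind the port."""
    return 1 <= port <= PRIVILEGED_MAX


def port_in_use(port: int, host: str = "127.0.0.1") -> bool:
    """Conservative in-use test: try to bind the port on this host. Any bind failure
    (another listener, a socket still in TIME_WAIT, or a privileged port without
    root) is reported as unavailable. Assumption: run on the install host."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        try:
            sock.bind((host, port))
        except OSError:
            return True
    return False


def plan_report(ldap_port: int, ldaps_port: Optional[int] = None) -> List[str]:
    """Combine the rule check with the root requirement and the live bind check."""
    report = check_port_choice(ldap_port, ldaps_port)
    for name, port in (("LDAP", ldap_port), ("LDAPS", ldaps_port)):
        if port is None or not 1 <= port <= 65535:
            continue
        if needs_root(port):
            report.append(f"{name} port {port} requires the server to run as root on UNIX")
        if port_in_use(port):
            report.append(f"{name} port {port} is already in use or cannot be bound")
    return report


if __name__ == "__main__":
    # Constructed plan: the default ports; on a non-root shell both lines of the
    # report will show that root is needed and that the bind failed.
    for line in plan_report(389, 636) or ["port plan looks fine"]:
        print(line)
```

Run it as the account that will perform the installation: a "cannot be bound" result for 389 or 636 from a non-root shell is expected and simply confirms the root requirement stated above.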


Creating a New Server Root

Your server root is the directory where you install your iPlanet servers. The default server root for iPlanet Directory Server is /usr/iplanet/servers.

The server root must meet the following requirements:

  • The server root must be a directory on a local disk drive; you cannot use a networked drive for installation purposes. File-sharing protocols such as AFS, NFS, and SMB do not provide the file locking and performance suitable for use by the Directory Server. The server database index files may be damaged if they are not held on a local file system.

  • The directory must not already exist or must be empty.

  • The server root directory must not be the same as the directory from which you are running the setup program.

By default, the server root directory is one of the following:

  • /usr/iplanet/servers (on UNIX systems)

  • c:\iplanet\servers (on Windows NT and Windows 2000 systems)
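The following Python script, added here as an example and not part of the iPlanet installation kit, checks a planned server root against the three requirements above: that it is on a local disk, that it does not exist yet or is empty, and that it is not the directory the setup program runs from. The filesystem lookup reads /proc/self/mounts and so is Linux-specific (an assumption; other UNIX systems would parse the output of mount instead), and the set of network filesystem names is the example's own.

```python
import os
from pathlib import Path
from typing import List

# Filesystem types the guide rules out: they lack the locking and performance the
# server's database index files need. Names as they appear in /proc/self/mounts.
NETWORK_FS = {"nfs", "nfs4", "afs", "cifs", "smbfs", "smb3"}


def mount_fstype(path: Path) -> str:
    """Filesystem type of the mount holding `path`, read from /proc/self/mounts.
    Assumption: Linux. Returns "unknown" when the mount table cannot be read."""
    target = str(path.resolve())
    best_point, best_type = "", "unknown"
    try:
        with open("/proc/self/mounts") as mounts:
            for line in mounts:
                fields = line.split()
                if len(fields) < 3:
                    continue
                point, fstype = fields[1], fields[2]
                if target == point or target.startswith(point.rstrip("/") + "/"):
                    if len(point) > len(best_point):   # longest mount point wins
                        best_point, best_type = point, fstype
    except OSError:
        pass
    return best_type


def check_server_root(server_root: str, setup_dir: str) -> List[str]:
    """Check a planned server root against the guide's requirements:
    local disk, nonexistent or empty, and not the setup program's directory."""
    problems = []
    root = Path(server_root).resolve()
    setup = Path(setup_dir).resolve()
    if root == setup:
        problems.append("the server root must not be the directory the setup program runs from")
    if root.exists():
        if not root.is_dir():
            problems.append(f"{root} exists but is not a directory")
        elif any(root.iterdir()):
            problems.append(f"{root} already exists and is not empty")
    # A root that does not exist yet is judged by its nearest existing ancestor.
    probe = root
    while not probe.exists() and probe != probe.parent:
        probe = probe.parent
    fstype = mount_fstype(probe)
    if fstype in NETWORK_FS:
        problems.append(f"{root} is on a {fstype} filesystem; the server root must be on a local disk")
    return problems


if __name__ == "__main__":
    default_root = "/usr/iplanet/servers"   # the guide's UNIX default
    for problem in check_server_root(default_root, os.getcwd()) or ["server root looks fine"]:
        print(problem)
```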


Choosing the User and Group for Your iPlanet Servers (UNIX® only)

For security reasons, it is always best to run UNIX-based production servers with normal user privileges. That is, you do not want to run Directory Server with root privileges. However, you have to run Directory Server with root privileges if you are using the default Directory Server ports. If Directory Server is started by Administration Server, Administration Server must run either as root or as the same user as Directory Server.

You must therefore choose which user accounts to use for the following purposes:

  • The user and group under which you run Directory Server.

    If you are not running Directory Server as root, it is strongly recommended that you create a user account for all iPlanet servers. You should not use any existing operating system account, and you must not use the nobody account. Also, you should create a common group for the Directory Server files; again, you must not use the nobody group.

  • The user and group under which you run Administration Server.

    For installations that use the default port numbers, this must be root. However, if you use ports over 1024, then you should create a user account for all iPlanet servers, and run Administration Server as this account.

    As a security precaution, when Administration Server is being run as root, it should be shut down when it is not in use.

You should use a common group for all iPlanet servers, such as gid iPlanet, to ensure that files can be shared between servers when necessary.

Before you can install Directory Server and Administration Server, you must make sure that the user and group accounts you are using exist on your system.
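The following Python script, added here as an example and not part of the iPlanet installation kit, performs the account check the paragraph above asks for: it confirms that the chosen user and group exist, that neither is nobody, that the user belongs to the group, and that the choice between root and a dedicated account matches the port choice. It uses the standard pwd and grp modules, so it runs on UNIX only; the function names and messages are the example's own.

```python
import grp
import pwd
from typing import List

FORBIDDEN = {"nobody"}  # the guide forbids the nobody user and the nobody group


def check_service_account(user: str, group: str, ldap_port: int = 389) -> List[str]:
    """Check the user and group chosen for Directory Server: the accounts must
    exist, must not be nobody, and must fit the port choice (root is required
    only for ports below 1024)."""
    problems = []
    if user in FORBIDDEN:
        problems.append("do not run Directory Server as the nobody user")
    if group in FORBIDDEN:
        problems.append("do not use the nobody group for Directory Server files")
    try:
        pw = pwd.getpwnam(user)
    except KeyError:
        problems.append(f"user {user!r} does not exist; create it before running setup")
        pw = None
    try:
        gr = grp.getgrnam(group)
    except KeyError:
        problems.append(f"group {group!r} does not exist; create it before running setup")
        gr = None
    if pw and gr and pw.pw_gid != gr.gr_gid and user not in gr.gr_mem:
        problems.append(f"user {user!r} is not a member of group {group!r}")
    if pw and pw.pw_uid != 0 and ldap_port < 1024:
        problems.append(f"port {ldap_port} requires root on UNIX, but {user!r} is not root")
    if pw and pw.pw_uid == 0 and ldap_port >= 1024:
        problems.append(f"port {ldap_port} does not need root; use a dedicated non-root account instead")
    return problems


def admin_server_user_ok(directory_user: str, admin_user: str) -> bool:
    """Administration Server may start Directory Server only if it runs as root
    or as the same user as Directory Server."""
    return admin_user == "root" or admin_user == directory_user


if __name__ == "__main__":
    # Constructed plan: a dedicated iplanet account on a non-privileged port.
    for problem in check_service_account("iplanet", "iplanet", 1389) or ["account choice looks fine"]:
        print(problem)
    print("Administration Server as iplanet:", admin_server_user_ok("iplanet", "iplanet"))
```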


Defining Authentication Entities

When you install iPlanet Directory Server and Administration Server, you are asked for various user names, distinguished names (DN), and passwords. This list of login and bind entities differs depending on the type of installation that you are performing:

  • Directory Manager DN and password.

    The Directory Manager DN is the special directory entry to which access control does not apply. Think of the directory manager as your directory's superuser. (In former releases of Directory Server, the Directory Manager DN was known as the root DN).

    The default Directory Manager DN is cn=Directory Manager. Because the Directory Manager DN is a special entry, the Directory Manager DN does not have to conform to any suffix configured for your Directory Server. Therefore, you must not manually create an actual Directory Server entry that has the same DN as the directory manager DN.

    The Directory Manager password must be at least 8 characters long. It is limited to ASCII letters, digits, and symbols.

  • Configuration Directory Administrator ID and password.

    The configuration directory administrator is the person responsible for managing all the iPlanet servers accessible through iPlanet Console. If you log in with this user ID, then you can administer any iPlanet server that you can see in the server topology area of iPlanet Console.

    For security, the configuration directory administrator should not be the same as the directory manager. The default configuration directory administrator ID is admin.

  • Administration Server User and password.

    You are prompted for this only during custom installations. The Administration Server user is the special user that has all privileges for the local Administration Server. Authentication as this person allows you to administer all the iPlanet servers stored in the local server root.

    Administration Server user ID and password are used only when the Directory Server is down and you are unable to log in as the configuration directory administrator. The existence of this user ID means that you can access Administration Server and perform disaster recovery activities such as starting Directory Server, reading log files, and so forth.

    Normally, the Administration Server user ID and password should be identical to the configuration directory administrator ID and password. This is the default behavior during typical installations. The default value for the Administration Server user during custom installations is admin.


Determining Your Directory Suffix

A directory suffix is the directory entry that represents the first entry in a directory tree. You need at least one directory suffix for the tree that contains your enterprise's data. It is common practice to select a directory suffix that corresponds to the DNS host name used by your enterprise. For example, if your enterprise uses the DNS name siroe.com, then select a suffix of dc=siroe,dc=com.

For more information on planning the suffixes for your directory service, see the iPlanet Directory Server Deployment Guide.
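The following Python script, added here as an example and not part of the iPlanet installation kit, ties together the planning inputs from "Defining Authentication Entities" and this section: it derives a dc-style suffix from a DNS name as shown above, applies the Directory Manager password rules (at least 8 characters of ASCII letters, digits, and symbols; treating space as not a symbol is this example's assumption), and warns when the Directory Manager DN lies under a configured suffix, where a real entry with the same DN could otherwise be created by mistake. The DN normalization is deliberately simple and assumes no escaped commas in values.

```python
import re
from typing import List

DEFAULT_DIRECTORY_MANAGER = "cn=Directory Manager"   # the guide's default DM DN


def suffix_from_dns(domain: str) -> str:
    """Build the dc-style suffix for a DNS name: siroe.com -> dc=siroe,dc=com."""
    labels = [label for label in domain.strip().strip(".").lower().split(".") if label]
    if not labels:
        raise ValueError("a DNS name needs at least one label")
    return ",".join(f"dc={label}" for label in labels)


def normalize_dn(dn: str) -> List[str]:
    """Split a DN into RDNs, lower-cased, with spaces around commas and '=' removed.
    Assumption: attribute values contain no escaped commas (enough for planning)."""
    rdns = []
    for rdn in dn.split(","):
        rdn = re.sub(r"\s*=\s*", "=", rdn.strip()).lower()
        if rdn:
            rdns.append(rdn)
    return rdns


def dn_under_suffix(dn: str, suffix: str) -> bool:
    """True if dn equals the suffix or sits somewhere below it in the tree."""
    d, s = normalize_dn(dn), normalize_dn(suffix)
    return len(d) >= len(s) and d[-len(s):] == s


def check_directory_manager(dm_dn: str, password: str, suffixes: List[str]) -> List[str]:
    """Apply the guide's Directory Manager rules and flag a DM DN that would be
    a valid entry DN under one of the planned suffixes."""
    problems = []
    if len(password) < 8:
        problems.append("the Directory Manager password must be at least 8 characters long")
    if not re.fullmatch(r"[\x21-\x7e]+", password):   # printable ASCII, no space
        problems.append("the Directory Manager password may contain only ASCII letters, digits and symbols")
    for suffix in suffixes:
        if dn_under_suffix(dm_dn, suffix):
            problems.append(f"{dm_dn!r} lies under suffix {suffix!r}: never create a real entry with that DN")
    return problems


if __name__ == "__main__":
    suffix = suffix_from_dns("siroe.com")   # the guide's example domain
    print("suffix:", suffix)
    # Constructed password for the demonstration only.
    for p in check_directory_manager(DEFAULT_DIRECTORY_MANAGER, "Ch4nge-me!", [suffix]) or ["Directory Manager settings look fine"]:
        print(p)
```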


Determining the Location of the Configuration Directory

Many iPlanet servers, including Directory Server 5.1, use an instance of Directory Server to store configuration information. This information is stored in the o=NetscapeRoot directory tree. It does not need to be held on the same Directory Server as your directory data. Your configuration directory is the Directory Server that contains the o=NetscapeRoot tree used by your iPlanet servers.

If you are installing Directory Server only to support other iPlanet servers, then that Directory Server is your configuration directory. If you are installing Directory Server to use as part of a general directory service, then you will have multiple Directory Servers installed in your enterprise and you must decide which one will host the configuration directory tree, o=NetscapeRoot. You must make this decision before you install any iPlanet servers (including iPlanet Directory Server).

For ease of upgrades, you should use a Directory Server instance that is dedicated to supporting the o=NetscapeRoot tree. This server instance should perform no other function with regard to managing your enterprise's directory data. Also, do not use port 389 for this server instance. Doing so could prevent you from installing a Directory Server on that host that can be used for management of your enterprise's directory data.

Because the configuration directory normally experiences very little traffic, you can allow its server instance to coexist on a machine with another more heavily loaded Directory Server instance. However, for very large sites that are installing a large number of iPlanet servers, you may want to dedicate a low-end machine to the configuration directory so that the performance of your other production servers is not affected. iPlanet server installations result in write activities to the configuration directory. For large enough sites, this write activity could result in a short-term performance hit to your other directory activities.

Also, as with any directory installation, consider replicating the configuration directory to increase availability and reliability. See the iPlanet Directory Server Deployment Guide for information on using replication and DNS round robins to increase directory availability.



Caution

Corrupting the configuration directory tree can result in the necessity of reinstalling all other iPlanet servers that are registered in that configuration directory. Remember the following guidelines when dealing with the configuration directory:

  • Always back up your configuration directory after you install a new iPlanet server.

  • Never change the host name or port number used by the configuration directory.

  • Never directly modify the configuration directory tree. Only the setup program for the various iPlanet servers should ever modify the configuration.




Determining the Location of the User Directory

Just as the configuration directory is the Directory Server that is used for iPlanet server administration, the user directory is the Directory Server that contains the entries for users and groups in your enterprise.

For most directory installations, the user directory and the configuration directory should be two separate server instances. These server instances can be installed on the same machine, but for best results, consider placing the configuration directory on a separate machine.

Your user directory receives much more directory traffic than your configuration directory. For this reason, give the user directory the greatest computing resources. Because the configuration directory receives very little traffic, it can be installed on a machine with very low-end resources (such as a minimally-equipped Pentium).

Also, use the default directory ports (389 and 636) for the user directory. If your configuration directory is managed by a server instance dedicated to that purpose, use some non-standard port for the configuration directory.

You cannot install a user directory until you have installed a configuration directory somewhere on your network.


Determining the Administration Domain

The administration domain allows you to logically group iPlanet servers together so that you can more easily distribute server administrative tasks. A common scenario is for two divisions in a company to each want control of their individual iPlanet servers. However, you may still want some centralized control of all the servers in your enterprise. Administration domains allow you to meet these conflicting goals.

Administration domains have the following qualities:

  • All servers share the same configuration directory, regardless of the domain they belong to.

  • Servers in two different domains may use two different user directories for authentication and user management.

  • The configuration directory administrator has complete access to all installed iPlanet servers, regardless of the domain that they belong to.

  • Each administration domain can be configured with an administration domain owner. This owner has complete access to all the servers in the domain but does not have access to the servers in any other administration domain.

  • The administration domain owner can grant individual users administrative access on a server by server basis within the domain.

For some installations, you can have just one administration domain. In this case, choose a name that is representative of your organization. For other installations, you may want different domains because of the demands at your site. In the latter case, try to name your administration domains after the organizations that will control the servers in that domain.

For example, if you are an ISP and you have three customers for whom you are installing and managing iPlanet servers, create three administration domains each named after a different customer.



Installation Process Overview



You can use one of several installation processes to install Directory Server. Each one guides you through the installation process and ensures that you install the various components in the correct order.

The following sections outline the installation processes available, how to upgrade from an earlier release of iPlanet Directory Server, and how to unpack the software to prepare for installation.


Selecting an Installation Process

You can install Directory Server software using one of the four different installation methods provided in the setup program:

  • Express Installation. Use this if you are installing for the purposes of evaluating or testing iPlanet Directory Server. Express installation is described in "Using Express Installation".

  • Typical Installation. Use this if you are performing a normal installation of Directory Server. Typical installation is described in "Using Typical Installation".

  • Custom Installation. In iPlanet Directory Server 5.1, the custom installation process is very similar to the typical installation process. The main difference is that the custom installation process will allow you to import an LDIF file to initialize the user directory database that is created by default.

  • Silent Installation. Use this if you want to script your installation process. This is especially useful for installing multiple consumer servers around your enterprise. Silent installation is described in Chapter 4, "Silent Installation."

Beyond determining which type of installation process to use, the process for installing iPlanet Directory Server is as follows:

  1. Plan your directory service. By planning your directory tree in advance, you can design a service that is easy to manage and easy to scale as your organization grows. For guidance on planning your directory service, refer to the iPlanet Directory Server Deployment Guide.

  2. Install your Directory Server as described in this manual.

  3. Create the directory suffixes and databases. You do not have to populate your directory now; however, you should create the basic structure for your tree, including all major roots and branch points. For information about the different methods of creating a directory entry, refer to the iPlanet Directory Server Administrator's Guide.

  4. Create additional Directory Server instances and set up replication agreements between your directory servers to ensure availability of your data.


Upgrade Process

iPlanet Directory Server 5.1 supports migration from the Directory Server 4.1, 4.11, 4.12, and 5.0 releases. The migration process is described in Chapter 6, "Migrating From Previous Versions."

For information on migrating servers involved in replication agreements, refer to the iPlanet Directory Server Administrator's Guide.


Unpacking the Software

If you have obtained iPlanet Directory Server 5.1 software from the iPlanet web site, you will need to unpack it before beginning installation.

  1. Create a new directory for the installation:

    # mkdir ds5.1

    # cd ds5.1

  2. Download the product binaries file to the installation directory.

  3. On UNIX, unpack the product binaries file using the following command:

    # gzip -dc file_name.tar.gz | tar -xvof -

    where file_name corresponds to the product binaries that you want to unpack.

    On Windows NT and Windows 2000, unzip the product binaries.



Installation Privileges

On UNIX you must install as root if you choose to run the server on a port below 1024, such as the default LDAP ports 389 and 636 (LDAP over SSL). If you choose port numbers higher than 1024, you can install using any valid UNIX login.

On Windows NT or Windows 2000 you must run the installation as administrator.



Unsetting Environment Variables (AIX only)



If you are installing Directory Server on an AIX machine, the installer will execute the following files (depending upon the shell you use):

  Shell name                   File
  sh (bourne shell)            $HOME/.profile
  csh and tcsh shell           $HOME/.login
                               $HOME/.cshrc
  ksh (korn shell)             $HOME/.profile
                               $HOME/.kshrc
  bash (bourne again shell)    $HOME/.profile
                               $HOME/.bashrc

The installation program does not unset the environment variables that point to these files in each shell. If a file prints output or sets up other interactive state, it may affect installation by causing unexpected error messages and behavior.

For example, to prevent the Korn shell from reading the .profile and .kshrc files, issue the following command before starting the installer:

unset ENV
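Before unsetting anything, it helps to know which startup lines would actually write to the terminal. The following Python script, added here as an example and not part of the iPlanet installation kit, walks the files listed in the table above for a given shell and reports lines that begin with a command that prints. The command list is a heuristic of the example's own; anything it does not catch still needs a manual look.

```python
import os
import re
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Files the installer sources on AIX, per shell, from the guide's table.
STARTUP_FILES: Dict[str, List[str]] = {
    "sh":   [".profile"],
    "csh":  [".login", ".cshrc"],
    "tcsh": [".login", ".cshrc"],
    "ksh":  [".profile", ".kshrc"],
    "bash": [".profile", ".bashrc"],
}

# Commands that write to the terminal when a startup file is sourced.
# Heuristic list (assumption); extend it for your site's conventions.
OUTPUT_CMDS = re.compile(r"^\s*(echo|print|printf|cat|banner|fortune|date)\b")


def scan_startup_files(shell: str, home: Optional[str] = None) -> List[Tuple[str, int, str]]:
    """Return (file name, line number, text) for every line in the shell's startup
    files that looks like it prints to the terminal. Unknown shells yield nothing."""
    home_dir = Path(home or os.path.expanduser("~"))
    hits = []
    for name in STARTUP_FILES.get(shell, []):
        path = home_dir / name
        if not path.is_file():
            continue
        for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            if OUTPUT_CMDS.match(line):
                hits.append((name, lineno, line.strip()))
    return hits


if __name__ == "__main__":
    shell_name = os.path.basename(os.environ.get("SHELL", "sh"))
    for name, lineno, text in scan_startup_files(shell_name) or []:
        print(f"{name}:{lineno}: {text}")
```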


Copyright © 2001 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.

Last Updated October 29, 2001