Complete Contents
Preface
Chapter 1 Gateway Features
Chapter 2 Setting Up the Gateway
Chapter 3 Gateway Localization
Chapter 4 Files Controlling Gateway Functionality
Chapter 5 Entry Types and Object Class Attributes
Chapter 6 Search Attributes, Features, and Results
Chapter 7 Customizing Color and Graphics
Appendix A .conf Parameters
Appendix B Gateway Directives Reference
Appendix C CGI Usage
Appendix D Gateway User Help
Previous Next Contents Index


Chapter 2 Setting Up the Gateway

This chapter describes the planning decisions and tasks required to install and initially configure a gateway for access by end users. Topics include:


Gateway Installation Planning
When preparing to deploy a gateway in the enterprise, consider the following planning issues:

 Location of Gateway Files

Table 2.1 and Table 2.2 show the locations of gateway files for release 4.0 and release 3.x.

Gateway Release 4.0

Two gateway instances are installed during Directory Server 4.0 installation: Directory Express and the default gateway. The .conf files (pb.conf and dsgw.conf) are stored in /dsgw/context. Additional gateways can be created by customizing Directory Express or the default gateway.

Table 2.1 Location of gateway files for release 4.0

File Type
Location
default gateway .conf file
<NSHOME>/dsgw/context/dsgw.conf
default gateway (dsgw) HTML and template files
<NSHOME>/dsgw/html
<NSHOME>/dsgw/config
Directory Express .conf file
<NSHOME>/dsgw/context/pb.conf
Directory Express (pb) HTML and template files
<NSHOME>/dsgw/pbhtml
<NSHOME>/dsgw/pbconfig

Gateway Cloning

Unique gateway instances may have unique HTML directories (for example, ..dsgw/mythml) and template directories (/for example, ..dsgw/myconfig). However, gateways may also be cloned to use identical HTML and template directories while pointing to different Directory Servers or different suffixes on a Directory Server.

See Also

"Gateway Cloning" on page 23

Gateway Release 3.x

One gateway is installed for each instantiation of the Directory Server. The .conf file is stored in /dsgw (under slapd-<instance>).

Table 2.2 Location of gateway files for release 3.x

File Type
Location
default gateway .conf file
<NSHOME>/slapd-<server>/dsgw/dsgw.conf
default gateway HTML and template files
<NSHOME>/slapd-<server>/html
<NSHOME>/slapd-<server>/config

Securing 4.0 Gateway Configuration and Settings

Protecting Bind DN and Password

Release 4.0 gateway .conf files reference files that contain sensitive information, including the binddnfile containing the bind DN and bind password used to permit non-anonymous searching of the directory. The binddnfile should not be stored under the gateway configuration directory (<NSHOME>/dsgw), or in any directory that is served up over HTTP.

Protecting Root Processes on UNIX Systems

On UNIX systemsm, it is not advisable to run the gateway from a Netscape Administration server that is also running a Netscape server process as root. This may expose sensitive information about the configuration of Netscape servers.

Migrating 3.x default Gateways to Release 4.0

Release 4.0 of the Netscape Directory server supports 3.x gateways, so it is not necessary to modify a 3.x gateway in order for it to access a 4.0 directory. However, a 3.x gateway can not co-exist with 4.0 gateways unless it is first migrated to the 4.0 gateway structure.

An upgrade script, dsgwmig, is available which completes the migration of dsgw.conf and its relevant files. The script does not overwrite the existing 3.x gateway, but renames it as a new gateway instance (dsgw-30.conf) that runs from the 4.0 /dsgw installation directory. The 3.x gateway will continue to work with the 3.x Directory Server installation.

 The migration script is installed in <NSHOME>/bin/slapd/admin/bin during Directory Server installation. The script makes the following changes to the 3.x gateway.

 Location of migrated dsgw.conf file

When the migration script finishes, the migrated 3.x dsgw.conf file can be accessed from:

http://<host>:<port>/dsgw/bin/lang?context=dsgw-30

Running the Gateway Migration Script

The dsgwmig script runs automatically during the 3.x -> 4.0 Directory Server migration process.

Directory server migration is described in the Release Notes for Directory Server 4.0.

 Updating the Gateway with Changes to Directory Server Configuration

Release 4.0 of the Directory Server provides a script, updatedsgw, that can be used to update all gateway instances with changes to the Directory Server configuration, including changes to Directory Server port, host, suffix, and root DN (the ability to update the suffix is not available in the server administration console). The updatedsgw script is stored in <NSHOME>/bin/slapd/admin/bin.

Changes made to the Directory Server configuration (slapd.conf) through the Netscape Console are posted to updatedsgw and the relevant gateway files are updated. These files are updated when the host and port for the gateway match the host and port of the Directory Server.

Note. The Directory Server's root DN (the Directory Server's superuser) must match the value of the gateway's dirmgr parameter.

 HTTP Server Recommendations for Directory Server Gateway Release 4.0

The Netscape Administration Server is the default HTTP server for the two gateway clients that are installed with the Netscape Directory Server. Both Directory Express and the default gateway are preconfigured to run under the Netscape Administration Server without additional setup.

Factors Affecting Gateway Usage

Many factors affect gateway performance on an HTTP server, including:

In general, gateway performance on the Netscape Administration Server begins to slow down when the number of users accessing the gateway throughout the enterprise reaches 6,000 people. (Note that this is a very general recommendation that does not take into account factors listed above, especially the speed of the host machine.)

Note. It is not advisable to run the gateway from a Netscape Administration server that is also running a Netscape server process as root. This may expose sensitive information about the configuration of Netscape servers.

 Running the Gateway in High-Usage Networks

Network administrators expecting high gateway usage may want to move the gateway to a high-performance HTTP server that is dedicated to running the gateway.

Note. If you do decide to migrate the gateway's configuration files to a high-performance HTTP server, Netscape recommends Netscape Enterprise Server or FastTrack Server.

See Also

"Name Translation Mapping" on page 17


HTTP Server Configuration
Name Translation Mapping

The HTTP server uses Name Translation mapping to translate a virtual path provided by a gateway client to a physical path used by an HTTP server. This Name Translation mapping specifies the gateway's HTML directory. The gateway's CGIs use this information to output the correct URL (HTTP redirection). In release 4.0 of the gateway, the NameTrans mapping is specified in the gateway's .conf file using the gwnametrans parameter.In release 3.x, the NameTrans mappings are hard-coded (the binary files stored in /dsgw/bin are mapped to /dshtml and the HTML files stored in /dsgw/html are mapped to /ds).

See Also

"gwnametrans" on page 84

Gateway Root Suffix

In release 4.0, Directory Express and the default gateway are set to the root suffix specified during Directory Server installation. This suffix specifies the DN for the LDAP database and represents a root in the directory tree (for example, o=airius.com). Multiple gateways can be set up on an HTTP server that provide access to directory entries that correspond to this root suffix.

When the Directory Server's suffix changes, it is necessary to run the updatedsgw script manually in order to propagate the change to all gateway instances.

See Also

"Updating the Gateway with Changes to Directory Server Configuration" on page 15

In release 3.x, to access a different suffix, another HTTP server and another gateway must be configured on the host where the Directory Server is installed.

Note. When the root suffix, directory manager, or port change, the gateway settings in dsgw.conf must be updated to reflect the changes (if they haven't been updated through the Netscape Console).

 Configuring the Gateway for Enterprise or FastTrack Servers

The configuration procedures provided in this section assume that a Netscape FastTrack (or Enterprise) HTTP server is installed and configured to communicate with the Netscape LDAP Directory server.

In release 4.0, Directory Express and the default gateway are installed with the Directory Server and configured to run under the Netscape Administration Server, which is the default HTTP server for the gateway clients. No additional configuration is necessary. However, customers in high-usage networks may wish to move their gateways (or set up new gateways) on a high-performance HTTP server, following the procedures provided in this section.

 In release 3.x, the gateway must be configured to communicate with the LDAP Directory Server, following the procedures provided in this section. The 3.x gateway allows one instance of the gateway per HTTP server.

Figure 2.1 shows the Netscape FastTrack Server configuration screen used to configure an additional document directory. Figure 2.2 shows the Netscape Enterprise Manager configuration screen used to configure an additional CGI directory.

Figure 2.1 Configuring an Additional Document Directory

Figure 2.2 Configuring an Additional CGI Directory

 Add an Additional Document Directory (4.0 Gateways)

Adding an additional document directory is necessary to establish access to the gateway files. From the server manager for the FastTrack or Enterprise Server:

  1. Go to Content Mgmt | Additional Document Directories.

  2. In the URL prefix field, enter
    3. dsgw

  3. In the Map to Directory field, enter
    4. <NSHOME>/dsgw/

    where <NSHOME> is the Directory Server's installation directory.

  4. Click OK, then Save and Apply.
Add an Additional Document Directory (3.x Gateways)

Adding an additional document directory is necessary to establish access to the gateway files.

From the server manager for the Enterprise Server:

  1. Go to Content Mgmt | Additional Document Directories.

  2. In the URL prefix field, enter dshtml.

  3. In the Map to Directory field, enter:
    4. <NSHOME>/slapd-<serverID>/dsgw/html

    where <NSHOME> is the Directory Server's installation directory, and <serverID> is the Directory Server's identifier.

  4. Click OK, then Save and Apply.
Add an Additional CGI Directory (for 4.0 gateways)

 Adding an additional CGI directory is necessary to make the gateway's CGI programs available. From the server manager for the HTTP server:

  1. Go to Programs | CGI Directory.

  2. In the URL prefix field, enter
    3. /dsgw/bin

  3. In the CGI directory field, enter:
    4. <NSHOME>/dsgw/bin

  4. Click OK, then Save and Apply.
Add an Additional CGI Directory (for 3.x Gateways)

Adding an additional CGI directory is necessary to make the gateway's CGI programs available. From the server manager for the HTTP server:

  1. Go to Programs | CGI Directory.

  2. In the URL prefix field, enter ds.

  3. In the CGI directory field, enter
    4. <NSHOME>/slapd-<serverID>/dsgw/bin

  4. Click OK, then Save and Apply.
Change Permissions of Cookie Directory (UNIX only)

To enable the gateway to store cookies on the HTTP server, the gateway must have write access to the HTTP server's cookie directory. From the server manager for the HTTP server:

  1. Go to System Settings|View Server Settings and note the value set for the User field.

    2. If this value is set to nobody, check to make sure that the server is not running as a named user. For example, on Solaris grep for the http process:

    ps -ef | grep http

    The process listed identifies the name under which the HTTP process is running.

  2. Log into the machine as root.

  3. Go to the <NSHOME>/dsgw and enter:
    4. # chown <uid> authck

    where <uid> is the user name determined in step 1.

  4. Verify that the directory is accessible by opening the URL:
    5. http://<webserver-host>:<port>/ds/search

    where <webserver-host> is the HTTP server's host name, and <port> is the port number used by the server.

Note. When the HTTP server is using the standard HTTP port number (80), the port number does not need to be included in the URL.
Creating a New Gateway Instance (4.0 only)
These instructions assume that the new gateway instance is running under the Netscape Administration server or a similarly capable HTTP server.

Example 2.1 Setting up .conf file and directories for new gateway instance

  1. Rename dsgw.conf or pb.conf to a new gateway context. For example, dsgw/context/dsgw.conf might become dsgw/context/airius.conf.

  2. Set the gwnametrans parameter in the new gateway's .conf file to point to the HTML directory. For example, the gwnametrans parameter setting for airius.conf should point to /dsgw/airiushtml.

  3. To support non-anonymous searching (one individual user DN and password per directory instance) using the new gateway, set the binddnfile parameter in airius.conf to point to the location of the file containing the bind DN and bind password be used to access information in the user directory (the binddnfile contains sensitive information; for security purposes, do not store the binddnfile within the /dsgw directory or within any directory served up over HTTP).

  4. Create an HTML directory for the new gateway: For example, to provide an HTML directory for airius.conf, copy and rename an existing HTML directory (dsgw/html or dsgw/pbhtml) to /dsgw/airiushtml.

  5. Create a template directory containing object class templates and other configuration files. For example, to provide a template directory for airius.conf, copy and rename an existing template directory (/dsgw/config or /dsgw/pbconfig) to /dsgw/airiusconfig.

  6. Edit the htmldir and configdir parameters in airius.conf to point to the new HTML and template directories.

  7. To access the new gateway instance--in this example, airius.conf--navigate the browser to
    8. http://admin:port/dsgw/bin/lang?context=airius

Gateway Cloning

The HTML and template directories for one gateway can serve as the HTML and template directory for many others. Maintaining the functionality of multiple gateways in a centralized /config and /html directories is useful when the only values that are likely to change are parameter setting in the .conf file. (for example, the host and port specified by the baseurl parameter, the root DN specified by dirmgr, and the root suffix specified by the location-suffix parameter).


Gateway .conf File Configuration
Changing the Default Port Setting

The LDAP port is set during Directory server installation. This value can be changed in the baseurl parameter. Example 2.2 shows the syntax used to specify a port number that is different than the default port number of 389.

Example 2.2 Changing LDAP port in the baseurl parameter

baseurl "ldaps://dirserver.airius.com:3000/o%3Dairius.com"

Setting Up the Directory Manager

When the Directory server is installed, the Directory Manager is by default set to the root DN. The Directory Server 4.0 installation requires a root DN. If no root DN was configured when the Directory server was installed, then no default Directory Manager is configured for the gateway.

Note. For security reasons, Netscape recommends setting the Directory Manager to an entry other than the root DN.

 Configuring the Directory Manager DN

Use this procedure to configure the gateway Directory Manager to reference the correct DN.

  1. Create an entry for the Directory Manager, making sure to set a password for the entry.

  2. Set the permissions for the Directory Manager so that it has read and write authority for the entries it manages.

  3. When necessary, change the dirmgr parameter to refer to the Directory Manager's distinguished name.
Note. End users frequently forget their passwords, so give the Directory Manager write access to the userPassword attribute for the entries it manages.

 The dirmgr parameter is described in "dirmgr" on page 83. Creating directory entries is described in the Netscape Directory Server Administrator's Guide.

Authenticating as Directory Manager

Figure 2.3 shows the authentication login screen for the default gateway. Administrators can use it to authenticate as the Directory Manager. The Authenticate as Directory Manager button is displayed only when a Directory Manager has been configured for the gateway.

The authlifetime parameter, which defines the number of seconds that a user may remain authenticated, is described in "location" on page 85.

Figure 2.3 Authenticating as Directory Manager

 Setting up the Suffix for Adding Entries

The location-suffix parameter is defined in dsgw.conf, and identifies the suffix under which the gateway creates new entries in the directory. The location-suffix parameter can point to any suffix in a directory.

Setting the location-suffix parameter is described in "include" on page 85. The Netscape Directory Server Administrator's Guide describes the Suffix parameter and provides syntax examples. Setting the root suffix is also described in the Netscape Directory Server Installation Guide.

Setting Up SSL Support

When the Directory server is installed, the gateway is configured to communicate with the Directory server using a non-SSL host name and port number. This information is stored in the baseurl parameter.

Configuring the gateway to use SSL when communicating with the Directory server requires modification of the securitypath and baseurl parameters in dsgw.conf.

Enabling SSL communications on the Directory Server is described in the Netscape Directory Server Administrator's Guide. Information about managing key and certificate databases is provided in Managing Netscape Servers.

 Configuring the Gateway to Use SSL

The syntax in Example 2.3 shows the securitypath parameter specifying the location of the certificate database.

Example 2.3 Specifying the Path for Certificate Database

securitypath "/export/TEST/alias/cert.db"

The syntax in Example 2.4 shows the baseurl parameter configured to use ldaps (instead of ldap, the default) and standard SSL port number 636.

Example 2.4 Specifying SSL Communication

baseurl "ldaps://dir.airius.com:636/o%3Dairius.com"

Note. Before configuring SSL, verify that the gateway's Certificate database contains a server certificate or Certificate Authority certificate needed to communicate with the Directory Server.

See Also

"baseurl" on page 80

Setting Up Localization

There are two considerations for configuring the gateway character set: the directory contents and the HTTP clients. The ideal character set supports all the characters in the directory, and is displayed properly by all HTTP clients. UTF-8 best supports the Directory Server's internal character (which is UTF-8). However, HTTP clients that are not designed for localization may display UTF-8 poorly.

If a single character set works well for most gateway users, define it using the charset parameter in the gateway's .conf file. For users who require a character set that supports another language, create the appropriate ../dsgw/LANG/dsgwcharset.conf file (where LANG represents a language, such as "en" or "fr") and configure the HTTP clients for these users to specify their language in the HTTP Accept-language header.

 Setting the language and character set for communication with HTTP clients is described in Chapter 3, "Gateway Localization"

Setting Locations and newtypes

See Also

"Mapping Locations and Entry Types" on page 48

Setting vCard Properties

Mappings between VCARD properties and LDAP attribute type are described in "vcard-property" on page 90.


Configuring Gateway Clients
Language Support for HTTP Clients

When a user accesses information in the directory from an HTTP client—through the gateway or another HTTP-based LDAP interface—the client provides the Directory server with information indicating the optimal character set and collation order to use in transmitting information to the browser.

Unicode and Latin-1 Character Sets

When the user is using Netscape Communicator 4.x, the Directory server sends Unicode characters. Netscape Navigator 2.x and 3.x clients are not capable of displaying Unicode characters.

When the user is using Netscape Navigator 3.x and lower, the Directory server sends Latin-1 characters unless the charset parameter has been configured in the gateway's .conf file. The Latin-1 character set includes most Western languages, including German, French, English, and Spanish.

Displaying a Non-English Alphabet

To display directory content that uses a non-English alphabet, a font capable of displaying a non-English alphabet must be installed on the user's system.

The Directory server can store any Unicode character, so Communicator users should install a font that supports all of Unicode. Bitstream Cyberbit, which is bundled with Netscape Communicator, supports Unicode.

Users who are not using Communicator should use a font that supports Latin-1 (or Western) character sets. Most of the commonly used fonts (Courier, Times Roman, Helvetica) have a Latin-1 variant.

 Configuring Communicator 4.x for Preferred Language

  1. Install a font that supports Unicode.

  2. Go to Edit | Preferences | Appearance | Fonts.

  3. From the For the Encoding pull-down menu, select Unicode.

  4. From the Variable Width Font pull-down menu, select a Unicode font set (for example, Bitstream Cyberbit).

  5. From the Fixed Width Font pull-down menu, select a Unicode font set (for example, Bitstream Cyberbit).

  6. Go to Edit | Preferences | Navigator | Languages and configure the list of languages so that the best description of the user's language is first, followed by other acceptable languages. For example, a speaker of British English who also reads Spanish might list English/United Kingdom [en-GB] first, followed by English [en] and then Spanish [es].
Configuring Navigator 3.01 for Preferred Language

  1. Install a font that supports Unicode.

  2. Go to Options | General Preferences | Fonts.

  3. From the For the Encoding pull-down menu, select (on NT) Latin-1 or (on UNIX) Western (ISO-8559-1).

  4. For Use the Proportional Font, select a Latin-1 font set.

  5. From the Fixed Font pull-down menu, select a Latin-1 font set.

  6. Go to Options | General Preferences| Languages and configure the list of languages so that the best description of the user's language is first, followed by less-exact descriptions and other acceptable languages. For example, a speaker of British English who also reads Spanish might list English/United Kingdom [en-GB] first, followed by English [en] and then Spanish [es].
Customizing Communicator's LDAP Settings

Administrators can reconfigure Javascript preference settings in Communicator to allow users to interact with information stored in the user directory.

See Also

Customizing LDAP Settings for Communicator 4.0x

 

© Copyright 1999 Netscape Communications Corporation