Previous     Contents     Index     Next     
iPlanet Directory Server Access Management Edition Installation and Configuration Guide



Chapter 4   Simple Installations with
No Existing Directory Server


This chapter provides instructions for installing iPlanet Directory Server Access Management Edition (DSAME) for evaluation purposes, or for deploying a DSAME directory or services for the first time. These instructions assume that you do not already have iPlanet Directory Server installed on the target computer system.

Topics in this chapter include:


Note

If you plan to use DSAME with an existing Directory Server that is already provisioned with users, see Chapter 5 "Using an Existing Directory Server on page 65.




Installing DSAME Services


Use these instructions when you want to do a quick and simple installation to explore the product. You can also use these instructions when you are installing multiple instances of DSAME Services to support directory replications. (For more information on directory replications, see"Installing Multiple DSAME Instances Against the Same Directory Server".

When you choose this option, the following components are installed:

  • Directory Server 5.1

  • DSAME Policy service and Management service

  • A Web Server that runs the DSAME Policy and Management services


To Install DSAME Services with Directory Server

You must have root permissions when you run the DSAME installation program. Be sure all web browsers are closed before starting the installation program.

  1. If you're installing DSAME from the product CD, insert the CD into the drive of the system on which you want to install the software.

    If you've downloaded the product, unpack the product binaries file using the following command:

      gunzip -dc dsame-5.0-domestic-us.sparc-sun-solaris2.8.tar.gz |     tar -xvof -

  2. Run the aminstall program. On the product CD, you'll find the program in the directory /cdrom/DSAME_50. If you've downloaded the product binariers, you'll find the program in the directory where you untarred the binary files.

    At the command line, enter aminstall.

    The aminstall command accepts the following -v [verbose] option. The verbose option gives brief progress messages as the actions of the install program take place. Otherwise, installation messages are written to log files in the following directory:

      /var/opt/SUNWam/install

  3. Read the License Agreement. When prompted, Do you agree to the license terms? Enter y for Yes.

  4. If the following message does not display, then skip to the step 5.
    One or more components that are part of DSAME 5.0 have been detected on this system.

    If you are going to install components which already exist, you must uninstall them first.

    What would you like to do?
    1)Remove existing components, then continue installation.
    2)Continue installation without removing existing components.
    3)Exit

    • If the above message is displayed, and you want to re-install components listed in the message, then enter 1 to remove the existing components. After uninstallation, the installation program will automatically start again from the beginning.

    • If the message (above) is displayed, and you want to install components that are not listed, then enter 2 to proceed to the next step.

  5. The following options are displayed.
    Select which option to install:

    1) DSAME Services
    2) DSAME Agent only
    3) iPlanet Directory Server 5.1
    4) iPlanet Directory Server Configuration for DSAME
    5) Exit

    When prompted, provide the following information:

    Select which component to install: Enter 1 to install DSAME Services.

    What directory do you want to install the Services in? Enter the path to the directory where DSAME Services will be installed. Plan to install the DSAME Services and Directory Server in different directories. Ideally, you would install DSAME Services and Directory Server on different computer systems.

    What is the host name of the machine where the DSAME Services will run? This is the computer system where a DSAME components and a dedicated web server are installed together. In the name mycomputer.organization_name.madisonparc.com, the host name is mycomputer.

    What is the sub-domain name ("." for none)? For example, in the name mycomputer.organization_name.madisonparc.com, the sub-domain name is organiation_name. If your host computer does not have a sub-domain, enter a period (.).

    What is the domain name? For example, in the name mycomputer.organization_name.madisonparc.com, the domain name is madisonparc.com

    What is the DSAME Services port? Enter a port number for the Web Server that runs the DSAME services.

    Web Server Administration user id: [admin] This is the server administrator who has access to the Web Server that runs DSAME services.

    Admin password (8 chars minimum): Enter a password for the Web Server Administrator.

    Re-enter Admin password: Re-enter the Web Server Administrator password to confirm it.

    What is the Web Server admin port? Enter the default port number 8888.

    System User: This is the user the Directory Server will run as. If you have a Directory Server already running, enter the same System User used by that Directory Server. Example: nobody.

    System Group: This is the group the user (above) belongs to. Example: nobody.

    Do you want to run in iPlanet Compliance mode? In most cases, enter n for No. For more information, see "Compliant vs. Default DIT".

    Will you be using an existing DIT and schema? Enter n for No.

    What is the root suffix of your directory tree? This is the DSAME root suffix, or the point in your directory where you want DSAME to start managing entries. Enter a relative distinguished name (RDN) that includes at least one equals sign (=).

    Examples:

      o=isp

      o=madisonparc

      dc=sun,dc=com,l=us

    If you want the default organization to be the root suffix, enter a period (.).


    Note

    The default organization uses the organization (o) object class. If you want to use a different naming attribute such as dc, you must follow the installation instructions in Chapter 5 "Using an Existing Directory Server" on page 65.


    What is your organization name? Enter a name for the first organization to be created in your DSAME Directory Information Tree (DIT). This name will be displayed in the DSAME graphical user interface. Examples: iPlanet or iplanet.com.

    Do you want to install the Agents on this host? Enter y for Yes. For more information, see Chapter 6 "Installing URL Policy Agents on page 47.

    Do you want to use an existing iPlanet Directory Server? Enter n for No.

    What directory do you want to install the Directory Server in? Enter the path to the directory where Directory Server will be installed. Do not install Directory Server in the same directory as DSAME Services. Ideally, you would install DSAME Services and Directory Server on different computer systems.

    <Path> does not exist, create? If this prompt displays, DSAME can automatically creates a new for you. Enter y for Yes.

    What port should the LDAP server use? The following is an excerpt from iPlanet Directory Server Installation Guide regarding this topic:

    "Port numbers can be any number from 1 to 65535. Keep the following in mind when choosing a port number for your Directory Server:

    • The standard Directory Server (LDAP) port number is 389.

    • Port 636 is reserved for LDAP over SSL. Therefore, do not use port number 636 for your standard LDAP installation, even if 636 is not already in use. You can also use LDAP over TLS on the standard LDAP port.

    • Make sure the ports you choose are not already in use.

    • If you are using both LDAP and LDAPS communications, make sure the port numbers chosen for these two types of access are not identical."

    Directory Server Administration user id: Administration Server user ID is used only when the Directory Server is down and you are unable to log in as the configuration directory administrator. The existence of this user ID means that you can access Administration Server and perform disaster recovery activities such as starting Directory Server, reading log files, and so forth.

    Normally, Administration Server user and password should be identical to the configuration directory administrator ID and password.

    Admin password (8 chars minimum): Enter a password for the Directory Server administrator.

    Re-enter Admin password: Enter the password again to confirm it.

    What is the Directory Server admin port? The default port number is 8900.

    Directory Manager DN: The Directory Server administrative user, or Directory Manager, is the administrator who has unlimited access to Directory Server data and configuration. The default DN for the Directory Manager is cn=Directory Manager.

    Directory Manager password (8 chars minimum): Enter a password for the Directory Manager.

    Re-enter Directory Manager password: Enter the password again to confirm it.

    What is the deployment URI prefix for the DSAME Services? The Universal Resource Indicator (URI) prefix tells the Web Server where to look for HTML pages associated with a service.

    For example, an authentication service may store a customized login page for each organization in the enterprise. If you are an employee of the Jones Company, you'll see an HTML login page with the Jones logo. If you are an employee of the Smith Company, you'll see an HTML login page with the Smith logo. The HTML pages for each company should be stored in different locations.

    The default URI prefix is amserver. You can enter a different name.

    What is the deployment URI prefix for the DSAME Agents? The Universal Resource Indicator (URI) prefix tells the Web Server where to look for HTML pages the agent needs to display.

    For example, when a user attempts to access a URL, but cannot provide proper credentials, the agent must display an "Access denied" message. The URI prefix tells the Web Server where to look for the HTML page that contains this message.

    The default URI prefix is amagent. You can enter a different name.

    The Super Administrator user id is: This is the Administrator who has unlimited access to all entries managed by DSAME. The Super Administrator user id is hardcoded amAdmin. This ensures that the DSAME administrator role and its privileges are created and mapped properly in the Directory Server so that you can log into DSAME product immediately after installation. Since this is an administrator role, you can add other users to this role after installation.

    Admin password (8 chars minimum): Enter a password for the Super Administrator.

    Re-enter Admin password: Enter the Super Administrator password again to confirm it.

    Do you want to start the iPlanet Directory Server Access Management Edition Server when installation is complete? If you enter y for Yes, DSAME will automatically start up immediately after installation. If you enter n for No, you must start DSAME manually after installation.

    To start DSAME manually, at the command line enter the following command:

      /etc/init.d/amserver start

    Are all settings correct? If the settings displayed are not correct, enter n for No and the installation program will start again from close to the beginning. If the settings are correct, enter y for Yes to continue with the installation.

    Select which component to install: When you see the following options displayed, enter 5 to exit the installation program.
    Select which option to install:

    1) DSAME Services
    2) DSAME Agent only
    3) iPlanet Directory Server 5.1
    4) iPlanet Directory Server Configuration for DSAME
    5) Exit



Installing a Stand-Alone iPlanet Directory Server

You can use the DSAME product CD to install iPlanet Directory Server as a stand-alone product, either with or without the DSAME package format. For your convenience, there is a stand-alone version of iPlanet Directory Server 5.1 that you can install when you run the DSAME installation program. On the DSAME product CD, there is also a Directory Server 5.1 setup program.


Installing Directory Server With the DSAME Package Format

When you use the DSAME installation program, Directory Server is installed with the package format. When you use this installation option, you can only install one Directory Server per computer host.

If you're already using a pre-5.1 version of Directory Server, you'll need to upgrade to this version before you install other DSAME services. You can run the DSAME installation program to install this version of Directory Server along with the DSAME schema.


To Install iPlanet Directory Server With Package Format

You must have root permissions when you run the DSAME installation program. Be sure all web browsers are closed before starting the installation program.

  1. If you're installing DSAME from the product CD, insert the CD into the drive of the system on which you want to install the software.

    If you've downloaded the product, unpack the product binaries file using the following command:

       gunzip -dc dsame-5.0-domestic-us.sparc-sun-solaris2.8.tar.gz |       tar -xvof -

  2. Run the aminstall program. On the product CD, you'll find the program in the directory /cdrom/DSAME_50. If you've downloaded the product binariers, you'll find the program in the directory where you untarred the binary files.

    At the command line, enter aminstall.

    The aminstall command accepts the following -v [verbose] option. The verbose option gives brief progress messages as the actions of the install program take place. Otherwise, installation messages are written to log files in the following directory:

      /var/opt/SUNWam/install

  3. Read the License Agreement. At the prompt, Do you agree to the license terms? enter y for Yes.

  4. If the following message does not display, then skip to the step 5.
    One or more components that are part of DSAME 5.0 have been detected on this system.
    ...
    If you are going to install components which already exist, you must uninstall them first.

    What would you like to do?
    1) Remove existing components, then continue installation.
    2) Continue installation without removing existing components.
    3) Exit

    • If the message (above) is displayed, and Directory Server 5.1 is listed in the message, then enter 1 to remove it. After uninstallation, the installation program will automatically start again from the beginning and you can re-install all DSAME components.

    • If the above message is displayed, and Directory Server 5.1 is not listed in the message, then enter 2 to proceed to the next step.

  5. The following options are displayed.
    Select which component to install:

    1) DSAME Services
    2) DSAME Agent only
    3) iPlanet Directory Server 5.1
    4) iPlanet Directory Server Configuration for DSAME
    5) Exit

    When prompted, provide the following information:

    Select which component to install: Enter 3.

    What directory do you want to install the Directory Server in? Enter the path to the directory where Directory Server will be installed. Do not install Directory Server in the same directory as DSAME Services. Ideally, you would install DSAME Services and Directory Server on different computer systems.

    <Path> does not exist, create? If this prompt displays, DSAME can automatically creates a new for you. Enter y for Yes.

    What is the host name of the machine where the Directory Server will run? For example, in the fully qualified domain name mymachine.org_name.madisonparc.com, the host computer system name is mymachine.

    What is the sub-domain name ("." for none)? For example, in the name mycomputer.organization_name.madisonparc.com, the sub-domain name is organiation_name. If your host computer does not have a sub-domain, enter a period (.).

    What is the domain name? For example, in the name mycomputer.organization_name.madisonparc.com, the domain name is madisonparc.com

    What port should the LDAP server use? The following is an excerpt from iPlanet Directory Server Installation Guide regarding this topic:

    "Port numbers can be any number from 1 to 65535. Keep the following in mind when choosing a port number for your Directory Server:

    • The standard Directory Server (LDAP) port number is 389.

    • Port 636 is reserved for LDAP over SSL. Therefore, do not use port number 636 for your standard LDAP installation, even if 636 is not already in use. You can also use LDAP over TLS on the standard LDAP port.

    • Make sure the ports you choose are not already in use.

    • If you are using both LDAP and LDAPS communications, make sure the port numbers chosen for these two types of access are not identical."

    Directory Server Administration userid: Administration Server user ID is used only when the Directory Server is down and you are unable to log in as the configuration directory administrator. The existence of this user ID means that you can access Administration Server and perform disaster recovery activities such as starting Directory Server, reading log files, and so forth.

    Normally, Administration Server user and password should be identical to the configuration directory administrator ID and password.

    Admin password (8 chars minimum): Enter a password for the Directory Server administrator.

    Re-enter Admin password: Enter the password again to confirm it.

    What is the Directory Server admin port? The default port number is 8900.

    System User: This is the user the Directory Server will run as. If you have a Directory Server already running, enter the same System User used by that Directory Server. Example: nobody.

    System Group: This is the group the user (above) belongs to. Example: nobody.

    What is the root suffix of your directory tree? This is the DSAME root suffix, or the point in your directory where you want DSAME to start managing entries. Enter a relative distinguished name (RDN) that includes at least one equals sign (=).

    Examples:

      o=isp

      o=madisonparc

      dc=sun,dc=com,l=us

    If you want the default organization to be the root suffix, enter a period (.).

    Do you want to configure this Directory Server for use by DSAME? Enter y for yes. This tells the installation program to install the DSAME schema. Enter n for No if you do not want to install the DSAME schema.

    Directory Manager DN: The Directory Server administrative user, or Directory Manager, is the administrator who has unlimited access to Directory Server data and configuration. The default DN for the Directory Manager is cn=Directory Manager. Enter the DN you specified when you first installed Directory Server.

    Directory Manager password (8 chars minimum): Enter a password for the Directory Manager. Confirm the password when prompted.

    Do you want to start the iPlanet Directory Server Access Management Edition iDS when installation is complete? If you enter y for Yes, then Directory Server will automatically start up immediately after installation. If you enter n for No, then you must restart DSAME manually after installation.

    To restart Directory Server, enter the commands with root permissions:

      cd Directory_Server_root/slapd-instance_name

      restart-slapd

    Are all settings correct? Confirm that the settings are correct. If they are not, choose n for no and the installation program will prompt you for the setting information again.

  6. Enter 5 to exit the installation program.

Once you've exited the installation program, iPlanet recommends that you optimize the Directory Server for use with the DSAME Policy service and Management service. For detailed instructions, see "Optimizing Directory Server for DSAME" in this chapter.


Installing Directory Server Without the DSAME Package Format

When you use the Directory Server setup program, Directory Server is installed without the DSAME package format. You can use the setup program to install multiple Directory Servers on a single computer host.

If you plan to use directory replications, you'll need to install stand-alone versions of Directory Server 5.1 on more than one computer system. If you want to set up your replications before you install DSAME schema, you can use the Directory Server setup program that comes on the DSAME product CD.


To Install Directory Server Without DSAME Package Format

You must have root privileges when installing Directory Server.

  1. Locate the Directory Server setup program.

    • If you're installing from the DSAME product CD, insert the CD into the drive of the machine where you want to install Directory Server.

    • If you've downloaded the product, unpack the product binaries file using the following command:

        gunzip -dc dsame-5.0-domestic-us.sparc-sun-solaris2.8.tar.gz     | tar -xvof -

  2. In the DSAME directory, at the command line, enter the following commands:

      cd SUNWamds/reloc/*/

      cp directory.5.1.us.sparc-solaris.tar /temp 

      cd /temp

      tar -xvof directory.5.1.us.sparc-solaris.tar

      setup

For detailed installation instructions, see the iPlanet Directory Server Installation Guide that comes with the product. Or access the documentation on the Internet at http://docs.iplanet.com/docs/manuals/directory.html.



Configuring an Existing Directory Server 5.1 to Work with DSAME


You only use Option 4 of the installation program when you already have a directory server that is provisioned with user data. When you use these instructions, only the DSAME schema is installed. None of your data is overwritten; no other server or services are installed.


To Configure an Existing Directory Server

You must have root permissions when you run the DSAME installation program. Be sure all web browsers are closed before starting the installation program.

  1. If you're installing DSAME from the product CD, insert the CD into the drive of the system on which you want to install the software.

    If you've downloaded the product, unpack the product binaries file using the following command:

      gunzip -dc dsame-5.0-domestic-us.sparc-sun-solaris2.8.tar.gz |     tar -xvof -

  2. Run the aminstall program. On the product CD, you'll find the program in the directory /cdrom/DSAME_50. If you've downloaded the product binariers, you'll find the program in the directory where you untarred the binary files.

    At the command line, enter aminstall.

    The aminstall command accepts the following -v [verbose] option. The verbose option gives brief progress messages as the actions of the install program take place. Otherwise, installation messages are written to log files in the following directory:

      /var/opt/SUNWam/install

  3. Read the License Agreement. When prompted, Do you agree to the license terms? Enter y for Yes.

    • If the following message does not display, then skip to the step 5.

    • If the message is displayed, and you want to install components that are not listed, then enter 2 to proceed to the next step.
      One or more components that are part of DSAME 5.0 have been detected on this system.

      If you are going to install components which already exist, you must uninstall them first.

      What would you like to do?
      1) Remove existing components, then continue installation.
      2) Continue installation without removing existing components.
      3) Exit

  4. The following options are displayed.
    Select which option to install:

    1) DSAME Services
    2) DSAME Agent only
    3) iPlanet Directory Server 5.1
    4) iPlanet Directory Server Configuration for DSAME
    5) Exit

    When prompted, provide the following information:

    Select which component to install: Enter 4.

    What is the host name of the machine where the Directory Server is located? Enter the full-qualified domain name for the computer system on which Directory Server is installed. In the name mycomputer.organization_name.madisonparc.com, the host name is mycomputer.

    What is the sub-domain name ("." for none)? For example, in the name mycomputer.organization_name.madisonparc.com, the sub-domain name is organiation_name. If your host computer does not have a sub-domain, enter a period (.).

    What is the domain name? For example, in the name mycomputer.organization_name.madisonparc.com, the domain name is madisonparc.com

    What port should the LDAP server use? Enter the port number for Directory Server.

    What directory is the Directory Server installed in? Enter the path to the directory where Directory Server is installed.

    What is the Directory Server Instance? Enter the Server ID for Directory Server. To determine the Server ID, look in the directory where Directory Server is installed. You'll see a subdirectory with a name formed by the prefix slapd- and the Directory Server ID. For example, in the directory where Directory Server is installed, the directory slapd-Directory1.mycompany.com was created. The Server ID is Directory1.mycompany.com.

    Will you be using an existing DIT and schema? Enter y for Yes.

    Do you want to restart the Directory Server when configuration is complete? Enter y for Yes.

  5. When this message displays, enter 5 to exit the installation program.
    Select which component to install:

    1) DSAME Services
    2) DSAME Agent only
    3) iPlanet Directory Server 5.1
    4) iPlanet Directory Server Configuration for DSAME
    5) Exit



Optimizing Directory Server for DSAME

You can optimize DSAME page handling and search performance by modifying the Directory Server configuration. The following measures are necessary when any organization in your directory exceeds 4000 users:

  • Add indexes for the memberof, and uid attributes.

  • Reset the lookthroughlimit parameter.

  • Set the All ID Threshold value appropriately.


To Add Appropriate Indexes to Your Directory

  1. Start the Directory Server console. At the command line, enter these commands:

      cd Directory_Server_root

      startconsole

  2. In iPlanet Console, in the navigation tree, double-click the Directory Server icon.

  3. In the Directory Server console, click the Configuration tab.

  4. In the navigation tree, click the Data icon, and then click Database Settings.

  5. In the right pane, click Default Indexes.

  6. To add the memberof attribute, click Add Attribute, and then do the following:

    1. In the Select Attributes window, select the memberof attribute and then click OK.

    2. In the Default Indexes list, select the memberof attribute and then check the boxes for Equality, Presence, and Substring.

  7. To add a substring index for the uid attribute, in the Default Indexes list:

    1. Select the uid attribute.

    2. Check the boxes for Equality, Presence, and Substring.

  8. Click Save.


To Reset the Lookthroughlimit

  1. In iPlanet Console, in the navigation tree, locate and double -click the Directory Server icon.

  2. In the Directory Server console, click the Configuration tab.

  3. In the navigation tree, click the Data icon and then click the Database Settings.

  4. In the right pane, click LDBM Plug-in Settings.

  5. In the Look Through Limit field, enter a number greater than the number of entries you want the Directory Server to check in response to a search request.

  6. Click Save.


Setting the All IDs Threshhold Value

By default, Directory Server is configured for an All IDs threshold of 4000. For DSAME, this value should be just higher than the number of users in your directory. For detailed information on changing this value, see "Chapter 10, Managing Indexes" in the Directory Server Administrator's Guide.


Previous     Contents     Index     Next     
Copyright 2002 Sun Microsystems, Inc. All rights reserved.

Last Updated March 27, 2002