This chapter contains detailed instructions for the following tasks:
Use the following as your checklist for installing the Directory Servers:
The Java ES installer must be mounted on the host computer system where you will install Directory Server. See “To Download and Unpack the Java Enterprise System 2005Q4 Installer” in Section 3.2, “Downloading and Mounting the Java Enterprise System 2005Q4 Installer,” in this document.
As a root user, log in to the host DirectoryServer-1.
Start the installer with the nodisplay option. Example:
# cd /mnt/Solaris_sparc
# ./installer -nodisplay
When prompted, provide the following information:
Press Enter.
Press Enter.
Enter y.
Enter 8 to select “English only.”
Enter 6,20. Be sure you've specified Sun Java System Administration Server 5 2005Q4 and Sun Java System Directory Server 5 2005Q4.
Press Enter.
If upgrades are required, enter 1 to upgrade shared components.
Accept the default value for each product.
Enter 1 to continue.
Enter 1 to configure now.
Accept the default value.
Accept the default value.
Accept the default value.
Accept the default value.
For this example, enter d1r4dmin.
Enter the same password again.
Accept the default value.
Accept the default value.
Accept the default value.
For this example, enter d1r4dmin.
Enter the same password again.
Accept the default value.
For this example, enter d1rm4n4ger.
Enter the same password again.
Accept the default value.
Enter ds-config.
Enter 1390.
Enter dc=example,dc=com.
Accept the default value.
Accept the default value.
Accept the default value.
Enter 1 to choose “The new instance will be the configuration directory server.”
Enter 1 to store data in the new directory server.
Enter 4 to choose “Populate with no data.”
Enter n.
Accept the default value.
Enter 1391.
Accept the default value.
Accept the default value.
Accept the default value.
Accept the default value.
For this example, enter d1r4dmin.
Accept the default value.
Accept the default value.
Enter 1 to install now.
(Optional) During installation, you can monitor the log to watch for installation errors. Example:
# cd /var/sadm/install/logs
# tail -f Java_Enterprise_System_install.B xxxxxx
Upon successful installation, enter ! to exit.
Verify that Directory Server was successfully installed.
As a root user, log in to the host DirectoryServer-1.
Start the Directory Server.
# cd /var/opt/mps/serverroot/slapd-ds-config
# ./stop-slapd; ./start-slapd
Use the tail command to monitor the Directory Server error log and see that the server successfully starts up.
# tail -50 logs/errors
Use the netstat command to verify that the Directory Server port is open and listening.
# netstat -an | grep 1390
*.1390               *.*                0      0 49152      0 LISTEN
Start the Administration Server that manages Directory Server.
# cd /var/opt/mps/serverroot
# ./stop-admin; ./start-admin
Installation is successful if the Administration Server displays a start-up message.
Use the netstat command to verify that the Administration Server port is open and listening.
# netstat -an | grep 1391
*.1391               *.*                0      0 49152      0 LISTEN
As a root user, log in to the host DirectoryServer-2.
Start the installer with the nodisplay option. Example:
# cd /mnt/Solaris_sparc
# ./installer -nodisplay
When prompted, provide the following information:
Press Enter.
Press Enter.
Enter y.
Enter 8 to select “English only.”
Enter 6,20. Be sure you've specified Sun Java System Administration Server 5 2005Q4 and Sun Java System Directory Server 5 2005Q4.
Press Enter.
If upgrades are required, enter 1 to upgrade shared components.
Accept the default value for each product.
Enter 1 to continue.
Enter 1 to configure now.
Accept the default value.
Accept the default value.
Accept the default value.
Accept the default value.
For this example, enter d1r4dmin.
Enter the same password again.
Accept the default value.
Accept the default value.
Accept the default value.
For this example, enter d1r4dmin.
Enter the same password again.
Accept the default value.
For this example, enter d1rm4n4ger.
Enter the same password again.
Accept the default value.
Enter ds-config.
Enter 1390.
Enter dc=example,dc=com.
Accept the default value.
Accept the default value.
Accept the default value.
Enter 1 to choose “The new instance will be the configuration directory server.”
Enter 1 to store data in the new directory server.
Enter 4 to choose “Populate with no data.”
Enter n.
Accept the default value.
Enter 1391.
Accept the default value.
Accept the default value.
Accept the default value.
Accept the default value.
For this example, enter d1r4dmin.
Accept the default value.
Accept the default value.
Enter 1 to install now.
(Optional) During installation, you can monitor the log to watch for installation errors. Example:
# cd /var/sadm/install/logs
# tail -f Java_Enterprise_System_install.B xxxxxx
Upon successful installation, enter ! to exit.
Verify that Directory Server was successfully installed.
Log in as a root user to DirectoryServer-2.
Start the Directory Server.
# cd /var/opt/mps/serverroot/slapd-ds-config
# ./stop-slapd; ./start-slapd
Use the tail command to monitor the Directory Server error log and verify that the server successfully starts up.
# tail -50 logs/errors
Use the netstat command to verify that the Directory Server port is open and listening.
# netstat -an | grep 1390
*.1390               *.*                0      0 49152      0 LISTEN
Start the Administration Server that manages Directory Server.
# cd /var/opt/mps/serverroot
# ./stop-admin; ./start-admin
Installation is successful if the Administration Server displays a start-up message.
Use the netstat command to verify that the Administration Server port is open and listening.
# netstat -an | grep 1391
*.1391               *.*                0      0 49152      0 LISTEN
Create a new data instance for storing the Access Manager configuration data. This ensures that if you ever have to uninstall or restore Access Manager configuration, the Directory Server configuration remains untouched and will not have to be restored.
As a root user, log in to host DirectoryServer-1.
Set the X window display variable, and start the Directory Server console.
# cd /var/opt/mps/serverroot/
# export DISPLAY=DirectoryServer-1.example.com:1
# ./startconsole &
Log in to the Directory Server 1 console using the following information:
User ID: cn=Directory Manager
Password: d1rm4n4ger
Administration URL: http://DirectoryServer-1.example.com:1391
In the Directory Server console, under the Servers and Applications tab, expand the Server Administration domain list until you see the Server Group item.
Right-click on Server Group, and choose “Create an instance of Sun Directory Server.”
In the Create New Instance dialog box, provide the following information:
Enter am-config.
Enter 1389.
Enter o=example.com.
Enter cn=Directory Manager.
For this example, enter d1rm4n4ger.
Enter the same password to confirm it.
Enter nobody.
Click OK, and then close the status window.
Verify that the new Directory Server instance named am-config successfully starts up.
As a root user, log in to the host DirectoryServer-2.
Set the X window display variable, and start the Directory Server console.
# cd /var/opt/mps/serverroot/
# export DISPLAY=DirectoryServer-2.example.com:1
# ./startconsole &
Log in to the Directory Server 2 console using the following information:
User ID: cn=Directory Manager
Password: d1rm4n4ger
Administration URL: http://DirectoryServer-2.example.com:1391
In the Directory Server console, under the Servers and Applications tab, expand the Server Administration domain list until you see the Server Group item.
Right-click on Server Group, and choose “Create an instance of Sun Directory Server.”
In the Create New Instance dialog box, provide the following information:
Enter am-config.
Enter 1389.
Enter o=example.com.
Enter cn=Directory Manager.
For this example, enter d1rm4n4ger.
Enter the same password to confirm it.
Enter root.
Click OK, and then close the status window.
Verify that the new Directory Server instance named am-config successfully starts up.
As a root user, log in to the host DirectoryServer-2.
Start the new data Directory Server instance.
# cd /var/opt/mps/serverroot/slapd-am-config
# ./stop-slapd; ./start-slapd
Use the tail command to monitor the Directory Server error log and see that the server starts up successfully.
# tail -f logs/errors
In this procedure you enable multi-master replication (MMR) between two directory masters. Then you use the data and schema from the first directory master to initialize the second directory master. When you're finished, you will have two Directory Servers, and each will contain two instances. The instance named ds-config stores Directory Server administration configuration. The instance named am-config stores the user data and Access Manager configuration.
On each Directory Server, the ds-config instance is a local configuration instance. Do not replicate this instance to other host systems. On each Directory Server, the am-config instance is the directory data instance. You enable the am-config instance for MMR with its counterpart on the other Directory Server host.
Use the following as your checklist for enabling multi-master replication:
On Directory Server 1, start the Directory Server console.
# cd /var/opt/mps/serverroot/
# ./startconsole &
Log in to the Directory Server 1 console using the following information:
User ID: cn=Directory Manager
Password: d1rm4n4ger
Administration URL: http://DirectoryServer-1.example.com:1391
In the Directory Server console, under the Servers and Applications tab, expand the Server Administration domain list until you see the Server Group item.
Click to expand the Server Group.
You should see three items: an Administration Server, a Directory Server (am-config), and a Directory Server (ds-config).
Double-click the instance name Directory Server (am-config) to display the console for managing the instance am-config.
Click the Configuration tab and navigate to the Replication pane.
Click the “Enable replication” button to start the Replication Wizard.
Select Master Replica, and then click Next to continue.
Enter a Replica ID, and then click Next.
For this example, when enabling replication on DirectoryServer-1, assign the number 11.
If you have not already been prompted to select the change log file, you are prompted to select one now.
The default change log file is shown in the text field. If you do not wish to use the default, type in a filename for the change log, or click Browse to display a file selector. If the change log has already been enabled, the wizard will skip this step.
If you have not already been prompted to enter and confirm a password for the default replication manager, you are prompted now.
The replication manager is not used in the case of single-master replication, but you must still enter a password to proceed. For this example, enter replm4n4ger.
The Replication Wizard displays a status message while updating the replication configuration.
Click Close when replication is finished.
On Directory Server 2, start the Directory Server console.
# cd /var/opt/mps/serverroot/
# ./startconsole &
Log in to the Directory Server 2 console using the following information:
User ID: cn=Directory Manager
Password: d1rm4n4ger
Administration URL: http://DirectoryServer-2.example.com:1391
In the Directory Server console, under the Servers and Applications tab, expand the Server Administration domain list until you see the Server Group item.
Click to expand the Server Group.
You should see three items: an Administration Server, a Directory Server (am-config), and a Directory Server (ds-config).
Double-click the instance name Directory Server (am-config) to display the console for managing the instance am-config.
Click the Configuration tab and navigate to the Replication pane.
Click the “Enable replication” button to start the Replication Wizard.
Select Master Replica, and then click Next to continue.
Enter a Replica ID, and then click Next.
For this example, when enabling replication on DirectoryServer-2, assign the number 22.
If you have not already been prompted to select the change log file, you are prompted to select one now.
The default change log file is shown in the text field. If you do not wish to use the default, type in a filename for the change log, or click Browse to display a file selector. If the change log has already been enabled, the wizard will skip this step.
If you have not already been prompted to enter and confirm a password for the default replication manager, you are prompted now.
The replication manager is not used in the case of single-master replication, but you must still enter a password to proceed. For this example, enter replm4n4ger.
The Replication Wizard displays a status message while updating the replication configuration.
Click Close when replication is finished.
On DirectoryServer-1, in the Directory Server console, display the general properties for the Directory Server instance named am-config.
Navigate through the tree in the left panel to find the Directory Server instance named am-config, and click on the instance name to display its general properties.
Click the Open button to display the console for managing the am-config instance.
Click the Configuration tab and navigate to the Replication pane.
Click the New button.
In the Replication Agreement dialog box, click the Other button.
In the Remote Server dialog box, provide the following information, and then click OK.
DirectoryServer-2.example.com
1389
Leave this box unmarked.
In the Replication Agreement dialog, for the distinguished name (DN) of the replication manager entry on the consumer server, accept the default value.
By default, the DN is that of the default replication manager.
For the password of the replication manager, enter replm4n4ger.
(Optional) Provide a description string for this agreement.
For this example, enter Replication from DirectoryServer-1 to DirectoryServer-2.
Click OK when done.
In the confirmation dialog, click Yes to test the connection to the server and port number.
Use the given replication manager and password replm4n4ger.
If the connection fails, you will still have the option of using this agreement. For example, the parameters are correct but the server is offline. When you have finished, the agreement appears in the list of replication agreements for this master replica.
On DirectoryServer-2, in the Directory Server console, display the general properties for the Directory Server instance named am-config.
Navigate through the tree in the left panel to find the Directory Server instance named am-config, and click on the instance name to display its general properties.
Click the Open button to display the console for managing the am-config instance.
Click the Configuration tab and navigate to the Replication pane.
Click the New button.
In the Replication Agreement dialog box, click the Other button.
In the Remote Server dialog box, provide the following information, and then click OK.
DirectoryServer-1.example.com
1389
Leave this box unmarked.
In the Replication Agreement dialog, for the distinguished name (DN) of the replication manager entry on the consumer server, accept the default value.
By default, the DN is that of the default replication manager.
For the password of the replication manager, enter replm4n4ger.
(Optional) Provide a description string for this agreement.
For this example, enter Replication from DirectoryServer-2 to DirectoryServer-1.
Click OK when done.
In the confirmation dialog, click Yes to test the connection to the server and port number.
Use the given replication manager and password.
If the connection fails, you will still have the option of using this agreement. For example, the parameters are correct but the server is offline. When you have finished, the agreement appears in the list of replication agreements for this master replica.
On DirectoryServer-1, in the Directory Server console, navigate through the tree in the left panel to find the Directory Server instance named am-config, and click on the instance name to display its general properties.
Double-click the instance name Directory Server (am-config) in the tree to display the console for managing the data.
Click the Configuration tab and navigate to the Replication pane.
In the list of defined agreements, select the replication agreement corresponding to DirectoryServer-2, the consumer you want to initialize.
Click Action > Initialize remote replica.
A confirmation message warns you that any information already stored in the replica on the consumer will be removed.
In the Confirmation dialog, click Yes.
Online consumer initialization begins immediately. The icon of the replication agreement shows a red gear to indicate the status of the initialization process.
Click Refresh > Continuous Refresh to follow the status of the consumer initialization.
Any messages for the highlighted agreement will appear in the text box below the list.
Verify that replication is working properly.
Log in to both Directory Server hosts as a root user, and start both Directory Server consoles.
Log in to each Directory Server console.
In each Directory Server console, enable the audit log on both Directory Server instances.
Go to Configuration > Logs > Audit Log. Check Enable Logging, and then click Save.
In separate terminal windows, use the tail -f command to watch the audit log files change.
On DirectoryServer-1, in the Directory Server console, create a new user entry.
Go to the Directory tab, and right-click the suffix o=example.com. Then click New > Group.
Name the new group People, and then click OK.
Click People, and then right-click to choose New > User.
In the Create New User dialog, enter a first name and last name, and then click OK.
Note that the user entry is recorded in the instance audit log. Check to be sure the same entry is also created on DirectoryServer-2, in that Directory Server instance's audit log.
On DirectoryServer-2, in the Directory Server console, create a new user entry.
Go to the Directory tab, and right-click the suffix o=example.com.
Click People, and then right-click to choose New > User.
In the Create New User dialog, enter a first name and last name, and then click OK.
Note that the user entry is recorded in the instance audit log. Check to be sure the same entry is also created on DirectoryServer-1, in that Directory Server instance's audit log.
Delete both new user entries in the Directory Server 2 console.
Look in the Directory Server 1 console to verify that both users have been deleted.
In the following procedures, you configure the load balancer in front of the two Directory Servers. Then you configure the load balancer for simple persistence. When the load balancer is configured for simple persistence, all Access Manager requests sent within a specified interval are sent to the same Directory Server for processing. Simple persistence ensures that within the specified interval, no errors or delays occur due to replication time or redirects when retrieving data.
When a request requires information to be written to Directory Server 1, that information is also replicated in Directory Server 2. But the replication takes time to complete. During that time, if a related request is directed by the load balancer to Directory Server 2, the request may fail.
For example, when simple persistence is not configured properly, creating a realm from the Access Manager administration console could fail in the following way. A request for the parent entry creation is routed to Directory Server 1, and a second request to create the subentry is routed to Directory Server 2. But if the parent entry request is not yet fully replicated to Directory Server 2, the subentry request fails. The result is a partially created realm which may not contain all its subentries such as realm administration roles. Simple persistence eliminates this type of error. When persistence is properly configured, both the parent entry request and the subentry request are routed to Directory Server 1. The requests are processed in consecutive order. The parent entry is fully created before the subentry request begins processing.
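The timing argument above, as an added illustration that is not part of the Sun guide: two masters replicate with a fixed delay, and a load balancer routes the parent-entry and subentry requests either round-robin or with simple (client-IP) persistence. The tick counts, the realm DN and the client IP are constructed values; only the host names and base suffix come from this document.

```python
# Added illustration of the replication race described above; not part of
# the Sun guide. Two masters replicate with a delay, and a load balancer routes
# each request either round-robin or with simple (client-IP) persistence.
# Tick counts, the realm DN and the client IP are constructed values.
from collections import deque
from dataclasses import dataclass, field

REPLICATION_DELAY = 2  # constructed: ticks until a write is visible on the peer


@dataclass
class Master:
    name: str
    entries: set = field(default_factory=set)
    inbound: deque = field(default_factory=deque)  # (visible_at_tick, dn) from peer
    peer: "Master | None" = None

    def add(self, dn: str, now: int) -> bool:
        """Create an entry; fails like LDAP noSuchObject if the parent is absent."""
        parent = dn.split(",", 1)[1] if "," in dn else None
        if parent is not None and parent not in self.entries:
            return False
        self.entries.add(dn)
        if self.peer is not None:  # queue the change for the other master
            self.peer.inbound.append((now + REPLICATION_DELAY, dn))
        return True

    def apply_replication(self, now: int) -> None:
        """Apply queued peer changes whose replication delay has elapsed."""
        while self.inbound and self.inbound[0][0] <= now:
            self.entries.add(self.inbound.popleft()[1])


class LoadBalancer:
    def __init__(self, masters, persistence: bool, interval: int = 10):
        self.masters, self.persistence, self.interval = masters, persistence, interval
        self.next_rr = 0
        self.sticky = {}  # client_ip -> (master, tick of last request)

    def route(self, client_ip: str, now: int) -> Master:
        if self.persistence:
            hit = self.sticky.get(client_ip)
            if hit is not None and now - hit[1] < self.interval:
                self.sticky[client_ip] = (hit[0], now)  # still inside the interval
                return hit[0]
        master = self.masters[self.next_rr % len(self.masters)]
        self.next_rr += 1
        self.sticky[client_ip] = (master, now)
        return master


def create_realm(persistence: bool, gap: int = 1, client_ip: str = "10.0.0.5") -> list:
    """Replay realm creation (parent entry, then its admin-role subentry) with
    `gap` ticks between the two requests; returns the success flag of each."""
    ds1, ds2 = Master("DirectoryServer-1"), Master("DirectoryServer-2")
    ds1.peer, ds2.peer = ds2, ds1
    for master in (ds1, ds2):
        master.entries.add("o=example.com")  # base suffix exists on both masters
    lb = LoadBalancer([ds1, ds2], persistence)
    requests = ["o=realm1,o=example.com",
                "cn=realm-admin,o=realm1,o=example.com"]
    results = []
    for i, dn in enumerate(requests):
        now = i * gap
        for master in (ds1, ds2):
            master.apply_replication(now)
        results.append(lb.route(client_ip, now).add(dn, now))
    return results


if __name__ == "__main__":
    print("round-robin, back-to-back:", create_realm(persistence=False))  # [True, False]
    print("round-robin, after delay: ", create_realm(persistence=False, gap=REPLICATION_DELAY))
    print("simple persistence:        ", create_realm(persistence=True))  # [True, True]
```

The round-robin case succeeds only when the second request arrives after the replication delay, which is exactly the window the persistence interval is meant to cover.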
Contact your network administrator to obtain an available virtual IP address for the load balancer you want to configure.
You must also know the IP address of the load balancer hardware, the URL for the load balancer login page, and a username and password for logging in to the load balancer application.
The load balancer hardware and software used in the lab facility for this deployment is BIG-IP® manufactured by F5 Networks. If you are using different load balancer software, see the documentation that comes with that product for detailed settings information.
You must also have ready the IP addresses for Directory Server 1 and Directory Server 2.
To obtain these IP addresses, on each Directory Server host, run the following command:
# ifconfig -a
Create a Pool.
A pool contains all the backend server instances.
Go to the URL for the BIG-IP load balancer login page.
Open the Configuration Utility.
Click “Configure your BIG-IP (R) using the Configuration Utility.”
In the left pane, click Pools.
On the Pools tab, click the Add button.
In the Add Pool dialog, provide the following information:
Example: directoryserver-pool
Round Robin
Add the IP address of both Directory Server hosts. In this case, add the IP address and port number for DirectoryServer-1:1389 and for DirectoryServer-2:1389.
Click the Done button.
Add a Virtual Server.
If you encounter Javascript errors or otherwise cannot proceed to create a virtual server, try using Microsoft Internet Explorer for this step.
In the left frame, Click Virtual Servers.
On the Virtual Servers tab, click the Add button.
In the Add a Virtual Server dialog box, provide the following information:
xxx.xx.69.14 (for LoadBalancer-1.example.com )
389
directoryserver-pool
Continue to click Next until you reach the Pool Selection dialog box.
In the Pool Selection dialog box, assign the pool (directoryserver-pool) that you have just created.
Click the Done button.
Add Monitors
Monitors are required for the load balancer to detect the backend server failures.
In the left frame, click Monitors.
Click the Basic Associations tab.
Add an LDAP monitor for the Directory Server 1 node.
Three columns exist on this page: Node, Node Address, and Service. In the Node column, locate the IP address and port number for DirectoryServer-1:1389. Select the Add checkbox.
Add an LDAP monitor for the Directory Server 2 node.
In the Node column, locate the IP address and port number for DirectoryServer-2:1389. Select the Add checkbox.
At the top of the Node column, in the drop-down list, choose ldap-tcp.
Click Apply.
Configure the load balancer for simple persistence.
Simple persistence returns a client to the same node to which it connected previously. Simple persistence tracks connections based only on the client IP address.
Verify the Directory Server load-balancer configuration.
Log in as a root user to the host of each Directory Server.
On each Directory Server host, use the tail command to monitor the Directory Server access log.
# cd /var/opt/mps/serverroot/slapd-am-config/logs
# tail -f access
You should see connections to the load balancer IP address opening and closing. Example:
[12/Oct/2006:13:10:20-0700] conn=54 op=-1 msgId=-1 - fd=22 slot=22 LDAP connection from xxx.xx.69.18 to xxx.xx.72.33
[12/Oct/2006:13:10:20-0700] conn=54 op=-1 msgId=-1 - closing - B1
[12/Oct/2006:13:10:20-0700] conn=54 op=-1 msgId=-1 - closed.
Execute the following LDAP search multiple times against the Directory Server load balancer:
# cd /var/opt/mps/serverroot/shared/bin/
# ./ldapsearch -h LoadBalancer-1.example.com -p 389 -b "o=example.com" -D "cn=directory manager" -w d1rm4n4ger "(objectclass=*)"
The ldapsearch operation should return entries. Make sure the LDAP search operations display in the same Directory Server access log.
Stop Directory Server 1, and again perform the following LDAP search against the Directory Server load balancer:
# cd /var/opt/mps/serverroot/slapd-am-config
# ./stop
# cd /var/opt/mps/serverroot/shared/bin/
# ./ldapsearch -h LoadBalancer-1.example.com -p 389 -b "o=example.com" -D "cn=directory manager" -w d1rm4n4ger "(objectclass=*)"
The ldapsearch operation should return entries. Verify that the Directory Server access entries display in only one Directory Server access log.
You may encounter the following error message:
# ./ldapsearch -h LoadBalancer-1.example.com -p 1389 -b "o=example.com" -D "cn=Directory Manager" -w d1rm4n4ger
ldap_simple_bind: Can't connect to the LDAP server - Connection refused
The load balancer may not fully detect that Directory Server 1 is stopped. Or you may have started the search too soon based on the polling interval setting. For example, if the polling interval is set to 10 seconds, you can wait ten seconds to start the search again. Or you can reset the timeout properties to a lower value.
Click the Monitors tab, and click the ldap-tcp monitor name.
In the Interval field, set the value to 5.
This tells the load balancer to poll the server every 5 seconds.
In the Timeout field, set the value to 16.
The default is 16 seconds. You can change this number to any value. In this deployment example, the BIG-IP documentation recommends that the value be at least three times the interval in seconds plus one second.
Click Apply.
Repeat the LDAP search.
Restart the stopped Directory Server 1, and then stop Directory Server 2.
Confirm that the requests are forwarded to the running Directory Server 2.
Perform the following LDAP search against the Directory Server load balancer.
# cd /var/opt/mps/serverroot/shared/bin/
# ./ldapsearch -h LoadBalancer-1.example.com -p 389 -b "o=example.com" -D "cn=Directory Manager" -w d1rm4n4ger "(objectclass=*)"
The ldapsearch operation should return entries. Make sure the directory access entries display in only the one Directory Server access log.
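The access-log checks in this procedure, as an added example that is not part of the Sun guide: the script parses access-log lines in the format shown above, attributes each connection to its source address, and reports which instance served the load-balanced searches (exactly one is expected while persistence holds, and none for a stopped server). The log lines and IP addresses are constructed samples; the host names are those used in this document.

```python
# Added example for the access-log checks in this procedure; not part of the
# Sun guide. It parses Directory Server access-log lines, attributes each
# connection to its source IP, and reports which instance actually served the
# load-balanced searches (the procedure expects exactly one). The log lines and
# IP addresses below are constructed samples in the access-log style shown above.
import re

LB_IP = "192.0.2.18"  # constructed: the load balancer's address

CONN_RE = re.compile(r"^\[[^\]]+\] conn=(?P<conn>\d+) op=-1 msgId=-1 - fd=\d+ slot=\d+ "
                     r"LDAP connection from (?P<src>[\d.]+) to (?P<dst>[\d.]+)$")
CLOSE_RE = re.compile(r"^\[[^\]]+\] conn=(?P<conn>\d+) op=-?\d+ msgId=-?\d+ - closing\b")
OP_RE = re.compile(r"^\[[^\]]+\] conn=(?P<conn>\d+) op=\d+ msgId=\d+ - (?P<kind>[A-Z]+)\b")

# Constructed sample: the load balancer opened one connection to DirectoryServer-1
# and ran the ldapsearch from the procedure; a later direct client reuses conn=54.
DS1_LOG = """\
[12/Oct/2006:13:10:20-0700] conn=54 op=-1 msgId=-1 - fd=22 slot=22 LDAP connection from 192.0.2.18 to 192.0.2.33
[12/Oct/2006:13:10:20-0700] conn=54 op=0 msgId=1 - BIND dn="cn=directory manager" method=128 version=3
[12/Oct/2006:13:10:20-0700] conn=54 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0
[12/Oct/2006:13:10:20-0700] conn=54 op=1 msgId=2 - SRCH base="o=example.com" scope=2 filter="(objectclass=*)" attrs=ALL
[12/Oct/2006:13:10:20-0700] conn=54 op=1 msgId=2 - RESULT err=0 tag=101 nentries=3 etime=0
[12/Oct/2006:13:10:20-0700] conn=54 op=2 msgId=3 - UNBIND
[12/Oct/2006:13:10:20-0700] conn=54 op=2 msgId=-1 - closing - U1
[12/Oct/2006:13:10:20-0700] conn=54 op=-1 msgId=-1 - closed.
[12/Oct/2006:13:10:41-0700] conn=54 op=-1 msgId=-1 - fd=22 slot=22 LDAP connection from 192.0.2.77 to 192.0.2.33
[12/Oct/2006:13:10:41-0700] conn=54 op=0 msgId=1 - SRCH base="o=example.com" scope=0 filter="(objectclass=*)" attrs=ALL
"""

# Constructed sample: DirectoryServer-2 saw only the ldap-tcp health probe.
DS2_LOG = """\
[12/Oct/2006:13:10:20-0700] conn=12 op=-1 msgId=-1 - fd=22 slot=22 LDAP connection from 192.0.2.18 to 192.0.2.34
[12/Oct/2006:13:10:20-0700] conn=12 op=-1 msgId=-1 - closing - B1
[12/Oct/2006:13:10:20-0700] conn=12 op=-1 msgId=-1 - closed.
"""


def summarize(log_text: str, lb_ip: str) -> dict:
    """Count load-balancer connections and the searches issued over them."""
    open_lb_conns = set()  # conn ids currently open and originating from the LB
    stats = {"lb_connections": 0, "lb_searches": 0, "other_connections": 0}
    for line in log_text.splitlines():
        if m := CONN_RE.match(line):
            if m["src"] == lb_ip:
                open_lb_conns.add(m["conn"])
                stats["lb_connections"] += 1
            else:
                stats["other_connections"] += 1
        elif m := CLOSE_RE.match(line):
            open_lb_conns.discard(m["conn"])  # conn ids are reused after close
        elif (m := OP_RE.match(line)) and m["kind"] == "SRCH" and m["conn"] in open_lb_conns:
            stats["lb_searches"] += 1
    return stats


def check_persistence(logs: dict, lb_ip: str) -> dict:
    """logs maps host name -> access-log text; ok means one host served all searches."""
    per_host = {host: summarize(text, lb_ip) for host, text in logs.items()}
    served_by = sorted(h for h, s in per_host.items() if s["lb_searches"] > 0)
    return {"per_host": per_host, "served_by": served_by, "ok": len(served_by) == 1}


if __name__ == "__main__":
    report = check_persistence({"DirectoryServer-1": DS1_LOG, "DirectoryServer-2": DS2_LOG}, LB_IP)
    for host, stats in report["per_host"].items():
        print(host, stats)
    print("served by:", report["served_by"], "ok:", report["ok"])
```

Health-probe connections from the load balancer open and close on both hosts without issuing a search, so counting searches rather than connections is what distinguishes the serving instance.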