
Sun ONE Meta-Directory 5.1.1 Deployment Guide

Chapter 3
Directory Server Configuration Settings for Meta-Directory

Once the Sun ONE Directory Server and Meta-Directory software is installed, you must modify several Directory Server configuration settings to support the Meta-Directory system. This chapter describes the various configuration settings you need to make before you can begin using Meta-Directory.

Although the Meta-Directory console provides automatic support for making some of the configuration settings, this chapter explains in detail what is needed to configure Directory Server instances hosting Meta-Directory components, and it describes how to manually configure these settings.

The topics covered in this chapter are:

Installing and Configuring Directory Server

Directory Server must be installed and configured before you can run Meta-Directory. Detailed documentation for the Sun ONE Directory Servers, including installation and configuration instructions, can be found at the following Sun ONE web site:

To support the Sun ONE Meta-Directory components, you must modify several Sun ONE Directory Server server settings. In particular, you must:

Directory Server Configuration Steps

The following steps describe what is needed to correctly install and configure Sun ONE Directory Server so it can properly support Meta-Directory:

  1. Install and start the Directory Server instance that will host the Meta-Directory configuration database (o=netscaperoot) or one of its components.
  2. See Chapter 2, "Planning the Meta-Directory System," for considerations on planning your Meta-Directory system setup.

  3. Configure the Directory Server instance for use with Meta-Directory by performing the following tasks (these tasks are described in the sections that follow):
    1. Enable the Retro change log plugin
    2. Load the Meta-Directory schema. This is done automatically if prompted when creating Sun ONE Meta-Directory Meta View or Connector View
    3. Adjust the Directory Server plug-ins, if required.
    4. Modify/Create necessary Directory Server indexes.
  4. Shut down and restart the Directory Server instance.
  5. The Directory Server instance is now ready to support Meta-Directory components. Depending on your system setup, you might locate a Meta View, or one or more Connector Views, on this instance. In addition, you will have a Directory Server instance supporting the Meta-Directory configuration files.

    The configuration for all Sun ONE servers and components is stored in the directory tree under NETSITE_ROOT. This directory tree is configured when you install the Meta-Directory software.

  6. Edit the configuration parameters of the user Directory Server instance to tune its performance.
  7. Once it is configured, you can fine tune the Directory Server settings to optimize its performance with Meta-Directory. Fine tuning Directory Server is described in Chapter 4, "Meta-Directory Performance Tuning."

Modifying Directory Server Settings

There are three ways in which you can edit the Directory Server configuration settings. The following list ranks these three methods from the easiest to the technically most difficult:

Configuring UTF8 Support

Earlier versions of the Meta-Directory only consistently supported ASCII characters. Sun ONE Meta-Directory 5.1 synchronizes attribute values which contain UTF-8 encoded Unicode characters as well. Please consult the Sun ONE Meta-Directory Administration Guide for more information about this.

Enabling the Retro Change Log

Enabling the Directory Server change log (cn=changelog) allows Meta-Directory to participate in change notifications with other components. If it is not enabled, Meta-Directory will not function.

If the Directory Server Retro change log is not enabled, Meta-Directory will display a dialog that prompts you to enable the change log when you create an instance of a Meta-Directory component. The procedures in this section describe how to manually enable this Directory Server feature.

Enabling the Sun ONE Directory Server Change Log

Sun ONE Directory Server version 5.x implements two different change log mechanisms. One is used for multi-master replication and the other tracks updates made to the Directory Server database. The latter, the retro change log, must be enabled to support Meta-Directory processing.

In Sun ONE Directory Server, the retro change log is implemented as a plug-in. To enable it, do the following:

  1. Open the Sun ONE Directory Server console.
  2. Select the Configuration tab; the Configuration window appears.
  3. In the navigation tree, expand the Plug-Ins node.
  4. In the list of plug-ins, select the Retro Changelog Plug-In.
  5. The settings for the retro change log display in the right pane, as shown in Figure 3-1.

  6. Check the Enable Plug-In box and choose Save to save the setting.
  7. Once you enable the change log, you must restart the Directory Server for the settings to take effect.
  Figure 3-1  Enabling the Change Log in Sun ONE Directory Server
    [Figure not reproduced: it shows the Retro Changelog Plug-In settings pane, including the Enable Plug-In option, in the Directory Server console.]

Enabling the Netscape Directory Server Change Log

To enable the change log for Netscape Directory Server version 4.1x:

  1. Open the Directory Server console.
  2. Select the Configuration tab; the Configuration window appears.
  3. Select the Replication Agreements node in the navigation tree, then select the Supplier Settings tab in the right pane (shown in Figure 3-2).
  4. Click the Use Default button to specify the default file path for the change log files.
  5. Check the Max Changelog Records and Max Changelog Age settings so these parameters are set to “unlimited.”
  6. Once you enable the change log, you must restart the Directory Server for the settings to take effect.
  Figure 3-2  Enabling the Change Log in Netscape Directory Server
    [Figure not reproduced: it shows the Supplier Settings tab with the change log options in the Netscape Directory Server console.]

Change Log Location

The location of the change log is important with regard to system performance. Since the change log can potentially produce many writes, you do not want activity to the change log to conflict with activity to other Directory Server databases. You might consider configuring Directory Server so that it creates and stores the change log in a disk partition that is different from where your LDAP databases are stored. Specifying a separate disk partition for the change log will reduce the seek time and disk latency of the disk(s) housing other LDAP databases.

In iPlanet Directory Server 5.x, the default path for the retro change log is related to the directory tree where the Directory Server instance is located: DS_Instance/db/changelog. You can modify this default path by editing the nsslapd-changelogdir attribute under dn: cn=Retro Changelog Plugin,cn=plugins,cn=config.

Alternately, you can have Meta-Directory configure the path of the retro change log. If the retro change log is not enabled when you create an instance of a Meta-Directory component (such as the join engine), the Meta-Directory console will enable it for you and will prompt you for the directory where you want the log to be located.

In Directory Server 4.1x, you can set the change log location when you enable the feature.
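The console procedure above and the nsslapd-changelogdir attribute described under "Change Log Location" can also be applied from the command line. The following shell script is an added example, not part of the Sun ONE guide: it generates the LDIF that enables the Retro Changelog Plugin and sets its directory, checks that the directory path is absolute, and applies the LDIF with ldapmodify. The plug-in DN and nsslapd-changelogdir come from the text; nsslapd-pluginEnabled is the standard Directory Server attribute that switches a plug-in on or off. The host name, port, bind DN, password file and directory path are placeholders.

```shell
#!/bin/sh
# Added example (not from the Sun ONE guide): enable the Retro Changelog
# Plugin and point it at a dedicated change log directory via ldapmodify.
# Host, port and credentials in the usage line are placeholders.

# Plug-in DN as named in the guide.
RETRO_DN='cn=Retro Changelog Plugin,cn=plugins,cn=config'

# Print an LDIF modify operation that turns the plug-in on and sets the
# change log directory ($1).  Output only; nothing is sent to the server.
retro_changelog_ldif() {
    changelog_dir=$1
    cat <<EOF
dn: $RETRO_DN
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
replace: nsslapd-changelogdir
nsslapd-changelogdir: $changelog_dir
EOF
}

# Sanity check before handing the path to the server: it must be absolute so
# the plug-in does not resolve it relative to the instance directory.
check_changelog_dir() {
    case "$1" in
        /*) return 0 ;;
        *)  echo "change log directory must be an absolute path: $1" >&2
            return 1 ;;
    esac
}

# Apply the LDIF.  Directory Server must still be restarted afterwards, as in
# step 7 of the console procedure; the restart is left to the administrator.
apply_retro_changelog() {
    host=$1; port=$2; bind_dn=$3; password=$4; changelog_dir=$5
    check_changelog_dir "$changelog_dir" || return 1
    retro_changelog_ldif "$changelog_dir" |
        ldapmodify -h "$host" -p "$port" -D "$bind_dn" -w "$password" -c -v
}

# Usage (placeholders; not executed here).  The password is read from a
# root-only file so it does not appear in the process list.
# apply_retro_changelog ds.example.com 389 'cn=directory manager' \
#     "$(cat /etc/ds/dm.pw)" /var/ds/changelog
```

Placing the change log on a separate partition, as the text recommends, is done simply by passing that partition's path as the last argument; the server creates the database files there after the restart.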

Setting Write Permissions on Solaris Systems

On Solaris systems, Directory Server is normally installed by a user with root privileges. Because of this, the directory containing Directory Server and all its subdirectories will have a file permission mask of 755. If you create a special directory for the change log, you must ensure that Meta-Directory can write to this directory. It is recommended that the directory containing the change log has a file permission mask of 777. The following UNIX command changes the file permission of a directory (and everything beneath it) to the desired 777; replace changelog_directory with the path of the directory you created for the change log:

chmod -R 777 changelog_directory

Loading Meta-Directory Schema

To process Meta-Directory requests, Directory Server must recognize the extended schema (LDAP object classes and attributes) used by Meta-Directory components. Loading the Meta-Directory schema into Directory Server allows the Meta-Directory components to communicate with the Directory Server over LDAP.

Whenever you create a new instance of a Meta-Directory component, the Meta-Directory console will prompt you to load the extended schema into the Directory Server hosting the component.

The schema needs to be loaded into each Directory Server instance only once; after it is loaded, you need not reload it. However, because Sun ONE Console cannot verify that the schema has been loaded, it will prompt you to do so, even if it has already been loaded.

Manually Loading the Meta-Directory Schema

The Meta-Directory schema is provided in the LDIF file md-schema.ldif, which is located in the NETSITE_ROOT/bin/join50/install/templates subdirectory of your Meta-Directory installation. You can manually add the Meta-Directory schema to the Directory Server configuration directory (NETSITE_ROOT\config) using either ldapmodify or through the Directory Server console.

Use the following command as an example if you want to add the Meta-Directory schema to a Directory Server instance using ldapmodify:

ldapmodify -h hostname -p 389 -D "cn=directory manager" \
    -w password -a -c -v -f md-schema.ldif

The Meta-Directory schema contained in md-schema.ldif can also be imported using the Directory Server console. For more information on importing schema, refer to the Sun ONE Directory Server Administrator’s Guide.


While possible, it is not necessary to add the Meta-Directory schema to an instance of Directory Server that does not host a Meta-Directory component. (For example, if you directly connect to a Directory Server instance to populate a Connector View, that Directory Server instance does not host a Meta-Directory join engine or indirect connector component). If you do load the Meta-Directory schema into such an instance of Directory Server, you will get a string of error messages stating No Such Attribute ... Cannot delete. These messages do not indicate a problem—they are generated because the ldapmodify tool is attempting to delete the Meta-Directory attribute before it adds a new copy of the attribute.
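Because Sun ONE Console cannot tell whether the schema is already loaded, a practitioner may want a check of their own before running ldapmodify. The following shell script is an added example, not part of the Sun ONE guide: it extracts the NAME of every attributetypes and objectclasses definition from an LDIF schema file, does the same for a dump of the server's cn=schema entry, and prints the names still missing from the server. The ldapsearch command in the comment is assumed from Directory Server 5.x usage; the sample schema in the test is constructed, with placeholder OIDs, and is not the real md-schema.ldif.

```shell
#!/bin/sh
# Added example (not from the Sun ONE guide): report which Meta-Directory
# schema definitions are missing from a Directory Server instance.
# Works on the standard "attributetypes: ( OID NAME 'name' ... )" syntax and
# handles LDIF line wrapping (continuation lines start with one space).

# Join LDIF continuation lines onto the line they continue.
ldif_unwrap() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }
              { if (NR > 1) print buf; buf = $0 }
        END   { print buf }' "$1"
}

# Print the first NAME of every attributetypes/objectclasses definition in
# the LDIF file $1, lower-cased (schema names are case-insensitive), one per
# line, deduplicated.  Works for both a modify LDIF such as md-schema.ldif and
# a plain cn=schema dump.
schema_names() {
    ldif_unwrap "$1" | awk -v q="'" '
        tolower($1) == "attributetypes:" || tolower($1) == "objectclasses:" {
            idx = index(toupper($0), "NAME")
            if (idx == 0) next
            rest = substr($0, idx + 4)
            # take the first single-quoted token after NAME
            if (match(rest, q "[^" q "]*" q))
                print tolower(substr(rest, RSTART + 1, RLENGTH - 2))
        }' | sort -u
}

# Print names defined in schema file $1 that are absent from the server
# schema dump $2.  No output means the schema is already loaded.
# Produce the dump with (assumed Directory Server 5.x ldapsearch syntax):
#   ldapsearch -h host -p 389 -D "cn=directory manager" -w password \
#       -b cn=schema -s base "(objectclass=*)" attributetypes objectclasses \
#       > server-schema.ldif
missing_schema() {
    have=$(mktemp) || return 1
    schema_names "$2" > "$have"
    schema_names "$1" | awk -v havefile="$have" '
        BEGIN { while ((getline n < havefile) > 0) have[n] = 1 }
        !($0 in have) { print }'
    rm -f "$have"
}

# Usage (placeholder paths; not executed here):
# missing_schema NETSITE_ROOT/bin/join50/install/templates/md-schema.ldif \
#     server-schema.ldif
```

If the check prints nothing, the instance already carries the schema and the "No Such Attribute ... Cannot delete" messages described above can be expected should you load it again.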

Adjusting Write Permissions (Solaris Only)

On Solaris, the Directory Server instance may run with an identity different from its managing Administration Server. To grant Directory Server the permissions necessary to modify the Directory Server schema, issue the following commands from the UNIX command line:

% chmod ugo+w slapd-*/config/slapd-user_*.conf

Adjusting Directory Server Plug-Ins

There are two Directory Server plug-ins that need to be disabled in most Meta-Directory deployments: uid-uniqueness and referential integrity postoperation.

Setting uid-uniqueness Plug-In

If the data for the Connector View and the Meta View are in the same Directory Server instance, you may need to turn off the Directory Server uid-uniqueness plug-in. You can turn off the plug-in from the Directory Server console.

The setting of the uid-uniqueness plug-in depends on the data you are hosting on a particular Directory Server instance. The uid-uniqueness plug-in applies a check to a particular suffix in a Directory Server instance. If you are flowing entries that have identical uid attributes in the same suffix, then you must turn off the uid-uniqueness plug-in in the Directory Server. Turning off the plug-in prevents errors arising from the check. Errors arising from a uid-uniqueness violation will be written to the join engine logs with an OBJECT_VIOLATION message.

For example, if you have the entry uid=x,ou=cv1 in a Connector View containing the suffix, and you flow the entry to the Meta View, o=mv, the uid-uniqueness can remain enabled because the uid-uniqueness applies to a particular suffix and there is no conflict. You will be creating uid=x,o=mv for the meta-view entry and uid=x,o=sunone for the Connector View.

However, if the Meta View has ou=mv1,, then there will be a conflict with the Connector View under the same suffix: uid=x,ou=cv1, In this case, you must disable the uid-uniqueness plug-in if the data contains a uid attribute.

Disabling the uid-uniqueness Plug-In

  1. Open the Directory Server console.
  2. Choose the Configuration tab and select Plug-Ins in the navigation tree.
  3. The list of available Directory Server plug-ins displays in the navigation tree.

  4. Select the uid-uniqueness plug-in.
  5. Details for the plug-in display in the right pane.

  6. Deselect the Enable Plug-In check box.
  7. Click Save and restart the Directory Server.

Setting the Referential Integrity Postoperation Plug-In

Normally, you will need to disable the Directory Server referential integrity plug-in in the Directory Server instance(s) that host Meta-Directory components.

When referential integrity is enabled, Directory Server will not write the changes that it makes to the change log. As a result, changes made to data cannot be detected by the Meta-Directory components and the Meta-Directory views will not be properly updated.


In cases where there are users and groups, you must watch out for a side effect when you disable the referential integrity plug-in.

If you delete users belonging to a group (the user entries, as opposed to their group memberships), the group will still list the memberships of the users you have deleted. In these cases, you must manually delete the respective memberships from any groups listing the deleted users.

In very special circumstances, it is possible to keep the referential integrity plug-in enabled. Specifically, you can enable the referential integrity plug-in if all changes to data occur in one Meta-Directory view (for example, if all modifications are made in the Meta View or if they are made in an external data source that populates a Connector View). In this scenario, data modifications made in one view will be synchronized to the other Meta-Directory views when that view is refreshed. Here, data modifications do not rely on the change log to be synchronized to other views, since all changes flow from a single view out to the other views. Note, however, that there may be a significant lag time between the refresh and the clean-up done by the plug-in. Because of this, it is best to manually refresh the view after you make any data modifications.

Disabling the Referential Integrity Postoperation Plug-In

  1. Open the Directory Server console.
  2. Choose the Configuration tab and select Plug-Ins in the navigation tree.
  3. The list of available Directory Server plug-ins displays in the navigation tree.

  4. Select the referential integrity postoperation plug-in.
  5. Details for the plug-in display in the right pane.

  6. Deselect the Enable Plug-In check box.
  7. Click Save and restart the Directory Server.

Enabling Retro Change Log Trimming

Every Add, Delete, or Modify operation is recorded in the Directory Server Retro Change Log suffix database. Over time, depending on the number of updates, the cn=changelog suffix can grow to its maximum limit, so it is recommended that you keep the number of old entries small to maintain database performance. Once the Join Engine has processed a changelog entry, that entry can be deleted. The interval between an entry being recorded in the changelog and the Join Engine processing it depends on your site configuration; typically, with the default DCNS schedule, the Join Engine checks the changelog suffix in the Directory Server for new entries every 15 seconds. You can use the "Retro change log trimming" feature of the Directory Server to limit the size of this database.

For more information, see Chapter 8, “Using the Retro Change Log Plug-in”, “Trimming the Retro Change Log” section in the Sun ONE Directory Server 5.2 Administration Guide.
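The plug-in changes described under "Adjusting Directory Server Plug-Ins" and the trimming setting referred to in this section can be applied and verified from the command line. The following shell script is an added example, not part of the Sun ONE guide: it generates the LDIF that disables the uid-uniqueness and referential integrity postoperation plug-ins, the LDIF that sets a retro change log trimming age, and a small parser that reports each plug-in's state from an ldapsearch dump of cn=plugins,cn=config. The two plug-in DNs, the nsslapd-changelogmaxage attribute, the nsSlapdPlugin object class and the ldapsearch syntax are assumptions drawn from Directory Server 5.x and are not named on this page; confirm them against your instance's dse.ldif before applying. The dump used in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the Sun ONE guide): disable the two plug-ins the
# guide says to turn off, set retro change log trimming, and verify plug-in
# state from an ldapsearch dump.  Plug-in DNs and attribute names below are
# assumed from Directory Server 5.x; check them against your dse.ldif.

UID_DN='cn=uid uniqueness,cn=plugins,cn=config'                   # assumed
REFINT_DN='cn=referential integrity postoperation,cn=plugins,cn=config' # assumed
RETRO_DN='cn=Retro Changelog Plugin,cn=plugins,cn=config'         # from the guide

# LDIF that switches both plug-ins off.  A restart is still required
# afterwards, as in the console procedure.
disable_plugins_ldif() {
    for dn in "$UID_DN" "$REFINT_DN"; do
        printf 'dn: %s\nchangetype: modify\nreplace: nsslapd-pluginEnabled\nnsslapd-pluginEnabled: off\n\n' "$dn"
    done
}

# LDIF that asks the retro change log plug-in to trim entries older than $1
# (for example 2d for two days).  Keep the age much longer than the join
# engine's polling interval so no change is trimmed before it has been read.
trim_changelog_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: nsslapd-changelogmaxage\nnsslapd-changelogmaxage: %s\n' "$RETRO_DN" "$1"
}

# Report plug-in state from an ldapsearch dump ($1) as "<cn>: on|off" lines.
# Produce the dump with (assumed syntax):
#   ldapsearch -h host -p 389 -D "cn=directory manager" -w password \
#       -b cn=plugins,cn=config "(objectclass=nsSlapdPlugin)" \
#       cn nsslapd-pluginEnabled > plugins.ldif
plugin_states() {
    awk -F': ' '
        tolower($1) == "cn"                    { name = $2 }
        tolower($1) == "nsslapd-pluginenabled" { state = tolower($2) }
        /^$/ && name != ""                     { print name ": " state; name = ""; state = "" }
        END { if (name != "") print name ": " state }' "$1"
}

# Exit status 0 only when every plug-in named after the dump path $1 is
# reported "off" in that dump; use it as a post-change check.
plugins_disabled() {
    dump=$1; shift
    for p in "$@"; do
        plugin_states "$dump" | grep -qix "$p: off" || return 1
    done
    return 0
}

# Usage (placeholders; not executed here):
# { disable_plugins_ldif; trim_changelog_ldif 2d; } |
#     ldapmodify -h ds.example.com -p 389 -D 'cn=directory manager' -w "$(cat /etc/ds/dm.pw)" -c -v
# plugins_disabled plugins.ldif 'uid uniqueness' 'referential integrity postoperation'
```

Run the state check again after the restart: the console procedures above require one before the change takes effect, and the dump reflects the live configuration only after the server has come back up.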


Copyright 2004 Sun Microsystems, Inc. All rights reserved.