Installing and configuring Java ES components creates both your LDAP schema and your LDAP directory tree. This section describes how the directory schema and the directory tree structure are established by the values that you input when you install and configure a solution. Specifications for the schema and the directory tree structure must be developed before installation begins, and your installation plan must list input values that create the specified schema and directory tree structure.
The directory tree structure and the schema must support the services your solution provides. This section provides basic descriptions of the options that are available and the services that each option supports. The main purpose of this section, however, is to describe how to select input values for the installation and configuration tools in order to create a specified schema and directory tree structure.
For more information on choosing a schema and designing a directory tree, see additional documentation, such as Sun Java System Directory Server 5 2005Q1 Deployment Planning Guide and Sun Java System Access Manager 7 2005Q4 Deployment Planning Guide.
Java ES solutions that use Directory Server can use either of two versions of a standard LDAP schema, which are known as Schema 1 and Schema 2. The user management specification for a solution specifies whether the solution uses Schema 1 or Schema 2. The configuration values in the installation plan ensure that the installation process creates the correct schema.
Schema 2 supports the use of Access Manager, and Access Manager's single sign-on feature. If a solution uses single sign-on, it must use Schema 2.
The installation process configures the directory for the specified schema as follows:
To establish a Schema 2 directory, install Directory Server and Access Manager. Installing Access Manager modifies the directory and converts it to a Schema 2 directory.
If Directory Server and Access Manager are installed on one computer in one installer session, the directory is configured for Schema 2.
If the solution is distributed, Directory Server is installed first, on one computer. Access Manager is installed next, on a separate computer. Installer input values for the Access Manager installation specify the existing directory, and the directory's schema is modified.
If the solution uses Messaging Server or Calendar Server, the installation process must apply some additional schema extensions with the Directory Preparation Tool. These extensions are applied before Messaging Server or Calendar Server is installed. They can be applied to either Schema 1 or Schema 2 directories. The installation plan includes instructions for running the Directory Preparation Tool. For more information on adding these instructions to an installation plan, see Messaging Server.
If the solution uses Schema 2, the installation process must apply some additional schema extensions with Delegated Administrator to support Access Manager authentication and authorization for the messaging and calendar services. For an example of the commands that apply these schema extensions, see Chapter 7, User Management for the Evaluation Solution, in Sun Java Enterprise System 2005Q1 Deployment Example Series: Evaluation Scenario. The installation plan includes instructions for these schema extensions. These extensions are applied after Delegated Administrator is installed and configured, but before Delegated Administrator adds any user data. For more information on adding instructions for extending the schema to an installation plan, see Adding Procedures for Delegated Administrator to Your Installation Plan.
The LDAP schema specification identifies the schema used in the solution and any schema extensions required by the solution. The installation plan includes procedures that establish the correct schema and perform any specified schema extensions.
The LDAP directory for a Java ES solution can be simple or complex, depending on the solution's needs for organizing user data. LDAP directories are, by their nature, flexible in structure. Java ES does not impose structure on the directory, but the installation and configuration process does implement the specified structure. The structure must be specified before the installation and configuration process begins, and the installation plan must list the input values that create the specified directory structure.
The installation and configuration process establishes the directory structure as follows:
Running the installer to install Directory Server requires an input value for the directory's base suffix (also referred to as the root suffix or root DN). The Java ES installer uses the input value to establish the directory's base suffix. The installation plan includes the base suffix name.
Solutions with simple directory trees that do not use Messaging Server or Calendar Server can store user and group data directly under the base suffix.
Running the Messaging Server configuration wizard to create a Messaging Server instance requires an input value for an LDAP organization DN. The configuration wizard branches the directory tree and creates an LDAP organization using the DN input in the wizard. This organization represents the email domain managed by the Messaging Server instance. The wizard also configures the Messaging Server instance to use the email domain organization for user and group data. The installation plan includes the DN for the email domain organization. For an example of a directory tree structure created by this process, see Figure 2–3. In the example, the base suffix created by the installer is o=examplecorp. The email domain organization created by the Messaging Server configuration wizard is o=examplecorp.com,o=examplecorp.
The configuration wizards for Calendar Server, Communications Express, Instant Messaging, and Delegated Administrator require an input value for an LDAP DN. (The names that appear in the wizards vary.) If a solution uses single sign-on, the same value is input in all of the configuration wizards. The input value is the email domain organization created by the Messaging Server wizard. The result of this configuration is that all of the components store and look up user data in the same LDAP organization. All of the information about a user can be stored in a single directory entry, and the Access Manager single sign-on feature can be used.
An example of a directory tree structure created by this process is illustrated in Figure 2–3. In this example, the Java ES installer established the base suffix o=examplecorp and the Messaging Server configuration wizard added the organization o=examplecorp.com,o=examplecorp. This organization represents the email domain named examplecorp.com. The user data for the mail domain is stored in ou=people,o=examplecorp.com,o=examplecorp. The other Java ES components in the solution are also configured to look up user data in ou=people,o=examplecorp.com,o=examplecorp.
To create the directory tree shown in Figure 2–3, the names for the base suffix and the organization representing the email domain are chosen and added to the user management specification. When the installation plan is prepared, it includes instructions to input the specified LDAP names in the appropriate installer and configuration wizard fields. For information on adding the LDAP names to an installation plan, see Choosing Configuration Values for Directory Server, Choosing Configuration Values for Access Manager, Choosing Configuration Values for Messaging Server, Choosing Configuration Values for Calendar Server, Choosing Configuration Values for Communications Express, Choosing Configuration Values for Instant Messaging, and Choosing Configuration Values for Delegated Administrator.
The example directory tree includes only one mail domain. Many solutions require more complex trees to organize user data. The same basic installation and configuration procedure can establish more complex directory structures. For example, a directory can be configured to support multiple email domains if the solution requires it.
To establish multiple email domains, configure multiple instances of Messaging Server. Each instance manages one email domain.
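The following script is an added example, not part of the Sun documentation. It checks the LDAP input values recorded in an installation plan against the rules this section states (single sign-on requires Schema 2, the email domain organization is branched under the base suffix, and with single sign-on every component wizard receives the same organization DN), using the Figure 2–3 values. The plan dictionary keys are assumptions made for this example.

```python
# Added example (not from the Sun documentation): checks the LDAP input
# values of an installation plan against the rules in this section before
# the installer and configuration wizards are run. The plan keys (schema,
# single_sign_on, base_suffix, mail_org_dn, component_dns) are assumptions.

def normalize_dn(dn):
    """Canonicalize a DN for comparison: trim whitespace around commas and
    '=', lowercase attribute types and values (no escaped commas here)."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)

def is_under(dn, suffix):
    """True if dn equals suffix or lies beneath it in the directory tree."""
    d, s = normalize_dn(dn), normalize_dn(suffix)
    return d == s or d.endswith("," + s)

def check_plan(plan):
    """Return the list of rule violations found in the plan (empty if none)."""
    problems = []
    # Single sign-on is an Access Manager feature and requires Schema 2.
    if plan["single_sign_on"] and plan["schema"] != "Schema 2":
        problems.append("single sign-on requires Schema 2")
    # The Messaging Server wizard branches the tree under the base suffix.
    if not is_under(plan["mail_org_dn"], plan["base_suffix"]):
        problems.append("email domain organization is not under the base suffix")
    # With single sign-on every wizard gets the same DN, so all components
    # store and look up user data in one LDAP organization.
    if plan["single_sign_on"]:
        for name, dn in plan["component_dns"].items():
            if normalize_dn(dn) != normalize_dn(plan["mail_org_dn"]):
                problems.append(f"{name}: DN differs from the email domain organization")
    return problems

# Constructed plan mirroring the Figure 2-3 tree; the Delegated
# Administrator value is deliberately wrong to show a detected mismatch.
EXAMPLE_PLAN = {
    "schema": "Schema 2",
    "single_sign_on": True,
    "base_suffix": "o=examplecorp",
    "mail_org_dn": "o=examplecorp.com,o=examplecorp",
    "component_dns": {
        "Calendar Server": "o=examplecorp.com, o=examplecorp",
        "Communications Express": "O=ExampleCorp.com,O=ExampleCorp",
        "Instant Messaging": "o=examplecorp.com,o=examplecorp",
        "Delegated Administrator": "o=examplecorp",
    },
}
```

Running `check_plan(EXAMPLE_PLAN)` reports only the Delegated Administrator mismatch; the differently spaced and capitalized DNs for the other wizards are recognized as the same organization.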
It is possible to use other LDAP directories in a Java ES solution, if the solution uses Access Manager to interact with the directory. The directory server must be an LDAP version 3 (LDAP v3) compliant directory server. For more information about the directory tree structure required for such a solution, see Sun Java System Access Manager 7 2005Q4 Technical Overview.