Deployment Example: Sun Java System Communications Services for Access Anywhere (EdgeMail)

Procedure: Configuring the Directory Server

Steps
  1. Bind each Directory Server instance to its virtual IP address so that it listens only on that address. Replace IPaddress with the virtual IP address on which you want Directory Server to respond, and DShostname with the logical service name of the host you are configuring, for example ds-sfbay-02.sfbay on phys-bedge2-2. The USR (user) instances listen on port 389 and the CFG (configuration) instances on port 34389; BE denotes the back-end nodes (phys-bedge[123]-2) and FE the front-end nodes (fe-amer-NN).


    # cd /var/bits/silent
    
    For USR server on BE:
    phys-bedge[123]-2# ./ldap_1.ldif DShostname IPaddress 389
    
    For CFG server on BE:
    phys-bedge[123]-2# ./ldap_1.ldif DShostname IPaddress 34389
    
    For CFG server on FE:
    fe-amer-NN# ./ldap_1.ldif DShostname IPaddress 34389
  2. Enable the change log on the master replica of the user directory. The script should create the directory /opt/ds/changelog; if it does not, create it, make it owned by dsuser:dsgroup, and then run the script. The script also adds the Safeword object class and attribute to the schema.


    phys-bedge1-2# ./ldap_2.ldif
  3. Configure Directory Server to start automatically at system boot. Edit /etc/init.d/directory on every node that runs Directory Server and comment out lines 115 and 116, which otherwise make the script exit silently when the node is part of a cluster:


    # Test if we are in a cluster and silently exit if so
    #is_cluster_mode
    #[ $? -eq 0 ] && exit 0
  4. Move the userRoot database directory to a separate partition:


    phys-bedge[123]-2# mkdir /var/ldap/db; chown dsuser:dsgroup /var/ldap/db
    phys-bedge[123]-2# cd /opt/ds/slapd-usr
    phys-bedge[123]-2# ./stop-slapd
    phys-bedge[123]-2# cd /opt/ds/slapd-usr/db
    phys-bedge[123]-2# mv userRoot /var/ldap/db
    phys-bedge[123]-2# cd /opt/ds/slapd-usr/config
  5. With the instance still stopped, edit dse.ldif and change the nsslapd-directory attribute of the userRoot backend entry (cn=userRoot,cn=ldbm database,cn=plugins,cn=config) to the new location. Do not edit dse.ldif while slapd is running: the server rewrites the file itself and manual changes can be lost.


    nsslapd-directory: /var/ldap/db/userRoot
  6. Start the USR directory instances:


    phys-bedge[123]-2# cd /opt/ds/slapd-usr
    phys-bedge[123]-2# ./start-slapd
  7. Configure ACIs (Access Control Instructions). The first grants uid=adminuser write access to mailQuota only. The second grants anonymous read, search and compare on every attribute except the listed password-policy and portal attributes; because it is written as an exclusion list (targetattr != ...), any sensitive attribute added to the schema later is readable without binding unless it is also added to this list. The third gives uid=itmsgroot all rights on everything under ou=people, and the fourth makes the personal address book suffix o=pab world-readable:


    aci: (targetattr="mailQuota")(version 3.0; acl "ERL mailQuota"; allow (write) userdn="ldap:///uid=adminuser,ou=people,dc=example,dc=com";)
    
    aci: (targetattr != "userPassword || passwordHistory || passwordExpirationTime || passwordExpWarned || passwordRetryCount || retryCountResetTime || accountUnlockTime || passwordAllowChangeTime || sunPortalDesktopDpDocumentUser || sunPortalDesktopDpDocument || sunMobileAppMailConfig || sunMobileAppABConfig")(version 3.0; acl "Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
    
    aci: (target = "ldap:///ou=people,dc=example,dc=com")(targetattr = "*")(version 3.0; acl "Allow access to all under ou=people,dc=example,dc=com"; allow (all) userdn = "ldap:///uid=itmsgroot,ou=people,dc=example,dc=com";)
    
    aci: (target = "ldap:///o=pab")(targetattr = "*")(version 3.0; acl "Allow public ro access to PAB"; allow (read, search, compare) userdn = "ldap:///anyone";)
  8. Create the Messaging Server root account that the third ACI above grants full rights over ou=people. Replace the placeholder password with a strong one; Directory Server hashes the userpassword value on write according to its configured password storage scheme:


    dn: uid=itmsgroot,ou=people,dc=example,dc=com
    changetype: add
    objectclass: top
    objectclass: person
    objectclass: account
    uid: itmsgroot
    cn: Messaging Server Root
    sn: Root
    userpassword: password
  9. Tune the USR instances to use more cache for their database.


    phys-bedge[123]-2# cd /var/bits/silent
    phys-bedge[123]-2# ./tune-usr.ldif DShostname
    
  10. Tune the CFG instances to allow for more lookups at a time, in order for the alluser alias to work:


    phys-bedge[123]-2# cd /var/bits/silent
    phys-bedge[123]-2# ./tune-cfg.ldif DShostname
    
  11. Copy the prepared directory schema and restart the USR instances (you may prefer to keep schema.old until the restart check in the next step comes up clean):


    phys-bedge[123]-2# cd /opt/ds/slapd-usr
    phys-bedge[123]-2# ./stop-slapd
    phys-bedge[123]-2# cd config
    phys-bedge[123]-2# mv schema schema.old
    phys-bedge[123]-2# cp /var/bits/silent/schema-usr.tar .
    phys-bedge[123]-2# tar -xvf schema-usr.tar
    phys-bedge[123]-2# rm -rf schema-usr.tar schema.old
    phys-bedge[123]-2# cd ..; ./start-slapd  
  12. Look for errors during the restart:


    phys-bedge[123]-2# tail -10 logs/errors
  13. Copy the prepared directory schema and restart the CFG instances:


    phys-bedge[123]-2# cd /opt/ds/slapd-cfg
    phys-bedge[123]-2# ./stop-slapd
    phys-bedge[123]-2# cd config
    phys-bedge[123]-2# mv schema schema.old
    phys-bedge[123]-2# cp /var/bits/silent/schema-cfg.tar .
    phys-bedge[123]-2# tar -xvf schema-cfg.tar
    phys-bedge[123]-2# rm -rf schema-cfg.tar schema.old
    phys-bedge[123]-2# cd ..; ./start-slapd  
  14. Look for errors during the restart:


    phys-bedge[123]-2# tail -10 logs/errors
  15. Set up the USR instances for Messaging. These steps will mimic running the comms_dssetup.pl script for the slapd-usr instance:

    1. Copy the prepared configuration file:


      phys-bedge[123]-2# cd /var/bits/silent
      phys-bedge[23]-2# cp msg-ds-setup.sh msg-ds-setup.ldif /var/tmp
      phys-bedge[23]-2# chmod 750 /var/tmp/msg-ds-setup.sh
    2. Change the IP address in the script to be that of the current USR instance.


      phys-bedge[23]-2# vi /var/tmp/msg-ds-setup.sh
    3. Run the script:


      phys-bedge[23]-2# /var/tmp/msg-ds-setup.sh -D "cn=directory manager" -w password
        ...
    4. Examine /var/tmp/msg-ds-setup.ldif.rej for unusual errors; a couple of rejected entries in this file are normal. Confirm that the instance is still running:


      phys-bedge[23]-2# ps -ef | grep slapd ; cat /var/tmp/msg-ds-setup.ldif.rej
  16. Install the password syntax plug-in. Do this only on the master replica of the USR instance. The copy below stores the dictionary as /usr/local/etc/words-english-big.txt.disabled, which leaves dictionary checks disabled; to enable them, store the file without the .disabled suffix instead. Note that passing -w password puts the Directory Manager password on the command line, where it is visible in the process list and shell history; the Sun ldap tools accept -j passwordfile as an alternative.


    phys-bedge1-2# cd /var/bits/silent/pass_syntax_plugin-2.30
    phys-bedge1-2# mkdir -p /usr/local/etc; mkdir -p /usr/local/lib/64
    phys-bedge1-2# cp libpstx-plugin.so /usr/local/lib
    phys-bedge1-2# cp 64/libpstx-plugin.so /usr/local/lib/64
    phys-bedge1-2# cd /var/bits/silent
    phys-bedge1-2# cp words* /usr/local/etc/words-english-big.txt.disabled
    phys-bedge1-2# ldapmodify -v -h DShostname -D "cn=directory manager" \
        -w password -a -f pass_syntax_plugin-2.30/pass_syntax_plugin.ldif
  17. Stop and restart the USR instance. Confirm that the plugin started successfully with information displayed on stdout. Fix any errors that are displayed.

  18. Disable the Pass-Through Authentication (PTA) plug-in on the CFG instances (port 34389). If the plug-in is not present or is already disabled, ldapmodify reports an error that can be ignored. The LDIF is entered on standard input:


    phys-bedge[123]-2# ldapmodify -p 34389 -h DShostname -D \
        "cn=directory manager" -w password
    dn: cn=Pass Through Authentication,cn=plugins,cn=config
    changetype: modify
    replace: nsslapd-pluginEnabled
    nsslapd-pluginEnabled: off
  19. Set up the Directory Server instances with SSL. Before running cert.sh on each server, edit it so that the certificate is generated for that server's virtual IP (VIP) address. Use the same password at every prompt; it protects the certificate and key database and is needed again in the next step.


    phys-bedge[123]-2# cd /var/bits/silent
    phys-bedge[123]-2# ./cert.sh
      ...
    phys-bedge[123]-2# ./ldap-ssl.ldif DShostname
    
  20. Configure Directory Server to start without prompting for the key database password, which SSL otherwise requires. Create a file containing the password chosen in the previous step. The file holds that password in cleartext, so it must be owned by the directory user and readable by nobody else (the chown and chmod below). For USR instances, create /opt/ds/alias/slapd-usr-pin.txt:


    Internal (Software) Token:password
    

    For CFG instances, create /opt/ds/alias/slapd-cfg-pin.txt with the same content, then restrict both files:


    phys-bedge[123]-2# cp /opt/ds/alias/slapd-usr-pin.txt /opt/ds/alias/slapd-cfg-pin.txt
    phys-bedge[123]-2# chown dsuser:dsgroup /opt/ds/alias/*
    phys-bedge[123]-2# chmod 600 /opt/ds/alias/*

    Restart both CFG and USR instances:


    phys-bedge[123]-2# cd /opt/ds/slapd-usr; ./stop-slapd; ./start-slapd
    phys-bedge[123]-2# cd /opt/ds/slapd-cfg; ./stop-slapd; ./start-slapd
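The following Python program is an added example for steps 7 and 8; it is not part of the Sun deployment guide and uses no Sun code. It unfolds the four step 7 ACIs from their LDIF-folded form, parses them, and evaluates who can do what to which attribute under a deliberately simplified model of Directory Server ACI evaluation: deny by default, a matching deny wins, otherwise any matching allow grants; only userdn bind rules are handled; an ACI with no target is assumed to be placed at the suffix and to cover every entry. The entry uid=jdoe, the group entry cn=staff,ou=groups and the attribute sunNewSecretAttr are made up for the demonstration; uid=itmsgroot is the root account created in step 8. It also shows that a bind rule whose keyword is mistyped (for example "use rdn" instead of userdn) is rejected rather than silently accepted. This is a way to reason about the exclusion list in the "Anonymous access" ACI, not a substitute for testing with ldapsearch against the real instance.

```python
import re

# Constructed sample: the four step 7 ACIs, LDIF-folded the way the guide
# prints them (each continuation line begins with exactly one space).
FOLDED_ACIS = """\
aci: (targetattr="mailQuota")(version 3.0; acl "ERL mailQuota"; allow (wr
 ite) userdn="ldap:///uid=adminuser,ou=people,dc=example,dc=com";)
aci: (targetattr != "userPassword || passwordHistory || passwordExpiratio
 nTime || passwordExpWarned || passwordRetryCount || retryCountResetTime
  || accountUnlockTime || passwordAllowChangeTime || sunPortalDesktopDpDoc
 umentUser || sunPortalDesktopDpDocument || sunMobileAppMailConfig || sun
 MobileAppABConfig") (version 3.0; acl "Anonymous access"; allow (read,
  search, compare) userdn = "ldap:///anyone";)
aci: (target = "ldap:///ou=people,dc=example,dc=com")(targetattr = "*")(versi
 on 3.0; acl "Allow access to all under ou=people,dc=example,dc=com"; allow
  (all) userdn = "ldap:///uid=itmsgroot,ou=people,dc=example,dc=com";)
aci: (target = "ldap:///o=pab")(targetattr = "*")(version 3.0; acl "Allow
  public ro access to PAB"; allow(read, search, compare) userdn = "ldap:
 ///anyone";)
"""
# Constructed: the first ACI with the bind-rule keyword mistyped as "use rdn".
TYPO_ACI = ('(targetattr="mailQuota")(version 3.0; acl "ERL mailQuota"; allow (write) '
            'use rdn="ldap:///uid=adminuser,ou=people,dc=example,dc=com";)')

ALL_PERMS = {"read", "search", "compare", "write", "add", "delete", "selfwrite", "proxy"}
TARGET_RE = re.compile(r'\(\s*target\s*=\s*"ldap:///([^"]*)"\s*\)', re.I)
TARGETATTR_RE = re.compile(r'\(\s*targetattr\s*(!=|=)\s*"([^"]*)"\s*\)', re.I)
BODY_RE = re.compile(r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;\s*(allow|deny)\s*'
                     r'\(([^)]*)\)\s*(\w+)\s*=\s*"ldap:///([^"]*)"\s*;\s*\)', re.I)

def unfold_ldif(text):
    """Join RFC 2849 continuation lines (leading space) onto the line before."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def norm_dn(dn):
    """Simplified DN normalisation: lower-case, strip whitespace around RDNs."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def parse_aci(value):
    """Parse one aci value; reject anything outside the modelled subset."""
    m = BODY_RE.search(value)
    if not m:
        raise ValueError("unparseable ACI (bad keyword or syntax): " + value)
    name, kind, perms, keyword, subject = m.groups()
    if keyword.lower() != "userdn":
        raise ValueError(f"ACI {name!r}: only userdn bind rules are modelled")
    perms = {p.strip().lower() for p in perms.split(",")}
    target, tattr = TARGET_RE.search(value), TARGETATTR_RE.search(value)
    return {"name": name, "allow": kind.lower() == "allow",
            "perms": set(ALL_PERMS) if "all" in perms else perms,
            "target": norm_dn(target.group(1)) if target else None,
            "attr_op": tattr.group(1) if tattr else None,
            "attrs": {a.strip().lower() for a in tattr.group(2).split("||")} if tattr else None,
            "subject": subject.strip().lower()}

def load_acis(folded_ldif):
    return [parse_aci(l[5:]) for l in unfold_ldif(folded_ldif) if l.startswith("aci: ")]

def bind_matches(subject, binddn, entry_dn):
    if subject == "anyone":                       # includes anonymous binds
        return True
    if subject == "all":                          # any authenticated bind
        return binddn != ""
    if subject == "self":
        return binddn != "" and norm_dn(binddn) == norm_dn(entry_dn)
    return binddn != "" and norm_dn(binddn) == subject

def aci_applies(aci, binddn, entry_dn, attr, op):
    # Assumption: an ACI with no (target) sits at the suffix and covers every entry.
    dn = norm_dn(entry_dn)
    if aci["target"] and not (dn == aci["target"] or dn.endswith("," + aci["target"])):
        return False
    if aci["attrs"] is not None:
        listed = "*" in aci["attrs"] or attr.lower() in aci["attrs"]
        if (aci["attr_op"] == "=") != listed:     # "=" needs listed, "!=" needs unlisted
            return False
    return op in aci["perms"] and bind_matches(aci["subject"], binddn, entry_dn)

def allowed(acis, binddn, entry_dn, attr, op):
    """Deny by default; a matching deny wins; otherwise any matching allow grants."""
    hits = [a for a in acis if aci_applies(a, binddn, entry_dn, attr, op)]
    return bool(hits) and all(a["allow"] for a in hits)

if __name__ == "__main__":
    acis = load_acis(FOLDED_ACIS)
    user = "uid=jdoe,ou=people,dc=example,dc=com"          # hypothetical entry
    admin = "uid=adminuser,ou=people,dc=example,dc=com"
    for who, attr, op in [("", "mail", "read"), ("", "userPassword", "read"),
                          ("", "sunNewSecretAttr", "read"),  # hypothetical future attribute
                          (admin, "mailQuota", "write"), (admin, "mail", "write")]:
        print(f"{(who or 'anonymous'):45} {op:6} {attr:17} -> {allowed(acis, who, user, attr, op)}")
    try:
        parse_aci(TYPO_ACI)
    except ValueError as err:
        print("rejected:", err)
```

Running it shows, among other results, that an anonymous bind can read sunNewSecretAttr on a user entry: every attribute that is not on the exclusion list is world-readable, which is the cost of writing the "Anonymous access" ACI as a deny-list (targetattr != ...) rather than as an explicit list of the attributes the mail and portal clients actually need.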