Bind the Directory Server to specific IP addresses. Replace IPaddress with the virtual IP address on which you want Directory Server to respond. Replace DShostname with the logical service name corresponding to the host you are configuring, for example ds-sfbay-02.sfbay on phys-bedge2-2.
# cd /var/bits/silent
For USR server on BE:
phys-bedge[123]-2# ./ldap_1.ldif DShostname IPaddress 389
For CFG server on BE:
phys-bedge[123]-2# ./ldap_1.ldif DShostname IPaddress 34389
For CFG server on FE:
fe-amer-NN# ./ldap_1.ldif DShostname IPaddress 34389
Enable the change log on the master replica of the user directory. The following command should create the directory /opt/ds/changelog. If it does not, create it with dsuser:dsgroup ownership and then run the script again. This script also updates the schema with the Safeword object class and attribute.
phys-bedge1-2# ./ldap_2.ldif
Configure Directory Server to start automatically at system boot. Edit the file /etc/init.d/directory on all nodes that run Directory Server. Comment out lines 115 and 116 so that the script no longer exits silently when it detects cluster mode:
# Test if we are in a cluster and silently exit if so
#is_cluster_mode
#[ $? -eq 0 ] && exit 0
Move the userRoot database directory to a different partition:
phys-bedge[123]-2# mkdir /var/ldap/db; chown dsuser:dsgroup /var/ldap/db
phys-bedge[123]-2# cd /opt/ds/slapd-usr
phys-bedge[123]-2# ./stop-slapd
phys-bedge[123]-2# cd /opt/ds/slapd-usr/db
phys-bedge[123]-2# mv userRoot /var/ldap/db
phys-bedge[123]-2# cd /opt/ds/slapd-usr/config
Modify the dse.ldif file so that the nsslapd-directory parameter points to the new userRoot location:
nsslapd-directory: /var/ldap/db/userRoot
Start the USR directory instances:
phys-bedge[123]-2# cd /opt/ds/slapd-usr
phys-bedge[123]-2# ./start-slapd
Configure ACIs (Access Control Instructions):
aci: (targetattr="mailQuota")(version 3.0; acl "ERL mailQuota"; allow (write) userdn="ldap:///uid=adminuser,ou=people,dc=example,dc=com";)
aci: (targetattr != "userPassword || passwordHistory || passwordExpirationTime || passwordExpWarned || passwordRetryCount || retryCountResetTime || accountUnlockTime || passwordAllowChangeTime || sunPortalDesktopDpDocumentUser || sunPortalDesktopDpDocument || sunMobileAppMailConfig || sunMobileAppABConfig") (version 3.0; acl "Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (target = "ldap:///ou=people,dc=example,dc=com")(targetattr = "*")(version 3.0; acl "Allow access to all under ou=people,dc=example,dc=com"; allow (all) userdn = "ldap:///uid=itmsgroot,ou=people,dc=example,dc=com";)
aci: (target = "ldap:///o=pab")(targetattr = "*")(version 3.0; acl "Allow public ro access to PAB"; allow(read, search, compare) userdn = "ldap:///anyone";)
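The anonymous-access ACI above works only because its targetattr exclusion list names every password and lockout attribute; a later edit that drops one of them silently exposes it to unauthenticated binds. The following Python is an added audit script, not part of this procedure or of Directory Server, that parses ACI values of the shapes used here (one targetattr clause, one allow rule, an optional target scope) and flags anonymous rules that grant more than read rights or that reach the password attributes; the final wide-open ACI is constructed for the demonstration.

```python
import re

# Regexes for the ACI shapes used on this page: an optional (target = ...) scope, one targetattr
# clause (= or !=), the acl name and one "allow (rights) userdn = ..." rule. Deny rules and
# compound bind rules are outside what this added example handles.
TARGET_RE = re.compile(r'\(target\s*=\s*"([^"]*)"\)')
TARGETATTR_RE = re.compile(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)')
ACL_RE = re.compile(r'\bacl\s+"([^"]*)"')
ALLOW_RE = re.compile(r'allow\s*\(([^)]*)\)\s*(?:userdn|groupdn|roledn)\s*=\s*"([^"]*)"')

# Password and lockout attributes that any anonymous ACI must leave unreadable.
SENSITIVE = {"userPassword", "passwordHistory", "passwordExpirationTime", "passwordRetryCount", "accountUnlockTime"}
READ_ONLY = {"read", "search", "compare"}

def parse_aci(aci):
    """Split one ACI value into its name, scope, attribute list, rights and bind DN."""
    m_acl, m_allow, m_attr = ACL_RE.search(aci), ALLOW_RE.search(aci), TARGETATTR_RE.search(aci)
    if not (m_acl and m_allow):
        raise ValueError(f"unrecognised ACI syntax: {aci[:40]}...")
    op, attrs = (m_attr.group(1), m_attr.group(2)) if m_attr else ("=", "*")
    return {"name": m_acl.group(1),
            "scoped": TARGET_RE.search(aci) is not None,   # explicit (target = ...) subtree present
            "exclude": op == "!=",                          # targetattr != "..." (everything-except) form
            "attrs": {a.strip() for a in attrs.split("||")},
            "rights": {r.strip().lower() for r in m_allow.group(1).split(",")},
            "bind_dn": m_allow.group(2)}

def check_aci(aci):
    """Return findings for one ACI; an empty list means it satisfies the anonymous-access policy."""
    p = parse_aci(aci)
    if p["bind_dn"].lower() != "ldap:///anyone":
        return []                                           # authenticated bind rule: not audited here
    findings = []
    if not p["rights"] <= READ_ONLY:
        findings.append(f'{p["name"]}: anonymous bind granted {sorted(p["rights"])}')
    if p["exclude"]:
        if SENSITIVE - p["attrs"]:
            findings.append(f'{p["name"]}: exclusion list misses {sorted(SENSITIVE - p["attrs"])}')
    elif p["attrs"] & SENSITIVE or ("*" in p["attrs"] and not p["scoped"]):
        findings.append(f'{p["name"]}: anonymous read reaches password attributes')
    return findings

# The four ACIs from the procedure above, followed by one constructed, deliberately open ACI.
PAGE_ACIS = [
    '(targetattr="mailQuota")(version 3.0; acl "ERL mailQuota"; allow (write) userdn="ldap:///uid=adminuser,ou=people,dc=example,dc=com";)',
    '(targetattr != "userPassword || passwordHistory || passwordExpirationTime || passwordExpWarned || passwordRetryCount || retryCountResetTime || accountUnlockTime || passwordAllowChangeTime || sunPortalDesktopDpDocumentUser || sunPortalDesktopDpDocument || sunMobileAppMailConfig || sunMobileAppABConfig") (version 3.0; acl "Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)',
    '(target = "ldap:///ou=people,dc=example,dc=com")(targetattr = "*")(version 3.0; acl "Allow access to all under ou=people,dc=example,dc=com"; allow (all) userdn = "ldap:///uid=itmsgroot,ou=people,dc=example,dc=com";)',
    '(target = "ldap:///o=pab")(targetattr = "*")(version 3.0; acl "Allow public ro access to PAB"; allow(read, search, compare) userdn = "ldap:///anyone";)',
]
BAD_ACI = '(targetattr="*")(version 3.0; acl "Constructed: wide open"; allow (all) userdn="ldap:///anyone";)'
```

Run it against the aci values exported from the suffix entry (for example with ldapsearch) after every ACI change; the PAB rule passes only because it is scoped to o=pab, so an unscoped anonymous wildcard is reported.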
Create a root account:
dn: uid=itmsgroot,ou=people,dc=example,dc=com
changetype: add
objectclass: top
objectclass: person
objectclass: account
uid: itmsgroot
cn: Messaging Server Root
sn: Root
userpassword: password
Tune the USR instances to use more cache for their database:
phys-bedge[123]-2# cd /var/bits/silent
phys-bedge[123]-2# ./tune-usr.ldif DShostname
Tune the CFG instances to allow for more lookups at a time, in order for the alluser alias to work:
phys-bedge[123]-2# cd /var/bits/silent
phys-bedge[123]-2# ./tune-cfg.ldif DShostname
Copy the prepared directory schema and restart the USR instances:
phys-bedge[123]-2# cd /opt/ds/slapd-usr
phys-bedge[123]-2# ./stop-slapd
phys-bedge[123]-2# cd config
phys-bedge[123]-2# mv schema schema.old
phys-bedge[123]-2# cp /var/bits/silent/schema-usr.tar .
phys-bedge[123]-2# tar -xvf schema-usr.tar
phys-bedge[123]-2# rm -rf schema-usr.tar schema.old
phys-bedge[123]-2# cd ..; ./start-slapd
Look for errors during the restart:
phys-bedge[123]-2# tail -10 logs/errors |
Copy the prepared directory schema and restart the CFG instances:
phys-bedge[123]-2# cd /opt/ds/slapd-cfg
phys-bedge[123]-2# ./stop-slapd
phys-bedge[123]-2# cd config
phys-bedge[123]-2# mv schema schema.old
phys-bedge[123]-2# cp /var/bits/silent/schema-cfg.tar .
phys-bedge[123]-2# tar -xvf schema-cfg.tar
phys-bedge[123]-2# rm -rf schema-cfg.tar schema.old
phys-bedge[123]-2# cd ..; ./start-slapd
Look for errors during the restart:
phys-bedge[123]-2# tail -10 logs/errors |
Set up the USR instances for Messaging. These steps will mimic running the comms_dssetup.pl script for the slapd-usr instance:
Copy the prepared configuration file:
phys-bedge[123]-2# cd /var/bits/silent
phys-bedge[23]-2# cp msg-ds-setup.sh msg-ds-setup.ldif /var/tmp
phys-bedge[23]-2# chmod 750 /var/tmp/msg-ds-setup.sh
Change the IP address in the script to that of the current USR instance:
phys-bedge[23]-2# vi /var/tmp/msg-ds-setup.sh |
Run the script:
phys-bedge[23]-2# /var/tmp/msg-ds-setup.sh -D "cn=directory manager" -w password ... |
Confirm that slapd is running, then examine /var/tmp/msg-ds-setup.ldif.rej for any unusual errors. It is normal to see a couple of rejected entries in this file.
phys-bedge[23]-2# ps -ef |grep slapd ; cat /var/tmp/msg-ds-setup.ldif.rej
Install the password syntax plug-in. This should be done only on the master replica of the USR instance. Saving the dictionary file as /usr/local/etc/words-english-big.txt.disabled, as the commands below do, turns dictionary checks off; rename it without the .disabled suffix if dictionary checks are wanted.
phys-bedge1-2# cd /var/bits/silent/pass_syntax_plugin-2.30
phys-bedge1-2# mkdir -p /usr/local/etc; mkdir -p /usr/local/lib/64
phys-bedge1-2# cp libpstx-plugin.so /usr/local/lib
phys-bedge1-2# cp 64/libpstx-plugin.so /usr/local/lib/64
phys-bedge1-2# cd /var/bits/silent
phys-bedge1-2# cp words* /usr/local/etc/words-english-big.txt.disabled
phys-bedge1-2# ldapmodify -v -h DShostname -D "cn=directory manager" \
    -w password -a -f pass_syntax_plugin-2.30/pass_syntax_plugin.ldif
Stop and restart the USR instance. Confirm from the information displayed on stdout that the plug-in started successfully, and fix any errors that are displayed.
Disable the Pass-Through Authentication (PTA) plug-in on the CFG instances. Ignore any errors that result if the PTA plug-in is not currently enabled.
phys-bedge[123]-2# ldapmodify -p 34389 -h DShostname -D \
    "cn=directory manager" -w password
dn: cn=Pass Through Authentication,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: off
Set up the Directory Server instances with SSL. Edit the cert.sh file to use the correct virtual IP (VIP) address for the certificate being generated; the VIP must be changed for each server on which you do this. Use the same password every time you are prompted for one.
phys-bedge[123]-2# cd /var/bits/silent
phys-bedge[123]-2# ./cert.sh
...
phys-bedge[123]-2# ./ldap-ssl.ldif DShostname
Configure Directory Server to start up without a password prompt so that the SSL instances can start unattended. Create a file that contains the password chosen in the previous step. For USR instances, create /opt/ds/alias/slapd-usr-pin.txt with the following content:
Internal (Software) Token:password |
For CFG instances, create /opt/ds/alias/slapd-cfg-pin.txt with the same content, then restrict both pin files to the directory user:
# cp /opt/ds/alias/slapd-usr-pin.txt /opt/ds/alias/slapd-cfg-pin.txt
phys-bedge[123]-2# chown dsuser:dsgroup /opt/ds/alias/*
phys-bedge[123]-2# chmod 600 /opt/ds/alias/*
Restart both CFG and USR instances:
phys-bedge[123]-2# cd /opt/ds/slapd-usr; ./stop-slapd; ./start-slapd
phys-bedge[123]-2# cd /opt/ds/slapd-cfg; ./stop-slapd; ./start-slapd