Deployment Example: Sun Java System Communications Services for Access Anywhere (EdgeMail)

4.3 Installing and Configuring Directory Server

Directory Server will be installed only as a standalone service on the second node of each back-end cluster. Each installation will be configured to have a configuration directory branch called CFG and a user directory branch called USR.

Obtain the following state files from your Sun representative and store them in the directory /var/bits/silent of the designated host.

Filename        Designated Host   Contents
ds.cnf          All               Base binaries
ds-cfg-1.cnf    ds-amer-01.us     Master CFG branch configuration state file
ds-cfg-2.sh     ds-amer-02.us     Replica CFG branch configuration in a shell script
ds-cfg-3.sh     ds-amer-03.us     Replica CFG branch configuration in a shell script
ds-cfg-fe.cnf   fe-amer-NN.us     Front-end CFG branch configuration state file
ds-usr-1.sh     ds-amer-01.us     Master USR branch configuration in a shell script
ds-usr-2.cnf    ds-amer-02.us     Replica USR branch configuration state file
ds-usr-3.cnf    ds-amer-03.us     Replica USR branch configuration state file

Procedure: Installing the Directory Server Instances

Steps
  1. Plumb all interfaces. Make sure /etc/netmasks is updated correctly before you proceed.


    phys-bedge[123]-2# ifconfig ce1:5 plumb
    phys-bedge[123]-2# ifconfig ce1:5 129.147.156.132 netmask + broadcast + up
    phys-bedge[123]-2# echo "ds-amer-N" > /etc/hostname.ce1:5
  2. The file /etc/hosts should also be updated with IP address and host mapping for all Directory Server hosts at the site:


    phys-bedge[123]-2# grep "ds-" /etc/hosts
    129.147.156.132  ds-amer-01 ds-amer-01.us  ds-amer-01.us.example.com
    129.147.156.133  ds-amer-02 ds-amer-02.us  ds-amer-02.us.example.com
    129.147.156.134  ds-amer-03 ds-amer-03.us  ds-amer-03.us.example.com
  3. Install the Directory Server binaries with the Java ES installer on BE clusters 1, 2, and 3, and on all FE hosts. Nothing in the silent install state file ds.cnf needs changing.


    phys-bedge[123]-2# cd /var/bits/java_es/Solaris_sparc
    phys-bedge[123]-2# ./installer -noconsole -state /var/bits/silent/ds.cnf
    
    fe-amer-NN# cd /var/bits/java_es/Solaris_sparc
    fe-amer-NN# ./installer -noconsole -state /var/bits/silent/ds.cnf
  4. Create the configuration branches (CFG) on the BE servers. CFG needs to be installed on every server that will also hold USR.


    phys-bedge1-2# /usr/sbin/directoryserver -u 5.2 configure -noconsole \
                   -nodisplay -state /var/bits/silent/ds-cfg-1.cnf
    
      Update of the Directory Server layout ... done
      Update of the links between server root and Directory Server Layout ... done
    
      [slapd-cfg]: starting up server ...
      [slapd-cfg]: [26/Jan/2005:14:20:28 -0800] -
    Sun-ONE-Directory/5.2_Patch_2 B2004.107.0034 (64-bit) starting up
      [slapd-cfg]: [26/Jan/2005:14:20:31 -0800] -
    Listening on all interfaces port 34389 for LDAP requests
      [slapd-cfg]: [26/Jan/2005:14:20:31 -0800] - slapd started. 
      Your new directory server has been started.
      Created new Directory Server
      Start Slapd  Starting Slapd server configuration.
       Success Slapd Added Directory Server information to Configuration Server.
    
      Configuration of the server(s) succeeded.
    
    phys-bedge2-2# /var/bits/silent/ds-cfg-2.sh
      ...
    
    phys-bedge3-2# /var/bits/silent/ds-cfg-3.sh
      ...
  5. Create CFG instances on the FE servers with the following commands:


    fe-amer-NN# /usr/sbin/directoryserver -u 5.2 configure -noconsole \
                 -nodisplay -state /var/bits/silent/ds-cfg-fe.cnf
  6. Create the USR instance on the master directory (phys-bedge1-2), and configure the USR instance on the replicas:


    phys-bedge1-2# /var/bits/silent/ds-usr-1.sh
    
      [slapd-usr]: starting up server ...
      [slapd-usr]: [26/Jan/2005:14:21:58 -0800] -
    Sun-ONE-Directory/5.2_Patch_2 B2004.107.0034 (64-bit) starting up
      [slapd-usr]: [26/Jan/2005:14:22:01 -0800] -
    Listening on all interfaces port 389 for LDAP requests
      [slapd-usr]: [26/Jan/2005:14:22:01 -0800] - slapd started. 
      Your new directory server has been started.
      Created new Directory Server
      Start Slapd  Starting Slapd server configuration.
      Success Slapd Added Directory Server information to Configuration Server.
    
    phys-bedge2-2# /usr/sbin/directoryserver -u 5.2 configure -noconsole \
                   -nodisplay -state /var/bits/silent/ds-usr-2.cnf
      ...
    
    phys-bedge3-2# /usr/sbin/directoryserver -u 5.2 configure -noconsole \
                   -nodisplay -state /var/bits/silent/ds-usr-3.cnf
      ...
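A slip in step 2 is easy to make and hard to spot by eye: an alias on one host's /etc/hosts line that really belongs to another host. The following Python check is an added example, not part of the original deployment example: it parses an /etc/hosts file and reports Directory Server entries whose aliases do not agree with the host name, or whose IP address or host name appears twice. The hosts content below is constructed for this example, modelled on the listing in step 2, and deliberately carries one mismatched alias so the check has something to report.

```python
import re

# Constructed sample modelled on the step 2 listing. The third line deliberately
# carries a ds-amer-02.us alias on the ds-amer-03 host.
SAMPLE_HOSTS = """\
# Directory Server hosts (constructed sample)
129.147.156.132  ds-amer-01 ds-amer-01.us  ds-amer-01.us.example.com
129.147.156.133  ds-amer-02 ds-amer-02.us  ds-amer-02.us.example.com
129.147.156.134  ds-amer-03 ds-amer-02.us  ds-amer-03.us.example.com
"""


def parse_hosts(text):
    """Return [(ip, [name, alias, ...])] for every non-comment line of an /etc/hosts file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and surrounding whitespace
        if not line:
            continue
        fields = re.split(r"\s+", line)
        entries.append((fields[0], fields[1:]))
    return entries


def ds_host_problems(text, prefix="ds-"):
    """Report inconsistencies among the Directory Server entries of an /etc/hosts file.

    An entry is a Directory Server entry when its first name starts with `prefix`.
    Every alias on that line must share the short host name, and neither the IP
    address nor the short name may be listed more than once.
    """
    problems = []
    ip_owner = {}      # ip -> short name first seen with it
    name_owner = {}    # short name -> ip first seen with it
    for ip, names in parse_hosts(text):
        if not names or not names[0].startswith(prefix):
            continue
        short = names[0]
        if ip in ip_owner:
            problems.append(f"{ip}: listed twice ({ip_owner[ip]} and {short})")
        ip_owner.setdefault(ip, short)
        if short in name_owner:
            problems.append(f"{short}: mapped to both {name_owner[short]} and {ip}")
        name_owner.setdefault(short, ip)
        for alias in names[1:]:
            # ds-amer-03.us.example.com -> ds-amer-03 must equal the short name
            if alias.split(".")[0] != short:
                problems.append(f"{ip}: alias {alias} does not belong to {short}")
    return problems


if __name__ == "__main__":
    for problem in ds_host_problems(SAMPLE_HOSTS):
        print(problem)
```

Run against the real file with `ds_host_problems(open("/etc/hosts").read())` on each node; an empty list means the ds- entries are consistent.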

Procedure: Configuring the Directory Server

Steps
  1. Bind the Directory Server to specific IP addresses. Replace IPaddress with the virtual IP address on which you want Directory Server to respond. Replace DShostname with the logical service name corresponding to the host you are configuring, for example ds-sfbay-02.sfbay on phys-bedge2-2.


    # cd /var/bits/silent
    
    For USR server on BE:
    phys-bedge[123]-2# ./ldap_1.ldif DShostname IPaddress 389
    
    For CFG server on BE:
    phys-bedge[123]-2# ./ldap_1.ldif DShostname IPaddress 34389
    
    For CFG server on FE:
    fe-amer-NN# ./ldap_1.ldif DShostname IPaddress 34389
  2. Enable the change log on the master replica of the user directory. The following command should create the directory /opt/ds/changelog. If it does not, create it owned by dsuser:dsgroup and then run this script. This script also updates the schema with the Safeword object class and attribute.


    phys-bedge1-2# ./ldap_2.ldif
  3. Configure Directory Server to start automatically at system boot. Edit the file /etc/init.d/directory on all nodes that run Directory Server. Comment out lines 115 and 116, the cluster-mode test shown here:


    # Test if we are in a cluster and silently exit if so
    #is_cluster_mode
    #[ $? -eq 0 ] && exit 0
  4. Move the userRoot database directory to a different partition:


    phys-bedge[123]-2# mkdir /var/ldap/db; chown dsuser:dsgroup /var/ldap/db
    phys-bedge[123]-2# cd /opt/ds/slapd-usr
    phys-bedge[123]-2# ./stop-slapd
    phys-bedge[123]-2# cd /opt/ds/slapd-usr/db
    phys-bedge[123]-2# mv userRoot /var/ldap/db
    phys-bedge[123]-2# cd /opt/ds/slapd-usr/config
  5. Modify the dse.ldif file in order to change the nsslapd-directory parameter to the new userRoot directory:


    nsslapd-directory: /var/ldap/db/userRoot
  6. Start the USR directory instances:


    phys-bedge[123]-2# cd /opt/ds/slapd-usr
    phys-bedge[123]-2# ./start-slapd
  7. Configure ACIs (Access Control Instructions):


    aci: (targetattr="mailQuota")(version 3.0; acl "ERL mailQuota"; allow (wr
     ite) userdn="ldap:///uid=adminuser,ou=people,dc=example,dc=com";)
    
    aci: (targetattr != "userPassword || passwordHistory || passwordExpiratio
     nTime || passwordExpWarned || passwordRetryCount || retryCountResetTime 
     || accountUnlockTime || passwordAllowChangeTime || sunPortalDesktopDpDoc
     umentUser || sunPortalDesktopDpDocument || sunMobileAppMailConfig || sun
     MobileAppABConfig ") (version 3.0; acl "Anonymous access"; allow (read, 
     search, compare) userdn = "ldap:///anyone";)
    
    aci: (target = "ldap:///ou=people,dc=example,dc=com")(targetattr = "*")(versi
     on 3.0;  acl "Allow access to all under ou=people,dc=example,dc=com"; allow 
     (all) userdn = "ldap:///uid=itmsgroot,ou=people,dc=example,dc=com";)
    
    aci: (target = "ldap:///o=pab")(targetattr = "*")(version 3.0; acl "Allow
      public ro  access to PAB"; allow(read, search, compare) userdn = "ldap:
     ///anyone";)
  8. Create a root account:


    dn: uid=itmsgroot,ou=people,dc=example,dc=com
    changetype: add
    objectclass: top
    objectclass: person
    objectclass: account
    uid: itmsgroot
    cn: Messaging Server Root
    sn: Root
    userpassword: password
  9. Tune the USR instances to use more cache for their database.


    phys-bedge[123]-2# cd /var/bits/silent
    phys-bedge[123]-2# ./tune-usr.ldif DShostname
    
  10. Tune the CFG instances to allow for more lookups at a time, in order for the alluser alias to work:


    phys-bedge[123]-2# cd /var/bits/silent
    phys-bedge[123]-2# ./tune-cfg.ldif DShostname
    
  11. Copy the prepared directory schema and restart the USR instances:


    phys-bedge[123]-2# cd /opt/ds/slapd-usr
    phys-bedge[123]-2# ./stop-slapd
    phys-bedge[123]-2# cd config
    phys-bedge[123]-2# mv schema schema.old
    phys-bedge[123]-2# cp /var/bits/silent/schema-usr.tar .
    phys-bedge[123]-2# tar -xvf schema-usr.tar
    phys-bedge[123]-2# rm -rf schema-usr.tar schema.old
    phys-bedge[123]-2# cd ..; ./start-slapd  
  12. Look for errors during the restart:


    phys-bedge[123]-2# tail -10 logs/errors
  13. Copy the prepared directory schema and restart the CFG instances:


    phys-bedge[123]-2# cd /opt/ds/slapd-cfg
    phys-bedge[123]-2# ./stop-slapd
    phys-bedge[123]-2# cd config
    phys-bedge[123]-2# mv schema schema.old
    phys-bedge[123]-2# cp /var/bits/silent/schema-cfg.tar .
    phys-bedge[123]-2# tar -xvf schema-cfg.tar
    phys-bedge[123]-2# rm -rf schema-cfg.tar schema.old
    phys-bedge[123]-2# cd ..; ./start-slapd  
  14. Look for errors during the restart:


    phys-bedge[123]-2# tail -10 logs/errors
  15. Set up the USR instances for Messaging. These steps will mimic running the comms_dssetup.pl script for the slapd-usr instance:

    1. Copy the prepared configuration file:


      phys-bedge[123]-2# cd /var/bits/silent
      phys-bedge[23]-2# cp msg-ds-setup.sh msg-ds-setup.ldif /var/tmp
      phys-bedge[23]-2# chmod 750 /var/tmp/msg-ds-setup.sh
    2. Change the IP address in the script to be that of the current USR instance.


      phys-bedge[23]-2# vi /var/tmp/msg-ds-setup.sh
    3. Run the script:


      phys-bedge[23]-2# /var/tmp/msg-ds-setup.sh -D "cn=directory manager" -w password
        ...
    4. Examine /var/tmp/msg-ds-setup.ldif.rej for any unusual errors. It is normal to see a couple of entries in this file.


      phys-bedge[23]-2# ps -ef |grep slapd ; cat /var/tmp/msg-ds-setup.ldif.rej
  16. Install the password syntax plug-in. This should be done only on the master replica of the USR instance. Saving the dictionary file as /usr/local/etc/words-english-big.txt.disabled will disable dictionary checks if desired.


    phys-bedge1-2# cd /var/bits/silent/pass_syntax_plugin-2.30
    phys-bedge1-2# mkdir -p /usr/local/etc; mkdir -p /usr/local/lib/64
    phys-bedge1-2# cp libpstx-plugin.so /usr/local/lib
    phys-bedge1-2# cp 64/libpstx-plugin.so /usr/local/lib/64
    phys-bedge1-2# cd /var/bits/silent
    phys-bedge1-2# cp words* /usr/local/etc/words-english-big.txt.disabled
    phys-bedge1-2# ldapmodify -v -h DShostname -D "cn=directory manager" \
        -w password -a -f pass_syntax_plugin-2.30/pass_syntax_plugin.ldif
  17. Stop and restart the USR instance. Confirm that the plugin started successfully with information displayed on stdout. Fix any errors that are displayed.

  18. Disable the Pass-Through Authentication (PTA) plug-in on CFG instances. Ignore any errors caused when the PTA plug-in is not enabled.


    phys-bedge[123]-2# ldapmodify -p 34389 -h DShostname -D \
        "cn=directory manager" -w password
    dn: cn=Pass Through Authentication,cn=plugins,cn=config
    changetype: modify
    replace: nsslapd-pluginEnabled
    nsslapd-pluginEnabled: off
  19. Set up the Directory Server instances with SSL. Edit the cert.sh file to use the correct virtual IP (VIP) address for the certificate being generated. For each server you do this on, the VIP needs to be changed. Use the same password every time you are prompted for one.


    phys-bedge[123]-2# cd /var/bits/silent
    phys-bedge[123]-2# ./cert.sh
      ...
    phys-bedge[123]-2# ./ldap-ssl.ldif DShostname
    
  20. Configure Directory Server to start up without password prompt to accommodate SSL. Create a file that contains the password chosen in the previous step. For USR instances, create /opt/ds/alias/slapd-usr-pin.txt:


    Internal (Software) Token:password
    

    For CFG instances, create /opt/ds/alias/slapd-cfg-pin.txt:


    # cp /opt/ds/alias/slapd-usr-pin.txt /opt/ds/alias/slapd-cfg-pin.txt
    phys-bedge[123]-2# chown dsuser:dsgroup /opt/ds/alias/*
    phys-bedge[123]-2# chmod 600 /opt/ds/alias/* 

    Restart both CFG and USR instances:


    phys-bedge[123]-2# cd /opt/ds/slapd-usr; ./stop-slapd; ./start-slapd
    phys-bedge[123]-2# cd /opt/ds/slapd-cfg; ./stop-slapd; ./start-slapd
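Of the steps above, the two that decide who can read the directory and who can start it are the ACIs of step 7 and the PIN files of step 20. The following Python audit is an added example, not code from the original deployment example or from Directory Server: it unfolds LDIF continuation lines, parses the four ACIs of step 7 (copied here as constructed sample text), reports which of a list of sensitive attributes each ACI granting read to ldap:///anyone would expose, and checks that a PIN file has the ownership, 0600 mode and token line that step 20 requires. The sensitive-attribute list, the temporary-directory demo and the use of the directory owner's uid/gid as the expected owner are assumptions for this example; on the deployment host you would resolve dsuser and dsgroup with pwd.getpwnam and grp.getgrnam.

```python
import os
import re
import stat
import tempfile

# Constructed sample: the four ACIs of step 7, folded the way LDIF folds long
# values (continuation lines start with one space).
SAMPLE_ACIS = """\
aci: (targetattr="mailQuota")(version 3.0; acl "ERL mailQuota"; allow (wr
 ite) userdn="ldap:///uid=adminuser,ou=people,dc=example,dc=com";)

aci: (targetattr != "userPassword || passwordHistory || passwordExpiratio
 nTime || passwordExpWarned || passwordRetryCount || retryCountResetTime
 || accountUnlockTime || passwordAllowChangeTime || sunPortalDesktopDpDoc
 umentUser || sunPortalDesktopDpDocument || sunMobileAppMailConfig || sun
 MobileAppABConfig ") (version 3.0; acl "Anonymous access"; allow (read,
 search, compare) userdn = "ldap:///anyone";)

aci: (target = "ldap:///ou=people,dc=example,dc=com")(targetattr = "*")(versi
 on 3.0;  acl "Allow access to all under ou=people,dc=example,dc=com"; allow
 (all) userdn = "ldap:///uid=itmsgroot,ou=people,dc=example,dc=com";)

aci: (target = "ldap:///o=pab")(targetattr = "*")(version 3.0; acl "Allow
  public ro  access to PAB"; allow(read, search, compare) userdn = "ldap:
 ///anyone";)
"""

# Attributes an anonymous reader must never see (assumed list for this example).
SENSITIVE = ("userPassword", "passwordHistory", "passwordRetryCount", "accountUnlockTime")

TARGET_RE = re.compile(r'\(target\s*=\s*"([^"]*)"\)')
TARGETATTR_RE = re.compile(r'\(targetattr\s*(!=|=)\s*"([^"]*)"\)')
ACL_RE = re.compile(r'acl\s+"([^"]*)"')
ALLOW_RE = re.compile(r'allow\s*\(([^)]*)\)')
USERDN_RE = re.compile(r'userdn\s*=\s*"([^"]*)"')


def unfold_ldif(text):
    """Join LDIF continuation lines (one leading space) onto the line before them."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_acis(text):
    """Parse every 'aci:' value into target, attribute filter, name, rights and bind rule."""
    acis = []
    for line in unfold_ldif(text):
        if not line.startswith("aci:"):
            continue
        body = line[len("aci:"):]
        target = TARGET_RE.search(body)
        attrs = TARGETATTR_RE.search(body)
        acis.append({
            "name": " ".join(ACL_RE.search(body).group(1).split()),   # normalise spacing
            "target": target.group(1) if target else None,
            "attr_op": attrs.group(1) if attrs else "=",
            "attrs": [a.strip() for a in attrs.group(2).split("||")] if attrs else ["*"],
            "rights": {r.strip() for r in ALLOW_RE.search(body).group(1).split(",")},
            "userdn": USERDN_RE.search(body).group(1),
        })
    return acis


def anonymous_exposure(acis, sensitive=SENSITIVE):
    """Map each ACI that grants read to ldap:///anyone to the sensitive attributes it exposes."""
    report = {}
    for aci in acis:
        if aci["userdn"] != "ldap:///anyone" or not ({"read", "all"} & aci["rights"]):
            continue
        attrs = set(aci["attrs"])
        if aci["attr_op"] == "!=":           # everything except the listed attributes
            exposed = set(sensitive) - attrs
        elif "*" in attrs:                   # all attributes within the target
            exposed = set(sensitive)
        else:
            exposed = set(sensitive) & attrs
        report[aci["name"]] = sorted(exposed)
    return report


PIN_PREFIX = "Internal (Software) Token:"


def pin_file_problems(path, expected_uid, expected_gid):
    """Check a slapd-*-pin.txt file for the owner, 0600 mode and content step 20 requires."""
    problems = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        problems.append(f"{path}: mode {mode:04o} grants group/other access; expected 0600")
    if st.st_uid != expected_uid:
        problems.append(f"{path}: owner uid {st.st_uid} is not the expected {expected_uid}")
    if st.st_gid != expected_gid:
        problems.append(f"{path}: group gid {st.st_gid} is not the expected {expected_gid}")
    with open(path) as fh:
        first = fh.readline().rstrip("\n")
    if not first.startswith(PIN_PREFIX) or len(first) == len(PIN_PREFIX):
        problems.append(f"{path}: first line must be '{PIN_PREFIX}<password>'")
    return problems


def demo_pin_check():
    """Write a correct PIN file in a temp directory, check it, loosen its mode, check again.
    The temp directory's owner stands in for dsuser:dsgroup (assumption for the demo)."""
    directory = tempfile.mkdtemp()
    owner = os.stat(directory)
    path = os.path.join(directory, "slapd-usr-pin.txt")
    with open(path, "w") as fh:
        fh.write(PIN_PREFIX + "example-password\n")    # constructed value
    os.chmod(path, 0o600)
    strict = pin_file_problems(path, owner.st_uid, owner.st_gid)
    os.chmod(path, 0o644)
    loose = pin_file_problems(path, owner.st_uid, owner.st_gid)
    return strict, loose
```

The report for the step 7 ACIs shows the intended split: "Anonymous access" exposes none of the sensitive attributes because they are all on its != list, while "Allow public ro access to PAB" reads as targetattr "*" and so would expose all of them, though only within its o=pab target, which is why the target is kept in the parsed record.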

Procedure: Configuring Administration Server

Administration Server will need to be installed on the first node of every BE cluster for use by Messaging Server. The following state files will be used in this section:

Filename        Designated Host                 Contents
adm.cnf         all                             State file for silent installation
ds-adm-1.cnf    ds-amer-01.us (phys-bedge1-2)   Administration Server for Directory Server
ms-adm-1-1.cnf  phys-bedge1-1.us                Administration Server for Messaging Server
ms-adm-2-1.cnf  phys-bedge2-1.us                Administration Server for Messaging Server
ms-adm-3-1.cnf  phys-bedge3-1.us                Administration Server for Messaging Server
ms-adm-4-1.cnf  phys-bedge4-1.us                Administration Server for Messaging Server
ms-adm-fe.cnf   fe-amer-NN.us                   Administration Server for FE Directory Server

Steps
  1. Copy the base binaries and install the Administration Server on the first node of the messaging clusters and all FE hosts:


    phys-bedge[1234]-1# cd /var/bits/Solaris_sparc
    phys-bedge[1234]-1# ./installer -noconsole -state /var/bits/silent/adm.cnf
    
    phys-bedge1-2# cd /var/bits/Solaris_sparc
    phys-bedge1-2# ./installer -noconsole -state /var/bits/silent/adm.cnf
    
    fe-amer-NN# cd /var/bits/Solaris_sparc
    fe-amer-NN# ./installer -noconsole -state /var/bits/silent/adm.cnf
  2. Configure Administration Server for Messaging Server on all first nodes and FE hosts:


    phys-bedge[1234]-1# /usr/sbin/mpsadmserver configure -nodisplay -noconsole \
                        -state /var/bits/silent/ms-adm-N-1.cnf
    
    Checking connection to the Configuration Directory Server... done.
    
    Updating Administration Server layout... done.
    Updating links between Server Root and Administration Server layout... done.
    Registering Administration Server with Configuration Directory Server... done.
    Loading Administration Server tasks... done.
    Loading global Administration Server configuration... done.
    Generating configuration files ... done.
    
    Configuration of the Administration Server succeeded.
    
    fe-amer-NN# /usr/sbin/mpsadmserver configure -nodisplay -noconsole \
                 -state /var/bits/silent/ms-adm-fe.cnf
    
    Checking connection to the Configuration Directory Server... done.
    
    Updating Administration Server layout... done.
    Updating links between Server Root and Administration Server layout... done.
    Registering Administration Server with Configuration Directory Server... done.
    Loading Administration Server tasks... done.
    Loading global Administration Server configuration... done.
    Generating configuration files ... done.
    
    Configuration of the Administration Server succeeded.
  3. Configure Administration Server for Directory Server:


    phys-bedge1-2# /usr/sbin/mpsadmserver configure -nodisplay -noconsole \
                   -state /var/bits/silent/ds-adm-1.cnf
    
    Checking connection to the Configuration Directory Server... done.
    
    Updating Administration Server layout... done.
    Updating links between Server Root and Administration Server layout... done.
    Registering Administration Server with Configuration Directory Server... done.
    Loading Administration Server tasks... done.
    Loading global Administration Server configuration... done.
    Generating configuration files ... done.
    
    Configuration of the Administration Server succeeded.

Procedure: Setting Up Replication

This deployment example shows the installation of a single Edge complex. However, several complexes are meant to be deployed geographically, and directory information must be shared among them through replication. Each site has a master and two consumer replicas. The master at each site is configured in multi-master replication with the other site masters. The following table shows the Directory Server instances at each site, their type and the unique replica ID chosen for each.

Directory Server Host   Replica Type    Value of nsDS5ReplicaId
ds-amer-01              USR master      100
ds-amer-02              USR replica 2   200
ds-amer-03              USR replica 3   300
ds-euro-01              USR master      101
ds-euro-02              USR replica 2   201
ds-euro-03              USR replica 3   301
ds-asia-01              USR master      102
ds-asia-02              USR replica 2   202
ds-asia-03              USR replica 3   302
ds-soam-01              USR master      103
ds-soam-02              USR replica 2   203
ds-soam-03              USR replica 3   303

Steps
  1. Obtain the setup-mmr.ldif and setup-replica.ldif files from your Sun representative. Edit these files to contain the correct host names and replica ID values for your Edge complex.

  2. Set up multi-master replication on the servers designated -01 only. Edit the setup file to contain the suffix name each time prior to running the command:

    • o=NetscapeRoot

    • dc=example,dc=com

    • o=pab

    • o=PiServerDb

    Run the setup command once for each suffix in the directory:


    phys-bedge1-2# vi setup-mmr.ldif
    phys-bedge1-2# ./setup-mmr.ldif
  3. Set up the consumer replicas on the servers designated -02 and -03. Run the following commands once for each of the suffixes listed in the previous step. Edit the setup file to contain the suffix name each time prior to running the command:


    phys-bedge[23]-2# vi setup-replica.ldif
    phys-bedge[23]-2# ./setup-replica.ldif
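Editing setup-mmr.ldif and setup-replica.ldif by hand for four sites, twelve instances and four suffixes leaves room for a duplicated replica ID or a missing agreement. The following Python script is an added example, not part of the original deployment example and not the contents of Sun's setup files: it encodes the table in this section, checks that every nsDS5ReplicaId is unique and that each site has exactly one master and two consumers, and enumerates the replication agreements the topology described above implies (every master supplies every other master, and every master supplies the two consumers at its own site), once per suffix. The representation of the topology as tuples and the agreement enumeration are this example's own; the host names, replica IDs and suffixes come from the section.

```python
# Directory Server instances from the table in this section:
# (site, host, role, nsDS5ReplicaId).
TOPOLOGY = [
    ("amer", "ds-amer-01", "master", 100),
    ("amer", "ds-amer-02", "consumer", 200),
    ("amer", "ds-amer-03", "consumer", 300),
    ("euro", "ds-euro-01", "master", 101),
    ("euro", "ds-euro-02", "consumer", 201),
    ("euro", "ds-euro-03", "consumer", 301),
    ("asia", "ds-asia-01", "master", 102),
    ("asia", "ds-asia-02", "consumer", 202),
    ("asia", "ds-asia-03", "consumer", 302),
    ("soam", "ds-soam-01", "master", 103),
    ("soam", "ds-soam-02", "consumer", 203),
    ("soam", "ds-soam-03", "consumer", 303),
]

# The four replicated suffixes listed in step 2.
SUFFIXES = ("o=NetscapeRoot", "dc=example,dc=com", "o=pab", "o=PiServerDb")


def topology_problems(topology):
    """Report duplicate or non-positive replica IDs and sites that do not have
    exactly one master and two consumers."""
    problems, owner, roles_by_site = [], {}, {}
    for site, host, role, rid in topology:
        if rid <= 0:
            problems.append(f"{host}: replica ID {rid} is not positive")
        elif rid in owner:
            problems.append(f"{host}: replica ID {rid} already used by {owner[rid]}")
        else:
            owner[rid] = host
        roles_by_site.setdefault(site, []).append(role)
    for site, roles in sorted(roles_by_site.items()):
        if roles.count("master") != 1 or roles.count("consumer") != 2:
            problems.append(f"site {site}: expected 1 master and 2 consumers, found {roles}")
    return problems


def agreement_plan(topology, suffixes):
    """One (suffix, supplier, consumer) tuple per replication agreement the setup
    files must describe: every master supplies every other master (multi-master)
    and every master supplies the consumers at its own site."""
    masters = [(site, host) for site, host, role, _ in topology if role == "master"]
    consumers = [(site, host) for site, host, role, _ in topology if role == "consumer"]
    plan = []
    for suffix in suffixes:
        for site, master in masters:
            plan.extend((suffix, master, other) for _, other in masters if other != master)
            plan.extend((suffix, master, c) for c_site, c in consumers if c_site == site)
    return plan


def supplier_hosts(topology, host):
    """Sorted hosts that supply updates to `host`: what its setup file must name."""
    return sorted({s for _, s, c in agreement_plan(topology, ("any",)) if c == host})


if __name__ == "__main__":
    for problem in topology_problems(TOPOLOGY) or ["topology ok"]:
        print(problem)
    print(len(agreement_plan(TOPOLOGY, SUFFIXES)), "agreements in total")
    for _, host, _, _ in TOPOLOGY:
        print(host, "is supplied by", ", ".join(supplier_hosts(TOPOLOGY, host)))
```

With the table as given the check passes and the plan holds 80 agreements: 12 master-to-master and 8 master-to-consumer per suffix, times four suffixes. Change one ID to a value already in use and topology_problems names both hosts, which is the error the hand edit in step 1 is most likely to introduce.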