Deployment Example 2: Federation Using SAML v2

Chapter 4 Installing and Configuring the Directory Servers

This chapter contains detailed information about the following groups of tasks:

4.1 Installing Two Directory Servers

The Java ES installer must be mounted on the host computer system where you will install Directory Server. See the section 2.2 Downloading and Mounting the Java Enterprise System 2005Q4 Installer in this manual.

Use the following as your checklist for installing two Directory Servers:

  1. Install Directory Server 3SP.

  2. Install Directory Server 4SP.

Procedure: To Install Directory Server 3SP

  1. As a root user, log in to the Directory Server 3SP host.

  2. Start the installer with the nodisplay option. Example:

    # cd /mnt/Solaris_sparc
    # ./installer -nodisplay
  3. When prompted, provide the following information:


    Welcome to the Sun Java(TM) Enterprise System; 
    serious software made simple...
    <Press ENTER to Continue>

    Press Enter. 


    <Press ENTER to display the Software 
    License Agreement>

    Press Enter. 


    Have you read, and do you accept, all of
    the terms of the preceding Software License
    Agreement?

    Enter y.


    Please enter a comma separated list of 
    languages you would like supported with this 
    installation

    Enter 8 to select “English only.”


    Enter a comma separated list of products
    to install, or press R to refresh the 
    list.

    Enter 6,20.

    Be sure you've specified Sun Java System Administration Server 5 2005Q4 and Sun Java System Directory Server 5 2005Q4. 


    Press "Enter" to Continue or Enter a comma 
    separatedlist of products to deselect.

    Press Enter. 


    Enter 1 to upgrade these shared components and 
    2 to cancel.

    If upgrades are required, enter 1 to upgrade shared components.


    Enter the name of the target 
    installation directory for each product:

    Accept the default value for each product. 


    System ready for installation...

    Enter 1 to continue.


    Select Type of Configuration

    Enter 1 to configure now.


    Enter Host Name [DirectoryServer-3SP]

    Accept the default value. 


    Enter DNS Domain Name [siroe.com]

    Accept the default value. 


    Enter IP Address [10.5.82.207]

    Accept the default value. 


    Enter Server admin User ID [admin]

    Accept the default value. 


    Enter Admin User's Password (Password cannot be 
    less than 8 characters)

    For this example, enter admin123.


    Confirm Admin User's Password []

    Enter the same password again. 


    Enter System User [root]

    Accept the default value. 


    Enter System Group [root]

    Accept the default value. 


    Enter Server Admin ID [admin] 

    Accept the default value. 


    Enter Admin User's Password 
    (At least 8 characters long)

    For this example, enter admin123.


    Retype Password []

    Enter the same password again. 


    Enter Directory Manager DN 
    [cn=Directory Manager] 

    Accept the default value. 


    Enter Directory Manager's Password 
    (At least 8 characters long)

    For this example, enter 11111111.


    Retype Password []

    Enter the same password again. 


    Directory Server Root  
    [/var/opt/mps/serverroot]

    Accept the default value. 


    Enter Server Identifier [DirectoryServer-3SP]

    Accept the default value. 


    Enter Server Port [390]

    Enter 1390.


    Enter a valid Suffix 
    [siroe.com] 

    Enter dc=siroe,dc=com.


    Enter Administration Domain 
    [siroe.com]

    Accept the default value. 


    Enter System User [root]

    Accept the default value. 


    Enter System Group [root]

    Accept the default value. 


    This server's configuration can be stored in 
    this new directory server or in another 
    previously prepared configuration server.

    Enter 1 to choose “The new instance will be the configuration directory server.”


    This server can store its own user data 
    and group data, or it can access user data and 
    group data from another instance of directory 
    server. 

    Enter 1 to store data in the new directory server.


    The new directory server can be populated 
    with sample or real data. 

    Enter 4 to choose “Populate with no data.”


    Do you wish to disable Schema Checking 
    when importing data?

    Enter n.


    Enter the Server Root 
    [/var/opt/mps/serverroot]

    Accept the default value. 


    Enter the Administration Port [390]

    Enter 1391.


    Enter the Administration Domain 
    [siroe.com]  

    Accept the default value. 


    Enter System User [root]

    Accept the default value. 


    Enter System Group [root]

    Accept the default value. 


    Enter Administration ID for 
    Configuration Server 
    Administration ID[admin]

    Accept the default value. 


    Enter the admin Password []

    For this example, enter admin123.


    Enter the Configuration Directory Host 
    [DirectoryServer-3SP.siroe.com] 

    Accept the default value. 


    Enter the Configuration Directory Port [1390]

    Accept the default value. 


    Ready to Install.
    The following components will be installed:
    Directory Server Preparation Tool
    Directory Server 5
    Administration Server

    Enter 1 to install now.

  4. (Optional) During installation, you can monitor the log to watch for installation errors. Example:

    # cd /var/sadm/install/logs

    # tail -f Java_Enterprise_System_install.Bxxxxxx

  5. Upon successful installation, enter ! to exit.

  6. Verify that Directory Server was successfully installed.

    1. As a root user, log in to Directory Server 3SP.

    2. Start the Directory Server.

      # cd /var/opt/mps/serverroot/slapd-DirectoryServer-3SP
      # ./stop-slapd; ./start-slapd
    3. Use the tail command to monitor the Directory Server error log and see that the server successfully starts up.

      # tail -50 logs/errors
    4. Use the netstat command to verify that the Directory Server port is open and listening.

      # netstat -an | grep 1390
      *.1390               *.*                  0      0 49152      0 LISTEN
    5. Start the Administration Server that manages Directory Server.

      # cd /var/opt/mps/serverroot
      # ./stop-admin; ./start-admin

      Installation is successful if the Administration Server displays a start-up message.

    6. Use the netstat command to verify that the Administration Server port is open and listening.

      # netstat -an | grep 1391
      *.1391               *.*                  0      0 49152      0 LISTEN

Procedure: To Install Directory Server 4SP

  1. As a root user, log in to the Directory Server 4SP host.

  2. Start the installer with the nodisplay option. Example:

    # cd /mnt/Solaris_sparc
    # ./installer -nodisplay
  3. When prompted, provide the following information:


    Welcome to the Sun Java(TM) Enterprise System; 
    serious software made simple...
    <Press ENTER to Continue>

    Press Enter. 


    <Press ENTER to display the Software 
    License Agreement>

    Press Enter. 


    Have you read, and do you accept, all of
    the terms of the preceding Software License
    Agreement?

    Enter y.


    Please enter a comma separated list of 
    languages you would like supported with this 
    installation

    Enter 8 to select “English only.”


    Enter a comma separated list of products
    to install, or press R to refresh the 
    list.

    Enter 6,20.

    Be sure you've specified Sun Java System Administration Server 5 2005Q4 and Sun Java System Directory Server 5 2005Q4. 


    Press "Enter" to Continue or Enter a comma 
    separatedlist of products to deselect.

    Press Enter. 


    Enter 1 to upgrade these shared components and 
    2 to cancel.

    If upgrades are required, enter 1 to upgrade shared components.


    Enter the name of the target 
    installation directory for each product:

    Accept the default value for each product. 


    System ready for installation...

    Enter 1 to continue.


    Select Type of Configuration

    Enter 1 to configure now.


    Enter Host Name [DirectoryServer-4SP]

    Accept the default value. 


    Enter DNS Domain Name [siroe.com]

    Accept the default value. 


    Enter IP Address [10.5.82.207]

    Accept the default value. 


    Enter Server admin User ID [admin]

    Accept the default value. 


    Enter Admin User's Password (Password cannot be 
    less than 8 characters)

    For this example, enter admin123.


    Confirm Admin User's Password []

    Enter the same password again. 


    Enter System User [root]

    Accept the default value. 


    Enter System Group [root]

    Accept the default value. 


    Enter Server Admin ID [admin] 

    Accept the default value. 


    Enter Admin User's Password 
    (At least 8 characters long)

    For this example, enter admin123.


    Retype Password []

    Enter the same password again. 


    Enter Directory Manager DN 
    [cn=Directory Manager] 

    Accept the default value. 


    Enter Directory Manager's Password 
    (At least 8 characters long)

    For this example, enter 11111111.


    Retype Password []

    Enter the same password again. 


    Directory Server Root  
    [/var/opt/mps/serverroot]

    Accept the default value. 


    Enter Server Identifier [DirectoryServer-4SP]

    Accept the default value. 


    Enter Server Port [390]

    Enter 1390.


    Enter a valid Suffix 
    [siroe.com] 

    Enter dc=siroe,dc=com.


    Enter Administration Domain 
    [siroe.com]

    Accept the default value. 


    Enter System User [root]

    Accept the default value. 


    Enter System Group [root]

    Accept the default value. 


    This server's configuration can be stored in 
    this new directory server or in another 
    previously prepared configuration server.

    Enter 1 to choose “The new instance will be the configuration directory server.”


    This server can store its own user data 
    and group data, or it can access user data and 
    group data from another instance of directory 
    server. 

    Enter 1 to store data in the new directory server.


    The new directory server can be populated 
    with sample or real data. 

    Enter 4 to choose “Populate with no data.”


    Do you wish to disable Schema Checking 
    when importing data?

    Enter n.


    Enter the Server Root 
    [/var/opt/mps/serverroot]

    Accept the default value. 


    Enter the Administration Port [390]

    Enter 1391.


    Enter the Administration Domain 
    [siroe.com]  

    Accept the default value. 


    Enter System User [root]

    Accept the default value. 


    Enter System Group [root]

    Accept the default value. 


    Enter Administration ID for 
    Configuration Server 
    Administration ID[admin]

    Accept the default value. 


    Enter the admin Password []

    For this example, enter admin123.


    Enter the Configuration Directory Host 
    [DirectoryServer-4SP.siroe.com] 

    Accept the default value. 


    Enter the Configuration Directory Port [1390]

    Accept the default value. 


    Ready to Install.
    The following components will be installed:
    Directory Server Preparation Tool
    Directory Server 5
    Administration Server

    Enter 1 to install now.

  4. (Optional) During installation, you can monitor the log to watch for installation errors. Example:

    # cd /var/sadm/install/logs

    # tail -f Java_Enterprise_System_install.Bxxxxxx

  5. Upon successful installation, enter ! to exit.

  6. Verify that Directory Server was successfully installed.

    1. As a root user, log in to Directory Server 4SP.

    2. Start the Directory Server.

      # cd /var/opt/mps/serverroot/slapd-DirectoryServer-4SP
      # ./stop-slapd; ./start-slapd
    3. Use the tail command to monitor the Directory Server error log and verify that the server successfully starts up.

      # tail -50 logs/errors
    4. Use the netstat command to verify that the Directory Server port is open and listening.

      # netstat -an | grep 1390
      *.1390               *.*                  0      0 49152      0 LISTEN
    5. Start the Administration Server that manages Directory Server.

      # cd /var/opt/mps/serverroot
      # ./stop-admin; ./start-admin

      Installation is successful if the Administration Server displays a start-up message.

    6. Use the netstat command to verify that the Administration Server port is open and listening.

      # netstat -an | grep 1391
      *.1391               *.*                  0      0 49152      0 LISTEN
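The following script is an added example and is not part of this deployment guide. It automates the checks in step 6 for either host (DirectoryServer-3SP or DirectoryServer-4SP): it parses netstat -an output to confirm that the Directory Server port 1390 and the Administration Server port 1391 are in LISTEN state, and it reads the slapd errors log to confirm that the most recent start/stop event was a successful start. The netstat lines and log lines embedded in it are constructed samples, and the function names (port_listening, missing_ports, slapd_started) are the example's own.

```shell
#!/bin/sh
# Added example (not from the deployment guide): post-install checks for a
# Directory Server host, usable on both DirectoryServer-3SP and
# DirectoryServer-4SP. It parses "netstat -an" output for the LDAP port
# (1390) and the Administration Server port (1391), and reads the slapd
# errors log to confirm the last event was a successful start.

# Constructed sample of Solaris "netstat -an" TCP output: the Directory
# Server port 1390 is listening, but the Administration Server port 1391
# has not come up. The ESTABLISHED line shows why the state column matters.
SAMPLE_NETSTAT='      *.22                 *.*                0      0 49152      0 LISTEN
      *.1390               *.*                0      0 49152      0 LISTEN
10.5.82.207.1390     10.5.82.15.40112   49640      0 49640      0 ESTABLISHED'

# Constructed sample of the tail of logs/errors after ./stop-slapd; ./start-slapd.
SAMPLE_ERRORS='[01/Jan/2006:12:00:01 -0800] - slapd stopped.
[01/Jan/2006:12:00:03 -0800] - Directory Server starting up
[01/Jan/2006:12:00:04 -0800] - slapd started.  Listening on all interfaces port 1390 for LDAP requests'

# port_listening PORT NETSTAT_TEXT
# Succeeds if a local socket bound to PORT (field 1 ends in ".PORT") is in
# LISTEN state. An ESTABLISHED connection on the same port does not count.
port_listening() {
    printf '%s\n' "$2" | awk -v port="$1" '
        $1 ~ ("\\." port "$") && $NF == "LISTEN" { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# missing_ports NETSTAT_TEXT PORT...
# Prints each expected port that is not listening, one per line; prints
# nothing when every port is up.
missing_ports() {
    ns=$1
    shift
    for p in "$@"; do
        port_listening "$p" "$ns" || printf '%s\n' "$p"
    done
}

# slapd_started ERRORS_TEXT
# Succeeds if the most recent start/stop event in the error log is
# "slapd started"; a trailing "slapd stopped" means the restart failed.
slapd_started() {
    printf '%s\n' "$1" | awk '
        /slapd started/ { state = "up" }
        /slapd stopped/ { state = "down" }
        END { if (state == "up") exit 0; exit 1 }'
}

# Live use on a host after the install (commented out so the sample runs
# offline; the log path is the 3SP instance from this procedure):
#   missing_ports "$(netstat -an)" 1390 1391
#   slapd_started "$(tail -50 /var/opt/mps/serverroot/slapd-DirectoryServer-3SP/logs/errors)"

# Demonstration against the constructed samples.
echo "Ports not listening: $(missing_ports "$SAMPLE_NETSTAT" 1390 1391)"
if slapd_started "$SAMPLE_ERRORS"; then echo "slapd: started"; else echo "slapd: not running"; fi
```

Run against the constructed samples, the script reports that port 1391 is not listening and that slapd started; on a real host, replace the samples with the live netstat output and error log as shown in the commented lines. Matching on the state column rather than only on the port number avoids mistaking an established client connection for a listening server socket.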

4.2 Creating New Directory Server Instances

On each Directory Server, create a new configuration instance and a new user data instance. When you're finished, Directory Server 3SP and Directory Server 4SP will each contain three instances. For example, Directory Server 3SP will contain three instances: DirectoryServer-3SP, fm-config, and fm-users. DirectoryServer-3SP stores Directory Server administration configuration. The instance named fm-config stores Federation Manager configuration, and the instance named fm-users stores Federation Manager user data. Directory Server 4SP will contain the identical directory structure.

Use the following as your checklist for creating new Directory Server instances:

  1. Create a new Configuration Instance in Directory Server 3SP.

  2. Create a new User Data Instance in Directory Server 3SP.

  3. Create a new Configuration Instance in Directory Server 4SP.

  4. Create a new User Data Instance in Directory Server 4SP.

Procedure: To Create a New Configuration Instance in Directory Server 3SP

Create a new data instance for storing Federation Manager configuration. This ensures that if you ever have to uninstall or restore Federation Manager configuration, the Directory Server configuration remains untouched and will not have to be restored.

  1. As a root user, log in to Directory Server 3SP.

    Set the X window display variable, and start the Directory Server 3SP console.

    # cd /var/opt/mps/serverroot/ 
    # export DISPLAY=DirectoryServer-3SP.siroe.com:1 
    # ./startconsole &
  2. Log in to the Directory Server 3SP console.

    Username

    cn=Directory Manager

    Password

    11111111

    Administration URL

    http://DirectoryServer-3SP.siroe.com:1391

  3. In the Directory Server console, under the Servers and Applications tab, expand the Server Administration domain list until you see the Server Group item.

  4. Right-click on Server Group, and choose “Create an instance of Sun Directory Server.”

  5. In the Create New Instance dialog box, provide the following information:

    Server identifier:

    Enter fm-config.

    Network port:

    Enter 1389.

    Base suffix:

    Enter o=siroe.com.

    Directory Manager DN:

    Enter cn=Directory Manager

    Password:

    For this example, enter 11111111.

    Confirm Password:

    Enter the same password to confirm it.

    Server Runtime (UNIX) user ID:

    Enter root.

  6. Click OK, and then close the status window.

  7. Verify that the new Directory Server instance named fm-config successfully starts up.

    1. As a root user, log in to Directory Server 3SP.

    2. Start the new data Directory Server instance.


      # cd /var/opt/mps/serverroot/slapd-fm-config 
      # ./stop-slapd; ./start-slapd
    3. Use the tail command to monitor the Directory Server error log and see that the server starts up successfully.


      # tail -f logs/errors

Procedure: To Create a New User Data Instance in Directory Server 3SP

Create a new data instance for storing both Federation Manager configuration and user data. This ensures that if you ever have to uninstall or restore Federation Manager configuration, the Directory Server configuration remains untouched and will not have to be restored.

  1. As a root user, log in to Directory Server 3SP.

    Set the X window display variable, and start the Directory Server console.

    # cd /var/opt/mps/serverroot/ 
    # export DISPLAY=DirectoryServer-3SP.siroe.com:1 
    # ./startconsole &
  2. Log in to the Directory Server 3SP console.

    Username

    cn=Directory Manager

    Password

    11111111

    Administration URL

    http://DirectoryServer-3SP.siroe.com:1391

  3. In the Directory Server console, under the Servers and Applications tab, expand the Server Administration domain list until you see the Server Group item.

  4. Right-click on Server Group, and choose “Create an instance of Sun Directory Server.”

  5. In the Create New Instance dialog box, provide the following information:

    Server identifier:

    Enter fm-users.

    Network port:

    Enter 1489.

    Base suffix:

    Enter o=siroeusers.com.

    Directory Manager DN:

    Enter cn=Directory Manager

    Password:

    For this example, enter 11111111.

    Confirm Password:

    Enter the same password to confirm it.

    Server Runtime (UNIX) user ID:

    Enter root.

  6. Click OK, and then close the status window.

  7. Verify that the new Directory Server instance named fm-users successfully starts up.

    1. As a root user, log in to Directory Server 3SP.

    2. Start the new data Directory Server instance.


      # cd /var/opt/mps/serverroot/slapd-fm-users 
      # ./stop-slapd; ./start-slapd
    3. Use the tail command to monitor the Directory Server error log and see that the server starts up successfully.


      # tail -f logs/errors

Procedure: To Create a New Configuration Instance in Directory Server 4SP

  1. As a root user, log in to Directory Server 4SP.

    Set the X window display variable, and start the Directory Server console.

    # cd /var/opt/mps/serverroot/ 
    # export DISPLAY=DirectoryServer-4SP.siroe.com:1 
    # ./startconsole &
  2. Log in to the Directory Server 4SP console.

    Username

    cn=Directory Manager

    Password

    11111111

    Administration URL

    http://DirectoryServer-4SP.siroe.com:1391

  3. In the Directory Server console, under the Servers and Applications tab, expand the Server Administration domain list until you see the Server Group item.

  4. Right-click on Server Group, and choose “Create an instance of Sun Directory Server.”

  5. In the Create New Instance dialog box, provide the following information:

    Server identifier:

    Enter fm-config.

    Network port:

    Enter 1389.

    Base suffix:

    Enter o=siroe.com.

    Directory Manager DN:

    Enter cn=Directory Manager

    Password:

    For this example, enter 11111111.

    Confirm Password:

    Enter the same password to confirm it.

    Server Runtime (UNIX) user ID:

    Enter root.

  6. Click OK, and then close the status window.

  7. Verify that the new Directory Server instance named fm-config successfully starts up.

    1. As a root user, log in to Directory Server 4SP.

    2. Start the new data Directory Server instance.


      # cd /var/opt/mps/serverroot/slapd-fm-config 
      # ./stop-slapd; ./start-slapd
    3. Use the tail command to monitor the Directory Server error log and see that the server starts up successfully.


      # tail -f logs/errors

Procedure: To Create a New User Data Instance in Directory Server 4SP

  1. As a root user, log in to Directory Server 4SP.

    Set the X window display variable, and start the Directory Server console.

    # cd /var/opt/mps/serverroot/ 
    # export DISPLAY=DirectoryServer-4SP.siroe.com:1 
    # ./startconsole &
  2. Log in to the Directory Server 4SP console.

    Username

    cn=Directory Manager

    Password

    11111111

    Administration URL

    http://DirectoryServer-4SP.siroe.com:1391

  3. In the Directory Server console, under the Servers and Applications tab, expand the Server Administration domain list until you see the Server Group item.

  4. Right-click on Server Group, and choose “Create an instance of Sun Directory Server.”

  5. In the Create New Instance dialog box, provide the following information:

    Server identifier:

    Enter fm-users.

    Network port:

    Enter 1489.

    Base suffix:

    Enter o=siroeusers.com.

    Directory Manager DN:

    Enter cn=Directory Manager

    Password:

    For this example, enter 11111111.

    Confirm Password:

    Enter the same password to confirm it.

    Server Runtime (UNIX) user ID:

    Enter root.

  6. Click OK, and then close the status window.

  7. Verify that the new Directory Server instance named fm-users successfully starts up.

    1. Log in as root to Directory Server 4SP.

    2. Start the new data Directory Server instance.


      # cd /var/opt/mps/serverroot/slapd-fm-users 
      # ./stop-slapd; ./start-slapd
    3. Use the tail command to monitor the Directory Server error log and see that the server starts up successfully.


      # tail -f logs/errors

4.3 Enabling Multi-Master Replication of the Configuration Instances

In this procedure you enable multi-master replication (MMR) between two directory masters. With MMR enabled, whenever a directory entry is changed in Directory Server 3SP, the change is automatically replicated in Directory Server 4SP. The reverse is also true.

Use the following as your checklist for enabling MMR among the configuration instances:

  1. Enable multi-master replication of the Configuration Instance on Directory Server 3SP.

  2. Enable multi-master replication of the Configuration Instance on Directory Server 4SP.

  3. Create a replication agreement for the Configuration Instance on Directory Server 3SP.

  4. Create a replication agreement for the Configuration Instance on Directory Server 4SP.

  5. Initialize the Configuration Instance master replica.

Procedure: To Enable Multi-Master Replication of the Configuration Instance on Directory Server 3SP

  1. Start the Directory Server 3SP console.


    # cd /var/opt/mps/serverroot/ 
    # ./startconsole &
  2. Log in to the Directory Server 3SP console.

    Username

    cn=Directory Manager

    Password

    11111111

    Administration URL

    http://DirectoryServer-3SP.siroe.com:1391

  3. In the Directory Server console, under the Servers and Applications tab, expand the Server Administration domain list until you see the Server Group item.

  4. Click to expand the Server Group.

    You should see three items: an Administration Server, a Directory Server (fm-config), and a Directory Server (fm-users).

  5. Double-click the instance name Directory Server (fm-config) to display the console for managing the instance fm-config.

  6. Click the Configuration tab and navigate to the Replication pane.

    1. Expand the Data node.

    2. Expand the node for the suffix you want to be a master replica.

      In this example, double-click the suffix o=siroe.com.

    3. Click Replication.

  7. Click the “Enable replication” button to start the Replication Wizard.

  8. Select Master Replica, and then click Next to continue.

  9. Enter a Replica ID, and then click Next.

    For this example, when enabling replication on DirectoryServer-3SP, assign the number 11.

  10. If you have not already been prompted to select the change log file, you are prompted to select one now.

    The default change log file is shown in the text field. If you do not wish to use the default, type in a filename for the change log, or click Browse to display a file selector. If the change log has already been enabled, the wizard will skip this step.

  11. If you have not already been prompted to enter and confirm a password for the default replication manager, you are prompted now.

    The replication manager is not used in the case of single-master replication, but you must still enter a password to proceed. For this example, enter 11111111.

    Click Next.

    The Replication Wizard displays a status message while updating the replication configuration.

  12. Click Close when replication is finished.

Procedure: To Enable Multi-Master Replication of the Configuration Instance on Directory Server 4SP

  1. Start the Directory Server 4SP console.


    # cd /var/opt/mps/serverroot/ 
    # ./startconsole &
  2. Log in to the Directory Server 4SP console.

    Username

    cn=Directory Manager

    Password

    11111111

    Administration URL

    http://DirectoryServer-4SP.siroe.com:1391

  3. In the Directory Server console, under the Servers and Applications tab, expand the Server Administration domain list until you see the Server Group item.

  4. Click to expand the Server Group.

    You should see three items: an Administration Server, a Directory Server (fm-config), and a Directory Server (fm-users).

  5. Double-click the instance name Directory Server (fm-config) to display the console for managing the instance fm-config.

  6. Click the Configuration tab and navigate to the Replication pane.

    1. Expand the Data node.

    2. Expand the node for the suffix you want to be a master replica.

      In this example, double-click the suffix o=siroe.com.

    3. Click Replication.

  7. Click the “Enable replication” button to start the Replication Wizard.

  8. Select Master Replica, and then click Next to continue.

  9. Enter a Replica ID, and then click Next.

    For this example, when enabling replication on DirectoryServer-4SP, assign the number 22.

  10. If you have not already been prompted to select the change log file, you are prompted to select one now.

    The default change log file is shown in the text field. If you do not wish to use the default, type in a filename for the change log, or click Browse to display a file selector. If the change log has already been enabled, the wizard will skip this step.

  11. If you have not already been prompted to enter and confirm a password for the default replication manager, you are prompted now.

    The replication manager is not used in the case of single-master replication, but you must still enter a password to proceed. For this example, enter 11111111.

    Click Next.

    The Replication Wizard displays a status message while updating the replication configuration.

  12. Click Close when replication is finished.

Procedure: To Create a Replication Agreement for the Configuration Instance on Directory Server 3SP

  1. On DirectoryServer-3SP, in the Directory Server console, display the general properties for the Directory Server instance named fm-config.

    Navigate through the tree in the left panel to find the Directory Server instance named fm-config, and click on the instance name to display its general properties.

  2. Click the Open button to display the console for managing the fm-config instance.

  3. Click the Configuration tab and navigate to the Replication pane.

    1. Expand the Data node.

    2. Expand the node for the suffix you want to be a master replica.

      In this example, double-click the suffix o=siroe.com.

    3. Click Replication.

  4. Click the New button.

  5. In the Replication Agreement dialog box, click the Other button.

  6. In the Remote Server dialog box, provide the following information, and then click OK.

    Host

    DirectoryServer-4SP.siroe.com

    Port

    1389

    Secure Port

    Leave this box unmarked.

  7. In the Replication Agreement dialog, for the distinguished name (DN) of the replication manager entry on the consumer server, accept the default value.

    By default, the DN is that of the default replication manager.

  8. For the password of the replication manager, enter 11111111.

  9. (Optional) Provide a description string for this agreement.

    For this example, enter Replication from DirectoryServer-3SP to DirectoryServer-4SP.

  10. Click OK when done.

  11. In the confirmation dialog, click Yes to test the connection to the server and port number.

    Use the given replication manager and password 11111111.

    If the connection fails, for example because the parameters are correct but the server is offline, you still have the option of using this agreement. When you have finished, the agreement appears in the list of replication agreements for this master replica.

Procedure: To Create a Replication Agreement for the Configuration Instance on Directory Server 4SP

  1. On DirectoryServer-4SP, in the Directory Server console, display the general properties for the Directory Server instance named fm-config.

    Navigate through the tree in the left panel to find the Directory Server instance named fm-config, and click on the instance name to display its general properties.

  2. Click the Open button to display the console for managing the fm-config instance.

  3. Click the Configuration tab and navigate to the Replication pane.

    1. Expand the Data node.

    2. Expand the node for the suffix you want to be a master replica.

      In this example, double-click the suffix o=siroe.com.

    3. Click Replication.

  4. Click the New button.

  5. In the Replication Agreement dialog box, click the Other button.

  6. In the Remote Server dialog box, provide the following information, and then click OK.

    Host

    DirectoryServer-3SP.siroe.com

    Port

    1389

    Secure Port

    Leave this box unmarked.

  7. In the Replication Agreement dialog, for the distinguished name (DN) of the replication manager entry on the consumer server, accept the default value.

    By default, the DN is that of the default replication manager.

  8. For the password of the replication manager, enter 11111111.

  9. (Optional) Provide a description string for this agreement.

    For this example, enter Replication from DirectoryServer-4SP to DirectoryServer-3SP.

  10. Click OK when done.

  11. In the confirmation dialog, click Yes to test the connection to the server and port number.

    Use the given replication manager and password.

    If the connection fails, for example because the parameters are correct but the server is offline, you still have the option of using this agreement. When you have finished, the agreement appears in the list of replication agreements for this master replica.

Procedure: To Initialize the Configuration Instance Master Replica

  1. In the Directory Server 3SP console, navigate through the tree in the left panel to find the Directory Server instance named fm-config.

    Click on the instance name to display its general properties.

  2. Double-click the instance name Directory Server (fm-config) in the tree to display the console for managing the data.

  3. Click the Configuration tab and navigate to the Replication pane.

    1. Expand the Data node.

    2. Expand the node for the suffix you want to be a master replica.

      In this example, double-click the suffix o=siroe.com.

    3. Click Replication.

  4. In the list of defined agreements, select the replication agreement corresponding to Directory Server 4SP, the consumer you want to initialize.

  5. Click Action > Initialize remote replica.

    A confirmation message warns you that any information already stored in the replica on the consumer will be removed.

  6. In the Confirmation dialog, click Yes.

    Online consumer initialization begins immediately. The icon of the replication agreement shows a red gear to indicate the status of the initialization process.

  7. Click Refresh > Continuous Refresh to follow the status of the consumer initialization.

    Any messages for the highlighted agreement will appear in the text box below the list.

  8. Verify that replication is working properly.

    1. Log in to both Directory Server hosts as a root user, and start both Directory Server consoles.

    2. Log in to each Directory Server console.

    3. In each Directory Server console, enable the audit log on both Directory Server instances.

      Go to Configuration > Logs > Audit Log. Check Enable Logging, and then click Save.

    4. In separate terminal windows, use the tail -f command to watch the audit log files change.

    5. In the Directory Server 3SP console, create a new user entry.

      • Go to the Directory tab, and right-click the suffix o=siroe.com. Then click New > Group.

        Name the new group People, and then click OK.

      • Click People, and then right-click to choose New > User.

      • In the Create New User dialog, enter a first name and last name, and then click OK.

      Note that the user entry is recorded in the instance audit log. Check that the same entry is also created on Directory Server 4SP, in that Directory Server instance's audit log.

    6. On DirectoryServer-4SP, in the Directory Server console, create a new user entry.

      • Go to the Directory tab, and right-click the suffix o=siroe.com. Click People, and then right-click to choose New > User.

      • In the Create New User dialog, enter a first name and last name, and then click OK.

        Note that the user entry is recorded in the instance audit log. Check that the same entry is also created on Directory Server 3SP, in that Directory Server instance's audit log.

    7. Delete both new user entries in the Directory Server 4SP console.

      Look in the Directory Server 3SP console to verify that both users have been deleted.

4.4 Enabling Multi-Master Replication of the User Data Instances

Use the following as your checklist for enabling MMR among the user data instances:

  1. Enable multi-master replication for the User Data Instance on Directory Server 3SP.

  2. Enable multi-master replication for the User Data Instance on Directory Server 4SP.

  3. Create a replication agreement for the User Data Instance on Directory Server 3SP.

  4. Create a replication agreement for the User Data Instance on Directory Server 4SP.

  5. Initialize the User Data Instance master replica.

Procedure: To Enable Multi-Master Replication for the User Data Instance on Directory Server 3SP

  1. On Directory Server 3SP, start the Directory Server console.


    # cd /var/opt/mps/serverroot/
    # ./startconsole &

  2. Log in to the Directory Server 3SP console.

    Username

    cn=Directory Manager

    Password

    11111111

    Administration URL

    http://DirectoryServer-3SP.siroe.com:1391

  3. In the Directory Server console, under the Servers and Applications tab, expand the Server Administration domain list until you see the Server Group item.

  4. Click to expand the Server Group.

    You should see three items: an Administration Server, a Directory Server (fm-config), and a Directory Server (fm-users).

  5. Double-click the instance name Directory Server (fm-users) to display the console for managing the instance fm-users.

  6. Click the Configuration tab and navigate to the Replication pane.

    1. Expand the Data node.

    2. Expand the node for the suffix you want to be a master replica.

      In this example, double-click the suffix o=siroeusers.com.

    3. Click Replication.

  7. Click the “Enable replication” button to start the Replication Wizard.

  8. Select Master Replica, and then click Next to continue.

  9. Enter a Replica ID, and then click Next.

    For this example, when enabling replication on Directory Server 3SP, assign the number 33.

  10. If you have not already been prompted to select the change log file, you are prompted to select one now.

    The default change log file is shown in the text field. If you do not wish to use the default, type in a filename for the change log, or click Browse to display a file selector. If the change log has already been enabled, the wizard will skip this step.

  11. If you have not already been prompted to enter and confirm a password for the default replication manager, you are prompted now.

    The replication manager is not used in the case of single-master replication, but you must still enter a password to proceed. For this example, enter 11111111.

    Click Next.

    The Replication Wizard displays a status message while updating the replication configuration.

  12. Click Close when replication is finished.

Procedure: To Enable Multi-Master Replication for the User Data Instance on Directory Server 4SP

  1. Start the Directory Server 4SP console.


    # cd /var/opt/mps/serverroot/
    # ./startconsole &

  2. Log in to the Directory Server 4SP console.

    Username

    cn=Directory Manager

    Password

    11111111

    Administration URL

    http://DirectoryServer-4SP.siroe.com:1391

  3. In the Directory Server console, under the Servers and Applications tab, expand the Server Administration domain list until you see the Server Group item.

  4. Click to expand the Server Group.

    You should see three items: an Administration Server, a Directory Server (fm-config), and a Directory Server (fm-users).

  5. Double-click the instance name Directory Server (fm-users) to display the console for managing the instance fm-users.

  6. Click the Configuration tab and navigate to the Replication pane.

    1. Expand the Data node.

    2. Expand the node for the suffix you want to be a master replica.

      In this example, double-click the suffix o=siroeusers.com.

    3. Click Replication.

  7. Click the “Enable replication” button to start the Replication Wizard.

  8. Select Master Replica, and then click Next to continue.

  9. Enter a Replica ID, and then click Next.

    For this example, when enabling replication on Directory Server 4SP, assign the number 44.

  10. If you have not already been prompted to select the change log file, you are prompted to select one now.

    The default change log file is shown in the text field. If you do not wish to use the default, type in a filename for the change log, or click Browse to display a file selector. If the change log has already been enabled, the wizard will skip this step.

  11. If you have not already been prompted to enter and confirm a password for the default replication manager, you are prompted now.

    The replication manager is not used in the case of single-master replication, but you must still enter a password to proceed. For this example, enter 11111111.

    Click Next.

    The Replication Wizard displays a status message while updating the replication configuration.

  12. Click Close when replication is finished.

Procedure: To Create a Replication Agreement for the User Data Instance on Directory Server 3SP

  1. In the Directory Server 3SP console, display the general properties for the Directory Server instance named fm-users.

    Navigate through the tree in the left panel to find the Directory Server instance named fm-users, and click on the instance name to display its general properties.

  2. Click the Open button to display the console for managing the fm-users instance.

  3. Click the Configuration tab and navigate to the Replication pane.

    1. Expand the Data node.

    2. Expand the node for the suffix you want to be a master replica.

      In this example, double-click the suffix o=siroeusers.com.

    3. Click Replication.

  4. Click the New button.

  5. In the Replication Agreement dialog box, click the Other button.

  6. In the Remote Server dialog box, provide the following information, and then click OK.

    Host

    DirectoryServer-4SP.siroe.com

    Port

    1489

    Secure Port

    Leave this box unmarked.

  7. In the Replication Agreement dialog, for the distinguished name (DN) of the replication manager entry on the consumer server, accept the default value.

    By default, the DN is that of the default replication manager.

  8. For the password of the replication manager, enter 11111111.

  9. (Optional) Provide a description string for this agreement.

    For this example, enter Replication from DirectoryServer-3SP to DirectoryServer-4SP.

  10. Click OK when done.

  11. In the confirmation dialog, click Yes to test the connection to the server and port number.

    Use the given replication manager and password 11111111.

    If the connection test fails (for example, because the parameters are correct but the server is offline), you can still save and use this agreement. When you have finished, the agreement appears in the list of replication agreements for this master replica.

Procedure: To Create a Replication Agreement for the User Data Instance on Directory Server 4SP

  1. On DirectoryServer-4SP, in the Directory Server console, display the general properties for the Directory Server instance named fm-users.

    Navigate through the tree in the left panel to find the Directory Server instance named fm-users, and click on the instance name to display its general properties.

  2. Click the Open button to display the console for managing the fm-users instance.

  3. Click the Configuration tab and navigate to the Replication pane.

    1. Expand the Data node.

    2. Expand the node for the suffix you want to be a master replica.

      In this example, double-click the suffix o=siroeusers.com.

    3. Click Replication.

  4. Click the New button.

  5. In the Replication Agreement dialog box, click the Other button.

  6. In the Remote Server dialog box, provide the following information, and then click OK.

    Host

    DirectoryServer-3SP.siroe.com

    Port

    1489

    Secure Port

    Leave this box unmarked.

  7. In the Replication Agreement dialog, for the distinguished name (DN) of the replication manager entry on the consumer server, accept the default value.

    By default, the DN is that of the default replication manager.

  8. For the password of the replication manager, enter 11111111.

  9. (Optional) Provide a description string for this agreement.

    For this example, enter Replication from DirectoryServer-4SP to DirectoryServer-3SP.

  10. Click OK when done.

  11. In the confirmation dialog, click Yes to test the connection to the server and port number.

    Use the given replication manager and password.

    If the connection test fails (for example, because the parameters are correct but the server is offline), you can still save and use this agreement. When you have finished, the agreement appears in the list of replication agreements for this master replica.

Procedure: To Initialize the User Data Instance Master Replica

  1. In the Directory Server 3SP console, navigate through the tree in the left panel to find the Directory Server instance named fm-users.

    Click on the instance name to display its general properties.

  2. Double-click the instance name Directory Server (fm-users) in the tree to display the console for managing the data.

  3. Click the Configuration tab and navigate to the Replication pane.

    1. Expand the Data node.

    2. Expand the node for the suffix you want to be a master replica.

      In this example, double-click the suffix o=siroeusers.com.

    3. Click Replication.

  4. In the list of defined agreements, select the replication agreement corresponding to Directory Server 4SP, the consumer you want to initialize.

  5. Click Action > Initialize remote replica.

    A confirmation message warns you that any information already stored in the replica on the consumer will be removed.

  6. In the Confirmation dialog, click Yes.

    Online consumer initialization begins immediately. The icon of the replication agreement shows a red gear to indicate the status of the initialization process.

  7. Click Refresh > Continuous Refresh to follow the status of the consumer initialization.

    Any messages for the highlighted agreement will appear in the text box below the list.

  8. Verify that replication is working properly.

    1. As a root user, log in to both Directory Server hosts, and start both Directory Server consoles.

    2. Log in to each Directory Server console.

    3. In each Directory Server console, enable the audit log on both Directory Server instances.

      Go to Configuration > Logs > Audit Log. Check Enable Logging, and then click Save.

    4. In separate terminal windows, use the tail -f command to watch the audit log files change.

    5. In the Directory Server 3SP console, create a new user entry.

      • Go to the Directory tab, and right-click the suffix o=siroeusers.com. Then click New > Group.

        Name the new group People, and then click OK.

      • Click People, and then right-click to choose New > User.

      • In the Create New User dialog, enter a first name and last name, and then click OK.

      Note that the user entry is recorded in the instance audit log. Check that the same entry is also created on DirectoryServer-4SP, in that Directory Server instance's audit log.

    6. In the Directory Server 4SP console, create a new user entry.

      • Go to the Directory tab, and right-click the suffix o=siroeusers.com. Click People, and then right-click to choose New > User.

      • In the Create New User dialog, enter a first name and last name, and then click OK.

        Note that the user entry is recorded in the instance audit log. Check that the same entry is also created on Directory Server 3SP, in that Directory Server instance's audit log.

    7. Delete both new user entries in the Directory Server 4SP console.

      Look in the Directory Server 3SP console to verify that both users have been deleted.
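The verification in step 8 above, and the matching step for the configuration instance earlier in this chapter, compares the two audit logs by eye. The following Python script is an added example, not part of the Sun deployment guide: it parses the LDIF-style audit log records of both masters, replays the adds and deletes in time order, and reports DNs whose final state differs between the two instances. The audit log text is constructed for this example (the record layout assumed is the Directory Server 5 audit log: a "time:" line, then "dn:" and "changetype:", records separated by blank lines), and it relies on the point the procedure makes, namely that a replicated operation shows up in the peer's audit log too.

```python
"""Compare the audit logs of two multi-master Directory Server instances.

Added example (not from the Sun deployment guide). Assumes the Directory
Server 5 audit log layout: LDIF-style records introduced by a "time:" line and
separated by blank lines. Both log texts below are constructed.
"""
from typing import List, Set, Tuple

# Constructed sample: audit log of the fm-users instance on DirectoryServer-3SP.
AUDIT_3SP = """\
time: 20051201153045
dn: cn=People,o=siroeusers.com
changetype: add
objectClass: groupofuniquenames
cn: People

time: 20051201153101
dn: uid=jdoe,cn=People,o=siroeusers.com
changetype: add
objectClass: person
sn: Doe
cn: John Doe

time: 20051201153150
dn: uid=jdoe,cn=People,o=siroeusers.com
changetype: modify
replace: sn
sn: Doe-Smith
-
"""

# Constructed sample: audit log of fm-users on DirectoryServer-4SP. The first
# two records arrived through replication; the third is a local add that has
# not yet been replicated back to 3SP, which is the gap the checker reports.
AUDIT_4SP = """\
time: 20051201153046
dn: cn=People,o=siroeusers.com
changetype: add
objectClass: groupofuniquenames
cn: People

time: 20051201153102
dn: uid=jdoe,cn=People,o=siroeusers.com
changetype: add
objectClass: person
sn: Doe
cn: John Doe

time: 20051201153230
dn: uid=asmith,cn=People,o=siroeusers.com
changetype: add
objectClass: person
sn: Smith
cn: Ann Smith
"""

Record = Tuple[str, str, str]  # (timestamp, changetype, normalized dn)


def parse_audit_log(text: str) -> List[Record]:
    """Extract (time, changetype, dn) from every audit record in the text."""
    records: List[Record] = []
    time = dn = changetype = None
    for line in text.splitlines() + [""]:  # trailing "" flushes the last record
        if line.startswith("time: "):
            time = line[len("time: "):].strip()
        elif line.startswith("dn: "):
            dn = line[len("dn: "):].strip()
        elif line.startswith("changetype: "):
            changetype = line[len("changetype: "):].strip()
        elif line == "" and time is not None:
            if dn and changetype:
                # DNs are case-insensitive: normalize so both logs compare equal.
                records.append((time, changetype, dn.lower()))
            time = dn = changetype = None
    return records


def final_state(records: List[Record]) -> Set[str]:
    """Replay adds and deletes in timestamp order; modifies leave presence unchanged."""
    present: Set[str] = set()
    for _, changetype, dn in sorted(records):  # YYYYMMDDHHMMSS sorts as text
        if changetype == "add":
            present.add(dn)
        elif changetype == "delete":
            present.discard(dn)
    return present


def replication_gaps(log_a: str, log_b: str) -> Tuple[List[str], List[str]]:
    """Return (DNs present only on A, DNs present only on B); both empty means in sync."""
    a = final_state(parse_audit_log(log_a))
    b = final_state(parse_audit_log(log_b))
    return sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    only_3sp, only_4sp = replication_gaps(AUDIT_3SP, AUDIT_4SP)
    print("only on DirectoryServer-3SP:", only_3sp)
    print("only on DirectoryServer-4SP:", only_4sp)
```

Run it against copies of the two audit files (after the tail -f session in step 8 has captured the test adds and deletes); an empty pair of lists means every add and delete reached both masters, and a non-empty list names the entries still waiting on replication.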

4.5 Configuring the Directory Server Load Balancers

In the following procedures, you configure one load balancer in front of the Directory Server configuration instances, and one load balancer in front of the Directory Server user data instances.

Use the following as your checklist for configuring the Directory Server load balancers:

  1. Configure Load Balancer 7 for the Directory Server Configuration instances.

  2. Configure Load Balancer 8 for the Directory Server User Data instances.

4.5.1 Simple Persistence

In this deployment, both Directory Server load balancers are configured for simple persistence. When the load balancer is configured for simple persistence, all Federation Manager requests sent within a specified interval are sent to the same Directory Server for processing. Simple persistence ensures that within the specified interval, no errors or delays occur due to replication time or redirects when retrieving data.

When a request requires information to be written to Directory Server 3SP, that information is also replicated in Directory Server 4SP. But the replication takes time to complete. During that time, if a related request is directed by the load balancer to Directory Server 4SP, the request may fail.

For example, when simple persistence is not configured properly, creating a realm from the Federation Manager administration console could fail in the following way. A request for the parent entry creation is routed to Directory Server 3SP, and a second request to create the subentry is routed to Directory Server 4SP. But if the parent entry request is not yet fully replicated to Directory Server 4SP, the subentry request fails. The result is a partially created realm which may not contain all its subentries such as realm administration roles. Simple persistence eliminates this type of error. When persistence is properly configured, both the parent entry request and the subentry request are routed to Directory Server 3SP. The requests are processed in consecutive order. The parent entry is fully created before the subentry request begins processing.
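The race described above can be made concrete with a small model. The following Python script is an added illustration, not code from the Sun deployment guide: it simulates two multi-master replicas that exchange writes after a replication delay, fronted by a load balancer that is either plain round robin or round robin with simple persistence, and it plays through the realm-creation sequence (parent entry, then a sub-entry shortly after). The host names and the o=siroe.com suffix come from this chapter; the replication lag, the realm DN and the client name are constructed values.

```python
"""Why the Directory Server load balancers need simple persistence.

Added illustration (not from the Sun deployment guide): a toy model of two
multi-master replicas with a replication delay behind a load balancer.
Host names and the suffix are the guide's; lag, timing and DNs are constructed.
"""
from typing import Dict, List, Optional, Set, Tuple

BASE = "o=siroe.com"   # suffix of the configuration instance
REPLICATION_LAG = 2    # constructed: seconds before a write is visible on the peer


class ReplicatedPair:
    """Two masters: a write lands locally at once and on the peer after the lag."""

    def __init__(self, lag: int) -> None:
        self.lag = lag
        self.entries: Dict[str, Set[str]] = {
            "DirectoryServer-3SP": {BASE},
            "DirectoryServer-4SP": {BASE},
        }
        self.pending: List[Tuple[int, str, str]] = []  # (arrival time, master, dn)

    def _deliver(self, now: int) -> None:
        """Apply replicated writes whose arrival time has passed."""
        still_pending = []
        for arrival, master, dn in self.pending:
            if arrival <= now:
                self.entries[master].add(dn)
            else:
                still_pending.append((arrival, master, dn))
        self.pending = still_pending

    def add(self, master: str, dn: str, now: int) -> bool:
        """LDAP add: fails (noSuchObject) when the parent is not yet visible here."""
        self._deliver(now)
        parent = dn.split(",", 1)[1]
        if parent not in self.entries[master]:
            return False
        self.entries[master].add(dn)
        for peer in self.entries:
            if peer != master:
                self.pending.append((now + self.lag, peer, dn))
        return True


class LoadBalancer:
    """Round robin; with simple persistence a client sticks to one backend for `timeout` seconds."""

    def __init__(self, pair: ReplicatedPair, timeout: Optional[int]) -> None:
        self.pair = pair
        self.backends = list(pair.entries)
        self.timeout = timeout  # None models a pool without persistence
        self.next_index = 0
        self.sticky: Dict[str, Tuple[str, int]] = {}  # client -> (backend, last seen)

    def route(self, client: str, now: int) -> str:
        if self.timeout is not None and client in self.sticky:
            backend, last_seen = self.sticky[client]
            if now - last_seen <= self.timeout:
                self.sticky[client] = (backend, now)
                return backend
        backend = self.backends[self.next_index % len(self.backends)]
        self.next_index += 1
        if self.timeout is not None:
            self.sticky[client] = (backend, now)
        return backend


def create_realm(timeout: Optional[int], lag: int = REPLICATION_LAG) -> Tuple[bool, Tuple[str, str]]:
    """Realm creation as two adds from one client: the parent entry, then a sub-entry 1 s later.

    Returns (both adds succeeded, (backend for first add, backend for second add)).
    """
    lb = LoadBalancer(ReplicatedPair(lag), timeout)
    client = "FederationManager-1"            # constructed client identity
    realm = f"o=example,{BASE}"               # constructed realm DN
    sub = f"cn=Realm Administrator,{realm}"   # constructed sub-entry DN
    first = lb.route(client, now=0)
    parent_ok = lb.pair.add(first, realm, now=0)
    second = lb.route(client, now=1)          # still inside the replication lag
    sub_ok = lb.pair.add(second, sub, now=1)
    return parent_ok and sub_ok, (first, second)


if __name__ == "__main__":
    print("round robin only:  ", create_realm(timeout=None))
    print("simple persistence:", create_realm(timeout=300))
```

Without persistence the second add is routed to the other master before the parent has replicated, so it fails with noSuchObject and the realm is left half-created; with a 300-second persistence timeout both adds go to the same master and the sequence completes, which is exactly the behaviour the procedures below configure.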

Procedure: To Configure Load Balancer 7 for the Directory Server Configuration Instances

Before You Begin
  1. Create a Pool.

    A pool contains all the backend server instances.

    1. Go to the URL for the BIG-IP load balancer login page.

    2. Open the Configuration Utility.

      Click “Configure your BIG-IP (R) using the Configuration Utility.”

    3. In the left pane, click Pools.

    4. On the Pools tab, click the Add button.

    5. In the Add Pool dialog, provide the following information:

      Pool Name

      Example: federation_ds_pool

      Load Balancing Method

      Round Robin

      Resources

      Add the IP address of both Directory Server hosts. In this example:

      192.18.69.135 (for DirectoryServer-3SP:1389)

      192.18.72.136 (for DirectoryServer-4SP:1389)

    6. Click the Done button.

  2. Add a Virtual Server.

    If you encounter JavaScript errors or otherwise cannot proceed to create a virtual server, try using Microsoft Internet Explorer for this step.

    1. In the left frame, click Virtual Servers.

    2. On the Virtual Servers tab, click the Add button.

    3. In the Add a Virtual Server dialog box, provide the following information:

      Address

      192.18.69.16 (for LoadBalancer-7.siroe.com)

      Service

      389

      Pool

      federation_ds_pool

    4. Continue to click Next until you reach the Pool Selection dialog box.

    5. In the Pool Selection dialog box, assign the Pool (federation_ds_pool) that you have just created.

    6. Click the Done button.

  3. Add Monitors

    Monitors are required for the load balancer to detect the backend server failures.

    1. In the left frame, click Monitors.

    2. Click the Basic Associations tab.

    3. Add an LDAP monitor for the Directory Server 3SP node.

      Three columns exist on this page: Node, Node Address, and Service. In the Node column, locate the IP address and port number for DirectoryServer-3SP:1389. Select the Add checkbox.

    4. Add an LDAP monitor for the Directory Server 4SP node.

      In the Node column, locate the IP address and port number for DirectoryServer-4SP:1389. Select the Add checkbox.

    5. At the top of the Node column, in the drop-down list, choose tcp.

    6. Click Apply.

  4. Configure the load balancer for simple persistence.

    1. In the left frame, click Pools.

    2. Click the name of the pool you want to configure.

      In this example, federation_ds_pool.

    3. Click the Persistence tab.

    4. On the Persistence tab, under Persistence Type, select Simple.

    5. Set the timeout interval.

      In the Timeout field, enter 300 seconds.

    6. Click Apply.

  5. Verify the Directory Server load balancer configuration.

    1. Log in as a root user to the host of each Directory Server.

    2. On each Directory Server host, use the tail command to monitor the Directory Server access log.

      # cd /var/opt/mps/serverroot/slapd-DirectoryServer-3SP/logs

      # tail -f access

      You should see connections to the load balancer IP address opening and closing. Example:

      conn=54 op=-1 msgId=-1 - fd=22 slot=22 LDAP connection from 192.18.69.18 to 192.18.72.33
      conn=54 op=-1 msgId=-1 - closing - B1
      conn=54 op=-1 msgId=-1 - closed.

    3. Execute the following LDAP search against the Directory Server load balancer:


      # cd /var/opt/mps/serverroot/shared/bin/
      # ./ldapsearch -h LoadBalancer-7.siroe.com -p 389 -b "o=siroe.com" \
        -D "cn=directory manager" -w 11111111 "(objectclass=*)"

      The ldapsearch operation should return entries. Make sure the directory access entries display in only one Directory Server access log.

    4. Stop Directory Server 3SP, and again perform the following LDAP search against the Directory Server load balancer:


      # ./ldapsearch -h LoadBalancer-7.siroe.com -p 389 -b "o=siroe.com" \
        -D "cn=directory manager" -w 11111111 "(objectclass=*)"

      The ldapsearch operation should return entries. Verify that the Directory Server access entries display in only one Directory Server access log.

    5. If you encounter the following error message:


      # ./ldapsearch -h 192.18.69.13 -p 1389 -b "o=siroeusers.com" \
        -D "cn=Directory Manager" -w 11111111
      ldap_simple_bind: Can't connect to the LDAP server - Connection refused

      You can reset the timeout properties to lower values:

      • In the load balancer console, click the Monitors tab, and then click the ldap-tcp monitor name.

      • In the Interval field, set the value to 5.

      • In the Timeout field, set the value to 16.

      • Click Apply.

      Repeat the LDAP search.

    6. Restart the stopped Directory Server 3SP, and then stop Directory Server 4SP.

      Confirm that the requests are forwarded to the running Directory Server 4SP.

    7. Perform the following LDAP search against the Directory Server load balancer.


      # ./ldapsearch -h LoadBalancer-7.siroe.com -p 389 -b "o=siroe.com" \
        -D "cn=Directory Manager" -w 11111111 "(objectclass=*)"

      The ldapsearch operation should return entries. Make sure the directory access entries display in only one Directory Server access log.

Procedure: To Configure Load Balancer 8 for the Directory Server User Data Instances

Before You Begin
  1. Create a Pool.

    A pool contains all the backend server instances.

    1. Go to the URL for the BIG-IP load balancer login page.

    2. Open the Configuration Utility.

      Click “Configure your BIG-IP (R) using the Configuration Utility.”

    3. In the left pane, click Pools.

    4. On the Pools tab, click the Add button.

    5. In the Add Pool dialog, provide the following information:

      Pool Name

      Example: federation_users_pool

      Load Balancing Method

      Round Robin

      Resources

      Add the IP address of both Directory Server hosts. In this example:

      192.18.69.135 (for DirectoryServer-3SP:1489)

      192.18.72.136 (for DirectoryServer-4SP:1489)

    6. Click the Done button.

  2. Add a Virtual Server.

    If you encounter JavaScript errors or otherwise cannot proceed to create a virtual server, try using Microsoft Internet Explorer for this step.

    1. In the left frame, click Virtual Servers.

    2. On the Virtual Servers tab, click the Add button.

    3. In the Add a Virtual Server dialog box, provide the following information:

      Address

      192.18.69.16 (for LoadBalancer-8.siroe.com)

      Service

      1389

      Pool

      federation_users_pool

    4. Continue to click Next until you reach the Pool Selection dialog box.

    5. In the Pool Selection dialog box, assign the Pool (federation_users_pool) that you have just created.

    6. Click the Done button.

  3. Add Monitors

    Monitors are required for the load balancer to detect the backend server failures.

    1. In the left frame, click Monitors.

    2. Click the Basic Associations tab.

    3. Add an LDAP monitor for the Directory Server 3SP node.

      Three columns exist on this page: Node, Node Address, and Service. In the Node column, locate the IP address and port number for DirectoryServer-3SP:1489. Select the Add checkbox.

    4. Add an LDAP monitor for the Directory Server 4SP node.

      In the Node column, locate the IP address and port number for DirectoryServer-4SP:1489. Select the Add checkbox.

    5. At the top of the Node column, in the drop-down list, choose ldap-tcp.

    6. Click Apply.

  4. Configure the load balancer for simple persistence.

    1. In the left frame, click Pools.

    2. Click the name of the pool you want to configure.

      In this example, federation_users_pool.

    3. Click the Persistence tab.

    4. On the Persistence tab, under Persistence Type, select Simple.

    5. Set the timeout interval.

      In the Timeout field, enter 300 seconds.

    6. Click Apply.

  5. Verify the Directory Server load-balancer configuration.

    1. Log in as a root user to the host of each Directory Server.

    2. On each Directory Server host, use the tail command to monitor the Directory Server access log.

      # cd /var/opt/mps/serverroot/slapd-fm-users/logs

      # tail -f access

      You should see connections to the load balancer IP address opening and closing. Example:

      conn=54 op=-1 msgId=-1 - fd=22 slot=22 LDAP connection from 192.18.69.18 to 192.18.72.33
      conn=54 op=-1 msgId=-1 - closing - B1
      conn=54 op=-1 msgId=-1 - closed.

    3. Execute the following LDAP search against the Directory Server load balancer:


      # cd /var/opt/mps/serverroot/shared/bin/
      # ./ldapsearch -h LoadBalancer-8.siroe.com -p 1389 -b "o=siroeusers.com" \
        -D "cn=directory manager" -w 11111111 "(objectclass=*)"

      The ldapsearch operation should return entries. Make sure the directory access entries display in only one Directory Server access log.

    4. Stop Directory Server 3SP, and again perform the following LDAP search against the Directory Server load balancer:


      # ./ldapsearch -h LoadBalancer-8.siroe.com -p 1389 -b "o=siroeusers.com" \
        -D "cn=directory manager" -w 11111111 "(objectclass=*)"

      The ldapsearch operation should return entries. Verify that the Directory Server access entries display in only one Directory Server access log.

    5. If you encounter the following error message:

      # ./ldapsearch -h 192.18.69.13 -p 1389 -b "o=siroeusers.com" \
        -D "cn=Directory Manager" -w 11111111
      ldap_simple_bind: Can't connect to the LDAP server - Connection refused

      You can reset the timeout properties to lower values:

      • In the load balancer console, click the Monitors tab, and then click the ldap-tcp monitor name.

      • In the Interval field, set the value to 5.

      • In the Timeout field, set the value to 16.

      • Click Apply.

      Repeat the LDAP search.

    6. Restart the stopped Directory Server 3SP, and then stop Directory Server 4SP.

      Confirm that the requests are forwarded to the running Directory Server 4SP.

    7. Perform the following LDAP search against the Directory Server load balancer.


      # ./ldapsearch -h LoadBalancer-8.siroe.com -p 1389 -b "o=siroeusers.com" \
        -D "cn=Directory Manager" -w 11111111 "(objectclass=*)"

      The ldapsearch operation should return entries. Make sure the directory access entries display in only one Directory Server access log.
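The verification step of both load balancer procedures (step 5 for Load Balancer 7 and for Load Balancer 8) asks you to confirm from the access logs that the test searches reached only one Directory Server while the monitor probes reach both. The following Python script is an added example, not part of the Sun deployment guide, that performs that check over saved access logs: it groups lines by connection, treats a connection that opens and closes without any LDAP operation as a health-monitor probe, and reports which instances served real client operations. The log lines are constructed to follow the Directory Server 5 access log layout (timestamp, conn, op, msgId, then the event), the addresses are this chapter's example values, and the set of operation keywords recognized is an assumption listed in the code.

```python
"""Which Directory Server instance served the client operations behind the load balancer?

Added example (not from the Sun deployment guide). Parses Directory Server 5
access logs: "[timestamp] conn=N op=N msgId=N - event". Log texts are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) msgId=-?\d+ - (?P<rest>.*)$"
)

# Assumption: the event keywords that denote a client-issued LDAP operation.
OPERATIONS = {"BIND", "UNBIND", "SRCH", "ADD", "MOD", "DEL", "MODRDN", "CMP", "EXT", "ABANDON"}

# Constructed: access log on DirectoryServer-3SP (one monitor probe, then one real search).
ACCESS_3SP = """\
[01/Dec/2005:15:30:40 -0800] conn=54 op=-1 msgId=-1 - fd=22 slot=22 LDAP connection from 192.18.69.18 to 192.18.72.33
[01/Dec/2005:15:30:40 -0800] conn=54 op=-1 msgId=-1 - closing - B1
[01/Dec/2005:15:30:40 -0800] conn=54 op=-1 msgId=-1 - closed.
[01/Dec/2005:15:30:45 -0800] conn=55 op=-1 msgId=-1 - fd=23 slot=23 LDAP connection from 192.18.69.18 to 192.18.72.33
[01/Dec/2005:15:30:45 -0800] conn=55 op=0 msgId=1 - BIND dn="cn=directory manager" method=128 version=3
[01/Dec/2005:15:30:45 -0800] conn=55 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0
[01/Dec/2005:15:30:45 -0800] conn=55 op=1 msgId=2 - SRCH base="o=siroe.com" scope=2 filter="(objectClass=*)" attrs=ALL
[01/Dec/2005:15:30:45 -0800] conn=55 op=1 msgId=2 - RESULT err=0 tag=101 nentries=12 etime=0
[01/Dec/2005:15:30:45 -0800] conn=55 op=2 msgId=3 - UNBIND
[01/Dec/2005:15:30:45 -0800] conn=55 op=-1 msgId=-1 - closing - U1
[01/Dec/2005:15:30:45 -0800] conn=55 op=-1 msgId=-1 - closed.
"""

# Constructed: access log on DirectoryServer-4SP (monitor probes only, no client traffic).
ACCESS_4SP = """\
[01/Dec/2005:15:30:40 -0800] conn=61 op=-1 msgId=-1 - fd=22 slot=22 LDAP connection from 192.18.69.18 to 192.18.72.34
[01/Dec/2005:15:30:40 -0800] conn=61 op=-1 msgId=-1 - closing - B1
[01/Dec/2005:15:30:40 -0800] conn=61 op=-1 msgId=-1 - closed.
"""


def summarize_access_log(text: str) -> Dict[str, object]:
    """Group lines per connection and separate probe connections from client ones."""
    conns: Dict[str, Dict] = defaultdict(lambda: {"from": None, "ops": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access log line (e.g. a startup banner)
        conn, rest = conns[m.group("conn")], m.group("rest")
        if rest.startswith("fd="):
            src = re.search(r"LDAP connection from (\S+) to", rest)
            conn["from"] = src.group(1) if src else None
        else:
            verb = rest.split(" ", 1)[0]
            if verb in OPERATIONS:  # RESULT, closing and closed. lines are skipped
                conn["ops"].append(verb)
    probes = [c for c in conns.values() if not c["ops"]]
    clients = [c for c in conns.values() if c["ops"]]
    return {
        "probe_connections": len(probes),
        "client_connections": len(clients),
        "client_ops": [op for c in clients for op in c["ops"]],
    }


def servers_serving_clients(logs: Dict[str, str]) -> List[str]:
    """Names of the instances whose access log shows real (non-probe) operations."""
    return sorted(name for name, text in logs.items()
                  if summarize_access_log(text)["client_connections"] > 0)


def persistence_holds(logs: Dict[str, str]) -> bool:
    """True when exactly one instance served all client operations in the captured window."""
    return len(servers_serving_clients(logs)) == 1


if __name__ == "__main__":
    logs = {"DirectoryServer-3SP": ACCESS_3SP, "DirectoryServer-4SP": ACCESS_4SP}
    for name, text in logs.items():
        print(name, summarize_access_log(text))
    print("served clients:", servers_serving_clients(logs))
    print("persistence holds:", persistence_holds(logs))
```

To use it on a real run, capture the access log of each instance during the ldapsearch tests, load the two files into the dictionary in place of the constructed text, and expect persistence_holds to be true; after stopping one instance the only name returned should be the instance that is still running.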