System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP)

Configuration Choices

During Directory Server configuration, you are prompted for basic information. Decide how you are going to configure these basic parameters before you begin the configuration process. You are prompted for some or all of the following information, depending on the type of configuration that you decide to perform.

Choosing Unique Port Numbers

Port numbers can be any number from 1 to 65535. Keep the following in mind when choosing a port number for your iPlanet Directory Server 5.1.


Note –

If the LDAP naming service clients are using SSL encryption, you must use the default port numbers 389 and 636, which means that the server runs as root. See Transport Layer Security (TLS) for more information on Transport Layer Security.


For information on how to set up LDAP over SSL (LDAPS) for the iPlanet Directory Server 5.1, see the iPlanet Directory Server 5.1 Administrator's Guide.

Choosing User and Group

For security reasons, it is always best to run UNIX-based production servers with normal user privileges. That is, you do not want to run Directory Server with root privileges. However, you will have to run Directory Server with root privileges if you are using the default Directory Server ports. If Directory Server is to be started by Administration Server, Administration Server must run either as root or as the same user as iPlanet Directory Server 5.1.

You must therefore decide what user accounts you will use for the following purposes.

You should use a common group for all iPlanet servers, such as gid iPlanet, to ensure that files can be shared between servers when necessary.

Before you can install iPlanet Directory Server 5.1 and Administration Server, you must make sure that the user and group accounts you will use exist on your system.

Defining Authentication Entities

As you configure iPlanet Directory Server 5.1 and Administration Server, you will be asked for various user names, distinguished names (DN), and passwords. This list of login and bind entities will differ depending on the type of configuration that you are performing.

Choosing Your Directory Suffix

A directory suffix is the directory entry that represents the first entry in a directory tree. You will need at least one directory suffix for the tree that will contain your enterprise's data. It is common practice to select a directory suffix that corresponds to the DNS host name used by your enterprise. For example, if your organization uses the DNS name example.com, then select a suffix of dc=example,dc=com.

For more information on planning the suffixes for your directory service, see the iPlanet Directory Server 5.1 Deployment Guide.

Choosing the Location of the Configuration Directory

Many iPlanet servers, including Directory Server 5.1, use an instance of iPlanet Directory Server 5.1 to store configuration information. This information is stored in the o=NetscapeRoot directory tree. It does not need to be held on the same iPlanet Directory Server 5.1 as your directory data. Your configuration directory is the iPlanet Directory Server 5.1 that contains the o=NetscapeRoot tree.

If you are installing iPlanet Directory Server 5.1 only to support other iPlanet servers, then that iPlanet Directory Server 5.1 is your configuration directory. If you are installing iPlanet Directory Server 5.1 to use as part of a general directory service, then you will have multiple iPlanet Directory Server 5.1 instances installed in your enterprise and you must decide which one will host the configuration directory tree, o=NetscapeRoot. You must make this decision before you install any iPlanet servers (including iPlanet Directory Server 5.1).

For ease of upgrades, you should use an iPlanet Directory Server 5.1 instance that is dedicated to supporting the o=NetscapeRoot tree; this server instance should perform no other function with regard to managing your enterprise's directory data. Also, do not use port 389 for this server instance, because doing so could prevent you from installing an iPlanet Directory Server 5.1 on that host that can be used for management of your enterprise's directory data.

Because the configuration directory normally experiences very little traffic, you can allow its server instance to coexist on a machine with another, more heavily loaded iPlanet Directory Server 5.1 instance. However, for very large sites that are installing a large number of iPlanet servers, you may want to dedicate a low-end machine to the configuration directory so as not to hurt the performance of your other production servers. iPlanet server configurations result in write activities to the configuration directory. For large enough sites, this write activity could result in a short-term performance hit to your other directory activities.

Also, as with any directory configuration, consider replicating the configuration directory to increase availability and reliability. See the iPlanet Directory Server 5.1 Deployment Guide for information on using replication and DNS round robins to increase directory availability.


Caution –

If the configuration directory tree is corrupted, you might need to reinstall all other iPlanet servers that are registered in that configuration directory. Remember the following guidelines when dealing with the configuration directory.


Choosing the Location of the User Directory

Just as the configuration directory is the iPlanet Directory Server 5.1 that is used for iPlanet server administration, the user directory is the iPlanet Directory Server 5.1 that contains the entries for users and groups in your enterprise.

For most directory configurations, the user directory and the configuration directory should be two separate server instances. These server instances can be installed on the same machine, but for best results you should consider placing the configuration directory on a separate machine.

Between your user directory and your configuration directory, it is your user directory that will receive the overwhelming percentage of the directory traffic. For this reason, you should give the user directory the greatest computing resources. Because the configuration directory should receive very little traffic, it can be installed on a machine with very low-end resources.

Also, you should use the default directory ports (389 and 636) for the user directory. If your configuration directory is managed by a server instance dedicated to that purpose, you should use some non-standard port for the configuration directory.

You cannot install a user directory until you have installed a configuration directory somewhere on your network.
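The planning rules above (Choosing Unique Port Numbers, Choosing User and Group, Choosing Your Directory Suffix, and the port guidance for the configuration and user directories) can be checked before installation. The following script is an added example for this guide, not a tool shipped with iPlanet Directory Server or Solaris; the role names "user" and "config" and the sample account "ldap" are constructed for illustration.

```shell
#!/bin/sh
# Pre-install planning check for a Directory Server instance (added example).
# Rules encoded: ports are 1-65535; ports below 1024 (including the defaults
# 389 and 636) require root; a dedicated configuration directory should not
# take 389/636; the user directory should; the DNS name maps to a dc= suffix.

# dns_to_suffix example.com  ->  dc=example,dc=com
dns_to_suffix() {
    _in=$1; _out=""
    while [ -n "$_in" ]; do
        _label=${_in%%.*}                       # leftmost DNS label
        _out="${_out:+$_out,}dc=$_label"        # append as a dc= component
        case $_in in *.*) _in=${_in#*.} ;; *) _in="" ;; esac
    done
    printf '%s\n' "$_out"
}

# user_exists NAME: the account the server will run as must already exist.
user_exists() { id "$1" >/dev/null 2>&1; }

# check_port_plan ROLE PORT RUNAS: ROLE is "user" or "config" (constructed names).
# Prints FAIL/WARN findings; returns 0 when no FAIL finding applies.
check_port_plan() {
    _role=$1 _port=$2 _runas=$3 _rc=0
    case $_port in
        ''|*[!0-9]*) echo "FAIL: port '$_port' is not numeric"; return 1 ;;
    esac
    if [ "$_port" -lt 1 ] || [ "$_port" -gt 65535 ]; then
        echo "FAIL: port $_port is outside 1-65535"; return 1
    fi
    # Privileged port: the server has to start as root.
    if [ "$_port" -lt 1024 ] && [ "$_runas" != root ]; then
        echo "FAIL: port $_port requires root, but instance runs as $_runas"; _rc=1
    fi
    if [ "$_port" -ge 1024 ] && [ "$_runas" = root ]; then
        echo "WARN: port $_port does not need root; run as an unprivileged user"
    fi
    # A dedicated configuration directory must leave the default ports free.
    if [ "$_role" = config ] && { [ "$_port" -eq 389 ] || [ "$_port" -eq 636 ]; }; then
        echo "FAIL: configuration directory on default port $_port"; _rc=1
    fi
    # The user directory is expected on the default ports.
    if [ "$_role" = user ] && [ "$_port" -ne 389 ] && [ "$_port" -ne 636 ]; then
        echo "WARN: user directory on non-default port $_port"
    fi
    return $_rc
}
```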

Choosing the Administration Domain

The administration domain allows you to logically group iPlanet servers together so that you can more easily distribute server administrative tasks. A common scenario is for two divisions in a company to each want control of their individual iPlanet servers. However, you may still want some centralized control of all the servers in your enterprise. Administration domains allow you to meet these conflicting goals.

Administration domains have the following qualities.

For many configurations, you can have just one administration domain. In this case, choose a name that is representative of your organization. For other configurations, you may want different domains because of the demands at your site. In the latter case, try to name your administration domains after the organizations that will control the servers in that domain.

For example, if you are an ISP and you have three customers for whom you are installing and managing iPlanet servers, create three administration domains, each named after a different customer.