This chapter discusses how to configure Sun ONE Directory Server 5.1 (formerly iPlanet Directory Server 5.1). You must complete the procedures contained in this chapter before you can go on to configure Sun ONE Directory Server for use with Solaris LDAP naming services clients.
If you are using a directory server other than the Sun ONE Directory Server, skip this chapter. See Generic Directory Server Requirements for a list of basic requirements for other directory servers when used in conjunction with Solaris LDAP naming service clients.
Sun ONE Directory Server documentation is available on Sun's docs.sun.com web site.
Refer to the following manuals for in-depth information regarding Sun ONE Directory Server 5.1 (formerly iPlanet Directory Server 5.1):
iPlanet Directory Server 5.1 Deployment Guide
iPlanet Directory Server 5.1 Installation Guide
iPlanet Directory Server 5.1 Administrator's Guide
iPlanet Directory Server 5.1 Configuration, Command, and File Reference
iPlanet Directory Server 5.1 Schema Reference
This chapter covers the following topics.
Before you begin configuring Sun ONE Directory Server, you should have an understanding of the various components and the design and configuration decisions you need to make.
To help you configure Sun ONE Directory Server, you should be familiar with the concepts contained in the following sections.
Components
Configuration Decisions
Configuration Process Overview
Configuration Privileges
The Deployment Guide for the Sun ONE Directory Server contains basic directory concepts as well as guidelines to help you design and successfully deploy your directory service.
Sun ONE Directory Server contains the following software components, which are installed by default when you install the entire Solaris disk suite.
Sun ONE Server Console
Sun ONE Server Console provides a common user interface for Sun ONE server products. From Sun ONE Server Console you can perform common server administration functions such as stopping and starting servers and installing new server instances. Sun ONE Server Console can be installed as a standalone application on any machine. You can also install it on your network and use it to manage remote servers.
Sun ONE Administration Server
Sun ONE Administration Server is a common server management module for Sun ONE servers. Administration Server receives communications from Sun ONE Server Console and passes those communications on to the appropriate Sun ONE server.
Sun ONE Directory Server
Sun ONE Directory Server is a high-performance, scalable LDAP server with an on-disk database. The Sun ONE Directory Server runs as the ns-slapd process on Solaris. This process is the server that manages the directory databases and responds to client requests. Sun ONE Directory Server is a required component.
During Directory Server configuration, you are prompted for basic information. Decide how you are going to configure these basic parameters before you begin the configuration process. You are prompted for the following information, depending on the type of configuration that you decide to perform.
Port number
Users and groups to run the server as
Your directory suffix
Several different authentication user IDs
The administration domain
Port numbers can be any number from 1 to 65535. Keep the following in mind when choosing a port number for your Sun ONE Directory Server.
The standard Sun ONE Directory Server (LDAP) port number is 389.
Port 636 is reserved for LDAP over SSL. Therefore, do not use port number 636 for your standard LDAP configuration, even if 636 is not already in use. You can also use LDAP over TLS on the standard LDAP port.
Port numbers between 1 and 1024 have been assigned to various services by the Internet Assigned Numbers Authority. Do not use port numbers below 1024 other than 389 or 636 for directory services as they will conflict with other services. Additionally, port numbers below 1024 are accessible by root only.
Sun ONE Directory Server must run as root when using either port 389 or 636.
Make sure the ports you choose are not already in use. Additionally, if you are using both LDAP and LDAPS communications, make sure the port numbers chosen for these two types of access are not identical.
If the LDAP naming service clients are using SSL encryption, you must use the default port numbers 389 and 636, so that the server runs as root. See Transport Layer Security (TLS) for more information.
For information on how to set up LDAP over SSL (LDAPS) for the Sun ONE Directory Server, see the administration guide for the version of Sun ONE Directory Server that you are using.
For security reasons, it is always best to run production servers with normal user privileges. That is, you do not want to run Directory Server with root privileges. However, you will have to run Directory Server with root privileges if you are using the default Directory Server ports. If Directory Server is to be started by Administration Server, Administration Server must run either as root or as the same user as Sun ONE Directory Server.
You must therefore decide what user accounts you will use for the following purposes.
The user and group under which you will run Sun ONE Directory Server
If you will not be running the Sun ONE Directory Server as root, it is strongly recommended that you create a user account for all Sun ONE servers. You should not use any existing operating system account, and must not use the nobody account. Also you should create a common group for the Sun ONE Directory Server files; again, you must not use the nobody group.
The user and group under which you will run Administration Server
For configurations that use the default port numbers, this must be root. However, if you use ports over 1024, then you should create a user account for all Sun ONE servers, and run Administration Server as this account.
As a security precaution, when Administration Server is run as root, shut it down when it is not in use.
You should use a common group for all Sun ONE servers, such as gid servers, to ensure that files can be shared between servers when necessary.
Before you can install Sun ONE Directory Server and Administration Server, you must make sure that the user and group accounts you use exist on your system.
As you configure Sun ONE Directory Server and Administration Server, you will be asked for various user names, distinguished names (DN), and passwords. This list of login and bind entities will differ depending on the type of configuration that you are performing.
Directory Manager DN and password
The Directory Manager DN is the special directory entry to which access control does not apply. Think of the directory manager as your directory's super user. (In former releases of Sun ONE Directory Server, the Directory Manager DN was known as the root DN).
The default Directory Manager DN is cn=Directory Manager. Because the Directory Manager DN is a special entry, the Directory Manager DN does not have to conform to any suffix configured for your Sun ONE Directory Server. Therefore, you must not manually create an actual Sun ONE Directory Server entry that has the same DN as the directory manager DN.
The Directory Manager password must be at least 8 characters long, and is limited to ASCII letters, digits, and symbols.
Consider using the same Directory Manager DN and password for all of your LDAP servers, especially if you have set the replicas to follow referrals to the master server during client add and modify operations.
Configuration Directory Administrator ID and password
The configuration directory administrator is the person responsible for managing all the Sun ONE servers accessible through Sun ONE Server Console. If you log in with this user ID, then you can administer any Sun ONE server that you can see in the server topology area of Sun ONE Server Console.
For security, the configuration directory administrator should not be the same as the directory manager. The default configuration directory administrator ID is admin.
The Administration Server User and password
You are prompted for this only during custom configurations. The Administration Server user is the special user that has all privileges for the local Administration Server. Authentication as this person allows you to administer all the Sun ONE servers stored on this server.
The Administration Server user ID and password are used only when Sun ONE Directory Server is down and you are unable to log in as the configuration directory administrator. The existence of this user ID means that you can access Administration Server and perform disaster recovery activities such as starting Sun ONE Directory Server, reading log files, and so forth.
Normally, the Administration Server user ID and password should be identical to the configuration directory administrator ID and password.
A directory suffix is the directory entry that represents the first entry in a directory tree. You need at least one directory suffix for the tree that contains your organization's data. It is common practice to select a directory suffix that corresponds to the DNS host name used by your organization. For example, if your organization uses the DNS name example.com, then select a suffix of dc=example,dc=com.
For more information on planning the suffixes for your directory service, see the deployment guide for the version of Sun ONE Directory Server that you are using.
Many Sun ONE servers, including Sun ONE Directory Server, use an instance of Sun ONE Directory Server to store configuration information. This information is stored in the o=NetscapeRoot directory tree. This directory tree does not need to be held on the same Sun ONE Directory Server as your directory data. Your configuration directory is the Sun ONE Directory Server that contains the o=NetscapeRoot.
If you are installing Sun ONE Directory Server only to support other Sun ONE servers, then that Sun ONE Directory Server is your configuration directory. If you are installing Sun ONE Directory Server to use as part of a general directory service, then you will have multiple instances of Sun ONE Directory Server installed in your organization and you must decide which one will host the configuration directory tree, o=NetscapeRoot. You must make this decision before you install any Sun ONE servers (including Sun ONE Directory Server).
For ease of upgrades, you should use a Sun ONE Directory Server instance that is dedicated to supporting the o=NetscapeRoot tree; this server instance should perform no other function with regard to managing your enterprise's directory data. Also, do not use port 389 for this server instance because doing so could prevent you from installing a Sun ONE Directory Server on that host that can be used for management of your organization's directory data.
Because the configuration directory normally experiences very little traffic, you can allow its server instance to coexist on a machine with another more heavily loaded Sun ONE Directory Server instance. However, for very large sites that are installing a large number of Sun ONE servers, you may want to dedicate a low-end machine to the configuration directory so as to not hurt the performance of production servers. Sun ONE server configurations result in write activities to the configuration directory. For large enough sites, this write activity could result in a short-term performance hit to your other directory activities.
Also, as with any directory configuration, consider replicating the configuration directory to increase availability and reliability. For information about using replication to increase directory availability, refer to the deployment guide for the version of Sun ONE Directory Server that you are using.
If the configuration directory tree is corrupted, you might need to reinstall all other Sun ONE servers that are registered in that configuration directory. Remember the following guidelines when dealing with the configuration directory.
Always back up your configuration directory after you install a new Sun ONE server.
Never change the host name or port number used by the configuration directory.
Never directly modify the configuration directory tree. Only the setup program for the various Sun ONE servers should ever modify the configuration.
Just as the configuration directory is the Directory Server instance used for server administration, the user directory is the Directory Server instance containing entries for users and groups in your organization. You cannot install a user directory until you have installed a configuration directory somewhere on your network.
The configuration directory can reside on the same Directory Server instance as the user directory. However, for most directory configurations, the user directory and the configuration directory should be two separate server instances. These server instances can be installed on the same machine. For best results, however, consider placing the configuration directory on a separate machine.
Between your user directory and your configuration directory, it is your user directory that will receive the overwhelming percentage of the directory traffic. For this reason, you should give the user directory the greatest computing resources. Because the configuration directory should receive very little traffic, it can be installed on a machine with very low-end resources.
Also, you should use the default directory ports (389 and 636) for the user directory. If your configuration directory is managed by a server instance dedicated to that purpose, you should use some non-standard port for the configuration directory.
The administration domain allows you to logically group Sun ONE servers together so that you can more easily distribute server administrative tasks. A common scenario is for two divisions in a company to want control of their individual Sun ONE servers. However, you may still want some centralized control of all the servers in your enterprise. Administration domains allow you to meet these conflicting goals.
Administration domains have the following qualities.
All servers share the same configuration directory, regardless of the domain to which they belong
Servers in two different domains may use two different user directories for authentication and user management
The configuration directory administrator has complete access to all installed Sun ONE servers, regardless of the domain to which they belong
Each administration domain can be configured with an administration domain owner. This owner has complete access to all the servers in the domain but does not have access to the servers in any other administration domain
The administration domain owner can grant individual users administrative access on a server by server basis within the domain
For many configurations, you can have just one administration domain. In this case, choose a name that is representative of your organization. For other configurations, you may want different domains because of the demands at your site. In the latter case, try to name your administration domains after the organizations that control the servers in that domain.
For example, if you are an ISP with three customers for whom you are installing and managing Sun ONE servers, create three administration domains each named after a different customer.
The configuration process involves the following steps:
Plan your directory service. By planning your directory tree in advance, you can design a service that is easy to manage and scale as your organization grows. For guidance on planning your directory service, refer to the deployment guide for the version of Sun ONE Directory Server that you are using.
Select the Sun ONE Directory Server configuration method you prefer to use. See Selecting a Directory Server Configuration Method for a list of Sun ONE Directory Server configuration methods.
Configure Sun ONE Directory Server as described in this chapter.
(Optional) Set up the Sun ONE Administration Server and Sun ONE Server Console. For Sun ONE Directory Server 5.1, Sun ONE Administration Server and Sun ONE Server Console are set up during the directory server installation process.
Create the directory suffixes and databases. You do not have to populate your directory now. You should, however, create the basic structure for your tree, including all major roots and branch points. For information about the different methods of creating a directory entry, refer to the administration guide for the version of Sun ONE Directory Server that you are using.
Create additional Sun ONE Directory Server instances and set up replication agreements between the instances to ensure availability of your data. For information about creating additional Directory Server instances and setting up replication agreements, refer to the administration guide for the version of Sun ONE Directory Server that you are using.
You can configure Sun ONE Directory Server software using one of the three different configuration methods supported by the configuration program.
Express configuration
Use this method if you are installing for the purposes of evaluating or testing Sun ONE Directory Server.
Typical configuration
Use this method if you are performing a normal install of Sun ONE Directory Server.
Custom configuration
In Sun ONE Directory Server, the custom configuration process is very similar to the typical configuration process. The main difference is that the custom configuration process allows you to import an LDIF file to initialize the user directory database that is created by default.
By preparing information in advance, you can complete the configuration process more quickly. Before configuring the servers, consider creating a worksheet to hold the installation information, as summarized for a typical installation in Table 11–1.
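The following preflight script is an added example, not part of the Sun documentation: it checks worksheet values against the rules stated in this chapter (port ranges, the 389/636 and LDAP-versus-LDAPS constraints, the root requirement for privileged ports, a fully qualified host name and the default suffix derived from it, the no-period server identifier, the Directory Manager password rules, and the rule that the server account must exist and must not be nobody). The function names are hypothetical and getent is assumed to be available.

```sh
#!/bin/sh
# Preflight checks for a Sun ONE Directory Server 5.1 configuration worksheet.
# Added example, not part of the Sun documentation. Every function returns 0
# when the value meets the rule stated in this chapter and 1 otherwise.

# LDAP and LDAPS ports: 1-65535, distinct, no privileged port except 389/636,
# and 636 never used for plain LDAP.
check_ports() {
  ldap=$1; ldaps=$2
  for p in "$ldap" "$ldaps"; do
    case $p in ''|*[!0-9]*) echo "port '$p' is not a number" >&2; return 1;; esac
    if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
      echo "port $p is outside 1-65535" >&2; return 1
    fi
    if [ "$p" -lt 1024 ] && [ "$p" -ne 389 ] && [ "$p" -ne 636 ]; then
      echo "port $p is assigned to another service by IANA" >&2; return 1
    fi
  done
  if [ "$ldap" -eq 636 ]; then
    echo "port 636 is reserved for LDAP over SSL" >&2; return 1
  fi
  if [ "$ldap" -eq "$ldaps" ]; then
    echo "LDAP and LDAPS ports must differ" >&2; return 1
  fi
  return 0
}

# A port below 1024 means ns-slapd (and Administration Server, if it starts
# the directory) must run as root.
needs_root() { [ "$1" -lt 1024 ]; }

# The host name must be fully qualified; the default suffix is derived from
# its DNS domain: phonebook.example.com -> dc=example,dc=com
default_suffix() {
  case $1 in *.*) ;; *) echo "'$1' is not fully qualified" >&2; return 1;; esac
  echo "${1#*.}" |
    awk -F. '{ s = ""; for (i = 1; i <= NF; i++) s = s (i > 1 ? "," : "") "dc=" $i; print s }'
}

# The server identifier names the slapd-<identifier> directory; no periods.
check_identifier() { case $1 in ''|*.*) return 1;; *) return 0;; esac; }

# Directory Manager password: at least 8 characters, ASCII letters, digits
# and symbols only (checked byte-wise in the C locale).
check_dm_password() {
  [ "${#1}" -ge 8 ] || return 1
  if printf '%s' "$1" | LC_ALL=C grep -q '[^!-~]'; then return 1; fi
  return 0
}

# Server user and group: must exist and must not be nobody (getent assumed).
check_account() {
  [ "$1" != nobody ] && [ "$2" != nobody ] || return 1
  getent passwd "$1" >/dev/null && getent group "$2" >/dev/null
}

# Check a whole worksheet in one go; prints the derived default suffix.
# Arguments: fqdn ldap_port ldaps_port identifier dm_password user group
preflight() {
  check_ports "$2" "$3" && check_identifier "$4" && check_dm_password "$5" \
    && check_account "$6" "$7" && default_suffix "$1"
}
```

Run it with the worksheet values, for example `preflight phonebook.example.com 389 636 phonebook 'Secr3t!pw' ldapuser servers`; a non-zero exit and a message on stderr identify the first value that breaks a rule.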
You can choose between the following configuration methods for Sun ONE Directory Server 5.1:
Express configuration
Typical configuration
Custom configuration
See Selecting a Directory Server Configuration Method for details about each configuration method.
Use express configuration if you are installing Sun ONE Directory Server 5.1 to evaluate or test the product. Because express configuration does not offer you the choice of selecting your server port number or your directory suffix, you should not use it for production configurations. To perform an express configuration, do the following.
Become superuser.
Run the Sun ONE Directory Server 5.1 program by typing the following.
# /usr/sbin/directoryserver setup
When you are prompted for what you want to install, press Enter for [the default] Sun ONE servers.
When you are prompted for the type of configuration, choose Express.
For the user and group to run the servers as, enter the identity that you want this server to run as.
For Configuration Directory Administrator ID and password, enter the name and password that you will log in as when you want to authenticate to the console with full privileges. Think of this as the root or superuser identity for the Sun ONE Server Console.
The server is then minimally configured and started. You are told the host and port number on which the Administration Server is listening.
Note the following about your new Sun ONE Directory Server 5.1 configuration.
Sun ONE Directory Server 5.1 is listening on port 389
The server is configured to use the following suffixes
dc=your_machine's_DNS_domain_name
That is, if your machine is named test.example.com, then you have the suffix dc=example,dc=com configured for this server.
o=NetscapeRoot
Do not modify the contents of the directory under the o=NetscapeRoot suffix. Either create data under the first suffix, or create a new suffix to be used for this purpose. For details on how to create new suffixes for your Sun ONE Directory Server 5.1, see the Sun ONE Directory Server 5.1 Administrator's Guide.
Most first time configurations of Sun ONE Directory Server 5.1 can be performed using the Typical option of the setup program.
Become superuser.
Run the Sun ONE Directory Server 5.1 program.
# /usr/sbin/directoryserver setup
When you are prompted for what you want to install, press Enter for [the default] Sun ONE Servers.
When you are prompted for Directory Suite and Administration Services, press Enter to select all [the default].
Press Enter to select all Directory Suite components.
Press Enter to select all Administration components.
When prompted for the hostname, select the default [the host] or enter an alternative fully qualified domain name.
Note that the default hostname may be incorrect if the installer cannot locate a DNS name for your system. For example, you might not have a DNS name if your system uses NIS. The hostname must be a fully qualified host and domain name. If the default hostname is not a fully qualified host and domain name, configuration will fail.
The setup program then asks you for the System User and the System Group names. Enter the identity under which you want the servers to run.
For the configuration directory, select the default if this directory will host your o=NetscapeRoot tree. Otherwise, enter Yes. You will then be asked for the contact information for the configuration directory.
If the server you are currently installing is not the configuration directory, then the configuration directory must exist before you can continue this configuration.
The setup program then asks if the server you are currently installing will be the one for your user data. For most cases, you can select the default. However, if you intend this server instance to be used as a configuration directory only, then you should enter Yes.
For the Sun ONE Directory Server 5.1 port, select the default (389) unless you already have another application using that port.
For the Sun ONE Directory Server 5.1 Identifier, enter a unique value (normally the default is sufficient).
This value is used as part of the name of the directory in which the Sun ONE Directory Server 5.1 instance is installed. For example, if your machine's host name is phonebook, then this name is the default and selecting it will cause the Sun ONE Directory Server 5.1 instance to be installed into a directory labeled slapd-phonebook.
The Sun ONE Directory Server 5.1 identifier must not contain a period. For example, example.server.com is not a valid server identifier name.
For Configuration Directory Administrator ID and password, enter the name and password that you will log in as when you want to authenticate to the console with full privileges.
For a directory suffix, enter a distinguished name meaningful to your enterprise.
This string is used to form the name of all your organization's directory entries. Therefore, pick a name that is representative of your organization. It is recommended that you pick a suffix that corresponds to your internet DNS name.
For example, if your organization uses the DNS name example.com, then enter dc=example,dc=com here.
For Directory Manager DN, enter the distinguished name that you will use when managing the contents of your directory with unlimited privileges.
Any Distinguished Names must be entered in the UTF-8 character set encoding. Older encodings such as ISO-8859-1 are not supported.
In former releases of Sun ONE Directory Server 5.1, the Directory Manager was known as the root DN. This is the entry that you bind to the directory as when you want access control to be ignored. This distinguished name can be short and does not have to conform to any suffix configured for your directory. However, it should not correspond to an actual entry stored in your directory.
For the Directory Manager password, enter a value that is at least 8 characters long.
For Administration Domain, enter the domain that you want this server to belong to.
The name you enter should be a unique string that is descriptive of the organization responsible for administering the domain.
For the administration port number, enter a value that is not in use (for example, you might want to use the value 5100 to indicate Sun ONE Directory Server 5.1). Be sure to record this value somewhere you can remember.
For the user you want to run Administration Server as, enter root, the default.
The server is then minimally configured, and started. You are told what host and port number Administration Server is listening on. The server is configured to use the following suffixes.
The suffix that you configured
o=NetscapeRoot
Do not modify the contents of the directory under the o=NetscapeRoot suffix. Either create data under the first suffix, or create a new suffix to be used for this purpose. For details on how to create new suffixes for your Sun ONE Directory Server 5.1, see the Sun ONE Directory Server 5.1 Administrator's Guide.