iPlanet Directory Access Router Installation Guide



Chapter 1   Preparing for Installation


Before you begin installing iPlanet Directory Access Router (iDAR), you should have installed an iPlanet 5.0 or higher configuration directory.

We also recommend that you have an understanding of the various iDAR components and the design and configuration decisions you need to make.

To help you prepare for your iDAR installation, you should be familiar with the concepts covered in the remaining sections of this chapter, and with the iPlanet Directory Server Deployment Guide, which contains basic directory concepts as well as guidelines to help you design and successfully deploy your directory service. Be sure you understand the concepts presented in that manual before proceeding with the installation process.



Note: iDAR requires that an instance of iPlanet Directory Server 4.13 or later is already installed and accessible on the network.





Installation Components



iDAR contains the following software components:

  • iPlanet Console—iPlanet Console provides the common user interface for all iPlanet directory-related server products. From it you can perform common server administration functions such as stopping and starting servers, installing new server instances, and managing user and group information. iPlanet Console can be installed as a standalone application on any machine. You can also install it on your network and use it to manage remote servers.

  • iPlanet Administration Server—iPlanet Administration Server is a common front-end to all iPlanet servers. It receives communications from iPlanet Console and passes those communications on to the appropriate iPlanet server. Your site will have at least one Administration Server for each server root in which you have installed an iPlanet server.

  • iPlanet Directory Access Router (iDAR)—An LDAP gateway that routes requests from the client to Directory Server. iDAR runs as a daemon process (UNIX system) or service (Windows NT system).



Configuration Decisions

During iDAR installation, you are prompted for basic configuration information. Decide how you are going to configure these basic parameters before you begin the installation process. You are prompted for some or all of the following information, depending on the type of installation that you decide to perform:


Choosing Unique Port Numbers

Port numbers can be any number from 1 to 65535. Keep the following in mind when choosing port numbers for your iDAR:

  • The standard iDAR (LDAP) port number is 389.

  • Port 636 is reserved for LDAP over SSL (LDAPS). Therefore, do not use port 636 for your standard LDAP listener, even if 636 is not already in use. You can also run LDAP over TLS on the standard LDAP port (StartTLS), which negotiates TLS on the plain LDAP port instead of using a separate port.

  • Port numbers below 1024 (1 through 1023) have been assigned to various services by the Internet Assigned Numbers Authority. Do not use port numbers below 1024 other than 389 or 636 for directory services, as they will conflict with those assigned services.

  • On UNIX platforms, only root can bind to ports below 1024, so iDAR must be started as root if it will listen on port 389 or 636 (or on any other port below 1024).

  • On Windows NT, the iDAR service must have administrative privileges if it will use port 389 or 636.

  • Make sure the ports you choose are not already in use (for example, check the listening sockets with netstat -an before you install). Additionally, if you are using both LDAP and LDAPS communications, make sure the port numbers chosen for these two types of access are not identical.

For information on how to set up LDAP over SSL (LDAPS) for iDAR, check the iDAR Administrator's Guide.
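The checks above, and the root requirement restated under "Installation Privileges", can be applied to a planned port assignment before the setup program is started. The following script is an added example and is not part of the iDAR guide or product; the function names are hypothetical, the port rules are taken from this section, and only idar_port_in_use reads anything from the system (the netstat listener table).

```shell
#!/bin/sh
# Added example, not part of the iDAR guide: sanity-checks a planned pair of
# iDAR listener ports against the rules in "Choosing Unique Port Numbers" and
# "Installation Privileges". All function names are hypothetical. Only
# idar_port_in_use reads anything from the system (netstat output).

# idar_port_ok LDAP_PORT LDAPS_PORT
# Prints every rule the plan violates; returns 0 only if none is violated.
idar_port_ok() {
    ldap=$1
    ldaps=$2
    rc=0
    for p in "$ldap" "$ldaps"; do
        case $p in
            ''|*[!0-9]*) echo "port '$p' is not a number"; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port $p is outside 1-65535"; return 1
        fi
    done
    # 636 is reserved for LDAP over SSL even when nothing listens on it yet.
    if [ "$ldap" -eq 636 ]; then
        echo "the plain LDAP listener must not use 636 (reserved for LDAPS)"; rc=1
    fi
    # LDAP and LDAPS must not share a port.
    if [ "$ldap" -eq "$ldaps" ]; then
        echo "LDAP port and LDAPS port must differ"; rc=1
    fi
    # Below 1024 only the IANA-assigned directory ports are acceptable.
    for p in "$ldap" "$ldaps"; do
        if [ "$p" -lt 1024 ] && [ "$p" -ne 389 ] && [ "$p" -ne 636 ]; then
            echo "port $p belongs to another assigned service; use 389/636 or 1024 and above"; rc=1
        fi
    done
    return $rc
}

# idar_needs_root LDAP_PORT LDAPS_PORT
# True when either listener is below 1024: on UNIX iDAR, and any
# Administration Server that starts it, must then run as root.
idar_needs_root() {
    [ "$1" -lt 1024 ] || [ "$2" -lt 1024 ]
}

# idar_port_in_use PORT
# True when a listener already exists on PORT. Matches both the Solaris
# ("*.389") and the Linux ("0.0.0.0:389") netstat address formats.
idar_port_in_use() {
    netstat -an 2>/dev/null | grep LISTEN | grep -q "[.:]$1[[:space:]]"
}

# Usage: sh idar_ports.sh LDAP_PORT LDAPS_PORT
if [ $# -eq 2 ]; then
    idar_port_ok "$1" "$2" || exit 1
    for p in "$1" "$2"; do
        if idar_port_in_use "$p"; then
            echo "port $p is already in use on this host"
        fi
    done
    if idar_needs_root "$1" "$2"; then
        echo "plan uses a port below 1024: install and run iDAR as root"
    else
        echo "plan uses only unprivileged ports: run iDAR as a dedicated non-root user"
    fi
fi
```

Run it as `sh idar_ports.sh 389 636` for the default ports or, for example, `sh idar_ports.sh 1389 1636` for a non-root installation. The in-use check is only as good as the moment it runs; a port that is free now can be taken by another service before iDAR starts, so it complements rather than replaces a site port register.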


Creating a New Server Root

Your server root is the directory where you install your iPlanet servers. The server root must meet the following requirements:

  • The server root must be a directory on a local disk drive; you cannot use a networked drive for installation purposes. Network file-sharing protocols such as AFS, NFS, and SMB do not provide suitable performance for iDAR's logging.

  • The server root directory must not be the same as the directory from which you are running the setup program.

By default, the server root directory is one of the following:

  • /usr/iplanet/servers (on UNIX systems)

  • c:\iplanet\servers (on Windows NT systems)


Deciding the User and Group for Your iDAR (UNIX Only)

For security reasons, it is always best to run UNIX-based production servers with normal user privileges. That is, you do not want to run iDAR with root privileges. However, you will have to run iDAR with root privileges if you are using the default directory ports (389 and 636), because only root can bind to ports below 1024. If iDAR is to be started by Administration Server, Administration Server must run either as root or as the same user as iDAR.

You must therefore decide what user accounts you will use for the following purposes:

  • The user and group under which you will run iDAR.

    If you will not be running iDAR as root, it is strongly recommended that you create a dedicated user account for the iPlanet servers. Do not reuse an existing operating system account, and do not use the nobody account: nobody is shared by other unprivileged services on the host, so file ownership and process isolation would be blurred. Likewise, create a dedicated group for the iDAR files; again, do not use the nobody group.

  • The user and group under which you will run Administration Server.

    For installations that use the default port numbers, this must be root. However, if you use ports of 1024 or higher, then you should create a user account for all iPlanet servers, and run Administration Server as this account.

    As a security precaution, when Administration Server is being run as root, it should be shut down when it is not in use.

You should use a common group for all iPlanet servers to ensure that files can be shared between servers when necessary.

Before you can install iDAR and Administration Server, you must make sure that the user and group accounts you will use exist on your system.
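The account decisions in this section can be checked on the target host before the setup program is run. The script below is an added example and is not part of the iDAR guide or product: the function names are hypothetical, the list of system accounts beyond root and nobody is an assumption, and the sample names idar and iplanet in the comments are placeholders. It creates nothing; it only reports whether a planned user and group are acceptable and already exist.

```shell
#!/bin/sh
# Added example, not part of the iDAR guide: checks the user and group chosen
# for iDAR against "Deciding the User and Group for Your iDAR". The account
# name "idar" and group "iplanet" used in the comments are assumptions; the
# function names are hypothetical. Nothing here creates accounts.

# Existing operating-system accounts the guide says not to reuse (root and
# nobody explicitly; the others are the usual system accounts, an assumed list).
IDAR_SYSTEM_ACCOUNTS="root nobody daemon bin sys adm lp uucp"

# idar_account_name_ok NAME
# Returns 0 for a plausible dedicated account or group name (lowercase
# letters, digits, underscore and dash only; no system account).
idar_account_name_ok() {
    case $1 in
        ''|*[!a-z0-9_-]*) return 1 ;;
    esac
    for sys in $IDAR_SYSTEM_ACCOUNTS; do
        [ "$1" = "$sys" ] && return 1
    done
    return 0
}

# idar_user_exists NAME / idar_group_exists NAME
# Existence checks; getent is used where available, /etc/group otherwise.
idar_user_exists() {
    id "$1" >/dev/null 2>&1
}
idar_group_exists() {
    getent group "$1" >/dev/null 2>&1 || grep -q "^$1:" /etc/group 2>/dev/null
}

# idar_account_plan_ok LOWEST_PORT USER GROUP
# Ties the account choice to the port choice: with any listener below 1024
# the server must run as root; otherwise it must run as a dedicated account
# that already exists and is neither root, nobody nor a system account.
idar_account_plan_ok() {
    port=$1; user=$2; group=$3
    if [ "$port" -lt 1024 ]; then
        [ "$user" = root ] || { echo "port $port requires running as root"; return 1; }
        return 0
    fi
    idar_account_name_ok "$user"  || { echo "user '$user' is root, nobody or a system account"; return 1; }
    idar_account_name_ok "$group" || { echo "group '$group' is root, nobody or a system group"; return 1; }
    idar_user_exists "$user"      || { echo "user '$user' does not exist yet; create it first"; return 1; }
    idar_group_exists "$group"    || { echo "group '$group' does not exist yet; create it first"; return 1; }
    echo "run iDAR as $user:$group"
    return 0
}

# Usage: sh idar_account.sh LOWEST_PORT USER GROUP
# To create the dedicated accounts first (Solaris/Linux syntax, assumed):
#   groupadd iplanet
#   useradd -g iplanet -d /usr/iplanet/servers -s /bin/false idar
if [ $# -eq 3 ]; then
    idar_account_plan_ok "$1" "$2" "$3" || exit 1
fi
```

Giving the service account a non-login shell, as in the commented useradd line, keeps the account usable for running the daemon while preventing interactive logins with it; that is the usual complement to the guide's advice not to share the account with anything else.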


Defining Authentication Entities

As you install iDAR and Administration Server, you will be asked for user names and passwords. This list of login and bind entities will differ depending on the type of installation that you are performing:

  • Configuration Directory Administrator ID and password.

    The configuration directory administrator is the person responsible for managing all the iPlanet servers accessible through iPlanet Console. If you log in with this user ID, then you can administer any iPlanet server that you can see in the server topology area of iPlanet Console.

    For security, the configuration directory administrator should not be the same as the directory manager, the unrestricted root DN of the Directory Server that bypasses access control. The default configuration directory administrator ID is admin.


Determining the Location of the Configuration Directory

Many iPlanet servers, including iDAR, use an instance of iPlanet Directory Server to store configuration information. This information is stored in the o=NetscapeRoot directory tree. Your configuration directory is the Directory Server that contains the o=NetscapeRoot tree used by your iPlanet servers.

For ease of upgrades, you should use a Directory Server instance that is dedicated to supporting the o=NetscapeRoot tree; this instance should perform no other function with regard to managing your enterprise's directory data.

Because the configuration directory normally experiences very little traffic, you can allow its server instance to coexist on a machine with an iDAR instance. However, for very large sites that are installing a large number of iPlanet servers, you may want to dedicate a low-end machine to the configuration directory so as to not hurt the performance of your other production servers.

Also, as with any directory installation, consider replicating the configuration directory to increase availability and reliability. See the iPlanet Directory Server Deployment Guide for information on using replication and DNS round robins to increase directory availability.



Caution

Corrupting the configuration directory tree can force you to reinstall every iPlanet server registered in that configuration directory. Remember the following guidelines when dealing with the configuration directory:

  • Always back up your configuration directory after you install a new iPlanet server.

  • Never change the host name or port number used by the configuration directory.

  • Never directly modify the configuration directory tree. Only the setup program for the various iPlanet servers should ever modify the configuration.
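One way to follow the first guideline is to export the o=NetscapeRoot tree to LDIF after each server installation and to verify the export before keeping it. The script below is an added example and is not part of the iDAR guide or product. It uses the iPlanet Directory Server ldapsearch command; the path under the default server root, the host, port, bind DN and the handling of the password are assumptions, and the function names are hypothetical. The export is a read-only search, so it does not modify the configuration directory.

```shell
#!/bin/sh
# Added example, not part of the iDAR guide: exports the o=NetscapeRoot tree
# of the configuration directory to an LDIF file after an iPlanet server has
# been installed, then checks the export before it is kept as the backup.
# The export is a read-only search, so it does not modify the configuration
# directory. Host, port, bind DN, password handling and the ldapsearch path
# are assumptions; the function names are hypothetical.

# Path of the iPlanet Directory Server command-line ldapsearch (assumed
# location under the default UNIX server root; override via LDAPSEARCH).
LDAPSEARCH=${LDAPSEARCH:-/usr/iplanet/servers/shared/bin/ldapsearch}

# idar_backup_config HOST PORT BINDDN PASSWORD OUTFILE
# Writes every entry under o=NetscapeRoot to OUTFILE in LDIF.
# Caveat: a password given on the command line is visible to other users via
# ps while ldapsearch runs; run this as the server account on a trusted host.
idar_backup_config() {
    "$LDAPSEARCH" -h "$1" -p "$2" -D "$3" -w "$4" \
        -b "o=NetscapeRoot" -s sub "(objectclass=*)" > "$5"
}

# idar_ldif_entries FILE
# Prints the number of entries (lines beginning with "dn:") in FILE.
idar_ldif_entries() {
    grep -c '^dn:' "$1"
}

# idar_ldif_check FILE
# Returns 0 if FILE is a plausible export of the configuration tree: it is
# not empty, the suffix entry o=NetscapeRoot is present, and at least one
# entry lies below it (the installed servers register themselves there).
idar_ldif_check() {
    f=$1
    [ -s "$f" ] || { echo "$f: empty export (bind or search failed?)"; return 1; }
    grep -qi '^dn: *o=netscaperoot *$' "$f" \
        || { echo "$f: suffix entry o=NetscapeRoot missing"; return 1; }
    n=$(idar_ldif_entries "$f")
    [ "$n" -gt 1 ] || { echo "$f: only the suffix entry was exported"; return 1; }
    echo "$f: $n entries"
    return 0
}

# Usage: sh idar_backup.sh HOST PORT BINDDN PASSWORD OUTFILE
if [ $# -eq 5 ]; then
    idar_backup_config "$1" "$2" "$3" "$4" "$5" && idar_ldif_check "$5"
fi
```

Keep the resulting LDIF file with the same care as the directory manager password: it contains the registration data for every server in the configuration directory, and anyone who can alter it can alter what a later restore writes back.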




Determining the Administration Domain

The administration domain allows you to logically group iPlanet servers together so that you can more easily distribute server administrative tasks. A common scenario is for two divisions in a company to each want control of their individual iPlanet servers. However, you may still want some centralized control of all the servers in your enterprise. Administration domains allow you to meet these conflicting goals.

Administration domains have the following qualities:

  • All servers share the same configuration directory, regardless of the domain to which they belong.

  • Servers in two different domains may use two different user directories for authentication and user management.

  • The configuration directory administrator has complete access to all installed iPlanet servers, regardless of the domain to which they belong.

  • Each administration domain can be configured with an administration domain owner. This owner has complete access to all the servers in the domain but does not have access to the servers in any other administration domain.

  • The administration domain owner can grant individual users administrative access on a server by server basis within the domain.

For many installations, you can have just one administration domain. In this case, choose a name that is representative of your organization. For other installations, you may want different domains because of the demands at your site. In the latter case, try to name your administration domains after the organizations that will control the servers in that domain.

For example, if you are an ISP and you have three customers for whom you are installing and managing iPlanet servers, create three administration domains each named after a different customer.



Installation Process Overview



You can use one of several installation processes to install iDAR. Each one guides you through the installation process and ensures that you install the various components in the correct order.

The following sections outline the installation processes available, how to upgrade from an earlier release of iDAR, and how to unpack the software to prepare for installation.


Selecting an Installation Process

You can install iDAR software using one of the three installation methods provided in the setup program:

  • Typical Installation. Use this if you are performing a normal install of iDAR. Typical installation is described in Chapter 3 "Using Typical Installation."

  • Custom Installation. In iDAR 5.0, the custom installation process is very similar to the typical installation process. The only difference is that the custom installation process allows finer control over Administration Server configuration and the ability to suppress the installation of iDAR's services on Windows NT installations.

  • Silent Installation. Use this if you want to script your installation process. This is especially useful for installing multiple consumer servers around your enterprise. Silent install is described in Chapter 4 "Silent Installation."


Unpacking the Software

If you have obtained iDAR software from the iPlanet web site, you will need to unpack it before beginning installation.

  1. Create a new directory for the installation:

    # mkdir idar5

    # cd idar5

  2. Download the product binaries file to the installation directory.

  3. On a UNIX system, unpack the product binaries file using the following command:

    # gzip -dc file_name.tar.gz | tar -xvof -

    where file_name corresponds to the product binaries that you want to unpack.

    On a Windows NT system, unzip the product binaries.



Installation Privileges

On UNIX systems, you must install as root if you choose to run the server on a port below 1024, such as the default LDAP ports 389 and 636 (LDAP over SSL). If you choose port numbers of 1024 or higher, you can install using any valid UNIX login.

On Windows NT systems, you must run the installation as administrator.


Copyright © 2001 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.

Last Updated July 26, 2001