Setting Up a Pure Proxy

In this section we will describe a generic configuration of a pure message access proxy. Details, such as where in relation to the firewall your proxy is placed or the configuration of a round-robin DNS server for a multiple proxy setup, will not be described.

After the proxy is installed, it needs to be configured with the SIMS LDAP directory before it can be operational. The proxy uses the directory to authenticate users and forward requests to the appropriate server. The proxy directory must be designated as a replicated slave to the master SIMS directory located on one of the mail servers. This is depicted in FIGURE A-5.


Note - IMPORTANT! The master and slave server must have the same replication configuration for the updates to work properly. It is also required that the master and slave have the same schema since replication between servers with dissimilar schemas may lead to unpredictable results. Also, slapdrepl must be run on the system with the master server if it is to be replicated. See the SIMS Reference Manual.

FIGURE  A-5 Proxy Mail System Showing Master to Slave Directory Updates


 

To Configure the Proxy Slave and Master Directories

This section describes how to configure the message access proxy server with a replicated LDAP directory slave server, and how to specify to the LDAP directory master server that it has another slave server to support. In this example the fully qualified proxy hostname is slave1.eng.adagio.com. The master LDAP directory server is called master.eng.adagio.com.

  1. Access the SIMS Proxy LDAP Server Admin Console.
  On a HotJava browser, go to http://<proxy_hostname>/sims
  Log on with your login name (default: admin) and password (default: secret). The SIMS proxy LDAP Server property book appears.

FIGURE  A-6 SIMS Proxy Directory Interface

  2. Click on Data Store.
  Directory information is organized in a tree structure called the Directory Information Tree (DIT). A naming context refers to a particular branch or subtree of the DIT. A data store is where directory information is stored in naming contexts.
 

FIGURE  A-7 Proxy Data Store

  3. Double click the data store name (o=adagio,c=US) to bring up the data store property book. Then click on the Naming Contexts section.
 

FIGURE  A-8 Proxy Naming Contexts

  Although two naming contexts are shown, they actually refer to the same subtree. The top naming context in the figure above is called the OSI tree and the one below is called the Domain Component tree, and they are mapped to each other. The reason for having two naming contexts referring to the same subtree has to do with dual standards. You must configure both as slaves if they are not already configured as such.
  4. Modify the naming contexts to be slaves.
 

FIGURE  A-9 Proxy Modify Naming Context Window

  Subtree type should be left as subtree and the suffix should be left as o=adagio,c=us. Change the mode to Slave. Next to Referral hostname, type in the fully qualified name of the host on which the master server runs.
  Update DN is the distinguished name of the user as which the master server will log in to the slave server to modify entries. This DN must have the appropriate ACL to modify entries in the specified suffix of the slave server. Remember this DN because you will have to enter it when you configure the master server, which must be configured to update this new slave. The example shows that Update DN is set to cn=admin,o=adagio,c=us. After making all changes, press OK to save.
  Now double click the second naming context (Domain Component subtree). In the Modify Naming Context window, repeat the above steps for the Domain Component subtree (naming context: dc=adagio,dc=com). After making both naming contexts slaves, press Apply on the property book. The directory server on the proxy-only system is now set up as a slave.
  The next step is to set up a new replica on the master LDAP server. Many of the steps are similar to setting up the proxy as a slave directory.
  5. On a HotJava browser, go to the Naming Context section of the Data Store property book on the LDAP master host.
  Load http://<master_hostname>/sims. Log on with your login name (default: admin) and password (default: secret).
  a. Click on the Sun Directory Services icon.
  b. From the property book, select the Data Store section and double click on the "o=adagio,c=us" naming context.
  6. Create a directory replica.
 

FIGURE  A-10 Add an LDAP Replica from Master Server Admin Console

  Select Subtree and fill in the subtree that you want to replicate to the slave server slave1.eng.adagio.com. In our example, we are replicating the entire directory, so type "o=adagio,c=us" in the subtree field. Select All attributes. In the Host field, enter the fully qualified domain name of the slave server, slave1.eng and the port number on which the slave LDAP server is listening (default=389). The Update DN field should contain the same Update DN that you entered on the slave server (in this example cn=admin,o=adagio,c=us). The password must be the password for the Update DN on the slave. This is the password used by the master server to make updates to the slave server, so make sure that this DN has the appropriate access control permissions for making the changes to the slave.
  Since you need updates to both the OSI tree and the Domain Component tree, define another replica, this time entering dc=adagio,dc=com in the subtree field.
 

FIGURE  A-11 Applying Modifications to the Data Store.

  7. Execute slapdrepl(1M) on the system with the master server if it has never been executed on this server before.
  This command puts the master and replica data stores in the same state so that the replica can receive replication updates from the master. slapdrepl(1M) creates an initial replication file and populates the replica using slurpd. See the SIMS Reference Manual.
  8. Synchronize the replica and set synchronization schedule.
 

FIGURE  A-12 Applying Modifications to the Data Store.

  At Replica Synchronization, above the Naming Context table, select "immediate" for immediate updates (every time an entry is modified, added, or deleted, the change is sent to the slave) or if you choose Delayed, specify a schedule for the updates. You can also perform a complete synchronization of the master with the slave by pressing the "synchronize" button.
  9. When synchronization occurs, the proxy is operational.
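The Note at the start of this section and steps 4 and 6 require the slave's naming contexts and the master's replicas to agree (same subtrees, same Update DN, slave host and port, referral to the master). The following added example, which is not SIMS code, checks that agreement over a constructed configuration; the dataclass fields, the hosts and the DNs are assumptions modelled on the example names used in the text.

```python
from dataclasses import dataclass

@dataclass
class NamingContext:          # one naming context as configured on the slave (proxy)
    suffix: str
    mode: str                 # "Master" or "Slave"
    referral_host: str        # host entered next to "Referral hostname"
    update_dn: str

@dataclass
class Replica:                # one replica as defined on the master server
    subtree: str
    host: str
    port: int
    update_dn: str

def norm_dn(dn):
    """Compare DNs case-insensitively and ignoring spaces after commas."""
    return ",".join(p.strip() for p in dn.lower().split(","))

def check_replication(master_host, slave_host, slave_port, contexts, replicas):
    """Return a list of mismatches; an empty list means master and slave agree."""
    problems = []
    by_subtree = {norm_dn(r.subtree): r for r in replicas}
    for ctx in contexts:
        if ctx.mode.lower() != "slave":
            problems.append(f"{ctx.suffix}: mode is {ctx.mode}, expected Slave")
        if ctx.referral_host.lower() != master_host.lower():
            problems.append(f"{ctx.suffix}: referral host is not {master_host}")
        rep = by_subtree.get(norm_dn(ctx.suffix))
        if rep is None:
            problems.append(f"{ctx.suffix}: no replica for this subtree on the master")
            continue
        if (rep.host.lower(), rep.port) != (slave_host.lower(), slave_port):
            problems.append(f"{ctx.suffix}: replica targets {rep.host}:{rep.port}")
        if norm_dn(rep.update_dn) != norm_dn(ctx.update_dn):
            problems.append(f"{ctx.suffix}: Update DN differs between master and slave")
    return problems

# Constructed sample: the OSI tree is replicated, but the second replica for the
# Domain Component tree (step 6) was never added on the master.
SLAVE_CONTEXTS = [
    NamingContext("o=adagio,c=us", "Slave", "master.eng.adagio.com", "cn=admin,o=adagio,c=us"),
    NamingContext("dc=adagio,dc=com", "Slave", "master.eng.adagio.com", "cn=admin,o=adagio,c=us"),
]
MASTER_REPLICAS = [Replica("o=adagio,c=US", "slave1.eng.adagio.com", 389, "cn=admin, o=adagio, c=us")]

def sample_problems():
    return check_replication("master.eng.adagio.com", "slave1.eng.adagio.com", 389,
                             SLAVE_CONTEXTS, MASTER_REPLICAS)
```

Run against the sample, the check reports only the missing dc=adagio,dc=com replica; the differing case and spacing in the OSI entries are tolerated because DNs are compared normalised.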

Pure Proxy Administration

Because the SIMS pure proxy does not have an Admin Console, administration procedures are performed on the command line. This section describes these procedures.


 

To Change the Maximum Number of Connections on a Proxy

To change the maximum number of connections that can be supported simultaneously on the proxy, open the ims.cnf file and set the parameter ims-maxconnections to the desired number. The default is 10,000.


 

To Start/Stop imaccessd

To start imaccessd use the im.server start command. To stop it use im.server stop.


 

To Configure IMAP Capabilities in the Proxy


Note - Read this section if you are configuring a SIMS proxy with a non-SIMS back end mail server.

CAPABILITY is an IMAP command that lists the commands, in addition to the standard (RFC2060) commands, that a given server supports. Since CAPABILITY is valid even before the client has been authenticated (capabilities can include authentication mechanisms), the proxy has no way of knowing in advance which server the user will be connected to, and therefore cannot list the capabilities supported by that server.

So, when the proxy is enabled in imaccessd, the only capabilities that will be returned to the client when CAPABILITY is executed are:

* CAPABILITY IMAP4 IMAP4rev1

plus the authentication mechanisms supported by the proxy.

This means that all remote servers MUST support IMAP4 and IMAP4rev1. If you have servers connected to the proxy that do not support both protocols, or if you need to have the proxy advertise capabilities supported by the real servers, then you need to define the parameter ims-caps-proxy in ims.cnf to contain these capabilities. This can also be done in the Admin Console (see "To Configure IMAP Capabilities in the Proxy" on page 297).

This parameter, if absent, is equivalent to IMAP4 IMAP4rev1. You can disable either IMAP4 or IMAP4rev1 if the back end server doesn't support both, or you can add new capabilities to the list.

One caveat: some additional capabilities include commands that are supported once the client is authenticated (example: the SCAN command in SIMS). There is no harm in advertising these in the proxy since the client can only issue them at a time the real server will receive and process them. However, for some extensions that enable a behavior of the server (such as IMAP4SUNVERSION in SIMS), it is not recommended that you add these to the list because the client could send the command before authentication is completed, and the proxy server would not forward the command to the real server.
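The following added example (not imaccessd code) models the behaviour described in this section: it reads ims-caps-proxy from a constructed ims.cnf fragment, builds the CAPABILITY reply the proxy would send, and flags an advertised extension whose command a client could send before authentication, when the proxy answers commands itself and does not forward them. The ims.cnf line syntax, the set of commands handled locally before login, and the AUTH=PLAIN mechanism are assumptions.

```python
import re

DEFAULT_CAPS = ["IMAP4", "IMAP4rev1"]   # what an absent ims-caps-proxy is equivalent to

def read_caps_proxy(ims_cnf_text):
    """Return the ims-caps-proxy list, or the default when the parameter is absent.
    The 'key: value' (or 'key=value') line syntax is an assumption about ims.cnf."""
    for line in ims_cnf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"ims-caps-proxy\s*[:=]\s*(.+)$", line, re.IGNORECASE)
        if m:
            return m.group(1).split()
    return list(DEFAULT_CAPS)

def capability_response(caps, auth_mechs):
    """Untagged reply to CAPABILITY: the configured list plus the proxy's own AUTH= mechanisms."""
    return "* CAPABILITY " + " ".join(caps + [f"AUTH={m}" for m in auth_mechs])

# Commands the proxy answers itself before the user is authenticated; anything else
# sent in that state is rejected, not forwarded. Assumed set, not imaccessd's real list.
PRE_AUTH_LOCAL = {"CAPABILITY", "LOGIN", "AUTHENTICATE", "NOOP", "LOGOUT"}

def pre_auth_action(tagged_command):
    """What the proxy does with a client line received before login: 'local' or 'reject'."""
    parts = tagged_command.split()
    verb = parts[1].upper() if len(parts) > 1 else ""
    return "local" if verb in PRE_AUTH_LOCAL else "reject"

def risky_capabilities(caps, pre_auth_extensions):
    """Advertised capabilities whose command a client may send before login; the proxy
    would reject it instead of passing it to the real server (IMAP4SUNVERSION case)."""
    wanted = {e.upper() for e in pre_auth_extensions}
    return [c for c in caps if c.upper() in wanted]

# Constructed ims.cnf fragment: a back end without IMAP4 but with SCAN, and
# IMAP4SUNVERSION added against the advice in the text.
SAMPLE_CNF = """# constructed sample
ims-maxconnections: 10000
ims-caps-proxy: IMAP4rev1 SCAN IMAP4SUNVERSION
"""

def sample():
    caps = read_caps_proxy(SAMPLE_CNF)
    return (capability_response(caps, ["PLAIN"]),
            risky_capabilities(caps, ["IMAP4SUNVERSION"]),
            pre_auth_action("a001 SCAN INBOX"))
```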




Copyright © 1999 Sun Microsystems, Inc. All Rights Reserved.