Configuring the Sun Java System Directory Server on a Trusted Extensions System

The LDAP naming service is the supported naming service for Trusted Extensions. If your site is not yet running the LDAP naming service, configure a Sun Java System Directory Server (Directory Server) on a system that is configured with Trusted Extensions.

If your site is already running a Directory Server, then you need to add the Trusted Extensions databases to the server. To access the Directory Server, you then set up an LDAP proxy on a Trusted Extensions system.

Note - If you do not use this LDAP server as an NFS server or as a server for Sun Ray clients, then you do not need to install any labeled zones on this server.

Collect Information for the Directory Server for LDAP

Determine the values for the following items.

The items are listed in the order of their appearance in the Sun Java Enterprise System Install Wizard.

This table lists the Install Wizard prompts and the recommended action for each prompt. The first row of the table is the title of the wizard.

Install Wizard Prompt	Action or Information
Sun Java System Directory Server `version`
Administrator User ID	The default value is `admin`.
Administrator Password	Create a password, such as `admin123`.
Directory Manager DN	The default value is `cn=Directory Manager`.
Directory Manager Password	Create a password, such as `dirmgr89`.
Directory Server Root	The default value is `/var/Sun/mps`. This path is also used later if the proxy software is installed.
Server Identifier	The default value is the local system.
Server Port	If you plan to use the Directory Server to provide standard LDAP naming services to client systems, use the default value, `389`. If you plan to use the Directory Server to support a subsequent installation of a proxy server, enter a nonstandard port, such as `10389`.
Suffix	Include your domain component, as in `dc=example-domain,dc=com`.
Administration Domain	Construct to correspond to the Suffix, as in, `example-domain.com`.
System User	The default value is `root`.
System Group	The default value is `root`.
Data Storage Location	The default value is `Store configuration data on this server`.
Data Storage Location	The default value is `Store user data and group data on this server`.
Administration Port	The default value is the Server Port. A suggested convention for changing the default is `software-version TIMES 1000`. For software version 5.2, this convention would result in port `5200`.

Install the Sun Java System Directory Server

The Directory Server packages are available from the Sun Software Gateway web site.

Before You Begin

You are on a Trusted Extensions system with a global zone. The system has no labeled zones.

Trusted Extensions LDAP servers are configured for clients that use pam_unix to authenticate to the LDAP repository. With pam_unix, the password operations, and therefore the password policy, are determined by the client. Specifically, the policy set by the LDAP server is not used. For the password parameters that you can set on the client, see Managing Password Information in System Administration Guide: Security Services. For information about pam_unix, see the pam.conf(4) man page.

Note - The use of pam_ldap on an LDAP client is not an evaluated configuration for Trusted Extensions.

Before you install the Directory Server packages, add the FQDN to your system's hostname entry.
The FQDN is the Fully Qualified Domain Name. This name is a combination of the host name and the administration domain, as in:
```
## /etc/hosts
...
192.168.5.5 myhost myhost.example-domain.com
```
Find the Sun Java System Directory Server packages on the Oracle Sun web site.
1. On the Sun Software Gateway page, click the Get It tab.
2. Click the checkbox for the Sun Java Identity Management Suite.
3. Click the Submit button.
4. If you are not registered, register.
5. Log in to download the software.
6. Click the Download Center at the upper left of the screen.
7. Under Identity Management, download the most recent software that is appropriate for your platform.
Install the Directory Server packages.
Answer the questions by using the information from Collect Information for the Directory Server for LDAP. For a full list of questions, defaults, and suggested answers, see Chapter 11, Setting Up Sun Java System Directory Server With LDAP Clients (Tasks), in System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP) and Chapter 12, Setting Up LDAP Clients (Tasks), in System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).

(Optional) Add the environment variables for the Directory Server to your path.

# $PATH
/usr/sbin:.../opt/SUNWdsee/dsee6/bin:/opt/SUNWdsee/dscc6/bin:/opt/SUNWdsee/ds6/bin:
/opt/SUNWdsee/dps6/bin

(Optional) Add the Directory Server man pages to your MANPATH.
```
/opt/SUNWdsee/dsee6/man
```

Enable the cacaoadm program and verify that the program is enabled.

# /usr/sbin/cacaoadm enable
# /usr/sbin/cacaoadm start
start: server (pid n) already running

Ensure that the Directory Server starts at every boot.
Templates for the SMF services for the Directory Server are in the Sun Java System Directory Server packages.
- For a Trusted Extensions Directory Server, enable the service.
```
# dsadm stop /export/home/ds/instances/your-instance
# dsadm enable-service -T SMF /export/home/ds/instances/your-instance
# dsadm start /export/home/ds/instances/your-instance
```
  For information about the dsadm command, see the dsadm(1M) man page.
- For a proxy Directory Server, enable the service.
```
# dpadm stop /export/home/ds/instances/your-instance
# dpadm enable-service -T SMF /export/home/ds/instances/your-instance
# dpadm start /export/home/ds/instances/your-instance
```
  For information about the dpadm command, see the dpadm(1M) man page.

Verify your installation.

# dsadm info /export/home/ds/instances/your-instance
Instance Path:         /export/home/ds/instances/your-instance
Owner:                 root(root)
Non-secure port:       389
Secure port:           636
Bit format:            32-bit
State:                 Running
Server PID:            298
DSCC url:              -
SMF application name:  ds--export-home-ds-instances-your-instance
Instance version:      D-A00

Troubleshooting

For strategies to solve LDAP configuration problems, see Chapter 13, LDAP Troubleshooting (Reference), in System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).

Create an LDAP Client for the Directory Server

You use this client to populate your Directory Server for LDAP. You must perform this task before you populate the Directory Server.

You can create the client temporarily on the Trusted Extensions Directory Server, then remove the client on the server, or you can create an independent client.

Add Trusted Extensions software to a system.
You can use the Trusted Extensions Directory Server, or add Trusted Extensions to a separate system.

On the client, modify the default /etc/nsswitch.ldap file.

The entries in bold indicate the modifications. The file appears similar to the following:

# /etc/nsswitch.ldap
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses LDAP in conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

# LDAP service requires that svc:/network/ldap/client:default be enabled
# and online.

# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd:     files ldap
group:      files ldap

# consult /etc "files" only if ldap is down. 
hosts: files ldap dns [NOTFOUND=return] files

# Note that IPv4 addresses are searched for in all of the ipnodes databases
# before searching the hosts databases.
ipnodes: files ldap [NOTFOUND=return] files

networks: files ldap [NOTFOUND=return] files
protocols: files ldap [NOTFOUND=return] files
rpc: files ldap [NOTFOUND=return] files
ethers: files ldap [NOTFOUND=return] files
netmasks: files ldap [NOTFOUND=return] files
bootparams: files ldap [NOTFOUND=return] files
publickey: files ldap [NOTFOUND=return] files

netgroup:   ldap

automount:  files ldap
aliases:    files ldap

# for efficient getservbyname() avoid ldap
services:   files ldap

printers:   user files ldap

auth_attr:  files ldap
prof_attr:  files ldap

project:    files ldap

tnrhtp:     files ldap
tnrhdb:     files ldap

In the global zone, run the ldapclient init command.

This command copies the nsswitch.ldap file to the nsswitch.conf file.

In this example, the LDAP client is in the example-domain.com domain. The server's IP address is 192.168.5.5.

# ldapclient init -a domainName=example-domain.com -a profileNmae=default \
> -a proxyDN=cn=proxyagent,ou=profile,dc=example-domain,dc=com \
> -a proxyDN=cn=proxyPassword={NS1}ecc423aad0 192.168.5.5
System successfully configured

Set the server's enableShadowUpdate parameter to TRUE.
```
# ldapclient -v mod -a enableShadowUpdate=TRUE \
> -a adminDN=cn=admin,ou=profile,dc=example-domain,dc=com
System successfully configured
```
For information about the enableShadowUpdate parameter, see enableShadowUpdate Switch in System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP) and the ldapclient(1M) man page.

Configure the Logs for the Sun Java System Directory Server

This procedure configures three types of logs: access logs, audit logs, and error logs. The following default settings are not changed:

All logs are enabled and buffered.
Logs are placed in the appropriate /export/home/ds/instances/your-instance/logs/LOG_TYPE directory.
Events are logged at log level 256.
Logs are protected with 600 file permissions.
Access logs are rotated daily.
Error logs are rotated weekly.

The settings in this procedure meet the following requirements:

Audit logs are rotated daily.
Log files that are older than 3 months expire.
All log files use a maximum of 20,000 MBytes of disk space.
A maximum of 100 log files is kept, and each file is at most 500 MBytes.
The oldest logs are deleted if less than 500 MBytes free disk space is available.
Additional information is collected in the error logs.

Configure the access logs.

The LOG_TYPE for access is ACCESS. The syntax for configuring logs is the following:

dsconf set-log-prop LOG_TYPE property:value

# dsconf set-log-prop ACCESS max-age:3M
# dsconf set-log-prop ACCESS max-disk-space-size:20000M
# dsconf set-log-prop ACCESS max-file-count:100
# dsconf set-log-prop ACCESS max-size:500M
# dsconf set-log-prop ACCESS min-free-disk-space:500M

Configure the audit logs.

# dsconf set-log-prop AUDIT max-age:3M
# dsconf set-log-prop AUDIT max-disk-space-size:20000M
# dsconf set-log-prop AUDIT max-file-count:100
# dsconf set-log-prop AUDIT max-size:500M
# dsconf set-log-prop AUDIT min-free-disk-space:500M
# dsconf set-log-prop AUDIT rotation-interval:1d

By default, the rotation interval for audit logs is one week.

Configure the error logs.

In this configuration, you specify additional data to be collected in the error log.

# dsconf set-log-prop ERROR max-age:3M
# dsconf set-log-prop ERROR max-disk-space-size:20000M
# dsconf set-log-prop ERROR max-file-count:30
# dsconf set-log-prop ERROR max-size:500M
# dsconf set-log-prop ERROR min-free-disk-space:500M
# dsconf set-log-prop ERROR verbose-enabled:on

(Optional) Further configure the logs.
You can also configure the following settings for each log:
```
# dsconf set-log-prop LOG_TYPE rotation-min-file-size:undefined
# dsconf set-log-prop LOG_TYPE rotation-time:undefined
```
For information about the dsconf command, see the dsconf(1M) man page.

Configure a Multilevel Port for the Sun Java System Directory Server

To work in Trusted Extensions, the server port of the Directory Server must be configured as a multilevel port (MLP) in the global zone.

Start the txzonemgr.
```
# /usr/sbin/txzonemgr &
```
Add a multilevel port for the TCP protocol to the global zone.
The port number is 389.
Add a multilevel port for the UDP protocol to the global zone.
The port number is 389.

Populate the Sun Java System Directory Server

Several LDAP databases have been created or modified to hold Trusted Extensions data about label configuration, users, and remote systems. In this procedure, you populate the Directory Server databases with Trusted Extensions information.

Before You Begin

You must populate the database from an LDAP client where shadow updating is enabled. For the prerequisites, see Create an LDAP Client for the Directory Server.

Create a staging area for files that you plan to use to populate the naming service databases.
```
# mkdir -p /setup/files
```

Copy the sample /etc files into the staging area.

# cd /etc
# cp aliases group networks netmasks protocols /setup/files
# cp rpc services auto_master /setup/files

# cd /etc/security
# cp auth_attr prof_attr exec_attr /setup/files/
#
# cd /etc/security/tsol
# cp tnrhdb tnrhtp /setup/files

# cd /etc/inet
# cp ipnodes /setup/files

Remove the +auto_master entry from the /setup/files/auto_master file.
Remove the ?:::::? entry from the /setup/files/auth_attr file.
Remove the :::: entry from the /setup/files/prof_attr file.
Create the zone automaps in the staging area.
In the following list of automaps, the first of each pair of lines shows the name of the file. The second line of each pair shows the file contents. The zone names identify labels from the default label_encodings file that is included with the Trusted Extensions software.
- Substitute your zone names for the zone names in these lines.
- myNFSserver identifies the NFS server for the home directories.
```
/setup/files/auto_home_public
 * myNFSserver_FQDN:/zone/public/root/export/home/&

/setup/files/auto_home_internal
 * myNFSserver_FQDN:/zone/internal/root/export/home/&

/setup/files/auto_home_needtoknow
 * myNFSserver_FQDN:/zone/needtoknow/root/export/home/&

/setup/files/auto_home_restricted
 * myNFSserver_FQDN:/zone/restricted/root/export/home/&
```
Add every system on the network to the /setup/files/tnrhdb file.
No wildcard mechanism can be used here. The IP address of every system to be contacted, including the IP addresses of labeled zones, must be in this file.
1. Open the trusted editor and edit /setup/files/tnrhdb.
2. Add every IP address on a labeled system in the Trusted Extensions domain.
  Labeled systems are of type cipso. Also, the name of the security template for labeled systems is cipso. Therefore, in the default configuration, a cipso entry is similar to the following:
```
192.168.25.2:cipso
```
  Note - This list includes the IP addresses of global zones and labeled zones.
3. Add every unlabeled system with which the domain can communicate.
  Unlabeled systems are of type unlabeled. The name of the security template for unlabeled systems is admin_low. Therefore, in the default configuration, an entry for an unlabeled system is similar to the following:
```
192.168.35.2:admin_low
```
4. Save the file, and exit the editor.
5. Check the syntax of the file.
```
# tnchkdb -h /setup/files/tnrhdb
```
6. Fix any errors before continuing.
Copy the /setup/files/tnrhdb file to the /etc/security/tsol/tnrhdb file.
Use the ldapaddent command to populate the Directory Server with every file in the staging area.
For example, the following command populates the server from the hosts file in the staging area.
```
# /usr/sbin/ldapaddent -D "cn=directory manager" \ -w dirmgr123 -a simple -f /setup/files/hosts hosts
```
If you ran the ldapclient command on the Trusted Extensions Directory Server, disable the client on that system.
In the global zone, run the ldapclient uninit command. Use verbose output to verify that the system is no longer an LDAP client.
```
# ldapclient -v uninit
```
For more information, see the ldapclient(1M) man page.

Skip Navigation Links
Exit Print View
	Oracle Solaris Trusted Extensions Configuration and Administration Oracle Solaris 11 Express 11/10