(iPlanet Directory Server is now called SUN ONE Directory Server or Java System Directory Server)
(SimpleBind + SSL/TLS/start_tls + without-sasl + automount + netgroup + sudo + apache)
(See also related documents at http://web.singnet.com.sg/~garyttt/)
Purpose:
This document describes the steps involved in installing and configuring a SUN ONE (iPlanet) Directory Server (DS 5.2 or iDS 5.2) with SSL/TLS support on RedHat Enterprise Linux3. This is to be accessed by RedHat Linux or Solaris8/9 LDAP Client. Many useful productivity UNIX Shell scripts are also provided in this document.
To use LDAP centralized authentication with nss_ldap and pam_ldap, i.e. to use LDAP "uid" and "userPassword" for UNIX account id and password lookup, you must also complete the setup documented in “Installing and configuring OpenSSH with pam_ldap for Solaris9” and/or "Installing and configuring OpenSSH with pam_ldap for RedHat Enterprise Linux3"
Download URL:
http://www.sun.com/software/products/directory_srvr_ee/get.jsp
Preparation Steps:
Please ensure that IP addresses of LDAP Server(s) are defined in DNS and/or /etc/hosts
It is important that the Fully Qualified Domain Name (eg: ldap1.example.com) be listed as the first entry right after the IP address, as shown below:
192.168.1.168 ldap1.example.com ldap1
Please ensure that the LDAP domain example.com is defined in /etc/resolv.conf; for Solaris LDAP clients and servers, /etc/defaultdomain should also contain "example.com" as the LDAP domain.
If this is an upgrade of an old iDS 5.0 or 5.1 server to the latest 5.2, it is always wise to back up all *.db TLS security files in $IDS5_PATH/alias before proceeding.
The procedures in this document are also applicable to other Linux variants, provided the compatibility libraries and JRE 1.5 have been installed.
# rpm -qa | grep "compat"
compat-gcc-c++-7.3-2.96.128
compat-libstdc++-7.3-2.96.128
compat-libstdc++-devel-7.3-2.96.128
See also the “Linux” specific information in the Release Notes if you are using SJES/DS5.2.
http://docs.sun.com/source/817-7611/index.html
This step is for LDAP Server(s) only.
Log in as root.
# tar xvf directory-5.2-us.i686--linux.tar
# ./setup
or
# ./setup -nodisplay
For SJES/DS5.2:
# jar xvf java_es_05Q1_directory-ga-linux-x86.zip
# cd java_es_05Q1_directory
# chmod -R a+x *
# cd Linux_x86
# ./installer
or
# ./installer -nodisplay
Accepting the default value at each and every prompt is usually adequate for a test LDAP Server.
Note 1: if “setup” or “installer” fails and you wish to re-run it, first perform the following clean-up:
# cd /var/tmp
# rm -f productregistry Directory_Server_install* Administration_Server_install*
For SJES/DS5.2, more files need to be cleaned up:
# cd /var/opt/sun/install
# rm -f productregistry
# cd logs
# rm -f Java_Enterprise_System_*
Note 2: if some of the scripts extracted from the tar file lack execute permission, run the following before running setup.
# chmod -R a+x *
To confirm whether Patch_4 of the RedHat Linux version of SJES/DS5.2 is already applied, watch /var/Sun/mps/slapd-`hostname`/errors while restarting ns-slapd: a banner mentioning “Patch_4” is logged if the server is at Patch_4 level. If it is not, it is advisable to download and apply 117668-03 (patch IDs per platform are listed below).
117665-03: for Solaris8/9 SPARC
117666-03: for Solaris8/9 x86
117667-03: for Windows
117668-03: for Linux
117669-03: for HP-UX
117670-03: For AIX
Download Patch_4:
Apply Patch_4: (Skip if SJES/DS5.2 is used)
# unzip 117668-03.zip
Archive: 117668-03.zip
creating: 117668-03/
inflating: 117668-03/patchzip-directory-5.2_Patch_3-us.i686--linux.tar.gz
inflating: 117668-03/README.117668-03
# cd 117668-03
# gzip -d patchzip-directory-5.2_Patch_4-us.i686--linux.tar.gz
# tar xvf patchzip-directory-5.2_Patch_4-us.i686--linux.tar
# sh install.sh /var/Sun/mps
Change dir to /var/Sun/mps/slapd-ldap1
Stopping instance : slapd-ldap1
./stop-slapd
Change dir to /var/Sun/mps
./stop-admin
Change dir to /var/tmp/117668-03
gunzip directory-5.2_Patch_3-us.i686--linux.tar.gz
cp directory-5.2_Patch_3-us.i686--linux.tar /var/Sun/mps
Change dir to /var/Sun/mps
tar xf directory-5.2_Patch_3-us.i686--linux.tar
Change dir to /var/tmp/117668-03
cp nsbase.zip /var/Sun/mps
cp nsclient.zip /var/Sun/mps
cp nsjre.zip /var/Sun/mps
cp nsadmin.zip /var/Sun/mps
cp nsadminclient.zip /var/Sun/mps
Change dir to /var/Sun/mps
saving /var/Sun/mps/shared/config/certmap.conf
saving /var/Sun/mps/userdb/certmap.conf
unzip -q -o nsbase.zip
unzip -q -o nsclient.zip
unzip -q -o nsjre.zip
unzip -q -o nsadmin.zip
unzip -q -o nsadminclient.zip
restoring /var/Sun/mps/shared/config/certmap.conf
restoring /var/Sun/mps/userdb/certmap.conf
cd /var/Sun/mps/slapd-ldap1
Change dir to /var/Sun/mps/slapd-ldap1
Starting instance : slapd-ldap1
./start-slapd
Please wait 20 seconds...
Change dir to /var/Sun/mps/bin/admin
Upgrading the Administration Server...
./sync-admin upgrade -r "/var/Sun/mps"
/var/Sun/mps/stop-admin: line 6: kill: (14180) - No such process
Updating the Configuration Directory Server for the Admin Server...
./sync-admin-cds -r "/var/Sun/mps"
Admin Id: admin
Admin Password:xxxxxxxx
Change dir to /var/Sun/mps/shared/bin
Updating the Configuration Directory Server for the directory server instances
./sync-product-cds -r "/var/Sun/mps" -i "cn=Sun ONE Directory Server, cn=Server Group, cn=ldap1.example.com, ou=example.com, o=NetscapeRoot" -j ds523.jar -g ds523.jar -v 5.2_Patch_3 -n "Sun Java(TM) System Directory Server" -b 2005.067.0415
Admin Id: admin
Admin Password:xxxxxxxx
Starting the admin server...
Change dir to /var/Sun/mps
./start-admin
SunONE-WebServer-Enterprise/6.0SP3 B05/19/2004 05:54
warning: daemon is running as super-user
[LS ls1] http://ldap1.example.com, port 38900 ready to accept requests
startup: server started successfully
Done
As there is no “idsconfig” in the Linux packaging of SUN ONE DS5.2, the workaround is to run “idsconfig” from a Solaris box that has this command bundled or installed, and enter the Linux host as the “target”.
Now run "idsconfig" from a Solaris box; note that this command lives in /usr/lib/ldap and is NOT on $PATH.
NOTE: if SJES/DS5.2 is used and the LDAP domain you are setting up is NOT “dc=example,dc=com”, the following hack to “idsconfig” is required to get past the road-block error “ERROR: Can not determine the top of tree”.
# cd /usr/lib/ldap
# mv idsconfig idsconfig.orig
# cp idsconfig.orig idsconfig
# vi idsconfig
Replace this line
grep -i -v NetscapeRoot > ${TMPDIR}/treeTOP
with:
grep -i -v NetscapeRoot | grep -i -v dc=example > ${TMPDIR}/treeTOP
Note: in some newer versions of “idsconfig” you will see “{GREP}” in place of “grep”.
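The following is an added example (not part of the original document or of Sun's idsconfig) that reproduces, on a constructed list of naming contexts, why the unpatched filter stops with “Can not determine the top of tree” and why the extra grep fixes it. It assumes that idsconfig requires exactly one suffix to survive the filter; the suffix dc=corp,dc=test is an assumed name standing in for "your" domain.

```shell
#!/bin/sh
# Added example: models the top-of-tree detection in idsconfig on a
# constructed namingContexts list. Not the original idsconfig code.

# Constructed sample of the namingContexts a DS 5.2 server reports when the
# default dc=example,dc=com suffix still exists next to the suffix actually
# being configured (dc=corp,dc=test is an assumed name for this example).
SAMPLE_CONTEXTS='o=NetscapeRoot
dc=example,dc=com
dc=corp,dc=test'

# Filter as shipped: drop only the NetscapeRoot suffix.
tree_top_orig() {
    grep -i -v NetscapeRoot
}

# Filter after the hack described above: also drop dc=example.
tree_top_patched() {
    grep -i -v NetscapeRoot | grep -i -v dc=example
}

# Run one of the filters over the sample and apply the (assumed) idsconfig
# rule that exactly one candidate suffix must remain. Prints the suffix on
# success; prints the error seen in the note above and returns 1 otherwise.
determine_tree_top() {
    filter="$1"
    candidates=$(printf '%s\n' "$SAMPLE_CONTEXTS" | "$filter")
    count=$(printf '%s\n' "$candidates" | grep -c .)
    if [ "$count" -ne 1 ]; then
        echo "ERROR: Can not determine the top of tree ($count candidates)" >&2
        return 1
    fi
    printf '%s\n' "$candidates"
}
```

Run `determine_tree_top tree_top_orig` to see the failure (two candidates remain), then `determine_tree_top tree_top_patched` to see the configured suffix selected. When the domain being served really is dc=example,dc=com the hack must not be applied, since the second grep would then remove the only valid suffix.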
Otherwise, please proceed.
# /usr/lib/ldap/idsconfig
It is strongly recommended that you BACKUP the directory server
before running idsconfig.
Hit Ctrl-C at any time before the final confirmation to exit.
Do you wish to continue with server setup (y/n/h)? [n] y
Enter the iPlanet Directory Server's (iDS) hostname to setup: ldap1
Enter the directory manager DN: [cn=Directory Manager]
Enter passwd for cn=Directory Manager :
Enter the domainname to be served (h=help): [example.com]
Enter LDAP Base DN (h=help): [dc=example,dc=com]
Enter the profile name (h=help): [default]
Default server list (h=help): [192.168.1.168] ldap1.example.com ldap2.example.com
Preferred server list (h=help):
Choose desired search scope (one, sub, h=help): [one]
The following are the supported credential levels:
1 anonymous
2 proxy
3 proxy anonymous
Choose Credential level [h=help]: [1] 2
The following are the supported Authentication Methods:
1 none
2 simple
3 sasl/DIGEST-MD5
4 tls:simple
5 tls:sasl/DIGEST-MD5
Choose Authentication Method (h=help): [1] 2
Current authenticationMethod: simple
Do you want to add another Authentication Method? n
Do you want the clients to follow referrals (y/n/h)? [n]
Do you want to modify the server timelimit value (y/n/h)? [n]
Do you want to store passwords in "crypt" format (y/n/h)? [n] y
Do you want to setup a Service Authentication Methods (y/n/h)? [n]
Client search time limit in seconds (h=help): [30]
Profile Time To Live in seconds (h=help): [43200]
Bind time limit in seconds (h=help): [10]
Do you wish to setup Service Search Descriptors (y/n/h)? [n] y
D Delete a SSD
P Display all SSD's
H Help
X Clear all SSD's
Q Exit menu
Enter menu choice: [Quit] A
Enter the service id: passwd
Enter the base: ou=People,dc=example,dc=com
Enter the scope: one
A Add a Service Search Descriptor
D Delete a SSD
M Modify a SSD
H Help
X Clear all SSD's
Q Exit menu
Enter menu choice: [Quit] A
Enter the service id: group
Enter the base: ou=group,dc=example,dc=com
Enter the scope: one
A Add a Service Search Descriptor
D Delete a SSD
M Modify a SSD
P Display all SSD's
H Help
X Clear all SSD's
Enter menu choice: [Quit] A
Enter the service id: shadow
Enter the base: ou=People,dc=example,dc=com
Enter the scope: one
A Add a Service Search Descriptor
D Delete a SSD
M Modify a SSD
P Display all SSD's
X Clear all SSD's
Enter menu choice: [Quit] A
Enter the service id: netgroup
Enter the base: ou=Netgroup,dc=example,dc=com
Enter the scope: one
A Add a Service Search Descriptor
D Delete a SSD
M Modify a SSD
P Display all SSD's
H Help
X Clear all SSD's
Q Exit menu
Enter menu choice: [Quit]
Summary of Configuration
1 Domain to serve : example.com
2 Base DN to setup : dc=example,dc=com
3 Profile name to create : default
4 Default Server List : ldap1.example.com ldap2.example.com
5 Preferred Server List :
6 Default Search Scope : one
7 Credential Level : proxy
8 Authentication Method : simple
9 Enable Follow Referrals : FALSE
10 iDS Time Limit :
11 iDS Size Limit :
12 Enable crypt password storage : TRUE
13 Service Auth Method pam_ldap :
14 Service Auth Method keyserv :
15 Service Auth Method passwd-cmd:
16 Search Time Limit : 30
17 Profile Time to Live : 43200
18 Bind Limit : 10
Enter config value to change: (1-19 0=commit changes) [0] 19
Do you wish to setup Service Search Descriptors (y/n/h)? [n] y
D Delete a SSD
M Modify a SSD
P Display all SSD's
H Help
X Clear all SSD's
Q Exit menu
Enter menu choice: [Quit] P
Current Service Search Descriptors:
==================================
passwd:ou=People,dc=example,dc=com?one
group:ou=group,dc=example,dc=com?one
shadow:ou=People,dc=example,dc=com?one
netgroup:ou=Netgroup,dc=example,dc=com?one
Hit return to continue.
A Add a Service Search Descriptor
D Delete a SSD
M Modify a SSD
P Display all SSD's
H Help
X Clear all SSD's
Q Exit menu
Enter menu choice: [Quit]
Summary of Configuration
1 Domain to serve : example.com
2 Base DN to setup : dc=example,dc=com
3 Profile name to create : default
4 Default Server List : ldap1.example.com ldap2.example.com
5 Preferred Server List :
6 Default Search Scope : one
7 Credential Level : proxy
8 Authentication Method : simple
9 Enable Follow Referrals : FALSE
10 iDS Time Limit :
11 iDS Size Limit :
12 Enable crypt password storage : TRUE
13 Service Auth Method pam_ldap :
14 Service Auth Method keyserv :
15 Service Auth Method passwd-cmd:
16 Search Time Limit : 30
17 Profile Time to Live : 43200
19 Service Search Descriptors Menu
Enter config value to change: (1-19 0=commit changes) [0]
Enter DN for proxy agent: [cn=proxyagent,ou=profile,dc=example,dc=com]
Enter passwd for proxyagent: password
Re-enter passwd: password
1. Changed passwordstoragescheme to "crypt" in cn=config.
2. Schema attributes have been updated.
3. Schema objectclass definitions have been added.
4. NisDomainObject added to dc=example,dc=com.
5. Top level "ou" containers complete.
6. automount maps: auto_home auto_direct auto_master auto_shared processed.
7. ACI for dc=example,dc=com modified to disable self modify.
8. Add of VLV Access Control Information (ACI).
9. Proxy Agent cn=proxyagent,ou=profile,dc=example,dc=com added.
10. Give cn=proxyagent,ou=profile,dc=example,dc=com read permission for
password.
11. Generated client profile and loaded on server.
12. Processing eq,pres indexes:
ipHostNumber (eq,pres) Finished indexing.
uidNumber (eq,pres) Finished indexing.
ipNetworkNumber (eq,pres) Finished indexing.
gidnumber (eq,pres) Finished indexing.
oncrpcnumber (eq,pres) Finished indexing.
automountKey (eq,pres) Finished indexing.
13. Processing eq,pres,sub indexes:
membernisnetgroup (eq,pres,sub) Finished indexing.
nisnetgrouptriple (eq,pres,sub) Finished indexing.
14. Processing VLV indexes:
example.com.getgrent vlv_index Entry created
example.com.gethostent vlv_index Entry created
example.com.getnetent vlv_index Entry created
example.com.getpwent vlv_index Entry created
example.com.getrpcent vlv_index Entry created
example.com.getspent vlv_index Entry created
idsconfig: Setup of iDS server ldap1 is complete.
Note: idsconfig has created entries for VLV indexes. Use the
directoryserver(1m) script on ldap1 to stop
the server and then enter the following vlvindex
sub-commands to create the actual VLV indexes:
directoryserver -s <server-instance> vlvindex -n userRoot -T example.com.getgrent
directoryserver -s <server-instance> vlvindex -n userRoot -T example.com.gethostent
directoryserver -s <server-instance> vlvindex -n userRoot -T example.com.getnetent
directoryserver -s <server-instance> vlvindex -n userRoot -T example.com.getpwent
directoryserver -s <server-instance> vlvindex -n userRoot -T example.com.getrpcent
directoryserver -s <server-instance> vlvindex -n userRoot -T example.com.getspent
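The idsconfig session above settles several choices that determine how much protection the client profile gives: credential level proxy, authentication method simple (no TLS), crypt password storage and four Service Search Descriptors. The script below is an added example, not part of the original document or of idsconfig: it reads a saved copy of the "Summary of Configuration" and the SSD listing (constructed here from the session above) and reports the settings worth revisiting before the profile is rolled out. The review rules are this example's own assumptions about good practice, not rules idsconfig enforces.

```shell
#!/bin/sh
# Added example: review the idsconfig choices captured in the summary.
# The two inputs are constructed copies of the session output above.

SUMMARY='1 Domain to serve : example.com
2 Base DN to setup : dc=example,dc=com
4 Default Server List : ldap1.example.com ldap2.example.com
7 Credential Level : proxy
8 Authentication Method : simple
12 Enable crypt password storage : TRUE
18 Bind Limit : 10'

SSDS='passwd:ou=People,dc=example,dc=com?one
group:ou=group,dc=example,dc=com?one
shadow:ou=People,dc=example,dc=com?one
netgroup:ou=Netgroup,dc=example,dc=com?one'

# Return the value of one summary field, looked up by (part of) its label.
summary_value() {
    printf '%s\n' "$SUMMARY" | awk -F' : ' -v key="$1" '
        index($1, key) { sub(/^[ \t]+/, "", $2); print $2; exit }'
}

# Print one finding per line; the return value is the number of findings
# (0 means nothing was flagged). Rules assumed for this example:
#  - a method without the tls: prefix sends bind passwords in the clear;
#  - with credential level proxy that includes the proxy agent password,
#    which every client holds and presents on each lookup;
#  - crypt storage means traditional UNIX crypt hashes for userPassword;
#  - every SSD base must sit under the base DN being set up.
review_profile() {
    findings=0
    cred=$(summary_value "Credential Level")
    auth=$(summary_value "Authentication Method")
    crypt=$(summary_value "Enable crypt password storage")
    base=$(summary_value "Base DN")
    case "$auth" in
        tls:*) ;;
        *) echo "FINDING: authentication method '$auth' is not TLS-protected"
           findings=$((findings + 1)) ;;
    esac
    if [ "$cred" = "proxy" ]; then
        case "$auth" in
            tls:*) ;;
            *) echo "FINDING: proxy agent password crosses the network unprotected"
               findings=$((findings + 1)) ;;
        esac
    fi
    if [ "$crypt" = "TRUE" ]; then
        echo "FINDING: userPassword will be stored as traditional UNIX crypt hashes"
        findings=$((findings + 1))
    fi
    for ssd in $SSDS; do
        ssd_base=${ssd#*:}
        ssd_base=${ssd_base%\?*}
        case "$ssd_base" in
            *"$base") ;;
            *) echo "FINDING: SSD base '$ssd_base' is outside $base"
               findings=$((findings + 1)) ;;
        esac
    done
    return $findings
}
```

For the session above `review_profile` reports three findings: simple authentication, the proxy agent password carried by that simple bind, and crypt storage. Choosing tls:simple at the authentication prompt clears the first two, which is the reason the SSL/TLS setup this document leads to matters for a proxy credential level.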
Go back to RedHat Linux LDAP Server.
# cat ids52_vlvindex.sh
/var/Sun/mps/slapd-ldap1/stop-slapd
/var/Sun/mps/slapd-ldap1/vlvindex -n userRoot -T example.com.getgrent
/var/Sun/mps/slapd-ldap1/vlvindex -n userRoot -T example.com.gethostent
/var/Sun/mps/slapd-ldap1/vlvindex -n userRoot -T example.com.getnetent
/var/Sun/mps/slapd-ldap1/vlvindex -n userRoot -T example.com.getpwent
/var/Sun/mps/slapd-ldap1/vlvindex -n userRoot -T example.com.getrpcent
/var/Sun/mps/slapd-ldap1/vlvindex -n userRoot -T example.com.getspent
/var/Sun/mps/slapd-ldap1/start-slapd
# ./ids52_vlvindex.sh
[24/Feb/2005:00:00:09 -0500] - userRoot: Indexing VLV: example.com.getgrent
[24/Feb/2005:00:00:09 -0500] - userRoot: Finished indexing.
[24/Feb/2005:00:00:12 -0500] - userRoot: Indexing VLV: example.com.gethostent
[24/Feb/2005:00:00:12 -0500] - userRoot: Indexed search unsuccessful, will perform unindexed search instead.
[24/Feb/2005:00:00:12 -0500] - userRoot: Finished indexing.
[24/Feb/2005:00:00:14 -0500] - userRoot: Indexing VLV: example.com.getnetent
[24/Feb/2005:00:00:14 -0500] - userRoot: Indexed search unsuccessful, will perform unindexed search instead.
[24/Feb/2005:00:00:14 -0500] - userRoot: Finished indexing.
[24/Feb/2005:00:00:17 -0500] - userRoot: Indexing VLV: example.com.getpwent
[24/Feb/2005:00:00:17 -0500] - userRoot: Finished indexing.
[24/Feb/2005:00:00:19 -0500] - userRoot: Indexing VLV: example.com.getrpcent
[24/Feb/2005:00:00:19 -0500] - userRoot: Indexed search unsuccessful, will perform unindexed search instead.
[24/Feb/2005:00:00:19 -0500] - userRoot: Finished indexing.
[24/Feb/2005:00:00:21 -0500] - userRoot: Indexing VLV: example.com.getspent
[24/Feb/2005:00:00:21 -0500] - userRoot: Finished indexing.
Note 1: you may also use the SUN ONE Console “Create Browsing Index” function (right-click the object) to do the same for the above.
Note 2: initially, when there is no data under ou=People and ou=group, the VLV index creation will fail; this is normal.
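Because an index that fell back to an unindexed search is easy to miss in the errors log, here is an added example (not from the original document) that reads the vlvindex log lines shown above, a constructed copy embedded in the script, and separates the indexes that built cleanly from those that logged "Indexed search unsuccessful", so the latter can be re-run with the same vlvindex command once data has been loaded. The path /var/Sun/mps/slapd-ldap1/vlvindex is the one used in ids52_vlvindex.sh above.

```shell
#!/bin/sh
# Added example: triage the ns-slapd errors log output of a vlvindex run.
# VLV_LOG is a constructed copy of the log lines shown earlier.

VLV_LOG='[24/Feb/2005:00:00:09 -0500] - userRoot: Indexing VLV: example.com.getgrent
[24/Feb/2005:00:00:09 -0500] - userRoot: Finished indexing.
[24/Feb/2005:00:00:12 -0500] - userRoot: Indexing VLV: example.com.gethostent
[24/Feb/2005:00:00:12 -0500] - userRoot: Indexed search unsuccessful, will perform unindexed search instead.
[24/Feb/2005:00:00:12 -0500] - userRoot: Finished indexing.
[24/Feb/2005:00:00:14 -0500] - userRoot: Indexing VLV: example.com.getnetent
[24/Feb/2005:00:00:14 -0500] - userRoot: Indexed search unsuccessful, will perform unindexed search instead.
[24/Feb/2005:00:00:14 -0500] - userRoot: Finished indexing.
[24/Feb/2005:00:00:17 -0500] - userRoot: Indexing VLV: example.com.getpwent
[24/Feb/2005:00:00:17 -0500] - userRoot: Finished indexing.
[24/Feb/2005:00:00:19 -0500] - userRoot: Indexing VLV: example.com.getrpcent
[24/Feb/2005:00:00:19 -0500] - userRoot: Indexed search unsuccessful, will perform unindexed search instead.
[24/Feb/2005:00:00:19 -0500] - userRoot: Finished indexing.
[24/Feb/2005:00:00:21 -0500] - userRoot: Indexing VLV: example.com.getspent
[24/Feb/2005:00:00:21 -0500] - userRoot: Finished indexing.'

# Names (one per line) of the VLV indexes whose build logged the
# "Indexed search unsuccessful" warning between "Indexing VLV:" and
# "Finished indexing".
failed_vlv_indexes() {
    printf '%s\n' "$VLV_LOG" | awk '
        /Indexing VLV:/ { current = $NF; next }
        /Indexed search unsuccessful/ && current != "" { print current; current = "" }
        /Finished indexing/ { current = "" }'
}

# Names of the VLV indexes that finished without the warning.
clean_vlv_indexes() {
    printf '%s\n' "$VLV_LOG" | awk '
        /Indexing VLV:/ { current = $NF; warned = 0; next }
        /Indexed search unsuccessful/ { warned = 1 }
        /Finished indexing/ && current != "" { if (!warned) print current; current = "" }'
}

# Emit the vlvindex commands, in the form used by ids52_vlvindex.sh, for the
# indexes that need another pass (run them with ns-slapd stopped, as above).
rerun_commands() {
    failed_vlv_indexes | while read -r name; do
        echo "/var/Sun/mps/slapd-ldap1/vlvindex -n userRoot -T $name"
    done
}
```

`rerun_commands` prints the three commands for gethostent, getnetent and getrpcent from the sample log; to apply this to a real server, replace VLV_LOG with the relevant lines of /var/Sun/mps/slapd-ldap1/logs/errors.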
Congratulations! You have successfully completed the installation of SUN ONE Directory Server on a RedHat Enterprise Linux3 server.
You may consult the related document, “Installing and configuring iPlanet Directory Server for Solaris9”, for similar instructions covering the following steps: