(iPlanet Directory Server is now called SUN ONE Directory Server or Java System Directory Server)
(SimpleBind + SSL/TLS/start_tls + without-SASL + automount + netgroup + sudo + apache)
(See also related documents at http://web.singnet.com.sg/~garyttt/)
Purpose:
This document describes the steps involved in installing and configuring a SUN ONE (iPlanet) Directory Server (DS5.2 or iDS 5.2) with SSL/TLS support on Solaris8/9, to be accessed by RedHat Linux or Solaris8/9 LDAP clients. Many useful productivity UNIX shell scripts are also provided in this document.
To use LDAP centralized authentication with nss_ldap and pam_ldap, i.e. to use the LDAP "uid" and "userPassword" attributes for UNIX account id and password lookup, you must also complete the setup documented in "Installing and configuring OpenSSH with pam_ldap for Solaris9" and/or "Installing and configuring OpenSSH with pam_ldap for RedHat Enterprise Linux3".
Another related document "Deploying SUN Solaris Native LDAP Client by using automated scripts", describes the steps involved in building up an infrastructure environment for rapid deployment of Native LDAP Client.
Download URL:
http://www.sun.com/software/products/directory_srvr_ee/get.jsp
Public Mail Lists/Forums:
http://lists.fini.net/mailman/listinfo/ldap-interop
http://forum.java.sun.com/forum.jspa?forumID=761
http://www.dbforums.com (comp.unix.solaris)
http://bbs.chinaunix.net/ (Chinese web site)
Useful URLs:
· SUN Blogs http://blogs.sun.com,
Search for “ldap” or “ldapclient” or “ldap ssl” or “ldap tls” or “ldap nis” depending on your need.
· Raja’s SUN Native LDAP Product Support Document
http://blogs.sun.com/roller/resources/raja/ldap-psd.html
· SUN Blue Print: Tom Bialaski and Michael Haines's "LDAP in the Solaris Operating Environment"
http://www.sun.com/books/catalog/haines_bialaski_ldap.xml (not downloadable, got to buy it)
· SUN Blue Print: Michael Haines’s “Understanding NIS to LDAP Service (N2L) Architecture”
http://www.sun.com/blueprints/0306/819-4326.pdf
· A twisted world - Rohan Pinto’s Weblog :: NIS to LDAP migration guide
http://blogs.sun.com/rohanpinto/entry/nis_to_ldap_migration_guide
· SUN ONE Directory Server 5.2 Installation and Tuning Guide:
http://docs.sun.com/source/816-6697-10/contents.html
· SUN Solaris9's “System Administration Guide: Naming and Directory Services - May 2002”:
http://docs.sun.com/app/docs/doc/816-4856
· SUN Solaris10's “System Administration Guide: Naming and Directory Services”:
http://docs.sun.com/app/docs/doc/816-4556
· SUN ONE Directory Server 5.2 documentations:
http://docs.sun.com/app/docs/coll/S1_DirectoryServer_52
· SUN Java System/Directory Server 5 / 2005Q1 documentations:
http://docs.sun.com/app/docs/coll/DirectoryServer_05q1
· SUN Java System/Directory Server 5 / 2005Q4 documentations:
http://docs.sun.com/app/docs/coll/1316.1
· John Berger’s Beginner Guide to SunONE DS
http://www.thebergerbits.com/Beginners_Guide_to_SunONE_DS.pdf
· SUN ONE Directory Server 5.2 release notes:
http://docs.sun.com/source/816-6703-10/index.html
· SUN Java System Directory Server 5.2 / 2005Q1 release notes:
http://docs.sun.com/source/817-7611/index.html
· SUN Java System/Directory Server 5.2 / 2005Q4 release notes
http://docs.sun.com/source/819-2405/index.html
· SUN Java System/Directory Server 5.2 / 2005Q1 release notes for Compressed Archive
http://docs.sun.com/source/819-1815/index.html
· SUN Java System/Directory Server 5.2 / 2005Q4 release notes for Patchzip
http://docs.sun.com/source/819-4290/index.html
· SUN Java System/Directory Server 5.2 Log File Access Log Content:
http://docs.sun.com/source/817-7616/fileref.html#wp20452
· OpenSSH LDAP Public Key Patch
http://www.opendarwin.org/projects/openssh-lpk/
· LDAP Error and Status Codes
http://www.directory-info.com/LDAP/LDAPErrorCodes.html
· BIND9.NET LDAP Page
· SUN ONE Directory Server Error Code Reference:
http://docs.sun.com/source/816-6699-10/ax_errcd.html
· Automating LDAP Client Installation (JumpStart)
http://www.sun.com/blueprints/0701/LDAPinstall.pdf
· LDAP Client Login Authentication
http://yolinux.com/TUTORIALS/LDAP_Authentication.html
· Integrating AIX into Heterogenous LDAP Environments
http://www.redbooks.ibm.com/redbooks/pdfs/sg247165.pdf
· Integrating UNIX/Linux LDAP Clients into Active Directory – ad4unix
http://sourceforge.net/projects/ad4unix/
· Integrating Windows Clients into UNIX/Linux LDAP Server - pGina
http://sourceforge.net/projects/pgina/
· SUN Directory Server Resource Kit
http://www.sun.com/software/products/directory_srvr_ee/get.jsp
Freeware tools used:
· OpenSSL 0.9.7e or later – http://www.openssl.org
· LDAP Browser/Editor: http://www-unix.mcs.anl.gov/~gawor/ldap/
· BIND9.NET LDAP Tools: http://www.bind9.net/ldap-tools
· JXplorer Java LDAP Browser/Editor: http://pegacat.com/jxplorer/ (can do SSL connection)
· Other Graphical LDAP Tools: http://en.tldp.org/HOWTO/LDAP-HOWTO/graphicaltools.html
· Novell LDAP CoolTools: http://www.novell.com/coolsolutions/tools/bycategory/168.html
· LDAP Account Manager: http://lam.sf.net
· Softerra LDAP Administrator: http://www.ldapadministrator.com/
· SUN Directory Editor: http://www.sun.com/software/products/directory_srvr_ee/get.jsp
Example used:
· MASTER LDAP Server: ldap1.example.com, 192.168.1.168
· SLAVE LDAP Server: ldap2.example.com, 192.168.1.178
· RedHat EL3 LDAP Client: client1.example.com, 192.168.1.188
· Solaris8 LDAP Client: client2.example.com, 192.168.1.198
· Solaris9 LDAP Client: client3.example.com, 192.168.1.208
It is highly recommended that OS level Security Hardening be applied to all LDAP Servers.
Preparation Steps:
Please ensure that IP addresses of LDAP Server(s) are defined in DNS and/or /etc/hosts
It is important that the Fully Qualified Domain Name (eg: ldap1.example.com) be listed as the first entry right after the IP address, as shown below:
192.168.1.168 ldap1.example.com ldap1
Please ensure that the domain example.com is defined in /etc/resolv.conf; on Solaris LDAP clients and servers, /etc/defaultdomain should also contain "example.com" as the LDAP domain.
If this is an Upgrade of old iDS 5.0 or 5.1 Server to latest 5.2, it is always very wise to backup all *.db TLS security files in $IDS5_PATH/alias before proceeding.
The procedures in this document are also applicable to Solaris8 provided that patch 108993 has been applied; note that Solaris8 has a different syntax for the "ldapclient" command. For Solaris9, LDAP library patch 112960 is highly recommended. See also the following URL if you are using SJES/DS5.2.
http://docs.sun.com/source/817-7611/index.html#wp33336
Please refer to Appendix for a useful script to check patches.
The procedures are also applicable to Solaris10; there is a specific step for the "crle" command, for which you may refer to this URL:
http://www.sunmanagers.org/pipermail/summaries/2005-August/006688.html
For Solaris10 LDAP Client, it is noted that the entry “ipnodes: files ldap” in /etc/nsswitch.conf should be replaced with just “ipnodes: files” or else ldapclient initialization will hang.
This step is for LDAP Server(s) only.
Log in as root.
# cd /var/tmp
# tar xvf ds.5.2.P4.Solaris.SPARC.full.tar
IMPORTANT NOTE: If a previous version of iDS5 (5.0/5.1) is installed, shut down its slapd process, uninstall its software components, remove any references to 5.0/5.1 (eg: /usr/iplanet/ds5/lib) from LD_LIBRARY_PATH in /etc/profile and/or current login shells, and disable the iDS5.0/5.1 startup script (cd /etc/rc2.d; mv S72directory s72directory; ./s72directory stop) before running "setup".
# ./setup
or
# ./setup -nodisplay
Accepting the default value at each prompt is usually fine for a test LDAP server.
For SJES/DS5.2:
# jar xvf java_es_05Q1_directory-ga-solaris-sparc.zip
# cd java_es_05Q1_directory
# chmod -R a+x *
# cd Solaris_sparc
# ./installer
or
# ./installer -nodisplay
Accepting the default value at each prompt is usually fine for a test LDAP server.
Note 1: if "installer" fails and you wish to re-run it, first perform the following "uninstall" actions (applicable to SJES/DS5.2):
In CDE X-Windows terminal, run “prodreg” to uninstall components.
# prodreg
If "prodreg" does not work, a manual clean-up may be performed:
# rm -f /var/sadm/install/productregistry
# rm -f /var/sadm/install/logs/*_install*
# cd /var/sadm/pkg
# rm –rf SUNWdsv* SUNWasv* SUNWcomds
Then unset the “installed?” flag(s) in /etc/ds/versions:
#version|command path|installed?|default?
5.1|//usr/iplanet/ds5/sbin/directoryserver|YES|NO
5.2|//usr/ds/v5.2/sbin/directoryserver|NO|YES
Note 2: if some of the scripts extracted from the tar file do not have execute permission, run the following before running setup:
# chmod -R a+x *
Now start admin server and slapd if they are not started.
# ps -ef | egrep "admin-serv|slapd"
# /var/Sun/mps/start-admin
# /var/Sun/mps/slapd-`hostname`/start-slapd
The Solaris SPARC build of SJES/DS5.2 already ships at Patch_4 level. Confirm this by watching /var/Sun/mps/slapd-`hostname`/errors while restarting ns-slapd: the startup banner states the patch level. If it is not at Patch_4, download and apply the patch for your platform:
117665-03: for Solaris8/9 SPARC
117666-03: for Solaris8/9 x86
117667-03: for Windows
117668-03: for Linux
117669-03: for HP-UX
117670-03: For AIX
Now run "idsconfig", note that this command is NOT searchable by $PATH.
NOTE: if SJES/DS5.2 is used and if the LDAP domain you are trying to setup is NOT “dc=example,dc=com”, the following hack to “idsconfig” is required to fix a road block issue: “ERROR: Can not determine the top of tree”.
# cd /usr/lib/ldap
# mv idsconfig idsconfig.orig
# cp idsconfig.orig idsconfig
# vi idsconfig
Replace line:
grep -i -v NetscapeRoot > ${TMPDIR}/treeTOP
with:
grep -i -v NetscapeRoot | grep -i -v dc=example > ${TMPDIR}/treeTOP
Note: in some latest version of “idsconfig”, you would see “{GREP}” in place of “grep”.
Otherwise, please proceed.
# /usr/lib/ldap/idsconfig
It is strongly recommended that you BACKUP the directory server before running idsconfig.
Hit Ctrl-C at any time before the final confirmation to exit.
Do you wish to continue with server setup (y/n/h)? [n] y
Enter the iPlanet Directory Server's (iDS) hostname to setup: ldap1
Enter the directory manager DN: [cn=Directory Manager]
Enter passwd for cn=Directory Manager :
Enter the domainname to be served (h=help): [example.com]
Enter LDAP Base DN (h=help): [dc=example,dc=com]
Enter the profile name (h=help): [default]
Default server list (h=help): [192.168.1.168] ldap1.example.com ldap2.example.com
Preferred server list (h=help):
Choose desired search scope (one, sub, h=help): [one]
The following are the supported credential levels:
1 anonymous
2 proxy
3 proxy anonymous
Choose Credential level [h=help]: [1] 2
The following are the supported Authentication Methods:
1 none
2 simple
3 sasl/DIGEST-MD5
4 tls:simple
5 tls:sasl/DIGEST-MD5
Choose Authentication Method (h=help): [1] 2
Current authenticationMethod: simple
Do you want to add another Authentication Method? n
Do you want the clients to follow referrals (y/n/h)? [n]
Do you want to modify the server timelimit value (y/n/h)? [n]
Do you want to store passwords in "crypt" format (y/n/h)? [n] y
Do you want to setup a Service Authentication Methods (y/n/h)? [n]
Client search time limit in seconds (h=help): [30]
Profile Time To Live in seconds (h=help): [43200]
Bind time limit in seconds (h=help): [10]
Do you wish to setup Service Search Descriptors (y/n/h)? [n] y
D Delete a SSD
P Display all SSD's
H Help
X Clear all SSD's
Q Exit menu
Enter menu choice: [Quit] A
Enter the service id: passwd
Enter the base: ou=People,dc=example,dc=com
Enter the scope: one
A Add a Service Search Descriptor
D Delete a SSD
M Modify a SSD
H Help
X Clear all SSD's
Q Exit menu
Enter menu choice: [Quit] A
Enter the service id: group
Enter the base: ou=group,dc=example,dc=com
Enter the scope: one
A Add a Service Search Descriptor
D Delete a SSD
M Modify a SSD
P Display all SSD's
H Help
X Clear all SSD's
Enter menu choice: [Quit] A
Enter the service id: shadow
Enter the base: ou=People,dc=example,dc=com
Enter the scope: one
A Add a Service Search Descriptor
D Delete a SSD
M Modify a SSD
P Display all SSD's
X Clear all SSD's
Enter menu choice: [Quit] A
Enter the service id: netgroup
Enter the base: ou=netgroup,dc=example,dc=com
Enter the scope: one
A Add a Service Search Descriptor
D Delete a SSD
M Modify a SSD
P Display all SSD's
H Help
X Clear all SSD's
Q Exit menu
Enter menu choice: [Quit]
Summary of Configuration
1 Domain to serve : example.com
2 Base DN to setup : dc=example,dc=com
3 Profile name to create : default
4 Default Server List : ldap1.example.com ldap2.example.com
5 Preferred Server List :
6 Default Search Scope : one
7 Credential Level : proxy
8 Authentication Method : simple
9 Enable Follow Referrals : FALSE
10 iDS Time Limit :
11 iDS Size Limit :
12 Enable crypt password storage : TRUE
13 Service Auth Method pam_ldap :
14 Service Auth Method keyserv :
15 Service Auth Method passwd-cmd:
16 Search Time Limit : 30
17 Profile Time to Live : 43200
18 Bind Limit : 10
Enter config value to change: (1-19 0=commit changes) [0] 19
Do you wish to setup Service Search Descriptors (y/n/h)? [n] y
D Delete a SSD
M Modify a SSD
P Display all SSD's
H Help
X Clear all SSD's
Q Exit menu
Enter menu choice: [Quit] P
Current Service Search Descriptors:
==================================
passwd:ou=People,dc=example,dc=com?one
group:ou=group,dc=example,dc=com?one
shadow:ou=People,dc=example,dc=com?one
netgroup:ou=netgroup,dc=example,dc=com?one
Hit return to continue.
A Add a Service Search Descriptor
D Delete a SSD
M Modify a SSD
P Display all SSD's
H Help
X Clear all SSD's
Q Exit menu
Enter menu choice: [Quit]
Summary of Configuration
1 Domain to serve : example.com
2 Base DN to setup : dc=example,dc=com
3 Profile name to create : default
4 Default Server List : ldap1.example.com ldap2.example.com
5 Preferred Server List :
6 Default Search Scope : one
7 Credential Level : proxy
8 Authentication Method : simple
9 Enable Follow Referrals : FALSE
10 iDS Time Limit :
11 iDS Size Limit :
12 Enable crypt password storage : TRUE
13 Service Auth Method pam_ldap :
14 Service Auth Method keyserv :
15 Service Auth Method passwd-cmd:
16 Search Time Limit : 30
17 Profile Time to Live : 43200
19 Service Search Descriptors Menu
Enter config value to change: (1-19 0=commit changes) [0]
Enter DN for proxy agent: [cn=proxyagent,ou=profile,dc=example,dc=com]
Enter passwd for proxyagent: password
Re-enter passwd: password
1. Changed passwordstoragescheme to "crypt" in cn=config.
2. Schema attributes have been updated.
3. Schema objectclass definitions have been added.
4. NisDomainObject added to dc=example,dc=com.
5. Top level "ou" containers complete.
6. automount maps: auto_home auto_direct auto_master auto_shared processed.
7. ACI for dc=example,dc=com modified to disable self modify.
8. Add of VLV Access Control Information (ACI).
9. Proxy Agent cn=proxyagent,ou=profile,dc=example,dc=com added.
10. Give cn=proxyagent,ou=profile,dc=example,dc=com read permission for
password.
11. Generated client profile and loaded on server.
12. Processing eq,pres indexes:
ipHostNumber (eq,pres) Finished indexing.
uidNumber (eq,pres) Finished indexing.
ipNetworkNumber (eq,pres) Finished indexing.
gidnumber (eq,pres) Finished indexing.
oncrpcnumber (eq,pres) Finished indexing.
automountKey (eq,pres) Finished indexing.
13. Processing eq,pres,sub indexes:
membernisnetgroup (eq,pres,sub) Finished indexing.
nisnetgrouptriple (eq,pres,sub) Finished indexing.
14. Processing VLV indexes:
example.com.getgrent vlv_index Entry created
example.com.gethostent vlv_index Entry created
example.com.getnetent vlv_index Entry created
example.com.getpwent vlv_index Entry created
example.com.getrpcent vlv_index Entry created
example.com.getspent vlv_index Entry created
idsconfig: Setup of iDS server ldap1 is complete.
Note: idsconfig has created entries for VLV indexes. Use the
directoryserver(1m) script on ldap1 to stop
the server and then enter the following vlvindex
sub-commands to create the actual VLV indexes:
directoryserver -s <server-instance> vlvindex -n userRoot -T example.com.getgrent
directoryserver -s <server-instance> vlvindex -n userRoot -T example.com.gethostent
directoryserver -s <server-instance> vlvindex -n userRoot -T example.com.getnetent
directoryserver -s <server-instance> vlvindex -n userRoot -T example.com.getpwent
directoryserver -s <server-instance> vlvindex -n userRoot -T example.com.getrpcent
directoryserver -s <server-instance> vlvindex -n userRoot -T example.com.getspent
IMPORTANT NOTE: DO NOT USE "directoryserver -s <server-instance> vlvindex ..." to create the VLV indexes, as /usr/sbin/directoryserver may point at the OLD Solaris built-in iDS 5.0 or 5.1 executable. Use the following short script instead.
# cat ids52_vlvindex.sh
/var/Sun/mps/slapd-ldap1/stop-slapd
/var/Sun/mps/slapd-ldap1/vlvindex -n userRoot -T example.com.getgrent
/var/Sun/mps/slapd-ldap1/vlvindex -n userRoot -T example.com.gethostent
/var/Sun/mps/slapd-ldap1/vlvindex -n userRoot -T example.com.getnetent
/var/Sun/mps/slapd-ldap1/vlvindex -n userRoot -T example.com.getpwent
/var/Sun/mps/slapd-ldap1/vlvindex -n userRoot -T example.com.getrpcent
/var/Sun/mps/slapd-ldap1/vlvindex -n userRoot -T example.com.getspent
/var/Sun/mps/slapd-ldap1/start-slapd
# ./ids52_vlvindex.sh
[24/Feb/2005:00:00:09 -0500] - userRoot: Indexing VLV: example.com.getgrent
[24/Feb/2005:00:00:09 -0500] - userRoot: Finished indexing.
[24/Feb/2005:00:00:12 -0500] - userRoot: Indexing VLV: example.com.gethostent
[24/Feb/2005:00:00:12 -0500] - userRoot: Indexed search unsuccessful, will perform unindexed search instead.
[24/Feb/2005:00:00:12 -0500] - userRoot: Finished indexing.
[24/Feb/2005:00:00:14 -0500] - userRoot: Indexing VLV: example.com.getnetent
[24/Feb/2005:00:00:14 -0500] - userRoot: Indexed search unsuccessful, will perform unindexed search instead.
[24/Feb/2005:00:00:14 -0500] - userRoot: Finished indexing.
[24/Feb/2005:00:00:17 -0500] - userRoot: Indexing VLV: example.com.getpwent
[24/Feb/2005:00:00:17 -0500] - userRoot: Finished indexing.
[24/Feb/2005:00:00:19 -0500] - userRoot: Indexing VLV: example.com.getrpcent
[24/Feb/2005:00:00:19 -0500] - userRoot: Indexed search unsuccessful, will perform unindexed search instead.
[24/Feb/2005:00:00:19 -0500] - userRoot: Finished indexing.
[24/Feb/2005:00:00:21 -0500] - userRoot: Indexing VLV: example.com.getspent
[24/Feb/2005:00:00:21 -0500] - userRoot: Finished indexing.
Note 1: you may also use SUN ONE Console “Create Browsing Index” function (right click object) to do the same for the above.
Note 2: initially, when there is no data under ou=People and ou=group, the VLV index creation will fail (or fall back to an unindexed search, as in the output above); this is normal.
Congratulations! You have successfully completed the installation of SUN ONE Directory Server.
This step is for BOTH LDAP Server(s) and Clients which require SSL/TLS support for the LDAP connection.
IMPORTANT NOTE 2: For Solaris8, Patch 112438 is required if /dev/random instead of prngd is used to support OpenSSL.
Prepare the following short script "cr_ssl_certs_ids5ldap.sh", with the content below; please customize the details of the Certificate.
IMPORTANT NOTE: the self-signed server certificate created here is PURELY for TESTING and DEMONSTRATION PURPOSES. In a production environment, create a Certificate Signing Request (CSR) using the iPlanet Administration Console and have it signed by a trusted commercial CA such as Verisign (a paid service). The signed certificate can then be installed into the server using the iPlanet Administration Console. SUN ONE DS5.2 (iDS 5.2) already ships with a built-in list of popular Certificate Authority certificates, including Verisign.
Tips: if you are interested in a ONE-BUTTON productivity script that creates SSL certificates for both slapd and admin-serv, please consult "Configuring Solaris Native LDAP Client for Fedora Directory Server" from my Home Page for a script called "cr_ssl_certs.sh"; this script works for BOTH SUN ONE Directory Server and Fedora Directory Server.
#! /bin/sh
#
# cr_ssl_certs_ids5ldap.sh
#
# Gary Tay, 07-Jan-2005, written
#
# Ref. URL is http://docs.sun.com/source/816-5542-10/certutil.htm#13305
#
# Customize location of iDS5
IDS5_PATH=/var/Sun/mps; export IDS5_PATH
# Customize the following
PATH=$PATH:$IDS5_PATH/shared/bin; export PATH
LD_LIBRARY_PATH=$IDS5_PATH/lib:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
DOW=`date | cut -d' ' -f1`
HOST=`hostname`
DOMAIN=`domainname`
FQDN="$HOST.$DOMAIN"
ORG="Example Companies"
LOCALITY="NewYork City"
STATE="NewYork"
COUNTRY="US"
cd $IDS5_PATH/alias
echo "Backing up $IDS5_PATH/alias/*.db to $IDS5_PATH/alias/backup_$DOW..."
mkdir -p $IDS5_PATH/alias/backup_$DOW >/dev/null 2>/dev/null
cp $IDS5_PATH/alias/*.db $IDS5_PATH/alias/backup_$DOW
rm -f $IDS5_PATH/alias/slapd-$HOST-*.db
# Please read "certutil" help information
# http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
echo "Creating Key and Certificate databases..."
certutil -N -d $IDS5_PATH/alias -P "slapd-$HOST-"
# -S = Standalone certificate, -s = Subject
# -t = trust attributes, -x = self-signed, -v 12 = valid for 12 months
# -P = Prefixed with string, -5 = prompt for type of certificate
echo "Creating a self-signed Server Certificate..."
certutil -S -d $IDS5_PATH/alias -n "$FQDN" -s "CN=$FQDN,O=$ORG,L=$LOCALITY,ST=$STATE,C=$COUNTRY" -t "CTPu,CTPu,CTPu" -x -v 12 -P "slapd-$HOST-" -5
echo "Listing the certificate..."
certutil -L -d $IDS5_PATH/alias -P "slapd-$HOST-"
certutil -L -d $IDS5_PATH/alias -P "slapd-$HOST-" -n $FQDN
echo "Verifying the certificate..."
certutil -V -d $IDS5_PATH/alias -P "slapd-$HOST-" -n $FQDN -u V -e -l
Run this script:
# ./cr_ssl_certs_ids5ldap.sh
Backing up /var/Sun/mps/alias/*.db to /var/Sun/mps/alias/backup_Thu...
Creating Key and Certificate databases...
In order to finish creating your database, you
must enter a password which will be used to
encrypt this key and any future keys.
The password must be at least 8 characters long,
and must contain at least one non-alphabetic character.
Enter new password: secret
Re-enter password: secret
Creating a self-signed Server Certificate...
A random seed must be generated that will be used in the
creation of your key. One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.
To begin, type keys on the keyboard until this progress meter
is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
Continue typing until the progress meter is full:
|************************************************************|
Finished. Press enter to continue:
Enter Password or Pin for "NSS Certificate DB": secret
Generating key. This may take a few moments...
0 - SSL Client
1 - SSL Server
2 - S/MIME
3 - Object Signing
4 - Reserved for future use
5 - SSL CA
6 - S/MIME CA
7 - Object Signing CA
Other to finish
1
0 - SSL Client
1 - SSL Server
2 - S/MIME
3 - Object Signing
4 - Reserved for future use
5 - SSL CA
6 - S/MIME CA
7 - Object Signing CA
Other to finish
9
Is this a critical extension [y/n]?
y
Listing the certificate...
Certificate Name Trust Attributes
ldap1.example.com CTPu,CTPu,CTPu
p Valid peer
P Trusted peer (implies p)
c Valid CA
T Trusted CA to issue client certs (implies c)
C Trusted CA to certs(only server certs for ssl) (implies c)
u User cert
w Send warning
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
00:cb:4f:a8:2b
Signature Algorithm: PKCS #1 MD5 With RSA Encryption
Issuer: CN=ldap1.example.com, O=Example Companies, L=NewYork City, ST=NewYork, C=US
Validity:
Not Before: Thu Feb 24 06:19:43 2005
Not After: Wed May 24 06:19:43 2006
Subject: CN=ldap1.example.com, O=Example Companies, L=NewYork City, ST=NewYork, C=US
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
00:b0:79:44:72:b7:61:84:d9:c1:17:4d:a1:05:48:
0e:4b:3d:c8:02:52:9d:4e:de:9e:6b:b9:7e:2b:5b:
a4:40:d0:d4:e3:1c:3f:93:02:19:d7:5b:68:85:b6:
a9:d8:ef:85:ae:9b:09:33:ae:52:d6:78:d5:a9:de:
c8:bf:ce:f6:c7:d7:12:74:aa:21:fa:1a:9d:5d:45:
20:d9:4d:47:6c:1d:88:de:d9:c2:2b:bc:76:80:a6:
f5:8a:0d:fc:48:f6:fc:c0:38:e3:69:4a:3f:15:11:
b5:dc:a7:9f:1b:59:56:c8:3a:68:a4:9f:41:be:e9:
33:7b:e3:e3:89:39:0a:77:b5
Exponent: 65537 (0x10001)
Signed Extensions:
Name:
Certificate Type
Critical:
True
Data: <SSL Server>
Fingerprint (MD5):
D4:1D:8C:D9:8F:00:B2:04:E9:80:09:98:EC:F8:42:7E
Fingerprint (SHA1):
DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09
Signature Algorithm: PKCS #1 MD5 With RSA Encryption
Signature:
01:c7:8a:1d:55:7f:25:3d:fd:dd:db:5e:04:ac:de:16:7f:b2:
07:c9:27:e0:c6:03:90:16:f9:3e:7d:8a:55:27:43:d1:d9:db:
90:4c:38:1e:c1:14:2f:99:be:d4:46:90:f7:9c:64:f2:8c:f2:
af:0e:62:da:55:9c:66:72:24:9f:46:52:46:ac:3a:73:a3:0d:
31:b1:4e:36:86:f0:3d:8c:3d:09:14:71:15:30:ca:4b:41:cd:
e5:4c:bf:4b:5d:8a:81:e2:fb:c4:51:72:c4:48:50:ba:02:d4:
bc:bb:00:2c:a9:43:dc:80:e4:90:8b:c0:2c:55:7d:94:b4:63:
59:d4
Certificate Trust Flags:
SSL Flags:
Valid Peer
Trusted
Valid CA
Trusted CA
User
Trusted Client CA
Email Flags:
Valid Peer
Trusted
Valid CA
Trusted CA
User
Trusted Client CA
Object Signing Flags:
Valid Peer
Trusted
Valid CA
Trusted CA
User
Trusted Client CA
Verifying the certificate...
Enter Password or Pin for "NSS Certificate DB": secret
certutil: certificate is valid
The above run creates slapd-ldap1-key3.db and slapd-ldap1-cert7.db in /var/Sun/mps/alias ($IDS5_PATH/alias). Note from the listing that this certutil signs the certificate with MD5-with-RSA, and the openssl s_client test further below negotiates RC4-MD5; both were normal in 2005 but are considered broken today and are disabled in current TLS stacks, so a production certificate should be issued by a CA with a SHA-2 signature.
Now we have to configure iDS 5.2 to use SSL encryption.
Start the iPlanet Administration Server if it is not started.
# /var/Sun/mps/start-admin
Run the local iPlanet Administration Console (/var/Sun/mps/startconsole) or run the Windows based "SUN ONE Server Console".
# /var/Sun/mps/startconsole
Login as cn=Directory Manager
Go to Directory Server Tasks/Manage Certificates tab and notice that there is a certificate called "ldap1.example.com", issued to "ldap1.example.com" by itself, valid for use as an SSL Server Certificate for 15 months (with this version of certutil, -v 12 yields the 12 months requested plus the 3-month default, as the Not After date in the listing above shows).
Go to Directory Server Configuration/Encryption tab, check "Enable SSL for this server" and "Use this cipher family: RSA", and ensure that the "Certificate" field references the certificate we created in slapd-ldap1-cert7.db, i.e. the one with nickname ldap1.example.com.
Click Save
Go to Directory Server Configuration/Network tab, ensure that LDAP server will be run to listen on "Both secure and non-secure ports", i.e. port 389 as well as 636.
Go to Directory Server Tasks, stop the LDAP Server, when you try to restart it, you would notice it will need a password file.
You can EITHER start it from the command line (start-slapd will then prompt for the key database password) OR create the password (pin) file for slapd-ldap1-key3.db. It MUST have this name and format: /var/Sun/mps/alias/slapd-ldap1-pin.txt
# echo "Internal (Software) Token:secret" >/var/Sun/mps/alias/slapd-ldap1-pin.txt
IMPORTANT NOTE: DO NOT LEAVE ANY SPACES after "Token:" or at the end of the line, or the password will not be recognized by "start-slapd". The file holds the key database password in clear text, so restrict it to the slapd owner:
# chmod 400 /var/Sun/mps/alias/slapd-ldap1-pin.txt
If ns-slapd runs as a non-root user, for example "nobody", "ns-slapd" or "ldap", make sure the pin file is owned by, and thus readable by, that user:
# chown <slapd-owner> /var/Sun/mps/alias/slapd-ldap1-pin.txt
Restart LDAP Server now.
# /var/Sun/mps/slapd-ldap1/start-slapd
Congratulations! You have configured an LDAP Server with SSL/TLS support.
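The pin file is easy to get wrong, and because it holds the password to the server's private key it must not be readable by other local users. The following is an added check script, not part of the original HOWTO; it assumes the file name and token name shown above, and that the slapd owner is root unless a second argument is given:

```shell
#!/bin/sh
# Added check, not part of the original HOWTO: validate the slapd PIN file that
# start-slapd reads when SSL is enabled. It catches the two mistakes the text
# warns about (whitespace after "Token:" or at the end of the line) and a file
# that other local users can read, which would hand them the key database
# password. Path and token name are the HOWTO's example values; the expected
# owner defaults to root (an assumption, override with the second argument).

# check_pin_file FILE [OWNER]
# Returns 0 when FILE is one line "Internal (Software) Token:<pin>" with no
# surrounding whitespace, has mode 0400 and is owned by OWNER; prints each
# problem found and returns 1 otherwise.
check_pin_file() {
    f=$1; want_owner=${2:-root}; rc=0
    if [ ! -f "$f" ]; then
        echo "missing: $f"; return 1
    fi
    nlines=$(wc -l < "$f" | tr -d ' ')
    if [ "$nlines" -gt 1 ]; then
        echo "more than one line in $f"; rc=1
    fi
    # exactly the token name, a colon and a pin with no whitespace in it
    if ! grep -q '^Internal (Software) Token:[^[:space:]][^[:space:]]*$' "$f"; then
        echo "bad format (check for spaces after 'Token:' or at end of line)"; rc=1
    fi
    if grep -q '[[:space:]]$' "$f"; then
        echo "trailing whitespace found"; rc=1
    fi
    mode=$(ls -l "$f" | cut -c1-10)
    if [ "$mode" != "-r--------" ]; then
        echo "mode is $mode, want -r-------- (chmod 400)"; rc=1
    fi
    owner=$(ls -l "$f" | awk '{print $3}')
    if [ "$owner" != "$want_owner" ]; then
        echo "owner is $owner, want $want_owner"; rc=1
    fi
    return $rc
}

# Typical use on the server, after creating the file as shown above:
#   check_pin_file /var/Sun/mps/alias/slapd-ldap1-pin.txt && echo "pin file ok"
```

Run it again after any chown of the slapd instance, since a pin file the daemon cannot read fails in exactly the same way as a malformed one: start-slapd simply refuses to start.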
You may now try to retrieve the directory data:
# /usr/bin/ldapsearch -b "dc=example,dc=com" -L "objectclass=*"
Log in as root and install OpenSSL and the supporting libgcc package, both of which can be downloaded from http://www.sunfreeware.com.
# pkgadd -d openssl-0.9.7X-sol9-sparc-local
# pkgadd -d libgcc-3.X.X-sol9-sparc-local
This installs OpenSSL into the standard /usr/local/ssl directory and the supporting libgcc into /usr/local/lib.
You may now test SSL/TLS locally using the following command:
# env LD_LIBRARY_PATH=/usr/local/ssl/lib:/usr/local/lib /usr/local/ssl/bin/openssl s_client -connect localhost:636 -showcerts
CONNECTED(00000003)
depth=0 /C=US/ST=NewYork/L=NewYork City/O=Example Companies/CN=ldap1.example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=NewYork/L=NewYork City/O=Example Companies/CN=ldap1.example.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=NewYork/L=NewYork City/O=Example Companies/CN=ldap1.example.com
i:/C=US/ST=NewYork/L=NewYork City/O=Example Companies/CN=ldap1.example.com
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=NewYork/L=NewYork City/O=Example Companies/CN=ldap1.example.com
issuer=/C=US/ST=NewYork/L=NewYork City/O=Example Companies/CN=ldap1.example.com
---
Acceptable client certificate CA names
/C=US/ST=NewYork/L=NewYork City/O=Example Companies/CN=ldap1.example.com
---
SSL handshake has read 909 bytes and written 342 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: 4CBF01674425A9E455393A843FA6AEA8838372F7DC13531168B9B3C9AF5857FE
Session-ID-ctx:
Master-Key: D04984C9F325DD4CBEBE8A4BD63A182C98CB2C0AE3CD9F0A8FF6102A4C499512E757D996F2F80C9906288673BF52E0D7
Key-Arg : None
Start Time: 1109232085
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
^C#
<Ctrl-C or Ctrl-Break to exit>
IMPORTANT NOTE: please ensure that the FQDN (Fully Qualified Domain Name) as shown by CN=<FQDN> is defined in /etc/hosts file.
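The FQDN requirement above (the same name first after the IP address in /etc/hosts, as in the Preparation Steps, and as the CN of the server certificate) can be checked with the following added example. It is not part of the original HOWTO; the hostnames and the subject line are this document's example values, and live_check assumes openssl is in $PATH:

```shell
#!/bin/sh
# Added example, not part of the original HOWTO. The same FQDN must appear in
# three places: first after the IP address in /etc/hosts, as the CN of the
# server certificate, and as the name clients connect to. These functions
# check the first two from plain text, so they also work on a saved
# "openssl s_client" transcript. Names below are the HOWTO's example values.

# hosts_fqdn_first HOSTS_FILE IP FQDN
# 0 if the HOSTS_FILE line for IP lists FQDN as its first name, i.e. the form
# "192.168.1.168 ldap1.example.com ldap1" the Preparation Steps require.
hosts_fqdn_first() {
    awk -v ip="$2" -v fqdn="$3" '
        $1 == ip { found = 1; if ($2 == fqdn) ok = 1 }
        END { if (found && ok) exit 0; exit 1 }' "$1"
}

# cert_cn SUBJECT_LINE -> prints the CN of an openssl-style subject line, in
# either the "subject=/C=US/.../CN=host" form (OpenSSL 0.9.x, as in the
# transcript above) or the "subject=C = US, ..., CN = host" form (1.1+).
cert_cn() {
    printf '%s\n' "$1" \
      | sed -n -e 's/^subject= *//' -e 's/.*CN *= *\([^/,]*\).*/\1/p' \
      | sed 's/[[:space:]]*$//'
}

# cert_cn_matches SUBJECT_LINE FQDN -> 0 if the CN equals FQDN (case-insensitive)
cert_cn_matches() {
    cn=$(cert_cn "$1" | tr 'A-Z' 'a-z')
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$cn" ] && [ "$cn" = "$want" ]
}

# live_check FQDN [PORT]: fetch the certificate from a running ldaps listener
# and run both checks. Needs openssl in PATH and network access, so it is not
# exercised offline.
live_check() {
    host=$1; port=${2:-636}
    subj=$(openssl s_client -connect "$host:$port" </dev/null 2>/dev/null \
           | openssl x509 -noout -subject)
    cert_cn_matches "$subj" "$host" \
        || { echo "certificate CN '$(cert_cn "$subj")' does not match $host"; return 1; }
    ip=$(awk -v h="$host" '$2 == h { print $1; exit }' /etc/hosts)
    [ -n "$ip" ] \
        || { echo "$host is not the first name on any /etc/hosts line"; return 1; }
    echo "ok: $host -> $ip, certificate CN matches"
}
```

cert_cn only reads the subject CN, which is what the self-signed certificate above carries; a CA-issued certificate whose name is present only in subjectAltName would need a second check on that extension.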
This step is for LDAP Server(s).
Prepare People.ldif and group.ldif and add them into directory data. You may also manually add directory data using iPlanet Console.
Tips 1: when you use iPlanet Console to add People entry, remember to check the “posix” user (posixAccount) option, so that uidNumber and gidNumber could be entered.
Tips 2: Use the /var/Sun/mps/slapd-ldap1/getpwenc command to produce the hashed form of an LDAP userPassword.
# cd /var/Sun/mps/slapd-ldap1
# ./getpwenc CRYPT testpassword
{crypt}GFOZa/ZLlDdng
A sample People.ldif with only two entries is shown here
dn: uid=gtay, ou=People, dc=example,dc=com
givenName: Gary
sn: Tay
loginShell: /bin/bash
uidNumber: 6167
gidNumber: 102
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
uid: gtay
cn: Gary Tay
homeDirectory: /home/gtay
shadowLastChange: -1
shadowMin: -1
shadowMax: 99999
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 0
gecos: Gary Tay
userPassword: {CRYPT}U8bo2twhJ9Kkg

dn: uid=tuser, ou=People, dc=example,dc=com
givenName: Test
sn: User
loginShell: /bin/bash
uidNumber: 9999
gidNumber: 102
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
uid: tuser
cn: Test User
homeDirectory: /home/tuser
shadowLastChange: -1
shadowMin: -1
shadowMax: 99999
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 0
gecos: Test User
userPassword: {SHA}MWxHz/4F3kXGXlfK4EvIJUo2C2U=
A sample group.ldif with only one entry is shown here
dn: cn=Users,ou=group,dc=example,dc=com
cn: Users
gidNumber: 102
objectClass: top
objectClass: posixGroup
memberUid: gtay
memberUid: tuser
If you need SSL/TLS to protect the LDAP connection sessions, prepare tls_profile.ldif.
dn: cn=tls_profile,ou=profile,dc=example,dc=com
ObjectClass: top
ObjectClass: DUAConfigProfile
defaultServerList: ldap1.example.com ldap2.example.com
defaultSearchBase: dc=example,dc=com
authenticationMethod: tls:simple
followReferrals: FALSE
defaultSearchScope: one
searchTimeLimit: 30
profileTTL: 43200
bindTimeLimit: 10
cn: tls_profile
credentialLevel: proxy
serviceSearchDescriptor: passwd: ou=People,dc=example,dc=com?one
serviceSearchDescriptor: group: ou=group,dc=example,dc=com?one
serviceSearchDescriptor: shadow: ou=People,dc=example,dc=com?one
serviceSearchDescriptor: netgroup: ou=netgroup,dc=example,dc=com?one
# /usr/bin/ldapadd -c -D "cn=Directory Manager" -f People.ldif
Bind Password:
adding new entry uid=gtay, ou=People, dc=example,dc=com
adding new entry uid=tuser, ou=People, dc=example,dc=com
# /usr/bin/ldapadd -c -D "cn=Directory Manager" -f group.ldif
Bind Password:
adding new entry cn=Users,ou=group,dc=example,dc=com
# /usr/bin/ldapadd -c -D "cn=Directory Manager" -f tls_profile.ldif
Bind Password:
adding new entry cn=tls_profile,ou=profile,dc=example,dc=com
For mass import of People and group entries, you may use the “/usr/sbin/ldapaddent” command (see “man ldapaddent” for details), or PADL’s MigrationTools:
http://www.padl.com/OSS/MigrationTools.html
Examples of ldapaddent are listed below. Note the sequence: the passwd DB first, then shadow. Note also the use of “-p” to create the userPassword attribute; the CRYPT password is only added when the DB is shadow.
# cat test.txt
test9991:x:9991:102:test9991:/var/tmp:/bin/sh
# ldapaddent -v -f test.txt -D "cn=Directory Manager" -p passwd
Enter password:
SERVICE = passwd
Adding entry : test9991
1 entries added
# cat tests.txt
test9991:ElnMr/iU805dA:12881::::::
# ldapaddent -v -f tests.txt -D "cn=Directory Manager" shadow
Enter password:
SERVICE = shadow
Adding entry : test9991
1 entries added
#
IMPORTANT NOTE ABOUT LDIF IMPORT FILES:
When you copy and paste the content of People.ldif and group.ldif, or any other .ldif file from this document, to prepare an LDAP data import with the ldapadd command, make sure that ALL LEADING AND TRAILING SPACES on every line of the .ldif file are removed, or else the “ldapadd” command will throw errors.
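As an added example (not part of the original document, and not ldapaddent or PADL MigrationTools), the following script builds People.ldif entries in the layout shown above from passwd and shadow lines such as test.txt and tests.txt. The base DN and the values substituted for empty shadow fields are assumptions.

```shell
#!/bin/sh
# passwd_to_ldif.sh - added example, not from the original document and not
# ldapaddent or MigrationTools. Builds People.ldif entries from passwd(4) and
# shadow(4) lines. userPassword and the shadow* attributes are emitted only
# when a shadow line exists for the uid (ldapaddent's passwd-then-shadow order).
BASE="ou=People,dc=example,dc=com"    # assumed base DN
# passwd_to_ldif PASSWD_FILE SHADOW_FILE  -> LDIF on stdout
# Empty shadow fields get the values the sample entries above use (assumption):
# -1 for lastchange/min/inactive/expire, 99999 for max, 7 for warning.
passwd_to_ldif() {
    awk -F: -v base="$BASE" '
        function dflt(v, d) { return (v == "" ? d : v) }
        # first argument is the shadow file: remember hash and aging fields
        FILENAME == ARGV[1] {
            hash[$1] = $2; last[$1] = $3; min[$1] = $4; max[$1] = $5
            warn[$1] = $6; inact[$1] = $7; expire[$1] = $8; next
        }
        # second argument is the passwd file: one blank-line separated entry each
        {
            uid = $1; gecos = ($5 == "" ? uid : $5)
            n = split(gecos, w, " ")         # first word -> givenName, last -> sn
            printf "dn: uid=%s,%s\n", uid, base
            printf "objectClass: top\nobjectClass: person\n"
            printf "objectClass: organizationalPerson\nobjectClass: inetorgperson\n"
            printf "objectClass: posixAccount\nobjectClass: shadowAccount\n"
            printf "uid: %s\ncn: %s\ngivenName: %s\nsn: %s\n", uid, gecos, w[1], w[n]
            printf "uidNumber: %s\ngidNumber: %s\n", $3, $4
            printf "homeDirectory: %s\nloginShell: %s\ngecos: %s\n", $6, $7, gecos
            if (uid in hash) {
                printf "userPassword: {CRYPT}%s\n", hash[uid]
                printf "shadowLastChange: %s\nshadowMin: %s\n", dflt(last[uid], -1), dflt(min[uid], -1)
                printf "shadowMax: %s\nshadowWarning: %s\n", dflt(max[uid], 99999), dflt(warn[uid], 7)
                printf "shadowInactive: %s\nshadowExpire: %s\n", dflt(inact[uid], -1), dflt(expire[uid], -1)
                printf "shadowFlag: 0\n"
            }
            printf "\n"
        }' "$2" "$1"
}
# Stand-alone demo on constructed input: the test.txt and tests.txt lines above.
demo() {
    d=$(mktemp -d) || return 1
    printf 'test9991:x:9991:102:test9991:/var/tmp:/bin/sh\n' > "$d/passwd"
    printf 'test9991:ElnMr/iU805dA:12881::::::\n' > "$d/shadow"
    passwd_to_ldif "$d/passwd" "$d/shadow"
    rm -rf "$d"
}
demo
```

The output carries password hashes, so write it with a restrictive umask and remove the file once ldapadd has imported it.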
Create iDS5 LDAP server start/stop script /etc/init.d/ids5ldap.server, modify Run Control startup script as needed.
# touch /etc/init.d/ids5ldap.server
# chmod 744 /etc/init.d/ids5ldap.server
# mv /etc/rc2.d/S72directory /etc/rc2.d/s72directory
# ln -s /etc/init.d/ids5ldap.server /etc/rc2.d/S72directory
# vi /etc/init.d/ids5ldap.server
#! /bin/sh
#
# ids5ldap.server - iDS5 LDAP Server start script
#
# Gary Tay, 19-Feb-2005
#
IDS5_PATH=/var/Sun/mps
SERVER_ID=`hostname`
SERVER_OWNER="root"
SERVER_GROUP="root"
LD_LIBRARY_PATH=/usr/lib:/usr/local/lib:/usr/local/ssl/lib:/var/Sun/mps/lib:/usr/lib/mps
export LD_LIBRARY_PATH
case "$1" in
'start')
    echo 'SUN ONE Directory Server service starting.'
    $IDS5_PATH/slapd-$SERVER_ID/start-slapd
    # the admin server must be able to read the certificate/key databases
    chown $SERVER_OWNER:$SERVER_GROUP $IDS5_PATH/alias/*.db
    su - $SERVER_OWNER -c "$IDS5_PATH/start-admin"
    ;;
'stop')
    echo 'SUN ONE Directory Server service stopping.'
    $IDS5_PATH/slapd-$SERVER_ID/stop-slapd
    $IDS5_PATH/stop-admin
    ;;
*)
    echo "Usage: $0 { start | stop }"
    exit 1
    ;;
esac
Try stopping and starting the LDAP server:
# /etc/init.d/ids5ldap.server stop
# /etc/init.d/ids5ldap.server start
To verify:
# ps -ef | grep ns-slapd
root 19647 1 0 02:46:26 ? 0:03 ./ns-slapd -D /var/Sun/mps/slapd-ldap1 -i /var/Sun/mps/slapd-ldap1/lo
root 20286 16953 0 03:47:46 pts/1 0:00 grep ns-slapd
Tips: whenever you have problems starting the LDAP server, i.e. it is not shown in the process status, check the errors log file in the /var/Sun/mps/slapd-ldap1/logs directory.
Try to list the LDAP content locally at the server by binding anonymously (without the "-D" option); note that userPassword never gets listed.
# /usr/bin/ldapsearch -h ldap1.example.com -b "dc=example,dc=com" -L "objectclass=*"
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain
objectClass: nisDomainObject
nisDomain: example.com
dn: cn=Directory Administrators, dc=example,dc=com
objectClass: top
objectClass: groupofuniquenames
cn: Directory Administrators
dn: ou=Groups, dc=example,dc=com
objectClass: top
objectClass: organizationalunit
ou: Groups
dn: ou=People, dc=example,dc=com
objectClass: top
objectClass: organizationalunit
ou: People
dn: ou=Special Users,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Special Users
description: Special Administrative Accounts
dn: cn=Accounting Managers,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: Accounting Managers
ou: groups
description: People who can manage accounting entries
dn: cn=HR Managers,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: HR Managers
ou: groups
description: People who can manage HR entries
dn: cn=QA Managers,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: QA Managers
ou: groups
description: People who can manage QA entries
dn: cn=PD Managers,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: PD Managers
ou: groups
description: People who can manage engineer entries
dn: ou=group,dc=example,dc=com
ou: group
objectClass: top
objectClass: organizationalUnit
dn: ou=rpc,dc=example,dc=com
ou: rpc
objectClass: top
objectClass: organizationalUnit
dn: ou=protocols,dc=example,dc=com
ou: protocols
objectClass: top
objectClass: organizationalUnit
dn: ou=networks,dc=example,dc=com
ou: networks