Installing and configuring iPlanet Directory Server for Solaris9

 

(iPlanet Directory Server is now called SUN ONE Directory Server or Java System Directory Server)

 

(SimpleBind + SSL/TLS/start_tls + without-SASL + automount + netgroup + sudo + apache)

(See also related documents at http://web.singnet.com.sg/~garyttt/)

 

Last Updated: 6-Dec-2007

 

Purpose:

 

This document describes the steps involved in installing and configuring a SUN ONE (iPlanet) Directory Server (DS5.2 or iDS 5.2) with SSL/TLS support on Solaris8/9, to be accessed by RedHat Linux or Solaris8/9 LDAP Clients. Many useful productivity UNIX Shell scripts are also provided in this document.

 

To use LDAP centralized authentication with nss_ldap and pam_ldap, i.e. to use the LDAP "uid" and "userPassword" attributes for UNIX account id and password lookup, you must also complete the setup documented in “Installing and configuring OpenSSH with pam_ldap for Solaris9” and/or “Installing and configuring OpenSSH with pam_ldap for RedHat Enterprise Linux3”.

 

Another related document "Deploying SUN Solaris Native LDAP Client by using automated scripts", describes the steps involved in building up an infrastructure environment for rapid deployment of Native LDAP Client.

 

Download URL:

http://www.sun.com/software/products/directory_srvr_ee/get.jsp

 

Public Mail Lists/Forums:

http://lists.fini.net/mailman/listinfo/ldap-interop

http://forum.java.sun.com/forum.jspa?forumID=761

http://www.ldapguru.com

http://www.dbforums.com (comp.unix.solaris)

http://bbs.chinaunix.net/ (Chinese web site)

 

Useful URLs:

·         SUN Blogs http://blogs.sun.com,

Search for “ldap” or “ldapclient” or “ldap ssl” or “ldap tls” or “ldap nis” depending on your need.

·         Raja’s SUN Native LDAP Product Support Document

http://blogs.sun.com/roller/resources/raja/ldap-psd.html

·         SUN Blue Print: Tom Bialaski and Michael Haines’s “LDAP in the Solaris Operating Environment”

http://www.sun.com/books/catalog/haines_bialaski_ldap.xml (not downloadable, got to buy it)

·         SUN Blue Print: Michael Haines’s  “Understanding NIS to LDAP Service (N2L) Architecture”

http://www.sun.com/blueprints/0306/819-4326.pdf

·         A twisted world - Rohan Pinto’s Weblog :: NIS to LDAP migration guide

http://blogs.sun.com/rohanpinto/entry/nis_to_ldap_migration_guide

·         SUN ONE Directory Server 5.2 Installation and Tuning Guide:

http://docs.sun.com/source/816-6697-10/contents.html

·         SUN Solaris9's “System Administration Guide: Naming and Directory Services - May 2002”:

http://docs.sun.com/app/docs/doc/816-4856

·         SUN Solaris10's “System Administration Guide: Naming and Directory Services”:

http://docs.sun.com/app/docs/doc/816-4556

·         SUN ONE Directory Server 5.2 documentations:

http://docs.sun.com/app/docs/coll/S1_DirectoryServer_52

·         SUN Java System/Directory Server 5 / 2005Q1 documentations:

http://docs.sun.com/app/docs/coll/DirectoryServer_05q1

·         SUN Java System/Directory Server 5 / 2005Q4 documentations:

http://docs.sun.com/app/docs/coll/1316.1

·         John Berger’s Beginner Guide to SunONE DS

      http://www.thebergerbits.com/Beginners_Guide_to_SunONE_DS.pdf

·         SUN ONE Directory Server 5.2 release notes:

      http://docs.sun.com/source/816-6703-10/index.html

·         SUN Java System Directory Server 5.2 / 2005Q1 release notes:

      http://docs.sun.com/source/817-7611/index.html

·         SUN Java System/Directory Server 5.2 / 2005Q4 release notes

      http://docs.sun.com/source/819-2405/index.html

·         SUN Java System/Directory Server 5.2 / 2005Q1 release notes for Compressed Archive

      http://docs.sun.com/source/819-1815/index.html

·         SUN Java System/Directory Server 5.2 / 2005Q4 release notes for Patchzip

      http://docs.sun.com/source/819-4290/index.html

·         SUN Java System/Directory Server 5.2 Log File Access Log Content:

      http://docs.sun.com/source/817-7616/fileref.html#wp20452

·         OpenSSH LDAP Public Key Patch

http://www.opendarwin.org/projects/openssh-lpk/

·         LDAP Error and Status Codes

http://www.directory-info.com/LDAP/LDAPErrorCodes.html

·         BIND9.NET LDAP Page

http://www.bind9.net/ldap

·         SUN ONE Directory Server Error Code Reference:

http://docs.sun.com/source/816-6699-10/ax_errcd.html

·         Automating LDAP Client Installation (JumpStart)

      http://www.sun.com/blueprints/0701/LDAPinstall.pdf

·         LDAP Client Login Authentication

      http://yolinux.com/TUTORIALS/LDAP_Authentication.html

·         Integrating AIX into Heterogenous LDAP Environments

      http://www.redbooks.ibm.com/redbooks/pdfs/sg247165.pdf

·         Integrating  UNIX/Linux LDAP Clients into Active Directory – ad4unix

      http://sourceforge.net/projects/ad4unix/

·         Integrating  Windows Clients into UNIX/Linux LDAP Server - pGina

      http://sourceforge.net/projects/pgina/

·         SUN Directory Server Resource Kit

http://www.sun.com/software/products/directory_srvr_ee/get.jsp

 

Freeware tools used:

·         OpenSSL 0.9.7e or later – http://www.openssl.org

·         LDAP Browser/Editor: http://www-unix.mcs.anl.gov/~gawor/ldap/

·         BIND9.NET LDAP Tools: http://www.bind9.net/ldap-tools

·         JXplorer Java LDAP Browser/Editor: http://pegacat.com/jxplorer/  (can do SSL connection)

·         Other Graphical LDAP Tools: http://en.tldp.org/HOWTO/LDAP-HOWTO/graphicaltools.html

·         Novell LDAP CoolTools: http://www.novell.com/coolsolutions/tools/bycategory/168.html

·         LDAP Account Manager: http://lam.sf.net

·         Softerra LDAP Administrator: http://www.ldapadministrator.com/

·         SUN Directory Editor: http://www.sun.com/software/products/directory_srvr_ee/get.jsp

 

Example used:

 

·         MASTER LDAP Server: ldap1.example.com, 192.168.1.168

·         SLAVE LDAP Server: ldap2.example.com, 192.168.1.178

·         RedHat EL3 LDAP Client: client1.example.com, 192.168.1.188

·         Solaris8 LDAP Client: client2.example.com, 192.168.1.198

·         Solaris9 LDAP Client: client3.example.com, 192.168.1.208

 

It is highly recommended that OS level Security Hardening be applied to all LDAP Servers.

 

Preparation Steps:

 

This step is for BOTH LDAP Server(s) as well as Clients

 

Please ensure that IP addresses of LDAP Server(s) are defined in DNS and/or /etc/hosts

 

It is important that the Fully Qualified Domain Name (eg: ldap1.example.com) be listed as the first entry right after the IP address, as shown below:

192.168.1.168             ldap1.example.com    ldap1
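As an added check (example code, not part of this document or of the Solaris tools), the following shell function verifies that an /etc/hosts entry follows the rule above: the FQDN must be the first name after the IP address, listed on exactly one line, and not mapped to a second address. It assumes a POSIX sh (bash, or /usr/xpg4/bin/sh on Solaris); the function name check_hosts_fqdn and the sample hosts file are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original document: verify that the
# /etc/hosts line for an LDAP server lists the Fully Qualified Domain
# Name first, right after the IP address.
# Assumes a POSIX sh; check_hosts_fqdn and the sample file are this
# example's own and not part of any product.

# check_hosts_fqdn HOSTSFILE IP FQDN
# Returns 0 when the only line for IP has FQDN as its first name and
# FQDN is not also mapped to another address; otherwise prints the
# problem found and returns 1.
check_hosts_fqdn() {
    hosts="$1"; ip="$2"; fqdn="$3"

    # drop comments and blank lines so a commented-out entry does not count
    clean=$(sed 's/#.*//' "$hosts" | awk 'NF > 0')

    entries=$(printf '%s\n' "$clean" | awk -v ip="$ip" '$1 == ip')
    [ -n "$entries" ] || { echo "$hosts: no entry for $ip"; return 1; }

    n=$(printf '%s\n' "$entries" | wc -l | tr -d ' ')
    [ "$n" -eq 1 ] || { echo "$hosts: $ip appears on $n lines"; return 1; }

    # the FQDN must not resolve to a second address as well
    other=$(printf '%s\n' "$clean" | awk -v ip="$ip" -v f="$fqdn" \
        '$1 != ip { for (i = 2; i <= NF; i++) if ($i == f) print $1 }')
    [ -z "$other" ] || { echo "$hosts: $fqdn is also mapped to $other"; return 1; }

    first=$(printf '%s\n' "$entries" | awk '{ print $2 }')
    if [ "$first" = "$fqdn" ]; then
        return 0
    fi

    # distinguish "FQDN present only as an alias" from "FQDN missing"
    if printf '%s\n' "$entries" | awk -v f="$fqdn" \
        '{ for (i = 2; i <= NF; i++) if ($i == f) found = 1 } END { exit !found }'
    then
        echo "$hosts: $fqdn is only an alias of $first; it must come first after $ip"
    else
        echo "$hosts: $fqdn is not listed for $ip (first name is $first)"
    fi
    return 1
}

# Demonstration on a constructed sample hosts file (not a real /etc/hosts).
demo=$(mktemp -d) && {
    cat > "$demo/hosts" <<'EOF'
# constructed sample
127.0.0.1       localhost
192.168.1.168   ldap1.example.com    ldap1
192.168.1.178   ldap2    ldap2.example.com
EOF
    check_hosts_fqdn "$demo/hosts" 192.168.1.168 ldap1.example.com && echo "ldap1: OK"
    check_hosts_fqdn "$demo/hosts" 192.168.1.178 ldap2.example.com || echo "ldap2: fix /etc/hosts"
    rm -rf "$demo"
}
```

Run it against the real file with check_hosts_fqdn /etc/hosts 192.168.1.168 ldap1.example.com on every server and client before running ldapclient.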

 

Please ensure that the LDAP domain example.com is defined in /etc/resolv.conf; in the case of Solaris LDAP clients and servers, /etc/defaultdomain should contain "example.com" as the LDAP domain.

 

If this is an upgrade of an old iDS 5.0 or 5.1 Server to the latest 5.2, it is always wise to back up all *.db TLS security files in $IDS5_PATH/alias before proceeding.

 

The procedures in this document are also applicable to Solaris8 provided that patch 108993 has been applied; note that Solaris8 has a different syntax for the “ldapclient” command. For Solaris9, LDAP library patch 112960 is highly recommended. See also the following URL if you are using SJES/DS5.2.

 

http://docs.sun.com/source/817-7611/index.html#wp33336

 

Please refer to Appendix for a useful script to check patches.

 

The procedures are also applicable to Solaris10, where there is a specific step for the “crle” command; you may like to refer to this URL:

http://www.sunmanagers.org/pipermail/summaries/2005-August/006688.html

 

For Solaris10 LDAP Client, it is noted that the entry “ipnodes: files ldap” in /etc/nsswitch.conf should be replaced with just “ipnodes: files” or else ldapclient initialization will hang.

 

Step 1: Install SUN ONE Directory Server 5.2 Patch_4

 

This step is for LDAP Server(s) only.

 

Log in as root.

 

# cd /var/tmp

# tar xvf ds.5.2.P4.Solaris.SPARC.full.tar

 

IMPORTANT NOTE: If a previous version of iDS5 (5.0/5.1) is installed, shut down its slapd process, uninstall its software components, remove any references to 5.0/5.1 (eg: /usr/iplanet/ds5/lib) from LD_LIBRARY_PATH in /etc/profile and/or the current login shells, and disable the iDS5.0/5.1 startup script (cd /etc/rc2.d; mv S72directory s72directory; ./s72directory stop) before running "setup".

 

# ./setup

or

# ./setup -nodisplay

 

Accepting the default value at each prompt is usually good enough for a testing LDAP Server.

 

For SJES/DS5.2:

 

# jar xvf  java_es_05Q1_directory-ga-solaris-sparc.zip
# cd java_es_05Q1_directory
# chmod -R a+x *

# cd Solaris_sparc
# ./installer

or

# ./installer -nodisplay

 

Accepting the default value at each and every prompt is usually good enough for a testing LDAP Server.

 

Note 1: if, after running “installer”, you encounter an error and wish to re-run “setup”, simply perform the following “uninstall” actions (applicable to SJES/DS5.2):

In CDE X-Windows terminal, run “prodreg” to uninstall components.

# prodreg
If “prodreg” does not work, a manual “clean-up” may be performed:

# rm -f /var/sadm/install/productregistry
# rm -f /var/sadm/install/logs/*_install*
# cd /var/sadm/pkg
# rm -rf SUNWdsv* SUNWasv* SUNWcomds

Then unset the “installed?” flag(s) in /etc/ds/versions:

#version|command path|installed?|default?

5.1|//usr/iplanet/ds5/sbin/directoryserver|YES|NO

5.2|//usr/ds/v5.2/sbin/directoryserver|NO|YES

 

Note 2: if some of the scripts extracted from the tar file do not have execute permission, run the following before running setup.

# chmod -R a+x *

Now start admin server and slapd if they are not started.

# ps -ef | egrep "admin-serv|slapd"

# /var/Sun/mps/start-admin

# /var/Sun/mps/slapd-`hostname`/start-slapd

 

Please note that the Solaris SPARC version of SJES/DS5.2 is already at Patch_4 level. This can be confirmed by looking at /var/Sun/mps/slapd-`hostname`/errors while restarting ns-slapd: there will be a banner saying it is Patch_4. If it is not at Patch_4, it is advisable to download and apply 117665-03.

 

Note: the latest patches for the various OS platforms are listed below; note that -01 is Patch_2, -02 is Patch_3 and -03 is the current latest, Patch_4.

 

117665-03: for Solaris8/9 SPARC
117666-03: for Solaris8/9 x86
117667-03: for Windows
117668-03: for Linux
117669-03: for HP-UX
117670-03: For AIX

 

Now run "idsconfig"; note that this command is NOT on the default $PATH.

 

NOTE: if SJES/DS5.2 is used and the LDAP domain you are trying to set up is NOT “dc=example,dc=com”, the following hack to “idsconfig” is required to get past the road-block error “ERROR: Can not determine the top of tree”.

 

# cd /usr/lib/ldap
# mv idsconfig idsconfig.orig
# cp idsconfig.orig idsconfig
# vi idsconfig

Replace line:
grep -i -v NetscapeRoot > ${TMPDIR}/treeTOP
with:
grep -i -v NetscapeRoot | grep -i -v dc=example > ${TMPDIR}/treeTOP

 

Note: in some latest version of “idsconfig”, you would see “{GREP}” in place of “grep”.

 

Otherwise, please proceed.

 

# /usr/lib/ldap/idsconfig

 

It is strongly recommended that you BACKUP the directory server

before running idsconfig.

 

Hit Ctrl-C at any time before the final confirmation to exit.

 

Do you wish to continue with server setup (y/n/h)? [n] y

Enter the iPlanet Directory Server's (iDS) hostname to setup: ldap1

Enter the port number for iDS (h=help): [389]

Enter the directory manager DN: [cn=Directory Manager]

Enter passwd for cn=Directory Manager :

Enter the domainname to be served (h=help): [example.com]

Enter LDAP Base DN (h=help): [dc=example,dc=com]

Enter the profile name (h=help): [default]

Default server list (h=help): [192.168.1.168] ldap1.example.com ldap2.example.com

Preferred server list (h=help):

Choose desired search scope (one, sub, h=help):  [one]

The following are the supported credential levels:

  1  anonymous

  2  proxy

  3  proxy anonymous

Choose Credential level [h=help]: [1] 2

The following are the supported Authentication Methods:

  1  none

  2  simple

  3  sasl/DIGEST-MD5

  4  tls:simple

  5  tls:sasl/DIGEST-MD5

Choose Authentication Method (h=help): [1] 2

 

Current authenticationMethod: simple

 

Do you want to add another Authentication Method? n

 

Do you want the clients to follow referrals (y/n/h)? [n]

Do you want to modify the server timelimit value (y/n/h)? [n]

Do you want to modify the server sizelimit value (y/n/h)? [n]

Do you want to store passwords in "crypt" format (y/n/h)? [n] y

Do you want to setup a Service Authentication Methods (y/n/h)? [n]

Client search time limit in seconds (h=help): [30]

Profile Time To Live in seconds (h=help): [43200]

Bind time limit in seconds (h=help): [10]

Do you wish to setup Service Search Descriptors (y/n/h)? [n] y

  A  Add a Service Search Descriptor

  D  Delete a SSD

  M  Modify a SSD

  P  Display all SSD's

  H  Help

  X  Clear all SSD's

 

  Q  Exit menu

Enter menu choice: [Quit] A

Enter the service id: passwd

Enter the base: ou=People,dc=example,dc=com

Enter the scope: one

  A  Add a Service Search Descriptor

  D  Delete a SSD

  M  Modify a SSD

  P  Display all SSD's

  H  Help

  X  Clear all SSD's

 

  Q  Exit menu

Enter menu choice: [Quit] A

Enter the service id: group

Enter the base: ou=group,dc=example,dc=com

Enter the scope: one

  A  Add a Service Search Descriptor

  D  Delete a SSD

  M  Modify a SSD

  P  Display all SSD's

  H  Help

  X  Clear all SSD's

 

  Q  Exit menu

Enter menu choice: [Quit] A

Enter the service id: shadow

Enter the base: ou=People,dc=example,dc=com

Enter the scope: one

  A  Add a Service Search Descriptor

  D  Delete a SSD

  M  Modify a SSD

  P  Display all SSD's

  H  Help

  X  Clear all SSD's

 

  Q  Exit menu

Enter menu choice: [Quit] A

Enter the service id: netgroup

Enter the base: ou=netgroup,dc=example,dc=com

Enter the scope: one

  A  Add a Service Search Descriptor

  D  Delete a SSD

  M  Modify a SSD

  P  Display all SSD's

  H  Help

  X  Clear all SSD's

 

  Q  Exit menu

Enter menu choice: [Quit]

 

              Summary of Configuration

 

  1  Domain to serve               : example.com

  2  Base DN to setup              : dc=example,dc=com

  3  Profile name to create        : default

  4  Default Server List           : ldap1.example.com ldap2.example.com

  5  Preferred Server List         :

  6  Default Search Scope          : one

  7  Credential Level              : proxy

  8  Authentication Method         : simple

  9  Enable Follow Referrals       : FALSE

 10  iDS Time Limit                :

 11  iDS Size Limit                :

 12  Enable crypt password storage : TRUE

 13  Service Auth Method pam_ldap  :

 14  Service Auth Method keyserv   :

 15  Service Auth Method passwd-cmd:

 16  Search Time Limit             : 30

 17  Profile Time to Live          : 43200

 18  Bind Limit                    : 10

 19  Service Search Descriptors Menu

 

Enter config value to change: (1-19 0=commit changes) [0] 19

Do you wish to setup Service Search Descriptors (y/n/h)? [n] y

  A  Add a Service Search Descriptor

  D  Delete a SSD

  M  Modify a SSD

  P  Display all SSD's

  H  Help

  X  Clear all SSD's

 

  Q  Exit menu

Enter menu choice: [Quit] P

 

Current Service Search Descriptors:

==================================

passwd:ou=People,dc=example,dc=com?one

group:ou=group,dc=example,dc=com?one

shadow:ou=People,dc=example,dc=com?one

netgroup:ou=netgroup,dc=example,dc=com?one

 

Hit return to continue.

 

  A  Add a Service Search Descriptor

  D  Delete a SSD

  M  Modify a SSD

  P  Display all SSD's

  H  Help

  X  Clear all SSD's

 

  Q  Exit menu

Enter menu choice: [Quit]

              Summary of Configuration

 

  1  Domain to serve               : example.com

  2  Base DN to setup              : dc=example,dc=com

  3  Profile name to create        : default

  4  Default Server List           : ldap1.example.com ldap2.example.com

  5  Preferred Server List         :

  6  Default Search Scope          : one

  7  Credential Level              : proxy

  8  Authentication Method         : simple

  9  Enable Follow Referrals       : FALSE

 10  iDS Time Limit                :

 11  iDS Size Limit                :

 12  Enable crypt password storage : TRUE

 13  Service Auth Method pam_ldap  :

 14  Service Auth Method keyserv   :

 15  Service Auth Method passwd-cmd:

 16  Search Time Limit             : 30

 17  Profile Time to Live          : 43200

 18  Bind Limit                    : 10

 19  Service Search Descriptors Menu

 

Enter config value to change: (1-19 0=commit changes) [0]

Enter DN for proxy agent: [cn=proxyagent,ou=profile,dc=example,dc=com]

Enter passwd for proxyagent: password

Re-enter passwd: password

 

WARNING: About to start committing changes. (y=continue, n=EXIT) y

 

  1. Changed passwordstoragescheme to "crypt" in cn=config.

  2. Schema attributes have been updated.

  3. Schema objectclass definitions have been added.

  4. NisDomainObject added to dc=example,dc=com.

  5. Top level "ou" containers complete.

  6. automount maps: auto_home auto_direct auto_master auto_shared processed.

  7. ACI for dc=example,dc=com modified to disable self modify.

  8. Add of VLV Access Control Information (ACI).

  9. Proxy Agent cn=proxyagent,ou=profile,dc=example,dc=com added.

  10. Give cn=proxyagent,ou=profile,dc=example,dc=com read permission for password.

  11. Generated client profile and loaded on server.

  12. Processing eq,pres indexes:

      ipHostNumber (eq,pres)   Finished indexing.

      uidNumber (eq,pres)   Finished indexing.

      ipNetworkNumber (eq,pres)   Finished indexing.

      gidnumber (eq,pres)   Finished indexing.

      oncrpcnumber (eq,pres)   Finished indexing.

      automountKey (eq,pres)   Finished indexing.

  13. Processing eq,pres,sub indexes:

      membernisnetgroup (eq,pres,sub)   Finished indexing.

      nisnetgrouptriple (eq,pres,sub)   Finished indexing.

  14. Processing VLV indexes:

      example.com.getgrent vlv_index   Entry created

      example.com.gethostent vlv_index   Entry created

      example.com.getnetent vlv_index   Entry created

      example.com.getpwent vlv_index   Entry created

      example.com.getrpcent vlv_index   Entry created

      example.com.getspent vlv_index   Entry created

 

idsconfig: Setup of iDS server ldap1 is complete.

 

 

Note: idsconfig has created entries for VLV indexes.  Use the

      directoryserver(1m) script on ldap1 to stop

      the server and then enter the following vlvindex

      sub-commands to create the actual VLV indexes:

 

  directoryserver -s <server-instance> vlvindex -n userRoot -T example.com.getgrent
  directoryserver -s <server-instance> vlvindex -n userRoot -T example.com.gethostent
  directoryserver -s <server-instance> vlvindex -n userRoot -T example.com.getnetent
  directoryserver -s <server-instance> vlvindex -n userRoot -T example.com.getpwent
  directoryserver -s <server-instance> vlvindex -n userRoot -T example.com.getrpcent
  directoryserver -s <server-instance> vlvindex -n userRoot -T example.com.getspent

 

IMPORTANT NOTE: DO NOT USE "directoryserver -s <server-instance> vlvindex …" to create the vlvindex, as /usr/sbin/directoryserver may be pointing to the OLD Solaris built-in iDS 5.0 or 5.1 executable; use the following short script instead.

 

# cat ids52_vlvindex.sh
/var/Sun/mps/slapd-ldap1/stop-slapd
/var/Sun/mps/slapd-ldap1/vlvindex -n userRoot -T example.com.getgrent
/var/Sun/mps/slapd-ldap1/vlvindex -n userRoot -T example.com.gethostent
/var/Sun/mps/slapd-ldap1/vlvindex -n userRoot -T example.com.getnetent
/var/Sun/mps/slapd-ldap1/vlvindex -n userRoot -T example.com.getpwent
/var/Sun/mps/slapd-ldap1/vlvindex -n userRoot -T example.com.getrpcent
/var/Sun/mps/slapd-ldap1/vlvindex -n userRoot -T example.com.getspent
/var/Sun/mps/slapd-ldap1/start-slapd

 

# ./ids52_vlvindex.sh

[24/Feb/2005:00:00:09 -0500] - userRoot: Indexing VLV: example.com.getgrent

[24/Feb/2005:00:00:09 -0500] - userRoot: Finished indexing.

[24/Feb/2005:00:00:12 -0500] - userRoot: Indexing VLV: example.com.gethostent

[24/Feb/2005:00:00:12 -0500] - userRoot: Indexed search unsuccessful, will perform unindexed search instead.

[24/Feb/2005:00:00:12 -0500] - userRoot: Finished indexing.

[24/Feb/2005:00:00:14 -0500] - userRoot: Indexing VLV: example.com.getnetent

[24/Feb/2005:00:00:14 -0500] - userRoot: Indexed search unsuccessful, will perform unindexed search instead.

[24/Feb/2005:00:00:14 -0500] - userRoot: Finished indexing.

[24/Feb/2005:00:00:17 -0500] - userRoot: Indexing VLV: example.com.getpwent

 [24/Feb/2005:00:00:17 -0500] - userRoot: Finished indexing.

[24/Feb/2005:00:00:19 -0500] - userRoot: Indexing VLV: example.com.getrpcent

[24/Feb/2005:00:00:19 -0500] - userRoot: Indexed search unsuccessful, will perform unindexed search instead.

[24/Feb/2005:00:00:19 -0500] - userRoot: Finished indexing.

[24/Feb/2005:00:00:21 -0500] - userRoot: Indexing VLV: example.com.getspent

 [24/Feb/2005:00:00:21 -0500] - userRoot: Finished indexing.

 

Note 1: you may also use SUN ONE Console “Create Browsing Index” function (right click object)  to do the same for the above.

 

Note 2: Initially, when there is no data under ou=People and ou=group, the VLV index creation will fail; this is normal.

 

Congratulation!!! You have just successfully completed the installation of SUN ONE Directory Server.

 

Step 2: Create SSL Certificate(s)

 

This step is for BOTH LDAP Server(s) as well as Clients which require SSL_TLS support for LDAP connection.

 

IMPORTANT NOTE 2: For Solaris8, Patch 112438 is required if /dev/random instead of prngd is used to support OpenSSL.

 

 

Prepare the following short script "cr_ssl_certs_ids5ldap.sh" with the content below; please customize the details of the Certificate.

 

IMPORTANT NOTE: the self-signed server certificate created here is PURELY for TESTING and DEMONSTRATION PURPOSES ONLY. In a production environment, create a Certificate Signing Request (CSR) using the iPlanet Administration Console and have a trusted commercial vendor such as Verisign sign the request (for a service fee). The signed certificate can then be merged into the current server using the iPlanet Administration Console. SUN ONE DS5.2 (iDS 5.2) already comes with a built-in list of popular Certificate Authority certificates, including Verisign.

 

Tips: if you are interested in a ONE-BUTTON productivity script that creates SSL Certificates for both slapd and admin-serv, please consult “Configuring Solaris Native LDAP Client for Fedora Directory Server” from my Home Page for a script called “cr_ssl_certs.sh”; this script works for BOTH SUN ONE Directory Server and Fedora Directory Server.

 

#! /bin/sh
#
# cr_ssl_certs_ids5ldap.sh
#
# Gary Tay, 07-Jan-2005, written
#
# Ref. URL is http://docs.sun.com/source/816-5542-10/certutil.htm#13305
#
# Customize location of iDS5
IDS5_PATH=/var/Sun/mps; export IDS5_PATH
# Customize the following
PATH=$PATH:$IDS5_PATH/shared/bin; export PATH
LD_LIBRARY_PATH=$IDS5_PATH/lib:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
DOW=`date | cut -d' ' -f1`
HOST=`hostname`
DOMAIN=`domainname`
FQDN="$HOST.$DOMAIN"
ORG="Example Companies"
LOCALITY="NewYork City"
STATE="NewYork"
COUNTRY="US"
cd $IDS5_PATH/alias || exit 1
# Keep a copy of the existing key/cert databases before replacing them
echo "Backing up $IDS5_PATH/alias/*.db to $IDS5_PATH/alias/backup_$DOW..."
mkdir -p $IDS5_PATH/alias/backup_$DOW >/dev/null 2>/dev/null
cp $IDS5_PATH/alias/*.db $IDS5_PATH/alias/backup_$DOW
rm -f $IDS5_PATH/alias/slapd-$HOST-*.db
# Please read "certutil" help information
# http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
echo "Creating Key and Certificate databases..."
certutil -N -d $IDS5_PATH/alias -P "slapd-$HOST-"
# -S = create a certificate and add it to the database, -s = Subject
# -t = trust attributes, -x = self-signed, -v 12 = valid for 12 months
# -P = Prefixed with string, -5 = prompt for type of certificate
echo "Creating a self-signed Server Certificate..."
certutil -S -d $IDS5_PATH/alias -n "$FQDN" -s "CN=$FQDN,O=$ORG,L=$LOCALITY,ST=$STATE,C=$COUNTRY" -t "CTPu,CTPu,CTPu" -x -v 12 -P "slapd-$HOST-" -5
echo "Listing the certificate..."
certutil -L -d $IDS5_PATH/alias -P "slapd-$HOST-"
certutil -L -d $IDS5_PATH/alias -P "slapd-$HOST-" -n $FQDN
echo "Verifying the certificate..."
certutil -V -d $IDS5_PATH/alias -P "slapd-$HOST-" -n $FQDN -u V -e -l

 

Run this script:

 

# ./cr_ssl_certs_ids5ldap.sh

Backing up /var/Sun/mps/alias/*.db to /var/Sun/mps/alias/backup_Thu...

Creating Key and Certificate databases...

In order to finish creating your database, you

must enter a password which will be used to

encrypt this key and any future keys.

 

The password must be at least 8 characters long,

and must contain at least one non-alphabetic character.

 

Enter new password: secret

Re-enter password: secret

Creating a self-signed Server Certificate...

 

A random seed must be generated that will be used in the

creation of your key.  One of the easiest ways to create a

random seed is to use the timing of keystrokes on a keyboard.

 

To begin, type keys on the keyboard until this progress meter

is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!

 

 

Continue typing until the progress meter is full:

 

|************************************************************|

 

Finished.  Press enter to continue:

Enter Password or Pin for "NSS Certificate DB": secret

 

 

Generating key.  This may take a few moments...

 

                          0 - SSL Client

                          1 - SSL Server

                          2 - S/MIME

                          3 - Object Signing

                          4 - Reserved for futuer use

                          5 - SSL CA

                          6 - S/MIME CA

                          7 - Object Signing CA

                          Other to finish

1

                          0 - SSL Client

                          1 - SSL Server

                          2 - S/MIME

                          3 - Object Signing

                          4 - Reserved for futuer use

                          5 - SSL CA

                          6 - S/MIME CA

                          7 - Object Signing CA

                          Other to finish

9

Is this a critical extension [y/n]?

y

Listing the certificate...

 

Certificate Name                                             Trust Attributes

 

ldap1.example.com                                    CTPu,CTPu,CTPu

 

p    Valid peer

P    Trusted peer (implies p)

c    Valid CA

T    Trusted CA to issue client certs (implies c)

C    Trusted CA to certs(only server certs for ssl) (implies c)

u    User cert

w    Send warning

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number:

            00:cb:4f:a8:2b

        Signature Algorithm: PKCS #1 MD5 With RSA Encryption

        Issuer: CN=ldap1.example.com, O=Example Companies, L=NewYork City, ST=NewYork, C=US

        Validity:

            Not Before: Thu Feb 24 06:19:43 2005

            Not After: Wed May 24 06:19:43 2006

        Subject: CN=ldap1.example.com, O=Example Companies, L=NewYork City, ST=NewYork, C=US

        Subject Public Key Info:

            Public Key Algorithm: PKCS #1 RSA Encryption

            RSA Public Key:


                Exponent: 65537 (0x10001)

        Signed Extensions:

            Name:

                Certificate Type

            Critical:

                True

            Data: <SSL Server>

 

    Fingerprint (MD5):

        D4:1D:8C:D9:8F:00:B2:04:E9:80:09:98:EC:F8:42:7E

    Fingerprint (SHA1):

        DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09

 

    Signature Algorithm: PKCS #1 MD5 With RSA Encryption


    Certificate Trust Flags:

        SSL Flags:

            Valid Peer

            Trusted

            Valid CA

            Trusted CA

            User

            Trusted Client CA

        Email Flags:

            Valid Peer

            Trusted

            Valid CA

            Trusted CA

            User

            Trusted Client CA

        Object Signing Flags:

            Valid Peer

            Trusted

            Valid CA

            Trusted CA

            User

            Trusted Client CA

 

Verifying the certificate...

Enter Password or Pin for "NSS Certificate DB": secret

certutil: certificate is valid

 

The above run will create slapd-ldap1-key3.db and slapd-ldap1-cert7.db in $LDAP_ROOT/alias directory.

 

Now we have to configure iDS 5.2 to use SSL encryption.

 

Start the iPlanet Administration Server if it is not started.

 

# /var/Sun/mps/start-admin

 

Run the local iPlanet Administration Console (/var/Sun/mps/startconsole) or run the Windows based "SUN ONE Server Console".

 

# /var/Sun/mps/startconsole

 

Login as cn=Directory Manager

 

Go to Directory Server Tasks/Manage Certificates tab, notice that there is a certificate created called "ldap1.example.com" issued to "ldap1.example.com" and by itself "ldap1.example.com", valid for use as SSL Server Certificate for 12+3=15 months.

 

Go to Directory Server Configuration/Encryption tab, check "Enable SSL for this server" and "Use this cipher family: RSA", and ensure that the "Certificate" field references the certificate we created in slapd-ldap1-cert7.db, i.e. ldap1.example.com.

 

Click Save

 

Go to Directory Server Configuration/Network tab, ensure that LDAP server will be run to listen on "Both secure and non-secure ports", i.e. port 389 as well as 636.

 

Go to Directory Server Tasks and stop the LDAP Server; when you try to restart it, you will notice that it needs a password file.

 

You can EITHER start it from the command line OR create this password (pin) file for the slapd-ldap1-key3.db we created; it MUST have this path: $LDAP_ROOT/alias/slapd-ldap1-pin.txt

 

# echo "Internal (Software) Token:secret" >/var/Sun/mps/alias/slapd-ldap1-pin.txt

 

IMPORTANT NOTE: DO NOT LEAVE ANY SPACES after the "Token:" and at the end of the line or else the password will not be recognized by "start-slapd".

 

# chmod 400 /var/Sun/mps/alias/slapd-ldap1-pin.txt

 

If ns-slapd runs as a non-root user, for example “nobody”, “ns-slapd” or “ldap”, make sure the pin file is readable by the slapd owner.

 

# chown <slapd-owner> /var/Sun/mps/alias/slapd-ldap1-pin.txt
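Because a stray space after "Token:" or a wrong file mode is easy to miss and only shows up as start-slapd refusing to start, the following is an added example (not part of this document or of the SUN ONE product) that writes the pin file with a safe umask and checks an existing one for exactly the format, mode and owner described above. It assumes a POSIX sh (bash, or /usr/xpg4/bin/sh on Solaris); the function names write_slapd_pin and check_slapd_pin are its own.

```shell
#!/bin/sh
# Added example, not part of the original document: create and check a
# slapd pin file. start-slapd expects exactly one line of the form
#   Internal (Software) Token:<password>
# with no whitespace around the password; the file should be mode 400
# and owned by the user that runs ns-slapd.
# Assumes a POSIX sh; write_slapd_pin and check_slapd_pin are this
# example's own names, not part of any product.

# write_slapd_pin FILE PASSWORD
# Writes the file the way the document does (echo + chmod 400), but under
# a restrictive umask so it is never world-readable, even briefly.
write_slapd_pin() {
    ( umask 077; printf 'Internal (Software) Token:%s\n' "$2" > "$1" ) || return 1
    chmod 400 "$1"
}

# check_slapd_pin FILE [OWNER]
# Returns 0 when FILE will be accepted by start-slapd, 1 otherwise,
# printing the first problem found. The owner check runs only when OWNER
# is given.
check_slapd_pin() {
    pin="$1"
    owner="$2"

    [ -f "$pin" ] || { echo "$pin: no such file"; return 1; }

    # a second line (even an empty one) is a common copy/paste mistake
    lines=$(wc -l < "$pin" | tr -d ' ')
    [ "$lines" -le 1 ] || { echo "$pin: must contain a single line"; return 1; }

    line=$(head -n 1 "$pin")
    case "$line" in
        "Internal (Software) Token:"*) ;;
        *) echo "$pin: line must start with 'Internal (Software) Token:'"; return 1 ;;
    esac

    # no whitespace after "Token:" and none at the end of the line
    pw="${line#"Internal (Software) Token:"}"
    [ -n "$pw" ] || { echo "$pin: empty password after 'Token:'"; return 1; }
    case "$pw" in
        [[:space:]]*|*[[:space:]])
            echo "$pin: whitespace around the password will not be recognized"
            return 1 ;;
    esac

    # mode must be exactly 0400 (r--------); find -perm with a leading 0
    # matches the exact mode on both GNU and Solaris find
    mode_ok=$(find "$pin" -perm 0400 -print)
    [ -n "$mode_ok" ] || { echo "$pin: mode must be exactly 0400"; return 1; }

    if [ -n "$owner" ]; then
        owner_ok=$(find "$pin" -user "$owner" -print)
        [ -n "$owner_ok" ] || { echo "$pin: must be owned by $owner"; return 1; }
    fi
    return 0
}

# Demonstration on a constructed temporary file, safe to run anywhere.
demo=$(mktemp -d) && {
    write_slapd_pin "$demo/slapd-ldap1-pin.txt" secret
    check_slapd_pin "$demo/slapd-ldap1-pin.txt" && echo "pin file OK"
    rm -rf "$demo"
}
```

On the server itself, run check_slapd_pin /var/Sun/mps/alias/slapd-ldap1-pin.txt <slapd-owner> before start-slapd.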

 

Restart LDAP Server now.

 

# /var/Sun/mps/slapd-ldap1/start-slapd

 

Congratulation!!! You have configured an LDAP Server with SSL/TLS support.

 

You may now try to retrieve the directory data:

 

# /usr/bin/ldapsearch -b "dc=example,dc=com" -L "objectclass=*"

 

Log in as root and install OpenSSL and the supporting LibGCC, both of which can be downloaded from http://www.sunfreeware.com.

 

# pkgadd -d openssl-0.9.7X-sol9-sparc-local

# pkgadd -d libgcc-3.X.X-sol9-sparc-local

 

This will install OpenSSL into the standard /usr/local/ssl directory, and supporting libgcc into /usr/local/lib.

 

You may now test SSL/TLS locally using the following command:

 

# env LD_LIBRARY_PATH=/usr/local/ssl/lib:/usr/local/lib /usr/local/ssl/bin/openssl s_client -connect localhost:636 -showcerts

CONNECTED(00000003)

depth=0 /C=US/ST=NewYork/L=NewYork City/O=Example Companies/CN=ldap1.example.com

verify error:num=18:self signed certificate

verify return:1

depth=0 /C=US/ST=NewYork/L=NewYork City/O=Example Companies/CN=ldap1.example.com

verify return:1

---

Certificate chain

 0 s:/C=US/ST=NewYork/L=NewYork City/O=Example Companies/CN=ldap1.example.com

   i:/C=US/ST=NewYork/L=NewYork City/O=Example Companies/CN=ldap1.example.com

-----BEGIN CERTIFICATE-----


-----END CERTIFICATE-----

---

Server certificate

subject=/C=US/ST=NewYork/L=NewYork City/O=Example Companies/CN=ldap1.example.com

issuer=/C=US/ST=NewYork/L=NewYork City/O=Example Companies/CN=ldap1.example.com

---

Acceptable client certificate CA names

/C=US/ST=NewYork/L=NewYork City/O=Example Companies/CN=ldap1.example.com

---

SSL handshake has read 909 bytes and written 342 bytes

---

New, TLSv1/SSLv3, Cipher is RC4-MD5

Server public key is 1024 bit

SSL-Session:

    Protocol  : TLSv1

    Cipher    : RC4-MD5

    Session-ID: 4CBF01674425A9E455393A843FA6AEA8838372F7DC13531168B9B3C9AF5857FE

    Session-ID-ctx:

    Master-Key: D04984C9F325DD4CBEBE8A4BD63A182C98CB2C0AE3CD9F0A8FF6102A4C499512E757D996F2F80C9906288673BF52E0D7

    Key-Arg   : None

    Start Time: 1109232085

    Timeout   : 300 (sec)

    Verify return code: 18 (self signed certificate)

---

^C#

 

<Ctrl-C or Ctrl-Break to exit>

 

IMPORTANT NOTE: please ensure that the FQDN (Fully Qualified Domain Name) as shown by CN=<FQDN> is defined in /etc/hosts file.
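Added example, not from the original document: a small filter that reads an s_client transcript like the one above, reports the CN, verify return code and negotiated cipher, and checks that the CN is defined in the hosts file as this note requires. The function name and the hosts-file argument are assumptions.

```shell
# Added example, not part of the original document.
# s_client_check [HOSTS_FILE]: reads an "openssl s_client" transcript on stdin
# (like the one above), reports the server CN, verify return code and
# negotiated cipher, and checks that the CN appears as a hostname in the
# hosts file. Returns 0 when the verify code is 0 or 18 (self-signed, which is
# what the certificate created above yields) and the CN is in the hosts file.
s_client_check() {
    hosts_file=${1:-/etc/hosts}
    out=$(cat)
    # CN from the subject line; handles "/C=US/.../CN=x" and "C = US, ..., CN = x"
    cn=$(printf '%s\n' "$out" | sed -n 's/^subject=.*CN *= *\([^/,]*\).*/\1/p' | head -n 1)
    code=$(printf '%s\n' "$out" | sed -n 's/.*Verify return code: \([0-9]*\).*/\1/p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    echo "CN=$cn verify=$code cipher=$cipher"
    status=0
    case "$code" in
        0)  echo "certificate chain verified against the local CA store" ;;
        18) echo "self-signed certificate: clients must import it before they can verify this server" ;;
        *)  echo "verify failed (code ${code:-none}); fix the certificate before pointing clients here"
            status=1 ;;
    esac
    # the CN must resolve locally: look for it in a hostname column of the hosts file
    if [ -n "$cn" ] && grep -v '^#' "$hosts_file" 2>/dev/null |
         awk -v cn="$cn" '{ for (i = 2; i <= NF; i++) if ($i == cn) found = 1 }
                           END { exit found ? 0 : 1 }'; then
        echo "$cn is defined in $hosts_file"
    else
        echo "$cn is NOT defined in $hosts_file; add it"; status=1
    fi
    case "$cipher" in   # RC4/MD5 (as negotiated above), DES and export suites are obsolete
        *RC4*|*MD5*|*DES*|EXP*|*NULL*) echo "warning: weak cipher $cipher; tighten the server cipher list" ;;
    esac
    return $status
}
# usage: openssl s_client -connect ldap1.example.com:636 -showcerts </dev/null 2>&1 | s_client_check /etc/hosts
```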

 

Step 3:  Populate the directory server with People, group and TLS profile data

 

This step is for LDAP Server(s).

 

Prepare People.ldif and group.ldif and load them into the directory. You may also add directory data manually using the iPlanet Console.

 

Tip 1: when you use the iPlanet Console to add a People entry, remember to check the "posix" user (posixAccount) option, so that uidNumber and gidNumber can be entered.

 

Tip 2: use the $LDAP_ROOT/slapd-ldap1/getpwenc command to produce the hashed form in which an LDAP userPassword is stored.

 

# cd /var/Sun/mps/slapd-ldap1

# ./getpwenc CRYPT testpassword

{crypt}GFOZa/ZLlDdng

 

A sample People.ldif with only two entries is shown here

 

dn: uid=gtay, ou=People, dc=example,dc=com

givenName: Gary

sn: Tay

loginShell: /bin/bash

uidNumber: 6167

gidNumber: 102

objectClass: top

objectClass: person

objectClass: organizationalPerson

objectClass: inetorgperson

objectClass: posixAccount

objectClass: shadowAccount

uid: gtay

cn: Gary Tay

homeDirectory: /home/gtay

shadowLastChange: -1

shadowMin: -1

shadowMax: 99999

shadowWarning: 7

shadowInactive: -1

shadowExpire: -1

shadowFlag: 0

gecos: Gary Tay

userPassword: {CRYPT}U8bo2twhJ9Kkg

 

dn: uid=tuser, ou=People, dc=example,dc=com

givenName: Test

sn: User

loginShell: /bin/bash

uidNumber: 9999

gidNumber: 102

objectClass: top

objectClass: person

objectClass: organizationalPerson

objectClass: inetorgperson

objectClass: posixAccount

objectClass: shadowAccount

uid: tuser

cn: Test User

homeDirectory: /home/tuser

shadowLastChange: -1

shadowMin: -1

shadowMax: 99999

shadowWarning: 7

shadowInactive: -1

shadowExpire: -1

shadowFlag: 0

gecos: Test User

userPassword: {SHA}MWxHz/4F3kXGXlfK4EvIJUo2C2U=

 

A sample group.ldif with only one entry is shown here

 

dn: cn=Users,ou=group,dc=example,dc=com

cn: Users

gidNumber: 102

objectClass: top

objectClass: posixGroup

memberUid: gtay

memberUid: tuser

 

If you need SSL/TLS to protect the LDAP connection sessions, prepare tls_profile.ldif.

 

dn: cn=tls_profile,ou=profile,dc=example,dc=com

ObjectClass: top

ObjectClass: DUAConfigProfile

defaultServerList: ldap1.example.com ldap2.example.com

defaultSearchBase: dc=example,dc=com

authenticationMethod: tls:simple

followReferrals: FALSE

defaultSearchScope: one

searchTimeLimit: 30

profileTTL: 43200

bindTimeLimit: 10

cn: tls_profile

credentialLevel: proxy

serviceSearchDescriptor: passwd: ou=People,dc=example,dc=com?one

serviceSearchDescriptor: group: ou=group,dc=example,dc=com?one

serviceSearchDescriptor: shadow: ou=People,dc=example,dc=com?one

serviceSearchDescriptor: netgroup: ou=netgroup,dc=example,dc=com?one

 

# /usr/bin/ldapadd -c -D "cn=Directory Manager" -f People.ldif

Bind Password:

adding new entry uid=gtay, ou=People, dc=example,dc=com

adding new entry uid=tuser, ou=People, dc=example,dc=com

 

# /usr/bin/ldapadd -c -D "cn=Directory Manager" -f group.ldif

Bind Password:

adding new entry cn=Users,ou=group,dc=example,dc=com

 

# /usr/bin/ldapadd -c -D "cn=Directory Manager" -f tls_profile.ldif

Bind Password:

adding new entry cn=tls_profile,ou=profile,dc=example,dc=com

 

For bulk import of People and group entries, you may use the "/usr/sbin/ldapaddent" command (see "man ldapaddent" for details), or you may use PADL's MigrationTools.

 

http://www.padl.com/OSS/MigrationTools.html

 

Examples of ldapaddent are listed below. Note the sequence: the passwd DB first, then shadow. Note also the use of "-p" to create the userPassword attribute; the CRYPT password is only added when the DB is shadow.

 

# cat test.txt
test9991:x:9991:102:test9991:/var/tmp:/bin/sh
 
# ldapaddent -v -f test.txt -D "cn=Directory Manager" -p passwd
Enter password:
SERVICE = passwd
Adding entry : test9991
1 entries added
 
# cat tests.txt
test9991:ElnMr/iU805dA:12881::::::
 
# ldapaddent -v -f tests.txt -D "cn=Directory Manager" shadow
Enter password:
SERVICE = shadow
Adding entry : test9991
1 entries added
#

 

IMPORTANT NOTE ABOUT LDIF IMPORT FILES:

 

When you copy and paste the content of People.ldif and group.ldif, or any other .ldif file from this document, to prepare an LDAP data import with the ldapadd command, please make sure that ALL LEADING AND TRAILING SPACES on every line of the .ldif files are removed, or else the "ldapadd" command will throw errors.
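As an added example (not code from the original document), the following generator turns passwd- and shadow-format lines like the ldapaddent input above into People.ldif entries with the attribute set of the sample, emitting no leading or trailing blanks. The base DN default and the {crypt} prefix follow the document; the function name is an assumption.

```shell
# Added example, not part of the original document.
# passwd_to_ldif PASSWD_FILE SHADOW_FILE [BASE_DN]
# Emits one People.ldif entry per passwd line with the attribute set used
# in the sample above (posixAccount + shadowAccount), taking the hash and
# ageing fields from the matching shadow line. Empty shadow fields get the
# defaults used in the sample; userPassword is written as {crypt}<hash>
# only when the account is not locked ("*" or "!" hash).
passwd_to_ldif() {
    pw_file=$1; sh_file=$2; base=${3:-dc=example,dc=com}
    awk -F: -v base="$base" -v shf="$sh_file" '
        function dflt(v, d) { return v == "" ? d : v }
        FILENAME == shf {                 # shadow file: remember fields per login
            h[$1] = $2; lc[$1] = $3; mn[$1] = $4; mx[$1] = $5
            wn[$1] = $6; ia[$1] = $7; ex[$1] = $8; next
        }
        $1 == "" || $1 ~ /^#/ { next }    # skip blank and comment lines
        {
            name = ($5 == "" ? $1 : $5); sub(/,.*/, "", name)   # gecos, first field only
            n = split(name, gn, " ")
            printf "dn: uid=%s,ou=People,%s\n", $1, base
            print "objectClass: top"; print "objectClass: person"
            print "objectClass: organizationalPerson"; print "objectClass: inetorgperson"
            print "objectClass: posixAccount"; print "objectClass: shadowAccount"
            printf "uid: %s\ncn: %s\ngivenName: %s\nsn: %s\n", $1, name, gn[1], gn[n]
            printf "uidNumber: %s\ngidNumber: %s\ngecos: %s\n", $3, $4, name
            printf "homeDirectory: %s\nloginShell: %s\n", $6, $7
            printf "shadowLastChange: %s\nshadowMin: %s\nshadowMax: %s\n",
                   dflt(lc[$1], -1), dflt(mn[$1], -1), dflt(mx[$1], 99999)
            printf "shadowWarning: %s\nshadowInactive: %s\nshadowExpire: %s\nshadowFlag: 0\n",
                   dflt(wn[$1], 7), dflt(ia[$1], -1), dflt(ex[$1], -1)
            if (h[$1] != "" && h[$1] !~ /^[*!]/) printf "userPassword: {crypt}%s\n", h[$1]
            print ""
        }' "$sh_file" "$pw_file"
}
# usage: passwd_to_ldif /etc/passwd /etc/shadow > People.ldif
#        /usr/bin/ldapadd -c -D "cn=Directory Manager" -f People.ldif
```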

 

Create iDS5 LDAP server start/stop script /etc/init.d/ids5ldap.server, modify Run Control startup script as needed.

 

# touch /etc/init.d/ids5ldap.server

# chmod 744 /etc/init.d/ids5ldap.server

# mv /etc/rc2.d/S72directory /etc/rc2.d/s72directory

# ln -s /etc/init.d/ids5ldap.server /etc/rc2.d/S72directory

# vi /etc/init.d/ids5ldap.server

 

Content of /etc/init.d/ids5ldap.server

 

#! /bin/sh
#
# ids5ldap.server - iDS5 LDAP Server start script
#
# Gary Tay, 19-Feb-2005
#
IDS5_PATH=/var/Sun/mps
SERVER_ID=`hostname`
SERVER_OWNER="root"
SERVER_GROUP="root"
LD_LIBRARY_PATH=/usr/lib:/usr/local/lib:/usr/local/ssl/lib:/var/Sun/mps/lib:/usr/lib/mps
export LD_LIBRARY_PATH

case "$1" in
'start')
        echo 'SUN ONE Directory Server service starting.'
        # the NSS cert/key databases must be readable by the account ns-slapd runs as
        chown $SERVER_OWNER:$SERVER_GROUP $IDS5_PATH/alias/*.db
        $IDS5_PATH/slapd-$SERVER_ID/start-slapd
        su - $SERVER_OWNER -c $IDS5_PATH/start-admin
        ;;
'stop')
        echo 'SUN ONE Directory Server service stopping.'
        $IDS5_PATH/slapd-$SERVER_ID/stop-slapd
        $IDS5_PATH/stop-admin
        ;;
*)
        echo "Usage: $0 { start | stop }"
        exit 1
        ;;
esac

 

Try stopping and starting LDAP server

 

# /etc/init.d/ids5ldap.server stop

# /etc/init.d/ids5ldap.server start

 

To verify:

 

# ps -ef | grep ns-slapd

    root 19647     1  0 02:46:26 ?        0:03 ./ns-slapd -D /var/Sun/mps/slapd-ldap1 -i /var/Sun/mps/slapd-ldap1/lo

    root 20286 16953  0 03:47:46 pts/1    0:00 grep ns-slapd

 

Tip: whenever you have a problem starting the LDAP server, i.e. it is not shown in the process status, check the "errors" log file in the /var/Sun/mps/slapd-ldap1/logs directory.

 

Try to list the LDAP content locally at the server by binding anonymously (without the "-D" option); note that userPassword never gets listed.

 

# /usr/bin/ldapsearch -h ldap1.example.com -b "dc=example,dc=com" -L "objectclass=*"

dn: dc=example,dc=com

dc: example

objectClass: top

objectClass: domain

objectClass: nisDomainObject

nisDomain: example.com

 

dn: cn=Directory Administrators, dc=example,dc=com

objectClass: top

objectClass: groupofuniquenames

cn: Directory Administrators

 

dn: ou=Groups, dc=example,dc=com

objectClass: top

objectClass: organizationalunit

ou: Groups

 

dn: ou=People, dc=example,dc=com

objectClass: top

objectClass: organizationalunit

ou: People

 

dn: ou=Special Users,dc=example,dc=com

objectClass: top

objectClass: organizationalUnit

ou: Special Users

description: Special Administrative Accounts

 

dn: cn=Accounting Managers,ou=groups,dc=example,dc=com

objectClass: top

objectClass: groupOfUniqueNames

cn: Accounting Managers

ou: groups

description: People who can manage accounting entries

 

dn: cn=HR Managers,ou=groups,dc=example,dc=com

objectClass: top

objectClass: groupOfUniqueNames

cn: HR Managers

ou: groups

description: People who can manage HR entries

 

dn: cn=QA Managers,ou=groups,dc=example,dc=com

objectClass: top

objectClass: groupOfUniqueNames

cn: QA Managers

ou: groups

description: People who can manage QA entries

 

dn: cn=PD Managers,ou=groups,dc=example,dc=com

objectClass: top

objectClass: groupOfUniqueNames

cn: PD Managers

ou: groups

description: People who can manage engineer entries

 

dn: ou=group,dc=example,dc=com

ou: group

objectClass: top

objectClass: organizationalUnit

 

dn: ou=rpc,dc=example,dc=com

ou: rpc

objectClass: top

objectClass: organizationalUnit

 

dn: ou=protocols,dc=example,dc=com

ou: protocols

objectClass: top

objectClass: organizationalUnit

 

dn: ou=networks,dc=example,dc=com

ou: networks