Step-by-step setup of Sun Directory Server 5.2 on Solaris (archive, replicator and plugin)
----------------------------------------------------------------------------------------
+ install directory server as user "http"
+ start admin server (it is a web server) and directory "config" server
port 3389: directory server
port 3390: config server
port 3391: directory archive server
port 3393: replicator server
+ run "startconsole -x nologo", create new directory server instance
called "directory"
+ export schema from production server:
[siwc@baghdadic data]$ /servers/netscape/directory4/shared/bin/ldapsearch -h directory -p 389 -D "cn=Directory Manager" -w goaway -b "cn=schema" "(objectclass=*)" > schema.ldif
+ build the objects and attributes ldif file, including all the additional
customised objects and attributes:
[siwc@baghdadic data]$ less schema-customised-attrib.ldif
dn: cn=schema
changetype: modify
attributetypes: ( unimacqARSaccountName-oid NAME 'unimacqarsaccountname' DESC 'User Defined Attribute' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
...
[siwc@baghdadic data]$ less schema-customised-object.ldif
dn: cn=schema
changetype: modify
objectclasses: ( unimacqldap-oid NAME 'unimacqldap' DESC 'User Defined ObjectClass' SUP 'top' MUST ( objectclass $ unimacqldapnextuid $ unimacqldapnextuidlock ) MAY ( aci $ cn ) )
...
[siwc@baghdadic data]$ /servers/web/bin/ldapmodify -h directory -p 3389 -x -D "cn=Directory Manager" -w goaway!!! -f schema-customised-attrib.ldif
[siwc@baghdadic data]$ /servers/web/bin/ldapmodify -h directory -p 3389 -x -D "cn=Directory Manager" -w goaway!!! -f schema-customised-object.ldif
+ create and build index ldif file, including all the additional customised indexes:
[siwc@baghdadic data]$ less config-customised-index.ldif
dn: cn=departmentnumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: nsIndex
cn: departmentnumber
nsSystemIndex: false
nsIndexType: pres
nsIndexType: eq
dn: cn=employeenumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: nsIndex
cn: employeenumber
nsSystemIndex: false
nsIndexType: pres
nsIndexType: eq
dn: cn=ntGroupDomainID,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: nsIndex
cn: ntGroupDomainID
nsSystemIndex: false
nsIndexType: pres
nsIndexType: eq
nsIndexType: sub
...
Add the new indexes:
[siwc@baghdadic data]$ /servers/web/bin/ldapadd -h directory -p 3389 -x -D "cn=Directory Manager" -w goaway!!! -f config-customised-index.ldif
To check, run:
[siwc@baghdadic data]$ /servers/web/bin/ldapsearch -h directory -p 3389 -x -D "cn=Directory Manager" -w goaway -b "cn=config" "(objectclass=*)" > config.ldif
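The two schema files and the index file above were written by hand. The following script is an added example (not part of the original notes) that builds them from a schema export such as schema.ldif: it keeps only the attribute types and object classes whose NAME starts with a site prefix, assumed here to be "unimacq" as on this page, writes them as modify records against cn=schema with an explicit "add:" line, and emits nsIndex entries for userRoot. SAMPLE_SCHEMA is a constructed fragment of a schema export used to exercise the functions.

```python
#!/usr/bin/env python3
"""Build the schema-modify and index LDIF files from a schema export.

Added example, not part of the original notes. Assumptions: every local
definition has a NAME beginning with "unimacq" (the prefix used on this page),
the backend is userRoot, and the modify records carry an explicit "add:" line.
SAMPLE_SCHEMA at the bottom is a constructed fragment of a schema export.
"""
import re
import sys

SITE_PREFIX = "unimacq"   # assumption: prefix shared by all local definitions
BACKEND = "userRoot"


def unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous
    line) and return the logical lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def fold(line, width=78):
    """Fold one long line the way ldapsearch output is folded."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(out)


# first NAME of a definition: NAME 'foo'  or  NAME ( 'foo' 'bar' )
_NAME_RE = re.compile(r"NAME\s+\(?\s*'([^']+)'", re.IGNORECASE)


def custom_definitions(schema_ldif, prefix=SITE_PREFIX):
    """Return (attributetypes, objectclasses) whose first NAME starts with prefix."""
    attrs, classes = [], []
    for line in unfold(schema_ldif):
        key, sep, value = line.partition(":")
        m = _NAME_RE.search(value) if sep else None
        if not m or not m.group(1).lower().startswith(prefix.lower()):
            continue
        if key.lower() == "attributetypes":
            attrs.append(value.strip())
        elif key.lower() == "objectclasses":
            classes.append(value.strip())
    return attrs, classes


def schema_modify_ldif(attr, defs):
    """One LDIF modify record adding every definition in defs to cn=schema."""
    body = ["dn: cn=schema", "changetype: modify", "add: " + attr]
    body += [fold(attr + ": " + d) for d in defs]
    return "\n".join(body) + "\n"


def index_ldif(attributes, backend=BACKEND):
    """nsIndex entries for ldapadd; attributes is a list of (name, [types])."""
    records = []
    for name, types in attributes:
        rec = ["dn: cn=%s,cn=index,cn=%s,cn=ldbm database,cn=plugins,cn=config" % (name, backend),
               "objectClass: top", "objectClass: nsIndex", "cn: " + name, "nsSystemIndex: false"]
        rec += ["nsIndexType: " + t for t in types]
        records.append("\n".join(rec))
    return "\n\n".join(records) + "\n"


# constructed sample: one standard attribute, one folded local attribute,
# one folded local object class
SAMPLE_SCHEMA = """dn: cn=schema
objectClass: top
attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) DESC 'Standard Attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeTypes: ( unimacqARSaccountName-oid NAME 'unimacqarsaccountname' DESC
  'User Defined Attribute' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
objectClasses: ( unimacqldap-oid NAME 'unimacqldap' DESC 'User Defined ObjectC
 lass' SUP 'top' MUST ( objectclass $ unimacqldapnextuid ) MAY ( aci $ cn ) )
"""

if __name__ == "__main__":
    # usage: build_ldif.py schema.ldif   (writes the three files used above)
    schema = open(sys.argv[1]).read()
    attrs, classes = custom_definitions(schema)
    open("schema-customised-attrib.ldif", "w").write(schema_modify_ldif("attributetypes", attrs))
    open("schema-customised-object.ldif", "w").write(schema_modify_ldif("objectclasses", classes))
    open("config-customised-index.ldif", "w").write(index_ldif([
        ("departmentnumber", ["pres", "eq"]),
        ("employeenumber", ["pres", "eq"]),
        ("ntGroupDomainID", ["pres", "eq", "sub"]),
    ]))
```

Filtering on the NAME prefix rather than on DESC 'User Defined ...' means standard definitions that happen to carry that description are not re-added; extend the index list in the main block with whatever extra attributes the production server indexes.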
+ export production directory server data:
[http@baghdadic slapd-directory]$ pwd
/servers/netscape/directory4/slapd-directory
[http@baghdadic slapd-directory]$ ./db2ldif -fconfig/slapd.conf -a/tmp/all-data.ldif
Tip: db2ldif in Netscape Directory Server 4.2 doesn't seem to like spaces
between the flag and its argument.
OR with Directory Server 5.2:
[http@baghdadic slapd-directory]$ ./db2ldif -n userRoot -a /tmp/slapd-directory.ldif
+ import production data to new directory server:
[http@baghdadic slapd-directory]$ pwd
/servers/sun-ldap/directory52/slapd-directory
[http@baghdadic slapd-directory]$ ./stop-slapd
Before importing, edit the all-data.ldif file and add the line:
authorityRevocationList;binary::
to the entries "dn: ou=People,o=The University of Macquarie,c=AU" and "dn:
ou=Certificate Authority,o=The University of Macquarie,c=AU", because the
attribute "authorityRevocationList", which object class
"certificationAuthority" requires, is missing from them.
[http@baghdadic slapd-directory]$ ./ldif2db -n userRoot -i /servers/sun-ldap/data/new-data.ldif
importing data ...
[10/Mar/2005:13:03:38 +1100] - import userRoot: Index buffering is disabled.
[10/Mar/2005:13:03:38 +1100] - import userRoot: Beginning import job...
[10/Mar/2005:13:03:38 +1100] - import userRoot: Processing file "/servers/sun-ldap/data/new-data.ldif"
[10/Mar/2005:13:04:09 +1100] - import userRoot: Processed 3527 entries -- average rate 113.8/sec, recent rate 113.7/sec, hit ratio 0%
...
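The manual edit above (adding an empty authorityRevocationList;binary value to two entries) can be done mechanically, and more generally, for every certificationAuthority entry in the export. The script below is an added example, not part of the original notes; it scans the blank-line-separated LDIF records, appends exactly the line the notes add by hand to any entry of object class certificationAuthority that lacks the attribute, and reports which DNs it changed. The SAMPLE LDIF at the bottom is constructed test data.

```python
#!/usr/bin/env python3
"""Patch an exported LDIF before ldif2db so that every certificationAuthority
entry carries the MUST attribute authorityRevocationList.

Added example, not part of the original notes. It finds every entry of object
class certificationAuthority that lacks the attribute and appends an empty
base64 value ("authorityRevocationList;binary::"), the same line the notes
add by hand. The sample LDIF at the bottom is constructed.
"""
import sys

MISSING_ATTR = "authorityrevocationlist"
REQUIRED_BY = "certificationauthority"
FIX_LINE = "authorityRevocationList;binary::"   # '::' = base64, empty value


def records(ldif_text):
    """Yield LDIF records as lists of raw lines (records are blank-line separated)."""
    rec = []
    for line in ldif_text.splitlines():
        if line.strip():
            rec.append(line)
        elif rec:
            yield rec
            rec = []
    if rec:
        yield rec


def attr_name(line):
    """Lowercased attribute name of a line, without options such as ';binary';
    continuation lines (leading space) and comments return None."""
    if line.startswith((" ", "#")):
        return None
    return line.split(":", 1)[0].split(";", 1)[0].strip().lower()


def attr_value(line):
    parts = line.split(":", 1)
    return parts[1].strip() if len(parts) > 1 else ""


def needs_fix(rec):
    """True for a certificationAuthority entry with no authorityRevocationList."""
    has_class = any(attr_name(l) == "objectclass" and attr_value(l).lower() == REQUIRED_BY
                    for l in rec)
    has_attr = any(attr_name(l) == MISSING_ATTR for l in rec)
    return has_class and not has_attr


def fix_ldif(ldif_text):
    """Return (patched LDIF text, DNs of the entries that were changed)."""
    out, changed = [], []
    for rec in records(ldif_text):
        if needs_fix(rec):
            rec = rec + [FIX_LINE]
            changed.append(attr_value(rec[0]))
        out.append("\n".join(rec))
    return "\n\n".join(out) + "\n", changed


# constructed sample: one CA entry missing the attribute, one person entry,
# one CA entry that already has it
SAMPLE = """dn: ou=People,o=The University of Macquarie,c=AU
objectClass: top
objectClass: organizationalUnit
objectClass: certificationAuthority
ou: People
cACertificate;binary:: MIIB
certificateRevocationList;binary:: MIIB

dn: uid=terrence,ou=People,o=The University of Macquarie,c=AU
objectClass: top
objectClass: person
uid: terrence
sn: Example

dn: ou=Certificate Authority,o=The University of Macquarie,c=AU
objectClass: top
objectClass: certificationAuthority
ou: Certificate Authority
cACertificate;binary:: MIIB
certificateRevocationList;binary:: MIIB
authorityRevocationList;binary:: MIIB
"""

if __name__ == "__main__":
    # usage: fix_ldif.py all-data.ldif new-data.ldif
    patched, changed = fix_ldif(open(sys.argv[1]).read())
    open(sys.argv[2], "w").write(patched)
    for dn in changed:
        sys.stderr.write("added %s to %s\n" % (FIX_LINE, dn))
```

Running it a second time over its own output changes nothing, so it is safe to re-run after a fresh db2ldif export.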
Each Directory Server instance contains the db directory for storing all the
database files. The following list shows the sample contents of the db
directory at installation.
DBVERSION
NetscapeRoot/
__db.001
__db.002
__db.003
__db.004
__db.005
log.0000017
userRoot/
* __db.00x files - used internally by the database. These files should not
be moved, deleted, or modified in any way.
* log.xxxxxxxxxx files - store the transaction logs per database.
* DBVERSION - stores the version of the database.
* NetscapeRoot - this directory stores the o=NetscapeRoot database created
by default during a typical installation. This branch of the directory
stores admin server configuration information. The same configuration
directory can be used to store the admin server configuration
information for all directory instances. Refer to the Sun ONE Server
Console Server Management Guide for information on the appropriate
location of configuration, user and group data.
* userRoot - this directory stores the user-defined suffix (user-defined
databases) created during a typical installation, for example
dc=example,dc=com.
The following list shows the sample contents of the NetscapeRoot directory:
DBVERSION
NetscapeRoot_nsUniqueId.db3
NetscapeRoot_aci.db3
NetscapeRoot_numsubordinates.db3
NetscapeRoot_ancestorid.db3
NetscapeRoot_objectclass.db3
NetscapeRoot_cn.db3
NetscapeRoot_parentid.db3
NetscapeRoot_entrydn.db3
NetscapeRoot_sn.db3
NetscapeRoot_givenName.db3
NetscapeRoot_uid.db3
NetscapeRoot_id2entry.db3
NetscapeRoot_uniquemember.db3
Note:
To ensure that database filenames are unique across suffixes, the files are
prefixed with the suffix name. So, for the NetscapeRoot suffix in the above
example, all the filenames in the directory start with NetscapeRoot_.
The NetscapeRoot and userRoot subdirectories contain a file of the format
suffix_index_name.db3 for every index currently defined in the database (where
index_name is the name of the attribute being indexed). In addition to these
suffix_index_name.db3 files, the subdirectories contain a file named
suffix_id2entry.db3. This file contains the actual directory database entries.
All other database files can be recreated from this one, if necessary.
[http@baghdadic userRoot]$ cat DBVERSION
Sun-ONE-ldbm/5.2(64-bit) SunOS 5.8 sparc
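The naming rule quoted above (suffix_index_name.db3 per index, suffix_id2entry.db3 for the entries) makes it easy to verify that every index defined under cn=index for a backend actually exists on disk after an import. The script below is an added example, not part of the original notes: it reads index DNs from a cn=config export such as config.ldif and compares them with a db/<suffix>/ listing. The config fragment and file listing at the bottom are constructed sample data.

```python
#!/usr/bin/env python3
"""Cross-check a backend's db/<suffix>/ directory against the nsIndex entries
in a cn=config export.

Added example, not part of the original notes. It uses the naming rule
<suffix>_<index_name>.db3 (plus <suffix>_id2entry.db3 for the entries) to
report configured indexes with no database file yet, database files that no
longer match a configured index, and whether the id2entry file is present.
SAMPLE_CONFIG and SAMPLE_LISTING are constructed.
"""
import os
import re
import sys

# dn: cn=<index>,cn=index,cn=<backend>,cn=ldbm database,cn=plugins,cn=config
INDEX_DN = re.compile(
    r"^dn:\s*cn=([^,]+),cn=index,cn=([^,]+),cn=ldbm database,cn=plugins,cn=config\s*$",
    re.IGNORECASE,
)


def configured_indexes(config_ldif, backend):
    """Lowercased index names defined for `backend` in a cn=config export."""
    names = set()
    for line in config_ldif.splitlines():
        m = INDEX_DN.match(line)
        if m and m.group(2).lower() == backend.lower():
            names.add(m.group(1).lower())
    return names


def db_files(listing, suffix):
    """Map lowercased index name -> file name for <suffix>_<name>.db3 files."""
    prefix = suffix.lower() + "_"
    found = {}
    for name in listing:
        low = name.lower()
        if low.startswith(prefix) and low.endswith(".db3"):
            found[low[len(prefix):-len(".db3")]] = name
    return found


def check_backend(config_ldif, listing, backend):
    """Compare configured indexes with the files on disk for one backend."""
    files = db_files(listing, backend)
    configured = configured_indexes(config_ldif, backend)
    on_disk = set(files) - {"id2entry"}   # id2entry is the entry store, not an index
    return {
        "id2entry_present": "id2entry" in files,
        "missing_on_disk": sorted(configured - on_disk),   # index not yet built
        "not_configured": sorted(on_disk - configured),    # stale file left behind
    }


SAMPLE_CONFIG = """dn: cn=config
objectClass: top

dn: cn=aci,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: nsIndex
cn: aci
nsSystemIndex: true

dn: cn=departmentnumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: nsIndex
cn: departmentnumber
nsSystemIndex: false

dn: cn=employeenumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: nsIndex
cn: employeenumber

dn: cn=cn,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: nsIndex
cn: cn

dn: cn=uid,cn=index,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: nsIndex
cn: uid
"""

SAMPLE_LISTING = ["DBVERSION", "userRoot_id2entry.db3", "userRoot_aci.db3",
                  "userRoot_cn.db3", "userRoot_ntGroupDomainID.db3"]

if __name__ == "__main__":
    # usage: check_indexes.py config.ldif <ServerRoot>/slapd-directory/db userRoot
    cfg, dbdir, backend = sys.argv[1], sys.argv[2], sys.argv[3]
    listing = os.listdir(os.path.join(dbdir, backend))
    for key, value in check_backend(open(cfg).read(), listing, backend).items():
        print("%s: %s" % (key, value))
```

Anything reported under missing_on_disk was added to cn=config but never built, which is the case when indexes are added after the ldif2db import shown earlier; anything under not_configured is a leftover file from an index that has since been removed.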
+ generate and install the directory server certificate
Tasks -> Manage Certificate -> set security device password -> Server Certs -> Request...
Sign the certificate request in Certificate Management Server
Tasks -> Manage Certificate -> set security device password -> Server Certs -> install ...
+ install IPReg Certificate Issuer Certificate Authority
Tasks -> Manage Certificate -> set security device password -> CA Certs -> install ...
+ install University of Macquarie Certificate Authority
Tasks -> Manage Certificate -> set security device password -> CA Certs -> install ...
+ Map certificates to directory entries
[http@baghdadic config]$ pwd
/servers/sun-ldap/directory52/shared/config
[http@baghdadic config]$ diff certmap.conf certmap.conf.orig
46,48d45
< default:DNComps o,c
< default:FilterComps uid
< default:verifycert off
+ Set up radius plugin
[http@baghdadic radiusbind]$ pwd
/servers/sun-ldap/directory52/plugins/slapd/slapi/radiusbind
[http@baghdadic radiusbind]$ cat Makefile
#
# Copyright 2002 Sun Microsystems, Inc. All Rights Reserved
# Use of this product is subject to license terms.
#
# SOLARIS Makefile for 64-bit Directory Server plug-in examples
#
## Solaris cc
CC = /opt/SUNWspro/bin/cc
LD = /usr/ccs/bin/ld
CFLAGS = $(INCLUDE_FLAGS) -D_REENTRANT -KPIC -xarch=v9 -DUSE_64
## Don't use GNU gcc, error: "wrong ELF class: ELFCLASS32"
# CC = /usr/local/bin/gcc
# LD = /usr/local/bin/ld
# CFLAGS = $(INCLUDE_FLAGS) -D_REENTRANT -DUSE_64
INCLUDE_FLAGS = -I../include
LDFLAGS = -G -lmd5
DIR64 = 64
## Not safe to use our own md5 library on 64-bit Solaris - it kept crashing the
## directory server; use the system md5 library instead - Terrence, 2004.09.14
# OBJS = radiusbind.o md5.o radius.o
OBJS = radiusbind.o radius.o
all: MKDIR64 $(DIR64)/libradiusbind-plugin.so
MKDIR64:
	@if [ ! -d $(DIR64) ]; then mkdir $(DIR64); fi
$(DIR64)/libradiusbind-plugin.so: $(OBJS)
	$(LD) $(LDFLAGS) -o $@ $(OBJS)
.c.o:
	$(CC) $(CFLAGS) -c $<
clean:
	-rm -f $(OBJS) $(DIR64)/libradiusbind-plugin.so
[http@baghdadic radiusbind]$ cat debuglevel.ldif
dn: cn=config
changetype: modify
replace: nsslapd-infolog-area
nsslapd-infolog-area: 65536
[http@baghdadic radiusbind]$ cat radiusbind.ldif
dn: cn=Radius Bind,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: Radius Bind
nsslapd-pluginPath: /servers/sun-ldap/directory/plugins/slapd/slapi/radiusbind/libradiusbind-plugin.so
nsslapd-pluginInitfunc: radiusbind_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: radius-bind
nsslapd-pluginVersion: 2.0
nsslapd-pluginVendor: The University of Macquarie
nsslapd-pluginDescription: Verifies the password with a radius server
[http@baghdadic radiusbind]$ /servers/web/bin/ldapadd -h directory -p 3389 -x -D "cn=Directory Manager" -w goaway -f radiusbind.ldif
[http@baghdadic config]$ pwd
/servers/sun-ldap/directory/slapd-directory/config
[http@baghdadic config]$ diff dse.ldif dse.ldif.orig
...
1048,1067d1047
< dn: cn=Radius Bind,cn=plugins,cn=config
< objectClass: top
< objectClass: nsSlapdPlugin
< objectClass: extensibleObject
< cn: Radius Bind
< nsslapd-pluginPath: /servers/sun-ldap/directory/plugins/slapd/slapi/radiusbind
< /libradiusbind-plugin.so
< nsslapd-pluginInitfunc: radiusbind_init
< nsslapd-pluginType: preoperation
< nsslapd-pluginEnabled: on
< nsslapd-plugin-depends-on-type: database
< nsslapd-pluginId: radius-bind
< nsslapd-pluginVersion: 2.0
< nsslapd-pluginVendor: The University of Macquarie
< nsslapd-pluginDescription: Verifies the password with a radius server
< creatorsName: cn=directory manager
< modifiersName: cn=directory manager
< createTimestamp: 20050310053339Z
< modifyTimestamp: 20050310053339Z
<
Test it with a user bind:
[http@baghdadic radiusbind]$ /servers/web/bin/ldapsearch -h directory -p 3389 -x -D "uid=terrence,ou=People,o=The University of Macquarie,c=AU" -W -b "uid=terrence,ou=People,o=The University of Macquarie,c=AU" -s base "(objectclass=*)"
+ get rid of internal (software) token (PIN) from certificate DB
[http@baghdadic alias]$ pwd
/servers/sun-ldap/directory/alias
[http@baghdadic alias]$ ls -al
total 611
drwxr-x--- 3 http 512 Mar 11 12:42 .
drwxrwxr-x 20 siwc 512 Mar 11 11:15 ..
-rw------- 1 http 32768 Mar 9 17:02 admin-serv-directory-cert7.db
-rw------- 1 http 32768 Mar 9 17:02 admin-serv-directory-key3.db
-rwxr-xr-x 1 http 370796 Mar 9 16:59 libnssckbi.so
-rw------- 1 http 32768 Mar 10 16:53 secmod.db
-rw------- 1 http 32768 Mar 10 16:53 secmod.db.orig
-rw------- 1 http 32768 Mar 10 16:03 slapd-directory-cert7.db
-rw------- 1 http 32768 Mar 10 16:03 slapd-directory-cert7.db.orig
-rw------- 1 http 32768 Mar 10 16:03 slapd-directory-key3.db
-rw------- 1 http 32768 Mar 10 16:03 slapd-directory-key3.db.orig
[http@baghdadic alias]$ cp slapd-directory-cert7.db cert7.db
[http@baghdadic alias]$ cp slapd-directory-key3.db key3.db
[http@baghdadic alias]$ ../shared/bin/certutil -L -d .
Certificate Name                              Trust Attributes
server-cert                                   u,,
IPReg Certificate Issuer                      CT,,
The University of Macquarie                   CT,,

p    Valid peer
P    Trusted peer (implies p)
c    Valid CA
T    Trusted CA to issue client certs (implies c)
C    Trusted CA to certs(only server certs for ssl) (implies c)
u    User cert
w    Send warning
[http@baghdadic alias]$ ../shared/bin/certutil -W -d .
Enter Password or Pin for "NSS Certificate DB":
In order to finish creating your database, you
must enter a password which will be used to
encrypt this key and any future keys.
The password must be at least 8 characters long,
and must contain at least one non-alphabetic character.
Enter new password: (you can't put a blank password here)
Re-enter password: (you can't put a blank password here)
Password changed successfully.
According to the Sun document <http://docs.sun.com/source/816-6698-10/intro.html#16167>:
To start the server with SSL enabled, you must provide the password which
protects the server's certificates. You can create a password file to store
your certificate password. By placing your certificate database password in
a file, you can start your server from the server console, and also allow
your server to automatically restart when running unattended.
The password file must be placed in the following location:
ServerRoot/alias/slapd-serverID-pin.txt
where serverID is the identifier you specified for the server when you
installed it.
You need to include the name of the security token and its password in the
file as follows:
deviceName Token:password
The device name for the internal certificate database is shown in this
example (capitalization and spacing must be exactly as shown):
Internal (Software) Token:password
[http@baghdadic alias]$ ls -al slapd-directory-pin.txt
-rw------- 1 http 35 Mar 11 16:11 slapd-directory-pin.txt
[http@baghdadic alias]$ cat slapd-directory-pin.txt
Internal (Software) Token:goaway!!!
+ set up instance of directory archive:
Although SSL is enabled on this instance, it listens on a non-SSL port. You
still need to create the slapd-directory-archive-pin.txt file:
[http@baghdadic alias]$ pwd
/servers/sun-ldap/directory/alias
[http@baghdadic alias]$ cat slapd-directory-archive-pin.txt
Internal (Software) Token:goaway!!!
If you use the same cert7.db and key3.db files as instance "directory":
[http@baghdadic alias]$ ls -1
slapd-directory-archive-cert7.db
slapd-directory-archive-key3.db
slapd-directory-archive-pin.txt
+ set up instance of directory replicator:
First, add the new attributes and object classes to the schema, then the new indexes:
[siwc@baghdadic data]$ cat add.sh
/servers/web/bin/ldapadd -h directory -p 3393 -x -D "cn=Directory Manager" -w goaway!!! -f $1
[siwc@baghdadic data]$ sh add.sh directory-replicator-schema-customised-attrib.ldif
modifying entry "cn=schema"
[siwc@baghdadic data]$ sh add.sh directory-replicator-schema-customised-object.ldif
modifying entry "cn=schema"
[siwc@baghdadic data]$ sh add.sh config-index-customised.ldif
adding new entry "cn=unimacqarsaccountname,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config"
...
Setup replication on directory replicator server (port:3393), initialize the
consumer
Configuration -> Data -> o=The University of Macquarie,c=AU -> Replication
then, click "enable replication" button; there are 3 replica roles:
Consumer Replica: Data below this suffix cannot be modified by LDAP clients.
Data changes are not logged and cannot be replicated to other servers.
Master Replica: Data below this suffix can be modified by LDAP clients.
Data changes are logged and may be replicated to other servers.
Hub Replica: Data below this suffix cannot be modified by LDAP clients.
Data changes are logged and may be replicated to other servers.
Select Consumer Replica.
Set a password for the replication manager. (Other replicas of this suffix need to bind to this server as the replication manager in order to send replication updates; the password you provide here is the one they will use to authenticate.)
Setup replication on directory server (port:3389), initialize the supplier
Configuration -> Data -> o=The University of Macquarie,c=AU -> Replication
then, click "enable replication" button, select Master Replica; Assign an ID
to this master replica (This ID must be unique for all master replicas of this
suffix. Once it is assigned, this ID cannot be changed unless replication is
disabled), give it "1"; changelogdb directory is under:
/servers/sun-ldap/directory/slapd-directory/changelogdb
Under "Defined replication agreements" -> New -> Send updates to directory:3393
Connect using simple authentication:
DN: cn=replication manager, cn=replication, cn=config
Select Action!!!