
step by step set up Sun Directory Server 5.2 (archive, replicator and plugin)

step by step set up Sun Directory Server 5.2 on solaris (archive, replicator and plugin)
----------------------------------------------------------------------------------------


+ install directory server as user "http"

+ start admin server (it is a web server) and directory "config" server

port 3389: directory server
port 3390: config server
port 3391: directory archive server
port 3393: replicator server

+ run "startconsole -x nologo", create new directory server instance 
  called "directory" 

+ export schema from production server:

[siwc@baghdadic data]$ /servers/netscape/directory4/shared/bin/ldapsearch -h directory -p 389 -D "cn=Directory Manager" -w goaway -b "cn=schema" "(objectclass=*)" > schema.ldif

+ build the objects and attributes ldif file, including all the additional 
  customised objects and attributes:

[siwc@baghdadic data]$ less schema-customised-attrib.ldif
dn: cn=schema
changetype: modify
attributetypes: ( unimacqARSaccountName-oid NAME 'unimacqarsaccountname' DESC 
 'User Defined Attribute' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
...

[siwc@baghdadic data]$ less schema-customised-object.ldif
dn: cn=schema
changetype: modify
objectclasses: ( unimacqldap-oid NAME 'unimacqldap' DESC 'User Defined ObjectC
 lass' SUP 'top' MUST ( objectclass $ unimacqldapnextuid $ unimacqldapnextuid
 lock )  MAY ( aci $ cn ) )
...

[siwc@baghdadic data]$ /servers/web/bin/ldapmodify -h directory -p 3389 -x -D "cn=Directory Manager" -w goaway!!! -f schema-customised-attrib.ldif
[siwc@baghdadic data]$ /servers/web/bin/ldapmodify -h directory -p 3389 -x -D "cn=Directory Manager" -w goaway!!! -f schema-customised-object.ldif

+ create and build index ldif file, including all the additional customised indexes:

[siwc@baghdadic data]$ less config-customised-index.ldif 
dn: cn=departmentnumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: nsIndex
cn: departmentnumber
nsSystemIndex: false
nsIndexType: pres
nsIndexType: eq

dn: cn=employeenumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: nsIndex
cn: employeenumber
nsSystemIndex: false
nsIndexType: pres
nsIndexType: eq

dn: cn=ntGroupDomainID,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: nsIndex
cn: ntGroupDomainID
nsSystemIndex: false
nsIndexType: pres
nsIndexType: eq
nsIndexType: sub
...

add new indexes:

[siwc@baghdadic data]$ /servers/web/bin/ldapadd -h directory -p 3389 -x -D "cn=Directory Manager" -w goaway!!! -f config-customised-index.ldif

to check, run:

[siwc@baghdadic data]$ /servers/web/bin/ldapsearch -h directory -p 3389 -x -D "cn=Directory Manager" -w goaway -b "cn=config" "(objectclass=*)" > config.ldif

+ export production directory server data:

[http@baghdadic slapd-directory]$ pwd
/servers/netscape/directory4/slapd-directory

[http@baghdadic slapd-directory]$ ./db2ldif -fconfig/slapd.conf -a/tmp/all-data.ldif

Tip: db2ldif in Netscape Directory Server 4.2 doesn't seem to like spaces 
     between the flag and its argument.

OR with Directory Server 5.2:

[http@baghdadic slapd-directory]$ ./db2ldif -n userRoot -a /tmp/slapd-directory.ldif

+ import production data to new directory server:

[http@baghdadic slapd-directory]$ pwd
/servers/sun-ldap/directory52/slapd-directory

[http@baghdadic slapd-directory]$ ./stop-slapd 

You need to modify the all-data.ldif file first and add:

	authorityRevocationList;binary:: 

to the entries "dn: ou=People,o=The University of Macquarie,c=AU" and "dn: 
ou=Certificate Authority,o=The University of Macquarie,c=AU", because the 
attribute "authorityRevocationList", which is required by the object class 
"certificationAuthority", is missing and the import rejects those entries.
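As an added example (not code from the original post), the edit described above done by a small Python script: it parses the exported LDIF, folding continuation lines, finds every entry whose objectClass values include certificationAuthority but which has no authorityRevocationList attribute, and appends the empty binary attribute. The sample LDIF embedded in it is constructed; the DNs mirror the ones named above.

```python
# Added example (not the original post's code): add the mandatory
# authorityRevocationList attribute to every certificationAuthority entry
# of an exported LDIF, as ldif2db rejects entries without it. Sample is constructed.
FIX_LINE = "authorityRevocationList;binary:: "   # empty base64 value

def parse_ldif(text):
    """Split LDIF into entries; each entry is a list of unfolded lines."""
    entries, current = [], []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue                      # comment line
        elif raw == "" and current:       # blank line ends an entry
            entries.append(current)
            current = []
        elif raw.startswith(" ") and current:
            current[-1] += raw[1:]        # join folded continuation line
        elif raw:
            current.append(raw)
    return entries + ([current] if current else [])

def attr_name(line):
    """Attribute type without options, lower-cased: 'x;binary:: a' -> 'x'."""
    return line.split(":", 1)[0].split(";", 1)[0].strip().lower()

def needs_fix(entry):
    ocs = {l.split(":", 1)[1].strip().lower()
           for l in entry if attr_name(l) == "objectclass"}
    has_arl = any(attr_name(l) == "authorityrevocationlist" for l in entry)
    return "certificationauthority" in ocs and not has_arl

def fix_ldif(text):
    """Return (patched LDIF text, list of DNs that were patched)."""
    out, patched = [], []
    for entry in parse_ldif(text):
        if needs_fix(entry):
            entry = entry + [FIX_LINE]
            patched.append(entry[0].split(":", 1)[1].strip())
        out.append("\n".join(entry))
    return "\n\n".join(out) + "\n", patched

SAMPLE = """dn: ou=People,o=The University of Macquarie,c=AU
objectClass: top
objectClass: organizationalUnit
objectClass: certificationAuthority
ou: People

dn: uid=terrence,ou=People,o=The University of Macquarie,c=AU
objectClass: person
uid: terrence
"""
```

Run fix_ldif over the real all-data.ldif and write the first element of the result to new-data.ldif; a second pass over the patched output reports no DNs, which is a cheap sanity check.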

[http@baghdadic slapd-directory]$ ./ldif2db -n userRoot -i /servers/sun-ldap/data/new-data.ldif 
importing data ...
[10/Mar/2005:13:03:38 +1100] - import userRoot: Index buffering is disabled.
[10/Mar/2005:13:03:38 +1100] - import userRoot: Beginning import job...
[10/Mar/2005:13:03:38 +1100] - import userRoot: Processing file "/servers/sun-ldap/data/new-data.ldif"
[10/Mar/2005:13:04:09 +1100] - import userRoot: Processed 3527 entries -- average rate 113.8/sec, recent rate 113.7/sec, hit ratio 0%
...

Each Directory Server instance contains the db directory for storing all the 
database files. The following list shows the sample contents of the db 
directory at installation.

DBVERSION
NetscapeRoot/
__db.001
__db.002
__db.003
__db.004
__db.005
log.0000017
userRoot/

    * db.00x files - used internally by the database. These files should not 
      be moved, deleted, or modified in any way.

    * log.xxxxxxxxxx files - store the transaction logs per database.

    * DBVERSION - stores the version of the database.

    * NetscapeRoot - this directory stores the o=NetscapeRoot database created 
      by default during a typical installation. This branch of the directory 
      stores admin server configuration information. The same configuration 
      directory can be used to store the admin server configuration 
      information for all directory instances. Refer to the Sun ONE Server 
      Console Server Management Guide for information on the appropriate 
      location of configuration, user and group data.

    * userRoot - this directory stores the user-defined suffix (user-defined 
      databases) created during a typical installation, for example 
      dc=example,dc=com.

The following list shows the sample contents of the NetscapeRoot directory:

DBVERSION 
NetscapeRoot_nsUniqueId.db3
NetscapeRoot_aci.db3 
NetscapeRoot_numsubordinates.db3
NetscapeRoot_ancestorid.db3 
NetscapeRoot_objectclass.db3
NetscapeRoot_cn.db3 
NetscapeRoot_parentid.db3
NetscapeRoot_entrydn.db3 
NetscapeRoot_sn.db3
NetscapeRoot_givenName.db3 
NetscapeRoot_uid.db3
NetscapeRoot_id2entry.db3 
NetscapeRoot_uniquemember.db3

Note:

To ensure that database filenames are unique across suffixes, the files are 
prefixed with the suffix name. So, for the NetscapeRoot suffix in the above 
example, all the filenames in the directory start with NetscapeRoot_.

The NetscapeRoot and userRoot subdirectories contain a file of the format 
suffix_index_name.db3 for every index currently defined in the database (where 
index_name is the name of the attribute being indexed). In addition to these 
suffix_index_name.db3 files, the subdirectories contain a file named 
suffix_id2entry.db3. This file contains the actual directory database entries. 
All other database files can be recreated from this one, if necessary.

[http@baghdadic userRoot]$ cat DBVERSION 
Sun-ONE-ldbm/5.2(64-bit) SunOS 5.8 sparc

+ generate and install the directory server certificate

Tasks -> Manage Certificate -> set security device password -> Server Certs -> Request...

Sign the certificate request in Certificate Management Server

Tasks -> Manage Certificate -> set security device password -> Server Certs -> install ...

+ install IPReg Certificate Issuer Certificate Authority

Tasks -> Manage Certificate -> set security device password -> CA Certs -> install ...

+ install University of Macquarie Certificate Authority

Tasks -> Manage Certificate -> set security device password -> CA Certs -> install ...

+ Map certificates to directory entries

[http@baghdadic config]$ pwd
/servers/sun-ldap/directory52/shared/config

[http@baghdadic config]$ diff certmap.conf certmap.conf.orig 
46,48d45
< default:DNComps         o,c
< default:FilterComps     uid
< default:verifycert      off

+ Set up radius plugin

[http@baghdadic radiusbind]$ pwd
/servers/sun-ldap/directory52/plugins/slapd/slapi/radiusbind

[http@baghdadic radiusbind]$ cat Makefile 
#
# Copyright 2002 Sun Microsystems, Inc. All Rights Reserved
# Use of this product is subject to license terms.
# 
# SOLARIS Makefile for 64-bit Directory Server plug-in examples
#

## Solaris cc 
CC = /opt/SUNWspro/bin/cc
LD = /usr/ccs/bin/ld
CFLAGS = $(INCLUDE_FLAGS) -D_REENTRANT -KPIC -xarch=v9 -DUSE_64

## Don't use GNU gcc, error: "wrong ELF class: ELFCLASS32"
# CC = /usr/local/bin/gcc
# LD = /usr/local/bin/ld
# CFLAGS = $(INCLUDE_FLAGS) -D_REENTRANT -DUSE_64

INCLUDE_FLAGS = -I../include
LDFLAGS = -G -lmd5
DIR64 = 64

## Not safe use our md5 library on 64 bit solaris - keep crashing directory server
## use system md5 library instead - Terrence, 2004.09.14
# OBJS = radiusbind.o md5.o radius.o
OBJS = radiusbind.o radius.o

all: MKDIR64 $(DIR64)/libradiusbind-plugin.so

MKDIR64:
        @if [ ! -d $(DIR64) ]; then mkdir $(DIR64); fi

$(DIR64)/libradiusbind-plugin.so: $(OBJS)
        $(LD) $(LDFLAGS) -o $@ $(OBJS)

.c.o:
        $(CC) $(CFLAGS) -c $<

clean:
        -rm -f $(OBJS) $(DIR64)/libradiusbind-plugin.so

[http@baghdadic radiusbind]$ cat debuglevel.ldif 
dn: cn=config
changetype: modify
replace: nsslapd-infolog-area
nsslapd-infolog-area: 65536 

[http@baghdadic radiusbind]$ cat radiusbind.ldif 
dn: cn=Radius Bind,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: Radius Bind
nsslapd-pluginPath: /servers/sun-ldap/directory/plugins/slapd/slapi/radiusbind/libradiusbind-plugin.so
nsslapd-pluginInitfunc: radiusbind_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: radius-bind
nsslapd-pluginVersion: 2.0
nsslapd-pluginVendor: The University of Macquarie
nsslapd-pluginDescription: Verifies the password with a radius server

[http@baghdadic radiusbind]$ /servers/web/bin/ldapadd -h directory -p 3389 -x -D "cn=Directory Manager" -w goaway -f radiusbind.ldif

[http@baghdadic config]$ pwd
/servers/sun-ldap/directory/slapd-directory/config

[http@baghdadic config]$ diff dse.ldif dse.ldif.orig 
...
1048,1067d1047
< dn: cn=Radius Bind,cn=plugins,cn=config
< objectClass: top
< objectClass: nsSlapdPlugin
< objectClass: extensibleObject
< cn: Radius Bind
< nsslapd-pluginPath: /servers/sun-ldap/directory/plugins/slapd/slapi/radiusbind
<  /libradiusbind-plugin.so
< nsslapd-pluginInitfunc: radiusbind_init
< nsslapd-pluginType: preoperation
< nsslapd-pluginEnabled: on
< nsslapd-plugin-depends-on-type: database
< nsslapd-pluginId: radius-bind
< nsslapd-pluginVersion: 2.0
< nsslapd-pluginVendor: The University of Macquarie
< nsslapd-pluginDescription: Verifies the password with a radius server
< creatorsName: cn=directory manager
< modifiersName: cn=directory manager
< createTimestamp: 20050310053339Z
< modifyTimestamp: 20050310053339Z
< 

Have a test:

[http@baghdadic radiusbind]$ /servers/web/bin/ldapsearch -h directory -p 3389 -x -D "uid=terrence,ou=People,o=The University of Macquarie,c=AU" -W -b "uid=terrence,ou=People,o=The University of Macquarie,c=AU" -s base "(objectclass=*)"

+ get rid of internal (software) token (PIN) from certificate DB

[http@baghdadic alias]$ pwd
/servers/sun-ldap/directory/alias

[http@baghdadic alias]$ ls -al
total 611
drwxr-x---   3 http          512 Mar 11 12:42 .
drwxrwxr-x  20 siwc          512 Mar 11 11:15 ..
-rw-------   1 http        32768 Mar  9 17:02 admin-serv-directory-cert7.db
-rw-------   1 http        32768 Mar  9 17:02 admin-serv-directory-key3.db
-rwxr-xr-x   1 http       370796 Mar  9 16:59 libnssckbi.so
-rw-------   1 http        32768 Mar 10 16:53 secmod.db
-rw-------   1 http        32768 Mar 10 16:53 secmod.db.orig
-rw-------   1 http        32768 Mar 10 16:03 slapd-directory-cert7.db
-rw-------   1 http        32768 Mar 10 16:03 slapd-directory-cert7.db.orig
-rw-------   1 http        32768 Mar 10 16:03 slapd-directory-key3.db
-rw-------   1 http        32768 Mar 10 16:03 slapd-directory-key3.db.orig

[http@baghdadic alias]$ cp slapd-directory-cert7.db cert7.db
[http@baghdadic alias]$ cp slapd-directory-key3.db key3.db

[http@baghdadic alias]$ ../shared/bin/certutil -L -d . 

Certificate Name                                             Trust Attributes

server-cert                                                  u,,  
IPReg Certificate Issuer                                     CT,, 
The University of Macquarie                                  CT,, 

p    Valid peer
P    Trusted peer (implies p)
c    Valid CA
T    Trusted CA to issue client certs (implies c)
C    Trusted CA to certs(only server certs for ssl) (implies c)
u    User cert
w    Send warning

[http@baghdadic alias]$ ../shared/bin/certutil -W -d . 
Enter Password or Pin for "NSS Certificate DB":
In order to finish creating your database, you
must enter a password which will be used to
encrypt this key and any future keys.

The password must be at least 8 characters long,
and must contain at least one non-alphabetic character.

Enter new password: (you can't put a blank password here)
Re-enter password: (you can't put a blank password here)
Password changed successfully.

According to SUN document <http://docs.sun.com/source/816-6698-10/intro.html#16167>:

To start the server with SSL enabled, you must provide the password which 
protects the server's certificates. You can create a password file to store 
your certificate password. By placing your certificate database password in 
a file, you can start your server from the server console, and also allow 
your server to automatically restart when running unattended.

The password file must be placed in the following location:

    ServerRoot/alias/slapd-serverID-pin.txt 

where serverID is the identifier you specified for the server when you 
installed it.

You need to include the name of the security token and its password in the 
file as follows:

    deviceName Token:password 

The device name for the internal certificate database is shown in this 
example (capitalization and spacing must be exactly as shown):

    Internal (Software) Token:password 

[http@baghdadic alias]$ ls -al slapd-directory-pin.txt
-rw-------   1 http           35 Mar 11 16:11 slapd-directory-pin.txt

[http@baghdadic alias]$ cat slapd-directory-pin.txt
Internal (Software) Token:goaway!!!
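As an added check (not part of the original post), a Python function that validates a slapd-serverID-pin.txt before the server is started with SSL: it confirms the exact token name quoted from the Sun document above, that the file holds one token:password line with a non-empty password, and that its mode denies group and other access as in the listing above. The file paths and passwords it writes are constructed temporary values.

```python
# Added example (not from the original post): sanity-check a pin file for
# Sun Directory Server before starting it with SSL. All values constructed.
import os
import stat
import tempfile

TOKEN = "Internal (Software) Token"   # capitalization and spacing are exact

def check_pin_file(path):
    """Return a list of problems found; an empty list means the file is usable."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %o allows group/other access; expected 0600" % mode)
    with open(path) as fh:
        lines = [l.rstrip("\n") for l in fh if l.strip()]
    if len(lines) != 1:
        problems.append("expected one 'token:password' line, found %d" % len(lines))
    for line in lines:
        token, sep, password = line.partition(":")
        if not sep:
            problems.append("missing ':' separator")
        elif token != TOKEN:
            problems.append("token name %r must be exactly %r" % (token, TOKEN))
        if not password:
            problems.append("empty password")
    return problems

def write_and_check(contents, mode=0o600):
    """Write constructed contents to a temp pin file with the given mode and check it."""
    fd, path = tempfile.mkstemp(prefix="slapd-directory-pin-")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(contents)
        os.chmod(path, mode)
        return check_pin_file(path)
    finally:
        os.unlink(path)
```

Point check_pin_file at ServerRoot/alias/slapd-directory-pin.txt on the real host; write_and_check only exists to exercise the checker on constructed input.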


+ set up instance of directory archive:

Although SSL is enabled in this server, it listens on a non-SSL port. You also 
need to create the slapd-directory-archive-pin.txt file:

[http@baghdadic alias]$ pwd
/servers/sun-ldap/directory/alias

[http@baghdadic alias]$ cat slapd-directory-archive-pin.txt
Internal (Software) Token:goaway!!!

if you use the same cert7.db and key3.db files as the instance "directory":

[http@baghdadic alias]$ ls -1
slapd-directory-archive-cert7.db
slapd-directory-archive-key3.db
slapd-directory-archive-pin.txt


+ set up instance of directory replicator:

Firstly, add the new attributes and object classes to the schema, and then the new indexes:

[siwc@baghdadic data]$ cat add.sh 
/servers/web/bin/ldapadd -h directory -p 3393 -x -D "cn=Directory Manager" -w goaway!!! -f $1

[siwc@baghdadic data]$ sh add.sh directory-replicator-schema-customised-attrib.ldif
modifying entry "cn=schema"

[siwc@baghdadic data]$ sh add.sh directory-replicator-schema-customised-object.ldif 
modifying entry "cn=schema"

[siwc@baghdadic data]$ sh add.sh config-index-customised.ldif
adding new entry "cn=unimacqarsaccountname,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config"
...

Set up replication on the directory replicator server (port 3393) and initialize 
the consumer:

Configuration -> Data -> o=The University of Macquarie,c=AU -> Replication

then click the "enable replication" button; there are 3 replica roles:

Consumer Replica: Data below this suffix cannot be modified by LDAP clients. 
                  Data changes are not logged and cannot be replicated to other servers.
  Master Replica: Data below this suffix can be modified by LDAP clients.
                  Data changes are logged and may be replicated to other servers.
     Hub Replica: Data below this suffix cannot be modified by LDAP clients.
                  Data changes are logged and may be replicated to other servers.

Select Consumer Replica.

Set up the password for the replication manager (other replicas for this suffix need to bind to this server as the replication manager in order to send replication updates; the password you provide is the one they will use to authenticate).

Set up replication on the directory server (port 3389) and initialize the supplier:

Configuration -> Data -> o=The University of Macquarie,c=AU -> Replication

then click the "enable replication" button and select Master Replica; assign an ID 
to this master replica (this ID must be unique among all master replicas of this 
suffix; once assigned, it cannot be changed unless replication is 
disabled), give it "1"; the changelogdb directory is under:

/servers/sun-ldap/directory/slapd-directory/changelogdb

Under "Defined replication agreements" -> New -> Send updates to directory:3393

Connect using simple authentication:

      DN: cn=replication manager, cn=replication, cn=config

Select Action!!!
