Red Hat NETSCAPE DIRECTORY SERVER 7.0 - DEPLOYMENT Installation Guide


Summary of Contents

Page 1 - Installation Guide

Ella Deon Lackey. Red Hat Directory Server. Red Hat Directory Server 9 Installation Guide, updated for Directory Server 9.1. Edition 9.1

Page 2 - Edition 9.1

Other formatting styles draw attention to important text.
NOTE: A note provides additional information that can help illustrate the behavior of the syste

Page 3

LDAPv3: Version 3 of the LDAP protocol, upon which Directory Server bases its schema format.
LDBM database: A high-performance, disk-based database consis

Page 4 - Table of Contents

master agent: See SNMP master agent.
matching rule: Provides guidelines for how the server compares strings during a search operation. In an international s

Page 5

The problem of managing multiple instances of the same information in different directories, resulting in increased hardware and personnel costs.
name c

Page 6

OID: See object identifier.
operational attribute: Contains information used internally by the directory to keep track of modifications and subtree properti

Page 7

presence index: Allows searches for entries that contain a specific indexed attribute.
protocol: A set of rules that describes how devices on a network exc

Page 8 - 1. Examples and Formatting

string to form the full distinguished name. Also relative distinguished name.
read-only replica: A replica that refers all update operations to read-wri

Page 9 - 1.3. Client Tool Information

RFC: Request for Comments. Procedures or standards documents submitted to the Internet community. People can send comments on the technologies before the

Page 10 - 2. Additional Reading

Server Console: Java-based application that allows you to perform administrative management of your Directory Server from a GUI.
server daemon: The server d

Page 11 - 4. Documentation History

SNMP: Used to monitor and manage application processes running on the servers by exchanging data about network activity. Also Simple Network Management P

Page 12 - # DNS information

supplier server: In the context of replication, a server that holds a replica that is copied to a different server is called a supplier for that replica.

Page 13 - 1.2.2. Port Numbers

The Red Hat Directory Server Performance Tuning Guide contains features to monitor overall Directory Server and database performance, to tune attribute

Page 14 - 1.2.4. File Descriptors

Transport Layer Security: See TLS.
U
uid: A unique number associated with each user on a Unix system.
URL: Uniform Resource Locator. The addressing system use

Page 15 - 1.2.6. Directory Manager

- user, Admin Server User
Administration domain, Administration Domain
C
Clients cannot locate the server, Problem: Clients cannot locate the server
C

Page 16 - 1.2.9. Directory Suffix

- starting, Starting the Directory Server Console
Directory suffix, Directory Suffix
dsktune, Using dsktune
E
Express setup
- Red Hat Enterprise Linux, E

Page 17 - 1.2.11. Administration Domain

- setup-ds-admin.pl, Overview of Setup
- silent, Overview of Setup
M
Migrating, Migrating from Previous Versions
O
OpenJDK
- Red Hat Enterprise Linux, Requ

Page 18

- typical setup, Typical Setup
- uninstalling Directory Server, Uninstalling Directory Server
register-ds-admin.pl, Registering Servers Using register-d

Page 19

setup-ds.pl, Installing Only the Directory Server
Silent setup, Silent Setup for Directory Server and Admin Server
- Directory Server only, Silent Dire

Page 20

Chapter 1. Preparing for a Directory Server Installation
Before you install Red Hat Directory Server 9.1, there are required settings and information t

Page 21 - 1.4. Overview of Setup

lab.eng.example.com, so the domain name used by the setup script is lab.eng.example.com. Any information in the /etc/resolv.conf file must match th

Page 22

The Admin Server runs on a web server, so it uses HTTP or HTTPS. However, unlike the Directory Server which can run on secure (LDAPS) and insecure (LDA

Page 23

* - nofile 8192
4. Edit the /etc/pam.d/system-auth, and add this entry:
session required /lib/security/$ISA/pam_limits.so
5. Rebo

Page 24

Server Console. Every Directory Server is configured to grant this user administrative access. There are important differences between the Directory Ad

Page 25

directory, and for larger sites, this write activity can create performance issues for other directory service activities. The configuration directory

Page 26

For example, to set the machine name, suffix, and Directory Server port of the new instance, the command is as follows:
setup-ds-admin.pl General.FullM

Page 27 - 2.1.1. Required JDK

TIP: To go back to a previous dialog screen, type Control-B and press Enter. You can backtrack all the way to the first screen.
When the setup-ds-admin.p

Page 28

Red Hat Directory Server. Red Hat Directory Server 9 Installation Guide, updated for Directory Server 9.1. Edition 9.1. Ella Deon [email protected] m

Page 29 - 2.2. Using dsktune

Table 1.1. setup-ds-admin Options
Option | Alternate Options | Description | Example
--silent | -s | This sets that the setup script will run in silent mode, dra

Page 30

inf.
WARNING: The cache file contains the cleartext passwords supplied during setup. Use appropriate caution and protection with this file.
--logfile name | -l | This

Page 31 - Enterprise Linux

information about the directory service, like suffix and configuration directory information, while still proceeding quickly through the setup process.

Page 32 - 3.1.1. Installing Using yum

Table 1.2. Comparison of Setup Types
Setup Screen | Parameter Input | Express | Typical | Custom | Silent Setup File Parameter
Continue with setup | Yes or no | N/A
Accept lic

Page 33

Give the Configuration Directory Server user ID [a] | admin | [General] ConfigDirectoryAdminID=admin
Give the Configuration Directory Server user password [a] | password

Page 34

Directory Manager ID | Manager | [slapd] RootDN=cn=Directory Manager
Set the Directory Manager password | password | [slapd] RootDNPwd=password
Install sample entries | Yes or

Page 35 - 3.2. Express Setup

runs | nobody
Are you ready to configure your servers? | Yes or no | N/A
[a] This option is only available if you choose to register the Directory Se

Page 36

Chapter 2. System Requirements
Before configuring the default Red Hat Directory Server 9.1 instances, it is important to verify that the host server has

Page 37

IMPORTANT: When the new JDK is installed for Directory Server 9.1, it is no longer possible to manage older instances of Directory Server using the Direc

Page 38 - 3.3. Typical Setup

The Directory Server Console is supported on the following platforms:
Red Hat Enterprise Linux 5 i386 (32-bit)
Red Hat Enterprise Linux 5 x86_64 (64-bit

Page 39 - System Group [nobody]:

Legal Notice
Copyright © 2013 Red Hat, Inc. This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported Licens

Page 40

NOTE: The setup program also runs dsktune, reports the findings, and asks you if you want to continue with the setup procedure every time a Directory Ser

Page 41 - 3.4. Custom Setup

Chapter 3. Setting up Red Hat Directory Server on Red Hat Enterprise Linux
Installing and configuring Red Hat Directory Server on Red Hat Enterprise Lin

Page 42

3.1.1. Installing Using yum
The simplest method to install the packages is using the native tools (yum) on Red Hat Enterprise Linux.
1. A system has t

Page 43

[root@server ~]# subscription-manager list --installed
...
Product Name: Red Hat Directory Server
Product ID: 200
Version:

Page 44

4. Set the product to filter for Red Hat Directory Server.
5. Select the architecture.
6. Download the packages from Red Hat Network, and burn them t

Page 45

[root@server RPMS]# ls *.rpm | egrep -iv -e devel -e debuginfo | xargs rpm -ivh
10. Verify that subscription status for Directory Server, with the val

Page 46 - *.*.* .*

NOTE: Run the setup-ds-admin.pl script as root.
2. Select y to accept the Red Hat licensing terms.
3. The dsktune utility runs. Select y to continue wit

Page 47

IMPORTANT: When resetting the Directory Manager's password from the command line, do not use curly braces ({}) in the password. The root password is

Page 48

3.3. Typical Setup
The typical setup process is the most commonly-used setup process. It offers control over the ports for the Directory and Admin Serve

Page 49 - Directory Server

NOTE: The Directory Server requires the fully-qualified domain name to set up the servers, as described in Section 1.2.1, “Resolving the Fully-qualified

Page 50 - 4.5. Silent Setup


Page 51

8. Set the administrator username. The default is admin.
9. Set the administrator password and confirm it.
10. Set the administration domain. Thi

Page 52

Are you ready to set up your servers? [yes]:
Creating directory server . . .
Your new DS instance 'example2' was successfully created.
Creating

Page 53

WARNING: If Directory Server is already installed on your machine, it is extremely important that you perform a migration, not a fresh installation. Migr

Page 54

System User [nobody]:
System Group [nobody]:
7. The next step allows you to register your Directory Server with an existing Directory Server instance, c

Page 55

14. Set the Directory Manager username. The default is cn=Directory Manager.
15. Set the Directory Manager password and confirm it.
IMPORTANT: When rese

Page 56

Are you ready to set up your servers? [yes]:
Creating directory server . . .
Your new DS instance 'example3' was successfully created.
Creating

Page 57

Chapter 4. Advanced Setup and Configuration
After the default Directory Server and Admin Server have been configured, there are tools available to manag

Page 58

4.1.2. Configuring Proxy Servers for the Admin Server
If there are proxies for the HTTP connections on the client machine running the Directory Server C

Page 59

IMPORTANT: When resetting the Directory Manager's password from the command line, do not use curly braces ({}) in the password. The root password is

Page 60

Table 4.1. register-ds-admin.pl Options
Option | Flag | Description | Example
--debug | -d[dddd] | This parameter turns on debugging information. For the -d flag,

Page 61 - IMPORTAN


Page 62

Directory information, then re-registers each instance with the Configuration Directory. The update and registration process replaces any missing or o

Page 63

directives are described more in Section 4.5.5.1, “.inf File Directives”.
3. Run the setup-ds-admin script with the -s and -f options.
[root@server ~]#

Page 64 - 4 .5.5.2. Sample .inf Files

[root@server ~]# /usr/sbin/setup-ds-admin.pl -s -f /export/ds-inf/setup-single.inf
Running setup-ds-admin.pl installs only a Directory Server instanc

Page 65

NOTE: The section names and parameter names used in the .inf files and on the command line are case sensitive. Refer to Table 4.2, “setup-ds-admin Optio

Page 66

Table 4.2. setup-ds-admin Options
Option | Alternate Options | Description | Example
--silent | -s | This sets that the setup script will run in silent mode, drawi

Page 67

WARNING: The cache file contains the cleartext passwords supplied during setup. Use appropriate caution and protection with this file.
--logfile name | -l | This para

Page 68

dn: cn=replica,cn=dc=example\,dc=com,cn=mapping tree,cn=config
changetype: add
objectclass: top
objectclass: nsds5replica
objectclass: extensibleObject
cn:

Page 69

[General]
directive=value
directive=value
directive=value
...
[slapd]
directive=value
directive=value
directive=value
...
[admin]
directive=value
directiv

Page 70

Table 4.3. [General] Directives
Directive | Description | Required | Example
FullMachineName | Specifies the fully qualified domain name of the machine on which y

Page 71

This should be changed for most deployments.
ConfigDirectoryLdapURL | Specifies the LDAP URL that is used to connect to your configuration directory. LDAP URLs

Page 72 - Server 9.1


Page 73 - 5.3. Upgrading 8.x Servers

Table 4.4. [slapd] Directives
Directive | Description | Required | Example
ServerPort | Specifies the port the server will use for LDAP connections. For informat

Page 74

IMPORTANT: Do not use curly braces ({}) in the password. The root password is stored in the format {password-storage-scheme}hashed_password. Any characters in cu

Page 75

InstallLdifFile | Populates the new directory with the contents of the specified LDIF file. Using suggest fills in common container entries (like ou=People).

Page 76

configuration data are stored in the new instance.
Table 4.5. [admin] Directives
Directive | Description | Required | Example
SysUser | Specifies the user as which

Page 77

4.5.5.2. Sample .inf Files
Example 4.1. .inf File for a Custom Installation
[General]
FullMachineName= ldap.example.com
SuiteSpotUserID=

Page 78 - # tar xfpz

Example 4.2. .inf File for Registering the Instance with a Configuration Directory Server (Typical Setup)
[General]
FullMachineName= dir.example.com

Page 79

3. Open the Downloads tab for the Directory Server channel.
4. Download the appropriate version of the WinSync Installer. This is the Password Sync M

Page 80

6. The Password Sync Setup window appears. Hit Next to begin installing.
7. Fill in the Directory Server hostname, secure port number, user name (suc

Page 81

11. Copy the exported certificate from the Directory Server to the Windows machine.
12. Open a command prompt on the Windows machine, and open the Pa

Page 82

Table 4.6. Installed Password Sync Libraries
Directory | Library | Directory | Library
C:\WINDOWS\system32 | passhook.dll | C:\WINDOWS\system32 | libnspr4.dll
C:\WI

Page 83 - 5.4. Upgrading Password Sync


Page 84

NOTE: The Directory Server instance must be running for the script to bind to the server.
The remove-ds.pl script unregisters the server from the Config

Page 85

security databases (-a). Each Directory Server instance service must be running for the remove script to access it.
remove-ds.pl -a -i example1
remove-d

Page 86

Chapter 5. Migrating from Previous Versions
For Red Hat Directory Server 8.x servers, an upgrade updates all of the Directory Server packages and then u

Page 87 - Listen 0.0.0.0:port

WARNING: The required migration scripts, migrate-ds.pl and migrate-ds-admin.pl, are still available in Red Hat Directory Server 9.1. It is possible to

Page 88

SELinux Considerations
The upgrade process could require you to create files or directories that are outside the usual setup procedures, which could aff

Page 89 - 6.6. Troubleshooting

[root@server ~]# service dirsrv-admin stop
[root@server ~]# service dirsrv stop
4. Back up all the Directory Server user and configuration data. For ex

Page 90

operating system automatically. The Red Hat Directory Server subscriptions are children of the Red Hat Enterprise Linux subscriptions, so if the Red H

Page 91

11. Make sure that the new Directory Server instance is not running.
[root@server1 ~]# service dirsrv-admin stop
[root@server1 ~]# service dirsrv stop
1

Page 92

be removed.
5.3.4. Moving from Solaris to Red Hat Enterprise Linux
The upgrade process is largely similar when migrating from an 8.2 instance on Solaris

Page 93

Directory Server instance. For example, the LDIF file for the userRoot database would be userRoot.upgrade.ldif.
This script can be used to export all d

Page 94

Preface
This installation guide describes the Red Hat Directory Server 9.1 installation process and the migration process. This manual provides detailed

Page 95

NOTE: The cldb location assumes that the changelog is located in the default changelog directory. If the changelog is in a different location, use the ap

Page 96

Remove the entire cn=uniqueid generator,cn=config entry.
d. For each /etc/dirsrv/slapd-* instance, make a corresponding directory, with the same name,

Page 97

ldapmodify -D "cn=directory manager" -w secret -p 389 -x
dn: cn=config
changetype: modify
replace: nsslapd-syntaxcheck
nsslapd-syntaxcheck: on
1

Page 98

service dirsrv-admin start
5.3.6. Upgrading Servers in Replication
The process for upgrading servers in replication is the same as for a single server,

Page 99

NOTE: The Windows machine must be rebooted. Without the rebooting, PasswordHook.dll is not enabled, and password synchronization will not function.
Chapte

Page 100 - Glossary

Chapter 6. General Usage Information
This chapter contains common information that you will use after installing Red Hat Directory Server 9.1, such as w

Page 101

Table 6.2. Red Hat Enterprise Linux 5 and 6 (x86_64)
File or Directory | Location
Log files | /var/log/dirsrv/slapd-instance
Configuration files | /etc/dirs

Page 102

Table 6.3. redhat-idm-console Options
Option | Description
-a adminURL | Specifies a base URL for the instance of Admin Server to log into.
-f fileName | Write

Page 103

6.4.1. Starting and Stopping Directory Server
The most common way to start and stop the Directory Server service is using system tools on Red Hat Enterp

Page 104

/usr/bin/pwdhash newpassword
{SSHA}nbR/ZeVTwZLw6aJH6oE4obbDbL0OaeleUoT21w==
3. In the configuration directory, open the dse.ldif file. For example:
[r

Page 105

1.1. Command and File Examples
All of the examples for Red Hat Directory Server commands, file locations, and other usage are given for Red Hat Enterpri

Page 106

Example 6.1. dsktune Output
Red Hat Directory Server system tuning analysis version 10-AUGUST-2007.
NOTICE : System is i686-unknown-linux2.6.9-34.EL (

Page 107

/etc/dirsrv/slapd-instance_name directory.
Glossary
A
access control instruction: See ACI.
access control list: See ACL.
access rights: In the context of access

Page 108

regardless of the conditions of the bind.
approximate index: Allows for efficient approximate or "sounds-like" searches.
attribute: Holds descript

Page 109

bind DN: Distinguished name used to authenticate to Directory Server when performing an operation.
bind rule: In the context of access control, the bind ru

Page 110

server. Programs written to use CGI are called CGI programs or CGI scripts and can be written in many of the common programming languages. CGI programs

Page 111

alphabet or how to compare letters with accents to letters without accents.
consumer: Server containing replicated directory trees or subtrees from a sup

Page 112

definition entry: See CoS definition entry.
Directory Access Protocol: See DAP.
Directory Manager: The privileged database administrator, comparable to the

Page 113

called realthing.yourdomain.domain where the server currently exists.
E
entry: A group of lines in the LDIF file that contains information about an objec

Page 114

GSS-API: Generic Security Services. The generic access protocol that is the native way for UNIX-based systems to access and authenticate Kerberos servic

Page 115

indirect CoS: An indirect CoS identifies the template entry using the value of one of the target entry's attributes.
international index: Speeds up se
