Red Hat NETSCAPE DIRECTORY SERVER 6.2 - DEPLOYMENT Installationsanleitung

Ella Deon Lackey Red Hat Directory Server 8.0Installation Guidefor installation and upgradeEdition 8.0.5

WARNINGA warning indicates potential data loss, as may happen when tuning hardware for maximumperformance.2. Additional ReadingThe Directory Server Ad

WARNINGIf Directory Server databases have been moved from their default location (/opt/redhat-ds/slapd-instancenam e/db), migration will not copy thes

Table 8.1. migrate-ds-admin OptionsOption Alternate Options DescriptionGeneral.ConfigDirectoryAdminPwd=passwordRequired. This is the passwordfor the c

the Directory Server is beingmigrated from one machine toanother with a differentarchitecture. For cross-platformmigrations, only certain data aremigr

parameters are only taken from the old instance. It is not possible to change the configuration settings,such as the hostname or port, using the migra

The migration script has different options available to facilitate migration; the different usage scenariosare explained in the following sections.Sec

1. Stop all old Directory Server instances and the Administration Server.2. Back up all the Directory Server user and configuration data.3. On the

WARNINGIf Directory Server databases have been moved from their default location (/opt/redhat-ds/slapd-instancenam e/db), migration will not copy thes

8.4.3. Migrating a Directory Server from One Machine to AnotherTo migrate a Directory Server installation from one machine to a new Directory Server i

The m igrate-ds-adm in command automatically migrates every Directory Server instance configured.As with migrating Directory Server on the same machin

# /usr/sbin/migrate-ds-admin.pl --cross --oldsroot server2:/migration/opt/redhat-ds --actualsroot /opt/redhat-ds General.ConfigDirectoryAdminPwd

4. Document HistoryRevision 8.0.5 January 11, 2010 Ella Deon Lackey Adding [slapd] directives per Bugzilla #500475.Revision 8.0.4 September 9, 2009 E

access control listSee ACL.access right sIn the context of access control, specify the level of access granted or denied. Access rightsare related to

also follows a standard syntax for the type of information that can be stored as the attributevalue.attribute listA list of required and optional attr

branch entryAn entry that represents the top of a subtree in the directory.browserSoftware, such as Mozilla Firefox, used to request and view World Wi

changelogA changelog is a record that describes the modifications that have occurred on a replica. T hesupplier server then replays these modification

called a consumer for that replica.CoSA method for sharing attributes between entries in a way that is invisible to applications.CoS definition entryI

Directory ManagerThe privileged database administrator, comparable to the root user in UNIX. Access controldoes not apply to the Directory Manager.dir

ent ry distributionMethod of distributing directory entries across more than one server in order to scale tosupport large numbers of entries.ent ry ID

hostnameA name for a machine in the form machine.domain.dom, which is translated into an IP address.For example, www.exam ple.com is the machine www

Int ernational Standards OrganizationSee ISO.IP addressAlso Internet Protocol address. A set of numbers, separated by dots, that specifies the actuall

LDIFLDAP Data Interchange Format. Format used to represent Directory Server entries in text form.leaf entryAn entry under which there are no other ent

Chapter 1. Preparing for a Directory Server InstallationBefore you install Red Hat Directory Server 8.0, there are required settings and information t

MD5A message digest algorithm by RSA Data Security, Inc., which can be used to produce a shortdigest of data that is unique with high probability and

Allows the creation of roles that contain other roles.net work management applicat ionNetwork Management Station component that graphically displays

requested.Pparent accessWhen granted, indicates that users have access to entries below their own in the directory treeif the bind DN is the parent of

protocol data unitSee PDU.proxy authenticat ionA special form of authentication where the user requesting access to the directory does notbind with it

A replica that contains a master copy of directory information and can be updated. A server canhold any number of read-write replicas.referential inte

role-based att ributesAttributes that appear on an entry because it possesses a particular role within an associatedCoS template.rootThe most privileg

Server SelectorInterface that allows you select and configure servers using a browser.server serviceA process on Windows that, once running, listens f

SNMP subagentSoftware that gathers information about the managed device and passes the information to themaster agent. Also called a subagent.SSLA sof

symmetric encryptionEncryption that uses the same key for both encrypting and decrypting. DES is an example of asymmetric encryption algorithm.system

A unique number associated with each user on a Unix system.URLUniform Resource Locater. The addressing system used by the server and the client to req

NOTEWhile the legal range of port numbers is 1 to 65535, the Internet Assigned Numbers Authority(IANA) has already assigned ports 1 to 1024 to common

Configuration direct ory, Configuration Direct oryCustom setup- HP-UX 11i, Custom Setup- Red Hat Enterprise Linux, Custom Setup- Solaris, Custom Setup

- starting and stopping, Starting and Stopping Directory Server- starting the Console, Starting the Directory Server Console- uninstalling Directory S

HP-UX 11i, Sett ing up Red Hat Direct ory Server on HP-UX 11i- custom setup, Custom Setup- express setup, Express Setup- installing Directory Server p

JRE- HP-UX 11i, Installing the JRE- Red Hat Enterprise Linux, Installing the JRE- Solaris, Installing the JREMMigrat ing, Migrating from Previous Vers

- HP-UX, HP-UX Patches- Red Hat Enterprise Linux, Red Hat Enterprise Linux Patches- Solaris, Solaris PatchesPerl- HP-UX, Perl Prerequisites- Red Hat E

Re-registering Directory Server Instances- registering Directory Server with Configuration Directory Server, Registering anExisting Directory Server I

- required patches, Solaris Patches- system configuration, Solaris System Configuration- DNS and NIS, DNS and NIS Requirements- File descriptors, File

UUninst alling Directory Server- HP-UX, HP-UX- Red Hat Enterprise Linux, Linux- Solaris, SolarisRed Hat Directory Server 8.0 Installation Guide134

Listening to Restricted Ports as Unprivileged UsersEven though port numbers less than 1024 are restricted, the LDAP server can listen to port 389 (and

IMPORTANTThe default Administration Server user is the same as the Directory Server user, which is nobody. If the Administration Server is given a dif

has complete access to all installed Directory Servers, regardless of the domain.Servers on two different domains can use different user directories f

to set up many Directory Servers. Many of the parameters can be the same, such as ConfigDirectoryLdapURL, ones specific to the host, such as FullMachi

Table 1.1. set up-ds- admin Opt ionsOption Alternate Options Description Example--silent -s This sets that thesetup script will run insilent mode, dra

--logfile name -l This parameterspecifies a log file towhich to write theoutput. If this is not set,then the setupinformation is written toa temporary

Red Hat Directory Server 8.0 Installation Guidefor installation and upgradeEdition 8.0.5Ella Deo n Lackey

NOTEIt is possible to use y and n with the yes and no inputs described in Section 6.3.5, “About .inf FileParameters”.Chapter 1. Preparing for a D irec

Table 1.2. Comparison of Setup TypesSetupScreenParameterInputExpress Typical Custom Silent SetupFileParameterContinue withsetupYes or no N/AAccept lic

o=NetscapeRootGive theConfigurationDirectoryServer user ID[a]admin[General]ConfigDirectoryAdminID=adminGive theConfigurationDirectoryServer userpasswo

=comSet theDirectoryManager IDcn=DirectoryManager[slapd]RootDN=cn=DirectoryManagerSet theDirectoryManagerpasswordpassword[slapd]RootDNPwd=passwordInst

which theAdministrationServer runsRed HatEnterpriseLinux andSolaris) ordaemon (onHP-UX)[admin]SysUser=nobodyAre you readyto configureyour servers?Yes

Chapter 2. System RequirementsBefore configuring the default Red Hat Directory Server 8.0 instances, it is important to verify that thehost server has

Directory Server is supported on these operating systems: Red Hat Enterprise Linux 4 and 5 (x86 andx86_64), HP-UX 11i (IA 64), and Sun Solaris 9 (spar

NOTEdsktune is run every time the Directory Server configuration script, setup-ds-adm in, is run.2.2.2. Red Hat Enterprise Linux 4 and 5Directory Serv

2.2.2.1. Red Hat Ent erprise Linux Pat chesThe default kernel and glibc versions for Red Hat Enterprise Linux 4 and 5 are the only requiredversions fo

3. Then increase the maximum number of open files on the system by editing the /etc/security/lim its.conf configuration file. Add the following entry

Legal Not iceCopyright © 2008 Red Hat, Inc..This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 UnportedLicens

Table 2.4 . HP-UX 11iCriteria RequirementsOperating System HP-UX 11i with the latest patches and upgradesCPU Type HP 9000 architecture with an Itanium

2.2.3.2. HP-UX System Configurat ionBefore setting up Directory Server, tune your HP-UX system so Directory Server can access therespective kernel par

3. Remount the filesystem./usr/sbin/mount -F vxfs -o largefiles /dev/vg01/export2.2.3.2.5. DNS RequirementsIt is very important that DNS and reverse

Table 2.7. Sun Solaris sparcv9Criteria RequirementsOperating System Solaris 9 with the latest patches and upgradesCPU Type UltraSparc-IIi SPARC v9 300

Table 2.8. Sun Solaris Pat chesPatch ID Description112998-03 SunOS 5.9: patch /usr/sbin/syslogd112875-01 SunOS 5.9: patch /usr/lib/netsvc/rwall/rpc.rw

used. T his package contains a 64-bit version of Perl 5.8. It is not possible to use the Perl versioninstalled in /usr/bin/perl on Solaris because it

2.2.4 .2.4 . File Descript orsFor a large deployment or to support a large number of concurrent connections, increase the number offile descriptors av

Chapter 3. Setting up Red Hat Directory Server on Red HatEnterprise LinuxInstalling and configuring Red Hat Directory Server on Red Hat Enterprise Lin

3.1. Installing the JRENecessary Java JRE libraries are not bundled with Directory Server. T hey must be downloaded andextracted separately before ins

Alternatively, download the latest packages from the Red Hat Directory Server 8.0channel on Red Hat Network, http://rhn.redhat.com.It is also possible

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

WARNINGIf Directory Server is already installed on your machine, it is extremely important that you performa migration, not a fresh installation. Migr

NOTETo register the Directory Server instance with an existing Configuration Directory Server,select yes. T his continues with the registration proces

1. Get the Administration Server port number from the Listen parameter in the console.confconfiguration file.grep \^Listen /etc/dirsrv/admin-serv/con

Computer name [ldap.exam ple.com]:NOTEThe setup program gets the host information from the /etc/resolv.conf file. If thereare aliases in the /etc/host

10. Set the administration domain. T his defaults to the host's domain. For example:Administration Domain [example.com]:11. Enter the Director

/usr/bin/redhat-idm-console -a http://localhost:9830NOTEIf you do not pass the Administration Server port number with the redhat-idm -consolecommand,

NOTEThe setup program gets the host information from the /etc/resolv.conf file. If thereare aliases in the /etc/hosts file, such as ldap.exam ple.com

Administration Domain [redhat.com]:11. Enter the Directory Server port number. T he default is 389, but if that port is in use, the setupprogram supp

Are you ready to set up your servers? [yes]:Creating directory server . . .Your new DS instance 'example3' was successfully created.Creating

Chapter 4. Setting up Red Hat Directory Server on HP-UX 11iInstalling and configuring Red Hat Directory Server on HP-UX has three major steps:1. Inst

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

NOTEDirectory Server 8.0 requires JRE version 1.5.0.Download the JRE from http://www.hp.com/products1/unix/java/, and install it according to the HP J

NOTEThe setup program gets the host information from the /etc/resolv.conf file. If there arealiases in the /etc/hosts file, such as ldap.example.com ,

NOTETo register the Directory Server instance with an existing Configuration Directory Server,select yes. T his continues with the registration proces

1. Get the Administration Server port number from the Listen parameter in the console.confconfiguration file.grep \^Listen /etc/dirsrv/admin-serv/con

Computer name [ldap.exam ple.com]:NOTEThe setup program gets the host information from the /etc/resolv.conf file. If thereare aliases in the /etc/host

10. Set the administration domain. T his defaults to the host's domain. For example:Administration Domain [example.com]:11. Enter the Director

/opt/dirsrv/bin/redhat-idm -console -a http://localhost:9830NOTEIf you do not pass the Administration Server port number with the redhat-idm -consolec

NOTEThe setup program gets the host information from the /etc/resolv.conf file. If thereare aliases in the /etc/hosts file, such as ldap.exam ple.com

Administration Domain [redhat.com]:11. Enter the Directory Server port number. T he default is 389, but if that port is in use, the setupprogram supp

Are you ready to set up your servers? [yes]:Creating directory server . . .Your new DS instance 'example3' was successfully created.Creating

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Chapter 5. Setting up Red Hat Directory Server on Sun SolarisInstalling and configuring Red Hat Directory Server on Sun Solaris has three major steps:

IMPORTANTSolaris requires installing the 32-bit version of the JRE as well as installing the 64-bit version.The 32-bit version is used for the applet

2. Download the Directory Server packages from Red Hat Network. This can be done through a webbrowser by logging into Red Hat Network and selecting t

for i in `ls *.pkg`; do yes all | pkgtrans $i /directory/ ; done4. Add the package:yes yes | pkgadd -d /directory/ allIf another application such as

1. After the Directory Server packages are installed as described in Section 5.2, “Installing theDirectory Server Packages”, then launch the setup-ds

10. T he last screen asks if you are ready to set up your servers. Select yes.Are you ready to set up your servers? [yes]:Creating directory server .

WARNINGIf Directory Server is already installed on your machine, it is extremely important that you performa migration, not a fresh installation. Migr

not possible to register it with another directory. Select n to set up this Directory Server as aConfiguration Directory Server and move to the next t

17. The last screen asks if you are ready to set up your servers. Select yes.Are you ready to set up your servers? [yes]:Creating directory server .

WARNINGIf Directory Server is already installed on your machine, it is extremely important that you performa migration, not a fresh installation. Migr

Red Hat Directory Server 8.0 Installation Guide4

NOTETo register the Directory Server instance with an existing Configuration Directory Server,select yes. T his continues with the registration proces

silent setup instead, and use the SchemaFile directive in the .inf to specify additional schemafiles. See Section 6.3.5.1, “.inf File Directives” for

NOTEIf you do not pass the Administration Server port number with the redhat-idm -consolecommand, then you are prompted for it at the Console login sc

Chapter 6. Advanced Setup and ConfigurationAfter the default Directory Server and Administration Server have been configured, there are toolsavailable

If there are proxies for the HT T P connections on the client machine running the Directory ServerConsole, the configuration must be changed in one of

adm in.pl except that the questions about the Configuration Directory Server and AdministrationServer are omitted. Using this command to create a Dire

[General] FullMachineName= dir.example.com SuiteSpotUserID= nobody SuiteSpotGroup= nobody AdminDomain= example.com ConfigDirectoryAdminID= admin Confi

NOTEWhen creating a single instance of Directory Server, the Directory Server packages must alreadybe installed, and the Administration Server must al

For example, to set the machine name, suffix, and Directory Server port of the new instance, thecommand is as follows:/usr/sbin/setup-ds-admin.pl Gene

Table 6.1. set up-ds- admin Opt ionsOption Alternate Options Description Example--silent -s This sets that thesetup script will run insilent mode, dra

PrefaceThis installation guide describes the Red Hat Directory Server 8.0 installation process and the migrationprocess. T his manual provides detaile

specifies a log file towhich to write theoutput. If this is not set,then the setupinformation is written toa temporary file./export/example2007.logFor

adm in.pl command.NOTEProviding configuration parameters with the setup-ds-adm in.pl command is described inSection 1.3, “About the setup-ds-admin.pl

Table 6.2. [General] DirectivesDirective Description Required ExampleFullMachineName Specifies the fullyqualified domain nameof the machine onwhich yo

configuration directory.This is usually admin.ConfigDirectoryAdminPwdSpecifies the passwordfor the admin user.YesRed Hat Directory Server 8.0 Installa

Table 6.3. [slapd] DirectivesDirective Description Required ExampleServerPort Specifies the port theserver will use for LDAPconnections. Forinformatio

directive has no effect.The default is no.AddSampleEntries Sets whether to load anLDIF file with entries forthe user directoryduring configuration.The

used, then the defaultis 0, meaning theconfiguration data arestored in the newinstance.Chapter 6. Advanced Setup and Configuration 83

Table 6.4 . [admin] DirectivesDirective Description Required ExampleSysUser Specifies the user aswhich theAdministration Serverwill run. T he default

Example 6.1. .inf File for a Custom Installation[General]FullMachineName= ldap.example.comSuiteSpotUserID= nobodySuiteSpotGroup=

Example 6.2. .inf File for Registering the Instance with a Configuration Directory Server(Typical Setup)[General] FullMachineName= dir.example.com Sui

Example 1. Example CommandTo start the Red Hat Directory Server:service dirsv startAll of the tools for Red Hat Directory Server are located in the /u

/usr/sbin/ds_removal -s example1 -w itsasecret/usr/sbin/ds_removal -s example2 -w itsasecret/usr/sbin/ds_removal -s example3 -w itsasecret2. Stop the

2. Stop the Administration Server./etc/init.d/dirsrv-admin stop3. Then use the system tools to remove the packages. For example:#!/bin/bash for i i

Chapter 7. General Usage InformationThis chapter contains common information that you will use after installing Red Hat Directory Server 8.0,such as w

Table 7.2. Red Hat Enterprise Linux 4 and 5 (x86_64 )File or Direct ory Locat ionLog files /var/log/dirsrv/slapd-instanceConfiguration files /etc/dir

Table 7.4 . HP-UX 11i (IA64 )File or Direct ory Locat ionLog files /var/opt/log/dirsrv/slapd-instanceConfiguration files /etc/opt/dirsrv/slapd-instanc

subsequent logins, the URL is saved. If you do not pass the Administration Server port number with the redhat-idm -console command, then you are promp

service dirsrv-adm in {start|stop|restart}On Solaris, the service is init.d:/etc/init.d/dirsrv-admin {start|stop|restart}7.6. Resetting the Directory

After the setup, the dsktune utility can determine the Directory Server patch levels and kernelparameter settings. T o launch dsktune, Directory Serve

7.7.2.2. Problem: The port is in useWhen setting up a Directory Server instance, you receive an error that the port is in use. This is verycommon whe

Chapter 8. Migrating from Previous VersionsRed Hat Directory Server 6.x and 7.x instances can be migrated to Directory Server 8.0. Migration carriesov