http://www.sun.com/bigadmin/features/articles/nis_ldap_part1.jsp
Apr 04, 2010
This article provides instructions for deploying Sun Java System Directory Server 6.0
(hereafter referred to as "Directory Server"), which is part of Sun Java System Directory
Server 6.0 Enterprise Edition, as a naming service for UNIX clients that run AIX 5.3, Red
Hat Linux Release 4 Update 4, or the Solaris 8, 9, or 10 Operating System.
Article Contents
Note: When you run the commands shown in the procedures of this article, replace COMPANY
with a value that is appropriate for your environment.
Part 1 covers the following topics, which provide information related to installing and
configuring Directory Server as a naming service for native LDAP clients:
1 of 26 04/04/2010 11:02 PM
BigAdmin Feature Article: Sun Java System Direct... http://www.sun.com/bigadmin/jsp/utils/PrintCusto...
When LDAP is used as a naming service for UNIX clients, one unique UID number is
established for each user and one unique GID number for each group. This means that if
there is no consistent naming and numbering of users and groups prior to migration, the
following activities have to occur as part of the migration.
1. A consolidation effort will have to take place to select a unique UID number for each
user and a unique GID number for each group. This is a manual process of gathering all the
/etc/passwd and /etc/group files from each client; the data is then analyzed in a
spreadsheet. If there are many disparate UID and GID numbers for users and groups with
the same name, a typical strategy is to select the UID and GID numbers that are already
in use for the most users and groups. For example, consider consolidating the dba group on
two servers:

dba:x:1115:duncan,marion    (server1 /etc/group)
dba:x:2000:kevin,jim        (server2 /etc/group)

When the files are merged, the entry for group dba may be:

dba:x:2000:duncan,marion,kevin,jim
2. Since new UID and GID numbers are assigned, there may be UNIX clients that have
different UID and GID numbers for users and groups, and thus the UID and GID numbers
have to change when those clients are migrated. There may also be instances where
home-grown applications have GID and UID numbers hard-coded. Changing the UID and
GID numbers of UNIX workstations and servers means that chown and chgrp commands
have to be run across the file system. Depending on the number of files this can be a
time-consuming process. It also requires downtime, since users should not be accessing
files while the UID and GID numbers are changing. Thus it is highly recommended that the
chown and chgrp commands be run when the server is in single-user mode (execute boot -s or
init 0).
3. A server may have files with UID or GID numbers that no longer exist in /etc/passwd and
/etc/group. Such files can be found with this command:
find / '(' -nouser -o -nogroup ')' -ls
This produces a list of files that should be examined manually to determine which new or
existing users and/or groups they should be reassigned to.
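The consolidation in step 1 and the renumbering it forces in step 2 can be worked out mechanically once the /etc/group files have been gathered. The following added example (not from the original article) merges per-host group files, keeps the GID that already has the most members for each group name, unions the member lists, and reports which hosts must renumber; the sample files and helper names are constructed for the example.

```python
"""Merge /etc/group files gathered from several hosts, choosing one GID per
group name by the "most members" rule described above, and report the hosts
whose files will need chgrp after migration.
Added example with constructed sample input, not taken from any real system.
"""
from collections import defaultdict

# Constructed sample input: host name -> contents of that host's /etc/group.
SAMPLE_GROUP_FILES = {
    "server1": "dba:x:1115:duncan,marion\nwww:x:80:\n",
    "server2": "dba:x:2000:kevin,jim\nwww:x:80:httpd\n",
}


def parse_group_file(text):
    """Return a list of (name, gid, members) from /etc/group text."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        entries.append((name, int(gid), [m for m in members.split(",") if m]))
    return entries


def consolidate_groups(group_files):
    """Merge per-host group files.

    Returns (merged, remap): merged maps group name -> (gid, sorted members);
    remap lists (host, group, old_gid, new_gid) for every host whose GID
    differs from the chosen one and therefore needs chgrp across its files.
    """
    members_by_gid = defaultdict(lambda: defaultdict(set))  # group -> gid -> members
    gid_by_host = defaultdict(dict)                         # group -> host -> gid
    for host, text in group_files.items():
        for name, gid, members in parse_group_file(text):
            members_by_gid[name][gid].update(members)
            gid_by_host[name][host] = gid

    merged, remap = {}, []
    for name, by_gid in members_by_gid.items():
        # GID with the most members wins; ties go to the larger GID so the
        # result is deterministic (matches the dba example above: 2000).
        chosen = max(by_gid, key=lambda g: (len(by_gid[g]), g))
        all_members = set().union(*by_gid.values())
        merged[name] = (chosen, sorted(all_members))
        for host, old_gid in sorted(gid_by_host[name].items()):
            if old_gid != chosen:
                remap.append((host, name, old_gid, chosen))
    return merged, sorted(remap)


def format_group_file(merged):
    """Render the merged groups back into /etc/group syntax."""
    return "".join(
        f"{name}:x:{gid}:{','.join(members)}\n"
        for name, (gid, members) in sorted(merged.items())
    )


if __name__ == "__main__":
    merged, remap = consolidate_groups(SAMPLE_GROUP_FILES)
    print(format_group_file(merged), end="")
    for host, name, old, new in remap:
        print(f"{host}: group {name} must be renumbered {old} -> {new} (chgrp)")
```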
The migration of UNIX servers and workstations to an LDAP naming service must make
business allowances for the downtime of servers and impact to users and applications of a
new UID or GID number.
Directory Server is installed on two servers in each data center (hereafter called
"directory servers"), as shown in Figure 1. Two directory servers in each data center
are replicated between one another and two directory servers between each data
Historically, UNIX and Linux systems were typically configured for the NIS naming service
or individually managed using local files in the /etc directory. Directory Server can be used
as a naming service for native LDAP clients. This means Directory Server serves as a
repository for:
Users who log in to AIX, Linux, and Solaris servers and workstations
Groups of users
Password policies governing user passwords
Netgroups restricting user access to specified servers and workstations
Policies governing inactive users
The Directory Server LDAP naming service architecture provides the following
advantages:
Environment Requirements
It is assumed that the following conditions apply to your environment currently or they will
apply after you use the procedures in this document:
Directory Server version 6.0 is installed on the four directory servers, which run the
Solaris 10 OS with all the required patches.
SSL will be used for all communication between the directory servers and between the
directory servers and the AIX, Linux, and Solaris OS clients.
There is no existing NIS/NIS+ environment.
You will consolidate user data from the local /etc/passwd and /etc/group files on all native
LDAP clients, and you will enforce uidNumber uniqueness.
The pam_ldap Solaris pluggable authentication module (PAM) is used exclusively for
directory users and account management.
Netgroups will be used to control user access to any server managed by the Directory
Server naming service.
1. Install and configure Directory Server to support LDAP naming services for the clients.
2. Configure UNIX servers that run the Solaris 8, 9, or 10 OS, Red Hat Linux Release 4
Update 4 or AIX 5.3 to use the directory servers.
3. Load user data into the Directory Server software.
Sun Java System Directory Server Enterprise Edition 6.0 documentation collection
Sun Java System Directory Server Enterprise Edition 6.0 Installation Guide
Useful blog entry about installing Sun Java System Directory Server Enterprise Edition
6.0
Note: It is highly recommended that the Directory Server software be installed in the
sequence shown in this section.
Note: Ensure that you download and install the Native Package (PKG) version of Directory
Server.
# /usr/sbin/cacaoadm start
7. Register the Directory Server instance in the Directory Service Control Center (DSCC):
# pwd
/opt/SUNWdsee/ds6/bin
# cd ../../dscc6/bin
# ./dsccreg add-server /var/opt/SUNWdsee/dsins1
Enter DSCC administrator's password:
/var/opt/SUNWdsee/dsins1 is an instance of DS
Enter password of "cn=Directory Manager" for
/var/opt/SUNWdsee/dsins1:
This operation will restart /var/opt/SUNWdsee/dsins1.
Do you want to continue? (y/n) y
Connecting to /var/opt/SUNWdsee/dsins1
Enabling DSCC access to /var/opt/SUNWdsee/dsins1
Restarting /var/opt/SUNWdsee/dsins1
Registering /var/opt/SUNWdsee/dsins1 in DSCC on localhost.
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
^CConnection to localhost closed by foreign host.
9. (Optional) Configure the Sun Java Web Console to start automatically using the
following command:
# smcwebserver enable
10. (Optional) Set the Common Agent Container (cacao) to start automatically using the
following command:
# cacaoadm enable
1. Request CA certificates.
The exact information required depends on your Certificate Authority (CA). The following
example is for an arbitrary city in California, USA.
The request above is in ASCII format (-F ascii), and the output file reads as follows:
# more /tmp/CertReq
The server certificate you receive from your CA is in PEM format. Copy the text from
-----BEGIN CERTIFICATE----- through -----END CERTIFICATE-----, paste it into a text editor, and
save it as a file on your workstation.
Note: In addition to requesting a server certificate, you must request the CA signing
certificates from your CA, so that other Directory Servers and clients trust the CA-signed
server certificate. These should be the root and any intermediate CA signing certificates.
Upload these to the Directory Server as /tmp/CACert.
Using dsadm:
# /opt/SUNWdsee/ds6/bin/dsadm add-cert /var/opt/sun/dsins1 ServerCert /tmp/CerFile
b. Set the newly added server certificate as the default Directory Server certificate:
# /opt/SUNWdsee/ds6/bin/dsconf set-server-prop -e -p 389 ssl-rsa-cert-name:ServerCert
Using dsadm:
# /opt/SUNWdsee/ds6/bin/dsadm add-cert -C /var/opt/sun/dsins1 CACert /tmp/cacert.pem
Using dsadm:
# /opt/SUNWdsee/ds6/bin/dsadm list-certs /var/opt/SUNWdsee/dsins1
<output clipped>
defaultCert CTu,u,u
ServerCert u,u,u
Root CA CT,,
The purpose of the idsconfig script is to configure Directory Server for use by native LDAP
clients. The script adds schema, objects, and indexes required for native LDAP clients to
authenticate and obtain UNIX information from Directory Server. The script is located in
/usr/lib/ldap/idsconfig.
Use the following procedure if Directory Server is installed on a server running the Solaris
10 11/06 OS or an earlier version of the Solaris OS.
1. The script checks whether Directory Server is version 5 and exits if any other version is
found. Therefore, you need to comment out the second exit 1 statement (the line that
appears as # exit 1 in the following example):
chk_ids_version()
{
    # The ${...} variable expansions below were lost in extraction and are
    # restored from the stock idsconfig script.
    [ $DEBUG -eq 1 ] && ${ECHO} "In chk_ids_version()"

    # check iDS version number.
    eval "${LDAPSEARCH} ${LDAP_ARGS} -b cn=monitor -s base \"objectclass=*\" version | ${GREP} \"^version=\" | cut -f2 -d'/' | cut -f1 -d' ' > ${TMPDIR}/checkDSver 2>&1"
    if [ $? -ne 0 ]; then
        ${ECHO} "ERROR: Can not determine the version number of iDS!"
        exit 1
    fi
    IDS_VER=`cat ${TMPDIR}/checkDSver`
    IDS_MAJVER=`${ECHO} ${IDS_VER} | cut -f1 -d.`
    IDS_MINVER=`${ECHO} ${IDS_VER} | cut -f2 -d.`
    if [ "${IDS_MAJVER}" != "5" ]; then
        ${ECHO} "ERROR: $PROG only works with iDS version 5.x, not ${IDS_VER}."
        # exit 1
    fi
    if [ $DEBUG -eq 1 ]; then
        ${ECHO} "  IDS_MAJVER = $IDS_MAJVER"
        ${ECHO} "  IDS_MINVER = $IDS_MINVER"
    fi
}
2. The end of the script instructs you to manually run directoryserver commands for virtual
list view (VLV) indexes, but /usr/sbin/directoryserver does not apply to Directory Server 6.0.
Here are the equivalent commands for Directory Server 6.0. Replace company and the
instance of your Directory Server, as needed.
.../dsadm reindex -l -t company.com.getgrent /var/opt/SUNWdsee/dsins2 dc=company,dc=com
.../dsadm reindex -l -t company.com.gethostent /var/opt/SUNWdsee/dsins2 dc=company,dc=com
.../dsadm reindex -l -t company.com.getnetent /var/opt/SUNWdsee/dsins2 dc=company,dc=com
.../dsadm reindex -l -t company.com.getrpcent /var/opt/SUNWdsee/dsins2 dc=company,dc=com
.../dsadm reindex -l -t company.com.getspent /var/opt/SUNWdsee/dsins2 dc=company,dc=com
.../dsadm reindex -l -t company.com.getauhoent /var/opt/SUNWdsee/dsins2 dc=company,dc=com
.../dsadm reindex -l -t company.com.getsoluent /var/opt/SUNWdsee/dsins2 dc=company,dc=com
.../dsadm reindex -l -t company.com.getauduent /var/opt/SUNWdsee/dsins2 dc=company,dc=com
.../dsadm reindex -l -t company.com.getauthent /var/opt/SUNWdsee/dsins2 dc=company,dc=com
.../dsadm reindex -l -t company.com.getexecent /var/opt/SUNWdsee/dsins2 dc=company,dc=com
.../dsadm reindex -l -t company.com.getprofent /var/opt/SUNWdsee/dsins2 dc=company,dc=com
.../dsadm reindex -l -t company.com.getmailent /var/opt/SUNWdsee/dsins2 dc=company,dc=com
.../dsadm reindex -l -t company.com.getbootent /var/opt/SUNWdsee/dsins2 dc=company,dc=com
.../dsadm reindex -l -t company.com.getethent /var/opt/SUNWdsee/dsins2 dc=company,dc=com
.../dsadm reindex -l -t company.com.getngrpent /var/opt/SUNWdsee/dsins2 dc=company,dc=com
.../dsadm reindex -l -t company.com.getipnent /var/opt/SUNWdsee/dsins2 dc=company,dc=com
.../dsadm reindex -l -t company.com.getmaskent /var/opt/SUNWdsee/dsins2 dc=company,dc=com
.../dsadm reindex -l -t company.com.getprent /var/opt/SUNWdsee/dsins2 dc=company,dc=com
.../dsadm reindex -l -t company.com.getip4ent /var/opt/SUNWdsee/dsins2 dc=company,dc=com
.../dsadm reindex -l -t company.com.getip6ent /var/opt/SUNWdsee/dsins2 dc=company,dc=com
# pwd
/usr/lib/ldap
# ./idsconfig
proceed as follows to set up replication over SSL on each of the two pairs of directory
servers (referred to below as "directory server #1" and "directory server #2").
Note: See the "To Export and Import a CA-Signed Server Certificate" section of the
administration guide for more information.
Note: In the following example, dsins1 is acting as directory server #1, and dsins2 is acting
as directory server #2.
# /opt/SUNWdsee/ds6/bin/dsadm add-cert /var/opt/SUNWdsee/dsins1 "COMPANYCert" certfile2
# /opt/SUNWdsee/ds6/bin/dsadm add-cert --ca /var/opt/SUNWdsee/dsins2/ "ds2 Repl Manager Cert" certfile1
# /opt/SUNWdsee/ds6/bin/dsadm import-cert /var/opt/SUNWdsee/dsins1 certfile2
Enter the PKCS#12 file password:
A certificate with the same subject (CN=VI CATest2,O=COMPANY,C=US)
already exists in the database.
Do you want to continue [y/n]? y
A certificate with the same subject (CN=TEST COMPANY, O=COMPANY,C=US)
already exists in the database.
Do you want to continue [y/n]? y
Note: Secure LDAP ports are used for the replication agreements.
8. (Optional) Initialize the suffix on directory server #1 with data from directory server #2 by
running the following command on directory server #1:
# /opt/SUNWdsee/ds6/bin/dsconf init-repl-dest -e -h server1.COMPANY.com -p 389 dc=COMPANY,dc=com server2.COMPANY.com.server:636
Started initialization of "server1.COMPANY.com:389"; May 7, 2007 11:08:28 PM
Sent 109 entries...
Sent 349 entries...
Sent 549 entries...
Sent 550 entries.
Completed initialization of "server1.COMPANY.com:389"; May 7, 2007 11:08:35 PM
Since the directory servers are in a multi-master replication, if one directory server fails, its
data can be replicated easily from one of the other directory servers. Since there is not a
large amount of data, this is the preferred method for restoring data.
See the "Initializing Replicas" section of the administration guide for more information.
To add netgroups using the console, access the console and then perform the following
steps.
dn: cn=mynisnetgroup,ou=netgroup,dc=COMPANY,dc=com
changetype: add
nisNetgroupTriple: (,user345789,)
description: SunServer
objectClass: nisNetgroup
objectClass: top
memberNisNetgroup: server3
# ldapmodify -h server2.COMPANY.com -D "cn=Directory Manager" -f netgroup.ldif
Enter bind password:
adding new entry cn=mynisnetgroup,ou=netgroup,dc=COMPANY,dc=com
version: 1
dn: cn=mynisnetgroup,ou=netgroup,dc=COMPANY,dc=com
nisNetgroupTriple: (,user345789,)
description: SunServer
objectClass: nisNetgroup
objectClass: top
memberNisNetgroup: server3
cn: mynisnetgroup
To modify netgroups using the console, access the console and then perform the following
steps.
2. Execute ldapmodify:
# ldapmodify -h server2.COMPANY.com -D "cn=Directory Manager" -f netgroup.ldif
Enter bind password:
modifying entry cn=mynisnetgroup,ou=netgroup,dc=COMPANY,dc=com
Enter bind password:
version: 1
dn: cn=mynisnetgroup,ou=netgroup,dc=COMPANY,dc=com
nisNetgroupTriple: (,user345,)
description: ss7ed06Server
objectClass: nisNetgroup
objectClass: top
memberNisNetgroup: ss72ed06
cn: mynisnetgroup
To delete netgroups using the console, access the console and then perform the following
steps.
1. Search for the netgroup, as described in Modifying Netgroups Using the Console.
2. Execute ldapmodify:
# ldapmodify -h server2.COMPANY.com -D "cn=Directory Manager" -f netgroup.ldif
Enter bind password:
deleting entry cn=mynisnetgroup,ou=netgroup,dc=COMPANY,dc=com
# ldapsearch -v -b "ou=netgroup,dc=COMPANY,dc=com" -D "cn=Directory Manager" -w password "cn=mynisnetgroup"
ldapsearch: started Tue May 8 21:58:10 2007
ldap_init( localhost, 389 )
filter pattern: cn=mynisnetgroup
returning: ALL
filter is: (cn=mynisnetgroup)
0 matches
To add groups using the console, access the console and then perform the following
steps.
2. Enter the DN, and ensure you select ou=group, not ou=Groups.
4. Fill in the attributes, as shown in Figure 14, and refer to Figure 15, as needed.
2. Execute ldapmodify:
# ldapmodify -h server2.COMPANY.com -D "cn=Directory Manager" -f group.ldif
Enter bind password:
adding new entry cn=solarisgroup,ou=group,dc=COMPANY,dc=com
ldapsearch: started Tue May 8 22:49:33 2007
ldap_init( localhost, 389 )
filter pattern: cn=solarisgroup
returning: ALL
filter is: (cn=solarisgroup)
version: 1
dn: cn=solarisgroup,ou=group,dc=COMPANY,dc=com
objectClass: posixGroup
objectClass: top
memberUid: sunuser300
gidNumber: 4001
cn: solarisgroup
1 matches
To modify groups using the console, access the console and then perform the following
steps.
# more group.ldif
dn: cn=solarisgroup,ou=group,dc=COMPANY,dc=com
changetype: modify
memberuid: sunuser300, sunuser999
2. Execute ldapmodify:
# ldapmodify -h server2.COMPANY.com -D "cn=Directory Manager" -f group.ldif
Enter bind password:
modifying entry cn=solarisgroup,ou=group,dc=COMPANY,dc=com
ldap_init( localhost, 389 )
filter pattern: cn=solarisgroup
returning: ALL
filter is: (cn=solarisgroup)
version: 1
dn: cn=solarisgroup,ou=group,dc=COMPANY,dc=com
objectClass: posixGroup
objectClass: top
memberUid: sunuser300
memberUid: sunuser300, sunuser999
gidNumber: 4001
cn: solarisgroup
1 matches
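The search output above shows that the comma-separated line in group.ldif was stored as a single memberUid value, "sunuser300, sunuser999", which no login name will ever match; LDIF takes one value per line under an explicit add: directive. The following added example (not from the original article) builds that LDIF for a posixGroup and flags such malformed member values in an entry returned by ldapsearch; the sample entry is a constructed copy of the one shown above and the helper names are the example's own.

```python
"""Build a correct LDIF modify for adding posixGroup members (one memberUid
value per line) and check a returned group entry for member values that are
not single valid user names.
Added example; SEARCH_RESULT is constructed from the entry shown on this page.
"""
import re

# A portable POSIX user name: lower-case letters, digits, '_' and '-', no
# commas or blanks.
VALID_USER = re.compile(r"^[a-z_][a-z0-9_-]*$")


def group_add_members_ldif(dn, members):
    """Return an LDIF modify record that adds each member as its own value."""
    lines = [f"dn: {dn}", "changetype: modify", "add: memberUid"]
    lines += [f"memberUid: {m}" for m in members]
    lines.append("-")  # terminates the modification block
    return "\n".join(lines) + "\n"


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}.

    Attribute names are case-insensitive in LDAP, so they are lower-cased.
    Base64 ("::") values and line folding are not needed for these entries.
    """
    attrs = {}
    for line in text.splitlines():
        if not line or line.startswith("#") or line.startswith("version:"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def bad_member_values(entry_text):
    """Return memberUid values that are not a single valid user name."""
    attrs = parse_ldif_entry(entry_text)
    return [v for v in attrs.get("memberuid", []) if not VALID_USER.match(v)]


# Constructed copy of the solarisgroup entry as ldapsearch showed it after
# the comma-separated modify above was applied.
SEARCH_RESULT = """version: 1
dn: cn=solarisgroup,ou=group,dc=COMPANY,dc=com
objectClass: posixGroup
objectClass: top
memberUid: sunuser300
memberUid: sunuser300, sunuser999
gidNumber: 4001
cn: solarisgroup
"""

if __name__ == "__main__":
    print(group_add_members_ldif(
        "cn=solarisgroup,ou=group,dc=COMPANY,dc=com", ["sunuser999"]))
    print("suspect memberUid values:", bad_member_values(SEARCH_RESULT))
```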
To delete groups using the console, access the console and then perform the following
steps.
1. Search for the group, as described in Modifying Groups Using the Console.
2. Execute ldapmodify:
# ldapmodify -h server2.COMPANY.com -D "cn=Directory Manager" -f group.ldif
Enter bind password:
deleting entry cn=solarisgroup,ou=group,dc=COMPANY,dc=com
ldap_init( localhost, 389 )
filter pattern: cn=solarisgroup
returning: ALL
filter is: (cn=solarisgroup)
0 matches
Tuning Settings
The following two procedures describe tuning steps you should perform for optimal
performance of Directory Server. Perform these procedures on all four directory servers.
Refer to the article Solaris OS Networking -- The Magic Revealed for tuning Solaris 10
networking settings.
2. For TCP stack tuning, in the /etc/init.d/inetinit file, set the following:
ndd -set /dev/tcp tcp_time_wait_interval 30000
ndd -set /dev/tcp tcp_conn_req_max_q 4096
ndd -set /dev/tcp tcp_keepalive_interval 600000
ndd -set /dev/tcp tcp_rexmit_interval_initial 500
ndd -set /dev/tcp tcp_smallest_anon_port 8192
ndd -set /dev/tcp tcp_deferred_ack_interval 5
You must stop each Directory Server instance before modifying dse.ldif.
Note: If you are using the nsslapd-db-home-directory setting above, ensure that the directory is
created during system startup time and that there is enough swap space (tmpfs/0 to hold
the 2GB of cache and the remaining temp files).
Downloads:
Sun Java System Directory Server Enterprise Edition
Solaris 10 OS
Sun training courses at http://www.sun.com/training/:
Sun Java System Directory Server Enterprise Edition 6.x: Analysis and Planning
(DIR-2217)
Sun Java System Directory Server Enterprise Edition 6.x: Maintenance and
Operations (DIR-2337D)
Sun Java System Directory Server Enterprise Edition: LDAP Concepts
(WMT-DIR-1344)
Using LDAP as a Naming Service (IN-351)
LDAP Design and Deployment (WI-3501)
Open source resources:
OpenSolaris software
OpenDS, an open directory service
Other open source resources
Developer forums:
Sun Java System Directory Server forum
Sun Java Enterprise System forums
Solaris OS forums
Documents at http://docs.sun.com:
System Administration Guide: Naming and Directory Services (DNS, NIS, and
LDAP)
Solaris 10 System Administrator Collection
Wikis:
Sun Java System wiki
BigAdmin wiki
Related sites and articles:
BigAdmin Sun Java Enterprise System hub
BigAdmin Solaris information center
Sun Java System Directory Server Enterprise Edition FAQ
Events:
Worldwide Developer Events: Sun Tech Days
Other current events