Part IV iPlanet Directory Server 5.1 Configuration
The following chapter discusses how to configure the iPlanet
Directory Server 5.1.
Chapter 11 iPlanet Directory Server 5.1 Configuration
This chapter discusses how to configure the iPlanet Directory
Server 5.1. You must complete the procedures contained in this chapter before
you can go on to configure the iPlanet Directory Server 5.1 for use with Solaris
LDAP clients.
Note –
If you are using a directory server other than the iPlanet Directory
Server 5.1, skip this chapter. See Generic Directory Server Requirements for a list of
basic requirements for other directory servers when used in conjunction with
Solaris LDAP naming service clients.
Refer to the following iPlanet manuals for in-depth information regarding
the iPlanet Directory Server 5.1.
- iPlanet Directory Server 5.1 Schema Reference Guide
- iPlanet Directory Server 5.1 Deployment Manual
- iPlanet Directory Server 5.1 Configuration, Command, and File Reference
- iPlanet Directory Server 5.1 Administrator's Guide
This chapter covers the following topics.
Preparing for Configuration
Before you begin configuring the iPlanet Directory Server 5.1, you
should have an understanding of the various components and the design and
configuration decisions you need to make.
To help you configure iPlanet Directory Server 5.1, you should be familiar
with the concepts contained in the following sections.
The iPlanet Directory Server 5.1 Deployment Guide
contains basic directory concepts as well as guidelines to help you design
and successfully deploy your directory service.
Configuration Components
iPlanet Directory Server 5.1 contains the following software components,
which are installed by default when you install the entire Solaris disk suite.
- iPlanet Console
The iPlanet Console provides the common user interface for all iPlanet
server products. From it you can perform common server administration functions
such as stopping and starting servers and installing new server instances.
iPlanet Console can be installed as a stand-alone application on any machine.
You can also install it on your network and use it to manage remote servers.
- Administration Server
The Administration Server is a common front-end to all iPlanet servers.
It receives communications from iPlanet Console and passes those communications
on to the appropriate iPlanet server.
- iPlanet Directory Server 5.1
The iPlanet Directory Server 5.1 is a high-performance, scalable LDAP
server with an on-disk database. The iPlanet Directory Server 5.1 runs as
the ns-slapd process on Solaris. This is the server that
manages the directory databases and responds to client requests. iPlanet Directory
Server 5.1 is a required component.
Configuration Choices
During Directory Server configuration, you are prompted for basic information.
Decide how you are going to configure these basic parameters before you begin
the configuration process. Depending on the type of configuration that you decide
to perform, you are prompted for some or all of the following information.
- Port number
- Users and groups to run the server as
- Your directory suffix
- Several different authentication user IDs
- The administration domain
Choosing Unique Port Numbers
Port numbers can be any number from 1 to 65535. Keep the following in
mind when choosing a port number for your iPlanet Directory Server 5.1.
- The standard iPlanet Directory Server 5.1 (LDAP) port number is 389.
- Port 636 is reserved for LDAP over SSL. Therefore, do not use port number 636 for your standard LDAP configuration, even if 636 is not already in use. You can also use LDAP over TLS on the standard LDAP port.
- Port numbers between 1 and 1024 have been assigned to various services by the Internet Assigned Numbers Authority. Do not use port numbers below 1024 other than 389 or 636 for directory services, as they will conflict with other services. Additionally, port numbers below 1024 are accessible by root only.
- iPlanet Directory Server 5.1 must run as root if it uses either port 389 or 636.
- Make sure the ports you choose are not already in use. Additionally, if you are using both LDAP and LDAPS communications, make sure the port numbers chosen for these two types of access are not identical.
Note –
If the LDAP naming service clients are using SSL encryption, you must use the default port numbers 389 and 636, so that the server
runs as root. See Transport Layer Security (TLS) for information
on Transport Layer Security.
For information on how to set up LDAP over SSL (LDAPS) for the iPlanet
Directory Server 5.1, see the iPlanet Directory Server 5.1 Administrator's
Guide.
Choosing User and Group
For security reasons, it is always best to run UNIX-based production
servers with normal user privileges. That is, you do not want to run Directory
Server with root privileges. However, you will have to run Directory Server
with root privileges if you are using the default Directory Server ports.
If Directory Server is to be started by Administration Server, Administration
Server must run either as root or as the same user as iPlanet Directory Server
5.1.
You must therefore decide what user accounts you will use for the following
purposes.
- The user and group under which you will run iPlanet Directory Server 5.1.
If you will not be running the iPlanet Directory Server 5.1 as root,
it is strongly recommended that you create a user account for all iPlanet
servers. You should not use any existing operating system account, and must
not use the nobody account. Also, you should create a common
group for the iPlanet Directory Server 5.1 files; again, you must not use
the nobody group.
- The user and group under which you will run Administration Server.
For configurations that use the default port numbers, this must be root.
However, if you use ports over 1024, then you should create a user account
for all iPlanet servers, and run Administration Server as this account.
As a security precaution, when Administration Server is being run as
root, it should be shut down when it is not in use.
You should use a common group for all iPlanet servers, such as gid iPlanet, to ensure that files can be shared between servers
when necessary.
Before you can install iPlanet Directory Server 5.1 and Administration
Server, you must make sure that the user and group accounts you will use exist
on your system.
Defining Authentication Entities
As you configure iPlanet Directory Server 5.1 and Administration Server,
you will be asked for various user names, distinguished names (DN), and passwords.
This list of login and bind entities will differ depending on the type of
configuration that you are performing.
- Directory Manager DN and password
The Directory Manager DN is the special directory entry to which access
control does not apply. Think of the directory manager as your directory's
superuser. (In former releases of iPlanet Directory Server, the Directory
Manager DN was known as the root DN).
The default Directory Manager DN is cn=Directory Manager.
Because the Directory Manager DN is a special entry, the Directory Manager
DN does not have to conform to any suffix configured for your iPlanet Directory
Server 5.1. Therefore, you must not manually create an actual iPlanet Directory
Server 5.1 entry that has the same DN as the directory manager DN.
The Directory Manager password must be at least 8 characters long, and
is limited to ASCII letters, digits, and symbols.
Note –
It is wise to use the same Directory Manager DN and password for all of your LDAP servers, especially if you have set the replicas
to follow referrals to the master server during client add
and modify operations.
- Configuration Directory Administrator ID and password
The configuration directory administrator is the person responsible
for managing all the iPlanet servers accessible through iPlanet Console. If
you log in with this user ID, then you can administer any iPlanet server that
you can see in the server topology area of iPlanet Console.
For security, the configuration directory administrator should not
be the same as the directory manager. The default configuration directory
administrator ID is admin.
- The Administration Server User and password
You are prompted for this only during custom configurations. The Administration
Server user is the special user that has all privileges for the local Administration
Server. Authentication as this person allows you to administer all the iPlanet
servers stored on this server.
The Administration Server user ID and password are used only when the iPlanet
Directory Server 5.1 is down and you are unable to log in as the configuration
directory administrator. The existence of this user ID means that you can
access Administration Server and perform disaster recovery activities such
as starting iPlanet Directory Server 5.1, reading log files, and so forth.
Normally, Administration Server user and password should be identical
to the configuration directory administrator ID and password.
Choosing Your Directory Suffix
A directory suffix is the directory entry that represents the first
entry in a directory tree. You will need at least one directory suffix for
the tree that will contain your enterprise's data. It is common practice to
select a directory suffix that corresponds to the DNS host name used by your
enterprise. For example, if your organization uses the DNS name example.com, then select a suffix of dc=example,dc=com.
For more information on planning the suffixes for your directory service,
see the iPlanet Directory Server 5.1 Deployment Guide.
Choosing the Location of the Configuration Directory
Many iPlanet servers including Directory Server 5.1 use an instance
of iPlanet Directory Server 5.1 to store configuration information. This information
is stored in the o=NetscapeRoot directory tree. It does
not need to be held on the same iPlanet Directory Server 5.1 as your directory
data. Your configuration directory is the iPlanet Directory Server 5.1 that
contains the o=NetscapeRoot.
If you are installing iPlanet Directory Server 5.1 only to support other
iPlanet servers, then that iPlanet Directory Server 5.1 is your configuration
directory. If you are installing iPlanet Directory Server 5.1 to use as part
of a general directory service, then you will have multiple iPlanet Directory
Server 5.1s installed in your enterprise and you must decide which one will
host the configuration directory tree, o=NetscapeRoot.
You must make this decision before you install any iPlanet servers (including
iPlanet Directory Server 5.1).
For ease of upgrades, you should use an iPlanet Directory Server 5.1
instance that is dedicated to supporting the o=NetscapeRoot
tree; this server instance should perform no other function with regard to
managing your enterprise's directory data. Also, do not use port 389 for this
server instance because doing so could prevent you from installing an iPlanet
Directory Server 5.1 on that host that can be used for management of your
enterprise's directory data.
Because the configuration directory normally experiences very little
traffic, you can allow its server instance to coexist on a machine with another
more heavily loaded iPlanet Directory Server 5.1 instance. However, for very
large sites that are installing a large number of iPlanet servers, you may
want to dedicate a low-end machine to the configuration directory so as to
not hurt the performance of your other production servers. iPlanet server
configurations result in write activities to the configuration directory.
For large enough sites, this write activity could result in a short-term performance
hit to your other directory activities.
Also, as with any directory configuration, consider replicating the
configuration directory to increase availability and reliability. See the iPlanet Directory Server 5.1 Deployment Guide for information
on using replication and DNS round robins to increase directory availability.

Caution –
If the configuration directory tree is corrupted, you might
need to reinstall all other iPlanet servers that are registered in that configuration
directory. Remember the following guidelines when dealing with the configuration
directory.
- Always back up your configuration directory after you install a new iPlanet server
- Never change the host name or port number used by the configuration directory
- Never directly modify the configuration directory tree. Only the setup program for the various iPlanet servers should ever modify the configuration
Choosing the Location of the User Directory
Just as the configuration directory is the iPlanet Directory Server
5.1 that is used for iPlanet server administration, the user directory is
the iPlanet Directory Server 5.1 that contains the entries for users and groups
in your enterprise.
For most directory configurations, the user directory and the configuration
directory should be two separate server instances. These server instances
can be installed on the same machine, but for best results you should consider
placing the configuration directory on a separate machine.
Between your user directory and your configuration directory, it is
your user directory that will receive the overwhelming percentage of the directory
traffic. For this reason, you should give the user directory the greatest
computing resources. Because the configuration directory should receive very
little traffic, it can be installed on a machine with very low-end resources.
Also, you should use the default directory ports (389 and 636) for the
user directory. If your configuration directory is managed by a server instance
dedicated to that purpose, you should use some non-standard port for the configuration
directory.
You cannot install a user directory until you have installed a configuration
directory somewhere on your network.
Choosing the Administration Domain
The administration domain allows you to logically group iPlanet servers
together so that you can more easily distribute server administrative tasks.
A common scenario is for two divisions in a company to each want control of
their individual iPlanet servers. However, you may still want some centralized
control of all the servers in your enterprise. Administration domains allow
you to meet these conflicting goals.
Administration domains have the following qualities.
- All servers share the same configuration directory, regardless of the domain to which they belong
- Servers in two different domains may use two different user directories for authentication and user management
- The configuration directory administrator has complete access to all installed iPlanet servers, regardless of the domain to which they belong
- Each administration domain can be configured with an administration domain owner. This owner has complete access to all the servers in the domain but does not have access to the servers in any other administration domain
- The administration domain owner can grant individual users administrative access on a server by server basis within the domain
For many configurations, you can have just one administration domain.
In this case, choose a name that is representative of your organization. For
other configurations, you may want different domains because of the demands
at your site. In the latter case, try to name your administration domains
after the organizations that will control the servers in that domain.
For example, if you are an ISP and you have three customers for whom
you are installing and managing iPlanet servers, create three administration
domains each named after a different customer.
Configuration Process Overview
You can use one of several configuration processes to install iPlanet
Directory Server 5.1. Each one guides you through the configuration process
and ensures that you configure the various components in the correct order.
The following sections outline the configuration processes available.
Selecting a Configuration Process
You can configure iPlanet Directory Server 5.1 software using one of
the four different configuration methods provided in the setup program.
- Express configuration
Use this if you are installing for the purposes of evaluating or testing
iPlanet Directory Server 5.1. See Using Express Configuration.
- Typical configuration
Use this if you are performing a normal install of iPlanet Directory
Server 5.1. See Using Typical Configuration.
- Custom configuration
In iPlanet Directory Server 5.1, the custom configuration process is
very similar to the typical configuration process. The main difference is
that the custom configuration process will allow you to import an LDIF file
to initialize the user directory database that is created by default.
Beyond determining which type of configuration process you will use,
the process for configuring iPlanet Directory Server 5.1 is as follows:
- Plan your directory service. By planning your directory tree
in advance, you can design a service that is easy to manage and easy to scale
as your organization grows. For guidance on planning your directory service,
refer to the iPlanet Directory Server 5.1 Deployment Guide.
- Configure your iPlanet Directory Server 5.1 as described in this chapter.
- Create the directory suffixes and databases. You do not have
to populate your directory now; however, you should create the basic structure
for your tree, including all major roots and branch points. For information
about the different methods of creating a directory entry, refer to the iPlanet Directory Server 5.1 Administrator's Guide.
- Create additional iPlanet Directory Server 5.1
instances and set up replication agreements between your iPlanet Directory
Server 5.1 instances to ensure availability of your data.
Using Express and Typical Configuration
Using Express Configuration
Use express configuration if you are installing iPlanet Directory Server
5.1 to evaluate or test the product. Because express configuration does not
offer you the choice of selecting your server port number or your directory
suffix, you should not use it for production configurations. To perform an
express configuration, do the following.
How to configure iPlanet Directory Server 5.1 using express configuration
- Become superuser.
- Run the iPlanet Directory Server 5.1 program by typing the following.
# /usr/sbin/directoryserver setup
- When you are prompted for what you want to install, hit enter for [the default] iPlanet servers.
- When you are prompted for the type of configuration, choose Express.
- For the user and group to run the servers as, enter the identity that you want this server to run as.
- For Configuration Directory Administrator ID and password, enter the
name and password that you will log in as when you want to authenticate to
the console with full privileges. Think of this as the root or superuser identity
for the iPlanet Console.
The server is then minimally configured, and started. You are told
what host and port number on which the Administration Server is listening.
Note the following about your new iPlanet Directory Server 5.1 configuration.
- The iPlanet Directory Server 5.1 is listening on port 389
- The server is configured to use the following suffixes:
dc=your_machine's_DNS_domain_name
That is, if your machine is named test.example.com,
then you have the suffix dc=example, dc=com configured
for this server.
o=NetscapeRoot
Do not modify the contents of the directory under the o=NetscapeRoot suffix. Either create data under the first suffix, or create a
new suffix to be used for this purpose. For details on how to create new suffixes
for your iPlanet Directory Server 5.1, see the iPlanet Directory
Server 5.1 Administrator's Guide.
Using Typical Configuration
Most first time configurations of iPlanet Directory Server 5.1 can be
performed using the Typical option of the setup program.
How to configure iPlanet Directory Server 5.1 using typical configuration
- Become superuser.
- Run the iPlanet Directory Server 5.1 program.
# /usr/sbin/directoryserver setup
- When you are prompted for what you want to install, hit enter for [the default] iPlanet Servers.
- When you are prompted for Directory Suite and Administration Services, hit enter to select all [the default].
- Hit enter to select all Directory Suite components.
- Hit enter to select all Administration components.
- When prompted for the hostname, select the default [the host] or enter an alternative fully qualified domain name.
Caution – Note that the default hostname may be incorrect if the installer
cannot locate a DNS name for your system. For example, you might not have
a DNS name if your system uses NIS. The hostname must be a fully qualified
host and domain name. If the default hostname is not a fully qualified host
and domain name, configuration will fail.
- The setup program then asks you for the System User and the System Group names. Enter the identity under which you want the servers to run.
- For the configuration directory, select the default if this directory
will host your o=NetscapeRoot tree. Otherwise, enter Yes. You will then be asked for the contact information for the
configuration directory.
If the server you are currently installing is not the configuration
directory, then the configuration directory must exist before you can continue
this configuration.
- The setup program then asks if the server you are currently installing
will be the one for your user data. For most cases, you can select the default.
However, if you intend this server instance to be used as a configuration
directory only, then you should enter Yes.
- For the iPlanet Directory Server 5.1 port, select the default (389) unless you already have another application using that port.
- For the iPlanet Directory Server 5.1 Identifier, enter a unique value (normally the default is sufficient).
This value is used as part of the name of the directory in which the
iPlanet Directory Server 5.1 instance is installed. For example, if your machine's
host name is phonebook, then this name is the default and
selecting it will cause the iPlanet Directory Server 5.1 instance to be installed
into a directory labeled slapd-phonebook.
Caution – The iPlanet Directory Server 5.1 identifier must not contain
a period. For example, example.server.com is not a valid server identifier
name.
- For Configuration Directory Administrator ID and password, enter the
name and password that you will log in as when you want to authenticate to
the console with full privileges.
- For a directory suffix, enter a distinguished name meaningful to your enterprise.
This string is used to form the name of all your organization's directory
entries. Therefore, pick a name that is representative of your organization.
It is recommended that you pick a suffix that corresponds to your internet
DNS name.
For example, if your organization uses the DNS name example.com, then
enter dc=example,dc=com here.
- For Directory Manager DN, enter the distinguished name that you will
use when managing the contents of your directory with unlimited privileges.
Note –
Any Distinguished Names must be entered in the UTF-8 character
set encoding. Older encodings such as ISO-8859-1 are not supported.
In former releases of iPlanet Directory Server 5.1, the Directory Manager
was known as the root DN. This is the entry that you bind to the directory
as when you want access control to be ignored. This distinguished name can
be short and does not have to conform to any suffix configured for your directory.
However, it should not correspond to an actual entry stored in your directory.
- For the Directory Manager password, enter a value that is at least 8 characters long.
- For Administration Domain, enter the domain that you want this server to belong to.
The name you enter should be a unique string that is descriptive of
the organization responsible for administering the domain.
- For the administration port number, enter a value that is not in use
(for example, you might want to use the value 5100 to indicate a 5.1 iPlanet
Directory Server 5.1). Be sure to record this value somewhere you can remember.
- For the user you want to run Administration Server as, enter root, the default.
The server is then minimally configured, and started. You are told what
host and port number Administration Server is listening on. The server is
configured to use the following suffixes.
Do not modify the contents of the directory under the o=NetscapeRoot suffix. Either create data under the first suffix, or create a
new suffix to be used for this purpose. For details on how to create new suffixes
for your iPlanet Directory Server 5.1, see the iPlanet Directory
Server 5.1 Administrator's Guide.
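Before answering the setup prompts in the procedures above, the planned values can be checked against the rules this chapter gives for ports, the server user and group, the hostname, the server identifier, the Directory Manager password and the suffix. The following shell script is an added example, not code from the iPlanet documentation or product; it assumes a POSIX sh with getent(1) and netstat(1M) on the install host, and the host names, accounts and ports in its checks are sample values.

```shell
# Pre-flight checks for the answers planned for "directoryserver setup", encoding the
# rules this chapter states. Added example, not part of the iPlanet product or its
# documentation; assumes POSIX sh with getent(1) and netstat(1M) on the install host.
# A port is an integer from 1 to 65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Plain LDAP: below 1024 only 389 is allowed, and 636 is reserved for LDAPS.
valid_ldap_port() {
    valid_port "$1" && [ "$1" -ne 636 ] && { [ "$1" -ge 1024 ] || [ "$1" -eq 389 ]; }
}
# LDAPS: below 1024 only 636 is allowed, and it must differ from the LDAP port ($2).
valid_ldaps_port() {
    valid_port "$1" && valid_port "$2" && [ "$1" -ne "$2" ] && { [ "$1" -ge 1024 ] || [ "$1" -eq 636 ]; }
}

# Is something already listening? Matches "*.389" (Solaris) and ":389" (Linux) netstat output.
port_in_use() {
    netstat -an 2>/dev/null | grep -E "[.:]$1[[:space:]]" | grep -qi listen
}

# The account ($1 is "passwd" or "group") must exist and must never be nobody.
account_exists() {
    [ "$2" != nobody ] && getent "$1" "$2" >/dev/null 2>&1
}
# A server on a port below 1024 must run as root; nobody is never acceptable.
user_ok_for_port() {
    valid_port "$2" && [ "$1" != nobody ] && { [ "$2" -ge 1024 ] || [ "$1" = root ]; }
}

# The hostname must be a fully qualified host and domain name, or setup fails.
is_fqdn() {
    case "$1" in ''|.*|*.|*..*|*[!A-Za-z0-9.-]*) return 1 ;; *.*) return 0 ;; *) return 1 ;; esac
}
# The identifier names the slapd-<identifier> directory and may not contain a period.
valid_server_id() {
    case "$1" in ''|*.*) return 1 ;; *) return 0 ;; esac
}

# Directory Manager password: 8+ characters, ASCII letters, digits and symbols only.
valid_dm_password() {
    [ "${#1}" -ge 8 ] && [ -z "$(printf '%s' "$1" | LC_ALL=C tr -d '!-~')" ]
}

# example.com -> dc=example,dc=com; drop the host label first when given a host name.
dns_domain_of_host() { printf '%s\n' "${1#*.}"; }
suffix_from_domain() {
    d=$1 out=''
    while [ -n "$d" ]; do
        out="${out:+$out,}dc=${d%%.*}"
        case "$d" in *.*) d=${d#*.} ;; *) d='' ;; esac
    done
    printf '%s\n' "$out"
}

# Run every check on the planned answers; prints each problem and returns their count.
preflight() { # host user group ldap_port ldaps_port admin_port server_id dm_password
    n=0; fail() { echo "preflight: $1"; n=$((n+1)); }
    is_fqdn "$1"               || fail "hostname '$1' is not fully qualified"
    account_exists passwd "$2" || fail "user '$2' does not exist or is nobody"
    account_exists group "$3"  || fail "group '$3' does not exist or is nobody"
    valid_ldap_port "$4"       || fail "LDAP port '$4' is not allowed"
    valid_ldaps_port "$5" "$4" || fail "LDAPS port '$5' is not allowed"
    valid_port "$6"            || fail "administration port '$6' is not a valid port"
    user_ok_for_port "$2" "$4" || fail "user '$2' may not bind port $4"
    valid_server_id "$7"       || fail "identifier '$7' contains a period"
    valid_dm_password "$8"     || fail "Directory Manager password does not meet the rules"
    for p in "$4" "$5" "$6"; do
        if port_in_use "$p"; then fail "port $p is already in use"; fi
    done
    return "$n"
}
```

Call preflight with the answers you intend to give; a zero return means every rule held, otherwise each violated rule is printed.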