SJSDS Installation Guide
From AMCPU Wiki
The following is a quick step-by-step guide to getting your directory server up and running. I will try to include any "gotchas" that I experienced during the procedure. This installation was performed on a SPARC-based Sun Netra X1 running Solaris 9 with the latest "9_recommended" patch cluster as of May 2006. Also assume that csh or tcsh is the shell in use (for the steps that set environment variables).
Pre-installation steps
Download SJSDS 5.2 2005Q4 from Sun's website. Of course, you need this to install! Unpack the gzip'd tarball:
# gzcat <filename>.tar.gz | tar xf -
Run the idsktune script to check for any tuning that needs to be done prior to installation. The messages returned range from "Notice" to "Warning" to "Error". The default installation of Solaris 9 & 10 usually returns only Notices. Make any changes to the variables reported as Warnings or Errors before you continue.
# idsktune -q
Start the installation program
Start up the installation program. This can launch an installation GUI or be run from the command line only by specifying the "-nodisplay" parameter. If running the GUI, also remember to point DISPLAY at your remote X terminal so the GUI is forwarded there.
# setenv DISPLAY <remote hostname>:0.0
# ./setup
Follow the installation wizard and enter the values that are suitable for your environment. For the installation directory, I use a subdirectory of /opt rather than /var/Sun/mps as it suggests. /opt/SUNWsjsds5.2 seems more logical.
Post-installation tasks
Run the idsconfig script to complete installation and configuration of the directory server. This script makes some configuration changes to your directory server and then generates a profile entry that client machines will download to configure themselves using the ldapclient command.
# /usr/lib/ldap/idsconfig
Note: For idsconfig to work with Sun DSEE 6.0 the following change must be made:
For PAM to work with Directory Server 6.0, you must edit the /usr/lib/ldap/idsconfig script and change 5 to 6 in the following code:
if [ "${IDS_MAJVER}" != "5" ]; then
Now, the interaction with the idsconfig script and recommended configuration options:
It is strongly recommended that you BACKUP the directory server
before running idsconfig.
Hit Ctrl-C at any time before the final confirmation to exit.
Do you wish to continue with server setup (y/n/h)? [n] y
Enter the iPlanet Directory Server's (iDS) hostname to setup: dev-ldap-tony
Enter the port number for iDS (h=help): [389]
Enter the directory manager DN: [cn=Directory Manager]
Enter passwd for cn=Directory Manager :
Enter the domainname to be served (h=help): [nnet] yourdomain.net
Enter LDAP Base DN (h=help): [dc=yourdomain,dc=net]
Enter the profile name (h=help): [default]
Default server list (h=help): [10.60.50.14]
Preferred server list (h=help):
Choose desired search scope (one, sub, h=help): [one]
The following are the supported credential levels:
1 anonymous
2 proxy
3 proxy anonymous
Choose Credential level [h=help]: [1] 2
The following are the supported Authentication Methods:
1 none
2 simple
3 sasl/DIGEST-MD5
4 tls:simple
5 tls:sasl/DIGEST-MD5
Choose Authentication Method (h=help): [1] 4
Current authenticationMethod: tls:simple
Do you want to add another Authentication Method? n
Do you want the clients to follow referrals (y/n/h)? [n]
Do you want to modify the server timelimit value (y/n/h)? [n]
Do you want to modify the server sizelimit value (y/n/h)? [n]
Do you want to store passwords in "crypt" format (y/n/h)? [n] y
Do you want to setup a Service Authentication Methods (y/n/h)? [n]
Client search time limit in seconds (h=help): [30]
Profile Time To Live in seconds (h=help): [43200]
Bind time limit in seconds (h=help): [10]
Do you wish to setup Service Search Descriptors (y/n/h)? [n] y
A Add a Service Search Descriptor
D Delete a SSD
M Modify a SSD
P Display all SSD's
H Help
X Clear all SSD's
Q Exit menu
Enter menu choice: [Quit] a
Enter the service id: passwd
Enter the base: ou=People,dc=yourdomain,dc=net
Enter the scope: one
A Add a Service Search Descriptor
D Delete a SSD
M Modify a SSD
P Display all SSD's
H Help
X Clear all SSD's
Q Exit menu
Enter menu choice: [Quit] a
Enter the service id: group
Enter the base: ou=group,dc=yourdomain,dc=net
Enter the scope: one
A Add a Service Search Descriptor
D Delete a SSD
M Modify a SSD
P Display all SSD's
H Help
X Clear all SSD's
Q Exit menu
Enter menu choice: [Quit] a
Enter the service id: shadow
Enter the base: ou=People,dc=yourdomain,dc=net
Enter the scope: one
A Add a Service Search Descriptor
D Delete a SSD
M Modify a SSD
P Display all SSD's
H Help
X Clear all SSD's
Q Exit menu
Enter menu choice: [Quit] p
Current Service Search Descriptors:
==================================
passwd:ou=People,dc=yourdomain,dc=net?one
group:ou=group,dc=yourdomain,dc=net?one
shadow:ou=People,dc=yourdomain,dc=net?one
Hit return to continue.
A Add a Service Search Descriptor
D Delete a SSD
M Modify a SSD
P Display all SSD's
H Help
X Clear all SSD's
Q Exit menu
Enter menu choice: [Quit]
Summary of Configuration
1 Domain to serve : yourdomain.net
2 Base DN to setup : dc=yourdomain,dc=net
3 Profile name to create : default
4 Default Server List : 10.60.50.14
5 Preferred Server List :
6 Default Search Scope : one
7 Credential Level : proxy
8 Authentication Method : tls:simple
9 Enable Follow Referrals : FALSE
10 iDS Time Limit :
11 iDS Size Limit :
12 Enable crypt password storage : TRUE
13 Service Auth Method pam_ldap :
14 Service Auth Method keyserv :
15 Service Auth Method passwd-cmd:
16 Search Time Limit : 30
17 Profile Time to Live : 43200
18 Bind Limit : 10
19 Service Search Descriptors Menu
Enter config value to change: (1-19 0=commit changes) [0]
Enter DN for proxy agent: [cn=proxyagent,ou=profile,dc=yourdomain,dc=net]
Enter passwd for proxyagent:
Re-enter passwd:
WARNING: About to start committing changes. (y=continue, n=EXIT) y
1. Changed passwordstoragescheme to "crypt" in cn=config.
2. Schema attributes have been updated.
3. Schema objectclass definitions have been added.
4. NisDomainObject added to dc=yourdomain,dc=net.
5. Top level "ou" containers complete.
6. automount maps: auto_home auto_direct auto_master auto_shared processed.
7. ACI for dc=yourdomain,dc=net modified to disable self modify.
8. Add of VLV Access Control Information (ACI).
9. Proxy Agent cn=proxyagent,ou=profile,dc=yourdomain,dc=net added.
10. Give cn=proxyagent,ou=profile,dc=yourdomain,dc=net read permission for password.
11. Generated client profile and loaded on server.
12. Processing eq,pres indexes:
uidNumber (eq,pres) Finished indexing.
ipNetworkNumber (eq,pres) Finished indexing.
gidnumber (eq,pres) Finished indexing.
oncrpcnumber (eq,pres) Finished indexing.
automountKey (eq,pres) Finished indexing.
13. Processing eq,pres,sub indexes:
ipHostNumber (eq,pres,sub) Finished indexing.
membernisnetgroup (eq,pres,sub) Finished indexing.
nisnetgrouptriple (eq,pres,sub) Finished indexing.
14. Processing VLV indexes:
yourdomain.net.getgrent vlv_index Entry created
yourdomain.net.gethostent vlv_index Entry created
yourdomain.net.getnetent vlv_index Entry created
yourdomain.net.getpwent vlv_index Entry created
yourdomain.net.getrpcent vlv_index Entry created
yourdomain.net.getspent vlv_index Entry created
yourdomain.net.getauhoent vlv_index Entry created
yourdomain.net.getsoluent vlv_index Entry created
yourdomain.net.getauduent vlv_index Entry created
yourdomain.net.getauthent vlv_index Entry created
yourdomain.net.getexecent vlv_index Entry created
yourdomain.net.getprofent vlv_index Entry created
yourdomain.net.getmailent vlv_index Entry created
yourdomain.net.getbootent vlv_index Entry created
yourdomain.net.getethent vlv_index Entry created
yourdomain.net.getngrpent vlv_index Entry created
yourdomain.net.getipnent vlv_index Entry created
yourdomain.net.getmaskent vlv_index Entry created
yourdomain.net.getprent vlv_index Entry created
yourdomain.net.getip4ent vlv_index Entry created
yourdomain.net.getip6ent vlv_index Entry created
idsconfig: Setup of iDS server dev-ldap-tony is complete.
Note: idsconfig has created entries for VLV indexes. Use the
directoryserver(1m) script on dev-ldap-tony to stop
the server and then enter the following vlvindex
sub-commands to create the actual VLV indexes:
directoryserver -s dev-ldap-tony vlvindex -n userRoot -T yourdomain.net.getgrent
directoryserver -s dev-ldap-tony vlvindex -n userRoot -T yourdomain.net.gethostent
directoryserver -s dev-ldap-tony vlvindex -n userRoot -T yourdomain.net.getnetent
directoryserver -s dev-ldap-tony vlvindex -n userRoot -T yourdomain.net.getpwent
directoryserver -s dev-ldap-tony vlvindex -n userRoot -T yourdomain.net.getrpcent
directoryserver -s dev-ldap-tony vlvindex -n userRoot -T yourdomain.net.getspent
directoryserver -s dev-ldap-tony vlvindex -n userRoot -T yourdomain.net.getauhoent
directoryserver -s dev-ldap-tony vlvindex -n userRoot -T yourdomain.net.getsoluent
directoryserver -s dev-ldap-tony vlvindex -n userRoot -T yourdomain.net.getauduent
directoryserver -s dev-ldap-tony vlvindex -n userRoot -T yourdomain.net.getauthent
directoryserver -s dev-ldap-tony vlvindex -n userRoot -T yourdomain.net.getexecent
directoryserver -s dev-ldap-tony vlvindex -n userRoot -T yourdomain.net.getprofent
directoryserver -s dev-ldap-tony vlvindex -n userRoot -T yourdomain.net.getmailent
directoryserver -s dev-ldap-tony vlvindex -n userRoot -T yourdomain.net.getbootent
directoryserver -s dev-ldap-tony vlvindex -n userRoot -T yourdomain.net.getethent
directoryserver -s dev-ldap-tony vlvindex -n userRoot -T yourdomain.net.getngrpent
directoryserver -s dev-ldap-tony vlvindex -n userRoot -T yourdomain.net.getipnent
directoryserver -s dev-ldap-tony vlvindex -n userRoot -T yourdomain.net.getmaskent
directoryserver -s dev-ldap-tony vlvindex -n userRoot -T yourdomain.net.getprent
directoryserver -s dev-ldap-tony vlvindex -n userRoot -T yourdomain.net.getip4ent
directoryserver -s dev-ldap-tony vlvindex -n userRoot -T yourdomain.net.getip6ent
Don't use the commands that idsconfig recommends to create the VLV indexes; use the following instead (copy them into a script in your /opt/SUNWsjsds5.2/slapd-hostname/ directory and run it there):
./vlvindex -n userRoot -T yourdomain.org.getgrent
./vlvindex -n userRoot -T yourdomain.org.gethostent
./vlvindex -n userRoot -T yourdomain.org.getnetent
./vlvindex -n userRoot -T yourdomain.org.getpwent
./vlvindex -n userRoot -T yourdomain.org.getrpcent
./vlvindex -n userRoot -T yourdomain.org.getspent
./vlvindex -n userRoot -T yourdomain.org.getauhoent
./vlvindex -n userRoot -T yourdomain.org.getsoluent
./vlvindex -n userRoot -T yourdomain.org.getauduent
./vlvindex -n userRoot -T yourdomain.org.getauthent
./vlvindex -n userRoot -T yourdomain.org.getexecent
./vlvindex -n userRoot -T yourdomain.org.getprofent
./vlvindex -n userRoot -T yourdomain.org.getmailent
./vlvindex -n userRoot -T yourdomain.org.getbootent
./vlvindex -n userRoot -T yourdomain.org.getethent
./vlvindex -n userRoot -T yourdomain.org.getngrpent
./vlvindex -n userRoot -T yourdomain.org.getipnent
./vlvindex -n userRoot -T yourdomain.org.getmaskent
./vlvindex -n userRoot -T yourdomain.org.getprent
./vlvindex -n userRoot -T yourdomain.org.getip4ent
./vlvindex -n userRoot -T yourdomain.org.getip6ent
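Rather than retyping the twenty-one tags by hand, the vlvindex script can be generated from the idsconfig output itself. The following is an added example and is not part of the wiki page or of Sun's tooling: it rewrites each recommended "directoryserver ... vlvindex" line into the ./vlvindex form and refuses any tag that does not match a "vlv_index Entry created" line, which catches a domain mismatch (for instance .net entries versus .org tags) before the server is stopped. IDSCONFIG_OUT is a constructed sample built from a few of the lines shown above.

```shell
#!/bin/sh
# Added example (not from the wiki): build the ./vlvindex script from the
# idsconfig output and cross-check every tag against the entries it created.
# Assumption: IDSCONFIG_OUT holds the text idsconfig printed; the sample
# below is constructed from a subset of the page's own output lines.

IDSCONFIG_OUT='yourdomain.net.getgrent vlv_index Entry created
yourdomain.net.getpwent vlv_index Entry created
directoryserver -s dev-ldap-tony vlvindex -n userRoot -T yourdomain.net.getgrent
directoryserver -s dev-ldap-tony vlvindex -n userRoot -T yourdomain.net.getpwent'

# created_tags: print the VLV entry names idsconfig reported as created.
created_tags() {
    printf '%s\n' "$1" | awk '$2 == "vlv_index" && $3 == "Entry" { print $1 }'
}

# vlvindex_script: turn each recommended "directoryserver ... vlvindex" line
# into "./vlvindex -n <backend> -T <tag>" (to be run from the slapd-<hostname>
# directory). Exits non-zero, printing the offender, if a tag was never
# created, so a typo or wrong domain cannot silently produce no index.
vlvindex_script() {
    out=$1
    tags=$(created_tags "$out")
    printf '%s\n' "$out" | awk -v tags="$tags" '
        BEGIN {
            bad = 0
            n = split(tags, t, "\n")
            for (i = 1; i <= n; i++) ok[t[i]] = 1
        }
        $1 == "directoryserver" && $4 == "vlvindex" {
            tag = $NF
            if (!(tag in ok)) {
                print "unknown VLV tag: " tag > "/dev/stderr"
                bad = 1
                next
            }
            print "./vlvindex -n " $6 " -T " tag
        }
        END { exit bad }'
}
```

Run it as `vlvindex_script "$(cat idsconfig.log)" > make-vlv.sh` after saving the idsconfig session to a file, then stop the server and execute the generated script from the slapd-hostname directory.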
Now your directory server is configured and ready for data to be entered. Use LDIF files with the ldapadd or ldapmodify commands, or bring up the administration GUI and add entries there.
Disable password hashes from being viewable
To stop the "userpassword" attribute from being returned by the "ldaplist -l passwd username" command, you need to edit the ACI called "LDAP_Naming_Services_proxy_password_read" on the OU (or base DN) that you want to secure further.
Change the line in the ACI that reads:
allow (compare,read,search)
to:
allow (compare,search)
Doing this means PAM must be used for authentication, since the proxy agent can no longer read the hash itself, but it is definitely better not to return password hashes to anyone, and the shadow functionality stays intact.
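One way to apply this change without hand-editing the ACI in the console, as an added example that is not from the wiki page: export the aci value with ldapsearch, drop "read" from the allow list of the LDAP_Naming_Services_proxy_password_read ACI only, and feed the resulting delete/add pair to ldapmodify. The OLD_ACI value is constructed here to match the shape idsconfig produces (the exact text on your server should be taken from an ldapsearch export, and long aci values must be unwrapped from LDIF line continuations first); the base DN and proxy agent DN are the ones shown in the idsconfig session above.

```shell
#!/bin/sh
# Added example (not from the wiki): rewrite the proxy-agent password ACI so
# the proxy agent keeps compare/search on userPassword but can no longer read
# the hash. Assumption: OLD_ACI is a constructed value in the form idsconfig
# generates; on a real server export the actual value with ldapsearch.

OLD_ACI='(target="ldap:///dc=yourdomain,dc=net")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,read,search) userdn = "ldap:///cn=proxyagent,ou=profile,dc=yourdomain,dc=net";)'

# drop_read_permission: print the ACI with "read" removed from the allow
# list, but only for the proxy password ACI; any other ACI passes unchanged.
drop_read_permission() {
    printf '%s\n' "$1" | sed \
        -e '/acl LDAP_Naming_Services_proxy_password_read;/s/allow (compare,read,search)/allow (compare,search)/'
}

# make_ldif: emit an ldapmodify change set that deletes the old aci value
# and adds the hardened one on the given entry (the base DN or OU).
make_ldif() {
    base_dn=$1
    old=$2
    new=$(drop_read_permission "$old")
    printf 'dn: %s\nchangetype: modify\ndelete: aci\naci: %s\n-\nadd: aci\naci: %s\n' \
        "$base_dn" "$old" "$new"
}

# password_leaked: read ldaplist/ldapsearch output on stdin and return 0 if a
# userPassword value is still present, 1 if the hash is no longer returned.
# Use it after the change to confirm the hardening actually took effect.
password_leaked() {
    grep -iq '^userPassword:'
}

# Example usage: make_ldif "dc=yourdomain,dc=net" "$OLD_ACI" \
#   | ldapmodify -h dev-ldap-tony -D "cn=Directory Manager" -W
```

After the change, `ldaplist -l passwd username | password_leaked` should return 1 on a client bound as the proxy agent, while the same query still works for logins through pam_ldap.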
Configure the server to use TLS/SSL encryption
As you saw in the idsconfig script output above, only the "tls:simple" authentication method was selected. This forces all communication with the directory server to be encrypted. This is important because password hashes are sent over the network for authentication, and they should not be readable by anyone sniffing network traffic.
Install OpenSSL
First off, get openssl installed on your server and the clients. The clients will need the SSL libraries to establish an encrypted connection with the LDAP server to help prevent cleartext being sniffed on the network.
For Solaris 9 this package can be downloaded from http://www.sunfreeware.com and installed using the normal pkgadd command. Here is a link to the newest package posted there: http://www.sunfreeware.com/programlistsparc9.html#openssl098. It also depends on the libgcc-3.3 package, which is linked to in the same paragraph.
Generate a certificate to use for testing
Use the following method for testing purposes. To use SSL in production, you should always generate a certificate request and send it to a CA (Certificate Authority) internally within your organization or through a company such as VeriSign.
To create a certificate and store it in the certificate db for Directory Server, see the great script that Gary Tay put together in his SJSDS installation guide at: http://web.singnet.com.sg/~garyttt/Installing%20and%20configuring%20iPlanet%20Directory%20Server%20for%20Solaris9.htm
Install certificate on clients for SSL/TLS connections
Open up the server console (/opt/SUNWsjsds5.2/startconsole) and then open up the LDAP server. Click on the "tasks" tab and then click the "Manage Certificates" button. If you generated your certificate using the certutil in the script that Gary Tay put together (see link above), then the certificate will show up on the "Server Certs" tab. Otherwise, install your certificate using the wizard by clicking the "Install..." button at the bottom of the window.
