HP-UX Directory Server installation guide HP-UX Directory Server Version 8.
© Copyright 2009 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Table of Contents
1 Preparing for a Directory Server installation ... 7
1.1 Directory Server components ... 7
1.2 Considerations before setting up Directory Server ... 7
1.2.1 Port numbers ...
4.2.1 Creating a new Directory Server instance interactively ... 39
4.2.2 Creating a new Directory Server instance silently ... 39
4.2.3 Creating a Directory Server instance manageable at the command line instead of Console ... 40
4.
Index ...
1 Preparing for a Directory Server installation This manual provides a high-level overview of design and planning decisions you need to make before installing Directory Server, describes the different methods for setting up and installing the Directory Server, describes post-installation tasks, and provides general information about using Directory Server and how to troubleshoot problems. Before you install HP-UX Directory Server 8.
default. Alternatively, you can assign any port number between 1025 and 65535 for the Directory Server and Administration Server ports; you are not required to use the defaults or the randomly-generated ports. NOTE: Although the valid range of port numbers is 1 to 65535, do not assign a Directory Server port number below 1024 (except 389 for LDAP, or 636 for LDAP with TLS/SSL). The Internet Assigned Numbers Authority (IANA) has already assigned ports 1 to 1023 to common processes.
The Directory Manager is a special entry that does not have to conform to a Directory Server configured suffix; additionally, access controls, password policy, and database limits for size, time, and lookthrough limits do not apply to the Directory Manager. There is no directory entry for the Directory Manager user; it is used only for authentication. You cannot create an actual Directory Server entry that uses the same distinguished name (DN) as the Directory Manager DN.
setup file (see “Importing LDIF files for configuring Directory Server users, replication, and other entities” (page 36)). 1.2.7 Configuration directory The configuration directory (also referred to as the Configuration Directory Server) is the main directory that stores configuration information such as log files, configuration files, and port numbers. These configuration data get stored in the o=NetscapeRoot tree.
2 System requirements
Before configuring the default HP-UX Directory Server 8.1 instances, it is important to verify that the host server has the required system settings and configuration:
• The system must have the required packages, patches, and kernel parameter settings.
• DNS must be properly configured on the target system.
• The host server must have a static IP address.
Table 2-1 Hardware requirements (continued)
Item: Description of requirement
Install Device: CD-ROM drive to load the software or an Internet connection to Software Depot to download the software.
Disk space: The disk space requirements in /opt/dirsrv, /etc/opt/dirsrv/ and /var/opt/dirsrv are as follows:
• /opt/dirsrv: The initial product installation requires 115 MB of space in /opt/dirsrv for executables, libraries, scripts and other related data.
Patch PHCO_37940 is an HP-UX 11i v2 pthread library cumulative patch. This patch improves performance of the HP-UX Directory Server on an HP-UX 11i v2 system.
• HP-UX 11i v3
HP recommends, but does not require, that you install the HP-UX 11i v3 OS patch level OE September 2007 or later.
You can download patches and Quality Patch bundles from the HP IT Resource Center patch database: http://itrc.hp.com/service/home/home.do
Select patch database under maintenance and support (hp products).
2.
2.4.3 TIME_WAIT setting
Normally, client applications that shut down correctly cause the socket to linger in a TIME_WAIT state. Verify that the TIME_WAIT entry is set to a reasonable duration. For example:
# ndd -set /dev/tcp tcp_time_wait_interval 60000
This limits the socket TIME_WAIT state to 60 seconds.
2.4.4 Large file support
To run Directory Server on HP-UX, you must enable large file support for the file system where the directory data is stored.
3 Setting up HP-UX Directory Server
This chapter describes the complete process for installing Directory Server on HP-UX 11i. It includes instructions for installing the HP-UX Apache web server and the JRE and Directory Server packages, and describes the various options for setting up the Directory Server.
3.1 Overview
Installing and configuring HP-UX Directory Server on HP-UX has four major steps:
1. Ensure that you have the required version of HP-UX Apache-based web server installed on the system.
2.
If a version of JRE 1.5 is already installed on the system and the version is equal to or greater than 1.5.0.11, you can skip the JRE installation requirement. To check if the correct version of JRE 1.5 is installed on the system, use the following command:
# /usr/bin/swlist -l product | grep Jre
If the JRE 1.5 version is less than 1.5.0.11, or if JRE 1.5 is not installed on the system, install JRE 1.5.0.11. To download and install JRE for Java 2 platform HP-UX Integrity version 1.5.0.11(.
for setting up large numbers of Directory Server instances, because it does not require any user involvement after the package is installed. You can also provide a setup file with certain parameters predefined for interactive mode. In addition, when you enter the command to run the script for interactive or silent mode, you can pass parameters in the command line.
• To return to a previous dialog screen prompt, type Ctrl-B and press Enter. You can backtrack all the way to the first screen prompt.
• Two prompts ask for a password. After entering a password for the first time, confirm the password by typing it in again. The password prompts do not echo the characters entered, so be sure to type them correctly.
• When the script finishes, it generates a temporary log file in the /tmp directory called setupXXXXXX.log, where XXXXXX is a series of random characters.
specify values specific to the Directory Server being set up. For example, parameters such as ConfigDirectoryLdapURL, which can be used for multiple instances, could be specified in the setup file. Parameters such as FullMachineName, which is specific to the host, could be specified in the command line. For example, with the following command, the setup script uses the common parameter values specified in the common.
Table 3-1 setup-ds-admin options (continued)
Option: -k
Alternate: --keepcache
Description: This saves the temporary configuration setup file (file name .inf) that is created when the setup script is run interactively. This file can then be reused for a silent setup.
CAUTION: This file (also referred to as a cache file) contains the cleartext passwords supplied during setup. Use appropriate caution and protection with this file.
Table 3-2 Comparison of setup types
Setup screen prompt: Parameter input
Continue with setup: Yes or no (N/A)
Choose setup type:
• 1 (express) (N/A)
• 2 (typical) (N/A)
• 3 (custom) (N/A)
Set the computer name: ldap.example.
Table 3-2 Comparison of setup types (continued)
Setup screen prompt: Parameter input
Set the Directory Manager password: password
Install sample entries: Yes or no
Populate the Directory Server with entries:
• Supply the full path and file name to an LDIF file
• Type suggest, which imports common container entries, such as ou=People
• Type none, which does not import any data
Set the Administration Server port: 9830
Set the Administration Server IP address: blank (all interfaces)
Set user as which the
3. This step allows you to register your Directory Server with an existing Directory Server instance that serves as the Configuration Directory Server. This registers your new instance so it can be managed by the Console. If you are setting up the first Directory Server instance on your network, you cannot register it with another directory; you must set up your Directory Server as the Configuration Directory Server. To set up this Directory Server as a Configuration Directory Server, select n.
When the setup-ds-admin.pl script is done, the Directory Server is configured and running. To log into the Directory Server Console to begin setting up your directory service, do the following:
1. Get the Administration Server port number from the Listen parameter in the console.conf configuration file.
# grep \^Listen /etc/opt/dirsrv/admin-serv/console.conf
Listen 0.0.0.0:9830
2. Using the Administration Server port number, launch the Console.
HP recommends using the defaults. If you want to use a user or group other than the default, you must create the user or group before completing the setup script. 5. This step allows you to register your Directory Server with an existing Directory Server instance that serves as the Configuration Directory Server. This registers your new instance so it can be managed by the Console.
13. Set the Directory Manager password and confirm it.
14. Enter the Administration Server port number. The default is 9830 unless that port is in use, in which case the setup script supplies a randomly generated one.
Administration port [9830]:
15. The last prompt asks if you are ready to set up your servers. Answer yes, after which messages such as the following are displayed.
NOTE: Run the setup-ds-admin.pl script as root.
CAUTION: If a Directory Server (notably Netscape Directory Server 6.21 or Red Hat Directory Server 7.1) is already installed on your machine, it is extremely important that you perform a migration, not a fresh installation. Migration is described in Chapter 6 “Migrating or upgrading to HP-UX Directory Server from Netscape or Red Hat Directory Server”.
The custom setup has the following steps:
1. Launch the setup-ds-admin.
• The administrator user's password.
• The Configuration Directory Server Admin domain, such as example.com.
• The CA certificate to authenticate to the Configuration Directory Server. This is only required if the Directory Server instance will connect to the Configuration Directory Server over LDAPS. This should be the full path and file name of the CA certificate in PEM/ASCII format.
6. If you registered your Directory Server with an existing Configuration Directory Server, skip to step 9.
IP addresses automatically assigned to the system. Using 0.0.0.0 (the default) allows the Administration Server to acquire any IP address.
18. Set the user that the Administration Server process will run as. The default is www. For example:
Run Administration Server as [www]:
19. The last prompt asks if you are ready to set up your servers. Answer yes, after which messages such as the following are displayed.
[General]
FullMachineName= dir.example.com
SuiteSpotUserID= www
SuiteSpotGroup= other
AdminDomain= example.com
ConfigDirectoryAdminID= admin
ConfigDirectoryAdminPwd= admin
ConfigDirectoryLdapURL= ldap://dir.example.com:389/o=NetscapeRoot

[slapd]
SlapdConfigForMC= Yes
UseExistingMC= No
ServerPort= 389
ServerIdentifier= dir
Suffix= dc=example,dc=com
RootDN= cn=Directory Manager
RootDNPwd= password123

[admin]
Port= 9830
ServerIpAddress= 192.0.2.
slapd: This supplies information about the specific Directory Server instance; this information, like the port and server ID, must be unique.
admin: This supplies information specific to the Administration Server instance; this is not used when creating additional Directory Server instances or setting up a single Directory Server instance.
The format of the .inf file is as follows:
[General]
directive=value
directive=value
...

[slapd]
directive=value
directive=value
...
Table 3-3 [General] directives (continued)
Directive: Description (Req'd? / Example)
ConfigDirectoryAdminID: Specifies the user distinguished name (DN) of the user that has administration privileges to the configuration directory. This is usually admin. (Req'd? No / Example: admin)
ConfigDirectoryAdminPwd: Specifies the password for the admin user. (Req'd? Yes)
Table 3-4 describes the directives for the [slapd] section of the .setup file.
Table 3-4 [slapd] directives (continued)
Directive: Description (Req'd? / Example)
InstallLdifFile: Populates the new directory with the contents of the specified LDIF file. (Req'd? No / Example: suggest)
SchemaFile: Lists the full path and file name of additional schema files; this is used if there is custom schema with the old Directory Server. This directive may be specified more than once. (Req'd? No / Example: SchemaFile=/home/files/50custom.
Table 3-5 [admin] directives (continued)
Directive: Description (Required / Example)
ServerAdminPwd: Specifies the password for the Administration Server user. (Required: No)
ServerIpAddress: Specifies the IP address on which the Administration Server will listen. Use this directive if you are installing on a multi-homed system and you do not want to use the first IP address for the Administration Server. (Required: No)
3.6.7.
Example 3-2 Example of setup file for a typical setup
[General]
FullMachineName= dir.example.com
SuiteSpotUserID= www
SuiteSpotGroup= other
AdminDomain= example.com
ConfigDirectoryAdminID= admin
ConfigDirectoryAdminPwd= admin
ConfigDirectoryLdapURL= ldap://dir.example.
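Because the .inf setup file (and the -k/--keepcache cache file) carries cleartext passwords in the ConfigDirectoryAdminPwd, RootDNPwd and ServerAdminPwd directives, an administrator who keeps such files for silent setups usually wants to know which directives hold secrets and to produce a redacted copy before the file is checked into a repository or attached to a support case. The following Python is an added example written for this guide; it is not part of HP-UX Directory Server and does not reproduce setup-ds-admin.pl's own parser. It parses the [section] / directive= value layout shown above, lists the password-bearing directives, and writes a redacted copy. The sample file embedded in it is constructed after Example 3-2; the ServerIpAddress value 192.0.2.10 is a placeholder, and the set of password directives is taken from the tables in this chapter.

```python
import re
from typing import Dict, List, Tuple

# Directives that hold cleartext passwords in a setup-ds-admin.pl .inf file
# (taken from Tables 3-3, 3-4 and 3-5 of this guide).
PASSWORD_DIRECTIVES = {"ConfigDirectoryAdminPwd", "RootDNPwd", "ServerAdminPwd"}

SECTION_RE = re.compile(r"^\[(\w+)\]\s*$")
# A directive name, '=', optional spaces, then the value (which may itself
# contain '=' characters, e.g. RootDN= cn=Directory Manager).
DIRECTIVE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)\s*=\s*(.*?)\s*$")

# Constructed sample modelled on Example 3-2; the IP address is a placeholder.
SAMPLE_INF = """\
[General]
FullMachineName= dir.example.com
SuiteSpotUserID= www
SuiteSpotGroup= other
AdminDomain= example.com
ConfigDirectoryAdminID= admin
ConfigDirectoryAdminPwd= admin
ConfigDirectoryLdapURL= ldap://dir.example.com:389/o=NetscapeRoot

[slapd]
SlapdConfigForMC= Yes
UseExistingMC= No
ServerPort= 389
ServerIdentifier= dir
Suffix= dc=example,dc=com
RootDN= cn=Directory Manager
RootDNPwd= password123

[admin]
Port= 9830
ServerIpAddress= 192.0.2.10
ServerAdminPwd= admin
"""


def parse_inf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .inf text into {section: {directive: value}}.

    Raises ValueError on a directive outside any section or on a line that is
    neither a section header nor a directive, so a corrupted cache file is
    rejected rather than silently half-applied.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        m = DIRECTIVE_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"line {lineno}: expected [section] or directive=value, got {raw!r}")
        sections[current][m.group(1)] = m.group(2)
    return sections


def find_cleartext_passwords(sections: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (section, directive) pairs whose value is a non-empty cleartext password."""
    return [
        (section, directive)
        for section, directives in sections.items()
        for directive, value in directives.items()
        if directive in PASSWORD_DIRECTIVES and value
    ]


def redact_inf(text: str) -> str:
    """Return a copy of the .inf text with password values replaced by asterisks.

    Non-password lines are passed through unchanged so the result stays a
    valid setup file apart from the masked secrets.
    """
    out = []
    for raw in text.splitlines():
        m = DIRECTIVE_RE.match(raw.strip())
        if m and m.group(1) in PASSWORD_DIRECTIVES:
            out.append(f"{m.group(1)}= ********")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    parsed = parse_inf(SAMPLE_INF)
    for section, directive in find_cleartext_passwords(parsed):
        print(f"cleartext password in [{section}] {directive}")
    print(redact_inf(SAMPLE_INF))
```

The redacted copy is what to share; the original .inf should stay readable only by root, as the CAUTION for --keepcache in Table 3-1 advises.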
Using a setup file in conjunction with command line parameters is useful when you create a setup file to serve as the basis for setting up many Directory Servers. The command line parameters specify values specific to the Directory Server being set up. For example, parameters such as ConfigDirectoryLdapURL, which can be used for multiple instances, could be specified in the setup file. Parameters such as FullMachineName, which is specific to the host, could be specified in the command line.
4 Post-installation and advanced configuration tasks This chapter describes configuration tasks to perform after you have installed Directory Server including additional configuration steps for Administration Server and Directory Server instances and how to set up additional Directory Server and Administration Server instances. It also describes how to uninstall the Directory Server. 4.
This allows all IP addresses to access the Administration Server. CAUTION: By default, access to the Administration Server is limited to users in the same domain as the Administration Server itself. Adding additional IP addresses or proxy servers to the list of accepted addresses increases the number of users that can access the Administration Server. To reduce the possibility of undesirable access, limit the allowed access.
NOTE: You can create new Directory Server instances through the Directory Server Console, as described in the HP-UX Directory Server administrator guide.
4.2.1 Creating a new Directory Server instance interactively
You can create additional instances of the Directory Server by running setup-ds-admin.pl at the command line. You can choose one of the setup choices (express, typical, or custom) described in Chapter 3 “Setting up HP-UX Directory Server”.
4.2.3 Creating a Directory Server instance manageable at the command line instead of Console To create a Directory Server instance so that you can manage the instance through the command line or other tools instead of through the Console, use the /opt/dirsrv/sbin/setup-ds.pl command. All tasks that can be performed from the Console can be performed from the command line or by other means.
4.4.2 Uninstalling the HP-UX Directory Server To uninstall HP-UX Directory Server entirely, perform the following steps: CAUTION: This procedure completely removes the Directory Server product and all data served by the Directory Servers on the host. 1. Remove all the Directory Server instances. For example, you can use the following script, entering the appropriate password (for admin-password) and actual Directory Server instances (for instance1 instance2 instance3 ...
5 General usage information This chapter contains common information that you will use after installing HP-UX Directory Server 8.1, such as where files are installed; how to start and stop the Directory Server and Administration Server; how to start the Directory Server Console; obtaining the Administration Server port number; resetting the Directory Manager password; and basic troubleshooting information.
5.3 Starting the Directory Server Console
To launch the Directory Server Console, use the hpds-idm-console script:
# /opt/dirsrv/bin/hpds-idm-console
When the login screen opens, you are prompted for the user name, password, and Administration Server location. The Administration Server has a standard HTTP address; the default is:
http://hostname:9830/
If the Administration Server is using TLS/SSL, the URL begins with https://. You can send the Administration Server URL and port with the start script.
1. Stop the Directory Server. If the Directory Server is not stopped when the configuration files are edited, the changes are not applied.
# /opt/dirsrv/slapd-instance/stop-slapd
2. Generate a new, hashed password using pwdhash in the /opt/dirsrv/bin directory. For example:
# /opt/dirsrv/bin/pwdhash newpassword
{SSHA}nbR/ZeVTwZLw6aJH6oE4obbDbL0OaeleUoT21w==
3. In the configuration directory, open the dse.
6 Migrating or upgrading to HP-UX Directory Server from Netscape or Red Hat Directory Server This chapter provides information about moving to HP-UX Directory Server 8.1 from Netscape Directory Server 6.11 or 6.21, or from Red Hat Directory Server 7.1 or 8.0. In this chapter, moving to HP-UX Directory Server 8.1 from Netscape Directory Server 6.11 or 6.21, or from Red Hat Directory Server 7.
Server Console on the second server (server2) so that it writes its own Console instance instead of server1's.
1. Shut down the Administration Server and Directory Server.
2. Change the adm.conf file for the Administration Server to reflect server2's Directory Server values:
ldapurl: ldap://server2.example.com:389/o=NetscapeRoot
3. Change the dse.ldif for the Directory Server to reflect server2's Directory Server values:
serverRoot/slapd-serverID/config/dse.ldif:nsslapd-pluginarg0: ldap:///server2.example.
Table 6-1 migrate-ds-admin Options and Argument (continued)
Option or argument: --cross (Optional)
Alternate options: -c or -x
Description: This parameter is used when the Directory Server is being migrated from one machine to another machine that has a different architecture. For cross-platform migrations, only certain data are migrated. This migration action takes database information exported to LDIF and imports LDIF data into the new 8.1 databases. Changelog information is not migrated.
or to a different platform. The migration script has different options available to facilitate migration. The following sections describe the different scenarios.
• “Migrating a server or single instance” (page 50)
• “Migrating replicated servers” (page 50)
• “Migrating a Directory Server from one machine to another” (page 51)
• “Migrating a Directory Server from one platform to another” (page 52)
6.1.3.
IMPORTANT: Do not set up the new Directory Server instances with setup-ds-admin.pl before running the migration script.
# /opt/dirsrv/sbin/migrate-ds-admin.pl \
    --oldsroot /var/opt/netscape/server7/ \
    General.ConfigDirectoryAdminPwd=password
Where /var/opt/netscape/server7 is the directory where the old Directory Server is installed.
6. The migration process starts. The legacy Directory Server is migrated, and a new Directory Server 8.
The --oldsroot option can also specify a local directory on the target machine that was created from a tarball. In that case, create a tarball of your old server root directory, and untar it on the target machine. In this example, a tarball was created of /var/opt/netscape/server7 on the source machine, and it was untarred under /migration on the target machine:
# /opt/dirsrv/sbin/migrate-ds-admin.pl --oldsroot /migration/server7 \
    --actualroot /var/opt/netscape/server7 \
    General.
option allows you to set the specific instance to migrate. For example, this command migrates a Directory Server instance named example:
# /opt/dirsrv/sbin/migrate-ds-admin.pl \
    --oldsroot /net/server2/migration/server7 \
    --actualroot /var/opt/netscape/server7 --instance example \
    General.ConfigDirectoryAdminPwd=password
The procedure follows:
1. Stop all Directory Server instances and the Administration Server.
2. Back up all the Directory Server user and configuration data.
3.
# /opt/dirsrv/slapd-instance_name/db2bak \
    /home/files/bak/slapd-instance_name
To restore Red Hat Directory Server 8.0, reinstall the Red Hat Directory Server 8.0 product package, extract the configuration data to /etc/opt/dirsrv, and run bak2db to restore the data. For example:
# /opt/dirsrv/slapd-instance_name/stop-slapd
# cd /etc/opt/dirsrv
# tar xvf /home/files/rhds80cfg.tar
# /opt/dirsrv/slapd-instance_name/bak2db \
    /home/files/bak/slapd-instance_name
6.2.
7 Support and other resources
7.1 Contacting HP
7.1.1 Information to collect before contacting HP
Be sure to have the following information available before you contact HP:
• Software product name
• Hardware product model number
• Operating system type and version
• Applicable error message
• Third-party hardware or software
• Technical support registration number (if applicable)
7.1.
• HP-UX Directory Server administration server guide
The Administration Server is a support server that drives access to the Directory Server Console, provides a web server for Directory Server web applications, and stores some Directory Server configuration. This guide covers how to manage the Administration Server through the Console, through the command line, and through the web services. It also covers basic Administration Server concepts.
7.2.3 Troubleshooting resources
• You can search a technical knowledge database available on the HP IT Resource Center (ITRC) website at: http://itrc.hp.com/
• To seek solutions to problems, you can post messages on the ITRC Forums page at the following website (select the HP-UX area in the Areas of peer problem solving section): http://forums.itrc.hp.com/
In addition, troubleshooting suggestions are included in the following section of this guide:
• “Troubleshooting” (page 45)
7.
Glossary

A
access control instruction: See ACI.
access control list: See ACL.
access rights: In the context of access control, specify the level of access granted or denied. Access rights are related to the type of operation that can be performed on the directory. The following rights can be granted or denied: read, write, add, delete, search, compare, selfwrite, proxy and all.
bind distinguished name: See bind DN.
bind DN: Distinguished name used to authenticate to Directory Server when performing an operation.
bind rule: In the context of access control, the bind rule specifies the credentials and conditions that a particular user or client must satisfy in order to get access to directory information.
branch entry: An entry that represents the top of a subtree in the directory.
CoS definition entry: Identifies the type of CoS you are using. It is stored as an LDAP subentry below the branch it affects.
CoS template entry: Contains a list of the shared attribute values. See also template entry.

D
daemon: A background process on a Unix machine that is responsible for a particular system task. Daemon processes do not need human intervention to continue functioning.
DAP: Directory Access Protocol. The ISO X.500 standard protocol that provides client access to the directory.
file type: The format of a given file. For example, graphics files are often saved in GIF format, while a text file is usually saved as ASCII text format. File types are usually identified by the file extension (for example, .GIF or .HTML).
filter: A constraint applied to a directory query that restricts the information returned.
filtered role: Allows you to assign entries to the role depending upon the attribute contained by each entry. You do this by specifying an LDAP filter.

L
LDAP: Lightweight Directory Access Protocol. Directory service protocol designed to run over TCP/IP and across multiple platforms.
LDAP client: Software used to request and view LDAP entries from an LDAP Directory Server. See also browser.
LDAP Data Interchange Format: See LDAP Data Interchange Format.
LDAP URL: Provides the means of locating Directory Servers using DNS and then completing the query via LDAP. A sample LDAP URL is ldap://ldap.example.com.
are automatically replicated to the other server. In case of conflict, a time stamp is used to determine which server holds the most recent version.
multiplexor: The server containing the database link that communicates with the remote server.

N
n + 1 directory problem: The problem of managing multiple instances of the same information in different directories, resulting in increased hardware and personnel costs.
name collisions: Multiple entries with the same distinguished name.
presence index: Allows searches for entries that contain a specific indexed attribute.
protocol: A set of rules that describes how devices on a network exchange information.
protocol data unit: See PDU.
proxy authentication: A special form of authentication where the user requesting access to the directory does not bind with its own DN but with a proxy DN.
proxy DN: Used with proxied authorization.

S
SASL: An authentication framework for clients as they attempt to bind to a directory. Also Simple Authentication and Security Layer.
schema: Definitions describing what types of information can be stored as entries in the directory. When information that does not match the schema is stored in the directory, clients attempting to access the directory may be unable to display the proper results.
schema checking: Ensures that entries added or modified in the directory conform to the defined schema.
superuser: The most privileged user available on Unix machines. The superuser has complete access privileges to all files on the machine. Also called root.
supplier: Server containing the master copy of directory trees or subtrees that are replicated to replica servers.
supplier server: In the context of replication, a server that holds a replica that is copied to a different server is called a supplier for that replica.
Index

HP-UX 11i, 15

K
Kerberos 5
    HP-UX 11i, 16

M
Migrating, 47
    prerequisites, 47
        configure the Directory Server Console (for multi-master replication only), 47
    scenarios
        all or single instance, 50
        different machines, 51
        different platforms, 52
        replicated site, 50

O
Operating system requirements, 12
    HP-UX patches, 12
    system configuration, 13

P
Passwords
    Directory Manager, 44
Patches
    HP-UX, 12
Perl
    HP-UX, 13
Port number
    finding
        Administration Server, 44
        Directory Server only, 39
    table, 20
    setup script, 17
setu