Red Hat Directory Server 9 Installation Guide
Updated for Directory Server 9.1, Edition 9.1
Ella Deon Lackey dlackey@redhat.
Legal Notice
Copyright © 2013 Red Hat, Inc. This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be removed.
Table of Contents
Preface (5)
1. Examples and Formatting (5)
1.1. Command and File Examples (6)
1.2. Brackets (6)
1.3. Client Tool Information (6)
1.4. Text Formatting and Styles (6)
2. Additional Reading (7)
3. Giving Feedback (8)
4. Documentation History (8)
Chapter 1. Preparing
4.2.1. Creating a New Directory Server Instance (44)
4.2.2. Installing Only the Directory Server (45)
4.3. Registering Servers Using register-ds-admin.pl (45)
4.3.1. register-ds-admin.pl Options (45)
4.3.2. Registering an Existing Directory Server Instance with the Configuration Directory Server (46)
4.4. Updating Directory Server Instances (46)
4.5. Silent Setup (47)
4.5.1. Silent Setup for Directory Server and Admin Server (47)
4.5.2.
Preface
This installation guide describes the Red Hat Directory Server 9.1 installation process and the migration process. This manual provides detailed step-by-step procedures for all supported operating systems, along with explanations of the different setup options (express, typical, custom, and silent), additional options for Directory Server instance creation, migrating previous versions of Directory Server, and troubleshooting and basic usage.
IMPORTANT
Directory Server 9.
1.1. Command and File Examples
All of the examples for Red Hat Directory Server commands, file locations, and other usage are given for Red Hat Enterprise Linux 6.2 (64-bit) systems. Be certain to use the appropriate commands and files for your platform.
Example 1. Example Command
To start the Red Hat Directory Server:
service dirsrv start
1.2. Brackets
Square brackets ([]) are used to indicate an alternative element in a name.
Other formatting styles draw attention to important text.
NOTE A note provides additional information that can help illustrate the behavior of the system or provide more detail for a specific issue.
IMPORTANT Important information is necessary, but possibly unexpected, such as a configuration change that will not persist after a reboot.
WARNING A warning indicates potential data loss, as may happen when tuning hardware for maximum performance.
2.
The Red Hat Directory Server Performance Tuning Guide describes how to monitor overall Directory Server and database performance, tune attributes for specific operations, and tune the server and database for optimum performance.
Chapter 1. Preparing for a Directory Server Installation
Before you install Red Hat Directory Server 9.1, there are required settings and information that you need to plan in advance. This chapter describes the kind of information that you should provide, relevant directory service concepts, Directory Server components, and the impact and scope of integrating Directory Server into your computing infrastructure.
lab.eng.example.com, so the domain name used by the setup script is lab.eng.example.com. Any information in the /etc/resolv.conf file must match the information maintained in the local /etc/hosts file. If there are aliases in the /etc/hosts file, such as ldap1.example.com, that do not match the specified domains in the /etc/resolv.
The Admin Server runs on a web server, so it uses HTTP or HTTPS. However, unlike the Directory Server, which can run on secure (LDAPS) and insecure (LDAP) ports at the same time, the Admin Server cannot run over both HTTP and HTTPS simultaneously. The setup program, setup-ds-admin.pl, does not allow you to configure the Admin Server to use TLS/SSL.
* - nofile 8192
4. Edit the /etc/pam.d/system-auth file, and add this entry:
session required /lib/security/$ISA/pam_limits.so
5. Reboot the Linux machine to apply the changes.
1.2.5. Directory Server User and Group
The setup process sets a user ID (UID) and group ID (GID) as which the servers will run. The default UID is a non-privileged (non-root) user, nobody on Red Hat Enterprise Linux.
Server Console. Every Directory Server is configured to grant this user administrative access. There are important differences between the Directory Administrator and the Directory Manager: the administrator cannot create top-level entries for a new suffix through an add operation, either by adding an entry in the Directory Server Console or by using ldapadd, a tool provided with OpenLDAP. Only the Directory Manager can add top-level entries by default.
directory, and for larger sites, this write activity can create performance issues for other directory service activities. The configuration directory can be replicated to increase availability and reliability. If the configuration directory tree gets corrupted, you may have to re-register or re-configure all Directory Server instances.
For example, to set the machine name, suffix, and Directory Server port of the new instance, the command is as follows:
setup-ds-admin.pl General.FullMachineName=ldap.example.com slapd.Suffix="dc=example,dc=com" slapd.ServerPort=389
NOTE Passing arguments on the command line or specifying an .inf file sets the defaults used in the interactive prompt unless they are used with the -s (silent) option.
TIP To go back to a previous dialog screen, type Control-B and press Enter. You can backtrack all the way to the first screen.
When setup-ds-admin.pl finishes, it generates a log file in the /tmp directory called setupXXXXXX.log, where XXXXXX is a series of random characters. This log file contains all of the prompts and answers supplied to those prompts, except for passwords.
Table 1.1. setup-ds-admin Options
--silent (alternate: -s): This sets that the setup script will run in silent mode, drawing the configuration information from a file (set with the --file parameter) or from arguments passed in the command line rather than interactively.
--file=name (alternate: -f name): This sets the path and name of the file which contains the configuration settings for the new Directory Server instance. Example: /usr/sbin/setup-ds-admin.pl -f /export/sample.inf
WARNING The cache file contains the cleartext passwords supplied during setup. Use appropriate caution and protection with this file.
--logfile name (alternate: -l): This parameter specifies a log file to which to write the output. If this is not set, then the setup information is written to a temporary file. Example: -l /export/example2007.
information about the directory service, like suffix and configuration directory information, while still proceeding quickly through the setup process.
Custom — The most detailed setup mode. This provides more control over Admin Server settings and also allows data to be imported into the Directory Server at setup, so that entries are already populated in the databases when the setup is complete.
Table 1.2. Comparison of Setup Types
Setup Screen | Parameter Input | Equivalent .inf Directive
Continue with setup | Yes or no | N/A
Accept license agreement | Yes or no | N/A
Accept dsktune output and continue with setup | Yes or no | N/A
Choose setup type | 1 (express), 2 (typical), 3 (custom) |
Set the computer name | ldap.example.
Give the Configuration Directory Server user ID | admin | [General] ConfigDirectoryAdminID=admin [a]
Give the Configuration Directory Server user password | password | [General] ConfigDirectoryAdminPwd=password [a]
Give the Configuration Directory Server administration domain password | example.com | [General] AdminDomain=example.com [a]
Give the path to the CA certificate (if using LDAPS) | /tmp/cacert.asc | [General] CACertificate=/tmp/cacert.
Directory Manager ID | Manager | [slapd] RootDN=cn=Directory Manager
Set the Directory Manager password | password | [slapd] RootDNPwd=password
Install sample entries | Yes or no | [slapd] AddSampleEntries=Yes
Populate the Directory Server with entries | Supply the full path and filename to an LDIF file; type suggest, which imports common container entries, such as ou=People; type none, which does not import any data | Equivalent to sugg
runs | nobody |
Are you ready to configure your servers? | Yes or no | N/A
[a] This option is only available if you choose to register the Directory Server instance with a Configuration Directory Server.
[b] This option is only available if you choose not to register the Directory Server instance with a Configuration Directory Server.
Chapter 2. System Requirements
Before configuring the default Red Hat Directory Server 9.1 instances, it is important to verify that the host server has the required system settings and configuration:
The system must have the required packages, patches, and kernel parameter settings.
DNS must be properly configured on the target system.
The host server must have a static IP address (IPv4 or IPv6).
IMPORTANT When the new JDK is installed for Directory Server 9.1, it is no longer possible to manage older instances of Directory Server using the Directory Server Console, because the required JDKs for the different Directory Server versions are different. You must migrate any older instance to Directory Server 9.1 if you need to manage that instance with the Directory Server Console.
To install OpenJDK:
[root@server ~]# yum install java-1.6.
The Directory Server Console is supported on the following platforms:
Red Hat Enterprise Linux 5 i386 (32-bit)
Red Hat Enterprise Linux 5 x86_64 (64-bit)
Red Hat Enterprise Linux 6 i386 (32-bit)
Red Hat Enterprise Linux 6 x86_64 (64-bit)
Microsoft Windows Server 2008 R2 (32-bit)
Microsoft Windows Server 2008 R2 (64-bit)
NOTE The Directory Server Console can be installed on additional Windows platforms at an additional cost.
2.1.6.
NOTE The setup program also runs dsktune, reports the findings, and asks whether you want to continue with the setup procedure every time a Directory Server instance is configured. Red Hat recommends running dsktune before beginning to set up the Directory Server instances so that you can properly configure your kernel settings and install any missing patches. The dsktune utility is in the /usr/bin directory.
Chapter 3. Setting up Red Hat Directory Server on Red Hat Enterprise Linux
Installing and configuring Red Hat Directory Server on Red Hat Enterprise Linux has two primary steps:
1. Install the Directory Server packages.
2. Run the setup-ds-admin.pl script. This is where all of the information about the new Directory Server instance is supplied.
3.1.1. Installing Using yum
The simplest method to install the packages is using the native tools (yum) on Red Hat Enterprise Linux.
1. A system has to be registered to Red Hat (or to an on-premise application such as Subscription Asset Manager) to be able to download content. Additionally, the appropriate subscriptions must be attached to the system. This is done using the subscription-manager client tools.
a.
[root@server ~]# subscription-manager list --installed
....
Product Name: Red Hat Directory Server
Product ID: 200
Version: 9.0
Arch: x86_64
Status: Subscribed
Starts: 08/14/2013
Ends: 01/01/2022
...
3.1.2. Installing from an ISO Image
1. A system has to be registered to Red Hat (or to an on-premise application such as Subscription Asset Manager) to be able to download content.
4. Set the product to filter for Red Hat Directory Server.
5. Select the architecture.
6. Download the packages from Red Hat Network, and burn them to CD or DVD.
7. Insert the media; the system should automatically recognize and mount the disc.
8. There is no autorun feature with the Directory Server packages, so open the directory on the disc containing the Directory Server packages.
[root@server RPMS]# ls *.rpm | egrep -iv -e devel -e debuginfo | xargs rpm -ivh
10. Verify the subscription status for Directory Server, with the validity period of the subscription:
[root@server ~]# subscription-manager list --installed
....
Product Name: Red Hat Directory Server
Product ID: 200
Version: 9.0
Arch: x86_64
Status: Subscribed
Starts: 08/14/2013
Ends: 01/01/2022
...
3.2.
NOTE Run the setup-ds-admin.pl script as root.
2. Select y to accept the Red Hat licensing terms.
3. The dsktune utility runs. Select y to continue with the setup. dsktune checks the available disk space, processor type, physical memory, and other system data and settings such as TCP/IP ports and file descriptor settings. If your system does not meet these basic Red Hat Directory Server requirements, dsktune returns a warning.
IMPORTANT When resetting the Directory Manager's password from the command line, do not use curly braces ({}) in the password. The root password is stored in the format {password-storage-scheme}hashed_password. Any characters in curly braces are interpreted by the server as the password storage scheme for the root password.
3.3. Typical Setup
The typical setup process is the most commonly used setup process. It offers control over the ports for the Directory and Admin Servers, the domain name, and the directory suffix.
WARNING If Directory Server is already installed on your machine, it is extremely important that you perform a migration, not a fresh installation. Migration is described in Chapter 5, Migrating from Previous Versions.
1.
NOTE The Directory Server requires the fully-qualified domain name to set up the servers, as described in Section 1.2.1, “Resolving the Fully-qualified Domain Name”. The setup script uses the system's gethostname() function to obtain the hostname (such as ldap) and the /etc/resolv.conf file to identify the domain name (such as example.com).
8. Set the administrator username. The default is admin.
9. Set the administrator password and confirm it.
10. Set the administration domain. This defaults to the host's domain. For example:
Administration Domain [example.com]:
11. Enter the Directory Server port number. The default is 389, but if that port is in use, the setup program supplies a randomly generated one.
Directory server network port [30860]: 1025
12.
Are you ready to set up your servers? [yes]:
Creating directory server . . .
Your new DS instance 'example2' was successfully created.
Creating the configuration directory server . . .
Beginning Admin Server reconfiguration . . .
Creating Admin Server files and directories . . .
Updating adm.conf . . .
Updating admpw . . .
Registering admin server with the configuration directory server . . .
Updating adm.
WARNING If Directory Server is already installed on your machine, it is extremely important that you perform a migration, not a fresh installation. Migration is described in Chapter 5, Migrating from Previous Versions.
1. After the Directory Server packages are installed as described in Section 3.1, “Installing the Directory Server Packages”, launch the setup-ds-admin.pl script.
# /usr/sbin/setup-ds-admin.
System User [nobody]:
System Group [nobody]:
7. The next step allows you to register your Directory Server with an existing Directory Server instance, called the Configuration Directory Server. This registers the new instance so it can be managed by the Console. If this is the first Directory Server instance set up on your network, it is not possible to register it with another directory.
14. Set the Directory Manager username. The default is cn=Directory Manager.
15. Set the Directory Manager password and confirm it.
IMPORTANT When resetting the Directory Manager's password from the command line, do not use curly braces ({}) in the password. The root password is stored in the format {password-storage-scheme}hashed_password.
Are you ready to set up your servers? [yes]:
Creating directory server . . .
Your new DS instance 'example3' was successfully created.
Creating the configuration directory server . . .
Beginning Admin Server reconfiguration . . .
Creating Admin Server files and directories . . .
Updating adm.conf . . .
Updating admpw . . .
Registering admin server with the configuration directory server . . .
Updating adm.
Chapter 4. Advanced Setup and Configuration
After the default Directory Server and Admin Server have been configured, there are tools available to manage, create, and remove server instances. These include Admin Server configurations to allow people to access the Directory Server files remotely, silent setup tools for installing instances from a configuration file, and instance setup and removal scripts.
4.1.
4.1.2. Configuring Proxy Servers for the Admin Server
If there are proxies for the HTTP connections on the client machine running the Directory Server Console, the configuration must be changed in one of two ways:
The proxy settings must be removed from the client machine. Removing proxies on the machine running the Directory Server Console allows the client to access the Admin Server directly.
IMPORTANT When resetting the Directory Manager's password from the command line, do not use curly braces ({}) in the password. The root password is stored in the format {password-storage-scheme}hashed_password. Any characters in curly braces are interpreted by the server as the password storage scheme for the root password.
Table 4.1. register-ds-admin.pl Options
--debug (flag: -d[dddd]): This parameter turns on debugging information. For the -d flag, increasing the number of d's increases the debug level.
--logfile name (flag: -l): This parameter specifies a log file to which to write the output. If this is not set, then the setup information is written to a temporary file. Example: -l /export/example2007.
Directory information, then re-registers each instance with the Configuration Directory. The update and registration process replaces any missing or outdated packages.
/usr/sbin/setup-ds-admin.pl -u
4.5. Silent Setup
Silent setup uses a file to predefine all the Directory Server configuration parameters that are normally supplied interactively with the setup program.
directives are described more in Section 4.5.5.1, “.inf File Directives”.
3. Run the setup-ds-admin.pl script with the -s and -f options.
[root@server ~]# /usr/sbin/setup-ds-admin.pl -s -f /export/ds-inf/setup.inf
Running setup-ds-admin.pl installs both the Directory Server instance and the Admin Server instance. This means that the setup file must specify parameters for both the Directory Server and the Admin Server.
[root@server ~]# /usr/sbin/setup-ds-admin.pl -s -f /export/ds-inf/setupsingle.inf
Running setup-ds-admin.pl installs only a Directory Server instance, so the setup file must specify parameters only for the Directory Server. -s runs the script in silent mode, and -f /export/ds-inf/setup.inf specifies the setup file to use. After the script runs, the new Directory Server instance is configured and running, as with a standard setup.
4.5.3.
NOTE The section names and parameter names used in the .inf files and on the command line are case sensitive. Refer to Table 4.2, “setup-ds-admin Options” to check the correct capitalization.
Table 4.2. setup-ds-admin Options
--silent (alternate: -s): This sets that the setup script will run in silent mode, drawing the configuration information from a file (set with the --file parameter) rather than interactively.
--file=name (alternate: -f name): This sets the path and name of the file which contains the configuration settings for the new Directory Server instance. Example: /usr/sbin/setup-ds-admin.pl -f /export/sample.inf
WARNING The cache file contains the cleartext passwords supplied during setup. Use appropriate caution and protection with this file.
--logfile name (alternate: -l): This parameter specifies a log file to which to write the output. If this is not set, then the setup information is written to a temporary file. Example: -l /export/example2007.log. For no log file, set the file name to /dev/null: -l /dev/null
4.5.4.
dn: cn=replica,cn=dc=example\,dc=com,cn=mapping tree,cn=config
changetype: add
objectclass: top
objectclass: nsds5replica
objectclass: extensibleObject
cn: replica
nsds5replicaroot: dc=example,dc=com
nsds5replicaid: 7
nsds5replicatype: 3
nsds5flags: 1
nsds5ReplicaPurgeDelay: 604800
nsds5ReplicaBindDN: cn=replication manager,cn=config
For more information on LDIF, see the Directory Server Administrator's Guide.
[General]
directive=value
directive=value
directive=value
...
[slapd]
directive=value
directive=value
directive=value
...
[admin]
directive=value
directive=value
directive=value
The .inf file directives are explained more in the following sections.
Section 4.5.5.1, “.inf File Directives”
Section 4.5.5.2, “Sample .inf Files”
4.5.5.1.
Table 4.3. [General] Directives
FullMachineName: Specifies the fully qualified domain name of the machine on which you are installing the server. The default is the local host name. Required: No. Example: ldap.example.com
NOTE The given hostname must be a fully-qualified domain name that can be resolved using gethostname() and then can be reverse-resolved by IP address back to the original hostname.
This should be changed for most deployments.
ConfigDirectoryLdapURL: Specifies the LDAP URL that is used to connect to your configuration directory. LDAP URLs are described in the Directory Server Administrator's Guide. Required: Yes. Example: ldap://ldap.example.com:389/o=NetscapeRoot
AdminDomain: Specifies the administration domain under which this Directory Server instance is registered. See Section 1.2.
Table 4.4. [slapd] Directives
ServerPort: Specifies the port the server will use for LDAP connections. For information on selecting server port numbers, see Section 1.2.2, “Port Numbers”. Required: No. Example: 389
ServerIdentifier: Specifies the server identifier. This value is used as part of the name of the directory in which the Directory Server instance is installed.
IMPORTANT Do not use curly braces ({}) in the password. The root password is stored in the format {password-storage-scheme}hashed_password. Any characters in curly braces are interpreted by the server as the password storage scheme for the root password. If that text is not a valid storage scheme or if the password that follows is not properly hashed, then the Directory Manager cannot bind to the server.
InstallLdifFile: Populates the new directory with the contents of the specified LDIF file. Using suggest fills in common container entries (like ou=People). Entering a path to an LDIF file imports all of the entries in that file. Required: No. Example: InstallLdifFile = /tmp/entries/myldif.ldif
SchemaFile: Lists the full path and file name of additional schema files; this is used if there is custom schema with the old Directory Server.
configuration data are stored in the new instance.
Table 4.5. [admin] Directives
SysUser: Specifies the user as which the Admin Server will run. The default is user nobody on Linux. This should be changed for most deployments. For information about which users your servers should run as, see Section 1.2.5, “Directory Server User and Group”.
4.5.5.2. Sample .inf Files
Example 4.1. .inf File for a Custom Installation
[General]
FullMachineName= ldap.example.com
SuiteSpotUserID= nobody
SuiteSpotGroup= nobody
AdminDomain= example.com
ConfigDirectoryAdminID= admin
ConfigDirectoryAdminPwd= Admin123
ConfigDirectoryLdapURL= ldap://ldap.example.
Example 4.2. .inf File for Registering the Instance with a Configuration Directory Server (Typical Setup)
[General]
FullMachineName= dir.example.com
SuiteSpotUserID= nobody
SuiteSpotGroup= nobody
AdminDomain= example.com
ConfigDirectoryAdminID= admin
ConfigDirectoryAdminPwd= admin
ConfigDirectoryLdapURL= ldap://dir.example.
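As an added example that is not part of the guide or of Red Hat Directory Server, the following Python checker applies the .inf rules stated in this section before a silent setup is run: section and directive names are case sensitive, ConfigDirectoryLdapURL is marked required, FullMachineName should be fully qualified, and RootDNPwd must not contain curly braces because the server stores the root password as {password-storage-scheme}hashed_password. The directive names come from Tables 4.3 to 4.5; the function names and the constructed sample files are assumptions of this example.

```python
"""Check a setup-ds-admin.pl silent-setup .inf file before running it.

Added example: the directive names are taken from the guide's tables;
the checker, its function names and the sample files below are
constructed for illustration and are not part of Red Hat Directory Server.
"""

# Directive names as the guide spells them. The names are case sensitive,
# so membership tests here are exact, never case-folded.
KNOWN_DIRECTIVES = {
    "General": {"FullMachineName", "SuiteSpotUserID", "SuiteSpotGroup",
                "AdminDomain", "ConfigDirectoryAdminID",
                "ConfigDirectoryAdminPwd", "ConfigDirectoryLdapURL"},
    "slapd": {"ServerPort", "ServerIdentifier", "Suffix", "RootDN",
              "RootDNPwd", "AddSampleEntries", "InstallLdifFile",
              "SchemaFile"},
    "admin": {"SysUser"},
}

# Of the directives listed on this page, only ConfigDirectoryLdapURL
# is marked "Required: Yes".
REQUIRED = {"General": {"ConfigDirectoryLdapURL"}}


def parse_inf(text):
    """Parse '[section]' and 'directive= value' lines into a nested dict.

    Whitespace around '=' is stripped, matching the guide's samples
    ('FullMachineName= ldap.example.com'). Blank lines and '#' comments
    are skipped; a directive before any [section] is an error.
    """
    sections = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if current is None:
            raise ValueError("line %d: directive before any [section]" % lineno)
        if "=" not in line:
            raise ValueError("line %d: expected directive=value" % lineno)
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def validate_inf(sections):
    """Return a list of problems; an empty list means the file passes."""
    problems = []
    for name, directives in sections.items():
        if name not in KNOWN_DIRECTIVES:
            # Catches [general] or [SLAPD]: section names are case sensitive.
            problems.append("unknown section [%s] (section names are case sensitive)" % name)
            continue
        for key in directives:
            if key not in KNOWN_DIRECTIVES[name]:
                problems.append("[%s] unknown directive %s (check capitalization)" % (name, key))
    for name, keys in REQUIRED.items():
        for key in keys:
            if not sections.get(name, {}).get(key):
                problems.append("[%s] %s is required" % (name, key))
    fqdn = sections.get("General", {}).get("FullMachineName")
    if fqdn is not None and "." not in fqdn:
        problems.append("[General] FullMachineName %r is not fully qualified" % fqdn)
    # The stored root password is {storage-scheme}hashed_password, so braces
    # in a cleartext password would be read as a storage scheme and the
    # Directory Manager could not bind afterwards.
    pwd = sections.get("slapd", {}).get("RootDNPwd", "")
    if "{" in pwd or "}" in pwd:
        problems.append("[slapd] RootDNPwd must not contain curly braces")
    return problems


def check_inf_text(text):
    """Parse and validate in one step; returns the problem list."""
    return validate_inf(parse_inf(text))


# Constructed sample with two deliberate faults: a mis-capitalised
# directive name and curly braces in the Directory Manager password.
SAMPLE_BAD = """\
[General]
FullMachineName= ldap.example.com
AdminDomain= example.com
ConfigDirectoryLdapURL= ldap://ldap.example.com:389/o=NetscapeRoot
[slapd]
serverport= 389
RootDN= cn=Directory Manager
RootDNPwd= {SSHA}notahash
"""

# Constructed sample that passes every check.
SAMPLE_GOOD = """\
[General]
FullMachineName= ldap.example.com
ConfigDirectoryLdapURL= ldap://ldap.example.com:389/o=NetscapeRoot
[slapd]
ServerPort= 389
RootDN= cn=Directory Manager
RootDNPwd= SecretPassword1
"""

if __name__ == "__main__":
    for label, sample in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(label, check_inf_text(sample) or "OK")
```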
3. Open the Downloads tab for the Directory Server channel.
4. Download the appropriate version of the WinSync Installer. This is the Password Sync MSI file (RedHat-PassSync-1.1.5-arch.msi). Save it to the Active Directory machine.
NOTE There are two PassSync packages available, one for 32-bit Windows servers and one for 64-bit. Make sure to select the appropriate package for your Windows platform.
5. Double-click the Password Sync MSI file to install it.
6. The Password Sync Setup window appears. Hit Next to begin installing.
7. Fill in the Directory Server hostname, secure port number, user name (such as cn=sync manager,cn=config), the certificate token (password), and the search base (e.g., ou=People,dc=example,dc=com). Hit Next, then Finish to install Password Sync.
8. Reboot the Windows machine to start Password Sync.
NOTE The Windows machine must be rebooted.
11. Copy the exported certificate from the Directory Server to the Windows machine.
12. Open a command prompt on the Windows machine, and open the Password Sync installation directory.
C:\Users\jsmith>cd "C:\Program Files\Red Hat Directory Password Synchronization"
13. Create new cert8.db and key.db databases on the Windows machine.
C:\Program Files\Red Hat Directory Password Synchronization>certutil.exe -d . -N
14.
Table 4.6. Installed Password Sync Libraries
Directory | Library
C:\WINDOWS\system32 | passhook.dll
C:\WINDOWS\system32 | libnspr4.dll
C:\WINDOWS\system32 | nss3.dll
C:\WINDOWS\system32 | sqlite3.dll
C:\WINDOWS\system32 | softokn3.dll
C:\WINDOWS\system32 | nssdbm3.dll
C:\WINDOWS\system32 | nssutil3.dll
C:\WINDOWS\system32 | smime3.dll
C:\WINDOWS\system32 | freebl3.
NOTE The Directory Server instance must be running for the script to bind to the server.
The remove-ds.pl script unregisters the server from the Configuration Directory Server and removes any related files and directories. By default, the key and cert files are left in the instance configuration directory, and the configuration directory is renamed removed.instance-name. Using the -a option (as shown) removes the security databases as well.
security databases (-a). Each Directory Server instance service must be running for the remove script to access it.
remove-ds.pl -a -i example1
remove-ds.pl -a -i example2
remove-ds.pl -a -i example3
Alternatively, if an Admin Server instance is also installed on the system, then use the remove-ds-admin.pl script to remove all Directory Server instances and the Admin Server instance.
remove-ds-admin.pl -a -y
2.
Chapter 5. Migrating from Previous Versions
For Red Hat Directory Server 8.x servers, an upgrade updates all of the Directory Server packages and then uses the setup script to update the server configuration. Because Red Hat Directory Server 8.x and Red Hat Directory Server 9.1 are supported on different platforms — Red Hat Enterprise Linux 5.x and Red Hat Enterprise Linux 6.x, respectively — it is not possible to do an in-place upgrade.
WARNING The required migration scripts, migrate-ds.pl and migrate-ds-admin.pl, are still available in Red Hat Directory Server 9.1. It is possible to use those scripts to perform a cross-platform migration directly from 7.1 to 9.0. However, this migration path is not fully supported. Please contact Red Hat Support Services before attempting to perform a direct 7.1 to 9.1 migration.
5.3. Upgrading 8.
SELinux Considerations
The upgrade process could require you to create files or directories that are outside the usual setup procedures, which could affect SELinux labels. Follow SELinux directions or references whenever they are given.

5.3.3. Migrating an 8.x Directory Server to 9.1
To upgrade Directory Server and move the instance from one machine to another, the 8.x information must be copied to the new machine manually.
[root@server ~]# service dirsrv-admin stop
[root@server ~]# service dirsrv stop

4. Back up all the Directory Server user and configuration data. For example:

[root@server1 ~]# db2bak /var/lib/dirsrv/slapd-instance_name/bak/instance_name-2013_04_30_16_27_56

5. Tar (almost) all of the files and directories for the original Directory Server 8.2 instance. The admserv.conf and httpd.
operating system automatically. The Red Hat Directory Server subscriptions are children of the Red Hat Enterprise Linux subscriptions, so if the Red Hat Enterprise Linux subscriptions are attached and Red Hat Directory Server is included in the account, then Red Hat Directory Server is covered.

[root@server ~]# subscription-manager register --auto-attach
Username: admin@example.
11. Make sure that the new Directory Server instance is not running.

[root@server1 ~]# service dirsrv-admin stop
[root@server1 ~]# service dirsrv stop

12. Run the setup-ds.pl command in offline mode to upgrade only the Directory Server configuration. This performs all of the basic setup required to perform any schema or data changes. For example:

[root@server1 ~]# setup-ds.pl -u -s General.UpdateMode=offline

13. Start the servers.
be removed.

5.3.4. Moving from Solaris to Red Hat Enterprise Linux
The upgrade process is largely similar when migrating from an 8.2 instance on Solaris to a 9.1 instance on Red Hat Enterprise Linux, but there are two significant differences:

You cannot use the regular system tar command in /bin/tar or /usr/bin/tar on Solaris. This version of tar is incompatible with the Red Hat Enterprise Linux version of tar.
Directory Server instance. For example, the LDIF file for the userRoot database would be userRoot.upgrade.ldif. This script can be used to export all databases, automatically, in the correct format.
NOTE
The cldb location assumes that the changelog is located in the default changelog directory. If the changelog is in a different location, use the appropriate directory. If replication is not enabled, this directory can be omitted.

For migrating to a different architecture:

[root@server ~]# cd /
[root@server ~]# tar cpfz rhds-upgrade.tar -C / --no-recursion --exclude httpd.conf --exclude admserv.
Remove the entire cn=uniqueid generator,cn=config entry.

d. For each /etc/dirsrv/slapd-* instance, make a corresponding directory, with the same name, in the /usr/lib[64]/dirsrv directory.

e. Change the ownership to the Directory Server user ID. For example:

for i in `find /usr /var /etc -name dirsrv`; do chown -R nobody:nobody $i; done

10.
ldapmodify -D "cn=directory manager" -w secret -p 389 -x
dn: cn=config
changetype: modify
replace: nsslapd-syntaxcheck
nsslapd-syntaxcheck: on

16. Verify that the directory databases have been successfully migrated. Directory Server 9.1 normalizes DN syntax during the upgrade import process. Make sure that the upgraded database is functional and contains all the data before deleting the backups.
service dirsrv-admin start

5.3.6. Upgrading Servers in Replication
The process for upgrading servers in replication is the same as for a single server, but the order in which the Directory Server instances are upgraded is important to keep from interrupting replication. First upgrade all supplier servers, then all hubs, and then all consumers. Always stop directory writes to the master or hub server before beginning the upgrade process.
NOTE
The Windows machine must be rebooted. Without the reboot, PasswordHook.dll is not enabled, and password synchronization will not function.
Chapter 6. General Usage Information
This chapter contains common information that you will use after installing Red Hat Directory Server 9.1, such as where files are installed; how to start the Directory Server, Admin Server, and Directory Server Console; and basic troubleshooting information. For more detailed information on using Directory Server, see the Directory Server Administrator's Guide.

6.1.
Table 6.2. Red Hat Enterprise Linux 5 and 6 (x86_64)

File or Directory               Location
Log files                       /var/log/dirsrv/slapd-instance
Configuration files             /etc/dirsrv/slapd-instance
Instance directory              /usr/lib64/dirsrv/slapd-instance
Certificate and key databases   /etc/dirsrv/slapd-instance
Database files                  /var/lib/dirsrv/slapd-instance
Runtime files                   /var/lock/dirsrv/slapd-instance
                                /var/run/dirsrv/slapd-instance
Init scripts                    /etc/rc.d/init.
Table 6.3. redhat-idm-console Options

Option        Description
-a adminURL   Specifies a base URL for the instance of Admin Server to log into.
-f fileName   Writes errors and system messages to fileName.
-h            Prints out the help message for redhat-idm-console.
-s            Specifies the directory instance to access, either by specifying the DN of the server instance entry (SIE) or the instance name, such as slapd-example.
6.4.1. Starting and Stopping Directory Server
The most common way to start and stop the Directory Server service is using system tools on Red Hat Enterprise Linux. For example, Linux uses the service tool:

service dirsrv {start|stop|restart} instance

Passing the instance name stops or starts only that instance; not giving any name starts or stops all instances.

NOTE
The service name for the Directory Server service on Red Hat Enterprise Linux is dirsrv.
/usr/bin/pwdhash newpassword
{SSHA}nbR/ZeVTwZLw6aJH6oE4obbDbL0OaeleUoT21w==

3. In the configuration directory, open the dse.ldif file. For example:

[root@server ~]# vim /etc/dirsrv/slapd-instance_name/dse.ldif

4. Locate the nsslapd-rootpw parameter.

nsslapd-rootpw: {SSHA}x03lZLMyOPaGH5VB8fcys1IV+TVNbBIOwZEYoQ==

Delete the old password, and enter in the new hashed password.
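As an added example, not code from the guide, here are steps 3 and 4 done from a shell function instead of by hand-editing: it takes the value printed by /usr/bin/pwdhash, refuses anything that is not in {SCHEME}hash form (so a cleartext password never lands in dse.ldif), keeps a backup, rewrites the single nsslapd-rootpw line in place, and verifies the result. It assumes the instance is stopped before dse.ldif is edited; the dse.ldif path and the sample hash are the ones shown above.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: replace the Directory Manager
# password hash in dse.ldif (steps 3 and 4) without hand-editing the file.
# Assumes the dirsrv instance is stopped before this runs.
#
# Usage: set_rootpw_hash /etc/dirsrv/slapd-instance_name/dse.ldif "$(/usr/bin/pwdhash newpassword)"

set_rootpw_hash() {
    dse="$1"    # path to the instance's dse.ldif
    hash="$2"   # value printed by pwdhash, e.g. {SSHA}nbR/ZeVTwZLw6aJH6oE4obbDbL0OaeleUoT21w==

    # Only accept a hashed value in storage-scheme form ({SCHEME} followed by
    # base64); a cleartext password would otherwise be stored readable.
    # The rejected value is deliberately not echoed, in case it is a password.
    if ! printf '%s\n' "$hash" | grep -Eq '^[{][A-Z0-9_]+[}][A-Za-z0-9+/=]+$'; then
        echo "refusing a value that is not in {SCHEME}hash form" >&2
        return 2
    fi
    [ -r "$dse" ] || { echo "cannot read $dse" >&2; return 2; }

    # dse.ldif carries exactly one nsslapd-rootpw line (in the cn=config entry);
    # anything else means the file is not what we expect, so leave it alone.
    count=$(grep -c '^nsslapd-rootpw: ' "$dse")
    if [ "$count" -ne 1 ]; then
        echo "expected one nsslapd-rootpw line in $dse, found $count" >&2
        return 3
    fi

    # Backup with the original mode and timestamps, then rewrite just that line
    # (awk rather than sed, because base64 hashes may contain '/').
    cp -p "$dse" "$dse.bak" || return 4
    awk -v h="$hash" '/^nsslapd-rootpw: / { print "nsslapd-rootpw: " h; next } { print }' \
        "$dse" > "$dse.tmp" || return 4
    # Write back through the existing file so its owner and mode (the Directory
    # Server user) are preserved, instead of moving a root-owned temp file in.
    cat "$dse.tmp" > "$dse" && rm -f "$dse.tmp" || return 4

    # Confirm the new value is in place before reporting success.
    grep -qF "nsslapd-rootpw: $hash" "$dse"
}
```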
Example 6.1. dsktune Output

Red Hat Directory Server system tuning analysis version 10-AUGUST-2007.

NOTICE : System is i686-unknown-linux2.6.9-34.EL (1 processor).

WARNING: 1011MB of physical memory is available on the system. 1024MB is recommended for best performance on large production system.

NOTICE : The net.ipv4.tcp_keepalive_time is set to 7200000 milliseconds (120 minutes). This may cause temporary server congestion from lost client connections.
/etc/dirsrv/slapd-instance_name directory.

Glossary

A

access control instruction
    See ACI.

access control list
    See ACL.

access rights
    In the context of access control, specify the level of access granted or denied. Access rights are related to the type of operation that can be performed on the directory. The following rights can be granted or denied: read, write, add, delete, search, compare, selfwrite, proxy and all.
regardless of the conditions of the bind.

approximate index
    Allows for efficient approximate or "sounds-like" searches.

attribute
    Holds descriptive information about an entry. Attributes have a label and a value. Each attribute also follows a standard syntax for the type of information that can be stored as the attribute value.

attribute list
    A list of required and optional attributes for a given entry type or object class.
bind DN
    Distinguished name used to authenticate to Directory Server when performing an operation.

bind rule
    In the context of access control, the bind rule specifies the credentials and conditions that a particular user or client must satisfy in order to get access to directory information.

branch entry
    An entry that represents the top of a subtree in the directory.
server. Programs written to use CGI are called CGI programs or CGI scripts and can be written in many of the common programming languages. CGI programs handle forms or perform output parsing that is not done by the server itself.

chaining
    A method for relaying requests to another server. Results for the request are collected, compiled, and then returned to the client.

changelog
    A changelog is a record that describes the modifications that have occurred on a replica.
alphabet or how to compare letters with accents to letters without accents.

consumer
    Server containing replicated directory trees or subtrees from a supplier server.

consumer server
    In the context of replication, a server that holds a replica that is copied from a different server is called a consumer for that replica.

CoS
    A method for sharing attributes between entries in a way that is invisible to applications.
definition entry
    See CoS definition entry.

Directory Access Protocol
    See DAP.

Directory Manager
    The privileged database administrator, comparable to the root user in UNIX. Access control does not apply to the Directory Manager.

directory service
    A database application designed to manage descriptive, attribute-based information about people and resources within an organization.

directory tree
    The logical representation of the information stored in the directory.
called realthing.yourdomain.domain where the server currently exists.

E

entry
    A group of lines in the LDIF file that contains information about an object.

entry distribution
    Method of distributing directory entries across more than one server in order to scale to support large numbers of entries.

entry ID list
    Each index that the directory uses is composed of a table of index keys and matching entry ID lists.
GSS-API
    Generic Security Services. The generic access protocol that is the native way for UNIX-based systems to access and authenticate Kerberos services; also supports session encryption.

H

hostname
    A name for a machine in the form machine.domain.dom, which is translated into an IP address. For example, www.example.com is the machine www in the subdomain example and com domain.

HTML
    Hypertext Markup Language. The formatting language used for documents on the World Wide Web.
indirect CoS
    An indirect CoS identifies the template entry using the value of one of the target entry's attributes.

international index
    Speeds up searches for information in international directories.

International Standards Organization
    See ISO.

IP address
    Also Internet Protocol address. A set of numbers, separated by dots, that specifies the actual location of a machine on the Internet (for example, 198.93.93.10).
LDAPv3
    Version 3 of the LDAP protocol, upon which Directory Server bases its schema format.

LDBM database
    A high-performance, disk-based database consisting of a set of large files that contain all of the data assigned to it. The primary data store in Directory Server.

LDIF
    LDAP Data Interchange Format. Format used to represent Directory Server entries in text form.

leaf entry
    An entry under which there are no other entries. A leaf entry cannot be a branch point in a directory tree.
master agent
    See SNMP master agent.

matching rule
    Provides guidelines for how the server compares strings during a search operation. In an international search, the matching rule tells the server what collation order and operator to use.

MD5
    A message digest algorithm by RSA Data Security, Inc.
    The problem of managing multiple instances of the same information in different directories, resulting in increased hardware and personnel costs.

name collisions
    Multiple entries with the same distinguished name.

nested role
    Allows the creation of roles that contain other roles.
OID
    See object identifier.

operational attribute
    Contains information used internally by the directory to keep track of modifications and subtree properties. Operational attributes are not returned in response to a search unless explicitly requested.

P

parent access
    When granted, indicates that users have access to entries below their own in the directory tree if the bind DN is the parent of the targeted entry.
presence index
    Allows searches for entries that contain a specific indexed attribute.

protocol
    A set of rules that describes how devices on a network exchange information.

protocol data unit
    See PDU.

proxy authentication
    A special form of authentication where the user requesting access to the directory does not bind with its own DN but with a proxy DN.

proxy DN
    Used with proxied authorization.
    string to form the full distinguished name. Also relative distinguished name.

read-only replica
    A replica that refers all update operations to read-write replicas. A server can hold any number of read-only replicas.

read-write replica
    A replica that contains a master copy of directory information and can be updated. A server can hold any number of read-write replicas.
RFC
    Request for Comments. Procedures or standards documents submitted to the Internet community. People can send comments on the technologies before they become accepted standards.

role
    An entry grouping mechanism. Each role has members, which are the entries that possess the role.

role-based attributes
    Attributes that appear on an entry because it possesses a particular role within an associated CoS template.

root
    The most privileged user available on Unix machines.
Server Console
    Java-based application that allows you to perform administrative management of your Directory Server from a GUI.

server daemon
    The server daemon is a process that, once running, listens for and accepts requests from clients.

Server Selector
    Interface that allows you to select and configure servers using a browser.

server service
    A process on Windows that, once running, listens for and accepts requests from clients.
SNMP
    Used to monitor and manage application processes running on the servers by exchanging data about network activity. Also Simple Network Management Protocol.

SNMP master agent
    Software that exchanges information between the various subagents and the NMS.

SNMP subagent
    Software that gathers information about the managed device and passes the information to the master agent. Also called a subagent.
supplier server
    In the context of replication, a server that holds a replica that is copied to a different server is called a supplier for that replica.

supplier-initiated replication
    Replication configuration where supplier servers replicate directory data to any replica servers.

symmetric encryption
    Encryption that uses the same key for both encrypting and decrypting. DES is an example of a symmetric encryption algorithm.
Transport Layer Security
    See TLS.

U

uid
    A unique number associated with each user on a Unix system.

URL
    Uniform Resource Locator. The addressing system used by the server and the client to request documents. It is often called a location. The format of a URL is protocol://machine:port/document. The port number is necessary only on selected servers, and it is often assigned by the server, freeing the user of having to place it in the URL.

Index
- user, Admin Server User
Administration domain, Administration Domain

C
Clients cannot locate the server, Problem: Clients cannot locate the server
Command-line arguments, Sending Parameters in the Command Line
Configuration directory, Configuration Directory
Custom setup
- Red Hat Enterprise Linux, Custom Setup

D
Directory Administrator, Directory Administrator
Directory Manager, Directory Manager
- password, Resetting the Direct
- starting, Starting the Directory Server Console
Directory suffix, Directory Suffix
dsktune, Using dsktune

E
Express setup
- Red Hat Enterprise Linux, Express Setup

F
File locations, Directory Server File Locations
Filesystem Hierarchy Standard, Directory Server File Locations
Forgotten Directory Manager DN and password, Problem: Forgotten Directory Manager DN and password

H
Hardware requirements
- based on directory size, General Hardware Requirements

I
Installing
- explained, Preparing for a
- setup-ds-admin.
- typical setup, Typical Setup
- uninstalling Directory Server, Uninstalling Directory Server
register-ds-admin.pl, Registering Servers Using register-ds-admin.pl
- options, register-ds-admin.
setup-ds.