HP HP-UX Directory Server Installation Guide

HP-UX Directory Server installation guide

HP-UX Directory Server Version 8.1
HP Part Number: 5900-0310 Published: September 2009 Edition: 1
© Copyright 2009 Hewlett-Packard Development Company, L.P.
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under
The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Table of Contents

1 Preparing for a Directory Server installation...............................................................7
1.1 Directory Server components............................................................................................................7
1.2 Considerations before setting up Directory Server...........................................................................7
1.2.1 Port numbers.............................................................................................................................7
1.2.2 Directory Server user and group...............................................................................................8
1.2.3 Directory manager....................................................................................................................8
1.2.4 Directory administrator............................................................................................................9
1.2.5 Administration Server user.......................................................................................................9
1.2.6 Directory suffix.........................................................................................................................9
1.2.7 Configuration directory..........................................................................................................10
1.2.8 Administration domain...........................................................................................................10
2 System requirements.....................................................................................................11
2.1 Hardware requirements..................................................................................................................11
2.2 Operating system requirements......................................................................................................12
2.3 HP-UX patches................................................................................................................................12
2.4 HP-UX system configuration..........................................................................................................13
2.4.1 Perl prerequisites.....................................................................................................................13
2.4.2 Kernel parameters...................................................................................................................13
2.4.3 TIME_WAIT setting.................................................................................................................14
2.4.4 Large file support....................................................................................................................14
3 Setting up HP-UX Directory Server ............................................................................15
3.1 Overview.........................................................................................................................................15
3.2 HP-UX Apache-based web server requirement..............................................................................15
3.3 Installing the JRE.............................................................................................................................15
3.4 Installing the Kerberos 5 libraries...................................................................................................16
3.5 Installing the Directory Server package..........................................................................................16
3.6 Setting up the Directory Server and Administration Server...........................................................16
3.6.1 Setup overview........................................................................................................................16
3.6.2 Options for running the setup script.......................................................................................17
3.6.3 Interactive setup modes..........................................................................................................20
3.6.4 Performing express setup........................................................................................................22
3.6.5 Performing typical setup.........................................................................................................24
3.6.6 Performing custom setup........................................................................................................26
3.6.7 Performing silent setup...........................................................................................................29
3.6.7.1 Setup file structure..........................................................................................................30
3.6.7.2 Setup file directives.........................................................................................................31
3.6.7.3 Sample setup files............................................................................................................34
3.6.8 Sending parameters in the command line..............................................................................35
3.6.9 Importing LDIF files for configuring Directory Server users, replication, and other entities......................36
4 Post-installation and advanced configuration tasks..................................................37
4.1 Configuring Administration Server instances................................................................................37
4.1.1 Configuring IP authorization on the Administration Server..................................................37
4.1.2 Configuring proxy servers for the Administration Server......................................................38
4.2 Creating additional Directory Server instances..............................................................................38
4.2.1 Creating a new Directory Server instance interactively..........................................................39
4.2.2 Creating a new Directory Server instance silently..................................................................39
4.2.3 Creating a Directory Server instance manageable at the command line instead of Console......................40
4.3 Registering an existing Directory Server instance with the Configuration Directory Server.........40
4.4 Uninstalling Directory Server..........................................................................................................40
4.4.1 Removing a single Directory Server instance.........................................................................40
4.4.2 Uninstalling the HP-UX Directory Server...............................................................................41
5 General usage information.........................................................................................43
5.1 Directory Server file locations.........................................................................................................43
5.2 LDAP tool locations.........................................................................................................................43
5.3 Starting the Directory Server Console.............................................................................................44
5.4 Getting the Administration Server port number............................................................................44
5.5 Starting and stopping servers..........................................................................................................44
5.5.1 Starting and stopping the Directory Server............................................................................44
5.5.2 Starting and stopping the Administration Server...................................................................44
5.6 Resetting the Directory Manager password....................................................................................44
5.7 Troubleshooting...............................................................................................................................45
5.7.1 Problem: Clients cannot locate the server...............................................................................45
5.7.2 Problem: The port is in use......................................................................................................45
5.7.3 Problem: Forgotten directory manager DN and password....................................................45
6 Migrating or upgrading to HP-UX Directory Server from Netscape or Red Hat Directory Server......................47
6.1 Migrating from Netscape Directory Server 6.x, or from Red Hat Directory Server 7.1.................47
6.1.1 Tasks to perform before migrating..........................................................................................47
6.1.1.1 Configuring the Directory Server Console......................................................................47
6.1.2 Migration script.......................................................................................................................48
6.1.3 Migration scenarios.................................................................................................................49
6.1.3.1 Migrating a server or single instance..............................................................................50
6.1.3.2 Migrating replicated servers...........................................................................................50
6.1.3.3 Migrating a Directory Server from one machine to another...........................................51
6.1.3.4 Migrating a Directory Server from one platform to another..........................................52
6.2 Upgrading from Red Hat Directory Server 8.0...............................................................................53
6.2.1 Backing up the Directory Server data and configuration prior to the upgrade.....................53
6.2.2 Performing the upgrade to HP-UX Directory Server 8.1........................................................54
7 Support and other resources.......................................................................................55
7.1 Contacting HP.................................................................................................................................55
7.1.1 Information to collect before contacting HP...........................................................................55
7.1.2 How to contact HP technical support.....................................................................................55
7.1.3 HP authorized resellers...........................................................................................................55
7.1.4 Documentation feedback.........................................................................................................55
7.2 Related information.........................................................................................................................55
7.2.1 HP-UX Directory Server documentation set...........................................................................55
7.2.2 HP-UX documentation set......................................................................................................56
7.2.3 Troubleshooting resources......................................................................................................57
7.3 Typographic conventions................................................................................................................57
Glossary............................................................................................................................59
Index.................................................................................................................................69

1 Preparing for a Directory Server installation

This manual provides a high-level overview of design and planning decisions you need to make before installing Directory Server, describes the different methods for setting up and installing the Directory Server, describes post-installation tasks, and provides general information about using Directory Server and how to troubleshoot problems.
Before you install HP-UX Directory Server 8.1, there are required settings and information that you need to plan in advance. This chapter describes the kind of information that you must provide. It also describes relevant directory service concepts, Directory Server components, and the impact and scope of integrating Directory Server into your computing infrastructure.
The information that is covered here and supplied during the Directory Server setup procedure relates to the design of your directory tree (the hierarchical arrangement of your directory, including all major roots and branch points) and relates to your directory suffixes and databases. For more information on suffixes and databases, see the HP-UX Directory Server administrator guide.

1.1 Directory Server components

Directory Server 8.1 consists of several components, which work in tandem:
Directory Server
The Directory Server is the core LDAP server daemon. It is compliant with LDAP v3 standards. This component includes command-line server management and administration programs, and scripts for common operations like exporting and backing up databases.
Directory Server Console
The Directory Server Console is the user interface that simplifies managing users, groups, and other LDAP data for your enterprise. The Console is used for all aspects of server management, including making backups; configuring security, replication, and databases; adding entries; and monitoring servers and viewing statistics.
Administration Server
The Administration Server is the management agent that administers Directory Servers. It communicates with the Directory Server Console and performs operations on the Directory Server instances. It also provides a simple HTML interface and on-line help pages. There must be one Administration Server running on each machine that has a Directory Server instance running on it.

1.2 Considerations before setting up Directory Server

Depending on the type of setup that you perform, you will be asked to provide instance-specific information for both the Administration Server and Directory Server during the installation procedure, including port numbers, server names, and user names and passwords for the Directory Manager and administrator. If you will have multiple Directory Server instances, then it is better to plan these configuration settings in advance so that the setup processes can run without conflict. The installation and setup steps are described in detail in Chapter 3 (page 15).

1.2.1 Port numbers

The Directory Server setup requires two TCP/IP port numbers: one for the Directory Server and one for the Administration Server. These port numbers must be unique.
The Directory Server instance (LDAP) has a default port number of 389. The Administration Server port number has a default number of 9830. If the default port number for either server is in use, then the setup script randomly generates a port number larger than 1024 to use as the default. Alternatively, you can assign any port number between 1025 and 65535 for the Directory Server and Administration Server ports; you are not required to use the defaults or the randomly-generated ports.
NOTE:
Although the valid range of port numbers is 1 to 65535, do not assign a Directory Server port number below 1024 (except 389 for LDAP, or 636 for LDAP with TLS/SSL). The Internet Assigned Numbers Authority (IANA) has already assigned ports 1 to 1023 to common processes.
When determining the port numbers to use, verify that the specified port numbers are not already in use by running a command like netstat.
For LDAPS (LDAP with TLS/SSL), the default port number is 636. The server can listen to both the LDAP and LDAPS port at the same time. However, the setup script will not allow you to configure TLS/SSL. To use LDAPS, assign the LDAP port number in the setup process, then reconfigure the Directory Server to use the LDAPS port and the other TLS/SSL parameters afterward. For information on how to configure LDAPS, see the HP-UX Directory Server administrator guide.
The Administration Server runs on a web server, so it uses HTTP or HTTPS. However, unlike the Directory Server, which can run on secure (LDAPS) and insecure (LDAP) ports at the same time, the Administration Server cannot run over both HTTP and HTTPS simultaneously. The setup script, setup-ds-admin.pl, does not allow you to configure the Administration Server to use TLS/SSL. To use TLS/SSL (meaning HTTPS) with the Administration Server, first set up the Administration Server to use HTTP, then reconfigure it to use HTTPS.
If you are using ports below 1024, such as the default LDAP port (389), you must run the setup script and start the servers as root. However, you do not have to set the server user ID to root. When the server starts, the server binds and listens to its port as root, then immediately drops its privileges and runs as the non-root server user ID. When the system restarts, the server is started as root by the init script. For more detailed technical information, see the setuid(2) manpage.
For more information about the server user ID, see “Directory Server user and group” (page 8).
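The port rules in this section (1025 to 65535, or 389/636 for LDAP/LDAPS, and not already bound) can be checked before running setup. The following script is an added example, not one of the HP setup scripts; the netstat output it parses is constructed sample data so it runs offline, and on a real host you would pass it the output of netstat -an.

```shell
#!/bin/sh
# Added example: pre-setup check of the Directory Server (LDAP) and Administration
# Server port choices. Not part of the HP-UX Directory Server setup scripts.
# SAMPLE_NETSTAT is constructed sample output in HP-UX "netstat -an" layout
# (local endpoint printed as address.port); replace it with real output on a host.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  *.22                   *.*                    LISTEN
tcp        0      0  *.111                  *.*                    LISTEN
tcp        0      0  *.389                  *.*                    LISTEN
tcp        0      0  *.9830                 *.*                    LISTEN
tcp        0      0  10.0.0.5.389           10.0.0.9.51002         ESTABLISHED'

# port_allowed PORT -> 0 if PORT is acceptable for a Directory Server or
# Administration Server port: 1025-65535, or the LDAP/LDAPS exceptions 389 and 636.
port_allowed() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;     # empty or not a number
    esac
    if [ "$1" -eq 389 ] || [ "$1" -eq 636 ]; then return 0; fi
    if [ "$1" -ge 1025 ] && [ "$1" -le 65535 ]; then return 0; fi
    return 1
}

# port_in_use PORT [NETSTAT_OUTPUT] -> 0 if a TCP socket is already bound to PORT.
# The local address is field 4; the port is whatever follows its last dot.
port_in_use() {
    printf '%s\n' "${2:-$SAMPLE_NETSTAT}" | awk -v port="$1" '
        $1 == "tcp" {
            n = split($4, a, ".")
            if (a[n] == port) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# check_port LABEL PORT [NETSTAT_OUTPUT] -> prints a verdict; returns 0 only when
# the port is both allowed by the rules above and not already in use.
check_port() {
    if ! port_allowed "$2"; then
        echo "$1 port $2: not allowed (use 1025-65535, or 389/636 for LDAP/LDAPS)"
        return 1
    fi
    if port_in_use "$2" "${3:-$SAMPLE_NETSTAT}"; then
        echo "$1 port $2: already in use; choose another port"
        return 1
    fi
    echo "$1 port $2: OK"
    return 0
}

check_port "Directory Server" 389         # bound in the sample; setup would pick another
check_port "Administration Server" 9830   # also bound in the sample
check_port "Directory Server" 1389
check_port "Administration Server" 1023   # below 1024 and not an LDAP exception
```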

1.2.2 Directory Server user and group

The setup process sets a user ID (UID) and group ID (GID) as which the servers will run. The default UID is a non-privileged (non-root) user, www. HP strongly recommends using this default value. To simplify administration, you can use the same UID for both the Directory Server and the Administration Server. If you choose a different UID for each server, these UIDs must belong to the group assigned to Directory Server.
For security reasons, HP strongly discourages you from setting the Directory Server or Administration Server user to root. If an attacker gains access to the server, he might be able to execute arbitrary system commands as the root user. Using a non-privileged UID adds another layer of security.
Listening to restricted ports as unprivileged users
Even though port numbers less than 1024 are restricted, the LDAP server can listen to port 389 (and any port number less than 1024), as long as the server is started by the root user or by init when the system starts up. The server first binds and listens to the restricted port as root, then immediately drops privileges to the non-root server UID. For more detailed technical information, see the setuid(2) manpage.
For more information on port numbers, see “Port numbers” (page 7).

1.2.3 Directory manager

The Directory Server setup creates a special user named the Directory Manager. The Directory Manager is a unique, powerful entry that is used to administer all user and configuration tasks.
The Directory Manager is a special entry that does not have to conform to a Directory Server configured suffix; additionally, access controls, password policy, and database limits for size, time, and lookthrough limits do not apply to the Directory Manager. There is no directory entry for the Directory Manager user; it is used only for authentication. You cannot create an actual Directory Server entry that uses the same distinguished name (DN) as the Directory Manager DN.
The Directory Server setup process prompts for a DN and a password for the Directory Manager. The default value for the Directory Manager DN is cn=Directory Manager. The Directory Manager password must contain at least 8 characters, which must be ASCII letters, digits, or symbols.

1.2.4 Directory administrator

The Directory Server setup also creates an administrator user named Directory Administrator, which is specifically for Directory Server and Administration Server server management. The Directory Administrator is the “super user” that manages all Directory Server and Administration Server instances through the Directory Server Console. Every Directory Server is configured to grant this user administrative access.
There are important differences between the Directory Administrator and the Directory Manager:
The administrator cannot create top level entries for a new suffix through an add operation, neither by adding an entry in the Directory Server Console nor by using ldapadd, a tool provided with OpenLDAP. By default, only the Directory Manager can add top-level entries. To allow other users to add top-level entries, create entries with the appropriate access control statements in an LDIF file, and perform an import or database initialization procedure using that LDIF file.
Password policies do apply to the administrator, but you can set a user-specific password policy for the administrator.
Size, time, and lookthrough limits apply to the administrator, but you can set different resource limits for this user.
The Directory Server setup process prompts for a user name and a password for the Directory Administrator. The default Directory Administrator user name is admin. For security, the Directory Administrator's password must not be the same as the Directory Manager's password.

1.2.5 Administration Server user

By default, the Administration Server runs as the same non-root user as the Directory Server. Custom and silent setups provide the option to run the Administration Server as a different user than the Directory Server.
The default Administration Server user is the same as the Directory Server user, which is www. If the Administration Server is given a different UID, then that user must belong to the group to which the Directory Server user is assigned.

1.2.6 Directory suffix

The directory suffix is the first entry within the directory tree. At least one directory suffix must be provided when the Directory Server is set up. The recommended directory suffix name is one that matches your organization's Domain Name System (DNS) domain name. For example, if the Directory Server host name is ldap.example.com, the directory suffix is dc=example,dc=com. The setup script constructs a default suffix based on the DNS domain or the fully-qualified host and domain name provided during setup. This suffix naming convention is not required, but HP strongly recommends it.
After setup, you can create additional suffixes for the Directory Server instance using the Console or the command line (for more information, see the HP-UX Directory Server administrator guide). In addition, you can use the ConfigFile parameter in the setup command line or within a setup file (see “Importing LDIF files for configuring Directory Server users, replication, and other entities” (page 36)).

1.2.7 Configuration directory

The configuration directory (also referred to as the Configuration Directory Server) is the main directory that stores configuration information such as log files, configuration files, and port numbers. This configuration data is stored in the o=NetscapeRoot tree. A single Directory Server instance can be both the configuration directory and the user directory.
If you install Directory Server for general directory services, and more than one Directory Server exists in your organization, you must determine which Directory Server instance will host the configuration directory tree, o=NetscapeRoot. Make this decision before installing any compatible Directory Server applications. The Directory Server setup script asks if you want to register the new Directory Server instance with an existing Configuration Directory Server, and if you do, it prompts you for information about the Configuration Directory Server. If you are setting up the first Directory Server instance on the network, then the new Directory Server instance will be set up as the Configuration Directory Server as well.
Because the main configuration directory generally experiences low traffic, you can permit its server instances to coexist on any machine with a heavier-loaded Directory Server instance. However, for large sites that deploy a large number of Directory Server instances, improve performance by dedicating a low-end machine for the configuration directory. Directory Server instances write to the configuration directory, and for larger sites, this write activity can create performance issues for other directory service activities. The configuration directory can be replicated to increase availability and reliability.
If the configuration directory tree gets corrupted, you may have to re-register or re-configure all Directory Server instances. To prevent this:
Always back up the configuration directory after setting up a new instance.
Never change a host name or port number while active in the configuration directory.
Do not modify the configuration directory tree; only the setup script can directly modify a configuration.

1.2.8 Administration domain

The administration domain allows servers to be grouped together logically when splitting administrative tasks. This level of organization is beneficial, for example, when different divisions within an organization want individual control of their servers while system administrators require centralized control of all servers.
When setting up the administration domain, consider the following:
Each administration domain must have an administration domain owner with complete access to all the domain servers but no access to the servers in other administration domains. The administration domain owner may grant individual users administrative access on a server-by-server basis within the domain.
All servers must share the same configuration directory. The Configuration Directory Administrator has complete access to all installed Directory Servers, regardless of the domain.
Servers on two different domains can use different user directories for authentication and user management.
The Directory Server setup script allows you to set up a separate Administration domain for the new Directory Server instance. If you do not need to set up a different domain for the new instance, the default is the host's domain (the domain of the new Directory Server instance).

2 System requirements

Before configuring the default HP-UX Directory Server 8.1 instances, it is important to verify that the host server has the required system settings and configuration:
The system must have the required packages, patches, and kernel parameter settings.
DNS must be properly configured on the target system.
The host server must have a static IP address.
System settings, like the number of file descriptors and TCP information, should be reconfigured to optimize the Directory Server performance.
This chapter covers the software and hardware requirements, operating system patches and settings, and system configurations that are necessary for Directory Server to perform well.
NOTE:
The requirements outlined in this chapter apply to production systems. For evaluating or prototyping Directory Server, you may choose not to fulfill all these requirements.

2.1 Hardware requirements

Table 2-1 details the hardware requirements for HP-UX Directory Server:
Table 2-1 Hardware requirements
Computer System
HP 9000 (PA2.0) or HP Integrity system.
Physical Memory
At least 256 MB of memory.
HP recommends that you have 512 MB to 4 GB of memory for best performance on large production systems.
The physical memory requirements for each Directory Server process depend on your particular configuration and database. Each server process requires at least 15 MB of memory. However, the server caches recently used entries. Depending on the size of the database served and the size of the entries cached, the memory requirements for a typical Directory Server process can exceed 2 GB.
Install Device
CD-ROM drive to load the software or an Internet connection to Software Depot to download the software.
Disk space
The disk space requirements in /opt/dirsrv, /etc/opt/dirsrv, and /var/opt/dirsrv are as follows:
/opt/dirsrv
The initial product installation requires 115 MB of space in /opt/dirsrv for executables, libraries, scripts, and other related data. Each directory server instance created requires 1 MB of space in /opt/dirsrv.
/etc/opt/dirsrv
The initial product installation requires 0.5 MB of space in /etc/opt/dirsrv for shared configuration files. Each directory server instance created requires 1 MB of space in /etc/opt/dirsrv. The space usage in /etc/opt/dirsrv increases if customized schema is added for the directory server instance and as certain PKI-related material is added, such as trusted issuers in the certificate database.
/var/opt/dirsrv
Each Directory Server instance created requires an absolute minimum of 33 MB of space in /var/opt/dirsrv for logs and database files. The space usage in /var/opt/dirsrv increases as LDAP entries are added to the directory server, as log files grow, and if the back-end database cache is increased.
The file system used for database files must have large file system support enabled. For more information, see “Large file support” (page 14).
Use the bdf command to determine the available disk space on your system:
bdf /opt/dirsrv
bdf /etc/opt/dirsrv
bdf /var/opt/dirsrv
For more information on the bdf command, see the bdf(1M) manpage.

2.2 Operating system requirements

Directory Server runs on a 64-bit HP-UX 11i environment as a 64-bit process.
Directory Server runs on HP-UX version 11i v2 and v3 only; it is not supported on earlier HP-UX versions.
For information on the configuration of the operating system, see “HP-UX system configuration” (page 13).

2.3 HP-UX patches

The HP-UX 11i host must have the correct packages and dependencies installed to run Directory Server. The patch list changes daily, so check the HP web site regularly to ensure you have the latest releases:
http://www.software.hp.com/SUPPORT_PLUS/qpk.html
http://welcome.hp.com/country/us/eng/support.htm
The following list describes the recommended OS patch levels and patches:
HP-UX 11i v2
HP recommends, but does not require, that you install the HP-UX 11i v2 OS patch level OE September 2004 or later.
HP also recommends, but does not require, that you install patch PHCO_37940. To install patch PHCO_37940, you must update your system to the B.11.23 September 2004 release. Patch PHCO_37940 is an HP-UX 11i v2 pthread library cumulative patch. This patch improves performance of the HP-UX Directory Server on an HP-UX 11i v2 system.
HP-UX 11i v3
HP recommends, but does not require, that you install the HP-UX 11i v3 OS patch level OE September 2007 or later.
You can download patches and Quality Patch bundles from the HP IT Resource Center patch database:
http://itrc.hp.com/service/home/home.do
Select patch database under maintenance and support (hp products).

2.4 HP-UX system configuration

Before setting up Directory Server, tune your HP-UX system so Directory Server can access the respective kernel parameters. To tune HP-UX systems, enable large file support, set the TIME_WAIT value, and modify kernel parameters, as described in the following sections.
“Perl prerequisites”
“Kernel parameters” (page 13)
“TIME_WAIT setting” (page 14)
“Large file support” (page 14)

2.4.1 Perl prerequisites

The HP-UX Directory Server uses the Perl version installed with the operating system in /opt/perl_64/bin/perl. If this Perl version is not installed, contact HP support.

2.4.2 Kernel parameters

HP recommends that you set the following kernel parameters to the system default values:

Kernel parameter    System default value
max_thread_proc     256
maxfiles            2048
maxfiles_lim        4096
nproc               4200

Kernel parameter    Recommended value
maxdsiz_64bit       If you use the default values for the above parameters, set the value for this parameter to at least 512 MB. This assumes that the Directory Server processes are tuned to use a single heap arena.

If you configure a large entry cache for your Directory Server, you will require more heap space, which means assigning a higher value to maxdsiz_64bit. Instead of attempting to predict how high the value should be (this is difficult to do), HP recommends setting it high initially and then tuning it to a lower size if desired.
To determine the current values of these kernel parameters, use sysdef(1M) or the following commands on an HP 9000 or an HP Integrity (IA64) system:
# kctune | grep -e max_thread_proc -e maxfiles -e maxfiles_lim -e nproc
After reconfiguration, you can expect the output of that command to match the values in the table above.
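The following POSIX shell script is an added example, not part of the HP guide, that checks kctune output against the values in the table above so the comparison is not done by eye. It assumes kctune prints the tunable name in the first column and its current value in the second; the sample output embedded in it is constructed for the example, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the HP guide): compare kctune(1M) output with the
# values recommended in section 2.4.2. On the host, run as root:
#   kctune | check_kernel_params
# Assumption: kctune prints one tunable per line with the name in column 1
# and the current value in column 2; further columns are ignored.

# Recommended values from the guide: the four parameters at their system
# defaults, and maxdsiz_64bit at least 512 MB (536870912 bytes).
RECOMMENDED='max_thread_proc 256
maxfiles 2048
maxfiles_lim 4096
nproc 4200'
MAXDSIZ_64BIT_MIN=536870912

# Reads kctune output on stdin. Prints one line for every parameter that
# differs from the recommendation and exits non-zero when tuning is needed.
check_kernel_params() {
    awk -v rec="$RECOMMENDED" -v dsiz_min="$MAXDSIZ_64BIT_MIN" '
        BEGIN {
            n = split(rec, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], kv, " ")
                want[kv[1]] = kv[2]
            }
            bad = 0
        }
        $1 == "Tunable" { next }                     # kctune header line
        ($1 in want) && ($2 != want[$1]) {
            printf "%s is %s, recommended %s\n", $1, $2, want[$1]
            bad++
        }
        $1 == "maxdsiz_64bit" && ($2 + 0 < dsiz_min + 0) {
            printf "%s is %s, recommended at least %s\n", $1, $2, dsiz_min
            bad++
        }
        END { exit bad }
    '
}

# Constructed sample of kctune output (not captured from a real host): the
# four defaults are in place but maxdsiz_64bit is only 256 MB.
SAMPLE_KCTUNE='Tunable          Value       Expression
max_thread_proc  256         Default
maxdsiz_64bit    268435456   268435456
maxfiles         2048        Default
maxfiles_lim     4096        Default
nproc            4200        Default'

# Number of findings for the constructed sample (used by the demo below).
count_findings() {
    printf '%s\n' "$SAMPLE_KCTUNE" | check_kernel_params | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_KCTUNE" | check_kernel_params \
    || echo "kernel tuning needed: $(count_findings) parameter(s) differ"
```

Because the exit status is non-zero whenever a parameter differs, the function can be called from a pre-installation check that refuses to run the setup script on an untuned host.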

2.4.3 TIME_WAIT setting

Normally, client applications that shut down correctly cause the socket to linger in a TIME_WAIT state. Verify that the TIME_WAIT entry is set to a reasonable duration. For example:
# ndd -set /dev/tcp tcp_time_wait_interval 60000
This limits the socket TIME_WAIT state to 60 seconds.

2.4.4 Large file support

To run Directory Server on HP-UX, you must enable large file support for the file system where the directory data is stored. By default, directory data is stored below the /var/opt/dirsrv directory. If large file support is not enabled for the file system for this directory, use the fsadm command to enable it. In the following example, the root of the file system for the /var/opt/dirsrv directory is /var:
# fsadm -F vxfs -o largefiles /var
If the file system for the /var/opt/dirsrv directory does not support online administration, you must unmount the file system and specify the device file. For more information, see fsadm(1M).

3 Setting up HP-UX Directory Server

This chapter describes the complete process for installing Directory Server on HP-UX 11i. It includes instructions for installing the HP-UX Apache web server and the JRE and Directory Server packages, and describes the various options for setting up the Directory Server.

3.1 Overview

Installing and configuring HP-UX Directory Server on HP-UX has four major steps:
1. Ensure that you have the required version of HP-UX Apache-based web server installed on the system.
2. Install the required version of the Java® Runtime Environment (JRE).
3. If the Directory Server will use GSS-API (Generic Security Services Application Program Interface) for authentication, install the Kerberos 5 client (KRB5CLIENT) libraries.
4. Install the Directory Server package.
5. Run the setup script. In this step, you provide all the information about the new Directory Server instance. You can run the script interactively, responding to prompts to provide the setup information, or run the script in silent mode, providing a setup file that provides the setup information. You can also pass setup parameters in the command line.
CAUTION: If a Directory Server (notably Netscape Directory Server 6.21 or Red Hat Directory Server 7.1) is already installed on your machine, it is extremely important that you perform a migration, not a fresh installation. Migration is described in Chapter 6 (page 47).
NOTE:
Before beginning the installation process, make sure that your system meets the requirements in Chapter 2 (page 11).

3.2 HP-UX Apache-based web server requirement

The Directory Administration Server 8.1 requires Apache plug-ins and dependent libraries. Before you attempt to install HP-UX Directory Server 8.1, ensure that the HP-UX Apache web server software B.2.0.50.01 or greater is installed. To verify the HP-UX Apache web server software version, use the following command:
# swlist -l product | grep hpuxwsAPACHE
hpuxwsAPACHE B.2.0.55.03 HP-UX Apache-based Web Server
The HP-UX Apache-based Web Server is available for download at:
http://www.hp.com/go/softwaredepot
To locate the software at this site, enter HP-UX Apache-based Web Server in the search field.

3.3 Installing the JRE

The Java JRE libraries are not bundled with HP-UX Directory Server. You must install them before installing HP-UX Directory Server. HP-UX Directory Server 8.1 depot is built with dependency on JRE version 1.5.0.11 or greater. HP-UX Directory Server has been tested with the JRE revision 1.5.0.11. A JRE15 version which is greater than JRE 1.5.0.11 may also work. Installation of HP-UX Directory Server using swinstall verifies whether JRE package requirements are met.
If a version of JRE 1.5 is already installed on the system and the version is equal to or greater than 1.5.0.11, you can skip the JRE installation requirement.
To check if the correct version of JRE 1.5 is installed on the system, use the following command:
# /usr/bin/swlist -l product | grep Jre
If the JRE 1.5 version is less than 1.5.0.11, or if JRE 1.5 is not installed on the system, install JRE 1.5.0.11. To download and install JRE for Java 2 platform HP-UX Integrity version 1.5.0.11 (.depot) or HP-UX PA-RISC version 1.5.0.11 (.depot), use the following procedure:
1. Go to the following web site:
http://www.hp.com/go/java
Look for the following or supported later versions (5.0.xx, where xx is 11 or later), as applicable to your environment:
Itanium® JRE 5.0.11 - Nov 7
PA-RISC JRE 5.0.11 - Nov 7
2. Complete the form and choose Download.
3. Install the depot on your machine.
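As an added example that is not part of the HP guide, the following POSIX shell script turns the version checks of the two preceding sections (web server B.2.0.50.01 or greater, JRE 1.5.0.11 or greater) into functions that read swlist output instead of relying on a visual comparison. It assumes that the product tag is in the first column and the revision in the second, as in the swlist line quoted in section 3.2, that the JRE product tag starts with "Jre" (the guide greps for that string), and that the leading "B." of an HP-UX revision carries no version information; the swlist sample inside the script is constructed, not captured from a host.

```shell
#!/bin/sh
# Added example (not from the HP guide): verify the prerequisite versions from
# sections 3.2 and 3.3 against swlist(1M) output. On the host, run:
#   swlist -l product | apache_version_ok && swlist -l product | jre_version_ok
# Assumptions: product tag in column 1, revision in column 2; the JRE product
# tag starts with "Jre"; a leading "B." on a revision is a bare prefix.

MIN_APACHE=B.2.0.50.01   # from section 3.2
MIN_JRE=1.5.0.11         # from section 3.3

# version_ge A B: succeed when dotted version A is greater than or equal to B.
# Fields are compared numerically from the left; missing fields count as 0.
version_ge() {
    a=${1#B.}
    b=${2#B.}
    awk -v a="$a" -v b="$b" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Print the revision of the first product on stdin whose tag matches $1.
product_revision() {
    awk -v tag="$1" '$1 ~ tag { print $2; exit }'
}

# Read swlist output on stdin; succeed only if the web server is new enough.
apache_version_ok() {
    v=$(product_revision '^hpuxwsAPACHE$')
    [ -n "$v" ] && version_ge "$v" "$MIN_APACHE"
}

# Read swlist output on stdin; succeed only if JRE 1.5.0.11 or later is present.
jre_version_ok() {
    v=$(product_revision '^Jre')
    [ -n "$v" ] && version_ge "$v" "$MIN_JRE"
}

# Constructed sample of "swlist -l product" output (not from a real host).
SAMPLE_SWLIST='hpuxwsAPACHE  B.2.0.55.03  HP-UX Apache-based Web Server
Jre15         1.5.0.11     Java 2 Runtime Environment 1.5'

printf '%s\n' "$SAMPLE_SWLIST" | apache_version_ok \
    && echo "web server OK" || echo "web server too old or missing"
printf '%s\n' "$SAMPLE_SWLIST" | jre_version_ok \
    && echo "JRE OK" || echo "JRE too old or missing"
```

Both functions fail when the product is absent as well as when it is too old, so a missing package is reported the same way as an outdated one.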

3.4 Installing the Kerberos 5 libraries

The Directory Server can use GSS-API for authentication. To use GSS-API, you must first install the Kerberos 5 client (KRB5CLIENT) libraries, version 1.6.2 or later. You can download the KRB5CLIENT package from the following location:
http://www.hp.com/go/softwaredepot

3.5 Installing the Directory Server package

Install the Directory Server package from the following location:
http://www.hp.com/go/softwaredepot

3.6 Setting up the Directory Server and Administration Server

3.6.1 Setup overview

After you have completed the steps recommended in the preceding sections, you can create and configure the Directory Server and Administration Server instances by using the setup-ds-admin.pl script. The following is the basic command for running the script interactively:
/opt/dirsrv/sbin/setup-ds-admin.pl
If you choose to run the script interactively, the script allows you to choose one of the following setup modes:
Express
Typical
Custom
These setup modes provide different levels of control over the configuration settings, such as port numbers, directory suffixes, and users and groups for the Directory Server processes.
Express setup has the least amount of input, meaning it uses more default or randomly-generated settings, while custom setup gives you the most control over the configuration (you provide much of the configuration information). These setup modes are described in Table 3-2. For most deployments, the typical installation type suffices.
If you choose to run the script silently instead of interactively, you provide a file with predefined settings to create a new Directory Server without any user interaction. This is extremely useful for setting up large numbers of Directory Server instances, because it does not require any user involvement after the package is installed.
You can also provide a setup file with certain parameters predefined for interactive mode. In addition, when you enter the command to run the script for interactive or silent mode, you can pass parameters in the command line. They can be used to determine default parameter values for certain interactive setup prompts or to override the values defined in a provided setup file. Options that you can specify with the command line are described in Table 3-1.
The remainder of this section covers the following topics:
“Options for running the setup script” (page 17)
“Interactive setup modes” (page 20)
“Performing express setup” (page 22)
“Performing typical setup” (page 24)
“Performing custom setup” (page 26)
“Performing silent setup” (page 29)
“Sending parameters in the command line” (page 35)
“Importing LDIF files for configuring Directory Server users, replication, and other entities” (page 36)
NOTE:
Directory Server version 8.1 conforms to the Filesystem Hierarchy Standards (FHS). This means that the directories and files are in different locations than previous versions. For more information on FHS, see the following web address:
http://www.pathname.com/fhs/
For information on new file locations, see “Directory Server file locations” (page 43).

3.6.2 Options for running the setup script

In interactive mode, the setup-ds-admin script launches a series of dialog screens prompting you for a yes or no answer or simple text input.
When running the script, you can pass arguments in the command line that provide values for specific setup parameters. You can also specify options in the command line that allow you to supply predefined values from a specified file (using the -f option). In addition, you can run the script silently instead of interactively, using the predefined values from a specified file (using the -s option in conjunction with the -f option). Passing arguments in the command line, or specifying a file with predefined values, sets the defaults used in the script's interactive prompts. If you specify the -s (silent) option, there are no interactive prompts; values specified in the command line or predefined in the specified file automatically determine the values used for setting up a Directory Server instance. For a list of the command line options available with the setup-ds-admin script, see Table 3-1.
Responding to prompts and navigating between screen prompts
When you run the script interactively, the setup script prompts you for input. Observe these guidelines:
Each prompt includes a default answer in square brackets. In the following example, the default answer is yes.
Would you like to continue with setup? [yes]:
Pressing Enter accepts the default answer and proceeds to the next dialog screen prompt.
Yes or No prompts accept y for Yes and n for No.
To return to a previous dialog screen prompt, type Ctrl-B and press Enter. You can backtrack all the way to the first screen prompt.
Two prompts ask for a password. After entering a password for the first time, confirm the password by typing it in again. The password prompts do not echo the characters entered, so be sure to type them correctly.
When the script finishes, it generates a temporary log file in the /tmp directory called setupXXXXXX.log, where XXXXXX is a series of random characters. This log file contains all the prompts and answers (except for passwords) supplied to those prompts. You can specify a path and name of a log file to which the script writes output by specifying the -l option in the command line that runs the script. For more information on this and other options available with the script command line, see Table 3-1 (page 19).
Specifying parameter values or a setup file at the command line
Passing values for specific setup parameters
When passing values for parameters in the command line that runs the script, you specify the parameters (directives) in the format used in the configuration file that the script generates for the Directory Server instance. This setup configuration file has three sections, one for each of the major components of Directory Server: General (host server), slapd (LDAP server), and admin (Administration Server). Command-line arguments specify the setup file section, parameter, and value in the following form:
section.parameter=value
The following command example sets the machine name, suffix, and Directory Server port of the new Directory Server instance. The interactive setup script displays these values as the defaults for the associated parameters. In silent mode, these are the values used for configuring the Directory Server.
# /opt/dirsrv/sbin/setup-ds-admin.pl General.FullMachineName=ldap.example.com \
    "slapd.Suffix=dc=example, dc=com" slapd.ServerPort=389
If argument values contain spaces or other shell special characters, prevent the shell from interpreting them by enclosing the values in quotes. In the previous example, the suffix value has a space character, so the entire directive has to be quoted. If many of the directives have to be quoted or escaped, use a setup file with predefined values instead of passing these arguments in the command line.
Specifying a setup file with predefined values
In the command line, you can use the -f option to specify a setup file that includes predefined parameter values. The following command specifies that the script use file custom.inf to determine the default values for prompts in interactive mode:
# /opt/dirsrv/sbin/setup-ds-admin.pl -f custom.inf
Running the setup script in silent mode
To run the script in silent mode, include the -s option in the command line, along with the -f option and a specified setup file. The following command specifies that the setup script run silently, using setup file common.inf to provide the values for Directory Server parameters.
# /opt/dirsrv/sbin/setup-ds-admin.pl -s -f common.inf
The setup configuration file used for silent mode is described in more detail in “Performing silent setup” (page 29).
Passing specific parameter values in conjunction with a specified setup file
When you specify a setup file in the command line in conjunction with command line parameters, the parameters passed in the command line override the predefined values specified in the setup file. This is useful when you have created a setup file to serve as the basis for setting up multiple Directory Server instances. The command line parameters specify values specific to the Directory Server being set up. For example, parameters such as ConfigDirectoryLdapURL, which can be used for multiple instances, could be specified in the setup file. Parameters such as FullMachineName, which is specific to the host, could be specified in the command line. For example, with the following command, the setup script uses the common parameter values specified in the common.inf file, but overrides the host-specific parameter values for FullMachineName and ServerIdentifier with those specified in the command line. This command runs the script in silent mode.
# /opt/dirsrv/sbin/setup-ds-admin.pl -s -f common.inf \
    General.FullMachineName=ldap37.example.com slapd.ServerIdentifier=ldap37
NOTE:
The section names and parameter names used in setup files and on the command line are case sensitive. For information on correct capitalization, see Table 3-1.
The setup file can include a parameter that imports the contents of any LDIF file into the Directory Server. This parameter, ConfigFile, is set in the [slapd] section of the setup file. This is extremely useful for preconfiguring users, replication, and other directory management entries. For more information on using the ConfigFile parameter to configure the Directory Server, see “Importing LDIF files for configuring Directory Server users, replication, and other entities” (page 36).
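The following POSIX shell script is an added example, not code from the HP guide or from the setup script, that models the two rules stated above: a directive given on the command line as section.parameter=value overrides the same directive in the setup file, and section and parameter names are case sensitive. It also checks that a setup file is not readable by other users, since such a file (and the cache file kept with -k) can hold the cleartext passwords supplied during setup. The [General], [slapd] and [admin] sections and the directive names come from this guide; the sample file contents are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the HP guide): model of how setup-ds-admin.pl
# resolves a directive when both a setup file (-f) and command-line
# section.parameter=value arguments are given, plus a permission check on
# the setup file. The file layout follows the guide; the sample values are
# constructed for this example.

# Write a constructed sample setup file to the path given as $1. Real setup
# files also carry password directives (see "Setup file directives", page 31),
# which is why the permission check below matters.
write_sample_inf() {
    cat > "$1" <<'EOF'
[General]
FullMachineName=ldap.example.com
ConfigDirectoryLdapURL=ldap://ldap.example.com:389/o=NetscapeRoot
[slapd]
Suffix=dc=example, dc=com
ServerPort=389
ServerIdentifier=ldap
[admin]
EOF
}

# effective_value FILE SECTION.PARAMETER [section.parameter=value ...]
# Prints the value the setup script would use: the last matching command-line
# argument wins, otherwise the value from FILE, otherwise an empty string.
effective_value() {
    inf=$1
    key=$2
    shift 2
    section=${key%%.*}
    param=${key#*.}
    # Value from the setup file: find the [section] header, then the first
    # "param=" line in it. Splitting at the first "=" keeps values such as
    # "dc=example, dc=com" intact. Comparisons are case sensitive, as in the guide.
    val=$(awk -v want_sec="$section" -v want_param="$param" '
        /^\[.*\]$/ { sec = substr($0, 2, length($0) - 2); next }
        sec == want_sec && index($0, "=") > 0 {
            i = index($0, "=")
            if (substr($0, 1, i - 1) == want_param) { print substr($0, i + 1); exit }
        }' "$inf")
    # Command-line arguments override the file; later arguments win.
    for arg in "$@"; do
        case $arg in
            "$key="*) val=${arg#"$key="} ;;
        esac
    done
    printf '%s\n' "$val"
}

# inf_is_private FILE: succeed only if group and others have no permissions.
inf_is_private() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Demonstration: one common file, host-specific values from the command line.
tmpdir=$(mktemp -d)
write_sample_inf "$tmpdir/common.inf"
chmod 600 "$tmpdir/common.inf"
echo "FullMachineName: $(effective_value "$tmpdir/common.inf" General.FullMachineName \
    General.FullMachineName=ldap37.example.com slapd.ServerIdentifier=ldap37)"
echo "ServerIdentifier: $(effective_value "$tmpdir/common.inf" slapd.ServerIdentifier \
    General.FullMachineName=ldap37.example.com slapd.ServerIdentifier=ldap37)"
echo "Suffix: $(effective_value "$tmpdir/common.inf" slapd.Suffix)"
inf_is_private "$tmpdir/common.inf" && echo "common.inf is readable by its owner only"
rm -r "$tmpdir"
```

Running inf_is_private against a setup file before passing it to -f, and against the cache file left behind by -k, is a cheap way to make sure the cleartext passwords inside are not exposed to every local user.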
Setup script command line options
Table 3-1 setup-ds-admin options
Option          Alternate        Description
-f name         --file=name      This sets the path and name of the file which contains configuration settings for the new Directory Server instance. You can use this option with the -s option. If you use the -f option without the -s, the specified file sets the default values for the setup interactive prompts. For example:
                                 /opt/dirsrv/sbin/setup-ds-admin.pl -f ./sample.inf
-s              --silent         This causes the setup script to run in silent mode, using the configuration information predefined in a file rather than specified interactively; specify the file name with the -f option. For example:
                                 /opt/dirsrv/sbin/setup-ds-admin.pl -f ./setup.inf -s
                                 (Configuration information can also be specified in the command line; this information overrides the corresponding information defined in the setup file.)
-d[dddd]        --debug          This turns on debugging information. With the -d flag, increasing the number of ds increases the debug level.
-k              --keepcache      This saves the temporary configuration setup file (file name .inf) that is created when the setup script is run interactively. This file can then be reused for a silent setup.
                                 CAUTION: This file (also referred to as a cache file) contains the cleartext passwords supplied during setup. Use appropriate caution and protection with this file.
-l name         --logfile name   This specifies the log file to which the script writes the output, including errors. You can specify the path and name. In an interactively run script, the file contains all prompts and answers (except for passwords). If this option is not set, the output is written to a temporary file in the /tmp directory called setupXXXXXX.log, where XXXXXX is a series of random characters. The following command directs the script to write output to the file /tmp/2009-jun.log:
                                 # /opt/dirsrv/sbin/setup-ds-admin.pl -l /tmp/2009-jun.log

3.6.3 Interactive setup modes

When you launch the setup-ds-admin.pl script to configure the new Directory Server and Administration Server instance interactively, the script allows you to choose one of three kinds of setup modes:
Express
The fastest setup mode. This requires minimal interaction. For almost all settings, default settings are provided by HP. Because express installation does not offer the choice of selecting the Directory Server port number or the directory suffix, among other settings, HP recommends that you use it for evaluation purposes only, not for production deployments. Also, express setups can fail if default configuration values are not available (there is no way to offer an alternative).
Typical
The default and most common setup mode. This prompts you to supply more detailed information about the directory service, such as suffix and configuration directory information, while still proceeding quickly through the setup process.
Custom
The most detailed setup mode. This provides more control over Administration Server settings and also allows data to be imported into the Directory Server at setup, so that entries are already populated in the databases when the setup is complete.
TIP:
If you are installing Directory Server for evaluation, use the Express or Typical setup mode. These processes are very fast, and can help get your directory service up and running quickly.
The information requested by the interactive setup script is described in Table 3-2. More information about all setup file parameters, and whether they are optional or required, is provided in “Setup file directives” (page 31).
As already discussed in “Options for running the setup script” (page 17), another setup option is silent setup, which uses a configuration file and command-line options to supply the Directory Server settings automatically. In this case, the script requires no user interaction. You can also pass setup arguments in the command line that launches the script. The rightmost column of
Table 3-2 indicates which setup parameters can be addressed in the silent setup.
Table 3-2 Comparison of setup types
Setup screen prompt                                            Parameter input                                        Silent setup
Continue with setup                                            Yes or no                                              N/A
Choose setup type                                              1 (express), 2 (typical), 3 (custom)                   N/A
Set the computer name                                          ldap.example.com
Set the user as which the Directory Server will run            www
Set the group as which the Directory Server will run           other
Register the new Directory Server with an existing             Yes or no                                              N/A
Configuration Directory Server
Set the Configuration Directory Server URL (1)                 ldap://ldap.example.com:389/o=NetscapeRoot
Give the Configuration Directory Server user                   admin
distinguished name (DN) (1)
Give the Configuration Directory Server user password (1)      password
Give the Configuration Directory Server administration         example.com
domain (1)
Give the path to the CA certificate (if using LDAPS) (1)       /tmp/cacert.asc
Set the Configuration Directory Server Administrator           admin
user name (2)
Set the Configuration Directory Server Administrator           password
password (2)
Set the Configuration Directory Server domain (2)
Set the Directory Server port                                  389
Set the Directory Server identifier                            ldap
Set the Directory Server suffix                                dc=domain, dc=domain
Set the Directory Manager (DN)                                 cn=Directory Manager
Set the Directory Manager password                             password
Populate the Directory Server with entries                     Yes or no (Install sample entries); supply the full path and file name to an LDIF file; type suggest, which imports common container entries, such as ou=People; or type none, which does not import any data
Set the Administration Server port                             9830
Set the Administration Server IP address                       blank (all interfaces)
Set user as which the Administration Server runs               daemon
Are you ready to configure your servers?                       Yes or no                                              N/A
1 This option is only available if you choose to register the Directory Server instance with an existing Configuration Directory Server.
2 This option is only available if you choose not to register the Directory Server instance with an existing Configuration Directory Server. In that case, the Directory Server being set up is created and configured as a Configuration Directory Server, using the Configuration Directory Server name and password that you specify.

3.6.4 Performing express setup

Use express installation if you are installing Directory Server for an evaluation or trial. Because express installation does not offer the choice of selecting the Directory Server port number or the directory suffix, among other settings, HP recommends not using it for production deployments.
CAUTION: If a Directory Server (notably Netscape Directory Server 6.21 or Red Hat Directory Server 7.1) is already installed on your machine, it is extremely important that you perform a migration, not a fresh installation. Migration is described in Chapter 6 “Migrating or upgrading to HP-UX Directory Server from Netscape or Red Hat Directory Server”.
NOTE:
The setup script gets the host information from the /etc/resolv.conf file. If the /etc/hosts file includes aliases (such as ldap.example.com) that do not match the /etc/resolv.conf settings, the setup script cannot use the default host name option, and setup will fail.
1. Launch the setup-ds-admin.pl script using the following command.
NOTE:
Run the setup-ds-admin.pl script as root.
# /opt/dirsrv/sbin/setup-ds-admin.pl
2. When asked to choose the setup type, enter 1 to perform an express setup.