HP-UX Directory Server installation guide

HP-UX Directory Server Version 8.1
HP Part Number: 5900-0310 Published: September 2009 Edition: 1
© Copyright 2009 Hewlett-Packard Development Company, L.P.
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under
The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Table of Contents

1 Preparing for a Directory Server installation...............................................................7
1.1 Directory Server components............................................................................................................7
1.2 Considerations before setting up Directory Server...........................................................................7
1.2.1 Port numbers.............................................................................................................................7
1.2.2 Directory Server user and group...............................................................................................8
1.2.3 Directory manager....................................................................................................................8
1.2.4 Directory administrator............................................................................................................9
1.2.5 Administration Server user.......................................................................................................9
1.2.6 Directory suffix.........................................................................................................................9
1.2.7 Configuration directory..........................................................................................................10
1.2.8 Administration domain...........................................................................................................10
2 System requirements.....................................................................................................11
2.1 Hardware requirements..................................................................................................................11
2.2 Operating system requirements......................................................................................................12
2.3 HP-UX patches................................................................................................................................12
2.4 HP-UX system configuration..........................................................................................................13
2.4.1 Perl prerequisites.....................................................................................................................13
2.4.2 Kernel parameters...................................................................................................................13
2.4.3 TIME_WAIT setting.................................................................................................................14
2.4.4 Large file support....................................................................................................................14
3 Setting up HP-UX Directory Server ............................................................................15
3.1 Overview.........................................................................................................................................15
3.2 HP-UX Apache-based web server requirement..............................................................................15
3.3 Installing the JRE.............................................................................................................................15
3.4 Installing the Kerberos 5 libraries...................................................................................................16
3.5 Installing the Directory Server package..........................................................................................16
3.6 Setting up the Directory Server and Administration Server...........................................................16
3.6.1 Setup overview........................................................................................................................16
3.6.2 Options for running the setup script.......................................................................................17
3.6.3 Interactive setup modes..........................................................................................................20
3.6.4 Performing express setup........................................................................................................22
3.6.5 Performing typical setup.........................................................................................................24
3.6.6 Performing custom setup........................................................................................................26
3.6.7 Performing silent setup...........................................................................................................29
3.6.7.1 Setup file structure..........................................................................................................30
3.6.7.2 Setup file directives.........................................................................................................31
3.6.7.3 Sample setup files............................................................................................................34
3.6.8 Sending parameters in the command line..............................................................................35
3.6.9 Importing LDIF files for configuring Directory Server users, replication, and other entities..........36
4 Post-installation and advanced configuration tasks..................................................37
4.1 Configuring Administration Server instances................................................................................37
4.1.1 Configuring IP authorization on the Administration Server..................................................37
4.1.2 Configuring proxy servers for the Administration Server......................................................38
4.2 Creating additional Directory Server instances..............................................................................38
Table of Contents 3
4.2.1 Creating a new Directory Server instance interactively..........................................................39
4.2.2 Creating a new Directory Server instance silently..................................................................39
4.2.3 Creating a Directory Server instance manageable at the command line instead of Console..........40
4.3 Registering an existing Directory Server instance with the Configuration Directory Server.........40
4.4 Uninstalling Directory Server..........................................................................................................40
4.4.1 Removing a single Directory Server instance.........................................................................40
4.4.2 Uninstalling the HP-UX Directory Server...............................................................................41
5 General usage information.........................................................................................43
5.1 Directory Server file locations.........................................................................................................43
5.2 LDAP tool locations.........................................................................................................................43
5.3 Starting the Directory Server Console.............................................................................................44
5.4 Getting the Administration Server port number............................................................................44
5.5 Starting and stopping servers..........................................................................................................44
5.5.1 Starting and stopping the Directory Server............................................................................44
5.5.2 Starting and stopping the Administration Server...................................................................44
5.6 Resetting the Directory Manager password....................................................................................44
5.7 Troubleshooting...............................................................................................................................45
5.7.1 Problem: Clients cannot locate the server...............................................................................45
5.7.2 Problem: The port is in use......................................................................................................45
5.7.3 Problem: Forgotten directory manager DN and password....................................................45
6 Migrating or upgrading to HP-UX Directory Server from Netscape or Red Hat Directory Server..........47
6.1 Migrating from Netscape Directory Server 6.x, or from Red Hat Directory Server 7.1.................47
6.1.1 Tasks to perform before migrating..........................................................................................47
6.1.1.1 Configuring the Directory Server Console......................................................................47
6.1.2 Migration script.......................................................................................................................48
6.1.3 Migration scenarios.................................................................................................................49
6.1.3.1 Migrating a server or single instance..............................................................................50
6.1.3.2 Migrating replicated servers...........................................................................................50
6.1.3.3 Migrating a Directory Server from one machine to another...........................................51
6.1.3.4 Migrating a Directory Server from one platform to another..........................................52
6.2 Upgrading from Red Hat Directory Server 8.0...............................................................................53
6.2.1 Backing up the Directory Server data and configuration prior to the upgrade.....................53
6.2.2 Performing the upgrade to HP-UX Directory Server 8.1........................................................54
7 Support and other resources.......................................................................................55
7.1 Contacting HP.................................................................................................................................55
7.1.1 Information to collect before contacting HP...........................................................................55
7.1.2 How to contact HP technical support.....................................................................................55
7.1.3 HP authorized resellers...........................................................................................................55
7.1.4 Documentation feedback.........................................................................................................55
7.2 Related information.........................................................................................................................55
7.2.1 HP-UX Directory Server documentation set...........................................................................55
7.2.2 HP-UX documentation set......................................................................................................56
7.2.3 Troubleshooting resources......................................................................................................57
7.3 Typographic conventions................................................................................................................57
Glossary............................................................................................................................59
Index.................................................................................................................................69

1 Preparing for a Directory Server installation

This manual provides a high-level overview of design and planning decisions you need to make before installing Directory Server, describes the different methods for setting up and installing the Directory Server, describes post-installation tasks, and provides general information about using Directory Server and how to troubleshoot problems.
Before you install HP-UX Directory Server 8.1, there are required settings and information that you need to plan in advance. This chapter describes the kind of information that you must provide. It also describes relevant directory service concepts, Directory Server components, and the impact and scope of integrating Directory Server into your computing infrastructure.
The information that is covered here and supplied during the Directory Server setup procedure relates to the design of your directory tree (the hierarchical arrangement of your directory, including all major roots and branch points) and relates to your directory suffixes and databases. For more information on suffixes and databases, see the HP-UX Directory Server administrator guide.

1.1 Directory Server components

Directory Server 8.1 consists of several components, which work in tandem:
Directory Server
The Directory Server is the core LDAP server daemon. It is compliant with LDAP v3 standards. This component includes command-line server management and administration programs, and scripts for common operations such as exporting and backing up databases.
Directory Server Console
The Directory Server Console is the user interface that simplifies managing users, groups, and other LDAP data for your enterprise. The Console is used for all aspects of server management, including making backups; configuring security, replication, and databases; adding entries; and monitoring servers and viewing statistics.
Administration Server
The Administration Server is the management agent that administers Directory Servers. It communicates with the Directory Server Console and performs operations on the Directory Server instances. It also provides a simple HTML interface and on-line help pages. There must be one Administration Server running on each machine that has a Directory Server instance running on it.

1.2 Considerations before setting up Directory Server

Depending on the type of setup that you perform, you will be asked to provide instance-specific information for both the Administration Server and Directory Server during the installation procedure, including port numbers, server names, and user names and passwords for the Directory Manager and administrator. If you will have multiple Directory Server instances, then it is better to plan these configuration settings in advance so that the setup processes can run without conflict. The installation and setup steps are described in detail in Chapter 3 (page 15).

1.2.1 Port numbers

The Directory Server setup requires two TCP/IP port numbers: one for the Directory Server and one for the Administration Server. These port numbers must be unique.
The Directory Server instance (LDAP) has a default port number of 389. The Administration Server port number has a default of 9830. If the default port number for either server is in use, the setup script randomly generates a port number larger than 1024 to use as the default. Alternatively, you can assign any port number between 1025 and 65535 for the Directory Server and Administration Server ports; you are not required to use the defaults or the randomly generated ports.
NOTE:
Although the valid range of port numbers is 1 to 65535, do not assign a Directory Server port number below 1024 (except 389 for LDAP, or 636 for LDAP with TLS/SSL). The Internet Assigned Numbers Authority (IANA) has already assigned ports 1 to 1023 to common processes.
When determining the port numbers to use, verify that the specified port numbers are not already in use by running a command like netstat.
For LDAPS (LDAP with TLS/SSL), the default port number is 636. The server can listen on both the LDAP and LDAPS ports at the same time. However, the setup script does not let you configure TLS/SSL. To use LDAPS, assign the LDAP port number during setup, then reconfigure the Directory Server to use the LDAPS port and the other TLS/SSL parameters afterward. Until TLS/SSL is configured, every simple bind over the LDAP port, including the Directory Manager's, sends its password in clear text on the network, so complete that configuration before clients other than the installation host are pointed at the instance. For information on how to configure LDAPS, see the HP-UX Directory Server administrator guide.
The Administration Server runs on a web server, so it uses HTTP or HTTPS. However, unlike the Directory Server, which can run on secure (LDAPS) and insecure (LDAP) ports at the same time, the Administration Server cannot run over both HTTP and HTTPS simultaneously. The setup script, setup-ds-admin.pl, does not allow you to configure the Administration Server to use TLS/SSL. To use TLS/SSL (meaning HTTPS) with the Administration Server, first set up the Administration Server to use HTTP, then reconfigure it to use HTTPS.
If you are using ports below 1024, such as the default LDAP port (389), you must run the setup script and start the servers as root. However, you do not have to set the server user ID to root. When the server starts, the server binds and listens to its port as root, then immediately drops its privileges and runs as the non-root server user ID. When the system restarts, the server is started as root by the init script. For more detailed technical information, see the setuid(2) manpage.
For more information about the server user ID, see “Directory Server user and group” (page 8).
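As an added example (not part of the HP guide), the following POSIX shell script applies the rules of this section before the setup script is run: it accepts a port only if it is 389, 636, or in the range 1025 to 65535, rejects the same port for both servers, and refuses any port that netstat -an already shows in LISTEN state. The function names and the sample netstat output are constructed for the example; the "*.389" local-address form is what HP-UX netstat prints, and the Linux "0.0.0.0:389" and ":::389" forms are accepted too so the script can be tried on other systems.

```shell
#!/bin/sh
# Pre-setup port check. Added example, not part of the HP guide.
# Encodes the rules of section 1.2.1: ports 1025-65535 are allowed, plus
# 389 (LDAP) and 636 (LDAPS); the two servers need distinct ports; and a
# port already in LISTEN state in "netstat -an" output cannot be used.

# valid_ds_port PORT -> 0 if PORT may be used for the Directory Server or
# Administration Server listener, 1 otherwise
valid_ds_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;          # empty or not a decimal number
        389|636)     return 0 ;;          # the two IANA-assigned LDAP ports
    esac
    [ "$1" -ge 1025 ] && [ "$1" -le 65535 ]
}

# port_listening NETSTAT_OUTPUT PORT -> 0 if a TCP socket in the text is in
# LISTEN state on PORT. HP-UX prints local addresses as "*.389"; the
# Linux-style "0.0.0.0:389" and ":::389" forms are accepted as well.
port_listening() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, "[.:]")      # last element is the port number
            if (a[n] == port) { found = 1; exit }
        }
        END { exit (found ? 0 : 1) }'
}

# check_setup_ports DS_PORT ADMIN_PORT NETSTAT_OUTPUT -> 0 if both ports are
# allowed, distinct and free; otherwise prints the first problem and returns 1
check_setup_ports() {
    ds=$1; admin=$2; ns=$3
    valid_ds_port "$ds"    || { echo "Directory Server port $ds is outside the allowed range"; return 1; }
    valid_ds_port "$admin" || { echo "Administration Server port $admin is outside the allowed range"; return 1; }
    [ "$ds" -ne "$admin" ] || { echo "Directory Server and Administration Server ports must differ"; return 1; }
    if port_listening "$ns" "$ds"; then
        echo "port $ds is already in use"; return 1
    fi
    if port_listening "$ns" "$admin"; then
        echo "port $admin is already in use"; return 1
    fi
    return 0
}

# Constructed sample of HP-UX "netstat -an" output for the demonstration;
# on a real host use:  check_setup_ports 389 9830 "$(netstat -an)"
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  *.22                   *.*                    LISTEN
tcp        0      0  *.389                  *.*                    LISTEN
tcp        0      0  10.0.0.5.389           10.0.0.9.51234         ESTABLISHED
udp        0      0  *.514                  *.*'

# The default LDAP port is taken in the sample, so the first call reports it
if ! check_setup_ports 389 9830 "$SAMPLE_NETSTAT"; then
    echo "choose another LDAP port or stop the service that holds it"
fi
if check_setup_ports 1389 9830 "$SAMPLE_NETSTAT"; then
    echo "ports 1389 and 9830 are usable"
fi
```

A port that netstat does not show can still be claimed by a service that starts later, so treat the check as a planning aid and re-run it just before starting the setup script.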

1.2.2 Directory Server user and group

The setup process sets a user ID (UID) and group ID (GID) as which the servers will run. The default UID is a non-privileged (non-root) user, www. HP strongly recommends using this default value. To simplify administration, you can use the same UID for both the Directory Server and the Administration Server. If you choose a different UID for each server, these UIDs must belong to the group assigned to Directory Server.
For security reasons, HP strongly discourages you from setting the Directory Server or Administration Server user to root. If an attacker gains control of a server process that runs as root, they can execute arbitrary system commands as root. Running the servers under a non-privileged UID confines a compromise of the server process to what that user is allowed to do.
Listening to restricted ports as unprivileged users
Even though port numbers less than 1024 are restricted, the LDAP server can listen on port 389 (and any port number less than 1024), as long as the server is started by the root user or by init when the system starts up. The server first binds and listens on the restricted port as root, then immediately drops privileges to the non-root server UID. For more detailed technical information, see the setuid(2) manpage.
For more information on port numbers, see “Port numbers” (page 7).

1.2.3 Directory manager

The Directory Server setup creates a special user named the Directory Manager. The Directory Manager is a unique, powerful entry that is used to administer all user and configuration tasks.
The Directory Manager is a special entry that does not have to conform to a Directory Server configured suffix; additionally, access controls, password policy, and database limits for size, time, and lookthrough do not apply to the Directory Manager. There is no directory entry for the Directory Manager user; it is used only for authentication. You cannot create an actual Directory Server entry that uses the same distinguished name (DN) as the Directory Manager DN.
The Directory Server setup process prompts for a DN and a password for the Directory Manager. The default value for the Directory Manager DN is cn=Directory Manager. The Directory Manager password must contain at least 8 characters, which must be ASCII letters, digits, or symbols.

1.2.4 Directory administrator

The Directory Server setup also creates an administrator user named Directory Administrator, which is specifically for Directory Server and Administration Server management. The Directory Administrator is the "super user" that manages all Directory Server and Administration Server instances through the Directory Server Console. Every Directory Server is configured to grant this user administrative access.
There are important differences between the Directory Administrator and the Directory Manager:
The administrator cannot create top-level entries for a new suffix through an add operation, neither by adding an entry in the Directory Server Console nor by using ldapadd, a tool provided with OpenLDAP. By default, only the Directory Manager can add top-level entries. To allow other users to add top-level entries, create entries with the appropriate access control statements in an LDIF file, and perform an import or database initialization procedure using that LDIF file.
Password policies do apply to the administrator, but you can set a user-specific password policy for the administrator.
Size, time, and lookthrough limits apply to the administrator, but you can set different resource limits for this user.
The Directory Server setup process prompts for a user name and a password for the Directory Administrator. The default Directory Administrator user name is admin. For security, the Directory Administrator's password must not be the same as the Directory Manager's password.

1.2.5 Administration Server user

By default, the Administration Server runs as the same non-root user as the Directory Server. Custom and silent setups provide the option to run the Administration Server as a different user than the Directory Server.
The default Administration Server user is the same as the Directory Server user, which is www. If the Administration Server is given a different UID, then that user must belong to the group to which the Directory Server user is assigned.

1.2.6 Directory suffix

The directory suffix is the first entry within the directory tree. At least one directory suffix must be provided when the Directory Server is set up. The recommended directory suffix name is one that matches your organization's Domain Name System (DNS) domain name. For example, if the Directory Server host name is ldap.example.com, the directory suffix is dc=example,dc=com. The setup script constructs a default suffix based on the DNS domain or the fully-qualified host and domain name provided during setup. This suffix naming convention is not required, but HP strongly recommends it.
After setup, you can create additional suffixes for the Directory Server instance using the Console or the command line (for more information, see the HP-UX Directory Server administrator guide). In addition, you can use the ConfigFile parameter in the setup command line or within a setup file (see "Importing LDIF files for configuring Directory Server users, replication, and other entities" (page 36)).

1.2.7 Configuration directory

The configuration directory (also referred to as the Configuration Directory Server) is the main directory that stores configuration information such as log files, configuration files, and port numbers. These configuration data get stored in the o=NetscapeRoot tree. A single Directory Server instance can be both the configuration directory and the user directory.
If you install Directory Server for general directory services, and more than one Directory Server exists in your organization, you must determine which Directory Server instance will host the configuration directory tree, o=NetscapeRoot. Make this decision before installing any compatible Directory Server applications. The Directory Server setup script asks if you want to register the new Directory Server instance with an existing Configuration Directory Server, and if you do, it prompts you for information about the Configuration Directory Server. If you are setting up the first Directory Server instance on the network, then the new Directory Server instance will be set up as the Configuration Directory Server as well.
Because the main configuration directory generally experiences low traffic, you can permit its server instances to coexist on any machine with a heavier-loaded Directory Server instance. However, for large sites that deploy a large number of Directory Server instances, improve performance by dedicating a low-end machine for the configuration directory. Directory Server instances write to the configuration directory, and for larger sites, this write activity can create performance issues for other directory service activities. The configuration directory can be replicated to increase availability and reliability.
If the configuration directory tree gets corrupted, you may have to re-register or re-configure all Directory Server instances. To prevent this:
Always back up the configuration directory after setting up a new instance.
Never change a host name or port number while the instance is registered in the configuration directory.
Do not modify the configuration directory tree directly; leave changes to it to the setup script.

1.2.8 Administration domain

The administration domain allows servers to be grouped together logically when splitting administrative tasks. This level of organization is beneficial, for example, when different divisions within an organization want individual control of their servers while system administrators require centralized control of all servers.
When setting up the administration domain, consider the following:
Each administration domain must have an administration domain owner with complete access to all the domain servers but no access to the servers in other administration domains. The administration domain owner may grant individual users administrative access on a server-by-server basis within the domain.
All servers must share the same configuration directory. The Configuration Directory Administrator has complete access to all installed Directory Servers, regardless of the domain.
Servers in two different domains can use different user directories for authentication and user management.
The Directory Server setup script allows you to set up a separate Administration domain for the new Directory Server instance. If you do not need to set up a different domain for the new instance, the default is the host's domain (the domain of the new Directory Server instance).

2 System requirements

Before configuring the default HP-UX Directory Server 8.1 instances, it is important to verify that the host server has the required system settings and configuration:
The system must have the required packages, patches, and kernel parameter settings.
DNS must be properly configured on the target system.
The host server must have a static IP address.
System settings, like the number of file descriptors and TCP information, should be reconfigured to optimize the Directory Server performance.
This chapter covers the software and hardware requirements, operating system patches and settings, and system configurations that are necessary for Directory Server to perform well.
NOTE:
The requirements outlined in this chapter apply to production systems. For evaluating or prototyping Directory Server, you may choose not to fulfill all these requirements.

2.1 Hardware requirements

Table 2-1 details the hardware requirements for HP-UX Directory Server:

Table 2-1 Hardware requirements

Item                Description of requirement

Computer System     HP 9000 (PA2.0) or HP Integrity system.

Physical Memory     At least 256 MB of memory. HP recommends 512 MB to 4 GB of memory for best performance on large production systems.
                    The physical memory requirement for each Directory Server process depends on your particular configuration and database. Each server process requires at least 15 MB of memory. However, the server caches recently used entries, so depending on the size of the database served and the size of the entries cached, the memory requirement for a typical Directory Server process can exceed 2 GB.

Install Device      CD-ROM drive to load the software, or an Internet connection to Software Depot to download the software.

Disk space          The disk space requirements in /opt/dirsrv, /etc/opt/dirsrv, and /var/opt/dirsrv are as follows:
                    /opt/dirsrv: The initial product installation requires 115 MB of space in /opt/dirsrv for executables, libraries, scripts, and other related data. Each Directory Server instance created requires 1 MB of space in /opt/dirsrv.
                    /etc/opt/dirsrv: The initial product installation requires 0.5 MB of space in /etc/opt/dirsrv for shared configuration files. Each Directory Server instance created requires 1 MB of space in /etc/opt/dirsrv. The space usage in /etc/opt/dirsrv increases if customized schema is added for the Directory Server instance and as PKI-related material, such as trusted issuers in the certificate database, is added.
                    /var/opt/dirsrv: Each Directory Server instance created requires an absolute minimum of 33 MB of space in /var/opt/dirsrv for logs and database files. The space usage in /var/opt/dirsrv increases as LDAP entries are added to the Directory Server, as log files grow, and if the back-end database cache is increased.
The file system used for database files must have large file system support enabled. For more information, see “Large file support” (page 14).
Use the bdf command to determine the available disk space on your system:
bdf /opt/dirsrv
bdf /etc/opt/dirsrv
bdf /var/opt/dirsrv
bdf reports the file system that contains each path, so if the three trees live on one file system, compare the sum of their requirements against that single avail figure. For more information on the bdf command, see the bdf(1M) manpage.
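As an added example (not part of the HP guide), the following POSIX shell script turns the Table 2-1 figures and the bdf output above into a pre-flight check: required_mb computes the minimum for a tree given the number of instances planned, avail_mb reads the "avail" column from saved bdf output, and check_tree_space compares the two. The function names and the sample bdf output are constructed for the example; the sample shows the way bdf wraps a long device name onto its own line, which is the case the parser has to handle.

```shell
#!/bin/sh
# Disk space pre-check for the three Directory Server trees, using the
# figures in Table 2-1. Added example, not part of the HP guide. The
# bdf(1M) text is passed in as a string so that saved output can be checked.

# required_mb TREE INSTANCES -> prints the minimum MB for TREE when
# INSTANCES Directory Server instances will be created (Table 2-1 figures)
required_mb() {
    case $1 in
        /opt/dirsrv)     echo $((115 + $2)) ;;   # product files + 1 MB per instance
        /etc/opt/dirsrv) echo $((1 + $2)) ;;     # 0.5 MB shared config, rounded up, + 1 MB per instance
        /var/opt/dirsrv) echo $((33 * $2)) ;;    # 33 MB of logs and database per instance
        *) return 1 ;;
    esac
}

# avail_mb BDF_OUTPUT -> prints the "avail" column (kbytes) of the last
# file system line in BDF_OUTPUT converted to whole MB. bdf puts a long
# device name on a line of its own and the numbers on the next line, so
# the line holding the numbers is found by field count, not line number.
avail_mb() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 5 { avail = $(NF - 2) } END { print int(avail / 1024) }'
}

# check_tree_space TREE INSTANCES BDF_OUTPUT -> 0 if the file system holding
# TREE has enough space, else prints the shortfall and returns 1
check_tree_space() {
    need=$(required_mb "$1" "$2") || { echo "$1: not a Directory Server tree"; return 1; }
    have=$(avail_mb "$3")
    if [ "$have" -lt "$need" ]; then
        echo "$1: $have MB available, $need MB required for $2 instance(s)"
        return 1
    fi
    return 0
}

# Constructed sample of "bdf /var/opt/dirsrv" output with a wrapped device
# name; on a real host use:  check_tree_space /var/opt/dirsrv 2 "$(bdf /var/opt/dirsrv)"
SAMPLE_BDF='Filesystem          kbytes    used   avail %used Mounted on
/dev/vg00/lvol_var_opt_dirsrv
                   1048576  989696   20480   98% /var/opt'

# Constructed sample of "bdf /opt/dirsrv" output on an unwrapped line
SAMPLE_BDF_OPT='Filesystem          kbytes    used   avail %used Mounted on
/dev/vg00/lvol5    2097152  512000 1573000   25% /opt'

if ! check_tree_space /var/opt/dirsrv 1 "$SAMPLE_BDF"; then
    echo "extend the file system or choose another location before running setup"
fi
if check_tree_space /opt/dirsrv 3 "$SAMPLE_BDF_OPT"; then
    echo "/opt/dirsrv has room for three instances"
fi
```

The minimums are the absolute floors from Table 2-1; size /var/opt/dirsrv for the entries, logs, and database cache you actually expect rather than for 33 MB per instance.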

2.2 Operating system requirements

Directory Server runs on a 64-bit HP-UX 11i environment as a 64-bit process.
Directory Server runs on HP-UX version 11i v2 and v3 only; it is not supported on earlier HP-UX versions.
For information on the configuration of the operating system, see “HP-UX system configuration”
(page 13).

2.3 HP-UX patches

The HP-UX 11i host must have the correct packages and dependencies installed to run Directory Server. The patch list changes daily, so check the HP web site regularly to ensure you have the latest releases:
http://www.software.hp.com/SUPPORT_PLUS/qpk.html
http://welcome.hp.com/country/us/eng/support.htm
The following list describes patch and OS patch recommendations:
HP-UX 11i v2
HP recommends, but does not require, that you install the HP-UX 11i v2 OS patch level OE September 2004 or later.
HP also recommends, but does not require, that you install patch PHCO_37940. To install patch PHCO_37940, you must update your system to the B.11.23 September 2004 release.
Patch PHCO_37940 is an HP-UX 11i v2 pthread library cumulative patch. This patch improves performance of the HP-UX Directory Server on an HP-UX 11i v2 system.
HP-UX 11i v3
HP recommends, but does not require, that you install the HP-UX 11i v3 OS patch level OE September 2007 or later.
You can download patches and Quality Patch bundles from the HP IT Resource Center patch database:
http://itrc.hp.com/service/home/home.do
Select patch database under maintenance and support (hp products).

2.4 HP-UX system configuration

Before setting up Directory Server, tune your HP-UX system so Directory Server can access the respective kernel parameters. To tune HP-UX systems, enable large file support, set the TIME_WAIT value, and modify kernel parameters, as described in the following sections.
“Perl prerequisites”
“Kernel parameters” (page 13)
“TIME_WAIT setting” (page 14)
“Large file support” (page 14)

2.4.1 Perl prerequisites

The HP-UX Directory Server uses the Perl version installed with the operating system in /opt/perl_64/bin/perl. If this Perl version is not installed, contact HP support.

2.4.2 Kernel parameters

HP recommends that you set the following kernel parameters to the system default values:

Kernel Parameter     System Default Value
max_thread_proc      256
maxfiles             2048
maxfiles_lim         4096
nproc                4200

Kernel Parameter     Recommended Value
maxdsiz_64bit        If you use the default values for the above parameters, set the value for this parameter to at least 512 MB. This assumes that the Directory Server processes are tuned to use a single heap arena.

If you configure a large entry cache for your Directory Server, you will require more heap space, which means assigning a higher value to maxdsiz_64bit. Instead of attempting to predict how high the value should be (this is difficult to do), HP recommends setting it high initially and then tuning it to a lower size if desired.
To determine the current values of these kernel parameters, use sysdef(1M) or the following command on an HP 9000 or an HP Integrity (IA64) system:
# kctune | grep -e max_thread_proc -e maxfiles -e maxfiles_lim -e nproc
After reconfiguration, you can expect the output of that command to match the values in the table above.
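The check below is an added example, not HP's code: it compares kctune-style output against the values listed above, treating the defaults as minimum values and 512 MB (expressed in bytes) as the floor for maxdsiz_64bit. The sample outputs are constructed, and the kctune column layout (tunable name, value, expression) is assumed.

```shell
#!/bin/sh
# Added example (not HP's code): compare kctune-style output against the
# kernel parameter values recommended in the guide. Sample outputs below are
# constructed; the kctune column layout (name, value, expression) is assumed.

# check_kernel_params reads kctune output on stdin, prints each parameter whose
# value is below the recommended value (or is not reported at all), and exits
# non-zero if any were found. The guide's defaults are treated as minimums;
# maxdsiz_64bit is checked against 512 MB in bytes.
check_kernel_params() {
    awk '
    BEGIN {
        want["max_thread_proc"] = 256
        want["maxfiles"]        = 2048
        want["maxfiles_lim"]    = 4096
        want["nproc"]           = 4200
        want["maxdsiz_64bit"]   = 512 * 1024 * 1024
    }
    ($1 in want) {
        seen[$1] = 1
        if ($2 + 0 < want[$1]) {
            printf "%s=%s is below the recommended %d\n", $1, $2, want[$1]
            bad++
        }
    }
    END {
        for (p in want) if (!(p in seen)) { printf "%s not reported\n", p; bad++ }
        exit (bad > 0) ? 1 : 0
    }'
}

# Constructed kctune-style output for a host at the guide's default values.
sample_kctune_ok() {
    cat <<'EOF'
Tunable            Value  Expression  Changes
max_thread_proc      256  Default
maxfiles            2048  Default
maxfiles_lim        4096  Default
nproc               4200  Default
maxdsiz_64bit  4294967296  Default     Immed
EOF
}

# Constructed output for a host whose maxdsiz_64bit was lowered to 256 MB.
sample_kctune_low() {
    sample_kctune_ok | sed 's/^maxdsiz_64bit .*/maxdsiz_64bit   268435456  Default     Immed/'
}

# On a real HP-UX host the same check is:  kctune | check_kernel_params
sample_kctune_low | check_kernel_params || echo "tune maxdsiz_64bit before installing Directory Server"
```

The function exits non-zero on the first host that is out of tune, so it can gate an automated installation run; a parameter that kctune does not report at all is also flagged rather than silently passed.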

2.4.3 TIME_WAIT setting

Normally, client applications that shut down correctly cause the socket to linger in a TIME_WAIT state. Verify that the TIME_WAIT entry is set to a reasonable duration. For example:
# ndd -set /dev/tcp tcp_time_wait_interval 60000
This limits the socket TIME_WAIT state to 60 seconds.

2.4.4 Large file support

To run Directory Server on HP-UX, you must enable large file support for the file system where the directory data is stored. By default, directory data is stored below the /var/opt/dirsrv directory. If large file support is not enabled for the file system for this directory, use the fsadm command to enable it. In the following example, the root of the file system for the /var/opt/dirsrv directory is /var:
# fsadm -F vxfs -o largefiles /var
If the file system for the /var/opt/dirsrv directory does not support online administration, you must unmount the file system and specify the device file. For more information, see fsadm(1M).

3 Setting up HP-UX Directory Server

This chapter describes the complete process for installing Directory Server on HP-UX 11i. It includes instructions for installing the HP-UX Apache web server and the JRE and Directory Server packages, and describes the various options for setting up the Directory Server.

3.1 Overview

Installing and configuring HP-UX Directory Server on HP-UX has the following major steps:
1. Ensure that you have the required version of HP-UX Apache-based web server installed on the system.
2. Install the required version of the Java® Runtime Environment (JRE).
3. If the Directory Server will use GSS-API (Generic Security Services Application Program Interface) for authentication, install the Kerberos 5 client (KRB5CLIENT) libraries.
4. Install the Directory Server package.
5. Run the setup script. In this step, you provide all the information about the new Directory Server instance. You can run the script interactively, responding to prompts to provide the setup information, or run the script in silent mode, providing a setup file that provides the setup information. You can also pass setup parameters in the command line.
CAUTION: If a Directory Server (notably Netscape Directory Server 6.21 or Red Hat Directory Server 7.1) is already installed on your machine, it is extremely important that you perform a migration, not a fresh installation. Migration is described in Chapter 6 (page 47).
NOTE:
Before beginning the installation process, make sure that your system meets the requirements in Chapter 2 (page 11).

3.2 HP-UX Apache-based web server requirement

The Directory Administration Server 8.1 requires Apache plug-ins and dependent libraries. Before you attempt to install HP-UX Directory Server 8.1, ensure that the HP-UX Apache web server software B.2.0.50.01 or greater is installed. To verify the HP-UX Apache web server software version, use the following command:
# swlist -l product | grep hpuxwsAPACHE
hpuxwsAPACHE B.2.0.55.03 HP-UX Apache-based Web Server
The HP-UX Apache-based Web Server is available for download at:
http://www.hp.com/go/softwaredepot
To locate the software at this site, enter HP-UX Apache-based Web Server in the search field.

3.3 Installing the JRE

The Java JRE libraries are not bundled with HP-UX Directory Server. You must install them before installing HP-UX Directory Server. HP-UX Directory Server 8.1 depot is built with dependency on JRE version 1.5.0.11 or greater. HP-UX Directory Server has been tested with the JRE revision 1.5.0.11. A JRE15 version which is greater than JRE 1.5.0.11 may also work. Installation of HP-UX Directory Server using swinstall verifies whether JRE package requirements are met.
If a version of JRE 1.5 is already installed on the system and the version is equal to or greater than 1.5.0.11, you can skip the JRE installation requirement.
To check if the correct version of JRE 1.5 is installed on the system, use the following command:
# /usr/bin/swlist -l product | grep Jre
If the JRE 1.5 version is less than 1.5.0.11, or if JRE 1.5 is not installed on the system, install JRE 1.5.0.11. To download and install JRE for Java 2 platform HP-UX Integrity version 1.5.0.11 (.depot) or HP-UX PA-RISC version 1.5.0.11 (.depot), use the following procedure:
1. Go to the following web site:
http://www.hp.com/go/java
Look for the following or supported later versions (5.0.xx, where xx is 11 or later), as applicable to your environment:
Itanium® JRE 5.0.11 - Nov 7
PA-RISC JRE 5.0.11 - Nov 7
2. Complete the form and choose Download.
3. Install the depot on your machine.
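As an added example (not HP's code) of verifying the prerequisites from sections 3.2 and 3.3 without reading swlist output by eye: version_ge compares dotted revisions such as B.2.0.55.03 and 1.5.0.11 field by field, and check_prereq applies it to swlist -l product output. The swlist lines are constructed, and the Jre15 product tag is an assumption.

```shell
#!/bin/sh
# Added example (not HP's code): check prerequisite versions from
# "swlist -l product" output. Sample lines are constructed; the Jre15
# product tag is assumed.

# version_ge A B: succeeds when dotted revision A is greater than or equal to B.
# Numeric fields compare as numbers; a leading letter field such as "B" compares as text.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i in x) ? x[i] : 0
            q = (i in y) ? y[i] : 0
            if (p ~ /^[0-9]+$/ && q ~ /^[0-9]+$/) { p += 0; q += 0 }
            if (p < q) exit 1
            if (p > q) exit 0
        }
        exit 0
    }'
}

# installed_version PRODUCT SWLIST_OUTPUT: prints the revision column for PRODUCT
# (second column of the matching swlist line), or nothing if it is not installed.
installed_version() {
    printf '%s\n' "$2" | awk -v p="$1" '$1 == p { print $2; exit }'
}

# check_prereq PRODUCT MINIMUM SWLIST_OUTPUT: succeeds only when PRODUCT is
# present in the swlist output at revision MINIMUM or later.
check_prereq() {
    v=$(installed_version "$1" "$3")
    [ -n "$v" ] && version_ge "$v" "$2"
}

# Constructed stand-in for:  /usr/bin/swlist -l product
SAMPLE_SWLIST='# Initializing...
# Contacting target "ldap"...
  hpuxwsAPACHE  B.2.0.55.03  HP-UX Apache-based Web Server
  Jre15         1.5.0.11     Java 1.5 JRE for HP-UX'

# Minimums named in the guide: Apache B.2.0.50.01, JRE 1.5.0.11.
check_prereq hpuxwsAPACHE B.2.0.50.01 "$SAMPLE_SWLIST" && echo "Apache prerequisite satisfied"
check_prereq Jre15 1.5.0.11 "$SAMPLE_SWLIST" && echo "JRE prerequisite satisfied"
```

On a real host, replace the constructed SAMPLE_SWLIST with `$(/usr/bin/swlist -l product)`; the field-by-field comparison avoids the mistake of treating 1.5.0.9 as newer than 1.5.0.11, which a plain string comparison would.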

3.4 Installing the Kerberos 5 libraries

The Directory Server can use GSS-API for authentication. To use GSS-API, you must first install the Kerberos 5 client (KRB5CLIENT) libraries, version 1.6.2 or later. You can download the KRB5CLIENT package from the following location:
http://www.hp.com/go/softwaredepot

3.5 Installing the Directory Server package

Install the Directory Server package from the following location:
http://www.hp.com/go/softwaredepot

3.6 Setting up the Directory Server and Administration Server

3.6.1 Setup overview

After you have completed the steps recommended in the preceding sections, you can create and configure the Directory Server and Administration Server instances by using the setup-ds-admin.pl script. The following is the basic command for running the script interactively:
/opt/dirsrv/sbin/setup-ds-admin.pl
If you choose to run the script interactively, the script allows you to choose one of the following setup modes:
Express
Typical
Custom
These setup modes provide different levels of control over the configuration settings, such as port numbers, directory suffixes, and users and groups for the Directory Server processes.
Express setup has the least amount of input, meaning it uses more default or randomly-generated settings, while custom setup gives you the most control over the configuration (you provide much of the configuration information). These setup modes are described in Table 3-2. For most deployments, the typical installation type suffices.
If you choose to run the script silently instead of interactively, you provide a file with predefined settings to create a new Directory Server without any user interaction. This is extremely useful for setting up large numbers of Directory Server instances, because it does not require any user involvement after the package is installed.
You can also provide a setup file with certain parameters predefined for interactive mode. In addition, when you enter the command to run the script for interactive or silent mode, you can pass parameters in the command line. They can be used to determine default parameter values for certain interactive setup prompts or to override the values defined in a provided setup file. Options that you can specify with the command line are described in Table 3-1.
The remainder of this section covers the following topics:
“Options for running the setup script” (page 17)
“Interactive setup modes” (page 20)
“Performing express setup” (page 22)
“Performing typical setup” (page 24)
“Performing custom setup” (page 26)
“Performing silent setup” (page 29)
“Sending parameters in the command line” (page 35)
“Importing LDIF files for configuring Directory Server users, replication, and other entities” (page 36)
NOTE:
Directory Server version 8.1 conforms to the Filesystem Hierarchy Standards (FHS). This means that the directories and files are in different locations than in previous versions. For more information on FHS, see the following web address:
http://www.pathname.com/fhs/
For information on new file locations, see “Directory Server file locations” (page 43).

3.6.2 Options for running the setup script

In interactive mode, the setup-ds-admin script launches a series of dialog screens prompting you for a yes or no answer or simple text input.
When running the script, you can pass arguments in the command line that provide values for specific setup parameters. You can also specify options in the command line that allow you to supply predefined values from a specified file (using the -f option). In addition, you can run the script silently instead of interactively, using the predefined values from a specified file (using the -s option in conjunction with the -f option). Passing arguments in the command line, or specifying a file with predefined values, sets the defaults used in the script's interactive prompts. If you specify the -s (silent) option, there are no interactive prompts; values specified in the command line or predefined in the specified file automatically determine the values used for setting up a Directory Server instance. For a list of the command line options available with the setup-ds-admin script, see Table 3-1.
Responding to prompts and navigating between screen prompts
When you run the script interactively, the setup script prompts you for input. Observe these guidelines:
Each prompt includes a default answer in square brackets. In the following example, the default answer is yes.
Would you like to continue with setup? [yes]:
Pressing Enter accepts the default answer and proceeds to the next dialog screen prompt.
Yes or No prompts accept y for Yes and n for No.
To return to a previous dialog screen prompt, type Ctrl-B and press Enter. You can backtrack all the way to the first screen prompt.
Two prompts ask for a password. After entering a password for the first time, confirm the password by typing it in again. The password prompts do not echo the characters entered, so be sure to type them correctly.
When the script finishes, it generates a temporary log file in the /tmp directory called setupXXXXXX.log, where XXXXXX is a series of random characters. This log file contains all the prompts and answers (except for passwords) supplied to those prompts. You can specify a path and name of a log file to which the script writes output by specifying the -l option in the command line that runs the script. For more information on this and other options available with the script command line, see Table 3-1 (page 19).
Specifying parameter values or a setup file at the command line
Passing values for specific setup parameters
When passing values for parameters in the command line that runs the script, you specify the parameters (directives) in the format used in the configuration file that the script generates for the Directory Server instance. This setup configuration file has three sections, one for each of the major components of Directory Server: General (host server), slapd (LDAP server), and admin (Administration Server). Command-line arguments specify the setup file section, parameter, and value in the following form:
section.parameter=value
The following command example sets the machine name, suffix, and Directory Server port of the new Directory Server instance. The interactive setup script displays these values as the defaults for the associated parameters. In silent mode, these are the values used for configuring the Directory Server.
# /opt/dirsrv/sbin/setup-ds-admin.pl General.FullMachineName=ldap.example.com \
    "slapd.Suffix=dc=example, dc=com" slapd.ServerPort=389
If argument values contain spaces or other shell special characters, prevent the shell from interpreting them by enclosing the values in quotes. In the previous example, the suffix value has a space character, so the entire directive has to be quoted. If many of the directives have to be quoted or escaped, use a setup file with predefined values instead of passing these arguments in the command line.
Specifying a setup file with predefined values
In the command line, you can use the -f option to specify a setup file that includes predefined parameter values. The following command specifies that the script use file custom.inf to determine the default values for prompts in interactive mode:
# /opt/dirsrv/sbin/setup-ds-admin.pl -f custom.inf
Running the setup script in silent mode
To run the script in silent mode, include the -s option in the command line, along with the -f option and a specified setup file. The following command specifies that the setup script run silently, using setup file common.inf to provide the values for Directory Server parameters.
# /opt/dirsrv/sbin/setup-ds-admin.pl -s -f common.inf
The setup configuration file used for silent mode is described in more detail in “Performing silent setup” (page 29).
Passing specific parameter values in conjunction with a specified setup file
When you specify a setup file in the command line in conjunction with command line parameters, the parameters passed in the command line override the predefined values specified in the setup file. This is useful when you have created a setup file to serve as the basis for setting up multiple Directory Server instances. The command line parameters specify values specific to the Directory Server being set up. For example, parameters such as ConfigDirectoryLdapURL, which can be used for multiple instances, could be specified in the setup file. Parameters such as FullMachineName, which is specific to the host, could be specified in the command line. For example, with the following command, the setup script uses the common parameter values specified in the common.inf file, but overrides the host-specific parameter values for FullMachineName and ServerIdentifier with those specified in the command line. This command runs the script in silent mode.
# /opt/dirsrv/sbin/setup-ds-admin.pl -s -f common.inf \
    General.FullMachineName=ldap37.example.com slapd.ServerIdentifier=ldap37
NOTE:
The section names and parameter names used in setup files and on the command line are case sensitive. For information on correct capitalization, see Table 3-1.
The setup file can include a parameter that imports the contents of any LDIF file into the Directory Server. This parameter, ConfigFile, is set in the [slapd] section of the setup file. This is extremely useful for preconfiguring users, replication, and other directory management entries. For more information on using the ConfigFile parameter to configure the Directory Server, see “Importing LDIF files for configuring Directory Server users, replication, and other entities” (page 36).
Setup script command line options
Table 3-1 setup-ds-admin options

Option: --file=name (alternate: -f name)
This sets the path and name of the file which contains configuration settings for the new Directory Server instance. You can use this option with the -s option. If you use the -f option without the -s, the specified file sets the default values for the setup interactive prompts. For example:
/opt/dirsrv/sbin/setup-ds-admin.pl -f ./sample.inf

Option: --silent (alternate: -s)
This causes the setup script to run in silent mode, using the configuration information predefined in a file rather than specified interactively; specify the file name with the -f option. For example:
/opt/dirsrv/sbin/setup-ds-admin.pl -f ./setup.inf -s
(Configuration information can also be specified in the command line; this information overrides the corresponding information defined in the setup file.)

Option: --debug (alternate: -d[dddd])
This turns on debugging information. With the -d flag, increasing the number of ds increases the debug level.

Option: --keepcache (alternate: -k)
This saves the temporary configuration setup file (file name .inf) that is created when the setup script is run interactively. This file can then be reused for a silent setup.
CAUTION: This file (also referred to as a cache file) contains the cleartext passwords supplied during setup. Use appropriate caution and protection with this file.

Option: --logfile name (alternate: -l name)
This specifies the log file to which the script writes the output, including errors. You can specify the path and name. In an interactively run script, the file contains all prompts and answers (except for passwords). If this option is not set, the output is written to a temporary file in the /tmp directory called setupXXXXXX.log, where XXXXXX is a series of random characters. The following command directs the script to write output to the file /tmp/2009-jun.log:
# /opt/dirsrv/sbin/setup-ds-admin.pl -l /tmp/2009-jun.log

3.6.3 Interactive setup modes

When you launch the setup-ds-admin.pl script to configure the new Directory Server and Administration Server instance interactively, the script allows you to choose one of three setup modes:
Express  The fastest setup mode. This requires minimal interaction. For almost all settings, default settings are provided by HP. Because express installation does not offer the choice of selecting the Directory Server port number or the directory suffix, among other settings, HP recommends that you use it for evaluation purposes only, not for production deployments. Also, express setups can fail if default configuration values are not available (there is no way to offer an alternative).
Typical  The default and most common setup mode. This prompts you to supply more detailed information about the directory service, such as suffix and configuration directory information, while still proceeding quickly through the setup process.
Custom  The most detailed setup mode. This provides more control over Administration Server settings and also allows data to be imported into the Directory Server at setup, so that entries are already populated in the databases when the setup is complete.
TIP:
If you are installing Directory Server for evaluation, use the Express or Typical setup mode. These processes are very fast, and can help get your directory service up and running quickly.
The information requested by the interactive setup script is described in Table 3-2. More information about all setup file parameters, and whether they are optional or required, is provided in “Setup file directives” (page 31).
As already discussed in “Options for running the setup script” (page 17), another setup option is silent setup, which uses a configuration file and command-line options to supply the Directory Server settings automatically. In this case, the script requires no user interaction. You can also pass setup arguments in the command line that launches the script. The rightmost column of Table 3-2 indicates which setup parameters can be addressed in the silent setup.
Table 3-2 Comparison of setup types

Setup screen prompt                                                   Parameter input                                   Silent setup
Continue with setup                                                   Yes or no                                         N/A
Choose setup type                                                     1 (express), 2 (typical), or 3 (custom)           N/A
Set the computer name                                                 ldap.example.com
Set the user as which the Directory Server will run                   www
Set the group as which the Directory Server will run                  other
Register the new Directory Server with an existing                    Yes or no                                         N/A
Configuration Directory Server
Set the Configuration Directory Server URL [1]                        ldap://ldap.example.com:389/o=NetscapeRoot
Give the Configuration Directory Server user distinguished            admin
name (DN) [1]
Give the Configuration Directory Server user password [1]             password
Give the Configuration Directory Server administration domain [1]     example.com
Give the path to the CA certificate (if using LDAPS) [1]              /tmp/cacert.asc
Set the Configuration Directory Server Administrator user name [2]    admin
Set the Configuration Directory Server Administrator password [2]     password
Set the Configuration Directory Server domain [2]                     password
Set the Directory Server port                                         389
Set the Directory Server identifier                                   ldap
Set the Directory Server suffix                                       dc=domain, dc=domain
Set the Directory Manager (DN)                                        cn=Directory Manager
Set the Directory Manager password                                    password
Populate the Directory Server with entries                            Yes or no: install sample entries; supply the
                                                                      full path and file name to an LDIF file; type
                                                                      suggest, which imports common container entries,
                                                                      such as ou=People; or type none, which does not
                                                                      import any data
Set the Administration Server port                                    9830
Set the Administration Server IP address                              blank (all interfaces)
Set user as which the Administration Server runs                      daemon
Are you ready to configure your servers?                              Yes or no                                         N/A

[1] This option is only available if you choose to register the Directory Server instance with an existing Configuration Directory Server.
[2] This option is only available if you choose not to register the Directory Server instance with an existing Configuration Directory Server. In that case, the Directory Server being set up is created and configured as a Configuration Directory Server, using the Configuration Directory Server name and password that you specify.

3.6.4 Performing express setup

Use express installation if you are installing Directory Server for an evaluation or trial. Because express installation does not offer the choice of selecting the Directory Server server port number or the directory suffix, among other settings, HP recommends not using it for production deployments.
CAUTION: If a Directory Server (notably Netscape Directory Server 6.21 or Red Hat Directory Server 7.1) is already installed on your machine, it is extremely important that you perform a migration, not a fresh installation. Migration is described in Chapter 6 “Migrating or upgrading to HP-UX Directory Server from Netscape or Red Hat Directory Server”.
NOTE:
The setup script gets the host information from the /etc/resolv.conf file. If the /etc/hosts file includes aliases (such as ldap.example.com) that do not match the /etc/resolv.conf settings, the setup script cannot use the default host name option, and setup will fail.
1. Launch the setup-ds-admin.pl script using the following command.
NOTE:
Run the setup-ds-admin.pl script as root.
# /opt/dirsrv/sbin/setup-ds-admin.pl
2. When asked to choose the setup type, enter 1 to perform an express setup.
3. This step allows you to register your Directory Server with an existing Directory Server instance that serves as the Configuration Directory Server. This registers your new instance so it can be managed by the Console. If you are setting up the first Directory Server instance on your network, you cannot register it with another directory; you must set up your Directory Server as the Configuration Directory Server. To set up this Directory Server as a Configuration Directory Server, select n. The next express installation step is setting up the administrator user.
To register the Directory Server instance with an existing Configuration Directory Server, select yes. This initiates the registration process in which you must supply the following information about the Configuration Directory Server. This information is supplied in place of setting up the administrator user for the new Directory Server (steps 4 and 5).
The Configuration Directory Server URL, such as
ldap://ldap.example.com:389/o=NetscapeRoot
To use TLS/SSL, set the protocol as ldaps:// instead of ldap://
For LDAPS, use the secure port (636) instead of the standard port (389), and provide a CA certificate.
The Configuration Directory Server administrator's user DN; by default, this is admin.
The administrator user's password.
The Configuration Directory Server Admin domain, such as example.com.
The CA certificate to authenticate to the Configuration Directory Server. This is only required if the Directory Server instance will connect to the Configuration Directory Server over LDAPS. This should be the full path and filename of the CA certificate in PEM/ASCII format.
4. If you registered your Directory Server with an existing Configuration Directory Server, skip to step 6. Otherwise, continue with this step.
Set the administrator user name. The default is admin.
5. Set the administrator password and confirm it.
6. Set the Directory Manager user name (DN). The default is cn=Directory Manager.
7. Set the Directory Manager password and confirm it.
8. The last prompt asks if you are ready to set up your servers. Answer yes, after which messages such as the following are displayed. If you are not ready, answer no to return to the preceding prompt; use Ctrl-B (followed by pressing Enter) to continue to preceding prompts.
Are you ready to set up your servers? [yes]: y
Creating directory server . . .
Your new DS instance 'example' was successfully created.
Creating the configuration directory server . . .
Beginning Admin Server reconfiguration . . .
Creating Admin Server files and directories . . .
Updating adm.conf . . .
Updating admpw . . .
Registering admin server with the configuration directory server . . .
Updating adm.conf with information from configuration directory server . . .
Updating the configuration for the httpd engine . . .
Restarting admin server . . .
The admin server was successfully started.
Admin server was successfully reconfigured and started.
Exiting . . .
Log file is '/tmp/setup0C7tiV.log'
The setup-ds-admin.pl script applies all default options for the Directory Server configuration, including the instance name (for example, ldap.example.com), domain (for example, example.com), suffix (for example, dc=example, dc=com), and port numbers (389 for the Directory Server instance and 9830 for the Administration Server).
When the setup-ds-admin.pl script is done, the Directory Server is configured and running. To log into the Directory Server Console to begin setting up your directory service, do the following:
1. Get the Administration Server port number from the Listen parameter in the console.conf configuration file.
# grep \^Listen /etc/opt/dirsrv/admin-serv/console.conf
Listen 0.0.0.0:9830
2. Using the Administration Server port number, launch the Console.
# /opt/dirsrv/bin/hpds-idm-console -a http://localhost:9830
NOTE:
If you do not pass the Administration Server port number with the hpds-idm-console command, you are prompted for it at the Console login screen.

3.6.5 Performing typical setup

The typical setup process is the most commonly-used setup process. It offers control over the ports for the Directory and Administration Servers, the domain name, and directory suffix.
NOTE:
Run the setup-ds-admin.pl script as root.
The typical setup has the following steps:
CAUTION: If a Directory Server (notably Netscape Directory Server 6.21 or Red Hat Directory Server 7.1) is already installed on your machine, it is extremely important that you perform a migration, not a fresh installation. Migration is described in Chapter 6 “Migrating or upgrading to HP-UX Directory Server from Netscape or Red Hat Directory Server”.
1. Launch the setup-ds-admin.pl script:
# /opt/dirsrv/sbin/setup-ds-admin.pl
2. When asked to choose the setup type, accept the default (option 2) to perform a typical setup.
3. Set the computer name of the machine on which the Directory Server is being configured. This defaults to the fully-qualified domain name (FQDN) for the host. For example:
Computer name [ldap.example.com]:
NOTE:
The setup script gets the host information from the /etc/resolv.conf file. If the /etc/hosts file includes aliases (such as ldap.example.com) that do not match the /etc/resolv.conf settings, you cannot use the default host name option.
The host name is very important. It is used for generating the Directory Server instance name, the admin domain, and the base suffix, among others. If you are using SSL/TLS or Kerberos, the computer name must be the exact name that clients use to connect to the system. If you will use DNS, make sure the name resolves to a valid IP address and that the IP address resolves back to this name.
4. Set the user and group that the Directory Server process will run as. The default is www:other. For example:
System User [www]:
System Group [other]:
HP recommends using the defaults. If you want to use a user or group other than the default, you must create the user or group before completing the setup script.
5. This step allows you to register your Directory Server with an existing Directory Server instance that serves as the Configuration Directory Server. This registers your new instance so it can be managed by the Console. If you are setting up the first Directory Server instance on your network, you cannot register it with another directory; you must set up your Directory Server as the Configuration Directory Server. To set up this Directory Server as a Configuration Directory Server, select n. The next installation steps (steps 6, 7, and 8) enable you to set up the administrator user.
To register the Directory Server instance with an existing Configuration Directory Server, select yes. This initiates the registration process in which you must supply the following information about the Configuration Directory Server. This information is supplied in place of setting up the administrator user for the new Directory Server (steps 6, 7, and 8).
The Configuration Directory Server URL, such as
ldap://ldap.example.com:389/o=NetscapeRoot
To use TLS/SSL, set the protocol as ldaps:// instead of ldap://
For LDAPS, use the secure port (636) instead of the standard port (389), and provide a CA certificate.
The Configuration Directory Server administrator's user DN; by default, this is admin.
The administrator user's password.
The Configuration Directory Server Admin domain, such as example.com.
The CA certificate to authenticate to the Configuration Directory Server. This is only required if the Directory Server instance will connect to the Configuration Directory Server over LDAPS. This should be the full path and filename of the CA certificate in PEM/ASCII format.
6. If you registered your Directory Server with an existing Configuration Directory Server,
skip to step 9. Otherwise, continue with this step.
Set the administrator user name. The default is admin.
7. Set the administrator password and confirm it.
8. Set the administration domain. This defaults to the host's domain. For example:
Administration Domain [example.com]:
9. Enter the Directory Server port number. The default is 389 unless that port is in use, in
which case the setup script supplies a randomly generated one.
Directory server network port [30860]: 1025
10. Enter the Directory Server identifier; this defaults to the host name.
Directory server identifier [example]:
11. Enter the directory suffix. This defaults to dc=domain name. For example, for domain
example.com, the default is shown as follows:
Suffix [dc=example, dc=com]:
NOTE:
After setup, you can create additional suffixes for the Directory Server instance using the Console or the command line (for more information, see the HP-UX Directory Server administrator guide). In addition, you can use the ConfigFile parameter in the setup command line or within a setup file (see “Importing LDIF files for configuring Directory
Server users, replication, and other entities” (page 36)).
12. Set the Directory Manager user name (DN). The default is cn=Directory Manager.
3.6 Setting up the Directory Server and Administration Server 25
13. Set the Directory Manager password and confirm it.
14. Enter the Administration Server port number. The default is 9830 unless that port is in use,
in which case the setup script supplies a randomly generated one.
Administration port [9830]:
15. The last prompt asks if you are ready to set up your servers. Answer yes, after which
messages such as the following are displayed. If you are not ready, answer no to return to the preceding prompt; use Ctrl-B (followed by pressing Enter) to continue to preceding prompts.
Are you ready to set up your servers? [yes]: y
Creating directory server . . .
Your new DS instance 'example2' was successfully created.
Creating the configuration directory server . . .
Beginning Admin Server reconfiguration . . .
Creating Admin Server files and directories . . .
Updating adm.conf . . .
Updating admpw . . .
Registering admin server with the configuration directory server . . .
Updating adm.conf with information from configuration directory server . . .
Updating the configuration for the httpd engine . . .
Restarting admin server . . .
The admin server was successfully started.
Admin server was successfully reconfigured and started.
Exiting . . .
Log file is '/tmp/setupulSykp.log'
When the setup-ds-admin.pl script is done, then the Directory Server is configured and running. To log into the Directory Server Console to begin setting up your directory service, do the following:
1. Get the Administration Server port number from the Listen parameter in the
console.conf configuration file.
# grep \^Listen /etc/opt/dirsrv/admin-serv/console.conf
Listen 0.0.0.0:9830
2. Using the Administration Server port number, launch the Console.
# /opt/dirsrv/bin/hpds-idm-console -a http://localhost:9830
NOTE:
If you do not pass the Administration Server port number with the hpds-idm-console command, you are prompted for it at the Console login screen.

3.6.6 Performing custom setup

Custom setup provides two special configuration options that allow you to add information to the Directory Server databases during setup. One imports an LDIF file, which is useful if you have existing information. The other imports sample data that is included with Directory Server; this is useful for testing features of Directory Server and for evaluation.
NOTE:
Run the setup-ds-admin.pl script as root.
The custom setup has the following steps:
CAUTION: If a Directory Server (notably Netscape Directory Server 6.21 or Red Hat Directory
Server 7.1) is already installed on your machine, it is extremely important that you perform a migration, not a fresh installation. Migration is described in Chapter 6 “Migrating or upgrading
to HP-UX Directory Server from Netscape or Red Hat Directory Server”.
1. Launch the setup-ds-admin.pl script:
# /opt/dirsrv/sbin/setup-ds-admin.pl
2. When asked to choose the setup type, enter 3 to perform a custom setup.
3. Set the computer name of the machine on which the Directory Server is being configured.
This defaults to the fully-qualified domain name (FQDN) for the host. For example:
Computer name [ldap.example.com]:
NOTE:
The setup script gets the host information from the /etc/resolv.conf file. If the /etc/hosts file includes aliases (such as ldap.example.com) that do not match the /etc/resolv.conf settings, you cannot use the default host name option.
The host name is very important. It is used to generate the Directory Server instance name, the admin domain, and the base suffix, among others. If you are using SSL/TLS or Kerberos, the computer name must be the exact name that clients use to connect to the system, because clients check it against the server certificate or service principal. If you will use DNS, make sure the name resolves to a valid IP address and that the IP address resolves back to this name.
4. Set the user and group that the Directory Server process will run as. The default is
www:other. For example:
System User [www]:
System Group [other]:
HP recommends using the defaults. If you want to use a user or group other than the default, you must create the user or group before completing the setup script.
5. This step allows you to register your Directory Server with an existing Directory Server
instance that serves as the Configuration Directory Server. This registers your new instance so that it can be managed by the Console. If you are setting up the first Directory Server instance on your network, you cannot register it with another directory; you must set up this Directory Server as the Configuration Directory Server. To do so, answer no. The next installation steps (steps 6, 7, and 8) then set up the administrator user.
To register the Directory Server instance with an existing Configuration Directory Server, answer yes. This starts the registration process, in which you must supply the following information about the Configuration Directory Server in place of setting up the administrator user for the new Directory Server (steps 6, 7, and 8).
The Configuration Directory Server URL, such as
ldap://ldap.example.com:389/o=NetscapeRoot
To use TLS/SSL, use ldaps:// instead of ldap://, the secure port (636 by default) instead of the standard port (389), and supply the CA certificate that issued the Configuration Directory Server's certificate. Registration performs a simple bind with the administrator's password, so over ldap:// that password crosses the network in cleartext; use ldaps:// unless both servers share a trusted network.
The Configuration Directory Server administrator's user DN; by default, this is admin.
The administrator user's password.
The Configuration Directory Server Admin domain, such as example.com.
The CA certificate to authenticate to the Configuration Directory Server. This is only
required if the Directory Server instance will connect to the Configuration Directory Server over LDAPS. This should be the full path and file name of the CA certificate in PEM/ASCII format.
6. If you registered your Directory Server with an existing Configuration Directory Server,
skip to step 9. Otherwise, continue with this step.
Set the administrator user name. The default is admin.
7. Set the administrator password and confirm it.
8. Set the administration domain. This defaults to the host's domain. For example:
Administration Domain [example.com]:
9. Enter the Directory Server port number. The default is 389 unless that port is in use, in
which case the setup script supplies a randomly generated one.
Directory server network port [389]: 1066
10. Enter the Directory Server identifier; this defaults to the host name.
Directory server identifier [example]:
11. Enter the directory suffix. This defaults to dc=domain name. For example, for domain
example.com, the default is shown as follows:
Suffix [dc=example, dc=com]:
NOTE:
After setup, you can create additional suffixes for the Directory Server instance using the Console or the command line (for more information, see the HP-UX Directory Server administrator guide). In addition, you can use the ConfigFile parameter in the setup command line or within a setup file (see “Importing LDIF files for configuring Directory
Server users, replication, and other entities” (page 36)).
12. Set the Directory Manager user name (DN). The default is cn=Directory Manager.
13. Set the Directory Manager password and confirm it.
14. Select whether you want to install sample entries with the Directory Server instance. An
example LDIF with preconfigured users, groups, roles, and other entries is imported into the Directory Server database. This option is helpful for evaluation or testing Directory Server features.
15. Select whether to populate the Directory Server with data; this means whether to import an
LDIF file with existing data into the Directory Server database. If the answer is yes, then supply a path to the LDIF file or select the suggested file. If the LDIF file requires custom schema, perform a silent setup instead, and use the SchemaFile directive in the .inf to specify additional schema files. For information on .inf directives, see “Setup file directives”
(page 31) .
The default option is none, which does not import any data.
16. Enter the Administration Server port number. The default is 9830 unless that port is in use,
in which case the setup script supplies a randomly generated one.
Administration port [9830]:
17. Set an IP address for the new Administration Server to use. The Administration Server uses
a web server, and this parameter is set in the console.conf file for the server. Setting this parameter restricts the Administration Server to that single IP. Set this if you are installing on a multi-homed system and do not want the Administration Server to use the first of the
IP addresses automatically assigned to the system. Using 0.0.0.0 (the default) allows the Administration Server to acquire any IP address.
18. Set the user that the Administration Server process will run as. The default is www. For
example:
Run Administration Server as [www]:
19. The last prompt asks if you are ready to set up your servers. Answer yes, after which
messages such as the following are displayed. If you are not ready, answer no to return to the preceding prompt; use Ctrl-B (followed by pressing Enter) to continue to preceding prompts.
Are you ready to set up your servers? [yes]: y
Creating directory server . . .
Your new DS instance 'example3' was successfully created.
Creating the configuration directory server . . .
Beginning Admin Server reconfiguration . . .
Creating Admin Server files and directories . . .
Updating adm.conf . . .
Updating admpw . . .
Registering admin server with the configuration directory server . . .
Updating adm.conf with information from configuration directory server . . .
Updating the configuration for the httpd engine . . .
Restarting admin server . . .
The admin server was successfully started.
Admin server was successfully reconfigured and started.
Exiting . . .
Log file is '/tmp/setupul88C1.log'
When the setup-ds-admin.pl script is done, then the Directory Server is configured and running. To log into the Directory Server Console to begin setting up your directory service, do the following:
1. Get the Administration Server port number from the Listen parameter in the
console.conf configuration file.
# grep \^Listen /etc/opt/dirsrv/admin-serv/console.conf
Listen 0.0.0.0:9830
2. Using the Administration Server port number, launch the Console.
# /opt/dirsrv/bin/hpds-idm-console -a http://localhost:9830
NOTE:
If you do not pass the Administration Server port number with the hpds-idm-console command, you are prompted for it at the Console login screen.

3.6.7 Performing silent setup

Silent setup uses a file to predefine all the Directory Server configuration parameters that are normally supplied interactively with the setup script. The silent functionality allows you to script the setup of multiple instances of Directory Server. Silent setup is useful at sites where many server instances must be created, especially for heavily replicated sites that will create a large number of consumer servers.
Silent setup uses the same script used to create instances of Directory Server and Administration Server. You specify a special option (-s) in the command line to cause the script to run silently. You specify an additional option that references the parameter setup file (for example, -f setup.inf). The command line can also include specific parameter values that override those defined in the referenced setup file.
For silent setup of both the Directory Server and Administration Server, do the following:
1. Install the Directory Server package.
2. Create the setup file. It must specify the following directives:
[General]
FullMachineName= dir.example.com
SuiteSpotUserID= www
SuiteSpotGroup= other
AdminDomain= example.com
ConfigDirectoryAdminID= admin
ConfigDirectoryAdminPwd= admin
ConfigDirectoryLdapURL= ldap://dir.example.com:389/o=NetscapeRoot

[slapd]
SlapdConfigForMC= Yes
UseExistingMC= No
ServerPort= 389
ServerIdentifier= dir
Suffix= dc=example,dc=com
RootDN= cn=Directory Manager
RootDNPwd= password123

[admin]
Port= 9830
ServerIpAddress= 192.0.2.11
ServerAdminID= admin
ServerAdminPwd= admin
NOTE:
To create the default Directory and Administration Servers, the setup file must contain three sections of directives: [General], [slapd], and [admin].
You can use silent mode to create additional Directory Server instances, in which case you omit the [admin] from the setup file. For more information, see “Creating a new Directory
Server instance silently” (page 39).
The predefined parameters in the setup file correspond to the information supplied during a typical setup. The setup file structure and directives are described in “Setup file directives”.
To create a setup file, you can run the setup script interactively with the -k option, which saves the setup file (.inf) after the installation. You can then use variations of this setup file for silent setup of subsequent instances, defining a unique instance name and port number for each run (and, if setting up Directory Server on another system, defining the host name). The saved file contains the Directory Manager and administrator passwords in cleartext, so restrict its permissions to its owner and protect it as you would the passwords themselves. For examples of setup files created using typical setup mode and custom setup mode, see “Sample setup files” (page 34).
3. Run the setup-ds-admin script with the -s and -f options.
# /opt/dirsrv/sbin/setup-ds-admin.pl -s -f /export/ds-inf/setup.inf
Running setup-ds-admin.pl installs both the Directory Server instance and the Administration Server instance. This means that the setup file must specify parameters for both the Directory Server and the Administration Server. The -s option runs the script in silent mode, and -f /export/ds-inf/setup.inf specifies the setup file to use (setup.inf).
After the script runs, the new Directory Server and Administration Server instances are configured and running, as with a standard setup.
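The procedure above, as an added example that is not part of the HP guide: a POSIX shell script that writes one silent-setup file per consumer instance from a common template, keeps each file readable only by its owner (it carries the Directory Manager and administrator passwords in cleartext), checks the directives the guide marks as required, and then runs setup-ds-admin.pl -s -f on each file. The directive names are those of the setup file above and Tables 3-3 to 3-5, and the script path is the guide's; the configuration directory URL, host names, ports and passwords are constructed, and the passwords are read from the environment variables DS_ADMIN_PWD and DS_ROOTDN_PWD (names assumed here) so that they never appear on a command line or in the process list.

```shell
#!/bin/sh
# Added example, not from the HP guide: per-instance silent-setup files
# generated from one template, owner-readable only, checked, then installed.
# Directive names follow Tables 3-3 to 3-5; everything else is constructed.
SETUP=/opt/dirsrv/sbin/setup-ds-admin.pl                # path from the guide
CFGURL=ldap://cfg.example.com:389/o=NetscapeRoot         # constructed config DS
DS_ADMIN_PWD=${DS_ADMIN_PWD:-Admin123}                   # constructed defaults;
DS_ROOTDN_PWD=${DS_ROOTDN_PWD:-Secret123}                # export real ones

# write_setup_inf OUT FQDN SERVERID LDAPPORT ADMINPORT SUFFIX
# Registers the new instance with the existing configuration directory
# (UseExistingMC= Yes) instead of making it a configuration directory.
write_setup_inf() {
    out=$1; fqdn=$2; sid=$3; lport=$4; aport=$5; suffix=$6
    domain=${fqdn#*.}                                    # ldap37.example.com -> example.com
    (
    umask 077                                            # file holds cleartext passwords
    cat > "$out" <<EOF
[General]
FullMachineName= $fqdn
SuiteSpotUserID= www
SuiteSpotGroup= other
AdminDomain= $domain
ConfigDirectoryAdminID= admin
ConfigDirectoryAdminPwd= $DS_ADMIN_PWD
ConfigDirectoryLdapURL= $CFGURL

[slapd]
SlapdConfigForMC= No
UseExistingMC= Yes
ServerPort= $lport
ServerIdentifier= $sid
Suffix= $suffix
RootDN= cn=Directory Manager
RootDNPwd= $DS_ROOTDN_PWD

[admin]
Port= $aport
ServerAdminID= admin
ServerAdminPwd= $DS_ADMIN_PWD
EOF
    )
}

# check_setup_inf FILE: the three sections must be present, the directives the
# guide marks as required must have a value, and the file must not be group-
# or world-readable. Returns 0 only when every check passes.
check_setup_inf() {
    f=$1; rc=0
    for sec in General slapd admin; do
        grep -q "^\[$sec\]" "$f" || { echo "$f: missing [$sec]" >&2; rc=1; }
    done
    for key in ConfigDirectoryLdapURL ConfigDirectoryAdminPwd RootDNPwd; do
        grep -q "^$key= *[^ ]" "$f" || { echo "$f: $key is empty" >&2; rc=1; }
    done
    perms=$(ls -l "$f" | cut -c5-10)                     # group+other permission bits
    [ "$perms" = "------" ] || { echo "$f: mode too open" >&2; rc=1; }
    return $rc
}

# gen_all DIR: one file per consumer host (constructed list); prints how many
# of them passed check_setup_inf.
gen_all() {
    n=0
    for host in ldap37 ldap38 ldap39; do
        write_setup_inf "$1/$host.inf" "$host.example.com" "$host" 389 9830 dc=example,dc=com
        check_setup_inf "$1/$host.inf" && n=$((n + 1))
    done
    echo "$n"
}

# run_all DIR: silent setup for every file that passes the checks. The script
# is only invoked where it is installed, so the function is safe to dry-run.
run_all() {
    for inf in "$1"/*.inf; do
        check_setup_inf "$inf" || continue
        [ -x "$SETUP" ] && "$SETUP" -s -f "$inf"
    done
}
```

Run it as root on the target host after exporting the two password variables; the files are left in place for inspection, so delete them once the instances are up.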
3.6.7.1 Setup file structure
With a silent setup, all the configuration information that is normally supplied interactively with the setup script must be included in the setup file or passed in the command line with the setup-ds-admin.pl (or setup-ds.pl) command.
The setup file has three sections:
General
It supplies information about the server machine; these are global directives that are common to all your Directory Servers.
slapd
This supplies information about the specific Directory Server instance; this information, like the port and server ID, must be unique.
admin
It supplies information specific to the Administration Server instance; this is not used when creating additional Directory Server server instances or setting up a single Directory Server instance.
The format of the .inf file is as follows:
[General]
directive=value
directive=value
...
[slapd]
directive=value
directive=value
...
[admin]
directive=value
directive=value
...
The setup file directives are explained in the following sections.
3.6.7.2 Setup file directives
Table 3-3 describes the global directives for the [General] section of the setup file.
Table 3-3 [General] directives

FullMachineName
Specifies the fully qualified domain name of the machine on which you are installing the server. The default is the local host name.
Required: No. Example: ldap.example.com

SuiteSpotUserID
Specifies the user name as which the Directory Server instance runs. This parameter does not apply to the user as which the Administration Server runs. The default is user www, which is recommended for most deployments.
Required: No. Example: www

SuiteSpotGroup
Specifies the group as which the servers will run. The default is group other.
Required: No. Example: other

ConfigDirectoryLdapURL
Specifies the LDAP URL that is used to connect to your configuration directory. LDAP URLs are described in the HP-UX Directory Server administrator guide.
Required: Yes. Example: ldap://ldap.example.com:389/o=NetscapeRoot

AdminDomain
Specifies the administration domain under which this Directory Server instance is registered. See “Administration domain” for more information about administration domains.
Required: No. Example: example.com

ConfigDirectoryAdminID
Specifies the user distinguished name (DN) of the user that has administration privileges to the configuration directory. This is usually admin.
Required: No. Example: admin

ConfigDirectoryAdminPwd
Specifies the password for the admin user.
Required: Yes.
Table 3-4 describes the directives for the [slapd] section of the setup file.
Table 3-4 [slapd] directives

ServerPort
Specifies the port the server will use for LDAP connections. For information on selecting server port numbers, see “Port numbers”.
Required: No. Example: 389

ServerIdentifier
Specifies the server identifier. This value is used as part of the name of the directory in which the Directory Server instance is installed. For example, if the machine's host name is phonebook, then this name is the default, and selecting it installs the Directory Server instance in a directory labeled slapd-phonebook.
Required: No. Example: phonebook

Suffix
Specifies the suffix under which to store the directory data. For information on suffixes, see “Directory suffix”.
Required: No. Example: dc=example, dc=com

RootDN
Specifies the distinguished name used by the Directory Manager. For information on the Directory Manager, see “Directory manager”.
Required: No. Example: cn=Directory Manager

RootDNPwd
Specifies the Directory Manager's password.
Required: Yes.

AddOrgEntries
If yes, this directive creates the new Directory Server instance with a suggested directory structure and access control. If this directive is used and InstallLdifFile is also used, then this directive has no effect. The default is no.
Required: No. Example: Yes

InstallLdifFile
Populates the new directory with the contents of the specified LDIF file.
Required: No. Example: suggest

SchemaFile
Lists the full path and file name of additional schema files; this is used if there is custom schema with the old Directory Server. This directive may be specified more than once.
Required: No. Example: SchemaFile=/home/files/50custom.ldif

ConfigFile
Lists the full path and file name of additional configuration to add to the new dse.ldif. This could include additional suffixes, databases, replication, or other configuration. This directive may be specified more than once.
Required: No. Example: ConfigFile=/home/files/mysuffix-db-config.ldif
Table 3-5 describes the directives for the [admin] section of the setup file.
Table 3-5 [admin] directives

SysUser
Specifies the user as which the Administration Server will run. The default is user www, which is recommended for most deployments. For information as to what users your servers should run, see “Directory Server user and group”.
Required: No. Example: www

Port
Specifies the port that the Administration Server will use. The default port is 9830.
Required: No. Example: 9830

ServerAdminID
Specifies the administration ID that can be used to access this Administration Server if the configuration directory is not responding. The default is to use the value specified by the ConfigDirectoryAdminID directive. See “Directory administrator”.
Required: No. Example: admin

ServerAdminPwd
Specifies the password for the Administration Server user.
Required: No.

ServerIpAddress
Specifies the IP address on which the Administration Server will listen. Use this directive if you are installing on a multi-homed system and you do not want to use the first IP address for the Administration Server.
Required: No.

3.6.7.3 Sample setup files
This section provides examples of setup files, one for a custom installation and one for a typical setup. These can be used as templates for silent setup. If you have many Directory Server instances to set up, when you create the first instance you can run the setup script interactively with the -k option, which saves the setup file after the installation. You can then use variations of this setup file for silent setup of subsequent instances, defining a unique instance name and port number for each run (and, if setting up Directory Server on another system, defining the host name).
Example 3-1 includes a setup file for a custom installation.
Example 3-1 Example of setup file for a custom installation
[General]
FullMachineName= ldap.example.com
SuiteSpotUserID= www
SuiteSpotGroup= other
AdminDomain= example.com
ConfigDirectoryAdminID= admin
ConfigDirectoryAdminPwd= Admin123
ConfigDirectoryLdapURL= ldap://ldap.example.com:389/o=NetscapeRoot

[slapd]
SlapdConfigForMC= Yes
UseExistingMC= No
ServerPort= 389
ServerIdentifier= example
Suffix= dc=example,dc=com
RootDN= cn=directory manager
RootDNPwd= Secret123
InstallLdifFile= suggest
AddOrgEntries= Yes

[admin]
SysUser= www
Port= 9830
ServerIpAddress= 192.0.2.25
ServerAdminID= admin
ServerAdminPwd= Admin123
Example 3-2 includes a setup file for registering the instance with a configuration directory server
setup, which is the typical setup.
Example 3-2 Example of setup file for a typical setup
[General]
FullMachineName= dir.example.com
SuiteSpotUserID= www
SuiteSpotGroup= other
AdminDomain= example.com
ConfigDirectoryAdminID= admin
ConfigDirectoryAdminPwd= admin
ConfigDirectoryLdapURL= ldap://dir.example.com:25389/o=NetscapeRoot

[slapd]
SlapdConfigForMC= No
UseExistingMC= Yes
UseExistingUG= No
ServerPort= 18257
ServerIdentifier= directory
Suffix= dc=example,dc=com
RootDN= cn=Directory Manager
UseReplication= No
AddSampleEntries= No
InstallLdifFile= suggest
AddOrgEntries= Yes
DisableSchemaChecking= No
RootDNPwd= admin123

[admin]
Port= 33646
ServerIpAddress= 192.0.2.11
ServerAdminID= admin
ServerAdminPwd= admin

3.6.8 Sending parameters in the command line

The setup script setup-ds-admin.pl allows settings for any of the three configuration components to be passed directly on the command line:
General (host server)
slapd (LDAP server)
admin (Administration Server)
Command-line arguments correspond to the parameters and values set in the setup file. The arguments used with setup-ds-admin.pl specify the setup file section (General, slapd, or admin), the parameter, and the parameter value in the following form:
section.parameter=value
For example, the following command sets the machine name, suffix, and Directory Server port of the new instance:
# /opt/dirsrv/sbin/setup-ds-admin.pl General.FullMachineName=ldap.example.com \
"slapd.Suffix=dc=example, dc=com" slapd.ServerPort=389
Argument values containing spaces or other shell special characters must be quoted to prevent the shell from interpreting them. In the previous example, the suffix value has a space character, so the entire directive has to be quoted. If many of the directives have to be quoted or escaped, use a setup file instead.
If you do not specify the -s (silent) option, arguments passed in the command line or specified in a setup file set the defaults used with prompts in interactive mode; arguments passed in the command line override corresponding arguments specified in the setup file. If you specify the
-s option, the arguments passed in the command line override arguments specified in the referenced setup file.
Using a setup file in conjunction with command line parameters is useful when you create a setup file to serve as the basis for setting up many Directory Servers. The command line parameters specify values specific to the Directory Server being set up. For example, parameters such as ConfigDirectoryLdapURL, which can be used for multiple instances, could be specified in the setup file. Parameters such as FullMachineName, which is specific to the host, could be specified in the command line. For example, with the following command, the setup script uses the common parameters specified in the common.inf file, but overrides the host-specific parameter values for FullMachineName and ServerIdentifier with those specified in the command line:
# /opt/dirsrv/sbin/setup-ds-admin.pl -s \
-f common.inf General.FullMachineName=ldap37.example.com \
slapd.ServerIdentifier=ldap37
NOTE:
The section names and parameter names used in the setup file and on the command line are case sensitive. For information on correct capitalization, see Table 3-1.
For a full list of options available with the setup-ds-admin script, see Table 3-1 (page 19).

3.6.9 Importing LDIF files for configuring Directory Server users, replication, and other entities

Using the ConfigFile parameter in the setup file is extremely useful for configuring users, replication, and other directory management entries with information specified in LDIF files. You can use the ConfigFile parameter to create special user entries (such as the replication manager), to configure views or classes of service, to add new suffixes and databases, to create instances of the Attribute Uniqueness plug-in, and to set many other configurations for Directory Server. The ConfigFile parameter specifies an LDIF file to import into the directory. The parameter can be used multiple times in a setup file; each occurrence imports one more LDIF file into the directory.
The ConfigFile parameter is set in the [slapd] section of the setup file.
For example, to configure a new Directory Server instance as a supplier for replication, ConfigFile can be used to create the replication manager, changelog, replica, and replication agreement:
[slapd]
...
ConfigFile = repluser.ldif
ConfigFile = changelog.ldif
ConfigFile = replica.ldif
ConfigFile = replagreement.ldif
...
The LDIF file contains the entry information. For example, the replica.ldif contains the information to configure the new Directory Server instance as a supplier:
dn: cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
changetype: add
objectclass: top
objectclass: nsds5replica
objectclass: extensibleObject
cn: replica
nsds5replicaroot: dc=example,dc=com
nsds5replicaid: 7
nsds5replicatype: 3
nsds5flags: 1
nsds5ReplicaPurgeDelay: 604800
nsds5ReplicaBindDN: cn=replication manager,cn=config
For more information on LDIF, see the HP-UX Directory Server administrator guide.
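The ConfigFile mechanism above, as an added example that is not part of the HP guide: a POSIX shell script that generates repluser.ldif, changelog.ldif and replica.ldif for a new supplier, validates the replica ID, and checks that the bind DN named in replica.ldif is the entry that repluser.ldif creates. The replica entry reproduces the guide's replica.ldif; the changelog and replication manager entries use the standard Netscape/389 Directory Server attribute names, which are assumed to apply to HP-UX Directory Server 8.1 as well. The suffix, replica ID, bind DN, password and changelog directory are constructed values, and the replication agreement file is left out because it depends on the consumer's address.

```shell
#!/bin/sh
# Added example, not from the HP guide: emit the LDIF files that ConfigFile
# imports to make a new instance a replication supplier, plus the checks the
# guide leaves to the reader. Attribute names are the standard Netscape/389
# ones (assumed for HP-UX DS 8.1); all values below are constructed.

# replica_id_ok ID: a supplier's nsds5replicaid is an integer in 1..65534
# (65535 is reserved for read-only replicas) and must be unique among the
# suppliers of a suffix; two suppliers sharing an ID corrupt replication
# state. Returns 0 when the value is acceptable.
replica_id_ok() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65534 ]
}

# gen_supplier_ldifs DIR SUFFIX ID BINDCN PASSWORD CHANGELOGDIR
# Writes repluser.ldif, changelog.ldif and replica.ldif into DIR, owner-only,
# because repluser.ldif carries the replication manager's password in the clear.
gen_supplier_ldifs() {
    dir=$1; suffix=$2; id=$3; cn=$4; pw=$5; cldir=$6
    replica_id_ok "$id" || { echo "bad replica id: $id" >&2; return 1; }
    old=$(umask); umask 077
    cat > "$dir/repluser.ldif" <<EOF
dn: cn=$cn,cn=config
changetype: add
objectclass: top
objectclass: person
cn: $cn
sn: $cn
userPassword: $pw
EOF
    cat > "$dir/changelog.ldif" <<EOF
dn: cn=changelog5,cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: changelog5
nsslapd-changelogdir: $cldir
EOF
    cat > "$dir/replica.ldif" <<EOF
dn: cn=replica,cn="$suffix",cn=mapping tree,cn=config
changetype: add
objectclass: top
objectclass: nsds5replica
objectclass: extensibleObject
cn: replica
nsds5replicaroot: $suffix
nsds5replicaid: $id
nsds5replicatype: 3
nsds5flags: 1
nsds5ReplicaPurgeDelay: 604800
nsds5ReplicaBindDN: cn=$cn,cn=config
EOF
    umask "$old"
}

# check_supplier_ldifs DIR: the bind DN in replica.ldif must be the entry that
# repluser.ldif creates, the replica must be a supplier (type 3) with the
# changelog flag set, and a changelog entry must exist. Returns 0 when consistent.
check_supplier_ldifs() {
    user=$(sed -n 's/^dn: //p' "$1/repluser.ldif")
    bind=$(sed -n 's/^nsds5ReplicaBindDN: //p' "$1/replica.ldif")
    [ -n "$user" ] && [ "$user" = "$bind" ] &&
        grep -q '^nsds5replicatype: 3$' "$1/replica.ldif" &&
        grep -q '^nsds5flags: 1$' "$1/replica.ldif" &&
        [ -s "$1/changelog.ldif" ]
}

# setup_inf_lines DIR: the [slapd] directives to append to the setup file,
# in the order the entries depend on each other.
setup_inf_lines() {
    for f in repluser changelog replica; do
        echo "ConfigFile= $1/$f.ldif"
    done
}
```

Append the lines printed by setup_inf_lines to the [slapd] section of the setup file; keep the generated directory owner-only, since repluser.ldif holds the bind password that consumers will later use to authenticate to this supplier.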

4 Post-installation and advanced configuration tasks

This chapter describes configuration tasks to perform after you have installed Directory Server including additional configuration steps for Administration Server and Directory Server instances and how to set up additional Directory Server and Administration Server instances. It also describes how to uninstall the Directory Server.

4.1 Configuring Administration Server instances

This section describes two additional setup steps for the Administration Server that enable access by remote clients. These allow users to install and launch the Directory Server Console on a remote machine while still retrieving files from the Administration Server, including the help files.
NOTE:
Changing IP authorizations as described in the sections that follow may lock you out of the Console or Administration Server. To revert the address changes that locked you out, you may have to edit the Administration Server configuration directly through LDAP. For information on editing the Administration Server configuration, see the following web site:
http://directory.fedoraproject.org/wiki/Howto:AdminServerLDAPMgmt

4.1.1 Configuring IP authorization on the Administration Server

The Directory Server Console can be launched from remote machines to access an instance of Directory Server. The client running the Directory Server Console needs access to the Administration Server to access support files such as the help content and documentation.
Follow these steps to configure the Administration Server to accept the client IP address:
1. From the same machine on which the Administration Server is running, launch the Console.
# /opt/dirsrv/bin/hpds-idm-console
2. In the Administration Server Console, click the Configuration tab, then click the Network
tab.
3. In the Connection Restrictions Settings section, select IP Addresses to Allow from the
pull down menu.
4. Click Edit.
5. In the IP Addresses field, enter the following:
*.*.*.*
This allows all IP addresses to access the Administration Server. Outside a test environment, enter only the addresses of the hosts that run the Console, using the same * wildcard per octet (for example, 192.0.2.*) to cover a subnet, rather than opening the Administration Server to every address.
CAUTION:
By default, access to the Administration Server is limited to users in the same domain as the Administration Server itself. Adding additional IP addresses or proxy servers to the list of accepted addresses increases the number of users that can access the Administration Server. To reduce the possibility of undesirable access, limit the allowed access.
If numerous users are configured to use a proxy server, adding the proxy server increases the number of users having access to the Administration Server. In addition, your Administration Server only knows the IP address of the proxy server, not the address of the actual user. Thus, if the proxy server is in a trusted domain, anyone can use that proxy server to access the Administration Server. Although the Administration Server provides its own authentication and access limit, HP recommends limiting access to a trusted set of users only.
6. Restart the Administration Server.

4.1.2 Configuring proxy servers for the Administration Server

If proxies for the HTTP connections are on the client machine running the Directory Server Console, you must change the configuration in one of two ways:
Remove the proxy settings from the client machine. Removing proxies on the machine
running Directory Server Console allows the client to access the Administration Server directly. To remove the proxy settings, edit the proxy configuration of the browser that is used to launch the help files.
Add the client machine proxy IP address to Administration Server's list of acceptable IP
addresses. This is described in “Configuring IP authorization on the Administration Server”.
CAUTION:
By default, access to the Administration Server is limited to users in the same domain as the Administration Server itself. Adding the client machine proxy IP address potentially increases the number of users that can access the Administration Server. To reduce the possibility of undesirable access, limit the allowed access.
In addition, your Administration Server only knows the proxy IP address, not the address of the actual user. Thus, given that the client machine is in a trusted domain, anyone can use the client machine to access the Administration Server. Although the Administration Server provides its own authentication and access limit, HP recommends limiting access to a trusted set of users only.

4.2 Creating additional Directory Server instances

This section describes how to create new Directory Server instances by running setup-ds-admin.pl interactively or silently. This section also explains how to install a Directory Server instance so that it is not managed by the Directory Server Console, allowing you to manage the instance from the command line or by scripting.
NOTE:
You can create new Directory Server instances through the Directory Server Console, as described in the HP-UX Directory Server administrator guide.

4.2.1 Creating a new Directory Server instance interactively

You can create additional instances of the Directory Server by running setup-ds-admin.pl at the command line. You can choose one of the setup choices (express, typical, or custom) described in Chapter 3 “Setting up HP-UX Directory Server ”.
You can also provide Directory Server parameters on the command line, so that the instance is created with predefined defaults. For example, the following command runs the setup script with the Directory Server port default as 1100 and the Directory Manager password as itsasecret:
# /opt/dirsrv/sbin/setup-ds-admin.pl slapd.ServerPort=1100 slapd.RootDNPwd=itsasecret

4.2.2 Creating a new Directory Server instance silently

Silent setup for a single Directory Server instance is useful for configuring multiple instances quickly.
To run a silent setup of a Directory Server instance, do the following:
NOTE:
When creating a single instance of Directory Server, the Directory Server package must already be installed, and the Administration Server must already be configured and running.
1. Create the setup file. It must specify the following directives:
[General]
FullMachineName= dir.example.com
SuiteSpotUserID= www
SuiteSpotGroup= other
[slapd]
ServerPort= 389
ServerIdentifier= dir
Suffix= dc=example,dc=com
RootDN= cn=Directory Manager
RootDNPwd= password123
NOTE:
The setup file must contain two sections of directives: [General] and [slapd], omitting the [Admin] section, which is used only when creating an Administration Server. (For information about creating an Administration Server in silent mode, see “Performing silent setup” (page 29).)
These directives correspond to the information supplied during a typical setup. The setup file directives are described in “Setup file directives” (page 31).
2. Run the setup-ds-admin.pl script with the -s and -f options.
# /opt/dirsrv/sbin/setup-ds-admin.pl -s -f /export/ds-inf/setup-single.inf
In this command example, the -s option runs the script in silent mode, and the -f /export/ds-inf/setup-single.inf option specifies the setup file (/export/ds-inf/setup-single.inf).
After the script runs, the new Directory Server instance is configured and running, as with a standard setup.
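As an added example (not part of the HP guide), the following POSIX shell script checks a silent-setup file before it is handed to setup-ds-admin.pl -s -f: every [General] and [slapd] directive listed above is present, no [Admin] section has crept in, ServerPort is a valid port, and the file is readable only by its owner, because RootDNPwd is stored in it in clear text. The function names inf_get and inf_check are this example's own.

```shell
#!/bin/sh
# Added example, not from the HP guide: sanity-check a silent-setup .inf file
# before running "setup-ds-admin.pl -s -f FILE". Function names are this
# example's own.

# inf_get FILE SECTION KEY: print the value of KEY inside [SECTION], with the
# blanks of the guide's "Key= value" spacing trimmed. Prints nothing when the
# section or key is absent.
inf_get() {
    awk -v sect="$2" -v key="$3" '
        /^[ \t]*\[/ { in_sect = ($0 ~ ("^[ \t]*\\[" sect "\\][ \t]*$")); next }
        in_sect && index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# inf_check FILE: print one line per problem found; return 0 only when the
# file passes every check.
inf_check() {
    file=$1; rc=0
    # The directives a single-instance setup file must carry ([General] and [slapd]).
    for spec in General:FullMachineName General:SuiteSpotUserID \
                General:SuiteSpotGroup slapd:ServerPort slapd:ServerIdentifier \
                slapd:Suffix slapd:RootDN slapd:RootDNPwd; do
        sect=${spec%%:*}; key=${spec#*:}
        if [ -z "$(inf_get "$file" "$sect" "$key")" ]; then
            echo "missing: [$sect] $key"; rc=1
        fi
    done
    # [Admin] belongs only in a file that creates an Administration Server.
    if grep -q '^[[:space:]]*\[Admin\]' "$file"; then
        echo "unexpected: [Admin] section (only used when creating an Administration Server)"; rc=1
    fi
    port=$(inf_get "$file" slapd ServerPort)
    case $port in
        ''|*[!0-9]*) echo "bad: ServerPort '$port' is not a number"; rc=1 ;;
        *) if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
               echo "bad: ServerPort $port is out of range"; rc=1
           fi ;;
    esac
    # Columns 5-10 of "ls -l" are the group and other permission bits; any "r"
    # there means the clear-text RootDNPwd is exposed to other accounts.
    case $(ls -l "$file" | cut -c5-10) in
        *r*) echo "bad: $file is readable by group or others but holds RootDNPwd"; rc=1 ;;
    esac
    return $rc
}

# Usage: check-setup-inf.sh /export/ds-inf/setup-single.inf
if [ $# -gt 0 ]; then
    inf_check "$1"
fi
```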

4.2.3 Creating a Directory Server instance manageable at the command line instead of Console

To create a Directory Server instance so that you can manage the instance through the command line or other tools instead of through the Console, use the /opt/dirsrv/sbin/setup-ds.pl command. All tasks that can be performed from the Console can be performed from the command line or by other means. This is advantageous if you have a large number of Directory Server instances to manage, especially when they require tasks that can be more easily performed from the command line or by scripting (such as configuration of replication, LDIF, or SSL). This is also advantageous if you have to manage remotely and network traffic or connection quality makes use of the Console unviable (because of the additional network traffic incurred from graphics-intensive screens).
The script works exactly the same way as setup-ds-admin.pl except it omits the questions about the Configuration Directory Server and Administration Server. It only creates a single, standalone Directory Server instance. (To manage the Directory Server instance with the Console, you must register the Directory Server instance with the Configuration Directory Server. For more information, see “Registering an existing Directory Server instance with the Configuration Directory Server”.) The script can be run silently as well, accepting command line options.

4.3 Registering an existing Directory Server instance with the Configuration Directory Server

The Configuration Directory Server uses the o=NetscapeRoot database to store information about the Directory Servers and Administration Servers in your network. This database is used by the Console and the Administration Servers. This database can belong to a separate Directory Server instance, called the Configuration Directory Server. When you set up a Directory Server instance using the setup-ds-admin script, the instance is always registered with a Configuration Directory Server. When you use the setup-ds script to set up a Directory Server instance so that it is manageable at the command line instead of at the Console (see “Creating a Directory Server instance manageable at the command line instead of Console” (page 40)), the instance is not registered with a Configuration Directory Server. If you decide you want that instance to be manageable at the Console, you can manually register it with a Configuration Directory Server by launching the register-ds-admin script:
# /opt/dirsrv/sbin/register-ds-admin.pl
IMPORTANT:
Running register-ds-admin creates a default instance of the Administration Server and Configuration Directory Server if they do not already exist, then registers any existing Directory Servers with the Configuration Directory Server.

4.4 Uninstalling Directory Server

This section provides information on removing a single Directory Server instance as well as the Directory Server entirely.

4.4.1 Removing a single Directory Server instance

It is possible to remove a single instance of Directory Server without uninstalling the system. Do this with the following command:
# /opt/dirsrv/sbin/ds_removal -s server_id -w admin_password
The ds_removal script unregisters the server from the Configuration Directory Server and removes any related files and directories. If the Directory Server was configured to support SSL, the command leaves the key and cert files in the instance configuration directory, and renames the configuration directory to instance-name.removed.

4.4.2 Uninstalling the HP-UX Directory Server

To uninstall HP-UX Directory Server entirely, perform the following steps:
CAUTION:
This procedure completely removes the Directory Server product and all data served by the Directory Servers on the host.
1. Remove all the Directory Server instances. For example, you can use the following script, entering the appropriate password (for admin-password) and actual Directory Server instances (for instance1 instance2 instance3 ...):
IMPORTANT:
If one of the Directory Server instances hosts the o=netscapeRoot suffix, make sure you specify its name last in the list and that no other servers on other hosts are managed by this configuration directory.
cd /opt/dirsrv/
ADMINPASS="admin-password"
# Specify the instance names here. Important, if one of these
# servers holds the o=netscapeRoot suffix, make sure it is the
# last one on the list, and that no other servers
# on other hosts are managed by this configuration directory.
instanceNames="instance1 instance2 instance3 ..."
for instanceName in $instanceNames
do
    # ds_removal takes the server ID without the "slapd-" prefix;
    # strip only that prefix so IDs that themselves contain "-" stay whole.
    tmp="${instanceName#slapd-}"
    /opt/dirsrv/sbin/ds_removal -s "$tmp" -w "$ADMINPASS"
done
2. Stop the Administration Server.
# /opt/dirsrv/sbin/stop-ds-admin
3. Use swremove to uninstall the product bundle:
# /usr/sbin/swremove HPDirSvr
4. Use the following script to clean up any remaining run-time or user-generated files. These files include local configuration caches, SSL certificate files, and so forth.
CAUTION:
Before removing directories, inspect them to ensure that they do not include any unexpected files that you might not want removed.
for path in /opt/dirsrv /var/opt/dirsrv /etc/opt/dirsrv
do
    find $path -type f | xargs ll -d
done
#
# WARNING: Validate no unexpected files exist before
# running the rm command below.
#
cd /
rm -rf /opt/dirsrv /var/opt/dirsrv /etc/opt/dirsrv

5 General usage information

This chapter contains common information that you will use after installing HP-UX Directory Server 8.1, such as where files are installed; how to start and stop the Directory Server and Administration Server; how to start the Directory Server Console; obtaining the Administration Server port number; resetting the Directory Manager password; and basic troubleshooting information. For more detailed information about using Directory Server, see the HP-UX Directory Server administrator guide.

5.1 Directory Server file locations

HP-UX Directory Server 8.1 conforms to the Filesystem Hierarchy Standard (FHS). For more information on FHS, see the FHS web site:
http://www.pathname.com/fhs/
Table 5-1 lists the full path name for the files and directories installed with Directory Server. In the file locations listed in the table, “instance” is the server instance name that was given during setup. By default, this is the leftmost component of the fully-qualified host and domain name. For example, if the host name is ldap.example.com, the instance name is ldap by default. As shown where applicable, the Administration Server directories are in locations similar to the Directory Server directories. The Administration Server directories are named admin-serv.
Table 5-1 File and directory locations
File or directory     Location
Log files             Directory Server files: /var/opt/dirsrv/slapd-instance/log
                      Administration Server files: /var/opt/dirsrv/admin-serv/log
Configuration files   Directory Server files: /etc/opt/dirsrv/slapd-instance
                      Administration Server files: /etc/opt/dirsrv/admin-serv
Instance directory    Directory Server files: /opt/dirsrv/slapd-instance
Database files        Directory Server files: /var/opt/dirsrv/slapd-instance/db
Run-time files        Directory Server files: /var/opt/dirsrv/slapd-instance/run
                      Administration Server files: /var/opt/dirsrv/admin-serv/run
Binaries              Directory Server and Administration Server files: /opt/dirsrv/bin, /opt/dirsrv/sbin
Libraries             Directory Server and Administration Server files: /opt/dirsrv/lib

5.2 LDAP tool locations

HP-UX Directory Server uses Mozilla LDAP tools, such as the following commands, for command-line operations:
/opt/dirsrv/bin/ldapsearch
/opt/dirsrv/bin/ldapmodify
/opt/dirsrv/bin/ldapdelete
You can use these tools to access and perform operations on Directory Server user data as well as configuration and status data.

5.3 Starting the Directory Server Console

To launch the Directory Server Console, use the hpds-idm-console script:
# /opt/dirsrv/bin/hpds-idm-console
When the login screen opens, you are prompted for the username, password, and Administration Server location. The Administration Server has a standard HTTP address; the default is:
http://hostname:9830/
If the Administration Server is using TLS/SSL, the URL begins with https://.
You can send the Administration Server URL and port with the start script. For example:
# /opt/dirsrv/bin/hpds-idm-console -a http://localhost:9830
The -a option is a convenience, particularly if you are logging into a Directory Server for the first time. On subsequent logins, the URL is saved. If you do not pass the Administration Server port number with the hpds-idm-console command, you are prompted for it at the Console login screen. For information on obtaining the Administration Server port number, see “Getting the Administration Server port number” (page 44).

5.4 Getting the Administration Server port number

To find the port number for your Administration Server, search its console.conf file for the Listen directive:
# grep \^Listen /etc/opt/dirsrv/admin-serv/console.conf
Listen 0.0.0.0:port
The command displays the port (port) after the colon in the Administration Server listen address. If the grep command reveals that the port is 9830, the Administration Server URL would be http://hostname:9830.

5.5 Starting and stopping servers

This section discusses starting and stopping the Directory Server and the Administration Server.

5.5.1 Starting and stopping the Directory Server

Use the following scripts in the instance directories to start, stop, or restart the Directory Server:
/opt/dirsrv/slapd-instance/start-slapd
/opt/dirsrv/slapd-instance/restart-slapd
/opt/dirsrv/slapd-instance/stop-slapd
The Directory Server instance name can be specified in the start-slapd, stop-slapd, restart-slapd and system scripts. If an instance name is not given, the start or stop operation applies to all instances on the machine.

5.5.2 Starting and stopping the Administration Server

Use the following scripts to start, stop, or restart the Administration Server:
/opt/dirsrv/sbin/start-ds-admin
/opt/dirsrv/sbin/stop-ds-admin
/opt/dirsrv/sbin/restart-ds-admin

5.6 Resetting the Directory Manager password

Passwords are stored in the Directory Server databases and can be modified with tools like ldapmodify and through the Directory Server Console. The Directory Manager password, however, is stored (hashed) in the Directory Server configuration file, dse.ldif, and can be viewed (if lost) and modified by editing that file. To check or reset the Directory Manager password, do the following:
1. Stop the Directory Server.
If the Directory Server is not stopped when the configuration files are edited, the changes are not applied.
# /opt/dirsrv/slapd-instance/stop-slapd
2. Generate a new, hashed password using pwdhash in the /opt/dirsrv/bin directory. For example:
# /opt/dirsrv/bin/pwdhash newpassword
{SSHA}nbR/ZeVTwZLw6aJH6oE4obbDbL0OaeleUoT21w==
3. In the configuration directory, open the dse.ldif file with the text editor of your choice, for example:
# cd /etc/opt/dirsrv/slapd-instance
# vi dse.ldif
4. Locate the nsslapd-rootpw parameter.
nsslapd-rootpw: {SSHA}x03lZLMyOPaGH5VB8fcys1IV+TVNbBIOwZEYoQ==
Delete the old password, and enter in the new hashed password, for example:
nsslapd-rootpw: {SSHA}nbR/ZeVTwZLw6aJH6oE4obbDbL0OaeleUoT21w==
5. Save the change.
6. Start the Directory Server. For example:
# /opt/dirsrv/slapd-instance/start-slapd
7. When the Directory Server restarts, log into the Console again as Directory Manager, and verify that the password works.
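As an added example (not from the HP guide), the following POSIX shell functions carry out step 4 on a stopped instance without the hand editing: they accept only a value that already carries a {SCHEME} prefix such as the {SSHA} output of pwdhash, keep a backup of dse.ldif, and rewrite the file in place so its owner and mode are preserved. The function names and the script name in the usage comment are this example's own.

```shell
#!/bin/sh
# Added example, not from the HP guide: replace nsslapd-rootpw in the dse.ldif
# of a *stopped* instance with a hash produced by pwdhash. Function names are
# this example's own. Stop the instance first (stop-slapd): a running slapd
# rewrites dse.ldif from memory and would discard the edit.

# is_hashed VALUE: accept only values with a {SCHEME} prefix, e.g. {SSHA}...,
# so a clear-text password never lands in nsslapd-rootpw by mistake.
is_hashed() {
    case $1 in
        \{[A-Za-z0-9]*\}?*) return 0 ;;
        *)                  return 1 ;;
    esac
}

# current_rootpw DSE_LDIF: print the hash currently stored (for verification).
current_rootpw() {
    sed -n 's/^nsslapd-rootpw: *//p' "$1"
}

# set_rootpw DSE_LDIF NEW_HASH: rewrite the nsslapd-rootpw line. Keeps
# DSE_LDIF.bak with the old hash for rollback; returns 1 without touching
# the file when NEW_HASH is rejected or the attribute is missing.
set_rootpw() {
    dse=$1; hash=$2
    if ! is_hashed "$hash"; then
        echo "refusing: '$hash' is not a {SCHEME}hash value; run pwdhash first" >&2
        return 1
    fi
    if ! grep -q '^nsslapd-rootpw:' "$dse"; then
        echo "no nsslapd-rootpw attribute in $dse" >&2
        return 1
    fi
    cp -p "$dse" "$dse.bak" || return 1
    # Build the new contents in a temp file, then copy them over the original
    # with cat so dse.ldif keeps the owner and mode slapd expects.
    # '|' is safe as the sed delimiter: base64 hashes use only A-Z a-z 0-9 + / =
    sed "s|^nsslapd-rootpw:.*|nsslapd-rootpw: $hash|" "$dse.bak" > "$dse.tmp" &&
        cat "$dse.tmp" > "$dse" && rm -f "$dse.tmp"
}

# Usage (on an HP-UX Directory Server host, instance already stopped):
#   set-rootpw.sh /etc/opt/dirsrv/slapd-instance/dse.ldif newpassword
if [ $# -eq 2 ]; then
    hash=$(/opt/dirsrv/bin/pwdhash "$2") || exit 1
    set_rootpw "$1" "$hash" && echo "updated; run start-slapd and verify the Directory Manager login"
fi
```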

5.7 Troubleshooting

This section describes common problems that can occur during the setup process and the workarounds or solutions you can apply to them. In general, these relate to network or naming problems.

5.7.1 Problem: Clients cannot locate the server

Solution. First, modify the host name. If that does not work, use the fully-qualified domain name, such as www.domain.com, and make sure the server is listed in the DNS. If that does not work, check the IP address.
If the NIS domain is not the same as your DNS domain, check your fully-qualified host and domain name.

5.7.2 Problem: The port is in use

When setting up a Directory Server instance, you receive an error that the port is in use. This is very common when upgrading or migrating an existing server.
Solution. This error means that you did not shut down the existing server before beginning the upgrade or migration. Shut down the existing server, then restart the upgrade process.
If this occurs during a setup process, it may mean another server is already using this port. Verify that the port you selected is not in use by another server.

5.7.3 Problem: Forgotten directory manager DN and password

Solution. By default, the Directory Manager DN is cn=Directory Manager. If you forget the Directory Manager DN, you can determine it by checking the nsslapd-rootdn attribute in the dse.ldif file, in the /etc/opt/dirsrv/slapd-instance_name directory.
6 Migrating or upgrading to HP-UX Directory Server from Netscape or Red Hat Directory Server
This chapter provides information about moving to HP-UX Directory Server 8.1 from Netscape Directory Server 6.11 or 6.21, or from Red Hat Directory Server 7.1 or 8.0.
In this chapter, moving to HP-UX Directory Server 8.1 from Netscape Directory Server 6.11 or 6.21, or from Red Hat Directory Server 7.1, is referred to as a migration; the two versions exist side-by-side during the migration while the data and configuration from the old server are copied over to the new 8.1 server. Migrations are discussed in “Migrating from Netscape Directory Server 6.x, or from Red Hat Directory Server 7.1” (page 47).
In contrast, moving to HP-UX Directory Server 8.1 from Red Hat Directory Server 8.0 is referred to as an upgrade; the new version completely replaces the old version. Upgrades are discussed in “Upgrading from Red Hat Directory Server 8.0” (page 53).

6.1 Migrating from Netscape Directory Server 6.x, or from Red Hat Directory Server 7.1

This section explains the procedure for moving to HP-UX Directory Server 8.1 from Netscape Directory Server 6.11 or 6.21, or from Red Hat Directory Server 7.1.
NOTE: Before migrating to HP-UX Directory Server 8.1, you must either disable SSL in the legacy server or create a PIN file so that the legacy server can start up without interaction. To disable SSL, edit the legacy server's dse.ldif file and set the nsslapd-security parameter to off. To create a PIN file, follow the instructions in the Administrator Guide for the legacy server.
NOTE: Most examples in this section assume the legacy server is Red Hat Directory Server 7.1, with the default server root directory path given as /var/opt/netscape/server7. For the Netscape Directory Server (6.11 or 6.21), you can substitute the following Netscape Directory Server default path in these examples: /var/opt/netscape/servers.
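As an added example (not part of the HP guide), the following POSIX shell functions pre-check a legacy server root before migrate-ds-admin.pl is run: they list the instances that would be migrated in the form --instance expects, read nsslapd-security from each instance's config/dse.ldif, and report an instance with SSL enabled as blocked unless a PIN file is present, which is the condition the first note above describes. The PIN file path alias/slapd-ID-pin.txt under the server root and the function names are this example's assumptions, not something the guide states.

```shell
#!/bin/sh
# Added example, not from the HP guide: pre-flight checks on a legacy
# (Netscape 6.x / Red Hat 7.1) server root before running migrate-ds-admin.pl.
# Function names are this example's own. The PIN file location
# SERVER_ROOT/alias/slapd-ID-pin.txt is an assumption of this example.

# legacy_instances SERVER_ROOT: print the instance IDs (without the slapd-
# prefix, as --instance expects) that have a config/dse.ldif, one per line.
legacy_instances() {
    for dir in "$1"/slapd-*; do
        [ -f "$dir/config/dse.ldif" ] || continue
        basename "$dir" | sed 's/^slapd-//'
    done
}

# dse_attr DSE_LDIF ATTRIBUTE: print the first value of ATTRIBUTE, or nothing.
dse_attr() {
    sed -n "s/^$2: *//p" "$1" | head -n 1
}

# legacy_ssl_ready SERVER_ROOT ID: 0 when the instance can start unattended,
# i.e. nsslapd-security is off (or unset) or a PIN file exists for it.
legacy_ssl_ready() {
    dse="$1/slapd-$2/config/dse.ldif"
    case $(dse_attr "$dse" nsslapd-security) in
        on) [ -f "$1/alias/slapd-$2-pin.txt" ] ;;   # SSL on: PIN file required
        *)  return 0 ;;                              # SSL off or not configured
    esac
}

# migrate_preflight SERVER_ROOT: report every instance found; return 1 when
# no instance exists or any instance would block an unattended migration.
migrate_preflight() {
    root=$1; rc=0; n=0
    for id in $(legacy_instances "$root"); do
        n=$((n + 1))
        if legacy_ssl_ready "$root" "$id"; then
            echo "ok:      $id (port $(dse_attr "$root/slapd-$id/config/dse.ldif" nsslapd-port))"
        else
            echo "blocked: $id has nsslapd-security: on and no PIN file"; rc=1
        fi
    done
    [ "$n" -gt 0 ] || { echo "no slapd-* instances with config/dse.ldif under $root"; rc=1; }
    return $rc
}

# Usage: migrate-preflight.sh /var/opt/netscape/server7
if [ $# -gt 0 ]; then
    migrate_preflight "$1"
fi
```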

6.1.1 Tasks to perform before migrating

For the safety of the Directory Server data, perform the following tasks before beginning to migrate the Directory Server instances:
1. Shut down all Directory Server instances and the Administration Server, as described in “Starting and stopping servers” (page 44).
2. For servers that have a different configuration directory, make sure that the Directory Server Console write operations are moved from the configuration directory to the server itself, following the steps described in “Configuring the Directory Server Console” (page 47).
CAUTION:
Be sure that the legacy Directory Server instance is not running when you start the migration. The new HP-UX Directory Server instance will use the same port numbers, and the migration process may inadvertently perform updates on the legacy instance instead of the new instance.
6.1.1.1 Configuring the Directory Server Console
If you have a multi-master replication setup that replicates o=NetscapeRoot between the two master servers, server1 and server2, then by default, writes made through server2's Directory Server Console are written to server1, then replicated over. Modify the Directory Server Console on the second server (server2) so that it writes to its own Console instance instead of server1's.
1. Shut down the Administration Server and Directory Server.
2. Change the adm.conf file for the Administration Server to reflect server2's Directory Server values:
ldapurl: ldap://server2.example.com:389/o=NetscapeRoot
3. Change the dse.ldif for the Directory Server to reflect server2's Directory Server values:
serverRoot/slapd-serverID/config/dse.ldif
nsslapd-pluginarg0: ldap:///server2.example.com:389/o=NetscapeRoot
4. Turn off the Pass-through Authentication Plug-in on server2 by editing its dse.ldif file and setting the nsslapd-pluginEnabled value to off.
serverRoot/slapd-serverID/config/dse.ldif
dn: cn=Pass Through Authentication,cn=plugins,cn=config
nsslapd-pluginEnabled: off
5. Restart the Directory Server and Administration Server.

6.1.2 Migration script

Migration is performed with the migration script, /opt/dirsrv/sbin/migrate-ds-admin.pl. This script has flexible options that allow a variety of different migration scenarios. Table 6-1 lists the options and arguments for this executable script.
Table 6-1 migrate-ds-admin options and arguments
Option or argument                                    Alternate option   Description
-o (Required)                                         --oldsroot         Specify the path to the server root directory in the legacy Directory Server installation. The default path in 7.x servers is /var/opt/netscape/server7, and the default path in 6.x servers is /var/opt/netscape/servers. IMPORTANT: This is a required option.
-a (Optional)                                         --actualsroot      When migrating between two machines, and the current server root directory in the old 6.x or 7.x Directory Server installation is mounted on a networked drive, or tarballed and moved to a relative directory, use this to specify the original path to that directory. The oldsroot parameter sets the directory from which the migration is run (such as machine_new:/migrate/server7), while the actualsroot parameter sets the server root (/var/opt/netscape/server7).
-i (Optional)                                         --instance         This parameter specifies a specific instance to migrate. This parameter can be used multiple times to migrate several instances simultaneously. By default, the migration script migrates all Directory Server instances on the machine.
-f name (Optional)                                    --file=name        This sets the path and name of a setup file provided with the migration script. The migration script uses the parameters defined in the file. The only valid parameter is the General.ConfigDirectoryAdminPwd parameter, which is the configuration directory administrator's password.
-c or -x (Optional)                                   --cross            This parameter is used when the Directory Server is being migrated from one machine to another machine that has a different architecture. For cross-platform migrations, only certain data are migrated. This migration action takes database information exported to LDIF and imports LDIF data into the new 8.1 databases. Changelog information is not migrated. If a supplier or hub is migrated, then all its replicas must be reinitialized.
-d [dddd] (Optional)                                  --debug            This parameter turns on debugging information. For the -d flag, increasing the number of d's increases the debug level.
-l (Optional)                                         --logfilename      This parameter specifies a log file to which to write the output. If this is not set, then the migration information is written to a temporary file, named /tmp/migrateXXXXX.log. To disable logging, set /dev/null as the logfile.
General.ConfigDirectoryAdminPwd=password (Required)   (none)             This is the password for the configuration directory administrator of the old Directory Server (the default user name is admin). IMPORTANT: This is a required argument.
If you do not specify the required items for the migration script (oldsroot and General.ConfigDirectoryAdminPwd), the migration script exits.
The following is an example using the required option and argument:
# /opt/dirsrv/sbin/migrate-ds-admin.pl \
--oldsroot /var/opt/netscape/server7 General.ConfigDirectoryAdminPwd=password
The migrate-ds-admin.pl script allows the password parameter to be provided on the command line, similar to the setup-ds-admin.pl script. The arguments set the section, parameter, and value of parameters of the .inf file in the following form:
section.parameter=value
To avoid displaying this password on the command line, you can invoke the migration script with the --file option to refer to an .inf file that specifies the administrator's password:
# /opt/dirsrv/sbin/migrate-ds-admin.pl --oldsroot /var/opt/netscape/server7 \
--file=/opt/dirsrv/example.inf
The .inf file would have the following two lines:
[General]
ConfigDirectoryAdminPwd=password
The migration script takes all the other settings from the old configuration files in the old server root, specified with the --oldsroot option. Any other argument passed in the command line or listed in an inf file, such as those used with the setup-ds-admin.pl script, is ignored. The Directory Server configuration parameters are only taken from the old instance. It is not possible to change the configuration settings, such as the host name or port, using the migration script.

6.1.3 Migration scenarios

The migration scenario differs depending on the type of existing Directory Server configuration you have. You can migrate a single Directory Server instance, all Directory Server instances on a machine, or all replicated servers. You can migrate the Directory Server to a different machine or to a different platform. The migration script has different options available to facilitate migration. The following sections describe the different scenarios.
“Migrating a server or single instance” (page 50)
“Migrating replicated servers” (page 50)
“Migrating a Directory Server from one machine to another” (page 51)
“Migrating a Directory Server from one platform to another” (page 52)
6.1.3.1 Migrating a server or single instance
To migrate a Directory Server installation to a new one on the same machine, run the migration script, specifying the old server root directory:
# /opt/dirsrv/sbin/migrate-ds-admin.pl \
--oldsroot /var/opt/netscape/server7 \
General.ConfigDirectoryAdminPwd=password
That command automatically migrates every Directory Server instance configured.
To migrate specific instances, use the --instance option with the migrate-ds-admin script. For example, to migrate the Directory Server instances named example and example3, but not example2, the migration command would be as follows:
# /opt/dirsrv/sbin/migrate-ds-admin.pl \
--oldsroot /var/opt/netscape/server7 \
--instance example --instance example3 \
General.ConfigDirectoryAdminPwd=password
The migration process starts. The legacy Directory Server is migrated, and a new Directory Server 8.1 instance is installed using the configuration information from the legacy Directory Server.
6.1.3.2 Migrating replicated servers
The process for migrating a replicated system is the same as for a single server, but the order in which the Directory Server instances are migrated is important to keep from interrupting replication:
First migrate all master servers.
Then migrate all hubs.
Then migrate all consumers, if any.
If any of the Directory Servers in the replicated system will be moved to a different machine or another platform, use the --actualsroot and --cross parameters with /opt/dirsrv/sbin/migrate-ds-admin.pl, as described in “Migrating a Directory Server from one machine to another” (page 51) and “Migrating a Directory Server from one platform to another” (page 52).
To migrate a replicated site, perform the following steps:
1. Stop all old Directory Server instances and the Administration Server.
2. Back up all the Directory Server user and configuration data.
3. Stop directory writes to the master or hub server being migrated.
4. Install the HP-UX Directory Server 8.1 package on the machine where your legacy Directory Server is located.
Make the first migrated master the configuration instance, since it is not replicated. Then register the other master and hub servers with the first master Directory Server's configuration instance. This instance needs to listen on your standard port, usually 389.
5. Run the migration script, as root.
IMPORTANT:
Do not set up the new Directory Server instances with setup-ds-admin.pl before running the migration script.
# /opt/dirsrv/sbin/migrate-ds-admin.pl \
--oldsroot /var/opt/netscape/server7/ \
General.ConfigDirectoryAdminPwd=password
where /var/opt/netscape/server7 is the directory where the old Directory Server is installed.
6. The migration process starts.
The legacy Directory Server is migrated, and a new Directory Server 8.1 instance is installed using the configuration information from the legacy Directory Server.
7. After the old Directory Server instance is migrated, test the replication to make sure it works correctly.
8. After you finish this process for all the master servers, repeat the steps for the hub servers, then for the replicas.
6.1.3.3 Migrating a Directory Server from one machine to another
To migrate a Directory Server installation from one machine to a new Directory Server instance on a new machine of the same platform, run the migration script (/opt/dirsrv/sbin/migrate-ds-admin.pl) with options specifying:
The physical, network-accessible old server root directory, such as a tarball or network drive (specified with the --oldsroot option).
The actual directory name of the server root on the old machine (specified with the --actualsroot option), such as /var/opt/netscape/server7. In this case, the --actualsroot option names the original absolute installation directory, while the --oldsroot option gives the path to access that directory.
CAUTION: Migration cannot change the host name used by the Directory Server and Administration Server. The old machine must have the same host name as your new machine. If you are going to commission a new machine on which to run Directory Server 8.1, first rename the old machine (for example, change ldap.example.com to ldap_old.example.com), then give the new machine the original name of the old machine (ldap.example.com).
Because of the large number of configuration items that depend on the Directory Server's host name, including the Console, replication, TLS/SSL, and Kerberos, it is extremely difficult to rename the server with the migration script. HP strongly recommends that you do not attempt to change the Directory Server host name.
NOTE:
If the new machine has a different architecture from the old machine, such as moving from i386 to x86_64, you must perform a cross-platform migration, described in “Migrating a Directory Server from one platform to another” (page 52). The procedure in this section assumes that the Directory Server is being migrated from one machine to another of the same architecture, such as i386 to i386.
For example, this script migrates a Directory Server on server1 to server2, using an NFS-mounted directory:
# /opt/dirsrv/sbin/migrate-ds-admin.pl --oldsroot /net/server2/migration/server7 \
--actualsroot /var/opt/netscape/server7 General.ConfigDirectoryAdminPwd=password
The --oldsroot option can also specify a local directory on the target machine that was created from a tarball. In that case, create a tarball of your old server root directory, and untar it on the target machine. In this example, a tarball was created of /var/opt/netscape/server7 on the source machine, and it was untarred under /migration on the target machine:
# /opt/dirsrv/sbin/migrate-ds-admin.pl --oldsroot /migration/server7 \
--actualsroot /var/opt/netscape/server7 \
General.ConfigDirectoryAdminPwd=password
The migrate-ds-admin command automatically migrates every Directory Server instance configured. As with migrating Directory Server on the same machine, using the --instance option allows you to set the specific instance to migrate. For example, this command migrates a Directory Server instance named example:
# /opt/dirsrv/sbin/migrate-ds-admin.pl \
--oldsroot /net/server2/migration/server7 \
--actualsroot /var/opt/netscape/server7 --instance example \
General.ConfigDirectoryAdminPwd=password
The procedure follows:
1. Stop all Directory Server instances and the Administration Server.
2. Back up all the Directory Server user and configuration data.
3. Install the Directory Server 8.1 package on the new machine that will host Directory Server.
4. Make the old Directory Server accessible to the new machine, either through an NFS-mounted drive or a tarball.
5. Run the migration script as root. Specify the current physical location of the Directory Server with the --oldsroot option and the location on the old machine with the --actualsroot option.
IMPORTANT:
Do not set up the new Directory Server instances with setup-ds-admin.pl before running the migration script.
For example:
# /opt/dirsrv/sbin/migrate-ds-admin.pl \
--oldsroot /net/server2/migration/server7 \
--actualsroot /var/opt/netscape/server7 \
General.ConfigDirectoryAdminPwd=password
The migration process starts. The legacy Directory Server is migrated, and a new Directory Server
8.1 instance is installed using the configuration information from the legacy Directory Server.
6.1.3.4 Migrating a Directory Server from one platform to another
Migrating a Directory Server installation from one platform to another is similar to migrating from one machine to another. The difference between a migration between platforms and other migration scenarios is the information migrated from the old Directory Server. The databases are in an architecture-dependent binary format and can be migrated only after they are exported to LDIF. Other data, such as the changelog, is not migrated. As explained in “Migrating a Directory
Server from one machine to another” (page 51), the migration script uses the --actualsroot
and --oldsroot options to migrate across machines and the --cross option to signal that the migration is across platforms.
The command format to move from one platform to another is similar to the following:
# /opt/dirsrv/sbin/migrate-ds-admin.pl --cross \
--oldsroot /net/server2/migration/server7 \
--actualsroot /var/opt/netscape/server7 \
General.ConfigDirectoryAdminPwd=password
The migrate-ds-admin command automatically migrates every Directory Server instance configured. As with migrating Directory Server on the same machine, using the --instance option allows you to set the specific instance to migrate. For example, this command migrated a Directory Server instance named example:
# /opt/dirsrv/sbin/migrate-ds-admin.pl --cross \
--oldsroot /net/server2/migration/server7 \
--actualsroot /var/opt/netscape/server7 --instance example \
General.ConfigDirectoryAdminPwd=password
The procedure follows:
1. Stop all Directory Server instances and the Administration Server.
2. Back up all the Directory Server user and configuration data.
3. Export all the database information to LDIF. The LDIF file must be named the name of the
database with .ldif appended. For example:
# cd /var/opt/netscape/server7/slapd-instance
# ./db2ldif -n userRoot -a /var/opt/netscape/server7/slapd-instance/db/userRoot.ldif
# ./db2ldif -n NetscapeRoot -a /var/opt/netscape/server7/slapd-instance/db/NetscapeRoot.ldif
4. Install the HP-UX Directory Server 8.1 package on the new machine that will host Directory
Server.
5. Make the old Directory Server accessible to the new machine, either through an NFS-mounted
drive or tarball.
6. Run the migration script as root. Specify the current physical location of the Directory
Server with the --oldsroot option and the location on the old machine with the
--actualsroot option.
IMPORTANT:
Do not set up the new Directory Server instances with setup-ds-admin.pl before running the migration script.
For example:
# /opt/dirsrv/sbin/migrate-ds-admin.pl --cross \
--oldsroot /net/server2/migration/server7 \
--actualsroot /var/opt/netscape/server7 \
General.ConfigDirectoryAdminPwd=password
The migration process starts. The legacy Directory Server is migrated, and a new Directory Server
8.1 instance is installed using the configuration information from the legacy Directory Server.
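A pre-migration check for step 3 of the cross-platform procedure, added here as an example and not taken from the HP guide: it walks the legacy instance's db directory and confirms that every database has the <database>.ldif export the migration script expects, so a missing or empty export is caught before migrate-ds-admin.pl runs. It assumes each legacy database lives in its own subdirectory under slapd-instance/db (an assumption about the 7.1 layout) and builds a throwaway sample directory instead of touching a real server.

```shell
#!/bin/sh
# Pre-migration check for the cross-platform case: every database under the
# legacy instance's db/ directory must have an LDIF export named <db>.ldif
# beside it, which is the naming rule the migration procedure requires.
# Added example, not part of the HP guide. The one-subdirectory-per-database
# layout under db/ is an assumption.

# check_ldif_exports DBDIR
# Prints one line per database and returns 0 only when every database has a
# non-empty export whose content starts like LDIF (a "dn:" or "version:" line).
check_ldif_exports() {
    dbdir=$1
    missing=0
    for backend in "$dbdir"/*/; do
        [ -d "$backend" ] || continue
        name=$(basename "$backend")
        ldif="$dbdir/$name.ldif"
        if [ ! -s "$ldif" ]; then
            echo "MISSING  $name: expected $ldif"
            missing=$((missing + 1))
        elif ! grep -q -E '^(dn|version):' "$ldif"; then
            echo "INVALID  $name: $ldif does not look like LDIF"
            missing=$((missing + 1))
        else
            echo "OK       $name: $ldif"
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample layout standing in for
# /var/opt/netscape/server7/slapd-instance/db on the old machine.
SAMPLE_DB=$(mktemp -d)
mkdir -p "$SAMPLE_DB/userRoot" "$SAMPLE_DB/NetscapeRoot"
printf 'version: 1\n\ndn: dc=example,dc=com\nobjectClass: top\n' > "$SAMPLE_DB/userRoot.ldif"
# NetscapeRoot was deliberately not exported, so the check reports it and fails.
check_ldif_exports "$SAMPLE_DB" \
    || echo "export incomplete: run db2ldif for the databases listed above"
```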

6.2 Upgrading from Red Hat Directory Server 8.0

The upgrade from Red Hat Directory Server 8.0 is automatically handled by a control script included in the HP-UX Directory Server 8.1 product package. The upgrade replaces all product files belonging to the old version with the files belonging to the 8.1 version, removes any files belonging to the old version that are not used by the new version, and upgrades some of the configuration data in the o=NetscapeRoot suffix to function correctly with the new version.

6.2.1 Backing up the Directory Server data and configuration prior to the upgrade

HP recommends that you back up your Red Hat Directory Server 8.0 configuration and data before performing the upgrade to HP-UX Directory Server 8.1. If the upgrade encounters unexpected problems, the backup ensures that you can recover by reverting to the 8.0 version.
To back up the configuration from the 8.0 installation, archive the contents of the /etc/opt/
dirsrv directory. For example:
# /opt/dirsrv/slapd-instance_name/stop-slapd
# cd /etc/opt/dirsrv
# tar cvf /home/files/rhds80cfg.tar *
To back up the data from the 8.0 installation, run db2bak once for each Directory Server instance. For example:
# /opt/dirsrv/slapd-instance_name/db2bak /home/files/bak/slapd-instance_name
To restore Red Hat Directory Server 8.0, reinstall the Red Hat Directory Server 8.0 product package, extract the configuration data to /etc/opt/dirsrv, and run bak2db to restore the data. For example:
# /opt/dirsrv/slapd-instance_name/stop-slapd
# cd /etc/opt/dirsrv
# tar xvf /home/files/rhds80cfg.tar
# /opt/dirsrv/slapd-instance_name/bak2db /home/files/bak/slapd-instance_name

6.2.2 Performing the upgrade to HP-UX Directory Server 8.1

To perform the upgrade to HP-UX Directory Server 8.1, perform these steps:
1. Shut down all Directory Server instances and the Administration Server, as described in
“Starting and stopping servers” (page 44).
2. Use swinstall to install the HP-UX Directory Server 8.1 depot.
3. Start the Directory Server instances and the Administration Server, as described in “Starting
and stopping servers” (page 44).

7 Support and other resources

7.1 Contacting HP

7.1.1 Information to collect before contacting HP

Be sure to have the following information available before you contact HP:
Software product name
Hardware product model number
Operating system type and version
Applicable error message
Third-party hardware or software
Technical support registration number (if applicable)

7.1.2 How to contact HP technical support

Use the following methods to contact HP technical support:
In the United States, see the Customer Service / Contact HP United States website for contact
options:
http://welcome.hp.com/country/us/en/contact_us.html
In other locations, see the Contact HP Worldwide website for contact options:
http://welcome.hp.com/country/us/en/wwcontact.html

7.1.3 HP authorized resellers

For the name of the nearest HP authorized reseller, see the following sources:
In the United States, see the HP U.S. service locator website at:
http://www.hp.com/service_locator
In other locations, see the Contact HP worldwide website at:
http://welcome.hp.com/country/us/en/wwcontact.html

7.1.4 Documentation feedback

HP welcomes your feedback. To make comments and suggestions about product documentation, send a message to:
docsfeedback@hp.com
Include the document title and manufacturing part number in your message. All submissions become the property of HP.

7.2 Related information

7.2.1 HP-UX Directory Server documentation set

HP-UX Directory Server release notes
The release notes contain important information on new features, fixed bugs, known issues and workarounds, and other important information for this specific version of the HP-UX Directory Server.
HP-UX Directory Server administrator guide
This guide contains information and procedures you need to perform to maintain your Directory Server.
HP-UX Directory Server administration server guide
The Administration Server is a support server that drives access to the Directory Server Console, provides a web server for Directory Server web applications, and stores some Directory Server configuration. This guide covers how to manage the Administration Server through the Console, through the command line, and through the web services. It also covers basic Administration Server concepts.
HP-UX Directory Server configuration, command, and file reference
This document provides reference information on the command line scripts, configuration attributes, and log files shipped with the Directory Server.
HP-UX Directory Server console guide
This guide covers the basic structure of the Console for both the Directory Server and the Administration Server and provides an overview of how to use the main Console to manage users and access within the Console.
HP-UX Directory Server deployment guide
This guide covers the basic considerations that should be addressed before deploying the Directory Server. The decisions made during this phase can have a significant and lasting effect on the effectiveness, efficiency, and scalability of your Directory Server. You should have a good understanding of your Directory Server requirements before moving on to the installation phase.
HP-UX Directory Server installation guide
This manual contains information and procedures for installing your Directory Server as well as procedures for migrating from Netscape Directory Server 6.21 or Red Hat Directory Server 7.1.
HP-UX Directory Server plug-in reference
This reference document describes server plug-ins, as well as how to write server plug-ins in order to customize and to extend the capabilities of the HP-UX Directory Server.
HP-UX Directory Server schema reference
This reference provides an overview of some of the basic concepts of the directory schema, including lists and descriptions of default schema files, and descriptions of object classes, attributes, object identifiers (OIDs), schema checking, and extending server schema.
HP-UX Directory Server web applications guide
This guide provides information on Directory Server web applications that are installed separately from the Directory Server.
For the latest information about HP-UX Directory Server, including current release notes, complete product documentation, technical notes, and white papers, as well as other HP Internet and Security products, see the HP-UX Directory Server documentation site at:
http://docs.hp.com/en/internet.html.

7.2.2 HP-UX documentation set

For the latest information about the HP-UX operating system, including current release notes, complete product documentation, technical notes, and white papers, see the HP-UX Operating Environments documentation sites for the version of HP-UX you use:
HP-UX 11i v3 Operating Environments: http://docs.hp.com/en/oshpux11iv3.html
HP-UX 11i v2 Operating Environments: http://docs.hp.com/en/oshpux11iv2.html

7.2.3 Troubleshooting resources

You can search a technical knowledge database available on the HP IT Resource Center
(ITRC) website at:
http://itrc.hp.com/
To seek solutions to problems, you can post messages on the ITRC Forums page at the
following website (select the HP-UX area in the Areas of peer problem solving section):
http://forums.itrc.hp.com/
In addition, troubleshooting suggestions are included in the following section of this guide:
“Troubleshooting” (page 45)

7.3 Typographic conventions

This document uses the following typographical conventions:
Book title The title of a book. On the web, this can be a hyperlink to the book itself.
Command A command name or command phrase, for example ls -a.
Computer output Information displayed by the computer.
Ctrl+x or Ctrl-x A key sequence that indicates you must hold down the keyboard key labeled Ctrl while you press the letter x.
ENVIRONMENT VARIABLE The name of an environment variable, for example, PATH.
Key The name of a keyboard key. Return and Enter both refer to the same key.
Term A term or phrase that is defined in the body text of the document, not in a glossary.
User input Indicates commands and text that you type exactly as shown.
Replaceable The name of a placeholder that you replace with an actual value.
[ ] In command syntax statements, these characters enclose optional content.
{ } In command syntax statements, these characters enclose required content.
| The character that separates items in a linear list of choices.
... Indicates that the preceding element can be repeated one or more times.
WARNING An alert that calls attention to important information that, if not understood or followed, results in personal injury.
CAUTION An alert that calls attention to important information that, if not understood or followed, results in data loss, data corruption, or damage to hardware or software.
IMPORTANT An alert that calls attention to essential information.
NOTE An alert that contains additional or supplementary information.
TIP An alert that provides helpful information.

Glossary

A
access control instruction See ACI.
access control list See ACL.
access rights In the context of access control, specify the level of access granted or denied. Access rights are related to the type of operation that can be performed on the directory. The following rights can be granted or denied: read, write, add, delete, search, compare, selfwrite, proxy and all.
account inactivation Disables a user account, group of accounts, or an entire domain so that all authentication attempts are automatically rejected.
ACI An instruction that grants or denies permissions to entries in the directory. See also access control instruction.
ACL The mechanism for controlling access to your directory. See also access control list.
All IDs Threshold Replaced with the ID list scan limit in Directory Server version 7.1. A size limit which is globally applied to every index key managed by the server. When the size of an individual ID list reaches this limit, the server replaces that ID list with an All IDs token. See also ID list scan limit.
All IDs token A mechanism which causes the server to assume that all directory entries match the index key. In effect, the All IDs token causes the server to behave as if no index was available for the search request.
anonymous access When granted, allows anyone to access directory information without providing credentials, and regardless of the conditions of the bind.
approximate index Allows for efficient approximate or "sounds-like" searches.
attribute Holds descriptive information about an entry. Attributes have a label and a value. Each attribute also follows a standard syntax for the type of information that can be stored as the attribute value.
attribute list A list of required and optional attributes for a given entry type or object class.
authenticating directory server In pass-through authentication (PTA), the authenticating Directory Server is the Directory Server that contains the authentication credentials of the requesting client. The PTA-enabled host sends PTA requests it receives from clients to the host.
authentication (1) Process of proving the identity of the client user to the Directory Server. Users must provide a bind DN and either the corresponding password or certificate in order to be granted access to the directory. Directory Server allows the user to perform functions or access files and directories based on the permissions granted to that user by the directory administrator.
(2) Allows a client to make sure they are connected to a secure server, preventing another computer from impersonating the server or attempting to appear secure when it is not.
authentication certificate Digital file that is not transferable and not forgeable and is issued by a third party. Authentication certificates are sent from server to client or client to server in order to verify and authenticate the other party.
B
base distinguished name See base DN.
base DN Base distinguished name. A search operation is performed on the base DN, the DN of the entry and all entries below it in the directory tree.
bind distinguished name See bind DN.
bind DN Distinguished name used to authenticate to Directory Server when performing an operation.
bind rule In the context of access control, the bind rule specifies the credentials and conditions that a
particular user or client must satisfy in order to get access to directory information.
branch entry An entry that represents the top of a subtree in the directory.
browser Software, such as Mozilla Firefox, used to request and view World Wide Web material stored
as HTML files. The browser uses the HTTP protocol to communicate with the host server.
browsing index Speeds up the display of entries in the Directory Server Console. Browsing indexes can be
created on any branch point in the directory tree to improve display performance. See also virtual list view index.
C
CA See Certificate Authority.
cascading replication
In a cascading replication scenario, one server, often called the hub supplier, acts both as a consumer and a supplier for a particular replica. It holds a read-only replica and maintains a changelog. It receives updates from the supplier server that holds the master copy of the data and in turn supplies those updates to the consumer.
certificate A collection of data that associates the public keys of a network user with their DN in the
directory. The certificate is stored in the directory as user object attributes.
Certificate Authority
Company or organization that sells and issues authentication certificates. You may purchase an authentication certificate from a Certification Authority that you trust. Also known as a CA.
CGI Common Gateway Interface. An interface for external programs to communicate with the HTTP
server. Programs written to use CGI are called CGI programs or CGI scripts and can be written in many of the common programming languages. CGI programs handle forms or perform output parsing that is not done by the server itself.
chaining A method for relaying requests to another server. Results for the request are collected, compiled,
and then returned to the client.
changelog A changelog is a record that describes the modifications that have occurred on a replica. The
supplier server then replays these modifications on the replicas stored on replica servers or on other masters, in the case of multi-master replication.
character type Distinguishes alphabetic characters from numeric or other characters and the mapping of
upper-case to lower-case letters.
ciphertext Encrypted information that cannot be read by anyone without the proper key to decrypt the
information.
class definition Specifies the information needed to create an instance of a particular object and determines
how the object works in relation to other objects in the directory.
class of service See CoS.
classic CoS A classic CoS identifies the template entry by both its DN and the value of one of the target
entry's attributes.
client See LDAP client.
code page An internal table used by a locale in the context of the internationalization plug-in that the
operating system uses to relate keyboard keys to character font screen displays.
collation order Provides language and cultural-specific information about how the characters of a given
language are to be sorted. This information might include the sequence of letters in the alphabet or how to compare letters with accents to letters without accents.
consumer Server containing replicated directory trees or subtrees from a supplier server.
consumer server In the context of replication, a server that holds a replica that is copied from a different server
is called a consumer for that replica.
CoS A method for sharing attributes between entries in a way that is invisible to applications.
CoS definition entry Identifies the type of CoS you are using. It is stored as an LDAP subentry below the branch it affects.
CoS template entry Contains a list of the shared attribute values. See also template entry.
D
daemon A background process on a Unix machine that is responsible for a particular system task.
Daemon processes do not need human intervention to continue functioning.
DAP Directory Access Protocol. The ISO X.500 standard protocol that provides client access to the
directory.
data master The server that is the master source of a particular piece of data.
database link An implementation of chaining. The database link behaves like a database but has no persistent
storage. Instead, it points to data stored remotely.
default index One of a set of default indexes created per database instance. Default indexes can be modified,
although care should be taken before removing them, as certain plug-ins may depend on them.
definition entry See CoS definition entry.
Directory Access Protocol See DAP.
Directory Manager
The privileged database administrator, comparable to the root user in UNIX. Access control does not apply to the Directory Manager.
directory service A database application designed to manage descriptive, attribute-based information about
people and resources within an organization.
directory tree The logical representation of the information stored in the directory. It mirrors the tree model
used by most file systems, with the tree's root point appearing at the top of the hierarchy. Also known as DIT.
distinguished name String representation of an entry's name and location in an LDAP directory.
DIT See directory tree.
DM See Directory Manager.
DN See distinguished name.
DNS Domain Name System. The system used by machines on a network to associate standard IP
addresses (such as 192.0.2.10) with host names (such as www.example.com). Machines normally get the IP address for a host name from a DNS server, or they look it up in tables maintained on their systems.
DNS alias A DNS alias is a host name that the DNS server knows points to a different host, specifically a
DNS CNAME record. Machines always have one real name, but they can have one or more aliases. For example, an alias such as www.yourdomain.domain might point to a real machine called realthing.yourdomain.domain where the server currently exists.
E
entry A group of lines in the LDIF file that contains information about an object.
entry distribution Method of distributing directory entries across more than one server in order to scale to support
large numbers of entries.
entry ID list Each index that the directory uses is composed of a table of index keys and matching entry ID
lists. The entry ID list is used by the directory to build a list of candidate entries that may match the client application's search request.
equality index Allows you to search efficiently for entries containing a specific attribute value.
F
file extension The section of a filename after the period or dot (.) that typically defines the type of file (for
example, .GIF and .HTML). In the filename index.html the file extension is html.
file type The format of a given file. For example, graphics files are often saved in GIF format, while a
text file is usually saved as ASCII text format. File types are usually identified by the file extension (for example, .GIF or .HTML).
filter A constraint applied to a directory query that restricts the information returned.
filtered role Allows you to assign entries to the role depending upon the attribute contained by each entry.
You do this by specifying an LDAP filter. Entries that match the filter are said to possess the role.
G
general access When granted, indicates that all authenticated users can access directory information.
GSS-API Generic Security Services. The generic access protocol that is the native way for UNIX-based
systems to access and authenticate Kerberos services; also supports session encryption.
H
host name
A name for a machine in the form machine.domain.dom, which is translated into an IP address. For example, www.example.com is the machine www in the subdomain example and com domain.
HTML Hypertext Markup Language. The formatting language used for documents on the World Wide
Web. HTML files are plain text files with formatting codes that tell browsers such as Mozilla Firefox how to display text, position graphics, and form items and to display links to other pages.
HTTP Hypertext Transfer Protocol. The method for exchanging information between HTTP servers
and clients.
HTTPD An abbreviation for the HTTP daemon or service, a program that serves information using the
HTTP protocol. The daemon or service is often called an httpd.
HTTPS A secure version of HTTP, implemented using the Secure Sockets Layer, SSL.
hub In the context of replication, a server that holds a replica that is copied from a different server,
and, in turn, replicates it to a third server. See also cascading replication.
I
ID list scan limit A size limit which is globally applied to any indexed search operation. When the size of an
individual ID list reaches this limit, the server replaces that ID list with an all IDs token.
index key Each index that the directory uses is composed of a table of index keys and matching entry ID
lists.
indirect CoS An indirect CoS identifies the template entry using the value of one of the target entry's attributes.
international index Speeds up searches for information in international directories.
International Standards Organization See ISO.
IP address Also Internet Protocol address. A set of numbers, separated by dots, that specifies the actual
location of a machine on the Internet (for example, 192.0.2.10).
ISO International Standards Organization.
K
knowledge reference Pointers to directory information stored in different databases.
L
LDAP Lightweight Directory Access Protocol. Directory service protocol designed to run over TCP/IP
and across multiple platforms.
LDAP client Software used to request and view LDAP entries from an LDAP Directory Server.
See also browser.
LDAP Data Interchange Format See LDAP Data Interchange Format.
LDAP URL Provides the means of locating Directory Servers using DNS and then completing the query
via LDAP. A sample LDAP URL is ldap://ldap.example.com.
LDAPv3 Version 3 of the LDAP protocol, upon which Directory Server bases its schema format.
LDBM database A high-performance, disk-based database consisting of a set of large files that contain all of the
data assigned to it. The primary data store in Directory Server.
LDIF LDAP Data Interchange Format. Format used to represent Directory Server entries in text form.
leaf entry An entry under which there are no other entries. A leaf entry cannot be a branch point in a
directory tree.
Lightweight Directory Access Protocol See LDAP.
locale Identifies the collation order, character type, monetary format and time / date format used to
present data for users of a specific region, culture, and/or custom. This includes information on how data of a given language is interpreted, stored, or collated. The locale also indicates which code page should be used to represent a given language.
M
managed object A standard value which the SNMP agent can access and send to the NMS. Each managed object
is identified with an official name and a numeric identifier expressed in dot-notation.
managed role Allows creation of an explicit enumerated list of members.
management information base See MIB.
mapping tree A data structure that associates the names of suffixes (subtrees) with databases.
master See supplier.
master agent See SNMP master agent.
matching rule Provides guidelines for how the server compares strings during a search operation. In an
international search, the matching rule tells the server what collation order and operator to use.
MD5 A message digest algorithm by RSA Data Security, Inc., which can be used to produce a short
digest of data that is unique with high probability; it is mathematically extremely hard to produce another piece of data that will produce the same message digest.
MD5 signature A message digest produced by the MD5 algorithm.
MIB Management Information Base. All data, or any portion thereof, associated with the SNMP
network. We can think of the MIB as a database which contains the definitions of all SNMP managed objects. The MIB has a tree-like hierarchy, where the top level contains the most general information about the network and lower levels deal with specific, separate network areas.
MIB namespace Management Information Base namespace. The means for directory data to be named and
referenced. Also called the directory tree.
monetary format Specifies the monetary symbol used by specific region, whether the symbol goes before or after
its value, and how monetary units are represented.
multi-master replication
An advanced replication scenario in which two servers each hold a copy of the same read-write replica. Each server maintains a changelog for the replica. Modifications made on one server are automatically replicated to the other server. In case of conflict, a time stamp is used to determine which server holds the most recent version.
multiplexor The server containing the database link that communicates with the remote server.
N
n + 1 directory problem
The problem of managing multiple instances of the same information in different directories, resulting in increased hardware and personnel costs.
name collisions Multiple entries with the same distinguished name.
nested role Allows the creation of roles that contain other roles.
network management application Network Management Station component that graphically displays information about SNMP managed devices, such as which device is up or down and which and how many error messages were received.
network management station See NMS.
NIS Network Information Service. A system of programs and data files that Unix machines use to
collect, collate, and share specific information about machines, users, file systems, and network parameters throughout a network of computers.
NMS Powerful workstation with one or more network management applications installed. Also
network management station.
ns-slapd The LDAP Directory Server daemon or service that is responsible for all actions of the Directory
Server. See also slapd.
O
object class Defines an entry type in the directory by defining which attributes are contained in the entry.
object identifier A string, usually of decimal numbers, that uniquely identifies a schema element, such as an
object class or an attribute, in an object-oriented system. Object identifiers are assigned by ANSI, IETF or similar organizations. See also OID.
OID See object identifier.
operational attribute
Contains information used internally by the directory to keep track of modifications and subtree properties. Operational attributes are not returned in response to a search unless explicitly requested.
P
parent access When granted, indicates that users have access to entries below their own in the directory tree
if the bind DN is the parent of the targeted entry.
pass-through authentication See PTA.
pass-through subtree
In pass-through authentication, the PTA directory server will pass through bind requests to the authenticating directory server from all clients whose DN is contained in this subtree.
password file A file on Unix machines that stores Unix user login names, passwords, and user ID numbers.
It is also known as /etc/passwd because of where it is kept.
password policy A set of rules that governs how passwords are used in a given directory.
PDU Encoded messages which form the basis of data exchanges between SNMP devices. Also protocol
data unit.
permission In the context of access control, permission states whether access to the directory information
is granted or denied and the level of access that is granted or denied. See also access rights.
pointer CoS A pointer CoS identifies the template entry using the template DN only.
presence index Allows searches for entries that contain a specific indexed attribute.
protocol A set of rules that describes how devices on a network exchange information.
protocol data unit See PDU.
proxy authentication
A special form of authentication in which the client binds to the directory with its own DN but asks the directory to authorize its operations as another entry, the proxy DN. See also proxy DN.
proxy DN Used with proxied authorization. The proxy DN is the DN of an entry that has access permissions
to the target on which the client-application is attempting to perform an operation.
PTA Mechanism by which one Directory Server consults another to check bind credentials. Also
pass-through authentication.
PTA directory server
In pass-through authentication (PTA), the PTA Directory Server is the server that sends (passes through) bind requests it receives to the authenticating directory server.
PTA LDAP URL In pass-through authentication, the URL that defines the authenticating directory server,
pass-through subtree(s), and optional parameters.
R
RAM Random access memory. The physical semiconductor-based memory in a computer. Information stored in RAM is lost when the computer is shut down.
RDN The name of the actual entry itself, before the entry's ancestors have been appended to the string
to form the full distinguished name. Also relative distinguished name.
read-only replica A replica that refers all update operations to read-write replicas. A server can hold any number
of read-only replicas.
read-write replica A replica that contains a master copy of directory information and can be updated. A server
can hold any number of read-write replicas.
referential integrity
Mechanism that ensures that relationships between related entries are maintained within the directory.
referral (1) When a server receives a search or update request from an LDAP client that it cannot process, it usually sends back to the client a pointer to the LDAP server that can process the request.
(2) In the context of replication, when a read-only replica receives an update request, it forwards it to the server that holds the corresponding read-write replica. This forwarding process is called a referral.
relative distinguished name See RDN.
replica A database that participates in replication.
replica-initiated replication
Replication configuration where replica servers, either hub or consumer servers, pull directory data from supplier servers. This method is available only for legacy replication.
replication Act of copying directory trees or subtrees from supplier servers to replica servers.
replication agreement
Set of configuration parameters that are stored on the supplier server and identify the databases to replicate, the replica servers to which the data is pushed, the times during which replication can occur, the DN and credentials used by the supplier to bind to the consumer, and how the connection is secured.
RFC Request for Comments. Procedures or standards documents submitted to the Internet
community. People can send comments on the technologies before they become accepted standards.
role An entry grouping mechanism. Each role has members, which are the entries that possess the
role.
role-based attributes
Attributes that appear on an entry because it possesses a particular role within an associated CoS template.
root The most privileged user available on Unix machines. The root user has complete access
privileges to all files on the machine.
root suffix The parent of one or more sub suffixes. A directory tree can contain more than one root suffix.
S
SASL An authentication framework for clients as they attempt to bind to a directory. Also Simple Authentication and Security Layer.
schema Definitions describing what types of information can be stored as entries in the directory. When information that does not match the schema is stored in the directory, clients attempting to access the directory may be unable to display the proper results.
schema checking Ensures that entries added or modified in the directory conform to the defined schema. Schema checking is on by default, and users will receive an error if they try to save an entry that does not conform to the schema.
Secure Sockets Layer See SSL.
self access When granted, indicates that users have access to their own entries if the bind DN matches the
targeted entry.
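The RDN, parent access and self access entries above all turn on how a DN is split into its components and compared. The following is an added example, not part of the HP-UX Directory Server glossary or product code: it parses an RFC 4514 distinguished name into RDNs (honouring backslash escapes, so a comma inside a value is not a separator), normalizes the result for comparison, and applies the glossary's self-access and parent-access tests to a bind DN and a target DN. Function names are hypothetical; only the RFC 4514 escaping rules are assumed.

```python
# Added example; not part of the HP-UX Directory Server glossary or product code.
# Parses RFC 4514 distinguished names into RDNs and applies the glossary's
# "self access" and "parent access" tests. Function names are hypothetical;
# only RFC 4514's escaping rules (\c and \XX hex pairs) are assumed.
from __future__ import annotations

def _split_unescaped(s: str, sep: str) -> list[str]:
    """Split on sep, but not on a sep that is backslash-escaped."""
    parts: list[str] = []
    buf: list[str] = []
    i = 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])      # keep the escape pair intact for now
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    parts.append("".join(buf))
    return parts

def _trim(s: str) -> str:
    """Strip unescaped spaces; an escaped trailing space ('\\ ') is data."""
    s = s.lstrip(" ")
    while s.endswith(" ") and not s.endswith("\\ "):
        s = s[:-1]
    return s

def _unescape(value: str) -> str:
    """Resolve \\XX hex pairs (possibly multi-byte UTF-8) and \\c escapes."""
    raw = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                raw.append(int(pair, 16))
                i += 3
            else:
                raw.extend(value[i + 1].encode("utf-8"))
                i += 2
        else:
            raw.extend(value[i].encode("utf-8"))
            i += 1
    return raw.decode("utf-8", errors="replace")

def normalize_dn(dn: str) -> tuple:
    """Canonical DN: a tuple of RDNs, each a sorted tuple of (type, value) with
    lower-cased types and case-folded values (caseIgnore matching, as used for
    cn/ou/dc). Two DNs name the same entry iff their canonical forms match."""
    rdns = []
    for rdn_text in _split_unescaped(dn, ","):
        rdn_text = _trim(rdn_text)
        if not rdn_text:
            continue                    # "" is the root DSE: no RDNs at all
        avas = []
        for ava in _split_unescaped(rdn_text, "+"):   # multi-valued RDNs
            attr_type, eq, attr_value = ava.partition("=")
            if not eq:
                raise ValueError(f"RDN component without '=': {ava!r}")
            avas.append((attr_type.strip().lower(),
                         _unescape(_trim(attr_value)).casefold()))
        rdns.append(tuple(sorted(avas)))
    return tuple(rdns)

def rdn(dn: str) -> str:
    """The glossary's RDN: the leftmost component, before the ancestors."""
    return _trim(_split_unescaped(dn, ",")[0])

def parent_dn(dn: str) -> str:
    """Everything after the RDN, i.e. the DN of the entry's parent."""
    return ",".join(_trim(p) for p in _split_unescaped(dn, ",")[1:])

def is_self(bind_dn: str, target_dn: str) -> bool:
    """Self access: the bind DN names the targeted entry itself."""
    return normalize_dn(bind_dn) == normalize_dn(target_dn)

def is_parent(bind_dn: str, target_dn: str) -> bool:
    """Parent access: the bind DN is the immediate parent of the target
    (a grandparent does not qualify)."""
    target = normalize_dn(target_dn)
    return len(target) > 1 and normalize_dn(bind_dn) == target[1:]

if __name__ == "__main__":
    # Constructed DNs; note the escaped comma inside the first RDN value.
    target = "cn=Doe\\, John,ou=People,dc=example,dc=com"
    print(rdn(target), "|", parent_dn(target))
    print(is_self("CN=doe\\2c john, OU=people, DC=example, DC=com", target))
    print(is_parent("ou=People,dc=example,dc=com", target))
    print(is_parent("dc=example,dc=com", target))
```

Splitting on a bare comma would put `cn=Doe\, John` under the wrong parent, and a byte-for-byte comparison would treat `OU=People` and `ou=people` as different entries; both mistakes turn an access-control check into either a denial or a bypass, which is why the comparison works on the normalized form rather than the raw string.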
Server Console Java-based application that allows you to perform administrative management of your Directory Server from a GUI.
server daemon The server daemon is a process that, once running, listens for and accepts requests from clients.
Server Selector Interface that allows you to select and configure servers using a browser.
server service A process on Windows that, once running, listens for and accepts requests from clients. It is
the SMB server on Windows NT.
service A background process on a Windows machine that is responsible for a particular system task.
Service processes do not need human intervention to continue functioning.
SIE Server Instance Entry. The ID assigned to an instance of Directory Server during installation.
Simple Authentication and Security Layer See SASL.
Simple Network Management Protocol See SNMP.
single-master replication
The most basic replication scenario, in which a single supplier server holds the read-write replica and pushes its updates to one or more consumer servers that hold read-only replicas. In a single-master replication scenario, the supplier server maintains a changelog.
SIR See supplier-initiated replication.
slapd LDAP Directory Server daemon or service that is responsible for most functions of a directory
except replication. See also ns-slapd.
SNMP Used to monitor and manage application processes running on the servers by exchanging data
about network activity. Also Simple Network Management Protocol.
SNMP master agent Software that exchanges information between the various subagents and the NMS.
SNMP subagent Software that gathers information about the managed device and passes the information to the
master agent. Also called a subagent.
SSL A protocol that establishes an encrypted and authenticated connection between two parties (client and server); it is used to implement HTTPS, the secure version of HTTP. Also called Secure Sockets Layer. Superseded by TLS.
standard index An index maintained by default.
sub suffix A branch underneath a root suffix.
subagent See SNMP subagent.
substring index Allows for efficient searching against substrings within entries. Substring indexes are limited
to a minimum of two characters for each entry.
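The presence index and substring index entries describe what each index can answer, but not what happens when a filter falls outside what the index covers. The following is an added example, not part of the HP-UX Directory Server glossary or product code: a small presence index and n-gram substring index built over constructed sample entries, with the glossary's two-character minimum as the n-gram size. It shows an indexed substring lookup, the verification step needed because matching n-grams do not guarantee a contiguous match, and the unindexed full scan a server is forced into when a client sends a substring shorter than the minimum. Class and function names are hypothetical and the entries are made up.

```python
# Added example; not part of the HP-UX Directory Server glossary or product code.
# A toy presence index and substring index over constructed entries, to show
# which filters an index can serve and why a substring shorter than the index
# minimum (the glossary's two characters) falls back to an unindexed scan.
# Names are hypothetical; only the idea of n-gram substring indexing is assumed.
from __future__ import annotations
from collections import defaultdict

MIN_SUBSTRING = 2   # minimum substring length stated in the glossary

# Constructed sample entries (not real data)
ENTRIES = {
    "uid=jdoe,ou=People,dc=example,dc=com": {"cn": "John Doe", "mail": "jdoe@example.com"},
    "uid=asmith,ou=People,dc=example,dc=com": {"cn": "Anna Smith"},
    "uid=svc-backup,ou=Services,dc=example,dc=com": {"cn": "Backup Service", "mail": "backup@example.com"},
}

class AttributeIndexes:
    """Presence index (which entries carry the attribute at all) and substring
    index (n-grams of each value -> entries) for one attribute."""

    def __init__(self, attr: str, entries: dict, n: int = MIN_SUBSTRING):
        self.attr, self.entries, self.n = attr, entries, n
        self.presence: set[str] = set()
        self.substring: dict[str, set[str]] = defaultdict(set)
        for dn, entry in entries.items():
            self.add(dn, entry)

    def add(self, dn: str, entry: dict) -> None:
        value = entry.get(self.attr)
        if value is None:
            return
        self.presence.add(dn)
        v = value.casefold()              # caseIgnore matching for cn/mail
        for i in range(len(v) - self.n + 1):
            self.substring[v[i:i + self.n]].add(dn)

    def presence_lookup(self) -> set[str]:
        """Serves (attr=*)."""
        return set(self.presence)

    def substring_lookup(self, pattern: str) -> set[str] | None:
        """Serves (attr=*pattern*). Returns None when the pattern is shorter
        than the index n-gram: the search is unindexed and the server would
        have to scan every entry, which is a cheap way for a client to burn
        server CPU and why servers cap or refuse such searches."""
        p = pattern.casefold()
        if len(p) < self.n:
            return None
        grams = [p[i:i + self.n] for i in range(len(p) - self.n + 1)]
        candidates = set.intersection(*(self.substring.get(g, set()) for g in grams))
        # All n-grams being present does not mean they are contiguous, so the
        # candidate set is re-checked against the real values before return.
        return {dn for dn in candidates
                if p in self.entries[dn][self.attr].casefold()}

def unindexed_scan(attr: str, pattern: str, entries: dict = ENTRIES) -> set[str]:
    """What the server must do without a usable index: look at every entry."""
    p = pattern.casefold()
    return {dn for dn, e in entries.items()
            if attr in e and p in e[attr].casefold()}

if __name__ == "__main__":
    cn_idx = AttributeIndexes("cn", ENTRIES)
    mail_idx = AttributeIndexes("mail", ENTRIES)
    print(sorted(mail_idx.presence_lookup()))          # (mail=*)
    print(cn_idx.substring_lookup("doe"))              # (cn=*doe*), indexed
    print(cn_idx.substring_lookup("doh"))              # grams match, value does not
    print(cn_idx.substring_lookup("e"))                # None: unindexed
    print(unindexed_scan("cn", "e"))                   # the fallback scan
```

The `doh` case is the reason for the final verification: `John Doe` contains both the `do` and `oh` bigrams, so the index alone would return it as a match. The `None` result is what to watch for operationally; a directory that accepts one-character substring filters on an unindexed attribute is exposing a full-database scan to any authenticated (or anonymous) client.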
suffix The name of the entry at the top of the directory tree, below which data is stored. Multiple
suffixes are possible within the same directory. Each database only has one suffix.
superuser The most privileged user available on Unix machines. The superuser has complete access
privileges to all files on the machine. Also called root.
supplier Server containing the master copy of directory trees or subtrees that are replicated to replica
servers.
supplier server In the context of replication, a server that holds a replica that is copied to a different server is
called a supplier for that replica.
supplier-initiated replication
Replication configuration where supplier servers replicate directory data to any replica servers.
symmetric encryption
Encryption that uses the same key for both encrypting and decrypting, so the key must be shared in advance between the two parties. DES is an example of a symmetric encryption algorithm, although its 56-bit key is now considered too weak for new deployments.
system index Cannot be deleted or modified as it is essential to Directory Server operations.
T
target In the context of access control, the target identifies the directory information to which a
particular ACI applies.
target entry The entries within the scope of a CoS.
TCP/IP Transmission Control Protocol/Internet Protocol. The main network protocol for the Internet
and for enterprise (company) networks.
template entry See CoS template entry.
time/date format Indicates the customary formatting for times and dates in a specific region.
TLS The successor to SSL; a public-key based protocol for securing a connection between two parties. Also Transport Layer Security.
topology The way a directory tree is divided among physical servers and how these servers link with
one another.
Transport Layer Security See TLS.
U
uid A unique number associated with each user on a Unix system.
URL Uniform Resource Locator. The addressing system used by the server and the client to request documents. It is often called a location. The format of a URL is protocol://machine:port/document. The port number is necessary only on selected servers, and it is often assigned by the server, freeing the user of having to place it in the URL.
V
virtual list view index
Speeds up the display of entries in the Directory Server Console. Virtual list view indexes can be created on any branch point in the directory tree to improve display performance. See also browsing index.
X
X.500 standard The set of ISO/ITU-T documents outlining the recommended information model, object classes
and attributes used by directory server implementation.

Index

Symbols
.inf file, 30
  directives, 31
  samples, 34

A
Administration domain, 10
Administration Server
  configuring IP authorization, 37
  configuring proxy servers, 38
  finding the port number, 44
  port, 7
  starting and stopping, 44
  user, 9

C
Clients cannot locate the server, 45
Command-line arguments, 35
Configuration directory, 10
Custom setup
  HP-UX 11i, 26

D
Directory Administrator, 9
Directory Manager, 8
  password, 44
Directory Server
  additional instances, 39
  additional instances (without Console), 40
  components, 7
  configuration directory, 10
  file locations, 43
  HP-UX 11i
    custom, 26
    express, 22
    typical, 24
  migrating all or single instance, 50
  migrating replicated site, 50
  migrating to a different machine, 51
  migrating to another platform, 52
  port, 7
  registering Directory Server with Configuration Directory Server, 40
  removing a single instance, 40
  starting and stopping, 44
  starting the Console, 44
  uninstalling Directory Server
    HP-UX, 41
  user and group, 8
Directory Server Console
  starting, 44
directory suffix, 9
documentation
  providing feedback, 55
  reporting errors in, 55

E
Express setup
  HP-UX 11i, 22

F
feedback
  email address for documentation, 55
File locations, 43
Filesystem Hierarchy Standard, 43
Forgotten Directory Manager DN and password, 45

H
HP authorized resellers, 55
HP technical support, 55
HP-UX
  required patches, 12
  system configuration, 13
    kernel parameters, 13
    Large file support, 14
    Perl, 13
    TIME_WAIT setting, 14
  uninstalling Directory Server, 41
HP-UX 11i, 15
  custom setup, 26
  express setup, 22
  installing JRE, 15
  installing Kerberos 5, 16
  typical setup, 24

I
Installing
  explained, 7
  HP-UX 11i
    JRE, 15
    Kerberos 5, 16
  prerequisites, 7
    administration domain, 10
    Administration Server user, 9
    configuration directory, 10
    Directory Administrator, 9
    Directory Manager, 8
    Directory Server user and group, 8
    directory suffix, 9
    port numbers, 7
  problems, 45
    Clients cannot locate the server, 45
    Forgotten Directory Manager DN and password, 45
    The port is in use, 45
  setup modes, 20
    comparison, 20
    setup-ds-admin.pl, 20
    silent, 20

J
JRE
  HP-UX 11i, 15

K
Kerberos 5
  HP-UX 11i, 16

M
Migrating, 47
  prerequisites, 47
    configure the Directory Server Console (for multi-master replication only), 47
  scenarios
    all or single instance, 50
    different machines, 51
    different platforms, 52
    replicated site, 50

O
Operating system requirements, 12
  HP-UX
    patches, 12
    system configuration, 13

P
Passwords
  Directory Manager, 44
Patches
  HP-UX, 12
Perl
  HP-UX, 13
Port number
  Directory Server only, 39
  finding Administration Server, 44
  table, 20

R
register-ds-admin.pl, 40
Removing Directory Server
  single instance, 40
reporting documentation errors
  email address, 55

S
Setting up Directory Server
  advanced configuration, 37
    additional Directory Server instances, 39
    additional Directory Server instances (without Console), 40
    configuring Administration Server IP authorization, 37
    configuring Administration Server proxy servers, 38
    registering Directory Server with Configuration Directory Server, 40
  HP-UX 11i
    custom, 26
    express, 22
    typical, 24
  modes compared, 20
  silent setup, 29, 35
    .inf file, 30
setup script, 17
setup-ds-admin.pl, 17, 20, 39
  .inf file, 30
  command-line arguments, 35
  silent setup, 29
    Directory Server only, 39
setup-ds.pl, 40
Silent setup, 29
  Directory Server only, 39
Starting and stopping
  Directory Server and Administration Server, 44
  Directory Server Console, 44
System configuration
  HP-UX, 13
    kernel parameter, 13
    Large file support, 14
    Perl, 13
    TIME_WAIT setting, 14

T
The port is in use, 45
Troubleshooting
  installation, 45
Typical setup
  HP-UX 11i, 24
typographic conventions, 57

U
Uninstalling Directory Server
  HP-UX, 41

W
websites
  HP authorized resellers, 55
  HP technical support, 55