This manual provides a high-level overview of design and planning decisions you need to make
before installing Directory Server, and describes the different installation methods that you can
use.
Distribution of substantively modified versions of this document is prohibited without the explicit permission of the
copyright holder.
Distribution of the work or derivative of the work in any standard (paper) book form for commercial purposes is
prohibited unless prior permission is obtained from the copyright holder.
Red Hat and the Red Hat "Shadow Man" logo are registered trademarks of Red Hat, Inc. in the United States and other
countries.
All other trademarks referenced herein are the property of their respective owners.
The GPG fingerprint of the security@redhat.com key is:
CA 20 86 86 2B D6 9D FC 65 F6 EC C4 21 91 80 CD DB 42 A6 0E
1801 Varsity Drive
Raleigh, NC 27606-2072
USA
Phone: +1 919 754 3700
Phone: 888 733 4281
Fax: +1 919 754 3701
PO Box 13588
Research Triangle Park, NC 27709
USA
Red Hat Directory Server 8.0
Preface ... vii
    1. Document Conventions ... viii
    2. We Need Feedback! ... ix
1. Preparing for a Directory Server Installation ... 1
    1. Directory Server Components ... 1
    2. Considerations before Setting up Directory Server ... 1
        2.1. Port Numbers ... 1
        2.2. Directory Server User and Group ... 3
A. Revision History ... 139
Index ... 141
Preface
This installation guide describes the Red Hat Directory Server 8.0 installation process and the
migration process. This manual provides detailed step-by-step procedures for all supported
operating systems, along with explanations of the different setup options (express, typical,
custom, and silent), additional options for Directory Server instance creation, migrating previous
versions of Directory Server, and troubleshooting and basic usage.
IMPORTANT
Directory Server 8.0 provides a migration tool for upgrading or migrating from
earlier Directory Server versions. If you already have a Directory Server
deployment that is supported for migration, you must use the documented
migration procedure to migrate your data and configuration to version 8.0.
See Chapter 8, Migrating from Previous Versions, for more information.
The Directory Server setup process requires information specific to the Directory Server
instance being configured, information about the host names, port numbers, passwords, and IP
addresses that will be used. The setup program attempts to determine reasonable default
values for these settings based on your system environment. Read through this manual before
beginning to configure the Directory Server to plan ahead what values to use.
TIP
If you are installing Directory Server for evaluation, use the express or typical
setup mode. These processes are very fast, and can help get your directory
service up and running quickly.
IMPORTANT
Red Hat Directory Server 8.0 introduces filesystem paths for configuration files,
scripts, commands, and database files used with Directory Server which comply
with Filesystem Hierarchy Standard (FHS). This file layout is very different from
previous releases of Directory Server, which installed all of the files and
directories in /opt/redhat-ds or /opt/netscape. If you encounter errors during
the installation process, look at Section 7, “Troubleshooting”. For more
information on how the file layout has changed, see Section 1, “Directory Server
File Locations”.
The latest Directory Server release is available for your platform and operating system through
Red Hat Network (RHN) at http://rhn.redhat.com/.
1. Document Conventions
Certain words in this manual are represented in different fonts, styles, and weights. This
highlighting indicates that the word is part of a specific category. The categories include the
following:
Courier font
Courier font represents commands, file names and paths, and prompts.
When shown as below, it indicates computer output:
Bold Courier font represents text that you are to type, such as: service jonas start
If you have to run a command as root, the root prompt (#) precedes the command:
# gconftool-2
italic Courier font
Italic Courier font represents a variable, such as an installation directory:
install_dir/bin/
bold font
Bold font represents application programs and text found on a graphical interface.
When shown like this: OK , it indicates a button on a graphical application interface.
Additionally, the manual uses different strategies to draw your attention to pieces of information.
In order of how critical the information is to you, these items are marked as follows:
Note
A note is typically information that you need to understand the behavior of the
system.
Tip
A tip is typically an alternative way of performing a task.
Important
Important information is necessary, but possibly unexpected, such as a
configuration change that will not persist after a reboot.
Caution
A caution indicates an act that would violate your support agreement, such as
recompiling the kernel.
Warning
A warning indicates potential data loss, as may happen when tuning hardware
for maximum performance.
2. We Need Feedback!
If you find a typographical error in this manual, or if you have thought of a way to make this
manual better, we would love to hear from you! Please submit a report in Bugzilla:
http://bugzilla.redhat.com/bugzilla/ against the product Red Hat Directory Server.
When submitting a bug report, be sure to mention the manual's identifier: RHDSIG 8.0
If you have a suggestion for improving the documentation, try to be as specific as possible when
describing it. If you have found an error, please include the section number and some of the
surrounding text so we can find it easily.
Chapter 1. Preparing for a Directory Server Installation
Before you install Red Hat Directory Server 8.0, there are required settings and information that
you need to plan in advance. This chapter describes the kind of information that you should
provide, relevant directory service concepts and Directory Server components, and the impact and
scope of integrating Directory Server into your computing infrastructure.
The information that is covered here and supplied during the Directory Server setup relates to
the design of your directory tree (the hierarchical arrangement of your directory, including all
major roots and branch points) and relates to your directory suffixes and databases. See the
Directory Server Administrator's Guide for more information on suffixes and databases.
1. Directory Server Components
Directory Server 8.0 is comprised of several components, which work in tandem:
• The Directory Server is the core LDAP server daemon. It is compliant with LDAP v3
standards. This component includes command-line server management and administration
programs and scripts for common operations like exporting and backing up databases.
• The Directory Server Console is the user interface that simplifies managing users, groups,
and other LDAP data for your enterprise. The Console is used for all aspects of server
management, including making backups; configuring security, replication, and databases;
adding entries; and monitoring servers and viewing statistics.
• The Administration Server is the management agent which administers Directory Servers. It
communicates with the Directory Server Console and performs operations on the Directory
Server instances. It also provides a simple HTML interface and on-line help pages. There
must be one Administration Server running on each machine which has a Directory Server
instance running on it.
2. Considerations before Setting up Directory Server
Depending on the type of setup that you perform, you will be asked to provide instance-specific
information for both the Administration Server and Directory Server during the installation
procedure, including port numbers, server names, and usernames and passwords for the
Directory Manager and administrator. If you will have multiple Directory Server instances, then it
is better to plan these configuration settings in advance so that the setup processes can run
without conflict.
2.1. Port Numbers
The Directory Server setup requires two TCP/IP port numbers: one for the Directory Server and
one for the Administration Server. These port numbers must be unique.
The Directory Server instance (LDAP) has a default port number of 389. The Administration
Server port number has a default number of 9830. If the default port number for either server is
in use, then the setup program randomly generates a port number larger than 1024 to use as
the default. Alternatively, you can assign any port number between 1025 and 65535 for the
Directory Server and Administration Server ports; you are not required to use the defaults or the
randomly-generated ports.
NOTE
While the legal range of port numbers is 1 to 65535, the Internet Assigned
Numbers Authority (IANA) has already assigned ports 1 to 1024 to common
processes. Never assign a Directory Server port number below 1024 (except for
389/636 for the LDAP server) because this may conflict with other services.
For LDAPS (LDAP with TLS/SSL), the default port number is 636. The server can listen on both
the LDAP and LDAPS ports at the same time. However, the setup program will not allow you to
configure TLS/SSL. To use LDAPS, assign the LDAP port number in the setup process, then
reconfigure the Directory Server to use the LDAPS port and the other TLS/SSL parameters
afterward. For information on how to configure LDAPS, see the Directory Server Administrator's Guide.
The Administration Server runs on a web server, so it uses HTTP or HTTPS. However, unlike
the Directory Server which can run on secure (LDAPS) and insecure (LDAP) ports at the same
time, the Administration Server cannot run over both HTTP and HTTPS simultaneously. The
setup program, setup-ds-admin.pl, does not allow you to configure the Administration Server
to use TLS/SSL. To use TLS/SSL (meaning HTTPS) with the Administration Server, first set up
the Administration Server to use HTTP, then reconfigure it to use HTTPS.
NOTE
When determining the port numbers you will use, verify that the specified port
numbers are not already in use by running a command like netstat.
If you are using ports below 1024, such as the default LDAP port (389), you must run the setup
program and start the servers as root. You do not, however, have to set the server user ID to
root. When it starts, the server binds and listens to its port as root, then immediately drops its
privileges and runs as the non-root server user ID. When the system restarts, the server is
started as root by the initscript. The setuid(2) man page has detailed technical information.
Section 2.2, “Directory Server User and Group” has more information about the server user ID.
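As an added example (not from the Red Hat guide), the following POSIX shell script performs the port check recommended in the note above by reading the kernel's /proc/net/tcp tables directly, so it works on minimal hosts without netstat, and flags ports below 1024 that require running setup and starting the server as root. The /proc/net/tcp sample it runs against at the end is constructed.

```shell
# Added example: verify candidate Directory Server and Administration Server
# ports before running setup-ds-admin.pl. Only LISTEN sockets (state 0A in
# /proc/net/tcp and /proc/net/tcp6) count as "in use".

# port_in_use PORT [TABLE...]: succeed if a listener on PORT appears in the
# tables (defaults to the live /proc/net/tcp and /proc/net/tcp6).
port_in_use() {
    port=$1; shift
    [ $# -gt 0 ] || set -- /proc/net/tcp /proc/net/tcp6
    hexport=$(printf '%04X' "$port")          # the kernel prints ports in uppercase hex
    for table in "$@"; do
        [ -r "$table" ] || continue
        # Column 2 is local_address as HEXADDR:HEXPORT; column 4 is the socket state.
        if awk -v p="$hexport" 'NR > 1 && $4 == "0A" { split($2, a, ":"); if (a[2] == p) found = 1 }
                                 END { exit found ? 0 : 1 }' "$table"; then
            return 0
        fi
    done
    return 1
}

# valid_port PORT: succeed if PORT is an integer in 1..65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# check_ports LDAP_PORT ADMIN_PORT [TABLE...]: print one line per finding and
# succeed only when both ports are valid, distinct and free. Ports below 1024
# are reported as privileged: setup must run, and the server must start, as root.
check_ports() {
    ldap=$1; admin=$2; shift 2
    status=0
    for p in "$ldap" "$admin"; do
        valid_port "$p" || { echo "ERROR: '$p' is not a port in 1..65535"; status=1; }
    done
    [ $status -eq 0 ] || return 1
    if [ "$ldap" -eq "$admin" ]; then
        echo "ERROR: LDAP port and Administration Server port must differ"
        return 1
    fi
    for p in "$ldap" "$admin"; do
        if port_in_use "$p" "$@"; then
            echo "ERROR: port $p already has a listener"
            status=1
        elif [ "$p" -lt 1024 ]; then
            echo "OK: port $p is free (privileged port: run setup and start the server as root)"
        else
            echo "OK: port $p is free"
        fi
    done
    return $status
}

# Constructed /proc/net/tcp sample (not captured from a real host): a listener on
# 389 (0x0185, state 0A) and an established connection on 9830 (0x2666, state 01),
# which must not count as a listener.
SAMPLE_TCP=$(mktemp)
cat > "$SAMPLE_TCP" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0185 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:2666 0100007F:B3E2 01 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 20 4 30 10 -1
EOF

# Against the sample, 389 is taken and 9830 is free; 1389 and 9830 are both free.
check_ports 389 9830 "$SAMPLE_TCP" || echo "=> choose other ports or stop the conflicting service"
check_ports 1389 9830 "$SAMPLE_TCP" && echo "=> safe to run setup-ds-admin.pl with these ports"
```

Run `check_ports 389 9830` without a table argument to check the defaults against the live system.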
2.2. Directory Server User and Group
The setup process sets a user ID (UID) and group ID (GID) as which the servers will run. The
default UID is a non-privileged (non-root) user, nobody on Red Hat Enterprise Linux and Solaris
and daemon on HP-UX. Red Hat strongly recommends using this default value. The same UID
can be used for both the Directory Server and the Administration Server, which simplifies
administration. If you choose a different UID for each server, those UIDs must both belong to
the group assigned to Directory Server.
For security reasons, Red Hat strongly discourages you from setting the Directory Server or
Administration Server user to root. If an attacker gains access to the server, he might be able
to execute arbitrary system commands as the root user. Using a non-privileged UID adds
another layer of security.
Listening to Restricted Ports as Unprivileged Users.
Even though port numbers less than 1024 are restricted, the LDAP server can listen to port 389
(and any port number less than 1024), as long as the server is started by the root user or by
init when the system starts up. The server first binds and listens to the restricted port as root,
then immediately drops privileges to the non-root server UID. The setuid(2) man page has detailed
technical information.
Section 2.1, “Port Numbers” has more information on port numbers in Directory Server.
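As an added example (not from the guide), this shell check confirms after startup that the server really dropped to the non-root UID: it reads the Uid: line of /proc/PID/status and requires all four UIDs (real, effective, saved-set and filesystem) to be the unprivileged one, because a saved-set UID left at 0 would let the process regain root through setuid(2). The status fragments are constructed, and 99 is assumed as the UID of nobody.

```shell
# Added example: verify that a server started as root to bind a restricted port
# is running as the unprivileged server UID afterwards.

# privs_dropped STATUS_FILE EXPECTED_UID: succeed when every UID field of the
# "Uid:" line equals EXPECTED_UID and EXPECTED_UID is not 0.
privs_dropped() {
    expected=$2
    [ "$expected" != 0 ] || return 1
    # Uid: line holds real, effective, saved-set and filesystem UIDs in that order.
    uids=$(awk '$1 == "Uid:" { print $2, $3, $4, $5 }' "$1")
    [ -n "$uids" ] || return 1
    for u in $uids; do
        [ "$u" = "$expected" ] || return 1
    done
    return 0
}

# check_server_user PID USERNAME: live wrapper around privs_dropped.
check_server_user() {
    uid=$(id -u "$2") || return 1
    privs_dropped "/proc/$1/status" "$uid"
}

# Constructed /proc/PID/status fragments (not captured from a real host).
GOOD_STATUS=$(mktemp); BAD_STATUS=$(mktemp)
printf 'Name:\tns-slapd\nUid:\t99\t99\t99\t99\nGid:\t99\t99\t99\t99\n' > "$GOOD_STATUS"
# Only the effective UID was changed: the saved-set UID is still 0, so root can be regained.
printf 'Name:\tns-slapd\nUid:\t0\t99\t0\t99\nGid:\t99\t99\t99\t99\n' > "$BAD_STATUS"

privs_dropped "$GOOD_STATUS" 99 && echo "server fully dropped to UID 99"
privs_dropped "$BAD_STATUS" 99 || echo "WARNING: real or saved-set UID is still 0"
```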
2.3. Directory Manager
The Directory Server setup creates a special user called the Directory Manager. The Directory
Manager is a unique, powerful entry that is used to administer all user and configuration tasks.
The Directory Manager is a special entry that does not have to conform to a Directory Server
configured suffix; additionally, access controls, password policy, and database limits for size,
time, and lookthrough limits do not apply to the Directory Manager. There is no directory entry
for the Directory Manager user; it is used only for authentication. You cannot create an actual
Directory Server entry that uses the same DN as the Directory Manager DN.
The Directory Server setup process prompts for a distinguished name (DN) and a password for
the Directory Manager. The default value for the Directory Manager DN is cn=Directory
Manager. The Directory Manager password must contain at least 8 characters which must be
ASCII letters, digits, or symbols.
2.4. Directory Administrator
The Directory Server setup also creates an administrator user specifically for Directory Server
and Administration Server management, called the Directory Administrator. The Directory
Administrator is the "super user" that manages all Directory Server and Administration Server
instances through the Directory Server Console. Every Directory Server is configured to grant
this user administrative access.
There are important differences between the Directory Administrator and the Directory Manager:
• The administrator cannot create top level entries for a new suffix through an add operation,
either adding an entry in the Directory Server Console or using ldapadd, a tool provided with
OpenLDAP. Only the Directory Manager can add top-level entries by default. To allow other
users to add top-level entries, create entries with the appropriate access control statements in
an LDIF file, and perform an import or database initialization procedure using that LDIF file.
• Password policies do apply to the administrator, but you can set a user-specific password
policy for the administrator.
• Size, time, and lookthrough limits apply to the administrator, but you can set different
resource limits for this user.
The Directory Server setup process prompts for a username and a password for the Directory
Administrator. The default Directory Administrator username is admin. For security, the
Directory Administrator's password must not be the same as the Directory Manager's password.
2.5. Administration Server User
By default, the Administration Server runs as the same non-root user as the Directory Server.
Custom and silent setups provide the option to run the Administration Server as a different user
than the Directory Server.
The default Administration Server user is the same as the Directory Server user, which is
nobody. If the Administration Server is given a different UID, then that user must belong to the
group to which the Directory Server user is assigned.
2.6. Directory Suffix
The directory suffix is the first entry within the directory tree. At least one directory suffix must be
provided when the Directory Server is set up. The recommended directory suffix name matches
your organization's DNS domain name. For example, if the Directory Server hostname is
ldap.example.com, the directory suffix is dc=example,dc=com. The setup program constructs a
default suffix based on the DNS domain or from the fully-qualified host and domain name
provided during setup. This suffix naming convention is not required, but Red Hat strongly
recommends it.
2.7. Configuration Directory
The configuration directory is the main directory where configuration information — such as log
files, configuration files, and port numbers — is stored. These configuration data get stored in
the o=NetscapeRoot tree. A single Directory Server instance can be both the configuration
directory and the user directory.
If you install Directory Server for general directory services and there is more than one Directory
Server in your organization, you must determine which Directory Server instance will host the
configuration directory tree, o=NetscapeRoot. Make this decision before installing any compatible
Directory Server applications. The configuration directory is usually the first one you set up.
Since the main configuration directory generally experiences low traffic, you can permit its
server instances to coexist on any machine with a heavier-loaded Directory Server instance.
However, for large sites that deploy a large number of Directory Server instances, dedicate a
low-end machine for the configuration directory to improve performance. Directory Server
instances write to the configuration directory, and for larger sites, this write activity can create
performance issues for other directory service activities. The configuration directory can be
replicated to increase availability and reliability.
If the configuration directory tree gets corrupted, you may have to re-register or re-configure all
Directory Server instances. To prevent that, always back up the configuration directory after
setting up a new instance; never change a hostname or port number while active in the
configuration directory; and do not modify the configuration directory tree; only the setup
program can directly modify a configuration.
2.8. Administration Domain
The administration domain allows servers to be grouped together logically when splitting
administrative tasks. That level of organization is beneficial, for example, when different
divisions within an organization want individual control of their servers while system
administrators require centralized control of all servers.
When setting up the administration domain, consider the following:
• Each administration domain must have an administration domain owner with complete access
to all the domain servers but no access to the servers in other administration domains. The
administration domain owner may grant individual users administrative access on a
server-by-server basis within the domain.
• All servers must share the same configuration directory. The Configuration Directory
Administrator has complete access to all installed Directory Servers, regardless of the
domain.
• Servers on two different domains can use different user directories for authentication and user
management.
3. About the setup-ds-admin.pl Script
The Directory Server and Administration Server instances are created and configured through a
script called setup-ds-admin.pl. Running this script launches an interactive setup program with a
series of dialog screens, each with a yes/no prompt or a simple text input prompt. Each prompt has a
default answer in square brackets, such as the following:
Would you like to continue with setup? [yes]:
• Pressing Enter accepts the default answer and proceeds to the next dialog screen. Yes/No
prompts accept y for Yes and n for No.
• To go back to a previous dialog screen, type Control-B and press Enter. You can backtrack
all the way to the first screen.
• Two prompts ask for a password. After entering it the first time, confirm the password by
typing it in again. The password prompts do not echo the characters entered, so make sure to
type them correctly.
• When the setup-ds-admin.pl finishes, it generates a log file in the /tmp directory called
setupXXXXXX.log where XXXXXX is a series of random characters. This log file contains
all of the prompts and answers supplied to those prompts, except for passwords.
• Some options, such as -s (silent) and -f (file), allow you to supply values for the setup program
through a file. The .inf file (described in more detail in Section 3, “Silent Setup”) has three
sections for each of the major components of Directory Server: General (host server), slapd
(LDAP server), and admin (Administration Server). The parameters used in the .inf can be
passed directly in the command line. Command-line arguments with setup-ds-admin.pl
specify the .inf setup file section (General, slapd, or admin), parameter, and value in the
following form:
section.parameter=value
For example, to set the machine name, suffix, and Directory Server port of the new instance,
the command is as follows:
Passing arguments in the command line or specifying an .inf sets the defaults
used in the interactive prompt unless they are used with the -s (silent) option.
Argument values containing spaces or other shell special characters must be quoted to prevent
the shell from interpreting them. In the previous example, the suffix value has a space
character, so the entire parameter has to be quoted. If many of the parameters have to be
quoted or escaped, use an .inf file instead.
• An .inf file can be used in conjunction with command line parameters. Parameters set in the
command line override those specified in an .inf file, which is useful for creating an .inf file
to use to set up many Directory Servers. Many of the parameters can be the same, such as
ConfigDirectoryLdapURL, while ones specific to the host, such as FullMachineName, have to be
This command uses the common parameters specified in the common.inf file, but overrides
FullMachineName and ServerIdentifier with the command line arguments.
NOTE
The section names and parameter names used in the .inf files and on the
command line are case sensitive. Refer to Table 1.1, “setup-ds-admin Options”
to check the correct capitalization.
The .inf file has an additional option, ConfigFile, which imports the contents of any LDIF
file into the Directory Server. This is an extremely useful tool for preconfiguring users,
replication, and other directory management entries. For more information on using the
ConfigFile parameter to configure the Directory Server, see Section 3.4, “Using the
ConfigFile Parameter to Configure the Directory Server”.
--silent (alternate option: -s)
    Sets the setup script to run in silent mode, drawing the configuration information from a
    file (set with the --file parameter) or from arguments passed in the command line rather
    than interactively.
--file=name (alternate option: -f name)
    Sets the path and name of the file which contains the configuration settings for the new
    Directory Server instance. This can be used with the --silent parameter; if used alone, it
    sets the default values for the setup prompts.
    Example: /usr/sbin/setup-ds-admin.pl -f /export/sample.inf
--debug (alternate option: -d[dddd])
    Turns on debugging information. For the -d flag, increasing the number of d's increases
    the debug level.
--keepcache (alternate option: -k)
    Saves the temporary installation file, .inf, that is created when the setup script is run.
    This file can then be reused for a silent setup.
    WARNING
    The cache file contains the cleartext passwords supplied during setup. Use appropriate
    caution and protection with this file.
--logfile name (alternate option: -l)
    Specifies a log file to which to write the output. If this is not set, then the setup
    information is written to a temporary file. For no log file, set the file name to /dev/null.
    Example: -l /export/example2007.log
    Example: -l /dev/null
Table 1.1. setup-ds-admin Options
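As an added example (not part of the guide or of setup-ds-admin.pl itself), the shell functions below reproduce the .inf and command-line precedence described in Section 3 and the --keepcache warning: inf_get and effective resolve a parameter case sensitively, and merge_inf writes a host-specific .inf from a shared common.inf plus section.parameter=value overrides with mode 0600, because the file can contain cleartext passwords. ServerPort, RootDNPwd and the admin section's Port are real .inf parameter names not listed on this page; the common.inf content and the password placeholder are constructed.

```shell
# Added example: resolve and merge setup-ds-admin.pl parameters from an .inf
# file and section.parameter=value command line arguments.

# inf_get FILE SECTION PARAM: print the value of PARAM under [SECTION]; fail if absent.
# Names are compared exactly, so "general" does not match "[General]".
inf_get() {
    awk -v s="$2" -v p="$3" '
        /^[ \t]*[#;]/ { next }                                   # comment lines
        /^\[.*\]$/ { sec = substr($0, 2, length($0) - 2); next }
        sec == s && index($0, "=") {
            eq = index($0, "=")                                  # split at the first "="
            if (substr($0, 1, eq - 1) == p) { print substr($0, eq + 1); found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# effective FILE SECTION PARAM [section.param=value ...]: the value the setup program
# would use, i.e. a matching command line argument, otherwise the .inf value.
effective() {
    file=$1; sec=$2; par=$3; shift 3
    for arg in "$@"; do
        case $arg in
            "$sec.$par="*) printf '%s\n' "${arg#*=}"; return 0 ;;
        esac
    done
    inf_get "$file" "$sec" "$par"
}

# merge_inf COMMON OUT [section.param=value ...]: write COMMON to OUT with the overrides
# applied in place; parameters or sections missing from COMMON are appended.
merge_inf() {
    common=$1; out=$2; shift 2
    # Subshell so the restrictive umask does not leak into the caller's shell.
    (umask 077; awk '
        BEGIN {
            for (i = 2; i < ARGC; i++) {
                a = ARGV[i]; ARGV[i] = ""          # consume, so awk does not open it as a file
                eq = index(a, "="); key = substr(a, 1, eq - 1); val = substr(a, eq + 1)
                dot = index(key, "."); s = substr(key, 1, dot - 1)
                ov[s, substr(key, dot + 1)] = val; secs[s] = 1
            }
        }
        # Append the overrides for section s that were not applied to an existing line.
        function flush(s,   k, parts) {
            for (k in ov) if (!(k in done)) {
                split(k, parts, SUBSEP)
                if (parts[1] == s) { print parts[2] "=" ov[k]; done[k] = 1 }
            }
        }
        /^\[.*\]$/ {
            if (sec != "") flush(sec)
            sec = substr($0, 2, length($0) - 2); delete secs[sec]; print; next
        }
        sec != "" && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            if ((sec, k) in ov && !((sec, k) in done)) {
                print k "=" ov[sec, k]; done[sec, k] = 1; next
            }
        }
        { print }
        END {
            if (sec != "") flush(sec)
            for (s in secs) { print "[" s "]"; flush(s) }   # sections absent from COMMON
        }' "$common" "$@" > "$out")
}

# is_private FILE: succeed if FILE is readable and writable by its owner only.
is_private() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Constructed common.inf shared by several hosts (not from a real deployment).
COMMON=$(mktemp); MERGED=$(mktemp)
cat > "$COMMON" <<'EOF'
[General]
FullMachineName=ldap.example.com
SuiteSpotUserID=nobody
SuiteSpotGroup=nobody
ConfigDirectoryLdapURL=ldap://ldap.example.com:389/o=NetscapeRoot
[slapd]
ServerIdentifier=ldap
ServerPort=389
EOF

# Host-specific values win over common.inf; the password value is a constructed placeholder.
merge_inf "$COMMON" "$MERGED" General.FullMachineName=ldap2.example.com \
    slapd.ServerIdentifier=ldap2 slapd.RootDNPwd=PLACEHOLDER-CHANGE-ME admin.Port=9830
# setup-ds-admin.pl -s -f "$MERGED" would now create the instance non-interactively.
```

Delete the merged file once setup has finished, exactly as the guide advises for the --keepcache file.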
4. Overview of Setup
After the Directory Server packages are installed, there is a script, setup-ds-admin.pl, which
you run to configure the new Directory Server and Administration Server instance. This script
launches an interactive setup program. The setup program supplies default configuration values
which you can accept or replace with alternatives. There are three kinds of setup
modes, depending on what you select when you first launch the setup program:
• Express — The fastest setup mode. This requires minimal interaction and uses default values
for almost all settings. Because express installation does not offer the choice of selecting the
Directory Server server port number or the directory suffix, among other settings, Red Hat
recommends that you not use it for production deployments. Also, express setups can fail if
default configuration values are not available because there is no way to offer an alternative.
• Typical — The default and most common setup mode. This prompts you to supply more
detailed information about the directory service, like suffix and configuration directory
information, while still proceeding quickly through the setup process.
• Custom — The most detailed setup mode. This provides more control over Administration
Server settings and also allows data to be imported into the Directory Server at setup, so that
entries are already populated in the databases when the setup is complete.
The information requested with the setup process is described in Table 1.2, “Comparison of
Setup Types”.
There is a fourth setup option, silent setup, which uses a configuration file and command-line
options to supply the Directory Server settings automatically, so there is no user interaction
required. It is also possible to pass setup arguments with the script, as described in Section 3,
“About the setup-ds-admin.pl Script”. The possible .inf setup file parameters are listed and
described in Section 3.5, “About .inf File Parameters”.
NOTE
It is possible to use y and n with the yes and no inputs described in Section 3.5,
“About .inf File Parameters”.
Setup screen: Continue with setup
    Parameter input: Yes or no
    Silent setup file parameter: N/A
Setup screen: Accept license agreement
    Parameter input: Yes or no
    Silent setup file parameter: N/A
Setup screen: Accept dsktune output and continue with setup
    Parameter input: Yes or no
    Silent setup file parameter: N/A
Setup screen: Choose setup type
    Parameter input: 1 (express), 2 (typical), 3 (custom)
    Silent setup file parameter: N/A
Setup screen: Set the computer name
    Parameter input: ldap.example.com
    Silent setup file parameter: [General] FullMachineName=ldap.example.com
Setup screen: Set the user as which the Directory Server will run
    Parameter input: nobody (Sun and Red Hat Enterprise Linux) or daemon (HP-UX)
    Silent setup file parameter: [General] SuiteSpotUserID=nobody
Setup screen: Set the group as which the Directory Server will run
    Parameter input: nobody (Sun and Red Hat Enterprise Linux) or daemon (HP-UX)
    Silent setup file parameter: [General] SuiteSpotGroup=nobody
Setup screen: Register the new Directory Server with an existing Configuration Directory Server
    Parameter input: Yes or no
    Silent setup file parameter: N/A
a. This option is only available if you choose to register the Directory Server instance with a
Configuration Directory Server.
b. This option is only available if you choose not to register the Directory Server instance with a
Configuration Directory Server. In that case, the Directory Server being set up is created and
configured as a Configuration Directory Server.
Table 1.2. Comparison of Setup Types
Chapter 2. System Requirements
Before configuring the default Red Hat Directory Server 8.0 instances, it is important to verify
that the host server has the required system settings and configuration:
• The system must have the required packages, patches, and kernel parameter settings.
• DNS must be properly configured on the target system.
• The host server must have a static IP address.
This chapter covers the software and hardware requirements, operating system patches and
settings, and system configurations that are necessary for Directory Server to perform well. It
also includes information on a Directory Server tool, dsktune, which is useful in identifying
required patches and system settings for Directory Server.
NOTE
The requirements outlined in this chapter apply to production systems. For
evaluating or prototyping Directory Server, you may choose not to meet all of
these requirements.
1. Hardware Requirements
Red Hat recommends a minimum of 200 MB of disk space for a typical installation. Large test lab
environments can require 2 GB to support the complete deployment, including product binaries,
databases, and log files. Very large directories may require 4 GB and above.
Red Hat suggests 256 MB of RAM for average environments and 1 GB of RAM for large test lab
environments for increased performance.
Table 2.1, “Hardware Requirements” contains guidelines for Directory Server disk space and
memory requirements based on the number of entries that your organization requires. The
values shown here assume that the entries in the LDIF file are approximately 100 bytes each
and that only the recommended indices are configured.
10,000 - 250,000 entries
    Free disk space: 2 GB
    Free memory: 256 MB
250,000 - 1,000,000 entries
    Free disk space: 4 GB
    Free memory: 512 MB
1,000,000 + entries
    Free disk space: 8 GB
    Free memory: 1 GB
Table 2.1. Hardware Requirements
2. Operating System Requirements
Directory Server is supported on these operating systems: Red Hat Enterprise Linux 4 and 5
(x86 and x86_64), HP-UX 11i (IA 64), and Sun Solaris 9 (sparc 64-bit). The specific operating
system requirements and kernel settings, patches, and libraries are listed for each.
• Section 2.1, “Using dsktune”
• Section 2.2, “Red Hat Enterprise Linux 4 and 5”
• Section 2.3, “HP-UX 11i”
• Section 2.4, “Sun Solaris 9”
Along with meeting the required operating system patches and platforms, system settings, like
the number of file descriptors and TCP information, should be reconfigured to optimize the
Directory Server performance.
Directory Server includes a tool, dsktune, which simplifies configuring your system settings.
This section describes what settings to change on the machine on which Directory Server is
installed.
2.1. Using dsktune
After the packages for Directory Server are installed, there is a tool called dsktune which can scan
a system to check for required and installed patches, memory, system configuration, and other
settings required by Directory Server. The dsktune utility even returns information required for
tuning the host server's kernel parameters.
NOTE
The setup program also runs dsktune, reports the findings, and asks you if you
want to continue with the setup procedure every time a Directory Server instance
is configured.
Red Hat recommends running dsktune before beginning to set up the Directory Server
instances so that you can properly configure your kernel settings and install any missing
patches. On Red Hat Enterprise Linux and Solaris, the dsktune utility is in the /usr/bin
directory; on HP-UX, it is in /opt/dirsrv/bin. To run it, simply use the appropriate command:
/usr/bin/dsktune
Red Hat Directory Server system tuning analysis version 10-AUGUST-2007.
NOTICE : System is i686-unknown-linux2.6.9-34.EL (1 processor).
WARNING: 1011MB of physical memory is available on the system.
1024MB is recommended for best performance on large production system.
NOTICE : The net.ipv4.tcp_keepalive_time is set to 7200000 milliseconds
(120 minutes).This may cause temporary server congestion from lost
client connections.
WARNING: There are only 1024 file descriptors (hard limit) available, which
limit the number of simultaneous connections.
WARNING: There are only 1024 file descriptors (soft limit) available, which
limit the number of simultaneous connections.
NOTE
dsktune is run every time the Directory Server configuration script,
setup-ds-admin, is run.
2.2. Red Hat Enterprise Linux 4 and 5
Directory Server is supported on two versions of Red Hat Enterprise Linux:
• Red Hat Enterprise Linux 4 AS and ES on x86 and x86_64 platforms
• Red Hat Enterprise Linux 5 Server on x86 and x86_64 platforms
NOTE
Red Hat Directory Server is also supported running on a virtual guest on Red Hat
Enterprise Linux Virtualization Server 5.
Both Red Hat Enterprise Linux versions 4 and 5 on 32-bit and 64-bit platforms have the same
system requirements, as listed in Table 2.2, “Red Hat Enterprise Linux Operating System and
Hardware Requirements”. The patches required are listed in Section 2.2.1, “Red Hat Enterprise
Linux Patches”, and the recommended system configuration changes are described in
Section 2.2.2, “Red Hat Enterprise Linux System Configuration”.
Criteria           Requirements
Operating System   Red Hat Enterprise Linux 4 or 5 with the latest patches and upgrades
CPU Type           Pentium 3 or higher; 500MHz or higher
Memory/RAM         256 MB minimum
                   Up to the system limit (on 32 bit systems, typically 3 GB RAM or 4 GB RAM
                   with hugemem kernel) for large environments
Hard Disk          200 MB of disk space minimum for a typical deployment
                   2 GB minimum for larger environments
                   4 GB minimum for very large environments (more than a million entries)
Other              To run the Directory Server using port numbers less than 1024, such as the
                   default port 389, you must set up and start the Directory Server as root,
                   but it is not necessary to run the Directory Server as root.
Table 2.2. Red Hat Enterprise Linux Operating System and Hardware Requirements
2.2.1. Red Hat Enterprise Linux Patches
The default kernel and glibc versions for Red Hat Enterprise Linux 4 and 5 are the only required
versions for the Red Hat Directory Server host machine. If the machine has a single CPU, the
kernel package must be present in the form kernel-x.x.x.x. If the machine has multiple CPUs, the
kernel package must be present in the form kernel-smp-x.x.x.x. To list the packages installed
on the machine, run rpm -qa.
Run the dsktune utility to see if you need to install any other patches. dsktune helps verify
whether the appropriate patches are installed on the system and provides useful information for
tuning your kernel parameters for best performance. For information on dsktune, see
Section 2.1, “Using dsktune”.
Criteria             Requirements
Operating System     Red Hat Enterprise Linux 4 AS and ES (x86 and x86_64)
                     Red Hat Enterprise Linux 5 Server (x86 and x86_64)
Required Filesystem  ext3
Table 2.3. System Versions
2.2.2. Red Hat Enterprise Linux System Configuration
After verifying the system's kernel and glibc configuration and installing any required modules
and patches, fine-tune the Red Hat Enterprise Linux system to work with Directory Server. For
the best performance, configure the host server before configuring the Directory Server instance
by running the setup-ds-admin.pl script.
• Section 2.2.2.1, “Perl Prerequisites”
• Section 2.2.2.2, “File Descriptors”
• Section 2.2.2.3, “DNS Requirements”
2.2.2.1. Perl Prerequisites
For Red Hat Enterprise Linux systems, use the Perl version that is installed with the operating
system in /usr/bin/perl for both 32-bit and 64-bit versions of Red Hat Directory Server.
2.2.2.2. File Descriptors
Editing the number of file descriptors on the Linux system can help Directory Server access files
more efficiently. Editing the maximum number of file descriptors the kernel can allocate can also
improve file access speeds.
1. First, check the current limit for file descriptors:
cat /proc/sys/fs/file-max
2. If the setting is lower than 64000, edit the /etc/sysctl.conf file, and reset the fs.file-max
parameter:
fs.file-max = 64000
3. Then increase the maximum number of open files on the system by editing the
/etc/security/limits.conf configuration file. Add the following entry:
*               -       nofile          8192
4. Edit the /etc/pam.d/system-auth, and add this entry:
session required /lib/security/$ISA/pam_limits.so
5. Reboot the Linux machine to apply the changes.
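The following pre-flight check is an added example (not part of this guide and not dsktune itself) that verifies the two settings from the steps above: fs.file-max against 64000 and the wildcard nofile limits in a limits.conf-style file against 8192. It assumes numeric limit values and checks only the "*" domain entries; the file paths are parameters so it can be run against copies of the real files.

```shell
#!/bin/sh
# check_fd_settings FILE_MAX_PATH LIMITS_CONF
#   Reads the kernel fs.file-max value (normally /proc/sys/fs/file-max) and
#   the nofile limits from a limits.conf-style file (normally
#   /etc/security/limits.conf); prints dsktune-style findings and returns
#   the number of settings below the recommended thresholds.
# Added example; assumes numeric values and only "*" domain entries.

FILE_MAX_MIN=64000
NOFILE_MIN=8192

# Print "HARD SOFT" nofile limits for the "*" domain, ignoring comments.
# limits.conf fields are: domain type item value; type "-" sets both.
limits_nofile() {
  awk '$1 ~ /^#/ { next }
       $1 == "*" && $3 == "nofile" {
         if ($2 == "-" || $2 == "hard") hard = $4
         if ($2 == "-" || $2 == "soft") soft = $4
       }
       END { print hard + 0, soft + 0 }' "$1"
}

check_fd_settings() {
  file_max_path=$1
  limits_conf=$2
  problems=0

  file_max=$(cat "$file_max_path" 2>/dev/null)
  if [ "${file_max:-0}" -lt "$FILE_MAX_MIN" ]; then
    echo "WARNING: fs.file-max is ${file_max:-unset}; set fs.file-max = $FILE_MAX_MIN in /etc/sysctl.conf"
    problems=$((problems + 1))
  else
    echo "NOTICE : fs.file-max is $file_max"
  fi

  # A missing or unreadable limits file yields hard=0 soft=0, i.e. a warning.
  set -- $(limits_nofile "$limits_conf" 2>/dev/null)
  hard=${1:-0}
  soft=${2:-0}
  if [ "$hard" -lt "$NOFILE_MIN" ] || [ "$soft" -lt "$NOFILE_MIN" ]; then
    echo "WARNING: nofile limits are hard=$hard soft=$soft; add '* - nofile $NOFILE_MIN' to $limits_conf"
    problems=$((problems + 1))
  else
    echo "NOTICE : nofile limits are hard=$hard soft=$soft"
  fi
  return $problems
}

if [ $# -eq 2 ]; then check_fd_settings "$1" "$2"; fi
```

Run it as sh fdcheck.sh /proc/sys/fs/file-max /etc/security/limits.conf; a non-zero exit status is the number of settings that still need the changes from the steps above.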
2.2.2.3. DNS Requirements
It is very important that DNS and reverse DNS be working correctly on the host machine,
especially if you are using TLS/SSL or Kerberos with Directory Server.
Configure the DNS resolver and the NIS domain name by modifying the
/etc/resolv.conf, /etc/nsswitch.conf, and /etc/netconfig files, and set the DNS
resolver for name resolution.
Edit the /etc/defaultdomain file to include the NIS domain name. This ensures that the
fully-qualified host and domain names used for the Directory Server resolve to a valid IP
address and that the IP address resolves back to the correct hostname.
Reboot the Red Hat Enterprise Linux machine to apply these changes.
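The round trip the text requires (FQDN to address, address back to the same FQDN) can be checked before configuring the instance; the script below is an added example, not part of this guide. It resolves through getent hosts by default, and the lookup command is a parameter so the logic can also be exercised against a stub resolver.

```shell
#!/bin/sh
# check_fqdn_roundtrip NAME [LOOKUP]
#   LOOKUP is a command or shell function that prints "ADDRESS NAME..."
#   lines for a name or an address, in the style of `getent hosts`; it
#   defaults to getent_lookup below. Returns 0 only if NAME is fully
#   qualified, resolves to at least one address, and every such address
#   resolves back to NAME. Added example; getent_lookup is an assumption.

getent_lookup() { getent hosts "$1"; }

check_fqdn_roundtrip() {
  name=$1
  lookup=${2:-getent_lookup}
  case "$name" in
    *.*) ;;
    *) echo "FAIL: '$name' is not a fully-qualified host name"; return 1 ;;
  esac
  addrs=$("$lookup" "$name" | awk '{ print $1 }')
  if [ -z "$addrs" ]; then
    echo "FAIL: $name does not resolve to any address"
    return 1
  fi
  status=0
  for addr in $addrs; do
    # Reverse lookup: the original FQDN must be among the names returned
    # for the address (host names compare case-insensitively).
    if "$lookup" "$addr" | awk -v want="$name" '
         { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(want)) found = 1 }
         END { exit found ? 0 : 1 }'; then
      echo "OK  : $name -> $addr -> $name"
    else
      echo "FAIL: $addr does not resolve back to $name"
      status=1
    fi
  done
  return $status
}

if [ $# -ge 1 ]; then check_fqdn_roundtrip "$1"; fi
```

Run it as sh dnscheck.sh "$(hostname -f)" on the Directory Server host; both TLS/SSL certificate validation and Kerberos service principals depend on this check passing.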
2.3. HP-UX 11i
Directory Server runs on HP-UX version 11i only; earlier HP-UX versions are not supported.
Directory Server runs on a 64-bit HP-UX 11i environment as a 64-bit process.