Red Hat DIRECTORY SERVER 8.0 Installation Manual

Red Hat Directory

Server 8.0

Installation Guide

Ella Deon Lackey

Publication date: January 11, 2010 (Update)

Installation Guide

Red Hat Directory Server 8.0 Installation Guide

The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.

Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.

Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.

Linux® is the registered trademark of Linus Torvalds in the United States and other countries.

All other trademarks are the property of their respective owners.

1801 Varsity Drive Raleigh, NC 27606-2072 USA Phone: +1 919 754 3700 Phone: 888 733 4281 Fax: +1 919 754 3701 PO Box 13588 Research Triangle Park, NC 27709 USA

This manual provides a high-level overview of design and planning decisions you need to make before installing Directory Server, and describes the different installation methods that you can use.

iii

Preface v

1. Examples and Formatting ................................................................................................ v

2. Additional Reading ......................................................................................................... vii

3. Giving Feedback ............................................................................................................ vii

4. Document History ......................................................................................................... viii

1. Preparing for a Directory Server Installation 1

1.1. Directory Server Components ....................................................................................... 1

1.2. Considerations Before Setting up Directory Server ......................................................... 1

1.2.1. Port Numbers .................................................................................................... 1

1.2.2. Directory Server User and Group ....................................................................... 2

1.2.3. Directory Manager ............................................................................................. 3

1.2.4. Directory Administrator ....................................................................................... 3

1.2.5. Administration Server User ................................................................................ 4

1.2.6. Directory Suffix .................................................................................................. 4

1.2.7. Configuration Directory ...................................................................................... 4

1.2.8. Administration Domain ....................................................................................... 4

1.3. About the setup-ds-admin.pl Script ................................................................................ 5

1.4. Overview of Setup ........................................................................................................ 8

2. System Requirements 13

2.1. Hardware Requirements ............................................................................................. 13

2.2. Operating System Requirements ................................................................................. 13

2.2.1. Using dsktune ................................................................................................. 14

2.2.2. Red Hat Enterprise Linux 4 and 5 .................................................................... 15

2.2.3. HP-UX 11i ....................................................................................................... 17

2.2.4. Sun Solaris 9 .................................................................................................. 20

3. Setting up Red Hat Directory Server on Red Hat Enterprise Linux 25

3.1. Installing the JRE ....................................................................................................... 26

3.2. Installing the Directory Server Packages ...................................................................... 26

3.3. Express Setup ............................................................................................................ 28

3.4. Typical Setup ............................................................................................................. 30

3.5. Custom Setup ............................................................................................................ 33

4. Setting up Red Hat Directory Server on HP-UX 11i 39

4.1. Installing the JRE ....................................................................................................... 39

4.2. Installing the Directory Server Packages ...................................................................... 40

4.3. Express Setup ............................................................................................................ 40

4.4. Typical Setup ............................................................................................................. 43

4.5. Custom Setup ............................................................................................................ 46

5. Setting up Red Hat Directory Server on Sun Solaris 51

5.1. Installing the JRE ....................................................................................................... 51

5.2. Installing the Directory Server Packages ...................................................................... 52

5.2.1. Installing Individual Packages ........................................................................... 52

5.2.2. Installing from an ISO Image ............................................................................ 54

5.3. Express Setup ............................................................................................................ 54

5.4. Typical Setup ............................................................................................................. 57

5.5. Custom Setup ............................................................................................................ 60

6. Advanced Setup and Configuration 65

6.1. Working with Administration Server Instances .............................................................. 65

6.1.1. Configuring IP Authorization on the Administration Server .................................. 65

Installation Guide

6.1.2. Configuring Proxy Servers for the Administration Server ..................................... 66

6.2. Working with Directory Server Instances ...................................................................... 66

6.2.1. Creating a New Directory Server Instance ......................................................... 66

6.2.2. (Alternate) Installing Directory Server with setup-ds ............................................ 67

6.2.3. Registering an Existing Directory Server Instance with the Configuration

Directory Server ........................................................................................................ 67

6.2.4. Updating and Re-registering Directory Server Instances ..................................... 67

6.3. Silent Setup ............................................................................................................... 67

6.3.1. Silent Setup for Directory Server and Administration Server ................................ 68

6.3.2. Silent Directory Server Instance Creation .......................................................... 69

6.3.3. Sending Parameters in the Command Line ....................................................... 70

6.3.4. Using the ConfigFile Parameter to Configure the Directory Server ....................... 72

6.3.5. About .inf File Parameters ................................................................................ 73

6.4. Uninstalling Directory Server ....................................................................................... 79

6.4.1. Removing a Single Directory Server Instance .................................................... 79

6.4.2. Uninstalling Directory Server ............................................................................ 80

7. General Usage Information 83

7.1. Directory Server File Locations ................................................................................... 83

7.2. LDAP Tool Locations .................................................................................................. 84

7.3. Starting the Directory Server Console .......................................................................... 85

7.4. Getting the Administration Server Port Number ............................................................ 85

7.5. Starting and Stopping Servers ..................................................................................... 86

7.5.1. Starting and Stopping Directory Server ............................................................. 86

7.5.2. Starting and Stopping Administration Server ...................................................... 86

7.6. Resetting the Directory Manager Password .................................................................. 86

7.7. Troubleshooting .......................................................................................................... 87

7.7.1. Running dsktune .............................................................................................. 87

7.7.2. Common Installation Problems ......................................................................... 88

8. Migrating from Previous Versions 91

8.1. Migration Overview ..................................................................................................... 91

8.2. About migrate-ds-admin.pl .......................................................................................... 92

8.3. Before Migration ......................................................................................................... 95

8.3.1. Backing up the Directory Server Configuration ................................................... 95

8.3.2. Configuring the Directory Server Console .......................................................... 95

8.4. Migration Scenarios .................................................................................................... 96

8.4.1. Migrating a Server or Single Instance ............................................................... 96

8.4.2. Migrating Replicated Servers ............................................................................ 97

8.4.3. Migrating a Directory Server from One Machine to Another ................................. 99

8.4.4. Migrating a Directory Server from One Platform to Another ............................... 100

Glossary 103

Index 117

Preface

This installation guide describes the Red Hat Directory Server 8.0 installation process and the migration process. This manual provides detailed step-by-step procedures for all supported operating systems, along with explanations of the different setup options (express, typical, custom, and silent), additional options for Directory Server instance creation, migrating previous versions of Directory Server, and troubleshooting and basic usage.

IMPORTANT

Directory Server 8.0 provides a migration tool for upgrading or migrating from earlier Directory Server versions. If you already have a Directory Server deployment that is supported for migration, you must use the documented migration procedure to migrate your data and configuration to version 8.0. Chapter 8, Migrating from Previous Versions has for more information.

The Directory Server setup process requires information specific to the Directory Server instance being configured, information about the host names, port numbers, passwords, and IP addresses that will be used. The setup program attempts to determine reasonable default values for these settings based on your system environment. Read through this manual before beginning to configure the Directory Server to plan ahead what values to use.

TIP

If you are installing Directory Server for evaluation, use the express or typical setup mode. These processes are very fast, and can help get your directory service up and running quickly.

IMPORTANT

Red Hat Directory Server 8.0 introduces filesystem paths for configuration files, scripts, commands, and database files used with Directory Server which comply with Filesystem Hierarchy Standard (FHS). This file layout is very different than previous releases of Directory Server, which installed all of the files and directories in /opt/redhat-ds or /opt/netscape. If you encounter errors during the installation process, look at

Section 7.7, “Troubleshooting”. For more information on how the file layout has changed,

see Section 7.1, “Directory Server File Locations”.

The latest Directory Server release is available for your platform and operating system through Red

Hat Network (RHN) at http://rhn.redhat.com/.

1. Examples and Formatting

All of the examples for Red Hat Directory Server commands, file locations, and other usage are given for Red Hat Enterprise Linux 5 (32-bit) systems. Be certain to use the appropriate commands and files for your platform.

To start the Red Hat Directory Server:

Preface

service dirsv start

Example 1. Example Command

All of the tools for Red Hat Directory Server are located in the /usr/bin directory. These tools can be run from any location without specifying the tool location.

There is another important consideration with the Red Hat Directory Server tools. The LDAP tools referenced in this guide are Mozilla LDAP, installed with Red Hat Directory Server in the /usr/lib/ mozldap directory on Red Hat Enterprise Linux 5 (32-bit).

However, Red Hat Enterprise Linux systems also include LDAP tools from OpenLDAP in the /usr/ bin directory. It is possible to use the OpenLDAP commands as shown in the examples, but you must use the -x argument to disable SASL, which OpenLDAP tools use by default.

Certain words are represented in different fonts, styles, and weights. Different character formatting is used to indicate the function or purpose of the phrase being highlighted.

Formatting Style Purpose

Monospace font Monospace is used for commands, package names, files and

directory paths, and any text displayed in a prompt.

Monospace with a background

This type of formatting is used for anything entered or returned in a command prompt.

Italicized text Any text which is italicized is a variable, such as

instance_name or hostname. Occasionally, this is also used to

emphasize a new term or other phrase.

Bolded text Most phrases which are in bold are application names, such as

Cygwin, or are fields or options in a user interface, such as a User Name Here: field or Save button.

Other formatting styles draw attention to important text.

NOTE

A note provides additional information that can help illustrate the behavior of the system or provide more detail for a specific issue.

IMPORTANT

Important information is necessary, but possibly unexpected, such as a configuration change that will not persist after a reboot.

WARNING

A warning indicates potential data loss, as may happen when tuning hardware for maximum performance.

Additional Reading

vii

2. Additional Reading

The Directory Server Administrator's Guide describes how to set up, configure, and administer Red Hat Directory Server and its contents. The instructions for installing the various Directory Server components are contained in the Red Hat Directory Server Installation Guide. Many of the scripts and commands used to install and administer the Directory Server are explained in detail in the Red Hat Directory Server Configuration, Command, and File Reference.

The document set for Directory Server contains the following guides:

• Red Hat Directory Server Release Notes contain important information on new features, fixed bugs, known issues and workarounds, and other important deployment information for this specific version of Directory Server.

• Red Hat Directory Server Administrator's Guide contains procedures for the day-to-day maintenance of the directory service. Includes information on configuring server-side plug-ins.

• Red Hat Directory Server Configuration, Command, and File Reference provides reference information on the command-line scripts, configuration attributes, and log files shipped with Directory Server.

• Red Hat Directory Server Installation Guide contains procedures for installing your Directory Server as well as procedures for migrating from a previous installation of Directory Server.

For the latest information about Directory Server, including current release notes, complete product documentation, technical notes, and deployment information, see the Red Hat Directory Server documentation site at http://www.redhat.com/docs/manuals/dir-server/.

3. Giving Feedback

If there is any error in this Installation Guide or there is any way to improve the documentation, please let us know. Bugs can be filed against the documentation for Red Hat Directory Server through Bugzilla, http://bugzilla.redhat.com/bugzilla. Make the bug report as specific as possible, so we can be more effective in correcting any issues:

• Select the Red Hat Directory Server product.

• Set the component to Doc - installation-guide.

• Set the version number to 8.0.

• For errors, give the page number (for the PDF) or URL (for the HTML), and give a succinct description of the problem, such as incorrect procedure or typo.

For enhancements, put in what information needs to be added and why.

• Give a clear title for the bug. For example, "Incorrect command example for setup script options" is better than "Bad example".

We appreciate receiving any feedback — requests for new sections, corrections, improvements, enhancements, even new ways of delivering the documentation or new styles of docs. You are welcome to contact Red Hat Content Services directly at mailto:docs@redhat.com.

Preface

viii

4. Document History

Revision 8.0.5 January 11, 2010 Ella Deon Lackey

Adding [slapd] directives per Bugzilla #500475.

Revision 8.0.4 September 9, 2009 Ella Deon Lackey

Removing any references to the Directory Server Gateway or Org Chart.

Revision 8.0.3 November 4, 2008 Deon Lackey dlackey@redhat.com

Changing actualroot to actualsroot in migration chapter, per Bugzilla #467085. Changing some formatting and common content to work with Publican 0.37.

Revision 8.0.2 August 13, 2008 Ella Deon Lackey dlackey@redhat.com

Adding note box to highlight comment on Directory Server and Administration Server user/group membership, per Bugzilla #455620. Adding revision history and updated common content.

Revision 8.0.1 January 15, 2008 Ella Deon Lackey dlackey@redhat.com

Official release draft.

Revision

8.0.0-4

Thurs. Jan. 10, 2008 Ella Deon Lackey dlackey@redhat.com

Added note that Directory Server is supported as a virtual guest on Red Hat Enterprise Linux 5 Minor bug fixes and text edits from post-beta review

Revision

8.0.0-3

Wed. Oct 31, 2007 Ella Deon Lackey dlackey@redhat.com

Updated all content per engineering review Added sections on Administration Server ports and LDAP tool locations

Revision

8.0.0-2

Thurs. Oct 18, 2007 Ella Deon Lackey dlackey@redhat.com

Wrote content on silent install, uninstall, and other advanced configuration options Wrote content on general server information, like file locations, starting and stopping components, launching the console, and (edited) troubleshooting

Revision

8.0.0-1

Tues. Oct 16, 2007 Ella Deon Lackey dlackey@redhat.com

Cleaned up arrangement of chapters and major sections. Wrote express, typical, and custom setup section; install JRE section; and installing packages sections in chapters 3 (RHEL), 4 (HP-UX), and 5(Solaris)

Chapter 1.

Preparing for a Directory Server Installation

Before you install Red Hat Directory Server 8.0, there are required settings and information that you need to plan in advance. This chapter describes the kind of information that you should provide, relevant directory service concepts Directory Server components, and the impact and scope of integrating Directory Server into your computing infrastructure.

The information that is covered here and supplied during the Directory Server setup relates to the design of your directory tree (the hierarchical arrangement of your directory, including all major roots and branch points) and relates to your directory suffixes and databases. See the Directory Server Administrator's Guide for more information on suffixes and databases.

1.1. Directory Server Components

Directory Server 8.0 is comprised of several components, which work in tandem:

• The Directory Server is the core LDAP server daemon. It is compliant with LDAP v3 standards. This component includes command-line server management and administration programs and scripts for common operations like export and backing up databases.

• The Directory Server Console is the user interface that simplifies managing users, groups, and other LDAP data for your enterprise. The Console is used for all aspects of server management, including making backups; configuring security, replication, and databases; adding entries; and monitoring servers and viewing statistics.

• The Administration Server is the management agent which administers Directory Servers. It communicates with the Directory Server Console and performs operations on the Directory Server instances. It also provides a simple HTML interface and on-line help pages. There must be one Administration Server running on each machine which has a Directory Server instance running on it.

1.2. Considerations Before Setting up Directory Server

Depending on the type of setup that you perform, you will be asked to provide instance-specific information for both the Administration Server and Directory Server during the installation procedure, including port numbers, server names, and usernames and passwords for the Directory Manager and administrator. If you will have multiple Directory Server instances, then it is better to plan these configuration settings in advance so that the setup processes can run without conflict.

1.2.1. Port Numbers

The Directory Server setup requires two TCP/IP port numbers: one for the Directory Server and one for the Administration Server. These port numbers must be unique.

The Directory Server instance (LDAP) has a default port number of 389. The Administration Server port number has a default number of 9830. If the default port number for either server is in use, then the setup program randomly generates a port number larger than 1024 to use as the default. Alternatively, you can assign any port number between 1025 and 65535 for the Directory Server and Administration Server ports; you are not required to use the defaults or the randomly-generated ports.

Chapter 1. Preparing for a Directory Server Installation

NOTE

While the legal range of port numbers is 1 to 65535, the Internet Assigned Numbers Authority (IANA) has already assigned ports 1 to 1024 to common processes. Never assign a Directory Server port number below 1024 (except for 389/636 for the LDAP server) because this may conflict with other services.

For LDAPS (LDAP with TLS/SSL), the default port number is 636. The server can listen to both the LDAP and LDAPS port at the same time. However, the setup program will not allow you to configure TLS/SSL. To use LDAPS, assign the LDAP port number in the setup process, then reconfigure the Directory Server to use LDAPS port and the other TLS/SSL parameters afterward. For information on how to configure LDAPS, see the Directory Server Administrator's Guide.

The Administration Server runs on a web server, so it uses HTTP or HTTPS. However, unlike the Directory Server which can run on secure (LDAPS) and insecure (LDAP) ports at the same time, the Administration Server cannot run over both HTTP and HTTPS simultaneously. The setup program, setup-ds-admin.pl, does not allow you to configure the Administration Server to use TLS/SSL. To use TLS/SSL (meaning HTTPS) with the Administration Server, first set up the Administration Server to use HTTP, then reconfigure it to use HTTPS.

NOTE

When determining the port numbers you will use, verify that the specified port numbers are not already in use by running a command like netstat.

If you are using ports below 1024, such as the default LDAP port (389), you must run the setup program and start the servers as root. You do not, however, have to set the server user ID to root. When it starts, the server binds and listens to its port as root, then immediately drops its privileges and runs as the non-root server user ID. When the system restarts, the server is started as root by the initscript. The setuid(2) man page1 has detailed technical information.

Section 1.2.2, “Directory Server User and Group” has more information about the server user ID.

1.2.2. Directory Server User and Group

The setup process sets a user ID (UID) and group ID (GID) as which the servers will run. The default UID is a non-privileged (non-root) user, nobody on Red Hat Enterprise Linux and Solaris and daemon on HP-UX. Red Hat strongly recommends using this default value.

IMPORTANT

By default, the same UID is used for both the Directory Server and the Administration Server, which simplifies administration. If you choose a different UID for each server, those UIDs must both belong to the group assigned to Directory Server.

For security reasons, Red Hat strongly discourages you from setting the Directory Server or Administration Server user to root. If an attacker gains access to the server, he might be able to

http://grove.ufl.edu/cgi-bin/webman?SEARCH+man2+setuid.2.gz

Directory Manager

execute arbitrary system commands as the root user. Using a non-privileged UID adds another layer of security.

Listening to Restricted Ports as Unprivileged Users

Even though port numbers less than 1024 are restricted, the LDAP server can listen to port 389 (and any port number less than 1024), as long as the server is started by the root user or by init when the system starts up. The server first binds and listens to the restricted port as root, then immediately drops privileges to the non-root server UID. setuid(2) man page2 has detailed technical information.

Section 1.2.1, “Port Numbers” has more information on port numbers in Directory Server.

1.2.3. Directory Manager

The Directory Server setup creates a special user called the Directory Manager. The Directory Manager is a unique, powerful entry that is used to administer all user and configuration tasks. The Directory Manager is a special entry that does not have to conform to a Directory Server configured suffix; additionally, access controls. password policy, and database limits for size, time, and lookthrough limits do not apply to the Directory Manager. There is no directory entry for the Directory Manager user; it is used only for authentication. You cannot create an actual Directory Server entry that uses the same DN as the Directory Manager DN.

The Directory Server setup process prompts for a distinguished name (DN) and a password for the Directory Manager. The default value for the Directory Manager DN is cn=Directory Manager. The Directory Manager password must contain at least 8 characters which must be ASCII letters, digits, or symbols.

1.2.4. Directory Administrator

The Directory Server setup also creates an administrator user specifically for Directory Server and Administration Server server management, called the Directory Administrator. The Directory Administrator is the "super user" that manages all Directory Server and Administration Server instances through the Directory Server Console. Every Directory Server is configured to grant this user administrative access.

There are important differences between the Directory Administrator and the Directory Manager:

• The administrator cannot create top level entries for a new suffix through an add operation. either adding an entry in the Directory Server Console or using ldapadd, a tool provided with OpenLDAP. Only the Directory Manager can add top-level entries by default. To allow other users to add toplevel entries, create entries with the appropriate access control statements in an LDIF file, and perform an import or database initialization procedure using that LDIF file.

• Password policies do apply to the administrator, but you can set a user-specific password policy for the administrator.

• Size, time, and lookthrough limits apply to the administrator, but you can set different resource limits for this user.

The Directory Server setup process prompts for a username and a password for the Directory Administrator. The default Directory Administrator username is admin. For security, the Directory Administrator's password must not be the same as the Directory Manager's password.

http://grove.ufl.edu/cgi-bin/webman?SEARCH+man2+setuid.2.gz

Chapter 1. Preparing for a Directory Server Installation

1.2.5. Administration Server User

By default, the Administration Server runs as the same non-root user as the Directory Server. Custom and silent setups provide the option to run the Administration Server as a different user than the Directory Server.

IMPORTANT

The default Administration Server user is the same as the Directory Server user, which is nobody. If the Administration Server is given a different UID, then that user must belong to the group to which the Directory Server user is assigned.

1.2.6. Directory Suffix

The directory suffix is the first entry within the directory tree. At least one directory suffix must be provided when the Directory Server is set up. The recommended directory suffix name matches your organization's DNS domain name. For example, if the Directory Server hostname is ldap.example.com, the directory suffix is dc=example,dc=com. The setup program constructs a default suffix based on the DNS domain or from the fully-qualified host and domain name provided during setup. This suffix naming convention is not required, but Red Hat strongly recommends it.

1.2.7. Configuration Directory

The configuration directory is the main directory where configuration information — such as log files, configuration files, and port numbers — is stored. These configuration data get stored in the o=NetscapeRoot tree. A single Directory Server instance can be both the configuration directory and the user directory.

If you install Directory Server for general directory services and there is more than one Directory Server in your organization, you must determine which Directory Server instance will host the configuration directory tree, o=NetscapeRoot. Make this decision before installing any compatible Directory Server applications. The configuration directory is usually the first one you set up.

Since the main configuration directory generally experiences low traffic, you can permit its server instances to coexist on any machine with a heavier-loaded Directory Server instance. However, for large sites that deploy a large number of Directory Server instances, dedicate a low-end machine for the configuration directory to improve performance. Directory Server instances write to the configuration directory, and for larger sites, this write activity can create performance issues for other directory service activities. The configuration directory can be replicated to increase availability and reliability.

If the configuration directory tree gets corrupted, you may have to re-register or re-configure all Directory Server instances. To prevent that, always back up the configuration directory after setting up a new instance; never change a hostname or port number while active in the configuration directory; and do not modify the configuration directory tree; only the setup program can directly modify a configuration.

1.2.8. Administration Domain

The administration domain allows servers to be grouped together logically when splitting administrative tasks. That level of organization is beneficial, for example, when different divisions

About the setup-ds-admin.pl Script

within an organization want individual control of their servers while system administrators require centralized control of all servers.

When setting up the administration domain, consider the following:

• Each administration domain must have an administration domain owner with complete access to all the domain servers but no access to the servers in other administration domains. The administration domain owner may grant individual users administrative access on a server-by-server basis within the domain.

• All servers must share the same configuration directory. The Configuration Directory Administrator has complete access to all installed Directory Servers, regardless of the domain.

• Servers on two different domains can use different user directories for authentication and user management.

1.3. About the setup-ds-admin.pl Script

The Directory Server and Administration Server instances are created and configured through a script call setup-ds-admin.pl. Running this script launches an interactive setup program with a series of dialog screens with a yes/no prompt or a simple text input prompt. Each prompt has a default answer in square brackets, such as the following:

Would you like to continue with setup? [yes]:

• Pressing Enter accepts the default answer and proceeds to the next dialog screen. Yes/No prompts accept y for Yes and n for No.

• To go back to a previous dialog screen, type Control-B and press Enter. You can backtrack all the way to the first screen.

• Two prompts ask for a password. After entering it the first time, confirm the password by typing it in again. The password prompts do not echo the characters entered, so make sure to type them correctly.

• When the setup-ds-admin.pl finishes, it generates a log file in the /tmp directory called setupXXXXXX.log where XXXXXX is a series of random characters. This log file contains all of the prompts and answers supplied to those prompts, except for passwords.

• Some options, such as s (silent) and f (file) allow you to supply values for the setup program through a file. The .inf file (described in more detail in Section 6.3, “Silent Setup”) has three sections for each of the major components of Directory Server: General (host server), slapd (LDAP server), and admin (Administration Server). The parameters used in the .inf can be passed directly in the command line. Command-line arguments with setup-ds-admin.pl specify the .inf setup file section (General, slapd, or admin), parameter, and value in the following form:

section.parameter=value

For example, to set the machine name, suffix, and Directory Server port of the new instance, the command is as follows:

/usr/sbin/setup-ds-admin.pl General.FullMachineName=ldap.example.com

Chapter 1. Preparing for a Directory Server Installation

“slapd.Suffix=dc=example, dc=com” slapd.ServerPort=389

NOTE

Passing arguments in the command line or specifying an .inf sets the defaults used in the interactive prompt unless they are used with the s (silent) option.

Argument values containing spaces or other shell special characters must quoted to prevent the shell from interpreting them. In the previous example, the suffix value has a space character, so the entire parameter has to be quoted. If many of the parameters have to be quoted or escaped, use an .inf file instead.

• An .inf file can be used in conjunction with command line parameters. Parameters set in the command line override those specified in an .inf file, which is useful for creating an .inf file to use to set up many Directory Servers. Many of the parameters can be the same, such as ConfigDirectoryLdapURL, ones specific to the host, such as FullMachineName have to be unique. For example:

setup-ds-admin.pl -s -f common.inf General.FullMachineName=ldap37.example.com slapd.ServerIdentifier=ldap37

This command uses the common parameters specified in the common.inf file, but overrides FullMachineName and ServerIdentifier with the command line arguments.

NOTE

The section names and parameter names used in the .inf files and on the command line are case sensitive. Refer to Table 1.1, “setup-ds-admin Options” to check the correct capitalization.

The .inf file has an additional option, ConfigFile which imports the contents of any LDIF file into the Directory Server. This is an extremely useful tool for preconfiguring users, replication, and other directory management entries. For more information on using the ConfigFile parameter to configure the Directory Server, see Section 6.3.4, “Using the ConfigFile Parameter to Configure the

Directory Server”.

Option Alternate Options Description Example

--silent -s This sets that the setup script will run in silent mode, drawing the configuration information from a file (set with the --file parameter) or from arguments passed in the command line rather than interactively.

About the setup-ds-admin.pl Script

Option Alternate Options Description Example

--file=name -f name This sets the path and name of the file which contains the configuration settings for the new Directory Server instance. This can be used with the

--silent parameter; if used alone, it sets the default values for the setup prompts.

/usr/sbin/setup-dsadmin.pl -f /export/ sample.inf

--debug -d[dddd] This parameter turns on debugging information. For the

-d flag, increasing the number of d's increases the debug level.

--keepcache -k This saves the temporary installation file, .inf that is created when the setup script is run. This file can then be reused for a silent setup.

WARNING

The cache file contains the cleartext passwords supplied during setup. Use appropriate caution and protection with this file.

--logfile name -l This parameter specifies a log file to which to write the output. If this is not set, then the setup

-l /export/ example2007.log

Chapter 1. Preparing for a Directory Server Installation

Option Alternate Options Description Example

information is written to a temporary file.

For no log file, set the file name to /dev/ null:

-l /dev/null

--update -u This parameter updates existing Directory Server instances. If an installation is broken in some way, this option can be used to update or replace missing packages and then re-register all of the local instances with the Configuration Directory.

Table 1.1. setup-ds-admin Options

1.4. Overview of Setup

After the Directory Server packages are installed, there is a script, setup-ds-admin.pl, which you run to configure the new Directory Server and Administration Server instance. This script launches an interactive setup program. The setup program supplies default configuration values which you can accept them or substitute with alternatives. There are three kinds of setup modes, depending on what you select when you first launch the setup program:

• Express — The fastest setup mode. This requires minimal interaction and uses default values for almost all settings. Because express installation does not offer the choice of selecting the Directory Server server port number or the directory suffix, among other settings, Red Hat recommends that you not use it for production deployments. Also, express setups can fail if default configuration values are not available because there is no way to offer an alternative.

• Typical — The default and most common setup mode. This prompts you to supply more detailed information about the directory service, like suffix and configuration directory information, while still proceeding quickly through the setup process.

• Custom — The most detailed setup mode. This provides more control over Administration Server settings and also allows data to be imported into the Directory Server at setup, so that entries are already populated in the databases when the setup is complete.

The information requested with the setup process is described in Table 1.2, “Comparison of Setup

Types”.

There is a fourth setup option, silent setup, which uses a configuration file and command-line options to supply the Directory Server settings automatically, so there is no user interaction required. It is also possible to pass setup arguments with the script, as described in Section 1.3, “About the setup-ds-

admin.pl Script”. The possible .inf setup file parameters are listed and described in Section 6.3.5, “About .inf File Parameters”.

Overview of Setup

NOTE

It is possible to use y and n with the yes and no inputs described in Section 6.3.5,

“About .inf File Parameters”.

Setup Screen Parameter

Input

Express Typical Custom Silent Setup

File Parameter

Continue with setup

Yes or no N/A

Accept license agreement

Yes or no N/A

dsktune

output and continue with setup

Yes or no N/A

Choose setup type

• 1 (express)

• 2 (typical)

• 3 (custom)

N/A

Set the computer name

ldap.example.com [General]

FullMachineName= ldap.example.com

Set the user as which the Directory Server will run

nobody (Sun and Red Hat Enterprise Linux) or daemon (HPUX)

[General] SuiteSpotUserID= nobody

Set the group as which the Directory Server will run

nobody (Sun and Red Hat Enterprise Linux) or daemon (HPUX)

[General] SuiteSpotGroup= nobody

Yes or no N/A

Set the Configuration Directory Server URL

ldap:// ldap.example.com:389/ o=NetscapeRoot

[General] ConfigDirectoryLdapURL= ldap://

Chapter 1. Preparing for a Directory Server Installation

Setup Screen Parameter

Input

Express Typical Custom Silent Setup

File Parameter

ldap.example.com:389/ o=NetscapeRoot

Give the Configuration Directory Server user ID

admin [General]

ConfigDirectoryAdminID= admin

Give the Configuration Directory Server user password

password [General]

ConfigDirectoryAdminPwd=

password

Give the Configuration Directory Server administration domain

example.com [General]

AdminDomain= example.com

Give the path to the CA certificate (if using LDAPS)

/tmp/cacert.asc [General]

CACertificate=/ tmp/cacert.asc

Set the Configuration Directory Server Administrator username

admin

[General] ConfigDirectoryAdminID= admin

Set the Configuration Directory Server Administrator password

password

[General] ConfigDirectoryAdminPwd=

password

Set the Directory Server port

389 [slapd]

ServerPort= 389

Set the Directory Server identifier

ldap [slapd]

ServerIdentifier=

ldap

Set the Directory Server suffix

dc=domain, dc=component

[slapd] Suffix= dc=example,dc=com

Set the Directory Manager ID

cn=Directory Manager

[slapd]

Overview of Setup

Setup Screen Parameter

Input

Express Typical Custom Silent Setup

File Parameter

RootDN= cn=Directory Manager

Set the Directory Manager password

password [slapd]

RootDNPwd=

password

Install sample entries

Yes or no [slapd]

AddSampleEntries= Yes

Populate the Directory Server with entries

• Supply the full path and filename to an LDIF file

• Type suggest, which imports common container entries, such as

ou=People

• Type none, which does not import any data

• Equivalent to

suggest

[slapd] AddOrgEntries= Yes InstallLdifFile= suggest

• Equivalent to setting the path

[slapd] AddOrgEntries= Yes InstallLdifFile= / export/data.ldif

Set the Administration Server port

9830 [admin]

Port= 9830

Set the Administration Server IP address

blank (all interfaces)

[admin] ServerIpAddress=

111.11.11.11

Set user as which the Administration Server runs

nobody (on Red Hat Enterprise Linux and Solaris) or daemon (on HP-UX)

[admin] SysUser= nobody

Are you ready to configure your servers?

Yes or no N/A

This option is only available if you choose to register the Directory Server instance with a Configuration Directory Server.

Chapter 1. Preparing for a Directory Server Installation

This option is only available if you choose not to register the Directory Server instance with a Configuration Directory Server. In that case, the Directory Server being set up is created and configured as a Configuration Directory Server.

Table 1.2. Comparison of Setup Types

Chapter 2.

System Requirements

Before configuring the default Red Hat Directory Server 8.0 instances, it is important to verify that the host server has the required system settings and configuration:

• The system must have the required packages, patches, and kernel parameter settings.

• DNS must be properly configured on the target system.

• The host server must have a static IP address.

This chapter covers the software and hardware requirements, operating system patches and settings, and system configurations that are necessary for Directory Server to perform well. It also includes information on a Directory Server tool, dsktune, which is useful in identifying required patches and system settings for Directory Server.

NOTE

The requirements outlined in this chapter apply to production systems. For evaluating or prototyping Directory Server, you may choose not to meet all of these requirements.

2.1. Hardware Requirements

Red Hat recommends minimum of 200 MB of disk space for a typical installation. Large test lab environments can require 2 GB to support the complete deployment, including product binaries, databases, and log files. Very large directories may require 4 GB and above.

Red Hat suggests 256 MB of RAM for average environments and 1 GB of RAM for large test lab environments for increased performance.

Table 2.1, “Hardware Requirements” contains guidelines for Directory Server disk space and memory

requirements based upon on the number of entries that your organization requires. The values shown here assume that the entries in the LDIF file are approximately 100 bytes each and that only the recommended indices are configurable.

Number of Entries Disk Space/Required Memory

10,000 - 250,000 entries Free disk space: 2 GB

Free memory: 256 MB

250,000 - 1,000,000 entries Free disk space: 4 GB

Free memory: 512 MB

1,000,000 + entries Free disk space: 8 GB

Free memory: 1 GB

Table 2.1. Hardware Requirements

2.2. Operating System Requirements

Directory Server is supported on these operating systems: Red Hat Enterprise Linux 4 and 5 (x86 and x86_64), HP-UX 11i (IA 64), and Sun Solaris 9 (sparc 64-bit). The specific operating system requirements and kernel settings, patches, and libraries are listed for each.

• Section 2.2.1, “Using dsktune”

Chapter 2. System Requirements

• Section 2.2.2, “Red Hat Enterprise Linux 4 and 5”

• Section 2.2.3, “HP-UX 11i”

• Section 2.2.4, “Sun Solaris 9”

Along with meeting the required operating system patches and platforms, system settings, like the number of file descriptors and TCP information, should be reconfigured to optimize the Directory Server performance.

Directory Server includes a tool, dsktune, which simplifies configuring your system settings. This section describes what settings to change on the machine on which Directory Server is installed.

2.2.1. Using dsktune

After the packages for Directory Server are installed there is tool called dsktune which can scan a system to check for required and installed patches, memory, system configuration, and other settings required by Directory Server. The dsktune utility even returns information required for tuning the host server's kernel parameters.

NOTE

The setup program also runs dsktune, reports the findings, and asks you if you want to continue with the setup procedure every time a Directory Server instance is configured.

Red Hat recommends running dsktune before beginning to set up the Directory Server instances so that you can properly configure your kernel settings and install any missing patches. On Red Hat Enterprise Linux and Solaris, the dsktune utility is in the /usr/bin directory; on HP-UX, it is in /

opt/dirsrv/bin. To run it, simply use the appropriate command:

/usr/bin/dsktune

Red Hat Directory Server system tuning analysis version 10-AUGUST-2007.

NOTICE : System is i686-unknown-linux2.6.9-34.EL (1 processor).

WARNING: 1011MB of physical memory is available on the system. 1024MB is recommended for best performance on large production system.

NOTICE : The net.ipv4.tcp_keepalive_time is set to 7200000 milliseconds (120 minutes). This may cause temporary server congestion from lost client connections.

WARNING: There are only 1024 file descriptors (hard limit) available, which limit the number of simultaneous connections.

WARNING: There are only 1024 file descriptors (soft limit) available, which limit the number of simultaneous connections.

NOTE

dsktune is run every time the Directory Server configuration script, setup-ds-admin, is run.

Red Hat Enterprise Linux 4 and 5

2.2.2. Red Hat Enterprise Linux 4 and 5

Directory Server is supported on two versions of Red Hat Enterprise Linux:

• Red Hat Enterprise Linux 4 AS and ES on x86 and x86_64 platforms

• Red Hat Enterprise Linux 5 Server on x86 and x86_64 platforms

NOTE

Red Hat Directory Server is also supported running on a virtual guest on a Red Hat Enterprise Linux 5 virtual server.

Both Red Hat Enterprise Linux versions 4 and 5 on 32-bit and 64-bit platforms have the same system requirements, as listed in Table 2.2, “Red Hat Enterprise Linux Operating System and Hardware

Requirements”. The patches required are listed in Section 2.2.2.1, “Red Hat Enterprise Linux Patches”, and the recommended system configuration changes are described in Section 2.2.2.2, “Red Hat Enterprise Linux System Configuration”.

Criteria Requirements

Operating System Red Hat Enterprise Linux 4 or 5 with the latest

patches and upgrades

CPU Type Pentium 3 or higher; 500MHz or higher

Memory/RAM 256 MB minimum

Up to the system limit (on 32 bit systems, typically 3 GB RAM or 4 GB RAM with hugemem kernel) for large environments

Hard Disk 200 MB of disk space minimum for a typical

deployment 2 GB minimum for larger environments 4 GB minimum for very large environments (more than a million entries)

Other To run the Directory Server using port numbers

less than 1024, such as the default port 389, you must setup and start the Directory Server as root, but it is not necessary to run the Directory Server as root.

Table 2.2. Red Hat Enterprise Linux Operating System and Hardware Requirements

2.2.2.1. Red Hat Enterprise Linux Patches

The default kernel and glibc versions for Red Hat Enterprise Linux 4 and 5 are the only required versions for the Red Hat Directory Server host machine. If the machine has a single CPU, the kernel must be presented in the form kernel-x.x.x.x. If the machine has multiple CPUs, the kernel must be presented the form kernel-smp-x.x.x.x. To determine the components running on the machine, run rpm -qa.

Run the dsktune utility to see if you need to install any other patches. dsktune helps verify whether the appropriate patches are installed on the system and provides useful information for tuning your

Chapter 2. System Requirements

kernel parameters for best performance. For information on dsktune, see Section 2.2.1, “Using

dsktune”.

Criteria Requirements

Operating System Red Hat Enterprise Linux 4 AS and ES (x86 and

x86_64) Red Hat Enterprise Linux 5 Server (x86 and x86_64)

Required Filesystem ext3

Table 2.3. System Versions

2.2.2.2. Red Hat Enterprise Linux System Configuration

After verifying the system's kernel and glibc configuration and installing any required modules and patches, fine-tune the Red Hat Enterprise Linux system to work with Directory Server. For the best performance, configure the host server before configuring the Directory Server instance by running the setup-ds-admin.pl script.

• Section 2.2.2.2.1, “Perl Prerequisites”

• Section 2.2.2.2.2, “File Descriptors”

• Section 2.2.2.2.3, “DNS Requirements”

2.2.2.2.1. Perl Prerequisites

For Red Hat Enterprise Linux systems, use the Perl version that is installed with the operating system in /usr/bin/perl for both 32-bit and 64-bit versions of Red Hat Directory Server.

2.2.2.2.2. File Descriptors

Editing the number of file descriptors on the Linux system can help Directory Server access files more efficiently. Editing the maximum number of file descriptors the kernel can allocate can also improve file access speeds.

1. First, check the current limit for file descriptors:

cat /proc/sys/fs/file-max

2. If the setting is lower than 64000, edit the /etc/sysctl.conf file, and reset the fs.file-max

parameter:

fs.file-max = 64000

3. Then increase the maximum number of open files on the system by editing the /etc/security/ limits.conf configuration file. Add the following entry:

HP-UX 11i

* - nofile 8192

4. Edit the /etc/pam.d/system-auth, and add this entry:

session required /lib/security/$ISA/pam_limits.so

5. Reboot the Linux machine to apply the changes.

2.2.2.2.3. DNS Requirements

It is very important that DNS and reverse DNS be working correctly on the host machine, especially if you are using TLS/SSL or Kerberos with Directory Server.

Configure the DNS resolver and the NIS domain name by the modifying the /etc/resolv.conf, / etc/nsswitch.conf, and /etc/netconfig files, and set the DNS resolver for name resolution.

Edit the /etc/defaultdomain file to include the NIS domain name. This ensures that the fullyqualified host and domain names used for the Directory Server resolve to a valid IP address and that that IP address resolves back to the correct hostname.

Reboot the Red Hat Enterprise Linux machine to apply these changes.

2.2.3. HP-UX 11i

Directory Server runs on HP-UX version 11i only; earlier HP-UX versions are not supported. Directory Server runs on a 64-bit HP-UX 11i environment as a 64-bit process.

Table 2.4, “HP-UX 11i” lists the hardware requirements. Section 2.2.3.1, “HP-UX Patches” lists the

required patches, and the recommended system configurations are in Section 2.2.3.2, “HP-UX System

Configuration”.

Criteria Requirements

Operating System HP-UX 11i with the latest patches and upgrades

CPU Type HP 9000 architecture with an Itanium CPU

Memory/RAM 256 MB minimum

1 GB RAM for large environments

Hard Disk 300 MB of disk space minimum for a typical

deployment 2 GB minimum for larger environments 4 GB minimum for very large environments (more than a million entries)

You must use the largefile command to configure database files larger than 2 GB.

Other To run the Directory Server using port numbers

less than 1024, such as the default port 389, you must setup and start the Directory Server as root, but it is not necessary to run the Directory Server as root.

Table 2.4. HP-UX 11i

Chapter 2. System Requirements

2.2.3.1. HP-UX Patches

The HP-UX 11i host must have the correct packages and dependencies installed to run Directory Server. The patch list changes daily, so check the HP site regularly to ensure you have the latest releases:

• http://www.software.hp.com/SUPPORT_PLUS/qpk.html

• http://welcome.hp.com/country/us/eng/support.htm

The first package to install is the PHSS_30966: ld(1) and linker tools cumulative patch. The other required patches are listed in Table 2.5, “HP-UX 11i Patches”. Run the dsktune utility to see if you need to install any other patches. dsktune helps verify whether the appropriate patches are installed on the system and provides useful information for tuning your kernel parameters for best performance. For information on dsktune, see Section 2.2.1, “Using dsktune”.

Criteria Requirements

GOLDAPPS11i B.11.11.0406.5 Gold Applications Patches for

HP-UX 11i v1, June 2004

GOLDBASE11i B.11.11.0406.5 Gold Base Patches for HP-UX 11i

v1, June 2004

GOLDQPK11i HP-UX 11i Quality Pack patch from June 2004 or

later

Table 2.5. HP-UX 11i Patches

2.2.3.2. HP-UX System Configuration

Before setting up Directory Server, tune your HP-UX system so Directory Server can access the respective kernel parameters. To tune HP-UX systems, enable large file support, set the TIME_WAIT value, and modify kernel parameters.

• Section 2.2.3.2.1, “Perl Prerequisites”

• Table 2.6, “HP-UX 11i Kernel Parameters”

• Section 2.2.3.2.3, “TIME_WAIT Setting”

• Section 2.2.3.2.4, “Large File Support”

• Section 2.2.3.2.5, “DNS Requirements”

2.2.3.2.1. Perl Prerequisites

On HP-UX, Red Hat Directory Server uses the Perl version installed with the operating system in / opt/perl_64/bin/perl. Contact Hewlett-Packard support if this Perl version is not installed.

2.2.3.2.2. Kernel Parameters

The parameters to edit and the recommended values are listed in Table 2.6, “HP-UX 11i Kernel

Parameters”.

Parameter Setting

maxfiles 1024

HP-UX 11i

Parameter Setting

nkthread 1328

max_thread_proc 512

maxuser 64

maxuprc 512

nproc 750

Table 2.6. HP-UX 11i Kernel Parameters

2.2.3.2.3. TIME_WAIT Setting

Normally, client applications that shut down correctly cause the socket to linger in a TIME_WAIT state. Verify that the TIME_WAIT entry is set to a reasonable duration. For example:

ndd -set /dev/tcp tcp_time_wait_interval 60000

This limits the socket TIME_WAIT state to 60 seconds.

2.2.3.2.4. Large File Support

To run Directory Server on HP-UX, you must enable large file support.

1. Unmount the filesystem using the umount command.

umount /export

2. Create the large filesystem.

fsadm -F vxfs -o largefiles /dev/vg01/rexport

3. Remount the filesystem.

/usr/sbin/mount -F vxfs -o largefiles /dev/vg01/export

2.2.3.2.5. DNS Requirements

It is very important that DNS and reverse DNS be working correctly on the host machine, especially if you are using TLS/SSL or Kerberos with Directory Server.

Configure the DNS resolver and the NIS domain name by the modifying the /etc/resolv.conf, / etc/nsswitch.conf, and /etc/netconfig files, and set the DNS resolver for name resolution.

Then, reboot the HP-UX machine to apply these changes.

Chapter 2. System Requirements

2.2.4. Sun Solaris 9

Directory Server on Solaris 9 requires an UltraSPARC (SPARC v9) processor, which 64-bit applications as well as high-performance and multi-processor systems. Earlier SPARC processors are not supported. Use the isainfo command to verify that the system has support for sparc9. Verify the system's kernel configuration, install the appropriate modules and patches, and then fine-tune the system to work with Sun Solaris 9.

The system requirements are listed in Table 2.7, “Sun Solaris sparcv9”. The required patches are listed in Section 2.2.4.1, “Solaris Patches”, and the recommended configuration changes are described in Section 2.2.4.2, “Solaris System Configuration”.

Criteria Requirements

Operating System Solaris 9 with the latest patches and upgrades

CPU Type UltraSparc-IIi SPARC v9 300MHz or faster (64-

bit)

Memory/RAM 256 MB minimum

1 GB RAM for large environments

Hard Disk 200 MB of disk space minimum for a typical

deployment 2 GB minimum for larger environments 4 GB minimum for very large environments (more than a million entries)

You must use the largefile command to configure database files larger than 2 GB.

Other To run the Directory Server using port numbers

less than 1024, such as the default port 389, you must setup and start the Directory Server as root, but it is not necessary to run the Directory Server as root.

Table 2.7. Sun Solaris sparcv9

2.2.4.1. Solaris Patches

The patches required to run the Directory Server on Solaris 9 are listed in Table 2.8, “Sun Solaris

Patches”. Run the dsktune utility to see if you need to install any other patches. dsktune helps

verify whether the appropriate patches are installed on the system and provides useful information for tuning your kernel parameters for best performance. For information on dsktune, see Section 2.2.1,

“Using dsktune”.

Patch ID Description

112998-03 SunOS 5.9: patch /usr/sbin/syslogd

112875-01 SunOS 5.9: patch /usr/lib/netsvc/rwall/rpc.rwalld

113146-04 SunOS 5.9: Apache Security Patch

113068-05 SunOS 5.9: hpc3130 patch

112963-14 SunOS 5.9: linker patch

113273-08 SunOS 5.9: /usr/lib/ssh/sshd patch

Sun Solaris 9

Patch ID Description

112233-12 SunOS 5.9: Kernel patch

112964-08 SunOS 5.9: /usr/bin/ksh patch

112808 CDE1.5: Tooltalk patch

113279-01 SunOS 5.9: klmmod patch

113278-07 SunOS 5.9: NFS Daemon patch

113023 SunOS 5.9: Broken preremove scripts from S9

ALC packages

112601-09 SunOS 5.9: PGX32 Graphics

113923-02 X11 6.6.1: security font server patch

112817-18 SunOS 5.9: Sun Gigaswift Ethernet 1.0 driver

patch

113718-02 SunOS 5.9: usr/lib/utmp_udate patch

114135-01 SunOS 5.9: at utility patch

112834-04 SunOS 5.9: patch scsi

112907-03 SunOS 5.9: libgss patch

113319 SunOS 5.9: libnsl nispasswd

112785-43 SunOS 5.9: Xsun patch

112970-07 SunOS 5.9: patch libresolv

112951-09 SunOS 5.9: patchadd and patchrm patch

113277-24 SunOS 5.9: st, sd, and ssd patch

113579-06 SunOS 5.9: ypserv/ypxfrd patch

112908-14 SunOS 5.9: krb5 shared object patch

113073-14 SunOS 5.9: ufs and fsck patch

Table 2.8. Sun Solaris Patches

2.2.4.2. Solaris System Configuration

After installing any required patches or modules, tune the Solaris system to work with Directory Server. There are three areas that may need modified for optimum Directory Server performance: the TCP service, DNS/NIS service, and the file descriptors.

• Section 2.2.4.2.1, “Perl Prerequisites”

• Section 2.2.4.2.2, “TCP Tuning”

• Section 2.2.4.2.3, “DNS and NIS Requirements”

• Section 2.2.4.2.4, “File Descriptors”

2.2.4.2.1. Perl Prerequisites

On Solaris systems, Red Hat Directory Server is installed with a Perl package, RHATperlx, that must be used. This package contains a 64-bit version of Perl 5.8. It is not possible to use the Perl version installed in /usr/bin/perl on Solaris because it is 32 bit and will not work with Directory Server's 64-bit components.

Chapter 2. System Requirements

2.2.4.2.2. TCP Tuning

Edit the Solaris TCP configuration Directory Server can access local system ports better. If tuned properly, this may enhance network connection speeds. The maximum achievable throughput for a single TCP connection is determined by several factors, including the maximum bandwidth on the slowest link on the path, bit errors that limit connections, and the total round-trip time.

The configuration that must be edited is in the /dev/tcp directory. Reset the following parameters:

• tcp_time_wait_interval determines the time (in milliseconds) that a TCP connection remains

in a kernel's table after being closed. If its value is above 30000 (or 30 seconds) and the directory is being used in a LAN, MAN, or other network connection, reduce the value by modifying the /etc/ init.d/inetinit file:

ndd -set /dev/tcp tcp_time_wait_interval 30000

• The tcp_conn_req_max_q0 and tcp_conn_req_max_q parameters control the connection's

maximum backlog that gets accepted by the kernel. If a directory is used by a large number of client hosts simultaneously, increase these values by at least 1024. Edit the /etc/init.d/inetinit file:

ndd -set /dev/tcp tcp_conn_req_max_q0 1024 ndd -set /dev/tcp tcp_conn_req_max_q 1024

• The tcp_keepalive_interval setting determines the duration (in seconds) between the

keepalive packets sent for each open TCP connection. Edit this setting to remove client

connections that disconnect from the network.

• Check the tcp_rexmit_interval_initial parameter value for server maintenance testing on

a high speed LAN, MAN, or other network connection. For wide area networks, you do not have to change the tcp_rexmit_interval_initial value.

• The tcp_smallest_anon_port setting determines the number of simultaneous server

connections. If you increase the rlim_fd_max value to over 4096, you must decrease the tcp_smallest_anon_port value in the /etc/init.d/inetinit file.

ndd -set /dev/tcp tcp_smallest_anon_port 8192

• Reboot the Solaris machine to apply these changes.

2.2.4.2.3. DNS and NIS Requirements

It is very important that DNS and reverse DNS be working correctly on the host machine, especially if you are using TLS/SSL or Kerberos with Directory Server.

Configure the DNS resolver and the NIS domain name by the modifying the /etc/resolv.conf, / etc/nsswitch.conf, and /etc/netconfig files, and set the DNS resolver for name resolution.

+ 98 hidden pages

Red Hat DIRECTORY SERVER 8.0 Installation Manual

Specifications and Main Features

Frequently Asked Questions

User Manual