Note: For the most up-to-date OUD/ODSM information click here.
Note: If you have issues with the Directory Server Control Center (DSCC) and need to re-initialize it, click here.
Contents
- 1 Directory Server Control Center certificates
- 2 Directory Proxy configuration
- 3 Proxy Server configuration tuning and changes
- 3.1 Heap Memory tuning (restart required)
- 3.2 Directory Proxy configuration
- 3.3 Setup the Directory Proxy destinations
- 3.4 Setup the Directory Proxy LDAP Pools
- 3.5 Assign the pools to destinations
- 3.6 Setup your LDAP views
- 3.7 Enable the data sources
- 3.8 Disable Non secure data source (if not used)
- 3.9 Set the Directory Proxy weight
- 4 Directory Proxy native LDAP tuning
- 5 Setup Solaris (SMF) services and Auto restart
- 6 Problems and resolutions when doing directory proxy configuration
- 7 Enable all LDAP controls to pass Directory Proxy
- 8 Disabling or limit Anonymous access
- 9 Re initialize the Directory Server Control Center(DSCC)
- 10 Troubleshooting a hung Directory Proxy
- 11 Setup Directory and Proxy Server Monitoring
- 12 References are available here
Directory Server Control Center certificates
Make sure to set up the Directory Server Control Center certificates.
For the steps to configure the DSCC certificates click here (this is needed for DSCC replication).
Before you begin
Make sure your storage is set up with the correct block size; check Directory Server Databases and Usage of db_stat first.
Another place to look for file system tuning is Filesystem Cache Optimization Strategies.
Directory Proxy configuration
Create a Directory Proxy instance (LDAP on 389, LDAPS on 636; the Proxy Manager password is read from pwfile)
dpadm create -p 389 -P 636 -D "cn=Proxy Manager" -w pwfile /data1/ldaproxy
Start the Directory Proxy instance
dpadm start /data1/ldaproxy
Generate a certificate request for the proxy and have it signed by your own CA
dpadm request-cert /data1/ldaproxy ldaproxy1
Install your CA certificate
dpadm add-cert /data1/ldaproxy my-ca /tmp/ca.cert
Install the signed server certificate
dpadm add-cert /data1/ldaproxy ldaproxy1-cert /tmp/new.cert
At this point the proxy instance has a working server certificate signed by our own CA, with that CA certificate installed alongside it. Check with dpadm list-certs /data1/ldaproxy that both aliases are present, and make sure the proxy is actually using the new alias (the ssl-server-cert-alias server property) rather than the self-signed defaultCert the instance was created with.
To export the proxy's certificate in ASCII (PEM) form run the command below. Without an alias argument it prints the server certificate; pass the alias (for example my-ca) to export a specific one.
This certificate is needed by the load balancer (NetScaler) to be able to connect to the Directory Proxies over LDAPS.
dpadm show-cert -F ascii /data1/ldaproxy
Proxy Server configuration tuning and changes
Heap Memory tuning (restart required)
Change the proxy JVM to use 2048M of heap (the default is 256M). These flags target the JDK 1.5 the proxy runs on here (PermSize, ParNew/CMS, MaxLiveObjectEvacuationRatio); check them against the JDK your instance actually starts with, because an unknown flag can stop the JVM from starting.
dpadm set-flags /data1/ldaproxy jvm-args="-Xmx2048M -Xms2048M -XX:NewRatio=1 -XX:+PrintGCDetails -Xloggc:/var/java/java-gc.log -XX:NewSize=1024M -XX:MaxNewSize=1024M -XX:PermSize=128M -XX:MaxPermSize=128M -XX:SurvivorRatio=32 -XX:MaxLiveObjectEvacuationRatio=15 -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:+PrintGCTimeStamps -Dsun.security.pkcs11.enable-solaris=false"
Verify the change:
dpadm get-flags /data1/ldaproxy
Restart for the change to take effect:
dpadm restart /data1/ldaproxy
After the restart, confirm the flags are really in effect with jmap -heap (see section 10): the jmap snapshot on this page still shows Parallel GC and a 2.75MB NewSize, which means these jvm-args were not active on that JVM.
Directory Proxy configuration
Setup the Directory Proxy destinations
Create a password file (used by the whole configuration) and set up the destinations. The -i flag makes dpconf non-interactive and -w reads the Proxy Manager password from the file, so give the file mode 600 and delete it when the configuration is finished rather than leaving the password world-readable in /tmp.
echo 'password'>/tmp/pw
On ldaproxy1:
dpconf create-ldap-data-source -i -h ldaproxy1.domain.com -P 636 -w /tmp/pw "ldap1-389" ldap1.domain.com:389
dpconf create-ldap-data-source -i -h ldaproxy1.domain.com -P 636 -w /tmp/pw "ldap1-636" ldap1.domain.com:636
dpconf create-ldap-data-source -i -h ldaproxy1.domain.com -P 636 -w /tmp/pw "ldap2-389" ldap2.domain.com:389
dpconf create-ldap-data-source -i -h ldaproxy1.domain.com -P 636 -w /tmp/pw "ldap2-636" ldap2.domain.com:636
On ldaproxy2:
dpconf create-ldap-data-source -i -h ldaproxy2.domain.com -P 636 -w /tmp/pw "ldap1-389" ldap1.domain.com:389
dpconf create-ldap-data-source -i -h ldaproxy2.domain.com -P 636 -w /tmp/pw "ldap1-636" ldap1.domain.com:636
dpconf create-ldap-data-source -i -h ldaproxy2.domain.com -P 636 -w /tmp/pw "ldap2-389" ldap2.domain.com:389
dpconf create-ldap-data-source -i -h ldaproxy2.domain.com -P 636 -w /tmp/pw "ldap2-636" ldap2.domain.com:636
Setup the Directory Proxy LDAP Pools
On ldaproxy1:
dpconf create-ldap-data-source-pool -i -h ldaproxy1.domain.com -P 636 -w /tmp/pw "DataSource-Pool"
On ldaproxy2:
dpconf create-ldap-data-source-pool -i -h ldaproxy2.domain.com -P 636 -w /tmp/pw "DataSource-Pool"
Assign the pools to destinations
Attach the LDAP data sources to the pool.
On ldaproxy1, for both secure and non-secure data sources run:
dpconf attach-ldap-data-source -i -h ldaproxy1.domain.com -P 636 -w /tmp/pw "DataSource-Pool" "ldap1-389" "ldap1-636" "ldap2-389" "ldap2-636"
Note: For secure-only (LDAPS) data sources run instead:
dpconf attach-ldap-data-source -i -h ldaproxy1.domain.com -P 636 -w /tmp/pw "DataSource-Pool" "ldap1-636" "ldap2-636"
On ldaproxy2, for both secure and non-secure data sources run:
dpconf attach-ldap-data-source -i -h ldaproxy2.domain.com -P 636 -w /tmp/pw "DataSource-Pool" "ldap1-389" "ldap1-636" "ldap2-389" "ldap2-636"
Note: For secure-only (LDAPS) data sources run instead:
dpconf attach-ldap-data-source -i -h ldaproxy2.domain.com -P 636 -w /tmp/pw "DataSource-Pool" "ldap1-636" "ldap2-636"
Setup your LDAP views
Create your LDAP data views and assign the pool they use
On ldaproxy1:
dpconf create-ldap-data-view -i -h ldaproxy1.domain.com -P 636 -w /tmp/pw "View" "DataSource-Pool" dc=domain,dc=com
On ldaproxy2:
dpconf create-ldap-data-view -i -h ldaproxy2.domain.com -P 636 -w /tmp/pw "View" "DataSource-Pool" dc=domain,dc=com
Enable the data sources
Finally the data sources must be enabled and the proxy restarted for the LDAP connection pools to work. Data sources are created disabled, so set is-enabled:true on each one with dpconf set-ldap-data-source-prop (the same command section 3.8 uses with is-enabled:false), then restart:
dpadm restart /data1/ldaproxy
Disable Non secure data source (if not used)
dpconf set-ldap-data-source-prop -i -h ldaproxy1.domain.com -P 636 -w /tmp/pw "ldap1-389" is-enabled:false
dpconf set-ldap-data-source-prop -i -h ldaproxy1.domain.com -P 636 -w /tmp/pw "ldap2-389" is-enabled:false
dpconf set-ldap-data-source-prop -i -h ldaproxy2.domain.com -P 636 -w /tmp/pw "ldap1-389" is-enabled:false
dpconf set-ldap-data-source-prop -i -h ldaproxy2.domain.com -P 636 -w /tmp/pw "ldap2-389" is-enabled:false
Set the Directory Proxy weight
Weights are set per operation type on each attached data source. Equal weights of 50 on both backends spread every operation type evenly; lower the weight for an operation type (or set it to 0) on a source you want to steer that operation type away from, for example to keep writes on one backend only.
dpconf set-attached-ldap-data-source-prop -i -h ldaproxy1.domain.com -P 636 -w /tmp/pw "DataSource-Pool" "ldap1-636" add-weight:50 bind-weight:50 compare-weight:50 delete-weight:50 modify-dn-weight:50 modify-weight:50 search-weight:50
dpconf set-attached-ldap-data-source-prop -i -h ldaproxy1.domain.com -P 636 -w /tmp/pw "DataSource-Pool" "ldap2-636" add-weight:50 bind-weight:50 compare-weight:50 delete-weight:50 modify-dn-weight:50 modify-weight:50 search-weight:50
dpconf set-attached-ldap-data-source-prop -i -h ldaproxy2.domain.com -P 636 -w /tmp/pw "DataSource-Pool" "ldap1-636" add-weight:50 bind-weight:50 compare-weight:50 delete-weight:50 modify-dn-weight:50 modify-weight:50 search-weight:50
dpconf set-attached-ldap-data-source-prop -i -h ldaproxy2.domain.com -P 636 -w /tmp/pw "DataSource-Pool" "ldap2-636" add-weight:50 bind-weight:50 compare-weight:50 delete-weight:50 modify-dn-weight:50 modify-weight:50 search-weight:50
Directory Proxy native LDAP tuning
Directory Proxy Session Tuning
Log in to DSCC as root, then log in as admin.
Click on the Directory Proxy tab > Servers, then click on this proxy server and open:
Proxy Servers > ldaproxy1:389 > General TAB
Check the boxes for:
VLV Request LDAPv3 control
Server Side Sorting
Proxy Servers > ldaproxy1:389 > Performance TAB
Raise the worker threads from the default 50 to 70 (the rule of thumb used here is 20 per connection):
Worker Threads: 70
Directory Proxy Access log Tuning
Click on Proxy Servers > ldaproxy2.domain.com:389 > Access Logging
Log Rotation Policy:
Size Limit: 1000
Max Files to Keep: 15
Setup Solaris (SMF) services and Auto restart
To have Solaris SMF auto-start and stop the Directory Proxy run the following.
Note: The instance must be stopped when you run this.
dpadm enable-service -T SMF /data1/ldaproxy-config
Problems and resolution doing directory proxy configuration
Problem 1
Problem: Connections time out; LDAP clients are disconnected too quickly
- Symptom: "connection idle time-out has expired" errors in the access log
Solution: The attribute in conf.ldif is named as if its value were in seconds, but the value is applied as milliseconds, so the default 3600 is only 3.6 seconds. Raise it to 3600000 milliseconds (one hour).
Solution: Set this in /data1/ldaproxy1/config/conf.ldif for the 389 and 636 listeners. Stop the instance before editing conf.ldif by hand and start it again afterwards.
Note: The attribute name says seconds but the value is really milliseconds.
From: connectionIdleTimeOutInSec: 3600
To: connectionIdleTimeOutInSec: 3600000
Enable all LDAP controls to pass Directory Proxy
To allow all of these controls through the proxy run the following, then restart. dpconf set-server-prop replaces the whole allowed-ldap-controls list, so give every control you need in one command (the duplicate 1.3.6.1.4.1.42.2.27.8.5.1 entry has been removed from the list). Note that 2.16.840.1.113730.3.4.12 and 2.16.840.1.113730.3.4.18 are the proxied-authorization controls: letting them through the proxy allows a client with proxy rights on the backend to act as another DN, so only include them if an application actually needs them.
dpconf set-server-prop -i -h ldaproxy1.domain.com -P 636 --pwd-file /tmp/pw \
 allowed-ldap-controls:2.16.840.1.113730.3.4.2 \
 allowed-ldap-controls:2.16.840.1.113730.3.4.3 \
 allowed-ldap-controls:2.16.840.1.113730.3.4.4 \
 allowed-ldap-controls:2.16.840.1.113730.3.4.5 \
 allowed-ldap-controls:2.16.840.1.113730.3.4.16 \
 allowed-ldap-controls:2.16.840.1.113730.3.4.15 \
 allowed-ldap-controls:2.16.840.1.113730.3.4.17 \
 allowed-ldap-controls:2.16.840.1.113730.3.4.19 \
 allowed-ldap-controls:1.3.6.1.4.1.42.2.27.9.5.2 \
 allowed-ldap-controls:1.3.6.1.4.1.42.2.27.9.5.6 \
 allowed-ldap-controls:1.3.6.1.4.1.42.2.27.9.5.8 \
 allowed-ldap-controls:1.3.6.1.4.1.42.2.27.8.5.1 \
 allowed-ldap-controls:2.16.840.1.113730.3.4.14 \
 allowed-ldap-controls:1.3.6.1.4.1.1466.29539.12 \
 allowed-ldap-controls:2.16.840.1.113730.3.4.12 \
 allowed-ldap-controls:2.16.840.1.113730.3.4.18 \
 allowed-ldap-controls:2.16.840.1.113730.3.4.13 \
 allowed-ldap-controls:1.3.6.1.4.1.42.2.27.9.5.4 \
 allowed-ldap-controls:1.3.6.1.4.1.42.2.27.9.5.7 \
 allowed-ldap-controls:1.2.840.113556.1.4.473 \
 allowed-ldap-controls:2.16.840.1.113730.3.4.9
To verify the change, read the proxy's root DSE and check its supportedControl values:
ldapsearch -h ldaproxy1.domain.com -b "" -s base objectclass=\*
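The ldapsearch verification above returns the root DSE as LDIF, and reading twenty OIDs by eye is error-prone. The script below is an added example (not part of this page or of the Directory Proxy product): it parses that LDIF, diffs the advertised supportedControl values against the allowed-ldap-controls list from the dpconf command, and separately flags the proxied-authorization controls. The root DSE sample embedded in it is constructed for the example, not captured from a real proxy, and the OID-to-name table only covers the controls whose names I am sure of.

```python
"""Audit the LDAP controls a Directory Proxy advertises in its root DSE against the
allowed-ldap-controls list set with dpconf. Added example, not from the original
page; the sample root DSE below is constructed, not captured from a real proxy."""
import re

# OID list from the dpconf set-server-prop command above, with the duplicate
# password-policy entry removed (21 unique controls).
ALLOWED_LDAP_CONTROLS = [
    "2.16.840.1.113730.3.4.2", "2.16.840.1.113730.3.4.3", "2.16.840.1.113730.3.4.4",
    "2.16.840.1.113730.3.4.5", "2.16.840.1.113730.3.4.16", "2.16.840.1.113730.3.4.15",
    "2.16.840.1.113730.3.4.17", "2.16.840.1.113730.3.4.19", "1.3.6.1.4.1.42.2.27.9.5.2",
    "1.3.6.1.4.1.42.2.27.9.5.6", "1.3.6.1.4.1.42.2.27.9.5.8", "1.3.6.1.4.1.42.2.27.8.5.1",
    "2.16.840.1.113730.3.4.14", "1.3.6.1.4.1.1466.29539.12", "2.16.840.1.113730.3.4.12",
    "2.16.840.1.113730.3.4.18", "2.16.840.1.113730.3.4.13", "1.3.6.1.4.1.42.2.27.9.5.4",
    "1.3.6.1.4.1.42.2.27.9.5.7", "1.2.840.113556.1.4.473", "2.16.840.1.113730.3.4.9",
]

# Names for the OIDs I can vouch for; anything else is reported by OID only.
KNOWN_CONTROL_NAMES = {
    "2.16.840.1.113730.3.4.2": "ManageDsaIT",
    "2.16.840.1.113730.3.4.3": "Persistent search",
    "2.16.840.1.113730.3.4.4": "Password expired (response)",
    "2.16.840.1.113730.3.4.5": "Password expiring (response)",
    "2.16.840.1.113730.3.4.9": "Virtual list view request",
    "2.16.840.1.113730.3.4.12": "Proxied authorization v1",
    "2.16.840.1.113730.3.4.13": "Replication update info",
    "2.16.840.1.113730.3.4.14": "Search on specific backend",
    "2.16.840.1.113730.3.4.15": "Authorization identity response",
    "2.16.840.1.113730.3.4.16": "Authorization identity request",
    "2.16.840.1.113730.3.4.17": "Real attributes only",
    "2.16.840.1.113730.3.4.18": "Proxied authorization v2",
    "2.16.840.1.113730.3.4.19": "Virtual attributes only",
    "1.2.840.113556.1.4.473": "Server-side sort request",
    "1.3.6.1.4.1.42.2.27.8.5.1": "Password policy",
    "1.3.6.1.4.1.42.2.27.9.5.2": "Get effective rights",
}

# Controls that let a bound identity act as another DN. Allowing them through the
# proxy is a trust decision, so the audit calls them out separately.
IMPERSONATION_CONTROLS = {"2.16.840.1.113730.3.4.12", "2.16.840.1.113730.3.4.18"}


def parse_ldif_entry(ldif_text):
    """Return {attribute-name-lowercased: [values]} for a single LDIF entry, e.g. the
    output of: ldapsearch -h proxy -b "" -s base objectclass=*"""
    unfolded = re.sub(r"\n ", "", ldif_text)        # join LDIF continuation lines
    attrs = {}
    for line in unfolded.splitlines():
        if not line or line[0] == "#" or line.startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep or value.startswith(":"):        # skip malformed and base64 values
            continue
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def audit_controls(root_dse_ldif, expected=ALLOWED_LDAP_CONTROLS):
    """Diff the advertised supportedControl values against the expected list."""
    advertised = set(parse_ldif_entry(root_dse_ldif).get("supportedcontrol", []))
    expected_set = set(expected)
    return {
        "missing": sorted(expected_set - advertised),      # allowed but not advertised
        "extra": sorted(advertised - expected_set),        # advertised, not in our list
        "impersonation": sorted(advertised & IMPERSONATION_CONTROLS),
    }


def describe(oid):
    return KNOWN_CONTROL_NAMES.get(oid, "unknown control")


def format_report(result):
    lines = [f"{key}: {oid} ({describe(oid)})"
             for key in ("missing", "extra", "impersonation") for oid in result[key]]
    return "\n".join(lines) or "all expected controls advertised"


# Constructed root DSE: VLV request and server-side sort are deliberately absent,
# one OID is folded across two lines, and one control outside our list is present.
SAMPLE_ROOT_DSE = """\
version: 1
dn:
objectClass: top
namingContexts: dc=domain,dc=com
supportedLDAPVersion: 3
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.3
supportedControl: 2.16.840.1.113730.3.4.4
supportedControl: 2.16.840.1.113730.3.4.5
supportedControl: 2.16.840.1.113730.3.4.12
supportedControl: 2.16.840.1.113730.3.4.13
supportedControl: 2.16.840.1.113730.3.4.14
supportedControl: 2.16.840.1.113730.3.4.15
supportedControl: 2.16.840.1.113730.3.4.16
supportedControl: 2.16.840.1.113730.3.4.17
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.19
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 1.3.6.1.4.1.42.2.27
 .9.5.2
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.4
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.6
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.7
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
supportedControl: 1.3.6.1.4.1.1466.29539.12
supportedControl: 1.3.6.1.4.1.4203.1.10.1
"""

if __name__ == "__main__":
    print(format_report(audit_controls(SAMPLE_ROOT_DSE)))
```

Feed it the real output (ldapsearch ... > rootdse.ldif, then audit_controls(open("rootdse.ldif").read())) after the restart: anything listed under "missing" is a control you set with dpconf but the proxy is not offering to clients, and anything under "impersonation" deserves a second look at which bind DNs hold proxy rights on the backends.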
Disabling or limit Anonymous access
In the DSCC console create a request-limit policy for anonymous clients and apply it to the connection handler that anonymous connections match:
Click on Proxy Servers > ldaproxy1.domain.com:389 > Policies
New Policy
Name: Anonymous-Policy
Connection Limit: 1
Single IP Connection Limit: 1
Operation Limit: 1
Simultaneous Operation Limit: 1
Search Limits
Minimum Size For Substrings in Searches: 3
Maximum Search Time: 5
Default Search Size Limit: 1
Re initialize the Directory Server Control Center(DSCC)
To re-initialize the Directory Server Control Center (DSCC) run the following, then restart the Sun Management web console:
/dse61/dscc6/bin/dsccsetup dismantle
/dse61/dscc6/bin/dsccsetup initialize
smcwebserver restart
Troubleshooting a hung Directory Proxy
Collecting jmap: create a cron job that snapshots the proxy JVM heap once a minute
# Cron entry: collect heap statistics for the Sun Proxy Server
* * * * * /data1/sun_collect/collect_jmap.sh
collect_jmap.sh:
#!/bin/bash
# Append a timestamped "jmap -heap" snapshot of the proxy JVM to the collect file.
# The proxy's JVM main class is DistributionServerMain; jps gives its PID.
echo "====================== Ran at `date` ======================" >>/data1/sun_collect/collect_jmap.out
proxy_process=`/usr/jdk/instances/jdk1.5.0/bin/sparcv9/jps |grep DistributionServerMain |awk '{print $1}'`
/usr/jdk/instances/jdk1.5.0/bin/sparcv9/jmap -d64 -heap $proxy_process >> /data1/sun_collect/collect_jmap.out
Example output:
cat /data1/sun_collect/collect_jmap.out
====================== Ran at Tue Jun 23 10:58:00 EDT 2009 ======================
using thread-local object allocation.
Parallel GC with 24 thread(s)
Heap Configuration:
MinHeapFreeRatio = 40
MaxHeapFreeRatio = 70
MaxHeapSize = 2147483648 (2048.0MB)
NewSize = 2883584 (2.75MB)
MaxNewSize = -65536 (-0.0625MB)
OldSize = 1835008 (1.75MB)
NewRatio = 1
SurvivorRatio = 32
PermSize = 21757952 (20.75MB)
MaxPermSize = 88080384 (84.0MB)
Heap Usage:
PS Young Generation
Eden Space: capacity = 432537600 (412.5MB) used = 112557816 (107.34349822998047MB) free = 319979784 (305.15650177001953MB) 26.022666237571023% used
From Space: capacity = 3014656 (2.875MB) used = 2981888 (2.84375MB) free = 32768 (0.03125MB) 98.91304347826087% used
To Space: capacity = 8323072 (7.9375MB) used = 0 (0.0MB) free = 8323072 (7.9375MB) 0.0% used
PS Old Generation capacity = 1073741824 (1024.0MB) used = 36454704 (34.76591491699219MB) free = 1037287120 (989.2340850830078MB) 3.3951088786125183% used
PS Perm Generation capacity = 25165824 (24.0MB) used = 12957168 (12.356918334960938MB) free = 12208656 (11.643081665039062MB) 51.487159729003906% used
Note: This snapshot reports Parallel GC, a 2.75MB NewSize and an 84MB MaxPermSize, so the jvm-args from section 3.1 (CMS, 1024M new generation, 128M PermSize) were not in effect on this JVM. Before chasing a hang, confirm with dpadm get-flags and jmap -heap that the tuned flags are actually applied.
Collecting jstat
#!/bin/bash
# Sample the proxy JVM's garbage-collector counters every second (1000 ms) and
# append them to jstat.out; run it in the background for the length of the incident.
proxy_process=`/usr/jdk/instances/jdk1.5.0/bin/sparcv9/jps |grep DistributionServerMain |awk '{print $1}'`
/usr/jdk/instances/jdk1.5.0/bin/sparcv9/jstat -gcutil $proxy_process 1000 >> /data1/sun_collect/jstat.out
Example output:
# cat jstat.out|head -10
S0 S1 E O P YGC YGCT FGC FGCT GCT
53.54 0.00 84.20 3.10 51.43 34 2.511 0 0.000 2.511
53.54 0.00 85.41 3.10 51.43 34 2.511 0 0.000 2.511
53.54 0.00 85.94 3.10 51.43 34 2.511 0 0.000 2.511
53.54 0.00 87.13 3.10 51.43 34 2.511 0 0.000 2.511
53.54 0.00 88.44 3.10 51.43 34 2.511 0 0.000 2.511
53.54 0.00 90.22 3.10 51.43 34 2.511 0 0.000 2.511
53.54 0.00 91.02 3.10 51.43 34 2.511 0 0.000 2.511
53.54 0.00 93.08 3.10 51.43 34 2.511 0 0.000 2.511
53.54 0.00 96.34 3.10 51.43 34 2.511 0 0.000 2.511
Reading the columns: E (Eden) climbs between young collections, O (old generation) sits at 3.10% and FGC (full GC count) stays at 0, so this proxy is not hanging because of an exhausted heap. If O were near 100% with FGC climbing every sample, the JVM would be stuck in back-to-back full collections and the heap settings would be the problem; with numbers like these, collect a thread dump next (jstack against the same PID, or kill -QUIT, which writes the dump to the JVM's standard output) to see what the worker threads are blocked on.
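To make the two checks above repeatable, here is an added example (my own triage script, not part of this page or of the proxy product) that reads jstat -gcutil samples and a jmap -heap snapshot. It classifies the GC samples as a heap-exhaustion hang or not, and it compares the jmap "Heap Configuration" block with the jvm-args string from section 3.1 to catch the flags-not-applied situation visible in the snapshot above. The jstat and jmap samples embedded in it are taken from this page's own output (re-laid out one value per line); the "exhausted" jstat sample and the 90% old-generation threshold are constructed for the example.

```python
"""Triage helpers for a hung Sun Directory Proxy JVM (added example, not part of
the original page): classify jstat -gcutil samples, and check that a jmap -heap
snapshot agrees with the jvm-args set via dpadm set-flags."""
import re


def parse_gcutil(text):
    """Parse `jstat -gcutil` output into a list of {column: float} rows."""
    rows, header = [], None
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "S0":                 # header: S0 S1 E O P YGC YGCT FGC FGCT GCT
            header = parts
            continue
        if header and len(parts) == len(header):
            rows.append(dict(zip(header, map(float, parts))))
    return rows


def classify_gc(rows, old_threshold=90.0):
    """'heap-exhausted' when full GCs keep firing while the old generation stays
    near full; 'gc-healthy' otherwise (then look at thread dumps, not the heap)."""
    if len(rows) < 2:
        raise ValueError("need at least two jstat samples")
    fgc_delta = rows[-1]["FGC"] - rows[0]["FGC"]
    old_min = min(r["O"] for r in rows)
    return "heap-exhausted" if fgc_delta > 0 and old_min >= old_threshold else "gc-healthy"


def parse_jmap_config(text):
    """Return {setting: MB} from the 'Heap Configuration:' block of `jmap -heap`."""
    pattern = r"^\s*(\w+)\s*=\s*-?\d+\s*\((-?[\d.]+)MB\)"
    return {m.group(1): float(m.group(2)) for m in re.finditer(pattern, text, re.M)}


def flag_to_mb(value):
    """JVM size syntax to MB: '2048M' -> 2048.0, '1g' -> 1024.0, '512k' -> 0.5."""
    m = re.fullmatch(r"(\d+)([kKmMgG]?)", value)
    if not m:
        raise ValueError(f"bad JVM size: {value}")
    scale = {"": 1 / 1048576, "k": 1 / 1024, "m": 1.0, "g": 1024.0}
    return int(m.group(1)) * scale[m.group(2).lower()]


# jvm-args flag prefix -> the name jmap prints for the same setting
SIZE_FLAGS = {"-Xmx": "MaxHeapSize", "-XX:NewSize=": "NewSize",
              "-XX:MaxNewSize=": "MaxNewSize", "-XX:PermSize=": "PermSize",
              "-XX:MaxPermSize=": "MaxPermSize"}


def jvm_args_mismatches(jvm_args, jmap_text):
    """List the ways the running JVM (per jmap -heap) differs from the jvm-args."""
    cfg, problems = parse_jmap_config(jmap_text), []
    if "-XX:+UseConcMarkSweepGC" in jvm_args.split() and "Parallel GC" in jmap_text:
        problems.append("collector: CMS requested, Parallel GC running")
    for arg in jvm_args.split():
        for prefix, name in SIZE_FLAGS.items():
            if arg.startswith(prefix) and name in cfg:
                want = flag_to_mb(arg[len(prefix):])
                if abs(cfg[name] - want) > 0.5:
                    problems.append(f"{name}: configured {want:g}MB, running {cfg[name]:g}MB")
    return problems


# The jvm-args string from section 3.1 of this page.
JVM_ARGS = ("-Xmx2048M -Xms2048M -XX:NewRatio=1 -XX:+PrintGCDetails -Xloggc:/var/java/java-gc.log "
            "-XX:NewSize=1024M -XX:MaxNewSize=1024M -XX:PermSize=128M -XX:MaxPermSize=128M "
            "-XX:SurvivorRatio=32 -XX:MaxLiveObjectEvacuationRatio=15 -XX:+UseParNewGC "
            "-XX:+UseConcMarkSweepGC -XX:+PrintGCTimeStamps -Dsun.security.pkcs11.enable-solaris=false")

# Heap Configuration block from the jmap snapshot on this page.
PAGE_JMAP = """\
using thread-local object allocation.
Parallel GC with 24 thread(s)
Heap Configuration:
   MinHeapFreeRatio = 40
   MaxHeapSize      = 2147483648 (2048.0MB)
   NewSize          = 2883584 (2.75MB)
   MaxNewSize       = -65536 (-0.0625MB)
   OldSize          = 1835008 (1.75MB)
   PermSize         = 21757952 (20.75MB)
   MaxPermSize      = 88080384 (84.0MB)
"""

# First, second and last jstat rows from this page.
PAGE_JSTAT = """\
  S0     S1     E      O      P     YGC     YGCT    FGC    FGCT     GCT
 53.54   0.00  84.20   3.10  51.43     34    2.511     0    0.000    2.511
 53.54   0.00  85.41   3.10  51.43     34    2.511     0    0.000    2.511
 53.54   0.00  96.34   3.10  51.43     34    2.511     0    0.000    2.511
"""

# Constructed sample of what a heap-exhausted proxy looks like: old gen pinned
# near 100% and a full GC completing between every one-second sample.
EXHAUSTED_JSTAT = """\
  S0     S1     E      O      P     YGC     YGCT    FGC    FGCT     GCT
  0.00   0.00 100.00  99.80  60.10    210   12.300    41   88.200  100.500
  0.00   0.00 100.00  99.85  60.10    210   12.300    42   90.400  102.700
  0.00   0.00 100.00  99.90  60.10    210   12.300    43   92.600  104.900
"""

if __name__ == "__main__":
    print("page sample:", classify_gc(parse_gcutil(PAGE_JSTAT)))
    for problem in jvm_args_mismatches(JVM_ARGS, PAGE_JMAP):
        print("flag mismatch:", problem)
```

Run it against the real collect files (parse_gcutil(open("jstat.out").read()) and the latest jmap block from collect_jmap.out): a "gc-healthy" verdict means the heap tuning is not what is hanging the proxy, and any flag mismatch means the dpadm set-flags change never reached the running JVM, which is exactly what the page's own snapshot shows.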
Debugging a low performance proxy incident
Troubleshooting a Crashed Directory Proxy Server Process
Setup Directory and Proxy Server Monitoring
Sun Directory and Directory proxy server Monitoring
Note: You cannot install the Monitoring Server and the Monitoring Client on the same server (it will not work).
Run the JES installer and select Sun Monitoring Console version 1.0 on the Monitoring Server.
On the monitoring server set up the console:
/opt/SUNWmfwk/bin/mfwksetup -i
/opt/SUNWmfwk/bin/masetup -i
On all Directory Servers and Proxy Servers enable the monitoring plugin so that they can be monitored, then restart them.
Log in to the Monitoring Console server and click on Sun Monitoring Console.
In discovery enter the IP or host name of the Directory Server or Proxy Server to monitor.