Note: For most up-to-date OUD/ODSM information click here

Create new servers and start them

Run on the 3 local servers Note1: The replication topology was updated on Jul 2010, the process to setup replication is the same, just additional servers. Note2: The LDAP/LDAP Proxy admin server configuration changed, for more information please look here First lets create a directory instance

dsadm create -p 389 -P 636 /data1/ldap_inst1/ldap

Note: The next steps require the directory server instance to use an FQDN, needed for certificate.

Note2: For DS7 replace the instance path with /opt/SUNWdsee7/var/dcc/ads

On all 3 server stop the ldap instance (if it was started)

dsadm stop /data1/ldap_inst1/ldap

For DSCC:
dsadm stop /var/opt/SUNWdsee/dscc6/dcc/ads/

Set a new password key for the certificate database and turn off password prompt (need for the next steps)

dsadm set-flags /data1/ldap_inst1/ldap cert-pwd-prompt=on

For DSCC:
dsadm set-flags /var/opt/SUNWdsee/dscc6/dcc/ads/ cert-pwd-prompt=on

Delete the bad certificates named defaultCert certificate database on all 3 servers

certutil -D -d /data1/ldap_inst1/ldap/alias -P slapd- -n defaultCert

For DSCC:
certutil -D -d /var/opt/SUNWdsee/dscc6/dcc/ads/alias -P slapd- -n defaultCert

On each server create a 3 year certificate.

On ldap1
certutil -S -d /data1/ldap_inst1/ldap/alias -P slapd- -n defaultCert -s "CN=ldap1.domain.com" -x -v 36 -t CTu,CTu,CTu -5

For DSCC:
certutil -S -d /var/opt/SUNWdsee/dscc6/dcc/ads/alias -P slapd- -n defaultCert -s "CN=ldap1.domain.com" -x -v 36 -t CTu,CTu,CTu -5

On ldap2
certutil -S -d /data1/ldap_inst1/ldap/alias -P slapd- -n defaultCert -s "CN=ldap2.domain.com" -x -v 36 -t CTu,CTu,CTu -5

For DSCC:
certutil -S -d /var/opt/SUNWdsee/dscc6/dcc/ads/alias -P slapd- -n defaultCert -s "CN=ldap2.domain.com" -x -v 36 -t CTu,CTu,CTu -5

On ldap3
certutil -S -d /data1/ldap_inst1/ldap/alias -P slapd- -n defaultCert -s "CN=ldap3.domain.com" -x -v 36 -t CTu,CTu,CTu -5

For DSCC:
certutil -S -d /var/opt/SUNWdsee/dscc6/dcc/ads/alias -P slapd- -n defaultCert -s "CN=ldap3.domain.com" -x -v 36 -t CTu,CTu,CTu -5
Enter Password or Pin for "NSS Certificate DB": 

0 - SSL Client
1 - SSL Server
9 - To Finish

Click 0 then 1 then 9

Is this a critical extension [y/n]? y

For DSCC:
On ldaproxy1:
certutil -S -d /var/opt/SUNWdsee/dscc6/dcc/ads/alias -P slapd- -n defaultCert -s "CN=ldaproxy1,CN=Directory Server,O=Sun Microsystems" \
-x -v 36 -t CTu,CTu,CTu -5 
On ldaproxy2:
certutil -S -d /var/opt/SUNWdsee/dscc6/dcc/ads/alias -P slapd- -n defaultCert -s "CN=ldaproxy2,CN=Directory Server,O=Sun Microsystems" \
-x -v 36 -t CTu,CTu,CTu -5

Disable password prompt on all 3 server and store encrypted in the password database

dsadm set-flags /data1/ldap_inst1/ldap cert-pwd-prompt=off

For DSCC:
dsadm set-flags /var/opt/SUNWdsee/dscc6/dcc/ads cert-pwd-prompt=off

Start the new instance on all servers

dsadm start /data1/ldap_inst1/ldap

For DSCC:
dsadm start /var/opt/SUNWdsee/dscc6/dcc/ads

Ready to start setting up replication?

Create a file with the password name dsccreplmanpwd.txt

echo -n 'your password' >dsccreplmanpwd.txt

Run on all 3 servers instances to create a new empty suffixes.

dsconf create-suffix -w dsccreplmanpwd.txt -e -i -p 389 dc=subdomain,dc=com

Note: If your port uses 1389 set it like this

dsconf create-suffix -w dsccreplmanpwd.txt -e -i -p 1389 dc=subdomain,dc=com

Disable Montring plugin

dsconf disable-plugin -w dsccreplmanpwd.txt -e -i -p 389 "Monitoring Plugin"

Run on all 3 servers to set replication password

cp dsccreplmanpwd.txt /data1/ldap_inst1/ldap/replmanrpwd.txt

On ldap1
dsconf set-server-prop -w dsccreplmanpwd.txt -e -i -h ldap1.domain.com -p 389 def-repl-manager-pwd-file:/data1/ldap_inst1/ldap/replmanrpwd.txt

On ldap2
dsconf set-server-prop -w dsccreplmanpwd.txt -e -i -h ldap2.domain.com -p 389 def-repl-manager-pwd-file:/data1/ldap_inst1/ldap/replmanrpwd.txt

On ldap3
dsconf set-server-prop -w dsccreplmanpwd.txt -e -i -h ldap3.domain.com -p 1389 def-repl-manager-pwd-file:/data1/ldap_inst1/ldap/replmanrpwd.txt

Set on all 3 server instances a replication ID

dsconf enable-repl -w dsccreplmanpwd.txt -h ldap1.domain.com -p 389 -e -i -d 10 master dc=subdomain,dc=com

dsconf enable-repl -w dsccreplmanpwd.txt -h ldap2.domain.com -p 389 -e -i -d 11 master dc=subdomain,dc=com

dsconf enable-repl -w dsccreplmanpwd.txt -h ldap3.domain.com -p 1389 -e -i -d 12 master dc=subdomain,dc=com


dsconf enable-repl -w dsccreplmanpwd.txt -h ldap3.domain.com -p  389 -e -i -d 13 master  dc=subdomain,dc=com

dsconf enable-repl -w dsccreplmanpwd.txt -h ldap4.domain.com -p  389 -e -i -d 14 master  dc=subdomain,dc=com

dsconf enable-repl -w dsccreplmanpwd.txt -h ldap5.domain.com -p  389 -e -i -d 15 master  dc=subdomain,dc=com

dsconf enable-repl -w dsccreplmanpwd.txt -h ldap6.domain.com -p  389 -e -i -d 16 master  dc=subdomain,dc=com

Get the default certificate off all 3 servers instances they use.

On ldap1
dsadm show-cert -F der -o ldap1-certfile /data1/ldap_inst1/ldap defaultCert

On ldap2
dsadm show-cert -F der -o ldap2-certfile /data1/ldap_inst1/ldap defaultCert

On ldap3
dsadm show-cert -F der -o ldap3-certfile /data1/ldap_inst1/ldap defaultCert

Copy all certificates to all servers and add it as a CA trusted certificate from all other servers

On ldap1
dsadm add-cert --ca /data1/ldap_inst1/ldap "ldap2.domain.com Repl Manager Cert" ldap2-certfile
dsadm add-cert --ca /data1/ldap_inst1/ldap "ldap3.domain.com Repl Manager Cert" ldap3-certfile

On ldap2
dsadm add-cert --ca /data1/ldap_inst1/ldap "ldap1.domain.com Repl Manager Cert" ldap1-certfile
dsadm add-cert --ca /data1/ldap_inst1/ldap "ldap3.domain.com Repl Manager Cert" ldap3-certfile

On ldap3
dsadm add-cert --ca /data1/ldap_inst1/ldap "ldap2.domain.com Repl Manager Cert" ldap2-certfile
dsadm add-cert --ca /data1/ldap_inst1/ldap "ldap1.domain.com Repl Manager Cert" ldap1-certfile

Restart all 3 servers instances

dsadm restart /data1/ldap_inst1/ldap

Setup replication to use SSL auth on all instances

On ldap1
dsconf create-repl-agmt -w dsccreplmanpwd.txt -h ldap1.domain.com -p 389 -e -i --auth-protocol "ssl-simple" dc=subdomain,dc=com ldap2.domain.com:636
dsconf create-repl-agmt -w dsccreplmanpwd.txt -h ldap1.domain.com -p 389 -e -i --auth-protocol "ssl-simple" dc=subdomain,dc=com ldap3.domain.com:1636

On ldap2
dsconf create-repl-agmt -w dsccreplmanpwd.txt -h ldap2.domain.com -p 389 -e -i --auth-protocol "ssl-simple" dc=subdomain,dc=com ldap1.domain.com:636
dsconf create-repl-agmt -w dsccreplmanpwd.txt -h ldap2.domain.com -p 389 -e -i --auth-protocol "ssl-simple" dc=subdomain,dc=com ldap3.domain.com:1636

On ldap3dsconf create-repl-agmt -w dsccreplmanpwd.txt -h ldap3.domain.com -p 1389 -e -i --auth-protocol "ssl-simple" dc=subdomain,dc=com ldap1.domain.com:636
dsconf create-repl-agmt -w dsccreplmanpwd.txt -h ldap3.domain.com -p 1389 -e -i --auth-protocol "ssl-simple" dc=subdomain,dc=com ldap2.domain.com:636

Assign and setup replication agreement between server instances

On ldap1
dsconf set-repl-agmt-prop -w dsccreplmanpwd.txt -h ldap1.domain.com -p 389 -e -i dc=subdomain,dc=com ldap2.domain.com:636 \
auth-pwd-file:/data1/ldap_inst1/ldap/replmanrpwd.txt
dsconf set-repl-agmt-prop -w dsccreplmanpwd.txt -h ldap1.domain.com -p 389 -e -i dc=subdomain,dc=com ldap3.domain.com:1636 \
auth-pwd-file:/data1/ldap_inst1/ldap/replmanrpwd.txt

On ldap2
dsconf set-repl-agmt-prop -w dsccreplmanpwd.txt -h ldap2.domain.com -p 389 -e -i dc=subdomain,dc=com ldap1.domain.com:636 \
auth-pwd-file:/data1/ldap_inst1/ldap/replmanrpwd.txt
dsconf set-repl-agmt-prop -w dsccreplmanpwd.txt -h ldap2.domain.com -p 389 -e -i dc=subdomain,dc=com ldap3.domain.com:1636 \
auth-pwd-file:/data1/ldap_inst1/ldap/replmanrpwd.txt

On ldap3
dsconf set-repl-agmt-prop -w dsccreplmanpwd.txt -h ldap3.domain.com -p 1389 -e -i dc=subdomain,dc=com ldap1.domain.com:636 \
auth-pwd-file:/data1/ldap_inst1/ldap/replmanrpwd.txt
dsconf set-repl-agmt-prop -w dsccreplmanpwd.txt -h ldap3.domain.com -p 1389 -e -i dc=subdomain,dc=com ldap2.domain.com:636 \
auth-pwd-file:/data1/ldap_inst1/ldap/replmanrpwd.txt

Copy the schema files we use in place to all 3 servers instances

cp 30ns-samba.ldif 99ns-sudo.ldif /data1/ldap_inst1/ldap/config/schema/
chmod 744 /data1/ldap_inst1/ldap/config/schema/99ns-sudo.ldif
chmod 744 /data1/ldap_inst1/ldap/config/schema/30ns-samba.ldif

And now finaley restart all instances for the new schema and other changes to take effect

dsadm restart /data1/ldap_inst1/ldap

Now we are ready to start the setup for native LDAP and index’s

copy the idsconfig profile file’s (below) to one of the server’s, then run. NOTE: Change the correct password and domain in the profile.

• ldap1 profile (change the password and IP info)

/usr/lib/ldap/idsconfig -v -i [input_file]

To create a new silent input file run

/usr/lib/ldap/idsconfig -o [output_file_name]

Stop all 3 server instances to complete the vlv index’s

dsadm stop /data1/ldap_inst1/ldap

Now; To create the vlv index’s copy this to each server instance and run.

• Initialize vlv index’s

Ldap_vlv_index.txt

Note: You might need to re-run this once the directory is populated

Start all 3 server instances

dsadm start /data1/ldap_inst1/ldap

Initialize and start all replication agreement’s

On ldap1
dsconf init-repl-dest -w dsccreplmanpwd.txt -e -i -h ldap1.domain.com -p 389 dc=subdomain,dc=com ldap2.domain.com:636
dsconf init-repl-dest -w dsccreplmanpwd.txt -e -i -h ldap1.domain.com -p 389 dc=subdomain,dc=com ldap3.domain.com:1636

On ldap2
dsconf init-repl-dest -w dsccreplmanpwd.txt -e -i -h ldap2.domain.com -p 389 dc=subdomain,dc=com ldap1.domain.com:636
dsconf init-repl-dest -w dsccreplmanpwd.txt -e -i -h ldap2.domain.com -p 389 dc=subdomain,dc=com ldap3.domain.com:1636

On ldap3
dsconf init-repl-dest -w dsccreplmanpwd.txt -e -i -h ldap3.domain.com -p 1389 dc=subdomain,dc=com ldap1.domain.com:636
dsconf init-repl-dest -w dsccreplmanpwd.txt -e -i -h ldap3.domain.com -p 1389 dc=subdomain,dc=com ldap2.domain.com:636

To check replication status(if dscc is used to manage the directory server instances)

To see replication status on all server instances

dsccreg list-servers -C -a

To see replication status on one replication aggrement run

dsconf show-repl-agmt-status -w dsccreplmanpwd.txt -e -i -h ldap2 -p 389 dc=subdomain,dc=com ldap1.domain.com:636

To get all directory server properties

dsconf get-server-prop -w /tmp/pw -e -i -h ldap2 -p 389

To import in LDAP all production DATA

To get a dump of all production LDAP data run

ldapsearch -h ldap1 -D cn=Manager -w - -1 -T -b dc=subdomain,dc=com objectClass=* |egrep -v "dspswuser|dspswuserlink" >ldap_prod_export.ldif

To import all production entree’s

Note: Import the data on one server only, the data gets replicated automatically

dsconf import -h ldap1.domain.com -p 389 [full path to file]/ldap_prod_export.ldif dc=subdomain,dc=com

Example
dsconf import -h ldap1.domain.com -p 389 /var/tmp/usera/rep/ldap_prod_export.ldif dc=subdomain,dc=com

Enable native LDAP client binds

Before binding an native ldap client you will need to add this aci to the dc=subdomain,dc=com suffix entry

• Sun directory server anonymous access aci

How to register a directory server instance in DSCC (directory server control center)

Note: The process changed in DS7, for the latest update just Click here

Open a web browser and go to one of this links

• ldap1.domain.com – Directory Service Control Center (DSCC)
• ldap2.domain.com – Directory Service Control Center (DSCC)
• ldap3.domain.com – Directory Service Control Center (DSCC)

Log in as root Then Log in as admin Click on Directory Server Tab > server From the drop down choose Register existing server In the pop up Select a Known Host: (i.e ldap1) Fill in the Instance Path: /data1/ldap_inst1/ldap DSCC Agent Port: Leave with the default (11162) Click next Administration DN: cn=Directory Manager Password: password Click next Click Finish Repeat the above step for each instance. Note: Make sure to register with the FQDN name(if not known hosts might show up duplicate) This could also be done with dsccreg

Sun Directory server 6.3 tuning

In DSCC – Directory Servers > [ds]:389 > Server Configuration > LDAP

Client Control Settings: Size Limit: 5000 Allow the modify DN operation on non-leaf entries: check the box

In DSCC – Directory Servers > [ds]:389 > Server Configuration > Performance

Change: Cache Settings

• Make sure to look here for more information on the Database Cache Location setup

Database Cache Location: /tmp/slapd_inst1/ Cache Size Limits Database Cache (Global): 2048 Initialization Cache (Global): 128 dc=subdomain,dc=com: 1000.00 (1GB) Maximum Number of Threads: 128 Maximum Number of Persistent Searches: 128

In DSCC – Directory Servers > [ds]:389 > Server Configuration > Plugins

Enable Plugin:

uid uniqueness
Monitoring Plugin
pswsync (with idsync)

In DSCC – Replication Agreements

Click on each dc=subdomain,dc=com for each Replicate change Window Size: 100 Group Size: 10

Same as above accomplished with commend line

Sets the Window Size

dsconf set-repl-agmt-prop -h ldap1 -p 389 dc=subdomain,dc=com ldap2:389 transport-window-size:100

Sets the Group Size

dsconf set-repl-agmt-prop -h ldap1 -p 389 dc=subdomain,dc=com ldap2:389 transport-group-size:10

Create a start-up script with the proper OS tuning variables

Create a file the name /etc/init.d/Net-Tunes.sh and link from /etc/rc2.d/S90Net-Tunes.sh

echo "Applying the fowling IP tuning"
set -x
ndd -set /dev/ip ip_forward_directed_broadcasts 0
ndd -set /dev/ip ip_forward_src_routed 0
ndd -set /dev/ip ip_ignore_redirect 1
ndd -set /dev/ip ip_ire_arp_interval 60000
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
ndd -set /dev/ip ip_respond_to_timestamp 0
ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
ndd -set /dev/ip ip_send_redirects 0
# Directory Server Tuning
ndd -set /dev/tcp tcp_time_wait_interval        30000
ndd -set /dev/tcp tcp_conn_req_max_q            4096
ndd -set /dev/tcp tcp_keepalive_interval        600000
ndd -set /dev/tcp tcp_rexmit_interval_initial   500
ndd -set /dev/tcp tcp_smallest_anon_port        8192
ndd -set /dev/tcp tcp_deferred_ack_interval     5
# Directory Server DB location
mkdir /tmp/slapd_inst1
set +x

---

For more information on WAN replication tuning click here

Best practice to re-index the new imported data – do it on the last server directory server

Changes need to improve all index

in /data1/ldap_inst1/ldap/logs/dse.ldif change the nsslapd-allidsthreshold

dsadm stop /data1/ldap_inst1/ldap

From:
nsslapd-allidsthreshold: 4000

To:
nsslapd-allidsthreshold: 8000

dsadm start /data1/ldap_inst1/ldap

To Change the index value from 4000 (default) in the DSCC for each directory server instance Click on Directory Servers > ldap2.domain.com:389 Suffixes > dc=subdomain,dc=com > Indexes change all Max numbers… to 8000 click ok and restart the instance dsadm restart /data1/ldap_inst1/ldap Then refresh all index data by running Note: This could slow performance at the time of run…

To reindex all (including newly imported) entry’s just run.

dsconf reindex --pwd-file dsccreplmanpwd.txt -e -i -h ldap1 -p 389 dc=subdomain,dc=com

dsconf reindex --pwd-file dsccreplmanpwd.txt -e -i -h ldap2 -p 389 dc=subdomain,dc=com

dsconf reindex --pwd-file dsccreplmanpwd.txt -e -i -h ldap3 -p 1389 dc=subdomain,dc=com

Note: To work properly vlv index need to be run once the data is loaded click here on how to

Password Policy configuration

Change in DSCC Click on Directory Servers & ldap1.domain.com:389 & Password Policies In the Global Password Policy Password Storage Scheme: SSHA Password Syntax Checking: Always Check Administrative Users: Check the box Password Strong Check: Select to check three are of the four sets Click on Assign Policy to ou=people,o=domain.om,dc=subdomain,dc=com Create a new Password Policy Name: domain_password_policy Parent Entry DN: ou=people,o=domain.com,dc=subdomain,dc=com Specify Password Change Settings Global Policy: Inherit Password Specify Password Expiration Settings Global Policy: Specify Custom Password Expiration: 90 days Expiration Warning: 7 days Specify Password Content Settings Global Policy: Inherit Password Content Specify Account Lockout Settings Global Policy: Specify Custom Account Lockout: Enable Account Lockout Failures Before Lockout: 6 Failure Count Reset: 30 Lockout Duration: 30 Click on Assign Policy to ou=people,o=domain.om,dc=subdomain,dc=com

Directory server Access log rotation

On each server Click on Directory Servers & ldap1.domain.com:1389 Change File Size Based Log Rotation: 2000 File Size Based Log Deletion: 40000 Free Disk Space Based Log Deletion: 2000

Disabling Anonymous and null access to the directory server

To disable null access to the directory server (disabled by default)

Disable null access:
dsconf get-server-prop -e -i -p 389 -w /tmp/pasword_file require-bind-pwd-enabled

Enable null access:
dsconf set-server-prop -e -i -p 389 -w /tmp/pasword require-bind-pwd-enabled:off

To test a null search:
ldapsearch -D "cn=directory manager" -w '' -p 389 -b cn=config 'objectclass=*' dn

Note: To disable or limit Anonymous access by using directory proxy click here

To request and add a cert

dsadm request-cert --name ldap2 --org "B&H Photo" --org-unit "B&H Photo" --state NY \
--city "New Yor" --country US -o my_cert_request_file -F ascii /data1/ldap_inst1/ldap

dsadm add-cert --ca /data1/ldap_inst1/ldap server-cert my_cert_ans_file

dsadm show-cert /data1/ldap_inst1/ldap defaultCert

How to add LDAP start up to Solaris SMF

dsadm enable-service -T SMF /data1/ldap_inst1/ldap

Directory Server Backup configuration

This script run nightly by cron It backs-up the entire directory in an ldif format to /data1/ldap_backups. The backup script is located in /data1/backup_scripts/daily_backup.pl

#!/bin/perl
 
my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime time;
$now =  "$mon-$mday\_$hour-$min-$sec\n";
 
my @ldap_tree_backup = ('dsconf export -w /data1/backup_scripts/dsccreplmanpwd.txt -e -i dc=subdomain,dc=com /data1/ldap_backups/domain.ldif_'.$now);
my $error_code = system(@ldap_tree_backup);
 
#print "The backup code was = $error_code\n";
 
my @ldap_tree_backup = ('dsconf export -w /data1/backup_scripts/dsccreplmanpwd.txt -e -i -p 3998 cn=dscc /data1/ldap_backups/dscc.ldif_'.$now);
my $error_code = system(@ldap_tree_backup);
 
#print "The backup code was = $error_code\n";
 
## Backup the LDAP DB's
my @ldap_tree_backup = ('dsconf backup --pwd-file /data1/backup_scripts/dsccreplmanpwd.txt -e -i  /data1/ldap_db_backups/domain_db_'.$now);
my $error_code = system(@ldap_tree_backup);
 
#print "The backup code was = $error_code\n";
 
my @ldap_tree_backup = ('dsconf backup --pwd-file /data1/backup_scripts/dsccreplmanpwd.txt -e -i -p 3998 /data1/ldap_db_backups/dscc_db_'.$now);
my $error_code = system(@ldap_tree_backup);
 
#print "The backup code was = $error_code\n";

Helpful Web References

• Sun Docs used in this configuration
• Sun helpful forms used in this configuration
• Sun blogs helped with SSL configuration
• Step by step DSEE configuration