How to set up your first directory instance: click here
Note: If you have any issues with the Directory Server Control Center (DSCC) and need to re-initialize it, click here
Contents
- 1 Setup Directory Server Certificates
- 1.1 Before you start, make sure to set up the DSCC certificates
- 1.2 Set up a password file
- 1.3 Enable DSCC replication
- 1.4 Get the DSCC default certificate
- 1.5 Import the default certificate to each Directory Server
- 1.6 Set up a replication agreement using SSL
- 1.7 Set up a replication agreement password file
- 1.8 Consolidate the Directory Server (DSCC) LDIF data
- 1.9 Create an LDIF import file
- 1.10 Import and initialize one server with the LDIF import data
- 1.11 Initialize all other directory servers
- 2 Show replication status
- 3 To run all DSCC replication in SSL
- 4 To extend the Web Console timeout
- 5 Reference links
Setup Directory Server Certificates
Note: The process was updated; please read before you continue.
Before you start, make sure to set up the DSCC certificates
For a list of steps on how to configure the certificates, click here (this is needed for DSCC replication).
Before you begin
Make sure your storage is set up with the correct block size; check this first: Directory Server Databases and Usage of db_stat
Another place to look for how to tune the file system is Filesystem Cache Optimization Strategies
Set up a password file
Set up a password file that will be used during this configuration on all servers.
Run on all 3 servers, for all servers (on all servers, set the multi-master password file).
Note: on all servers, for all servers (don't know if it's needed).
echo '[password]' > dsccreplmanpwd.txt
cp dsccreplmanpwd.txt /var/opt/SUNWdsee/dscc6/dcc/ads/.
dsconf set-server-prop -e -i -w dsccreplmanpwd.txt -h ldap1 -p 3998 \
  def-repl-manager-pwd-file:/var/opt/SUNWdsee/dscc6/dcc/ads/dsccreplmanpwd.txt
dsconf set-server-prop -e -i -w dsccreplmanpwd.txt -h ldap2 -p 3998 \
  def-repl-manager-pwd-file:/var/opt/SUNWdsee/dscc6/dcc/ads/dsccreplmanpwd.txt
dsconf set-server-prop -e -i -w dsccreplmanpwd.txt -h ldap3 -p 3998 \
  def-repl-manager-pwd-file:/var/opt/SUNWdsee/dscc6/dcc/ads/dsccreplmanpwd.txt
Enable DSCC replication
Run on all 3 servers (on all servers, enable replication; each server gets its own replica ID with -d).
dsconf enable-repl -w dsccreplmanpwd.txt -h ldap1 -p 3998 -e -i -d 1 master cn=dscc
dsconf enable-repl -w dsccreplmanpwd.txt -h ldap2 -p 3998 -e -i -d 2 master cn=dscc
dsconf enable-repl -w dsccreplmanpwd.txt -h ldap3 -p 3998 -e -i -d 3 master cn=dscc
Get the DSCC default certificate
Run on all 3 servers (on all servers, write out the existing default certificate in DER format).
dsadm show-cert -F der -o ldap1-dscc-certfile /var/opt/SUNWdsee/dscc6/dcc/ads defaultCert
dsadm show-cert -F der -o ldap2-dscc-certfile /var/opt/SUNWdsee/dscc6/dcc/ads defaultCert
dsadm show-cert -F der -o ldap3-dscc-certfile /var/opt/SUNWdsee/dscc6/dcc/ads defaultCert
Import the default certificate to each Directory Server
Note: You will need to copy the default certificates to the respective servers and import them.
Run on all 3 servers (on all servers, add the certificate of every other server as a trusted CA).
Run on ldap1:
dsadm add-cert --ca /var/opt/SUNWdsee/dscc6/dcc/ads "ldap2 DSCC Repl Manager Cert" ldap2-dscc-certfile
dsadm add-cert --ca /var/opt/SUNWdsee/dscc6/dcc/ads "ldap3 DSCC Repl Manager Cert" ldap3-dscc-certfile
Run on ldap2:
dsadm add-cert --ca /var/opt/SUNWdsee/dscc6/dcc/ads "ldap1 DSCC Repl Manager Cert" ldap1-dscc-certfile
dsadm add-cert --ca /var/opt/SUNWdsee/dscc6/dcc/ads "ldap3 DSCC Repl Manager Cert" ldap3-dscc-certfile
Run on ldap3:
dsadm add-cert --ca /var/opt/SUNWdsee/dscc6/dcc/ads "ldap1 DSCC Repl Manager Cert" ldap1-dscc-certfile
dsadm add-cert --ca /var/opt/SUNWdsee/dscc6/dcc/ads "ldap2 DSCC Repl Manager Cert" ldap2-dscc-certfile
Set up a replication agreement using SSL
Run on all 3 servers (each server gets an agreement to each of the other two, over the secure port 3999).
Run on ldap1:
dsconf create-repl-agmt -w dsccreplmanpwd.txt -h ldap1 -p 3998 -e -i --auth-protocol "ssl-simple" cn=dscc ldap2:3999
dsconf create-repl-agmt -w dsccreplmanpwd.txt -h ldap1 -p 3998 -e -i --auth-protocol "ssl-simple" cn=dscc ldap3:3999
Run on ldap2:
dsconf create-repl-agmt -w dsccreplmanpwd.txt -h ldap2 -p 3998 -e -i --auth-protocol "ssl-simple" cn=dscc ldap1:3999
dsconf create-repl-agmt -w dsccreplmanpwd.txt -h ldap2 -p 3998 -e -i --auth-protocol "ssl-simple" cn=dscc ldap3:3999
Run on ldap3:
dsconf create-repl-agmt -w dsccreplmanpwd.txt -h ldap3 -p 3998 -e -i --auth-protocol "ssl-simple" cn=dscc ldap1:3999
dsconf create-repl-agmt -w dsccreplmanpwd.txt -h ldap3 -p 3998 -e -i --auth-protocol "ssl-simple" cn=dscc ldap2:3999
Set up a replication agreement password file
Run on all 3 servers (point every agreement at the password file created above).
Run on ldap1:
dsconf set-repl-agmt-prop -w dsccreplmanpwd.txt -h ldap1 -p 3998 -e -i cn=dscc \
  ldap2:3999 auth-pwd-file:/var/opt/SUNWdsee/dscc6/dcc/ads/dsccreplmanpwd.txt
dsconf set-repl-agmt-prop -w dsccreplmanpwd.txt -h ldap1 -p 3998 -e -i cn=dscc \
  ldap3:3999 auth-pwd-file:/var/opt/SUNWdsee/dscc6/dcc/ads/dsccreplmanpwd.txt
Run on ldap2:
dsconf set-repl-agmt-prop -w dsccreplmanpwd.txt -h ldap2 -p 3998 -e -i cn=dscc \
  ldap1:3999 auth-pwd-file:/var/opt/SUNWdsee/dscc6/dcc/ads/dsccreplmanpwd.txt
dsconf set-repl-agmt-prop -w dsccreplmanpwd.txt -h ldap2 -p 3998 -e -i cn=dscc \
  ldap3:3999 auth-pwd-file:/var/opt/SUNWdsee/dscc6/dcc/ads/dsccreplmanpwd.txt
Run on ldap3:
dsconf set-repl-agmt-prop -w dsccreplmanpwd.txt -h ldap3 -p 3998 -e -i cn=dscc \
  ldap1:3999 auth-pwd-file:/var/opt/SUNWdsee/dscc6/dcc/ads/dsccreplmanpwd.txt
dsconf set-repl-agmt-prop -w dsccreplmanpwd.txt -h ldap3 -p 3998 -e -i cn=dscc \
  ldap2:3999 auth-pwd-file:/var/opt/SUNWdsee/dscc6/dcc/ads/dsccreplmanpwd.txt
Now restart all 3 servers for the new replication agreements to take effect:
dsadm restart /var/opt/SUNWdsee/dscc6/dcc/ads
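The certificate import, agreement creation and password-file steps above all follow the same pattern: on every host, do something once for each other host. The script below is an added example (not from the original page or from Sun's DSEE tooling) that generates those per-host command lines for any number of registry servers, so the full mesh is produced rather than copied by hand. It only prints the commands; host names, ports and paths are the ones the page uses, and the script assumes the `<peer>-dscc-certfile` files have already been copied to the host the commands are run on.

```shell
#!/bin/sh
# Added example, not from the original page: generate the per-host commands
# for full-mesh DSCC registry replication (trust peer cert, create agreement
# over SSL, point the agreement at the password file). Nothing is executed.
# Values below follow the page; the generator itself is an assumption.

ADS=/var/opt/SUNWdsee/dscc6/dcc/ads
PWD_FILE=dsccreplmanpwd.txt
PORT=3998     # LDAP port of the DSCC registry instance
SPORT=3999    # secure port used by the replication agreements

# Print every host in the list except $1, one per line.
peers_of() {
    me="$1"; shift
    for h in "$@"; do
        [ "$h" != "$me" ] && echo "$h"
    done
    return 0
}

# Commands to run ON host $1 (remaining args: all hosts in the topology).
# Three lines per peer, in the same order the page applies them.
gen_peer_commands() {
    me="$1"; shift
    for peer in $(peers_of "$me" "$@"); do
        printf 'dsadm add-cert --ca %s "%s DSCC Repl Manager Cert" %s-dscc-certfile\n' \
            "$ADS" "$peer" "$peer"
        printf 'dsconf create-repl-agmt -w %s -h %s -p %s -e -i --auth-protocol "ssl-simple" cn=dscc %s:%s\n' \
            "$PWD_FILE" "$me" "$PORT" "$peer" "$SPORT"
        printf 'dsconf set-repl-agmt-prop -w %s -h %s -p %s -e -i cn=dscc %s:%s auth-pwd-file:%s/%s\n' \
            "$PWD_FILE" "$me" "$PORT" "$peer" "$SPORT" "$ADS" "$PWD_FILE"
    done
}

# Number of command lines generated for a host: 3 per peer, so N-1 peers give 3*(N-1).
count_peer_commands() {
    gen_peer_commands "$@" | wc -l | tr -d ' '
}

# Demo: what ldap1 must run in the three-node topology from the page.
gen_peer_commands ldap1 ldap1 ldap2 ldap3
```

Run it once per host (`gen_peer_commands ldap2 ldap1 ldap2 ldap3` and so on), review the output, then execute it on that host; the restart with `dsadm restart` still has to follow on every server, as the page says.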
Consolidate the Directory Server (DSCC) LDIF data
We need to consolidate the LDAP data from all directory servers (DSCC registries) used in the replication topology.
Do an LDIF export on ldap1, ldap2 and ldap3.
Note: This won't work without the full path to the file.
dsconf export -w dsccreplmanpwd.txt -h ldap1 -p 3998 cn=dscc /var/tmp/user/rep/dscc-ldap1.ldif
dsconf export -w dsccreplmanpwd.txt -h ldap2 -p 3998 cn=dscc /var/tmp/user/rep/dscc-ldap2.ldif
dsconf export -w dsccreplmanpwd.txt -h ldap3 -p 3998 cn=dscc /var/tmp/user/rep/dscc-ldap3.ldif
Create an LDIF import file
Create the LDIF import file by taking one of the export files, such as dscc-ldap1.ldif, and appending the following entry.
Append the server entry (the one with cn=[servername@/…]) from the LDIF file exported from each other directory server; for ldap2 it looks like this:
dn: cn=ldap2@/var/opt/SUNWdsee/dscc6/dcc/ads,cn=Servers,cn=dscc
secureport: 3999
port: 3998
servertype: ADS
instanceowner: noaccess
objectClass: extensibleobject
objectClass: top
description: DS instance used as the DSCC registry
cn: ldap2@/var/opt/SUNWdsee/dscc6/dcc/ads
creatorsName: cn=directory manager
modifiersName: cn=directory manager
createTimestamp: 20070510045551Z
modifyTimestamp: 20070510045551Z
nsUniqueId: b6ad3530-feb211db-80828567-1f32384c
............................
...................
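Copying the server entries between LDIF files by hand is where this procedure usually goes wrong (a missed attribute line, or two records run together without the blank line that separates LDIF records). The script below is an added example, not part of the original page, that does the consolidation mechanically: it pulls the record whose dn starts with `cn=<host>@` out of each export and appends it to the base export. The sample export files it creates are constructed for the demo and carry only a few of the attributes a real registry entry has.

```shell
#!/bin/sh
# Added example, not from the original page: build the consolidated DSCC import
# LDIF by pulling each replica's own registry entry
# (dn: cn=<host>@<instance path>,cn=Servers,cn=dscc) out of its export and
# appending it to one base export. The sample LDIF content below is constructed.

# Print the LDIF record from file $2 whose dn begins "cn=<host>@", followed by a
# blank line. awk paragraph mode (RS="") treats each blank-line-separated record
# as one unit, so continuation lines (leading space) stay with their record.
extract_server_entry() {
    awk -v h="$1" '
        BEGIN { RS = ""; FS = "\n" }
        {
            for (i = 1; i <= NF; i++)
                if (index($i, "dn: cn=" h "@") == 1) { print $0; print ""; exit }
        }' "$2"
}

# Copy the base export to $2, then append the server entry of every other
# replica. Remaining arguments are host:file pairs, e.g. ldap2:/path/dscc-ldap2.ldif
build_import_ldif() {
    base="$1"; out="$2"; shift 2
    cp "$base" "$out"
    echo >> "$out"          # guarantee a record separator before the first appended entry
    for spec in "$@"; do
        h=${spec%%:*}; f=${spec#*:}
        extract_server_entry "$h" "$f" >> "$out"
    done
}

# Constructed sample exports: each registry only knows its own server entry,
# which is exactly the state the page describes before consolidation.
make_sample_exports() {
    for h in ldap1 ldap2 ldap3; do
        cat > "$1/dscc-$h.ldif" <<EOF
dn: cn=dscc
cn: dscc

dn: cn=Servers,cn=dscc
cn: Servers

dn: cn=$h@/var/opt/SUNWdsee/dscc6/dcc/ads,cn=Servers,cn=dscc
secureport: 3999
port: 3998
servertype: ADS
cn: $h@/var/opt/SUNWdsee/dscc6/dcc/ads
EOF
    done
}

# Demo: consolidate three exports and print how many server entries the
# import file ends up with (3 for the three-node topology).
demo() {
    tmp=$(mktemp -d)
    make_sample_exports "$tmp"
    build_import_ldif "$tmp/dscc-ldap1.ldif" "$tmp/import.ldif" \
        "ldap2:$tmp/dscc-ldap2.ldif" "ldap3:$tmp/dscc-ldap3.ldif"
    grep -c '^dn: cn=ldap[0-9]*@' "$tmp/import.ldif"
    rm -rf "$tmp"
}

demo
```

With the real exports the call is `build_import_ldif /var/tmp/user/rep/dscc-ldap1.ldif /var/tmp/user/rep/import.ldif ldap2:/var/tmp/user/rep/dscc-ldap2.ldif ldap3:/var/tmp/user/rep/dscc-ldap3.ldif`, after which `grep -c '^dn: cn=ldap' import.ldif` should equal the number of servers in the topology before the import step.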
Import and initialize one server with the LDIF import data
Initialize one server, such as ldap1, using dscc-ldap1.ldif.
Note: This won't work without the full path to the file.
chmod 777 dscc-ldap1.ldif
dsconf import -h ldap1 -p 3998 /var/tmp/user/rep/dscc-ldap1.ldif cn=dscc
Initialize all other directory servers
Initialize ldap2 from ldap1 using the replication agreement.
on ldap1:
dsconf init-repl-dest -w dsccreplmanpwd.txt -e -i -h ldap1 -p 3998 cn=dscc ldap2:3999
dsconf init-repl-dest -w dsccreplmanpwd.txt -e -i -h ldap1 -p 3998 cn=dscc ldap3:3999
on ldap2:
dsconf init-repl-dest -w dsccreplmanpwd.txt -e -i -h ldap2 -p 3998 cn=dscc ldap1:3999
dsconf init-repl-dest -w dsccreplmanpwd.txt -e -i -h ldap2 -p 3998 cn=dscc ldap3:3999
on ldap3:
dsconf init-repl-dest -w dsccreplmanpwd.txt -e -i -h ldap3 -p 3998 cn=dscc ldap1:3999
dsconf init-repl-dest -w dsccreplmanpwd.txt -e -i -h ldap3 -p 3998 cn=dscc ldap2:3999
Show replication status
To check the replication status (if DSCC is used to manage the servers):
dsccreg list-servers -C -a
Another way to see the replication status:
dsconf show-repl-agmt-status -h ldap2 -p 3998 cn=dscc ldap1:3999
The DSCC DS instance is now replicated to both other servers. Before you can manage the /opt/ds instances from ldap2 you have to bind as the Directory Manager for these instances. The admin user (cn=admin,cn=Administrators,cn=dscc) only has the ability to stop and start these instances. To edit their contents you need to bind as the DM. Until this is done they will show up as an error in the DSCC GUI and also when running dsccreg from ldap2:
An example of the error could be displayed by running dsccreg.
To run all DSCC replication in SSL
Before adding the certificate
Before adding the certificate to the DSCC LDAP instance you will see Denied in the SSL columns (sTLS and LDAPS):
dsccreg list-servers -C -a
[root@ldap1] /var/tmp/user/rep # dsccreg list-servers -C -a
Enter DSCC administrator's password:
Hostname Port sPort Type Owner    iPath                           LDAP sTLS   LDAPS
-------- ---- ----- ---- -------- ------------------------------- ---- ------ ------
ldap3    3998 3999  ADS  noaccess /var/opt/SUNWdsee/dscc6/dcc/ads Ok   Denied Denied
ldap1    3998 3999  ADS  noaccess /var/opt/SUNWdsee/dscc6/dcc/ads Ok   Denied Denied
ldap2    3998 3999  ADS  noaccess /var/opt/SUNWdsee/dscc6/dcc/ads Ok   Denied Denied
3 server instance(s) found in DSCC on localhost.
Export the DSCC certificate
To fix this issue and run all traffic over SSL (the output above shows Denied), export each server's DSCC certificate in DER format.
On each server run this:
dsadm show-cert -o /var/tmp/user/rep/ldap1-dscc-der -F der /var/opt/SUNWdsee/dscc6/dcc/ads
dsadm show-cert -o /var/tmp/user/rep/ldap2-dscc-der -F der /var/opt/SUNWdsee/dscc6/dcc/ads
dsadm show-cert -o /var/tmp/user/rep/ldap3-dscc-der -F der /var/opt/SUNWdsee/dscc6/dcc/ads
Prepare to add the DSCC certificate
Then on each server create a file with the LDIF modify data, called modify.ldif (one file per server; all three variants are shown):
version: 1
dn: cn=ldap1@/var/opt/SUNWdsee/dscc6/dcc/ads,cn=Servers,cn=dscc
changetype: modify
add: userCertificate;binary
userCertificate;binary:< file:///var/tmp/user/rep/ldap1-dscc-der

version: 1
dn: cn=ldap2@/var/opt/SUNWdsee/dscc6/dcc/ads,cn=Servers,cn=dscc
changetype: modify
add: userCertificate;binary
userCertificate;binary:< file:///var/tmp/user/rep/ldap2-dscc-der

version: 1
dn: cn=ldap3@/var/opt/SUNWdsee/dscc6/dcc/ads,cn=Servers,cn=dscc
changetype: modify
add: userCertificate;binary
userCertificate;binary:< file:///var/tmp/user/rep/ldap3-dscc-der
Add the certificate to the DSCC LDAP instance
Then modify the DSCC LDAP entry on each server (the password is read from stdin because of -w -):
ldapmodify -h ldap1 -p 3998 -D "cn=directory manager" -w - -f ./modify.ldif
ldapmodify -h ldap2 -p 3998 -D "cn=directory manager" -w - -f ./modify.ldif
ldapmodify -h ldap3 -p 3998 -D "cn=directory manager" -w - -f ./modify.ldif
Verify if the DSCC now works in SSL
Now everything should look fine:
dsccreg list-servers -C -a
# dsccreg list-servers -C -a
Enter DSCC administrator's password:
Hostname Port sPort Type Owner    iPath                           LDAP sTLS   LDAPS
-------- ---- ----- ---- -------- ------------------------------- ---- ------ ------
ldap3    3998 3999  ADS  noaccess /var/opt/SUNWdsee/dscc6/dcc/ads Ok   Ok     Ok
ldap1    3998 3999  ADS  noaccess /var/opt/SUNWdsee/dscc6/dcc/ads Ok   Ok     Ok
ldap2    3998 3999  ADS  noaccess /var/opt/SUNWdsee/dscc6/dcc/ads Ok   Ok     Ok
3 server instance(s) found in DSCC on localhost.
Note: this is only needed for the DSCC LDAP instance; for any other instance it is not needed, as it gets fixed by going into the DSCC GUI.
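Reading the sTLS and LDAPS columns by eye is fine for three servers, but a registry that keeps replicating over plain LDAP because one certificate was never added is easy to miss in a larger topology. The script below is an added example (not from the original page) that parses `dsccreg list-servers -C -a` output and returns non-zero while any server is still Denied, so it can gate a rollout. The two tables are constructed to match the page's before and after output, except that the "before" table has ldap1 already fixed to show that only the remaining hosts are reported.

```shell
#!/bin/sh
# Added example, not from the original page: parse `dsccreg list-servers -C -a`
# output and flag registry members whose sTLS or LDAPS column is not "Ok".
# Both tables below are constructed samples modelled on the page's output.

SAMPLE_BEFORE='Hostname Port sPort Type Owner    iPath                           LDAP sTLS   LDAPS
-------- ---- ----- ---- -------- ------------------------------- ---- ------ ------
ldap3    3998 3999  ADS  noaccess /var/opt/SUNWdsee/dscc6/dcc/ads Ok   Denied Denied
ldap1    3998 3999  ADS  noaccess /var/opt/SUNWdsee/dscc6/dcc/ads Ok   Ok     Ok
ldap2    3998 3999  ADS  noaccess /var/opt/SUNWdsee/dscc6/dcc/ads Ok   Denied Denied
3 server instance(s) found in DSCC on localhost.'

SAMPLE_AFTER='Hostname Port sPort Type Owner    iPath                           LDAP sTLS   LDAPS
-------- ---- ----- ---- -------- ------------------------------- ---- ------ ------
ldap3    3998 3999  ADS  noaccess /var/opt/SUNWdsee/dscc6/dcc/ads Ok   Ok     Ok
ldap1    3998 3999  ADS  noaccess /var/opt/SUNWdsee/dscc6/dcc/ads Ok   Ok     Ok
ldap2    3998 3999  ADS  noaccess /var/opt/SUNWdsee/dscc6/dcc/ads Ok   Ok     Ok
3 server instance(s) found in DSCC on localhost.'

# Read a dsccreg table on stdin and print, sorted and space-separated, the
# hosts whose sTLS (field 8) or LDAPS (field 9) is not "Ok". Header, separator
# and footer lines are skipped because their second field is not a port number.
non_ssl_hosts() {
    awk '$2 ~ /^[0-9]+$/ && ($8 != "Ok" || $9 != "Ok") { print $1 }' \
        | sort | tr '\n' ' ' | sed 's/ $//'
}

# Take the table as an argument; return 1 while any host still lacks working
# SSL so a rollout script can stop before switching agreements to SSL-only.
check_ssl() {
    bad=$(printf '%s\n' "$1" | non_ssl_hosts)
    if [ -n "$bad" ]; then
        echo "SSL still denied on: $bad"
        return 1
    fi
    echo "all DSCC registry servers answer over sTLS and LDAPS"
}

# Demo on the constructed samples. On a live system pipe the real command in:
#   dsccreg list-servers -C -a | non_ssl_hosts
check_ssl "$SAMPLE_BEFORE" || :
check_ssl "$SAMPLE_AFTER"
```

The port-number test on the second field is what makes the parser robust to the header, the dashed separator line and the trailing "N server instance(s) found" summary without hard-coding any of them.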
To extend the Web Console timeout
wcadmin add -p -a ROOT session.timeout.value=mm
Example (120 minutes):
wcadmin add -p -a ROOT session.timeout.value=120
Reference links
- Sun Docs used in this configuration
- Sun helpful forms used in this configuration
- Sun blogs helped with SSL configuration
- Step by step DSEE configuration
What's next: How to set up your first directory instance: click here