[Oracle Solaris] ODSEE 11g Installation & Configuration

Oracle Fusion Middleware: Directory Server Enterprise 7 Installation & Configuration

This document refers to the native installation of Oracle Directory Server Enterprise Edition 7.1 (ODSEE), also part of the Oracle Fusion Middleware product line. The ZIP distribution installation is a little different; documentation for it can be found at this URL. The native installation is strictly meant to be installed on a Solaris OS. The ZIP distribution allows ODSEE to be installed on a variety of OSes such as Linux, Windows, etc.

Overview

The goal of this document is to convey concisely the information needed to get a new installation of ODSEE 7.0 up and running with little fuss on Solaris 10. The version of Solaris used for this documentation was Solaris 10/09 (U8). This document does not cover Identity Synchronization for Windows, which, by the way, is included in the native installation package used in this document. Nor does it cover setting up a Directory Proxy Server with ODSEE. The domain served in this document is goldcoast.com, and it is the LDAP base used in the examples. Note, this is just an example domain that I do not own.

Packages required before installing DSEE

This list of Shared Components was taken from: http://docs.sun.com/app/docs/doc/821-1503/dsee-native-install?l=en&a=view. Below is the list of x86-64 packages needed prior to installing DSEE. The required patches are prefixed with a plus sign (+) in the list below:

Solaris 10 x86_64 System Prerequisite Packages:

O SASL
  o SUNWsasl >= 2.17,REV=2003.07.18.13.13
    + 119346-07

O Network Security Services/Netscape Portable Runtime (NSS/NSPR)
  o SUNWpr   >= 4.6.4,REV=2006.11.16.21.41  || 4.5.1,REV=2004.11.05.03.44
  o SUNWtls  >= 3.11.4,REV=2006.11.16.21.41 || 3.9.5,REV=2005.01.14.19.03
  o SUNWtlsu >= 3.11.4,REV=2006.11.16.21.41 || 3.9.5,REV=2005.01.14.19.03
    + 125359-11 || 119214-23

O International Components for Unicode (ICU)
  o SUNWicu >= 1.2,REV=2005.01.06.14.13
    + 119811-05

O Java Development Kit 1.6
  o SUNWj6rt  >= 1.6.0,REV=2006.11.29.05.03
    + 125138-22
  o SUNWj6rtx >= 1.6.0,REV=2006.11.29.02.51
    + 125139-22

O Java Dynamic Management Kit Runtime
  o SUNWjdmk-runtime     >= 5.1,REV=34
  o SUNWjdmk-runtime-jmx >= 5.1,REV=34
    + 119044-03

O Common Agent Container Runtime
  o SUNWcacaort >= 2.0,REV=15
    + 123896-22

O Sun Java Monitoring Framework (MFWK)
  o SUNWmfwk-rt >= 2.0,REV=2006.11.24
    + 125446-13

O LDAP C SDK
  o SUNWldapcsdk-libs   >= 6.00,REV=2006.12.11.00.35
  o SUNWldapcsdk-tools  >= 6.00,REV=2006.12.11.00.35
  o SUNWldapcsdk-dev    >= 6.00,REV=2006.12.11.00.35
    + 136800-03

O LDAP Java SDK
  o SUNWljdk >= 1.0,REV=2004.10.11.06.02
    + 119725-06

You can verify which of these packages are installed on your system by using pkgparam. Below, the packages listed above are fed to pkgparam:

# for pkg in `echo SUNWpr SUNWtls SUNWtlsu SUNWicu SUNWj6rt \
     SUNWj6rtx SUNWjdmk-runtime SUNWjdmk-runtime-jmx SUNWcacaort \
     SUNWmfwk-rt SUNWldapcsdk-libs`; do pkgparam -v $pkg VERSION PATCHLIST; done

VERSION='4.5.1,REV=2004.11.05.03.44'
PATCHLIST='119214-19'
VERSION='3.9.5,REV=2005.01.14.19.03'
PATCHLIST='119214-19'
VERSION='3.9.5,REV=2005.01.14.19.03'
PATCHLIST='119214-19'
VERSION='1.2,REV=2005.01.06.14.13'
PATCHLIST='119811-05'
pkgparam: ERROR: unable to locate parameter information for "SUNWj6rt"
pkgparam: ERROR: unable to locate parameter information for "SUNWj6rtx"
pkgparam: ERROR: unable to locate parameter information for "SUNWjdmk-runtime"
pkgparam: ERROR: unable to locate parameter information for "SUNWjdmk-runtime-jmx"
VERSION='2.0,REV=15'
PATCHLIST='123896-14'
pkgparam: ERROR: unable to locate parameter information for "SUNWmfwk-rt"
pkgparam: ERROR: unable to locate parameter information for "SUNWldapcsdk-libs"

Based on the above we need to manually add the following packages:

SUNWsasl
SUNWj6rt
SUNWj6rtx
SUNWjdmk-runtime
SUNWjdmk-runtime-jmx
SUNWmfwk-rt
SUNWldapcsdk-libs

which can be installed from the installation DVD that came with your system and/or from the native packages of ODSEE.

In my case, the following packages were installed from the DVD, under ../Solaris_10/Product:

# pkgadd -d . SUNWj6rt SUNWj6rtx

and the following were installed from the “Native Packages for DSEE”, under ../ODSEE_PKG_Distribution. Note: if you have not yet downloaded the native packages, I describe how to do so below under “Downloading the Software”.

# pkgadd -d . SUNWsasl SUNWjdmk-runtime SUNWjdmk-runtime-jmx SUNWmfwk-rt SUNWldapcsdk-libs

Again, when we verify the packages on our system we should have something similar to the following:

bash-3.00# for pkg in `echo SUNWpr SUNWtls SUNWtlsu SUNWicu SUNWj6rt \
      SUNWj6rtx SUNWjdmk-runtime SUNWjdmk-runtime-jmx SUNWcacaort \
      SUNWmfwk-rt SUNWldapcsdk-libs`; do pkgparam -v $pkg VERSION PATCHLIST; done

VERSION='4.5.1,REV=2004.11.05.03.44'
PATCHLIST='119214-19'
VERSION='3.9.5,REV=2005.01.14.19.03'
PATCHLIST='119214-19'
VERSION='3.9.5,REV=2005.01.14.19.03'
PATCHLIST='119214-19'
VERSION='1.2,REV=2005.01.06.14.13'
PATCHLIST='119811-05'
VERSION='1.6.0,REV=2006.11.29.05.03'
PATCHLIST='125138-19 125138-23'
VERSION='1.6.0,REV=2006.11.29.02.51'
PATCHLIST='125139-19 125139-23'
VERSION='5.1,REV=34'
PATCHLIST='119044-03'
VERSION='5.1,REV=34'
PATCHLIST='119044-03'
VERSION='2.0,REV=15'
PATCHLIST='123896-14'
VERSION='2.0,REV=2006.11.24'
PATCHLIST='125446-09'
VERSION='6.00,REV=2006.12.11.00.35'
PATCHLIST='136800-03 145086-01'
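To make this check repeatable, here is an added example script (not from the original post or from Oracle) that reads the VERSION/PATCHLIST lines pkgparam prints for each package in the table above and reports whether the installed version and patch revision meet the stated minimums; it also handles the two alternative version/patch pairs the table gives for NSS/NSPR. The function names and the report words (missing, old-version, missing-patch, ok) are this script's own.

```shell
#!/bin/sh
# Prerequisite checker for the DSEE shared components (added example, not
# from the original post or from Oracle). It parses the VERSION/PATCHLIST
# lines pkgparam prints and compares them with the minimum version and
# patch revision the table above requires. '|' separates alternatives.

# vers_ge HAVE NEED: succeed when HAVE >= NEED. Both look like
# "4.6.4,REV=2006.11.16.21.41": the dotted number is compared field by
# field and the REV stamp (a zero-padded date or a plain integer) breaks ties.
vers_ge() {
    awk -v have="$1" -v need="$2" '
    function cmp(a, b,    pa, pb, na, nb, i, n) {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++)
            if (pa[i] + 0 != pb[i] + 0) return (pa[i] + 0) - (pb[i] + 0)
        return 0
    }
    BEGIN {
        split(have, hv, ","); split(need, nd, ",")
        c = cmp(hv[1], nd[1])
        if (c == 0) c = cmp(substr(hv[2], 5), substr(nd[2], 5))   # drop "REV="
        exit (c >= 0) ? 0 : 1
    }'
}

# patch_ok PATCHLIST REQUIRED: succeed when PATCHLIST ("125138-19 125138-23")
# carries REQUIRED's patch id at the required revision or later.
patch_ok() {
    [ -z "$2" ] && return 0
    req_id=${2%-*}; req_rev=${2#*-}
    for p in $1; do
        [ "${p%-*}" = "$req_id" ] && [ "${p#*-}" -ge "$req_rev" ] && return 0
    done
    return 1
}

# check_pkg_output OUTPUT MINVERS REQPATCHES: judge captured pkgparam text.
# The i-th '|'-separated version pairs with the i-th patch. Prints one of
# missing, old-version, missing-patch, ok; exit status 0 only for ok.
check_pkg_output() {
    out=$1; vers=$2; pats=$3; result=old-version
    case $out in
        ''|*"unable to locate parameter information"*) echo missing; return 1 ;;
    esac
    ver=$(printf '%s\n' "$out" | sed -n "s/^VERSION='\(.*\)'\$/\1/p")
    pl=$(printf '%s\n' "$out" | sed -n "s/^PATCHLIST='\(.*\)'\$/\1/p")
    while [ -n "$vers" ]; do
        v=${vers%%|*}; p=${pats%%|*}
        if vers_ge "$ver" "$v"; then
            if patch_ok "$pl" "$p"; then echo ok; return 0; fi
            result=missing-patch
        fi
        [ "$vers" = "$v" ] && break          # last alternative consumed
        vers=${vers#*|}; pats=${pats#*|}
    done
    echo "$result"; return 1
}

# check_pkg PKG MINVERS REQPATCHES: query pkgparam on a Solaris host.
check_pkg() {
    out=$(pkgparam -v "$1" VERSION PATCHLIST 2>&1) || true
    printf '%-22s %s\n' "$1" "$(check_pkg_output "$out" "$2" "$3")"
}

# Minimums from the Shared Components table above.
REQUIREMENTS='
SUNWsasl 2.17,REV=2003.07.18.13.13 119346-07
SUNWpr 4.6.4,REV=2006.11.16.21.41|4.5.1,REV=2004.11.05.03.44 125359-11|119214-23
SUNWtls 3.11.4,REV=2006.11.16.21.41|3.9.5,REV=2005.01.14.19.03 125359-11|119214-23
SUNWtlsu 3.11.4,REV=2006.11.16.21.41|3.9.5,REV=2005.01.14.19.03 125359-11|119214-23
SUNWicu 1.2,REV=2005.01.06.14.13 119811-05
SUNWj6rt 1.6.0,REV=2006.11.29.05.03 125138-22
SUNWj6rtx 1.6.0,REV=2006.11.29.02.51 125139-22
SUNWjdmk-runtime 5.1,REV=34 119044-03
SUNWjdmk-runtime-jmx 5.1,REV=34 119044-03
SUNWcacaort 2.0,REV=15 123896-22
SUNWmfwk-rt 2.0,REV=2006.11.24 125446-13
SUNWldapcsdk-libs 6.00,REV=2006.12.11.00.35 136800-03
SUNWldapcsdk-tools 6.00,REV=2006.12.11.00.35 136800-03
SUNWldapcsdk-dev 6.00,REV=2006.12.11.00.35 136800-03
SUNWljdk 1.0,REV=2004.10.11.06.02 119725-06
'

# Walk the table where pkgparam exists; elsewhere only the functions are defined.
if command -v pkgparam >/dev/null 2>&1; then
    printf '%s\n' "$REQUIREMENTS" | while read -r pkg minvers reqpatches; do
        [ -n "$pkg" ] && check_pkg "$pkg" "$minvers" "$reqpatches"
    done
fi
```

Fed the pkgparam output shown above, the NSS/NSPR packages come back as missing-patch: the system carries 119214-19 where the table's second alternative calls for 119214-23.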

At this point we can proceed to download and install ODSEE.

Downloading the Software

The following URL may be used to download Oracle Directory Server Enterprise Edition and may require a login: http://edelivery.oracle.com

Steps: (these may be slightly different for you.)

  1. “Choose a Language ==> English”, Continue
  2. Enter registration information
  3. Then, “Select a Product Pack” ==> Oracle Fusion Middleware
  4. Then, “Platform” ==> Oracle Solaris on x86-64 (64-bit) and click “Go”
  5. Select “Oracle Fusion Middleware 11g Media Pack for Other Platforms”, then “Continue”, then choose to download:
  6. Oracle Directory Server Enterprise Edition 11gR1 for Oracle Solaris on x86-64 (64-bit) (Solaris Package)

The “Solaris Package” is the same as the “Native Package”, and the “Compressed Archive” is what is commonly referred to as the “ZIP distribution”. As noted, in my case the “Solaris Package” was downloaded and the filename was something like V21894-01.zip. The filename may differ, but the package content should be the same. Once it has been extracted, we should have content similar to the following:

COPYRIGHT.txt*                               README.txt*
ODSEE_Identity_Synchronization_for_Windows/  THIRDPARTYLICENSEREADME-ODSEE.txt*
ODSEE_PKG_Distribution/

Installing Directory Server Enterprise Edition

There are three main packages that need to be installed from the Native Package Distribution and they are:

  1. SUNWdsee7
  2. SUNWdsee7-var
  3. SUNWdsee7-man

bash-3.00# pwd
../ODSEE_PKG_Distribution

bash-3.00# pkgadd -d . SUNWdsee7 SUNWdsee7-var SUNWdsee7-man
[ verifying class  ]

Installation of <SUNWdsee7-man> was successful.

All binaries necessary to set up DSEE are installed under /opt/SUNWdsee7/bin/, so placing this directory in your PATH may prove convenient after the initial setup phase of ODSEE.

Pre-Configuring the Directory Server Enterprise Edition

I suggest you install the en_US locales if they are not currently on your system, but this is completely optional -:). On my system the following were installed by default:

bash-3.00# locale -a
C
POSIX
iso_8859_1
bash-3.00#

But I decided to install the en_US locales as well. Assuming the Solaris ISO image is mounted under /mnt, you can install the en_US locales by issuing:

bash-3.00# localeadm -a nam -d /mnt | tee /var/log/install-locale.log

And, when prompted with a message like:

No langcd1 image has been found in/mnt/Solaris_10/Product

Please enter the path to this image/disk, or enter 'q' to quit:
 (if this image is on CD-ROM, please mount the disk and give the path to the CD-ROM drive e.g. /cdrom/cdrom0)
 >

Just type ‘q’ unless you have the ‘langcd1’ image. Once done, set the locale in your current working environment to ‘en_US’:

# export LANG=en_US

Post-Configuring the Directory Server Enterprise Edition

bash-3.00# dsccsetup initialize
***
Registering DSCC Agent in Cacao...
Checking Cacao status...
Deploying DSCC agent in Cacao...
DSCC Agent will use locale en_US and charset ISO8859-1
DSCC agent has been successfully registered in Cacao.
***
Choose password for Directory Service Manager:
Confirm password for Directory Service Manager:
Creating DSCC registry...
ld.so.1: dsadm: fatal: libsasl.so: version `SUNWprivate1.1' not found (required by file /usr/lib/mps/libldap60.so)
ld.so.1: dsadm: fatal: libsasl.so: open failed: No such file or directory
rc = 9
/opt/SUNWdsee7/bin/dsadm exited with unexpected error code 9
Sofware installation is probably incomplete or corrupted
***

If you received the above error message, you need to install SUNWsasl (I missed this one the first time around):

# pkgadd -d . SUNWsasl

Then, try again:

bash-3.00# dsccsetup  initialize
***
DSCC Agent is already registered
***
Choose password for Directory Service Manager:
Confirm password for Directory Service Manager:
Passwords mismatch
Choose password for Directory Service Manager:
Confirm password for Directory Service Manager:
Creating DSCC registry...
DSCC Registry has been created successfully
***
Created /var/opt/SUNWdsee7/dscc7.war
***

Choose a password that will be used for the “Directory Service Manager”. Afterwards, check the status of the initialization:

bash-3.00# dsccsetup status
***
DSCC Agent is registered in Cacao
***
DSCC Registry has been created
Path of DSCC registry is /var/opt/SUNWdsee7/dcc/ads
Port of DSCC registry is 3998
***

Create Directory Server Instance

(Optional) If you would like to run the Directory Server instance as a non-root user, Keith Bucher, at http://blog.halomede.com/2009/10/running-sun-directory-server-63-as-non.html, described how to perform this step in a nutshell:

# groupadd ldap
# useradd -g ldap -s /bin/false -c "ldap" ldap
# usermod -K defaultpriv=basic,proc_owner,net_privaddr ldap
# dsadm create -u ldap /odsee

I have not fully tested the above, but I am including it here in case it strikes anyone’s interest. My DSCC instance runs as the root user in a Solaris zone. The command below creates the DS instance as the root user:

bash-3.00# dsadm create -h odsee -p 389 -P 636 /odsee
Choose the Directory Manager password:
Confirm the Directory Manager password:
Use 'dsadm start '/odsee'' to start the instance
bash-3.00# dsadm start /odsee
Directory Server instance '/odsee' started: pid=10384
bash-3.00# ls /odsee/
alias    bak      config   db       ldif     locks    logs     plugins  tmp

Check the status:

bash-3.00# dsadm info /odsee/
Instance Path:         /odsee
Owner:                 root(root)
Non-secure port:       389
Secure port:           636
Bit format:            64-bit
State:                 Running
Server PID:            10384
DSCC url:              -
SMF application name:  -
Instance version:      D-A10

A good advantage of using the native packages when installing ODSEE is that SMF can automatically manage the instance when the server boots. To have this newly created instance managed by SMF, first stop the instance, then run:

# dsadm enable-service --type SMF /<instance-path>

So in our case, we perform:

bash-3.00# dsadm stop /odsee
Directory Server instance '/odsee' stopped

bash-3.00# dsadm enable-service --type SMF /odsee
Registering 'Directory Server' as 'application/sun/ds7' in SMF ...
Registering '/odsee' as 'ds7-odsee' in SMF ...
Instance /odsee registered in SMF
Use 'dsadm start '/odsee'' to activate the service

bash-3.00# dsadm start /odsee
bash-3.00# svcs -a | grep odsee
online         16:24:53 svc:/application/sun/ds7:ds7-odsee

And for the DSCC do something similar:

# dsadm enable-service --type SMF /var/opt/SUNWdsee7/dcc/ads

If necessary, register the server instance with the Directory Service Control Center:

bash-3.00# dsccreg add-server -h odsee --description "Oracle DSEE" /odsee
Enter DSCC administrator's password:
/odsee is an instance of DS
Enter password of "cn=Directory Manager" for /odsee:
This operation will restart /odsee.
Do you want to continue ? (y/n) y
Connecting to /odsee (using ldap://127.0.0.1:389)
Enabling DSCC access to /odsee
Restarting /odsee
Registering /odsee in DSCC on odsee.

Creating Suffixes

bash-3.00# dsconf create-suffix dc=goldcoast,dc=com
Certificate "CN=odsee, CN=636, CN=Directory Server, O=Sun Microsystems" presented by the server is not trusted.
Type "Y" to accept, "y" to accept just once, "n" to refuse, "d" for more details: Y
Enter "cn=Directory Manager" password:

Create a sub-suffix called ‘users’ to contain user accounts, and attach it to the parent suffix. Attaching a sub-suffix to a parent suffix creates an interdependency that prevents the parent suffix from being deleted without first removing the sub-suffix:

bash-3.00# dsconf create-suffix ou=users,dc=goldcoast,dc=com
Enter "cn=Directory Manager" password:
"ou=users,dc=goldcoast,dc=com" has been created as a subsuffix of "dc=goldcoast,dc=com".

bash-3.00# dsconf set-suffix-prop -h odsee ou=users,dc=goldcoast,dc=com parent-suffix-dn:dc=goldcoast,dc=com
Enter "cn=Directory Manager" password:

bash-3.00# dsconf get-suffix-prop -h odsee ou=users,dc=goldcoast,dc=com
Enter "cn=Directory Manager" password:
all-ids-threshold                  :  inherited (4000)
compressed-entries                 :  overflow
compression-mode                   :  none
db-name                            :  users
db-path                            :  /odsee/db/users
enabled                            :  on
entry-cache-count                  :  unlimited
entry-cache-size                   :  10M
entry-count                        :  1
index-filter-analyzer-enabled      :  off
index-filter-analyzer-max-entries  :  2000
moddn-enabled                      :  inherited (off)
parent-suffix-dn                   :  dc=goldcoast,dc=com
referral-mode                      :  disabled
referral-url                       :  undefined
repl-accept-client-update-enabled  :  N/A
repl-cl-max-age                    :  N/A
repl-cl-max-entry-count            :  N/A
repl-id                            :  N/A
repl-manager-bind-dn               :  N/A
repl-purge-delay                   :  N/A
repl-rewrite-referrals-enabled     :  N/A
repl-role                          :  not-replicated
require-index-enabled              :  off

Prepare Directory Server Enterprise Edition (DSEE) to be populated with data and to serve LDAP clients. The tool ‘idsconfig’ is run immediately after a server instance is created on the LDAP server. The idsconfig that ships with DSEE 7.0 has a minor bug that prevents the script from running. Here is what it looks like:

bash-3.00# /usr/lib/ldap/idsconfig.orig

It is strongly recommended that you BACKUP the directory server
before running idsconfig.

Hit Ctrl-C at any time before the final confirmation to exit.
Do you wish to continue with server setup (y/n/h)? [n] y
Enter the JES Directory Server's  hostname to setup: odsee
Enter the port number for iDS (h=help): [389]
ERROR: idsconfig only works with JES DS version 5.x and 6.x, not 11.1.1.3.0.

In short, this is caused by a very simple check that refuses to run the script if the installed DSEE version is not 5.x or 6.x; the 7.x release (which reports itself as 11.1.1.3.0, as shown above) was left out. Until this is fixed in a later release we have to make the change by hand. But first, here is the patch if you know how to apply it.

--- /usr/lib/ldap/idsconfig        Tue Jan 11 23:57:51 2011
+++ /tmp/idsconfig   Sun Jan 30 00:01:15 2011
@@ -1250,7 +1250,7 @@
     IDS_VER=`cat ${TMPDIR}/checkDSver`
     IDS_MAJVER=`${ECHO} ${IDS_VER} | cut -f1 -d.`
     IDS_MINVER=`${ECHO} ${IDS_VER} | cut -f2 -d.`
-    if [ "${IDS_MAJVER}" != "5" ] && [ "${IDS_MAJVER}" != "6" ]; then
+    if [ "${IDS_MAJVER}" != "5" ] && [ "${IDS_MAJVER}" != "6" ] && [ "${IDS_MAJVER}" != "1
1" ]; then
        ${ECHO} "ERROR: $PROG only works with JES DS version 5.x and 6.x, not ${IDS_VER}."
        exit 1
     fi
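Review bot: the unchanged `${ECHO} "ERROR: $PROG only works with JES DS version 5.x and 6.x, not ${IDS_VER}."` line no longer matches the condition above it, which now also accepts a major version of 11; change the message to `... version 5.x, 6.x and 11.x, not ${IDS_VER}.` so that a genuine rejection is not misleading. Also, the added `+` line in this copy is broken after `"1` onto a second line; anyone applying the patch by hand should reassemble `&& [ "${IDS_MAJVER}" != "11" ]` on the single `if` line. Since `IDS_MAJVER` is just `cut -f1 -d.` of the reported version, this string comparison will need the same treatment for any later major release.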

The following work-around allows idsconfig to work. First, back up the file:

# cp /usr/lib/ldap/idsconfig /usr/lib/ldap/idsconfig.orig

Edit the script, idsconfig, and change the line:

  if [ "${IDS_MAJVER}" != "5" ] && [ "${IDS_MAJVER}" != "6" ]; then

to

  if [ "${IDS_MAJVER}" != "5" ] && [ "${IDS_MAJVER}" != "6" ] && [ "${IDS_MAJVER}" != "11" ]; then

Now we can run idsconfig and continue without interruptions.

bash-3.00# idsconfig

It is strongly recommended that you BACKUP the directory server
before running idsconfig.

Hit Ctrl-C at any time before the final confirmation to exit.

Do you wish to continue with server setup (y/n/h)? [n] y
Enter the JES Directory Server's  hostname to setup: odsee
Enter the port number for iDS (h=help): [389]
Enter the directory manager DN: [cn=Directory Manager]
Enter passwd for cn=Directory Manager :
Enter the domainname to be served (h=help): [goldcoast.com]
Enter LDAP Base DN (h=help): [dc=goldcoast,dc=com]
  Checking LDAP Base DN ...
  Validating LDAP Base DN and Suffix ...
  sasl/GSSAPI is not supported by this LDAP server
Enter the profile name (h=help): [default]
Default server list (h=help): [192.168.1.6]
Preferred server list (h=help):
Choose desired search scope (one, sub, h=help):  [one] sub
The following are the supported credential levels:
  1  anonymous
  2  proxy
  3  proxy anonymous
  4  self
  5  self proxy
  6  self proxy anonymous
Choose Credential level [h=help]: [1] 2
The following are the supported Authentication Methods:
  1  none
  2  simple
  3  sasl/DIGEST-MD5
  4  tls:simple
  5  tls:sasl/DIGEST-MD5
  6  sasl/GSSAPI
Choose Authentication Method (h=help): [1] 2

Current authenticationMethod: simple

Do you want to add another Authentication Method?
Please enter y or n.
Do you want to add another Authentication Method? n
Do you want the clients to follow referrals (y/n/h)? [n]
Do you want to modify the server timelimit value (y/n/h)? [n]
Do you want to modify the server sizelimit value (y/n/h)? [n]
Do you want to store passwords in "crypt" format (y/n/h)? [n]
Do you want to setup a Service Authentication Methods (y/n/h)? [n]
Client search time limit in seconds (h=help): [30]
Profile Time To Live in seconds (h=help): [43200]
Bind time limit in seconds (h=help): [10]
Do you want to enable shadow update (y/n/h)? [n]
Do you wish to setup Service Search Descriptors (y/n/h)? [n] y

  A  Add a Service Search Descriptor
  D  Delete a SSD
  M  Modify a SSD
  P  Display all SSD's
  H  Help
  X  Clear all SSD's

  Q  Exit menu
Enter menu choice: [Quit] ^C
bash-3.00#
bash-3.00# idsconfig

It is strongly recommended that you BACKUP the directory server
before running idsconfig.

Hit Ctrl-C at any time before the final confirmation to exit.

Do you wish to continue with server setup (y/n/h)? [n] y
Enter the JES Directory Server's  hostname to setup: odsee
Enter the port number for iDS (h=help): [389]
Enter the directory manager DN: [cn=Directory Manager]
Enter passwd for cn=Directory Manager :
Enter the domainname to be served (h=help): [goldcoast.com]
Enter LDAP Base DN (h=help): [dc=goldcoast,dc=com]
  Checking LDAP Base DN ...
  Validating LDAP Base DN and Suffix ...
  sasl/GSSAPI is not supported by this LDAP server
Enter the profile name (h=help): [default]
Default server list (h=help): [192.168.1.6]
Preferred server list (h=help):
Choose desired search scope (one, sub, h=help):  [one]
The following are the supported credential levels:
  1  anonymous
  2  proxy
  3  proxy anonymous
  4  self
  5  self proxy
  6  self proxy anonymous
Choose Credential level [h=help]: [1] 2
The following are the supported Authentication Methods:
  1  none
  2  simple
  3  sasl/DIGEST-MD5
  4  tls:simple
  5  tls:sasl/DIGEST-MD5
  6  sasl/GSSAPI
Choose Authentication Method (h=help): [1] 2

Current authenticationMethod: simple

Do you want to add another Authentication Method? n
Do you want the clients to follow referrals (y/n/h)? [n]
Do you want to modify the server timelimit value (y/n/h)? [n] y
Enter the time limit for iDS (current=3600): [-1]
Do you want to modify the server sizelimit value (y/n/h)? [n] y
Enter the size limit for iDS (current=2000): [-1]
Do you want to store passwords in "crypt" format (y/n/h)? [n] y
Do you want to setup a Service Authentication Methods (y/n/h)? [n]
Client search time limit in seconds (h=help): [30] 10
Profile Time To Live in seconds (h=help): [43200]
Bind time limit in seconds (h=help): [10]
Do you want to enable shadow update (y/n/h)? [n]
Do you wish to setup Service Search Descriptors (y/n/h)? [n] y
  A  Add a Service Search Descriptor
  D  Delete a SSD
  M  Modify a SSD
  P  Display all SSD's
  H  Help
  X  Clear all SSD's

  Q  Exit menu
Enter menu choice: [Quit] a
Enter the service id: passwd
Enter the base: ou=users,dc=goldcoast,dc=com
Enter the scope: one
  A  Add a Service Search Descriptor
  D  Delete a SSD
  M  Modify a SSD
  P  Display all SSD's
  H  Help
  X  Clear all SSD's

  Q  Exit menu
Enter menu choice: [Quit] a
Enter the service id: group
Enter the base: ou=groups,dc=goldcoast,dc=com
Enter the scope: one
  A  Add a Service Search Descriptor
  D  Delete a SSD
  M  Modify a SSD
  P  Display all SSD's
  H  Help
  X  Clear all SSD's

  Q  Exit menu
Enter menu choice: [Quit]

              Summary of Configuration

  1  Domain to serve               : goldcoast.com
  2  Base DN to setup              : dc=goldcoast,dc=com
  3  Profile name to create        : default
  4  Default Server List           : 192.168.1.6
  5  Preferred Server List         :
  6  Default Search Scope          : one
  7  Credential Level              : proxy
  8  Authentication Method         : simple
  9  Enable Follow Referrals       : FALSE
 10  iDS Time Limit                : -1
 11  iDS Size Limit                : -1
 12  Enable crypt password storage : TRUE
 13  Service Auth Method pam_ldap  :
 14  Service Auth Method keyserv   :
 15  Service Auth Method passwd-cmd:
 16  Search Time Limit             : 10
 17  Profile Time to Live          : 43200
 18  Bind Limit                    : 10
 19  Enable shadow update          : FALSE
 20  Service Search Descriptors Menu

Enter config value to change: (1-20 0=commit changes) [0]
Enter DN for proxy agent: [cn=proxyagent,ou=profile,dc=goldcoast,dc=com]
Enter passwd for proxyagent:
Re-enter passwd:

WARNING: About to start committing changes. (y=continue, n=EXIT) y

  1. Changed timelimit to -1 in cn=config.
  2. Changed sizelimit to -1 in cn=config.
  3. Changed passwordstoragescheme to "crypt" in cn=config.
  4. Schema attributes have been updated.
  5. Schema objectclass definitions have been added.
  6. NisDomainObject added to dc=goldcoast,dc=com.
  7. Top level "ou" containers complete.
  8. automount maps: auto_home auto_direct auto_master auto_shared processed.
  9. ACI for dc=goldcoast,dc=com modified to disable self modify.
  10. Add of VLV Access Control Information (ACI).
  11. Proxy Agent cn=proxyagent,ou=profile,dc=goldcoast,dc=com added.
  12. Give cn=proxyagent,ou=profile,dc=goldcoast,dc=com read permission for password.
  13. Generated client profile and loaded on server.
  14. Processing eq,pres indexes:
      uidNumber (eq,pres)   Finished indexing.
      ipNetworkNumber (eq,pres)   Finished indexing.
      gidnumber (eq,pres)   Finished indexing.
      oncrpcnumber (eq,pres)   Finished indexing.
      automountKey (eq,pres)   Finished indexing.
  15. Processing eq,pres,sub indexes:
      ipHostNumber (eq,pres,sub)   Finished indexing.
      membernisnetgroup (eq,pres,sub)   Finished indexing.
      nisnetgrouptriple (eq,pres,sub)   Finished indexing.
  16. Processing VLV indexes:
      goldcoast.com.getgrent vlv_index   Entry created
      goldcoast.com.gethostent vlv_index   Entry created
      goldcoast.com.getnetent vlv_index   Entry created
      goldcoast.com.getpwent vlv_index   Entry created
      goldcoast.com.getrpcent vlv_index   Entry created
      goldcoast.com.getspent vlv_index   Entry created
      goldcoast.com.getauhoent vlv_index   Entry created
      goldcoast.com.getsoluent vlv_index   Entry created
      goldcoast.com.getauduent vlv_index   Entry created
      goldcoast.com.getauthent vlv_index   Entry created
      goldcoast.com.getexecent vlv_index   Entry created
      goldcoast.com.getprofent vlv_index   Entry created
      goldcoast.com.getmailent vlv_index   Entry created
      goldcoast.com.getbootent vlv_index   Entry created
      goldcoast.com.getethent vlv_index   Entry created
      goldcoast.com.getngrpent vlv_index   Entry created
      goldcoast.com.getipnent vlv_index   Entry created
      goldcoast.com.getmaskent vlv_index   Entry created
      goldcoast.com.getprent vlv_index   Entry created
      goldcoast.com.getip4ent vlv_index   Entry created
      goldcoast.com.getip6ent vlv_index   Entry created

idsconfig: Setup of iDS server odsee is complete.


Note: idsconfig has created entries for VLV indexes.

      For DS5.x, use the directoryserver(1m) script on odsee
      to stop the server.  Then, using directoryserver, follow the
      directoryserver examples below to create the actual VLV indexes.

      For DS6.x, use dsadm command delivered with DS6.x on odsee
      to stop the server.  Then, using dsadm, follow the
      dsadm examples below to create the actual VLV indexes.

  directoryserver -s <server-instance> vlvindex -n goldcoast -T goldcoast.com.getgrent
  directoryserver -s <server-instance> vlvindex -n goldcoast -T goldcoast.com.gethostent
  directoryserver -s <server-instance> vlvindex -n goldcoast -T goldcoast.com.getnetent
  directoryserver -s <server-instance> vlvindex -n goldcoast -T goldcoast.com.getpwent
  directoryserver -s <server-instance> vlvindex -n goldcoast -T goldcoast.com.getrpcent
  directoryserver -s <server-instance> vlvindex -n goldcoast -T goldcoast.com.getspent
  directoryserver -s <server-instance> vlvindex -n goldcoast -T goldcoast.com.getauhoent
  directoryserver -s <server-instance> vlvindex -n goldcoast -T goldcoast.com.getsoluent
  directoryserver -s <server-instance> vlvindex -n goldcoast -T goldcoast.com.getauduent
  directoryserver -s <server-instance> vlvindex -n goldcoast -T goldcoast.com.getauthent
  directoryserver -s <server-instance> vlvindex -n goldcoast -T goldcoast.com.getexecent
  directoryserver -s <server-instance> vlvindex -n goldcoast -T goldcoast.com.getprofent
  directoryserver -s <server-instance> vlvindex -n goldcoast -T goldcoast.com.getmailent
  directoryserver -s <server-instance> vlvindex -n goldcoast -T goldcoast.com.getbootent
  directoryserver -s <server-instance> vlvindex -n goldcoast -T goldcoast.com.getethent
  directoryserver -s <server-instance> vlvindex -n goldcoast -T goldcoast.com.getngrpent
  directoryserver -s <server-instance> vlvindex -n goldcoast -T goldcoast.com.getipnent
  directoryserver -s <server-instance> vlvindex -n goldcoast -T goldcoast.com.getmaskent
  directoryserver -s <server-instance> vlvindex -n goldcoast -T goldcoast.com.getprent
  directoryserver -s <server-instance> vlvindex -n goldcoast -T goldcoast.com.getip4ent
  directoryserver -s <server-instance> vlvindex -n goldcoast -T goldcoast.com.getip6ent


  <install-path>/bin/dsadm reindex -l -t goldcoast.com.getgrent <directory-instance-path> dc=goldcoast,dc=com
  <install-path>/bin/dsadm reindex -l -t goldcoast.com.gethostent <directory-instance-path> dc=goldcoast,dc=com
  <install-path>/bin/dsadm reindex -l -t goldcoast.com.getnetent <directory-instance-path> dc=goldcoast,dc=com
  <install-path>/bin/dsadm reindex -l -t goldcoast.com.getpwent <directory-instance-path> dc=goldcoast,dc=com
  <install-path>/bin/dsadm reindex -l -t goldcoast.com.getrpcent <directory-instance-path> dc=goldcoast,dc=com
  <install-path>/bin/dsadm reindex -l -t goldcoast.com.getspent <directory-instance-path> dc=goldcoast,dc=com
  <install-path>/bin/dsadm reindex -l -t goldcoast.com.getauhoent <directory-instance-path> dc=goldcoast,dc=com
  <install-path>/bin/dsadm reindex -l -t goldcoast.com.getsoluent <directory-instance-path> dc=goldcoast,dc=com
  <install-path>/bin/dsadm reindex -l -t goldcoast.com.getauduent <directory-instance-path> dc=goldcoast,dc=com
  <install-path>/bin/dsadm reindex -l -t goldcoast.com.getauthent <directory-instance-path> dc=goldcoast,dc=com
  <install-path>/bin/dsadm reindex -l -t goldcoast.com.getexecent <directory-instance-path> dc=goldcoast,dc=com
  <install-path>/bin/dsadm reindex -l -t goldcoast.com.getprofent <directory-instance-path> dc=goldcoast,dc=com
  <install-path>/bin/dsadm reindex -l -t goldcoast.com.getmailent <directory-instance-path> dc=goldcoast,dc=com
  <install-path>/bin/dsadm reindex -l -t goldcoast.com.getbootent <directory-instance-path> dc=goldcoast,dc=com
  <install-path>/bin/dsadm reindex -l -t goldcoast.com.getethent <directory-instance-path> dc=goldcoast,dc=com
  <install-path>/bin/dsadm reindex -l -t goldcoast.com.getngrpent <directory-instance-path> dc=goldcoast,dc=com
  <install-path>/bin/dsadm reindex -l -t goldcoast.com.getipnent <directory-instance-path> dc=goldcoast,dc=com
  <install-path>/bin/dsadm reindex -l -t goldcoast.com.getmaskent <directory-instance-path> dc=goldcoast,dc=com
  <install-path>/bin/dsadm reindex -l -t goldcoast.com.getprent <directory-instance-path> dc=goldcoast,dc=com
  <install-path>/bin/dsadm reindex -l -t goldcoast.com.getip4ent <directory-instance-path> dc=goldcoast,dc=com
  <install-path>/bin/dsadm reindex -l -t goldcoast.com.getip6ent <directory-instance-path> dc=goldcoast,dc=com

And as suggested, stop the instance, then reindex (choose from the examples above):

bash-3.00# dsadm stop /odsee
Directory Server instance '/odsee' stopped
bash-3.00#

[30/Jan/2011:00:33:00 -0500] - WARNING<20488> - Backend Database - conn=-1 op=-1 msgId=-1 -  Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[30/Jan/2011:00:33:01 -0500] - Database recovery is 0% complete.
[30/Jan/2011:00:33:01 -0500] - Database recovery is 100% complete.
[30/Jan/2011:00:33:01 -0500] - goldcoast: Indexing VLV: goldcoast.com.getip6ent
[30/Jan/2011:00:33:01 -0500] - goldcoast: Indexed search unsuccessful, will perform unindexed search instead.
[30/Jan/2011:00:33:01 -0500] - goldcoast: Index buffer bucket size: 0
[30/Jan/2011:00:33:01 -0500] - goldcoast: Finished indexing.

bash-3.00# dsadm start /odsee
Directory Server instance '/odsee' started

Initialize a Client Node

Prior to initializing a new client, note that the default ACI for DSEE 7 does not allow anonymous binds. To allow this, add the following to an LDIF file which will later be read by ldapmodify:

# cat > /tmp/allow.anon.ldif
dn: dc=goldcoast,dc=com
changetype: modify
add: aci
aci: (target ="ldap:///dc=goldcoast,dc=com")
 (targetattr !="userPassword")
 (version 3.0; acl "Anonymous Example"; allow
 (read, search, compare)
 (userdn= "ldap:///anyone");)

Verify and commit your changes with ldapmodify:

# ldapmodify -D "cn=Directory Manager" -f /tmp/allow.anon.ldif

Now we should be able to initialize a client machine with the command below, run as root. Note: this type of initialization requires that anonymous binding be enabled.

# ldapclient init -v \
      -a proxyDN=cn=proxyagent,ou=profile,dc=goldcoast,dc=com \
      -a domainName=goldcoast.com -a profileName=default \
      -a proxyPassword=<the-proxy-pass> 192.168.1.6
...edited...
Parsing proxyDN=cn=proxyagent,ou=profile,dc=goldcoast,dc=com
Parsing domainName=goldcoast.com
Parsing profileName=default
Parsing proxyPassword=proxyagent
Arguments parsed:
        domainName: goldcoast.com
        proxyDN: cn=proxyagent,ou=profile,dc=goldcoast,dc=com
        profileName: default
        proxyPassword: proxyagent
        defaultServerList: 192.168.1.6
...edited...
start: sleep 100000 microseconds
start: system/filesystem/autofs:default... success
start: sleep 100000 microseconds
start: system/name-service-cache:default... success
start: sleep 100000 microseconds
start: network/smtp:sendmail... success
restart: sleep 100000 microseconds
restart: sleep 200000 microseconds
restart: milestone/name-services:default... success
System successfully configured

Adding users

If you have an older /etc/passwd or /etc/group file, their entries can easily be added from the just-initialized client by using ldapaddent.

# ldapaddent -a simple -D "cn=Directory Manager" -f /tmp/passwd.old passwd
Enter password:
3 entries added

The password field is ignored by default. To have the password included, use the -p option and supply a shadow password file (e.g. /etc/shadow) instead. Note: -p only works when the passwords are hashed with crypt. If your password field uses md5, blowfish, or any hashing method other than crypt, leave out the -p flag and use a regular passwd file that does not include the password field.

sh$ ldapaddent -a simple -p -D "cn=directory manager" -f /tmp/shadow.passwd.users passwd
Enter password:
3 entries added
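The crypt-only caveat above is easy to get wrong on a shadow file that mixes hash types. The following shell snippet is an added example and not part of the original post: it classifies the hash in each shadow(4) entry and passes through only the crypt entries for an ldapaddent -p run, reporting the others on stderr so they can be added from the plain passwd file (without -p) and given a new password. The sample shadow lines at the bottom are constructed; their hashes are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): sort shadow entries by hash type
# so that only crypt(3)-hashed ones are fed to "ldapaddent -p".

# Print the hash type found in the second field of one shadow(4) line.
hash_type() {
    printf '%s\n' "$1" | awk -F: '{
        h = $2
        if (h == "" || h == "*" || h == "NP" || h == "*LK*" || h ~ /^!/)
            print "locked-or-empty"
        else if (h ~ /^[$]1[$]/)        print "md5"
        else if (h ~ /^[$]2[abxy]?[$]/) print "blowfish"
        else if (h ~ /^[$]5[$]/)        print "sha256"
        else if (h ~ /^[$]6[$]/)        print "sha512"
        else if (length(h) == 13 && h ~ /^[.\/0-9A-Za-z]+$/)
            print "crypt"
        else
            print "unknown"
    }'
}

# Filter shadow lines on stdin: pass through crypt entries (usable with -p),
# report every other entry on stderr together with the reason it was skipped.
crypt_only() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        t=$(hash_type "$line")
        if [ "$t" = crypt ]; then
            printf '%s\n' "$line"
        else
            printf 'skip %s: %s hash; add it from the passwd file without -p and reset its password\n' \
                "${line%%:*}" "$t" >&2
        fi
    done
}

# Constructed sample shadow file (hashes are placeholders, not real credentials).
sample_shadow='alice:AbCdEfGhIjKlM:15000::::::
bob:$1$saltsalt$placeholderhash:15000::::::
carol:$6$saltsalt$placeholderhash:15000::::::
daemon:NP:6445::::::'

# The entries printed here are the ones safe to feed to:
#   ldapaddent -a simple -p -D "cn=directory manager" -f <this output> passwd
printf '%s\n' "$sample_shadow" | crypt_only
```

Redirect the output of crypt_only to a file and use that file as the -f argument of the -p run; the users listed on stderr go in with the regular passwd-format file instead.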

Adding Groups

sh$ ldapaddent -a simple -D "cn=directory manager" -f /nfs_system/backup/ldap.groups group

Listing the current ACIs

$ ldapsearch -h odsee -b "dc=goldcoast,dc=com" -s base "objectclass=*" aci
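Once anonymous access has been opened up as shown earlier, the listing above is the place to confirm that no anonymous grant exposes userPassword. The following shell snippet is an added example, not code from the original post or from ODSEE: it unfolds the LDIF that ldapsearch returns, picks out every ACI granting rights to ldap:///anyone, and flags any whose targetattr clause does not exclude userPassword. The sample_acis text is constructed (the post's own ACI plus a deliberately leaky one); audit_server is the only function that talks to a real server.

```shell
#!/bin/sh
# Added example (not from the original post): audit the ACIs that
# "ldapsearch ... -s base objectclass=* aci" returns, flagging any grant to
# ldap:///anyone whose targetattr clause does not exclude userPassword.

# Unfold LDIF: a line that starts with one space continues the previous line.
unfold_ldif() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }
        { if (buf != "") print buf; buf = $0 }
        END   { if (buf != "") print buf }
    '
}

# Read LDIF on stdin; print one verdict per anonymous ACI.
# Exit status: 0 when every anonymous ACI excludes userPassword, 1 otherwise.
audit_anon_acis() {
    unfold_ldif | grep '^aci:' | awk '
        /userdn *= *"ldap:\/\/\/anyone"/ {
            if ($0 ~ /targetattr *!= *"[^"]*userPassword/)
                print "ok:   " $0
            else {
                bad++
                print "RISK: anonymous ACI does not exclude userPassword: " $0
            }
        }
        END { if (bad > 0) exit 1; exit 0 }
    '
}

# Live use against a server: hostname and base DN are the arguments,
# mirroring the ldapsearch command shown in the post.
audit_server() {
    ldapsearch -h "$1" -b "$2" -s base "objectclass=*" aci | audit_anon_acis
}

# Constructed sample: the anonymous ACI from this post, plus a leaky one.
sample_acis='dn: dc=goldcoast,dc=com
aci: (target ="ldap:///dc=goldcoast,dc=com")
 (targetattr !="userPassword")
 (version 3.0; acl "Anonymous Example"; allow
 (read, search, compare)
 (userdn= "ldap:///anyone");)
aci: (targetattr ="*")(version 3.0; acl "Leaky"; allow (read, search, compare)
 (userdn = "ldap:///anyone");)'

printf '%s\n' "$sample_acis" | audit_anon_acis \
    || echo "at least one anonymous ACI needs attention"
```

The check is a textual one: it looks for userPassword inside a negated targetattr list, so an ACI that excludes a broader list such as "userPassword || aci" still passes, while any anonymous ACI with a positive targetattr (or none) is flagged for review.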

Note: As you may have seen, Identity Synchronization for Windows version 6.0 SP1 is now bundled with Oracle Directory Server Enterprise Edition 11g Release 1 (11.1.1).

References:

  1. Forum: Oracle Directory Server Enterprise Edition/SUN DSEE
  2. Soup To Nuts Sun DSEE

22 Responses to [Oracle Solaris] ODSEE 11g Installation & Configuration

  1. suma says:

    Hi,
    This site seems to be very informative.Looking forward for more on this from configuration perspective.This site helped me to install and configure directory server enterprise 7.Thanks a lot for sharing this.

    Oracle R12 Upgrade.

  2. Very informative, I have no idea where to start for DSEE7 (used to DS5.2 #4 installation) and this installation and configuration helps me a lot. Big thanks to you, swinful.

    However, what does “Initialize a Client Node” does? What is the 192.168.1.6 referring to? Your DSEE7 or the “client” ?

    Regards,

    Anwar

    • swinful says:

      Hi Anwar,

      “Initialize a Client Node” is referring to the client binding process, when one performs the command “ldapclient init …”. After this ‘initialization’ ldap client nodes are allowed access to the Directory Server for authentication and other information. In the example of the “ldapclient init -v …” command in the post the IP address 192.168.1.6 is referring to the Master Directory Server.

      Please, do not hesitate to let me know if you have any further questions. -:)

      Thank you for the feedback!

      Best Regards,
      -swinful

  3. Hi swinful,

    Thanks for the reply, appreciated it!

    I got some question to ask..hope you don’t mind..

    [1] How do you access DSEE7 administration console?

    [2] And also, I am not sure if backup and restore operation, on DSEE7 is the same as DS 5.2, can you help to enlighten me?

    Regards.

    Anwar

    • swinful says:

      Hi Anwar,

      Unfortunately, I do not recall coming across a Web Front-end while working with DSEE7. I do believe that this is possible through the use of a .war file that needs to be generated and placed in a specific folder. I do not have all the details on the top of my head at the moment. I have to dig a little deeper and will post the details should I come across this. If you find out before I do, please free to post another comment.

      Regards,
      -swinful

      • Hi swinful,

        Just to let you know that I have successfully deployed the DSCC7 war file using weblogic, but the usefulness is close to none 😦

        And regarding backup & restore, it's already been stated in the official DSEE7 documentation.

        Without your guide, I might not be able to start anything on DSEE7..

        Thanks again!

      • swinful says:

        Tv3suku,

        Thank you very much for taking the time to reply to this post. Your comment really means a lot to me!

        Cheers,
        swinful

  4. JB says:

    Hi,
    Thanks for this post. With regards to running the DSEE as a non-root user, do you have any suggestion with accomplishing this task on Linux?

    Thanks again

  5. mike says:

    Followed these instructions – really great everything works. I am now trying to use SSL – no joy.
    I have solaris 10, odsee 11g
    new profile, listing on client:
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=dmesystems,dc=com
    NS_LDAP_BINDPASSWD= {NS1}54c4ed35e8165226404d
    NS_LDAP_SERVERS= 192.168.1.102
    NS_LDAP_SEARCH_BASEDN= dc=dmesystems,dc=com
    NS_LDAP_AUTH= tls:simple
    NS_LDAP_SEARCH_REF= FALSE
    NS_LDAP_SEARCH_SCOPE= one
    NS_LDAP_SEARCH_TIME= 30
    NS_LDAP_CACHETTL= 43200
    NS_LDAP_PROFILE= sslprofile
    NS_LDAP_CREDENTIAL_LEVEL= proxy
    NS_LDAP_BIND_TIME= 10
    NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple

    search:
    ldapsearch -b "ou=people,dc=dmesystems,dc=com" -h 192.168.1.102 -Z -p 636 -P /var/ldap/cert8.db -D "cn=proxyagent,ou=profile,dc=dmesystems,dc=com" -w mypassword -s sub cn="*" "dn"

    but get:
    ldap_simple_bind: Can't contact LDAP server

    this works fine for
    ldapsearch -b "ou=people,dc=dmesystems,dc=com" -h 192.168.1.102 -s sub cn="*" "dn"
    version: 1
    dn: uid=john,ou=people,dc=dmesystems,dc=com
    dn: uid=mike,ou=people,dc=dmesystems,dc=com
    dn: uid=fred,ou=people,dc=dmesystems,dc=com

    I can ssh between server and client, I used one of your links to create the CA cert and server cert and install them in /local/odsee

    any help would be appreciated

  6. gary says:

    Thank goodness I found your document.. very very helpful…. kudos (^-^)

  7. enceladus says:

    Thanks man!! It really helped. I was struggling with DS 7 config.

  8. Dushyant says:

    Thank you very much, this post is very useful to me!
    Thanks Swinful !

  9. Hawk says:

    Any additions/suggestions for DSEE 11.1.1.7? Latest is no
    longer shipping with cacao, and this will be my first attempt at
    installing (not upgrading from previous version/s). In all, I am
    pretty confident in what I must do, just looking for info on how to
    add client to the new LDAP server. Thanks!

    • swinful says:

      Hello There!

      I have not gotten my hands on the latest version of DSEE, but would love to get my hands dirty with it and document any interesting findings. 🙂

      How far have you gotten and what are you having the most trouble with in this new version?

      • Hawk says:

        Thus far I’ve gotten everything to work in ODSEE 11.1.1.7,
        i.e.: 4 way Multi Master Replication (MMR). MMR works using SSL.
        Used Tomcat, following instructions on Oracle doc (what a surprise
        it worked!), which replaces cacao. I got all of this to work just
        fine, but am still wrestling with securing LDAP clients to use SSL;
        not sure how I need to add my /var/ldap/*.db files into dsadm…
        More if needed.

      • swinful says:

        Hawk,

        Great news and thanks for sharing your success. If I have time I'll put up how to bind clients and use SSL for all communications.

        Regards,
        swinful
