Oracle Directory Server (ODSEE) Installation, Configuration, Replication

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Loading...

Note: For most up-to-date OUD/ODSM information click here

Contents

Create new servers and start them

Replication Topology – 3 instances



Run on the 3 local servers
Note1: The replication topology was updated on Jul 2010, the process to setup replication is the same, just additional servers.
Note2: The LDAP/LDAP Proxy admin server configuration changed, for more information please look here

First lets create a directory instance

Note: The next steps require the directory server instance to use an FQDN, needed for certificate.

Note2: For DS7 replace the instance path with /opt/SUNWdsee7/var/dcc/ads

On all 3 server stop the ldap instance (if it was started)

Set a new password key for the certificate database and turn off password prompt (need for the next steps)

Delete the bad certificates named defaultCert certificate database on all 3 servers

On each server create a 3 year certificate.

Disable password prompt on all 3 server and store encrypted in the password database

Start the new instance on all servers

Ready to start setting up replication?

Create a file with the password name dsccreplmanpwd.txt

Run on all 3 servers instances to create a new empty suffixes.

Note: If your port uses 1389 set it like this

Disable Montring plugin

Run on all 3 servers to set replication password

Set on all 3 server instances a replication ID

Get the default certificate off all 3 servers instances they use.

Copy all certificates to all servers and add it as a CA trusted certificate from all other servers

Restart all 3 servers instances

Setup replication to use SSL auth on all instances

Assign and setup replication agreement between server instances

Copy the schema files we use in place to all 3 servers instances

And now finaley restart all instances for the new schema and other changes to take effect

Now we are ready to start the setup for native LDAP and index’s

copy the idsconfig profile file’s (below) to one of the server’s, then run.

NOTE: Change the correct password and domain in the profile.

To create a new silent input file run

Stop all 3 server instances to complete the vlv index’s

Now; To create the vlv index’s copy this to each server instance and run.

Note: You might need to re-run this once the directory is populated

Start all 3 server instances

Initialize and start all replication agreement’s

To check replication status(if dscc is used to manage the directory server instances)

To see replication status on all server instances

To see replication status on one replication aggrement run

To get all directory server properties

To import in LDAP all production DATA

To get a dump of all production LDAP data run

To import all production entree’s

Note: Import the data on one server only, the data gets replicated automatically

Enable native LDAP client binds

Before binding an native ldap client you will need to add this aci to the dc=subdomain,dc=com suffix entry

How to register a directory server instance in DSCC (directory server control center)

Note: The process changed in DS7, for the latest update just Click here

Open a web browser and go to one of this links

Log in as root

Then Log in as admin

Click on Directory Server Tab > server

From the drop down choose Register existing server

In the pop up

Select a Known Host: (i.e ldap1)

Fill in the Instance Path: /data1/ldap_inst1/ldap

DSCC Agent Port: Leave with the default (11162)

Click next

Administration DN: cn=Directory Manager

Password: password

Click next

Click Finish

Repeat the above step for each instance.

Note: Make sure to register with the FQDN name(if not known hosts might show up duplicate)
This could also be done with dsccreg

Sun Directory server 6.3 tuning

In DSCC – Directory Servers > [ds]:389 > Server Configuration > LDAP

Client Control Settings:

Size Limit: 5000

Allow the modify DN operation on non-leaf entries: check the box

In DSCC – Directory Servers > [ds]:389 > Server Configuration > Performance

Change:

Cache Settings

  • Make sure to look here for more information on the Database Cache Location setup

Database Cache Location: /tmp/slapd_inst1/

Cache Size Limits

Database Cache (Global): 2048

Initialization Cache (Global): 128

dc=subdomain,dc=com: 1000.00 (1GB)

Maximum Number of Threads: 128

Maximum Number of Persistent Searches: 128

In DSCC – Directory Servers > [ds]:389 > Server Configuration > Plugins

Enable Plugin:

In DSCC – Replication Agreements

Click on each dc=subdomain,dc=com for each Replicate change

Window Size: 100

Group Size: 10

Same as above accomplished with commend line

Sets the Window Size

Sets the Group Size

Create a start-up script with the proper OS tuning variables

Create a file the name /etc/init.d/Net-Tunes.sh and link from /etc/rc2.d/S90Net-Tunes.sh


For more information on WAN replication tuning click here

Best practice to re-index the new imported data – do it on the last server directory server

Changes need to improve all index

in /data1/ldap_inst1/ldap/logs/dse.ldif change the nsslapd-allidsthreshold

To Change the index value from 4000 (default) in the DSCC for each directory server instance

Click on Directory Servers > ldap2.domain.com:389 Suffixes > dc=subdomain,dc=com > Indexes
change all Max numbers… to 8000
click ok and restart the instance dsadm restart /data1/ldap_inst1/ldap
Then refresh all index data by running
Note: This could slow performance at the time of run…

To reindex all (including newly imported) entry’s just run.

Note: To work properly vlv index need to be run once the data is loaded click here on how to

Password Policy configuration

Change in DSCC

Click on Directory Servers & ldap1.domain.com:389 & Password Policies
In the Global Password Policy
Password Storage Scheme: SSHA
Password Syntax Checking: Always Check
Administrative Users: Check the box
Password Strong Check: Select to check three are of the four sets
Click on Assign Policy to ou=people,o=domain.om,dc=subdomain,dc=com
Create a new Password Policy
Name: domain_password_policy
Parent Entry DN: ou=people,o=domain.com,dc=subdomain,dc=com
Specify Password Change Settings
Global Policy: Inherit Password
Specify Password Expiration Settings
Global Policy: Specify Custom
Password Expiration: 90 days
Expiration Warning: 7 days
Specify Password Content Settings
Global Policy: Inherit Password Content
Specify Account Lockout Settings
Global Policy: Specify Custom
Account Lockout: Enable Account Lockout
Failures Before Lockout: 6
Failure Count Reset: 30
Lockout Duration: 30
Click on Assign Policy to ou=people,o=domain.om,dc=subdomain,dc=com

Directory server Access log rotation

On each server
Click on Directory Servers & ldap1.domain.com:1389
Change File Size Based Log Rotation: 2000
File Size Based Log Deletion: 40000
Free Disk Space Based Log Deletion: 2000

Disabling Anonymous and null access to the directory server

To disable null access to the directory server (disabled by default)

Note: To disable or limit Anonymous access by using directory proxy click here

To request and add a cert

How to add LDAP start up to Solaris SMF

Directory Server Backup configuration

This script run nightly by cron
It backs-up the entire directory in an ldif format to /data1/ldap_backups.
The backup script is located in /data1/backup_scripts/daily_backup.pl

Helpful Web References

4
Leave a Reply

avatar
2 Comment threads
2 Thread replies
0 Followers
 
Most reacted comment
Hottest comment thread
3 Comment authors
Eli Kleinmansimply_15Dan Liston Recent comment authors
  Subscribe  
newest oldest most voted
Notify of
Dan Liston
Guest
Dan Liston

Fantastic information! Impressive, and Very helpful. Have you considered an “all command line” approach? Such that the entire process may be scripted?

simply_15
Guest
simply_15

this is fantastic Eli! i have also some questions regarding how to generate cert8.db this is connection between ODSEE and other servers. Other servers also uses cert7.db hope could help us or add it to your blog.. thank you 🙂