Note: For the most up-to-date OUD/ODSM information click here
Note: If you have any issues with the Directory Server Control Center (DSCC) and need to re-initialize it, click here
Contents
- 1 Directory Server Control Center certificates
- 2 Directory Proxy configuration
- 3 Proxy Server configuration tuning and changes
- 3.1 Heap Memory tuning (restart required)
- 3.2 Directory Proxy configuration
- 3.3 Setup the Directory Proxy destinations
- 3.4 Setup the Directory Proxy LDAP Pools
- 3.5 Assign the pools to destinations
- 3.6 Setup your LDAP views
- 3.7 Enable the data sources
- 3.8 Disable Non secure data source (if not used)
- 3.9 Set the Directory Proxy weight
- 4 Directory Proxy native LDAP tuning
- 5 Setup Solaris (SMF) services and Auto restart
- 6 Problems and resolution doing directory proxy configuration
- 7 Enable all LDAP controls to pass Directory Proxy
- 8 Disabling or limit Anonymous access
- 9 Re-initialize the Directory Server Control Center (DSCC)
- 10 Troubleshooting a hung Directory Proxy
- 11 Setup Directory and Proxy Server Monitoring
- 12 References are available here
Directory Server Control Center certificates
Make sure to set up the Directory Server Control Center certificates.
For a list of steps on how to configure the DSCC certificates click here (this is needed for DSCC replication).
Before you begin
Make sure your storage is set up with the correct block size; check this first: Directory Server Databases and Usage of db_stat
Another place to look for how to tune the file system is Filesystem Cache Optimization Strategies
Directory Proxy configuration
Create a Directory Proxy instance
    dpadm create -p 389 -P 636 -D "cn=Proxy Manager" -w pwfile /data1/ldaproxy
Start the Directory Proxy instance
    dpadm start /data1/ldaproxy
Request a certificate for the instance
    dpadm request-cert /data1/ldaproxy ldaproxy1
Install the self-signed CA certificate
    dpadm add-cert /data1/ldaproxy my-ca /tmp/ca.cert
Install the self-signed server certificate
    dpadm add-cert /data1/ldaproxy ldaproxy1-cert /tmp/new.cert
At this point we have a working self-signed certificate, issued by our own CA, installed in the proxy instance.
To get the directory proxy CA certificate, run the command below. The certificate is needed for the load balancer (NetScaler) to be able to connect to the directory proxies.
    dpadm show-cert -F ascii /data1/ldaproxy
Proxy Server configuration tuning and changes
Heap Memory tuning (restart required)
Change the proxy to use 2048M of heap memory (from the default 256M)
    dpadm set-flags /data1/ldaproxy jvm-args="-Xmx2048M -Xms2048M -XX:NewRatio=1 -XX:+PrintGCDetails -Xloggc:/var/java/java-gc.log -XX:NewSize=1024M -XX:MaxNewSize=1024M -XX:PermSize=128M -XX:MaxPermSize=128M -XX:SurvivorRatio=32 -XX:MaxLiveObjectEvacuationRatio=15 -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:+PrintGCTimeStamps -Dsun.security.pkcs11.enable-solaris=false"
Verify the change:
    dpadm get-flags /data1/ldaproxy
Restart for the change to take effect:
    dpadm restart /data1/ldaproxy
Directory Proxy configuration
Setup the Directory Proxy destinations
Create a password file (used by the whole configuration; keep it readable only by the administrative user) and set up the destinations
    echo 'password'>/tmp/pw
On proxy1:
    dpconf create-ldap-data-source -i -h ldaproxy1.domain.com -P 636 -w /tmp/pw "ldap1-389" ldap1.domain.com:389
    dpconf create-ldap-data-source -i -h ldaproxy1.domain.com -P 636 -w /tmp/pw "ldap1-636" ldap1.domain.com:636
    dpconf create-ldap-data-source -i -h ldaproxy1.domain.com -P 636 -w /tmp/pw "ldap2-389" ldap2.domain.com:389
    dpconf create-ldap-data-source -i -h ldaproxy1.domain.com -P 636 -w /tmp/pw "ldap2-636" ldap2.domain.com:636
On proxy2:
    dpconf create-ldap-data-source -i -h ldaproxy2.domain.com -P 636 -w /tmp/pw "ldap1-389" ldap1.domain.com:389
    dpconf create-ldap-data-source -i -h ldaproxy2.domain.com -P 636 -w /tmp/pw "ldap1-636" ldap1.domain.com:636
    dpconf create-ldap-data-source -i -h ldaproxy2.domain.com -P 636 -w /tmp/pw "ldap2-389" ldap2.domain.com:389
    dpconf create-ldap-data-source -i -h ldaproxy2.domain.com -P 636 -w /tmp/pw "ldap2-636" ldap2.domain.com:636
Setup the Directory Proxy LDAP Pools
On ldaproxy1:
    dpconf create-ldap-data-source-pool -i -h ldaproxy1.domain.com -P 636 -w /tmp/pw "DataSource-Pool"
On ldaproxy2:
    dpconf create-ldap-data-source-pool -i -h ldaproxy2.domain.com -P 636 -w /tmp/pw "DataSource-Pool"
Assign the pools to destinations
Assign the data sources to the LDAP pools
On ldaproxy1:
For both secure and non-secure data sources run:
    dpconf attach-ldap-data-source -i -h ldaproxy1.domain.com -P 636 -w /tmp/pw "DataSource-Pool" "ldap1-389" "ldap1-636" "ldap2-389" "ldap2-636"
Note: For secure data sources only (no non-secure) run:
    dpconf attach-ldap-data-source -i -h ldaproxy1.domain.com -P 636 -w /tmp/pw "DataSource-Pool" "ldap1-636" "ldap2-636"
On ldaproxy2:
For both secure and non-secure data sources run:
    dpconf attach-ldap-data-source -i -h ldaproxy2.domain.com -P 636 -w /tmp/pw "DataSource-Pool" "ldap1-389" "ldap1-636" "ldap2-389" "ldap2-636"
Note: For secure data sources only (no non-secure) run:
    dpconf attach-ldap-data-source -i -h ldaproxy2.domain.com -P 636 -w /tmp/pw "DataSource-Pool" "ldap1-636" "ldap2-636"
Setup your LDAP views
Create your LDAP views and assign the pool to use
On ldaproxy1:
    dpconf create-ldap-data-view -i -h ldaproxy1.domain.com -P 636 -w /tmp/pw "View" "DataSource-Pool" dc=domain,dc=com
On ldaproxy2:
    dpconf create-ldap-data-view -i -h ldaproxy2.domain.com -P 636 -w /tmp/pw "View" "DataSource-Pool" dc=domain,dc=com
Enable the data sources
Finally we need to enable the data sources and restart the proxy server for the LDAP connection pools to work
    dpadm restart /data1/ldaproxy
Disable the non-secure data sources (if not used)
    dpconf set-ldap-data-source-prop -i -h ldaproxy1.domain.com -P 636 -w /tmp/pw "ldap1-389" is-enabled:false
    dpconf set-ldap-data-source-prop -i -h ldaproxy1.domain.com -P 636 -w /tmp/pw "ldap2-389" is-enabled:false
    dpconf set-ldap-data-source-prop -i -h ldaproxy2.domain.com -P 636 -w /tmp/pw "ldap1-389" is-enabled:false
    dpconf set-ldap-data-source-prop -i -h ldaproxy2.domain.com -P 636 -w /tmp/pw "ldap2-389" is-enabled:false
Set the Directory Proxy weight
    dpconf set-attached-ldap-data-source-prop -i -h ldaproxy1.domain.com -P 636 -w /tmp/pw "DataSource-Pool" "ldap1-636" add-weight:50 bind-weight:50 compare-weight:50 delete-weight:50 modify-dn-weight:50 modify-weight:50 search-weight:50
    dpconf set-attached-ldap-data-source-prop -i -h ldaproxy1.domain.com -P 636 -w /tmp/pw "DataSource-Pool" "ldap2-636" add-weight:50 bind-weight:50 compare-weight:50 delete-weight:50 modify-dn-weight:50 modify-weight:50 search-weight:50
    dpconf set-attached-ldap-data-source-prop -i -h ldaproxy2.domain.com -P 636 -w /tmp/pw "DataSource-Pool" "ldap1-636" add-weight:50 bind-weight:50 compare-weight:50 delete-weight:50 modify-dn-weight:50 modify-weight:50 search-weight:50
    dpconf set-attached-ldap-data-source-prop -i -h ldaproxy2.domain.com -P 636 -w /tmp/pw "DataSource-Pool" "ldap2-636" add-weight:50 bind-weight:50 compare-weight:50 delete-weight:50 modify-dn-weight:50 modify-weight:50 search-weight:50
Directory Proxy native LDAP tuning
Directory Proxy Session Tuning
Log in as root
Then Log in as admin
Click on Directory Proxy Tab > server
Click on this proxy server and click on …
Proxy Servers > ldaproxy1:389 > General TAB
Check the box in…
VLV Request LDAPv3 control
Server Side Sorting
Proxy Servers > ldaproxy1:389 > Performance TAB
From 50 to 70 (20 per each connection)
Worker Threads: 70
Directory Proxy Access log Tuning
Click on Proxy Servers > ldaproxy2.domain.com:389 > Access Logging
Log Rotation Policy:
Size Limit: 1000
Max Files to Keep: 15
Setup Solaris (SMF) services and Auto restart
To auto start/stop the Directory Proxy
Note: This needs to be run while the instance is down
    dpadm enable-service -T SMF /data1/ldaproxy-config
Problems and resolution during directory proxy configuration
Problem 1
Problem: Connections time out with LDAP errors because the proxy disconnects too quickly
- Problem: Getting the error "connection idle time-out has expired" in the access log
Solution: Modify conf.ldif, treating the value as milliseconds rather than seconds
Solution: Set this in /data1/ldaproxy1/config/conf.ldif for port 389/636, from 3600 milliseconds (3 seconds) to 3600000 milliseconds
Note: The attribute name says seconds, but the value is really in milliseconds
From:
    connectionIdleTimeOutInSec: 3600
To:
    connectionIdleTimeOutInSec: 3600000
Enable all LDAP controls to pass Directory Proxy
To allow all controls through the proxy, run this and then restart
    dpconf set-server-prop -i -h ldaproxy1.domain.com -P 636 --pwd-file /tmp/pw \
        allowed-ldap-controls:2.16.840.1.113730.3.4.2 \
        allowed-ldap-controls:2.16.840.1.113730.3.4.3 \
        allowed-ldap-controls:2.16.840.1.113730.3.4.4 \
        allowed-ldap-controls:2.16.840.1.113730.3.4.5 \
        allowed-ldap-controls:2.16.840.1.113730.3.4.16 \
        allowed-ldap-controls:2.16.840.1.113730.3.4.15 \
        allowed-ldap-controls:2.16.840.1.113730.3.4.17 \
        allowed-ldap-controls:2.16.840.1.113730.3.4.19 \
        allowed-ldap-controls:1.3.6.1.4.1.42.2.27.9.5.2 \
        allowed-ldap-controls:1.3.6.1.4.1.42.2.27.9.5.6 \
        allowed-ldap-controls:1.3.6.1.4.1.42.2.27.9.5.8 \
        allowed-ldap-controls:1.3.6.1.4.1.42.2.27.8.5.1 \
        allowed-ldap-controls:2.16.840.1.113730.3.4.14 \
        allowed-ldap-controls:1.3.6.1.4.1.1466.29539.12 \
        allowed-ldap-controls:2.16.840.1.113730.3.4.12 \
        allowed-ldap-controls:2.16.840.1.113730.3.4.18 \
        allowed-ldap-controls:2.16.840.1.113730.3.4.13 \
        allowed-ldap-controls:1.3.6.1.4.1.42.2.27.9.5.4 \
        allowed-ldap-controls:1.3.6.1.4.1.42.2.27.9.5.7 \
        allowed-ldap-controls:1.2.840.113556.1.4.473 \
        allowed-ldap-controls:2.16.840.1.113730.3.4.9
To verify the change:
    ldapsearch -h ldaproxy1.domain.com -b "" -s base objectclass=\*
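To check the result of that ldapsearch mechanically, here is an added example (not from the original page) that compares the OIDs passed to dpconf above with the supportedControl values in the root DSE. It assumes the proxy advertises its allowed controls there, as directory servers normally do; the sample root DSE at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from the original page: report which of the controls
# allowed with "dpconf set-server-prop allowed-ldap-controls" are not
# advertised as supportedControl in the proxy's root DSE.

# The OIDs passed to dpconf above (duplicates removed).
REQUIRED_CONTROLS="
2.16.840.1.113730.3.4.2 2.16.840.1.113730.3.4.3 2.16.840.1.113730.3.4.4
2.16.840.1.113730.3.4.5 2.16.840.1.113730.3.4.16 2.16.840.1.113730.3.4.15
2.16.840.1.113730.3.4.17 2.16.840.1.113730.3.4.19 2.16.840.1.113730.3.4.14
2.16.840.1.113730.3.4.12 2.16.840.1.113730.3.4.18 2.16.840.1.113730.3.4.13
2.16.840.1.113730.3.4.9 1.3.6.1.4.1.42.2.27.9.5.2 1.3.6.1.4.1.42.2.27.9.5.6
1.3.6.1.4.1.42.2.27.9.5.8 1.3.6.1.4.1.42.2.27.8.5.1 1.3.6.1.4.1.42.2.27.9.5.4
1.3.6.1.4.1.42.2.27.9.5.7 1.3.6.1.4.1.1466.29539.12 1.2.840.113556.1.4.473
"

# missing_controls < rootdse.ldif
# Reads the LDIF printed by 'ldapsearch -b "" -s base objectclass=*' on stdin
# and writes one line per required OID that is not listed as a supportedControl.
# Returns 0 when every control is advertised, 1 when at least one is missing.
missing_controls() {
    advertised=$(sed -n 's/^supportedControl: *//p')
    rc=0
    for oid in $REQUIRED_CONTROLS; do
        if ! printf '%s\n' "$advertised" | grep -qxF "$oid"; then
            echo "$oid"
            rc=1
        fi
    done
    return $rc
}

# Constructed (not captured) root DSE from a proxy on which only three of the
# controls have been allowed, so the check below lists the other eighteen.
sample_root_dse() {
    cat <<'EOF'
dn:
objectClass: top
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.3
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
supportedLDAPVersion: 3
EOF
}

# Against a live proxy, replace sample_root_dse with:
#   ldapsearch -h ldaproxy1.domain.com -b "" -s base objectclass=\*
sample_root_dse | missing_controls || echo "some allowed controls are not advertised"
```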
Disabling or limiting Anonymous access
In the DSCC console, change the following:
Click on Proxy Servers > ldaproxy1.domain.com:389 > Policies
New Policy
Name: Anonymous-Policy
Connection Limit:1
Single IP Connection Limit:1
Operation Limit:1
Simultaneous Operation Limit:1
Search Limits
Minimum Size For Substrings in Searches:3
Maximum Search Time:5
Default Search Size Limit:1
Re-initialize the Directory Server Control Center (DSCC)
To re-initialize the Directory Server Control Center (DSCC) run this, then restart the Sun Management web console
    /dse61/dscc6/bin/dsccsetup dismantle
    /dse61/dscc6/bin/dsccsetup initialize
    smcwebserver restart
Troubleshooting a hung Directory Proxy
Collecting jmap: create a cron job that runs the collection script
    # ## collect script perf stat for Sun Proxy Server
    # * * * * * /data1/sun_collect/collect_jmap.sh
The collection script (/data1/sun_collect/collect_jmap.sh):
    #!/bin/bash
    # Append a timestamp header, then a heap summary of the running proxy JVM.
    # Note: jmap -heap briefly pauses the target JVM while it inspects the heap.
    echo "====================== Ran at `date` ======================" >>/data1/sun_collect/collect_jmap.out
    # The proxy's JVM process is the one whose main class is DistributionServerMain
    proxy_process=`/usr/jdk/instances/jdk1.5.0/bin/sparcv9/jps |grep DistributionServerMain |awk '{print $1}'`
    /usr/jdk/instances/jdk1.5.0/bin/sparcv9/jmap -d64 -heap $proxy_process >> /data1/sun_collect/collect_jmap.out
Sample output:
    cat /data1/sun_collect/collect_jmap.out
    ====================== Ran at Tue Jun 23 10:58:00 EDT 2009 ======================
    using thread-local object allocation.
    Parallel GC with 24 thread(s)

    Heap Configuration:
       MinHeapFreeRatio = 40
       MaxHeapFreeRatio = 70
       MaxHeapSize      = 2147483648 (2048.0MB)
       NewSize          = 2883584 (2.75MB)
       MaxNewSize       = -65536 (-0.0625MB)
       OldSize          = 1835008 (1.75MB)
       NewRatio         = 1
       SurvivorRatio    = 32
       PermSize         = 21757952 (20.75MB)
       MaxPermSize      = 88080384 (84.0MB)

    Heap Usage:
    PS Young Generation
    Eden Space:
       capacity = 432537600 (412.5MB)
       used     = 112557816 (107.34349822998047MB)
       free     = 319979784 (305.15650177001953MB)
       26.022666237571023% used
    From Space:
       capacity = 3014656 (2.875MB)
       used     = 2981888 (2.84375MB)
       free     = 32768 (0.03125MB)
       98.91304347826087% used
    To Space:
       capacity = 8323072 (7.9375MB)
       used     = 0 (0.0MB)
       free     = 8323072 (7.9375MB)
       0.0% used
    PS Old Generation
       capacity = 1073741824 (1024.0MB)
       used     = 36454704 (34.76591491699219MB)
       free     = 1037287120 (989.2340850830078MB)
       3.3951088786125183% used
    PS Perm Generation
       capacity = 25165824 (24.0MB)
       used     = 12957168 (12.356918334960938MB)
       free     = 12208656 (11.643081665039062MB)
       51.487159729003906% used
Collecting jstat
    #!/bin/bash
    # Sample the proxy JVM's GC utilisation once a second (1000 ms); jstat keeps
    # running until it is stopped, so run this in the background or under nohup.
    proxy_process=`/usr/jdk/instances/jdk1.5.0/bin/sparcv9/jps |grep DistributionServerMain |awk '{print $1}'`
    /usr/jdk/instances/jdk1.5.0/bin/sparcv9/jstat -gcutil $proxy_process 1000 >> /data1/sun_collect/jstat.out
Sample output:
    # cat jstat.out|head -10
      S0     S1     E      O      P     YGC     YGCT    FGC    FGCT     GCT
     53.54   0.00  84.20   3.10  51.43     34    2.511     0    0.000    2.511
     53.54   0.00  85.41   3.10  51.43     34    2.511     0    0.000    2.511
     53.54   0.00  85.94   3.10  51.43     34    2.511     0    0.000    2.511
     53.54   0.00  87.13   3.10  51.43     34    2.511     0    0.000    2.511
     53.54   0.00  88.44   3.10  51.43     34    2.511     0    0.000    2.511
     53.54   0.00  90.22   3.10  51.43     34    2.511     0    0.000    2.511
     53.54   0.00  91.02   3.10  51.43     34    2.511     0    0.000    2.511
     53.54   0.00  93.08   3.10  51.43     34    2.511     0    0.000    2.511
     53.54   0.00  96.34   3.10  51.43     34    2.511     0    0.000    2.511
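Added example, not part of the original page, that scans jstat -gcutil output like the capture above for signs of a heap-starved proxy. The 90% old-generation threshold and the sample rows at the bottom are constructed assumptions, not values from the page.

```shell
#!/bin/sh
# Added example, not part of the original page: scan "jstat -gcutil" samples
# such as the jstat.out capture above for a heap-starved proxy. A JVM that
# looks hung often shows the old generation (O) pinned near 100% while the
# full-GC count (FGC) keeps climbing.

# gc_pressure OLD_GEN_PERCENT < jstat.out
# Prints one line per sample whose old generation exceeds the threshold
# (default 90%, an assumed value) and the number of full GCs that happened
# between the first and last sample. Returns 1 if either condition fired.
gc_pressure() {
    threshold=${1:-90}
    awk -v thr="$threshold" '
        /^ *S0/ || NF < 10 { next }   # skip the header and partial lines
        {
            n++
            if ($4 + 0 > thr) { print "sample " n ": old gen " $4 "% used"; alarm = 1 }
            if (n == 1) first = $8    # FGC column of the first sample
            last = $8
        }
        END {
            fgc = last - first
            print "full GCs during capture: " fgc
            if (fgc > 0) alarm = 1
            exit (alarm ? 1 : 0)
        }'
}

# Constructed sample: the first two rows resemble the healthy capture above,
# the last two show a proxy that has run out of old-generation space.
sample_jstat() {
    cat <<'EOF'
  S0     S1     E      O      P     YGC     YGCT    FGC    FGCT     GCT
 53.54   0.00  84.20   3.10  51.43     34    2.511     0    0.000    2.511
 53.54   0.00  96.34   3.10  51.43     34    2.511     0    0.000    2.511
  0.00   0.00  99.80  98.75  51.43    812   41.902    17  188.350  230.252
  0.00   0.00 100.00  99.91  51.43    812   41.902    21  244.117  286.019
EOF
}

# On the proxy host run: gc_pressure 90 < /data1/sun_collect/jstat.out
sample_jstat | gc_pressure 90 || echo "heap pressure detected, collect a jmap -heap dump"
```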
Debugging a low performance proxy incident
Troubleshooting a Crashed Directory Proxy Server Process
Setup Directory and Proxy Server Monitoring
Sun Directory and Directory Proxy server monitoring
Note: You cannot install the Monitoring Server and Client on the same server (or it will not work)
Run the JES installer and select Sun Monitoring Console version 1.0 on the Monitoring Server
On the monitoring server set up the Console
    /opt/SUNWmfwk/bin/mfwksetup -i
    /opt/SUNWmfwk/bin/masetup -i
On all Directory Servers and Proxy Servers, enable the monitoring plugin so they can be monitored, then restart them
Login to the Monitoring Console server and click on Sun Monitoring Console
In discovery enter the IP or Host of the Directory client to Monitor.