This document explains the steps to install and configure the Oracle DSEE on grinnell. Note that the DSCC has not been configured on grinnell yet.

1. Install packages to help with debugging.
{{{
yum install openldap-clients*
yum install telnet
yum install nmap
}}}

2. Download the x86-64 bit version of Oracle Directory Server Enterprise Edition (11.1.1.7.0).

3. Extract the contents into /var/tmp/ldap/.

4. The extracted contents contain a ZIP file called sun-dsee7.zip. Simply unzipping this file installs the Oracle DSEE.
{{{
unzip -qq sun-dsee7.zip -d /srv/
}}}

5. Install the required 32-bit packages.
{{{
yum install libstdc++-4.4.7-3.el6.i686
}}}

6. Prepare for creation of the directory server instance.
{{{
mkdir /srv/servers
chown oracle /srv/servers/
su - oracle
}}}

7. Create the directory server instance.
{{{
[oracle@grinnell ~]$ /srv/dsee7/bin/dsadm create /srv/servers/slapd-grouper-test
Choose the Directory Manager password:
Confirm the Directory Manager password:
Use command 'dsadm start '/srv/servers/slapd-grouper-test'' to start the instance
}}}

8. Start the instance.
{{{
[oracle@grinnell ~]$ /srv/dsee7/bin/dsadm start /srv/servers/slapd-grouper-test
Directory Server instance '/srv/servers/slapd-grouper-test' started: pid=16604
}}}

9. Set the ssl-cipher-family property. This is based on existing UA documentation for the production directory servers. (The command is a single line; it is shown here with shell line continuations for readability.)
{{{
[oracle@grinnell ~]$ /srv/dsee7/bin/dsconf set-server-prop -h localhost -p 1389 \
  ssl-cipher-family:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA \
  ssl-cipher-family:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA \
  ssl-cipher-family:TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA \
  ssl-cipher-family:TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA \
  ssl-cipher-family:TLS_DHE_RSA_WITH_AES_256_CBC_SHA \
  ssl-cipher-family:TLS_DHE_DSS_WITH_AES_256_CBC_SHA \
  ssl-cipher-family:TLS_ECDH_RSA_WITH_AES_256_CBC_SHA \
  ssl-cipher-family:TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA \
  ssl-cipher-family:TLS_RSA_WITH_CAMELLIA_256_CBC_SHA \
  ssl-cipher-family:TLS_RSA_WITH_AES_256_CBC_SHA \
  ssl-cipher-family:TLS_ECDHE_ECDSA_WITH_RC4_128_SHA \
  ssl-cipher-family:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA \
  ssl-cipher-family:TLS_ECDHE_RSA_WITH_RC4_128_SHA \
  ssl-cipher-family:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA \
  ssl-cipher-family:TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA \
  ssl-cipher-family:TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA \
  ssl-cipher-family:TLS_DHE_DSS_WITH_RC4_128_SHA \
  ssl-cipher-family:TLS_DHE_RSA_WITH_AES_128_CBC_SHA \
  ssl-cipher-family:TLS_DHE_DSS_WITH_AES_128_CBC_SHA \
  ssl-cipher-family:TLS_ECDH_RSA_WITH_RC4_128_SHA \
  ssl-cipher-family:TLS_ECDH_RSA_WITH_AES_128_CBC_SHA \
  ssl-cipher-family:TLS_ECDH_ECDSA_WITH_RC4_128_SHA \
  ssl-cipher-family:TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA \
  ssl-cipher-family:TLS_RSA_WITH_SEED_CBC_SHA \
  ssl-cipher-family:TLS_RSA_WITH_CAMELLIA_128_CBC_SHA \
  ssl-cipher-family:SSL_RSA_WITH_RC4_128_MD5 \
  ssl-cipher-family:SSL_RSA_WITH_RC4_128_SHA \
  ssl-cipher-family:TLS_RSA_WITH_AES_128_CBC_SHA \
  ssl-cipher-family:TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA \
  ssl-cipher-family:TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA \
  ssl-cipher-family:SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA \
  ssl-cipher-family:SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA \
  ssl-cipher-family:TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA \
  ssl-cipher-family:TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA \
  ssl-cipher-family:SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA \
  ssl-cipher-family:SSL_RSA_WITH_3DES_EDE_CBC_SHA \
  ssl-cipher-family:SSL_CK_RC4_128_WITH_MD5 \
  ssl-cipher-family:SSL_CK_RC2_128_CBC_WITH_MD5 \
  ssl-cipher-family:SSL_CK_DES_192_EDE3_CBC_WITH_MD5 \
  ssl-cipher-family:SSL_CK_DES_64_CBC_WITH_MD5
Certificate "CN=grinnell.alaska.edu, CN=1636, CN=Directory Server, O=Sun Microsystems" presented by the server is not trusted.
Type "Y" to accept, "y" to accept just once, "n" to refuse, "d" for more details: Y
Enter "cn=Directory Manager" password:
Before setting SSL configuration, export Directory Server data.
Do you want to continue [y/n] ? y
Directory Server must be restarted for changes to take effect.
}}}

10. Restart the directory server.
{{{
[oracle@grinnell ~]$ /srv/dsee7/bin/dsadm restart /srv/servers/slapd-grouper-test
Directory Server instance '/srv/servers/slapd-grouper-test' stopped
Directory Server instance '/srv/servers/slapd-grouper-test' started: pid=17197
}}}

11. Check the configuration.
{{{
[oracle@grinnell ~]$ /srv/dsee7/bin/dsadm info /srv/servers/slapd-grouper-test/
Instance Path:    /srv/servers/slapd-grouper-test
Owner:            oracle(oinstall)
Non-secure port:  1389
Secure port:      1636
Bit format:       64-bit
State:            Running
Server PID:       17197
DSCC url:         -
Instance version: D-A30
}}}

12. Set the server properties. This is based on existing UA documentation for the production directory servers.
{{{
[oracle@grinnell ~]$ /srv/dsee7/bin/dsconf set-server-prop -p 1389 look-through-limit:unlimited
Enter "cn=Directory Manager" password:
[oracle@grinnell ~]$ /srv/dsee7/bin/dsconf set-server-prop -p 1389 pwd-check-enabled:on
Enter "cn=Directory Manager" password:
Enabling "pwd-check-enabled" property automatically sets the value of "pwd-accept-hashed-pwd-enabled" property to "off".
[oracle@grinnell ~]$ /srv/dsee7/bin/dsconf set-server-prop -p 1389 pwd-lockout-duration:30m
Enter "cn=Directory Manager" password:
[oracle@grinnell ~]$ /srv/dsee7/bin/dsconf set-server-prop -p 1389 pwd-lockout-enabled:on
Enter "cn=Directory Manager" password:
[oracle@grinnell ~]$ /srv/dsee7/bin/dsconf set-server-prop -p 1389 pwd-max-age:57w1d
Enter "cn=Directory Manager" password:
[oracle@grinnell ~]$ /srv/dsee7/bin/dsconf set-server-prop -p 1389 pwd-max-failure-count:5
Enter "cn=Directory Manager" password:
[oracle@grinnell ~]$ /srv/dsee7/bin/dsconf set-server-prop -p 1389 pwd-max-history-count:5
Enter "cn=Directory Manager" password:
[oracle@grinnell ~]$ /srv/dsee7/bin/dsconf set-server-prop -p 1389 pwd-min-length:8
Enter "cn=Directory Manager" password:
[oracle@grinnell ~]$ /srv/dsee7/bin/dsconf set-server-prop -p 1389 pwd-must-change-enabled:off
Enter "cn=Directory Manager" password:
[oracle@grinnell ~]$ /srv/dsee7/bin/dsconf set-server-prop -p 1389 pwd-root-dn-bypass-enabled:on
Enter "cn=Directory Manager" password:
[oracle@grinnell ~]$ /srv/dsee7/bin/dsconf set-server-prop -p 1389 pwd-user-change-enabled:off
Enter "cn=Directory Manager" password:
[oracle@grinnell ~]$ /srv/dsee7/bin/dsconf set-server-prop -p 1389 search-size-limit:unlimited
Enter "cn=Directory Manager" password:
}}}

13. Copy the production schema. (Assume that grinnell has a copy of the production "config" directory located at /srv/tmp/config.)
{{{
mv /srv/servers/slapd-grouper-test/config/schema/99user.ldif /srv/tmp/99user.ldif.orig
cp /srv/tmp/config/schema/99user.ldif /srv/servers/slapd-grouper-test/config/schema/
chown oracle:oinstall /srv/servers/slapd-grouper-test/config/schema/99user.ldif
}}}

14. Configure the attribute uniqueness plugin.
{{{
[oracle@grinnell ~]$ /srv/dsee7/bin/dsconf create-plugin -p 1389 -H /srv/dsee7/lib64/uid-plugin.so -F NSUniqueAttr_Init -Y preoperation "ARSCSystemID Uniqueness"
Enter "cn=Directory Manager" password:
[oracle@grinnell ~]$ /srv/dsee7/bin/dsconf set-plugin-prop -p 1389 "ARSCSystemID Uniqueness" desc:"Enforce unique attribute values..." version:7.0 vendor:"Sun Microsystems, Inc." depends-on-type:database
Enter "cn=Directory Manager" password:
Directory Server must be restarted for changes to take effect.
[oracle@grinnell ~]$ /srv/dsee7/bin/dsconf enable-plugin -p 1389 "ARSCSystemID Uniqueness"
Enter "cn=Directory Manager" password:
Directory Server must be restarted for changes to take effect.
[oracle@grinnell ~]$ /srv/dsee7/bin/dsconf set-plugin-prop -p 1389 "ARSCSystemID Uniqueness" argument:"ARSCSystemID" argument:"dc=alaska,dc=edu"
Enter "cn=Directory Manager" password:
Directory Server must be restarted for changes to take effect.
[oracle@grinnell ~]$ /srv/dsee7/bin/dsconf create-plugin -p 1389 -H /srv/dsee7/lib64/uid-plugin.so -F NSUniqueAttr_Init -Y preoperation "UASystemID Uniqueness"
Enter "cn=Directory Manager" password:
[oracle@grinnell ~]$ /srv/dsee7/bin/dsconf set-plugin-prop -p 1389 "UASystemID Uniqueness" desc:"Enforce unique attribute values..." version:7.0 vendor:"Sun Microsystems, Inc." depends-on-type:database
Enter "cn=Directory Manager" password:
Directory Server must be restarted for changes to take effect.
[oracle@grinnell ~]$ /srv/dsee7/bin/dsconf enable-plugin -p 1389 "UASystemID Uniqueness"
Enter "cn=Directory Manager" password:
Directory Server must be restarted for changes to take effect.
[oracle@grinnell ~]$ /srv/dsee7/bin/dsconf set-plugin-prop -p 1389 "UASystemID Uniqueness" argument:"UASystemID" argument:"dc=alaska,dc=edu"
Enter "cn=Directory Manager" password:
Directory Server must be restarted for changes to take effect.
[oracle@grinnell ~]$ /srv/dsee7/bin/dsadm restart /srv/servers/slapd-grouper-test
Directory Server instance '/srv/servers/slapd-grouper-test' stopped
Directory Server instance '/srv/servers/slapd-grouper-test' started: pid=27485
}}}

15. The top of the dse.ldif file contains ACIs. Copy the ACIs from the production dse.ldif file to the dse.ldif file on grinnell at /srv/servers/slapd-grouper-test/config/dse.ldif. (The entries are shown LDIF-folded, as they appear in the file; each continuation line begins with a single space.)
{{{
aci: (targetattr != "aci") (targetscope = "base") (version 3.0; acl "Enable r
 ead access to rootdse for anonymous users"; allow(read,search,compare) user
 dn="ldap:///anyone"; )
aci: (targetattr = "*") (version 3.0; acl "Enable full access for Administrat
 ors group"; allow (all)(groupdn = "ldap:///cn=Administrators,cn=config"); )
aci: (targetattr = "userPassword") ( version 3.0; acl "allow userpassword self
 modification"; allow (write) userdn = "ldap:///self";)
aci: (targetattr = "*") (version 3.0; acl "Enable full access for Directory Se
 rvices Managers"; allow (all)(userdn = "ldap:///cn=*,cn=Administrators,cn=ds
 cc");)
aci: (targetattr = "aci") (targetscope = "base") (version 3.0; acl "Enable roo
 t ACI modification by Directory Services Managers"; allow (all)(userdn = "ld
 ap:///cn=*,cn=Administrators,cn=dscc");)
}}}
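The ssl-cipher-family list set in step 9 was copied from the production documentation and includes SSLv2, RC4, MD5 and 3DES suites. The following script is an added example, not part of this page or of DSEE: it pulls the suite names out of a dsconf command line of the same form and flags the legacy ones, so the list can be reviewed before the instance is exposed. The classification rules are this script's own assumptions, and the command line is a constructed, shortened sample.

```python
"""Audit the ssl-cipher-family values passed to dsconf (added example)."""
import re
import shlex
from collections import OrderedDict

# Constructed sample in the same form as the step 9 command, shortened.
DSCONF_CMD = (
    "/srv/dsee7/bin/dsconf set-server-prop -h localhost -p 1389 "
    "ssl-cipher-family:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA "
    "ssl-cipher-family:TLS_RSA_WITH_AES_128_CBC_SHA "
    "ssl-cipher-family:TLS_ECDHE_ECDSA_WITH_RC4_128_SHA "
    "ssl-cipher-family:SSL_RSA_WITH_RC4_128_MD5 "
    "ssl-cipher-family:SSL_RSA_WITH_3DES_EDE_CBC_SHA "
    "ssl-cipher-family:SSL_CK_DES_64_CBC_WITH_MD5"
)

# Assumed classification rules; the first matching rule wins.
RULES = [
    ("sslv2", re.compile(r"^SSL_CK_")),              # SSLv2-only suite names
    ("md5-mac", re.compile(r"_MD5$")),               # MD5 as the record MAC
    ("rc4", re.compile(r"_RC4_")),                   # RC4 stream cipher
    ("3des", re.compile(r"3DES|DES_192_EDE3")),      # 64-bit block cipher
    ("no-pfs", re.compile(r"^(TLS|SSL)_RSA_|^TLS_ECDH_(RSA|ECDSA)_")),  # static key exchange
]


def extract_suites(cmdline):
    """Return the ssl-cipher-family values in the order given on the command line."""
    return [tok.split(":", 1)[1] for tok in shlex.split(cmdline)
            if tok.startswith("ssl-cipher-family:")]


def classify(suite):
    """Label a suite with the first rule it matches, or 'ok' if none fires."""
    for label, rx in RULES:
        if rx.search(suite):
            return label
    return "ok"


def audit(cmdline):
    """Map each suite on the command line to its label, preserving order."""
    return OrderedDict((s, classify(s)) for s in extract_suites(cmdline))


def legacy_suites(cmdline):
    """Suites that matched any rule, i.e. candidates for removal."""
    return [s for s, label in audit(cmdline).items() if label != "ok"]


if __name__ == "__main__":
    for suite, verdict in audit(DSCONF_CMD).items():
        print(f"{verdict:8s} {suite}")
```

Run it against the full step 9 command line to get a verdict per suite; anything not labelled ok is worth questioning before the list is applied to a new instance.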