wiki:LDAPInstall

Version 2 (modified by uaguest_SPatel1@…, 11 years ago) (diff)


This document explains the steps to install and configure the Oracle DSEE on grinnell. Note that the DSCC has not been configured on grinnell yet.

  1. Install packages to help with debugging.
yum install openldap-clients*
yum install telnet
yum install nmap
  1. Download the x86-64 bit version of Oracle Directory Server Enterprise Edition (11.1.1.7.0).
  1. Extract contents into /var/tmp/ldap/.
  1. The extracted contents contain a ZIP file called sun-dsee7.zip. Unzipping this file is the whole installation; the command below unzips it into /srv/, which creates /srv/dsee7.
unzip -qq sun-dsee7.zip -d /srv/
  1. Install required 32-bit packages.
yum install libstdc++-4.4.7-3.el6.i686
  1. Prepare for creating the directory server instance: the instance directory is owned by the oracle user, and the following steps run as that user.
mkdir /srv/servers
chown oracle /srv/servers/
su - oracle
  1. Create the directory server instance.
[oracle@grinnell ~]$ /srv/dsee7/bin/dsadm create /srv/servers/slapd-grouper-test
Choose the Directory Manager password:
Confirm the Directory Manager password:
Use command 'dsadm start '/srv/servers/slapd-grouper-test'' to start the instance
  1. Start the instance.
[oracle@grinnell ~]$ /srv/dsee7/bin/dsadm start /srv/servers/slapd-grouper-test
Directory Server instance '/srv/servers/slapd-grouper-test' started: pid=16604
  1. Set the ssl-cipher-family property. This is based on existing UA documentation for the production directory servers.
[oracle@grinnell ~]$ /srv/dsee7/bin/dsconf set-server-prop -h localhost -p 1389 ssl-cipher-family:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ssl-cipher-family:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ssl-cipher-family:TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA ssl-cipher-family:TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA ssl-cipher-family:TLS_DHE_RSA_WITH_AES_256_CBC_SHA ssl-cipher-family:TLS_DHE_DSS_WITH_AES_256_CBC_SHA ssl-cipher-family:TLS_ECDH_RSA_WITH_AES_256_CBC_SHA ssl-cipher-family:TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA ssl-cipher-family:TLS_RSA_WITH_CAMELLIA_256_CBC_SHA ssl-cipher-family:TLS_RSA_WITH_AES_256_CBC_SHA ssl-cipher-family:TLS_ECDHE_ECDSA_WITH_RC4_128_SHA ssl-cipher-family:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ssl-cipher-family:TLS_ECDHE_RSA_WITH_RC4_128_SHA ssl-cipher-family:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ssl-cipher-family:TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA ssl-cipher-family:TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA ssl-cipher-family:TLS_DHE_DSS_WITH_RC4_128_SHA ssl-cipher-family:TLS_DHE_RSA_WITH_AES_128_CBC_SHA ssl-cipher-family:TLS_DHE_DSS_WITH_AES_128_CBC_SHA ssl-cipher-family:TLS_ECDH_RSA_WITH_RC4_128_SHA ssl-cipher-family:TLS_ECDH_RSA_WITH_AES_128_CBC_SHA ssl-cipher-family:TLS_ECDH_ECDSA_WITH_RC4_128_SHA ssl-cipher-family:TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA ssl-cipher-family:TLS_RSA_WITH_SEED_CBC_SHA ssl-cipher-family:TLS_RSA_WITH_CAMELLIA_128_CBC_SHA ssl-cipher-family:SSL_RSA_WITH_RC4_128_MD5 ssl-cipher-family:SSL_RSA_WITH_RC4_128_SHA ssl-cipher-family:TLS_RSA_WITH_AES_128_CBC_SHA ssl-cipher-family:TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA ssl-cipher-family:TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ssl-cipher-family:SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA ssl-cipher-family:SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA ssl-cipher-family:TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA ssl-cipher-family:TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA ssl-cipher-family:SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA ssl-cipher-family:SSL_RSA_WITH_3DES_EDE_CBC_SHA ssl-cipher-family:SSL_CK_RC4_128_WITH_MD5 ssl-cipher-family:SSL_CK_RC2_128_CBC_WITH_MD5 ssl-cipher-family:SSL_CK_DES_192_EDE3_CBC_WITH_MD5 ssl-cipher-family:SSL_CK_DES_64_CBC_WITH_MD5
Certificate "CN=grinnell.alaska.edu, CN=1636, CN=Directory Server, O=Sun Microsystems" presented by the server is not trusted.
Type "Y" to accept, "y" to accept just once, "n" to refuse, "d" for more details: Y
Enter "cn=Directory Manager" password:
Before setting SSL configuration, export Directory Server data.
Do you want to continue [y/n] ?  y
Directory Server must be restarted for changes to take effect.
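The cipher list set in the step above is the one copied from the production documentation, and it includes RC4, 3DES, MD5-MAC and SSL_CK_* (SSLv2-era) suites alongside the AES ones. The script below is an added example, not part of this wiki page or of Oracle's dsconf tooling: it takes the suites in the same "ssl-cipher-family:<SUITE>" argument form used above, reports which suites a reviewer would flag and why, lists the suites without forward secrecy, and rebuilds the argument string without the flagged suites. The weakness markers are this example's own choices.

```python
"""Audit an Oracle DSEE ssl-cipher-family argument list for weak cipher suites.

Added example, not from the wiki page or from Oracle's dsconf tooling. Input is
the "ssl-cipher-family:<SUITE>" token form the page passes to dsconf, so the
argument string from the page can be pasted in as it is.
"""

# Suites whose key exchange is ephemeral (ECDHE or DHE) give forward secrecy;
# static RSA and static ECDH key exchange do not.
FS_MARKERS = ("_ECDHE_", "_DHE_")


def parse_cipher_args(text):
    """Suite names from whitespace-separated dsconf tokens, with or without the
    'ssl-cipher-family:' prefix, in their given order and without repeats."""
    suites = []
    for token in text.split():
        name = token.split(":", 1)[1] if ":" in token else token
        if name and name not in suites:
            suites.append(name)
    return suites


def weaknesses(suite):
    """Reasons (this example's own list) a suite should be considered weak."""
    reasons = []
    if suite.startswith("SSL_CK_"):
        reasons.append("SSLv2-only suite")
    if "_RC4_" in suite:
        reasons.append("RC4")
    if "_RC2_" in suite:
        reasons.append("RC2")
    if "_DES_64_" in suite or "_DES_CBC_" in suite or "_DES40_" in suite:
        reasons.append("single DES")
    if "3DES" in suite or "DES_192_EDE3" in suite:
        reasons.append("3DES (64-bit block)")
    if suite.endswith("_MD5"):
        reasons.append("MD5 MAC")
    if "_NULL_" in suite:
        reasons.append("NULL encryption")
    if "EXPORT" in suite:
        reasons.append("export-grade key")
    return reasons


def audit(text):
    """Split the configured suites into weak (with reasons) and strong, and
    separately list every suite that lacks forward secrecy."""
    report = {"weak": {}, "strong": [], "no_forward_secrecy": []}
    for suite in parse_cipher_args(text):
        reasons = weaknesses(suite)
        if reasons:
            report["weak"][suite] = reasons
        else:
            report["strong"].append(suite)
        if not any(marker in suite for marker in FS_MARKERS):
            report["no_forward_secrecy"].append(suite)
    return report


def hardened_args(text):
    """Rebuild the dsconf argument string with the weak suites removed."""
    return " ".join("ssl-cipher-family:" + s for s in audit(text)["strong"])


# Constructed sample: a subset of the suites set on this page.
SAMPLE = ("ssl-cipher-family:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA "
          "ssl-cipher-family:TLS_RSA_WITH_AES_128_CBC_SHA "
          "ssl-cipher-family:TLS_ECDHE_RSA_WITH_RC4_128_SHA "
          "ssl-cipher-family:SSL_RSA_WITH_RC4_128_MD5 "
          "ssl-cipher-family:SSL_RSA_WITH_3DES_EDE_CBC_SHA "
          "ssl-cipher-family:SSL_CK_RC4_128_WITH_MD5 "
          "ssl-cipher-family:SSL_CK_DES_64_CBC_WITH_MD5")

if __name__ == "__main__":
    for suite, why in audit(SAMPLE)["weak"].items():
        print(f"{suite}: {', '.join(why)}")
    print("hardened:", hardened_args(SAMPLE))
```

Run it against the full argument string from the step above to see the complete list of flagged suites; the hardened string can then be passed to dsconf set-server-prop in place of the original (the server still needs the restart the tool asks for).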
  1. Restart the directory server.
[oracle@grinnell ~]$ /srv/dsee7/bin/dsadm restart /srv/servers/slapd-grouper-test
Directory Server instance '/srv/servers/slapd-grouper-test' stopped
Directory Server instance '/srv/servers/slapd-grouper-test' started: pid=17197
  1. Check the instance configuration.
[oracle@grinnell ~]$ /srv/dsee7/bin/dsadm info /srv/servers/slapd-grouper-test/
Instance Path:     /srv/servers/slapd-grouper-test
Owner:             oracle(oinstall)
Non-secure port:   1389
Secure port:       1636
Bit format:        64-bit
State:             Running
Server PID:        17197
DSCC url:          -
Instance version:  D-A30
  1. Set server properties (search limits and the password policy). This is based on existing UA documentation for the production directory servers.
[oracle@grinnell ~]$  /srv/dsee7/bin/dsconf set-server-prop -p 1389 look-through-limit:unlimited
Enter "cn=Directory Manager" password:
[oracle@grinnell ~]$
[oracle@grinnell ~]$  /srv/dsee7/bin/dsconf set-server-prop -p 1389 pwd-check-enabled:on
Enter "cn=Directory Manager" password:
Enabling "pwd-check-enabled" property automatically sets the value of "pwd-accept-hashed-pwd-enabled" property to "off".
[oracle@grinnell ~]$
[oracle@grinnell ~]$  /srv/dsee7/bin/dsconf set-server-prop -p 1389 pwd-lockout-duration:30m
Enter "cn=Directory Manager" password:
[oracle@grinnell ~]$
[oracle@grinnell ~]$  /srv/dsee7/bin/dsconf set-server-prop -p 1389 pwd-lockout-enabled:on
Enter "cn=Directory Manager" password:
[oracle@grinnell ~]$
[oracle@grinnell ~]$  /srv/dsee7/bin/dsconf set-server-prop -p 1389 pwd-max-age:57w1d
Enter "cn=Directory Manager" password:
[oracle@grinnell ~]$
[oracle@grinnell ~]$  /srv/dsee7/bin/dsconf set-server-prop -p 1389 pwd-max-failure-count:5
Enter "cn=Directory Manager" password:
[oracle@grinnell ~]$
[oracle@grinnell ~]$  /srv/dsee7/bin/dsconf set-server-prop -p 1389 pwd-max-history-count:5
Enter "cn=Directory Manager" password:
[oracle@grinnell ~]$
[oracle@grinnell ~]$  /srv/dsee7/bin/dsconf set-server-prop -p 1389 pwd-min-length:8
Enter "cn=Directory Manager" password:
[oracle@grinnell ~]$
[oracle@grinnell ~]$  /srv/dsee7/bin/dsconf set-server-prop -p 1389 pwd-must-change-enabled:off
Enter "cn=Directory Manager" password:
[oracle@grinnell ~]$
[oracle@grinnell ~]$  /srv/dsee7/bin/dsconf set-server-prop -p 1389 pwd-root-dn-bypass-enabled:on
Enter "cn=Directory Manager" password:
[oracle@grinnell ~]$
[oracle@grinnell ~]$  /srv/dsee7/bin/dsconf set-server-prop -p 1389 pwd-user-change-enabled:off
Enter "cn=Directory Manager" password:
[oracle@grinnell ~]$
[oracle@grinnell ~]$  /srv/dsee7/bin/dsconf set-server-prop -p 1389 search-size-limit:unlimited
Enter "cn=Directory Manager" password:
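The password-policy values set above are copied from production, so it is worth being able to re-check them later against a written baseline rather than by eye. The script below is an added example, not part of this wiki page or of Oracle's tooling: it reads the same "property:value" form that dsconf set-server-prop takes, converts DSEE duration values like 30m and 57w1d to seconds, and reports where a property set falls outside a baseline. The duration unit letters (w, d, h, m, s) are assumed from the page's own values, and the thresholds are this example's own choices; the two "info" findings it produces for the page's own values (root DN bypass on, user-initiated changes off) are deliberate settings here but are the kind a reviewer should know about.

```python
"""Check DSEE password-policy server properties against a baseline.

Added example, not from the wiki page or from Oracle's dsconf tooling. Input
is the "property:value" form the page passes to dsconf set-server-prop. The
duration unit letters (w, d, h, m, s) are assumed from the page's own values
'30m' and '57w1d'; the thresholds are this example's own baseline.
"""
import re

UNIT_SECONDS = {"w": 7 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}
DURATION_RE = re.compile(r"(\d+)([wdhms])")


def parse_duration(value):
    """'30m' -> 1800, '57w1d' -> 34560000, 'unlimited' -> None."""
    if value == "unlimited":
        return None
    parts = DURATION_RE.findall(value)
    if not parts or "".join(n + u for n, u in parts) != value:
        raise ValueError(f"bad duration: {value!r}")
    return sum(int(n) * UNIT_SECONDS[u] for n, u in parts)


def parse_props(text):
    """Turn 'prop:value' lines into a dict; blank lines and # comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            props[key.strip()] = value.strip()
    return props


def check_policy(props):
    """Return (severity, property, message) findings; an empty list means the
    property set is within the baseline."""
    findings = []

    if props.get("pwd-lockout-enabled") != "on":
        findings.append(("high", "pwd-lockout-enabled",
                         "lockout is off, so online password guessing is not throttled"))
    else:
        failures = int(props.get("pwd-max-failure-count", "0"))
        if failures > 10:
            findings.append(("medium", "pwd-max-failure-count",
                             f"{failures} failures allowed before lockout (baseline: at most 10)"))
        duration = parse_duration(props.get("pwd-lockout-duration", "0s"))
        if duration is not None and duration < 15 * 60:
            findings.append(("medium", "pwd-lockout-duration",
                             f"lockout lasts {duration}s (baseline: at least 15 minutes)"))

    if int(props.get("pwd-min-length", "0")) < 8:
        findings.append(("high", "pwd-min-length", "minimum length is below 8"))
    if props.get("pwd-check-enabled") != "on":
        findings.append(("medium", "pwd-check-enabled", "password syntax checking is off"))
    if parse_duration(props.get("pwd-max-age", "unlimited")) is None:
        findings.append(("low", "pwd-max-age", "passwords never expire"))

    # Deliberate settings on this page that a reviewer should still see.
    if props.get("pwd-root-dn-bypass-enabled") == "on":
        findings.append(("info", "pwd-root-dn-bypass-enabled",
                         "the Directory Manager account is exempt from this policy"))
    if props.get("pwd-user-change-enabled") == "off":
        findings.append(("info", "pwd-user-change-enabled",
                         "users cannot change their own passwords"))
    return findings


# The values set on this page, in dsconf argument form.
PAGE_POLICY = """
pwd-check-enabled:on
pwd-lockout-duration:30m
pwd-lockout-enabled:on
pwd-max-age:57w1d
pwd-max-failure-count:5
pwd-max-history-count:5
pwd-min-length:8
pwd-must-change-enabled:off
pwd-root-dn-bypass-enabled:on
pwd-user-change-enabled:off
"""

# Constructed weaker variant, to show what the check flags.
WEAK_POLICY = """
pwd-check-enabled:off
pwd-lockout-enabled:off
pwd-max-age:unlimited
pwd-min-length:4
"""

if __name__ == "__main__":
    for sev, prop, msg in check_policy(parse_props(PAGE_POLICY)):
        print(f"[{sev}] {prop}: {msg}")
```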
  1. Copy production schema. (Assume that grinnell has a copy of the production "config" directory located at /srv/tmp/config.)
mv /srv/servers/slapd-grouper-test/config/schema/99user.ldif /srv/tmp/99user.ldif.orig
cp /srv/tmp/config/schema/99user.ldif /srv/servers/slapd-grouper-test/config/schema/
chown oracle:oinstall /srv/servers/slapd-grouper-test/config/schema/99user.ldif
  1. Configure attribute uniqueness plugin.
[oracle@grinnell ~]$ /srv/dsee7/bin/dsconf create-plugin -p 1389 -H /srv/dsee7/lib64/uid-plugin.so -F NSUniqueAttr_Init -Y preoperation "ARSCSystemID Uniqueness"
Enter "cn=Directory Manager" password:
[oracle@grinnell ~]$ /srv/dsee7/bin/dsconf set-plugin-prop -p 1389 "ARSCSystemID Uniqueness" desc:"Enforce unique attribute values..." version:7.0 vendor:"Sun Microsystems, Inc." depends-on-type:database
Enter "cn=Directory Manager" password:
Directory Server must be restarted for changes to take effect.
[oracle@grinnell ~]$ /srv/dsee7/bin/dsconf enable-plugin -p 1389 "ARSCSystemID Uniqueness"
Enter "cn=Directory Manager" password:
Directory Server must be restarted for changes to take effect.
[oracle@grinnell ~]$ /srv/dsee7/bin/dsconf set-plugin-prop -p 1389 "ARSCSystemID Uniqueness" argument:"ARSCSystemID" argument:"dc=alaska,dc=edu"
Enter "cn=Directory Manager" password:
Directory Server must be restarted for changes to take effect.

[oracle@grinnell ~]$ /srv/dsee7/bin/dsconf create-plugin -p 1389 -H /srv/dsee7/lib64/uid-plugin.so -F NSUniqueAttr_Init -Y preoperation "UASystemID Uniqueness"
Enter "cn=Directory Manager" password:
[oracle@grinnell ~]$ /srv/dsee7/bin/dsconf set-plugin-prop -p 1389 "UASystemID Uniqueness" desc:"Enforce unique attribute values..." version:7.0 vendor:"Sun Microsystems, Inc." depends-on-type:database
Enter "cn=Directory Manager" password:
Directory Server must be restarted for changes to take effect.
[oracle@grinnell ~]$ /srv/dsee7/bin/dsconf enable-plugin -p 1389 "UASystemID Uniqueness"
Enter "cn=Directory Manager" password:
Directory Server must be restarted for changes to take effect.
[oracle@grinnell ~]$ /srv/dsee7/bin/dsconf set-plugin-prop -p 1389 "UASystemID Uniqueness" argument:"UASystemID" argument:"dc=alaska,dc=edu"
Enter "cn=Directory Manager" password:
Directory Server must be restarted for changes to take effect.

[oracle@grinnell ~]$ /srv/dsee7/bin/dsadm restart /srv/servers/slapd-grouper-test
Directory Server instance '/srv/servers/slapd-grouper-test' stopped
Directory Server instance '/srv/servers/slapd-grouper-test' started: pid=27485
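The uniqueness plugins configured above are pre-operation plugins (-Y preoperation), so they vet write operations sent to the running server; entries that were already in the database when a plugin was enabled are not re-checked. Before loading production data into this instance it is therefore worth scanning the LDIF for duplicates of ARSCSystemID and UASystemID under dc=alaska,dc=edu, the same attribute/subtree pair given to the plugin as its two argument values. The script below is an added example, not part of this wiki page or of Oracle's tooling; its LDIF parser handles folded continuation lines and base64 ("::") values, and the sample LDIF is constructed for the example. Values are compared exactly, which is a simplification of whatever matching rule the plugin applies for the attribute.

```python
"""Scan an LDIF file for duplicate values of one attribute under a subtree.

Added example, not from the wiki page or from Oracle. It applies the rule the
uniqueness plugin enforces on writes (one value of the attribute per subtree)
to an LDIF export before that data is loaded. Values are compared exactly,
a simplification of the plugin's attribute matching rule.
"""
import base64


def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})] for each entry. Handles folded
    continuation lines and base64 ('::') values; '#' comments are ignored."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF folding: join onto previous line
        else:
            lines.append(raw)

    entries, dn, attrs = [], None, {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attr = attr.strip().lower()       # LDAP attribute names are case-insensitive
        if attr == "dn":
            dn = value
        else:
            attrs.setdefault(attr, []).append(value)
    return entries


def normalize_dn(dn):
    """Lower-case and strip spaces around RDN separators for comparison."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def in_subtree(dn, base):
    dn, base = normalize_dn(dn), normalize_dn(base)
    return dn == base or dn.endswith("," + base)


def find_duplicates(text, attribute, base_dn):
    """Map each value of `attribute` held by more than one entry under
    `base_dn` to the DNs holding it (the plugin's two 'argument' values)."""
    seen = {}
    for dn, attrs in parse_ldif(text):
        if not in_subtree(dn, base_dn):
            continue
        for value in attrs.get(attribute.lower(), []):
            seen.setdefault(value, []).append(dn)
    return {value: dns for value, dns in seen.items() if len(dns) > 1}


# Constructed sample data (not production entries).
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=people,dc=alaska,dc=edu
objectClass: inetOrgPerson
uid: jdoe
UASystemID: 100001

dn: uid=asmith,ou=people,dc=alaska,dc=edu
objectClass: inetOrgPerson
uid: asmith
UASystemID: 100002

# folded DN and a base64-encoded value ("100001")
dn: uid=jdoe2,ou=people,
 dc=alaska,dc=edu
objectClass: inetOrgPerson
uid: jdoe2
UASystemID:: MTAwMDAx

dn: uid=guest,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
UASystemID: 100001
"""

if __name__ == "__main__":
    for attr in ("ARSCSystemID", "UASystemID"):
        for value, dns in find_duplicates(SAMPLE_LDIF, attr, "dc=alaska,dc=edu").items():
            print(f"{attr}={value} held by: {', '.join(dns)}")
```

In the sample the third entry repeats the first entry's UASystemID under the base, so it is reported, while the dc=example,dc=org entry with the same value is outside the subtree and is not.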
  1. The top of the dse.ldif file contains ACIs. Copy the ACIs from the production dse.ldif file into the dse.ldif file on grinnell, /srv/servers/slapd-grouper-test/config/dse.ldif. They are shown below as they appear in the file (LDIF-folded, with continuation lines indented by one space).
aci: (targetattr != "aci") (targetscope = "base") (version 3.0;  aci "Enable r
 ead access to rootdse for anonymous users";  allow(read,search,compare) user
 dn="ldap:///anyone"; )
aci: (targetattr = "*") (version 3.0;  acl "Enable full access for Administrat
 ors group";  allow (all)(groupdn = "ldap:///cn=Administrators,cn=config"); )
aci: (targetattr = "userPassword") ( version 3.0; acl "allow userpassword self
  modification";  allow (write) userdn = "ldap:///self";)
aci: (targetattr = "*") (version 3.0; acl "Enable full access for Directory Se
 rvices Managers"; allow (all)(userdn = "ldap:///cn=*,cn=Administrators,cn=ds
 cc");)
aci: (targetattr = "aci") (targetscope = "base") (version 3.0; acl "Enable roo
 t ACI modification by Directory Services Managers"; allow (all)(userdn = "ld
 ap:///cn=*,cn=Administrators,cn=dscc");)
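Reading folded ACIs by eye is error-prone, and these five are what decide who can read the root DSE anonymously and who has full access to the configuration. The script below is an added example, not part of this wiki page or of Oracle's tooling: it unfolds the LDIF, parses each aci: line into its target, scope, name and allow/deny rules, and then answers the two questions a reviewer asks first, which ACIs grant anything to ldap:///anyone and which grant the all right. The parser covers only the ACI shapes that appear in the block above (targetattr, targetscope, one rule with a userdn, groupdn or roledn subject) and is not a full ACI grammar; SAMPLE_DSE is the page's own ACI block, kept folded as in the file.

```python
"""Parse the ACIs at the top of a DSEE dse.ldif and list who is granted what.

Added example, not from the wiki page or from Oracle. The parser covers the
ACI shapes in the page's block (targetattr, targetscope, one allow/deny rule
with a userdn, groupdn or roledn subject); it is not a full ACI grammar, and
an ACI it cannot parse shows up with an empty rule list.
"""
import re

TARGETATTR_RE = re.compile(r'\(targetattr\s*(!=|=)\s*"([^"]*)"\)')
TARGETSCOPE_RE = re.compile(r'\(targetscope\s*=\s*"([^"]*)"\)')
# The name keyword (acl or aci) follows the "version 3.0;" clause. Anchoring
# on ';' keeps the (targetattr = "aci") target from being taken as the keyword.
NAME_RE = re.compile(r';\s*(?:acl|aci)\s*"([^"]*)"')
RULE_RE = re.compile(
    r'(allow|deny)\s*\(([^)]*)\)\s*\(?\s*(userdn|groupdn|roledn)\s*=\s*"([^"]*)"')


def unfold(text):
    """Join LDIF continuation lines (leading space) onto the preceding line."""
    out = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out


def parse_acis(text):
    """One dict per 'aci:' line: name, targetattr (op, value), targetscope, rules."""
    acis = []
    for line in unfold(text):
        if not line.startswith("aci:"):
            continue
        body = line[len("aci:"):].strip()
        ta = TARGETATTR_RE.search(body)
        ts = TARGETSCOPE_RE.search(body)
        name = NAME_RE.search(body)
        acis.append({
            "name": name.group(1) if name else "",
            "targetattr": (ta.group(1), ta.group(2)) if ta else None,
            "targetscope": ts.group(1) if ts else None,
            "rules": [{"effect": effect,
                       "rights": [r.strip() for r in rights.split(",")],
                       "subject_type": stype, "subject": subject}
                      for effect, rights, stype, subject in RULE_RE.findall(body)],
        })
    return acis


def anonymous_grants(acis):
    """ACIs that allow anything to ldap:///anyone, i.e. to unauthenticated binds."""
    return [a for a in acis
            if any(r["effect"] == "allow" and r["subject"] == "ldap:///anyone"
                   for r in a["rules"])]


def full_access_grants(acis):
    """(ACI name, subject) pairs that are allowed the 'all' right."""
    return [(a["name"], r["subject"]) for a in acis for r in a["rules"]
            if r["effect"] == "allow" and "all" in r["rights"]]


# The page's ACI block, kept LDIF-folded exactly as it appears in dse.ldif.
SAMPLE_DSE = """\
aci: (targetattr != "aci") (targetscope = "base") (version 3.0;  aci "Enable r
 ead access to rootdse for anonymous users";  allow(read,search,compare) user
 dn="ldap:///anyone"; )
aci: (targetattr = "*") (version 3.0;  acl "Enable full access for Administrat
 ors group";  allow (all)(groupdn = "ldap:///cn=Administrators,cn=config"); )
aci: (targetattr = "userPassword") ( version 3.0; acl "allow userpassword self
  modification";  allow (write) userdn = "ldap:///self";)
aci: (targetattr = "*") (version 3.0; acl "Enable full access for Directory Se
 rvices Managers"; allow (all)(userdn = "ldap:///cn=*,cn=Administrators,cn=ds
 cc");)
aci: (targetattr = "aci") (targetscope = "base") (version 3.0; acl "Enable roo
 t ACI modification by Directory Services Managers"; allow (all)(userdn = "ld
 ap:///cn=*,cn=Administrators,cn=dscc");)
"""

if __name__ == "__main__":
    parsed = parse_acis(SAMPLE_DSE)
    for a in anonymous_grants(parsed):
        print("anonymous:", a["name"], a["targetattr"], a["targetscope"])
    for name, subject in full_access_grants(parsed):
        print("all:", name, "->", subject)
```

On the page's block the only anonymous grant is read/search/compare at base scope with the aci attribute excluded (the root DSE), and the all right goes to the cn=Administrators,cn=config group and to cn=*,cn=Administrators,cn=dscc, the second of those twice, once for everything and once specifically for the root ACIs. That matches what the comments in the file claim, which is the point of checking.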