Warning Livedoc is no longer being updated and will be deprecated shortly. Please refer to https://documentation.tjhsst.edu.

Sun Java System Directory Server

From Livedoc - The Documentation Repository
Revision as of 12:24, 12 August 2008 by William Yang (talk | contribs) (Initial edit.)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Currently, this article applies to version 6 of Sun Java System Directory Server, Sun's implemention of an LDAP server. It is sometimes referred to as Sun Directory Server, Directory Server Enterprise Edition, or DSEE.


  • Currently we use the Java Enterprise System (JES) or native packages installers. Note that the native package installer for version 6.3 is really the JES installer for 6.0 + Solaris patch.
  • To use Identity Synchronization for Windows (ISW), you may need to download the ZIP distribution of DSEE. Note that you should still install the native packages distribution for DSEE, only using the ZIP distribution to get ISW.
  • When installing DSEE, choose "Configure Later". After installation completes, run the following sequence of commands to use the DSCC (not a typo) web management interface:
/opt/SUNWdsee/dscc6/bin/dsccsetup initialize
cacaoadm enable
cacaoadm start
smcwebserver enable
smcwebserver start

Configuration Notes

Any configuration steps listed below that are server-specific must be run on each LDAP instance!

  • The databases are currently stored using ZFS, located at /store/ds/{subdir}.
  • We use the wildcard SSL certificate from ipsCA rather than a self-signed one for LDAP because we have it and it works. It needs to be imported in PKCS12 format (the password for which cannot be null). As last attempted, this process seems to be a little more involved than it should:
    • Import the certificate
    • Restart the Directory Server instance
    • Now switch to the new certificate
    • Restart again
  • To change the manager password, run ldapmodify with the appropriate arguments against this:
dn: cn=config
changetype: modify
replace: nsslapd-rootpw
nsslapd-rootpw: newpassword
  • To enable starting the server at boot time using SMF, run
/opt/SUNWdsee/ds6/bin/dsadm enable-service -T SMF /path/to/directory

DSCC's LDAP server is located at /var/opt/SUNWdsee/dscc6/dcc/ads, while we locate the data-containing LDAP servers at /store/ds/{subdir}. Also run svccfg -s application/sun/ds setprop start/timeout_seconds=600 in the event that a recovery needs to take a long time, otherwise SMF will kill and restart the LDAP server if a recovery operation takes longer than the default timeout (which means the directory server may not ever automatically restart after a system crash). Finally run svcadm enable on the new SMF entries created for the Directory Servers. sun/ds:default doesn't start anything so you don't need to enable that.


See also NSS LDAP.

  • NSS LDAP databases are stored in /store/ds/nss.
  • Currently ports 388 (non-SSL) and 635 (SSL) are used for NSS LDAP, but that is not a requirement. It is used because NSS LDAP used to coexist with another LDAP instance at the same IP address that used the normal 389/636 ports. While that is no longer the case, the port numbers were kept to reduce impact on already configured client systems.
  • Verify that the following 4 acis exist on the root dn entry dc=csl,dc=tjhsst,dc=edu (easily done by reading a backup LDIF dump):
aci: (targetattr="dspswpassword")(version 3.0; acl "No read access to dspswpas
 sword"; deny(read, search, compare) userdn="ldap:///anyone";)
aci: (targetattr="dspswuserlink || dspswloop || dspswvalidate")(version 3.0; a
 cl "deny write access to dspswuserlink, dspswloop, dspswvalidate"; deny(writ
 e) userdn="ldap:///self";)
aci: (targetattr="*")(version 3.0; acl "Full rights for PSW Connector"; allow(
 all) userdn="ldap:///uid=PSWConnector,dc=csl,dc=tjhsst,dc=edu";)
aci: (target="ldap:///dc=csl,dc=tjhsst,dc=edu")(targetattr !="aci")(version 3.
 0;acl "anonymous, no acis"; allow (read, search, compare) userdn = "ldap:///
  • In order for NSS LDAP to fully work for Solaris clients, we need to set up VLV indexes (nowadays sometimes referred to as "browsing indexes". This must be done on EACH replica server, not just the master(s). Without these indexes, while the system will probably work fine, you won't be able to "dump" the NSS databases using getent passwd or getent group.
    • From the DSCC web interface, select the LDAP instance, then go to Entry Management -> Access Control
    • Edit the "VLV Request Control" entry to apply to ldap:///anyone instead of ldap:///all (anyone means anonymous access while all means any bound user)
    • On the command line, ldapadd the vlvindexes.ldif file (currently located in the ds folder on the Sun admin volume)
    • Stop the directory instance
    • Generate the VLV indexes: dsadm reindex -l -b -t csl.tjhsst.edu.getpwent -t csl.tjhsst.edu.getgrent /store/ds/nss csl
  • We also want to supplement the default attribute indexes. After logging into the DSCC, go to Directory Servers -> Suffixes -> [choose the suffix] -> Indexes.
    • For "uid", enable Presence and Substring (Equality should already be enabled).
    • ldapadd the nssindexes.ldif file to add all the other indexes that we want.
    • Indexes shouldn't need to be regenerated since there shouldn't be any data in the directory server yet.
  • Adjust the default cache values. Select the LDAP instance, then go to Server Configuration.
    • On the LDAP subtab, set the Size Limit and Lookthrough Limit to Unlimited. The default 3600 second Time Limit and Unlimited Idle Timeout should be fine.
    • On the Performance subtab, change the following values:
      • Database Cache (Global): 256 MB
      • Initialization Cache (Global): 512 MB
      • Cache Size Limits: dc=csl,dc=tjhsst,dc=edu: 64 MB
    • If using ISW: on the Plugins subtab, select the "referential integrity postoperation" plugin. Set the Argument 1 to "2". This should make mass modifications and deletions faster[1]. This plugin is enabled by Identity Synchronization, so at the time you change the setting, the plugin may still be disabled.