
Installing Sun Directory Server Enterprise Edition

In this installation we install the ODSEE 11.1.1.5 directory server on CentOS
Linux 6.3 32-bit. This is a zip-based installation; please follow the steps given
below to install it on your system. Please be sure that SELinux is disabled and
iptables is stopped. If you want to run ODSEE with SELinux and iptables active,
then configure SELinux and iptables as required.

V25766-01(1).zip is the zip file containing the ODSEE software. The install path of
the ODSEE directory server is /ldap

[root@odsee ~]# ls

anaconda-ks.cfg install.log install.log.syslog ldif tmp V25766-01(1).zip

[root@odsee ~]#

Unzip the V25766-01(1).zip file in the tmp directory and then unzip sun-dsee7.zip
into the /ldap directory

[root@odsee ~]# cd tmp/

[root@odsee tmp]# unzip ../V25766-01\(1\).zip

creating: ODSEE_Identity_Synchronization_for_Windows/jdk/

inflating: ODSEE_Identity_Synchronization_for_Windows/jdk/jdk-1.5.0_29-fcs.i586.rpm

creating: ODSEE_Identity_Synchronization_for_Windows/144591-01/

inflating: ODSEE_Identity_Synchronization_for_Windows/144591-01/README.144591-01

inflating: ODSEE_Identity_Synchronization_for_Windows/144591-01/LEGAL_LICENSE.TXT

extracting: ODSEE_Identity_Synchronization_for_Windows/144591-01/isw.6.0.sp1.linux.zip

creating: ODSEE_ZIP_Distribution/

inflating: ODSEE_ZIP_Distribution/idsktune

extracting: ODSEE_ZIP_Distribution/sun-dsee7.zip

inflating: README.txt

inflating: THIRDPARTYLICENSEREADME-ODSEE.txt

[root@odsee tmp]#

[root@odsee tmp]# ls

COPYRIGHT.txt ODSEE_ZIP_Distribution
THIRDPARTYLICENSEREADME-ODSEE.txt

ODSEE_Identity_Synchronization_for_Windows README.txt

[root@odsee tmp]# cd ODSEE_ZIP_Distribution/

[root@odsee ODSEE_ZIP_Distribution]# ls

idsktune sun-dsee7.zip

[root@odsee ODSEE_ZIP_Distribution]# unzip -d /ldap/ sun-dsee7.zip

---------------------------------- OUTPUT TRUNCATED ------------------------------------------------

/ldap/dsee7/jre/lib/i386/client/libjsig.so -> ../libjsig.so

/ldap/dsee7/jre/lib/i386/server/libjsig.so -> ../libjsig.so

[root@odsee ODSEE_ZIP_Distribution]#

ODSEE directory server is now installed in the /ldap/dsee7 directory.

Go to the /ldap/dsee7/bin directory and run the command below to check the version

[root@odsee ODSEE_ZIP_Distribution]# cd /ldap/dsee7/

[root@odsee dsee7]# ls

bin dsrk etc ext include jre lib resources var


[root@odsee dsee7]#

[root@odsee bin]# ./dsadm --version

[dsadm]

dsadm : 11.1.1.5.0 B2011.0517.2350 ZIP

Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.

[slapd 32-bit]

Oracle Corporation.

Sun-Directory-Server/11.1.1.5.0 B2011.0517.2350 32-bit

ns-slapd : 11.1.1.5.0 B2011.0517.2350 ZIP

Slapd Library : 11.1.1.5.0 B2011.0517.2350

Front-End Library : 11.1.1.5.0 B2011.0517.2350

[root@odsee bin]#

ODSEE Suffix Configuration

For basic configuration of the ODSEE server we need to create a new instance
listening on port 3891 (non-secure) and port 6361 (secure), and a suffix with
data on the server. Please follow the steps given below for the instance
creation and suffix creation.

Creating an instance and suffix on ODSEE 11

Use the dsadm command to create the instance of ODSEE


[root@odsee bin]# ./dsadm create -p 3891 -P 6361 /ldap/instances/masterA

Choose the Directory Manager password:

Confirm the Directory Manager password:

Use 'dsadm start '/ldap/instances/masterA'' to start the instance

[root@odsee bin]#

Start the instance with dsadm start INSTANCE_PATH

[root@odsee bin]# ./dsadm start /ldap/instances/masterA/

Directory Server instance '/ldap/instances/masterA' started: pid=3768

[root@odsee bin]#

Check the instance status

[root@odsee bin]# ./dsadm info /ldap/instances/masterA/

Instance Path: /ldap/instances/masterA

Owner: root(root)

Non-secure port: 3891

Secure port: 6361

Bit format: 32-bit

State: Running

Server PID: 3768

DSCC url: -

Instance version: D-A20

[root@odsee bin]#

Create the suffix dc=ldaphome,dc=com with the dsconf command

[root@odsee bin]# ./dsconf create-suffix -e -p 3891 -B ldaphome dc=ldaphome,dc=com

Enter "cn=Directory Manager" password:

[root@odsee bin]#

Check the suffix properties with dsconf get-suffix-prop SUFFIX_DN

[root@odsee bin]# ./dsconf get-suffix-prop -e -p 3891 dc=ldaphome,dc=com

Enter "cn=Directory Manager" password:

all-ids-threshold : inherited (4000)

compressed-entries : overflow

compression-mode : none

db-name : ldaphome

db-path : /ldap/instances/masterA/db/ldaphome

enabled : on

entry-cache-count : unlimited

entry-cache-size : 10M

entry-count : 1

entry-crc-enabled : off

index-filter-analyzer-enabled : off

index-filter-analyzer-max-entries : 2000

moddn-enabled : inherited (off)

parent-suffix-dn : undefined

referral-mode : disabled

referral-url : undefined

repl-accept-client-update-enabled : N/A

repl-cl-max-age : N/A

repl-cl-max-entry-count : N/A
repl-id : N/A

repl-manager-bind-dn : N/A

repl-purge-delay : N/A

repl-rewrite-referrals-enabled : N/A

repl-role : not-replicated

require-index-enabled : off

[root@odsee bin]#

Your suffix is ready; now load data into the suffix. Here we add only two
entries to the suffix (the LDIF is typed on standard input; Ctrl-C ends the session)

[root@odsee bin]# /ldap/dsee7/dsrk/bin/ldapmodify -h odsee.ldaphome.com -p 3891 -D "cn=directory manager" -w test123test -a

dn: ou=people,dc=ldaphome,dc=com

objectclass: organizationalunit

ou: people

adding new entry ou=people,dc=ldaphome,dc=com

dn: uid=user.0,ou=people,dc=ldaphome,dc=com

cn: user.0

sn: user.0

userpassword: test123test

objectclass: inetorgperson

adding new entry uid=user.0,ou=people,dc=ldaphome,dc=com


^C

[root@odsee bin]#

===============================================================================

ODSEE Access Control List

In the internet world servers are open to the internet/intranet, so anyone can
connect to the server and perform add/delete/modify operations on it. If the
server is opened to the network without proper access control it is very risky:
anyone can steal or damage your data. There are many applications that
authenticate against the LDAP server with a username and password, so if the
LDAP server is compromised your applications may be compromised as well.

The ODSEE directory server has a very capable ACI (access control instruction)
facility to secure the server. With ACIs we can permit user/group/role based
access on the suffixes. If the ODSEE LDAP server is not configured with proper
ACI rules, configure them properly.

ODSEE Anonymous Access ACI

To give anonymous access on the ODSEE LDAP server, allow read, search and
compare access on the suffix to anyone. First try to search as an anonymous
user (no ACI grants anonymous access yet, so no entries are returned)

[root@odsee bin]# ldapsearch -h odsee.ldaphome.com -p 3891 -b dc=ldaphome,dc=com

# extended LDIF

# LDAPv3

# base with scope subtree


# filter: (objectclass=*)

# requesting: ALL

# search result

search: 2

result: 0 Success

# numResponses: 1

[root@odsee bin]#

Allow anonymous access

Add the ACI that allows anonymous access

[root@odsee bin]# ldapmodify -h odsee.ldaphome.com -p 3891 -D "cn=directory manager" -w test123test

dn: dc=ldaphome,dc=com

changetype: modify

add: aci

aci: (targetattr="*")(version 3.0; acl "Anonymous Access"; allow (read, search, compare) userdn="ldap:///anyone";)

modifying entry "dc=ldaphome,dc=com"

^C

[root@odsee bin]#

Now search again as an anonymous user

[root@odsee bin]# ldapsearch -h odsee.ldaphome.com -p 3891 -b dc=ldaphome,dc=com dn

# ldaphome.com

dn: dc=ldaphome,dc=com

# people, ldaphome.com

dn: ou=people,dc=ldaphome,dc=com

# user.0, people, ldaphome.com

dn: uid=user.0,ou=people,dc=ldaphome,dc=com

[root@odsee bin]#

Full access for user uid=user.1,ou=people,dc=ldaphome,dc=com on dc=ldaphome,dc=com

[root@odsee bin]# ldapmodify -h odsee.ldaphome.com -p 3891 -D "cn=directory manager" -w test123test

dn: dc=ldaphome,dc=com

changetype: modify

add: aci

aci: (targetattr="*")(version 3.0; acl "Allow user.1"; allow (all) userdn="ldap:///uid=user.1,ou=people,dc=ldaphome,dc=com";)

modifying entry "dc=ldaphome,dc=com"

^C

[root@odsee bin]#
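Once ACIs accumulate on a suffix it is easy to lose track of who can do what. The following script is an added example (it is not part of this tutorial and not ODSEE code) that parses ACI strings of the simple shape used above and flags the patterns a reviewer looks for: write-class rights granted to ldap:///anyone or ldap:///all, allow (all) over every attribute (which includes the aci attribute itself), and anonymous read of every attribute (which includes userPassword unless it is excluded with targetattr != "..."). The two ACIs are the ones added in this section; the third is constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample: the two ACIs added to dc=ldaphome,dc=com in this section,
# plus one constructed ACI (not from the page) that grants write to anyone.
SAMPLE_ACIS = [
    '(targetattr="*")(version 3.0; acl "Anonymous Access"; allow (read, search, compare) userdn="ldap:///anyone";)',
    '(targetattr="*")(version 3.0; acl "Allow user.1"; allow (all) userdn="ldap:///uid=user.1,ou=people,dc=ldaphome,dc=com";)',
    '(targetattr="*")(version 3.0; acl "Constructed open write"; allow (write) userdn="ldap:///anyone";)',
]

# Matches the one-target, one-rule ACI shape used on this page:
# (targetattr [!]= "...")(version 3.0; acl "name"; allow|deny (rights) bindrule;)
ACI_RE = re.compile(
    r'\(targetattr\s*(?P<op>!?=)\s*"(?P<targetattr>[^"]*)"\)'
    r'\s*\(version\s+3\.0;\s*acl\s+"(?P<name>[^"]*)";\s*'
    r'(?P<verb>allow|deny)\s*\(\s*(?P<rights>[^)]*)\)\s*'
    r'(?P<bindrule>.*?);\s*\)$',
    re.DOTALL,
)
BIND_RE = re.compile(r'(userdn|groupdn|roledn)\s*=\s*"([^"]*)"')

# Rights that let the subject change data or act as another identity.
WRITE_RIGHTS = {"all", "write", "add", "delete", "selfwrite", "proxy", "import", "export"}
ANONYMOUS = {"ldap:///anyone"}       # unauthenticated and authenticated users alike
ANY_AUTHENTICATED = {"ldap:///all"}  # any bound user


def parse_aci(aci: str) -> Dict[str, object]:
    """Break an ACI string into its target, name, verb, rights and bind rule."""
    m = ACI_RE.match(aci.strip())
    if not m:
        raise ValueError(f"unrecognised ACI syntax: {aci!r}")
    rights = [r.strip().lower() for r in m.group("rights").split(",") if r.strip()]
    bindrule = m.group("bindrule").strip()
    b = BIND_RE.match(bindrule)
    return {
        "name": m.group("name"),
        "targetattr": m.group("targetattr"),
        "targetattr_negated": m.group("op") == "!=",
        "verb": m.group("verb"),
        "rights": rights,
        "subject_type": b.group(1) if b else None,
        "subject": b.group(2) if b else bindrule,
    }


def review_aci(aci: str) -> List[str]:
    """Return human-readable findings for one ACI (empty list = nothing to report)."""
    p = parse_aci(aci)
    findings: List[str] = []
    if p["verb"] != "allow":
        return findings
    rights = set(p["rights"])
    all_attrs = p["targetattr"] == "*" and not p["targetattr_negated"]
    anon = p["subject"] in ANONYMOUS
    broad = anon or p["subject"] in ANY_AUTHENTICATED
    if broad and rights & WRITE_RIGHTS:
        findings.append(f'"{p["name"]}": grants {sorted(rights & WRITE_RIGHTS)} to {p["subject"]}')
    if "all" in rights and all_attrs:
        findings.append(f'"{p["name"]}": allow (all) on every attribute (including aci) for {p["subject"]}')
    if anon and "read" in rights and all_attrs:
        findings.append(f'"{p["name"]}": anonymous read of every attribute; consider excluding userPassword and aci with targetattr != "..."')
    return findings


def review_all(acis: List[str]) -> Dict[str, List[str]]:
    """Map each ACI name to its findings, for a quick audit of a suffix's ACIs."""
    return {parse_aci(a)["name"]: review_aci(a) for a in acis}


if __name__ == "__main__":
    for name, notes in review_all(SAMPLE_ACIS).items():
        print(name, "->", notes or ["ok"])
```

To audit a live suffix, feed the script the aci values returned by ldapsearch with the aci attribute requested (as Directory Manager, since anonymous users are not granted read on aci). The regex deliberately covers only the single-rule form shown in this tutorial; ACIs with multiple rules or targetfilter clauses raise ValueError rather than being silently misread.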

==================================================================================

Configure SSL/TLS on ODSEE/Sun DSEE Server

There are two types of network data transfer, clear-text and SSL/TLS. In
clear-text form the communication between the client and server is in plain
text; any sniffer can read the data packets on the network and easily see
what is flowing. To overcome this plaintext risk we can use SSL/TLS
transmission. SSL/TLS are cryptographic protocols used to encrypt the
transmission of data between server and client or between server and server.
The encryption is based on public/private keys.

In SSL/TLS the server can use two types of certificate, self-signed certificates
and CA-signed certificates. The latter is more robust and trusted by the clients.

Configure SSL/TLS with OpenSSL

Requirements

Certifying Authority

Server Private Key

Certificate Signing Request

Server Public Certificate

Steps to setup the SSL

Create a private key

Generate the certificate signing request (CSR)


Sign the CSR from CA

Declare the private key and public key in the server

Check the SSL connection

Note: here we configure our own CA with OpenSSL, which signs the server
certificates.

Configure CA on CentOS Linux

Step 1. Configure the openssl.cnf file

Name the CA certificate file ca.crt and the CA private key ca.key; the
certificate and private_key entries below point at those names.

[root@odsee ~]# cd /etc/pki/tls/

[root@odsee tls]# vim openssl.cnf

[ ca ]

default_ca = CA_default # The default ca section

####################################################################

[ CA_default ]

dir = /etc/pki/CA # Where everything is kept

certs = $dir/certs # Where the issued certs are kept

crl_dir = $dir/crl # Where the issued crl are kept

database = $dir/index.txt # database index file.

#unique_subject = no # Set to 'no' to allow creation of several certificates with same subject.


new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/ca.crt # The CA certificate

serial = $dir/serial # The current serial number

crlnumber = $dir/crlnumber # the current crl number

# must be commented out to leave a V1 CRL

crl = $dir/crl.pem # The current CRL

private_key = $dir/private/ca.key # The private key

RANDFILE = $dir/private/.rand # private random number file

Step 2. Create the CA private key and certificate

Create the CA certificate and CA key with make ca.crt

[root@odsee certs]# cd /etc/pki/tls/certs

[root@odsee certs]# make ca.crt

umask 77 ; \

/usr/bin/openssl genrsa -aes128 2048 > ca.key

Generating RSA private key, 2048 bit long modulus

...............................................+++

...........................+++

e is 65537 (0x10001)

Enter pass phrase:

Verifying - Enter pass phrase:


umask 77 ; \

/usr/bin/openssl req -utf8 -new -key ca.key -x509 -days 365 -out ca.crt -set_serial 0

Enter pass phrase for ca.key:

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [IN]:IN

State or Province Name (full name) [Delhi]:

Locality Name (eg, city) [New Delhi]:

Organization Name (eg, company) [Example CA Authority]:

Organizational Unit Name (eg, section) []:Certificates Section

Common Name (eg, your name or your server's hostname) []:ExampleCA

Email Address []:support@example.com

[root@odsee certs]#

Move the CA private key file (ca.key) to /etc/pki/CA/private and set its
permissions to 0700. Move the CA certificate file ca.crt to /etc/pki/CA

[root@odsee certs]# mv ca.key /etc/pki/CA/private/

[root@odsee certs]# chmod 0700 /etc/pki/CA/private/ca.key

[root@odsee certs]# mv ca.crt /etc/pki/CA/


Create the serial and index files under /etc/pki/CA

[root@odsee ~]# cd /etc/pki/CA

[root@odsee CA]# touch index.txt

[root@odsee CA]# echo 01 > serial

[root@odsee CA]#

Your CA is configured. Now request a certificate from the directory server with
the dsadm command

Request a CSR

Request a certificate signing request from the directory server using
dsadm request-cert. Give the full DNS hostname (FQDN) of the server in the CSR
request command.

[root@odsee bin]# ./dsadm request-cert

Operand is missing

Usage: dsadm request-cert [ -i ] [ -W CERT_PW_FILE ] { -S DN | --name NAME [ --org ORG ] [ --org-unit ORG-UNIT ] [ --city CITY ] [ --state STATE ] [ --country COUNTRY ] } [ --phone PHONE ] [ --email EMAIL ] ... [ --dns DOMAIN ] ... [ --keysize KEYSIZE ] [ --sigalg SIGALG ] [ -F FORMAT ] [ -o OUTPUT_FILE ] INSTANCE_PATH

[root@odsee bin]# hostname

odsee.ldaphome.com

[root@odsee bin]#
[root@odsee bin]# ./dsadm request-cert --name odsee.ldaphome.com --org
"LDAPHOME Company Ltd." --org-unit "Directory Services" --city "Noida"
--state "Uttar Pradesh" --country "IN" --phone "9891290666" --email
"support@ldaphome.com" --dns "ldaphome.com" --keysize 1024 -F ascii -o
odsee.csr /ldap/instances/masterA/

[root@odsee bin]#

Send the CSR odsee.csr to the CA to be signed, through email or FTP

Sign the CSR with CA

Run the command below on the CA server. In my case both servers are the same
machine, odsee.ldaphome.com

[root@odsee bin]# openssl x509 -req -in odsee.csr -out odsee.crt -days
365 -CA /etc/pki/CA/certs/ca.crt -CAkey /etc/pki/CA/private/ca.key
-CAserial /etc/pki/CA/serial

Signature ok

subject=/C=IN/ST=Uttar Pradesh/L=Noida/OU=Directory Services/O=LDAPHOME Company Ltd./CN=odsee.ldaphome.com

Getting CA Private Key

Enter pass phrase for /etc/pki/CA/private/ca.key:

[root@odsee bin]#

The CA sends the certificate back to the client by email or FTP

On Directory server side


Add the CA-signed certificate to the server and restart the instance

[root@odsee bin]# ./dsadm add-cert /ldap/instances/masterA/ server-cert /ldap/dsee7/bin/odsee.crt

The Directory Server will need to be restarted before being able to use the
new certificate.

[root@odsee bin]#

[root@odsee bin]# ./dsadm restart /ldap/instances/masterA/

Directory Server instance '/ldap/instances/masterA' stopped

Directory Server instance '/ldap/instances/masterA' started: pid=3864

[root@odsee bin]#

Configure the server to use the new certificate for SSL communication

[root@odsee bin]# ./dsconf set-server-prop -e -p 3891 ssl-rsa-cert-name:server-cert

Enter "cn=Directory Manager" password:

Before setting SSL configuration, export Directory Server data.

Do you want to continue [y/n] ? y

Directory Server must be restarted for changes to take effect.

[root@odsee bin]#

[root@odsee bin]# ./dsadm restart /ldap/instances/masterA/

Directory Server instance '/ldap/instances/masterA' stopped


Directory Server instance '/ldap/instances/masterA' started: pid=3864

[root@odsee bin]#

Your server is now configured with a CA-signed certificate. Check the certificate
with the openssl command

[root@odsee bin]# openssl s_client -connect odsee.ldaphome.com:6361 -CAfile /etc/pki/CA/certs/ca.crt

CONNECTED(00000003)

depth=1 C = IN, ST = Delhi, L = New Delhi, O = Example CA Authority, OU = Certificates Section, CN = ExampleCA, emailAddress = support@example.com

verify return:1

depth=0 C = IN, ST = Uttar Pradesh, L = Noida, OU = Directory Services, O = LDAPHOME Company Ltd., CN = odsee.ldaphome.com

verify return:1

---

Certificate chain

0 s:/C=IN/ST=Uttar Pradesh/L=Noida/OU=Directory Services/O=LDAPHOME Company Ltd./CN=odsee.ldaphome.com

i:/C=IN/ST=Delhi/L=New Delhi/O=Example CA Authority/OU=Certificates Section/CN=ExampleCA/emailAddress=support@example.com

---

Server certificate

-----BEGIN CERTIFICATE-----

MIIDKDCCAhACAQIwDQYJKoZIhvcNAQEFBQAwgacxCzAJBgNVBAYTAklOMQ4wD
AYD
BgNVBAMMCUV4YW1wbGVDQTEiMCAGCSqGSIb3DQEJARYTc3VwcG9ydEBleGF
tcGxl

igC67+9H0HAkQKLfQ9Un5cgtrydCGHF4l2J7GfaV3ovKxumXdAJb5BfY4yuf58o5

CeelQil6opKFyRvEJbcVrFiEQGWTzNjv7fjXA1SYvyGm86AShePMr39WFvs=

---------------- OUTPUT TRUNCATED -----------------------------

-----END CERTIFICATE-----

subject=/C=IN/ST=Uttar Pradesh/L=Noida/OU=Directory Services/O=LDAPHOME Company Ltd./CN=odsee.ldaphome.com

issuer=/C=IN/ST=Delhi/L=New Delhi/O=Example CA Authority/OU=Certificates Section/CN=ExampleCA/emailAddress=support@example.com

---

Acceptable client certificate CA names

/O=Sun Microsystems/CN=Directory Server/CN=6361/CN=odsee.ldaphome.com

---

SSL handshake has read 1083 bytes and written 323 bytes

---

New, TLSv1/SSLv3, Cipher is CAMELLIA256-SHA

Server public key is 1024 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

SSL-Session:

Protocol : TLSv1

Cipher : CAMELLIA256-SHA

Session-ID: 0F62D9B2C94155A49AE76C88A0E5BD2D6DE19F90C722DDDA9DC8ADACA72F3C6B
Session-ID-ctx:

Master-Key: 95F0075D78DCB251A9B97D0201748DB2D6D49D4E449B632E2660B8C2EEED863433D15DF6B76D3DD9E61566B567C87977

Key-Arg : None

Krb5 Principal: None

PSK identity: None

PSK identity hint: None

Start Time: 1421674520

Timeout : 300 (sec)

Verify return code: 0 (ok)

---
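The s_client output above confirms the chain verifies (Verify return code: 0), but it also shows two things a practitioner should read off such a check: the session negotiated TLSv1 and the server key is 1024 bits. The script below is an added example (not part of the tutorial, not ODSEE code) that performs the same verification from Python with the ssl module, checking the chain against the ca.crt file and the hostname, and reports protocol, cipher, certificate subject and remaining validity. The helpers flag protocol versions below TLSv1.2 and RSA keys below 2048 bits, thresholds chosen for this example; the host, port and cafile arguments are whatever you pass on the command line.

```python
import socket
import ssl
import time
from typing import Dict

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # threshold chosen for this example
MIN_RSA_BITS = 2048                                       # likewise


def cert_days_left(not_after: str, now_epoch: float) -> float:
    """Days until the certificate's notAfter, given in OpenSSL's text form ('Jan  1 00:00:00 2016 GMT')."""
    return (ssl.cert_time_to_seconds(not_after) - now_epoch) / 86400.0


def is_weak_protocol(version: str) -> bool:
    """True for the protocol versions a client should no longer accept."""
    return version in WEAK_PROTOCOLS


def is_weak_key(bits: int) -> bool:
    """True for RSA moduli shorter than MIN_RSA_BITS (the page's CSR used --keysize 1024)."""
    return bits < MIN_RSA_BITS


def check_ldaps(host: str, port: int, cafile: str, timeout: float = 5.0) -> Dict[str, object]:
    """Open a TLS connection, verify the chain against cafile and the hostname, and report on it."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED plus hostname check
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()                   # only populated after successful verification
            subject = dict(rdn[0] for rdn in cert["subject"])
            issuer = dict(rdn[0] for rdn in cert["issuer"])
            report = {
                "subject_cn": subject.get("commonName"),
                "issuer_cn": issuer.get("commonName"),
                "days_left": cert_days_left(cert["notAfter"], time.time()),
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "weak_protocol": is_weak_protocol(tls.version()),
            }
    return report


if __name__ == "__main__":
    import sys
    # usage: python check_ldaps.py odsee.ldaphome.com 6361 /etc/pki/CA/certs/ca.crt
    host, port, cafile = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    for key, value in check_ldaps(host, port, cafile).items():
        print(f"{key}: {value}")
```

If the chain or hostname does not verify, wrap_socket raises ssl.SSLCertVerificationError instead of returning a report, which is the behaviour you want from a monitoring check: a silent fallback to an unverified connection would hide exactly the failure the check exists to catch.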

Configure your CA certificate for the OpenLDAP client commands, then run the
ldapsearch command to check the SSL certificate

[root@odsee certs]# cp /etc/pki/CA/ca.crt /etc/openldap/cacerts

[root@odsee cacerts]# ln -s ca.crt `openssl x509 -hash -noout -in ca.crt`.0

[root@odsee cacerts]# ls

5053cf66.0 ca.crt

[root@odsee cacerts]# vim /etc/openldap/ldap.conf

TLS_CACERTDIR /etc/openldap/cacerts

URI ldap://odsee.ldaphome.com:3891/

BASE dc=ldaphome,dc=com

Now run the OpenLDAP client ldapsearch command

Connecting on port 3891 with StartTLS (-ZZ)

[root@odsee openldap]# ldapsearch -x -h odsee.ldaphome.com -p 3891 -D "cn=directory manager" -w test123test -b "dc=ldaphome,dc=com" cn=praveen -ZZ

# extended LDIF

# LDAPv3

# base with scope subtree

# filter: cn=praveen

# requesting: ALL

# praveen, people, ldaphome.com

dn: cn=praveen,ou=people,dc=ldaphome,dc=com

userPassword:: e1NTSEF9Q1hZMlJKdFhYeW45ODQrUUthR3pKaXFBcmFjUWRwNEMweTlITnc9PQ=

objectClass: inetorgperson

objectClass: organizationalPerson

objectClass: person

objectClass: top

sn: kumar

cn: praveen

# search result

search: 3
result: 0 Success

# numResponses: 2

# numEntries: 1

[root@odsee openldap]#

Connecting to the SSL port 6361

[root@odsee openldap]# ldapsearch -x -H ldaps://odsee.ldaphome.com:6361 -D "cn=directory manager" -w test123test -b "dc=ldaphome,dc=com" cn=praveen

# extended LDIF

# LDAPv3

# base with scope subtree

# filter: cn=praveen

# requesting: ALL

# praveen, people, ldaphome.com

dn: cn=praveen,ou=people,dc=ldaphome,dc=com

userPassword:: e1NTSEF9Q1hZMlJKdFhYeW45ODQrUUthR3pKaXFBcmFjUWRwNEMweTlITnc9PQ=

objectClass: inetorgperson

objectClass: organizationalPerson

objectClass: person
objectClass: top

sn: kumar

cn: praveen

# search result

search: 2

result: 0 Success

# numResponses: 2

# numEntries: 1

[root@odsee openldap]#

Connecting through the ODSEE ldapsearch command

Prepare the certificate database for the ODSEE LDAP client commands

[root@odsee ~]# mkdir certs

[root@odsee ~]# /ldap/dsee7/bin/certutil -N -d /root/certs

Enter a password which will be used to encrypt your keys.

The password should be at least 8 characters long,

and should contain at least one non-alphabetic character.

Enter new password:

Re-enter password:

[root@odsee ~]#

[root@odsee ~]# /ldap/dsee7/bin/certutil -A -d certs -n "EXAMPLE CA certificate" -t "CT,," -a -i /etc/openldap/cacerts/ca.crt

[root@odsee ~]#

Run the ODSEE ldapsearch command with SSL (StartTLS on 3891 with -ZZ, then LDAPS on 6361 with -Z)

[root@odsee ~]# /ldap/dsee7/dsrk/bin/ldapsearch -h odsee.ldaphome.com -p 3891 -P /root/certs/cert8.db -D "cn=directory manager" -w test123test -b dc=ldaphome,dc=com cn=praveen -ZZ

version: 1

dn: cn=praveen,ou=people,dc=ldaphome,dc=com

userPassword: {SSHA}CXY2RJtXXyn984+QKaGzJiqAracQdp4C0y9HNw==

objectClass: inetorgperson

objectClass: organizationalPerson

objectClass: person

objectClass: top

sn: kumar

cn: praveen

[root@odsee ~]#

[root@odsee ~]# /ldap/dsee7/dsrk/bin/ldapsearch -h odsee.ldaphome.com -p 6361 -P /root/certs/cert8.db -D "cn=directory manager" -w test123test -b dc=ldaphome,dc=com cn=praveen -Z

version: 1

dn: cn=praveen,ou=people,dc=ldaphome,dc=com

userPassword: {SSHA}CXY2RJtXXyn984+QKaGzJiqAracQdp4C0y9HNw==

objectClass: inetorgperson

objectClass: organizationalPerson

objectClass: person

objectClass: top
sn: kumar

cn: praveen

[root@odsee ~]#

==================================================================================

ODSEE 11 Logs Configuration

Logs are very important in the life of an IT person, because troubleshooting
any server or application is based on the logs the application/server
provides. The ODSEE directory server has three types of log: access logs,
error logs and audit logs. Each log gives its own kind of information about
the server.

Access Logs

Access logs give information about the clients, the users and the operations
performed on the server

[root@odsee bin]# ./dsconf get-log-prop -e -p 3891 access

Enter "cn=Directory Manager" password:

buffering-enabled : on

enabled : on

level : default

max-age : 1M

max-disk-space-size : 500M

max-file-count : 10

max-size : 100M

min-free-disk-space-size : 5M

path : /ldap/instances/masterA/logs/access

perm : 600
rotation-interval : 1d

rotation-min-file-size : unlimited

rotation-time : undefined

verbose-enabled : N/A

[root@odsee bin]#

Change the log level from default to acc-internal (the first attempt below uses an invalid value, and the error lists the allowed ones)

[root@odsee bin]# ./dsconf set-log-prop -e -p 3891 access level:s

"s" is not a valid value for "level".

Allowed values: acc-internal|default|acc-default_plus_referrals|acc-timing.

The "set-log-prop" operation failed on "localhost:3891".

[root@odsee bin]# ./dsconf set-log-prop -e -p 3891 access level:acc-internal

Enter "cn=Directory Manager" password:

[root@odsee bin]#

Follow the access log with the tailf command

[root@odsee bin]# tailf /ldap/instances/masterA/logs/access

[16/Oct/2014:20:12:01 +0530] conn=15 op=3 msgId=-1 - closing from 127.0.0.1:57169 - U1 - Connection closed by unbind client -

[16/Oct/2014:20:12:02 +0530] conn=15 op=-1 msgId=-1 - closed.

[16/Oct/2014:20:13:28 +0530] conn=16 op=-1 msgId=-1 - fd=14 slot=14 LDAP connection from 127.0.0.1:57171 to 127.0.0.1

[16/Oct/2014:20:13:31 +0530] conn=16 op=0 msgId=1 - BIND dn="cn=Directory Manager" method=128 version=3

[16/Oct/2014:20:13:31 +0530] conn=16 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"

[16/Oct/2014:20:13:31 +0530] conn=16 op=1 msgId=2 - SRCH base="cn=config" scope=0 filter="(objectClass=*)" attrs="nsslapd-config-magic"
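Each access-log record carries a connection number and an operation number, so a BIND and its RESULT can be joined on (conn, op), and the client address comes from the "LDAP connection from" record of the same conn. The script below is an added example (not from the tutorial, not ODSEE code) that correlates those records to count failed binds (err=49, invalidCredentials) per source address and bind DN and to count anonymous binds (empty bind DN). The sample log is constructed: the conn=16 records are copied from the output above, while conn=17 and conn=18 and their addresses are made up to exercise the detection logic.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample access log in the format shown above; conn=16 is from the
# page, conn=17 (three failed binds) and conn=18 (anonymous bind) are made up.
SAMPLE_LOG = """\
[16/Oct/2014:20:13:28 +0530] conn=16 op=-1 msgId=-1 - fd=14 slot=14 LDAP connection from 127.0.0.1:57171 to 127.0.0.1
[16/Oct/2014:20:13:31 +0530] conn=16 op=0 msgId=1 - BIND dn="cn=Directory Manager" method=128 version=3
[16/Oct/2014:20:13:31 +0530] conn=16 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[16/Oct/2014:20:13:31 +0530] conn=16 op=1 msgId=2 - SRCH base="cn=config" scope=0 filter="(objectClass=*)" attrs="nsslapd-config-magic"
[16/Oct/2014:20:14:02 +0530] conn=17 op=-1 msgId=-1 - fd=15 slot=15 LDAP connection from 10.0.0.5:40001 to 127.0.0.1
[16/Oct/2014:20:14:03 +0530] conn=17 op=0 msgId=1 - BIND dn="uid=user.0,ou=people,dc=ldaphome,dc=com" method=128 version=3
[16/Oct/2014:20:14:03 +0530] conn=17 op=0 msgId=1 - RESULT err=49 tag=97 nentries=0 etime=0
[16/Oct/2014:20:14:05 +0530] conn=17 op=1 msgId=2 - BIND dn="uid=user.0,ou=people,dc=ldaphome,dc=com" method=128 version=3
[16/Oct/2014:20:14:05 +0530] conn=17 op=1 msgId=2 - RESULT err=49 tag=97 nentries=0 etime=0
[16/Oct/2014:20:14:09 +0530] conn=17 op=2 msgId=3 - BIND dn="uid=user.0,ou=people,dc=ldaphome,dc=com" method=128 version=3
[16/Oct/2014:20:14:09 +0530] conn=17 op=2 msgId=3 - RESULT err=49 tag=97 nentries=0 etime=0
[16/Oct/2014:20:15:00 +0530] conn=18 op=-1 msgId=-1 - fd=16 slot=16 LDAP connection from 10.0.0.9:40002 to 127.0.0.1
[16/Oct/2014:20:15:01 +0530] conn=18 op=0 msgId=1 - BIND dn="" method=128 version=3
[16/Oct/2014:20:15:01 +0530] conn=18 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>-?\d+) op=(?P<op>-?\d+) msgId=-?\d+ - (?P<rest>.*)$')
CONN_RE = re.compile(r'LDAP connection from (?P<ip>[\d.]+):\d+')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+)')
LDAP_INVALID_CREDENTIALS = 49
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def analyze(lines: List[str]) -> Dict[str, object]:
    """Correlate connection, BIND and RESULT records; return failed-bind times per (ip, dn) and anonymous-bind count."""
    conn_ip: Dict[str, str] = {}
    pending_bind: Dict[Tuple[str, str], str] = {}          # (conn, op) -> bind DN awaiting its RESULT
    failures: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    anonymous_binds = 0
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue                                        # not an access-log record
        conn, op, rest = m.group("conn"), m.group("op"), m.group("rest")
        c = CONN_RE.search(rest)
        if c:
            conn_ip[conn] = c.group("ip")
            continue
        b = BIND_RE.match(rest)
        if b:
            pending_bind[(conn, op)] = b.group("dn")
            if b.group("dn") == "":
                anonymous_binds += 1
            continue
        r = RESULT_RE.match(rest)
        if r and (conn, op) in pending_bind:
            dn = pending_bind.pop((conn, op))
            if int(r.group("err")) == LDAP_INVALID_CREDENTIALS:
                ip = conn_ip.get(conn, "unknown")
                failures[(ip, dn)].append(datetime.strptime(m.group("ts"), TS_FMT))
    return {"failed_binds": dict(failures), "anonymous_binds": anonymous_binds, "connections": conn_ip}


def brute_force_candidates(summary: Dict[str, object], min_failures: int = 3, window_seconds: int = 300) -> List[Tuple[str, str, int]]:
    """(ip, dn, total failures) for every pair with min_failures failed binds inside any window_seconds span."""
    hits = []
    for (ip, dn), times in summary["failed_binds"].items():
        times = sorted(times)
        for i in range(len(times) - min_failures + 1):
            if (times[i + min_failures - 1] - times[i]).total_seconds() <= window_seconds:
                hits.append((ip, dn, len(times)))
                break
    return hits


if __name__ == "__main__":
    s = analyze(SAMPLE_LOG.splitlines())
    print("anonymous binds:", s["anonymous_binds"])
    for ip, dn, n in brute_force_candidates(s):
        print(f"{n} failed binds for {dn} from {ip}")
```

Run it against the live file with analyze(open("/ldap/instances/masterA/logs/access").readlines()). The thresholds (three failures in five minutes) mirror the pwdMaxFailure and pwdLockoutDuration values used in the password policy section, so a hit here is the log-side view of an account the server would lock.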

Error Logs

Error logs give information about the plugins and the fatal and warning
messages of the server

[root@odsee bin]# ./dsconf get-log-prop -e -p 3891 error

Enter "cn=Directory Manager" password:

buffering-enabled : N/A

enabled : on

level : default

max-age : 1M

max-disk-space-size : 100M

max-file-count : 2

max-size : 100M

min-free-disk-space-size : 5M

path : /ldap/instances/masterA/logs/errors

perm : 600

rotation-interval : 1w

rotation-min-file-size : unlimited

rotation-time : undefined

verbose-enabled : off
[root@odsee bin]#

You can see the different levels that can be set on the error log to get
different kinds of information about the server. Run the command below with
an arbitrary value xx for the level; the error message lists the allowed values

[root@odsee bin]# ./dsconf set-log-prop -e -p 3891 error level:xx

"xx" is not a valid value for "level".

Allowed values: default|err-function-calls|err-search-args|err-connection|err-packets|err-search-filter|err-config-file|err-acl|err-ldbm|err-entry-parsing|err-housekeeping|err-replication|err-entry-cache|err-plugins|err-dsml|err-dsml-advanced.

The "set-log-prop" operation failed on "localhost:3891".

[root@odsee bin]#

Set the error log level to err-plugins

[root@odsee bin]# ./dsconf set-log-prop -e -p 3891 error level:err-plugins

Enter "cn=Directory Manager" password:

[root@odsee bin]#

[root@odsee bin]# tailf /ldap/instances/masterA/logs/errors

[16/Oct/2014:17:14:00 +0530] - Listening on all interfaces port 6361 for LDAPS requests

[16/Oct/2014:17:14:00 +0530] - slapd started.

[16/Oct/2014:17:14:00 +0530] - INFO: 0 entries in the directory database.

==================================================================================

Backup and Restore

Taking backups is a very important task on directory servers. If your server
crashes and you do not have a backup to restore from, you are in trouble. We
have to take backups at regular intervals, and the interval should be less than
the repl-purge-delay and repl-cl-max-age periods. If the time between two
backups is more than the repl-purge-delay and repl-cl-max-age periods, then
your recent changes are lost (a restored replica can no longer be brought up
to date from the changelog).
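The rule in the paragraph above is easy to state and easy to violate quietly, so the following is an added example (not part of the tutorial, not ODSEE code) that turns it into a check: it parses the duration strings dsconf displays (1d, 1w, 1M and so on), reads the date out of backup directory names of the form used in this section (masterA_backup_17102014, day-month-year), and reports whether the newest backup is still younger than the shorter of repl-purge-delay and repl-cl-max-age. Treating 1M as 30 days is an assumption made for this example.

```python
import re
from datetime import date
from typing import Iterable

# dsconf prints durations as a number plus a unit, e.g. 1d, 1w, 1M. A month is
# taken as 30 days here (assumption for this example).
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400, "M": 30 * 86400}
DURATION_RE = re.compile(r"^(\d+)([smhdwM])$")


def parse_duration(text: str) -> int:
    """'7d' -> 604800 seconds. Raises ValueError on an unknown unit."""
    m = DURATION_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad duration: {text!r}")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]


def parse_backup_stamp(dirname: str) -> date:
    """Recover the date from a backup directory named like masterA_backup_17102014 (ddmmyyyy)."""
    m = re.search(r"_backup_(\d{2})(\d{2})(\d{4})$", dirname.rstrip("/"))
    if not m:
        raise ValueError(f"no ddmmyyyy stamp in {dirname!r}")
    day, month, year = (int(x) for x in m.groups())
    return date(year, month, day)


def max_backup_interval(repl_purge_delay: str, repl_cl_max_age: str) -> int:
    """The backup interval must stay below both replication retention periods."""
    return min(parse_duration(repl_purge_delay), parse_duration(repl_cl_max_age))


def newest_backup(dirnames: Iterable[str]) -> str:
    """The backup directory with the most recent ddmmyyyy stamp."""
    return max(dirnames, key=parse_backup_stamp)


def backup_is_current(backup_dir: str, today_iso: str, repl_purge_delay: str, repl_cl_max_age: str) -> bool:
    """True when the backup is younger than the shorter retention period (today_iso is YYYY-MM-DD)."""
    age_seconds = (date.fromisoformat(today_iso) - parse_backup_stamp(backup_dir)).total_seconds()
    return age_seconds < max_backup_interval(repl_purge_delay, repl_cl_max_age)


if __name__ == "__main__":
    # Constructed backup set and retention values for the demonstration.
    backups = ["/ldap/backup/masterA_backup_10102014", "/ldap/backup/masterA_backup_17102014"]
    latest = newest_backup(backups)
    print(latest, "current" if backup_is_current(latest, "2014-10-20", "7d", "1w") else "STALE")
```

In a cron job you would feed newest_backup the listing of /ldap/backup and the two retention values read from dsconf get-suffix-prop, and alert when backup_is_current returns False; on the unreplicated suffix in this tutorial both properties show N/A, so the check only becomes meaningful once replication is configured.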

Taking Binary Backup

A binary backup is faster to take and to restore than an LDIF backup. To take
a backup with dsadm the instance must be in the stopped state

[root@odsee bin]# ./dsadm stop /ldap/instances/masterA/

Directory Server instance '/ldap/instances/masterA' stopped

[root@odsee bin]# ./dsadm backup /ldap/instances/masterA /ldap/backup/masterA_backup_17102014

[16/Oct/2014:22:00:20 +0530] - Backup starting (/ldap/backup/masterA_backup_17102014)

[16/Oct/2014:22:00:20 +0530] - Backing up file 1 (/ldap/backup/masterA_backup_17102014/ldaphome/ldaphome_givenName.db3)

------------------------------- OUTPUT TRUNCATED----------------------------------

[16/Oct/2014:22:00:20 +0530] - Backing up file 34 (/ldap/backup/masterA_backup_17102014/log.0000000001)

[16/Oct/2014:22:00:20 +0530] - Backing up file 35 (/ldap/backup/masterA_backup_17102014/DBVERSION)

[16/Oct/2014:22:00:20 +0530] - Running recovery on backup.

[16/Oct/2014:22:00:20 +0530] - Database recovery is 0% complete.

[16/Oct/2014:22:00:20 +0530] - Database recovery is 100% complete.

[16/Oct/2014:22:00:20 +0530] - Recovery of backup succeded.


[16/Oct/2014:22:00:20 +0530] - Backup completed (/ldap/backup/masterA_backup_17102014)

[root@odsee bin]#

[root@odsee bin]# ./dsadm start /ldap/instances/masterA/

Directory Server instance '/ldap/instances/masterA' started: pid=5411

[root@odsee bin]#

Restore the instance from the binary backup (the instance must be stopped first)

[root@odsee bin]# ./dsadm stop /ldap/instances/masterA/

Directory Server instance '/ldap/instances/masterA' stopped

[root@odsee bin]# ./dsadm restore /ldap/instances/masterA/ /ldap/backup/masterA_backup_17102014/

Warning: the Directory Server instance data will be overwritten.

Do you want to continue [y/n]? y

[16/Oct/2014:22:06:07 +0530] - Restoring file 1 (/ldap/instances/masterA/db/log.0000000001)

[16/Oct/2014:22:06:

---------------------------------- OUTPUT TRUNCATED---------------------------------------

[16/Oct/2014:22:06:07 +0530] - WARNING<20489> - Backend Database - conn=-1 op=-1 msgId=-1 - Recovering database after restore from archive.

[16/Oct/2014:22:06:09 +0530] - Database recovery is 0% complete.

[16/Oct/2014:22:06:09 +0530] - Database recovery is 100% complete.

[16/Oct/2014:22:06:09 +0530] - Waiting for 4 database threads to stop

[16/Oct/2014:22:06:10 +0530] - All database threads now stopped

[root@odsee bin]#

[root@odsee bin]# ./dsadm start /ldap/instances/masterA/

Directory Server instance '/ldap/instances/masterA' started: pid=5540


[root@odsee bin]#

LDIF Backup and Restore

In an LDIF backup the data is exported in LDIF text format, so you can also
edit the backup before restoring it.

[root@odsee bin]# ./dsconf export -e -p 3891 dc=ldaphome,dc=com /ldap/backup/ldaphome.ldif

Enter "cn=Directory Manager" password:

## Beginning export of 'ldaphome'

## Could not start other auxiliary threads.

## ldaphome: Start processing.

## ldaphome: Processed 4 entries (100%), 4.0 entries/sec average, 4 exported.

## Export finished.

Task completed (slapd exit code: 0).

[root@odsee bin]# vim /ldap/backup/ldaphome.ldif

version: 1

# entry-id: 1

dn: dc=ldaphome,dc=com

dc: ldaphome

objectClass: top

objectClass: domain

creatorsName: cn=directory manager

createTimestamp: 20141016115144Z
aci: (targetattr="*")(version 3.0; acl "Anonymous Access"; allow (read, search, compare) userdn="ldap:///anyone";)

aci: (targetattr="*")(version 3.0; acl "Allow user.1"; allow (all) userdn="ldap:///uid=user.1,ou=people,dc=ldaphome,dc=com";)

modifiersName: cn=directory manager

modifyTimestamp: 20141016143051Z

nsUniqueId: b0bb26a3-552a11e4-8052f89c-f7902c4

Restore the LDIF backup

[root@odsee bin]# ./dsconf import -e -p 3891 /ldap/backup/ldaphome.ldif dc=ldaphome,dc=com

Enter "cn=Directory Manager" password:

New data will override existing data of the suffix "dc=ldaphome,dc=com".

Initialization will have to be performed on replicated suffixes.

Do you want to continue [y/n] ? y

## Index buffering enabled with bucket size 40

## Beginning import job...

## Starting to process and index entries

## Processing file "/ldap/backup/ldaphome.ldif"

## Finished scanning file "/ldap/backup/ldaphome.ldif" (4 entries)

## Workers finished; cleaning up...

## Workers cleaned up.

## Cleaning up producer thread...

## Indexing complete.

## Starting numsubordinates attribute generation.


## This may take a while, please wait for further activity reports.

## Numsubordinates attribute generation complete. Flushing caches...

## Closing files...

## Import complete. Processed 4 entries in 3 seconds. (1.33 entries/sec)

Task completed (slapd exit code: 0).

[root@odsee bin]#

Run the ldapsearch command to check whether the entries are available.

Congratulations, you have successfully restored the ODSEE suffix from backup!


===================================================================================

Configure ODSEE Password Policy

It is human nature to avoid difficult things and prefer easy ones. Changing
the password frequently is a headache, because we get confused remembering
passwords. But this habit of not changing passwords frequently leads to
password compromise. So we apply password policies, which force users to
change the password after a specific time period and to use different
character classes in the password.

Creating a Password Policy

Creating a password policy is the same as adding and modifying LDIF entries
on the server. Create an LDIF file that contains a password policy named
DefaultPolicy with the following checks:

Password quality check 2: syntax checking is enforced (lower case, upper
case characters etc.)

Maximum password attempts: 3

Password lockout after 3 failed attempts

Password lockout duration 300 seconds (5 minutes)

Password must be changed after a reset

Minimum password length 8

[root@odsee bin]# vim /root/ldif/pol.ldif

dn: cn=DefaultPolicy,dc=ldaphome,dc=com

objectClass: top

objectClass: pwdPolicy

objectClass: sunPwdPolicy

objectClass: LDAPsubentry

cn: DefaultPolicy

pwdAttribute: userPassword

pwdCheckQuality: 2

pwdLockout: TRUE

pwdLockoutDuration: 300

pwdMaxFailure: 3

pwdMustChange: TRUE

pwdMinLength: 8

[root@odsee bin]#

[root@odsee bin]# ldapmodify -x -h odsee.ldaphome.com -p 3891 -D "cn=directory manager" -w test123test -a -f /root/ldif/pol.ldif

adding new entry "cn=DefaultPolicy,dc=ldaphome,dc=com"


[root@odsee bin]#

Check the added password policy entry on the LDAP server

[root@odsee bin]# ldapsearch -x -h odsee.ldaphome.com -p 3891 -D "cn=directory manager" -w test123test "(&(objectclass=ldapsubentry)(cn=Defaultpolicy))"

# extended LDIF

# LDAPv3

# base (default) with scope subtree

# filter: (&(objectclass=ldapsubentry)(cn=Defaultpolicy))

# requesting: ALL

# DefaultPolicy, ldaphome.com

dn: cn=DefaultPolicy,dc=ldaphome,dc=com

objectClass: top

objectClass: pwdPolicy

objectClass: sunPwdPolicy

objectClass: LDAPsubentry

objectClass: passwordPolicy

cn: DefaultPolicy

pwdAttribute: userPassword

pwdCheckQuality: 2

pwdLockout: TRUE

pwdLockoutDuration: 300
pwdMaxFailure: 3

pwdMustChange: TRUE

passwordCheckSyntax: on

passwordLockout: on

passwordUnlock: on

passwordLockoutDuration: 300

passwordMaxFailure: 3

passwordMustChange: on

pwdMinLength: 8

# search result

search: 2

result: 0 Success

# numResponses: 2

# numEntries: 1

[root@odsee bin]#

Assign a password policy to a particular user

Assigning a policy to one user is done by adding the pwdPolicySubentry
attribute to that user's entry, with the DN of the policy as its value. Users
without this attribute keep the server's default password policy.

[root@odsee bin]# vim /root/ldif/userpolicy.ldif

dn: cn=sunil,ou=people,dc=ldaphome,dc=com
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=DefaultPolicy,dc=ldaphome,dc=com

[root@odsee bin]#

[root@odsee bin]# ldapmodify -x -h odsee.ldaphome.com -p 3891 -D "cn=directory manager" -w test123test -a -f /root/ldif/userpolicy.ldif

modifying entry "cn=sunil,ou=people,dc=ldaphome,dc=com"

[root@odsee bin]#

[root@odsee bin]# ldapsearch -x -h odsee.ldaphome.com -p 3891 -D "cn=directory manager" -w test123test "(cn=sunil)" pwdpolicysubentry

# sunil, people, ldaphome.com

dn: cn=sunil,ou=people,dc=ldaphome,dc=com

pwdpolicysubentry: cn=DefaultPolicy,dc=ldaphome,dc=com

[root@odsee bin]#

Add the Password Modify extended operation entry

To let users change their own password with ldappasswd, which uses the
Password Modify extended operation (RFC 3062, OID 1.3.6.1.4.1.4203.1.11.1),
the operation must be enabled for them on the server: add the feature entry
below under cn=features,cn=config. Its ACI grants the operation to
userdn="ldap:///all", that is every authenticated user (anonymous binds are
not included; that would be "ldap:///anyone"). Save the entry as
/root/ldif/passwordextend.ldif:

dn: oid=1.3.6.1.4.1.4203.1.11.1,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 1.3.6.1.4.1.4203.1.11.1
cn: Password Modify Extended Operation
aci: (targetattr != "aci")(version 3.0; acl "Password Modify Extended Operation"; allow( read, search, compare, proxy ) userdn="ldap:///all";)

[root@odsee bin]# ldapmodify -x -h odsee.ldaphome.com -p 3891 -D "cn=directory manager" -w test123test -a -f /root/ldif/passwordextend.ldif

adding new entry "oid=1.3.6.1.4.1.4203.1.11.1,cn=features,cn=config"

[root@odsee bin]#

Check the password policy

Reset the password of cn=sunil as directory manager, then try to search the
directory bound as cn=sunil:

[root@odsee bin]# ldapmodify -x -h odsee.ldaphome.com -p 3891 -D "cn=directory manager" -w test123test

dn: cn=sunil,ou=people,dc=ldaphome,dc=com

changetype: modify

replace: userpassword

userpassword: test123test

modifying entry "cn=sunil,ou=people,dc=ldaphome,dc=com"

^C

[root@odsee bin]# ldapsearch -x -h odsee.ldaphome.com -p 3891 -D "cn=sunil,ou=people,dc=ldaphome,dc=com" -w test123test "(cn=sunil)" pwdpolicysubentry

# extended LDIF

# LDAPv3

# base (default) with scope subtree

# filter: (cn=sunil)
# requesting: pwdpolicysubentry

# search result

search: 2

result: 53 Server is unwilling to perform

text: Password was reset and must be changed.

control: 2.16.840.1.113730.3.4.4 false MA==

# numResponses: 1

[root@odsee bin]#

The bind itself succeeds, but the server refuses the search with result 53
(unwilling to perform) and the text "Password was reset and must be changed":
pwdMustChange is TRUE and the password was set by an administrator, so
cn=sunil must change it before doing anything else.

First try to change it to a password shorter than pwdMinLength (8 characters);
the server rejects the change with a constraint violation:

[root@odsee bin]# ./ldappasswd -h odsee.ldaphome.com -p 3891 -D "cn=sunil,ou=people,dc=ldaphome,dc=com" -w test123test -a test123test -s redhat "cn=sunil,ou=people,dc=ldaphome,dc=com"

ldap_passwd_s: Constraint violation

Now change it to a password of at least 8 characters; the change succeeds:

[root@odsee bin]# ./ldappasswd -h odsee.ldaphome.com -p 3891 -D "cn=sunil,ou=people,dc=ldaphome,dc=com" -w test123test -a test123test -s redhat123 "cn=sunil,ou=people,dc=ldaphome,dc=com"

bin_ldappasswd: password successfully changed

[root@odsee bin]#
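The following is an added example, not code from this page or from ODSEE: a small reference model of the DefaultPolicy attributes (pwdMaxFailure, pwdLockoutDuration, pwdMustChange, pwdMinLength) so that the reset-must-change sequence just demonstrated, and the lockout sequence the page does not exercise, can be stepped through offline. Result codes are from RFC 4511 (0 success, 19 constraintViolation, 49 invalidCredentials, 53 unwillingToPerform). It assumes a bind against a locked account is answered with 49, indistinguishable from a wrong password, and that an administrative reset is not subject to the syntax check; both are assumptions of the model.

```python
"""Reference model of the password-policy attributes set in DefaultPolicy.

Added example, not code from the page or from ODSEE. It re-implements the
behaviour observed above (pwdMaxFailure, pwdLockoutDuration, pwdMustChange,
pwdMinLength). LDAP result codes per RFC 4511. Assumption: a locked account
answers a bind with 49, indistinguishable from a wrong password.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SUCCESS, CONSTRAINT_VIOLATION, INVALID_CREDENTIALS, UNWILLING = 0, 19, 49, 53


@dataclass
class Policy:
    pwdMaxFailure: int = 3          # failed binds before lockout
    pwdLockoutDuration: int = 300   # seconds the lock lasts
    pwdMustChange: bool = True      # force a change after an admin reset
    pwdMinLength: int = 8


@dataclass
class Account:
    password: str
    failures: List[int] = field(default_factory=list)  # times of failed binds
    locked_at: Optional[int] = None                    # time the lock began
    reset: bool = False                                # set by an admin reset


class Directory:
    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.accounts: Dict[str, Account] = {}

    def admin_reset(self, dn: str, new_password: str) -> int:
        """cn=directory manager replaces userPassword (model assumption: no
        syntax check on administrative resets); pwdMustChange then applies."""
        acct = self.accounts.setdefault(dn, Account(new_password))
        acct.password = new_password
        acct.reset = self.policy.pwdMustChange
        acct.failures.clear()
        acct.locked_at = None
        return SUCCESS

    def _locked(self, acct: Account, now: int) -> bool:
        """A lock expires pwdLockoutDuration seconds after it began."""
        if acct.locked_at is None:
            return False
        if now - acct.locked_at >= self.policy.pwdLockoutDuration:
            acct.locked_at = None
            acct.failures.clear()
            return False
        return True

    def bind(self, dn: str, password: str, now: int) -> int:
        acct = self.accounts.get(dn)
        if acct is None or self._locked(acct, now):
            return INVALID_CREDENTIALS
        if password != acct.password:
            acct.failures.append(now)
            if len(acct.failures) >= self.policy.pwdMaxFailure:
                acct.locked_at = now          # pwdLockout: TRUE
            return INVALID_CREDENTIALS
        acct.failures.clear()                # a good bind resets the counter
        return SUCCESS

    def search(self, dn: str, password: str, now: int) -> int:
        """Any operation other than a password change while a reset is pending
        gets 53 ("Password was reset and must be changed")."""
        rc = self.bind(dn, password, now)
        if rc == SUCCESS and self.accounts[dn].reset:
            return UNWILLING
        return rc

    def change_password(self, dn: str, old: str, new: str, now: int) -> int:
        """What ldappasswd -a OLD -s NEW does, subject to pwdMinLength."""
        rc = self.bind(dn, old, now)
        if rc != SUCCESS:
            return rc
        if len(new) < self.policy.pwdMinLength:
            return CONSTRAINT_VIOLATION
        acct = self.accounts[dn]
        acct.password = new
        acct.reset = False
        return SUCCESS
```

Times are plain integers (seconds) so a sequence of binds can be replayed deterministically; with a real server the lockout window is measured from the server's clock, which is one reason the lockout duration should be kept short enough not to become a denial-of-service lever against a targeted account.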

=====================================================================================

Password Storage Schemes

ODSEE stores the password value in the userPassword attribute; what is stored
depends on the storage scheme selected, and each scheme has its strong and weak
points. CLEAR stores the password as is; CRYPT is the traditional Unix crypt(3)
DES scheme, which only uses the first 8 characters; the unsalted SHA, SHA256
and SHA512 schemes give identical values for identical passwords and are easy
to attack with precomputed tables. The salted schemes (SSHA, SSHA256, SSHA512)
avoid both problems and are the ones to use. The storage schemes available in
ODSEE are:

Password storage schemes available in odsee

[root@odsee bin]# ./dsconf get-server-prop -e -p 3891

pwd-supported-storage-scheme : CRYPT

pwd-supported-storage-scheme : SHA256

pwd-supported-storage-scheme : SHA512

pwd-supported-storage-scheme : SHA

pwd-supported-storage-scheme : SSHA

pwd-supported-storage-scheme : SSHA256

pwd-supported-storage-scheme : SSHA512

pwd-supported-storage-scheme : CLEAR

Current Password storage scheme

[root@odsee bin]# ./dsconf get-server-prop -e -p 3891


pwd-storage-scheme : SSHA
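As an added example, not code from this page or from ODSEE, the block below generates and verifies userPassword values in the {SCHEME} layout used by the schemes listed above: unsalted schemes store base64(H(password)), salted schemes store base64(H(password + salt) + salt), with H = SHA-1 for SHA/SSHA, SHA-256 for SHA256/SSHA256 and SHA-512 for SHA512/SSHA512. The 8-byte salt used when generating is an assumption; when verifying, the salt is taken from the stored value whatever its length. CRYPT is left to the platform crypt(3) and is not handled. The last function shows the property that makes the salted schemes preferable: two users with the same password get different stored values.

```python
"""Generate and verify userPassword values for the ODSEE storage schemes.

Added example, not code from the page or from ODSEE. Unsalted schemes store
base64(H(password)); salted schemes store base64(H(password + salt) + salt).
The 8-byte salt used for generation is an assumption.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

UNSALTED = {"SHA": "sha1", "SHA256": "sha256", "SHA512": "sha512"}
SALTED = {"SSHA": "sha1", "SSHA256": "sha256", "SSHA512": "sha512"}


def hash_password(password: str, scheme: str, salt: Optional[bytes] = None) -> str:
    """Return the userPassword value for `password` under `scheme`."""
    scheme = scheme.upper()
    data = password.encode("utf-8")
    if scheme == "CLEAR":
        return "{CLEAR}" + password
    if scheme in UNSALTED:
        digest = hashlib.new(UNSALTED[scheme], data).digest()
        return "{%s}%s" % (scheme, base64.b64encode(digest).decode("ascii"))
    if scheme in SALTED:
        salt = os.urandom(8) if salt is None else salt
        digest = hashlib.new(SALTED[scheme], data + salt).digest()
        return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))
    raise ValueError("unsupported storage scheme: " + scheme)


def split_scheme(stored: str) -> Tuple[str, str]:
    """'{ssha}abc' -> ('SSHA', 'abc'); the scheme tag is case-insensitive."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("value has no {SCHEME} prefix")
    scheme, _, rest = stored[1:].partition("}")
    return scheme.upper(), rest


def verify_password(password: str, stored: str) -> bool:
    """Check `password` against a stored userPassword value (constant-time compare)."""
    scheme, rest = split_scheme(stored)
    data = password.encode("utf-8")
    if scheme == "CLEAR":
        return hmac.compare_digest(rest.encode("utf-8"), data)
    if scheme in UNSALTED:
        expected = hashlib.new(UNSALTED[scheme], data).digest()
        return hmac.compare_digest(base64.b64decode(rest), expected)
    if scheme in SALTED:
        raw = base64.b64decode(rest)
        size = hashlib.new(SALTED[scheme]).digest_size
        digest, salt = raw[:size], raw[size:]       # the salt follows the digest
        expected = hashlib.new(SALTED[scheme], data + salt).digest()
        return hmac.compare_digest(digest, expected)
    raise ValueError("unsupported storage scheme: " + scheme)


def scheme_leaks_equal_passwords(scheme: str) -> bool:
    """True if two accounts with the same password get the same stored value,
    which is what lets an attacker use one precomputed table against all of them."""
    return hash_password("same-secret", scheme) == hash_password("same-secret", scheme)
```

Note that this verifies values you have already exported from the directory (for an audit of which schemes are actually in use, say); the server itself does the comparison on bind. Changing pwd-storage-scheme only affects passwords set afterwards, so existing CLEAR or CRYPT values stay in that form until the user next changes their password.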

====================================================

Linux User Authentication with ODSEE

The main task of the ODSEE server is to store usernames and passwords
centrally in one place; applications and Windows/Linux hosts connect to it for
authentication.

Here we configure Linux to fetch user information from the ODSEE server. The
users do not exist locally on the Linux host; they are stored centrally in the
directory.

Steps to configure centralized Linux authentication with ODSEE:

Add the user entry to the directory with the attributes Linux needs for
authentication.

Configure the Linux host to fetch user information from the directory.

Add a user entry with the POSIX attributes. The posixAccount object class
carries uid, uidNumber, gidNumber, homeDirectory and loginShell; together with
userPassword these are what the Linux NSS/PAM stack needs to resolve the
account and log the user in.

[root@odsee schema]# ldapmodify -x -h odsee.ldaphome.com -p 3891 -D "cn=directory manager" -w test123test -a

dn: uid=ldapuser,ou=people,dc=ldaphome,dc=com
uidNumber: 1000
cn: ldapuser
sn: user
gidNumber: 1000
loginshell: /bin/bash
homeDirectory: /home/ldapuser
uid: ldapuser
userPassword: test123test
objectclass: inetorgperson
objectclass: posixAccount

adding new entry "uid=ldapuser,ou=people,dc=ldaphome,dc=com"

^C

[root@odsee schema]#

Configure the Linux host to get username and password information from the
LDAP server

Configuration on CentOS 6.3

Run authconfig-tui and select LDAP for both user information and
authentication. Then enter the LDAP server hostname, port and the base suffix
under which the user entries are stored; authconfig updates /etc/nsswitch.conf
and the PAM configuration for you.

[screenshot: authconfig-tui authentication configuration]

Click on Next.

[screenshot: authconfig-tui LDAP settings]

Log in with ldapuser on the system:


[root@station20 ~]# mkdir /home/ldapuser

[root@station20 ~]# chown ldapuser /home/ldapuser/

[root@station20 ~]# cp /etc/skel/.

./ ../ .bash_logout .bash_profile .bashrc .kshrc


.mozilla/

[root@station20 ~]# cp /etc/skel/.* /home/ldapuser/

cp: omitting directory `/etc/skel/.'

cp: omitting directory `/etc/skel/..'

cp: omitting directory `/etc/skel/.mozilla'

[root@station20 ~]#

[root@station20 ~]# su - ldapuser

id: cannot find name for group ID 1000

[ldapuser@station20 ~]$

The "cannot find name for group ID 1000" message appears because gidNumber 1000
does not resolve to any group: create a matching posixGroup entry in the
directory and it disappears. Note also that the copy above skipped the
.mozilla directory and that chown set only the owner, not the group. Instead
of creating home directories by hand you can use the pam_mkhomedir.so PAM
module, which creates the home directory from /etc/skel the first time a user
logs in.
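The following is an added example, not code from this page: a small linter for the entries you are about to load, which checks that every posixAccount carries the attributes RFC 2307 requires (cn, uid, uidNumber, gidNumber, homeDirectory), that its gidNumber resolves to a posixGroup in the same set of entries (the missing group is the cause of the "cannot find name for group ID 1000" message above) and that loginShell is set, then serialises an entry as LDIF with canonical attribute names. The ou=groups DN in the sample is a constructed assumption; the page does not show where groups live.

```python
"""Lint directory entries for the RFC 2307 attributes a Linux NSS/PAM client needs.

Added example, not code from the page. Entries are plain dicts: attribute
name -> value or list of values, plus a "dn" key. The ou=groups DN used in the
sample is an assumption.
"""
from typing import Dict, List, Tuple, Union

Entry = Dict[str, Union[str, List[str]]]

POSIX_ACCOUNT_MUST = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")
POSIX_GROUP_MUST = ("cn", "gidNumber")
CANONICAL = {n.lower(): n for n in POSIX_ACCOUNT_MUST + POSIX_GROUP_MUST + (
    "dn", "sn", "objectClass", "loginShell", "userPassword", "memberUid")}


def normalize(entry: Entry) -> Entry:
    """LDAP attribute names are case-insensitive; map them to one spelling."""
    return {CANONICAL.get(k.lower(), k): v for k, v in entry.items()}


def values(entry: Entry, attr: str) -> List[str]:
    """Always return a list, whether the attribute was single- or multi-valued."""
    v = entry.get(attr, [])
    return v if isinstance(v, list) else [v]


def lint_posix(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (dn, problem) findings; an empty list means the set is consistent."""
    findings = []
    norm = [normalize(e) for e in entries]
    groups = {}
    for e in norm:                      # first pass: collect the groups
        classes = {c.lower() for c in values(e, "objectClass")}
        if "posixgroup" in classes:
            for attr in POSIX_GROUP_MUST:
                if attr not in e:
                    findings.append((e["dn"], "posixGroup missing " + attr))
            for gid in values(e, "gidNumber"):
                groups[gid] = e["dn"]
    for e in norm:                      # second pass: check the accounts
        classes = {c.lower() for c in values(e, "objectClass")}
        if "posixaccount" not in classes:
            continue
        for attr in POSIX_ACCOUNT_MUST:
            if attr not in e:
                findings.append((e["dn"], "posixAccount missing " + attr))
        for gid in values(e, "gidNumber"):
            if gid not in groups:
                findings.append((e["dn"], "gidNumber %s has no posixGroup" % gid))
        if "loginShell" not in e:
            findings.append((e["dn"], "no loginShell; the client falls back to its default shell"))
    return findings


def to_ldif(entry: Entry) -> str:
    """Serialise one entry as LDIF: dn first, one attribute value per line."""
    e = normalize(entry)
    lines = ["dn: " + str(e["dn"])]
    for attr in e:
        if attr != "dn":
            lines.extend("%s: %s" % (attr, val) for val in values(e, attr))
    return "\n".join(lines) + "\n"


# Constructed sample: the page's ldapuser entry plus the group it is missing.
LDAPUSER: Entry = {
    "dn": "uid=ldapuser,ou=people,dc=ldaphome,dc=com",
    "uidNumber": "1000", "cn": "ldapuser", "sn": "user", "gidNumber": "1000",
    "loginshell": "/bin/bash", "homeDirectory": "/home/ldapuser",
    "uid": "ldapuser", "userPassword": "test123test",
    "objectclass": ["inetorgperson", "posixAccount"]}
LDAPUSER_GROUP: Entry = {
    "dn": "cn=ldapuser,ou=groups,dc=ldaphome,dc=com",   # assumed container
    "cn": "ldapuser", "gidNumber": "1000", "objectClass": ["top", "posixGroup"]}
```

Run lint_posix over the entries before loading them and again over an export of the directory after the fact; a gidNumber with no group or an account without homeDirectory is exactly the kind of inconsistency that only shows up at the first interactive login.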

=====================================================================================

Kerberos Authentication with ODSEE LDAP

Kerberos is a strong, ticket-based authentication mechanism. With Kerberos the
user's account information stays in the LDAP directory while the password (the
user's key) is held by the Kerberos KDC. Kerberos also gives single sign-on:
once a user has authenticated to the KDC and holds a ticket-granting ticket, no
password has to be entered again to use Kerberos-enabled applications.

In this document Kerberos is already configured; we only configure the ODSEE
LDAP server to use it. To learn how to configure Kerberos see the page:
Configure Kerberos with ldap store

Note: two things are mandatory for Kerberos: working DNS name resolution
(forward and reverse) and synchronized clocks on all Kerberos-enabled hosts,
since tickets are rejected when the clock skew exceeds the tolerance (5
minutes by default). For name resolution /etc/hosts can be used instead of
DNS, but only for a small number of hosts.

Steps to configure ODSEE Kerberos authentication

Add ldap service principal to kerberos

Configure odsee.ldaphome.com ldap server to connect to kerberos

Configure odsee server for kerberos

Configure a linux system to authenticate from ldap and kerberos

Add ldap service principal

Log in to the Kerberos server and run the kadmin.local command:

[root@kerberos ~]# kadmin.local

Authenticating as principal root/admin@LDAPHOME.COM with password.

kadmin.local:

kadmin.local: add_principal -randkey


ldap/odsee.ldaphome.com@LDAPHOME.COM

WARNING: no policy specified for


ldap/odsee.ldaphome.com@LDAPHOME.COM; defaulting to no policy

Principal "ldap/odsee.ldaphome.com@LDAPHOME.COM" created.

kadmin.local:
Configure /etc/krb5.conf on odsee.ldaphome.com so that it can reach the
Kerberos server. Note the closing brace of the LDAPHOME.COM realm block;
without it the Kerberos libraries fail to parse the file.

[root@odsee ~]# vim /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = LDAPHOME.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 LDAPHOME.COM = {
  kdc = kerberos.ldaphome.com
  admin_server = kerberos.ldaphome.com
 }

[domain_realm]
 .ldaphome.com = LDAPHOME.COM
 ldaphome.com = LDAPHOME.COM
:wq

[root@odsee ~]#

Log in to the kadmin interface of the Kerberos server with kadmin and extract
the keys of the ldap service principal into /ldap/dsee7/ldap.keytab. ktadd
randomizes the key and increments its version number (kvno), and it writes one
entry for every encryption type the KDC supports; here that includes single-DES
and RC4 keys, which are weak and should be disabled on the KDC if no client
needs them. Keep the keytab readable only by the account that runs the
directory server: anyone who can read it can impersonate the LDAP service.

[root@odsee ~]# kadmin -p admin/admin
Authenticating as principal admin/admin with password.
Password for admin/admin@LDAPHOME.COM:
kadmin:
kadmin: ktadd -k /ldap/dsee7/ldap.keytab ldap/odsee.ldaphome.com
Entry for principal ldap/odsee.ldaphome.com with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/ldap/dsee7/ldap.keytab.
Entry for principal ldap/odsee.ldaphome.com with kvno 3, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/ldap/dsee7/ldap.keytab.
Entry for principal ldap/odsee.ldaphome.com with kvno 3, encryption type des3-cbc-sha1 added to keytab WRFILE:/ldap/dsee7/ldap.keytab.
Entry for principal ldap/odsee.ldaphome.com with kvno 3, encryption type arcfour-hmac added to keytab WRFILE:/ldap/dsee7/ldap.keytab.
Entry for principal ldap/odsee.ldaphome.com with kvno 3, encryption type des-hmac-sha1 added to keytab WRFILE:/ldap/dsee7/ldap.keytab.
Entry for principal ldap/odsee.ldaphome.com with kvno 3, encryption type des-cbc-md5 added to keytab WRFILE:/ldap/dsee7/ldap.keytab.
kadmin:
Read the keytab file

[root@odsee ~]# ktutil

ktutil: rkt /ldap/dsee7/ldap.keytab

ktutil: l

slot KVNO Principal

---- ---- ---------------------------------------------------------------------

1 3 ldap/odsee.ldaphome.com@LDAPHOME.COM

2 3 ldap/odsee.ldaphome.com@LDAPHOME.COM

3 3 ldap/odsee.ldaphome.com@LDAPHOME.COM

4 3 ldap/odsee.ldaphome.com@LDAPHOME.COM

5 3 ldap/odsee.ldaphome.com@LDAPHOME.COM

6 3 ldap/odsee.ldaphome.com@LDAPHOME.COM

ktutil:
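ktutil only lists slot, kvno and principal. The block below is an added example, not code from this page or from MIT krb5: it parses the version 2 keytab format (big-endian: entry size, component count, realm, components, name type, timestamp, 8-bit kvno, key type, key bytes, optional 32-bit kvno) so the principal, kvno and encryption type of every entry can be checked, and it flags the single-DES and RC4 entries that ktadd wrote above. The keytab produced by build_keytab() is a constructed fixture with dummy key bytes; the page's real keytab is not reproduced.

```python
"""Parse an MIT Kerberos keytab (format version 0x0502) and inspect its entries.

Added example, not code from the page or from MIT krb5. The sample keytab
built by build_keytab() is a fixture with dummy key bytes.
"""
import struct
from typing import Dict, List, Tuple

ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
            8: "des-hmac-sha1", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 2, 3, 8, 23}   # single DES and RC4: avoid in new deployments


def _counted(buf: bytes, off: int) -> Tuple[bytes, int]:
    """counted_octet_string: uint16 length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> List[Dict]:
    """Return one dict per live entry (deleted slots have a negative size)."""
    (version,) = struct.unpack_from(">H", data, 0)
    if version != 0x0502:
        raise ValueError("unsupported keytab version 0x%04x" % version)
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode("utf-8"))
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (etype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _counted(data, off)
        kvno = vno8
        if end - off >= 4:                # 32-bit kvno extension, if present
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode("utf-8"),
            "kvno": kvno, "timestamp": timestamp, "etype": etype,
            "enctype": ENCTYPES.get(etype, "etype-%d" % etype),
            "keylen": len(key)})
    return entries


def weak_entries(entries: List[Dict]) -> List[Dict]:
    """Entries whose key type is single DES or RC4."""
    return [e for e in entries if e["etype"] in WEAK_ENCTYPES]


def build_keytab(principal: str, kvno: int, keys: List[Tuple[int, bytes]],
                 timestamp: int = 0) -> bytes:
    """Encode a version 2 keytab with one entry per (etype, key) for `principal`."""
    name, realm = principal.split("@")
    comps = name.split("/")
    out = bytearray(struct.pack(">H", 0x0502))
    for etype, key in keys:
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode("utf-8")
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode("utf-8")
        body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # KRB5_NT_PRINCIPAL = 1
        body += struct.pack(">HH", etype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)
```

To inspect the real file, read /ldap/dsee7/ldap.keytab into bytes and pass it to parse_keytab(); if weak_entries() returns anything, restrict the enctypes on the KDC and re-run ktadd, since the kvno in the keytab must match the one the KDC now holds for the principal.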

Set the environment variable KRB5_KTNAME so that the directory server finds
the keytab. The variable must be present in the environment of the process
that starts the directory server (export it before running the start command,
or in the startup script that does); an export in /etc/rc.local by itself only
affects that shell and the commands it runs.

[root@odsee ~]# vim /etc/rc.local

export KRB5_KTNAME=/ldap/dsee7/ldap.keytab

[root@odsee ~]# export KRB5_KTNAME=/ldap/dsee7/ldap.keytab

Define the identity mapping of Kerberos in odsee under


cn=GSSAPI,cn=identity mapping,cn=config

=========================================================================================
