Configuring Sun Java System Directory as a Security Manager

Restriction: This topic applies only when the Enterprise Server feature is enabled.

This section describes how to configure Sun Java System Directory for use as an Enterprise Server security manager and configuration repository. Micro Focus has developed and tested this under Sun Java System Directory Server Enterprise Edition 6.1. Later revisions of Sun Java System Directory should be compatible with the Enterprise Server Security Manager and Configuration Repository, but this is not guaranteed: Micro Focus will review any issues found in later releases but cannot guarantee compatibility.

Note:

The commands in this section make the following assumptions:

  • You have downloaded and installed Sun Java System Directory Server Enterprise Edition 6.1 as described on the Sun web site.
  • You have installed into /usr/local/dsee.
  • You are using port 3880. This is an arbitrarily-chosen port. Check with your system administrator to find out what ports are available on your system.
  • You are using the dsadm command-line tool instead of the Sun Java Web Console GUI Directory Service Control Centre.
  • You are using the scratch directory /usr/local/dsee/var/example.

You will need to change the commands if your installation uses settings other than these.

When configuring an external Security Manager connection on Solaris, you can specify the Sun-provided LDAP client library for LDAP communications with the external Security Manager. To do so, put the following in the Security Manager's Configuration Information area:

[LDAP]
provider=/usr/lib/libldap.so

Note: A Security Manager connection configured on Solaris is not limited to Sun Java System Directory Server. It can communicate with other LDAP-based external Security Managers such as Microsoft Active Directory or OpenLDAP.
  1. To set up the Sun Directory Server configuration and database directories:
    1. Enter the following command:
      dsadm create -p 3880 /usr/local/dsee/var/example

      The following information is displayed: Choose the Directory Manager password:

    2. Specify the Directory Manager password.

      The following information is displayed: Confirm the Directory Manager Password

    3. Confirm the password.

      The following information is displayed: Use 'dsadm start '/usr/local/dsee/var/example'' to start the instance.

  2. To start the instance and confirm that it is running:
    1. Enter the following command:
      dsadm start /usr/local/dsee/var/example

      The following information is displayed: Server started: pid=24879

    2. Enter the following command:
      dsadm info /usr/local/dsee/var/example
      The following information is displayed:
      Instance Path /usr/local/dsee/var/example
      Owner hub(staff)
      Non-secure port 3880
      Secure port 1636
      Bit format 64-bit
      State Running
      Server PID 24879
      DSCC url -
      SMF application name -
      Instance version D-A00
    3. Use an LDAP browser to connect to the instance at machine-address:3880, binding as DN "cn=Directory Manager" with the password you chose in step 1 (this example uses "password"), to confirm it is running. At this point only the RootDSE data is displayed.
  3. To extend the schema, create a text file called 99container.ldif in /usr/local/dsee/var/example/config/schema. The file should contain the following:
    dn: cn=schema
    objectClasses: ( 1.2.840.113556.1.3.23 NAME 'container' SUP top STRUCTURAL MUST ( cn ) )
  4. To generate the Micro Focus schema extension file, enter the following command:
    mfds -l DC=X 3 /usr/local/dsee/var/example/config/schema/99microfocus.ldif
  5. To ensure the Directory Server instance picks up the new schema files, enter the following command:
    dsadm restart /usr/local/dsee/var/example
  6. To confirm the Micro Focus schema has been installed, enter the following command:
    /usr/local/dsee/dsrk6/bin/ldapsearch -b cn=schema -v -h 127.0.0.1 -p 3880 -D "cn=Directory Manager" -w password "objectclass=*" > schema.txt

    This command dumps the active schema to a file called schema.txt. Search this file to confirm that it includes the expected "container" and "microfocus" attributeTypes and objectClasses. Note that passing the Directory Manager password with -w exposes it to other users in the process list and records it in your shell history, so avoid this form on a shared system.

  7. To create a default suffix for an example DIT:
    1. Enter the following command:
      dsconf create-suffix -p 3880 dc=example,dc=com

      The following information is displayed: Enter "cn=Directory Manager" password:

    2. Specify the password.
  8. To confirm that the new suffix exists:
    1. Enter the following command:
      dsconf list-suffixes -p 3880

      The following information is displayed: Enter "cn=Directory Manager" password:

    2. Specify the password.

      The following information is displayed: dc=example,dc=com

  9. To import the standard shipped example LDIF file:
    1. Enter the following command:
      dsconf import -p 3880 /usr/local/dsee/ds6/ldif/Example.ldif dc=example,dc=com

      The following information is displayed: Enter "cn=Directory Manager" password:

    2. Specify the password.

      The following information is displayed:

      New data will override existing data of the suffix "dc=example,dc=com".

      Initialization will have to be performed on replicated suffixes.

      Do you want to continue [y/n] ?

    3. Enter y to continue.

      The following information is displayed:

      ## Index buffering enabled with bucket size 40
      ## Beginning import job...
      ## Processing file "/usr/local/dsee/ds6/ldif/Example.ldif"
      ## Finished scanning file "/usr/local/dsee/ds6/ldif/Example.ldif" (160 entries)
      ## Workers finished; cleaning up...
      ## Workers cleaned up.
      ## Cleaning up producer thread...
      ## Indexing complete.
      ## Starting numsubordinates attribute generation. This may take a while, please wait for further activity reports.
      ## Numsubordinates attribute generation complete. Flushing caches...
      ## Closing files...
      ## Import complete. Processed 160 entries in 4 seconds. (40.00 entries/sec)
      Task completed (slapd exit code: 0).
  10. Refresh the LDAP browser to ensure that you can see the new DIT contents. There should be a new "example" DC, containing organizational units for groups and people.
  11. Add the standard Micro Focus containers: create a file /home/hub/staff/example/mf-containers-sun.ldif containing the following (each DN must appear exactly once, and the parent "Micro Focus" entry must come before its children):
    dn: cn=Micro Focus,dc=example,dc=com
    cn: Micro Focus
    objectClass: container
    
    dn: cn=Enterprise Server Resources,cn=Micro Focus,dc=example,dc=com
    cn: Enterprise Server Resources
    objectClass: container
    
    dn: cn=Enterprise Server Users,cn=Micro Focus,dc=example,dc=com
    cn: Enterprise Server Users
    objectClass: container
    
    dn: cn=Enterprise Server User Groups,cn=Micro Focus,dc=example,dc=com
    cn: Enterprise Server User Groups
    objectClass: container
    
    dn: cn=MFDS Repository,cn=Micro Focus,dc=example,dc=com
    cn: MFDS Repository
    objectClass: container
  12. Add containers to the DIT:
    1. Enter the following command:
      /usr/local/dsee/dsrk6/bin/ldapmodify -a -v -h 127.0.0.1 -p 3880 -D "cn=Directory Manager" -w password -f /home/hub/staff/example/mf-containers-sun.ldif

      The following information is displayed:

      bin_ldapmodify: started Wed Sep 19 16:31:26 2007
      ldap_init( 127.0.0.1, 3880 )
      add cn:
      Micro Focus
      add objectClass:
      container
      adding new entry cn=Micro Focus,dc=example,dc=com
      modify complete
      add cn:
      Enterprise Server Resources
      add objectClass:
      container
      adding new entry cn=Enterprise Server Resources,cn=Micro Focus,dc=example,dc=com
      modify complete
      add cn:
      Enterprise Server Users
      add objectClass:
      container
      adding new entry cn=Enterprise Server Users,cn=Micro Focus,dc=example,dc=com
      modify complete
      add cn:
      Enterprise Server User Groups
      add objectClass:
      container
      adding new entry cn=Enterprise Server User Groups,cn=Micro Focus,dc=example,dc=com
      modify complete
      add cn:
      MFDS Repository
      add objectClass:
      container
      adding new entry cn=MFDS Repository,cn=Micro Focus,dc=example,dc=com
      modify complete
  13. Refresh the LDAP browser to ensure that you can see the new DIT contents. There should be a new "Micro Focus" container holding the "Enterprise Server" and "MFDS Repository" subcontainers.
  14. Add the Directory Server resources and users.
    1. Enter the following command:
      mfds -e "cn=Micro Focus,dc=example,dc=com" "cn=Enterprise Server Users" "cn=Enterprise Server User Groups" "cn=Enterprise Server Resources" 2 "/home/hub/staff/example/mfds-users-sun.ldif"

      Note:

      There is no difference between the OpenLDAP and Sun syntax for the generated LDIF file, so no Directory Server changes have been required.

  15. Import the generated mfds-users-sun.ldif file:
    1. Enter the following command:
      /usr/local/dsee/dsrk6/bin/ldapmodify -a -v -h 127.0.0.1 -p 3880 -D "cn=Directory Manager" -w password -f /home/hub/staff/example/mfds-users-sun.ldif
  16. Refresh the LDAP browser to ensure that you can see the new DIT contents. The "Enterprise Server" subcontainers now contain the "Enterprise Server Administration", "schemaadmin" and "#"-prefixed Directory Server default user groups.
  17. In Enterprise Server Administration (the Micro Focus Directory Server, not the Sun directory), configure a new external security manager as follows:
    Name: Sun Directory 6.1 machine-address:3880
    Module: mldap_esm
    Connection Path: machine-address:3880
    Authorized ID: cn=Directory Manager
    Description: Test Sun Directory ESM
    Configuration Information:
      [LDAP]
      Base=cn=Micro Focus,dc=example,dc=com
      user container=CN=Enterprise Server Users
      group container=CN=Enterprise Server User Groups
      resource container=CN=Enterprise Server Resources

    Two settings in this test configuration should be changed for production use. The connection path uses the non-secure port 3880, so the bind password and all directory traffic cross the network in the clear; use the instance's secure port instead. The authorized ID is cn=Directory Manager, the directory's unrestricted root account, so a compromised Enterprise Server could rewrite the whole DIT; bind instead as a dedicated account granted only the rights it needs on the cn=Micro Focus subtree.
  18. Change the Micro Focus Directory Server's Security Manager List to use this external security manager, then turn on administrative security.
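The shell helpers below are an added example, not Micro Focus or Sun code, covering two points of the procedure above that are easy to get wrong: building the container LDIF of step 11 from a base DN and refusing a file that lists the same DN twice (ldapmodify -a rejects the second add as an existing entry), and checking the schema.txt dump of step 6 for the "container" and Micro Focus objectClasses after joining the continuation lines that ldapsearch emits when it folds long values. The schema text inside the script is constructed for the demonstration, the OID on the 'microfocus-example' class is a placeholder, and because this page does not list the class names that mfds -l generates, the Micro Focus check is a prefix match on "microfocus".

```shell
#!/bin/sh
# Added example, not Micro Focus or Sun code. Helpers for the LDIF steps of
# the procedure above: build the container LDIF (step 11), reject LDIF that
# lists a DN twice, and check the schema.txt dump (step 6). SCHEMA_SAMPLE is
# constructed; the OID on 'microfocus-example' is a placeholder.

# Emit the Micro Focus container entries for the given base DN, one add per
# entry, parent before children as ldapmodify -a requires.
gen_container_ldif() {
  base=$1
  printf 'dn: cn=Micro Focus,%s\ncn: Micro Focus\nobjectClass: container\n\n' "$base"
  for name in "Enterprise Server Resources" "Enterprise Server Users" \
              "Enterprise Server User Groups" "MFDS Repository"; do
    printf 'dn: cn=%s,cn=Micro Focus,%s\ncn: %s\nobjectClass: container\n\n' \
      "$name" "$base" "$name"
  done
}

# Succeed only if no DN appears twice in an LDIF file. DNs are compared
# case-insensitively and without the optional space after "dn:", since a
# second add of the same DN fails with "entry already exists".
check_unique_dns() {
  dups=$(grep -i '^dn:' "$1" | sed 's/^[Dd][Nn]:[ ]*//' \
         | tr '[:upper:]' '[:lower:]' | sort | uniq -d)
  [ -z "$dups" ]
}

# Join LDIF continuation lines (leading space) onto the preceding line.
# ldapsearch folds long values such as objectClasses definitions, so a
# plain grep over schema.txt can miss a name split across two lines.
unfold_ldif() {
  awk '
    /^ /   { printf "%s", substr($0, 2); next }
    NR > 1 { printf "\n" }
           { printf "%s", $0 }
    END    { if (NR > 0) printf "\n" }
  ' "$1"
}

# Check a schema dump for the classes the procedure installs. Returns 0 when
# both are found, 1 if 'container' is missing, 2 if no objectClass whose name
# starts with "microfocus" is present.
check_schema() {
  text=$(unfold_ldif "$1")
  printf '%s\n' "$text" | grep -iq "^objectClasses:.*NAME *'container'" || return 1
  printf '%s\n' "$text" | grep -iq "^objectClasses:.*NAME *'microfocus" || return 2
  return 0
}

# Constructed stand-in for schema.txt; the second definition is folded in the
# middle of its name, as ldapsearch may fold it.
SCHEMA_SAMPLE="dn: cn=schema
objectClasses: ( 1.2.840.113556.1.3.23 NAME 'container' SUP top STRUCTURAL MUST ( cn ) )
objectClasses: ( 1.1.1.1.1 NAME 'micro
 focus-example' SUP top AUXILIARY MAY ( description ) )
attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )"

# Run the helpers against generated LDIF and the constructed schema dump.
demo() {
  work=${TMPDIR:-/tmp}/mf-ldif-demo.$$
  mkdir -p "$work"
  gen_container_ldif "dc=example,dc=com" > "$work/mf-containers-sun.ldif"
  if check_unique_dns "$work/mf-containers-sun.ldif"; then
    echo "mf-containers-sun.ldif: $(grep -c '^dn:' "$work/mf-containers-sun.ldif") entries, no duplicate DNs"
  else
    echo "mf-containers-sun.ldif: duplicate DN(s): $dups"
  fi
  printf '%s\n' "$SCHEMA_SAMPLE" > "$work/schema.txt"
  check_schema "$work/schema.txt" && echo "schema.txt: container and microfocus objectClasses present"
  rm -rf "$work"
}
demo
```

To use the helpers against a real instance, redirect gen_container_ldif to the file you pass to ldapmodify -f, and run check_schema on the schema.txt produced by the ldapsearch in step 6; a return code of 1 means the 99container.ldif file was not picked up on restart, and 2 means the generated 99microfocus.ldif was not.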