Setting Up OpenDS 1.0.0 as a Naming Service for the OpenSolaris OS, Part 1 of 2: Basic Steps

Print-friendly Version

OpenDS, an open-source, Lightweight Directory Access Protocol (LDAP) directory-server project (henceforth, OpenDS), is written entirely in the Java programming language. The project, which just shipped its release 1.0.0, is gaining momentum with an ever-growing community of committers, contributors, and users.

This article, Part 1 of a two-part series, describes how to install and configure OpenDS as a naming service for UNIX clients that run the OpenSolaris Operating System, Sun's open-source operating system. The procedures in this series also apply to the Solaris 10 OS, which is free for download.

Part 2 steps you through the advanced configurations: setting up the directory service for UNIX user authentication, configuring for Digest-MD5 or CRAM-MD5 authentication, configuring clients, and so forth.

First, manually create a self-signed certificate for OpenDS. Generating certificates in the OpenDS installer causes complexity in the subsequent export process, hence the manual method, as described in this section.

Afterwards, export the certificate to an output file and convert it to the PKCS12 format for later use.

Generation Procedure
To generate a self-signed certificate:

1. On the machine in which you will install OpenDS server, create a directory and a certificate database. Type:
   
   

   bash-3.00$ mkdir -p /local/Certs bash-3.00$ /usr/sfw/bin/certutil -N -d /local/Certs -P "opends-host-"

    
   Here's the output:
   
   

   Enter a password which will be used to encrypt your keys. The password should be at least 8 characters long, and should contain at least one non-alphabetic character. Enter new password:

    
   
2. Enter and then reenter the password, as prompted.
   
   
3. Create a self-signed certificate for the host, named latica.france.sun.com in this example. Type, all on one line:
   
   

   bash-3.00$ /usr/sfw/bin/64/certutil -S -x -n "server-cert" -s "cn=latica.france.sun.com,ou=Directory Services,o=Example Inc,c=FR" -t CTPu -v 12 -d /local/Certs -P "opends-host-" -5

    
   Here's the output:
   
   

   Enter Password or Pin for "NSS Certificate DB":

    
   
4. Type the password.
   
   Here's the output:
   
   

   A random seed must be generated that will be used in the creation of your key. One of the easiest ways to create a random seed is to use the timing of keystrokes on a keyboard. To begin, type keys on the keyboard until this progress meter is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!

    
   
5. Continue typing, for example, the asterisk, until the progress meter is full.
   
   Here's the output:
   
   

   |************************************************************| Finished. Press enter to continue:

    
   
6. Press Enter as prompted.
   
   certutil generates the key and outputs the following:
   
   

   Generating key. This may take a few moments ... 0 - SSL Client 1 - SSL Server 2 - S/MIME 3 - Object Signing 4 - Reserved for future use 5 - SSL CA 6 - S/MIME CA 7 - Object Signing CA Other to finish

    
   
7. Type 1 as the choice.
   
   certutil then prompts:
   
   

   Is this a critical extension [y/N]?

    
   
8. Type y.
   
   The menu under Step 6 is redisplayed.
   
   
9. Type 8 or press Return to finish.

Export and Conversion Procedures
Follow these steps to export and convert the certificate:

1. Export the server certificate into an output file in Privacy Enhanced Mail (PEM) format. Type:
   
   

   bash-3.00$ /usr/sfw/bin/certutil -L -d /local/Certs -P "opends-host-" -n "server-cert" -a > mycert.pem

    
   
2. Take a look at the certificate. Type:
   
   

   bash-3.00$ more mycert.pem

    
   Here's an example of the output:
   
   

   -----BEGIN CERTIFICATE----- MIICVDCCAb2gAwIBAgIFAIk3J8IwDQYJKoZIhvcNAQEEBQAwYTELMAkGA1UEBhMC VVMxFTATBgNVBAoTDEV4YW1wbGUgQ29ycDEbMBkGA1UECxMSRGlyZWN0b3J5IFNl cnZpY2VzMR4wHAYDVQQDExVsYXRpY2EuZnJhbmNlLnN1bi5jb20wHhcNMDgwMzMx MTAzODA4WhcNMDkwMzMxMTAzODA4WjBhMQswCQYDVQQGEwJVUzEVMBMGA1UEChMM RXhhbXBsZSBDb3JwMRswGQYDVQQLExJEaXJlY3RvcnkgU2VydmljZXMxHjAcBgNV BAMTFWxhdGljYS5mcmFuY2Uuc3VuLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw gYkCgYEA1vyLBMSdJ0UsDF+a10tmQot2oLu9kekzVqAqpvLQiNY1PeAi2h4Nzygs 5uOqUgiyF7s9utEW0vvmTSOb75OgXlqxBQFnKw/NegHaY0K6ka1QCmSkdUp9t96M SJjXvd15iEvgH40EeC4K0zj9Bxuih5BSmWcrNDGnLwsrEQc2bjECAwEAAaMYMBYw FAYJYIZIAYb4QgEBAQH/BAQDAgZAMA0GCSqGSIb3DQEBBAUAA4GBAG99NMW/ehFM Dr2LazDKhplEixeU20Ib3w8fxYfm0NeHKG058Gdi2PcNdPfikUnBGIHth7denYOQ J3RV884ExRBkGjDEpkjah2qPfRO7gRnv4u4RL94FtOz4+bbcF3SHqbfMpPvyy14e umvAwo75MzYtinQ+pOM+z8/a7nMtTZzL -----END CERTIFICATE-----

    
   
3. Convert the certificate to the PKCS12 format. Type:
   
   

   bash-3.00$ /usr/sfw/bin/pk12util -o mypk12 -d /local/Certs -P "opends-host-" -n "server-cert"

    
   pk12util prompts for two passwords:
   
   

   Enter Password or Pin for "NSS Certificate DB": Enter password for PKCS12 file: Re-enter password:

    
   
4. Type the passwords as prompted.
   
   When conversion is complete, pk12util confirms:
   
   

   pk12util: PKCS12 EXPORT SUCCESSFUL bash-3.00$

    
   

Normally, as a privileged TCP/IP port, the LDAP port is opened by root. It is bad practice to run servers as root, however. On the Solaris OS, a preferred way for running OpenDS is to create a user that will install and own the server and files.

Realistically, multiple administrators in an enterprise must share the privilege of configuring and administering the directory server. A robust solution is to define a role called, for example, opendsd, and assign it the authority to open privileged ports. Afterwards, grant that role to the pertinent administrators. Do the following:

1. As root, create a role for the OpenDS service and files. Type:
   
   

   # roleadd -c "OpenDS role" -s /bin/bash -K defaultpriv=basic,net_privaddr,sys_resource opendsd # passwd opendsd

    
   
2. At the New Password and Re-enter new Password prompts, press Return.
   
   You need not set up a password here because only users who are assigned the opendsd role can run OpenDS anyway. Here's the output:
   
   

   passwd: password successfully changed for opendsd

    
   
3. Grant the role to a user, for example, user1. Type:
   
   

   # usermod -R opendsd user1

    
   
4. Log out of root by typing exit and test the privilege as user1. Type:
   
   

   bash-3.00$ su opendsd

    
   
5. At the password prompt, press Return.
   
   You can now install and run the OpenDS server. Read on for the details.

Download and install OpenDS 1.0.0:

1. Download the core server ZIP file from the latest OpenDS build.
   
   
2. Unzip the file in the installation directory, for example, /local/OpenDS. Type:
   
   

   bash-3.00$ cd /local/OpenDS bash-3.00$ unzip /tmp/OpenDS-1.0.0

    
   
3. Install OpenDS 1.0.0. Type:
   
   

   bash-3.00$ cd /local/OpenDS/OpenDS-1.0.0 bash-3.00$ setup

    
   Note: You can also install OpenDS on the command line. This section describes the GUI way only.

The OpenDS QuickSetup wizard is then displayed, starting with the Welcome screen. Follow these steps:

1. Click Next.
   
   The Server Settings screen is displayed. See Figure 1.
   
   
   

   Figure 1: Server Settings
    
   
2. Fill in the two top text fields: one for the host name, which must be the fully qualified name that you specified for the certificate (latica.france.sun.com in this example); and the other for the LDAP listener port (389 in this example).
   
   
3. Click Configure to configure LDAP secure access.
   
   The Configure Secure Access screen is displayed. See Figure 2.
   
   
   

   Figure 2: Configuration of Secure Access
    
   
4. Retain the default settings and click OK.
   
   
5. In the Server Settings screen, retain the default value (cn=Directory Manager) in the Root User DN text field and type secret12 as its password in the two Password text fields, as in Figure 1. Click Next.
   
   The Topology Options screen is displayed. See Figure 3.
   
   
   

   Figure 3: Topology Options
    
   
6. Select the setting "This will be a standalone server" and click Next.
   
   The Directory Data screen is displayed. See Figure 4.
   
   
   

   Figure 4: Directory Data
    
   
7. Retain the default value in the Directory Base DN text field and, under Directory Data, select Leave Database Empty. Click Next.
   
   The Review screen is displayed with a list of the settings. See Figure 5.
   
   
   

   Figure 5: Confirmation of Settings
    
   
8. Deselect "Start Server when Configuration has Completed." Click Finish.
   
   The OpenDS installer then configures the settings and confirms when the process is complete.

By default, OpenDS contains a set of LDAP schemas that are defined in standard Requests for Comments (RFCs). However, to enable Solaris naming services, you must add schema definitions for these two profiles:

• Directory User Agent (DUA) configuration profiles, which specify the organization of the LDAP data for the LDAP client and tools
  
  
• Solaris OS-specific project profiles, which define Solaris projects and store them in OpenDS

Do the following:

1. Download the two schema files (DUA and Solaris ).
   
   
2. Add the files to the config/schema directory. Type, for example:
   
   

   bash-3.00$ cp /tmp/05-rfc4876.ldif config/schema/ bash-3.00$ cp /tmp/90-solaris.ldif config/schema/

    
   

Next, create the structure for the Directory Information Tree (DIT) structure and populate the required data. Here are the five files in question:

Do the following:

1. Import the myskel.ldif file into the installation directory. Type, for example:
   
   

   bash-3.00$ bin/import-ldif -b dc=example,dc=com -l /tmp/myskel.ldif

    
   
2. Append—or configure and then append—the other four files, as follows:
   
   
   1. For myproxy.ldif, type, for example:
      
      

      bash-3.00$ bin/import-ldif -b dc=example,dc=com -a -l /tmp/myproxy.ldif

       
      
   2. Edit the myprofile.ldif file to specify the IP address of the machine for the OpenDS instance. Afterwards, append the file. Type, for example:
      
      

      bash-3.00$ bin/import-ldif -b dc=example,dc=com -a -l /tmp/myprofile.ldif

       
      
   3. Add the information for your users and groups to the myusers.ldif and mygroups.ldif files.
      
      Note: Be sure to specify all user passwords as clear text. Part 2 of this series will show you how to configure OpenDS with the CLEAR password storage scheme when adding users or changing passwords.
      
      
   4. Append the two files. Type, for example:
      
      

      bash-3.00$ bin/import-ldif -b dc=example,dc=com -a -l /tmp/myusers.ldif bash-3.00$ bin/import-ldif -b dc=example,dc=com -a -l /tmp/mygroups.ldif

       
      
3. Start OpenDS. Type:
   
   

   bash-3.00$ bin/start-ds

    
   

Now, on to Part 2, which steps you through the advanced configurations.

• OpenDS
  • Main page
  • Documentation
  • Community
  
  
• Solaris 10 OS
  
  
• OpenSolaris OS
  
  
• Sun developer services
  • Support
  • Training and certification