By Mazen Arakji and Ludovic Poitou, with contributions from Marina Sum, August 6, 2008
OpenDS is an open-source, Lightweight Directory Access Protocol (LDAP) directory-server project (henceforth, OpenDS). Part 1 of this series describes the basic steps for installing and configuring OpenDS as a naming service for UNIX clients that run the OpenSolaris Operating System, Sun's open-source OS. The procedures in this series also apply to the Solaris 10 OS, which is free for download.
Here in Part 2, you learn the advanced configuration steps to complete the process.
First, set up the directory service to enable authentication of UNIX users. To do so, connect to the running instance of OpenDS as the Directory Manager.
Important: For security, even though you can interactively type the Directory Manager's password when prompted, store the password in a temporary file instead and refer to that file in the dsconfig command (the -j option). Be sure to delete the file when configuration is complete.
Follow this procedure:
Note: The UNIX convention of backslashes in most of the commands that follow is used to break up the commands for readability. Feel free to type the entire command on one long line that wraps, omitting the backslashes.
- Store the cn=directory manager password, secret12 in this example, in a temporary file. Type:
bash-3.00$ cat > /tmp/.dmp
secret12
^D
- Grant the Proxy user permission to retrieve user account status so that pam_ldap enables users to log in with the rsh, rlogin, rcp, or ssh command without entering a password. As in Part 1, the host in this example is called latica.france.sun.com. Type:
bash-3.00$ bin/dsconfig -h latica.france.sun.com -p 389 \
-D "cn=directory manager" -j /tmp/.dmp -n \
set-access-control-handler-prop \
--add global-aci:'(targetcontrol="1.3.6.1.4.1.42.2.27.9.5.8") (version 3.0; '\
'acl "Allow Account Status control for Proxy"; allow(read, '\
'proxy) userdn="ldap:///cn=solaris,ou=LDAPauth,dc=example,dc=com";)'
The ACI value is written as three single-quoted pieces that the shell joins into one argument. A backslash placed inside a single-quoted string is not a line continuation; it would be passed to OpenDS as part of the ACI and the command would fail.
If you plan to take advantage of Network Information System (NIS) Netgroups, you must also grant the Proxy user permission to use the Virtual List View (VLV) control. To grant that permission, replace the quoted access control instruction in the preceding example (its last three lines) with the following:
'(targetcontrol="1.3.6.1.4.1.42.2.27.9.5.8 || 2.16.840.1.113730.3.4.9") (version 3.0; '\
'acl "Allow Account Status and VLV controls for Proxy"; allow(read, '\
'proxy) userdn="ldap:///cn=solaris,ou=LDAPauth,dc=example,dc=com";)'
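As an added example that is not part of the article, the following script performs steps 1 and 2 with the password file created owner-only by mktemp and removed by a trap when the script exits, so the file cannot be left behind in /tmp. OPENDS_HOME, DS_HOST, DS_PORT and the script name dm_aci.sh are assumptions to adjust for your instance.

```shell
#!/bin/sh
# Added example, not from the article: handle the Directory Manager password
# file of step 1 safely. The article keeps it at /tmp/.dmp; here mktemp
# creates a randomly named, owner-only (0600) file, and a trap removes it
# when the script exits, so the "delete the file" reminder cannot be forgotten.
# OPENDS_HOME, DS_HOST and DS_PORT are placeholders for your own instance.
OPENDS_HOME="${OPENDS_HOME:-/opt/OpenDS}"
DS_HOST="${DS_HOST:-latica.france.sun.com}"
DS_PORT="${DS_PORT:-389}"

# make_dm_pwfile PASSWORD: writes PASSWORD to a fresh 0600 temporary file
# and prints the file's path. umask 077 runs in the command substitution's
# subshell, so the caller's umask is untouched.
make_dm_pwfile() {
    pwfile=$(umask 077 && mktemp "${TMPDIR:-/tmp}/.dmp.XXXXXX") || return 1
    printf '%s\n' "$1" > "$pwfile" || return 1
    printf '%s\n' "$pwfile"
}

# dsconfig_dm ARGS...: runs dsconfig as cn=directory manager, non-interactively
# (-n), reading the password from the file named in $PWFILE (-j), exactly as
# the article's commands do.
dsconfig_dm() {
    "$OPENDS_HOME/bin/dsconfig" -h "$DS_HOST" -p "$DS_PORT" \
        -D "cn=directory manager" -j "$PWFILE" -n "$@"
}

main() {
    # Read the password from the terminal without echoing it.
    printf 'Directory Manager password: ' >&2
    stty -echo; read -r dmpw; stty echo; printf '\n' >&2
    PWFILE=$(make_dm_pwfile "$dmpw") || exit 1
    unset dmpw
    # Remove the password file however the script ends; Ctrl-C or a kill
    # turns into an exit so the EXIT trap still runs.
    trap 'rm -f "$PWFILE"' EXIT
    trap 'exit 1' INT TERM
    # The same ACI as the article's step 2, passed as one quoted argument.
    dsconfig_dm set-access-control-handler-prop \
        --add global-aci:'(targetcontrol="1.3.6.1.4.1.42.2.27.9.5.8") (version 3.0; acl "Allow Account Status control for Proxy"; allow(read, proxy) userdn="ldap:///cn=solaris,ou=LDAPauth,dc=example,dc=com";)'
}

# Run main only when the script is executed directly under its own name
# (assumed here to be dm_aci.sh), so the functions can also be sourced.
case "${0##*/}" in dm_aci.sh) main ;; esac
```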
An OpenSolaris client can choose among several authentication methods for Proxy to authenticate to the directory server. For details on those choices, see the section "LDAP Naming Services Security Model" in the OpenSolaris System Administration Guide.
To adopt the Digest-MD5 or CRAM-MD5 method instead of Transport Layer Security (TLS) or a simple connection, perform three steps:
Note: MD5, which stands for Message Digest algorithm 5, is a cryptographic hash function. CRAM is an acronym for challenge-response authentication mechanism.
- Store the user's password in clear text in OpenDS, because the server must be able to read the password to verify a CRAM-MD5 or DIGEST-MD5 response. Type:
bash-3.00$ bin/dsconfig -h latica.france.sun.com -p 389 \
-D "cn=directory manager" -j /tmp/.dmp -n \
set-password-policy-prop --policy-name "Default Password Policy" \
--set default-password-storage-scheme:CLEAR
- Configure the Identity mappers. Type:
bash-3.00$ bin/dsconfig -h latica.france.sun.com -p 389 \
-D "cn=directory manager" -j /tmp/.dmp -n \
set-identity-mapper-prop \
--mapper-name 'Regular Expression' \
--add match-attribute:cn \
--set match-pattern:'cn=(.*),ou=LDAPauth.*|uid=(.*),ou=People.*' \
--set replace-pattern:'$1$2'
- Configure Simple Authentication and Security Layer (SASL). Type:
bash-3.00$ bin/dsconfig -h latica.france.sun.com -p 389 \
-D "cn=directory manager" -j /tmp/.dmp -n \
set-sasl-mechanism-handler-prop \
--handler-name CRAM-MD5 \
--set identity-mapper:"Regular Expression"
Steps 2 and 3 ensure that users are mapped to directory entries: the regular expression extracts the cn from a Proxy ID under ou=LDAPauth, or the uid from a user ID under ou=People, and OpenDS then looks up the entry whose cn (the match attribute) equals that value.
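As an added example, not from the article, this script mimics the identity mapper's regular-expression step with sed so that you can check how an authentication ID is mapped before testing a bind. It assumes OpenDS applies the match pattern as a replace-all and passes an ID that the pattern does not match through unchanged.

```shell
#!/bin/sh
# Added example, not from the article: reproduces with sed what the
# "Regular Expression" identity mapper configured in step 2 does to a SASL
# authentication ID, so the patterns can be checked before any bind is
# attempted. Assumption: OpenDS applies match-pattern as a replace-all and
# passes through an ID that the pattern does not match.
MATCH='cn=(.*),ou=LDAPauth.*|uid=(.*),ou=People.*'   # match-pattern from step 2
REPLACE='\1\2'   # the "$1$2" replace-pattern, in sed's back-reference syntax

# map_authid ID: prints the value the mapper hands to the directory search.
# Only one alternative of MATCH can match, so one of the two groups is
# empty; that is why "$1$2" yields just the cn or just the uid.
map_authid() {
    printf '%s\n' "$1" | sed -E "s/$MATCH/$REPLACE/"
}

# ldap_filter_escape VALUE: escapes the four characters RFC 4515 reserves in
# filter values, so a mapped value containing them cannot alter the filter.
# The backslash is handled first so the escapes added later are not re-escaped.
ldap_filter_escape() {
    printf '%s\n' "$1" | sed 's/\\/\\5c/g; s/\*/\\2a/g; s/(/\\28/g; s/)/\\29/g'
}

# mapper_filter ID: the search filter built from the mapped value and the
# match-attribute (cn) set in step 2. Fails if the mapped value is empty,
# because such a filter could never select an entry.
mapper_filter() {
    v=$(map_authid "$1")
    [ -n "$v" ] || return 1
    printf '(cn=%s)\n' "$(ldap_filter_escape "$v")"
}
```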
Finally, configure your Solaris or OpenSolaris clients for the LDAP naming service. Follow the steps in these two documents:
Configure security between the client and the OpenDS instance with the server certificate. You've already created that certificate (mycert.pem) in Part 1.
Reminder: Delete the /tmp/.dmp file as a final step.
Because the OpenDS default settings are intended for initial evaluation or development on machines with limited bandwidth, you should tune the Java virtual machine and OpenDS to scale. Here are a few recommendations:
- Download the latest version of the Java virtual machine, currently JDK 6, Update 7, aka release 1.6.0_07.
- Set the properties, as appropriate, defined in the Java Virtual Machine Settings section in the OpenDS documentation. Specifically, for consistent performance, tune the Garbage Collector. We recommend the CMS GC or Parallel Collector.
- Cache the data files in memory for optimal performance in OpenDS. The database cache's initial size, which is only 10 percent of the heap size, is definitely too small. Follow these guidelines:
- For a heap size that's below or equal to 2 Gbytes, allocate a database cache of about half of that size.
- For a heap size that's greater than 2 Gbytes, allocate a database cache of that size minus 1 Gbyte.
To specify the Java settings in a command or task, run the dsjavaproperties command. Alternatively, edit the instance-name/config/java.properties file to change the settings.
OpenDS is simple to install and configure as an OpenSolaris LDAP naming service. Do give it a try.
Also, check out OpenDS Standard Edition 1.0, the newly released version that's fully supported and indemnified by Sun. A gratifying development for OpenDS and a big win for its adopters!
Mazen Arakji joined Sun in July 2007 and is responsible for the functional and system testing of NAS products, including the LDAP and naming-service capabilities in OpenStorage. A Master's graduate in Computer Engineering from the University of Colorado at Boulder, Mazen is certified for Embedded System Design, Software Engineering, Engineering Management, and Java programming.
Ludovic Poitou is the OpenDS community lead and a directory architect at Sun. For the past 13 years, he's been designing and developing numerous aspects of Sun's directory products, from management tools to protocols to security to multimaster replication. Ludovic blogs on LDAP, directory services, OpenDS, and life.
Marina Sum is a staff writer for Sun Developer Network. She has been writing for Sun since 1989, mostly in the technical arena. Marina blogs on Sun's products, technologies, events, publications, and unsung heroes.