Configuring the Sun Java System Directory Server on a Trusted Extensions System
The LDAP naming service is the supported naming service for Trusted Extensions. If
your site is not yet running the LDAP naming service, configure a
Sun Java System Directory Server (Directory Server) on a system that is configured
with Trusted Extensions. If your site is already running a Directory Server, then
you need to add the Trusted Extensions databases to the server. To access
the Directory Server, you then set up an LDAP proxy on a Trusted
Extensions system.
Note - If you do not use this LDAP server as an NFS server
or as a server for Sun RayTM clients, then you do not need
to install any labeled zones on this server.
Collect Information for the Directory Server for LDAP
Install the Sun Java System Directory Server
The Directory Server packages are available from the Sun Software Gateway web site.
- Find the Sun Java System Directory Server packages on the Sun web
site.
- On the Sun Software Gateway page, click the Get It tab.
- Click the checkbox for the Sun Java Identity Management Suite.
- Click the Submit button.
- If you are not registered, register.
- Log in to download the software.
- Click the Download Center at the upper left of the screen.
- Under Identity Management, download the most recent software that is appropriate for your
platform.
- In the /etc/hosts file, add the FQDN to your system's hostname entry.
The FQDN is the Fully Qualified Domain Name. This name is a combination
of the host name and the administration domain, as in:
192.168.5.5 myhost myhost.example-domain.com
- Install the Directory Server packages.
Answer the questions by using the information from Collect Information for the Directory Server for LDAP.
- Ensure that the Directory Server starts at every boot.
Templates for the SMF services for the Directory Server are in the Sun
Java System Directory Server packages.
- For a Trusted Extensions Directory Server, enable the service.
# dsadm stop /export/home/ds/instances/your-instance
# dsadm enable-service -T SMF /export/home/ds/instances/your-instance
# dsadm start /export/home/ds/instances/your-instance
For information about the dsadm command, see the dsadm(1M) man page.
- For a proxy Directory Server, enable the service.
# dpadm stop /export/home/ds/instances/your-instance
# dpadm enable-service -T SMF /export/home/ds/instances/your-instance
# dpadm start /export/home/ds/instances/your-instance
For information about the dpadm command, see the dpadm(1M) man page.
- Verify your installation.
# dsadm info /export/home/ds/instances/your-instance
Instance Path: /export/home/ds/instances/your-instance
Owner: root(root)
Non-secure port: 389
Secure port: 636
Bit format: 32-bit
State: Running
Server PID: 298
DSCC url: -
SMF application name: ds--export-home-ds-instances-your-instance
Instance version: D-A00
Troubleshooting
For strategies to solve LDAP configuration problems, see Chapter 13, LDAP Troubleshooting (Reference), in System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).
Configure the Logs for the Sun Java System Directory Server
This procedure configures three types of logs: access logs, audit logs, and error
logs. The following default settings are not changed:
All logs are enabled and buffered.
Logs are placed in the appropriate /export/home/ds/instances/your-instance/logs/LOG_TYPE directory.
Events are logged at log level 256.
Logs are protected with 600 file permissions.
Access logs are rotated daily.
Error logs are rotated weekly.
The settings in this procedure meet the following requirements:
Audit logs are rotated daily.
Log files that are older than 3 months expire.
All log files use a maximum of 20,000 MBytes of disk space.
A maximum of 100 log files is kept, and each file is at most 500 MBytes.
The oldest logs are deleted if less than 500 MBytes free disk space is available.
Additional information is collected in the error logs.
- Configure the access logs.
The LOG_TYPE for access is ACCESS. The syntax for configuring logs is the following:
dsconf set-log-prop LOG_TYPE property:value
# dsconf set-log-prop ACCESS max-age:3M
# dsconf set-log-prop ACCESS max-disk-space-size:20000M
# dsconf set-log-prop ACCESS max-file-count:100
# dsconf set-log-prop ACCESS max-size:500M
# dsconf set-log-prop ACCESS min-free-disk-space:500M
- Configure the audit logs.
# dsconf set-log-prop AUDIT max-age:3M
# dsconf set-log-prop AUDIT max-disk-space-size:20000M
# dsconf set-log-prop AUDIT max-file-count:100
# dsconf set-log-prop AUDIT max-size:500M
# dsconf set-log-prop AUDIT min-free-disk-space:500M
# dsconf set-log-prop AUDIT rotation-interval:1d
By default, the rotation interval for audit logs is one week.
- Configure the error logs.
In this configuration, you specify additional data to be collected in the error
log.
# dsconf set-log-prop ERROR max-age:3M
# dsconf set-log-prop ERROR max-disk-space-size:20000M
# dsconf set-log-prop ERROR max-file-count:30
# dsconf set-log-prop ERROR max-size:500M
# dsconf set-log-prop ERROR min-free-disk-space:500M
# dsconf set-log-prop ERROR verbose-enabled:on
- (Optional) Further configure the logs.
You can also configure the following settings for each log:
# dsconf set-log-prop LOG_TYPE rotation-min-file-size:undefined
# dsconf set-log-prop LOG_TYPE rotation-time:undefined
For information about the dsconf command, see the dsconf(1M) man page.
Configure a Multilevel Port for the Sun Java System Directory Server
To work in Trusted Extensions, the server port of the Directory Server
must be configured as a multilevel port (MLP) in the global zone.
- Start the Solaris Management Console.
# /usr/sbin/smc &
- Select the This Computer (this-host: Scope=Files, Policy=TSOL) toolbox.
- Click System Configuration, then click Computers and Networks.
You are prompted for your password.
- Type the appropriate password.
- Double-click Trusted Network Zones.
- Double-click the global zone.
- Add a multilevel port for the TCP protocol:
- Click Add for the Multilevel Ports for Zone's IP Addresses.
- Type 389 for the port number, and click OK.
- Add a multilevel port for the UDP protocol:
- Click Add for the Multilevel Ports for Zone's IP Addresses.
- Type 389 for the port number.
- Choose the udp protocol, and click OK.
- Click OK to save the settings.
- Update the kernel.
# tnctl -fz /etc/security/tsol/tnzonecfg
Populate the Sun Java System Directory Server
Several LDAP databases have been created or modified to hold Trusted Extensions
data about label configuration, users, and remote systems. In this procedure, you populate the
Directory Server databases with Trusted Extensions information.
Before You Begin
If site security requires separation of duty, complete the following before populating the Directory server:
- Create a staging area for files that you plan to use to populate
the naming service databases.
# mkdir -p /setup/files
- Copy the sample /etc files into the staging area.
# cd /etc
# cp aliases group networks netmasks protocols /setup/files
# cp rpc services auto_master /setup/files
# cd /etc/security
# cp auth_attr prof_attr exec_attr /setup/files/
#
# cd /etc/security/tsol
# cp tnrhdb tnrhtp /setup/files
# cd /etc/inet
# cp ipnodes /setup/files
- Remove the +auto_master entry from the /setup/files/auto_master file.
- Remove the ?:::::? entry from the /setup/files/auth_attr file.
- Remove the :::: entry from the /setup/files/prof_attr file.
- Create the zone automaps in the staging area.
In the following list of automaps, the first of each pair of
lines shows the name of the file. The second line of each pair
shows the file contents. The zone names identify labels from the default label_encodings
file that is included with the Trusted Extensions software.
/setup/files/auto_home_public
* myNFSserver_FQDN:/zone/public/root/export/home/&
/setup/files/auto_home_internal
* myNFSserver_FQDN:/zone/internal/root/export/home/&
/setup/files/auto_home_needtoknow
* myNFSserver_FQDN:/zone/needtoknow/root/export/home/&
/setup/files/auto_home_restricted
* myNFSserver_FQDN:/zone/restricted/root/export/home/&
- Add every system on the network to the /setup/files/tnrhdb file.
No wildcard mechanism can be used here. The IP address of every system
to be contacted, including the IP addresses of labeled zones, must be
in this file.
- Open the trusted editor and edit /setup/files/tnrhdb.
- Add every IP address on a labeled system in the Trusted Extensions
domain.
Labeled systems are of type cipso. Also, the name of the security template
for labeled systems is cipso. Therefore, in the default configuration, a cipso entry is
similar to the following:
192.168.25.2:cipso
Note - This list includes the IP addresses of global zones and labeled zones.
- Add every unlabeled system with which the domain can communicate.
Unlabeled systems are of type unlabeled. The name of the security template for
unlabeled systems is admin_low. Therefore, in the default configuration, an entry for an
unlabeled system is similar to the following:
192.168.35.2:admin_low
- Save the file, and exit the editor.
- Check the syntax of the file.
# tnchkdb -h /setup/files/tnrhdb
- Fix any errors before continuing.
- Copy the /setup/files/tnrhdb file to the /etc/security/tsol/tnrhdb file.
- Use the ldapaddent command to populate every file in the staging area.
# /usr/sbin/ldapaddent -D "cn=directory manager" \ -w dirmgr123 -a simple -f /setup/files/hosts hosts