The installation of both the client and server can be automated using JumpStart technology. To accomplish an automated installation, scripts need to be developed. In this section, the basic steps for setting up a JumpStart environment for both the directory server and clients are discussed, including tips for creating scripts. You will find the following sections:

- "Automating the Directory Server Installation" on page 244
- "Automating LDAP Client Installations" on page 248
- "Hands-off Installation of an LDAP Client" on page 253

Automating the Directory Server Installation

Overview

To set up a directory server to support Secured LDAP Clients (whether through automation or not), a number of steps are required:
1. Load the Solaris OE on the directory server.
2. If the Sun ONE Directory Server 5.2 packages are not included, load them.
3. Install applicable patches.
4. Set up DNS as a name service.
5. Set up tuning parameters.
6. Configure the Directory Server (basic).
7. Configure TLS/SSL on the server.
8. Configure the Directory Server to support LDAP as a name service.
9. Populate the Directory Server with name service data.

Steps 1 through 5 can be accomplished before a system reboot. Steps 6 through 8 must be performed after the system reboots. Sample JumpStart finish scripts are discussed in the following sections. Additional details on JumpStart finish scripts and how to run them following a system reboot can be found in the Sun BluePrints book JumpStart Technology: Effective Use in the Solaris Operating Environment.

To Prepare a JumpStart Server to Install and Configure a Directory Server

The directions here assume you are familiar with JumpStart basics. Refer to the Advanced Installation Guide if you are not.
1. Create an install server with the Solaris OE. The install server can be created either from the Solaris 8 or Solaris 9 OE distribution.

2. Load the Sun ONE Directory Server 5.2 packages. To add packages that are not part of the Solaris OE distribution, a JumpStart finish script is required. You can create one with your favorite editor. A sample JumpStart finish script to install the packages might look like this:

    #!/bin/sh
    # Finish scripts run from the JumpStart boot image; the client's new
    # root is mounted at /a, so pkgadd is pointed at it with -R.
    BASE=/a
    MNT=/mnt
    ADMIN_FILE=/tmp/admin
    # Mount the package directory exported by the JumpStart server
    # (-F selects the file system type on Solaris).
    mount -F nfs jsserver:/jumpstart/Packages/ds52 ${MNT}
    # Admin file that answers the questions pkgadd would otherwise ask.
    cat >${ADMIN_FILE} <<DONT_ASK
    mail=root
    instance=overwrite
    partial=nocheck
    runlevel=nocheck
    idepend=nocheck
    rdepend=nocheck
    space=ask
    setuid=nocheck
    conflict=nocheck
    action=nocheck
    basedir=default
    DONT_ASK
    # Install the packages one at a time, in dependency order.
    PKGS="SUNWasha SUNWasvc SUNWasvcp SUNWasvu SUNWdsha SUNWdsvcp SUNWdsvh \
        SUNWdsvhx SUNWdsvpl SUNWdsvr SUNWdsvu SUNWdsvx SUNWicu SUNWicux \
        SUNWjss SUNWldk SUNWldkx SUNWpr SUNWprx SUNWsasl SUNWsaslx SUNWtls SUNWtlsx"
    for pkg in ${PKGS}; do
        /usr/sbin/pkgadd -a ${ADMIN_FILE} -d ${MNT} -R ${BASE} ${pkg}
    done
    umount ${MNT}
3. Install patches. In general, you want to install the recommended patches that correspond to the OE installed on the server. Directory Server-specific patches should also be installed.

4. Set up DNS. The system that the Directory Server is installed on should be configured for DNS before it is configured as a directory server. One way to do this is to have a sysidcfg file that specifies dns.

5. Configure tuning parameters. Depending on your anticipated load, you might want to change some of the TCP parameter defaults. Example:

    #!/bin/sh
    # Kernel tunable: a larger TCP connection hash table, read from
    # /etc/system at boot.
    echo "set tcp:tcp_conn_hash_size 1024" >> /a/etc/system
    # ndd settings do not survive a reboot, so append them to the network
    # init script on the client root (/a) and they are reapplied at every
    # boot. tcp_strong_iss 2 selects RFC 1948 initial sequence numbers.
    ( cat <<EOF
    ndd -set /dev/tcp tcp_conn_req_max_q 1024
    ndd -set /dev/tcp tcp_keepalive_interval 600000
    ndd -set /dev/tcp tcp_ip_abort_cinterval 10000
    ndd -set /dev/tcp tcp_ip_abort_interval 60000
    ndd -set /dev/tcp tcp_strong_iss 2
    ndd -set /dev/tcp tcp_smallest_anon_port 8192
    ndd -set /dev/tcp tcp_deferred_ack_interval 5
    EOF
    ) >> /a/etc/init.d/inetinit
6. Configure the basic directory server parameters. The directory server needs to be configured after the system reboots. One way to trigger a script to run after it boots is to copy a script to the /etc/rc* directory. After it runs, you can delete it. For example:

    #!/bin/sh
    # Finish script: place the post-reboot script on the client root so the
    # rc system runs it at the next boot (rc3.d is assumed here; the text
    # only calls for an /etc/rc* directory).
    cp ${SI_CONFIG_DIR}/Files/S98dirconfig /a/etc/rc3.d/S98dirconfig

The content of S98dirconfig might look like this:

    #!/bin/sh
    # Runs once after the reboot: silent configuration driven by the state
    # file generated earlier, with no display required.
    DIR=/net/jsserver/jumpstart/Files
    /usr/sbin/directoryserver configure -nodisplay -state \
        ${DIR}/typical.ins

Note: See "To Set Up the Directory Server (Silent Mode)" on page 222 for instructions on how to generate the typical.ins file.
7. Configure TLS/SSL. See "Enabling TLS/SSL on the Directory Server" on page 232 for instructions on how to manually configure TLS/SSL. The cert7.db and key3.db databases can be copied over with a JumpStart finish script. Example:

    #!/bin/sh
    # Copy the prebuilt certificate and key databases into the server's
    # alias directory on the client root; the names carry the instance
    # prefix (slapd-myserver). key3.db holds the server's private key, so
    # the Files directory should not be exported more widely than needed.
    cp ${SI_CONFIG_DIR}/Files/cert7.db /a/var/mps/serverroot/alias/slapd-myserver-cert7.db
    cp ${SI_CONFIG_DIR}/Files/key3.db /a/var/mps/serverroot/alias/slapd-myserver-key3.db

8. Configure Directory Server support for Secured LDAP clients. See "To Run the idsconfig Command (Silent Mode)" on page 229 for instructions on how to perform a silent installation. The script might look something like this:

    #!/bin/sh
    # Runs after the reboot: idsconfig takes its answers from the input
    # file generated earlier instead of prompting.
    DIR=/net/jsserver/jumpstart/Files
    /usr/lib/ldap/idsconfig -i ${DIR}/idsconfig.ins
9. Populate the directory server with name service data. Because the ldapaddent command can only be run on an LDAP name service client and a directory server cannot be its own client, you will not be able to use the ldapaddent command for an automated installation. Alternatively, you can use other data migration scripts as described in Chapter 5, "Migrating Legacy Data to LDAP."

Automating LDAP Client Installations

In some respects, configuring a client for LDAP is similar to any other name service like NIS or NIS+. The following section is a review of how name services are configured for clients, and how the LDAP name service fits in.

How a Solaris OE Client Is Configured

A Solaris OE client is configured by a suite of five programs collectively known as sysidtool(1M). The five programs are:
- /usr/sbin/sysidnet
- /usr/sbin/sysidns
- /usr/sbin/sysidsys
- /usr/sbin/sysidroot
- /usr/sbin/sysidpm

These programs are executed when the following two events occur:

- The system is installed.
- The system reboots after the sys-unconfig command is run.

TABLE 4-4 shows what information is obtained from each of the five utilities.

Table 4-4. sysidtool Information

    Command       Information Obtained
    sysidnet      host name, IP address, console type, locale
    sysidns       name service, IP subnet mask, domain name, host name and IP address of name server(s), LDAP client profile
    sysidsys      time zone, date, time
    sysidroot     root password
    sysidpm       power management
    sysidconfig   controls use of sysidcfg(4)

This information can be obtained from any of the following sources:

- An NIS+ server on the local subnet
- An NIS server on the local subnet
- A sysidcfg file

The first two sources are used to obtain the information during system installation or following a reboot after the sys-unconfig command is run. The third source is used for automatic hands-off installation.

During installation, sysidtool attempts to find an NIS+ server on the local subnet where the system installation is taking place. If no NIS+ server is found, a search is performed for an NIS server. If either an NIS+ or NIS server is located, configuration data is extracted from its NIS maps or NIS+ tables. If neither is found, sysidtool prompts the user for the required information.

During a hands-off installation, sysidtool searches for a file called sysidcfg whose location is specified in the /etc/bootparams file on the boot server. Information contained in the sysidcfg file can be used instead of obtaining the data from a name service. An example of a sysidcfg file is provided in "The sysidcfg File" on page 253.

Information Required to Configure an LDAP Client

A Solaris OE LDAP client requires much of the same configuration information that an NIS+ or NIS client does. This common information includes:
- Host name
- IP address
- Netmask
- Root password
- Locale
- Time zone

Besides this information, an LDAP client requires several additional pieces of information:
- The name of the domain it belongs to (equivalent to an NIS+ or NIS domain name)
- The IP address of an LDAP server that serves that domain and contains LDAP client profiles set up for the client
- The name of the LDAP client profile to download
- Optionally, the credentials the client uses to bind to the directory

The domain name is similar to the NIS domain name except that it is present in an entry on an LDAP directory server instead of an NIS server configuration file. LDAP client profiles are entries that are created on an LDAP server configured to support Solaris OE native LDAP clients. The LDAP profile server does not have to be the same LDAP server (or servers) that the LDAP client will ultimately access for name service data, but it is a common practice to use the same server.

Note: Installation of an LDAP client through sysidtool requires that an ipHost entry containing the host name and IP address of the client be created on the LDAP server specified in the LDAP client profile. The name service configuration will fail if a host entry matching the client's host name cannot be found on the LDAP server.

The following two examples show the dialogue that takes place when LDAP is specified as the name service during an interactive installation. For brevity, only the portion that pertains to name service configuration is shown.

Example of the dialog during an interactive installation of a Solaris Native LDAP client:

    Available name services:
        1. NIS+
        2. NIS
        3. DNS
        4. LDAP
        5. None
    Please enter the number corresponding to the type of name service you would like [2]: 4

    Please specify the domain where this system resides. Make sure you enter the name correctly including capitalization and punctuation.
    Enter this system's domain name [example.com]: example.com

    Please enter the name of the LDAP profile being used to configure this system as an LDAP client. You must also enter the IP address of the server that contains the profile.
    Enter the name of the profile [default]: myprofile
    Enter the address of the profile server []: 128.0.0.7

Note: The default domain name that is displayed is obtained from an NIS or NIS+ server. This domain name is only displayed if one is found on the subnet that the client is attached to. A search for LDAP servers on the subnet is not performed, so a domain name cannot be determined by examining one.

Example of the output from an interactive installation of a Solaris Native LDAP Client:

    You have entered the following values:
        Host Name: ldapclient
        IP Address: 128.0.0.10
        System part of a subnet: Yes
        Netmask: 255.255.255.0
        Enable IPv6: No
        Name Service: LDAP
        Domain Name: example.com
        Profile Name: myprofile
        Profile Server Address: 128.0.0.7
        Time Zone: Eastern
        Power Management: Turn Power Management Off
                          Do not ask about Power Management at reboot.

Client Post-Installation Issues
- When the client reboots, you will notice a console message similar to the following:

      NIS domainname is example.com

  This message is misleading, because it implies you are running NIS. The domain name refers to the nisdomain attribute set on the LDAP server that the client is binding to. Unlike an NIS client, there is no ypbind process running on a native LDAP client.

- For user authentication, pam_unix is the only authentication method specified in the /etc/pam.conf file. If you want to authenticate users using pam_ldap, additional lines need to be added to the pam.conf file.

- Unless your LDAP server is populated with rpc map data, you will get errors when the system boots. To eliminate these errors, edit the following line in the /etc/nsswitch.conf file so that local files are searched before LDAP:

      # rpc: ldap [NOTFOUND=return] files
      rpc: files ldap

The next section walks you through a complete hands-off installation.

Hands-off Installation of an LDAP Client

This section describes how to use a JumpStart server to automatically install native LDAP clients. This procedure assumes you already have an LDAP server configured to support native LDAP clients. Before attempting an automatic installation, you should make sure an interactive client installation works with the LDAP server you have configured.

The sysidcfg File

Unlike the NIS and NIS+ name services, sysidtool cannot use LDAP as a name service to obtain configuration information. Instead, the only option for a hands-off installation is the creation of a sysidcfg file for the client that is read by the JumpStart installation utilities. How to create and where to place sysidcfg files is explained in the Advanced Installation Guide.

sysidcfg file syntax:

    name_service=LDAP {domain_name=domain_name
                       profile=profile_name
                       profile_server=ip_address
                       proxyDN=proxy_account_DN
                       proxyPassword=password}

The following is a sample of a complete sysidcfg file for a group of LDAP clients:

    system_locale=en_US
    timezone=US/Eastern
    terminal=sun-cmd
    timeserver=localhost
    name_service=LDAP {domain_name=example.com
                       profile=myprofile
                       profile_server=128.100.100.7
                       proxyDN="cn=proxyagent, ou=profile, dc=example, dc=com"
                       proxyPassword=mysecret}
    root_password=m4QPOWNY

Note: To use the proxyDN and proxyPassword parameters, the Solaris 9 12/02 OE release or greater is required.

Note: The variable profile_server refers to the LDAP directory server that contains the LDAP profile specified with the profile variable. Do not confuse this terminology with the JumpStart profiles or profile servers.
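Because a sysidcfg file carries the proxyPassword in clear text and only one such file may live in a directory, generating it per client on the JumpStart server is worth scripting. The following shell script is an added example, not from the book: it writes one sysidcfg per client directory with the values from the sample above, creates the file with mode 0600, and checks that the keys the LDAP name service needs are present. JS_ROOT and the function names are assumptions.

```shell
#!/bin/sh
# Added example: one sysidcfg per client directory under JS_ROOT (assumed
# to be the JumpStart directory exported by the boot server).
JS_ROOT=${JS_ROOT:-/jumpstart}

# make_ldap_sysidcfg client profile_server profile domain proxy_dn proxy_pw root_pw_hash
# Writes ${JS_ROOT}/client/sysidcfg and prints its path.
make_ldap_sysidcfg() {
    dir="${JS_ROOT}/$1"
    mkdir -p "$dir" || return 1
    # umask 077 in a subshell: the file is created 0600, since proxyPassword
    # is stored in clear text and root_password is a crypt hash.
    ( umask 077
      cat > "${dir}/sysidcfg" <<EOF
system_locale=en_US
timezone=US/Eastern
terminal=sun-cmd
timeserver=localhost
name_service=LDAP {domain_name=$4
    profile=$3
    profile_server=$2
    proxyDN="$5"
    proxyPassword=$6}
root_password=$7
EOF
    ) || return 1
    echo "${dir}/sysidcfg"
}

# check_ldap_sysidcfg file: succeed only if every key the LDAP name
# service needs is present and the file is not readable by others.
check_ldap_sysidcfg() {
    for key in name_service=LDAP domain_name= profile= profile_server= root_password=; do
        grep -q "$key" "$1" || { echo "$1: missing $key" >&2; return 1; }
    done
    case "$(ls -l "$1" | cut -c1-10)" in
        -rw-------) return 0 ;;
        *) echo "$1: must be mode 0600" >&2; return 1 ;;
    esac
}

# Usage (values mirror the sample sysidcfg in the text):
# f=$(make_ldap_sysidcfg ldapclient1 128.100.100.7 myprofile example.com \
#     "cn=proxyagent, ou=profile, dc=example, dc=com" mysecret m4QPOWNY)
# check_ldap_sysidcfg "$f"
```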
To Prepare a JumpStart Server to Install Solaris LDAP Clients

This procedure assumes you have already set up a JumpStart boot, install, and profile server.

1. Add the client's host name, IP address, and Ethernet address to the /etc/hosts and /etc/ethers files on the JumpStart boot server, or to the name service the boot server is using.

   Note: The JumpStart boot server that supports LDAP clients can use LDAP as a name service. However, a sysidcfg file must still be created on the JumpStart server for the client because the LDAP client cannot use LDAP as a naming service until the client is fully installed.

2. Create a sysidcfg file specifying LDAP as the name service. A sysidcfg file can be shared among several clients. However, if you want to specify a different root password or LDAP profile, you need to create separate sysidcfg files.

   Note: Only one sysidcfg file can appear in a directory. If you want to set up different configuration parameters for different clients, a separate directory needs to be created for each client or group of clients.
3. Run the add_install_client command, specifying the -c and the -p options. Example:

    # ./add_install_client -c jumpserv:/jumpstart -p jumpserv:/jumpstart/ldapclient1/sysidcfg ldapclient1 sun4u

4. (Optional) Create JumpStart finish scripts to handle modifications. To make any additional modifications, such as specifying pam_ldap authentication and changing the default database search path in the nsswitch.conf file, you need to add a JumpStart finish script. For example, the following script replaces the system default pam.conf and nsswitch.conf files with preconfigured ones:

    #!/bin/sh
    # Keep the installed defaults as .orig, then drop in the preconfigured
    # copies from the ldapfiles directory on the JumpStart server.
    cp /a/etc/pam.conf /a/etc/pam.conf.orig
    cp ${SI_CONFIG_DIR}/ldapfiles/pam.conf /a/etc/pam.conf
    cp /a/etc/nsswitch.conf /a/etc/nsswitch.conf.orig
    cp ${SI_CONFIG_DIR}/ldapfiles/nsswitch.conf /a/etc/nsswitch.conf

   This example assumes you have a directory named ldapfiles on the JumpStart server and have preconfigured the pam.conf and nsswitch.conf files.

5. To enable TLS/SSL, create a finish script similar to the following example:

    #!/bin/sh
    # The native LDAP client looks for its certificate and key databases in /var/ldap.
    cp ${SI_CONFIG_DIR}/Files/cert7.db /a/var/ldap
    cp ${SI_CONFIG_DIR}/Files/key3.db /a/var/ldap

6. On the client, run the boot command from the PROM monitor prompt:

    ok> boot net - install
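As an added example that is not part of the book, the following finish script combines steps 4 and 5 into one idempotent script and adds the checks an unattended install otherwise lacks: it refuses to run when a preconfigured file is missing, keeps a single .orig backup across reruns, rewrites the rpc line discussed under Client Post-Installation Issues, and confirms the installed pam.conf actually references pam_ldap. BASE, FILES, the ldapfiles directory and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the book): one finish script that applies the
# client post-installation fixes and verifies its inputs. BASE is the
# client root mounted by JumpStart (/a); FILES holds the preconfigured
# pam.conf, nsswitch.conf, cert7.db and key3.db. Both defaults and the
# ldapfiles directory name are assumptions.
BASE=${BASE:-/a}
FILES=${FILES:-${SI_CONFIG_DIR:-/jumpstart}/ldapfiles}

# install_cfg src dst: take a one-time .orig backup, then replace dst.
install_cfg() {
    [ -f "$1" ] || { echo "missing $1" >&2; return 1; }
    [ -f "$2.orig" ] || cp "$2" "$2.orig" || return 1
    cp "$1" "$2" && chmod 644 "$2"
}

# fix_rpc_line nsswitch.conf: with no rpc data in the directory, the
# default "rpc: ldap [NOTFOUND=return] files" causes boot-time errors,
# so search files first and fall back to ldap.
fix_rpc_line() {
    sed 's/^rpc:[[:space:]].*$/rpc: files ldap/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# finish_ldap_client: run every step and fail on any missing input, so a
# bad JumpStart tree is noticed instead of producing a half-configured client.
finish_ldap_client() {
    etc="${BASE}/etc"; ldapdir="${BASE}/var/ldap"
    install_cfg "${FILES}/pam.conf" "${etc}/pam.conf" || return 1
    install_cfg "${FILES}/nsswitch.conf" "${etc}/nsswitch.conf" || return 1
    fix_rpc_line "${etc}/nsswitch.conf" || return 1
    # pam.conf must reference pam_ldap, otherwise only pam_unix is used.
    grep -q 'pam_ldap' "${etc}/pam.conf" || { echo "pam.conf has no pam_ldap entries" >&2; return 1; }
    # TLS/SSL: the client reads cert7.db/key3.db from /var/ldap; they are
    # left world-readable because unprivileged LDAP client programs open them.
    mkdir -p "$ldapdir" || return 1
    for db in cert7.db key3.db; do
        [ -f "${FILES}/${db}" ] || { echo "missing ${FILES}/${db}" >&2; return 1; }
        cp "${FILES}/${db}" "${ldapdir}/${db}" && chmod 444 "${ldapdir}/${db}" || return 1
    done
}
```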