Netscape Directory Server Installation Guide: Chapter 1Preparing for a Directory Server Installation

Installation Guide
Netscape Directory Server

Chapter 1 Preparing for a Directory Server Installation

Before you begin installing Netscape Directory Server (Directory Server), you should have an understanding of the various Directory Server components and the design and configuration decisions you need to make.

To help you prepare for your Directory Server installation, you should be familiar with the concepts contained in the following sections:

Installation Components

Configuration Decisions

Installation Process Overview

Installation Privileges

The Netscape Directory Server Deployment Guide contains basic directory concepts as well as guidelines to help you design and successfully deploy your directory service. Be sure you understand the concepts presented in this manual before proceeding with the installation process.

Installation Components

Directory Server contains the following software components:

Netscape Console—Netscape Console provides the common user interface for all Netscape server products. From it you can perform common server administration functions such as stopping and starting servers, installing new server instances, and managing user and group information. Netscape Console can be installed as a stand-alone application on any machine. You can also install it on your network and use it to manage remote servers.

Netscape Administration Server—Administration Server is a common front-end to all Netscape servers. It receives communications from Netscape Console and passes those communications on to the appropriate Netscape server. Your site will have at least one Administration Server for each server root in which you have installed an Netscape server.

Directory Server—Directory Server is Netscape's LDAP implementation. The Directory Server runs as the ns-slapd process (on UNIX) or slapd service (on Windows). This is the server that manages the directory databases and responds to client requests. Directory Server is a required component.

The order in which you install and configure the various components depends on whether you are performing a new installation or an upgrade. See "Installation Process Overview" for details.

Configuration Decisions

During Directory Server installation, you are prompted for basic configuration information. Decide how you are going to configure these basic parameters before you begin the installation process. You are prompted for some or all of following information, depending on the type of installation that you decide to perform:

Port number; see "Choosing Unique Port Numbers".

Server root; see "Creating a New Server Root".

Users and groups to run the server as; see "Deciding the User and Group for Your Netscape Servers (UNIX only)".

Your directory suffix; see "Determining Your Directory Suffix".

Several different authentication user IDs; see "Defining Authentication Entities".

The location of the configuration and user Directory Servers; see "Determining the Location of the Configuration Directory" and Determining the Location of the User Directory.

The administration domain; see "Determining the Administration Domain".

Choosing Unique Port Numbers

Port numbers can be any number from 1 to 65535. Keep the following in mind when choosing a port number for your Directory Server:

The standard Directory Server (LDAP) port number is 389.

Port 636 is reserved from LDAP over SSL. Therefore, do not use port number 636 for your standard LDAP installation, even if 636 is not already in use. You can also use LDAP over TLS on the standard LDAP port.

Port numbers between 1 and 1024 have been assigned to various services by the Internet Assigned Numbers Authority. Do not use port numbers below 1024 other than 389 or 636 for directory services as they will conflict with other services.

On UNIX platforms, Directory Server must be run as root if it will listen on either port 389 or 636.

On Windows platforms, the directory service must have administrative privileges if it will use ports 389 or 636.

Make sure the ports you choose are not already in use. Additionally, if you are using both LDAP and LDAPS communications, make sure the port numbers chosen for these two types of access are not identical.

For information on how to set up LDAP over SSL (LDAPS) for Directory Server, see the Netscape Directory Server Administrator's Guide.

Creating a New Server Root

Your server root is the directory where you install your Netscape servers. The default server root for Directory Server is /usr/netscape/servers.

The server root must meet the following requirements:

The server root must be a directory on a local disk drive; you cannot use a networked drive for installation purposes. The file sharing protocols such as AFS, NFS, and SMB do not provide file locking and performance suitable for use by the Directory Server. The server database index files may be damaged if they are not held on a local file system.

The directory must not already exist or must be empty.

The server root directory must not be the same as the directory from which you are running the setup program.

By default, the server root directory is one of the following:

/usr/netscape/servers (on UNIX systems)

c:\netscape\servers (on Windows systems)

Deciding the User and Group for Your Netscape Servers (UNIX only)

For security reasons, it is always best to run UNIX-based production servers with normal user privileges. That is, you do not want to run Directory Server with root privileges. However, you will have to run Directory Server with root privileges if you are using the default Directory Server ports. If Directory Server is to be started by Administration Server, Administration Server must run either as root or as the same user as Directory Server.

You must therefore decide what user accounts you will use for the following purposes:

The user and group under which you will run Directory Server.

If you will not be running the Directory Server as root, it is strongly recommended that you create a user account for all Netscape servers. You should not use any existing operating system account, and must not use the nobody account. Also you should create a common group for the directory server files; again, you must not use the nobody group.

The user and group under which you will run Administration Server.

For installations that use the default port numbers, this must be root. However, if you use ports over 1024, then you should create a user account for all Netscape servers, and run Administration Server as this account.

As a security precaution, when Administration Server is being run as root, it should be shut it down when it is not in use.

You should use a common group for all Netscape servers, such as gid Netscape, to ensure that files can be shared between servers when necessary.

Before you can install Directory Server and Administration Server, you must make sure that the user and group accounts you will use exist on your system.

Defining Authentication Entities

As you install Directory Server and Administration Server, you will be asked for various user names, distinguished names (DN), and passwords. This list of login and bind entities will differ depending on the type of installation that you are performing:

Directory Manager DN and password.

The Directory Manager DN is the special directory entry to which access control does not apply. Think of the directory manager as your directory's superuser. (In former releases of Directory Server, the Directory Manager DN was known as the root DN).

The default Directory Manager DN is cn=Directory Manager. Because the Directory Manager DN is a special entry, the Directory Manager DN does not have to conform to any suffix configured for your Directory Server. Therefore, you must not manually create an actual Directory Server entry that has the same DN as the directory manager DN.

The Directory Manager password must be at least 8 characters long, and is limited to ASCII letters, digits, and symbols.

Configuration Directory Administrator ID and password.

The configuration directory administrator is the person responsible for managing all the Netscape servers accessible through Netscape Console. If you log in with this user ID, then you can administer any Netscape server that you can see in the server topology area of Netscape Console.

For security, the configuration directory administrator should not be the same as the directory manager. The default configuration directory administrator ID is admin.

Administration Server User and password.

You are prompted for this only during custom installations. The Administration Server user is the special user that has all privileges for the local Administration Server. Authentication as this person allows you to administer all the Netscape servers stored in the local server root.

Administration Server user ID and password is used only when the Directory Server is down and you are unable to log in as the configuration directory administrator. The existence of this user ID means that you can access Administration Server and perform disaster recovery activities such as starting Directory Server, reading log files, and so forth.

Normally, Administration Server user and password should be identical to the configuration directory administrator ID and password.

Determining Your Directory Suffix

A directory suffix is the directory entry that represents the first entry in a directory tree. You will need at least one directory suffix for the tree that will contain your enterprise's data. It is common practice to select a directory suffix that corresponds to the DNS host name used by your enterprise. For example, if your organization uses the DNS name example.com, then select a suffix of dc=example,dc=com.

For more information on planning the suffixes for your directory service, see the Netscape Directory Server Deployment Guide.

Determining the Location of the Configuration Directory

Many Netscape servers, including Directory Server, use an instance of Directory Server to store configuration information. This information is stored in the o=NetscapeRoot directory tree. It does not need to be held on the same Directory Server as your directory data. Your configuration directory is the Directory Server that contains the o=NetscapeRoot tree used by your Netscape servers.

If you are installing Directory Server only to support other Netscape servers, then that Directory Server is your configuration directory. If you are installing Directory Server to use as part of a general directory service, then you will have multiple Directory Servers installed in your enterprise and you must decide which one will host the configuration directory tree, o=NetscapeRoot. You must make this decision before you install any Netscape servers (including Directory Server).

For ease of upgrades, you should use a Directory Server instance that is dedicated to supporting the o=NetscapeRoot tree; this server instance should perform no other function with regard to managing your enterprise's directory data. Also, do not use port 389 for this server instance because doing so could prevent you from installing a Directory Server on that host that can be used for management of your enterprise's directory data.

Because the configuration directory normally experiences very little traffic, you can allow its server instance to coexist on a machine with another more heavily loaded Directory Server instance. However, for very large sites that are installing a large number of Netscape servers, you may want to dedicate a low-end machine to the configuration directory so as to not hurt the performance of your other production servers. Netscape server installations result in write activities to the configuration directory. For large enough sites, this write activity could result in a short-term performance hit to your other directory activities.

Also, as with any directory installation, consider replicating the configuration directory to increase availability and reliability. See the Netscape Directory Server Deployment Guide for information on using replication and DNS round robins to increase directory availability.

Caution

Corrupting the configuration directory tree can result in the necessity of reinstalling all other Netscape servers that are registered in that configuration directory. Remember the following guidelines when dealing with the configuration directory:

Always back up your configuration directory after you install a new Netscape server.

Never change the host name or port number used by the configuration directory.

Never directly modify the configuration directory tree. Only the setup program for the various Netscape servers should ever modify the configuration.

Determining the Location of the User Directory

Just as the configuration directory is the Directory Server that is used for Netscape server administration, the user directory is the Directory Server that contains the entries for users and groups in your enterprise.

For most directory installations, the user directory and the configuration directory should be two separate server instances. These server instances can be installed on the same machine, but for best results you should consider placing the configuration directory on a separate machine.

Between your user directory and your configuration directory, it is your user directory that will receive the overwhelming percentage of the directory traffic. For this reason, you should give the user directory the greatest computing resources. Because the configuration directory should receive very little traffic, it can be installed on a machine with very low-end resources (such as a minimally-equipped Pentium).

Also, you should use the default directory ports (389 and 636) for the user directory. If your configuration directory is managed by a server instance dedicated to that purpose, you should use some non-standard port for the configuration directory.

You cannot install a user directory until you have installed a configuration directory somewhere on your network.

Determining the Administration Domain

The administration domain allows you to logically group Netscape servers together so that you can more easily distribute server administrative tasks. A common scenario is for two divisions in a company to each want control of their individual Netscape servers. However, you may still want some centralized control of all the servers in your enterprise. Administration domains allow you to meet these conflicting goals.

Administration domains have the following qualities:

All servers share the same configuration directory, regardless of the domain they belong to.

Servers in two different domains may use two different user directories for authentication and user management.

The configuration directory administrator has complete access to all installed Netscape servers, regardless of the domain that they belong to.

Each administration domain can be configured with an administration domain owner. This owner has complete access to all the servers in the domain but does not have access to the servers in any other administration domain.

The administration domain owner can grant individual users administrative access on a server by server basis within the domain.

For many installations, you can have just one administration domain. In this case, choose a name that is representative of your organization. For other installations, you may want different domains because of the demands at your site. In the latter case, try to name your administration domains after the organizations that will control the servers in that domain.

For example, if you are an ISP and you have three customers for whom you are installing and managing Netscape servers, create three administration domains each named after a different customer.

Installation Process Overview

You can use one of several installation processes to install Directory Server. Each one guides you through the installation process and ensures that you install the various components in the correct order.

The sections that follow outline the installation processes available, how to upgrade from an earlier release of Directory Server, and how to unpack the software to prepare for installation.

Selecting an Installation Process

You can install Directory Server software using one of the four different installation methods provided in the setup program:

Express Installation. Use this if you are installing for the purposes of evaluating or testing Directory Server. Express installation is described in "Using Express Installation".

Typical Installation. Use this if you are performing a normal installation of Directory Server. Typical installation is described in "Using Typical Installation".

Custom Installation. In Directory Server 6.x, the custom installation process is very similar to the typical installation process. The main difference is that the custom installation process allows you to import an LDIF file to initialize the user directory database that is created by default.

Silent Installation. Use this if you want to script your installation process. This is especially useful for installing multiple consumer servers around your enterprise. Silent install is described in Chapter 4 "Silent Installation."

Beyond determining which type of installation process you will use, the process for installing Directory Server is as follows:

Plan your directory service. By planning your directory tree in advance, you can design a service that is easy to manage and easy to scale as your organization grows. For guidance on planning your directory service, refer to the Netscape Directory Server Deployment Guide.

Install your Directory Server as described in this manual.

Create the directory suffixes and databases. You do not have to populate your directory now; however, you should create the basic structure for your tree, including all major roots and branch points. For information about the different methods of creating a directory entry, refer to the Netscape Directory Server Administrator's Guide.

Create additional Directory Server instances and set up replication agreements between your directory servers to ensure availability of your data.

Upgrade Process

Directory Server supports migration from previous releases of Directory Server. The migration process is described in Chapter 6 "Migrating and Upgrading From Previous Versions."

For information on migrating servers involved in replication agreements, refer to the Netscape Directory Server Administrator's Guide.

Unpacking the Software

If you have obtained Directory Server software from the web site, you will need to unpack it before beginning installation.

Create a new directory for the installation:

# mkdir ds # cd ds

Download the product binaries file to the installation directory.

On UNIX, unpack the product binaries file using the following command:

# gzip -dc filename.tar.gz | tar -xvof -

where filename corresponds to the product binaries that you want to unpack.

On Windows, unzip the product binaries.

Installation Privileges

On UNIX you must install as root if you choose to run the server on a port below 1024, such as the default LDAP ports: 389 and 636 (LDAP over SSL). If you choose port numbers higher than 1024, you can install using any valid UNIX login. On Windows, you must run the installation as administrator.

Last Updated August 23, 2002