Installation Guide Netscape Directory Server

Previous      Contents      Index      DocHome      Next

Chapter 2   Computer System Requirements

Before you can install Netscape Directory Server (Directory Server), you must make sure that the systems on which you plan to install the software meet the minimum hardware and operating system requirements.

These requirements are described in detail for each platform in the following sections:

• Supported Platforms
• Hardware Requirements
• Operating System Requirements

Supported Platforms

---

This release of Directory Server is supported on the following platforms:

• Sun Solaris 8 for UltraSPARC (32 bit) operating environment
• Microsoft Windows NT 4.0 Server with Service Pack 6a (x86 only)
• Microsoft Windows 2000 Server with Service Pack 2
• Microsoft Windows 2000 Advanced Server with Service Pack 2
• Hewlett-Packard HP-UX 11.0 (PA-RISC 1.1 or 2.0)

Note	Before you install Directory Server, check the required patches and kernel parameter settings, as described in the sections that follow. Also ensure that DNS is properly configured on the system and that the system has a static IP address.

Hardware Requirements

---

On all platforms, you will need:

• Roughly 200 MB of disk space for a minimal installation. For production systems, you should plan at least 2GB to support the product binaries, databases, and log files (log files require 1 GB by default); 4GB and greater may be required for very large directories.
• 256 MB of RAM. However, you should plan from 256 MB to 1 GB of RAM for best performance on large production systems.

The table below contains some guidelines for disk space and memory requirements depending on the number of entries managed by your Directory Server. This assumes entries in the LDIF file are approximately 100 bytes in size and only the recommended indexes are configured. If you are using larger entries, make sure that at least four times the size of the LDIF file is available on disk.

Number of Entries	Disk Space and Memory Required
10,000 - 250,000 entries	Free disk space: 2 GB Free memory: 256 MB
250,000 - 1,000,000 entries	Free disk space: 4 GB Free memory: 512 MB
Over 1,000,000 entries	Free disk space: 8GB Free memory: 1 GB

Operating System Requirements

---

This section contains information on operating-system versions and patches required for installing Directory Server:

• dsktune Utility
• Solaris 8 Operating System
• Windows NT 4.0 Server
• Windows 2000 Server and Advanced Server
• HP-UX 11.0 Operating System
• DNS and NIS Requirements (UNIX only)

dsktune Utility

For UNIX platforms, Directory Server provides a utility named dsktune that can help you verify whether you have the appropriate patches installed on your system. The utility also provides useful information and advice on how to tune your kernel parameters for best performance.

To enable you to run dsktune before installing the Directory Server, the utility is placed, along with the setup program, in the directory where you unpack product binaries. After you've installed the Directory Server, you can find the utility in the serverRoot/bin/slapd/server directory.

For information on running dsktune, see Chapter 8 "Troubleshooting."

Solaris 8 Operating System

If you run Directory Server on a Solaris operating system, you must ensure that the recommended patch cluster is installed. Solaris patches are identified by two numbers, for example 106125-10. The first number (106125) identifies the patch itself. The second number identifies the version of the patch, in the example above the patch is version number 10. We recommend installing the latest version of the patch in order to benefit from the latest fixes.

See the Solaris Operating Environment Security Sun Blueprint at http://www.sun.com/blueprints/0100/security.pdf for advice on guarding against potential security threats.

This section covers these topics:

• Verifying Disk Space
• Verifying Required System Modules
• Installing Patches
• Tuning the System
• Setting File Descriptors
• Tuning TCP Parameters

Verifying Disk Space

Ensure that you have sufficient disk space before downloading the software.

Current working directory: 120 MB
Partition containing /usr/netscape: 2 GB

Verifying Required System Modules

Directory Server requires the use of a SPARC v8+ or an UltraSPARC (SPARC v9) processor, as these processors include support for high performance and multiprocessor systems. Earlier SPARC processors are not supported.

If you run Directory Server on a 64-bit Sun Solaris 8 UltraSPARC machine, it will run as a 32-bit application.

Installing Patches

You must use Solaris 8 with the Sun recommended patches. The following Sun patches should be installed on your system before installing this Netscape product. The command "showrev -p" will list the patches which have been installed. If you need to get a patch, see the web page sunsolve.sun.com or FTP to ftp://sunsolve.sun.com/pub/patches.

You will need to reboot your machine after installing these patches.

In addition to the patches listed here, you may want to install the latest patch cluster for your version of Solaris, which includes additional recommended and security patches. The Sun recommended patch clusters can be obtained from your Solaris support representative, or from http://sunsolve.sun.com.

Table 2-1    Solaris 8 Patch List  

108528-09:	SunOS 5.8: kernel update patch
108652-35:	X11 6.4.1 Xsun patch
108725-05:	SunOS 5.8: st driver patch
108827-10:	SunOS 5.8: libthread patch
108827-19	SunOS 5.8: /usr/lib/libthread.so.1 patch
108869-06:	SunOS 5.8: snmpdx/mibiisa/libssasnmp/snmplib patch
108875-09:	SunOS 5.8: c2audit patch
108968-05:	SunOS 5.8: vol/vold/rmmount patch
108974-11:	SunOS 5.8: dada, uata, dad, sd and scsi drivers patch
108975-04:	SunOS 5.8: /usr/bin/rmformat and /usr/sbin/format patch
108977-01:	SunOS 5.8: libsmedia patch
108985-03:	SunOS 5.8: /usr/sbin/in.rshd patch
108987-04:	SunOS 5.8: Patch for patchadd and patchrm
108989-02:	SunOS 5.8: /usr/kernel/sys/acctctl and /usr/kernel/sys/exacctsys patch
108991-13:	SunOS 5.8: /usr/lib/libc.so.1 patch
108993-03:	SunOS 5.8: nss and ldap patch
109091-04:	SunOS 5.8: /usr/lib/fs/ufs/ufsrestore patch
109137-01:	SunOS 5.8: /usr/sadm/install/bin/pkginstall patch
109181-03:	SunOS 5.8: /kernel/fs/cachefs patch
109277-01:	SunOS 5.8: /usr/bin/iostat patch
109279-13:	SunOS 5.8: /kernel/drv/ip patch
109318-12:	SunOS 5.8: suninstall patch
109320-03:	SunOS 5.8: LP patch
109322-07:	SunOS 5.8: libnsl patch
109324-02:	SunOS 5.8: sh/jsh/rsh/pfsh patch
109326-05:	SunOS 5.8: libresolv.so.2, in.named patch
109326-07:	SunOS 5.8: libresolv.so.2 and in.named patch
109470-02:	CDE 1.4: Actions Patch
109587-03:	SunOS 5.8: libspmistore patch
109742-04:	SunOS 5.8: /kernel/drv/icmp patch
109783-01:	SunOS 5.8: /usr/lib/nfs/nfsd patch
109805-03:	SunOS 5.8: pam_krb5.so.1 patch
109898-02:	SunOS 5.8: /kernel/drv/arp patch
109951-01:	SunOS 5.8: jserver buffer overflow
110075-01:	SunOS 5.8: /kernel/drv/devinfo and /kernel/drv/sparcv9/devinfo patch
110283-03:	SunOS 5.8: mkfs and newfs patch
110286-02:	SunOS 5.8: mkfs and newfs patch
110322-01:	SunOS 5.8: /usr/lib/netsvc/yp/ypbind patch
110383-01:	SunOS 5.8: libnvpair patch
110387-03:	SunOS 5.8: ufssnapshots support, ufsdump patch
110453-01:	SunOS 5.8: admintool patch
110458-02:	SunOS 5.8: libcurses patch
110662-02:	SunOS 5.8: ksh patch
110700-01:	SunOS 5.8: automount patch
110898-02:	SunOS 5.8: csh/pfcsh patch
110901-01:	SunOS 5.8: /kernel/drv/sgen and /kernel/drv/sparcv9/sgen patch
110934-01:	SunOS 5.8: pkgtrans, pkgadd, pkgchk and libpkg.a patch
110939-01:	SunOS 5.8: /usr/lib/acct/closewtmp patch
110943-01:	SunOS 5.8: /usr/bin/tcsh patch
110945-01:	SunOS 5.8: /usr/sbin/syslogd patch
110951-01:	SunOS 5.8: /usr/sbin/tar and /usr/sbin/static/tar patch
111071-01:	SunOS 5.8: cu patch
111111-01:	SunOS 5.8: nawk line length limit corrupts patch dependency checking
111232-01:	SunOS 5.8: patch in.fingerd
111234-01:	SunOS 5.8: patch finger
111293-03:	SunOS 5.8: /usr/lib/libdevinfo.so.1 patch
111325-01:	SunOS 5.8: /usr/lib/saf/ttymon patch
111327-02:	SunOS 5.8: libsocket patch
111363-01:	SunOS 5.8: /usr/sbin/installf patch
111548-01:	SunOS 5.8: catman, man, whatis, apropos and makewhatis patch
111570-01:	SunOS 5.8: uucp patch

Tuning the System

Basic Solaris tuning guidelines are available from several books, including Sun Performance and Tuning: Java and the Internet (ISBN 0-13-095249-4). Advanced tuning information is available in the Solaris Tunable Parameters Reference Manual (806-4015) which can be obtained from http://docs.sun.com/ab2/coll.707.1/

Setting File Descriptors

The system-wide maximum file descriptor table size setting will limit the number of concurrent connections that can be established to Directory Server. The governing parameter, rlim_fd_max, is set in the /etc/system file. By default, if this parameter is not present, the maximum is 1024. It can be raised to 4096 by adding to /etc/system a line

set rlim_fd_max=4096

and rebooting the system.

Caution	This parameter should not be raised above 4096 without first consulting your Sun Solaris support representative as it may affect the stability of the system.

Tuning TCP Parameters

By default, the TCP/IP implementation in a Solaris kernel is not correctly tuned for Internet or Intranet services. The following /dev/tcp tuning parameters should be inspected and, if necessary, changed to fit the network topology of the installation environment.

The tcp_time_wait_interval in Solaris 8 specifies the number of milliseconds that a TCP connection will be held in the kernel's table after it has been closed. If its value is above 30000 (30 seconds) and the directory is being used in a LAN, MAN or under a single network administration, it should be reduced by adding a line similar to the following to the /etc/init.d/inetinit file:

ndd -set /dev/tcp tcp_close_wait_interval 30000

The tcp_conn_req_max_q0 and tcp_conn_req_max_q parameters control the maximum backlog of connections that the kernel will accept on behalf of the Directory Server process. If the directory is expected to be used by a large number of client hosts simultaneously, these values should be raised to at least 1024 by adding a line similar to the following to the /etc/init.d/inetinit file:

ndd -set /dev/tcp tcp_conn_req_max_q0 1024
ndd -set /dev/tcp tcp_conn_req_max_q 1024

The tcp_keepalive_interval specifies the interval in seconds between keepalive packets sent by Solaris for each open TCP connection. This can be used to remove connections to clients that have become disconnected from the network.

The tcp_rexmit_interval_initial value should be inspected when performing server performance testing on a LAN or high speed MAN or WAN. For operations on the wide area Internet, its value need not be changed.

The tcp_smallest_anon_port controls the number of simultaneous connections that can be made to the server. When rlim_fd_max has been increased to above 4096, this value should be decreased, by adding a line similar to the following to the /etc/init.d/inetinit file:

ndd -set /dev/tcp tcp_smallest_anon_port 8192

The tcp_slow_start_initial parameter should be inspected if clients will predominately be using the Windows TCP/IP stack.

Windows NT 4.0 Server

This section describes how to install Directory Server on Windows NT:

• Configuring a Machine to Run Directory Server
• Verifying Required System Modules
• Installing Windows NT Server
• Installing Third-Party Utilities
• Installing Microsoft Utilities
• Ensuring System Clock Accuracy
• Installing Windows Service Packs and Hotfixes
• Configuring the System Post Installation

Configuring a Machine to Run Directory Server

Directory Server should be installed on a computer which is isolated from the public Internet by a network-level firewall. This is necessary to protect the Windows NT operating system from IP-based attacks.

No other network functions should be provided by this computer. The computer should not be dual-booting system or run other operating systems. At a minimum, the computer system should have at least 256 MB of RAM, 2 GB of disk, a Pentium II or later processor, and a 100 MBps Ethernet connection.

Ensure that you have sufficient disk space before downloading the software.

Download drive: 120 MB
Installation drive: 200 MB

Verifying Required System Modules

Directory Server is not supported on Windows NT 3.5.1 or earlier releases, or Windows NT for the Alpha architecture. Neither is it supported on Windows NT Workstation, because this form of the operating system is not suitable for scalable Internet or Intranet server deployments. Windows NT Workstation is limited in its allowable setting for connection backlog. Windows NT Server allows a connection backlog setting of more than 10, which is necessary for TCP/IP servers under heavy load.

Installing Windows NT Server

During the installation of Windows NT, please observe the following:

• If there is already an operating system present on the computer, choose to perform a fresh install rather than an upgrade.
• Format the drives with NTFS rather than FAT, as NTFS allows access controls to be set on files and directories.
• Specify that the computer will be a standalone server and will not be a member of any existing domain or workgroup. This will reduce dependencies on the network security services.
• Choose an administrator password of at least 9 characters. Use punctuation or other non-alphabetic characters for the first 7 characters.
• Do not install Internet Information Server.
• Specify only TCP/IP as network protocol, and do not install any other network services.
• Always use the latest version of DLL files.

If you are installing on a Windows NT system that has newer DLL files than those supplied with Directory Server, do not overwrite the newer DLL files with the versions provided with Directory Server. For example, this situation can occur if you are running the latest Windows NT Service Pack.
 

• On Windows NT 4.0, the maximum address space that an application can use is 2 GB. Because Directory Server cannot use more than 2 GB of virtual memory, the sum of all caches configured for the server must be strictly less than 2 GBs. If the size of the entry caches and of the database cache exceed this limit, Directory Server will exit with an error message.

Installing Third-Party Utilities

You need an UNZIP utility to unpack the Directory Server software. There are many commercially licensed, free, and shareware tools available, such as PKZIP or Winzip. Note that shareware unregistered versions of PKZIP 2.70 maintain a TCP/IP connection to an Internet advertising service, and so may not be suitable for installation on this system.

You may need to install Adobe Acrobat Reader to read the documentation. It can be downloaded from this site: http://www.adobe.com/products/acrobat/readstep2.html

To edit the server configuration file, you will need a text editor that is capable of handling large text files (Notepad and Wordpad are not suitable). If you are already familiar with Emacs on UNIX, a port to Windows can be downloaded from ftp://ftp.cs.washington.edu/pub/ntemacs/. There are many other shareware and commercial text editors available.

To display non-English characters using any Netscape browser, you can obtain general internationalization advice and more specific information about the Bitstream Cyberbit font from the following URL:

http://developer.netscape.com/software/jdk/i18n.html

To download the Bitstream Cyberbit font use the following FTP link:

ftp://ftp.netscape.com/pub/communicator/extras/fonts/windows

Before downloading the font, read the READMEfirst.txt and ReadMe.htm files.

Installing Microsoft Utilities

The following additional utilities are recommended to improve the security of the Windows NT Operating System. They are not required for the operation of the Directory Server.

If you have the Resource Kit CD-ROM produced by Microsoft Press, then copy the utility passprop.exe from the Windows NT Server Resource Kit onto the system. The utility is located on the CD in the i386\netadmin directory. You will need this later to enable Administrator account lockout.

At this point you will need to install Service Pack 4 or later, if not already installed. This is needed for the installation of Microsoft Internet Explorer 5. Service packs can be obtained from http://www.microsoft.com/windows/servicepacks/

You will need to install Microsoft Internet Explorer 5 or later, as this is needed by the Security Configuration Manager.

The Microsoft Security Configuration Manager is located on the Service Pack 6a CD-ROM, or can be downloaded from ftp://ftp.microsoft.com/bussys/winnt/winnt-public/tools/scm/. This tool is described in Microsoft Knowledge Base article Q195227.

Ensuring System Clock Accuracy

So that date and time stamps in log files can be correlated with those of other computer systems, the system clock should be kept reasonably in sync. As the NET TIME command requires NetBIOS, which will be disabled during post-installation system configuration, either a TCP/IP based NTP client should be installed (such as the shareware program Tardis) or a time radio receiver attached. See http://www.ntp.org/ for more information on NTP clients for Windows NT.

Installing Windows Service Packs and Hotfixes

Windows NT Service Packs include key fixes that are necessary to maintain the security and reliability of the operating system. The hotfix series contains important changes for problems that were found after the service pack was released.

• Installing Windows NT 4.0 Service Pack 6a or Later—It can be obtained from http://www.microsoft.com/windows/servicepacks/. The system will reboot after the service pack is installed.
• Installing Hotfixes—Download and install any Windows NT 4.0 Hotfixes that are for the service pack that is installed on the system, such as post-sp6a for Service Pack 6a. They can be obtained from ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/. It will probably be necessary to reboot the system after each hotfix is installed.
• Installing TCP ISN Patch—If you will be authenticating users to the directory, then TCP connection hijacking is a vulnerability. Microsoft has released a patch to improve the serial numbers, q243835i.exe. For more information please see http://www.microsoft.com/security/bulletins/ms99-046.asp

Configuring the System Post Installation

The Windows environment will require tuning to provide optimum performance for Directory Server in an operational environment. Consult the Windows system administrator's documentation or support channel for information on NT tuning for multi-threaded internet services. The sections that follow provide some guidelines.

• Restricting Network Services—Network file sharing is not required by Directory Server and should be disabled. Go to the Control Panel and open the Network icon. From Network Services tab, remove Workstation, Computer Browser, NetBIOS Interface, Remote Access Service, and Server Services. Leave RPC Configuration. The SNMP service may be left if SNMP monitoring will be used.






From then on, each time the Network Control Panel is used, Windows NT will prompt to install Windows NT Networking. Always answer No to the prompt.
 

• Removing NETBIOS—The server uses only TCP/IP and does not require any Microsoft network services. To unbind NETBIOS from TCP/IP, go to the Network window and on the Bindings tab, select All Protocols. Disable the WINS Client.





• Enabling Port Filtering—The RPC services are not removed, as it may be necessary for Microsoft software to make RPC connections on the loopback interface. However, the RPC ports must not be accessible to other systems.

Open the Network window, select the Protocols tab, select TCP/IP, and click Properties. Select Advanced and Enable Security. On the TCP/IP Filtering window, permit only TCP ports 389 and 636 and the administration port number, permit no UDP ports, and permit only IP protocol 6 (TCP).
 

If you have multiple interfaces, it may be necessary to repeat this for each interface.
 







Note that after this change has been made, the Microsoft command-line FTP client will no longer operate. This is because the Microsoft client requires the FTP server to establish a connection in the reverse direction, and all non-LDAP ports are blocked.
 

• Disabling IP Routing—On the TCP/IP protocol window, disable IP Routing.
• Disabling WINS Client—On the Devices window (Control Panel > Devices), disable the WINS Client.
• Removing the OS/2 and POSIX Subsystem Keys From the Registry—Directory Server does not require OS/2 and POSIX subsystems. Remove them by performing the following registry actions with regedit.

Delete all subkeys of:
 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OS/2 Subsystem for NT
 

There is another key under CurrentControlSet\Control named SessionManager, without a space in its name. Do not alter anything below that key.
 

Delete the value of Os2LibPath in this key:
 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
 

Change the value of the Optional item in the following key to the two bytes "00 00":
 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems
 

Delete the Posix and OS/2values from the following key:
 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems
 

• Removing the OS/2 DLLs—Delete all files in the %SystemRoot%\system32\os2 directory and all subdirectories.
• Stopping Unwanted Services—Open the Services panel (Control Panel > Services) and stop and disable any running services except for the following: EventLog, Netscape Directory Server, Netscape Administration Server, NT LM Security Support Provider, Plug and Play, Protected Storage, Remote Procedure Call (RPC) Service, and SNMP. Services that are listed as Manual start do not need to be disabled.





• Ensuring System Will Automatically Reboot on Error—Open the Control Panel System panel. Under the Startup/Shutdown tab, set the show list time to 0 seconds, and select the Automatic reboot checkbox.
• Configuring User Accounts—Open the Administrative tools. (Start > Programs > Administrative Tools > User Manager.) Under Policies, choose Account. On the Account Policies window, allow accounts to be locked out.






Next, under Policies, choose User Rights. Select "Access this computer from the network," remove Everyone, and add Authenticated Users.
 







Next, under Policies, choose Audit, select Audit These Events, and check the boxes for both Success and Failure for the Logon and Logoff Events.
 







You may wish also to rename the administrator account to something else, making it harder to guess.
 

If you have copied the passprop utility from the NT Server Resource Kit, it can be used to allow lockout of the administrator's account by running it on the command line as passprop/adminlockout.
 

• Encrypting Account Database—Protect the NT user account database, SAM, by running the syskey program. This encrypts the Administrator's password so that registry-extracting hacker tools cannot use it.
• Configuring Event Log—Open the Event Viewer (Start > Programs > Administrative Tools > Event Viewer); set the log overwrite intervals (located under Log > Log Settings...) to a value appropriate to your deployment.





• Setting Tuning Parameters—The transmission control blocks (TCBs) store data for each TCP connection. A control block is attached to the TCB hash table for each active connection. If there are not enough control blocks available when an LDAP connection arrives at the server via TCP/IP, there is added delay while it waits for additional control blocks to be created. By increasing the TCB timewait table size, you reduce latency overhead by allowing more client connections to be serviced faster. To adjust this value, add to the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
 

the MaxFreeTcbs value of 0xFA0.
 

This example increases the TCB timewait table to 4,000 entries from the default of 2,000. Now that the overhead time introduced by TCP has been lowered for Directory Server, adjust the corresponding hash table that stores the TCBs. Adjust the hash table by adding to the following registry value:
 

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
 

the value of MaxHashTableSize to 0x400.
 

This increases the TCB hash table size from 512 to 1,024, allowing more room for connection information. TCB information is stored in the nonpaged memory pool. If Directory Server is experiencing memory bottlenecks and more memory cannot be allotted to the server, lower the above values.
 

On a multiprocessor system, we recommend optimizing the NIC and CPU relationship. Each LDAP request received over the network generates an interrupt to the processor requesting service. If the processor does not consider the request to be sufficiently urgent, (that is, with a sufficiently high interrupt level), it defers the request. This deferred interrupt request becomes a Deferred Procedure Call (DPC). As more and more requests come into the server, the number of interrupts and DPCs increases.
 

When an interrupt is sent to a particular CPU and is subsequently deferred, additional server overhead is incurred if this DPC is shipped off to another CPU in the server (if the server is an SMP capable machine). This is NTs default behavior and can be costly from a performance perspective. To stop this transfer from happening, add to the following registry value:
 

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NDIS\Parameters
 

the value of ProcessorAffinityMask to 0.
 

This forces the CPU that handled the interrupt to also handle any associated DPCs. This also insures that the network interface card or cards are not to associated with a specific CPU. This improves the CPUs servicing of interrupts and DPCs generated by the network interface card(s).
 

Windows NT ships with a variety of transport drivers such as TCP/IP, NBF (NetBEUI), and NWLink. All of these transports export a TDI interface on top and an NDIS (Network Driver Interface Specification) on the bottom. (Windows NT also ships with AppleTalk and DLC, however, these do not have a TDI interface.) If the TCP/IP protocol is first in the bindings list, average connection setup time decreases.
 

Windows NT can implement the Van Jacobson TCP fast retransmit and recovery algorithm to quickly retransmit missing segments upon the receipt of n ACKS, without waiting for the retransmission timer to expire. To implement the Van Jacobson algorithm, edit:
 

HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Tcpip/Parameters
 

Add a value named TcpMaxDupAcks, with type REG_DWORD, and set the value to the number of ACKs. The range is 1-3, and the default is 2.
 

Windows 2000 Server and Advanced Server

This section covers the following:

• Configuring a Machine to Run Directory Server
• Verifying Required System Modules
• Installing Windows 2000 Server
• Installing Third-Party Utilities
• Ensuring System Clock Accuracy
• Installing Windows Service Packs and Hotfixes
• Configuring the System Post Installation

Configuring a Machine to Run Directory Server

Directory Server should be installed on a computer that is isolated from the public Internet by a network-level firewall. This is necessary to protect the operating system from IP-based attacks.

No other network functions should be provided by this computer. The computer should not be a dual-booting system or run other operating systems. At a minimum, the computer system should have at least 256 MB of RAM, 16 B of disk, a Pentium II or later processor, and a 100 MBps Ethernet connection.

Ensure that you have sufficient disk space before downloading the software.

Download drive: 120 MB
Installation drive: 200 MB

Verifying Required System Modules

Directory Server is not supported on Windows 2000 Pro or Windows 2000 DataCenter Server.

Installing Windows 2000 Server

During the installation of Windows 2000, observe the following:

• If there is already an operating system present on the computer, choose to perform a fresh install rather than an upgrade.
• Format the drives with NTFS rather than FAT, as NTFS allows access controls to be set on files and directories.
• Specify that the computer will be a standalone server and will not be a member of any existing domain or workgroup. This will reduce dependencies on the network security services.
• Choose an administrator password of at least 9 characters. Use punctuation or other non-alphabetic characters in the first 7 characters.
• Do not install Internet Information Server.
• Specify only TCP/IP as network protocol, and do not install any other network services.

Installing Third-Party Utilities

You need an UNZIP utility to unpack the directory server software. There are many commercially licensed, free and shareware tools available, such as PKZIP or Winzip. Note that shareware unregistered versions of PKZIP 2.70 maintain a TCP/IP connection to an Internet advertising service, so it may not be suitable for installation on this system.

You may need Adobe Acrobat Reader to read the documentation. If you do not have it installed, you can download it from: http://www.adobe.com/products/acrobat/readstep2.html

To edit the server configuration file, you will need a text editor that is capable of handling large text files (Notepad and Wordpad are not suitable). If you are already familiar with Emacs text editor on UNIX, a port to Windows can be downloaded from ftp://ftp.cs.washington.edu/pub/ntemacs/. There are many other shareware and commercial text editors available.

To display non-English characters using any Netscape browser, you can obtain general internationalization advice and more specific information about the Bitstream Cyberbit font from the following URL:

http://developer.netscape.com/software/jdk/i18n.html

To download the Bitstream Cyberbit font use the following FTP link:

ftp://ftp.netscape.com/pub/communicator/extras/fonts/windows

Before downloading the font, read the READMEfirst.txt and ReadMe.htm files.

Ensuring System Clock Accuracy

To facilitate the correlation of date and time stamps in log files with those of other computer systems, keep your system clock reasonably in sync. As the NET TIME command requires NetBIOS, which will be disabled during post-installation system configuration, either a TCP/IP based NTP client should be installed (such as the shareware program Tardis), or a time radio receiver attached. See http://www.ntp.org for more information on NTP clients for Windows.

Installing Windows Service Packs and Hotfixes

Windows 2000 Service Packs include key fixes which are needed to maintain the security and reliability of the operating system. The hotfix series contains important changes for problems discovered after the service pack had been released.

Configuring the System Post Installation

The Windows 2000 environment requires tuning to provide optimum performance for Directory Server in an operational environment. Consult the Windows 2000 system administrator's documentation or support channel for information on Windows 2000 tuning for multi-threaded internet services.

HP-UX 11.0 Operating System

This section contains the following information:

• Verifying Disk Space Requirements
• Verifying Required System Modules
• Installing Patches
• Tuning the System
• Installing Third-Party Utilities

Verifying Disk Space Requirements

Ensure that you have sufficient disk space before downloading the software.

Download drive: 120 MB
Installation drive: 2 GB

Verifying Required System Modules

Directory Server is not supported on HP-UX 10 or earlier versions. The minimum system module required is HP-UX 11. Directory Server may be used on a 64 bit HP-UX 11 environment, but will run as a 32 bit process, and is limited to 1 GB of process memory.

For best results, Directory Server requires an HP 9000 architecture with a PA-RISC 1.1 or PA-RISC 2.0 CPU.

Installing Patches

Before you install Directory Server, ensure that the host system is updated with the latest patches recommended by the operating-system vendor. Because the list of recommended patches changes with time, you must always check the operating system vendor's site for a list of patches that you may need to install. Listed below are two URLs to aid you in this effort:

http://welcome.hp.com/country/us/eng/support.htm
http://www.hp.com/products1/unix/java/

Here are some recommendations:

• Install the latest HP-UX 11.0 Quality Pack (QPK1100) patch. For details, see http://www.software.hp.com/SUPPORT_PLUS/qpk.html#qpkdown.
• Install the patches listed below.

PHKL_18543:	PM/VM/UFS/async/scsi/io/DMAPI/JFS/perf cumulative patch
PHCO_23651:	fsck_vxfs(1M) cumulative patch
PHCO_19666:	libpthread cumulative patch
PHKL_20228:	Large data 7/8 patch
PHKL_21039:	semget;large data space;msgmnb;SEMMSL
PHKL_23409:	NFS, Large Data Space, kernel memory leak patch
PHCO_16629:	libc cumulative patch (superceded by PHCO_20765)
PHCO_20765:	libc cumulative patch (supercedes PHCO_16629 and is superceded by PHCO_24148)
PHCO_24148:	libc cumulative patch (supercedes PHCO_20765)
PHKL_17709:	libpthread cumulative patch (superceded by PHKL_17935)
PHSS_16587:	HP aC++ runtime libraries
PHKL_20335:	boot,Jfs;IO perf;PA8600;3GB data;NFS;bcache
PHKL_20174:	Allow sam to set maxdsize patch
PHCO_21187:	Cumulative SAM/ObAM patch




• Install the patches listed below; Netscape Console uses the Abstract Window Tool (AWT) kit and requires you to install these patches.

PHSS_25290:	Xserver cumulative patch
PHSS_25091:	Font Server JAN 99 Cumulative Patch
PHSS_25199:	CDE Runtime JUNE2001 Periodic Patch
PHSS_25447:	X/Motif 32bit Runtime APR2001 Periodic Patch
PHSS_25879:	X/Motif 64bit Runtime JUL2001 Periodic Patch
PHSS_25766:	Asian Printer cumulative patch The following patches are dependencies of patch PHSS_25766: PHCO_18230 and PHSS_20192.
PHSS_20189:	ASX release notes NOV 1999 cumulative patch
PHSS_20190:	Asian Input Method NOV 1999 cumulative patch
PHNE_26771:	Cumulative ARPA Transport patch The following patches are dependencies of patch PHNE_26771: PHKL_21857 and PHNE_22566.




• Run the dsktune utility and see if you need to install any other patches. The utility helps you to verify whether you have the appropriate patches installed on your system and provides useful information and advice on how to tune your kernel parameters for best performance. For information on running the dsktune utility, see Chapter 8 "Troubleshooting."

Tuning the System

Set your kernel parameters as follows:

• Set maxfiles to 100 (the old value was 60).
• Set nkthread to 1328 (the old value was 499); nkthread is a computed value: (((NPROC*7)/4+16).
• Set max_thread_proc to 512 (the old value was 64).
• Set maxusers to 64 (the old value was 32).
• Set maxuprc to 512 (the old value was 75).
• Set nproc to 750, a new value which is not based on a formula (the old formula was 20+8*MAXUSERS, which evaluated to 276).

You also need to turn on large file support in order for Directory Server to work properly. To change an existing file system (from one that has no large files to one that accepts large files):

1. Unmount the system using the umount command. For example:

umount /export
 

2. Create the large file system. For example:

fsadm -F vxfs -o largefiles /dev/vg01/rexport
 

3. Remount the file system. For example:

/usr/sbin/mount -F vxfs -o largefiles /dev/vg01/export
 

For additional information and recommendations about setting these parameters, consult your operating-system documentation.

Installing Third-Party Utilities

You will need the gunzip utility to unpack the directory server software. The GNU gzip and gunzip programs are described in more detail at http://www.gnu.org/software/gzip/gzip.html and can be obtained from many software distribution sites.

You may need Adobe Acrobat Reader to read the documentation. If you do not have it installed, you can download it from: http://www.adobe.com/products/acrobat/readstep2.html

DNS and NIS Requirements (UNIX only)

Prior to installation, it is necessary to have configured the DNS resolver and NIS domain name.

The DNS resolver is typically set by the file /etc/resolv.conf. However, also check the file /etc/nsswitch.conf, and on Solaris /etc/netconfig, to ensure that the DNS resolver will be used for name resolution.

If you are not already using NIS, you will also need to set the default NIS domain name. Typically this is done by placing the NIS domain name in the file /etc/defaultdomain and rebooting or by using the domainname command.

© 2001 Sun Microsystems, Inc. Portions copyright 1999, 2002 Netscape Communications Corporation. All rights reserved.

Last Updated August 23, 2002