|
Installation Guide Netscape Directory Server |
|
||
|
|
Chapter 3 Computer System Requirements
Before you can install Netscape Directory Server (Directory Server), you must make sure that the systems on which you plan to install the software meet the minimum hardware and operating system requirements.
These requirements are described in detail for each platform in the following sections:
Summary of Supported Platforms
This release of Directory Server is supported on the platforms listed in Table 3-1. The sections that follow provide information that is specific to each of the supported platforms.
Before you install Directory Server, check the required patches and kernel parameter settings, as described in the sections that follow. Also ensure that DNS is properly configured on the system and that the system has a static IP address.
HP UX 11.0 or HP UX 11i with relevant patches. For details, see "HP-UX 11.0 or 11i Operating System".
256 MB. However, you should plan from 512 MB to 1 GB of RAM for best performance on large production systems.
Approximately 300 MB of disk space for a minimal installation. For production systems, you should plan at least 2 GB to support the product binaries, databases, and log files (log files require 1 GB by default); 4GB and greater may be required for very large directories.
You must install as root in order to use well-known port numbers (such as 389) that are less than 1024. If you do not plan to use port numbers less than 1024, you do not need to install as root. If you plan to run as root, you should also install as root and specify nobody, or a similar user ID that has very few privileges, as the default run-as user and group.
Windows 2000 Advanced Server with Service Pack 3. For details, see "Microsoft Windows 2000 Advanced Server".
256 MB. However, you should plan from 256 MB to 1 GB of RAM for best performance on large production systems.
Approximately 300 MB of disk space for a minimal installation. For production systems, you should plan at least 2 GB to support the product binaries, databases, and log files (log files require 1 GB by default); 4GB and greater may be required for very large directories.
To support database files that are larger than 2 GB, the machine must be configured to support large files; you can do this by choosing
vxfsfilesystem withlargefilesoption.You must install as Administrator or a user with Administrator privileges (that is, the user must be in the Administrators group).
For additional details, see "Microsoft Windows 2000 Advanced Server".
Linux 7.3 (x86) or Linux Advanced Server 2.1 (x86) with relevant upgrades/patches. For details, see "Red Hat Linux 7.3 Operating System" or "Red Hat Linux Advanced Server 2.1 Operating System".
256 MB. However, you should plan from 256 MB to 1 GB of RAM for best performance on large production systems.
Approximately 300 MB of disk space for a minimal installation. For production systems, you should plan at least 2 GB to support the product binaries, databases, and log files (log files require 1 GB by default); 4GB and greater may be required for very large directories.
You must install as root in order to use well-known port numbers (such as 389) that are less than 1024. If you do not plan to use port numbers less than 1024, you do not need to install as root. If you plan to run as root, you should also install as root and specify nobody as the default run-as user and group.
Solaris 8 (32-bit) or Solaris 9 (32-bit) with relevant patches. For details, see "Sun Solaris 8 Operating System" or "Sun Solaris 9 Operating System".
Solaris bits can run in 32-bit or 64-bit operating system mode (32 bit application certified on 64 bit mode).
256 MB. However, you should plan from 512 MB to 1 GB of RAM for best performance on large production systems.
Approximately 300 MB of disk space for a minimal installation. For production systems, you should plan at least 2 GB to support the product binaries, databases, and log files (log files require 1 GB by default); 4GB and greater may be required for very large directories.
To support database files that are larger than 2 GB, the machine must be configured to support large files; you can do this by choosing
largefile.You must install as
rootin order to use well-known port numbers (such as 389) that are less than 1024. If you do not plan to use port numbers less than 1024, you do not need to install asroot. If you plan to run asroot, you should also install asrootand specify nobody, or a similar user ID that has very few privileges, as the default run-as user and group.
On all platforms, you will need:
- Roughly 200 MB of disk space for a minimal installation. For production systems, you should plan at least 2GB to support the product binaries, databases, and log files (log files require 1 GB by default); 4GB and greater may be required for very large directories.
- 256 MB of RAM. However, you should plan from 256 MB to 1 GB of RAM for best performance on large production systems.
The table below contains some guidelines for disk space and memory requirements depending on the number of entries managed by your Directory Server. This assumes entries in the LDIF file are approximately 100 bytes in size and only the recommended indexes are configured. If you are using larger entries, make sure that at least four times the size of the LDIF file is available on disk.
This section contains information on operating-system versions and patches required for installing Directory Server:
- dsktune Utility
- HP-UX 11.0 or 11i Operating System
- Microsoft Windows 2000 Advanced Server
- Red Hat Linux 7.3 Operating System
- Red Hat Linux Advanced Server 2.1 Operating System
- Sun Solaris 8 Operating System
- Sun Solaris 9 Operating System
- DNS and NIS Requirements (UNIX Only)
For UNIX platforms, Directory Server provides a utility named
dsktunethat can help you verify whether you have the appropriate patches installed on your system. The utility also provides useful information and advice on how to tune your kernel parameters for best performance.To enable you to run
dsktunebefore installing the Directory Server, the utility is placed, along with thesetupprogram, in the directory where you unpack product binaries. Additionally, in the 6.2 release, thesetupprogram has been enhanced to allow specifying of a pre-pre-installation program to be run before the Directory Server installation begins—in theslapd.inffile, a new field namedPrePreInstallis defined for specifying the path to the executable, which must be relative to thesetupprogram. By default, thePrePreInstallfield is set to thedsktuneutility path, enabling you to run the utility as a part of the Directory Server installation.After you've installed the Directory Server, you can find the utility in this directory:
For information on running
dsktune, see Chapter 8 "Troubleshooting."HP-UX 11.0 or 11i Operating System
This section contains the following information:
- Verifying Disk Space Requirements
- Verifying Required System Modules
- Installing Patches
- Tuning the System
- Installing Third-Party Utilities
Verifying Disk Space Requirements
Ensure that you have sufficient disk space before downloading the software.
Download drive: 120 MB
Installation drive: 2 GBVerifying Required System Modules
Directory Server is not supported on HP-UX 10 or earlier versions. The minimum system module required is HP-UX 11. Directory Server may be used on a 64 bit HP-UX 11 environment, but will run as a 32 bit process, and is limited to 1 GB of process memory.
For best results, Directory Server requires an HP 9000 architecture with a PA-RISC 1.1 or PA-RISC 2.0 CPU.
Before you install Directory Server, ensure that the host system is updated with the latest patches recommended by the operating-system vendor. Because the list of recommended patches changes with time, you must always check the operating system vendor's site for a list of patches that you may need to install. Listed below are two URLs to aid you in this effort:
http://welcome.hp.com/country/us/eng/support.htm
http://www.hp.com/products1/unix/java/Here are some recommendations:
- For HP-UX 11.0, install the latest
HP-UX 11.0 Quality Pack (QPK1100)patch. For HP-UX 11i, install the latestHP-UX 11i Quality Pack (GOLDQPK11i)patch. For details, seehttp://www.software.hp.com/SUPPORT_PLUS/qpk.html.- Install the patches listed below.
libc cumulative patch (supercedes PHCO_16629 and is superceded by PHCO_24148)
- Install the patches listed below; Netscape Console uses the Abstract Window Tool (AWT) kit and requires you to install these patches.
- Run the
dsktuneutility and see if you need to install any other patches. The utility helps you to verify whether you have the appropriate patches installed on your system and provides useful information and advice on how to tune your kernel parameters for best performance. For information on thedsktuneutility, see "dsktune Utility"."Set your kernel parameters as follows:
- Set
maxfilesto 100 (the old value was 60).- Set
nkthreadto 1328 (the old value was 499);nkthreadis a computed value:(((NPROC*7)/4+16).- Set
max_thread_procto 512 (the old value was 64).- Set
maxusersto 64 (the old value was 32).- Set
maxuprcto 512 (the old value was 75).- Set
nprocto 750, a new value which is not based on a formula (the old formula was20+8*MAXUSERS, which evaluated to 276).Typically, client applications that do not properly shut down the socket cause it to linger in a
TIME_WAITstate. To prevent this, you should consider changing theTIME_WAITsetting to a reasonable value. For example, setting
ndd -set /dev/tcp tcp_time_wait_interval 60000will limit the
TIME_WAITstate of sockets to 60 seconds.You also need to turn on large file support in order for Directory Server to work properly. To change an existing file system (from one that has no large files to one that accepts large files):
- Unmount the system using the
umountcommand. For example:
umount /export
- Create the large file system. For example:
fsadm -F vxfs -o largefiles /dev/vg01/rexport
- Remount the file system. For example:
/usr/sbin/mount -F vxfs -o largefiles /dev/vg01/export
For additional information and recommendations about setting these parameters, consult your operating-system documentation.
Installing Third-Party Utilities
You will need the
gunziputility to unpack the Directory Server software. The GNUgzipandgunzipprograms are described in more detail athttp://www.gnu.org/software/gzip/gzip.htmland can be obtained from many software distribution sites.You may need Adobe Acrobat Reader to read the documentation. If you do not have it installed, you can download it from:
http://www.adobe.com/products/acrobat/readstep2.htmlMicrosoft Windows 2000 Advanced Server
If you plan to install Directory Server on a machine running the Windows 2000 Advanced Server operating system (OS), follow the recommendations outlined in these sections:
- Configuring a Machine to Run Directory Server
- Verifying Required System Modules
- Installing Windows 2000 Server
- Installing Third-Party Utilities
- Ensuring System Clock Accuracy
- Installing Windows Service Packs and Hotfixes
- Configuring the System Post Installation
In addition to these recommendations, be sure to check the OS vendor's web site for the latest information pertaining to your OS version. Below are two URLs that you may find useful:
http://www.microsoft.com/technet/Configuring a Machine to Run Directory Server
Directory Server must be installed with a static IP address on a computer that is isolated from the public Internet by a network-level firewall. This is necessary to protect the operating system from IP-based attacks.
No other network functions should be provided by this computer. The computer should not be a dual-booting system or run other operating systems. At a minimum, the computer system should have at least 256 MB of RAM, 2 GB of disk, a Pentium 4 or later processor, and a 100 MBps Ethernet connection.
Ensure that you have sufficient disk space before downloading the software.
Download drive: 120 MB
Installation drive: 200 MBVerifying Required System Modules
Directory Server is not supported on Windows 2000 Pro or Windows 2000 DataCenter Server.
Installing Windows 2000 Server
During the installation of Windows 2000, observe the following:
- If there is already an operating system present on the computer, choose to perform a fresh install rather than an upgrade.
- Format the drives with NTFS rather than FAT, as NTFS allows access controls to be set on files and directories.
- Specify that the computer will be a standalone server and will not be a member of any existing domain or workgroup. This will reduce dependencies on the network security services.
- Choose an administrator password of at least 9 characters. Use punctuation or other non-alphabetic characters in the first 7 characters.
- Do not install Internet Information Server.
- Specify only TCP/IP as network protocol, and do not install any other network services.
Installing Third-Party Utilities
You need an UNZIP utility to unpack the directory server software. There are many commercially licensed, free and shareware tools available, such as PKZIP or Winzip. Note that shareware unregistered versions of PKZIP 2.70 maintain a TCP/IP connection to an Internet advertising service, so it may not be suitable for installation on this system.
You may need Adobe Acrobat Reader to read the documentation. If you do not have it installed, you can download it from:
http://www.adobe.com/products/acrobat/readstep2.htmlTo edit the server configuration file, you will need a text editor that is capable of handling large text files (Notepad and Wordpad are not suitable). If you are already familiar with Emacs text editor on UNIX, a port to Windows can be downloaded from
ftp://ftp.cs.washington.edu/pub/ntemacs/. There are many other shareware and commercial text editors available.To display non-English characters using any Netscape browser, you can obtain general internationalization advice and more specific information about the Bitstream Cyberbit font from the following URL:
http://developer.netscape.com/software/jdk/i18n.htmlTo download the Bitstream Cyberbit font use the following FTP link:
ftp://ftp.netscape.com/pub/communicator/extras/fonts/windowsBefore downloading the font, read the
READMEfirst.txtandReadMe.htmfiles.Ensuring System Clock Accuracy
To facilitate the correlation of date and time stamps in log files with those of other computer systems, keep your system clock reasonably in sync. As the NET TIME command requires NetBIOS, which will be disabled during post-installation system configuration, either a TCP/IP based NTP client should be installed (such as the shareware program Tardis), or a time radio receiver attached. See
http://www.ntp.orgfor more information on NTP clients for Windows.Installing Windows Service Packs and Hotfixes
Windows 2000 Service Packs include key fixes that are needed to maintain the security and reliability of the operating system. The hotfix series contains important changes for problems discovered after the service pack had been released.
Directory Server is certified with Service Pack 3 and security patches released by the OS vendor at the time of this certification. It is recommended that you install the latest service pack and all hotfixes and patches recommended by the OS vendor.
Configuring the System Post Installation
The Windows 2000 environment requires tuning to provide optimum performance for Directory Server in an operational environment. Consult the Windows 2000 system administrator's documentation or support channel for information on Windows 2000 tuning for multi-threaded internet services.
It is recommended that you set the
LargeSystemCacheregistry key to 0 to limit the growth of system cache. TheLargeSystemCachehas a default value of 1, which is not suitable for applications such as Directory Server, which do caching internally.Also, if there'll be a lot of connections from clients:
- Change
tcp_time_wait_intervalfrom its default value, which is 240 seconds, to 60 seconds. To do this, at RegistryHKEY_LOCAL_MACHINE\System\CurrectControlSet\services\Tcpip\Parameters, create a keyTcpTimeWaitDelaywith value 60.- Change the upper range of ephemeral from the default value, which is 4999, to 65534. To do this, at Registry
HKEY_LOCAL_MACHINE\System\CurrectControlSet\services\Tcpip\Parameters, create a keyMaxUserPortwith value 65534.Red Hat Linux 7.3 Operating System
If you plan to install Directory Server on a machine running the Linux 7.3 operating system (OS), follow the recommendations outlined in these sections:
- Verifying Disk Space Requirements
- Verifying Required System Modules
- Installing System Patches
- Tuning the System
- Installing Third-Party Utilities
In addition to these recommendations, be sure to check the OS vendor's web site for the latest information pertaining to your OS version:
http://www.redhat.com/apps/support/Verifying Disk Space Requirements
Ensure that you have sufficient disk space before downloading the software.
Download drive: 120 MB
Installation drive: 2 GBVerifying Required System Modules
Directory Server is certified to work on:
- The Intel Pentium series processors [i686]
- The default kernel/glibc revisions that comes along with Red Hat Linux 7.3 and the other kernel revisions with their corresponding glibc revisions as mentioned below.
Directory Server has been certified on Red Hat Linux 7.3 with kernel revisions 2.4.18-27.7.x (
kernel-2.4.18-27.7.x.i686.rpm) / glibc version 2.2.5-43 (glibc-2.2.5-43.i686.rpm). Table 3-2 provides the list of.rpmpackages that were installed in the test machines during the certification process of this release of Directory Server. (If the machine is a single CPU machine, the corresponding kernel would be of the formkernel-x.x.x.x. If the machine is a multi-CPU machine, then the corresponding kernel would be of the formkernel-smp-x.x.x.x.)
Table 3-2 Red Hat Linux 7.3 Patch List
This section contains some basic system tuning information. Keep in mind that changing any of the following kernel tuning parameters requires a system reboot.
- NFS Tuning—This tuning is recommended if you are using Directory Server to write to NFS mounted drives. On Linux, NFS is typically recommended to be done over TCP and not over UDP. Make the following change to the
/etc/rc.d/init.d/autofsfile:
+ localoptions='rsize=8192,wsize=8192,vers=3,tcp'
- TCP Tuning—You can increase number of local system ports available by running this command:
echo "1024 65000" > /proc/sys/net/ipv4.ip_local_port_range
- You can also achieve the same by editing this parameter in the
/etc/sysctl.conffile:
[ echo "1024 65000" >> /etc/sysctl.conf ]
- File Tuning—You can increase the file descriptors by running these commands:
echo "64000" > /proc/sys/fs/file-maxor edit this parameter in the/etc/sysctl.conffile:[ echo "fs.file-max = 64000" >> /etc/sysctl.conf ]
- echo "* soft nofile 8192" >> /etc/security/limits.conf
echo "* hard nofile 8192" >> /etc/security/limits.conf
echo "ulimit -n 8192" >> /etc/profile
echo "session required /lib/security/pam_limits.so" >> /etc/security/limits.conf
Installing Third-Party Utilities
You will need the
gunziputility to unpack the Directory Server software. The GNUgzipandgunzipprograms are described in more detail athttp://www.gnu.org/software/gzip/gzip.htmland can be obtained from many software distribution sites.You may need Adobe Acrobat Reader to read the documentation. If you do not have it installed, you can download it from:
http://www.adobe.com/products/acrobat/readstep2.htmlRed Hat Linux Advanced Server 2.1 Operating System
If you plan to install Directory Server on a machine running the Linux Advanced Server 2.1 operating system (OS), follow the recommendations outlined in these sections:
- Verifying Disk Space Requirements
- Verifying Required System Modules
- Installing System Patches
- Tuning the System
- Installing Third-Party Utilities
In addition to these recommendations, be sure to check the OS vendor's web site for the latest information pertaining to your OS version:
http://www.redhat.com/apps/support/Verifying Disk Space Requirements
Ensure that you have sufficient disk space before downloading the software.
Download drive: 120 MB
Installation drive: 2 GBVerifying Required System Modules
Directory Server is certified to work on:
- The Intel Pentium series processors [i686]
- The default kernel/glibc revisions that comes along with Red Hat Linux Advanced Server 2.1 and the other kernel revisions with their corresponding glibc revisions as mentioned below.
- Required Kernel:
- Default kernel - kernel-2.4.9-e.3
Kernel used for certification - kernel-2.4.9-e.16
- Required glibC:
- Default glibc - glibc-2.2.4-26
glibc used for certification - glibc-2.2.4-31.7
- Required Filesytem:
- ext3 (
LARGEFILESsupport enabled) filesystem has been used for the certification process.
Directory Server has been certified on Red Hat Linux Advanced Server 2.1 with kernel revisions 2.4.9-e.16 (
kernel-2.4.9-e.16.i686.rpm) / glibc version 2.2.4-31.7 (glibc-2.2.4-31.7.i686.rpm). Table 3-3 provides the list of.rpmpackages that were installed in the test machines during the certification process of this release of Directory Server. (If the machine is a single CPU machine, the corresponding kernel would be of the formkernel-x.x.x.x. If the machine is a multi-CPU machine, the corresponding kernel would be of the formkernel-smp-x.x.x.x.)
Table 3-3 Red Hat Linux Advanced Server 2.1 Patch List
This section contains some basic system tuning information. Keep in mind that changing any of the following kernel tuning parameters requires a system reboot.
- NFS Tuning—This tuning is recommended if you are using Directory Server to write to NFS mounted drives. On Linux, NFS is typically recommended to be done over TCP and not over UDP. Make the following change to the
/etc/rc.d/init.d/autofsfile:
+ localoptions='rsize=8192,wsize=8192,vers=3,tcp'
- TCP Tuning—You can increase number of local system ports available by running this command:
echo "1024 65000" > /proc/sys/net/ipv4.ip_local_port_range
- You can also achive the same by editing this parameter in the
/etc/sysctl.conffile:
[ echo "1024 65000" >> /etc/sysctl.conf ]
- File Tuning—You can increase the file descriptors by running these commands:
echo "64000" > /proc/sys/fs/file-maxor edit this parameter in the/etc/sysctl.conffile:[ echo "fs.file-max = 64000" >> /etc/sysctl.conf ]
- echo "* soft nofile 8192" >> /etc/security/limits.conf
echo "* hard nofile 8192" >> /etc/security/limits.conf
echo "ulimit -n 8192" >> /etc/profile
echo "session required /lib/security/pam_limits.so" >> /etc/security/limits.conf
Installing Third-Party Utilities
You will need the
gunziputility to unpack the Directory Server software. The GNUgzipandgunzipprograms are described in more detail athttp://www.gnu.org/software/gzip/gzip.htmland can be obtained from many software distribution sites.You may need Adobe Acrobat Reader to read the documentation. If you do not have it installed, you can download it from:
http://www.adobe.com/products/acrobat/readstep2.htmlSun Solaris 8 Operating System
If you plan to install Directory Server on a machine running the Solaris 8 operating system (OS), follow the recommendations outlined in these sections:
- Verifying Disk Space Requirements
- Verifying Required System Modules
- Installing Patches
- Tuning the System
- Setting File Descriptors
- Tuning TCP Parameters
In addition to these recommendations, be sure to check the OS vendor's web site for the latest information pertaining to your OS version. For example, you should read the Solaris Operating Environment Security Sun Blueprint at
http://www.sun.com/blueprints/0100/security.pdffor advice on guarding against potential security threats.Below are two URLs that you may find useful:
Verifying Disk Space Requirements
Ensure that you have sufficient disk space before downloading the software.
Current working directory: 120 MB
Partition containing/usr/netscape: 2 GBVerifying Required System Modules
Directory Server requires the use of a SPARC v8+ or an UltraSPARC (SPARC v9) processor, as these processors include support for high performance and multiprocessor systems. Earlier SPARC processors are not supported.
If you run Directory Server on a 64-bit Sun Solaris 8 UltraSPARC machine, it will run as a 32-bit application.
You must use Solaris 8 with the Sun recommended patches. The Sun recommended patch clusters can be obtained from your Solaris support representative, or from the
http://sunsolve.sun.comsite.Solaris patches are generally identified by two numbers, for example 108434-10. The first number (108434) identifies the patch itself. The second number identifies the version of the patch, in the example above the patch is version number 10.
Table 3-4 provides the list of Solaris 8 patches that were used during the testing of this release of Directory Server. You must install these patches on your machine before installing the Directory Server product. (The command "
showrev -p" will list the patches that have been installed on your machine.)Also keep in mind that Directory Server provides a utility named
dsktunethat can help you verify whether you have the appropriate patches installed on your system. For details, see "dsktune Utility".In addition to the patches listed in Table 3-4 and the patches identified by the
dsktuneutility, we recommend that you check the operating system vendor's web site for information on installing the latest version of the patch clusters to benefit from the latest fixes.You will need to reboot your machine after installing the patches.
Table 3-4 Solaris 8 Patch List
Basic Solaris tuning guidelines are available from several books, including Sun Performance and Tuning: Java and the Internet (ISBN 0-13-095249-4). Advanced tuning information is available in the Solaris Tunable Parameters Reference Manual (806-4015) which can be obtained from this URL:
http://docs.sun.com/db/doc/806-4015The system-wide maximum file descriptor table size setting will limit the number of concurrent connections that can be established to Directory Server. The governing parameter,
rlim_fd_max, is set in the/etc/systemfile. By default, if this parameter is not present, the maximum is 1024. It can be raised to 4096 by adding to/etc/systema line
This parameter should not be raised above 4096 without first consulting your Sun Solaris support representative as it may affect the stability of the system.
You should also set the soft limit for file descriptors:
ulimit -n
in csh limit desc 1024Use the
dsktuneutility (see "dsktune Utility") to check about the hard and soft limits for file descriptors.By default, the TCP/IP implementation in a Solaris kernel is not correctly tuned for Internet or Intranet services. The following
/dev/tcptuning parameters should be inspected and, if necessary, changed to fit the network topology of the installation environment.The
tcp_time_wait_intervalin Solaris 8 specifies the number of milliseconds that a TCP connection will be held in the kernel's table after it has been closed. If its value is above 30000 (30 seconds) and the directory is being used in a LAN, MAN or under a single network administration, it should be reduced by adding a line similar to the following to the/etc/init.d/inetinitfile:ndd -set /dev/tcp tcp_time_wait_interval 30000
The
tcp_conn_req_max_q0andtcp_conn_req_max_qparameters control the maximum backlog of connections that the kernel will accept on behalf of the Directory Server process. If the directory is expected to be used by a large number of client hosts simultaneously, these values should be raised to at least 1024 by adding a line similar to the following to the/etc/init.d/inetinitfile:ndd -set /dev/tcp tcp_conn_req_max_q0 1024
ndd -set /dev/tcp tcp_conn_req_max_q 1024The
tcp_keepalive_intervalspecifies the interval in seconds between keepalive packets sent by Solaris for each open TCP connection. This can be used to remove connections to clients that have become disconnected from the network.The
tcp_rexmit_interval_initialvalue should be inspected when performing server performance testing on a LAN or high speed MAN or WAN. For operations on the wide area Internet, its value need not be changed.The
tcp_smallest_anon_portcontrols the number of simultaneous connections that can be made to the server. Whenrlim_fd_maxhas been increased to above 4096, this value should be decreased, by adding a line similar to the following to the/etc/init.d/inetinitfile: