IBM(R) Directory Server Version 4.1 Installation and Configuration Guide for Multiplatforms
Note: Before using this information and the product it supports, read the general
information under Appendix F, Notices.
First Edition (April 2002)
This edition applies to version 4, release 1, of The IBM Directory and to
all subsequent releases and modifications until otherwise indicated in new
editions.
(C) Copyright International Business Machines Corporation 1998, 2002. All rights reserved.
U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
This document describes how to install, configure, and remove the IBM
Directory. Please check System requirements before you install.
Preface
Installation, configuration, and migration overview
System requirements
Common installation using InstallShield GUI
Before installing on a Windows 98, Windows 2000 or Windows NT operating system using InstallShield GUI
Installing IBM Directory 4.1 on a Windows 98, Windows 2000 or Windows NT platform
Typical installation for a Windows 98, Windows 2000 or Windows NT operating system
Custom installation for Windows 98, Windows 2000 or Windows NT operating system
Before installing on UNIX-based platforms
Installing IBM Directory on a UNIX-based platform
Typical
Custom
Installing using AIX utilities
SMIT Installation
Command Line Installation
Before Installing on a Node within an RS/6000 SP Environment
Installing GSKit
Setting System variables for AIX operating systems
Removing GSKit
Installing using Hewlett-Packard (HP-UX) utilities
Before installing the IBM Directory
Setting the current kernel configuration parameters
Installing HP-UX Runtime Environment for the Java 2 Platform Version 1.3.
Installing the IBM Directory
Installing GSKit
System Setting variables for HP-UX
Removing GSKit
Configuring the environment
Installing using Linux utilities
Installing the IBM Directory
Installing GSKit
Removing GSKit
Configuring the environment
Installing using Solaris utilities
Installing
Package dependencies
Non-IBM version of LDAP on your system
AdminTool Installation
Command line installation
Installing GSKit
Removing GSKit
Installing using Windows 98, Windows 2000 or Windows NT utilities
Silent Installation
Installing GSKit
Removing GSKit
Configuration
IBM Directory Configuration (ldapxcfg)
Configuring or Reconfiguring the Database from a Web Browser
ldapcfg Utility
Unconfiguring the server and removing IBM Directory
Unconfiguring the server
Removing IBM Directory
Uninstalling using operating system utilities
Uninstalling using InstallShield GUI
Migration
Migration from SecureWay Directory Version 3.2.x for Windows 2000 or Windows NT InstallShield GUI installations
Migration from SecureWay Directory Version 3.2.x for AIX installations
Migration from SecureWay Directory Version 3.2.x for UNIX installations
Troubleshooting
InstallShield GUI installation
Failed installation
Recovering from a failed installation
Configuration
DB2 does not configure properly
Database performance is poor
Replication command line interface error (Windows 2000 or Windows NT operating system only)
Server does not start after making changes to configuration files attributes
Transaction log is full
Error running DB2 commands against the LDAPDB2 database on a Windows 2000 or Windows NT operating system
Debugging
DB2 Errors Logged
Server Debug Mode
Migration
All platforms
Windows 2000 or Windows NT only
Web Browser Problems
Microsoft Internet Explorer
iPlanet Communicator and Netscape Navigator
Appendix A. Database configuration planning
Before Configuring the Database
Appendix B. Creating a change log database with a non-default database (Windows, Windows 2000, Windows NT, AIX and Solaris operating systems only)
Appendix C. Creating a database manually
Configuration settings
Examples:
Appendix D. Modifications to Web server configuration files
Appendix E. IBM Directory configuration schema
Directory Information Tree (DIT)
cn=Configuration
cn=Event Notification
cn=Front End
cn=Kerberos
cn=Master Server
cn=Referral
cn=Schemas
cn=IBM SecureWay
cn=RDBM Backends
cn=Directory
cn=Change Log
cn=LDCF Backends
cn=SchemaDB
cn=SSL
cn=CRL
cn=Transaction
Attributes
cn
ibm-slapdAdminDN
ibm-slapdAdminPW
ibm-slapdChangeLogMaxEntries
ibm-slapdConcurrentRW
ibm-slapdDbConnections
ibm-slapdDbInstance
ibm-slapdDbName
ibm-slapdDbUserID
ibm-slapdDbUserPW
ibm-slapdEnableEventNotification
ibm-slapdErrorLog
ibm-slapdIdleTimeOut
ibm-slapdIncludeSchema
ibm-slapdKrbAdminDN
ibm-slapdKrbEnable
ibm-slapdKrbIdentityMap
ibm-slapdKrbKeyTab
ibm-slapdKrbRealm
ibm-slapdLdapCrlHost
ibm-slapdLdapCrlPassword
ibm-slapdLdapCrlPort
ibm-slapdLdapCrlUser
ibm-slapdMasterDN
ibm-slapdMasterPW
ibm-slapdMasterReferral
ibm-slapdMaxEventsPerConnection
ibm-slapdMaxEventsTotal
ibm-slapdMaxNumOfTransactions
ibm-slapdMaxOpPerTransaction
ibm-slapdMaxTimeLimitOfTransactions
ibm-slapdPagedResAllowNonAdmin
ibm-slapdPagedResLmt
ibm-slapdPageSizeLmt
ibm-slapdPlugin
ibm-slapdPort
ibm-slapdPWEncryption
ibm-slapdReadOnly
ibm-slapdReferral
ibm-slapdSchemaAdditions
ibm-slapdSchemaCheck
ibm-slapdSecurePort
ibm-slapdSecurity
ibm-slapdSetenv
ibm-slapdSizeLimit
ibm-slapdSortKeyLimit
ibm-slapdSortSrchAllowNonAdmin
ibm-slapdSslAuth
ibm-slapdSslCertificate
ibm-slapdSslCipherSpecs
ibm-slapdSslKeyDatabase
ibm-slapdSslKeyDatabasePW
ibm-slapdSuffix
ibm-slapdSysLogLevel
ibm-slapdTimeLimit
ibm-slapdTransactionEnable
ibm-slapdUseProcessIdPw
objectClass
Appendix F. Notices
Trademarks
Index
This chapter briefly describes the recommended installation, configuration
and migration procedures for IBM Directory version 4.1.
If you have a pre-existing version of Lightweight Directory Access Protocol
(LDAP) from a vendor other than IBM, you must remove it before installing the
IBM Directory. If you attempt to install the IBM Directory without
removing the other vendor's version, the resulting file name conflicts
might prevent either version from working.
If you have IBM SecureWay(R) Directory Version
3.1.1.5, Version 3.2 or Version
3.2.2 installed and you want to migrate your data, see Migration before beginning the installation process
for the IBM Directory 4.1.
Attention: If you have SecureWay Directory Version
3.1.1.5 currently installed and you want to migrate your
data, you must upgrade to level 3.2.2 before installing IBM
Directory 4.1. You can download SecureWay Directory version
3.2.2 from the IBM SecureWay Directory Web site: http://www-306.ibm.com/software/network/directory/downloads/.
You can install either the IBM Directory client or the IBM Directory server
that includes the client.
IBM Directory 4.1 has several installation options. You can
install using an InstallShield Graphical User Interface (GUI), or use
platform-specific installation methods, such as the command line or
smitty. Instructions for using the InstallShield GUI are found in Common installation using InstallShield GUI.
For platform-specific installation instructions, see the Installation
chapter for the platform for which you are installing. For example,
"Installing using AIX(R) Utilities".
Notes:
- InstallShield GUI installation is not available for HP-UX, Linux 390 or
TurboLinux operating systems.
- Do not use special characters, such as "-" and "." in the name of
the installation directory for IBM Directory. If you do not choose the
default location for the software installation, choose a name such as "ldap"
or "ldapdir". Do not choose a name such as "ldap-dir" or
"ldap.dir".
See System requirements for any prerequisites.
You can use either the Server Administration (ldapxcfg) or the
ldapcfg command-line utility to configure the IBM Directory
server.
Note: Web server configuration does not apply to Linux and HP-UX operating
systems.
For either the ldapxcfg or the ldapcfg program, IBM
Directory server configuration consists of three parts:
- Defining the IBM Directory administrator distinguished name (DN) and a
password. This operation can be compared to defining the root user ID
and password on a UNIX(R) system. DNs are not case
sensitive. If you are unfamiliar with X.500 format, or if for
any other reason you do not want to define a new DN, accept the default
DN. You need to define a password.
- Modifying a Web server configuration to access the IBM Directory Web
administration pages.
- Configuring the database.
For configuration of a Web server, verify that the Web server is
installed. You also need to know:
- The name of the Web server that you are using
- The full path and name of the configuration file for the Web server
Instructions for configuring using ldapxcfg and
ldapcfg are found in Configuration.
If you have a previous version of the IBM Directory, for example SecureWay
3.2.2, migration is necessary to preserve any changes that you
have made to the schema definitions and to preserve your directory server
configuration. Use the migration procedures in Migration.
To install the IBM Directory, administer the IBM Directory server, and use
the Global Security Kit (GSKit), your computer must meet the following minimum
system requirements.
Before installing, see the client README file in the root directory of the
CD for the latest information on supported versions of AIX operating
system. After installing, the README file is located in
/usr/ldap/web/<lang>/readme/client.txt or
/usr/ldap/web/<lang>/readme/client.pdf, or using a Web
browser, at
/usr/ldap/web/<lang>/readme/client.htm.
- A minimum of 128 MB RAM (256 MB is strongly recommended).
- If installing either ldap.server.cfg or
ldap.client.dmt on AIX 4.3.3 or later, the
following filesets and fixes must be installed:
- X11.adt.lib 4.3.3.10
- X11.adt.motif 4.3.3.0
Note: The IBM AIX Developer Kit, Java(TM) Technology Preview Edition, Version
1.3.0 requires AIX 4.3.3.10 (or
later). You need to install the 4330-02 or later (for example 4330-03)
Recommended Maintenance package. You can order the 4330-02 package (or
download required filesets from the FixDist Web site) with APAR
IY06844. You can also get it on the 2/2000 Update CD that is shipped
with AIX. In the United States, you can call IBM at 800-879-2755 and
request a refresh of the AIX 4.3.3 media.
To check the current level of bos.rte.libc, use the
following command:
lslpp -ah bos.rte.libc
Before installing, see the client README file in the root directory of the
CD for the latest information on supported versions of HP-UX operating
system. After installing, the README file is located in
/usr/ldap/web/<lang>/readme/client.txt or
/usr/ldap/web/<lang>/readme/client.pdf, or
using a Web browser, at
/usr/ldap/web/<lang>/readme/client.htm.
- Hewlett-Packard UNIX (HP-UX) 11.0 or later.
- A minimum of 128 MB RAM. (256 MB is strongly recommended).
Before installing, see the client README file in the root directory of the
CD for the latest information on supported versions of Linux operating
system. After installing, the README file is located in
/usr/ldap/web/<lang>/readme/client.txt or
/usr/ldap/web/<lang>/readme/client.pdf, or
using a Web browser, at
/usr/ldap/web/<lang>/readme/client.htm.
- Linux Operating System from Red Hat Version 7.1 or later, SuSE
Version 7.2 or later, or Turbolinux Version 6.5 or later.
- A minimum of 128 MB RAM (256 MB or more is strongly recommended).
- The latest levels of glibc (Red Hat 7.1 systems only). To
get the latest levels of glibc, download the following files in order from the
Red Hat Web site:
- glibc-2.2.4-19.3.i686.html
- glibc-devel-2.2.4-19.3.i386.html
- glibc-2.2.4-19.3.i686.html
Before installing, see the client README file in the root directory of the
CD for the latest information on supported versions of Solaris operating
system. After installing, the README file is located in
/opt/IBMldaps/web/<LANG>/readme/client.pdf, or using a
Web browser,
/opt/IBMldaps/web/<LANG>/readme/client.htm.
- Solaris Operating Environment(TM) Software versions 7 and 8 or
later. On Solaris 7, the following patch levels are required to run the
Directory Management Tool on the client and server. They are also
needed to run the LDAP configuration programs (ldapcfg,
ldapxcfg, ldapucfg) on the server:
- 109104-01 (needed for 106541-12)
- 107544-02 (needed for 106541-12)
- 106541-12 (needed for 106980-13)
- 106980-13
- 107081-22
- 107636-05
- 108376-07 (needed for Asian locales only)
- 107544-03 109104-04 X11.adt.lib 4.3.3.0
Note: You can download Solaris operating system patches directly from Sun
Microsystems, Inc. at the following Web site:
http://sunsolve.Sun.COM
In order for Java 1.3 to function correctly, Solaris Operating
Environment(TM) Software Version 7 and Solaris 8 require patches. For
the latest information about recommended and required patches for the Java 2
SDK, go to the following Web site:
http://java.sun.com/.
- A minimum of 128 MB RAM. (256 MB is strongly recommended.)
- Ensure that the code page conversion routines (en_US.UTF-8
1.0) are installed.
- GSKit5 at a level of 5.0.4 or later.
Before installing, see the client README file in the root directory of the
CD for the latest information on supported versions of Windows 98, Windows
2000 or Windows NT(R) operating systems. After installing, the
README file is located in
/usr/ldap/web/<lang>/readme/client.txt or
/usr/ldap/web/<lang>/readme/client.pdf, or
using a Web browser, at
/usr/ldap/web/<lang>/readme/client.htm.
- Microsoft(R) Windows 98, Windows 2000 or Windows NT 4.0 with
Service Pack 4 or higher; a Windows NT file system (NTFS) is required for
security support.
- A minimum of 128 MB RAM (256 MB is strongly recommended).
Update the ldap.client.rte fileset and see the server README
file on the root directory of the CD. After you install, the README is
located in
/usr/ldap/web/<lang>/readme/server.txt or
/usr/ldap/web/<lang>/readme/server.pdf, or
using a Web browser, at
/usr/ldap/web/<lang>/readme/server.htm.
In addition to the client requirements, the server requires the
following:
- A minimum of 256 MB RAM (512 MB or more is strongly recommended).
- One of the following Web servers (or a later version) installed and
configured:
- IBM HTTP Server 1.3.12 (IBM HTTP Server 1.3.19
is included with IBM Directory)
- Lotus(R) Domino(TM) Enterprise 5.0.2b Webserver(TM)
- Apache Server 1.3.12
- iPlanet FastTrack Server 3.01
- iPlanet Enterprise Server 3.6.3, 4.0
- DB2(R) Universal Database for AIX version 7.2 Enterprise
Edition (DB2) is included with the IBM Directory, although DB2 version
7.1 with Fix Pack 3, is also supported. If you have a version of
DB2 earlier than 7.1 with Fix Pack 3, you must remove it or upgrade it
before installing the IBM Directory Version 4.1.
Attention: If you have a 3.2.x version of
SecureWay Directory installed, read and understand the migration process in Migration before removing or upgrading DB2. If you remove DB2
before migrating, you will lose your data.
Notes:
- If you already have DB2 installed, you need approximately 45 MB of disk
space. You need approximately 135 MB of disk space for both LDAP and
DB2.
- Disk space required for data storage is dependent upon the number and size
of database entries. You need to allow a minimum of 80 MB for your
database on UNIX systems. Also, ensure there is approximately another 4
MB of disk space in the /home directory to create the DB2 instance. See
the README file for any last minute changes on database requirements.
Customers can choose to have more than one version of DB2 installed on a
machine. IBM Directory always defaults to the highest (newest) version
of DB2 found on a system. Customers who wish to use an older
(supported) version of DB2 are required to manually reset two links to enable
that version:
Notes:
- If DB2 UDB 7.1 with Fix Pack 3 or later is installed, but not
installed as the default database, issue the following commands as
root to use it:
ln -fs /usr/lpp/db2_07_01 /usr/ldap/db2
ln -fs /usr/lpp/db2_07_01/lib/libdb2.a /usr/ldap/lib/libdb2.a
- You must have a license to use any DB2 product other than DB2 UDB
7.2, which is delivered with IBM Directory.
- If you are upgrading your level of DB2, ensure that you follow the DB2
migration procedure which requires you to stop all applications. If you
have a server up and running and you uninstall DB2 without reinstalling the
IBM Directory Server, the directory server cannot start.
See the server README file on the root directory of the CD for the
latest information on supported versions of HP-UX. After you install,
the README is located in
/usr/ldap/web/<lang>/readme/server.txt or
/usr/ldap/web/<lang>/readme/server.pdf, or
using a Web browser, at
/usr/ldap/web/<lang>/readme/server.htm.
- HP-UX 11.0 or later.
- A minimum of 256 MB RAM (512 MB is strongly recommended).
- DB2 Universal Database(TM) for HP-UX Workgroup or Enterprise edition
version 7.1 with FixPak 3 or later (DB2).
- HP-UX Runtime Environment for the Java 2 Platform Version
1.3. HP-UX Runtime Environment for the Java 2 Platform Version
1.3. is included with IBM Directory.
- XSWGR1100 B.11.00.47.08 General Release Patch,
November 1999 (ACE). Verify that you have the
B.11.00.47.08 patch installed by running the
following command:
swlist
- Current kernel configuration parameters. See Setting the current kernel configuration parameters for the required parameters.
Before installing, see the server README file in the root directory of the
CD for the latest information on supported versions of Linux operating
system. After installing, the README file is located in
/usr/ldap/web/<lang>/readme/server.txt or
/usr/ldap/web/<lang>/readme/server.pdf, or
using a Web browser, at
/usr/ldap/web/<lang>/readme/server.htm.
In addition to the client requirements, the server requires the
following:
- A minimum of 256 MB RAM (512 MB or more is strongly recommended).
- DB2 Universal Database for Linux - Personal or Enterprise edition -
version 7.1 with FixPak 3 or later (DB2). DB2 Version 7.2
Personal edition is included with the IBM Directory and is installed if a
supported version of DB2 is not detected on your system. If you have a
version of DB2 earlier than Version 7.1 with FixPak 3 installed on your
system, you must remove it or upgrade it before installing the IBM Directory
version 4.1.
Attention: If you have a 3.2.x version of
SecureWay Directory installed, read and understand the migration process in Migration before removing or upgrading DB2. If you remove DB2
before migrating, you will lose your data.
Notes:
- DB2 Version 7.2 Personal edition is included with the IBM
Directory.
- If you already have DB2 installed, you need approximately 45 MB of disk
space. You need approximately 135 MB of disk space for both LDAP and
DB2.
- Disk space required for data storage is dependent upon the number and size
of database entries. You need to allow a minimum of 80 MB for your
database on UNIX systems. Also allow approximately another 4 MB of disk
space in the /home directory to create the db2 instance. See the README
file for any additional information on database requirements.
Before installing, see the server README file in the root directory of the
CD for the latest information on supported versions of Solaris operating
system. After installing, the README file is located in
/opt/IBMldaps/web/<LANG>/README/server.txt or
/opt/IBMldaps/web/<LANG>/README/server.htm, or using a
Web browser, at
/opt/IBMldaps/web/<LANG>/README/server.pdf.
In addition to the client requirements, the server requires the
following:
- A minimum of 256 MB RAM (512 MB is strongly recommended)
- One of the following Web servers (or a later version), installed and
configured:
- IBM HTTP Server 1.3.12 (IBM HTTP Server 1.3.19
is included with IBM Directory)
- Lotus Domino Enterprise 5.0.2b Webserver(TM)
- Apache Server 1.3.12
- iPlanet FastTrack Server 3.01
- iPlanet Enterprise Server 3.6.3, 4.0
- DB2 Universal Database for Solaris Enterprise edition - version 7.1
with FixPak 3 or later (DB2). The minimum supported level is DB2
Version 7.1 with FixPak 3 or later. DB2 Version 7.2
Extended Enterprise edition is included with the IBM Directory and is
installed if a supported version of DB2 is not detected on your system.
If you have a version of DB2 earlier than Version 7.1 with FixPak 3
installed on your system, you must remove it or upgrade it before installing
the IBM Directory version 4.1.
Attention: If you have a 3.2.x version of
SecureWay Directory installed, read and understand the migration process in Migration before removing or upgrading DB2. If you remove DB2
before migrating, you will lose your data.
Notes:
- If you already have DB2 installed, you need approximately 45 MB of disk
space. You need approximately 155 MB of disk space for both LDAP and
DB2.
- Disk space required for data storage is dependent upon the number and size
of database entries. You need to allow a minimum of 80 MB for your
database on UNIX systems. Also allow another 2 to 3 MB of disk space to
create the DB2 instance. See the README file for any last minute
changes on database requirements.
- Current kernel configuration parameters. See Setting the current kernel configuration parameters for the required parameters.
Before installing, see the server README file in the root directory of the
CD for the latest information on supported versions of Windows 2000 or Windows
NT operating system. After installing, the README file is located in
/usr/ldap/README/<lang>/README/server.txt or
/usr/ldap/README/<lang>/README/server.pdf, or
using a Web browser, at
/usr/ldap/web/<lang>/README/server.htm.
In addition to the client requirements, the server requires the
following:
- Windows 2000, or Windows NT 4.0 with Service Pack 4 or later.
- A minimum of 256 MB RAM (512 MB is strongly recommended.)
- One of the following Web servers (or a later version), installed and
configured:
- IBM HTTP Server 1.3.12
- Lotus Domino Enterprise 5.0.2b Webserver(TM)
- Microsoft Internet Information Server 4.0
- Apache Server 1.3.12
- iPlanet FastTrack Server 3.01
- iPlanet Enterprise Server 3.6.3, 4.0
If a supported Web server is not detected on your system, the installation
process automatically installs the IBM HTTP Server 1.3.19 that
is included in the IBM Directory package.
- DB2(R) Universal Database for Windows - Personal or Enterprise edition
(DB2). The minimum supported level is DB2 Version 7.1 with
FixPak 3 or later. DB2 Version 7.2 Personal edition is included
with the IBM Directory and is installed, if a supported version of DB2 is not
detected on your system. If you have a version of DB2 earlier than
Version 7.1 with FixPak 3 installed on your system, you must remove it
or upgrade it before installing the IBM Directory version 4.1.
Attention: If you have a 3.2.x version of
SecureWay Directory installed, read and understand the migration process in Migration before removing or upgrading DB2. If you remove DB2
before migrating, you will lose your data.
Notes:
- If you already have DB2 installed, you need approximately 25 MB of disk
space. You need approximately 135 MB of disk space for both the IBM
Directory and DB2.
- Disk space required for data storage is dependent upon the number and size
of database entries. You need to allow a minimum of 80 MB for your
database on Windows 2000 or Windows NT systems. Also allow another 2 to
3 MB of disk space when creating the DB2 instance. See the README file
for any last minute changes on database requirements.
- In addition to the two filesets required for AIX 4.3.3 you
must install AIX Maintenance Level Fix Pack 8 or higher.
Note: If you have no locale specific requirements, after you apply all the services
that you need for your system, restart your system to enable the
changes.
- The bos.loc.iso.ZH_TW fileset must be set for the
Taiwan locale. The fileset is available from the AIX
4.3.3 installation medium.
To administer the IBM Directory server you need the following:
- A frame-enabled browser that supports:
- HTML version 3.0 or later
- Java(TM) 1.1.7 features including the Java Development Kit
(JDK) 1.1 Abstract Window (AWT) events
- JavaScript(TM) 1.2
- The browser must be enabled to accept cookies.
The following Web browsers support these specifications:
- Microsoft Internet Explorer (MS IE) version 4.0 plus service pack 1
or higher
- Netscape Navigator version 4.07 or later (4.08 is
recommended)
- Netscape Communicator version 4.7, 4.8 or later
Global Security Kit (GSKit) version 5.0.4 is an optional
software package that is required only if Secure Socket Layer (SSL) Security
is required.
The IBM Directory 4.1 alone does not provide the capability for SSL
connections from IBM Directory clients. You can add the SSL feature by
installing the IBM GSKit 5.0.4 package. The GSKit package
includes SSL support and associated RSA Data Security, Inc. (4)
technology.
The IBM Directory server works without the GSKit installed. In this
case the IBM Directory server accepts only non-SSL connections from any
Directory client. Similarly, the IBM Directory client works without the
GSKit installed.
You can use the InstallShield GUI to install IBM Directory on AIX, Solaris,
Windows 98, Windows 2000 or Windows NT platforms. It is also available
for Linux SuSE and Linux Red Hat platforms. If you do not wish to use
InstallShield GUI to install, this guide contains a manual installation
chapter for each platform. For example "Installing using AIX operating
system utilities".
The InstallShield GUI requires a substantial amount of temporary disk
space. Before installing, ensure that you have at least 400 MB of
available space in your /tmp directory.
Attention:
You cannot migrate from a 3.2.x version of SecureWay
Directory or reinstall over an existing version of IBM Directory 4.1 on
an AIX platform using InstallShield GUI. Use SMIT Installation to install IBM Directory if you want to migrate or
reinstall. See Migration from SecureWay Directory Version 3.2.x for AIX installations for instructions on migrating and restoring
backed-up files after reinstallation on an AIX system.
If you have a 3.2.x version of SecureWay Directory installed
on a Linux SuSE, Linux Red Hat, or Solaris system, read and understand the
migration process in Migration from SecureWay Directory Version 3.2.x for UNIX installations. If you have a 3.2.x version of
SecureWay Directory installed on a Windows 2000 or Windows NT system, read and
understand the migration process in Migration from SecureWay Directory Version 3.2.x for Windows 2000 or Windows NT InstallShield GUI installations before installing IBM Directory 4.1.
It is very important that you back up and export previous versions of schema
files and slapd32.conf before installing IBM Directory
4.1.
Notes:
- References to Web servers do not apply to Linux or HP-UX operating
systems.
- If you install using InstallShield GUI, you must also uninstall using the
InstallShield GUI. See Removing IBM Directory for instructions on removing using the InstallShield
GUI.
- Once installation using InstallShield GUI has begun, do not try to cancel
the installation by closing the InstallShield Window or using the
Ctrl+c keystroke. If you inadvertently cancel installation,
see Recovering from a failed installation before attempting to re-install.
Before installing, make sure the following conditions are met. If these
conditions are not met, the installation exits.
- If you have a pre-3.2.x version of SecureWay Directory
installed on your system:
Upgrade to 3.2 or later before installing IBM Directory
4.1.
- If you have a downlevel version of DB2:
Upgrade to DB2 7.1 Fix Pack 3 or later. DB2 7.2 is
included with IBM Directory.
Attention: Export your data using db2ldif before
unconfiguring and removing your current database. Do not use the
DB2BACKUP command. If you do not export before unconfiguring
and removing the database, you will lose your data.
- If you have a 3.2.x version of SecureWay Directory
installed on your computer:
- Export the database using db2ldif
Note: Read the db2ldif documentation in the SecureWay
Administration Guide for your release before exporting the
database.
db2ldif -o <outputfile> [-s <subtree DN>]
where outputfile specifies the LDIF output file to contain
the directory entries in LDIF and subtree DN identifies the top
entry of the subtree that is to be dumped to the LDIF output file.
Attention: Export your data using db2ldif and
remove the db2admin id from the operating system before unconfiguring and
removing the database (step 2). Do not use the DB2BACKUP
command. If you do not export before unconfiguring and removing the
database, you will lose your data.
- Unconfigure and remove the database:
ldapucfg -d
Press y to confirm the removal. Default LDAP
databases are automatically removed from the system when the command
successfully completes.
Note:
- If you use a custom database, you must manually remove the DB2 database
from the system.
- Data contained in the SecureWay Directory 3.2.x database is
not compatible with IBM Directory 4.1 unless it is exported via
db2ldif and imported through the bulkload or
ldif2db utilities provided with IBM Directory 4.1.
- The server will not start if you do not migrate.
- Changelog is removed during migration.
- If you have a downlevel version of DB2, you must upgrade to 7.1 Fix
Pack 3 or later.
Attention: Export your data using db2ldif and
remove the db2admin id from the operating system before unconfiguring and
removing the database (step 2). Do not use the DB2BACKUP
command. If you do not export before unconfiguring and removing the
database, you will lose your data.
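A check that can be run on the db2ldif output file before the unconfigure step, given here as an added example that is not part of the IBM guide: it parses the LDIF (folded lines, comments, base64 `dn::` values) and confirms that the export contains entries and includes the expected suffix entry. The function names, the constructed sample data and the `o=Example,c=US` suffix are assumptions made for illustration.

```python
import base64
import io
import sys


def unfold(stream):
    """Join LDIF continuation lines (a leading space continues the previous
    line) and drop comment lines, including folded comments."""
    logical = []
    skipping_comment = False
    for raw in stream:
        line = raw.rstrip("\r\n")
        if line.startswith(" ") and (skipping_comment or logical and logical[-1]):
            if not skipping_comment:
                logical[-1] += line[1:]
            continue
        skipping_comment = line.startswith("#")
        if not skipping_comment:
            logical.append(line)
    return logical


def read_dns(stream):
    """Return the DN of every entry in the LDIF stream, in file order."""
    dns = []
    expect_dn = True  # true at file start and after each blank separator
    for line in unfold(stream):
        if line == "":
            expect_dn = True
            continue
        if not expect_dn:
            continue  # attribute line inside an entry
        if line.lower().startswith("version:"):
            continue  # optional header before the first entry
        if line.startswith("dn::"):
            dns.append(base64.b64decode(line[4:].strip()).decode("utf-8"))
        elif line.startswith("dn:"):
            dns.append(line[3:].strip())
        else:
            raise ValueError("entry does not start with dn: %r" % line)
        expect_dn = False
    return dns


def normalize_dn(dn):
    """Lower-case a DN (DNs are not case sensitive) and strip spaces around
    ',' and '='. Escaped commas are not handled; this is enough for
    comparing simple suffixes."""
    parts = []
    for rdn in dn.lower().split(","):
        attr, _, value = rdn.partition("=")
        parts.append(attr.strip() + "=" + value.strip())
    return ",".join(parts)


def verify_export(stream, suffix):
    """Summarize an export: entry count and whether the suffix entry exists."""
    dns = [normalize_dn(d) for d in read_dns(stream)]
    want = normalize_dn(suffix)
    under = [d for d in dns if d == want or d.endswith("," + want)]
    return {
        "entries": len(dns),
        "suffix_entry_present": want in dns,
        "entries_under_suffix": len(under),
        "ok": bool(dns) and want in dns,
    }


# Constructed sample, not real db2ldif output.
_B64_DN = base64.b64encode("cn=J\u00fcrgen,o=Example,c=US".encode("utf-8")).decode("ascii")
SAMPLE = (
    "# constructed sample export\n"
    "dn: o=Example, c=US\n"
    "objectclass: organization\n"
    "o: Example\n"
    "\n"
    "dn: cn=A Long Common Name That Was Folded,ou=People,\n"
    " o=Example,c=US\n"
    "objectclass: person\n"
    "sn: Folded\n"
    "\n"
    "dn:: " + _B64_DN + "\n"
    "objectclass: person\n"
    "sn: Test\n"
)

if __name__ == "__main__":
    # Usage (assumed): python check_export.py <outputfile> <suffix DN>
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            result = verify_export(fh, sys.argv[2])
    else:
        result = verify_export(io.StringIO(SAMPLE), "o=Example,c=US")
    print(result)
    sys.exit(0 if result["ok"] else 1)
```

A non-zero exit status means the file should not be treated as a usable export.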
- If you are installing on a Windows 2000 or Windows NT
system:
Windows NT and Windows 2000 Service Pack 2 users must perform the following
before installation:
- Go to Start->Run... and type
secpol.msc.
- Double-click Local Policies.
- Double-click User Rights Assignments.
At this point, a list of policies is displayed. The user needs to
add the Administrator group to the following policies:
- Act as part of the operating system
- Increase quotas
- Replace a process level token
Do the following to add the Administrator group to these policies:
- Right-click on the appropriate policy, and click
Security....
- Click Add... in the new window.
- Select the Administrators group in the scrollbox, then click
Add....
- Click OK.
- Click OK again to exit.
Repeat these procedures for each of the 3 policies above. When
finished, restart your computer.
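To review the result of these steps, the user rights can be exported with `secedit /export /cfg rights.inf /areas USER_RIGHTS` (where secedit is available) and checked for the three policies. The parser below is an added example, not part of the IBM guide; the file name, the function names and the sample export are constructed for illustration, and the policy-to-constant mapping is the standard Windows one.

```python
import codecs
import sys

# Policy names from the procedure above, keyed by the privilege constant
# that appears in the [Privilege Rights] section of a secedit export.
POLICIES = {
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeIncreaseQuotaPrivilege": "Increase quotas",
    "SeAssignPrimaryTokenPrivilege": "Replace a process level token",
}
ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators


def decode_export(data):
    """secedit normally writes UTF-16 with a byte order mark; accept UTF-8 too."""
    if data.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return data.decode("utf-16")
    return data.decode("utf-8-sig")


def privilege_rights(text):
    """Return {constant: [holders]} from the [Privilege Rights] section."""
    rights = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = [h.strip() for h in value.split(",") if h.strip()]
    return rights


def audit(text, group_sid=ADMINISTRATORS_SID, group_name="Administrators"):
    """For each of the three policies, report whether the group holds it
    and which other accounts or SIDs hold it as well."""
    accepted = {("*" + group_sid).lower(), group_name.lower()}
    rights = privilege_rights(text)
    report = {}
    for constant, policy in POLICIES.items():
        holders = rights.get(constant, [])
        report[policy] = {
            "constant": constant,
            "group_present": any(h.lower() in accepted for h in holders),
            "other_holders": [h for h in holders if h.lower() not in accepted],
        }
    return report


def missing_policies(report):
    """Policies from the procedure that the group does not hold yet."""
    return [p for p, r in report.items() if not r["group_present"]]


# Constructed sample export (one policy deliberately left unassigned).
SAMPLE_EXPORT = (
    "[Unicode]\r\n"
    "Unicode=yes\r\n"
    "[Privilege Rights]\r\n"
    "SeTcbPrivilege = *S-1-5-32-544\r\n"
    "SeIncreaseQuotaPrivilege = *S-1-5-32-544,*S-1-5-19,*S-1-5-20\r\n"
    "SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20\r\n"
    "SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551\r\n"
    "[Version]\r\n"
    'signature="$CHICAGO$"\r\n'
    "Revision=1\r\n"
).encode("utf-16")

if __name__ == "__main__":
    # Usage (assumed): python audit_rights.py rights.inf
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE_EXPORT
    result = audit(decode_export(data))
    for policy, row in result.items():
        print(policy, row)
    print("missing:", missing_policies(result))
```

The same report can be kept with the installation record and rerun later to see which accounts hold these rights.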
InstallShield GUI has two installation options: Typical and
Custom. If you want to accept the default settings, select Typical
during installation. If you are an experienced user and want to
customize your installation, select Custom.
Typical installation uses default settings and is recommended for new
users.
To begin installing IBM Directory 4.1:
- Insert the CD in your CD-ROM drive. If the CD-ROM does not
automatically start, click Start->Run. Depending on whether
you are installing locally from a CD or remotely from the network, select the
drive for your CD-ROM or for the appropriate network path and then select the
package you want to install. Double-click the
Setup.exe icon. A language panel is displayed.
- Select the language you want to use during IBM Directory
installation. Click OK.
Note: This is the language used in the installation wizard, not in the IBM
Directory. You choose the language used in the IBM Directory in step 6.
- If a previous or current version of IBM Directory is not installed on your
system, go to 4. If a previous or current version of IBM Directory is
installed on your system, do one of the following:
- After reading the Software license, select I accept the
terms in the license agreement.
- Click Next. Any preinstalled components and
corresponding version levels are displayed. Click
Next.
- Select the language you want to use in IBM Directory
4.1. Click Next.
- To install to the default directory, click Next. You can
specify a different directory by clicking the Browse button.
- Select Typical installation. Click
Next.
- The following list displays:
- Client SDK 4.1
- DMT 4.1 and Java 1.3
- Server 4.1
- Note:
- If you have an earlier version of a component installed on your machine, you
must install the most current version of the component.
- Click Next. If you selected Server 4.1
in step 9, continue. If you did not select Server
4.1 in step 9, go to step 11.
Do one of the following only:
- If you have more than one Web server installed and you selected to install
the server, select which Web server you want IBM Directory to use and click
Next. Enter the full pathname of the Web server
configuration file for the Web Server. Click Next.
- If you have only one Web server installed, enter the full pathname of the
Web server configuration file for the Web Server. Click
Next.
- If you are installing Server 4.1, and you have no Web server
installed, the IBM HTTP Web server is installed. A panel appears that
prompts you for the Windows user ID and password of an existing Windows
administrator ID. After entering the user ID and password, click
Next.
- Enter a distinguished name and password. The default
distinguished name is cn=root. Enter the password again to
confirm.
The IBM Directory administrator DN is the DN used by the directory's
administrator.
Notes:
- Record this password for future reference.
- The IBM Directory administrator DN must contain cn= as part of
the DN.
- Click Next. If you selected Server 4.1
in step 9, and DB2 is not installed on your system, DB2 7.2 will
be installed for you. You will see a panel prompting you to enter a
Windows user ID and password for the DB2 system ID. If you are using an
existing Windows user ID, be sure your password is correct. The user ID
default is db2admin. Type the password. Type the
password again to confirm.
- Note:
- If you have an existing Windows user ID for the DB2 system ID, you must enter
the correct password for the ID here in order to install the DB2
correctly.
- Click Next. A screen summarizing the components selected
for installation and configuration is displayed. If you wish to change
any of your selections, use the Back button. To begin
installation, click Next.
- Note:
- Any corequisite products needed by IBM Directory, such as DB2 or a Web
server, are automatically installed. These products are listed in the
summary described in this step.
- After the files are installed, the Client README opens. If you
installed the server, the server README also opens.
- Select to reboot your computer now or later.
- Note:
- You must restart your system to complete the IBM Directory configuration and
to create the DB2 database. You are unable to use the IBM Directory
product until this is completed. During the restart, a configuration
program is run. No user input is required. The program must
complete before you can use the IBM Directory.
- Click Finish. You have completed a Typical installation
and configuration. Click Start->Programs->IBM Directory
4.1 to see a list of the installed components.
Custom installation is for experienced users who want to customize their
installation.
- Insert the CD in your CD-ROM drive. If the CD-ROM does not
automatically start, click Start->Run. Depending on whether
you are installing locally from a CD or remotely from the network, select the
drive for your CD-ROM or for the appropriate network path and then select the
package you want to install. Double-click the
Setup.exe icon. The small language panel
displays.
- Select the language you want to use during IBM Directory
installation. Click OK.
- Note:
- This is the language used in the installation wizard, not in the IBM
Directory. You choose the language used in the IBM Directory in step 7.
- If a previous or current version of IBM Directory is not installed on your
system, go to step 5. If a previous version of IBM Directory is installed
on your system, do one of the following:
- To continue with installation, click Next.
- After reading the Software license, select I accept
the terms in the license agreement. Click Next.
- Any preinstalled components and corresponding version levels
display. Click Next.
- Select the language you want to use in IBM Directory
4.1. Click Next.
- Select Custom installation.
- Click Next. This panel displays the following install
components:
- Client SDK 4.1
- DMT 4.1 and Java 1.3
- Server 4.1
- IBM HTTP Server 1.3.19
- DB2 7.2
- GSKit 5.0.4 (SSL packages only.)
The components that are not yet installed are preselected. You can
choose to reinstall the Server or the Client, if they were previously
installed. You can also choose to install the IBM HTTP Server even if
other Web servers are already installed.
This panel also indicates the amount of disk space required and available
on the selected drive.
- Click Next. On this panel, you can choose to perform any
or all of the following:
- Set the directory administration name and password
- Create the directory DB2 database
- Configure a Web server
Click Next.
A panel displays.
Depending on what you have selected to do, the following options are
displayed in sequence:
- Do one of the following:
- If you have more than one Web server installed on your system and are not
installing the IBM HTTP Web server, select the Web Server you want to use to
configure IBM Directory and click Next. Verify the location
of the configuration file is correct and then click Next.
- If you are installing the IBM HTTP Web server, a panel appears prompting
you for a userid and password. Enter a userid and password that have
administrative privileges. This id will be used to start the Web
server. Click Next.
- Accept or change the default distinguished name. Enter a password
twice. If the password entries match, the Next button
becomes active. Click Next.
- If you are installing DB2, a panel appears prompting you to enter a
Windows user ID and password for the DB2 system ID. If you are using an
existing Windows user ID, be sure your password is correct. The user ID
default is db2admin. Type the password. Type the password
again to confirm. Click Next.
- Select the type of database you want to use. Click
Next.
- Select the drive where you want to create the database. Click
Next.
- Installation now has enough information to begin installing. A
panel appears containing the following information, depending on your
selections:
- Files will be installed to the following directory C:\Program
Files\IBM\LDAP (or to the drive path that you provided)
- Password for administration DN cn=root will be set
- LDAP UCS-2(UTF-8) DB2 database will be created on drive C
- IBM HTTP will be installed in C:\Program Files\IBMHTTP Server
- Web server IBM HTTP Server will be configured using the file
C:\Program Files\IBM HTTP Server\conf\httpd.conf
- GSKit 5.0.4 will be installed in C:\Program
Files\IBM\GSK5
- DB2 7.2 will be installed in C:\Program Files\SQLLIB
Click Back to change any of your selections. Click
Next to begin installation.
- After the files are installed, the Client README opens. If you
installed the server, the server README also opens.
- Select to reboot your computer now or later.
- Note:
- You must restart your system to complete the IBM Directory configuration and
to create the DB2 database. You are unable to use the IBM Directory
product until this is completed. During the restart, a configuration
program is run. No user input is required. The program must
complete before you can use the IBM Directory.
- Click Finish.
- Click Start->Programs->IBM Directory 4.1. You
have completed a Custom installation and configuration.
- Note:
- You cannot migrate from a 3.2.x version of SecureWay Directory
or reinstall over an existing version of IBM Directory 4.1 on an AIX
platform using InstallShield GUI. Use SMIT Installation to install IBM Directory if you want to migrate or
reinstall.
You cannot migrate or reinstall over an existing version of IBM Directory
4.1 on an AIX platform using InstallShield GUI. Use SMIT Installation to install IBM Directory if you want to migrate or
reinstall. See Migration from SecureWay Directory Version 3.2.x for AIX installations for instructions on migrating and restoring backed-up files
after reinstallation on an AIX system.
InstallShield GUI has two installation options: Typical and
Custom. If you want to accept the default settings, select Typical
during installation. If you are an experienced user and want to
customize your installation, select Custom.
- Go to the root directory on your CD. Invoke
setup. A language panel is displayed.
- Select the language you want to use during IBM Directory
installation. Click OK.
- Note:
- This is the language used in the installation wizard, not in the IBM
Directory. You choose the language used in the IBM Directory in step 5.
Attention: If you have a version of IBM Directory already
installed on your system, a message appears telling you that you must remove
it before installing. If you do not save and back up your data
before uninstalling, you will lose it. See Before installing on UNIX-based platforms for instructions on how to save and back up your
data.
- After reading the Software license, click I accept the terms in the
license agreement.
- Click Next. Any preinstalled components and
corresponding version levels are displayed. Click
Next.
- Select the language you want to use in IBM Directory
4.1. Click Next.
- Select Typical installation. Click
Next.
- The following list displays:
- Client SDK 4.1
- DMT 4.1 and Java 1.3
- Server 4.1
Select the features you want to install.
- Click Next. A screen summarizing the components selected
for installation and configuration is displayed. If you wish to change
any of your selections, use the Back button. To begin
installation, click Next.
- Note:
- Any corequisite products needed by IBM Directory, such as DB2 or a Web
server, are automatically installed. These products are listed in the
summary described in this step.
- After the files are installed, the Client README opens. After
reading the Client README, click Next. If you installed the
server, the server README also opens. After reading the Server README,
click Next.
- Click Finish. At this point we recommend you configure
the IBM Directory. See Configuration for instructions on how to configure IBM Directory.
- Insert the CD in your CD-ROM drive. Go to the root directory on the
CD and invoke setup. A language panel displays.
- Select the language you want to use during IBM Directory
installation. Click OK.
- Note:
- This is the language used in the installation wizard, not in the IBM
Directory. You choose the language used in the IBM Directory in step 5.
Attention: If you have a version of IBM Directory already
installed on your system, a message appears telling you that you must remove
it before installing. Before you uninstall, see Before installing on UNIX-based platforms for instructions on how to save and back up your
data. If you do not save and back up your data, you will lose it
during the uninstall.
- After reading the Software license, select I accept the terms in
the license agreement. Click Next.
- Any preinstalled components and corresponding version levels
display. Click Next.
- Select the language you want to use in IBM Directory
4.1. Click Next.
- Select Custom installation.
- Click Next. This panel displays the following install
components:
- Client SDK 4.1
- DMT 4.1 and Java 1.3
- Server 4.1
- IBM HTTP Server 1.3.12
- DB2 V7.2
- GSKit 5.0.4 (SSL packages only.)
The components that are not yet installed are preselected. You
can choose to install the IBM HTTP Server if other Web servers are already
installed.
- Note:
- The IBM HTTP Server feature is not offered for Linux platforms.
This panel also indicates the amount of disk space required and available
on the selected drive. Click Next.
- Installation now has enough information to begin installing. A
summary panel displays the components you selected and the locations where the
selected components will be installed. Click Back to change
any of your selections. Click Next to begin
installation.
- After the files are installed, the Client README opens. After
reading the Client README, click Next. If you installed the
server, the server README also opens. After reading the Server README,
click Next.
- Click Finish. Installation is complete. At this
point we recommend you configure the IBM Directory. See Configuration for instructions on how to configure IBM Directory.
You can use either SMIT Installation (the preferred installation method) or
installp from Command Line Installation to install the IBM Directory.
Attention:
Use SMIT Installation to install IBM Directory if you want to migrate from a
3.2.x version of SecureWay Directory or reinstall over an
existing version of IBM Directory 4.1. Read and understand the
migration process in Migration from SecureWay Directory Version 3.2.x for AIX installations before installing IBM Directory. Migration from SecureWay Directory Version 3.2.x for AIX installations contains instructions on migrating and
restoring backed-up files after reinstallation on an AIX system. It is
very important that you back up and export previous versions of schema files
and slapd32.conf before installing IBM Directory
4.1.
Notes:
- Full client and server versions require an X11 environment.
Versions of IBM Directory Client and Server with no X11 requirements are
available in this release. For a client with no X11 requirements,
install the minimal client that provides IBM Directory Client Runtime
(ldap.client.rte) and IBM Directory Client SDK
(ldap.client.adt).
For a server with no X11 requirements, do not install the IBM Directory
Server Configuration GUI (ldapxcfg). ldapxcfg is
located in the ldap.server.cfg fileset.
- You do not need to install security functions if you are not going to use
them. You can provide SSL by installing a Global Security Kit (GSKit),
which is included with IBM Directory 4.1.
- If you are installing the IBM Directory on a node within an RS/6000(R)
SP(TM) environment, see Before Installing on a Node within an RS/6000 SP Environment before beginning installation.
For more detailed information on AIX operating system installation
procedures and commands, see the AIX Installation Guide that comes
with the operating system.
To install IBM Directory using smit:
- Log on as root.
- Insert the CD containing IBM Directory Version 4.1 into the CD-ROM
drive or download the files from the IBM Directory Web site
at:
http://www.ibm.com/software/network/directory.
- At the command prompt, type the following:
smit install
and press Enter. The Software Installation and
Maintenance window is displayed.
- Click Install and Update Software. The Install and
Update Software window is displayed.
- Click Install and Update from the LATEST Available
Software.
- Click List beside the INPUT device/directory for
software field.
- Select the appropriate CD-ROM drive or the directory containing the IBM
Directory images.
- Move your cursor to Software to install. Do one of the
following:
- Type ldap to install all the ldap filesets (or
ldap.server, or ldap.client, if appropriate).
- Click List to list all the filesets on the compact disc, and
then select the filesets that you want to install, including different
translations of IBM Directory messages.
- Note:
- By default smit installs translated messages based on the language you
configured into your AIX system.
If you select the list option, you see:
> ldap.client ALL
4.1.0.0 IBM Directory Client DMT
4.1.0.0 IBM Directory Client Java
4.1.0.0 IBM Directory Client Runtime (No SSL)
4.1.0.0 IBM Directory Client SDK
> ldap.html.de_DE ALL
4.1.0.0 IBM Directory HTML Install/Config Gd-German
4.1.0.0 IBM Directory HTML Man Pages - German
> ldap.html.en_US ALL
4.1.0.0 IBM Directory HTML Install/Config Gd-U.S. English
4.1.0.0 IBM Directory HTML Man Pages - U.S. English
> ldap.server ALL
4.1.0.0 IBM Directory Server Administrative Interface
4.1.0.0 IBM Directory Server Config GUI
4.1.0.0 IBM Directory Server Framework
4.1.0.0 IBM Directory Server Runtime (No SSL)
- Note:
- The ldap.html packages are language specific. The
ldap.html.en_US and ldap.html.de_DE packages are
used as examples.
When you finish selecting filesets, click OK.
- Click OK. The message Are You Sure? is
displayed.
- Click OK to start the installation.
- Check the installation summary at the end of the output to verify
successful installation of the filesets.
- Click Done.
- Exit smit by pressing F12 or by clicking Cancel
until you are back to a command prompt. Verify that IBM Directory was
installed successfully by typing the following at a command prompt:
lslpp -L | grep ldap
The output displayed lists all the filesets starting with ldap. This
includes the server, client, HTML, and message filesets. For
example:
ldap.client.adt 4.1.0.0 C IBM Directory SDK
ldap.client.rte 4.1.0.0 C IBM Directory Client
ldap.html.en_US.config 4.1.0.0 C IBM Directory HTML
ldap.html.en_US.man 4.1.0.0 C IBM Directory HTML man
ldap.msg.en_US 4.1.0.0 C IBM Directory Messages
ldap.server.admin 4.1.0.0 C IBM Directory Server
ldap.server.com 4.1.0.0 C IBM Directory Server
ldap.server.rte 4.1.0.0 C IBM Directory Server
- Note:
- If you want to migrate from a 3.2.x version of SecureWay
Directory or reinstall over an existing version of IBM Directory 4.1,
use the instructions in SMIT Installation to install IBM Directory.
To install IBM Directory from a command prompt:
- Log on as root.
- Insert the AIX 4.3.3 or higher CD into the CD-ROM
drive.
- Determine which IBM Directory packages you need. For the server and
client, the package name is ldap.server, and for just the client, the
package name is ldap.client. For all packages, including all
language translations of the message files and documentation, the package name
is ldap.
- Determine which language versions of the message files and documentation
you need. To see the language versions that are available, type the
following command:
installp -ld /dev/cd0 | grep ldap
A list of all the installable IBM Directory packages is displayed.
Some examples of United States English-specific packages are:
ldap.html.en_US.man
ldap.msg.en_US
- At the command prompt, install the required packages with the following
command:
installp -acgXd /dev/cd0 <packages>
where:
- -a stands for apply
- -c stands for commit
- -g installs prerequisites if necessary
- -X increases the file system space if needed
- -d stands for device
Examples:
To install only the IBM Directory server and client files, type:
installp -acgXd /dev/cd0 ldap.server
To install all of the IBM Directory filesets (including every language
translation of messages), type:
installp -acgXd /dev/cd0 ldap
- Upon completion of installation, the system generates an installation
summary. Verify that the Result column shows success for all
loaded files. You can also verify that IBM Directory was installed
successfully by typing the following at a command prompt:
lslpp -L | grep ldap
The output displayed lists all the filesets starting with ldap. This
includes the server, client, HTML, and message filesets. For
example:
ldap.client.adt 4.1.0.0 C IBM Directory SDK
ldap.client.dmt 4.1.0.0 C IBM Directory Client DMT
ldap.client.java 4.1.0.0 C IBM Directory Client Java
ldap.client.rte 4.1.0.0 C IBM Directory Client Runtime
ldap.html.en_US.config 4.1.0.0 C IBM Directory Install/Config
ldap.html.en_US.man 4.1.0.0 C IBM Directory Man Pages - U.S.
ldap.msg.en_US 4.1.0.0 C IBM Directory Messages - U.S.
ldap.server.admin 4.1.0.0 C IBM Directory Server
ldap.server.cfg 4.1.0.0 C IBM Direcotry Server Config GUI
ldap.server.com 4.1.0.0 C IBM Directory Server Framework
ldap.server.rte 4.1.0.0 C IBM Directory Server Runtime
- If you want to include security functions, install GSKit
5.0.4. See Installing GSKit.
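The `lslpp -L | grep ldap` check used after both the SMIT and the command-line installation can be scripted so that a missing, back-level or uncommitted fileset is reported instead of being overlooked in the listing. The following is an added example, not part of the original guide; the function name `check_filesets` and the sample listing are hypothetical, and it assumes the fileset, level and state appear in the first three columns, with state `C` meaning committed.

```shell
#!/bin/sh
# Added example: audit `lslpp -L | grep ldap` output for the filesets you expect.

# Constructed sample listing (fileset, level, state, description). Two lines are
# deliberately wrong: ldap.server.cfg is only applied (A) and ldap.server.rte
# is at an older level.
SAMPLE_LSLPP='  ldap.client.adt  4.1.0.0  C  IBM Directory SDK
  ldap.client.rte  4.1.0.0  C  IBM Directory Client Runtime
  ldap.server.cfg  4.1.0.0  A  IBM Directory Server Config GUI
  ldap.server.com  4.1.0.0  C  IBM Directory Server Framework
  ldap.server.rte  4.0.0.0  C  IBM Directory Server Runtime'

# check_filesets LISTING FILESET...
# Prints one line per problem and returns the number of problems (0 = clean).
check_filesets() {
    listing=$1
    shift
    problems=0
    for want in "$@"; do
        # Match the fileset name exactly on column 1, so that ldap.client does
        # not accidentally match ldap.client.rte.
        found=$(printf '%s\n' "$listing" |
            awk -v want="$want" '$1 == want { print $2, $3; exit }')
        if [ -z "$found" ]; then
            echo "MISSING $want"
            problems=$((problems + 1))
            continue
        fi
        level=${found% *}
        state=${found#* }
        case $level in
            4.1.*) ;;
            *)  echo "LEVEL   $want is at $level, expected 4.1.x"
                problems=$((problems + 1)) ;;
        esac
        if [ "$state" != "C" ]; then
            echo "STATE   $want is in state $state, expected C (committed)"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Demo on the constructed sample. On AIX, pass "$(lslpp -L | grep ldap)" instead.
check_filesets "$SAMPLE_LSLPP" \
    ldap.client.rte ldap.server.rte ldap.server.cfg ldap.msg.en_US ||
    echo "problems found: $?"
```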
If you are installing the IBM Directory on a node within an RS/6000 SP
environment you must first add the necessary users and groups to the Control
Workstation (CWS) and propagate them out to the nodes using
/var/sysamn/supper update.
- Add ldap user and group on the CWS.
mkgroup id=300 ldap
mkuser id=300 ldap
chgrpmem -m + ldap ldap
- You need to create the userID ldapdb2 and group
dbsysadm only if you are using the default database. For any
other database you must add the user and the group through the Control
Workstation.
mkgroup id=350 dbsysadm
mkuser id=350 ldapdb2
chgrpmem -m + ldapdb2 dbsysadm
- Note:
- The user ids and group ids used are just for the purpose of this
example. You can choose different user ids and group ids for your
environment or use the system defaults.
- Remove the home directory of ldap user.
rm -rf /home/ldap
- Update the RS/6000 SP nodes with the new users and groups.
/var/sysamn/supper update
You are now ready to install and configure the IBM Directory on the
RS/6000 SP node.
If you installed an SSL-enabled version of IBM Directory, you need to
install GSKit to take advantage of the security features.
To install using the System Management Interface tool (SMIT):
- Invoke SMIT by typing smit at the command line.
- Select Software Installation & Maintenance.
- Select Install and Update Software.
- Select Install and Update Software by Package Name.
- On the device/directory window specify the directory which contains the
installable software.
- Select Package gskkm from the Multi-select List
- Select the file sets of the software package to install
- Select the options appropriate to your installation requirements from the
Options window.
- Note:
- Set the Install all prereqs options to yes.
- Confirm to complete the installation.
To install GSKit from the command line:
installp -acdgqW gskkm.rte
The installp command installs available software products in a
compatible installation package.
Options:
a apply
c commit
d device, specifies where the installation media can be found.
g automatically installs or commits any requisite software product.
p runs preinstallation checks for the specified action.
q suppresses the prompt for the device.
W does not wildcard FilesetName. By default, the system installs
foo.rte.bar when foo.rte is chosen.
The Ikeyman GUI sets up its own environment except for JAVA_HOME. To see
how ikeyman sets its environment, edit
/usr/opt/ibm/gskkm/bin/gsk5ikm.
The user needs to set the following AIX variable so ikeyman can
run: JAVA_HOME=location, where location
is the location where the user installed JDK 1.1.7.
- Note:
- If you are prompted to set JAVA_HOME, you can set it to either the
system-installed Java or the Java version included with the IBM Directory
Server. If you use the IBM Directory Server version, you also need to
set the LIBPATH environment variable as follows:
export LIBPATH=/usr/ldap/java/bin:/usr/ldap/java/bin/classic:$LIBPATH
To remove GSKit using SMIT:
- Invoke SMIT by typing smit at the command line.
- Select Software Installation and Maintenance from the menu.
- Select Software Maintenance and Utilities.
- From the Maintenance window, select Remove Installed Software
to open the Remove Software Product window.
- Enter the name of the software package
- Turn the flag for REMOVE dependent software? to YES
to instruct the system to automatically remove software products and updates
that are dependent upon the product you are removing.
- Confirm the procedure to complete the removal of the software
package.
To remove GSKit using the command line:
installp -u -g -V2 <gskkm.rte>
u Removes the specified software and any of its installed updates
from the system.
g this flag removes or rejects dependents of the specified software.
V2 prints alphabetically ordered list of FAILURES and WARNINGS.
Attention: If you have a 3.2.x version of
SecureWay Directory installed, and you want to migrate your data, use the
instructions in SMIT Installation to install IBM Directory. Read and understand the
migration process in Migration from SecureWay Directory Version 3.2.x for UNIX installations before installing IBM Directory 4.1. It is
very important that you back up and export previous versions of schema files
and slapd32.conf before installing IBM Directory 4.1.
The following sections step you through setting the current configuration
parameters and installing the Java Runtime Environment. You must have
the current kernel configuration parameters set, and Java Runtime Environment
1.3 and DB2 Version 7.1 Fix Pack 3 or later installed before
installing the IBM Directory.
Instructions given in this chapter assume you are logged in as
root and have the IBM Directory Version 4.1 CD mounted at
/SD_CDROM.
- Note:
- Before installing the DB2, you must remove any existing versions of DB2 that
might have been installed previously. If you try to install DB2 over an
existing version of DB2, DB2 does not install correctly. If this occurs
you must remove DB2 and then reinstall it.
The following table contains the parameters and values that must be set
before installing IBM Directory Server.
Table 1. HP-UX operating system kernel configuration parameters
| Kernel parameter | Value (256MB+ physical memory) |
|---|---|
| maxuprc | 512 |
| maxfiles | 256 |
| nproc | 1024 |
| nflocks | 8192 |
| ninode | 2048 |
| nfile | (4 * ninode) |
| msgseg | 32768 |
| msgmnb | 65535 (1) |
| msgmax | 65535 (1) |
| msgtql | 1024 |
| msgmap | 258 |
| msgmni | 256 |
| msgssz | 16 |
| semmni | 512 |
| semmap | 514 |
| semmns | 1024 |
| semmnu | 1024 |
| shmmax | 268435456 (2) |
| shmseg | 16 |
| shmmni | 300 |
To set a kernel configuration parameter:
- At a command prompt, type: sam
The System Administration Manager opens.
- Double-click Kernel Configuration.
- Double-click Configurable Parameters.
- Double-click the parameter you want to edit and specify the new value in
the Enter New Formula\Value field.
- Click OK.
- Repeat steps 5 and 6 for each parameter that needs to be set.
- Click Actions-->Process New Kernel.
- To process the modifications, click Yes.
- Select Move Kernel Into Place and Shutdown/Reboot Now and click
OK.
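Before and after working through sam, the current settings can be compared with Table 1 in one pass. The following is an added example, not part of the original guide; `check_kernel_params`, `REQUIRED` and the sample data are hypothetical names. It assumes the current settings are supplied as one "name value" pair per line (for instance the first two columns of `kmtune` output on your HP-UX release) and that a value higher than the table value is acceptable.

```shell
#!/bin/sh
# Added example: compare current HP-UX kernel parameters with Table 1.

# Values from Table 1 (nfile is derived from ninode and handled below).
REQUIRED='maxuprc 512
maxfiles 256
nproc 1024
nflocks 8192
ninode 2048
msgseg 32768
msgmnb 65535
msgmax 65535
msgtql 1024
msgmap 258
msgmni 256
msgssz 16
semmni 512
semmap 514
semmns 1024
semmnu 1024
shmmax 268435456
shmseg 16
shmmni 300'

# Constructed sample of current settings. maxfiles and shmmax are too low,
# nfile is still a formula, and semmnu is absent.
SAMPLE_CURRENT='maxuprc 512
maxfiles 60
nproc 1024
nflocks 8192
ninode 2048
nfile (16*(nproc+16+maxusers)/10+32)
msgseg 32768
msgmnb 65535
msgmax 65535
msgtql 1024
msgmap 258
msgmni 256
msgssz 16
semmni 512
semmap 514
semmns 1024
shmmax 67108864
shmseg 16
shmmni 300'

# check_kernel_params CURRENT
# Prints one line per parameter needing attention; returns how many there are.
check_kernel_params() {
    {
        printf '%s\n' "$REQUIRED"
        echo '--'                      # separator between table and input
        printf '%s\n' "$1"
    } | awk '
        $1 == "--" && !phase { phase = 1; next }
        !phase  { need[$1] = $2; order[++n] = $1; next }
        NF >= 2 { cur[$1] = $2 }
        END {
            bad = 0
            # Table 1 defines nfile as (4 * ninode); follow a larger ninode.
            base = need["ninode"]
            if (("ninode" in cur) && cur["ninode"] ~ /^[0-9]+$/ &&
                cur["ninode"] + 0 > base + 0)
                base = cur["ninode"]
            need["nfile"] = 4 * base
            order[++n] = "nfile"
            for (i = 1; i <= n; i++) {
                p = order[i]
                if (!(p in cur)) {
                    printf "MISSING %s (table value %s)\n", p, need[p]; bad++
                } else if (cur[p] !~ /^[0-9]+$/) {
                    # A formula cannot be compared here; evaluate it by hand.
                    printf "FORMULA %s = %s (table value %s)\n", p, cur[p], need[p]; bad++
                } else if (cur[p] + 0 < need[p] + 0) {
                    printf "LOW     %s = %s (table value %s)\n", p, cur[p], need[p]; bad++
                }
            }
            exit bad
        }'
}

# Demo on the constructed sample.
check_kernel_params "$SAMPLE_CURRENT" || echo "parameters needing attention: $?"
```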
Do the following to install HP-UX Runtime Environment for the Java 2
Platform Version 1.3:
- Type swinstall at a command prompt.
- Select B9789AA
- Click Actions -->Mark For Install.
- Click Actions -->Install (analysis) . . .
Analysis is complete when the Status field reads
Ready.
- Click OK.
- To begin installation, click Yes. Installation is
complete when the Status field reads Done.
- Click File --> Exit.
Before installing the IBM Directory, you must remove any non-IBM versions
of LDAP that might have been installed previously. If you try to
install the IBM Directory over an existing non-IBM version of LDAP, such as
OpenLDAP, the IBM Directory does not install correctly. If this occurs
you must remove the IBM Directory and then reinstall it. See Removing IBM Directory.
Before installing the IBM Directory, make sure you have the correct kernel
configuration parameters set, and Java Runtime Environment 1.3
and DB2 Version 7.1 Fix Pack 3 or later installed.
To install IBM Directory:
- Type swinstall at a command prompt.
- Select the IBM Directory 4.1 version you want to install.
You can select from the following list:
LDAPServer
LDAPClient
LDAPServer_noSSL
LDAPClient_noSSL
Selecting LDAPServer installs both the server and
client. Selecting LDAPClient installs the client
only. Selecting LDAPServer_noSSL or
LDAPClient_noSSL installs the client and server or client only with
SSL disabled.
- Note:
- If you select an SSL-enabled version of IBM Directory, you must also install
GSKit. See Installing GSKit.
- Click Actions -->Mark For Install.
- Click Actions -->Install (analysis) . . .
Analysis is complete when the Status field reads Ready.
- Click OK.
- Click Yes to begin installation. Installation is
complete when the Status field reads Done.
- Click File --> Exit.
You can install the GSKit package (gsk5bas.tar.Z) through
the command line or through sam, a GUI utility for system
administration.
To install GSKit:
- Download or copy the GSKit package to /tmp.
- Run the following command:
cd /tmp
- Uncompress and untar the package:
zcat gsk5bas.tar.Z | tar -xvf - cd
- Run the following command:
swinstall -s /var/spool/pkg/gsk5bas gsk5bas
Options:
-p Preview the install task by running the session through
the analysis phase only.
-s The full_path of the software source
sw_selection The name of the install package
gsk5bas Contains the Restricted GSKit Base Toolkit install image
Set the following path in your .profile and verify that it has been
set:
SHLIB_PATH=/usr/lib
To set this path, the following example is provided:
export SHLIB_PATH=/usr/lib:$SHLIB_PATH
To remove GSKit, run the following command at a command prompt:
swremove gsk5bas
Options:
-p Preview the install task by running the session through
the analysis phase only.
sw_selection The name of the install package.
You need to add NLS to your environment.
- Run the following commands to modify your environment:
echo 'export NLSPATH=/usr/lib/nls/msg/%L/%N' >>~/.profile
- Note:
- Ensure that you include the tilde character before
/.profile in the previous commands.
The following instructions tell you how to set up a basic IBM
Directory. You can find more detailed information in subsequent
sections of this documentation.
Instructions given in this chapter assume you are logged in as
root and have the IBM Directory Version 4.1 CD mounted at
/SD_CDROM.
Attention: If you have a 3.2.x version of
SecureWay Directory installed, and you want to migrate your data, use the
instructions in SMIT Installation to install IBM Directory. Read and understand the
migration process in Migration from SecureWay Directory Version 3.2.x for UNIX installations before installing IBM Directory 4.1. It is
very important that you back up and export previous versions of schema files
and slapd32.conf before installing IBM Directory 4.1.
- Note:
- Before installing the IBM Directory, you must remove any existing versions of
LDAP that might have been installed previously. If you try to install
the IBM Directory over an existing version of LDAP, the IBM Directory does not
install correctly. If this occurs you must remove the IBM Directory and
then reinstall it. See Removing IBM Directory.
One method to determine if you have a previously installed version of LDAP
is to issue the following command to query the installed packages:
rpm -qa | grep -i ldap
This command finds any installed applications containing the name
ldap. This method works only if you have a version of LDAP that
contains the string ldap in its application names.
The IBM Directory for Linux operating system is shipped in the following
packages.
Intel-based Linux packages:
- ldap-server-4.1-1.i386.rpm (no SSL)
- ldap-client-4.1-1.i386.rpm (no SSL)
- ldap-serverd-4.1-1.i386.rpm (SSL enabled)
- ldap-clientd-4.1-1.i386.rpm (SSL enabled)
- ldap-msg-xxx-4.1-1.i386.rpm (Where
xxx is language dependent.)
- ldap-html-xxx-4.1-1.i386.rpm (Where
xxx is language dependent.)
- ldap-dmtjava-4.1-1.i386.rpm (no SSL)
- ldap-dmtjavad-4.1-1.i386.rpm (SSL enabled)
Linux S/390(R) packages:
- ldap-server-4.1-1.s390.rpm (no SSL)
- ldap-client-4.1-1.s390.rpm (no SSL)
- ldap-serverd-4.1-1.s390.rpm (SSL enabled)
- ldap-clientd-4.1-1.s390.rpm (SSL enabled)
- ldap-msg-xxx-4.1-1.s390.rpm (Where
xxx is language dependent.)
- ldap-html-xxx-4.1-1.s390.rpm (Where
xxx is language dependent.)
- ldap-dmtjava-4.1-1.s390.rpm (no SSL)
- ldap-dmtjavad-4.1-1.s390.rpm (SSL enabled)
Notes:
- The examples in this chapter use Linux Intel-based packages.
- For Turbolinux Version 6.5, during the install, the install tool
(rpm) thinks there is a dependency on the file
libstdc++.so.2.9 and cannot find it even though a
more recent version is on the system. To fix this problem specify
--nodeps (dash dash nodeps) in the rpm input parameters. For
example:
rpm --nodeps -hiv ldap-client-4.1-1.i386.rpm
Specifying --nodeps bypasses dependency checking. It
allows the code to be installed.
To install the IBM Directory with no SSL:
- Install the client:
rpm -hiv ldap-client-4.1-1.i386.rpm
- Install the DMT:
rpm -hiv ldap-dmtjava-4.1-1.i386.rpm
- Install the server:
rpm -hiv ldap-server-4.1-1.i386.rpm
- Verify that the packages have been installed correctly:
rpm -qa | grep ldap
If the product has been successfully installed, the following is
displayed:
ldap-client-4.1-1
ldap-dmtjava-4.1-1
ldap-server-4.1-1
- Install the language-dependent messages or documents:
rpm -hiv ldap-msg-xxx-4.1-1.i386.rpm
rpm -hiv ldap-html-xxx-4.1-1.i386.rpm
After installing the messages, you need to set the following environment
variables:
export NLSPATH=/usr/share/i18n/msg/%L/%N
export LANG=xxx
export LC_ALL=xxx
where xxx is the language. For example, de_DE.
To install the IBM Directory with SSL enabled:
- Install the client:
rpm -hiv ldap-clientd-4.1-1.i386.rpm
- Install the DMT:
rpm -hiv ldap-dmtjavad-4.1-1.i386.rpm
- Install the server:
rpm -hiv ldap-serverd-4.1-1.i386.rpm
- Verify that the packages have been installed correctly:
rpm -qa | grep ldap
If the product has been successfully installed, the following is
displayed:
ldap-clientd-4.1-1
ldap-dmtjavad-4.1-1
ldap-serverd-4.1-1
- Install the language-dependent messages or documents:
rpm -hiv ldap-msg-xxx-4.1-1.i386.rpm
rpm -hiv ldap-html-xxx-4.1-1.i386.rpm
After installing the messages, you need to set the following environment
variables:
export NLSPATH=/usr/share/i18n/msg/%L/%N
export LANG=xxx
export LC_ALL=xxx
where xxx is the language. For example, de_DE.
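The pre-install query and both verification steps above filter the rpm -qa output on the string ldap, which does not distinguish the non-SSL package set from the SSL-enabled one. The following added example (not part of the IBM guide) classifies that output instead and flags a mixed installation or leftover ldap-named packages; the function name is an assumption made for illustration.

```shell
#!/bin/sh
# Added example, not from the IBM guide. Reads `rpm -qa` output on stdin.

# classify_ldap_rpms
#   Prints "variant=<none|nossl|ssl|mixed> foreign=<names>".
#   Returns 1 when SSL and non-SSL packages are mixed, or when a package
#   that is not one of the guide's packages has "ldap" in its name;
#   returns 0 otherwise.
classify_ldap_rpms() {
    _ssl=0
    _plain=0
    _foreign=
    while IFS= read -r _pkg; do
        case "$_pkg" in
            # SSL-enabled set: the package names end in "d"
            ldap-serverd-[0-9]*|ldap-clientd-[0-9]*|ldap-dmtjavad-[0-9]*)
                _ssl=$((_ssl + 1)) ;;
            # non-SSL set
            ldap-server-[0-9]*|ldap-client-[0-9]*|ldap-dmtjava-[0-9]*)
                _plain=$((_plain + 1)) ;;
            # language-dependent messages and documents, shared by both sets
            ldap-msg-*|ldap-html-*) ;;
            # anything else with "ldap" in its name, in any letter case
            *[Ll][Dd][Aa][Pp]*)
                _foreign="${_foreign:+$_foreign }$_pkg" ;;
        esac
    done

    if [ "$_ssl" -gt 0 ] && [ "$_plain" -gt 0 ]; then
        _variant=mixed
    elif [ "$_ssl" -gt 0 ]; then
        _variant=ssl
    elif [ "$_plain" -gt 0 ]; then
        _variant=nossl
    else
        _variant=none
    fi

    printf 'variant=%s foreign=%s\n' "$_variant" "$_foreign"
    if [ "$_variant" = mixed ] || [ -n "$_foreign" ]; then
        return 1
    fi
    return 0
}

# Typical use on the target system:
#   rpm -qa | classify_ldap_rpms
```

Before installation the expected result is variant=none with an empty foreign list; afterwards it is nossl or ssl, matching the package set that was chosen.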
The following information is provided as a guide for those who want to
install the software package gsk5bas.tar on a Linux operating
system. You can install the package from the command line.
The rpm commands to perform the installation are:
- Install in the default location, /usr/local (you must be "root"):
rpm -ivv <rpm_file>
Example:
rpm -ivv gsk5bas-5.0.1-X.i386.rpm
- Install in a user-specified location with --prefix (you must have
write access to that location). To avoid the errors from the post-install
script, which occur if the user is not "root", use the --noscripts flag:
rpm -hiv --prefix <new_location> <rpm_file> --noscripts
Example:
rpm -hiv --prefix /tmp/usr gsk5bas-5.0.1-X.i386.rpm --noscripts
To remove GSKit, type the following at a command prompt:
rpm -evv <package_name>
Options:
-evv Erase <package_name> and display debugging information.
Use just -e if no trace or debug information is desired.
<package_name> Name of the rpm package to be removed.
Example:
rpm -evv gsk5bas-5.0.1
You need to add DB2INSTANCE and LD_LIBRARY_PATH to your environment.
The following examples assume that you are using the bash shell. If you
use a different shell, substitute the appropriate .login or
.profile for .bashrc.
- Log on as root, or enter the command:
su -
- Run the following commands to modify your environment:
echo 'export DB2INSTANCE=ldapdb2' >>~/.bashrc
echo 'export LD_LIBRARY_PATH=/usr/IBMdb2/V7.1/lib:/usr/ldap/lib:$LD_LIBRARY_PATH' >>~/.bashrc
. ~/.bashrc
- Note:
- Ensure that you include the tilde character before /.bashrc
in the previous commands.
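When LD_LIBRARY_PATH is not already set, the line written above expands to a value that ends in a colon, and the dynamic linker treats an empty path element as the current working directory, which is undesirable in root's environment. The following added example (not part of the IBM guide) builds the same search path without empty elements and appends lines to an rc file only once; the function and variable names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the IBM guide. The two directories are the ones
# the guide appends to ~/.bashrc.
IBM_LIB_DIRS=/usr/IBMdb2/V7.1/lib:/usr/ldap/lib

# rc-file line that adds the ":" separator only when LD_LIBRARY_PATH is
# already set and non-empty, so no empty element is ever produced.
RC_LINE='export LD_LIBRARY_PATH=/usr/IBMdb2/V7.1/lib:/usr/ldap/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}'

# has_empty_element PATHLIST
#   Returns 0 if PATHLIST has a leading, trailing or doubled colon. The
#   dynamic linker reads such an empty element as the current directory.
has_empty_element() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
    esac
    return 1
}

# join_lib_path NEW CURRENT
#   Prints NEW followed by CURRENT as one colon-separated list, dropping
#   empty elements and directories that are already listed.
join_lib_path() {
    _all="$1:$2"
    _out=
    _old_ifs=$IFS
    IFS=:
    set -f                      # no pathname expansion while splitting
    for _d in $_all; do
        [ -n "$_d" ] || continue
        case ":$_out:" in
            *":$_d:"*) continue ;;
        esac
        _out="${_out:+$_out:}$_d"
    done
    set +f
    IFS=$_old_ifs
    printf '%s\n' "$_out"
}

# ensure_line FILE LINE
#   Appends LINE to FILE unless an identical line is already there, so
#   running the setup twice does not stack duplicate exports.
ensure_line() {
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >>"$1"
}

# Typical use, as root:
#   ensure_line ~/.bashrc 'export DB2INSTANCE=ldapdb2'
#   ensure_line ~/.bashrc "$RC_LINE"
#   . ~/.bashrc
```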
For information about starting, stopping and populating the directory,
see the IBM Directory Server Version 4.1 Administration
Guide.
Instructions given in this chapter assume you are logged in as
root and have the IBM Directory Version 4.1 CD mounted at
/SD_CDROM.
Attention: If you have a 3.2.x version of
SecureWay Directory installed, and you want to migrate your data, use the
instructions in SMIT Installation to install IBM Directory. Read and understand the
migration process in Migration from SecureWay Directory Version 3.2.x for UNIX installations before installing IBM Directory 4.1. It is
very important that you back up and export previous versions of schema files
and slapd32.conf before installing IBM Directory 4.1.
- Note:
- Before installing the IBM Directory, you must remove any existing versions of
LDAP that might have been installed previously. If you try to install
the IBM Directory over an existing version of LDAP, the IBM Directory does not
install correctly. See Removing IBM Directory.
Use either the admintool utility or pkgadd from a
command prompt to install IBM Directory.
- Note:
- You do not need to install security functions if you are not going to use
them. You can provide SSL by installing a Global Security Kit
(GSKit).
The following instructions assume that you are installing from a CD-ROM
with the device name /dev/cd0.
The following five IBM Directory packages are available for
installation:
- IBMldapc IBM Directory Client
- IBMldapdj IBM Directory DMT
- IBMldaps IBM Directory Server
- IBMldixxx IBM Directory Documentation (where xxx is language dependent)
- IBMldmxxx IBM Directory Messages (where xxx is language dependent)
- Note:
- The English messages are automatically installed with the IBMldaps (server)
package. There is no separate messages package for English.
Because of package dependencies, the order of installation is
significant. Install the packages in the following order:
- Client
- DMT
- Server
- Documentation and Messages
If installing only the client software, the order is:
- Client
- DMT
- Documentation and Messages
If the client package is not installed first, the installation
fails.
During the installation of the server or client on Solaris Operating
Environment Software Version 8, or the server on Version 7, you might
encounter the following message:
A non-IBM version of LDAP has been located on your system. In order
to use the command line version of the IBM supplied files, the
existing files (ldapadd, ldapdelete, ldaplist, ldapmodify,
ldapmodrdn, ldapsearch) must be relocated. Specify the new
directory in which to move the files (/usr/bin/ldapsparc) [?,q]
Press Enter to accept the default directory
(/usr/bin/ldapsparc), or type a new path name and press Enter, or
type q and press Enter to quit.
After relocating the files, you might see these additional messages:
## Processing system information.
WARNING: /usr/bin/ldapadd <no longer a linked file>
WARNING: /usr/bin/ldapdelete <no longer a linked file>
WARNING: /usr/bin/ldapmodify <no longer a linked file>
WARNING: /usr/bin/ldapmodrdn <no longer a linked file>
WARNING: /usr/bin/ldapsearch <no longer a linked file>
## Verifying package dependencies.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
The following files are already installed on the system and
are being used by another package:
/usr/bin/ldapadd
/usr/bin/ldapdelete
/usr/bin/ldapmodify
/usr/bin/ldapmodrdn
/usr/bin/ldapsearch
Do you want to install these conflicting files [y,n,?,q]
Type y and press Enter to continue the
installation. The existing files are moved to the directory previously
specified and the IBM Directory files are installed in the /usr/bin
directory.
To install IBM Directory using the admintool utility:
- Type the following at a root command prompt:
admintool&
The Users window is displayed.
- Click Browse--> Software. The Software window
is displayed.
- Click Edit--> Add. The Set Source Media
window is displayed.
Attention: Do not click the Customize button in
the lower left corner of the Set Source Media window. If you
click Customize, AdminTool crashes. Because LDAP does not
have any customizable options, there is no need for you to use this
button.
- Select CD with Volume Management. The CD-ROM path
defaults to: /cdrom/cdrom0/
- Change the path to /cdrom/cdrom0/ldap41_us and click
OK.
- Click OK.
- Select from the following list of installable packages:
IBM Directory Client
IBM Directory DMT
IBM Directory Server
IBM Directory Documentation (for all languages)
IBM Directory Messages (for all languages)
Remember that you must install the IBMldapc package first. See Package dependencies for the correct installation sequence.
- Click Add.
- You are asked if you want to use /opt as the base
directory. If space permits, use /opt as the base
installation directory. To accept /opt as the base
directory, press Enter.
Notes:
- With the installation of client and server packages, the system prompts
you with the notice, This package contains scripts which will be executed
with super-user permission during the process of installing the
package. These scripts create the IBM Directory user ID.
Type y to continue.
- If you are installing the Server package, you also see the prompt, Do
you want to install these as setuid/setgid files? The CGI programs need
to be able to start daemons, run DB2 commands, and create the IBM Directory
DB2 instance user ID and group, so they occasionally need to run as
root. Type y to continue.
After the package is installed, the Software window is displayed.
- Repeat steps 6 through 11 for each additional package you want to
install. If you are finished installing the packages, select
File--> Exit to exit the admintool utility.
To install IBM Directory from a command prompt:
- At the command prompt, install the required packages with the following
command:
pkgadd -d /cdrom/cdrom0/ldap41_us
The following packages are available:
IBMldapc IBM Directory Client
(sparc) 4.1.0.0
IBMldapdj IBM Directory DMT
(sparc) 4.1.0.0
IBMldaps IBM Directory Server
(sparc) 4.1.0.0
IBMldixxx IBM Directory documentation
(sparc) 4.1.0.0
IBMldmxxx IBM Directory messages
(sparc) 4.1.0.0
where xxx is a specific language identifier.
- Note:
- The English messages are automatically installed with the IBMldaps (server)
package. There is no separate messages package for English.
- Specify the IBM Directory packages you want to install. Do not use
the system default of ALL. The system does not sequence the
packages correctly and the installation fails.
Examples:
- To install all IBM Directory packages, enter:
pkgadd -d /cdrom/cdrom0/ldap41 IBMldapc IBMldapdj IBMldaps IBMldixxx IBMldmxxx
- Note:
- The order in which the packages are listed is crucial. If package
dependencies are not met, the installation fails.
- To install the client only, enter:
pkgadd -d /cdrom/cdrom0/ldap41 IBMldapc
- To install the client and documentation packages, enter:
pkgadd -d /cdrom/cdrom0/ldap41 IBMldapc IBMldixxx
- To install the client and DMT only, enter:
pkgadd -d /cdrom/cdrom0/ldap41 IBMldapc IBMldapdj
- To install the client, DMT and server packages, enter:
pkgadd -d /cdrom/cdrom0/ldap41 IBMldapc IBMldapdj IBMldaps
- To install the client, DMT, server, and message packages, enter:
pkgadd -d /cdrom/cdrom0/ldap41 IBMldapc IBMldapdj IBMldaps IBMldmxxx
- During installation, you are asked if you want to use /opt as
the base directory. If space permits, use /opt as the base
installation directory. To accept /opt as the base
directory, press Enter.
Notes:
- With the installation of client and server packages, the system prompts
you with the query, This package contains scripts which will be executed
with super-user permission during the process of installing the
package. Continue with installation? These scripts create the IBM
Directory user ID. Type y to continue.
- If you are installing the Server package, you also see the prompt, Do
you want to install these as setuid and/or setgid files? The CGI
programs need to be able to start daemons, run DB2 commands, and create the
IBM Directory DB2 instance user ID and group, so they occasionally need to run
as root. Type y to continue.
- When the installation is completed, type q to return to the
command prompt.
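Both installation procedures above ask you to accept scripts that run with super-user permission and to install server files as setuid or setgid. The following added example (not part of the IBM guide) records the setuid and setgid files before and after pkgadd so that the files the package introduced can be reviewed; the function names and the snapshot file paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the IBM guide.

# list_setid DIR...
#   Prints, sorted, every regular file under the given directories that
#   has the setuid or the setgid bit set.
list_setid() {
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
        LC_ALL=C sort
}

# new_setid BEFORE AFTER
#   Prints the paths listed in snapshot AFTER that are not in BEFORE,
#   that is, the setuid/setgid files added between the two snapshots.
new_setid() {
    LC_ALL=C comm -13 "$1" "$2"
}

# writable_setid DIR...
#   Prints setuid/setgid files that are also group- or world-writable.
#   Anyone who can rewrite such a file controls what runs with the
#   owner's privileges, so this list should be empty.
writable_setid() {
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) \
        \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null |
        LC_ALL=C sort
}

# Typical use around the installation (snapshot paths are assumptions;
# /opt is the base directory and /usr/bin receives the command files):
#   list_setid /opt /usr/bin >/var/tmp/setid.before
#   pkgadd -d /cdrom/cdrom0/ldap41 IBMldapc IBMldapdj IBMldaps
#   list_setid /opt /usr/bin >/var/tmp/setid.after
#   new_setid /var/tmp/setid.before /var/tmp/setid.after
#   writable_setid /opt /usr/bin
```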
You can install GSKit 5 using either the AdminTool or the command
line.
To install GSKit using the admintool utility:
- Log in as root.
- Type the following at a root command prompt:
admintool&
The Users window is displayed.
- Click Browse--> Software. The Software window
is displayed.
- Click Edit--> Add. The Set Source Media
window is displayed.
- Type the full path name to the directory that contains the GSKit
installation code in the Path field. For example, if you are
installing from a CD-ROM:
/cdrom/cdrom0/gskit
- Click OK.
- Select Certificate and SSL Base Runtime (gsk5bas)
- Click Add. You are asked if you want to continue the
installation.
- Type y and press Enter. After the package is
installed, a message is displayed and you are instructed to press
Return.
- Press Enter.
- If you are finished installing packages, click File-->Exit to
exit the admintool utility.
To install GSKit using the command line:
- Insert the CD-ROM.
- Log in as root.
- At the command prompt, install the required tar file sets with the
following command:
pkgadd -d /cdrom/cdrom0/gskit
To remove GSKit, type the following at a command prompt:
pkgrm gsk5bas
The following options and conditions apply to Silent Installation:
- You must have at least 100 MB available memory before invoking Silent
Installation.
- If you install the client/server package, you do not need to install both
the client and the server. You can choose to install the client
only.
- Silent installation does not install GSKit.
- If you choose to install the server, you must already have a Web server
and DB2 installed.
- You must uninstall any existing LDAP directory on your system before
beginning silent installation. If an existing LDAP directory is
detected during installation, silent install exits and no migration takes
place.
- To edit installation path settings, copy the /options file to a writable
location.
- Configuration cannot be specified.
To begin installing IBM Directory 4.1:
- Run the following command at a command prompt:
setup -is:silent -options d:\ldap\optionsFiles\InstallServer.txt
where d: is your CD-ROM drive.
If installation exits for any reason, you can find information about the
exit in ldapinst.log.
Installation is complete when the last log entry in the
<installpath>\ldap\ldapinst.log reads:
Exiting LdapExit.
If installation is unsuccessful, check to make sure that your options file
settings and command line parameters are valid.
If you have a previous version of GSKit installed, remove it before
installing GSKit 5.
Installation Instructions for Windows 98, Windows 2000 or Windows NT
operating systems
- Run the following command:
- Note:
- Do not start setup.exe by clicking the icon.
setup <LDAP> <PATH> -s -f1"<extracted file location>\setup.iss"
Where LDAP is the name of your application and will be
registered as a registered user of GSK in the Windows Registry (under the key
SOFTWARE\\IBM\\GSK\\REGAPPS)
And where PATH is the path where you want the installation to
put the code. Please note our installation program will append
"\ibm\gsk5" to any path you enter.
Options: -s to run the setup in the SILENT
mode.
-f1"..\setup.iss" the RESPONSE file needed
to run the Setup in the SILENT mode.
For example:
gsk5bas setup LDAP PATH -s -f1"<extracted file location>\setup.iss"
To remove GSKit, run the following command:
gsk5BUI LDAP
You can use either the Server Administration (ldapxcfg) or the
ldapcfg command-line utility to configure the IBM Directory
server. To configure a UNIX system, you must be logged in as
root. On a Windows 2000 or Windows NT system, log in as
Administrator to configure.
You must have at least 80 MB available to configure the sample
database.
If you are using a Windows 2000 or Windows NT system, and you used the
InstallShield GUI Typical option to install, IBM Directory was automatically
configured.
If you are configuring a UNIX-based system, you must run the three command
line utilities, ldapcfg, ldapxcfg, and
ldapucfg, from a directory that has execute permission for
other. That is, a directory that has at least the
--------x permission set. If this permission is not set, you
might see an error message and experience a subsequent failure during the
database creation step. To set this permission for your current
directory, you can enter the command:
chmod o+x .
- Note:
- The period ( . ) in the command is required to indicate "this
directory".
For either the Server Administration or the command line program, IBM
Directory server configuration consists of three parts:
- Defining the IBM Directory administrator distinguished name (DN) and a
password. This operation can be compared to defining the root user ID
and password on a UNIX system. DNs are not case sensitive. If
you are unfamiliar with X.500 format or if for any other reason you do
not want to define a new DN, accept the default DN. You need to define
a password.
- Modifying a Web server configuration to access the IBM Directory Web
administration pages. Web servers are available on AIX, Solaris,
Windows 2000 or Windows NT platforms only.
- Configuring the database.
For configuration of a Web server, verify that the Web server is
installed. You also need to know:
- The name of the Web server that you are using
- The full path and name of the configuration file for the Web server:
- IBM HTTP Server
- AIX operating systems:
/usr/HTTPServer/conf/httpd.conf
- Solaris operating systems:
/opt/HTTPServer/conf/httpd.conf
- Windows 2000 or Windows NT operating systems:
C:/Program Files/IBM HTTP Server/conf/httpd.conf
- Domino Webserver
- AIX and Solaris operating systems:
/local/notesdata/httpd.cnf
- Windows 2000 or Windows NT operating systems:
C:/Lotus/Domino/Data/httpd.cnf
- Apache Server
- AIX and Solaris operating systems:
/usr/local/apache/conf/httpd.conf
- Windows 2000 or Windows NT operating systems:
C:/Program Files/Apache Group/Apache/conf/httpd.conf
- iPlanet Webserver
- AIX and Solaris operating systems:
/usr/netscape/server4/https/<fully qualified domain name>/config/obj.conf
- Windows 2000 or Windows NT operating systems:
C:/netscape/server4/https<fully qualified domain name>/config/obj.conf
When configuration is complete, restart the Web server manually for the
changes to take effect.
- Note:
- To run the configuration utilities (ldapcfg, ldapxcfg,
and ldapucfg) on a TurboLinux 6.5 operating system, you must
have the sh-utils-2.0.5-exit.patch installed
to enable the configuration utilities.
To work around this problem, obtain the following patch and additional
information from the Linux Technology Center Web site, located at
http://bugzilla.linux.ibm.com/show_bug.cgi?id=495
Attention: Before configuring a Red Hat 7.1 system,
you need to make special system modifications to the configuration tools
(ldapxcfg, ldapcfg, ldapucfg):
- Download sh-utils-2.0.11-5.i386.rpm from the
following Red Hat site: ftp://ftp.redhat.com/pub/redhat/linux/7.2/en/os/i386/RedHat/RPMS/
- Log in as root and update the sh-utils package using the following
command:
rpm -Fvh sh-utils-2.0.11-5.i386.rpm
To configure the IBM Directory using Server Administration:
- Type ldapxcfg at a command prompt.
- You can set the Directory administrator name and password, create the
directory DB2 database, or configure a Web server for directory server
administration. You can select one of these tasks or you can select
multiple tasks. If you select more than one task, the information entry
windows are displayed consecutively.
- To set the administrator DN and password:
- Select Set the directory administrator name and
password.
- Click Next. Type the administrator DN (or accept the
default DN), type in a password, and retype to confirm the password.
- Click Next.
- Review the Configuration Summary panel. Click
Configure.
- The Configuration Completion panel is displayed. Click
OK.
- To configure or reconfigure a directory database:
- Select Create the LDAP DB2 database (the selection is
Reconfigure the directory DB2 database, if a DB2 database already
exists), and click Next.
- Select either Create a default directory DB2 database (if a
database is currently configured, the selection is Reconfigure the
existing default LDAPDB2 database) or Use my own DB2 database
(this selection is also referred to as a custom database). For
information on creating a database manually, see Appendix C, Creating a database manually. The default directory selections are
recommended.
- Click Next.
- If prompted, select Create a Universal DB2 database (UTF-8) to
create the database in the Universal Character Set or select Create a
local codepage DB2 database to create the database in the local
codepage. You can also select Create a database for changelog
support to enable the change log.
- If prompted, specify the directory where you want the database to reside
or accept the default directory. Click Next.
- If you selected Use my own DB2 database, fill in the four
required fields. Click Next.
- The Configuration Completion panel is displayed; click
OK.
- To configure a Web server:
- Ensure that the Web server is installed.
- Select Configure a Web server for directory
administration.
- Choose only one of the following:
- IBM HTTP
- Apache
- Lotus Domino
- iPlanet Netscape
- Microsoft Internet Information server (for Windows 2000 or Windows NT
systems only)
- If prompted, enter the full pathname of the Web server configuration
file.
- Review the Configuration Summary panel, and then click
Configure
- The Configuration Completion panel is displayed. Make note of the
administration Web address, and then click OK.
- Restart the configured Web server. For the appropriate command, see
the ldapcfg utility step 2. Pick the appropriate Web server
and perform Step c for your Web server.
- Start the IBM Directory server by using a Web browser and the
administration Web address that was listed on the Configuration
Completion panel to access Server Administration. Click
Server->Startup/Shutdown, and on the Server startup page click
Startup. When startup is finished, a completion window is
displayed.
If you have previously set the administrator DN and password, and
configured a Web server, you can configure or reconfigure a database from a
Web browser. Using a Web browser, connect to
http://hostname/ldap, and then log on as the administrator DN
(for example, use Netscape Navigator to connect to this page, and then log
on).
- Note:
- Some Web servers might require you to specify index.html in the Web
address. If you are unable to get to the Server Administration tool
with http://hostname:portnumber/ldap, try
http://hostname:portnumber/ldap/index.html.
- Click Database to expand its selections.
- Click Configure.
- Click the type of database you want to use, and then click
Next.
- If you want to back up your database, type the fully qualified file name
in the field. Select whether you want to create the backup directory or to
stop the configuration process if the directory that you specified is not
found. Otherwise, click Do not backup the current
data. Be aware that if you do not back up your database, the
database is deleted and the data is lost. Click Next.
- Do one of the following depending on the type of database you
are configuring:
- If you are configuring a default database, select the directory where you
want to create the database, click the type of database you want to create,
and then click Finish.
- If you are configuring a custom database, type the Database name, the
Database instance, the Database system administrator, and the Database system
administrator password. Retype the password in the Confirm the password
field, and then click Finish. This configures the
database.
- Restart the LDAP server.
To configure the IBM Directory using the command-line utility:
- To define the admin DN and password, type the following command at a
command prompt:
ldapcfg -u "cn=root" -p secret
- Note:
- Do not use single quotes (') to define DNs with spaces in them.
They are not interpreted correctly.
To accept the default administrator DN of "cn=root" and define a password,
type the following command at a command prompt:
ldapcfg -p secret
- Pick the appropriate Web server and configure the Web server. You
need to know the full pathname of the Web server configuration file.
Use that path name instead of the paths shown after the -f options
in the following examples. The example paths are based upon system
defaults for an AIX system.
IBM HTTP Server
- Type the following command at a command prompt:
ldapcfg -s ibmhttp -f /usr/HTTPServer/conf/httpd.conf
- After the Web server configuration is complete, stop the Web server by
typing the following command at a command prompt:
/usr/HTTPServer/bin/apachectl stop
- Restart the Web server by typing the following command at a command
prompt:
/usr/HTTPServer/bin/apachectl start
Domino Enterprise 5.0.2b Webserver
- Type the following command at a command prompt:
ldapcfg -s domino -f /etc/httpd.conf
- After the Web server configuration is complete, stop the Web server by
typing the following at a command prompt:
stopsrc -s httpd
- Restart the Web server by typing the following at a command prompt:
startsrc -s httpd
Apache Server
- Type the following command at a command prompt:
ldapcfg -s apache -f /usr/local/apache/conf/srm.conf
- Note:
- The location of the Apache Server might differ. Apache
v1.4.1 uses /usr/local/apache as the default.
- After the Web server configuration is complete, stop the Web server by
typing the following at a command prompt:
kill -TERM `cat /usr/local/apache/logs/httpd.pid`
- Restart the Web server by typing the following at a command prompt:
/usr/local/apache/src/httpd -f /usr/local/apache/config/httpd.conf
iPlanet Webserver Enterprise or Fast Track Edition
- Type the following command at a command prompt:
ldapcfg -s iplanet -f /usr/netscape/server4/https-<fully qualified hostname>/config/obj.conf
Where the variable <fully qualified hostname> refers to the
server id, which by default is the local hostname.
- Note:
- The path given in the examples assumes an iPlanet Enterprise server.
For iPlanet FastTrack, the default path is:
/usr/netscape/server4/httpd-<fully qualified hostname>/config/obj.conf
- After the Web server configuration is complete, you can stop and restart
the Web server from either the iPlanet Server Administration page or a command
prompt.
- From the iPlanet Server Administration page:
- Click iPlanet Server OFF to stop the Web server.
- Click iPlanet Server ON to restart the Web server.
- From a command prompt:
- Stop the Web server by typing:
/usr/netscape/server4/https-<fully qualified hostname>/stop
- Restart the Web server by typing:
/usr/netscape/server4/https-<fully qualified hostname>/start
Microsoft IIS Web server (Windows 2000 and Windows NT only)
- Type the following at a command prompt:
ldapcfg -s iis
- From the desktop, double-click the My Computer icon.
- Double-click the Control Panel icon. Double-click the
Services icon.
- Select World Wide Web Publishing Service and click
Stop.
- Select World Wide Web Publishing Service and click
Start.
- To configure a database, the following options are available:
- -l location
- Location of the DB2 database. For UNIX systems, this is a directory
or filesystem name.
- -a id
- DB2 administrator ID.
- -c
- Create a database in UTF8 format.
- -i
- DB2 instance name.
- -w password
- DB2 administrator password.
- -d database
- DB2 database name.
- -o
- Overwrite database if one previously exists. If -o is
not specified and a database currently exists, then DB2 configuration is not
performed.
For default configuration, use the -l option.
For configuration into your own existing (custom) database, use the
-a, -w, -i, and -d options.
Because an instance in DB2 must be the name of an existing user, the
-a and -i values must be the same on UNIX
platforms.
- To configure a custom database with a DB2 administrator name of
db2admin, an instance name of dbInstanceName and a
database name of dbName when there is not an existing database
configured (that is, the first time), the command is:
ldapcfg -a dbInstanceName -w mypassword -i dbInstanceName -d dbName
Attention: Do not use ldapdb2 as a custom database
name. Any custom database named ldapdb2 will be destroyed during
unconfiguration.
- To configure a custom database similar to the previous example when a
database is already configured, the command is:
ldapcfg -a db2admin -w mypassword -i dbInstanceName -d dbName -o
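The -p and -w options shown above put the directory administrator password and the DB2 administrator password on the command line, so both end up in the shell history of whoever ran ldapcfg. The following added example (not part of the IBM guide) finds such lines in a history file and redacts the values; the function names and the history file path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the IBM guide.

# redact_ldapcfg_secrets
#   Filter: on lines that invoke ldapcfg or ldapucfg, replaces the value
#   that follows -p or -w with <redacted>. Handles double-quoted,
#   single-quoted and unquoted values; other lines pass through.
redact_ldapcfg_secrets() {
    sed -e '/ldapu*cfg/s/\([[:space:]]-[pw][[:space:]]\{1,\}\)"[^"]*"/\1<redacted>/g' \
        -e '/ldapu*cfg/s/\([[:space:]]-[pw][[:space:]]\{1,\}\)'"'[^']*'"'/\1<redacted>/g' \
        -e '/ldapu*cfg/s/\([[:space:]]-[pw][[:space:]]\{1,\}\)[^[:space:]]\{1,\}/\1<redacted>/g'
}

# ldapcfg_secret_lines FILE
#   Prints only the line numbers in FILE that pass -p or -w to ldapcfg
#   or ldapucfg, so the report itself never repeats a password.
ldapcfg_secret_lines() {
    grep -n 'ldapu*cfg.*[[:space:]]-[pw][[:space:]]' "$1" | cut -d: -f1
}

# scrub_file FILE
#   Redacts FILE in place. The content is written back with cat so the
#   file keeps its owner and permissions; the temporary copy is removed.
scrub_file() {
    _tmp=$(mktemp) || return 1
    redact_ldapcfg_secrets <"$1" >"$_tmp" && cat "$_tmp" >"$1"
    _rc=$?
    rm -f "$_tmp"
    return "$_rc"
}

# Typical use (history file path is an assumption for the bash shell):
#   ldapcfg_secret_lines ~/.bash_history
#   scrub_file ~/.bash_history
```

Redacting the history does not cover the process listing while ldapcfg was running, so a password that was typed on a shared system is best changed afterwards.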
Return to the Installation, configuration, and migration overview.
The options for the ldapucfg utility are the same as for the
ldapcfg utility except that in the ldapucfg utility the
-d option removes the LDAPDB2 database backend and the
-g option disables the change log. Disabling the change log
removes the change log database and any data (change records) that are in
it. The -g option does not affect the main directory
database.
Attention: Back up any existing schema files and your
directory before performing the following steps.
- Log in as root.
- Stop all clients that are connected to the IBM Directory server.
- Use the ldapucfg utility to remove the DB2 configuration
information from the IBM Directory server. At the command prompt,
type:
ldapucfg -d
You are prompted to enter Y or N to confirm the
unconfiguration.
- Note:
- If the default database was configured, the ldapucfg utility
deletes the database from the system by this step. If a custom database
was configured, the database remains on the system. You must remove the
custom database if its removal is necessary.
To remove a custom database:
- If you are on a Windows 2000 or Windows NT system, open a db2
window. If you are using a UNIX system, log in as the instance
owner. Type:
db2stop
- Type:
db2 drop db <instance name>
- Type:
db2idrop <instance name>
- Pick the appropriate Web server and follow the steps to remove the
configuration information from the Web server. Microsoft IIS Web Server
applies to Windows 2000 or Windows NT systems only. The remaining
examples show you how to remove a Web server configuration on an AIX
system.
- IBM HTTP Server
- Type the following command at a command prompt:
ldapucfg -s ibmhttp -f /usr/HTTPServer/conf/httpd.conf
- After you remove the Web server configuration information, stop the Web
server by typing the following command at a command prompt:
/usr/HTTPServer/bin/apachectl stop
- Restart the Web server by typing the following command at a command
prompt:
/usr/HTTPServer/bin/apachectl start
- Microsoft IIS Web Server (Windows 2000 or Windows NT operating systems
only)
- Windows 2000
- Click Start-->Settings-->Control Panel.
- Double-click Administrative Tools.
- Double-click Computer Management.
- Double-click Services and Applications.
- Double-click Internet Information Services.
- Double-click Default Web Site.
- Delete the ldap icon.
- Windows NT
- Click Start-->Programs-->Windows NT 4.0
Option Pack-->Microsoft Personal Web Server-->Internet
Service Manager.
- Double-click Internet Information Server.
- Double-click the machine name.
- Double-click Default Web site.
- Delete the ldap icon.
- Domino Enterprise Webserver
- Type the following command at a command prompt:
ldapucfg -s domino -f /etc/httpd.conf
- After you remove the Web server configuration information, stop the Web
server by typing the following command at a command prompt:
stopsrc -s httpd
- Restart the Web server by typing the following command at a command
prompt:
startsrc -s httpd
- Apache Server
- Type the following command at a command prompt:
ldapucfg -s apache -f /usr/local/apache/conf/srm.conf
- Note:
- The location of the Apache Server might differ from the example.
Apache v1.2.5 uses /usr/local/apache as the default.
- After you remove the Web server configuration information, stop the Web
server by typing the following command at a command prompt:
kill -TERM `cat /usr/local/apache/logs/httpd.pid`
- Restart the Web server by typing the following command at a command
prompt:
/usr/local/apache/src/httpd -f /usr/local/apache/config/httpd.conf
- iPlanet Webserver Enterprise or Fast Track Edition
- Type the following command at a command prompt:
ldapucfg -s netscape -f /usr/netscape/server4/https-<fully qualified hostname>/config/obj.conf
Where the variable <fully qualified hostname> refers to the
server ID, which by default is the local host name.
- Note:
- The path in the examples assumes an iPlanet Enterprise server. For
iPlanet FastTrack, the default path is:
/usr/netscape/server4/httpd-<fully qualified hostname>/config/obj.conf
- After you remove the Web server configuration information, you can stop
and restart the Web server from either the iPlanet Server Administration page
or a command prompt.
- From the iPlanet Server Administration page:
- Stop the Web server by selecting iPlanet Server OFF.
- Restart the Web server by selecting iPlanet Server ON.
- From a command prompt:
- Stop the Web server by typing at a command prompt:
/usr/netscape/server4/https-<fully qualified hostname>/stop
- Restart the Web server by typing at a command prompt:
/usr/netscape/server4/https-<fully qualified hostname>/start
After you remove the configuration information, you can uninstall the IBM
Directory.
Notes:
- If you installed IBM Directory using the InstallShield GUI, uninstall
using the process in Uninstalling using InstallShield GUI.
- During removal no attempt is made to see if Web servers still contain IBM
Directory modifications. If the IBM Directory is removed before
removing the IBM Directory configuration information from the Web server, the
Web server configuration files have to be unconfigured manually. If you
reinstall the IBM Directory, you do not need to reconfigure the Web
server.
- Removing the IBM Directory does not remove any databases you created using
IBM Directory.
To uninstall the IBM Directory server or client, type the following:
installp -u ldap
This removes only IBM Directory filesets. It does not remove other
components such as DB2.
To remove the IBM Directory, complete the following steps:
- At a command prompt, type swremove
- Select the installed IBM Directory.
- Click Actions-->Mark For Remove.
- Click Actions-->Remove/Uninstall.
- Click OK.
- When removal is complete, click Done.
- Click File-->Exit.
Before removing the IBM Directory, ensure that the server is stopped and
issue the following commands.
- Note:
- If the IBM Directory server is installed, you must remove the server before
you remove the client (the reverse order of the installation).
rpm -ev ldap-server-4.1-1
rpm -ev ldap-dmtjava-4.1-1
rpm -ev ldap-client-4.1-1
rpm -ev ldap-msg-xxx-4.1-1.i386.rpm (Where xxx is language dependent.)
rpm -ev ldap-html-xxx-4.1-1.i386.rpm (Where xxx is language dependent.)
You can uninstall the IBM Directory using the admintool utility
or from a command line using pkgrm.
To remove the IBM Directory using the admintool utility:
- Log in as root.
- Type the following at a root command prompt:
admintool&
The Users window is displayed.
- Click Browse -> Software. The Software window
is displayed.
- Select the packages to delete from the displayed list.
IBM Directory Client
IBM Directory Documentation
IBM Directory DMT and Java
IBM Directory Server
- Click Edit -> Delete. The AdminTool:
Warning window is displayed.
- Click Delete.
Notes:
- With the removal of client and server packages, the system prompts you
with the query, This package contains scripts which will be executed with
super-user permission during the process of installing the package.
Continue with the removal of this package? Type y to
continue. If you are removing the Server package, you also see the
prompt, Do you want to remove these as setuid and/or setgid
files? Type y to continue.
- After the package is removed, the Software window is
displayed. When the removal is complete, type q to return to
the command prompt.
Installing the IBM Directory using the default settings creates the
/opt/IBMldaps and /opt/IBMldapc directories. If you uninstall the IBM
Directory, the removal procedure might not remove these directories. If
one or both of these directories exist, they create a problem if you later
reinstall the IBM Directory in non-default directories.
To ensure that the directories are completely removed issue this command at
a command line:
rm -fr /opt/IBMldaps /opt/IBMldapc
You can now reinstall the IBM Directory to a non-default
directory.
- Note:
- This problem does not occur if you reinstall to the default
directories.
To see what IBM Directory components are installed, type:
pkginfo | grep -i ibml
The output displayed is similar to the following:
IBMldapc IBM Directory Client
(sparc) 4.1.0.0
IBMldapdj IBM Directory DMT
(sparc) 4.1.0.0
IBMldaps IBM Directory Server
(sparc) 4.1.0.0
IBMldixxx IBM Directory documentation
(sparc) 4.1.0.0
IBMldmxxx IBM Directory messages
(sparc) 4.1.0.0
Use pkgrm to remove the desired packages:
pkgrm IBMldapc IBMldapdj IBMldaps
You can specify either the package name or its listing number.
Remove the packages in the reverse order of the installation sequence.
- Click Start-->Settings-->Control Panel-->Add/Remove
Programs.
- Select IBM Directory 4.1. Click the
Change/Remove button.
- Select the language you want to use during the uninstall. Click
OK.
- Click Next.
- Select the features you want to uninstall. Click
Next.
- To uninstall the selected features, click Next.
- Click Start-->Settings-->Control Panel-->Add/Remove
Programs.
- Select IBM Directory 4.1. Click the
Change/Remove button.
- Select the language you want to use during the uninstall. Click
OK.
- Click Next.
- Select the features you want to uninstall. Click
Next.
- To uninstall the selected features, click Next.
- From a command prompt, go to the IBM Directory _uninst
directory.
AIX and Linux operating systems:
/usr/ldap/_uninst
Solaris operating system:
/opt/IBMldapc/_uninst
- Run the uninstall command:
./uninstall
Migrating is necessary to preserve any changes that you have made to the
schema definitions and to preserve your data and directory server
configuration. Use these procedures when you are migrating an existing
directory server on the same physical machine. The level of SecureWay
Directory you are migrating must be 3.2.0 or higher.
If you have SecureWay Directory version 3.1.1.5
currently installed, you must upgrade to level 3.2.2 before
installing IBM Directory 4.1. You can download SecureWay
Directory version 3.2.2 from the IBM SecureWay Directory Web
site: http://www-306.ibm.com/software/network/directory/downloads/.
Audit log and change log are not migrated. If you want to preserve
your audit log and change log settings, record them before
uninstalling. Once you have reinstalled, you can reset the audit log
and change log settings in WebAdmin.
Attention: Run the db2ldif application before
uninstalling the 3.2.x version of SecureWay Directory. Do
not use the DB2BACKUP command.
If you are upgrading from a 3.2.x version of SecureWay
Directory, and you are installing IBM Directory on a Windows 2000 or Windows NT system
using the InstallShield GUI, the installation automatically completes some
migration for you.
To migrate, do the following:
- If you have not done so already:
- Export the database using db2ldif
- Note:
- Read the db2ldif documentation in the SecureWay
Administration Guide for your release before exporting the
database.
db2ldif -o <outputfile> [-s <subtree DN>]
where outputfile specifies the LDIF output file to contain the
directory entries in LDIF and subtree DN identifies the top entry
of the subtree that is to be dumped to the LDIF output file.
Attention: Export your data using db2ldif before
unconfiguring and removing the database. Do not use the
DB2BACKUP command. If you do not export before unconfiguring
and removing the database, you will lose your data.
- Unconfigure and remove the database:
ldapucfg -d
Press y to confirm the removal. Default LDAP
databases are automatically removed from the system when the command
successfully completes.
- Note:
- If you use a custom database, you must manually remove the DB2 database
from the system.
- Data contained in the SecureWay Directory 3.2.x database is
not compatible with IBM Directory 4.1 unless it is exported via
db2ldif and imported through the bulkload or
ldif2db utilities provided with IBM Directory 4.1.
- The server will not start if you do not migrate.
- Changelog is removed during migration.
- If you have a downlevel version of DB2, you must upgrade to 7.1 Fix
Pack 3 or later.
Attention: Export your data using db2ldif before
uninstalling or upgrading your level of DB2. Do not use the
DB2BACKUP command. If you do not export the data using
db2ldif before unconfiguring, upgrading or removing your current
level of DB2, you will lose the contents of your database.
- Install IBM Directory 4.1. The InstallShield GUI
automatically performs the following migration processes for you:
- Saves your server configuration (slapd32.conf) in the following
location:
<install path>etc/userV41
- Saves your Schema files in the following location:
<install path>etc/userV41
- Saves any existing IBM JNDI applications, IBMJNDI.JAR or any
associated JNDI files in the following location:
<install path>etc/userV41/java
JNDI related files:
- Ibmjcefw.jar
- Ibmjceprovider.jar
- IBMjgssprovider.jar
- Local_policy.jar
- US_export_policy.jar
- Krb5.ini
- Ibmjndi.jar
- Ibmjndi.zip
JNDI related directories:
- etc/java/bin
- etc/java/lib
- Saves the webk file to the following location:
<install path>/webk/webk.bak
- Migrates the configuration and schema by executing the migrate41
script.
- Note:
- You might be asked if you want to replace some configuration files.
Select Yes to replace.
- After you complete installation and reboot your machine, create a new
default LDAP database using ldapcfg or ldapxcfg.
See Configuration for instructions on how to create a new default LDAP
database. To create a custom database, use DB2 commands. See Appendix C, Creating a database manually for instructions on how to create a new default LDAP
database.
- Note:
- If you want a changelog database, make sure changelog is enabled in
ldapxcfg or the -d option in ldapcfg.
- Use the bulkload utility to import the db2ldif
exported data:
- Note:
- Read the bulkload documentation in the IBM Directory Server
Version 4.1 Administration Guide for new command line settings
that provide additional levels of functionality.
bulkload -i <ldiffile> -c -d
Where ldiffile is the name of the input file containing the
LDIF data to be loaded into the directory.
- Note:
- You can also use ldif2db and ldapadd to import, but for
performance reasons we recommend that you use bulkload to import
the db2ldif exported data.
To migrate an existing directory server on the same physical machine:
- Export the database using db2ldif
- Note:
- Read the db2ldif documentation in the SecureWay
Administration Guide for your release before exporting the
database.
db2ldif -o <outputfile> [-s <subtree DN>]
where outputfile specifies the LDIF output file to contain the
directory entries in LDIF and subtree DN identifies the top entry
of the subtree that is to be dumped to the LDIF output file.
Attention: Export your data using db2ldif and
remove the db2admin id from the operating system before unconfiguring and
removing the database (step 2). Do not use the DB2BACKUP
command. If you do not export before unconfiguring and removing the
database, you will lose your data.
- Unconfigure and remove the database:
ldapucfg -d
Press y to confirm the removal. Default LDAP
databases are automatically removed from the system when the command
successfully completes.
Notes:
- If you use a custom database, you must manually remove the DB2 database
from the system.
- Data contained in the SecureWay Directory 3.2.x database is
not compatible with IBM Directory 4.1 unless it is exported via
db2ldif and imported through the bulkload or
ldif2db utilities provided with IBM Directory 4.1.
- The server will not start if you do not migrate.
- If you have a downlevel version of DB2, you must upgrade to 7.1 Fix
Pack 3 or later.
Attention: Export your data using db2ldif before
unconfiguring and removing the database. Do not use the
DB2BACKUP command. If you do not export before unconfiguring
and removing the database, you will lose your data.
- Save the webk file to the following location:
<install path>/webk/webk.bak
- Install IBM Directory 4.1 using SMIT Installation. SMIT installation automatically performs the
following migration processes for you:
- Do one of the following:
- To create a new default LDAP database, use ldapcfg or
ldapxcfg. See Configuration for instructions on how to create a new default LDAP
database. To create a custom database, use DB2 commands. See Appendix C, Creating a database manually for instructions on how to create a new default LDAP
database.
- Note:
- If you want a changelog database, make sure changelog is enabled in
ldapxcfg or the -d option in ldapcfg.
- Use the bulkload utility to import the db2ldif
exported data:
- Note:
- Read the bulkload documentation in the IBM Directory Server
Version 4.1 Administration Guide for new command line settings
that provide additional levels of functionality.
bulkload -i <ldiffile> -c -d
Where ldiffile is the name of the input file containing the
LDIF data to be loaded into the directory.
- Note:
- You can also use ldif2db and ldapadd to import, but for
performance reasons we recommend that you use bulkload to import
the db2ldif exported data.
Attention: Do not use these instructions to migrate on an AIX
system. If you are migrating on an AIX system, see Migration from SecureWay Directory Version 3.2.x for AIX installations.
To migrate an existing directory server on the same physical machine:
- Note:
- If you are installing using InstallShield GUI, you might have completed some
of these steps already. See Before installing on UNIX-based platforms.
- Export the database using db2ldif
- Note:
- Read the db2ldif documentation in the SecureWay
Administration Guide for your release before exporting the
database.
db2ldif -o <outputfile> [-s <subtree DN>]
where outputfile specifies the LDIF output file to contain the
directory entries in LDIF and subtree DN identifies the top entry
of the subtree that is to be dumped to the LDIF output file.
Attention: Export your data using db2ldif and
remove the db2admin id from the operating system before unconfiguring and
removing the database (step 2). Do not use the DB2BACKUP
command. If you do not export before unconfiguring and removing the
database, you will lose your data.
- Unconfigure and remove the database:
ldapucfg -d
Press y to confirm the removal. Default LDAP
databases are automatically removed from the system when the command
successfully completes.
Notes:
- If you use a custom database, you must manually remove the DB2 database
from the system.
- Data contained in the SecureWay Directory 3.2.x database is
not compatible with IBM Directory 4.1 unless it is exported via
db2ldif and imported through the bulkload or
ldif2db utilities provided with IBM Directory 4.1.
- The server will not start if you do not migrate.
- If you have a downlevel version of DB2, you must upgrade to 7.1 Fix
Pack 3 or later.
Attention: Export your data using db2ldif before
unconfiguring and removing the database. Do not use the
DB2BACKUP command. If you do not export before unconfiguring
and removing the database, you will lose your data.
- Note:
- If you have non-IBM Directory applications using a downlevel version of DB2,
and you are using InstallShield GUI to install on a UNIX system, you can leave
the downlevel version on your machine. InstallShield GUI will
install DB2 7.2 during installation. We recommend that you
remove the downlevel version of DB2 if you are not using it.
- Save your server configuration (slapd32.conf) in the following
location:
<install path>etc/userV41
- Save your Schema files in the following location:
<install path>etc/userV41
- If you have any existing IBM JNDI applications, IBMJNDI.JAR or any
associated JNDI files, save them in the following location:
<install path>etc/userV41/java
JNDI related files:
- Ibmjcefw.jar
- Ibmjceprovider.jar
- IBMjgssprovider.jar
- Local_policy.jar
- US_export_policy.jar
- Krb5.ini
- Ibmjndi.jar
- Ibmjndi.zip
JNDI related directories:
- etc/java/bin
- etc/java/lib
- Save the webk file to the following location:
<install path>/webk/webk.bak
- If you have an earlier version of IBM Directory installed, for example
SecureWay Directory 3.2.2, remove it before installing IBM
Directory 4.1.
- Install IBM Directory 4.1 using pkgadd (Solaris),
RPM (Linux Intel/390) or the InstallShield GUI.
- Migrate the configuration and schema by executing the migrate41
script:
<installpath>/sbin/migrate41
- Note:
- You must run the migrate41 script even if you didn't modify the previous
schema. There are new schema files and entries in the
slapd32.conf file that are not compatible with previous
versions.
- To create a new default LDAP database, use ldapcfg or
ldapxcfg. See Configuration for instructions on how to create a new default LDAP
database. To create a custom database, use DB2 commands. See Appendix C, Creating a database manually for instructions on how to create a new default LDAP
database.
- Note:
- If you want a changelog database, make sure changelog is enabled in
ldapxcfg or the -d option in ldapcfg.
- Use the bulkload utility to import the db2ldif
exported data:
- Note:
- Read the bulkload documentation in the IBM Directory Server
Version 4.1 Administration Guide for new command line settings
that provide additional levels of functionality.
bulkload -i <ldiffile> -c -d
Where ldiffile is the name of the input file containing the
LDIF data to be loaded into the directory.
- Note:
- You can also use ldif2db and ldapadd to import, but for
performance reasons we recommend that you use bulkload to import
the db2ldif exported data.
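Every variant of the migration procedure above removes the database with ldapucfg -d after the db2ldif export, so the export file is the only copy of the directory entries that can be loaded into IBM Directory 4.1. The script below is an added example, not part of the IBM guide: it checks an export file before that step (present, non-empty, not accessible to group or other, at least the expected number of entries). The function names, the sample LDIF and the entry threshold are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: gate the destructive "ldapucfg -d" step on a verified
# db2ldif export. Function names and the sample data are hypothetical.

# Write a small, constructed LDIF file (sample data, not real directory content).
make_sample_ldif() {
    cat > "$1" <<'EOF'
version: 1

dn: o=IBM_US, c=US
objectclass: organization
o: IBM_US

dn: ou=Austin, o=IBM_US, c=US
objectclass: organizationalUnit
ou: Austin

dn: cn=Cindy Corn, ou=Austin, o=IBM_US, c=US
objectclass: person
cn: Cindy Corn
sn: Corn
EOF
}

# ldif_entry_count FILE -> prints the number of records (lines starting "dn:").
ldif_entry_count() {
    [ -r "$1" ] || { echo 0; return 0; }
    # grep -c prints 0 but exits non-zero when nothing matches; keep the 0.
    grep -c '^dn:' "$1" || true
}

# ldif_export_ok FILE [MIN_ENTRIES]
# Prints the entry count and returns 0 when the export looks usable.
# Returns 1 (missing/empty), 2 (readable by group/other), 3 (too few entries).
ldif_export_ok() {
    file=$1
    min=${2:-1}
    if [ ! -f "$file" ] || [ ! -s "$file" ]; then
        echo "export missing or empty: $file" >&2
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "export is accessible to group/other: chmod 600 $file" >&2
        return 2
    fi
    count=$(ldif_entry_count "$file")
    if [ "$count" -lt "$min" ]; then
        echo "export holds $count entries, expected at least $min" >&2
        return 3
    fi
    echo "$count"
}

# Demo on the constructed sample; nothing here touches a real directory.
demo=$(mktemp)
make_sample_ldif "$demo"
if n=$(ldif_export_ok "$demo" 3); then
    echo "export verified ($n entries); safe to continue with: ldapucfg -d"
else
    echo "export not verified; do not run ldapucfg -d" >&2
fi
rm -f "$demo"
```

Run the same check against the file named in db2ldif -o, with MIN_ENTRIES set to the entry count you expect, before confirming the ldapucfg -d prompt.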
If you are having problems installing or configuring the IBM Directory
4.1 product, refer to this section for possible fixes.
If your install does not complete, the first place you should look for
information is the ldapinst.log. If the install destination
directory (ldaphome) was created, this log will be in the ldaphome
root directory. For example, on a Windows 98, Windows 2000 or Windows
NT system, the ldapinst.log would be in c:\Program
Files\IBM\LDAP\. If the install destination was not created
before the installation failed, the log may be in a temporary
directory. To find it, do a search for "ldapinst.log".
Review this log for any messages about why the install failed. Because
some of the ldap features require corequisite products, it's possible
that a failure in the corequisite installation caused the IBM Directory
installation to fail. For example, if the server feature is being
installed, but the DB2 install fails, the server feature cannot be
installed.
Another reason for failed installation is lack of disk space. IBM
Directory attempts to verify that there is enough space and generates messages
if the requisite disk space is not found, but it is possible that
InstallShield GUI cannot progress far enough to issue a message. Before
installing, make sure you have the recommended free disk space. All
platforms use temporary space, and in addition, UNIX platforms use the
/var directory. When install is first executed, the JVM is
installed to the install directory, so be sure that your installation
destination directory has enough space.
The first step to recovering from a failed install is to run the
InstallShield Uninstall GUI to clean up any registry entries that may have
been made by the install. If you do not run the InstallShield Uninstall
GUI, the InstallShield GUI might fail the next time you try to install using
the InstallShield GUI. See the following sections on how to do this for
each platform. See Uninstalling using InstallShield GUI for information on uninstalling using the InstallShield
GUI.
When installing on UNIX platforms, the IBM Directory GUI install uses the
native packages (i.e. AIX installp files, Solaris .pkg
files, or RPM files) to do the install. Because of this, you will see
these packages when you run the platform commands (such as "rpm -qa" on Linux
operating system) to query what is installed. Even though you can use
the platform commands (such as rpm -e) to uninstall, you MUST use the
InstallShield GUI to uninstall so that the InstallShield Registry is cleaned
up.
- Uninstall using the InstallShield GUI.
- Execute:
pkginfo
If any packages were left on the system, use pkgrm to uninstall
them:
pkgrm <package names>
- Note:
- If you encounter problems removing these packages, try to remove the
directories containing the packages from /var/sadm/pkg
- Remove the /opt/IBMldapc and /opt/IBMldaps
directories, and any other directories left from the install, such as a
language directory.
- Correct any other problems listed in the
ldapinst.log.
- Uninstall using the InstallShield GUI.
- Remove the ldap directory. The default directory is
C:\Program Files\IBM\LDAP
- Correct any other problems listed in the ldapinst.log.
If you see the following message during the configuration of the database
Failed to start database manager for instance: ldapdb2
you might have a problem with your electronic DB2 license. To
verify this, type the following at the command prompt:
db2start
If your license is correct, you see the message:
SQL1063N DB2START processing was successful.
Otherwise, you see the message that starts:
SQL8007W There are xx day(s) left in the evaluation period for the product.....
If there is a problem with your electronic DB2 license, one of the
following situations might be the cause:
- You have a demonstration license.
To upgrade your DB2 product from a demonstration license to a product
license, you need to copy the license file from the DB2 CD to the system where
DB2 is installed; you do not need to reinstall the product.
- Note:
- Your Proof of Entitlement and License Information booklets identify the
products for which you are licensed.
- You have purchased a different product.
If you install a DB2 product as Try-and-Buy, and you buy a different
product, you must uninstall the Try-and-Buy product and then install the new
one that you have purchased. Perform the following to upgrade your DB2
license:
- Put the product CD in the CD-ROM drive.
- Double-click the Nodelock Administration Tool icon in the
License Use Runtime - Client folder to start the Nodelock
Administration Tool.
- Select Products->New from the menu bar.
- Click Import.
- In the Import window, locate the db2\license directory on your
CD-ROM. A list of files is shown. Select the license file that
corresponds to the specific product that you have purchased and installed on
your system:
db2pers.lic DB2 Universal Database Personal Edition
- Click OK.
- Manually remove the DB2 database using the instructions in DB2 does not configure properly.
If something fails during configuration or unconfiguration, you might need
to clean up your database by performing some or all of the following
steps. If a step fails, continue to the next step. You are now
ready for configuration.
- Log on as the DB2 administrator (db2admin by default), not as
Administrator.
- Type db2cmd at a command prompt.
- From the Windows services window, start the service labeled
DB2 - LDAPDB2.
- In the db2cmd window, type:
DB2 drop database ldapdb2
- From the services window, stop the service labeled DB2 -
LDAPDB2.
- In the db2cmd window, type:
db2 uncatalog database ldapdb2
db2 uncatalog node ldapdb2
db2idrop ldapdb2
- Edit the slapd32.conf file in
<ldaphome>\etc\
where ldaphome is the directory where you installed IBM
Directory. Remove these lines that follow the database rdbm line:
ibm-slapdDbName: ldapdb2
ibm-slapdDbInstance: ldapdb2
ibm-slapdDbUserPW: >.......<
ibm-slapdDbUserID: ldapdb2
- Remove the ldapdb2 database directory and all subdirectories. The
directory is located on the drive that you selected when configuring the
database. From the command prompt, type:
rd /s ldapdb2
- Log onto the system as root.
- At a command prompt, type:
su - ldapdb2
- Type
db2
to start the DB2 command shell.
- In the DB2 command shell window, type:
db2 uncatalog database ldapdb2
db2 uncatalog node ldapdb2
db2idrop ldapdb2
- Edit the slapd32.conf file in
<ldaphome>/etc/
where ldaphome is the directory where you installed IBM
Directory. Remove these lines that follow the database rdbm line:
ibm-slapdDbAlias: ldapdb2b
ibm-slapdDbName: ldapdb2
ibm-slapdDbInstance: ldapdb2
ibm-slapdDbUserPW: >.......<
ibm-slapdDbUserID: ldapdb2
- Edit the /etc/services file by removing the following two lines:
ldapdb2svc 3702/tcp
ldapdb2svci 3703/tcp
- Remove the ldapdb2 database directory and all subdirectories. The
directory is located on the filesystem you selected when configuring the
database. The default directory is /home/ldapdb2/ for most
systems. From the command prompt, type:
rm -rf ldapdb2
The BUFFPAGE and DBHEAP database configuration parameters can affect
performance. The default BUFFPAGE included with DB2 is 1000 (4 KB
pages), which might not be big enough for a large database. Also, if
you increase the BUFFPAGE parameter, you must also increase the DBHEAP size by
1 for every 30 incremented in the BUFFPAGE.
DB2 database supports multiple buffer pools. However, unless you
know how to do specialized tuning on DB2, it is recommended that you use a
single buffer pool. This can be specified using the command:
db2 alter bufferpool ibmdefaultbp size -1
To update the database configuration parameters for a database, use the
command:
db2 update database configuration for <databasename> using <param> <value>
For example, to increase the BUFFPAGE and DBHEAP size, use the
command:
db2 update database configuration for <databasename> using BUFFPAGE 20000 DBHEAP 1866
- Note:
- For more detailed performance information, see the IBM Directory Server
Version 4.1 Tuning Guide.
If you are using Windows 2000 or Windows NT and have a master server
configured to do replication, you might see an error like the following in the
slapd error log during updates:
[IBM][CLI Driver] CLI0157E Error opening a file. SQLSTATE=S1507
This problem can be resolved by adding the following stanza to the
\sqllib\db2cli.ini file:
[COMMON]
TempDir=x:\<your directory>
where x:\<your directory> specifies an existing
directory on a drive that has space available. DB2 database writes
temporary files to this directory. The amount of space required depends
on the size of the directory entries you are adding or updating, but generally
does require more space than the size of the largest entry you are
updating.
The attributes defined in IBM Directory Server configuration files are
significant to only the first 18 characters. Names longer than 18
characters are truncated to meet the DB2 restriction.
If you want to index the attribute, the limit is further restricted to 16
characters. If you add attributes longer than 18 characters, the server
might not start. For additional information, see the Server
Administration helps under Reference, Directory Schema.
The following messages might be displayed at IBM Directory Server startup
if the schema defines too many attributes:
SQL0965C The transaction log for the database is full
SQLSTATE=57011 slapd unable to start because all backends failed to configure
You might need to increase the DB2 transaction log sizes by typing:
db2 update db cfg for ldaptest using logprimary X
db2 update db cfg for ldaptest using logsecond X
where X is greater than what is currently defined.
Running certain DB2 commands, such as list database directory
and connect to ldapdb2, against the LDAPDB2 database on a Windows
NT or Windows 2000 system results in the following error:
SQL1031N: "The database directory cannot be found on the indicated filesystem."
To work around this problem, perform one of the following
workarounds:
- Log in to your NT system as ldapdb2 user and set the
DB2INSTANCE environment variable to ldapdb2.
This workaround assumes you are using the default database, ldapdb2.
- Open a DB2 window and run:
db2cmd
Set the DB2INSTANCE environment variable to ldapdb2:
set DB2INSTANCE=LDAPDB2
In addition to the slapd.errors log file that can be accessed
through the Server Administration, DB2 errors are logged in the
cli.errors file. Both files are located in the tmp subdirectory
of the IBM Directory installation directory on the Windows NT or Windows 2000
operating system.
- Note:
- The tmp subdirectory might include other DB2 files.
The IBM Directory server errors are logged to:
/tmp/slapd.errors
The DB2 errors are logged to:
/tmp/cli.errors
If the error logs do not provide enough information to resolve a problem,
you can run the IBM Directory server in a special debug mode that generates
very detailed information. The server executable slapd must be run from
a command prompt to enable debug output. The syntax is as
follows:
ldtrc on
slapd -h bitmask
where the specified bitmask value determines which categories of debug
output are generated.
For example, the following ldtrc search:
ldapsearch -l 60 -h ddejesus -D "o=IBM_US, c=US" -w secret -b "ou=Austin, o=IBM_US, c=US" "cn=Cindy Corn"
might return results similar to the following:
Connection received from 9.53.95.251 on socket 540.
86366975 704 usec SQLAllocStmt() => 0
86367557 73 usec SQLBindParameter() => 0
86367974 33 usec SQLBindParameter() => 0
86435508 52 usec SQLFetch => 0
86436039 49 usec SQLGetData => 0
86436835 454 usec SQLFreeStmt => 0
86458726 629 usec SQLAllocStmt() => 0
86459708 561 usec SQLPrepare(SELECT distinct
DB2ADMIN.LDAP_ENTRY.EID FROM DB2ADMIN.LDA
P_ENTRY,DB2ADMIN.LDAP_DESC WHERE
(DB2ADMIN.LDAP_ENTRY.EID=DB2ADMIN.LDAP_DESC.DEID
AND DB2ADMIN.LDAP_DESC.AEID=?) AND DB2ADMIN.LDAP_ENTRY.EID
IN (SELECT EID FROM DB2ADMIN.CN WHERE CN_T= ?)) => 0
See Table 2 for a description of debug categories.
Table 2. Debug categories
| Hex | Decimal | Value | Description |
|---|---|---|---|
| 0x0001 | 1 | LDAP_DEBUG_TRACE | Entry and exit from routines |
| 0x0002 | 2 | LDAP_DEBUG_PACKETS | Packet activity |
| 0x0004 | 4 | LDAP_DEBUG_ARGS | Data arguments from requests |
| 0x0008 | 8 | LDAP_DEBUG_CONNS | Connection activity |
| 0x0010 | 16 | LDAP_DEBUG_BER | Encoding and decoding of data |
| 0x0020 | 32 | LDAP_DEBUG_FILTER | Search filters |
| 0x0040 | 64 | LDAP_DEBUG_MESSAGE | Messaging subsystem activities and events |
| 0x0080 | 128 | LDAP_DEBUG_ACL | Access Control List activities |
| 0x0100 | 256 | LDAP_DEBUG_STATS | Operational statistics |
| 0x0200 | 512 | LDAP_DEBUG_THREAD | Threading statistics |
| 0x0400 | 1024 | LDAP_DEBUG_REPL | Replication statistics |
| 0x0800 | 2048 | LDAP_DEBUG_PARSE | Parsing activities |
| 0x1000 | 4096 | LDAP_DEBUG_PERFORMANCE | Relational backend performance statistics |
| 0x2000 | 8192 | LDAP_DEBUG_RDBM | Relational backend activities (RDBM) |
| 0x4000 | 16384 | LDAP_DEBUG_REFERRAL | Referral activities |
| 0x8000 | 32768 | LDAP_DEBUG_ERROR | Error conditions |
| 0xffff | 65535 | ALL | |
| 0x7fffffff | 2147483647 | LDAP_DEBUG_ANY | All levels of debug |
For example, specifying a bitmask value of 65535 turns on full debug
output and generates the most complete information.
When you are finished, issue the following command at a command
prompt:
ldtrc off
It is recommended that you contact IBM Service for assistance with
interpreting the debug output and resolving the problem.
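The bitmask passed to slapd -h is the bitwise OR of the Table 2 values, so a mask narrower than 65535 can be built from only the categories under investigation. The following helper is an added example, not part of the IBM guide: it composes a mask from category names and decodes an existing mask back into names. The function names are hypothetical; the values are the decimal column of Table 2.

```shell
#!/bin/sh
# Added example: build and decode slapd debug bitmasks from Table 2.
# Function and variable names are hypothetical.

# name:decimal pairs taken from Table 2 (LDAP_DEBUG_ prefix omitted).
LDAP_DEBUG_TABLE='
TRACE:1 PACKETS:2 ARGS:4 CONNS:8
BER:16 FILTER:32 MESSAGE:64 ACL:128
STATS:256 THREAD:512 REPL:1024 PARSE:2048
PERFORMANCE:4096 RDBM:8192 REFERRAL:16384 ERROR:32768'

# ldap_debug_mask NAME... -> prints the decimal bitmask for "slapd -h".
# Names may be given with or without the LDAP_DEBUG_ prefix; ALL is 65535.
ldap_debug_mask() {
    mask=0
    for want in "$@"; do
        want=${want#LDAP_DEBUG_}
        found=0
        if [ "$want" = "ALL" ]; then
            mask=$(( mask | 65535 ))
            found=1
        fi
        for pair in $LDAP_DEBUG_TABLE; do
            name=${pair%%:*}
            bit=${pair##*:}
            if [ "$want" = "$name" ]; then
                mask=$(( mask | bit ))
                found=1
            fi
        done
        if [ "$found" -eq 0 ]; then
            echo "unknown debug category: $want" >&2
            return 1
        fi
    done
    echo "$mask"
}

# ldap_debug_decode MASK -> prints the Table 2 categories set in MASK.
# MASK is decimal (no leading zeros) or hex with a 0x prefix.
ldap_debug_decode() {
    case $1 in
        0[xX]*)
            hex=${1#0[xX]}
            case $hex in
                ''|*[!0-9a-fA-F]*) echo "bad bitmask: $1" >&2; return 1 ;;
            esac ;;
        ''|*[!0-9]*|0?*)
            echo "bad bitmask: $1" >&2; return 1 ;;
    esac
    mask=$(( $1 ))
    out=
    for pair in $LDAP_DEBUG_TABLE; do
        name=${pair%%:*}
        bit=${pair##*:}
        if [ $(( mask & bit )) -ne 0 ]; then
            out="$out${out:+ }LDAP_DEBUG_$name"
        fi
    done
    echo "$out"
}

# Demo: connection, ACL and error categories only.
echo "slapd -h $(ldap_debug_mask CONNS ACL ERROR)"
echo "32904 enables: $(ldap_debug_decode 32904)"
```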
During migration, some log files might be created:
Errors that occurred during schema migration are logged to:
/tmp/migrate.errors
Detailed messages concerning schema migration are logged to:
/tmp/migrate41.log
IBM Directory migration errors are logged to:
/tmp/migrate41.err
IBM Directory information messages are logged to:
/tmp/migrate41.out
- Cache Setup
- Click View->Internet Options, and select
General. Then, click Settings. Under
Check for newer versions of stored pages, click Every visit to
the page.
If you are getting unpredictable results using the browser, the cache might
be storing pages with errors. On the General folder page, click
Delete files and Clear History to clear the
cache. Use these options as often as necessary.
Shutting down and restarting the browser can also repair some intermittent
problems.
- HTTP Level Setup
- In View->Internet Options, select
Advanced. Under HTTP 1.1 settings, if you
are not using the iPlanet FastTrack Server, select Use HTTP
1.1. If you are using the iPlanet FastTrack Server, clear
both check boxes, if you want the browser to use HTTP 1.0. If
you change this option, the change does not become effective until you shut
down and restart the browser.
- Scroll Bars in Navigational Area
- You might see small scroll bars in the IBM Directory Entry area on the
left-side frame of the browser. To remove the scroll bars double-click
in the area as if you are going to select a menu item. The menu area in
the left-side frame is displayed correctly. Resizing the window also
removes the scroll bars.
- Cache Setup
- Click Edit->Preferences->Advanced->Cache. Under
Document in cache is compared to document on network, click
Every time.
On this same page, if you are getting unpredictable results using the
browser, click Clear Memory Cache and Clear Disk Cache
to clear the cache. You can use these buttons as often as
necessary.
Shutting down and restarting the browser can also improve some intermittent
problems.
- Resizing Windows
- If you resize the browser window, the Java applets on the left side and
top frame are not painted to the new size. In addition, a Data Missing
browser error might occur. For these reasons, resizing the Netscape
browser window is not recommended.
- Disappearing Fields
- The fields in the work area on the right side of the screen sometimes
appear momentarily and then disappear. Minimize the browser window and
then maximize it to repaint the form correctly.
- Shutdown
- The Netscape browser takes some time to shut down Java. You need to
wait sufficient time before restarting the Netscape browser.
If you have more than one Netscape session open, you probably started the
browser before it shut down Java. If you find multiple Netscape
processes running at the same time, stop all of them, and then restart the
browser.
- Page cannot be displayed error
- If you receive a "Page cannot be displayed" error when trying to access Web
Administration, make sure the location field contains one of the following
values:
http://hostname/ldap/ or http://hostname/ldap/index.html
The Netscape browser sometimes has problems if the trailing slash is not
included.
Before configuring and populating your database, determine:
- What type of data you are going to store in the directory
- Decide what sort of schema you need to support the type of data you want
to keep in your directory. A standard set of attribute-type definitions
and object-class definitions are included with the directory server.
Before you begin adding entries to the directory, you might want to add new
attribute-type and object-class definitions that are customized to your
data.
- Note:
- You can make schema additions after the directory is already populated with
data, but schema changes might require you to unload and reload your
data.
- Which code page you are going to use
- Decide whether to create your database using the local code page or using
the Universal Character Set (UTF-8). Selecting the local code page
enables IBM Directory applications and users to get search results as expected
for the collation sequence of the native language. Using UTF-8 enables
the storing of any UTF-8 character data in the directory. IBM Directory
clients running anywhere in the world (in any UTF-8 supported language) can
access and search the directory. In many cases, however, the client
might have limited ability to properly display the results retrieved from the
directory in a particular language or character set. For more
information, see the Online Help in the Server Administration. Under
Tell me about, select UTF-8 Support.
- How you want to structure your directory data
- An IBM Directory is stored in a hierarchical tree structure. The
names of entries in the directory are based on their relative position within
the tree structure. It is important to define some logical organization
to the directory. This makes it easier for clients to determine which
branch of the tree contains the information they are trying to locate.
If you are storing data about the people in an organization, it is easy to map
the structure of the organization onto the structure of the directory.
If you are storing descriptions of applications, machine configuration data,
or data on customers, it might take more planning to decide how to structure
your directory.
- Your data security requirements
- See the SSL section under References and the Password
Encryption section under Tell me about in the Server Administration
Online Help for information about how your data is secured.
- How you want to allocate access permissions
- See the ACL section under References in the Server
Administration Online Help for information about using access
permissions.
To use change log with a non-default database you must configure it
manually. You need to have the following information:
- The Instance name of the non-default database.
- The location of the non-default database.
- The user ID and password of the owner of the non-default database.
- Using DB2 commands, create the change log database in the same instance as
the main database. The actual steps to do this vary by platform.
For example, you do the following:
- Become the user who owns the main database:
db2cmd
- Run:
db2start
- Run:
db2 create database <changelog_db_name>
[using codeset UTF-8 TERRITORY <territory>]
- Note:
- If the main database was created as UTF-8, then the change log must be
created as UTF-8.
- After the database is created, you must edit the
<ldap root>/etc/slapd32.conf file.
In the directory section that starts,
dn:cn=Directory,cn=RDBM Backends,cn=IBM Directory,cn=Schemas,cn=Configuration
add the following line:
ibm-slapdPlugin:preoperation /bin/libcl.dll CLInit cn=changelog
After that section insert the following change log section:
dn:cn=Change Log,cn=RDBM Backends,cn=IBM SecureWay,cn=Schemas,cn=Configuration
cn:Change Log
cn:changelog
ibm-slapdChangeLogMaxEntries:0
ibm-slapdDbConnections:2
ibm-slapdDbInstance:<your_db2_instance>
ibm-slapdDbName:<your_new_changelog_database_name>
ibm-slapdDbUserId:<your_database_id>
ibm-slapdDbUserPW:<your_database_password>
ibm-slapdPlugin:database /bin/libback-rdbm.dll rdbm_backend_init
ibm-slapdPlugin:preoperation /bin/libcl.dll CLInit cn=changelog
ibm-slapdReadOnly:FALSE
ibm-slapdSuffix:cn=changelog
ibm-slapdUseProcessIdPw:FALSE
objectClass:top
objectClass:ibm-slapdRdbmBackend
In the schema section that starts,
dn:cn=SchemaDB,cn=LDCF Backends,cn=IBM SecureWay,cn=Schemas,cn=Configuration
add the line:
ibm-slapdPlugin:preoperation /bin/libcl.dll CLInit cn=changelog
Restart the slapd service for the changes to take effect.
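A consistency check for the three slapd32.conf edits described above, as an added example (not IBM's code and not part of the original guide). It assumes the file is LDIF with stanzas separated by blank lines, matches stanzas by their two leading RDNs, and runs on a constructed sample configuration; the function names are hypothetical.

```python
import re

# Attribute names are taken from the stanza on this page; LDAP attribute names
# are case-insensitive, so everything is compared in lower case.
REQUIRED = ("ibm-slapddbinstance", "ibm-slapddbname", "ibm-slapddbuserid",
            "ibm-slapddbuserpw", "ibm-slapdsuffix")
MUST_MATCH_MAIN = ("ibm-slapddbinstance", "ibm-slapddbuserid", "ibm-slapddbuserpw")
# Assumption: the library file is named libcl.<ext>; the page shows only libcl.dll.
CL_PLUGIN = re.compile(r"^preoperation\s+\S*libcl\.\S+\s+CLInit\s+cn=changelog$", re.I)


def parse_stanzas(text):
    """Return [(dn, {attr: [values]})] from LDIF-style configuration text."""
    unfolded = re.sub(r"\r?\n ", "", text)       # LDIF folding: newline + one space
    stanzas, dn, attrs = [], None, {}
    for line in unfolded.splitlines() + [""]:    # trailing "" flushes the last stanza
        line = line.strip()
        if line.startswith("#"):
            continue
        if not line:
            if dn is not None:
                stanzas.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")     # first colon only: values may hold "D:"
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            if dn is not None:                   # stanza not separated by a blank line
                stanzas.append((dn, attrs))
            dn, attrs = value, {}
        elif dn is not None:
            attrs.setdefault(name, []).append(value)
    return stanzas


def find(stanzas, rdn1, rdn2):
    """Locate a stanza by its two leading RDNs, ignoring case and spacing."""
    for dn, attrs in stanzas:
        if [p.strip().lower() for p in dn.split(",")][:2] == [rdn1, rdn2]:
            return attrs
    return None


def audit_changelog(text):
    """Return a list of findings; an empty list means the three sections agree."""
    stanzas = parse_stanzas(text)
    sections = {
        "cn=Directory": find(stanzas, "cn=directory", "cn=rdbm backends"),
        "cn=Change Log": find(stanzas, "cn=change log", "cn=rdbm backends"),
        "cn=SchemaDB": find(stanzas, "cn=schemadb", "cn=ldcf backends"),
    }
    findings = []
    for label, attrs in sections.items():
        if attrs is None:
            findings.append(f"{label}: stanza not found")
        elif not any(CL_PLUGIN.match(v) for v in attrs.get("ibm-slapdplugin", [])):
            findings.append(f"{label}: changelog preoperation plugin line missing")
    main, clog = sections["cn=Directory"], sections["cn=Change Log"]
    if clog is None:
        return findings
    for name in REQUIRED:
        value = (clog.get(name) or [""])[0]
        if not value:
            findings.append(f"cn=Change Log: {name} is not set")
        elif value.startswith("<") and value.endswith(">"):
            findings.append(f"cn=Change Log: {name} still holds a template placeholder")
    suffix = (clog.get("ibm-slapdsuffix") or [""])[0]
    if suffix and suffix.lower() != "cn=changelog":
        findings.append("cn=Change Log: ibm-slapdsuffix is not cn=changelog")
    if "ibm-slapdrdbmbackend" not in [v.lower() for v in clog.get("objectclass", [])]:
        findings.append("cn=Change Log: objectClass ibm-slapdRdbmBackend missing")
    if not any(re.match(r"database\s+\S+\s+rdbm_backend_init$", v)
               for v in clog.get("ibm-slapdplugin", [])):
        findings.append("cn=Change Log: database plugin rdbm_backend_init missing")
    for name in MUST_MATCH_MAIN:                 # values are compared, never printed
        if main and main.get(name) and clog.get(name) and main[name][0] != clog[name][0]:
            findings.append(f"cn=Change Log: {name} differs from cn=Directory")
    return findings


# Constructed sample configuration (not taken from a real server).
SAMPLE_OK = """\
dn: cn=Directory, cn=RDBM Backends, cn=IBM SecureWay, cn=Schemas, cn=Configuration
cn: Directory
ibm-slapdDbInstance: ldapdb2
ibm-slapdDbName: ldapdb2
ibm-slapdDbUserId: ldapdb2
ibm-slapdDbUserPW: constructed-pw
ibm-slapdPlugin: database /bin/libback-rdbm.dll rdbm_backend_init
ibm-slapdPlugin: preoperation /bin/libcl.dll CLInit cn=changelog
objectClass: ibm-slapdRdbmBackend

dn: cn=Change Log, cn=RDBM Backends, cn=IBM SecureWay, cn=Schemas, cn=Configuration
cn: Change Log
ibm-slapdDbInstance: ldapdb2
ibm-slapdDbName: ldapclog
ibm-slapdDbUserId: ldapdb2
ibm-slapdDbUserPW: constructed-pw
ibm-slapdPlugin: database /bin/libback-rdbm.dll rdbm_backend_init
ibm-slapdPlugin: preoperation /bin/libcl.dll CLInit cn=changelog
ibm-slapdSuffix: cn=changelog
objectClass: top
objectClass: ibm-slapdRdbmBackend

dn: cn=SchemaDB, cn=LDCF Backends, cn=IBM SecureWay, cn=Schemas,
 cn=Configuration
ibm-slapdPlugin: preoperation /bin/libcl.dll CLInit cn=changelog
objectClass: ibm-slapdLdcfBackend
"""

# Same file with three constructed mistakes: SchemaDB plugin line dropped,
# a placeholder left in place, and the change log put in a different instance.
SAMPLE_BAD = (
    SAMPLE_OK
    .replace(" cn=Configuration\nibm-slapdPlugin: preoperation /bin/libcl.dll "
             "CLInit cn=changelog\n", " cn=Configuration\n")
    .replace("ibm-slapdDbName: ldapclog",
             "ibm-slapdDbName: <your_new_changelog_database_name>")
    .replace("cn: Change Log\nibm-slapdDbInstance: ldapdb2",
             "cn: Change Log\nibm-slapdDbInstance: otherinst")
)

if __name__ == "__main__":
    for finding in audit_changelog(SAMPLE_BAD):
        print(finding)
```

Findings name the attribute but never echo its value, so the output can be pasted into a ticket without exposing ibm-slapdDbUserPW.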
IBM Directory uses a DB2 database to store directory data. Use the
following steps to create that database on your system.
- Note:
- For a Windows, Windows 2000 or Windows NT operating system you must issue the
db2cmd command instead of the UNIX su - ldapdb2
command. If db2cmd does not work on your machine, click
Start->Programs->IBM DB2->Command Line Processor.
- Create a group named dbsysadm for the database
administrators:
groupadd [-g <gid>] dbsysadm
- Note:
- The groupadd command on some Linux distributions requires that the
group ID number (gid) be specified using the -g
<gid> syntax. Type cat /etc/group to
find an available group ID number. Red Hat automatically assigns the
next available gid if the -g option is not specified.
- Add users root and ldap to the dbsysadm
group.
- Open /etc/group in your favorite editor.
- Add the users root,ldap to the last line
- Note:
- There are no spaces in the syntax.
dbsysadm:x:<gid>:root,ldap
or
sed -e 's/^dbsysadm:.*:$/&root,ldap/g' /etc/group > group.tmp
cp group.tmp /etc/group
rm group.tmp
- Create a user account (ldapdb2) for the DB2 instance:
useradd -g dbsysadm -m ldapdb2
- Set the password for the user account (ldapdb2):
passwd ldapdb2
Enter the new password when prompted. You might want to record
your password for future reference.
- Create the DB2 Instance (ldapdb2):
- Create a system user whose primary group is dbsysadm
- Create a db2 instance named after the user you created in step a.
- Log in as the user you created in step a. and set the DB2INSTANCE to
the user. For example, if the user you created in step a. is
ldapuser:
DB2INSTANCE=ldapuser
/usr/IBMdb2/V7.2/instance/db2icrt -u ldapdb2 ldapdb2
- Create the DB2 database:
su - ldapdb2
Log in using the password created in step 4.
db2start
df -k
db2 create db ldapdb2 on /home/ldapdb2 using codeset UTF-8 territory US
exit
Notes:
- The database requires at least 80 MB. By default it is created in
the /home/ldapdb2 directory. If you do not have sufficient space on the
/home filesystem, create it now or select an alternate location where user
ldapdb2 has full access privileges. Substitute that path for
/home/ldapdb2 in the previous command.
- You must configure the IBM Directory server before you can begin
populating the database. See Configuration for instructions on completing this task.
The following DB2 configuration settings must be made to ensure proper
operations. This must be done for databases used by the slapd server,
including ldapdb2 (the default backend database) and ldapclog (the changelog
database, if enabled).
- Log on as ldapdb2.
su - ldapdb2
- To view the current database configuration settings, issue the following from a
command line:
db2 get db cfg for <databasename>
To view the current database manager configuration settings, issue the following
from a command line:
db2 get dbm cfg
- Update the following database configuration settings with
db2 update db cfg for <databasename> using <parm> <newvalue>
| DB2 Parameter | Minimum value allowed |
|---|---|
| APPLHEAPSZ | 1280 |
| PCKCACHESZ | 360 |
For example:
db2 update db cfg for ldapdb2 using applheapsz 1280
- Restart DB2
db2stop
db2start
To create a Traditional Chinese database, issue the following command from
a Traditional Chinese machine:
db2 create database TTW using codeset Big5 territory tw
To create a database in your current locale, issue the following
command:
db2 create database <databasename>
To create a UTF-8 database, issue the following command:
db2 create database UTF8 using codeset UTF-8 territory US
- Note:
- Use the same command to create the UTF-8 database regardless of the target
locale.
Programs ldapcfg and ldapxcfg make the following
server-specific modifications to the configuration files of the following Web
servers:
- Note:
- Does not apply to Linux and HP-UX operating systems.
- iPlanet Enterprise Webserver:
- Adds to the obj.conf
Init fn="init-cgi" timeout=0
NameTrans from=/ldap/cgi-bin fn=pfx2dir dir="/usr/ldap/web/cgi-bin" name="cgi"
NameTrans from=/ldap fn=pfx2dir dir="/usr/ldap/web"
Init fn="init-cgi" LANG="...."
Init fn="init-cgi" LIBPATH="...."
Init fn="init-cgi" LOCPATH="...."
Init fn="init-cgi" NLSPATH="...."
- iPlanet FastTrack Webserver:
- Adds to the httpd.conf
Init fn="init-cgi" timeout=0
NameTrans from=/ldap/cgi-bin fn=pfx2dir dir="/usr/ldap/web/cgi-bin" name="cgi"
NameTrans from=/ldap fn=pfx2dir dir="/usr/ldap/web"
Init fn="init-cgi" LANG="...."
Init fn="init-cgi" LIBPATH="...."
Init fn="init-cgi" LOCPATH="...."
Init fn="init-cgi" NLSPATH="...."
- Domino Enterprise 5.0.2b Webserver:
- Adds to the httpd.conf
Exec /ldap/cgi-bin/* /usr/ldap/web/cgi-bin/*
Pass /ldap/* /usr/ldap/web/*
- Apache Server:
- Adds to the srm.conf
ScriptAlias /ldap/cgi-bin/ /usr/ldap/web/cgi-bin/
Alias /ldap /usr/ldap/web
PassEnv LANG
PassEnv NLSPATH
PassEnv LOCPATH
- IBM HTTP Server:
- Adds to the httpd.conf
ScriptAlias /ldap/cgi-bin/ /usr/ldap/web/cgi-bin/
Alias /ldap /usr/ldap/web
PassEnv LANG
PassEnv NLSPATH
PassEnv LOCPATH
This appendix describes the Directory Information Tree (DIT) and the
Attributes that are used to configure the slapd32.conf file. In
previous releases the directory configuration settings were stored in a
proprietary format in the slapd32.conf file. With the Version
3.2 release the directory settings are stored using the LDIF format in
the slapd32.conf file.
cn=Configuration
- DN
- cn=Configuration
- Description
- This is the top-level entry in the configuration DIT. It holds data
of global interest to the server, although in practice it also contains
miscellaneous items. Every attribute in this entry comes from the
first section (global stanza) of slapd32.conf.
- Number
- 1 (required)
- Object Class
- ibm-slapdTop
- Mandatory Attributes
-
- Optional Attributes
-
- DN
- cn=Event Notification, cn=Configuration
- Description
- Global event notification settings for IBM Directory 4.1
- Number
- 1 (required)
- Object Class
- ibm-slapdEventNotification
- Mandatory Attributes
-
- Optional Attributes
-
- DN
- cn=Front End, cn=Configuration
- Description
- Global environment settings that the server applies at startup.
- Number
- 0 or 1 (optional)
- Object Class
- ibm-slapdFrontEnd
- Mandatory Attributes
-
- Optional Attributes
-
- DN
- cn=Kerberos, cn=Configuration
- Description
- Global Kerberos authentication settings for IBM Directory
4.1.
- Number
- 0 or 1 (optional)
- Object Class
- ibm-slapdKerberos
- Mandatory Attributes
-
- Optional Attributes
-
- DN
- cn=Master Server, cn=Configuration
- Description
- When configuring a replica, this entry holds the bind credentials and
referral URL of the master server.
- Number
- 0 or 1 (optional)
- Object Class
- ibm-slapdReplication
- Mandatory Attributes
-
- Optional Attributes
-
- ibm-slapdMasterPW (If not using Kerberos
authentication, this attribute is mandatory.)
- DN
- cn=Referral, cn=Configuration
- Description
- This entry contains all the "referral" entries from the first section
(global stanza) of slapd32.conf. If there are no referrals
(there are none by default), this entry is optional.
- Number
- 0 or 1 (optional)
- Object Class
- ibm-slapdReferral
- Mandatory Attributes
-
- Optional Attributes
-
- DN
- cn=Schemas, cn=Configuration
- Description
- This entry serves as a container for the schemas. This entry is not
really necessary because the schemas can be distinguished by the object class
ibm-slapdSchema. It is included to improve the readability of the
DIT.
Only one schema entry is currently allowed: cn=IBM SecureWay.
- Number
- 1 (required)
- Object Class
- Container
- Mandatory Attributes
-
- Optional Attributes
-
- DN
- cn=IBM SecureWay, cn=Schemas, cn=Configuration
- Description
- This entry contains all the schema configuration data from the first
section (global stanza) of slapd32.conf. It also serves as a
container for all the backends which use the schema. Multiple schemas
are not currently supported, but if they were, then there would be one
ibm-slapdSchema entry per schema. Note that multiple schemas are
assumed to be incompatible. Therefore, a backend can only be associated
with a single schema.
- Number
- 1 (required)
- Object Class
- ibm-slapdSchema
- Mandatory Attributes
-
- Optional Attributes
-
- DN
- cn=RDBM Backends, cn=IBM SecureWay, cn=Schemas, cn=Configuration
- Description
- This entry serves as a container for the RDBM backends. It
effectively replaces the "database rdbm" line from slapd32.conf by
identifying all sub-entries as DB2 backends. This entry is not really
necessary because the RDBM backends can be distinguished by object class
ibm-slapdRdbmBackend. It is included to improve the readability of the
DIT.
- Number
- 1 (required)
- Object Class
- Container
- Mandatory Attributes
-
- Optional Attributes
-
- DN
- cn=Directory, cn=RDBM Backends, cn=IBM SecureWay, cn=Schemas,
cn=Configuration
- Description
- This entry contains all the database configuration settings for the
default RDBM database backend.
Although multiple backends with arbitrary names can be created, the Server
Administration assumes that "cn=Directory" is the main directory backend, and
that "cn=Change Log" is the optional changelog backend. Only the
suffixes displayed in "cn=Directory" are configurable through the Server
Administration (except for the changelog suffix, which is set transparently by
enabling changelog).
- Number
- 0 - n (optional)
- Object Class
- ibm-slapdRdbmBackend
- Mandatory Attributes
-
- Optional Attributes
-
- DN
- cn=Change Log, cn=RDBM Backends, cn=IBM SecureWay, cn=Schemas,
cn=Configuration
- Description
- This entry contains all the database configuration settings for the change
log backend.
- Number
- 0 - n (optional)
- Object Class
- ibm-slapdRdbmBackend
- Mandatory Attributes
-
- Optional Attributes
-
- DN
- cn=LDCF Backends, cn=IBM SecureWay, cn=Schemas, cn=Configuration
- Description
- This entry serves as a container for the LDCF backends. It
effectively replaces the "database ldcf" line from slapd32.conf by
identifying all sub-entries as LDCF backends. This entry is not really
necessary because the LDCF backends can be distinguished by the object class
ibm-slapdLdcfBackend. It is included to improve the readability of the
DIT.
- Number
- 1 (required)
- Object Class
- Container
- Mandatory Attributes
-
- Optional Attributes
-
- DN
- cn=SchemaDB, cn=LDCF Backends, cn=IBM SecureWay, cn=Schemas,
cn=Configuration
- Description
- This entry contains all the database configuration data from the ldcf
database section of slapd32.conf.
- Number
- 1 (required)
- Object Class
- ibm-slapdLdcfBackend
- Mandatory Attributes
-
- Optional Attributes
-
- DN
- cn=SSL, cn=Configuration
- Description
- Global SSL connection settings for IBM Directory 4.1.
- Number
- 0 or 1 (optional)
- Object Class
- ibm-slapdSSL
- Mandatory Attributes
-
- Optional Attributes
-
- DN
- cn=CRL, cn=SSL, cn=Configuration
- Description
- This entry contains certificate revocation list data from the first
section (global stanza) of slapd32.conf. It is only needed if
"ibm-slapdSslAuth = serverclientauth" in the cn=SSL entry and the client
certificates have been issued for CRL validation.
- Number
- 0 or 1 (optional)
- Object Class
- ibm-slapdCRL
- Mandatory Attributes
-
- Optional Attributes
-
- DN
- cn = Transaction, cn = Configuration
- Description
- Specifies Global transaction support settings. Transaction support
is provided using the plugin:
Windows 98, Windows 2000 or Windows NT operating system:
extendedop /bin/libtranext.dll tranExtOpInit 1.3.18.0.2.12.5 1.3.18.0.2.12.6
AIX:
extendedop /lib/libtranext.a tranExtOpInit 1.3.18.0.2.12.5 1.3.18.0.2.12.6
Solaris operating system:
extendedop /lib/libtranext.so tranExtOpInit 1.3.18.0.2.12.5 1.3.18.0.2.12.6
The server (slapd) loads this plugin automatically at startup
if ibm-slapdTransactionEnable = TRUE. The plugin does not
need to be explicitly added to slapd32.conf.
- Number
- 1 (required)
- Object Class
- ibm-slapdTransaction
- Mandatory Attributes
-
- Optional Attributes
-
- Description
- This is the X.500 common Name attribute, which contains a name of
an object.
- Syntax
- Directory string
- Maximum Length
- 256
- Value
- Multi-valued
- Modified by
- Do not modify.
- Description
- The administrator bind DN for IBM Directory server.
- Default
- cn=root
- Syntax
- DN
- Maximum Length
- 1000
- Value
- Single-valued
- Modified by
- The ldapcfg -u admin DN command or the
ldapxcfg command.
- Description
- The administrator bind Password for IBM Directory server.
- Default
- secret
- Syntax
- Binary
- Maximum Length
- 128
- Value
- Single-valued
- Modified by
- The ldapcfg -p admin PW command or the
ldapxcfg command.
- Description
- This attribute is used by a changelog plugin to specify the maximum number
of changelog entries allowed in the RDBM database. Each changelog has
its own changeLogMaxEntries attribute.
Minimum = 0 (unlimited)
Maximum = 2,147,483,647 (32-bit, signed integer)
- Default
- 0
- Syntax
- Integer
- Maximum Length
- 11
- Value
- Single-valued
- Modified by
- Server Administration: Database -> Settings.
The default is 0 (unlimited) when change log is first created or
enabled.
- Description
- Setting this to TRUE allows searches to proceed simultaneously with
updates. It allows for 'dirty reads', that is, results that
might not be consistent with the committed state of the database.
- Default
- FALSE
- Syntax
- Boolean
- Maximum Length
- 5
- Value
- Single-valued
- Modified by
- Manually editing slapd32.conf
- Description
- Specify the number of DB2 connections the server will dedicate to the DB2
backend. The value must be between 5 and 50 (inclusive).
- Note:
- The ODBCCONS environment variable overrides the value of this directive.
If ibm-slapdDbConnections (or ODBCCONS) is less than 5 or greater than
50, the server will use 5 or 50 respectively. 1 additional connection
will be created for replication (even if no replication is defined). 2
additional connections will be created for the change log (if change log is
enabled).
- Default
- 15
- Syntax
- Integer
- Maximum Length
- 50
- Value
- Single-valued
- Modified by
- Server Administration: Settings -> Performance.
- Description
- Specifies the DB2 database instance for this backend.
- Default
- ldapdb2
- Syntax
- Directory string with case-exact matching
- Maximum Length
- 8
- Value
- Single-valued
- Modified by
- Created with the cn=Directory object when configuring the database using
the ldapcfg, ldapxcfg commands or using Server
Administration: Database -> Configure. The default
is ldapdb2. This can be edited using Server Administration:
Database -> Settings.
- Note:
- All ibm-slapdRdbmBackend objects must use the same ibm-slapdDbInstance,
ibm-slapdDbUserID, ibm-slapdDbUserPW and DB2 character set.
- Description
- Specifies the DB2 database name for this backend.
- Default
- ldapdb2
- Syntax
- Directory string with case-exact matching
- Maximum Length
- 8
- Value
- Single-valued
- Modified by
- Created with the cn=Directory object when configuring the database using
the ldapcfg, ldapxcfg commands or using Server
Administration: Database -> Configure. The default
for the cn=Directory object is ldapdb2, and for the cn=Change Log object is
chng_log. The cn=Directory value can be edited using Server
Administration: Database -> Settings.
- Note:
- All other ibm-slapdRdbmBackend objects, except change log (Server
Administration: Database -> Settings), must be edited
manually.
- Description
- Specifies the user name with which to bind to the DB2 database for this
backend.
- Default
- ldapdb2
- Syntax
- Directory string with case-exact matching
- Maximum Length
- 8
- Value
- Single-valued
- Modified by
- Created with the cn=Directory object when configuring the database using
the ldapcfg, ldapxcfg commands or using Server
Administration: Database -> Configure. The default
is ldapdb2. This can be edited using Server Administration:
Database -> Settings.
- Note:
- All ibm-slapdRdbmBackend objects must use the same ibm-slapdDbInstance,
ibm-slapdDbUserID, ibm-slapdDbUserPW and DB2 character set.
- Description
- Specifies the user password with which to bind to the DB2 database for
this backend. The password can be plain text or imask encrypted.
- Default
- ldapdb2
- Syntax
- Binary
- Maximum Length
- 128
- Value
- Single-valued
- Modified by
- Created with the cn=Directory object when configuring the database using
the ldapcfg, ldapxcfg commands or using Server
Administration: Database -> Configure. The default
password is randomly generated every time that the database is
reconfigured. This can be edited using Server Administration:
Database -> Settings.
- Note:
- All ibm-slapdRdbmBackend objects must use the same ibm-slapdDbInstance,
ibm-slapdDbUserID, ibm-slapdDbUserPW and DB2 character set.
- Description
- Specifies whether to enable Event Notification. It must be set to
either TRUE or FALSE.
If set to FALSE, the server rejects all client requests to register event
notifications with the extended result LDAP_UNWILLING_TO_PERFORM.
- Default
- TRUE
- Syntax
- Boolean
- Maximum Length
- 5
- Value
- Single-valued
- Modified by
- Server Administration: Settings -> Event
notification.
- Description
- Specifies the file path or device on the IBM Directory server machine to
which error messages are written. On Windows 98, Windows 2000 or
Windows NT operating systems, forward slashes are allowed, and a leading slash
not preceded by a drive letter (D:) is assumed to be rooted at the
install directory, that is /tmp/slapd.errors = D:\Program
Files\IBM\ldap\tmp\slapd.errors.
- Default
- /tmp/slapd.errors
- Syntax
- Directory string with case-exact matching
- Maximum Length
- 1024
- Value
- Single-valued
- Modified by
- Server Administration: Logs -> Error log ->
Settings.
- Description
- Maximum time to keep an LDAP connection open when there is no activity on
the connection. The idle time for an LDAP connection is the time (in
seconds) between the last activity on the connection and the current
time. If the connection has expired, based on the idle time being
greater than the value of this attribute, the LDAP server will clean up and
end the LDAP connection, making it available for other incoming
requests.
- Default
- 300
- Syntax
- Integer
- Length
- 11
- Count
- Single
- Usage
- Directory operation
- User Modify
- Yes
- Access Class
- Critical
- Required
- No
- Description
- Specifies a file path on the IBM Directory server machine containing
schema definitions. On Windows 98, Windows 2000 or Windows NT operating
systems, forward slashes are allowed, and a leading slash not preceded by a
drive letter (D:) is assumed to be rooted at the install directory, that
is, /etc/V3.system.at = D:\Program
Files\IBM\ldap\etc\V3.system.at.
- Default
-
/etc/V3.system.at
/etc/V3.system.oc
/etc/V3.ibm.at
/etc/V3.ibm.oc
/etc/V3.user.at
/etc/V3.user.oc
/etc/V3.ldapsyntaxes
/etc/V3.matchingrules
- Syntax
- Directory string with case-exact matching
- Maximum Length
- 1024
- Value
- Multi-valued
- Modified by
- Server Administration: Settings -> Schema ->
Files.
- Description
- Specifies the Kerberos ID of the LDAP administrator (for example,
ibm-kn=admin1@realm1). Used when Kerberos authentication is used to
authenticate the administrator when logged onto the Server Administration
interface. This may be specified instead of or in addition to adminDN
and adminPW.
- Default
- No preset default is defined.
- Syntax
- Directory string with case-exact matching
- Maximum Length
- 128
- Value
- Single-valued
- Modified by
- Server Administration: Security -> Kerberos.
- Description
- Specifies whether the server supports Kerberos authentication. It
must be either TRUE or FALSE.
- Default
- TRUE
- Syntax
- Boolean
- Maximum Length
- 5
- Value
- Single-valued
- Modified by
- Server Administration: Security -> Kerberos (Enable
Kerberos authentication)
- Description
- Specifies whether to use Kerberos identity mapping. It must be set
to either TRUE or FALSE. If set to TRUE, when a client is authenticated
with a Kerberos ID, the server searches for all local users with matching
Kerberos credentials, and adds those user DNs to the bind credentials of the
connection. This allows ACLs based on LDAP user DNs to still be usable
with Kerberos authentication.
- Default
- FALSE
- Syntax
- Boolean
- Maximum Length
- 5
- Value
- Single-valued
- Modified by
- Server Administration: Security -> Kerberos.
- Description
- Specifies the LDAP server Kerberos keytab file. This file contains
the LDAP server private key that is associated with its Kerberos
account. This file is to be protected (like the server SSL key database
file).
On Windows 98, Windows 2000 or Windows NT operating systems, forward
slashes are allowed, and any path not preceded by a drive letter
(D:) is assumed to be rooted at the install directory (that is,
/tmp/slapd.errors = D:\Program
Files\IBM\ldap\tmp\slapd.errors).
- Default
- No preset default is defined.
- Syntax
- Directory string with case-exact matching
- Maximum Length
- 1024
- Value
- Single-valued
- Modified by
- Server Administration: Security -> Kerberos.
- Description
- Specifies the Kerberos realm of the LDAP server. It is used to
publish the ldapservicename attribute in the root DSE. Note that an
LDAP server can serve as the repository of account information for multiple
KDCs (and realms), but the LDAP server, as a kerberized server, can only be a
member of a single realm.
- Default
- No preset default is defined.
- Syntax
- Directory string with case-insensitive matching
- Maximum Length
- 256
- Value
- Single-valued
- Modified by
- Server Administration: Security -> Kerberos.
- Description
- Specifies the host name of the LDAP server that contains the Certificate
Revocation Lists (CRLs) for validating client x.509v3
certificates. This parameter is needed when
ibm-slapdSslAuth=serverclientauth and the client certificates have been issued
for CRL validation.
- Default
- No preset default is defined.
- Syntax
- Directory string with case-insensitive matching
- Maximum Length
- 256
- Value
- Single-valued
- Modified by
- Server Administration: Security -> SSL -> Certificate
revocation.
- Description
- Specifies the password that server-side SSL uses to bind to the LDAP
server that contains the Certificate Revocation Lists (CRLs) for validating
client x.509v3 certificates. This parameter might be needed when
ibm-slapdSslAuth=serverclientauth and the client certificates have been issued
for CRL validation.
- Note:
- If the LDAP server holding the CRLs permits unauthenticated access to the
CRLs (that is, anonymous access), then ibm-slapdLdapCrlPassword is not
required.
- Default
- No preset default is defined.
- Syntax
- Binary
- Maximum Length
- 128
- Value
- Single-valued
- Modified by
- Server Administration: Security -> SSL -> Certificate
revocation.
- Description
- Specifies the port used to connect to the LDAP server that contains the
Certificate Revocation Lists (CRLs) for validating client x.509v3
certificates. This parameter is needed when
ibm-slapdSslAuth=serverclientauth and the client certificates have been issued
for CRL validation. (IP ports are unsigned, 16-bit integers in the
range 1 - 65535)
- Default
- No preset default is defined.
- Syntax
- Integer
- Maximum Length
- 11
- Value
- Single-valued
- Modified by
- Server Administration: Security -> SSL -> Certificate
revocation.
- Description
- Specifies the bindDN that the server-side SSL uses to bind to the LDAP
server that contains the Certificate Revocation Lists (CRLs) for validating
client x.509v3 certificates. This parameter might be needed when
ibm-slapdSslAuth=serverclientauth and the client certificates have been issued
for CRL validation.
- Note:
- If the LDAP server holding the CRLs permits unauthenticated access to the
CRLs (that is, anonymous access), then ibm-slapdLdapCrlUser is not
required.
- Default
- No preset default is defined.
- Syntax
- DN
- Maximum Length
- 1000
- Value
- Single-valued
- Modified by
- Server Administration: Security -> SSL -> Certificate
revocation.
- Description
- Specifies the bind DN of the master server. The value must match the
replicaBindDN in the replicaObject defined for the master server. When
Kerberos is used to authenticate to the replica, ibm-slapdMasterDN must
specify the DN representation of the Kerberos ID (for example,
ibm-kn=freddy@realm1). When Kerberos is used, MasterServerPW is
ignored.
- Default
- No preset default is defined.
- Syntax
- DN
- Maximum Length
- 1000
- Value
- Single-valued
- Modified by
- Server Administration: Replication -> Settings.
- Description
- Specifies the bind password of the master replica server. The value
must match replicaBindDN in the replicaObject defined for the master
server. When Kerberos is used to authenticate to the replica,
ibm-slapdMasterDN must specify the DN representation of the Kerberos ID (for
example, ibm-kn=freddy@realm1). When Kerberos is used,
MasterServerPW is ignored.
- Default
- No preset default is defined.
- Syntax
- Binary
- Maximum Length
- 128
- Value
- Single-valued
- Modified by
- Server Administration: Replication -> Settings.
- Description
- Specifies the URL of the master replica server. For example:
ldap://master.us.ibm.com
For security set to SSL only:
ldaps://master.us.ibm.com:636
For security set to none and using a nonstandard port:
ldap://master.us.ibm.com:1389
- Default
- none
- Syntax
- Directory string with case-insensitive matching
- Maximum Length
- 256
- Value
- Single-valued
- Modified by
- Server Administration: Replication -> Settings.
- Description
- Specifies the maximum number of event notifications which can be
registered per connection.
Minimum = 0 (unlimited)
Maximum = 2,147,483,647
- Default
- 100
- Syntax
- Integer
- Maximum Length
- 11
- Value
- Single-valued
- Modified by
- Server Administration: Settings -> Event
notification.
- Description
- Specifies the maximum total number of event notifications which can be
registered for all connections.
Minimum = 0 (unlimited)
Maximum = 2,147,483,647
- Default
- 0
- Syntax
- Integer
- Maximum Length
- 11
- Value
- Single-valued
- Modified by
- Server Administration: Settings -> Event
notification.
- Description
- Specifies the maximum number of transactions per server.
Minimum = 0 (unlimited)
Maximum = 2,147,483,647
- Default
- 20
- Syntax
- Integer
- Maximum Length
- 11
- Value
- Single-valued
- Modified by
- Server Administration: Settings ->
Transactions.
- Description
- Specifies the maximum number of operations per transaction.
Minimum = 0 (unlimited)
Maximum = 2,147,483,647
- Default
- 5
- Syntax
- Integer
- Maximum Length
- 11
- Value
- Single-valued
- Modified by
- Server Administration: Settings ->
Transactions.
- Description
- Specifies the maximum timeout value of a pending transaction in
seconds.
Minimum = 0 (unlimited)
Maximum = 2,147,483,647
- Default
- 300
- Syntax
- Integer
- Maximum Length
- 11
- Value
- Single-valued
- Modified by
- Server Administration: Settings ->
Transactions.
- Description
- Whether or not the server should allow non-Administrator bind for paged
results requests on a search request. If the value read from the
slapd32.conf file is FALSE, the server will process only those client
requests submitted by a user with Administrator authority. If a client
requests paged results for a search operation, does not have Administrator
authority, and the value read from the slapd32.conf file for this
attribute is FALSE, the server will return to the client with return code
insufficientAccessRights - no searching or paging will be performed.
- Default
- FALSE
- Syntax
- Boolean
- Length
- 5
- Count
- Single
- Usage
- directoryOperation
- User Modify
- Yes
- Access Class
- critical
- Objectclass
- ibm-slapdRdbmBackend
- Required
- No
- Description
- Maximum number of outstanding paged results search requests allowed active
simultaneously. Range = 0.... If a client
requests a paged results operation, and a maximum number of outstanding paged
results are currently active, then the server will return to the client with
return code of busy - no searching or paging will be performed.
- Default
- 3
- Syntax
- Integer
- Length
- 11
- Count
- Single
- Usage
- directoryOperation
- User Modify
- Yes
- Access Class
- critical
- Required
- No
- Objectclass
- ibm-slapdRdbmBackend
- Description
- Maximum number of entries to return from search for an individual page
when paged results control is specified, regardless of any "pagesize" that may
have been specified on the client search request. Range =
0.... If a client has passed a page size, then the
smaller value of the client value and the value read from slapd32.conf
will be used.
- Default
- 50
- Syntax
- Integer
- Length
- 11
- Count
- Single
- Usage
- directoryOperation
- User Modify
- Yes
- Access Class
- critical
- Required
- No
- Objectclass
- ibm-slapdRdbmBackend
- Description
- A plugin is a dynamically loaded library which extends the capabilities of
the server. An ibm-slapdPlugin attribute specifies to the server how to
load and initialize a plugin library. The syntax is:
keyword filename init_function [args...]
The syntax is slightly different for each platform because of library
naming conventions. See the Server Plugin Reference for a
list of plugins shipped with IBM Directory.
Most plugins are optional, but the RDBM backend plugin is required for all
RDBM backends.
- Default
- database /bin/libback-rdbm.dll rdbm_backend_init
- Syntax
- Directory string with case-exact matching
- Maximum Length
- 2000
- Value
- Multi-valued
- Modified by
- Must be modified manually.
- Description
- Specifies the TCP/IP port used for non-SSL connections. It cannot
have the same value as ibm-slapdSecurePort. (IP ports are unsigned,
16-bit integers in the range 1 - 65535.)
- Default
- 389
- Syntax
- Integer
- Maximum Length
- 5
- Value
- Single-valued
- Modified by
- Server Administration: Settings -> General.
- Description
- Specifies the encoding mechanism for the user passwords before they are
stored in the directory. It must be specified as none, imask, crypt, or
sha (you must use the keyword sha in order to get SHA-1
encoding). The value must be set to none for the SASL cram-md5 bind to
succeed.
- Default
- none
- Syntax
- Directory string with case-insensitive matching
- Maximum Length
- 5
- Value
- Single-valued
- Modified by
- Server Administration: Settings -> General.
- Description
- This attribute is normally applied to only the Directory backend.
It specifies whether the backend can be written to. It must be
specified as either TRUE or FALSE. It defaults to FALSE if
unspecified. If set to TRUE, the server returns
LDAP_UNWILLING_TO_PERFORM (0x35) in response to any client request which would
change data in the readOnly database.
- Default
- FALSE
- Syntax
- Boolean
- Maximum Length
- 5
- Value
- Single-valued
- Modified by
- Server Administration: Database -> Settings.
- Description
- Specifies the referral LDAP URL to pass back when the local suffixes do
not match the request. It is used for superior referral (that is, the
suffix is not within the naming context of the server).
- Default
- No preset default is defined.
- Syntax
- Directory string with case-exact matching
- Maximum Length
- 32700
- Value
- Multi-valued
- Modified by
- Server Administration: Settings -> Referrals.
- Description
- The ibm-slapdSchemaAdditions attribute is used to identify explicitly
which file holds new schema entries. This is set by default to be
/etc/V3.modifiedschema. If this attribute is not defined, the
server reverts to using the last ibm-slapdIncludeSchema file as in previous
releases.
Before Version 3.2, the last "includeSchema" entry in
slapd.conf was the file to which any new schema entries were
added by the server if it received an add request from a client.
Normally the last "includeSchema" is the V3.modifiedschema file, which
is an empty file installed just for this purpose.
- Note:
- The name modified is misleading, for it only stores new entries.
Changes to existing schema entries are made in their original files.
- Default
- /etc/V3.modifiedschema
- Syntax
- Directory string with case-exact matching
- Maximum Length
- 1024
- Value
- Single-valued
- Description
- Specifies the schema checking mechanism for the add/modify/delete
operation. It must be specified as V2, V3, or V3_lenient.
- V2 - Retain v2 and v2.1 checking. Recommended for migration
purpose.
- V3 - Perform v3 checking.
- V3_lenient - Not all parent object classes are needed. Only the
immediate object class is needed when adding entries.
- Default
- V3_lenient
- Syntax
- Directory string with case-insensitive matching
- Maximum Length
- 10
- Value
- Single-valued
- Modified by
- Server Administration: Schema -> Settings.
- Description
- Specifies the TCP/IP port used for SSL connections. It cannot have
the same value as ibm-slapdPort. (IP ports are unsigned, 16-bit
integers in the range 1 - 65535.)
- Default
- 636
- Syntax
- Integer
- Maximum Length
- 5
- Value
- Single-valued
- Modified by
- Server Administration: Security -> SSL -> General
settings.
- Description
- Enables SSL connections. Must be none, SSL, or SSLOnly.
- none - server listens on the non-ssl port only.
- SSL - server listens on both the ssl and the non-ssl ports.
- SSLOnly - server listens on the ssl port only.
- Default
- none
- Syntax
- Directory string with case-insensitive matching
- Maximum Length
- 7
- Value
- Single-valued
- Modified by
- Server Administration: Security -> SSL -> General
settings (SSL status).
- Description
- The server runs putenv() for all values of ibm-slapdSetenv at
startup to modify the server runtime environment. Shell variables (like
%PATH% or $LANG) are not expanded.
DB2CODEPAGE=1208 is required for unicode databases (this is set
automatically when you configure a unicode database using Server
Administration, or using either of the ldapcfg or
ldapxcfg commands).
setenv LDAP_CONCURRENTRW=ON turns off the locking that prevents
searches from proceeding during updates. It allows for 'dirty
reads', that is results that might not be consistent with the committed
state of the database.
- Default
- No preset default is defined.
- Syntax
- Directory string with case-exact matching
- Maximum Length
- 2000
- Value
- Multi-valued
- Modified by
- Must be edited manually.
- Description
- Specifies the maximum number of entries to return from search, regardless
of any size limit that might have been specified on the client search request
(Range = 0...). If a client has passed a limit,
then the smaller value of the client values and the value read from
slapd32.conf are used. If a client has not passed a
limit and has bound as admin DN, the limit is considered unlimited. If
the client has not passed a limit and has not bound as admin DN, then the
limit is that which was read from the slapd32.conf
file. 0 = unlimited.
- Default
- 500
- Syntax
- Integer
- Maximum Length
- 12
- Value
- Single-valued
- Modified by
- Server Administration: Settings -> Performance.
- Description
- Must be one of { "serverauth" | "serverclientauth" }. Specifies the
authentication type for the SSL connection. serverauth - supports server
authentication at the client. serverclientauth - supports both server
and client authentication.
- Default
- 3
- Syntax
- cis
- Length
- 11
- Count
- Single
- Usage
- directoryOperation
- User Modify
- Yes
- Access Class
- critical
- Objectclass
- ibm-slapdRdbmBackend
- Required
- No
- Description
- Whether or not the server should allow non-Administrator bind for sort on
a search request. If the value read from the slapd32.conf file
is FALSE, the server will process only those client requests submitted by a
user with Administrator authority. If a client requests sort for a
search operation, does not have Administrator authority, and the value read
from the slapd32.conf file for this attribute is FALSE, the server will
return to the client with return code insufficientAccessRights - no searching
or sorting will be performed.
- Default
- FALSE
- Syntax
- Boolean
- Length
- 5
- Count
- Single
- Usage
- directoryOperation
- User Modify
- Yes
- Access Class
- critical
- Objectclass
- ibm-slapdRdbmBackend
- Required
- No
- Description
- Specifies the authentication type for the ssl connection, either
serverauth or serverclientauth.
- serverauth - supports server authentication at the client. This is
the default.
- serverclientauth - supports both server and client authentication.
- Default
- serverauth
- Syntax
- Directory string with case-insensitive matching
- Maximum Length
- 16
- Value
- Single-valued
- Modified by
- Server Administration: Security -> SSL -> General
settings.
- Description
- Specifies the label that identifies the server Personal Certificate in the
key database file. This label is specified when the server private key
and certificate are created with the gsk4ikm application. If
ibm-slapdSslCertificate is not defined, the default private key, as defined in
the key database file, is used by the LDAP server for SSL connections.
- Default
- No preset default is defined.
- Syntax
- Directory string with case-exact matching
- Maximum Length
- 128
- Value
- Single-valued
- Modified by
- Server Administration: Security -> SSL -> General
settings (Key label).
- Description
- Specifies the decimal representation of a bitmask specifying the allowable
key encryption methods for establishing an SSL connection. Add the
decimal values of all the desired encryption methods to determine the value of
ibm-slapdSslCipherSpecs.
Table 3.
| Decimal value | Hexadecimal value | Encryption method |
|---|---|---|
| 256 | (0x0100) | Triple DES encryption with a 168-bit key and a SHA-1 MAC (SLAPD_SSL_TRIPLE_DES_SHA_US) |
| 512 | (0x0200) | DES encryption with a 56-bit key and a SHA-1 MAC (SLAPD_SSL_DES_SHA_US) |
| 1024 | (0x0400) | RC4 encryption with a 128-bit key and a SHA-1 MAC (SLAPD_SSL_RC4_SHA_US) |
| 2048 | (0x0800) | RC4 encryption with a 128-bit key and an MD5 MAC (SLAPD_SSL_RC4_MD5_US) |
| 4096 | (0x01000) | RC2 encryption with a 40-bit key and an MD5 MAC (SLAPD_SSL_RC2_MD5_EXPORT) |
| 8192 | (0x02000) | RC4 encryption with a 40-bit key and an MD5 MAC (SLAPD_SSL_RC4_MD5_EXPORT) |
- Default
- 12288 (SLAPD_SSL_RC2_MD5_EXPORT + SLAPD_SSL_RC4_MD5_EXPORT)
- Syntax
- Integer
- Maximum Length
- 12
- Value
- Single-valued
- Modified by
- Server Administration: Security -> SSL ->
Encryption.
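The bitmask arithmetic for ibm-slapdSslCipherSpecs, as an added example (not IBM's code): it decodes a decimal value into the Table 3 methods, encodes a chosen set of methods back into a value, and flags any enabled method whose key length is below a threshold. The 128-bit threshold and all function names are assumptions made for this example.

```python
from typing import Iterable, List, NamedTuple, Tuple


class Cipher(NamedTuple):
    bit: int        # decimal value to add into ibm-slapdSslCipherSpecs
    name: str       # constant name as printed in Table 3
    key_bits: int   # key length stated in Table 3
    mac: str        # MAC algorithm stated in Table 3


# Rows of Table 3, transcribed from the page.
TABLE_3 = [
    Cipher(256, "SLAPD_SSL_TRIPLE_DES_SHA_US", 168, "SHA-1"),
    Cipher(512, "SLAPD_SSL_DES_SHA_US", 56, "SHA-1"),
    Cipher(1024, "SLAPD_SSL_RC4_SHA_US", 128, "SHA-1"),
    Cipher(2048, "SLAPD_SSL_RC4_MD5_US", 128, "MD5"),
    Cipher(4096, "SLAPD_SSL_RC2_MD5_EXPORT", 40, "MD5"),
    Cipher(8192, "SLAPD_SSL_RC4_MD5_EXPORT", 40, "MD5"),
]
KNOWN_MASK = sum(c.bit for c in TABLE_3)  # 16128: every documented bit set


def decode_cipher_specs(value) -> Tuple[List[Cipher], int]:
    """Split a decimal attribute value into Table 3 rows and leftover bits."""
    mask = int(str(value).strip(), 10)  # the attribute syntax is a decimal Integer
    if mask < 0:
        raise ValueError("ibm-slapdSslCipherSpecs must not be negative")
    enabled = [c for c in TABLE_3 if mask & c.bit]
    return enabled, mask & ~KNOWN_MASK


def encode_cipher_specs(names: Iterable[str]) -> int:
    """Build the decimal value for a set of Table 3 constant names."""
    by_name = {c.name: c.bit for c in TABLE_3}
    mask = 0
    for name in names:
        if name not in by_name:
            raise ValueError(f"not a Table 3 constant: {name}")
        mask |= by_name[name]  # OR, so a repeated name is not counted twice
    return mask


def audit_cipher_specs(value, min_key_bits: int = 128) -> List[str]:
    """Return findings for a configured value (threshold is an assumption)."""
    enabled, unknown = decode_cipher_specs(value)
    findings = []
    if not enabled:
        findings.append("no Table 3 encryption method is enabled")
    for c in enabled:
        if c.key_bits < min_key_bits:
            findings.append(
                f"{c.name}: {c.key_bits}-bit key is below {min_key_bits} bits")
    if unknown:
        findings.append(f"bits not listed in Table 3: {unknown} (0x{unknown:x})")
    return findings


if __name__ == "__main__":
    # "12288" is the documented default; "1280" is a constructed sample value.
    for sample in ("12288", "1280"):
        print(sample, [c.name for c in decode_cipher_specs(sample)[0]])
        for finding in audit_cipher_specs(sample):
            print("  ", finding)
```

Run against the documented default of 12288, the audit reports both 40-bit export methods; a value built from the Triple DES and RC4/SHA-1 rows passes the key-length check.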
- Description
- Specifies the file path to the LDAP server SSL key database file.
This key database file is used for handling SSL connections from LDAP clients,
as well as for creating secure SSL connections to replica LDAP servers.
On Windows 98, Windows 2000 or Windows NT operating systems, forward
slashes are allowed, and a leading slash not preceded by a drive specifier
(D:) is assumed to be rooted at the install directory (that is,
/etc/key.kdb = D:\Program
Files\IBM\ldap\etc\key.kdb).
- Default
- /etc/key.kdb
- Syntax
- Directory string with case-exact matching
- Maximum Length
- 1024
- Value
- Single-valued
- Modified by
- Server Administration: Security -> SSL -> General
settings.
- Description
- Specifies the password associated with the LDAP server SSL key database
file, as specified on the ibm-slapdSslKeyDatabase parameter. If the
LDAP server key database file has an associated password stash file, then the
ibm-slapdSslKeyDatabasePW parameter can be omitted, or set to none.
- Note:
- The password stash file must be located in the same directory as the key
database file and it must have the same file name as the key database file,
but with an extension of .sth instead of .kdb.
- Default
- none
- Syntax
- Binary
- Maximum Length
- 128
- Value
- Single-valued
- Modified by
- Server Administration: Security -> SSL -> General
settings.
- Description
- Specifies a naming context to be stored in this backend.
- Note:
- This has the same name as the object class.
- Default
- No preset default is defined.
- Syntax
- DN
- Maximum Length
- 1000
- Value
- Multi-valued
- Modified by
- Server Administration: Settings -> Suffixes for
editing suffixes in the cn=Directory object only. The suffix for the
cn=Change Log object is created automatically with a fixed value when enabling
changelog. The suffix in the cn=SchemaDB object is hard coded.
Suffixes in all other backend objects must be edited manually.
- Description
- Specifies the level at which debugging and operation statistics are logged
in the slapd.errors file. It must be specified as l, m, or
h.
- h - high (provides the most information)
- m - medium (the default)
- l - low (provides the least information)
- Default
- m
- Syntax
- Directory string with case-insensitive matching
- Maximum Length
- 1
- Value
- Single-valued
- Modified by
- Server Administration: Logs -> Error log ->
Settings
- Description
- Specifies the maximum number of seconds to spend on a search request,
regardless of any time limit that might have been specified on the client
request. If a client has passed a limit, then the smaller value of the
client values and the value read from slapd32.conf are
used. If a client has not passed a limit and has bound as admin DN, the
limit is considered unlimited. If the client has not passed a limit and
has not bound as admin DN, then the limit is that which was read from the
slapd32.conf file. 0 = unlimited.
- Default
- 900
- Syntax
- Integer
- Maximum Length
-
- Value
- Single-valued
- Modified by
- Server Administration: Settings -> Performance.
- Description
- If the transaction plugin is loaded but ibm-slapdTransactionEnable is set
to FALSE, the server rejects all StartTransaction requests with the response
LDAP_UNWILLING_TO_PERFORM.
- Default
- TRUE
- Syntax
- Boolean
- Maximum Length
- 5
- Value
- Single-valued
- Modified by
- Server Administration: Settings ->
Transactions.
- Description
- If set to TRUE, the server ignores the ibm-slapdDbUserID and the
ibm-slapdDbUserPW attributes and uses its own process credentials to
authenticate to DB2.
- Default
- FALSE
- Syntax
- Boolean
- Maximum Length
- 5
- Value
- Single-valued
- Modified by
- Must be edited manually.
- Description
- The values of the objectClass attribute describe the kind of object which
an entry represents.
- Syntax
- Directory string
- Maximum Length
- 128
- Value
- Multi-valued
- Modified by
- Do not modify.
This information was developed for products and services offered in the
U.S.A. IBM might not offer the products, services, or
features discussed in this document in other countries. Consult your
local IBM representative for information on the products and services
currently available in your area. Any reference to an IBM product,
program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent
product, program, or service that does not infringe any IBM intellectual
property right may be used instead. However, it is the user's
responsibility to evaluate and verify the operation of any non-IBM product,
program, or service.
IBM may have patents or pending patent applications covering subject matter
in this document. The furnishing of this document does not give you any
license to these patents. You can send license inquiries, in writing,
to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the
IBM Intellectual Property Department in your country or send inquiries, in
writing, to:
IBM World Trade Asia Corporation Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106, Japan
The following paragraph does not apply to the United Kingdom or any
other country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION
"AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not
allow disclaimer of express or implied warranties in certain transactions,
therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical
errors. Changes are periodically made to the information herein;
these changes will be incorporated in new editions of the information.
IBM may make improvements and/or changes in the product(s) and/or the
program(s) described in this information at any time without notice.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials
for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the
purpose of enabling: (i) the exchange of information between
independently created programs and other programs (including this one) and
(ii) the mutual use of the information which has been exchanged, should
contact:
IBM Corporation
Department LZKS
11400 Burnet Road
Austin, TX 78758
U.S.A.
Such information may be available, subject to appropriate terms and
conditions, including in some cases, payment of a fee.
The licensed program described in this document and all licensed material
available for it are provided by IBM under terms of the IBM Customer
Agreement, IBM International Program License Agreement, or any equivalent
agreement between us.
Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating
environments may vary significantly. Some measurements may have been
made on development-level systems and there is no guarantee that these
measurements will be the same on generally available systems.
Furthermore, some measurement may have been estimated through
extrapolation. Actual results may vary. Users of this document
should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements or other publicly available
sources. IBM has not tested those products and cannot confirm the
accuracy of performance, compatibility or any other claims related to non-IBM
products. Questions on the capabilities of non-IBM products should be
addressed to the suppliers of those products.
All statements regarding IBM's future direction or intent are subject
to change or withdrawal without notice, and represent goals and objectives
only.
All IBM prices shown are IBM's suggested retail prices, are current
and are subject to change without notice. Dealer prices may
vary.
The following terms are trademarks of International Business Machines
Corporation in the United States, or other countries, or both:
Domino and Lotus Go are trademarks of Lotus Development Corporation in the
United States, or other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered
trademarks of Sun Microsystems, Inc. in the United States and other
countries.
Microsoft, MS-DOS, Windows 98, Windows 2000 and Windows NT are registered
trademarks of Microsoft Corporation.
UNIX is a registered trademark in the United States and/or other countries
licensed exclusively through X/Open Company Limited.
Other company, product, and service names may be trademarks or service
marks of others.