Sun Microsystems, Inc.

11. iPlanet Directory Server 5.1 Configuration

Configuration Choices

During Directory Server configuration, you are prompted for basic information. Decide how you are going to configure these basic parameters before you begin the configuration process. Depending on the type of configuration that you decide to perform, you are prompted for some or all of the following information.

  • Port number

  • Users and groups to run the server as

  • Your directory suffix

  • Several different authentication user IDs

  • The administration domain

Choosing Unique Port Numbers

Port numbers can be any number from 1 to 65535. Keep the following in mind when choosing a port number for your iPlanet Directory Server 5.1.

  • The standard iPlanet Directory Server 5.1 (LDAP) port number is 389.

  • Port 636 is reserved for LDAP over SSL. Therefore, do not use port number 636 for your standard LDAP configuration, even if 636 is not already in use. You can also use LDAP over TLS on the standard LDAP port.

  • Port numbers between 1 and 1024 have been assigned to various services by the Internet Assigned Numbers Authority. Do not use port numbers below 1024 other than 389 or 636 for directory services as they will conflict with other services. Additionally, port numbers below 1024 are accessible by root only.

  • iPlanet Directory Server 5.1 must run as root if it uses either port 389 or 636.

  • Make sure the ports you choose are not already in use. Additionally, if you are using both LDAP and LDAPS communications, make sure the port numbers chosen for these two types of access are not identical.


Note - If the LDAP naming service clients are using SSL encryption, you must use the default port numbers 389 and 636, so that the server runs as root. See "Transport Layer Security (TLS)" for information on Transport Layer Security.


For information on how to set up LDAP over SSL (LDAPS) for the iPlanet Directory Server 5.1, see the iPlanet Directory Server 5.1 Administrator's Guide.

Choosing User and Group

For security reasons, it is always best to run UNIX-based production servers with normal user privileges. That is, you do not want to run Directory Server with root privileges. However, you will have to run Directory Server with root privileges if you are using the default Directory Server ports. If Directory Server is to be started by Administration Server, Administration Server must run either as root or as the same user as iPlanet Directory Server 5.1.

You must therefore decide what user accounts you will use for the following purposes.

  • The user and group under which you will run iPlanet Directory Server 5.1.

    If you will not be running the iPlanet Directory Server 5.1 as root, it is strongly recommended that you create a user account for all iPlanet servers. You should not use any existing operating system account, and must not use the nobody account. Also, you should create a common group for the iPlanet Directory Server 5.1 files; again, you must not use the nobody group.

  • The user and group under which you will run Administration Server.

    For configurations that use the default port numbers, this must be root. However, if you use ports over 1024, then you should create a user account for all iPlanet servers, and run Administration Server as this account.

    As a security precaution, when Administration Server is being run as root, it should be shut down when it is not in use.

You should use a common group for all iPlanet servers, such as gid iPlanet, to ensure that files can be shared between servers when necessary.

Before you can install iPlanet Directory Server 5.1 and Administration Server, you must make sure that the user and group accounts you will use exist on your system.
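The port and account rules above can be checked before setup is run. The following pre-flight script is an added example, not part of the iPlanet product or this guide; the function names check_ldap_ports and check_service_account are assumptions, and the getent lookup is skipped on systems that lack it.

```shell
#!/bin/sh
# Added pre-flight check for the port and account choices (not product code).

# is_port N: true if N is an integer in 1..65535
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# check_ldap_ports LDAP_PORT LDAPS_PORT
# Returns 0 when the pair follows the rules in this section, 1 otherwise.
# Prints "root" or "unprivileged" to say which account the ports require.
check_ldap_ports() {
    ldap=$1; ldaps=$2
    is_port "$ldap" && is_port "$ldaps" || { echo "port out of range 1-65535" >&2; return 1; }
    [ "$ldap" -ne "$ldaps" ] || { echo "LDAP and LDAPS ports must differ" >&2; return 1; }
    [ "$ldap" -ne 636 ] || { echo "636 is reserved for LDAP over SSL" >&2; return 1; }
    for p in "$ldap" "$ldaps"; do
        if [ "$p" -lt 1024 ] && [ "$p" -ne 389 ] && [ "$p" -ne 636 ]; then
            echo "port $p is below 1024 and not 389/636 (IANA-assigned service)" >&2; return 1
        fi
    done
    if [ "$ldap" -lt 1024 ] || [ "$ldaps" -lt 1024 ]; then echo root; else echo unprivileged; fi
}

# check_service_account USER GROUP REQUIRED
# REQUIRED is the word printed by check_ldap_ports. Rejects the nobody
# account and group, root when the ports do not need it, and a non-root
# account when they do.
check_service_account() {
    user=$1; group=$2; required=$3
    [ "$user" != nobody ] && [ "$group" != nobody ] || { echo "nobody must not be used" >&2; return 1; }
    if [ "$user" = root ] && [ "$required" = unprivileged ]; then
        echo "root is not needed with these ports; use a dedicated iPlanet account" >&2; return 1
    fi
    if [ "$user" != root ] && [ "$required" = root ]; then
        echo "ports below 1024 require the server to run as root" >&2; return 1
    fi
    # Warn if the accounts do not exist yet (getent is not on every UNIX)
    if command -v getent >/dev/null 2>&1; then
        getent passwd "$user" >/dev/null || echo "warning: user $user does not exist yet" >&2
        getent group "$group" >/dev/null || echo "warning: group $group does not exist yet" >&2
    fi
    return 0
}
```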

Defining Authentication Entities

As you configure iPlanet Directory Server 5.1 and Administration Server, you will be asked for various user names, distinguished names (DN), and passwords. This list of login and bind entities will differ depending on the type of configuration that you are performing.

  • Directory Manager DN and password

    The Directory Manager DN is the special directory entry to which access control does not apply. Think of the directory manager as your directory's superuser. (In former releases of iPlanet Directory Server, the Directory Manager DN was known as the root DN).

    The default Directory Manager DN is cn=Directory Manager. Because the Directory Manager DN is a special entry, the Directory Manager DN does not have to conform to any suffix configured for your iPlanet Directory Server 5.1. Therefore, you must not manually create an actual iPlanet Directory Server 5.1 entry that has the same DN as the directory manager DN.

    The Directory Manager password must be at least 8 characters long, and is limited to ASCII letters, digits, and symbols.


    Note - It is wise to use the same Directory Manager DN and password for all of your LDAP servers, especially if you have set the replicas to follow referrals to the master server during client add and modify operations.


  • Configuration Directory Administrator ID and password

    The configuration directory administrator is the person responsible for managing all the iPlanet servers accessible through iPlanet Console. If you log in with this user ID, then you can administer any iPlanet server that you can see in the server topology area of iPlanet Console.

    For security, the configuration directory administrator should not be the same as the directory manager. The default configuration directory administrator ID is admin.

  • The Administration Server User and password

    You are prompted for this only during custom configurations. The Administration Server user is the special user that has all privileges for the local Administration Server. Authentication as this person allows you to administer all the iPlanet servers stored on this server.

    The Administration Server user ID and password are used only when the iPlanet Directory Server 5.1 is down and you are unable to log in as the configuration directory administrator. The existence of this user ID means that you can access Administration Server and perform disaster recovery activities such as starting iPlanet Directory Server 5.1, reading log files, and so forth.

    Normally, Administration Server user and password should be identical to the configuration directory administrator ID and password.

Choosing Your Directory Suffix

A directory suffix is the directory entry that represents the first entry in a directory tree. You will need at least one directory suffix for the tree that will contain your enterprise's data. It is common practice to select a directory suffix that corresponds to the DNS host name used by your enterprise. For example, if your organization uses the DNS name example.com, then select a suffix of dc=example,dc=com.

For more information on planning the suffixes for your directory service, see the iPlanet Directory Server 5.1 Deployment Guide.
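Two of the choices in this chapter, the Directory Manager password rule (at least 8 characters; ASCII letters, digits and symbols only) and the suffix derived from the DNS name, can be checked mechanically. The script below is an added example, not part of the product or this guide; the function names dns_to_suffix and check_dirmgr_password are assumptions, and it assumes that a space is not a "symbol" for password purposes.

```shell
#!/bin/sh
# Added helpers for the suffix and Directory Manager password choices (not product code).

# dns_to_suffix NAME: print the dc= suffix for a DNS domain, for example
#   example.com             -> dc=example,dc=com
#   Ldap.Corp.Example.COM.  -> dc=ldap,dc=corp,dc=example,dc=com
# Labels are lower-cased and a trailing dot is dropped; empty labels are rejected.
dns_to_suffix() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    case "$name" in
        ''|.*|*..*) echo "invalid DNS name: $1" >&2; return 1 ;;
    esac
    printf '%s\n' "$name" | sed 's/^/dc=/; s/\./,dc=/g'
}

# check_dirmgr_password PASSWORD: at least 8 characters and nothing outside
# printable ASCII (0x21-0x7E), which is exactly letters, digits and symbols.
# Spaces, control characters and non-ASCII bytes are rejected (assumption).
check_dirmgr_password() {
    pw=$1
    [ ${#pw} -ge 8 ] || { echo "password shorter than 8 characters" >&2; return 1; }
    rest=$(printf '%s' "$pw" | tr -d '!-~')
    [ -z "$rest" ] || { echo "password contains a character that is not an ASCII letter, digit or symbol" >&2; return 1; }
    return 0
}
```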

Choosing the Location of the Configuration Directory

Many iPlanet servers, including Directory Server 5.1, use an instance of iPlanet Directory Server 5.1 to store configuration information. This information is stored in the o=NetscapeRoot directory tree. It does not need to be held on the same iPlanet Directory Server 5.1 as your directory data. Your configuration directory is the iPlanet Directory Server 5.1 that contains the o=NetscapeRoot tree.

If you are installing iPlanet Directory Server 5.1 only to support other iPlanet servers, then that iPlanet Directory Server 5.1 is your configuration directory. If you are installing iPlanet Directory Server 5.1 to use as part of a general directory service, then you will have multiple iPlanet Directory Server 5.1 instances installed in your enterprise and you must decide which one will host the configuration directory tree, o=NetscapeRoot. You must make this decision before you install any iPlanet servers (including iPlanet Directory Server 5.1).

For ease of upgrades, you should use an iPlanet Directory Server 5.1 instance that is dedicated to supporting the o=NetscapeRoot tree; this server instance should perform no other function with regard to managing your enterprise's directory data. Also, do not use port 389 for this server instance, because doing so could prevent you from installing an iPlanet Directory Server 5.1 on that host that can be used for management of your enterprise's directory data.

Because the configuration directory normally experiences very little traffic, you can allow its server instance to coexist on a machine with another more heavily loaded iPlanet Directory Server 5.1 instance. However, for very large sites that are installing a large number of iPlanet servers, you may want to dedicate a low-end machine to the configuration directory so as to not hurt the performance of your other production servers. iPlanet server configurations result in write activities to the configuration directory. For large enough sites, this write activity could result in a short-term performance hit to your other directory activities.

Also, as with any directory configuration, consider replicating the configuration directory to increase availability and reliability. See the iPlanet Directory Server 5.1 Deployment Guide for information on using replication and DNS round robins to increase directory availability.


Caution - If the configuration directory tree is corrupted, you might need to reinstall all other iPlanet servers that are registered in that configuration directory. Remember the following guidelines when dealing with the configuration directory.

  • Always back up your configuration directory after you install a new iPlanet server

  • Never change the host name or port number used by the configuration directory

  • Never directly modify the configuration directory tree. Only the setup program for the various iPlanet servers should ever modify the configuration
