3. Install Tivoli Directory Server
Download :
CZGI9ML IBM Tivoli Access Manager Base for Linux on x86 v6.1.1
CZGJ0ML IBM Tivoli Access Manager Web Security for Linux on x86 v6.1.1
C12WNML IBM Tivoli Directory Server 6.1 Client-Server with entitlement, GSKit 7.0.3.30 (tar file) for Linux x86-64, Multilingual
C12WQML IBM Tivoli Directory Server 6.1, DB2 v 9.1 FP 02 (tar file) for Linux x86-64
C12WRML IBM Tivoli Directory Server 6.1 eWAS 6.1.0.7, Tivoli Directory Integrator 6.1.1(tar file) for Linux x86-64
Prerequisites :
- install CentOS 6.3
- minimal install
- netinstall
Other software
Apache Directory Studio
install eclipse
install plugin : http://directory.apache.org/studio/update/1.x
install vmware tools
openssh-clients is needed so you can use scp; it is not part of the minimal install (and perl is needed by the VMware Tools installer):
yum install perl
yum install openssh openssh-clients
Installation of vmwaretools :
mkdir /mnt/cdrom
mount /dev/cdrom /mnt/cdrom
cd /tmp
tar xvzf /mnt/cdrom/VM*
cd vmware-tools-distrib
./vmware-install.pl
Remove the persistent net rules, so when copying the virtual machine, the primary interface remains eth0 :
rm /etc/udev/rules.d/70-persistent-net.rules
Create ssh keys:
ssh-keygen
accept all defaults
Make sure IBM DB2 is installed :
Install DB2 for TDS
Install TDS from rpm
cd /mnt/cdrom/tdsfiles
Installing the packages one at a time (rpm -ihv / rpm -Uvh per file) only works if you get the dependency order right and do not forget the license and message packages. Install all of them in one rpm transaction instead, so rpm orders them itself:
rpm -Uvh idsldap-cltbase63-6.3.0-0.x86_64.rpm \
    idsldap-clt32bit63-6.3.0-0.x86_64.rpm \
    idsldap-clt64bit63-6.3.0-0.x86_64.rpm \
    idsldap-cltjava63-6.3.0-0.x86_64.rpm \
    idsldap-srv64bit63-6.3.0-0.x86_64.rpm \
    idsldap-srvbase64bit63-6.3.0-0.x86_64.rpm \
    idsldap-license63-6.3.0-0.x86_64.rpm \
    idsldap-msg63-en-6.3.0-0.x86_64.rpm
check :
rpm -qa | grep idsldap
should be:
idsldap-cltbase63-6.3.0-0
idsldap-clt32bit63-6.3.0-0
idsldap-cltjava63-6.3.0-0
idsldap-srvbase32bit63-6.3.0-0
idsldap-srv32bit63-6.3.0-0
I have : (close enough :-) )
idsldap-clt64bit63-6.3.0-0.x86_64
idsldap-srv64bit63-6.3.0-0.x86_64
idsldap-cltjava63-6.3.0-0.x86_64
idsldap-cltbase63-6.3.0-0.x86_64
idsldap-srvbase64bit63-6.3.0-0.x86_64
idsldap-clt32bit63-6.3.0-0.x86_64
Update TDS
Download the fix pack (6.3.0.18-ISS-ITDS-LinuxX64-IF0018), extract it, and upgrade every installed package in one transaction (the wildcards are shell globs, not escaped characters):
cd /mnt/hgfs/hostroot/local/Downloads/IBM/Tivoli/TAM611/6.3.0.18-ISS-ITDS-LinuxX64-IF0018/images
rpm -Uvh idsldap-cltbase63* idsldap-clt32bit63* idsldap-clt64bit63-6.3* idsldap-cltjava63-6.3* idsldap-srv64bit63-6.3* idsldap-srvbase64bit63-6.3* idsldap-license63-6.3* idsldap-msg63-en-6.3*
Check with rpm -qa | grep idsldap afterwards that every package now reports the fix pack version.
Install GSKit
cd /mnt/cdrom/gskit
rpm -Uvh gsk*
Update GSKit
cd /mnt/hgfs/hostroot/local/Downloads/IBM/Tivoli/TAM611/8.0.14.24-ISS-GSKIT-LinuxX64-FP0024
rpm -Uvh gsk*
Create default instance
As root, run:
usermod -aG db2iadm root
(-a keeps root's existing supplementary groups; -G on its own would replace them.)
cd /opt/ibm/ldap/V6.3/sbin
./idsxinst
useradd -r db2ldap
echo passw0rd | passwd db2ldap --stdin
passw0rd is a lab value; piping it through echo leaves it in the shell history, so set a real password interactively.
I needed to manually create this file :
cat /opt/ibm/ldap/V6.3/etc/ldapdb.properties
currentDB2InstallPath=/opt/ibm/db2/V9.7
currentDB2Version=9.7.0.0
Encryption seed (the -e value for idsicrt below): passw0rd123456789. It must be at least 12 characters; keep it somewhere safe, because replicas that receive AES-encrypted attributes must be created with the same seed.
So, in the idsxinst interface, create a new instance:
Select to create a custom instance
Select the DB2 instance db2inst1
user : db2ldap
database location : /home/db2inst1
online backup : /opt/backup
Again, on the command line. First list the DB2 instances and drop the leftover one, so idsicrt can create its own cleanly:
/opt/ibm/db2/V9.7/instance/db2ilist
/opt/ibm/db2/V9.7/instance/db2idrop dsrdbm01
Then create the directory server instance (-e is the encryption seed, -w the password for the idsldap system user that gets created, -G its primary group, -t the DB2 instance name, -p/-s the LDAP and LDAPS ports):
cd /opt/ibm/ldap/V6.3/sbin
./idsicrt -I idsldap -e passw0rd123456789 -G db2iadm -w passw0rd -p 389 -s 636 -t db2inst1
Output:
GLPWRP123I The program '/opt/ibm/ldap/V6.3/sbin/64/idsadduser' is used with the following arguments '-u idsldap -g db2iadm -w *****'.
GLPGRP011W The user 'idsldap' already exists. The user will be recreated with modified properties.
GLPGRP052W If the Network Information Service (NIS) database is installed on the system, user properties modification is not recommended.
Do you want to....
(1) Continue with the above actions, or
(2) Exit without making any changes:1
You have chosen to perform the following actions:
GLPGRP019I System user will be created for directory server instance.
GLPGRP020I The system user 'idsldap' will be created.
GLPGRP021I The user's primary group 'db2iadm' will be created.
GLPGRP024I The user 'idsldap' will be a member of group 'idsldap'.
GLPGRP025I The user 'root' will be a member of group 'db2iadm'.
GLPGRP005I The password for user 'idsldap' will be set.
GLPGRP011W The user 'idsldap' already exists. The user will be recreated with modified properties.
GLPGRP052W If the Network Information Service (NIS) database is installed on the system, user properties modification is not recommended.
Do you want to....
(1) Continue with the above actions, or
(2) Exit without making any changes:1
GLPGRP053I The home directory of the existing user 'idsldap' is /home/idsldap.
GLPGRP034I The group 'db2iadm' already exists.
GLPGRP029I The user 'idsldap' was created successfully.
GLPGRP030I The user 'idsldap' was added to group 'db2iadm' successfully.
GLPGRP047I The user 'root' is already a member of group 'db2iadm'.
GLPGRP006I Setting the password for user 'idsldap'
GLPGRP007I Successfully changed password for user 'idsldap'.
GLPWRP123I The program '/opt/ibm/ldap/V6.3/sbin/64/idsicrt' is used with the following arguments 'idsicrt -I idsldap -e ***** -G db2iadm -w ***** -t db2inst1 -p 389 -s 636'.
You have chosen to perform the following actions:
GLPICR020I A new directory server instance 'idsldap' will be created.
GLPICR057I The directory server instance will be created at: '/home/idsldap'.
GLPICR013I The directory server instance's port will be set to '389'.
GLPICR014I The directory server instance's secure port will be set to '636'.
GLPICR015I The directory instance's administration server port will be set to '3538'.
GLPICR016I The directory instance's administration server secure port will be set to '3539'.
GLPICR019I The description will be set to: 'IBM Tivoli Directory Server Instance V6.3'.
GLPICR021I Database instance 'db2inst1' will be configured.
Do you want to....
(1) Continue with the above actions, or
(2) Exit without making any changes:1
GLPICR028I Creating directory server instance: 'idsldap'.
GLPICR025I Registering directory server instance: 'idsldap'.
GLPICR026I Registered directory server instance: : 'idsldap'.
GLPICR049I Creating directories for directory server instance: 'idsldap'.
GLPICR050I Created directories for directory server instance: 'idsldap'.
GLPICR043I Creating key stash files for directory server instance: 'idsldap'.
GLPICR044I Created key stash files for directory server instance: 'idsldap'.
GLPICR040I Creating configuration file for directory server instance: 'idsldap'.
GLPICR041I Created configuration file for directory server instance: 'idsldap'.
GLPICR034I Creating schema files for directory server instance: 'idsldap'.
GLPICR035I Created schema files for directory server instance: 'idsldap'.
GLPICR037I Creating log files for directory server instance: 'idsldap'.
GLPICR038I Created log files for directory server instance: 'idsldap'.
GLPICR088I Configuring log files for directory server instance: 'idsldap'.
GLPICR089I Configured log files for directory server instance: 'idsldap'.
GLPICR085I Configuring schema files for directory server instance: 'idsldap'.
GLPICR086I Configured schema files for directory server instance: 'idsldap'.
GLPICR073I Configuring ports and IP addresses for directory server instance: 'idsldap'.
GLPICR074I Configured ports and IP addresses for directory server instance: 'idsldap'.
GLPICR077I Configuring key stash files for directory server instance: 'idsldap'.
GLPICR078I Configured key stash files for directory server instance: 'idsldap'.
GLPICR046I Creating profile scripts for directory server instance: 'idsldap'.
GLPICR047I Created profile scripts for directory server instance: 'idsldap'.
GLPICR103I Adding instance information to the .profile file for directory server instance: 'idsldap'.
GLPICR104I Added instance information to the .profile file for directory server instance: 'idsldap'.
GLPICR069I Adding entry to /etc/inittab for the administration server for directory instance: 'idsldap'.
GLPICR070I Added entry to /etc/inittab for the administration server for directory instance: 'idsldap'.
GLPICR118I Creating runtime executable for directory server instance: 'idsldap'.
GLPICR119I Created runtime executable for directory server instance: 'idsldap'.
GLPCTL074I Starting admin server for directory server instance: 'idsldap'.
GLPCTL075I Started admin server for directory server instance: 'idsldap'.
GLPICR029I Created directory server instance: : 'idsldap'.
GLPICR031I Adding database instance 'db2inst1' to directory server instance: 'idsldap'.
GLPCTL002I Creating database instance: 'db2inst1'.
GLPCTL003I Created database instance: 'db2inst1'.
GLPICR133I Setting the DB2 registry for database instance 'db2inst1' to allow DB2 SELECTIVITY.
GLPICR134I The DB2 registry for database instance 'db2inst1' has been set to allow DB2 SELECTIVITY.
GLPCTL017I Cataloging database instance node: 'db2inst1'.
GLPCTL018I Cataloged database instance node: 'db2inst1'.
GLPCTL008I Starting database manager for database instance: 'db2inst1'.
GLPCTL009I Started database manager for database instance: 'db2inst1'.
GLPCTL049I Adding TCP/IP services to database instance: 'db2inst1'.
GLPCTL050I Added TCP/IP services to database instance: 'db2inst1'.
GLPICR081I Configuring database instance 'db2inst1' for directory server instance: 'idsldap'.
GLPICR082I Configured database instance 'db2inst1' for directory server instance: 'idsldap'.
GLPICR052I Creating DB2 instance link for directory server instance: 'idsldap'.
GLPICR053I Created DB2 instance link for directory server instance: 'idsldap'.
GLPICR032I Added database instance 'db2inst1' to directory server instance: 'idsldap'.
## SET Administrator ID and Password
./idsdnpw -I idsldap -u cn=root -p passw0rd
Enter the directory server administrator password:
GLPWRP123I The program '/opt/ibm/ldap/V6.3/sbin/64/idsdnpw' is used with the following arguments '-I idsldap -u cn=root -p passw0rd'.
You have chosen to perform the following actions:
GLPDPW004I The directory server administrator DN will be set.
GLPDPW005I The directory server administrator password will be set.
Do you want to....
(1) Continue with the above actions, or
(2) Exit without making any changes:1
GLPDPW009I Setting the directory server administrator DN.
GLPDPW010I Directory server administrator DN was set.
GLPDPW006I Setting the directory server administrator password.
GLPDPW007I Directory server administrator password was set.
Note that, unlike idsicrt, idsdnpw echoes the -p value unmasked in its GLPWRP123I message (and the command lands in the shell history). For a real administrator password, leave out -p and answer the prompt instead.
Configure a database (-a/-w: DB2 instance owner and its password, -t: database name, -l: database location):
idscfgdb -I idsldap -a db2inst1 -w passw0rd -t db2ldap -l /home/ldapdb
START:
idsslapd -I idsldap
STOP:
idsslapd -I idsldap -k
START the directory administration server:
idsdiradm -I idsldap
STOP the directory administration server:
idsdiradm -I idsldap -k
## AUTOSTART
Two things still have to be started at boot: the DB2 instance (db2inst1) first, then the directory server instance (idsslapd -I idsldap). The administration server needs nothing extra: idsicrt already added an /etc/inittab entry for it (see GLPICR069I in the output above).
## Suffix
idscfgsuf -I idsldap -s o=issc
## Load LDIF
idsldif2db -i /tmp/issc.ldif -I idsldap
## Logs
cd /home/idsldap/idsslapd-idsldap/logs/
Now use ldapsearch to check (simple bind as cn=root, filter on the entry just loaded, all attributes):
ldapsearch -vx -h 172.16.231.153 -D cn=root -w passw0rd "cn=Tom Bosmans" "*"
Passing -w on the command line puts the administrator password in the shell history and in ps output; the OpenLDAP client can prompt for it with -W instead.
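A scripted version of this check, added here as an example (it is not part of the original page, nor an IBM tool): it verifies that the instance listens on the four ports idsicrt reported (389, 636, 3538, 3539), that 636 completes a TLS handshake, and that 389 and 636 actually answer an LDAPv3 anonymous simple bind, so a half-started server shows up before the ldapsearch step. It uses only the Python standard library and BER-encodes the bind request by hand (RFC 4511). The host 172.16.231.153 and the ports are taken from the page; the self-signed lab certificate on 636 is an assumption.

```python
"""Post-start check for the directory server instance (added example)."""
import socket
import ssl

# Ports from the idsicrt output above; assumed unchanged for this example.
LDAP_PORT, LDAPS_PORT, ADMIN_PORT, ADMIN_TLS_PORT = 389, 636, 3538, 3539


def ber_length(n):
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, value):
    return bytes([tag]) + ber_length(len(value)) + value


def bind_request(message_id=1):
    """LDAPMessage { messageID, BindRequest { version 3, name "", simple "" } }."""
    if not 1 <= message_id <= 127:
        raise ValueError("message_id must fit in one BER byte for this example")
    bind = ber_tlv(0x02, bytes([3]))   # version INTEGER 3
    bind += ber_tlv(0x04, b"")         # name LDAPDN, empty = anonymous
    bind += ber_tlv(0x80, b"")         # simple [0] OCTET STRING, empty
    op = ber_tlv(0x60, bind)           # [APPLICATION 0] BindRequest
    return ber_tlv(0x30, ber_tlv(0x02, bytes([message_id])) + op)


def _read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the TLV at buf[pos]."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data):
    """Return (message_id, result_code, diagnostic_message) from a BindResponse."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x61:                                  # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, code, pos = _read_tlv(op, 0)                  # resultCode ENUMERATED
    _, _matched_dn, pos = _read_tlv(op, pos)         # matchedDN
    _, diag, _ = _read_tlv(op, pos)                  # diagnosticMessage
    return (int.from_bytes(mid, "big"), int.from_bytes(code, "big"),
            diag.decode("utf-8", "replace"))


def tcp_open(host, port, timeout=3.0):
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def anonymous_bind(host, port, use_tls=False, cafile=None, timeout=3.0):
    """Send an anonymous simple bind; return (resultCode, diagnosticMessage).

    0 means the listener speaks LDAP and allows anonymous binds; 48 or 49
    still proves it is LDAP, just with anonymous access switched off.
    """
    ctx = None
    if use_tls:
        ctx = ssl.create_default_context(cafile=cafile)
        if cafile is None:
            # Lab instance with a self-signed certificate (assumption): skip
            # verification. Always pass cafile= against a real server.
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    sock = ctx.wrap_socket(raw, server_hostname=host) if ctx else raw
    try:
        sock.sendall(bind_request(1))
        data = sock.recv(4096)
    finally:
        sock.close()
    _, code, diag = parse_bind_response(data)
    return code, diag


def health_check(host):
    """Reachability of all four ports plus bind result codes on 389 and 636."""
    report = {p: tcp_open(host, p) for p in (LDAP_PORT, LDAPS_PORT, ADMIN_PORT, ADMIN_TLS_PORT)}
    if report[LDAP_PORT]:
        report["bind_389"] = anonymous_bind(host, LDAP_PORT)[0]
    if report[LDAPS_PORT]:
        report["bind_636"] = anonymous_bind(host, LDAPS_PORT, use_tls=True)[0]
    return report


if __name__ == "__main__":
    import sys
    print(health_check(sys.argv[1] if len(sys.argv) > 1 else "172.16.231.153"))
```

Run it as python3 tdscheck.py 172.16.231.153. A bind_389 value of 0 means the anonymous bind was accepted; 48 or 49 means the server is up but anonymous access is disabled. In production pass cafile= to anonymous_bind so the certificate on 636 is verified instead of skipped.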
Assign rights (new LDAP admin). The administrative roles available are:
- AuditAdmin
- DirDataAdmin
- PasswordAdmin
- ReplicationAdmin
- SchemaAdmin
- ServerConfigGroupMember
- ServerStartStopAdmin
## Set Encryption mechanism
To change the password encryption scheme from the command line, run:
idsldapmodify -D <adminDN> -w <adminPW> -i <filename>
where <filename> contains:
dn: cn=configuration
changetype: modify
replace: ibm-slapdPWEncryption
ibm-slapdPWEncryption: md5
md5 is fine for a lab but not for real life: it is an unsalted, fast hash. In production use a salted one-way hash such as ssha256 or ssha512. aes128/aes192/aes256 are not hashes but reversible encryption: the server can decrypt the stored password with its key stash, which some deployments need (a DIGEST-MD5 SASL bind, for instance, has to recover the cleartext), but it also means anyone holding the stash and the database can recover every password, so choose it deliberately. The new scheme only applies to passwords set after the change; existing values keep their old scheme until the password is changed.
The ibm-slapdPWEncryption attribute accepts these values: none, aes128, aes192, aes256, crypt, sha, ssha, md5, sha224, sha256, sha384, sha512, ssha224, ssha256, ssha384, ssha512.
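As an added example (not from the original page or from IBM), a small Python helper for this setting: it builds the modify LDIF above for a chosen scheme, refuses values outside the list and refuses the weak ones unless told otherwise, and reads the current scheme back out of a search dump of cn=configuration. The weak/unsalted/salted/reversible classification is this example's own policy, and the embedded search output is a constructed sample, not real server output.

```python
"""ibm-slapdPWEncryption helper (added example, not IBM code)."""
import re

# The values the page lists for ibm-slapdPWEncryption.
ALLOWED = {"none", "aes128", "aes192", "aes256", "crypt", "sha", "ssha", "md5",
           "sha224", "sha256", "sha384", "sha512",
           "ssha224", "ssha256", "ssha384", "ssha512"}


def classify(mech):
    """Map a scheme to 'weak', 'unsalted-hash', 'salted-hash' or 'reversible'.

    This is the example's own policy, not an IBM rating.
    """
    m = mech.lower()
    if m not in ALLOWED:
        raise ValueError("%r is not a valid ibm-slapdPWEncryption value" % mech)
    if m.startswith("aes"):
        return "reversible"      # server can decrypt with its key stash
    if m.startswith("ssha"):
        return "salted-hash"     # one-way, per-password salt
    if m in ("sha224", "sha256", "sha384", "sha512"):
        return "unsalted-hash"   # one-way but rainbow-table friendly
    return "weak"                # none, crypt, md5, sha


def pw_encryption_ldif(mech, allow_weak=False):
    """LDIF for: idsldapmodify -D <adminDN> -w <adminPW> -i <file>."""
    kind = classify(mech)
    if kind == "weak" and not allow_weak:
        raise ValueError("refusing %s (%s); pass allow_weak=True in a lab" % (mech, kind))
    return ("dn: cn=configuration\n"
            "changetype: modify\n"
            "replace: ibm-slapdPWEncryption\n"
            "ibm-slapdPWEncryption: %s\n" % mech.lower())


# Constructed sample of a base-scope search of cn=configuration, cut down to
# the lines that matter here; a real dump has many more attributes.
SAMPLE_CONFIG = """dn: cn=Configuration
cn: Configuration
ibm-slapdAdminDN: cn=root
ibm-slapdPWEncryption: md5
ibm-slapdPort: 389
"""


def current_scheme(ldif_text):
    """Return the ibm-slapdPWEncryption value found in an LDIF dump, or None."""
    for line in ldif_text.splitlines():
        m = re.match(r"ibm-slapdPWEncryption:\s*(\S+)\s*$", line, re.IGNORECASE)
        if m:
            return m.group(1).lower()
    return None


def audit(ldif_text):
    """Report the current scheme and how this example's policy rates it."""
    mech = current_scheme(ldif_text)
    return {"scheme": mech, "kind": classify(mech) if mech else "unknown"}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "ssha512"
    print("current:", audit(SAMPLE_CONFIG))
    with open("pwenc.ldif", "w") as f:
        f.write(pw_encryption_ldif(target))
    print("wrote pwenc.ldif for", target,
          "- apply with: idsldapmodify -D cn=root -w <adminPW> -i pwenc.ldif")
```

Dump the live setting with idsldapsearch -D cn=root -w <adminPW> -s base -b cn=configuration ibm-slapdPWEncryption and feed that text to audit(); then apply the file the script writes with idsldapmodify as shown above. The new scheme only covers passwords set from then on, so an audit straight after the change will still find old md5 values on existing entries.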