Sunday, October 26, 2008

Centralised Authentication on Solaris part #3

With the base software now installed, it's time to test it.

First off, we need to check if the web server is started. It isn't:

root@ds1 bin]#/usr/sbin/smcwebserver status
Sun Java(TM) Web Console is stopped

root@ds1 bin]#/usr/sbin/smcwebserver start
Starting Sun Java(TM) Web Console Version 3.0.3 ...
The console is running

I was then able to log in to the web console at https://ds1:6789 using my standard local user account. To initialise the Directory Service Control Center apparently requires root access, so against my better judgement I logged into the web interface as root.

The Control Center did its thing, and to my delight it even recommended that I return to using a non-privileged user again now that the initialisation was complete.

Initial indications were that everything seemed mightily slow, but it may speed up with time.
The authentication to the web console can be done as any local user, and once you select the DSCC you're asked for admin authentication to the DS itself. Makes sense, so basically the Sun directory server is just piggybacking on the existing web management console for remote administration. There doesn't appear to be a local LDAP/management client.

It quickly became obvious that the web interface didn't have any directory servers registered. It seems that I had set up what was needed for the DS server itself, but not an actual LDAP directory.

I tried creating a new directory, but it failed with: "Could not contact the DSCC agent on ds1. Use the command cacaoadm to check that the DSCC agent is installed and running on port 11162."

So:

root@ds1 bin]#cacaoadm status
Cannot find property: [cacao.embedded].

Doh!
Google provided http://bugs.opensolaris.org/view_bug.do;jsessionid=4694b06edf8cd25d148e6a54c8fa?bug_id=6745235
which shows this as being a bug in snv_97. This host is using snv_95, but I seemed to be having the same issue:

root@ds1 bin]#pkginfo -l SUNWcacaort | grep VERSION
VERSION: 2.0,REV=15

and yet the snv_95 DVD came with:
root@angelous Product]#cat /mnt/tmp/Solaris_11/Product/SUNWcacaort/pkginfo | grep VERS
VERSION=2.2.0.1,REV=2008.06.06

So I replaced SUNWcacaort, SUNWcacaosvr and SUNWcacaodtrace. There were errors along the way, but at least the command didn't return errors now.
The service isn't started by default:
root@ds1 ~]#cacaoadm enable
root@ds1 ~]#cacaoadm status
default instance is ENABLED at system startup.
default instance is not running.
root@ds1 ~]#cacaoadm start
root@ds1 ~]#cacaoadm status
default instance is ENABLED at system startup.
Smf monitoring process:
12649
12650
Uptime: 0 day(s), 0:1

Lots more RAM was being eaten up now, but moving on...

Cacao was only listening on localhost, so to get DSEE working with it I had to rerun the registration from dsccsetup:

root@ds1 ~]#cacaoadm list-params | grep network-bind
network-bind-address=127.0.0.1

root@ds1 ~]#/opt/SUNWdsee/dscc6/bin/dsccsetup status
***
DSCC Application is registered in Sun Java (TM) Web Console
***
DSCC Agent is not registered in Cacao
***
DSCC Registry has been created
Path of DSCC registry is /var/opt/SUNWdsee/dscc6/dcc/ads
Port of DSCC registry is 3998
***
root@ds1 ~]#/opt/SUNWdsee/dscc6/bin/dsccsetup cacoa-reg
Invalid subcommand cacoa-reg
For more information, see dsccsetup --help.
root@ds1 ~]#/opt/SUNWdsee/dscc6/bin/dsccsetup cacao-reg
Registering DSCC Agent in Cacao...
Checking Cacao status...
Stopping Cacao...
Enabling remote connections in Cacao ...
Starting Cacao...
DSCC agent has been successfully registered in Cacao.
root@ds1 ~]#cacaoadm list-params | grep network-bind
network-bind-address=0.0.0.0

Better!

Creating the new ldap server failed the first time, for two reasons.
1. The user that I was using didn't have the right to create a service with a low port number.
Solved using RBAC:
root@ds1 ~]#usermod -K defaultpriv=net_privaddr ds

2. The directory that I specified for the new domain didn't exist yet, and the user didn't have permission to create it. I rather just expected this to work.
root@ds1 SUNWdsee]#mkdir griffous.net
root@ds1 SUNWdsee]#chown ds:ds griffous.net/
root@ds1 SUNWdsee]#cd griffous.net/
root@ds1 griffous.net]#pwd
/opt/SUNWdsee/griffous.net
However, this too didn't quite work, because the directory already existed. Finally I granted ds access to /opt/SUNWdsee, just to get the directory created.

I didn't manage to get the server started on a privileged port, but it did come up on a non-privileged one. I'll troubleshoot that further tomorrow.
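The three failures above (cacao bound to loopback, DSCC agent not registered, the ds user lacking the privilege to bind port 389) can be caught before clicking through DSCC again. The pre-flight script below is an added example, not from the original post or from Sun's tooling: the parsing functions take command output as text so they can be exercised on the transcripts shown above, and run_checks only invokes the real cacaoadm/dsccsetup commands when they exist. It assumes a POSIX shell (ksh or /usr/xpg4/bin/sh on older Solaris) and that the success line from dsccsetup status reads "DSCC Agent is registered in Cacao".

```shell
#!/bin/sh
# Pre-flight checks for a DSCC-managed Directory Server host (added example).

# 0 if cacao accepts remote connections; DSCC needs to reach the agent on 11162.
cacao_accepts_remote() {
    addr=$(printf '%s\n' "$1" | sed -n 's/^network-bind-address=//p')
    case "$addr" in
        ""|127.0.0.1|::1) return 1 ;;
        *) return 0 ;;
    esac
}

# 0 if `dsccsetup status` output shows the agent registered in cacao.
# The positive wording is an assumption; the negative one is what the post shows.
dscc_agent_registered() {
    printf '%s\n' "$1" | grep -q 'DSCC Agent is not registered in Cacao' && return 1
    printf '%s\n' "$1" | grep -q 'DSCC Agent is registered in Cacao'
}

# 0 if a defaultpriv list keeps the basic set AND adds net_privaddr.
# A bare "net_privaddr" replaces basic, so the account loses proc_fork/proc_exec;
# the least-privilege form is defaultpriv=basic,net_privaddr.
privs_ok() {
    has_basic=1; has_bind=1
    old_ifs=$IFS; IFS=,
    for p in $1; do
        [ "$p" = basic ] && has_basic=0
        [ "$p" = net_privaddr ] && has_bind=0
    done
    IFS=$old_ifs
    [ $has_basic -eq 0 ] && [ $has_bind -eq 0 ]
}

# Live checks; silently skipped on hosts without the Sun tooling.
run_checks() {
    ds_user=${1:-ds}
    command -v cacaoadm >/dev/null 2>&1 || { echo "cacaoadm not found; skipping live checks"; return 0; }
    cacao_accepts_remote "$(cacaoadm list-params)" \
        || echo "cacao bound to loopback: run dsccsetup cacao-reg"
    dscc_agent_registered "$(/opt/SUNWdsee/dscc6/bin/dsccsetup status)" \
        || echo "DSCC agent not registered in cacao"
    # user_attr line looks like: ds::::type=normal;defaultpriv=basic,net_privaddr
    privs=$(grep "^${ds_user}:" /etc/user_attr 2>/dev/null | sed -n 's/.*defaultpriv=\([^;]*\).*/\1/p')
    privs_ok "$privs" \
        || echo "$ds_user cannot bind 389: usermod -K defaultpriv=basic,net_privaddr $ds_user"
}

run_checks "$@"
```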

Saturday, October 25, 2008

Centralised Authentication on Solaris part #2

Installing a whole root zone takes time. A lot of it.

# time zoneadm -z ds1 install
A ZFS file system has been created for this zone.
Preparing to install zone .
Creating list of files to copy from the global zone.
Copying <210541> files to the zone.
Initializing zone product registry.
Determining zone package initialization order.
Preparing to initialize <1334> packages on the zone.
Initialized <1334> packages on zone.
Zone is initialized.
The file contains a log of the zone installation.

real 65m58.822s
user 2m38.165s
sys 8m11.322s

Given just how long it took, one starts to wonder at the advantages of using zones at all, over just using stand alone virtual machines. A full VM is much more portable, and I wonder just how much management you save by using a whole root zone.
A topic for another day...

With my newly initialised zone, I proceeded to run the installer again.
This post is going to be very text heavy, but it serves as some self documentation for me, and maybe an outline for anyone else that hits this.

Choose Software Components - Main Menu
-------------------------------
Note: "* *" indicates that the selection is disabled

[ ] 1. Web Server 7.0 Update 1
[ ] 2. Directory Preparation Tool 6.4
[ ] 3. Application Server Enterprise Edition 8.2 Patch 2
[ ] 4. Directory Server Enterprise Edition 6.2
[ ] 5. Monitoring Console 1.0 Update 1
[ ] 6. High Availability Session Store 4.4.3
[ ] 7. Access Manager 7.1
[ ] 8. Message Queue 3.7 UR2
* * Java DB 10.2.2.1
[ ] 10. All Shared Components

Enter a comma separated list of products to install, or press R to refresh
the list [] {"<" goes back, "!" exits}: 4
Enter a comma separated list of components to install (or A to install all )
[A] {"<" goes back, "!" exits}

*[X] 1. Directory Service Control Center
*[X] 2. Directory Server Command-Line Utility

Next came the shared components that failed in the sparse zone:

Shared Component Upgrades Required
-----------------------------------

The shared components listed below are currently installed. They will be
upgraded for compatibility with the products you chose to install.

Component                Package        Installed   Required
--------------------------------------------------------------------------
Cacao                    SUNWcacaort    2.2.0.1     2.0:PATCHES:123896-03
Cacao                    SUNWcacaowsvr  2.2.0.1     2.0:PATCHES:123897-03
JavaActivationFramework  SUNWjaf        8.0.0.0     8.1
JavaMail                 SUNWjmail      8.0.0.0     8.1
SunWebConsole            SUNWmctag      3.0.2       3.0.2:PATCHES:125953-05
SunWebConsole            SUNWmconr      3.0.2       3.0.2:PATCHES:125951-05
SunWebConsole            SUNWmcon       3.0.2       3.0.2:PATCHES:125953-05
SunWebConsole            SUNWmcos      3.0.2       3.0.2:PATCHES:125951-05
Ant                      SUNWant        11.11.0     11.12.0

Enter 1 to upgrade these shared components and 2 to cancel [1] {"<" goes
back, "!" exits}:1

I told it to upgrade everything it needed.

Installation Directories
------------------------

Enter the name of the target installation directory for each product:


Directory Server [/opt/SUNWdsee] {"<" goes back, "!" exits}:
Directory Preparation Tool [/opt/SUNWcomds] {"<" goes back, "!" exits}:


Checking System Status

Available disk space... : Checking .... OK

Memory installed... : Checking .... OK

Swap space installed... : Checking .... OK

Operating system patches... : Checking .... OK

Operating system resources... : Checking .... OK


System ready for installation


System Ready for Installation. Memory detection is disabled in a non-global zone.

Neat, it worked out that it's not real. On with the installation, nearly.

Screen for selecting Type of Configuration

1. Configure Now - Selectively override defaults or express through

2. Configure Later - Manually configure following installation


Select Type of Configuration [1] {"<" goes back, "!" exits} 1

I opted to configure everything up front, since I may not know how to change the defaults easily later.

Specify Common Server Settings

Enter Host Name [ds1] {"<" goes back, "!" exits}
Enter DNS Domain Name [griffous.net] {"<" goes back, "!" exits}
Enter IP Address [192.168.1.74] {"<" goes back, "!" exits}
Enter Server admin User ID [admin] {"<" goes back, "!" exits}
Enter Admin User's Password (Password cannot be less than 8 characters) []
{"<" goes back, "!" exits}
Confirm Admin User's Password [] {"<" goes back, "!" exits}
Enter System User [ds] {"<" goes back, "!" exits} ds
Enter System Group [ds] {"<" goes back, "!" exits} ds

Directory Server: Create Directory Instance

Directory Server Console requires Directory Server, but does not require
a directory instance.

Although not a requirement, you can create a directory instance now
during installation.

Create a directory instance (in addition to installing Directory Server)?


1. Yes
2. No

Enter 1 or 2 [1] {"<" goes back, "!" exits} 1

I opted to set up the directory while at it, accepting all the defaults.

Directory Server: Specify Instance Creation Information

Enter Instance Directory [/var/opt/SUNWdsee/dsins1] {"<" goes back, "!"
exits}
Enter Instance Port [389] {"<" goes back, "!" exits}
Enter Instance SSL Port [636] {"<" goes back, "!" exits}
Directory Manager DN [cn=Directory Manager] {"<" goes back, "!" exits}
System User [root] {"<" goes back, "!" exits} ds
System Group [root] {"<" goes back, "!" exits} ds
Enter Instance password (At least 8 characters long) [] {"<" goes back, "!"
exits}
Retype Password [] {"<" goes back, "!" exits}
Enter Suffix [dc=griffous,dc=net] {"<" goes back, "!" exits}
Ready to Install
----------------
The following components will be installed.

Product: Java Enterprise System Identity Management Suite
Uninstall Location: /var/sadm/prod/SUNWident-entsys5u1
Space Required: 138.79 MB
---------------------------------------------------------
Sun Java(TM) System Directory Preparation Tool
Sun Java(TM) System Directory Server Enterprise Edition 6.2
Sun Java(TM) System Directory Server Enterprise Edition 6.2 Command-Line
Utilities
Java Enterprise System Directory Server 6.2 Core Server
Java Enterprise System Directory Service Control Center


1. Install
2. Start Over
3. Exit Installation

What would you like to do [1] {"<" goes back, "!" exits}?1

This failed, so I tried again, this time with everything as root.

Java Enterprise System Identity Management Suite
|-1%--------------25%-----------------50%-----------------75%--------------100%|


Installation Complete

Centralised Authentication on Solaris

It's a big topic. Some might even call it a bit daunting.

Most importantly this is a subject that I didn't feel I knew enough about, and so began the journey of discovery to learn what one must do to have single sign on (SSO) under Solaris.

Microsoft's AD really does make it a bit easy for windows admins - there really is just the one choice, and like it or not you're going to be doing it the one way. About the only weird thing is that they persist with making the very standard task of setting up a domain controller, a command line app (dcpromo.exe), despite windows being very obviously a GUI centric world.

On the Solaris/Linux front we're too spoilt for choice. There are a good number of centralised directory/LDAP systems out there and I spent the best part of a day just trying to catch up on all the naming conventions and versions.

The major players appear to be:
Apache Directory Server
OpenDS
OpenLDAP
Sun Java System Directory Server

I had a look at the last three in some depth.
OpenDS is an entirely Java based LDAP server, which is a bit...odd, but more importantly to me, it doesn't appear to have any kind of an integrated GUI front end whatsoever.
Now I know what you're thinking, it's Solaris, if you don't want command line, then pick up your toys and go play with Windows!

I've already deployed OpenLDAP on linux, and have run it for around 4 years powering my home network. It's been solid but it's really painful having to use command line tools for even the most mundane of updates. By the time you throw some kind of SSL into the mix, it becomes really ugly to manage and maintain. I'm sorry - this time around I wanted a GUI and that's that.

Which brings us to the Sun Java Directory Server - a product which goes by so many names it's VERY hard to figure out what you are working on. Being a Sun product designed for Solaris it did seem the obvious tool for the job right from the start, but I wanted to at least give some of the other choices some review before making a start.

Having made the decision to go with the Sun DS, I created a zone on supernova and started the install.

Details in the next post.