Sunday, October 26, 2008

Centralised Authentication on Solaris part #3

With the base software now installed, it's time to test it.

First off, we need to check if the web server is started. It isn't:

root@ds1 bin]#/usr/sbin/smcwebserver status
Sun Java(TM) Web Console is stopped

root@ds1 bin]#/usr/sbin/smcwebserver start
Starting Sun Java(TM) Web Console Version 3.0.3 ...
The console is running

I was then able to log in to the web console at https://ds1:6789 using my standard local user account. To initialise the Directory Service Control Center apparently requires root access, so against my better judgement I logged into the web interface as root.

The Control Center did its thing, and to my delight it even recommended that I return to using a non-privileged user again now that the initialisation was complete.

Initial indications were that everything seemed mightily slow, but it may speed up with time.
The authentication to the web console can be done as any local user, and once you select the DSCC, you're asked for admin authentication to the DS itself. Makes sense, so basically the Sun directory server is just piggybacking on the existing web management console for remote administration. There doesn't appear to be a local ldap/management client.

It quickly became obvious that the web interface didn't have any directory servers registered. It seems that I set up what was needed for the DS server itself, but not an actual ldap directory.

I tried creating a new directory, but failed with "Could not contact the DSCC agent on ds1. Use the command cacaoadm to check that the DSCC agent is installed and running on port 11162."

So:

root@ds1 bin]#cacaoadm status
Cannot find property: [cacao.embedded].

Doh!
Google provided http://bugs.opensolaris.org/view_bug.do;jsessionid=4694b06edf8cd25d148e6a54c8fa?bug_id=6745235
which shows this as being a bug in snv_97. This host is using snv_95, but I seemed to be having the same issue:

root@ds1 bin]#pkginfo -l SUNWcacaort | grep VERSION
VERSION: 2.0,REV=15

and yet the snv_95 DVD came with:
root@angelous Product]#cat /mnt/tmp/Solaris_11/Product/SUNWcacaort/pkginfo | grep VERS
VERSION=2.2.0.1,REV=2008.06.06

So I replaced SUNWcacaort, SUNWcacaosvr and SUNWcacaodtrace. There were errors along the way, but at least the command didn't return errors now.
The service isn't started by default:
root@ds1 ~]#cacaoadm enable
root@ds1 ~]#cacaoadm status
default instance is ENABLED at system startup.
default instance is not running.
root@ds1 ~]#cacaoadm start
root@ds1 ~]#cacaoadm status
default instance is ENABLED at system startup.
Smf monitoring process:
12649
12650
Uptime: 0 day(s), 0:1

Lots more RAM was being eaten up now, but moving on...

Cacao was only listening on localhost, so to get DSEE working with it, I had to rerun the registration from dsccsetup.

root@ds1 ~]#cacaoadm list-params | grep network-bind
network-bind-address=127.0.0.1

root@ds1 ~]#/opt/SUNWdsee/dscc6/bin/dsccsetup status
***
DSCC Application is registered in Sun Java (TM) Web Console
***
DSCC Agent is not registered in Cacao
***
DSCC Registry has been created
Path of DSCC registry is /var/opt/SUNWdsee/dscc6/dcc/ads
Port of DSCC registry is 3998
***
root@ds1 ~]#/opt/SUNWdsee/dscc6/bin/dsccsetup cacoa-reg
Invalid subcommand cacoa-reg
For more information, see dsccsetup --help.
root@ds1 ~]#/opt/SUNWdsee/dscc6/bin/dsccsetup cacao-reg
Registering DSCC Agent in Cacao...
Checking Cacao status...
Stopping Cacao...
Enabling remote connections in Cacao ...
Starting Cacao...
DSCC agent has been successfully registered in Cacao.
root@ds1 ~]#cacaoadm list-params | grep network-bind
network-bind-address=0.0.0.0

Better!
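A pre-flight check for the three Cacao/DSCC states hit above, as an added example that is not part of the original post and not a Sun tool. It takes the captured output of cacaoadm status, cacaoadm list-params and dsccsetup status as arguments, so it runs without a Solaris host; the sample outputs are constructed from this post, and the wording of a positive "DSCC Agent is registered" line is an assumption (the post only shows the negative form). It also flags the 0.0.0.0 bind, since after cacao-reg the agent port 11162 is reachable from every interface.

```shell
# Added example, not from the original post. Checks are driven by captured
# command output so they run anywhere; sample strings are constructed from
# the post's own output.

# cacao_running OUTPUT  -- OUTPUT is text from `cacaoadm status`.
# 0 only when an Uptime line is present and no "not running" line.
cacao_running() {
    case "$1" in
        *"is not running"*|*"Cannot find property"*) return 1 ;;
        *"Uptime:"*) return 0 ;;
    esac
    return 1
}

# cacao_bind_addr OUTPUT -- OUTPUT is text from `cacaoadm list-params`.
# Prints the network-bind-address value (empty if absent).
cacao_bind_addr() {
    printf '%s\n' "$1" | sed -n 's/^network-bind-address=//p'
}

# dscc_agent_registered OUTPUT -- OUTPUT is text from `dsccsetup status`.
# Assumption: the agent line starts "DSCC Agent" and contains
# "not registered" on failure; any other agent line counts as registered.
dscc_agent_registered() {
    line=$(printf '%s\n' "$1" | grep '^DSCC Agent' || true)
    case "$line" in
        "") return 1 ;;
        *"not registered"*) return 1 ;;
    esac
    return 0
}

# dscc_preflight STATUS PARAMS DSCC -- prints one line per finding and
# returns the number of blocking problems (the 0.0.0.0 note is not one).
dscc_preflight() {
    problems=0
    cacao_running "$1" || { echo "cacao not running: cacaoadm enable && cacaoadm start"; problems=$((problems+1)); }
    addr=$(cacao_bind_addr "$2")
    case "$addr" in
        127.0.0.1) echo "cacao bound to loopback only: run dsccsetup cacao-reg"; problems=$((problems+1)) ;;
        0.0.0.0)   echo "note: cacao listens on all interfaces; restrict port 11162 at the host firewall" ;;
    esac
    dscc_agent_registered "$3" || { echo "DSCC agent not registered: run dsccsetup cacao-reg"; problems=$((problems+1)); }
    return $problems
}

# Constructed samples copied from the post's output.
STATUS_DOWN='default instance is ENABLED at system startup.
default instance is not running.'
PARAMS_LOOPBACK='network-bind-address=127.0.0.1'
DSCC_UNREG='DSCC Application is registered in Sun Java (TM) Web Console
DSCC Agent is not registered in Cacao'
dscc_preflight "$STATUS_DOWN" "$PARAMS_LOOPBACK" "$DSCC_UNREG" || echo "blocking problems: $?"
```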

Creating the new ldap server failed the first time, for two reasons.
1. The user that I was using didn't have the right to create a service with a low port number.
Solved using RBAC:
root@ds1 ~]#usermod -K defaultpriv=net_privaddr ds

2. The directory that I specified for the new domain didn't exist yet, and the user didn't have permission to create it. I rather just expected this to work.
root@ds1 SUNWdsee]#mkdir griffous.net
root@ds1 SUNWdsee]#chown ds:ds griffous.net/
root@ds1 SUNWdsee]#cd griffous.net/
root@ds1 griffous.net]#pwd
/opt/SUNWdsee/griffous.net
However this too didn't quite work, because the directory already existed. Finally I granted ds access to /opt/SUNWdsee, just to get the directory created.

I didn't manage to get the server started on a privileged port, but it did come up on a non-privileged one. I'll troubleshoot that further tomorrow.

1 comment:

Ultra 30 said...

You Sir, are a genius! This post has helped me twice. I don't really know how you figured it out, but thanks a million!