Configuring a Proxy Server in an ITDS Environment
IBM Tivoli Directory Server (ITDS) is IBM's LDAP server. If you have any IBM applications (WebSphere, Lotus, Tivoli, Rational, etc.) in your environment, there is a good chance you're running it. It is part of IBM's middleware stack (WebSphere Application Server, ITDS, and DB2), and IBM leaves very little room for compatibility with other brands.
ITDS 6.0 introduced a proxy server. Its main feature is scalability: directory entries are partitioned over a set of back-end directory servers instead of living on a single server, and clients talk only to the proxy, which routes each operation to the back end that holds the data.
I get a lot of requests for setting up proxy servers, and I'm finding many of them are due to people having a hard time with IBM's documentation. To simplify the process, I'm going to show how I configured a proxy server with a back-end server in an AIX environment.
In my example I have two instances (proxy and back end) on a single AIX 5.3 system, using ITDS 6.0 FP7. I start by creating an instance for the back end, load it with sample data, and then configure the proxy. Throughout, the back end listens on port 1389 and the proxy on port 389, and every password is the placeholder "password"; change that before doing any of this outside a lab.
Configuring the Back End Servers
1. Create the back-end ITDS instance. The non-default ports (-p/-s) leave 389/636 free for the proxy, which matches the instance listing further down.
idsicrt -I backend -e seedforbackend -p 1389 -s 1636 -n
2. Configure the ITDS (DB2) database for the instance
idscfgdb -I backend -a backend -w password -t backend -l /home/backend
3. Configure the admin DN
idsdnpw -I backend -u cn=root -p password
4. Configure a suffix for the environment (I'm using o=ibm,c=us because I will be loading sample.ldif)
idscfgsuf -I backend -s o=ibm,c=us
5. Import the sample data LDIF shipped with ITDS. It is found in /opt/IBM/ldap/V6.x/examples (V6.0 for this release)
idsldif2db -I backend -i /opt/IBM/ldap/V6.0/examples/sample.ldif
6. Start the back-end server
idsslapd -I backend
7. Run a quick ldapsearch test against the back end's port
ldapsearch -p 1389 -D cn=root -w password -s sub -b "" objectclass=*
Configuring the Proxy
1. Create the instance for the proxy
idsicrt -I proxy -e seedforproxy -n
2. Set the admin DN and password
idsdnpw -I proxy -u cn=root -p password -n
3. Set the suffix for the proxy instance
idscfgsuf -I proxy -s o=ibm,c=us -n
4. Now the proxy instance has to be cryptographically synchronized with the back-end instance. ITDS encrypts stored secrets (for example the password the proxy will later use to bind to the back end) using the key stash file ibmslapddir.ksf, which is generated from the instance's encryption seed and salt, and the two instances were created with different seeds. Because both instances are on the same machine, I simply copy ibmslapddir.ksf from the back end's instance directory to the proxy's. This shortcut only works between servers that are essentially the same (same operating system, hardware and ITDS level); otherwise, create the proxy with the same encryption seed and salt as the back end (idsicrt -e and -g) instead. Treat the .ksf file like a private key and keep it readable only by the instance owner.
cp /home/backend/idsslapd-backend/etc/ibmslapddir.ksf /home/proxy/idsslapd-proxy/etc/ibmslapddir.ksf
Listing the ITDS instances, my environment looks like this:
idsilist -a
Directory server instances:
--------------------------------------
Instance 1:
Name: proxy
Version: 6.0
Location: /home/proxy
Description: IBM Tivoli Directory Server Instance V6.0
IP Addresses: All available
Port: 389
Secure Port: 636
Admin Daemon Port: 3538
Admin Daemon Secure Port: 3539
Type: Directory Server
--------------------------------------
Instance 2:
Name: backend
Version: 6.0
Location: /home/backend
Description: IBM Tivoli Directory Server Instance V6.0
IP Addresses: All available
Port: 1389
Secure Port: 1636
Admin Daemon Port: 3540
Admin Daemon Secure Port: 3541
Type: Directory Server
Next, I need to give the proxy a global admin group member to work with.
5. Start the proxy instance in 'configuration only mode'
idsslapd -I proxy -a
6. Add an admin member on the back-end server. First, create an LDIF file with the following:
vi /tmp/globaladmingroupmember.ldif
add:
dn: cn=manager,cn=ibmpolicies
objectclass: person
sn: manager
cn: manager
userpassword: password
Next, add it to the back-end server (port 1389):
idsldapadd -p 1389 -D cn=root -w password -f /tmp/globaladmingroupmember.ldif
expected output:
adding new entry cn=manager,cn=ibmpolicies
At this point I need to update the global admin group. Binding to the proxy as cn=root (or as any local administrator defined in the proxy's ibmslapd.conf) gives administrative access to the proxy's schema and configuration only. To get administrative access to the data held on the back-end servers, you must bind to the proxy as a member of the global admin group. This is why global admin group members matter.
7. Create an LDIF file with the following:
vi /tmp/modifyglobaladmingroup.ldif
add:
dn: globalGroupName=GlobalAdminGroup,cn=ibmpolicies
changetype: modify
add: member
member: cn=manager,cn=ibmpolicies
This makes cn=manager,cn=ibmpolicies a member of GlobalAdminGroup. The group lives under cn=ibmpolicies, which is data on the back end, so the change goes to the back end's port.
8. Apply modifyglobaladmingroup.ldif
idsldapmodify -p 1389 -D cn=root -w password -f /tmp/modifyglobaladmingroup.ldif
output:
modifying entry globalGroupName=GlobalAdminGroup,cn=ibmpolicies
9. Now I need to turn the proxy instance into an actual proxy. To do this I change the server's backend type from RDBM to PROXY (it will have no database backend at all).
vi /tmp/changeserver.ldif
add:
dn: cn=Configuration
changetype: modify
replace: ibm-slapdServerBackend
ibm-slapdServerBackend: PROXY
The proxy instance is still in 'Configuration Only Mode', so I can use ldapmodify to make the change.
idsldapmodify -p 389 -D cn=root -w password -f /tmp/changeserver.ldif
output:
modifying entry cn=Configuration
Note: Pay attention to the port number. This change needs to be made on the proxy (389), NOT on the back end (1389).
10. Add the suffixes and enable distributed groups
vi /tmp/proxysuffix.ldif
add:
dn: cn=ProxyDB, cn=Proxy Backends, cn=IBM Directory, cn=Schemas, cn=Configuration
changetype: modify
add: ibm-slapdSuffix
ibm-slapdSuffix: cn=ibmpolicies
ibm-slapdSuffix: cn=pwdpolicy
ibm-slapdSuffix: o=ibm,c=us
-
replace: ibm-slapdProxyEnableDistDynamicGroups
ibm-slapdProxyEnableDistDynamicGroups: true
-
replace: ibm-slapdProxyEnableDistGroups
ibm-slapdProxyEnableDistGroups: true
idsldapmodify -p 389 -D cn=root -w password -f /tmp/proxysuffix.ldif
output:
modifying entry cn=ProxyDB, cn=Proxy Backends, cn=IBM Directory, cn=Schemas, cn=Configuration
11. Now I need to let the proxy server know about the back-end server.
vi /tmp/backendcfg.ldif
add:
dn: cn=backend, cn=ProxyDB, cn=Proxy Backends, cn=IBM Directory, cn=Schemas, cn=Configuration
cn: backend
ibm-slapdProxyBindMethod: Simple
ibm-slapdProxyConnectionPoolSize: 5
ibm-slapdProxyDN: cn=root
ibm-slapdProxyPW: password
ibm-slapdProxyTargetURL: ldap://backend01.robscomputergarage.com:1389
objectClass: top
objectClass: ibm-slapdProxyBackendServer
objectClass: ibm-slapdConfigEntry
Add the entry into the proxy server. Keep in mind what this entry holds: the credentials the proxy uses for every connection to the back end, a simple bind as the back end's cn=root over a plain ldap:// URL. That is acceptable on a single lab box; anywhere else, point ibm-slapdProxyTargetURL at an ldaps:// URL and use a real password rather than the placeholder.
idsldapadd -p 389 -D cn=root -w password -f /tmp/backendcfg.ldif
output:
adding new entry cn=backend, cn=ProxyDB, cn=Proxy Backends, cn=IBM Directory, cn=Schemas, cn=Configuration
12. Add a back-end server group for each back-end server. In my case there is only one.
vi /tmp/servergroup.ldif
add:
dn: cn=serverGroup, cn=ProxyDB, cn=Proxy Backends, cn=IBM Directory, cn=Schemas, cn=Configuration
cn: serverGroup
ibm-slapdProxyBackendServerDN: cn=backend,cn=ProxyDB,cn=Proxy Backends,cn=IBM Directory,cn=Schemas,cn=Configuration
objectclass: top
objectclass: ibm-slapdConfigEntry
objectclass: ibm-slapdProxyBackendServerGroup
Add it on the proxy.
idsldapadd -p 389 -D cn=root -w password -f /tmp/servergroup.ldif
output:
adding new entry cn=serverGroup, cn=ProxyDB, cn=Proxy Backends, cn=IBM Directory, cn=Schemas, cn=Configuration
13. The last configuration step is to tell the proxy how the data is distributed across the back ends. Each suffix gets a split container saying how many partitions it has (ibm-slapdProxyNumPartitions), and each partition gets a split entry pointing at the back-end server that holds it. With a single back end, every suffix is one partition on cn=backend.
In my example I have three subtrees to worry about:
cn=ibmpolicies
cn=pwdpolicy
o=ibm,c=us
Create an LDIF file.
vi /tmp/splits.ldif
add:
dn: cn=cn=ibmpolicies split, cn=ProxyDB, cn=Proxy Backends, cn=IBM Directory, cn=Schemas, cn=Configuration
cn: cn=ibmpolicies split
ibm-slapdProxyNumPartitions: 1
ibm-slapdProxyPartitionBase: cn=ibmpolicies
objectclass: top
objectclass: ibm-slapdConfigEntry
objectclass: ibm-slapdProxyBackendSplitContainer

dn: cn=split1, cn=cn=ibmpolicies split, cn=ProxyDB, cn=Proxy Backends, cn=IBM Directory, cn=Schemas, cn=Configuration
cn: split1
ibm-slapdProxyBackendServerDN: cn=backend,cn=ProxyDB,cn=Proxy Backends,cn=IBM Directory,cn=Schemas,cn=Configuration
ibm-slapdProxyPartitionIndex: 1
objectclass: top
objectclass: ibm-slapdConfigEntry
objectclass: ibm-slapdProxyBackendSplit

dn: cn=cn=pwdpolicy split, cn=ProxyDB, cn=Proxy Backends, cn=IBM Directory, cn=Schemas, cn=Configuration
cn: cn=pwdpolicy split
ibm-slapdProxyNumPartitions: 1
ibm-slapdProxyPartitionBase: cn=pwdpolicy
objectclass: top
objectclass: ibm-slapdConfigEntry
objectclass: ibm-slapdProxyBackendSplitContainer

dn: cn=split1, cn=cn=pwdpolicy split, cn=ProxyDB, cn=Proxy Backends, cn=IBM Directory, cn=Schemas, cn=Configuration
cn: split1
ibm-slapdProxyBackendServerDN: cn=backend,cn=ProxyDB,cn=Proxy Backends,cn=IBM Directory,cn=Schemas,cn=Configuration
ibm-slapdProxyPartitionIndex: 1
objectclass: top
objectclass: ibm-slapdConfigEntry
objectclass: ibm-slapdProxyBackendSplit

dn: cn=o=ibm,c=us split, cn=ProxyDB, cn=Proxy Backends, cn=IBM Directory, cn=Schemas, cn=Configuration
cn: o=ibm,c=us split
ibm-slapdProxyNumPartitions: 1
ibm-slapdProxyPartitionBase: o=ibm,c=us
objectclass: top
objectclass: ibm-slapdConfigEntry
objectclass: ibm-slapdProxyBackendSplitContainer

dn: cn=split1, cn=o=ibm,c=us split, cn=ProxyDB, cn=Proxy Backends, cn=IBM Directory, cn=Schemas, cn=Configuration
cn: split1
ibm-slapdProxyBackendServerDN: cn=backend,cn=ProxyDB,cn=Proxy Backends,cn=IBM Directory,cn=Schemas,cn=Configuration
ibm-slapdProxyPartitionIndex: 1
objectclass: top
objectclass: ibm-slapdConfigEntry
objectclass: ibm-slapdProxyBackendSplit
Note that the cn of each entry must be exactly the value used in its RDN (cn: o=ibm,c=us split under dn: cn=o=ibm,c=us split, ...), or the add fails.
Add that to the proxy instance.
idsldapadd -p 389 -D cn=root -w password -f /tmp/splits.ldif
output:
adding new entry cn=cn=ibmpolicies split, cn=ProxyDB, cn=Proxy Backends, cn=IBM Directory, cn=Schemas, cn=Configuration
adding new entry cn=split1, cn=cn=ibmpolicies split, cn=ProxyDB, cn=Proxy Backends, cn=IBM Directory, cn=Schemas, cn=Configuration
adding new entry cn=cn=pwdpolicy split, cn=ProxyDB, cn=Proxy Backends, cn=IBM Directory, cn=Schemas, cn=Configuration
adding new entry cn=split1, cn=cn=pwdpolicy split, cn=ProxyDB, cn=Proxy Backends, cn=IBM Directory, cn=Schemas, cn=Configuration
adding new entry cn=o=ibm,c=us split, cn=ProxyDB, cn=Proxy Backends, cn=IBM Directory, cn=Schemas, cn=Configuration
adding new entry cn=split1, cn=o=ibm,c=us split, cn=ProxyDB, cn=Proxy Backends, cn=IBM Directory, cn=Schemas, cn=Configuration
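Steps 11 through 13 are one pattern repeated once per back end and once per suffix, and the interesting case is the one this post does not show: more than one back end, with a suffix partitioned across them. The Python script below is an added example, not code from the original post or from IBM. It generates the proxy-backend entries for any number of back-end servers and partitions (ibm-slapdProxyNumPartitions greater than 1 and one ibm-slapdProxyBackendSplit per partition), using the DN layout and attribute names from the steps above, and then checks the result for the mistakes that are easy to make by hand: a cn that does not match the entry's RDN, a split that points at a back-end entry that was never defined, and a partition count that disagrees with the number of split entries under a container. The hostnames, the bind password and the two-back-end layout in the sample at the bottom are constructed for the demonstration.

```python
# Added example (not from the original post or IBM): generate the ITDS proxy
# back-end entries of steps 11-13 for N back ends / N partitions, then check them.
# Hostnames, passwords and the layout in SAMPLE_* below are constructed.
import re
from typing import Dict, List, Tuple

PROXYDB_DN = ("cn=ProxyDB, cn=Proxy Backends, cn=IBM Directory, "
              "cn=Schemas, cn=Configuration")
Entry = Tuple[str, List[Tuple[str, str]]]  # (dn, ordered attribute/value pairs)
OC = [("objectclass", "top"), ("objectclass", "ibm-slapdConfigEntry")]


def norm_dn(dn: str) -> str:
    """Case-fold and drop optional spaces after RDN separators for comparison."""
    return re.sub(r",\s*", ",", dn).lower()


def backend_server(name: str, url: str, bind_dn: str, bind_pw: str,
                   pool: int = 5) -> Entry:
    """Step 11: one ibm-slapdProxyBackendServer entry per back end."""
    return (f"cn={name}, {PROXYDB_DN}", [
        ("cn", name),
        ("ibm-slapdProxyBindMethod", "Simple"),
        ("ibm-slapdProxyConnectionPoolSize", str(pool)),
        ("ibm-slapdProxyDN", bind_dn),
        ("ibm-slapdProxyPW", bind_pw),
        ("ibm-slapdProxyTargetURL", url),
    ] + OC + [("objectclass", "ibm-slapdProxyBackendServer")])


def server_group(name: str, backend_names: List[str]) -> Entry:
    """Step 12: a group listing the back ends (one group, as in the post)."""
    refs = [("ibm-slapdProxyBackendServerDN", f"cn={b}, {PROXYDB_DN}")
            for b in backend_names]
    return (f"cn={name}, {PROXYDB_DN}", [("cn", name)] + refs + OC
            + [("objectclass", "ibm-slapdProxyBackendServerGroup")])


def split_entries(suffix: str, backend_names: List[str]) -> List[Entry]:
    """Step 13: a split container for the suffix plus one split per partition;
    partition i (1-based) lives on backend_names[i-1]. Like the post, the
    suffix goes unescaped into the container RDN."""
    container_cn = f"{suffix} split"
    container_dn = f"cn={container_cn}, {PROXYDB_DN}"
    entries = [(container_dn, [
        ("cn", container_cn),
        ("ibm-slapdProxyNumPartitions", str(len(backend_names))),
        ("ibm-slapdProxyPartitionBase", suffix),
    ] + OC + [("objectclass", "ibm-slapdProxyBackendSplitContainer")])]
    for index, backend in enumerate(backend_names, start=1):
        entries.append((f"cn=split{index}, {container_dn}", [
            ("cn", f"split{index}"),
            ("ibm-slapdProxyBackendServerDN", f"cn={backend}, {PROXYDB_DN}"),
            ("ibm-slapdProxyPartitionIndex", str(index)),
        ] + OC + [("objectclass", "ibm-slapdProxyBackendSplit")]))
    return entries


def build_config(backends: List[Dict[str, str]],
                 splits: Dict[str, List[str]]) -> List[Entry]:
    """Servers, then the group, then the splits: the same order as the post."""
    entries = [backend_server(**b) for b in backends]
    entries.append(server_group("serverGroup", [b["name"] for b in backends]))
    for suffix, names in splits.items():
        entries += split_entries(suffix, names)
    return entries


def validate(entries: List[Entry]) -> List[str]:
    """Flag hand-editing mistakes: a cn that does not match the entry's RDN, a
    reference to a back-end entry that is not defined, and a partition count
    that disagrees with the number of split entries under the container."""
    problems = []
    known = {norm_dn(dn) for dn, _ in entries}
    for dn, attrs in entries:
        cn = next((v for a, v in attrs if a.lower() == "cn"), "")
        if not norm_dn(dn).startswith(norm_dn(f"cn={cn},")):
            problems.append(f"RDN of '{dn}' does not match cn '{cn}'")
        for attr, value in attrs:
            if attr == "ibm-slapdProxyBackendServerDN" and norm_dn(value) not in known:
                problems.append(f"'{dn}' references unknown back end '{value}'")
        declared = [int(v) for a, v in attrs if a == "ibm-slapdProxyNumPartitions"]
        if declared:
            splits = [d for d, _ in entries if norm_dn(d).endswith("," + norm_dn(dn))]
            if len(splits) != declared[0]:
                problems.append(f"'{dn}' declares {declared[0]} partitions but has "
                                f"{len(splits)} split entries")
    return problems


def to_ldif(entries: List[Entry]) -> str:
    """Render as LDIF, one blank line between entries, for idsldapadd -f."""
    return "\n\n".join("\n".join([f"dn: {dn}"] + [f"{a}: {v}" for a, v in attrs])
                       for dn, attrs in entries) + "\n"


# Constructed sample: o=ibm,c=us in two partitions over two back ends, the
# policy subtrees as a single partition on backend01.
SAMPLE_BACKENDS = [
    {"name": "backend01", "url": "ldap://backend01.example.com:1389",
     "bind_dn": "cn=root", "bind_pw": "password"},
    {"name": "backend02", "url": "ldap://backend02.example.com:1389",
     "bind_dn": "cn=root", "bind_pw": "password"},
]
SAMPLE_SPLITS = {"cn=ibmpolicies": ["backend01"], "cn=pwdpolicy": ["backend01"],
                 "o=ibm,c=us": ["backend01", "backend02"]}

if __name__ == "__main__":
    config = build_config(SAMPLE_BACKENDS, SAMPLE_SPLITS)
    for problem in validate(config):
        print("PROBLEM:", problem)
    print(to_ldif(config), end="")
```

Run it, confirm that no PROBLEM line was printed, and redirect the output to a file for idsldapadd -p 389 on the proxy. The RDN check is the one that catches a typo such as cn: o=ibmc=us split under dn: cn=o=ibm,c=us split, ..., and the partition check catches a container that advertises more partitions than it has split entries; both are cheap to find here and tedious to find once ibmslapd has rejected the file.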
Finally, the configuration of the proxy server is complete. The proxy is still in 'Configuration Only Mode', so I need to restart it in normal mode. It's also a good idea to restart ibmslapd on the back-end server.
Stop:
idsslapd -I proxy -k
Start:
idsslapd -I proxy
Stop:
idsslapd -I backend -k
Start:
idsslapd -I backend
Wrap Up
Once the back-end and proxy instances are running, run the following search against the proxy:
ldapsearch -p 389 -D cn=root -w password -b o=ibm,c=us -s base objectclass=*
You will see:
ldap_search: Insufficient access
This is because the proxy does not allow cn=root to do anything except update the proxy's own schema and configuration; it is not an administrator of the data behind the proxy. That is why we set up the global admin group member earlier.
The proper way to run the search is to bind as that global admin group member instead of cn=root:
ldapsearch -p 389 -D cn=manager,cn=ibmpolicies -w password -b o=ibm,c=us -s base objectclass=*
output:
o=IBM,c=US
objectclass=top
objectclass=organization
o=IBM