Jim Connors' Weblog
Working Around a Simple Directory Server Install Issue with Windows
While working with a customer evaluating Sun's Directory Server
Enterprise Edition 6.3 for Windows, we came across a problem during
a very basic install and setup. For posterity's sake, I thought it might
make sense to document the issue and offer a few potential workarounds.
How to replicate
1. Install the directory server. In this case the downloadable image has been unzipped into the c:\tmp\dsee63\DSEE_ZIP_DISTRIBUTION directory:
C:\tmp\dsee63\DSEE_ZIP_Distribution> dsee_deploy --no-inter -i /tmp/ds63
Unzipping sun-ldap-shared-l10n.zip ...
Unzipping sun-ldap-directory.zip ...
Unzipping sun-ldap-console-gui-help-l10n.zip ...
Configuring Cacao at /tmp/ds63/dsee6/cacao_2
...
You can now start your Directory Server Instances
You can now start your Directory Proxy Server Instances
2. Create a new Directory Server instance and start the instance
C:\tmp\dsee63\DSEE_ZIP_Distribution>cd \tmp\ds63
C:\tmp\ds63> set PATH=c:\tmp\ds63\ds6\bin;c:\tmp\ds63\dsrk6\bin;%PATH%
C:\tmp\ds63>dsadm create /tmp/instance
Choose the Directory Manager password:
Confirm the Directory Manager password:
Use 'dsadm start '/tmp/instance'' to start the instance
C:\tmp\ds63>dsadm start /tmp/instance
Waiting for Directory Server instance 'C:/tmp/instance' to start...
Directory Server instance 'C:/tmp/instance' started: pid=2144
3. Create a suffix. This is where the installation fails:
C:\tmp\ds63>dsconf create-suffix -h localhost -p 1389 dc=example,dc=com
Enter "cn=Directory Manager" password:
Unable to bind securely on "localhost:1389".
The "create-suffix" operation failed on "localhost:1389".
The problem here is described in The Sun Java System Directory Server Enterprise Edition 6.3 Release Notes:
- On Windows systems, Directory Server does not allow Start TLS by default.
  This issue affects server instances on Windows systems only. This issue is due to performance on Windows systems when Start TLS is used.
  To work around this issue, consider using the -P option with the dsconf command to connect using the SSL port directly. Alternatively, if your network connection is already secured, consider using the -e option with the dsconf command. The option lets you connect to the standard port without requesting a secure connection.
Two Potential Workarounds
Workaround 1: Issue the 'dsconf create-suffix' command by directly connecting to the SSL port (-P 1636)
C:\tmp\ds63>dsconf create-suffix -h localhost -P 1636 dc=example,dc=com
Certificate "CN=TECRA-A1, CN=1636, CN=Directory Server, O=Sun Microsystems" presented by the server is not trusted.
Type "Y" to accept, "y" to accept just once, "n" to refuse, "d" for more details: Y
Enter "cn=Directory Manager" password:
Workaround 2: Modify the ds-start-tls-enabled attribute that is stored in the directory server configuration.
a. Create a file, say c:\tmp\modify.ldif which looks like:
dn: cn=config
changetype: modify
replace: ds-start-tls-enabled
ds-start-tls-enabled: on
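b. Issue an ldapmodify command something like this (it binds over the standard port without Start TLS, so the password is sent unencrypted; here the connection is to localhost):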
C:\tmp>ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w password < c:\tmp\modify.ldif
modifying entry cn=config
c. Confirm modification via ldapsearch command:
C:\tmp>ldapsearch -b "cn=config" -h localhost -p 1389 -D "cn=Directory Manager" -w password "cn=config" ds-start-tls-enabled
version: 1
dn: cn=config
ds-start-tls-enabled: on
dn: cn=config,cn=chaining database,cn=plugins,cn=config
dn: cn=config,cn=ldbm database,cn=plugins,cn=config
d. Stop and restart the directory server instance
C:\tmp\ds63>dsadm stop /tmp/instance
Directory Server instance 'C:/tmp/instance' stopped
C:\tmp\ds63>dsadm start /tmp/instance
Directory Server instance 'C:/tmp/instance' started: pid=3560
e. Try creating a suffix with the standard port (1389):
C:\tmp\ds63>dsconf create-suffix -h localhost -p 1389 dc=example1,dc=com
Enter "cn=Directory Manager" password:
Note: Directory Server Enterprise Edition 6.3 is supported on Windows Server 2003, but not for Windows XP. Although not formally supported, it is possible to experiment with XP.
Posted at 10:03AM May 19, 2008 by jtc in Sun | Comments[4]
Jim......... man you saved me A LOT of aggravation!
Thanks dude!
Rich
Posted by Richard Hajinlian on June 17, 2008 at 10:07 AM EDT #
saved me!!
Thanks a lot!
Posted by DavidDai on July 01, 2008 at 04:54 AM EDT #
D:\DSEE\ds6\bin>dsconf create-suffix -e -h localhost -p 1389 dc=example,dc=com
Enter "cn=Directory Manager" password:adminadmin
adminadmin was my password during the installation.
This works fine.
-e is unsecured port.
Posted by Raghuvir on August 07, 2008 at 05:33 AM EDT #
Thanks, it works :)
Posted by agung on July 24, 2009 at 07:34 AM EDT #