Saturday, April 26, 2014

Unable to Start Oracle Unified Directory


On RHEL 5.6, installed Oracle Unified Directory 11.1.2.2.0 from ofm_oud_generic_11.1.2.2.0_disk1_1of1.zip.

After installing into $MW_HOME/Oracle_OUD1 and running the configuration, do not start the directory server right away: the directories $MW_HOME/Oracle_OUD1/logs and $MW_HOME/Oracle_OUD1/locks are not created by the oud-setup program.  Create them manually before starting the directory server.  If the directory server is instead started by oud-setup, you cannot stop it with the stop-ds command, because there is no server.pid file (stop-ds looks for this file in the locks directory).  I ended up de-installing/re-installing when this first happened.

When trying to start using start-ds, the following error message is thrown:

severity=SEVERE_ERROR msgID=2359728 msg=The LDAP connection handler defined in configuration entry cn=LDAP Connection Handler,cn=Connection Handlers,cn=config was unable to bind to 0.0.0.0:389:  IOException(Address already in use)

Solution

cd $MW_HOME/Oracle_OUD1/config
cp -p config.ldif config.ldif.bak
vi config.ldif
Change this:
ds-cfg-listen-port: 389
to
ds-cfg-listen-port: 1389

Then issue start command.

Thanks to an anonymous reader for sharing the correct location of the real stop/start commands:

cd $MW_HOME/asinst_1/OUD/bin

and issue the start command from there.
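A small pre-flight script that covers the three problems described in this post (missing logs/ and locks/ directories, a stale server.pid in locks/, and a listen port that is already bound), added here as an example; it is not Oracle's code and not part of the post. The directory names, the server.pid location and the port come from the text above; the 0750 directory mode and the constructed demo scenario are assumptions.

```python
"""Pre-flight checks for an OUD instance directory (added example, not Oracle's code).

Covers the three problems from the post: missing logs/ and locks/ directories,
a stale locks/server.pid that stop-ds relies on, and a listen port that is
already bound (the "Address already in use" error).
"""
import errno
import os
import socket
import tempfile


def ensure_instance_dirs(instance_root, create=False):
    """Return the instance directories that are missing; create them when asked.
    The 0750 mode is an assumption, not something oud-setup documents."""
    missing = []
    for name in ("logs", "locks"):
        path = os.path.join(instance_root, name)
        if not os.path.isdir(path):
            if create:
                os.makedirs(path, mode=0o750)
            else:
                missing.append(path)
    return missing


def stale_pid_file(instance_root):
    """Return the PID from locks/server.pid if that process no longer exists,
    -1 if the file is unreadable, or None if there is no stale pid file."""
    pid_path = os.path.join(instance_root, "locks", "server.pid")
    if not os.path.isfile(pid_path):
        return None
    try:
        with open(pid_path) as fh:
            pid = int(fh.read().strip())
    except ValueError:
        return -1
    if pid <= 0:
        return -1
    try:
        os.kill(pid, 0)                # signal 0 only checks that the process exists
    except ProcessLookupError:
        return pid                     # no such process: the pid file is stale
    except PermissionError:
        pass                           # exists but owned by someone else: not stale
    return None


def port_is_free(port, host="0.0.0.0"):
    """Try to bind host:port as the connection handler would; False on EADDRINUSE.
    Other errors (e.g. EACCES on a privileged port) propagate to the caller."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((host, port))
        return True
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return False
        raise
    finally:
        sock.close()


def preflight(instance_root, port=389, host="0.0.0.0"):
    """Collect human-readable problems; an empty list means none of the checks fired."""
    problems = ["missing directory: " + p for p in ensure_instance_dirs(instance_root)]
    pid = stale_pid_file(instance_root)
    if pid is not None:
        problems.append("stale locks/server.pid (recorded pid %d is not running)" % pid)
    try:
        if not port_is_free(port, host):
            problems.append("%s:%d is already in use; change ds-cfg-listen-port or free the port" % (host, port))
    except PermissionError:
        problems.append("binding %s:%d requires root privileges" % (host, port))
    return problems


def demo():
    """Constructed scenario: an empty instance root, a throwaway listener holding
    a port, then a stale pid file; returns the problem lists at each stage."""
    root = tempfile.mkdtemp()
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    before = preflight(root, port, "127.0.0.1")

    ensure_instance_dirs(root, create=True)
    with open(os.path.join(root, "locks", "server.pid"), "w") as fh:
        fh.write(str(2 ** 22 + 1))      # above Linux's maximum pid, so never a live process
    with_stale = preflight(root, port, "127.0.0.1")

    os.remove(os.path.join(root, "locks", "server.pid"))
    listener.close()
    after = preflight(root, port, "127.0.0.1")
    return before, with_stale, after


if __name__ == "__main__":
    for stage, problems in zip(("before", "stale pid", "after"), demo()):
        print(stage, "->", problems or "ok")
```

Run it as the user that will run start-ds with preflight("$MW_HOME/Oracle_OUD1", 389); binding port 389 needs root, which the script reports instead of mistaking it for a conflict.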

Wednesday, April 23, 2014

Installing OpenLDAP 2.4.39 on RHEL 5.6

Note: these are very high-level instructions.  They should also work with OpenLDAP 2.4.38 (tested) and RHEL 5.10, and possibly with other versions.

My directory structure is as follows:
software install location - /opt
schema file location - /usr/local/etc/
slapd.conf file location - /usr/local/etc/openldap/
database file location - /var/openldap/openldap-data/
certs location - /usr/local/etc/openldap

Install Berkeley DB

Download db-6.0.30.tar.gz and untar in /opt
cd /opt
tar xvf db-6.0.30.tar.gz
cd db-6.0.30/build_unix
../dist/configure --enable-cxx --prefix=/usr/local/BerkeleyDB.6.0
make
make install

Do this step so that the Berkeley DB libraries can be found at run time without creating messy symlinks (the path is the --prefix used above, with lib appended):
cd /etc/ld.so.conf.d
vi berkeley_db.conf
/usr/local/BerkeleyDB.6.0/lib

/sbin/ldconfig

Install OpenSSL

Download openssl-1.0.1g.tar.gz and untar in /opt
cd /opt
tar xvf openssl-1.0.1g.tar.gz
export CPPFLAGS="-I/usr/local/BerkeleyDB.6.0/include"
export LDFLAGS="-L/usr/local/BerkeleyDB.6.0/lib"
cd openssl-1.0.1g
./config shared
make
make test
make install

Install Cyrus-SASL

Download cyrus-sasl-2.1.26.tar.gz and untar in /opt
cd /opt
tar xvf cyrus-sasl-2.1.26.tar.gz
cd cyrus-sasl-2.1.26
export CPPFLAGS="-I/usr/local/BerkeleyDB.6.0/include"
export LDFLAGS="-L/usr/local/BerkeleyDB.6.0/lib -L/usr/local/ssl/lib"
./configure --with-openssl=/usr/local/ssl --libdir=/usr/local/lib64
make
make install

After the install, note the following message:
********************************************************
* WARNING:
* Plugins are being installed into /usr/local/lib/sasl2,
* but the library will look for them in /usr/lib/sasl2.
* You need to make sure that the plugins will eventually
* be in /usr/lib/sasl2 -- the easiest way is to make a
* symbolic link from /usr/lib/sasl2 to /usr/local/lib/sasl2,
* but this may not be appropriate for your site, so this
* installation procedure won't do it for you.
*
* If you don't want to do this for some reason, you can
* set the location where the library will look for plugins
* by setting the environment variable SASL_PATH to the path
* the library should use.
********************************************************
I set the SASL_PATH environment variable in the .bash_profile file as follows:
SASL_PATH=/usr/local/lib/sasl2
export SASL_PATH


Install OpenLDAP

Download OpenLDAP openldap-2.4.39.tar.gz
cd /opt
tar xvf openldap-2.4.39.tar.gz
cd openldap-2.4.39
export CPPFLAGS="-I/usr/local/BerkeleyDB.6.0/include -I/usr/local/ssl/include"
export LDFLAGS="-L/usr/local/BerkeleyDB.6.0/lib -L/usr/local/ssl/lib"
./configure --with-tls --with-cyrus-sasl --sysconfdir=/usr/local --bindir=/usr/local --libdir=/usr/local/lib64
make depend
make
make test
make install


Copy Schema Files

mkdir /usr/local/etc
cp -rfp /opt/openldap-2.4.39/servers/slapd/schema /usr/local/etc/.

Copy slapd.conf

mkdir /usr/local/etc/openldap/
cp -rfp /opt/openldap-2.4.39/servers/slapd/slapd.conf /usr/local/etc/openldap/

Generate the Hashed Administrator LDAP Password

This can be entered into the slapd.conf file so that OpenLDAP can be started without user interaction:
/opt/openldap-2.4.39/servers/slapd/slappasswd -s password
{SSHA}O4iHZ1yg+f4ynVg1rrUjYMki2F6jTp7O

Copy this value and paste it into the /usr/local/etc/openldap/slapd.conf file:
rootpw          {SSHA}O4iHZ1yg+f4ynVg1rrUjYMki2F6jTp7O

The slapd.conf file may end up looking like this:
include         /usr/local/etc/schema/core.schema
include         /usr/local/etc/schema/cosine.schema
include         /usr/local/etc/schema/inetorgperson.schema

pidfile         /var/openldap/run/slapd.pid
argsfile        /var/openldap/run/slapd.args

#######################################################################
# BDB database definitions
#######################################################################

database        bdb
suffix          "dc=my-domain,dc=com"
rootdn          "cn=Manager,dc=my-domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          {SSHA}O4iHZ1yg+f4ynVg1rrUjYMki2F6jTp7O
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/openldap/openldap-data/my-domain
# Indices to maintain
index   objectClass     eq
index   cn              eq
index   uid             eq


Starting OpenLDAP Services

cd /usr/local/etc/openldap
nohup /opt/openldap-2.4.39/servers/slapd/slapd -f /usr/local/etc/openldap/slapd.conf -d 1 &

View status of the OpenLDAP server:
tail -f nohup.out

Stopping OpenLDAP Services

kill -INT `cat /var/openldap/run/slapd.pid`

Enabling SSL

Request a server certificate from your RA or CA.

Place the issuing CA certificate file here:
TLSCACertificateFile    /usr/local/etc/openldap/cacert.pem

The signed server certificate file here:
TLSCertificateFile      /usr/local/etc/openldap/servercrt.pem

And the private key file (only readable by the process that starts the OpenLDAP server) here:
TLSCertificateKeyFile   /usr/local/etc/openldap/serverkey.pem
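A check script for the slapd.conf shown earlier and for the TLS directives in this section, added here as an example; it is not OpenLDAP's code and not part of the post. It parses the directives, flags a cleartext rootpw, verifies a {SSHA} value in the format slappasswd produces (base64 of the SHA-1 digest followed by the salt), and checks the two permission requirements the config comments and this section state: database directory mode 700, private key readable only by its owner. The constructed sample config and the temporary directory tree are assumptions; the paths are the post's own.

```python
"""Static checks on a slapd.conf before starting slapd (added example, not OpenLDAP's code).

Checks that rootpw is a hashed value (and verifies {SSHA} values the way
slappasswd builds them), that the BDB 'directory' exists with mode 700 as
the stock comment asks, and that TLSCertificateKeyFile is owner-only readable.
"""
import base64
import hashlib
import hmac
import os
import re
import stat
import tempfile


def parse_slapd_conf(text):
    """Map single-valued directives (lowercased) to values; include/index lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key in ("include", "index"):
            continue
        conf[key] = parts[1].strip().strip('"') if len(parts) > 1 else ""
    return conf


def make_ssha(password, salt=None):
    """Produce a {SSHA} value as slappasswd does: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)           # slappasswd's default salt length
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ssha(password, stored):
    """Check a cleartext password against a {SSHA} value; the salt follows the 20-byte digest."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


def check_slapd_conf(text, base=""):
    """Return a list of findings (empty means every check passed).
    base is prefixed to the absolute paths so a constructed config can live in a temp dir."""
    conf = parse_slapd_conf(text)
    findings = []
    rootpw = conf.get("rootpw", "")
    if rootpw and not re.match(r"\{[A-Za-z0-9-]+\}", rootpw):
        findings.append("rootpw is stored in cleartext; generate a hash with slappasswd")
    db_dir = conf.get("directory")
    if db_dir:
        path = base + db_dir
        if not os.path.isdir(path):
            findings.append("database directory %s does not exist (slapd will not create it)" % db_dir)
        elif stat.S_IMODE(os.stat(path).st_mode) != 0o700:
            findings.append("database directory %s should be mode 700" % db_dir)
    key_file = conf.get("tlscertificatekeyfile")
    if key_file:
        path = base + key_file
        if not os.path.isfile(path):
            findings.append("TLS key file %s not found" % key_file)
        elif stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            findings.append("TLS key file %s is readable by group/other" % key_file)
    return findings


# Constructed config modelled on the one in the post; the paths are the post's own.
CONF_TEMPLATE = """\
include         /usr/local/etc/schema/core.schema
pidfile         /var/openldap/run/slapd.pid
database        bdb
suffix          "dc=my-domain,dc=com"
rootdn          "cn=Manager,dc=my-domain,dc=com"
rootpw          {rootpw}
directory       {directory}
index   objectClass     eq
TLSCertificateKeyFile   /usr/local/etc/openldap/serverkey.pem
"""


def demo():
    """Run the checks on a temp tree: first with a hashed rootpw, a mode-700 database
    directory and a mode-600 key; then with a cleartext rootpw, a missing directory
    and a world-readable key.  Returns both finding lists."""
    base = tempfile.mkdtemp()
    db_dir = "/var/openldap/openldap-data/my-domain"
    os.makedirs(base + db_dir)
    os.chmod(base + db_dir, 0o700)
    key = base + "/usr/local/etc/openldap/serverkey.pem"
    os.makedirs(os.path.dirname(key))
    with open(key, "w") as fh:
        fh.write("(constructed placeholder, not a real key)\n")
    os.chmod(key, 0o600)
    good = check_slapd_conf(CONF_TEMPLATE.format(rootpw=make_ssha("password"), directory=db_dir), base)
    os.chmod(key, 0o644)
    bad = check_slapd_conf(CONF_TEMPLATE.format(rootpw="password", directory=db_dir + "-missing"), base)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("sane config:", good or "ok")
    print("broken config:", bad)
```

Against a live install, read /usr/local/etc/openldap/slapd.conf and call check_slapd_conf(text) with no base argument; verify_ssha("password", value) confirms that a pasted rootpw hash still matches the password it was generated from before slapd is started with it.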