Activity Guide
D68336GC10
Edition 1.0
September 2010
D69028
David Goldsmith
Disclaimer
Steve Friedberg
Technical Contributor
and Reviewer
Etienne Remillon
Graphic Designer
Satish Bettegowda
Editors
Malavika Jinka
Raj Kumar
Publishers
Jayanthy Keshavamurthy
Michael Sebastian Almeida
Sumesh Koshy
THESE eKIT MATERIALS ARE FOR YOUR USE IN THIS CLASSROOM ONLY. COPYING eKIT MATERIALS FROM THIS COMPUTER IS STRICTLY PROHIBITED
Authors
Table of Contents
Task 2 Using the repldisc Utility to Discover a Replication Topology
Task 3 Using the insync Utility to Examine Synchronization State
Task 4 Using the dsconf Utility to Show Replication Agreement Status
Task 5 Pausing and Restarting Replication
Task 6 Using the entrycmp Utility to Compare Directory Entries
Exercise Summary
Task 4 Creating the Data Source, Data Source Pool, and Data View
Exercise 2: Creating a Joined LDAP/LDIF View
Task 1 Creating an LDIF Data View
Task 2 Hiding An Attribute in a Data View
Task 3 Creating Attribute Data Transformations
Task 4 Configuring a Join Data View
Task 5 Restricting Access Using a Connection Handler
Exercise 3: Accessing Relational Database Data Through a Directory Proxy Server
Task 1 Installing and Configuring MySQL and the MySQL JDBC Driver
Task 2 Configuring a JDBC Data View
Task 3 Emulating LDAP Schema for the JDBC Data View
Task 4 Writing to a Relational Database Using a JDBC Data View
Exercise Summary
Preface
Lab Goals
Conventions
The following conventions are used in this course to represent various training
elements and alternative learning resources.
Icons
Additional resources: Indicates other references that provide additional
information on the topics described in the module.
Note: Indicates additional information that can help students but is not crucial to
their understanding of the concept being described. Students should be able to
understand the concept or complete the task without this information. Examples
of notational information include keyword shortcuts and minor system
adjustments.
Caution: Indicates that there is a risk of personal injury from a nonelectrical
hazard, or risk of irreversible damage to data, software, or the operating system.
A caution indicates the possibility of a hazard (as opposed to a certainty),
depending on the action of the user.
Typographical Conventions
Courier is used for the names of commands, files, directories, programming
code, and on-screen computer output; for example:
Use ls -al to list all files.
system% You have mail.
Courier is also used to indicate programming constructs, such as class names,
methods, and keywords; for example:
The getServletInfo method gets author information.
The java.awt.Dialog class contains Dialog constructor.
Courier bold is used for characters and numbers that you type; for example:
To list the files in this directory, type:
# ls
Courier bold is also used for each line of programming code that is referenced
in a textual description; for example:
1 import java.io.*;
2 import javax.servlet.*;
3 import javax.servlet.http.*;
Notice that the javax.servlet interface is imported to allow access to its
lifecycle methods (Line 2).
Courier italics is used for variables and command-line placeholders that are
replaced with a real name or value; for example:
To delete a file, use the rm filename command.
Courier italic bold represents variables whose values are to be entered by
the student as part of an activity; for example:
Type chmod a+rwx filename to grant read, write, and execute rights for
filename to world, group, and users.
Palatino italics is used for book titles, new words or terms, or words that you
want to emphasize; for example:
Read Chapter 6 in the User's Guide.
These are called class options.
Additional Conventions
Java programming language examples use the following additional
conventions:
Line breaks occur only where there are separations (commas), conjunctions
(operators), or white space in the code. Broken code is indented four spaces
under the starting code.
Lab 1
Objectives
After completing this lab, you should be able to:
Preparation
The following section contains information you need and describes actions you
take before proceeding to the first task in this exercise.
Prerequisite Labs
There are no prerequisite labs for performing this lab.
1. Start the Virtual Box. From the Linux desktop menu bar, select Applications
> System Tools > Sun VirtualBox.
2. If the License dialog appears, scroll to the bottom of the text and click I
Agree.
3. When the Registration dialog appears, close the window by clicking the X
in the top right corner.
4. Select Machine D68336GC10 and click Start. If you see a message about
Auto capture keyboard option, click OK to dismiss it.
5. Don't do anything while the text login screens proceed; wait for the GUI
login screen. Log in as the root user. The password is cangetin.
6.
These sections describe Solaris Operating System (Solaris OS) zones, and
how to use zones when you work in the Solaris Sandbox.
7.
8.
If you did not run the lab -p command as part of step 6, do so now.
The lab -p command prepares the Solaris Sandbox zones for networking
and GUI display.
Note: You can run the lab -p command multiple times during a Solaris
Sandbox session without any ill effect.
9.
The prompt in the terminal window indicates which zone you are logged
into. For example:
zone01 #
12. Review the /opt/ses/shared/software and /opt/ses/shared/lab
directories:
# ls /opt/ses/shared/software
# ls /opt/ses/shared/lab
Subdirectories in the /opt/ses/shared/software directory contain
software that you install when doing these labs.
The /opt/ses/shared/lab directory contains files for doing the labs.
13. Start a Web browser on your lab system:
# firefox &
If the browser is unsuccessful in trying to open a home page, click on the
browser Stop icon.
14. Browse the Directory Server EE 11g (7.0) documentation, which is installed
on your lab system, using the following URL:
file:///opt/ses/shared/lab/docs/Contents.html
You can refer to the documentation at any time for more information while
you are doing labs.
15. Verify that the CATALINA environment variable is not currently set:
# env | grep CATALINA
No value is returned.
16. Append the custom profile file for these labs to the root user's
.profile file:
# cat /opt/ses/shared/lab/profile >> /.profile
The customized .profile file provides a PATH environment variable and
other environment variables that lessen the amount of typing required when
doing the labs.
17. Make the new .profile file available in your current shell:
# chmod +x /.profile
# source /.profile
18. Confirm that the new profile is available by displaying the new values of
environment variables that start with the string, CATALINA:
# env | grep CATALINA
CATALINA_HOME=/tomcat
CATALINA_BASE=/tomcat
CATALINA_OPTS=-Djava.awt.headless=true
2.
Verify the path of some commonly used Directory Server EE utilities that
you use in these labs:
# which dsadm
/opt/dsee7/bin/dsadm
# which dsconf
/opt/dsee7/bin/dsconf
# which dpadm
/opt/dsee7/bin/dpadm
Note: In the previous task, you updated the PATH environment for the root
user. The new PATH value includes the locations for the dsadm, dsconf, and
dpadm utilities. If you did not get the expected results from the which command,
you probably need to return to step 17 in Task 1, Examining Your Lab System,
and properly execute the .profile file.
3.
4.
Caution: Make sure that you use the number 1 and not the letter l in the
/local/dsm1 directory name.
# dsadm create -p 1389 -P 1636 /local/dsm1
The following appears in the terminal window:
Warning: This platform is not supported by Directory
Server 7.
Choose the Directory Manager password:
Type sunlearning and press Return.
The following appears in the terminal window:
Confirm the Directory Manager password:
Type sunlearning and press Return.
Note: The message, Warning: This platform is not supported by
Directory Server 7, appears when you run the dsadm utility in this course.
The reason for this message is that 32-bit Solaris 10 OS running on x86
architecture is not supported for Directory Server EE 7.0 production use.
Running Directory Server EE 7.0 on 32-bit Solaris 10 OS x86 systems has been
tested by Sun engineering and is available for lightweight uses, such as training
and proof of concepts.
Running Directory Server EE 7.0 on 32-bit Solaris 10 OS x86 systems lets you
deploy the Solaris Sandbox (the platform for these labs) on any modern host
operating system.
5.
Install a special message set that lets you run Directory Server EE
administration utilities without the warning message that appeared in the
preceding step:
# cd /opt/dsee7
# unzip /opt/ses/shared/software/ \
dsee-7.0-extras/resources.zip
Note: This course uses the \ character at the ends of lines in example commands
to indicate line continuation. When you see a command in multiple lines, each
ending with the \ character, enter the command on a single line, without pressing
Enter. Do not type the \ character when entering the command.
The following prompt appears in the terminal window:
Archive: /opt/ses/shared/software/dsee-7.0-extras/resources.zip
replace resources/dsadmin/dsadmin_zh_CN.res? [y]es,
[n]o, [A]ll, [N]one, [r]ename:
Type A and press Return.
Note: The special message set is for training purposes only.
6.
Confirm that you created the directory server instance and installed the
special message set correctly:
# dsadm info /local/dsm1
The following output appears in the terminal window:
Instance Path:         /local/dsm1
Owner:                 root(root)
Non-secure port:       1389
Secure port:           1636
Bit format:            32-bit
State:                 Stopped
DSCC url:
SMF application name:
Instance version:      D-A10
2.
Note: The backups can help you recover the files if you encounter problems in
steps 3 through 5.
3.
4.
5.
6.
Note: By default, the dsconf utility uses the Start TLS Lightweight Directory
Access Protocol (LDAP) extension. When using this extension, you must
accept (trust) the digital certificate presented by Directory Server EE during
suffix creation. If you were to answer y (lowercase), you would be accepting
this certificate one time only, and would be asked to trust the certificate again the
next time you ran the dsconf utility. By answering Y (uppercase), you trust
this certificate permanently and are never again asked to trust the certificate for
this directory server instance.
By default, the dsconf utility binds as the cn=Directory Manager user.
Therefore, you are prompted for the directory manager user's password. In
subsequent labs, you provide this password in a file so that you are not prompted
for the password. You can specify a user other than the cn=Directory
Manager user with the --user-dn option.
2.
3.
Use the ldapsearch utility to confirm that the user data was successfully
imported:
# ldapsearch -p 1389 -b dc=example,dc=com \
-s sub uid=scarter
Output similar to the following appears in the terminal window:
version: 1
dn: uid=scarter, ou=People, dc=example,dc=com
exampleTShirtSize: L
givenName: Sam
exampleTShirtName: IPO by 2003
exampleTShirtName: Balanced Books or Else
telephoneNumber: +1 408 555 4798
sn: Carter
ou: Accounting
l: Sunnyvale
manager: uid=bjensen,ou=people,dc=example,dc=com
roomNumber: 4612
mail: scarter@example.com
facsimileTelephoneNumber: +1 408 555 9751
uid: scarter
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: examplePerson
cn: Sam Carter
mobile: +1 408 555 9751
title: Directory of IT
pager: +1 408 555 9722
DSCC
File-based configuration
In the first two tasks in this exercise, you install an Apache Tomcat Web
container and deploy the DSCC Web application into the Web container.
Note: For these labs, you use Apache Tomcat as the Web container. A number of
other Web containers are supported for the DSCC Web application. Refer to the
Oracle Directory Server Enterprise Edition 11gR1 Installation Guide for a list of
supported Web containers.
After you install and deploy DSCC, you use DSCC to perform several
configuration tasks.
You can also configure Directory Server EE using configuration files. Some
configuration can be performed by modifying attribute value pairs in the
dse.ldif file. In the last task, you examine several configuration attributes in
the dse.ldif file.
Perform the following tasks:
2.
3.
4.
Add a startup file for the Tomcat Web container to the /etc/init.d
directory:
# cp /opt/ses/shared/lab/tomcat.sh /etc/init.d/tomcat
5.
6.
7.
8.
In an earlier task, you created a custom profile for the root user. Verify that
the custom profile set environmental variables as required to run DSCC in
the Tomcat Web container:
a.
b.
Verify that the JAVA_HOME environment variable has been set to the
/usr directory:
# env | grep JAVA_HOME
The following output appears in the terminal window:
JAVA_HOME=/usr
After DSCC setup, you register the previously created dsm1 directory server
instance with the DSCC and begin exploring that instance's configuration.
Complete the following steps in the zone01 zone:
1.
Confirm that the DSCC agent is registered with the common agent
container (CACAO):
a.
b.
c.
d.
3.
4.
5.
6.
Note: Notice that the enablePooling stanza is of the same form as the
preceding two init-params. The preceding change to the web.xml file is
specific to the Tomcat Web container. For other supported Web containers, review
the Oracle Directory Server Enterprise Edition 11gR1 Installation Guide for
required configuration changes.
7.
Caution: Be sure that you have edited the correct files in steps 6 and 7. The
web.xml file that you edit in step 6 is in the /tomcat/conf directory. The
web.xml file that you edit in step 7 is in the /tomcat/webapps/dscc/WEB-INF directory.
8.
9.
Log in to DSCC:
a.
b.
b.
Select Register Existing Server from the More Server Actions drop-down menu to start the Register Existing Directory Server Wizard.
The Step 1: Enter Host and Server Information dialog box appears.
c.
d.
Specify the following values in the Step 1: Enter Host and Server
Information dialog box:
Click Next.
The Step 1.1: Provide Authentication Information for the Host dialog
box appears.
Note: When needed, DSCC prompts you to enter the credentials of the Solaris
OS user that runs the ns-slapd process (the root user in these labs). Whenever
you are asked to provide authentication information for the host, enter root as
the user ID and cangetin as the password.
e.
f.
g.
Review the certificate details, then click Next to accept the certificate.
The Step 2: Provide Authentication Information dialog box appears.
h.
i.
Click Next.
The Step 3: Summary dialog box appears, with a warning that the
server instance will be restarted when you click Finish.
j.
Click Finish.
Messages appear as the dsm1 instance is registered with DSCC and
restarted.
When the operation is complete, the Operation Completed
Successfully message appears.
Note: A message stating that DSCC could not set the locale correctly appears
during instance registration. You can ignore this message whenever it appears.
k.
l.
Note: In these labs, the zone01:1389 directory server instance is also referred
to as the dsm1 instance.
13. In a previous task, you customized the schema for the dsm1
(zone01:1389) directory server instance. Confirm that you can see these
schema changes in DSCC:
a.
b.
c.
d.
e.
2.
b.
c.
d.
What is the value of the organizational unit (ou) attribute for a typical
user entry?
________________________________________________________
e.
3.
4.
Change to the config directory for the directory server instance on your
workstation:
# cd /local/dsm1/config
5.
Note: If this limit is reached, the server returns any entries it found that match
the search request, as well as an exceeded size limit error.
b.
c.
d.
Exercise Summary
Experiences
Interpretations
Conclusions
Applications
Exercise Solutions
The following section provides solutions to questions in the lab.
b.
c.
d.
What is the value of the organizational unit (ou) attribute for a typical
user entry?
The department name; for example, Human Resources, Payroll,
or Accounting.
e.
5.
b.
c.
d.
Lab 2
Preparation
Prerequisite Lab
The following lab is a prerequisite for performing this lab:
Introducing Oracle Directory Server EE 11gR1
The task to prepare your lab system depends on whether you performed the
prerequisite lab, and whether you have performed other labs, in addition to the
prerequisite lab.
2.
2.
2.
Your new boss was at the company party last night and met many
individuals but does not remember their names. Find specific people using
the criteria listed. Search for each person by using the ldapsearch
command-line utility.
Record the search string that worked in the space provided. Some searches
are more difficult to build than others. The answers are available in the
Exercise Solutions on page L2-10, but try to get the answers on your
own before consulting the solutions.
a.
The person's last name sounded something like veter. What is his
email address?
ldapsearch:_____________________________________________
________________________________________________________
Note: The email attribute is mail, and the approximate operator is ~=.
b.
I need the full name and phone number of Carter in Accounting, out
of the Santa Clara office.
ldapsearch:_____________________________________________
________________________________________________________
Note: The full name attribute is cn, the last name attribute is sn, the phone
attribute is telephonenumber, the department/organizational unit attribute is
ou, the location attribute is l, and the AND operator is &. For example, the
following filter could be used in a search for a directory entry with last name
Smith, first name John, and location Mountain View:
(&(sn=smith)(givenname=john)(l=mountain view)).
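The filter syntax in the notes above, as an added Python example that is not part of the course material. It goes one step beyond the lab by escaping the filter metacharacters (RFC 4515) in each value, so that a name typed by a user cannot change the structure of the filter; the function names are hypothetical.

```python
import re

# Attribute descriptions used in the lab (sn, cn, l, ou, mail, ...) are plain
# names; anything else is rejected rather than passed through to the filter.
ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")

# Match operators: equality, approximate (~=, as in the "veter" search),
# and the two ordering operators.
OPERATORS = ("=", "~=", ">=", "<=")

# RFC 4515: these characters must be written as a backslash plus two hex digits
# when they occur inside an assertion value.
ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_value(value):
    """Escape filter metacharacters in a value taken from outside the program."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def item(attr, value, op="="):
    """Build one filter item such as (sn=smith) or (sn~=veter)."""
    if not ATTR_RE.match(attr):
        raise ValueError("unexpected attribute name: %r" % attr)
    if op not in OPERATORS:
        raise ValueError("unsupported operator: %r" % op)
    return "(%s%s%s)" % (attr, op, escape_value(value))


def all_of(*items):
    """Combine items with the AND operator (&)."""
    if not items:
        raise ValueError("an AND filter needs at least one item")
    return "(&" + "".join(items) + ")"


def ldapsearch_argv(search_filter, attrs, port="1389", base="dc=example,dc=com"):
    """Argument vector for the lab's ldapsearch call.

    Passing a list to subprocess.run() (no shell) keeps the filter as a single
    argument, so no shell quoting of parentheses or ampersands is needed.
    """
    for attr in attrs:
        if not ATTR_RE.match(attr):
            raise ValueError("unexpected attribute name: %r" % attr)
    return ["ldapsearch", "-p", port, "-b", base, "-s", "sub",
            search_filter, *attrs]


if __name__ == "__main__":
    # The example filter from the note above.
    print(all_of(item("sn", "smith"), item("givenname", "john"),
                 item("l", "mountain view")))
    # A value containing filter metacharacters stays inside its own item.
    print(item("sn", "carter)(uid=*"))
    # The approximate-match search, with only the mail attribute returned.
    print(ldapsearch_argv(item("sn", "veter", "~="), ["mail"]))
```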
c.
e.
Note: The manager attribute is manager and is a distinguished name (DN) data
type.
When you are finished, compare your answers to those in the Exercise
Solutions on page L2-10. Discuss any differences you found during the exercise
debriefing.
Create a file named rwilson.ldif in the /tmp directory using any text
editor.
2.
Enter the following instructions in the LDIF file for a new user:
dn: cn=Russ Wilson,ou=People,dc=example,dc=com
changetype: add
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Russ Wilson
givenName: Russ
sn: Wilson
ou: Marketing
uid: rwilson
3.
4.
b.
c.
d.
e.
f.
Try to add a second phone number to this entry. Try to add a second
employee number.
Which number worked and which one failed?
________________________________________________________
How do you explain the success or the failure of each attempt?
________________________________________________________
g.
h.
i.
j.
Exercise Summary
Experiences
Interpretations
Conclusions
Applications
Exercise Solutions
The following section provides solutions to questions in the lab.
Compare your answers to:
Step 2 in Task 3
Step 4 in Task 4
Your new boss was at the company party last night and met many
individuals but does not remember their names. Find specific people using
the criteria listed. Search for each person by using the ldapsearch
command-line utility.
Record the search string that worked in the space provided. Some searches
are more difficult than others. The answers are available in the Exercise
Solutions on page L2-10, but try to get the answers on your own before
consulting the solutions.
a.
The person's last name sounded something like veter. What is his
email address?
Expected result: jvedder@example.com
# ldapsearch -p 1389 \
-b dc=example,dc=com -s sub sn~=veter mail
b.
I need the full name and phone number of Carter in Accounting, out
of the Santa Clara office.
Expected result: Mike Carter, +1 408 555 1846
# ldapsearch -p 1389 -b dc=example,dc=com -s sub \
"(&(sn=carter)(l=Santa Clara)(ou=Accounting))" \
cn telephonenumber
c.
d.
e.
Try to add a second phone number to this entry. Try to add a second
employee number.
Which phone number worked and which one failed?
Schema checking allows the addition of a second phone number.
Schema checking returns an Object class Violation when you try to
add a second employee number.
How do you explain the success or the failure of each attempt?
In the schema, the phone number attribute is defined as multivalued.
The employee number attribute is defined as single-valued.
g.
h.
j.
Lab 3
Preparation
Prerequisite Labs
The following labs are prerequisites for performing this lab:
The task to prepare your lab system depends on whether you performed the
prerequisite labs, and whether you have performed other labs, in addition to the
prerequisite labs.
2.
Acquaint yourself with the location of logging information for the dsm1
(zone01:1389) instance:
a.
b.
c.
d.
Click OK.
Note: If the error message, Error occurred searching the logs for
the server, appears, select Click here to update authentication. When
prompted, enter root as the user ID and cangetin as the password and click
OK.
e.
f.
Note: Whenever you see lines in command examples ending in \ in these labs,
enter them as a single command in your terminal session. Do not enter the \ as
part of the command.
The import operation should work correctly. What message did you
receive?
Message: ____________________________________________________
What corresponding entries appeared in the access log?
Access log entry: _____________________________________________
Note: When reviewing log entries using DSCC, try the following:
1. Observe that the adding new entry uid=jabrown message appeared in
the terminal window after you ran the ldapmodify command.
2. In the DSCC Access Logs page, enter the string jabrown in the Only Show
Entries Containing field.
3. Click Search. A single entry appears in the Log Viewer Results table,
indicating that the ADD operation completed successfully.
4. Note the connection number to the right of the ADD message. Enter that
connection number in the Only Show Entries Containing field. Click Search.
All the log entries associated with the ldapmodify command execution now
appear in the Log Viewer Results table. In some cases, extraneous entries might
also appear in the Log Viewer Results table.
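The same correlation done outside DSCC, as an added Python example that is not part of the course material: find the connection that touched uid=jabrown, then list every operation on that connection with its result code. The log lines are constructed, and their layout (timestamp, conn=, op=, msgId=, then the operation text) is an assumption about the access log format.

```python
import re

# Constructed sample lines, not taken from the lab system. The layout is an
# assumption; adjust LINE_RE if the instance's access log differs.
SAMPLE_LOG = """\
[11/May/2009:09:36:33 -0700] conn=11 op=0 msgId=1 - SRCH base="dc=example,dc=com" scope=2 filter="(uid=scarter)" attrs=ALL
[11/May/2009:09:36:33 -0700] conn=11 op=0 msgId=1 - RESULT err=0 tag=101 nentries=1 etime=0
[11/May/2009:09:36:40 -0700] conn=12 op=-1 msgId=-1 - fd=24 slot=24 LDAP connection from 127.0.0.1:40112 to 127.0.0.1:1389
[11/May/2009:09:36:40 -0700] conn=12 op=0 msgId=1 - BIND dn="cn=Directory Manager" method=128 version=3
[11/May/2009:09:36:40 -0700] conn=12 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[11/May/2009:09:36:40 -0700] conn=12 op=1 msgId=2 - ADD dn="uid=jabrown,ou=People,dc=example,dc=com"
[11/May/2009:09:36:41 -0700] conn=12 op=1 msgId=2 - RESULT err=0 tag=105 nentries=0 etime=0
[11/May/2009:09:36:41 -0700] conn=12 op=2 msgId=3 - UNBIND
[11/May/2009:09:36:41 -0700] conn=12 op=2 msgId=-1 - closing from 127.0.0.1:40112
[11/May/2009:09:36:41 -0700] conn=12 op=-1 msgId=-1 - closed.
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) "
    r"msgId=(?P<msgid>-?\d+) - (?P<rest>.*)$"
)
ERR_RE = re.compile(r"\berr=(\d+)")


def parse(text):
    """Return one record per well-formed line; anything else is skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append({"ts": m.group("ts"), "conn": int(m.group("conn")),
                            "op": int(m.group("op")), "rest": m.group("rest")})
    return records


def connections_touching(records, needle):
    """Connection numbers whose entries mention needle (case-insensitive).

    This is the "Only Show Entries Containing" search from step 2 of the note.
    """
    needle = needle.lower()
    return sorted({r["conn"] for r in records if needle in r["rest"].lower()})


def entries_for(records, conn):
    """Every entry logged for one connection (step 4 of the note)."""
    return [r for r in records if r["conn"] == conn]


def operations(records, conn):
    """Pair each request on a connection with the err= code of its RESULT.

    Returns (op number, request verb, result code or None) tuples. Requests
    such as UNBIND have no RESULT line, so their code stays None.
    """
    ops = {}
    for r in entries_for(records, conn):
        words = r["rest"].split()
        if r["op"] < 0 or not words:
            continue  # connection open/close bookkeeping, not an operation
        verb = words[0]
        if verb == "RESULT":
            err = ERR_RE.search(r["rest"])
            ops.setdefault(r["op"], ["?", None])[1] = (
                int(err.group(1)) if err else None)
        elif verb.isupper():
            entry = ops.setdefault(r["op"], ["?", None])
            if entry[0] == "?":
                entry[0] = verb
    return [(op, verb, err) for op, (verb, err) in sorted(ops.items())]


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for conn in connections_touching(recs, "uid=jabrown"):
        print("conn", conn, operations(recs, conn))
```

A nonzero result code on the BIND or ADD line is the first thing to look for when an import or modify did not behave as expected.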
3.
4.
5.
6.
2.
View the current error log settings by viewing the error log attributes
in dse.ldif and by running the dsconf utility:
# cd /local/dsm1/config
# grep errorlog dse.ldif
# dsconf get-log-prop -p 1389 -w /opt/dsee7/pwd \
error
b.
Table 3-1
                                      dsconf Utility            Value in the dse.ldif   Value as Reported by
                                      Property Name             File (if any)           the dsconf Utility
nsslapd-errorlog                      path
nsslapd-errorloglogging-enabled       enabled
nsslapd-errorlogmaxlogsperdir         max-file-count
nsslapd-errorlogmaxlogsize            max-size
nsslapd-errorloglogrotationtime       rotation-time
nsslapd-errorlogexpirationtime        max-age
nsslapd-errorloglogrotationtimeunit   rotation-interval
nsslapd-errorloglevel                 level
nsslapd-errorloglogexpirationtimeunit max-age
nsslapd-errorloglogminfreediskspace   min-free-diskspace-size
nsslapd-errorloglogmaxdiskspace       max-disk-space-size
nsslapd-errorlogpermissions           perm
nsslapd-infologlevel                  verbose-enabled
THESE eKIT MATERIALS ARE FOR YOUR USE IN THIS CLASSROOM ONLY. COPYING eKIT MATERIALS FROM THIS COMPUTER IS STRICTLY PROHIBITED
3.
c.
d.
Log File Permissions: Type 640 to let group members view the error
logs.
Click Save.
4.
Confirm that your changes have been updated in the dse.ldif file:
# cd /local/dsm1/config
# grep errorlog dse.ldif
Attributes that were not observed when you performed step 2a now
appear in the grep command output.
5.
6.
b.
c.
d.
e.
7.
b.
Change the file size-based log rotation size limit to 300 MB and the
file size-based log deletion size limit to 1000 MB:
# dsconf set-log-prop -p 1389 -w /opt/dsee7/pwd \
access max-size:300M max-disk-space-size:1000M
8.
9.
b.
c.
d.
View the audit logs to determine which attributes or entries were modified
or added when you performed steps 7 and 8.
# cd /local/dsm1/logs
# more audit
Change directories to the location of the access logs and view the log file
names:
# cd /local/dsm1/logs
# ls
The ls command output includes the rotated access log file, the file
named access.datestamp.
2.
View a basic analysis of the rotated access log using the logconv utility:
# logconv access.datestamp
SunOne Access Log Analyzer 5.2
Initializing Variables...
Processing 1 Access Log(s)...
access.20090511-093437 (Total Lines: 2241)
1000 Lines Processed
2000 Lines Processed
*
2241 Lines Processed
Lines Processed: 2241
* Total Lines Analyzed: 2241
11/May/2009:09:36:33
11/May/2009:14:18:50
Restarts:
Opened Connections:
Closed Connections:
SSL Connections:
147
288
0
Total Operations: 770
Total Results: 772
Overall Performance: 100.3%
Most Pending Operations: 2
Searches: 482 (0.028/sec)
Modifications: 14 (0.001/sec)
Adds: 14 (0.001/sec)
Deletes: 0 (0.000/sec)
Mod RDNs: 1 (0.000/sec)
Compares: 0 (0.000/sec)
Extended Operations: 119
Proxied Auth Operations: 0
Internal Operations: 0
Entry Operations: 0
Persistent Searches: 0
Abandoned Requests: 1
Total
VLV Operations: 0
VLV Unindexed Searches: 0
SORT Operations: 0
1
0
0
0
FDs Taken: 147
FDs Returned: 288
Highest FD Taken: 34
Broken Pipes: 0
Connections Reset By Peer: 0
Resource Unavailable: 0
Ber Decoding Errors: 0
Unsupported Critical Exts: 0
Binds: 140
Unbinds: 144
LDAP v2 Binds: 0
LDAP v3 Binds: 140
Expired Password Logins: 0
SSL Client Binds: 0
Failed SSL Client Binds: 0
SASL Binds: 0
32
0
108
3.
View a detailed analysis of the rotated access log using the logconv utility:
# logconv -V access.datestamp
This shows many of the Top 20 statistics, such as Most Frequent etimes,
Longest etimes, Largest nentries, Requested Attributes, and so on.
Exercise Summary
Experiences
Interpretations
Conclusions
Applications
Exercise Solutions
The following section provides solutions to questions in the lab.
Compare your answers to:
Step 2b in Task 3
3.
4.
5.
6.
Table 3-1
dse.ldif Attribute                     dsconf Utility Property Name   Value in the dse.ldif File (if any)   Value as Reported by the dsconf Utility
nsslapd-errorlog                       path                           /local/dsm1/logs/errors               /local/dsm1/logs/errors
nsslapd-errorloglogging-enabled        enabled                        on                                    on
nsslapd-errorlogmaxlogsperdir          max-file-count
nsslapd-errorlogmaxlogsize             max-size                       100                                   100M
nsslapd-errorloglogrotationtime        rotation-time                                                        undefined
nsslapd-errorlogexpirationtime         max-age                        (no value)                            1M
nsslapd-errorloglogrotationtimeunit    rotation-interval              week                                  1w
nsslapd-errorloglevel                  level                          (no value)                            default
nsslapd-errorloglogexpirationtimeunit  max-age                        (no value)                            1M
nsslapd-errorloglogminfreediskspace    min-free-diskspace-size        (no value)                            5M
nsslapd-errorloglogmaxdiskspace        max-disk-space-size            (no value)                            100M
nsslapd-errorlogpermissions            perm                           (no value)                            600
nsslapd-infologlevel                   verbose-enabled                (no value)                            off
Lab 4
Objectives
After completing this lab, you should be able to:
Information
Value
jvedder
befitting
scarter
sprain
cschmith
hypotenuse
Preparation
Prerequisite Labs
The following labs are prerequisites for performing this lab:
The task to prepare your lab system depends on whether you performed the
prerequisite labs, and whether you have performed other labs, in addition to the
prerequisite labs.
2.
You perform the rest of this lab in the zone01 and zone02 zones. Detailed
instructions are provided when the zone02 zone is required.
Log in to DSCC.
The Common Tasks page appears.
2.
3.
4.
5.
6.
Select the link for the rule labelled, "Allow self entry modification except
for nsroledn, aci, resource limit attributes, passwordPolicySubentry and
password policy state attributes."
What does this ACI do?
_________________________________________________________
_________________________________________________________
Why should this rule be made more restrictive?
_________________________________________________________
_________________________________________________________
In subsequent steps, you make the rule more restrictive.
7.
8.
9.
If the ACI syntax is incorrect, correct it, recheck the syntax, and click
OK.
If the ACI syntax is correct, click OK.
11. If a dialog box with the message readwrite appears, click OK.
Note: A dialog box with the message readwrite occasionally appears when
working in the DSCC Access Control subtab due to Directory Server EE bug
number 6803995. The dialog box should never appear. If this dialog box appears
at any point during this lab or any other lab, click OK.
2.
Is Jeff Vedder able to modify his own mobile phone number, pager number,
and title in his directory entry?
_________________________________________________________
2.
Is Sam Carter able to modify his own mobile phone number, pager number,
and title in his directory entry?
_________________________________________________________
Jeff Vedder is not able to change his title, pager number or mobile phone
number.
Sam Carter is able to change his title, pager number, and mobile phone
number.
Assume that the desired behavior is for individuals to be able to change their own
pager number or mobile phone number, but only human resources (HR) managers
can change a user's title. As a result, the following changes must be achieved:
Jeff Vedder should be able to change his pager number and mobile phone
number.
View all the ACIs under the dc=example,dc=com using the ldapsearch
utility:
# ldapsearch -p 1389 -b dc=example,dc=com \
"aci=*" aci
In your own words, interpret what each ACI specifies.
Do not spend too much time on this task. Ask your instructor for help if you
encounter problems.
The first ACI is completed for you as an example.
Under dc=example,dc=com:
a.
b.
c.
Under ou=People,dc=example,dc=com:
d.
e.
f.
g.
h.
Everyone should be able to change his or her own pager number and mobile
phone number.
Only an HR manager should be able to change a user's title.
2.
3.
Setting up ACIs for anyone to modify his or her own pager number
and mobile phone number is relatively easy. Just add the pager and
mobile attributes to the list of attributes that can be written to in the
Allow Self Entry Modification ACI. You do this in the next task.
The group manager ACI statements (Accounting, Engineering, and so
on) that let Sam Carter change his own title (or anything else you
might add in the future) are a little more complex. Following the
preceding design principles, it is better to explicitly decide which
specific attributes you want the managers to be able to change.
Assume that it only makes sense to let the accounting managers
change things like location, room number, and the various phone
numbers (telephone, pager, mobile, fax). You set this up in the next
task.
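The design point above (name the writable attributes explicitly instead of excluding a few) can be checked against the output of the ldapsearch "aci=*" query. The following Python sketch is an added example, not part of the course material: the three ACI strings, their ACL names, and the HR group DN are constructed for illustration, and it only evaluates allow rules that carry a single targetattr clause (deny rules and ACI precedence are not evaluated).

```python
import re

TARGETATTR_RE = re.compile(
    r'\(\s*targetattr\s*(?P<op>!=|=)\s*"(?P<attrs>[^"]*)"\s*\)', re.I)
RULE_RE = re.compile(
    r'acl\s+"(?P<name>[^"]+)"\s*;\s*(?P<kind>allow|deny)\s*'
    r'\((?P<rights>[^)]*)\)\s*(?P<bind>[^;]*);', re.I)
SELF_RE = re.compile(r'userdn\s*=\s*"ldap:///self"', re.I)

# Constructed ACIs. The attribute list in ACI_EXPLICIT is the one edited in
# this lab; the exclusion list and the HR group DN are assumptions.
ACI_EXCLUSION = (
    '(targetattr != "nsroledn || aci || nsLookThroughLimit || nsSizeLimit || '
    'nsTimeLimit || nsIdleTimeout || passwordPolicySubentry")'
    '(version 3.0; acl "Self write, exclusion list (constructed)"; '
    'allow (write) userdn = "ldap:///self";)')
ACI_EXPLICIT = (
    '(targetattr="userPassword || telephoneNumber || facsimileTelephoneNumber '
    '|| pager || mobile || exampleTShirtSize")'
    '(version 3.0; acl "Self write, explicit list (constructed)"; '
    'allow (write) userdn = "ldap:///self";)')
ACI_HR = (
    '(targetattr = "title")'
    '(version 3.0; acl "HR managers write title (constructed)"; allow (write) '
    'groupdn = "ldap:///cn=HR Managers,ou=Groups,dc=example,dc=com";)')


def parse_aci(aci):
    """Return the parts of one ACI needed for the audit, or None if unparsed."""
    target, rule = TARGETATTR_RE.search(aci), RULE_RE.search(aci)
    if not (target and rule):
        return None  # ACIs without a targetattr clause are skipped here
    return {
        "name": rule.group("name"),
        "kind": rule.group("kind").lower(),
        "rights": {r.strip().lower() for r in rule.group("rights").split(",")},
        "self": bool(SELF_RE.search(rule.group("bind"))),
        "exclude": target.group("op") == "!=",
        "attrs": {a.strip().lower() for a in target.group("attrs").split("||")},
    }


def covers(rule, attr):
    """True if the rule's targetattr clause applies to attr (case-insensitive)."""
    attr = attr.lower()
    if rule["exclude"]:
        # "!=" targets every attribute that is NOT in the list.
        return attr not in rule["attrs"]
    return "*" in rule["attrs"] or attr in rule["attrs"]


def grants_write(rule):
    return rule["kind"] == "allow" and bool(rule["rights"] & {"write", "all"})


def self_writable(acis, attr):
    """Names of allow rules that let a user write attr in his or her own entry."""
    rules = [parse_aci(a) for a in acis]
    return [r["name"] for r in rules
            if r and r["self"] and grants_write(r) and covers(r, attr)]


def exclusion_style(acis):
    """Names of write rules whose attribute scope is 'everything except ...'."""
    rules = [parse_aci(a) for a in acis]
    return [r["name"] for r in rules if r and r["exclude"] and grants_write(r)]


if __name__ == "__main__":
    before = [ACI_EXCLUSION, ACI_HR]
    after = [ACI_EXPLICIT, ACI_HR]
    for label, acis in (("before", before), ("after", after)):
        for attr in ("pager", "mobile", "title"):
            print(label, attr, "self-writable via:", self_writable(acis, attr))
    print("exclusion-style write rules:", exclusion_style(before + after))
```

With the exclusion-style rule in place, title is self-writable even though no rule names it; with the explicit list, only the listed attributes are.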
2.
3.
Edit the first section of the ACI to include the pager, mobile, and
exampleTShirtSize attributes:
(targetattr="userPassword || telephoneNumber ||
facsimileTelephoneNumber || pager || mobile ||
exampleTShirtSize")
a.
b.
4.
If the ACI syntax is incorrect, correct it, recheck the syntax, and
click OK.
If the ACI syntax is correct, click OK.
b.
c.
If the ACI syntax is incorrect, correct it, recheck the syntax, and
click OK.
If the ACI syntax is correct, click OK.
d.
At this point, if you were correcting the ACIs for all the department
managers, you would make the same changes to the ACIs for the
Engineering, QA, and HR department manager groups. It is not necessary to
make these changes for this exercise.
5.
Next, create a new ACI that lets HR Managers change anyone's title:
a.
b.
c.
d.
e.
Click Next.
The Step 2: Choose Access Rights dialog box appears.
f.
Deselect all rights (including Special Rights) except for the write
right.
g.
Click Next.
The Step 3: Assign Access Rights dialog box appears.
h.
i.
j.
k.
Click OK.
The DN appears in the Step 3: Assign Access Rights dialog box.
l.
Click Next.
The Step 4: Choose Target dialog box appears.
m.
n.
Click Next.
The Step 5: Choose Attributes dialog box appears.
o.
p.
Click Remove All to make sure the Selected Attributes list is empty.
q.
r.
Click Next.
The Step 6: Specify ACI Location dialog box appears.
s.
Click Next.
The Step 7: Summary dialog box appears.
t.
u.
Click Finish.
v.
w.
2.
Review Jeff Vedder's and Sam Carter's directory access permissions using
the ldapsearch utility. Use the same technique that you used to view
permissions in Task 3, "Retrieving Jeff Vedder's Directory Access
Permissions," on page L4-6 and Task 4, "Retrieving Sam Carter's Directory
Access Permissions," on page L4-6.
3.
4.
5.
Use the ldapmodify utility to verify that your ACI changes are correct:
a.
b.
c.
Preparation
There is no special preparation for this exercise.
Open a second terminal window or terminal tab page on your lab system.
The new terminal window or tab page's prompt indicates that it accesses the
global zone:
global #
2.
In the new terminal window, boot and log in to the zone02 zone:
global # zoneadm -z zone02 boot
global # zlogin zone02
zone02 #
3.
Verify that, using the network, you can access the zone01 zone from the
zone02 zone:
zone02 # ping zone01.example.com
4.
Verify that you can access the directory server instance running in the
zone01 zone from the zone02 zone:
zone02 # ldapsearch -h zone01.example.com -p 1389 \
-b dc=example,dc=com -s sub "uid=scarter"
Sam Carter's directory entry, retrieved from the directory server instance
running in the zone01 zone, appears in the zone02 terminal window.
Note: Because you have not installed Directory Server EE in the zone02 zone,
you use the Solaris OS version of the ldapsearch utility in the zone02 zone.
The Solaris OS version of the ldapsearch utility has sufficient functionality
for the tests you perform in the zone02 zone.
5.
Note: The preceding command fails if you attempt to run it from the zone02
zone.
b.
6.
Using any text editor, create a file in the zone01 zone named
/local/dsm1/config/hosts.deny with the following contents:
ALL:ALL
This file tells the directory server instance to deny all connections from all
hosts unless explicitly allowed in the hosts.allow file.
7.
8.
Using any text editor, create a file in the zone01 zone named
/local/dsm1/config/hosts.allow with the following contents:
ALL: zone01.example.com
ALL: zone02.example.com
9.
10. Test directory access from the zone01 zone using the ldapsearch utility.
Use the ldapsearch utility both with and without the -h parameter:
a.
b.
11. Add the following line to the hosts.allow file in the zone01 zone:
ALL: LOCALHOST
12. Retest access from your machine's loopback address:
zone01 # ldapsearch -p 1389 \
Exercise Summary
Experiences
Interpretations
Conclusions
Applications
Exercise Solutions
The following section provides solutions to questions in the lab.
Step 6 in Task 2
Step 2 in Task 3
Step 2 in Task 4
Step 1 in Task 5
Select the link for the rule labelled, "Allow self entry modification except
for nsroledn, aci, resource limit attributes, passwordPolicySubentry and
password policy state attributes."
What does this ACI do?
This rule allows anyone to write any attribute in their own record, except
for nsroleDN, aci, or resource limits. This rule was added by the system; it
is not part of the LDIF file that you imported earlier.
Why should this rule be made more restrictive?
This rule is too open-ended. Perhaps it should be rewritten to deny write
access to these specific attributes. Make it explicit rather than implicit.
In subsequent steps, you must make the rule more restrictive.
Is Jeff Vedder able to modify his own mobile phone number, pager number,
and title in his directory entry? No
Is Sam Carter able to modify his own mobile phone number, pager
number, and title in his directory entry? Yes
View all the ACIs under the dc=example,dc=com using the ldapsearch
utility:
# ldapsearch -p 1389 -b dc=example,dc=com "aci=*" aci
In your own words, interpret what each ACI specifies.
Do not spend too much time on this task. Ask your instructor for help if you
encounter problems.
The first ACI is completed for you as an example.
Under dc=example,dc=com:
a.
b.
c.
Under ou=People,dc=example,dc=com:
d.
e.
f.
g.
h.
Lab 5
Required Values
User ID
Password
jwallace
linear
hmiller
hillock
ahel
sarsaparilla
Preparation
Prerequisite Labs
The following labs are prerequisites for performing this lab:
The task to prepare your lab system depends on whether you performed the
prerequisite labs, and whether you have performed other labs, in addition to the
prerequisite labs.
2.
Users are allowed three failed attempts within any 10-minute period to
supply the correct password.
After this period, they are locked out of authenticating to the directory, and
their password must be reset by an administrator.
Log in to DSCC.
The Common Tasks page appears.
2.
3.
4.
5.
6.
7.
b.
c.
d.
9.
8.
b.
c.
b.
c.
b.
c.
Verify that the Failure Count Reset: Minutes After Last Failed Login
is set to 10 minutes.
If the Failure Count Reset: Minutes After Last Failed Login field is
not set to 10 minutes, set the field to the value 10.
d.
Verify that the Set Limit on Lockout Duration check box is checked.
If the check box is not checked, select it.
e.
f.
g.
Click OK.
h.
2.
4.
Note: Make sure that the second character in the string t0ughP@ssword is the
number 0 and not the capital letter O.
You should expect a response message, such as the following message:
modifying entry uid=jwallace,ou=People,dc=example,
dc=com
ldap_modify: Constraint violation
ldap_modify: additional info: invalid password syntax:
dictionary word match
5.
6.
Note: Make sure that the second and tenth characters in the string
t0ughP@ssw0rd are the number "0" and not the capital letter "O."
7.
8.
b.
9.
b.
15. Restart the directory server instance so that the canceling of the Password
Strong Check feature of the Global Password Policy takes effect:
# dsadm restart /local/dsm1
Note: Directory server restart is required for the change to the Strong Password
Check plugin to take effect. Restart is not needed for the change to the minimum
password length to take effect.
2.
3.
4.
Log in to DSCC.
The Common Tasks page appears.
5.
6.
7.
8.
9.
b.
c.
In the Browse Data dialog box, double click the ou=people branch.
d.
e.
Click OK.
f.
Click Close.
10. Attempt to change the password to a new password with six characters, a
valid length according to the global password policy:
a.
b.
11. Modify the LDIF file and change the password to fifteen characters.
Rerun the ldapmodify utility, authenticating as user hmiller.
The password change should be successful.
12. Log out of DSCC.
2.
3.
4.
5.
Exercise Summary
Experiences
Interpretations
Conclusions
Applications
Exercise Solutions
The following section provides solutions to questions in the lab.
Compare your answers to Steps 3, 9, and 11 in Task 3.
9.
Lab 6
Objectives
After completing this lab, you should be able to:
Required Values
Information
Value
sunlearning
Preparation
Prerequisite Labs
The following labs are prerequisites for performing this lab:
The task to prepare your lab system depends on whether you performed the
prerequisite labs, and whether you have performed other labs, in addition to the
prerequisite labs.
2.
Use the command line to view the directory server instance's SSL settings
and certificates:
a.
b.
The dsconf utility, used in the previous step, queries the directory's
cn=config tree to obtain the property value.
Query the cn=config tree directly, using the ldapsearch utility:
# ldapsearch -p 1389 -D "cn=Directory Manager" \
-w sunlearning -s base -b cn=config \
"objectclass=*" nsslapd-security
The following should appear in the ldapsearch output: nsslapd-security: on.
c.
The cn=config tree that you queried in steps a and b is built from
the dse.ldif file.
Determine whether SSL is configured as on or off directly from the
dse.ldif file:
# grep nsslapd-security /local/dsm1/config/dse.ldif
The output should be nsslapd-security: on.
d.
e.
View the values of some of the SSL-related properties that you viewed
in step d. You can view more than one setting at a time.
Use the following command to view properties:
# dsconf get-server-prop -p 1389 \
-w /opt/dsee7/pwd ldap-secure-port \
ssl-rsa-cert-name ssl-rsa-security-device
The following output appears:
ldap-secure-port         :  1636
ssl-rsa-cert-name        :  defaultCert
ssl-rsa-security-device  :  Internal (Software)
2.
Use the dsadm utility to view and renew the directory server instance's
certificates:
a.
b.
c.
d.
e.
Stop the directory server instance so that you can renew its default
certificate:
# dsadm stop /local/dsm1
f.
h.
3.
Use DSCC to view the directory server instance's SSL settings and
certificate information:
a.
Log in to DSCC.
The Common Tasks page appears.
b.
c.
d.
f.
g.
h.
Compare the value in the Issued By column to the value in the Issued
To column.
i.
j.
k.
l.
4.
Preparation
There is no special preparation for this exercise.
Search the directory over an SSL connection with the ldapsearch utility:
# ldapsearch -p 1636 -Z -P \
/local/dsm1/alias/slapd-cert8.db \
-b dc=example,dc=com "uid=scarter"
2.
View the access log to confirm that your search was over a secure
connection:
# tail -20 /local/dsm1/logs/access
The following is an example of the access log output:
[28/Sep/2009:13:17:57 -0700] conn=41 op=-1 msgId=-1 fd=22 slot=22 LDAPS connection from 127.0.0.1:33241 to 127.0.0.1
[28/Sep/2009:13:17:57 -0700] conn=41 op=-1 msgId=-1 SSL 128-bit RC4
[28/Sep/2009:13:17:57 -0700] conn=41 op=0 msgId=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=scarter)" attrs=ALL
[28/Sep/2009:13:17:57 -0700] conn=41 op=0 msgId=1 RESULT err=0 tag=101 nentries=1 etime=0
[28/Sep/2009:13:17:57 -0700] conn=41 op=1 msgId=2 UNBIND
[28/Sep/2009:13:17:57 -0700] conn=41 op=1 msgId=-1 closing from 127.0.0.1:33241 - U1 - Connection closed by unbind client
[28/Sep/2009:13:17:59 -0700] conn=41 op=-1 msgId=-1 closed.
Note the presence of the entries with the text "LDAPS connection from
127.0.0.1:33241 to 127.0.0.1" and "SSL 128-bit RC4". These two
entries indicate that the connection to the directory server instance made
when the ldapsearch utility was executed was made over SSL.
Preparation
There is no special preparation for this exercise.
2.
In the second terminal window or terminal tab page, log in to the zone01
zone:
# zlogin zone01
3.
In the second terminal window or terminal tab page, open the access log for
the zone01:1389 (dsm1) instance:
# tail -f /local/dsm1/logs/access
4.
Execute the dsconf utility in the original terminal window, specifying port
1389:
# dsconf get-server-prop -p 1389 \
-w /opt/dsee7/pwd ssl-enabled
Accept the certificate when prompted to do so.
5.
Wait for entries pertaining to the dsconf utility execution to appear in the
access log in the second terminal window or terminal tab page.
6.
After access log entries pertaining to the dsconf utility execution have
appeared in the second terminal window or terminal tab page, review the
entries. You should see that an LDAP connection was made. Within that
connection, the LDAP extension is represented by the object identifier
(OID) number 1.3.6.1.4.1.1466.20037 in an access log entry similar to the
following:
[28/Sep/2009:13:45:00 -0700] conn=46 op=0 msgId=1 - EXT oid="1.3.6.1.4.1.1466.20037"
This LDAP extension represents a request to initiate a secure connection, if
possible. Because SSL is enabled on the directory server instance, a secure
connection is established; note the presence of a log entry with the text
"SSL 128-bit RC4". The entire LDAP conversation between the dsconf
utility and the directory server instance is encrypted over this connection,
including the bind and search operations.
7.
8.
9.
10. Execute the dsconf utility in the original terminal window, specifying port
1636 (note the uppercase -P):
# dsconf get-server-prop -P 1636 \
-w /opt/dsee7/pwd ssl-enabled
11. Wait for entries pertaining to the dsconf utility execution to appear in the
access log in the second terminal window or terminal tab page.
12. After access log entries pertaining to the dsconf utility execution have
appeared in the second terminal window or terminal tab page, review the
entries. You should see that a secure connection was made.
13. Execute the ldapsearch utility in the original terminal window, specifying
port 1636:
# ldapsearch -p 1636 -D "cn=Directory Manager" \
-w sunlearning -s base -b cn=config \
-Z -P /local/dsm1/alias/slapd-cert8.db \
"objectclass=*" nsslapd-security
14. Wait for entries pertaining to the ldapsearch utility execution to appear in
the access log in the second terminal window or terminal tab page.
15. After access log entries pertaining to the ldapsearch utility execution
have appeared in the second terminal window or terminal tab page, review
the entries. You should see that a secure connection was made.
16. Close the second terminal window or terminal tab page.
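The manual review in the tasks above (looking for "LDAPS connection", the StartTLS OID, and the "SSL ..." cipher entry) can be automated per connection. The following Python sketch is an added example, not part of the course material: conn=41 follows the lab's LDAPS sample, while the conn=46 to 49 lines, the "LDAP connection" open line and the BIND line format are constructed assumptions about the access log.

```python
import re

# StartTLS extended-operation OID, as it appears in the lab's EXT log entry.
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"

LINE_RE = re.compile(
    r'^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) '
    r'msgId=-?\d+ (?:- )?(?P<rest>.*)$')
OPEN_RE = re.compile(r'\b(?P<listener>LDAPS?) connection from (?P<peer>\S+) to ')
SSL_RE = re.compile(r'^SSL (?P<cipher>.+)$')
EXT_RE = re.compile(r'^EXT oid="(?P<oid>[^"]+)"')
OP_RE = re.compile(r'^(?P<verb>BIND|SRCH|MODRDN|MOD|ADD|DEL|CMP)\b')

# Constructed sample log (see the assumptions named in the lead-in).
T = "[28/Sep/2009:13:45:00 -0700] "
SAMPLE_LOG = "\n".join(T + line for line in [
    'conn=41 op=-1 msgId=-1 fd=22 slot=22 LDAPS connection from 127.0.0.1:33241 to 127.0.0.1',
    'conn=41 op=-1 msgId=-1 SSL 128-bit RC4',
    'conn=41 op=0 msgId=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=scarter)" attrs=ALL',
    'conn=41 op=1 msgId=2 UNBIND',
    'conn=46 op=-1 msgId=-1 fd=23 slot=23 LDAP connection from 127.0.0.1:33250 to 127.0.0.1',
    'conn=46 op=0 msgId=1 - EXT oid="1.3.6.1.4.1.1466.20037"',
    'conn=46 op=-1 msgId=-1 SSL 128-bit RC4',
    'conn=46 op=1 msgId=2 - BIND dn="cn=Directory Manager" method=128 version=3',
    'conn=47 op=-1 msgId=-1 fd=24 slot=24 LDAP connection from 127.0.0.1:33260 to 127.0.0.1',
    'conn=47 op=0 msgId=1 - BIND dn="uid=scarter,ou=People,dc=example,dc=com" method=128 version=3',
    'conn=47 op=1 msgId=2 - SRCH base="dc=example,dc=com" scope=2 filter="(uid=scarter)" attrs=ALL',
    'conn=47 op=2 msgId=3 - UNBIND',
    'conn=48 op=-1 msgId=-1 fd=25 slot=25 LDAP connection from 127.0.0.1:33270 to 127.0.0.1',
    'conn=48 op=0 msgId=1 - BIND dn="uid=jvedder,ou=People,dc=example,dc=com" method=128 version=3',
    'conn=48 op=1 msgId=2 - EXT oid="1.3.6.1.4.1.1466.20037"',
    'conn=48 op=-1 msgId=-1 SSL 128-bit RC4',
    'conn=48 op=2 msgId=3 - SRCH base="dc=example,dc=com" scope=2 filter="(uid=jvedder)" attrs=ALL',
    'conn=49 op=7 msgId=8 - SRCH base="dc=example,dc=com" scope=2 filter="(uid=scarter)" attrs=ALL',
])


def _transport(info):
    """Summarize how one connection was protected, from what the log shows."""
    if info["cipher"]:
        if info["listener"] == "LDAPS":
            return "ldaps"
        return "starttls" if info["starttls_requested"] else "tls"
    if info["listener"] is None:
        return "unknown"  # opened before this log file started (rotation)
    if info["listener"] == "LDAPS":
        return "ldaps-handshake-not-logged"
    if info["starttls_requested"]:
        return "starttls-not-completed"
    return "cleartext"


def classify_connections(log_text):
    """Return {conn_id: info} for every connection seen in log_text."""
    conns = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # wrapped continuation lines or unrelated text
        rest = m.group("rest")
        info = conns.setdefault(int(m.group("conn")), {
            "listener": None, "peer": None, "cipher": None,
            "starttls_requested": False, "ops_before_tls": [],
        })
        opened = OPEN_RE.search(rest) if m.group("op") == "-1" else None
        ssl, ext, op = SSL_RE.match(rest), EXT_RE.match(rest), OP_RE.match(rest)
        if opened:
            info["listener"] = opened.group("listener")
            info["peer"] = opened.group("peer")
        elif ssl:
            info["cipher"] = ssl.group("cipher")
        elif ext and ext.group("oid") == STARTTLS_OID:
            info["starttls_requested"] = True
        elif (op or ext) and info["cipher"] is None:
            # Operation logged before any cipher entry on this connection.
            info["ops_before_tls"].append(op.group("verb") if op else "EXT")
    for info in conns.values():
        info["transport"] = _transport(info)
    return conns


def cleartext_binds(conns):
    """Ids of LDAP-listener connections that sent a BIND before TLS was set up."""
    return sorted(cid for cid, info in conns.items()
                  if info["listener"] == "LDAP" and "BIND" in info["ops_before_tls"])


if __name__ == "__main__":
    result = classify_connections(SAMPLE_LOG)
    for cid in sorted(result):
        i = result[cid]
        print(cid, i["transport"], i["cipher"], i["ops_before_tls"])
    print("BIND sent without TLS on connections:", cleartext_binds(result))
```

Connections whose opening entry is missing from the file are reported as unknown rather than cleartext, so a rotated log does not produce false findings.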
Exercise Summary
Discussion: Take a few minutes to discuss what experiences, issues, or
discoveries you had during the lab exercise.
Experiences
Interpretations
Conclusions
Applications
Lab 7
Preparation
Prerequisite Labs
The following labs are prerequisites for performing this lab:
The task to prepare your lab system depends on whether you performed the
prerequisite labs, and whether you have performed other labs, in addition to the
prerequisite labs.
2.
2.
3.
b.
c.
d.
e.
Confirm your changes using the ldapsearch utility. You should not
be able to find Alan White's directory entry, and Alexander Lutz's
directory entry should contain the new value for the
facsimileTelephoneNumber attribute:
# ldapsearch -p 1389 -b dc=example,dc=com \
"(|(uid=awhite)(uid=alutz))" \
facsimileTelephoneNumber
4.
5.
6.
Verify that the modifications to the directory that you made in step 3 have
been overwritten as a result of restoring the Directory Server EE database:
# ldapsearch -p 1389 -b dc=example,dc=com \
"(|(uid=awhite)(uid=alutz))" facsimileTelephoneNumber
Output from the ldapsearch utility shows that Alan White's user entry
has been restored to the People branch, and Alexander Lutz's fax number
has been restored to its original value.
Lab 7-5
2.
Lab 7-6
3.
Use the dsconf import utility to import the LDIF file you created in step
1 into the directory:
# dsconf import -p 1389 -w /opt/dsee7/pwd \
/local/dsm1/ldif/date_and_time_example.ldif \
dc=example,dc=com
Replace the date_and_time variable in the example command with the
value of the date command from the previous task.
The following prompt appears in the terminal window:
New data will override existing data of the suffix
"dc=example,dc=com" Initialization will have to be
performed on replicated suffixes. Do you want to
continue [y/n] ?
Type y in response to the prompt.
Output similar to the following appears in the terminal window:
## Index buffering enabled with bucket size 40
## Beginning import job...
## Processing file
"/local/dsm1/ldif/05_12_09_08_37_37_example.ldif"
## Finished scanning file
"/local/dsm1/ldif/05_12_09_08_37_37_example.ldif" (170
entries)
## Workers finished; cleaning up...
## Workers cleaned up.
## Cleaning up producer thread...
## Indexing complete.
## Starting numsubordinates attribute generation. This
may take a while, please wait for further activity
reports.
## Numsubordinates attribute generation complete.
Flushing caches...
## Closing files...
## Import complete. Processed 167 entries in 4
seconds. (42.50 entries/sec)
Task completed (slapd exit code: 0).
4.
Verify that the changed data has been overwritten as a result of restoring the
Directory Server EE database:
Verify changes by running the same verification test that you ran in "Task 2
Backing Up and Restoring Directory Data From the Command Line", step
6 on page L7-5.
Lab 7-7
View the database directory for the dsm1 directory server instance:
# ls /local/dsm1/db
# ls /local/dsm1/db/example
2.
3.
Confirm that the People branch point has been removed by using the
ldapsearch utility:
# ldapsearch -D "cn=Directory Manager" -w sunlearning \
-p 1389 -b ou=People,dc=example,dc=com "objectclass=*"
The ldap_search: No such object message appears.
4.
Lab 7-8
5.
View the database directory for the dsm1 directory server instance:
# ls /local/dsm1/db
# ls /local/dsm1/db/People
The contents of the /local/dsm1/db directory have changed since you
ran the dsconf create-suffix utility.
6.
7.
b.
Lab 7-9
c.
d.
Confirm that only equality and presence index definitions are created
for the exampleTShirtSize attribute:
# dsconf get-index-prop -p 1389 -w /opt/dsee7/pwd \
ou=People,dc=example,dc=com exampleTShirtSize
The eq-enabled and pres-enabled properties should have the
value on. Other indexes should have the value off.
You have now created the index definition for the exampleTShirtSize
attribute. When you create a new index definition, you must then reindex
the directory data so that the index databases on the file system are updated.
However, because the People database is currently empty, there is no point
in reindexing the directory data now. When you import data into the
People database, indexes are automatically updated.
Lab 7-10
8.
Import the LDIF file that you created in "Task 3 Exporting and Importing
a Suffix From the Command Line", step 1 into the People database using
the dsconf import utility:
# dsconf import -p 1389 -w /opt/dsee7/pwd \
/local/dsm1/ldif/date_and_time_example.ldif \
ou=People,dc=example,dc=com
Replace the date_and_time variable in the example command with the
value of the date command from the previous task.
The following output appears in the terminal window:
New data will override existing data of the suffix
"dc=example,dc=com"
Initialization will have to be performed on replicated
suffixes.
Do you want to continue [y/n] ?
Type y in response to the prompt.
Output similar to the following appears in the terminal window:
## Index buffering enabled with bucket size 40
## Beginning import job...
## Starting to process and index entries
## Processing file
"/local/dsm1/ldif/09_28_09_17_21_15_example.ldif"
## Finished scanning file
"/local/dsm1/ldif/09_28_09_17_21_15_example.ldif" (167
entries)
## Workers finished; cleaning up...
## Workers cleaned up.
## Cleaning up producer thread...
## Indexing complete.
## Starting numsubordinates attribute generation. This
may take a while, please wait for further activity
reports.
## Numsubordinates attribute generation complete.
Flushing caches...
## Closing files...
## Import complete. Processed 167 entries (14 entries
were skipped because they don't belong to this
database) in 4 seconds. (41.50 entries/sec)
Task completed (slapd exit code: 0).
Lab 7-11
9.
Verify that the directory entries have been imported into the
ou=people,dc=example,dc=com suffix:
# ldapsearch -D "cn=Directory Manager" -w sunlearning \
-p 1389 -b ou=People,dc=example,dc=com \
"objectclass=*"
Lab 7-12
Exercise Summary
Experiences
Interpretations
Conclusions
Applications
Lab 7-13
Lab 8
Objectives
After completing this lab, you should be able to:
Lab 8-1
Overview
In this lab, you use both DSCC and command-line tools to set up a replication
topology consisting of three master servers. You also use various monitoring tools
to monitor replication.
In addition, you can choose to perform optional exercises at the end of the lab in
which you do the following:
Table 8-1 describes actions taken during each exercise in this lab.
Table 8-1
Exercise Overview
Exercise Phase
Actions
Lab 8-2
Table 8-1
Exercise Phase
Actions
Test multimaster
replication
Test multimaster
replication
Lab 8-3
Required Values
Information
Value
dsm1:1389
dsm2:2389
dsm3:3389
Lab 8-4
Preparation
Prerequisite Labs
The following labs are prerequisites for performing this lab:
The task to prepare your lab system depends on whether you performed the
prerequisite labs, and whether you have performed other labs, in addition to the
prerequisite labs.
Lab 8-5
2.
Log in to DSCC.
The Common Tasks page appears.
2.
3.
4.
Lab 8-6
b.
Select the check boxes for both the dc=example,dc=com suffix and
the ou=People,dc=example,dc=com subsuffix.
c.
d.
e.
Click OK.
The Enabling Replication dialog box appears.
f.
5.
Export an LDIF file that you can use to initialize the dc=example,dc=com
suffix on replica servers:
a.
b.
Select Export Data to LDIF from the More Suffix Actions drop-down
menu.
The Export to LDIF dialog box appears.
c.
d.
e.
Click OK.
The Exporting to LDIF Progress dialog box appears.
f.
6.
b.
Select Export Data to LDIF from the More Suffix Actions drop-down
menu.
The Export to LDIF dialog box appears.
c.
d.
e.
Click OK.
The Exporting to LDIF Progress dialog box appears.
Lab 8-7
f.
Use the dsadm utility to create a new directory server instance named dsm2
running on ports 2389 and 2636:
# dsadm create -p 2389 -P 2636 /local/dsm2
When you are prompted to enter and confirm the Directory Manager
password, type sunlearning.
2.
3.
4.
Lab 8-8
5.
Use the dsconf utility to confirm that the suffixes were created on the
dsm2 instance:
# dsconf list-suffixes -p 2389 -w /opt/dsee7/pwd
The following appears in the terminal window:
dc=example,dc=com
ou=People,dc=example,dc=com
6.
Change to the dsm2 instance database directory and verify that directories
named example and People have been created:
# cd /local/dsm2/db
# ls -l
Files in the example and People directories hold data for the
dc=example,dc=com and ou=People,dc=example,dc=com suffixes.
7.
Use the dsconf utility's help feature to see all replication subcommands:
Lab 8-9
8.
9.
10. Create replication agreements from the dsm1 instance to the dsm2 instance:
a.
Lab 8-10
b.
Lab 8-11
Lab 8-12
16. DSCC does not yet recognize the dsm2 instance because the dsm2 instance
was created using command-line tools.
Register the dsm2 instance with DSCC so that you can administer the
instance using the Web application:
a.
b.
c.
Select Register Existing Server from the More Server Actions drop-down menu to start the Register Existing Directory Server Wizard.
The Step 1: Enter Host and Server Information dialog box appears.
d.
Specify the following values in the Step 1: Enter Host and Server
Information dialog box:
e.
Click Next.
f.
If the Step 1.1: Provide Authentication Information for the Host
dialog box appears, specify the following values in the Step 1.1:
Provide Authentication Information for the Host dialog box:
User ID: root
Password: cangetin
Click Next to submit the credentials.
The Step 2: Provide Authentication Information dialog box appears.
g.
h.
Click Next.
The Step 3: Summary dialog box appears, with a warning that the
server instance will be restarted when you click Finish.
i.
Click Finish.
Messages appear as the dsm2 instance is registered with DSCC and
restarted.
When the operation is complete, the Operation Completed
Successfully message appears.
j.
k.
Lab 8-13
17. By viewing the access logs you can determine if updates are occurring, and
whether updates are being made directly by an LDAP client or by
replication.
Monitor the access logs for the dsm1 and dsm2 instances as follows:
a.
Open two new terminal windows (or terminal tab pages). In one of the
terminal windows you monitor the access log for the dsm1 instance; in
the other window, you monitor the access log for the dsm2 instance.
b.
Use the Terminal / Set Title menu option to set titles on the new
terminal windows. Use the titles dsm1 and dsm2 for the window titles.
c.
d.
b.
c.
d.
Click OK.
The zone01:1389 - Search Data page appears. The search filter is
preset to the values Full Name (cn) and Contains.
e.
Type Andy Walker in the search filter, in the blank field to the right
of the Contains field.
f.
Click Search.
The Search Results page appears, with a single entry for Andy Walker.
g.
Select awalker.
The zone01:1389 - awalker - Entry Overview page appears.
Lab 8-14
h.
i.
Click OK.
j.
View the output of the tail command in the dsm1 terminal window.
You should see log entries that indicate the modification of the
awalker entry. You might have to scroll up to see these log entries.
k.
View the output of the tail command in the dsm2 terminal window.
You should see log entries that indicate the modification of the
awalker entry.
Note the connection number associated with this modification. The
connection number will be denoted by the string conn=.
________________________________________________________
l.
Scroll up the dsm2 terminal window and locate the bind operation
under the connection number noted in the previous step.
For example, if the connection number were 10, you would search for
the line starting with the following text:
[ TIMESTAMP ] conn=10 op=0 msgId=1 - BIND dn=.
The bind DN in this log file entry should be the following DN:
cn=replication manager,cn=replication,cn=config
A connection initiated by the cn=replication
manager,cn=replication,cn=config user is performed during
directory data replication.
Lab 8-15
m.
Use DSCC to verify that Andy Walker's phone number was changed
on the dsm2 instance.
Locate Andy Walker's entry in DSCC using the same technique that
you used in steps 18a through 18g. Be sure to select zone01:2389 in
the Choose Directory Server dialog box, and not zone01:1389.
Confirm that the telephone number is +1 408 555 1234. In order to
confirm replication is working in both directions, change awalker's
telephone number to +1 408 555 3456.
n.
Use DSCC to verify that Andy Walker's phone number was changed
back to +1 408 555 3456 on the dsm1 instance.
o.
Close the dsm1 and dsm2 terminal windows (or tab pages).
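The check in steps k and l above (find the connection that made the change, then read that connection's BIND line) can be scripted. This is an added example, not part of the course material: the sample log lines are constructed, and only the "conn=N op=N msgId=N - BIND dn=" prefix and the replication manager DN come from the lab text; the MOD line layout is an assumption.

```shell
#!/bin/sh
# Constructed sample of a dsm2 access log (not real output). The MOD line
# layout and every value below are assumptions made for this example.
sample_dsm2_log() {
cat <<'EOF'
[12/Oct/2009:17:40:02 -0700] conn=9 op=0 msgId=1 - BIND dn="cn=Directory Manager" method=128 version=3
[12/Oct/2009:17:40:02 -0700] conn=9 op=1 msgId=2 - MOD dn="uid=scarter,ou=People,dc=example,dc=com"
[12/Oct/2009:17:41:10 -0700] conn=10 op=0 msgId=1 - BIND dn="cn=replication manager,cn=replication,cn=config" method=128 version=3
[12/Oct/2009:17:41:11 -0700] conn=10 op=3 msgId=4 - MOD dn="uid=awalker,ou=People,dc=example,dc=com"
[12/Oct/2009:17:42:30 -0700] conn=12 op=1 msgId=2 - MOD dn="uid=awalker,ou=People,dc=example,dc=com"
EOF
}

# Bind DN that the lab text says is used for replication sessions.
REPL_DN='cn=replication manager,cn=replication,cn=config'

# update_origins: read an access log on stdin and print one line per MOD:
#   conn=<n> <origin> <target dn>
# origin is "replication" when the connection was bound as REPL_DN,
# "client" for any other bind DN, and "unknown" when the BIND for that
# connection is not in the excerpt (for example, it scrolled out of tail).
update_origins() {
  awk -v repl="$REPL_DN" '
    # Return the double-quoted value that follows key= on the line.
    function qval(line, key,    i, rest, j) {
      i = index(line, key "=\"")
      if (i == 0) return ""
      rest = substr(line, i + length(key) + 2)
      j = index(rest, "\"")
      return (j > 0) ? substr(rest, 1, j - 1) : rest
    }
    # Return the number that follows conn= on the line.
    function connid(line) {
      return match(line, /conn=[0-9]+/) ? substr(line, RSTART + 5, RLENGTH - 5) : ""
    }
    # Remember the most recent bind DN per connection (a rebind overrides).
    / - BIND dn=/ { bound[connid($0)] = tolower(qval($0, "dn")); next }
    / - MOD dn=/ {
      c = connid($0)
      if (!(c in bound))         origin = "unknown"
      else if (bound[c] == repl) origin = "replication"
      else                       origin = "client"
      print "conn=" c, origin, qval($0, "dn")
    }'
}

sample_dsm2_log | update_origins
```

An "unknown" result means the BIND line lies outside the lines examined, so widen the excerpt before drawing a conclusion about who made the change.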
b.
Lab 8-16
c.
d.
Click Next.
If the Confirm Password Change dialog box appears, select the
cn=Directory Manager user and click OK.
The Step 2: Choose Additional Settings dialog box appears.
e.
f.
g.
Click Next.
The Step 3: Summary dialog box appears.
h.
i.
Lab 8-17
j.
Click Close.
The Directory Servers page appears. The new instance appears in the
directory servers list.
2.
b.
c.
d.
e.
Click Next.
The Step 2: Choose Replication Options dialog box appears.
f.
g.
Click Next.
The Step 2.1: Choose Server(s) dialog box appears.
h.
Select zone01:3389 from the list of available servers and click Add
to add the dsm3 instance to the list of master replicas.
i.
j.
Click Next.
The Step 3: Choose Settings dialog box appears.
k.
l.
Click Next.
The Step 4: Choose Database Location Options dialog box appears.
m.
If the Use Default Database Location check box is not checked, select
it.
n.
Click Next.
The Step 5: Choose Data Options dialog box appears.
o.
Lab 8-18
p.
Enter the following path in the field below the Initialize by Importing
Contents of an LDIF File option:
/local/dsm1/ldif/example_init.ldif
q.
Click Next.
The Step 6: Summary dialog box appears.
r.
s.
t.
u.
v.
3.
Click Close.
All other values are the same as the values specified in step 2.
4.
b.
Lab 8-19
c.
Note: Not the General tab, but the General section further down the same page
as the informational message in the previous step b. You might need to scroll
down the screen to locate the Enable Client Updates button.
5.
d.
Click Save.
e.
f.
Lab 8-20
2.
3.
4.
5.
b.
c.
d.
Lab 8-21
If a replication agreement has the Replication Idle status, then there are no
issues with the deployment that inhibit the operation of the replication
agreement.
Click the Refresh button at the top right of the window to make sure that
you are viewing the most recent status.
6.
b.
c.
Select other view options to continue to explore the ways to see the
replication information.
2.
Verify that the dsm1, dsm2, and dsm3 directory server instances are
running.
Note: If directory server instances are not running, including instances that are
not part of the replication topology, the repldisc utility fails with a message
that it is not able to connect to the LDAP server.
Lab 8-22
3.
Run the repldisc utility with the -a option to omit the replication table:
# repldisc -D "cn=Directory Manager" -w sunlearning \
-a -b ou=People,dc=example,dc=com \
-s zone01:1389
The following replication topology appears in your terminal window:
Lab 8-23
Note: If directory server instances are not running, including instances that are
not part of the replication topology, the insync utility fails with a message that it
is not able to connect to the LDAP server.
2.
Examine the output of the insync utility, noting the Replica DN,
Consumer, Supplier, and Delay values.
Determine the status of the replication agreement from the dsm1 master
replica to the dsm2 master replica for the dc=example,dc=com suffix:
# dsconf show-repl-agmt-status -p 1389 \
-w /opt/dsee7/pwd dc=example,dc=com zone01:2389
2.
Determine the status of the replication agreement from the dsm2 master
replica to the dsm1 master replica for the dc=example,dc=com suffix:
# dsconf show-repl-agmt-status -p 2389 \
-w /opt/dsee7/pwd dc=example,dc=com zone01:1389
Lab 8-24
3.
Check the replication agreement status for the other agreements in the
replication topology if you like.
2.
b.
c.
Select Disable Agreement from the More Agreement Actions drop-down menu.
A dialog box prompts you to confirm the action.
d.
Click OK.
The Disabling Replication Agreements dialog box appears.
Progress messages inform you of the status of the operation.
Lab 8-25
3.
e.
f.
Verify that replication has been paused. Use DSCC to change Andy
Walker's fax number on the dsm1 instance, then verify that his fax number
has not been replicated to the dsm2 and dsm3 instances.
If you are not sure how to change the fax number and to verify that the
number did not change on the replicas, refer to step 18 on page L8-14.
4.
Restart replication:
a.
b.
c.
d.
Select Enable Agreement from the More Agreement Actions drop-down menu.
The Enabling Replication Agreements dialog box appears.
Progress messages inform you of the status of the operation.
e.
Lab 8-26
5.
Verify that replication has been restarted by confirming that the change to
Andy Walker's fax number has been replicated to the dsm2 and dsm3
instances.
2.
3.
Use DSCC to change Sam Carter's telephone number on the dsm1 instance.
If you are not sure how to change the phone number, refer to step 18 on
page L8-14.
4.
5.
6.
Lab 8-27
-w sunlearning -s zone01:1389 \
uid=scarter,ou=People,dc=example,dc=com
Output similar to the following appears, indicating that the directory entries
for Sam Carter are back in sync on the replicas:
entrycmp: zone01:2389 - entries match.
entrycmp: zone01:3389 - entries match.
Lab 8-28
Exercise Summary
Discussion: Take a few minutes to discuss what experiences, issues, or
discoveries you had during the lab exercise.
Experiences
Interpretations
Conclusions
Applications
Lab 8-29
Lab 8-30
Lab 9
Lab 9-1
Lab 10
Lab 10-1
Preparation
Prerequisite Labs
The following labs are prerequisites for performing this lab:
The task to prepare your lab system depends on whether you performed the
prerequisite labs, and whether you have performed other labs, in addition to the
prerequisite labs.
Lab 10-2
2.
Lab 10-3
Make sure that the dsm1, dsm2, and dsm3 directory server instances are
started, and all other directory server instances are stopped:
# dsadm start /local/dsm1
# dsadm start /local/dsm2
# dsadm start /local/dsm3
Log in to DSCC.
The Common Tasks page appears.
3.
4.
Lab 10-4
5.
Specify the following values in the Step 1: Enter Required Settings dialog
box:
Caution: For this lab, you configure the same password for the cn=Proxy
Manager and cn=Directory Manager users. Because both users have the
same password, you can use the /opt/dsee7/pwd file to specify the password
in directory server and directory proxy server CLI operations.
Specifying the same password for multiple internal user accounts is not a security
best practice.
Note: A dialog box might appear asking you to confirm the user for which you
are changing the password. If this dialog box appears, select the root user and
click OK. Respond similarly if you see this dialog box appear at any point in
these labs.
6.
Click Next.
The Step 2: Choose Additional Settings dialog box appears.
7.
Click Next to accept the default settings for the Step 2: Choose Additional
Settings dialog box.
The Step 3: Summary dialog box appears.
8.
Click Finish.
Messages appear in the Creating New Server dialog box as the dps1 proxy
server is created and started.
9.
Lab 10-5
The LDAP_1 data source maps to the dsm1 directory server instance
The LDAP_2 data source maps to the dsm2 directory server instance
The LDAP_3 data source maps to the dsm3 directory server instance
2.
3.
Click New Data Source to start the New Data Source Wizard.
The Step 1: Specify General Properties dialog box appears.
4.
5.
Name: LDAP_1
Click Next.
The Step 2: Choose Client Identity Forwarding Policy dialog box appears.
6.
Click Next to accept the default settings for the Step 2: Choose Client
Identity Forwarding Policy dialog box.
The Step 3: Specify Number of Connections dialog box appears.
7.
Click Next to accept the default settings for the Step 3: Specify Number of
Connections dialog box.
The Step 4: Summary dialog box appears.
Lab 10-6
8.
Click Finish.
Messages appear in the Creating New Data Source dialog box as the
LDAP_1 data source is created.
9.
10. Using the technique you followed in steps 3 through 9, create the LDAP_2
and LDAP_3 data sources for the dsm2 and dsm3 directory server instances.
Make the following changes:
For the LDAP_2 data source, set the description to LDAP 2 (dsm2)
and use the zone01:2389 registered directory server.
For the LDAP_3 data source, set the description to LDAP 3 (dsm3)
and use the zone01:3389 registered directory server.
Verify that the zone01:9389 - Data Sources page appears in DSCC.
2.
3.
Click New Data Source Pool to start the New Data Source Pool Wizard.
The Step 1: Enter Name and Choose Data Sources dialog box appears.
4.
Specify the following values in the Step 1: Enter Name and Choose Data
Sources dialog box:
Name: LDAP_HA_Pool
5.
Data Sources: Click Add All to move the LDAP_1, LDAP_2, and
LDAP_3 data sources from the Available Data Sources column to the
Chosen Data Sources column.
Click Next.
The Step 2: Choose Load Balancing Algorithm dialog box appears.
6.
Select Failover.
7.
Click Next.
The Step 3: Configure Load Balancing Algorithm dialog box appears.
Lab 10-7
Enter values from Table 10-1 in the Step 3: Configure Load Balancing
Algorithm dialog box:
Read/Bind Operations
Write Operations
LDAP_1
LDAP_2
LDAP_3
Caution: DSCC might not display the data sources in sequential order. Make
sure that you enter the correct value for each data source.
Table 10-1 shows data sources and load-balancing weights. When using the
failover load-balancing algorithm, a directory proxy server sends requests to
all data sources with the highest weight. To demonstrate failover in this lab,
you set different weights for each data source.
Initially, the directory proxy server routes all traffic to the data source with
the highest weight, the LDAP_1 data source. After you shut down the
LDAP_1 data source, the directory proxy server routes all traffic to the data
source with the next highest weight, the LDAP_2 data source.
In a production environment, you might choose to set the weights equally.
Setting the weights equally causes equal load-balancing of requests across
all three data sources, while still handling a data source failure.
9.
Click Next.
The Step 4: Summary dialog box appears.
Lab 10-8
Verify that the zone01:9389 - Data Source Pools page appears in DSCC.
2.
3.
Click New Data View to start the New Data View Wizard.
The Step 1: Enter Name and Description dialog box appears.
4.
5.
Specify the following values in the Step 1: Enter Name and Description
dialog box:
Name: LDAP_View
Click Next.
The Step 2: Specify Data Settings dialog box appears.
6.
7.
Specify the following values in the Step 2: Specify Data Settings dialog
box:
Click Next.
The Step 3: Summary dialog box appears.
8.
Click Finish.
Messages appear in the Creating New Data View dialog box as the
LDAP_View data view is created.
Lab 10-9
9.
You can determine where directory server requests are routed by viewing
the access logs.
Monitor the access logs for the dsm1, dsm2, and dsm3 directory server
instances, and for the dps1 directory proxy server as follows:
Lab 10-10
a.
Open four new terminal windows (or terminal tab pages). You will use
the four windows (or tabs) to monitor access logs for the following
instances:
b.
Use the Terminal / Set Title menu option to set titles on the new
terminal windows. Use the titles dsm1, dsm2, dsm3, and dps1 for the
window titles.
c.
Log into the zone01 zone in each new terminal window (or tab):
# zlogin zone01
d.
Note: In the next step, you search for user Sam Carter using the filter
"uid=scarter" in the original terminal window, and monitor the access logs in
the new terminal windows. By using the grep command, you filter the output so
that you see only the lines containing the string scarter.
Lab 10-11
2.
Note: The search base DN matches the view base DN specified for the data
view in "Task 5 Creating a Data View".
3.
4.
View the output of the access logs for the directory proxy server and the
three directory server instances. Confirm that the search was performed
only on the LDAP_1 data source (the dsm1 instance). Updates to the access
logs are buffered, so it might take a few seconds for your search to appear
in the logs.
The directory server proxy access log should have log records similar to the
following:
[12/Oct/2009:18:02:21 -0700] - OPERATION - INFO conn=19 op=0 msgid=1 SEARCH
base="ou=People,dc=example,dc=com" scope=2 controls=""
filter="(uid=scarter)" attrs="*"
[12/Oct/2009:18:02:21 -0700] - SERVER_OP - INFO conn=19 op=0 SEARCH base="ou=people,dc=example,dc=com"
scope=2 filter="(uid=scarter)" attrs="*" s_msgid=22
s_conn=ldap_1:6
Notice the string s_conn=ldap_1 in the directory server proxy access
log. This string indicates that a connection to the LDAP_1 data source (the
dsm1 instance) was made.
5.
Once you are convinced that requests are only being sent to the LDAP_1
data source, shut down the dsm1 instance from the original terminal
window:
# dsadm stop /local/dsm1
Lab 10-12
6.
Repeat the ldapsearch utility request that you performed in step 2 several
times.
7.
Review the output of the access logs for the directory proxy server and the
three directory server instances. Confirm that the search was performed
only on the dsm2 instance.
8.
Shut down the dsm2 instance from the original terminal window.
9.
10. Restart the two stopped instances, and reactivate the monitoring setup for
those instances:
a.
Restart the dsm1 and dsm2 instances from the original terminal
window.
b.
c.
11. Repeat the search to verify that the search is once again performed on the
dsm1 instance.
12. Leave the terminal windows open for use in the next exercise.
Lab 10-13
2.
3.
4.
5. Click New Data Source Pool to start the New Data Source Pool Wizard.
The Step 1: Enter Name and Choose Data Sources dialog box appears.
6. Specify the following values in the Step 1: Enter Name and Choose Data
Sources dialog box:
Name: LDAP_Prop_Pool
Data Sources: Click Add All to move the LDAP_1, LDAP_2, and
LDAP_3 data sources from the Available Data Sources column to the
Chosen Data Sources column.
7. Click Next.
9. Click Next.
The Step 3: Configure Load Balancing Algorithm dialog box appears.
10. Enter values from Table 10-2 in the Step 3: Configure Load Balancing
Algorithm dialog box:
Table 10-2 Data Sources and Load Balancing Weights
Data Source    Read/Bind Operations    Write Operations
LDAP_1
LDAP_2
LDAP_3
Caution: DSCC might not display the data sources in sequential order. Make
sure that you enter the correct value for each data source.
11. Click Next.
The Step 4: Summary dialog box appears.
12. Click Finish.
Messages appear in the Creating New Data Source Pool dialog box as the
LDAP_Prop_Pool data source pool is created.
13. Click Close to terminate the New Data Source Pool Wizard.
The LDAP_Prop_Pool data source pool appears in the data source pools
list in DSCC.
2.
3.
4.
5. Click OK.
6.
25% of LDAP requests are routed to the LDAP_1 data source (the dsm1
instance)
50% of LDAP requests are routed to the LDAP_2 data source (the dsm2
instance)
25% of LDAP requests are routed to the LDAP_3 data source (the dsm3
instance)
You use the same technique that you used in Exercise 1: Configuring Failover
Using a Directory Proxy Server to verify that the directory proxy server is routing
LDAP requests as expected.
Complete the following steps in the zone01 zone:
1. You should still have four terminal windows (or tabs) set up to monitor the
access logs for the dsm1, dsm2, dsm3, and dps1 instances.
If you removed the monitoring setup from your lab system, re-create the
setup using the technique you used in step 1 on page L10-10.
2.
3. Confirm that the search was performed on the directory server instances in
the proportions specified in Table 10-2.
4. Shut down the dsm1 instance from the original terminal window:
# dsadm stop /local/dsm1
5. Repeat the ldapsearch utility request that you performed in step 2 six
more times.
6. Confirm that the search was performed twice as often on the LDAP_2 data
source (the dsm2 instance) as on the LDAP_3 data source (the dsm3
instance).
7. Restart the stopped dsm1 instance, and reactivate the monitoring setup for
that instance:
a.
b. Stop the tail command in the terminal window monitoring the dsm1
access log by pressing the Ctrl + C keys.
c.
8. Leave the terminal windows open for use in the next exercise.
The LDAP_1 and LDAP_2 data sources must handle search and compare
requests only.
All other directory services requests must be handled by the LDAP_3 data
source.
Task 1 Configuring Operation Type Load Balancing Using the Command-Line Interface
2. Review the current load-balancing weights of each of the three data sources
configured in the LDAP_Prop_Pool data source pool:
a.
b.
c.
3.
4.
5.
6.
7.
: disabled
: disabled
: 1
: disabled
: disabled
: disabled
: 1
8. Set the load-balancing weights, by operation type, for the LDAP_2 data
source:
# dpconf set-attached-ldap-data-source-prop -p 9389 \
-w /opt/dsee7/pwd LDAP_op_Pool LDAP_2 \
add-weight:disabled bind-weight:disabled \
compare-weight:1 delete-weight:disabled \
modify-dn-weight:disabled modify-weight:disabled \
search-weight:1
The weights are identical to those for the LDAP_1 data source.
9.
10. Set the load-balancing weights, by operation type, for the LDAP_3 data
source:
# dpconf set-attached-ldap-data-source-prop -p 9389 \
-w /opt/dsee7/pwd LDAP_op_Pool LDAP_3 \
add-weight:1 bind-weight:1 \
compare-weight:disabled delete-weight:1 \
modify-dn-weight:1 modify-weight:1 \
search-weight:disabled
The LDAP_3 data source will receive all request types except search and
compare requests.
11. Confirm that you configured the LDAP_3 data source correctly:
# dpconf get-attached-ldap-data-source-prop -p 9389 \
-w /opt/dsee7/pwd LDAP_op_Pool LDAP_3
The following output should appear in the terminal window:
add-weight        :  1
bind-weight       :  1
compare-weight    :  disabled
delete-weight     :  1
modify-dn-weight  :  1
modify-weight     :  1
search-weight     :  disabled
12. Review the LDAP_View data view's configuration to determine which data
source pool is configured in the data view:
# dpconf get-ldap-data-view-prop -p 9389 \
-w /opt/dsee7/pwd LDAP_View | grep pool
The following output should appear in the terminal window:
ldap-data-source-pool  :  LDAP_Prop_Pool
13. Reconfigure the LDAP_View data view to use the LDAP_op_Pool data
source pool:
# dpconf set-ldap-data-view-prop -p 9389 \
-w /opt/dsee7/pwd LDAP_View \
ldap-data-source-pool:LDAP_op_Pool
You should still have four terminal windows (or tabs) set up to monitor the
access logs for the dsm1, dsm2, dsm3, and dps1 instances.
If you removed the monitoring setup from your lab system, re-create the
setup using the technique you used in step 1 on page L10-10.
2. Run the ldapsearch utility several times to verify that search requests are
routed only to the LDAP_1 data source (the dsm1 instance) and the
LDAP_2 data source (the dsm2 instance):
# ldapsearch -p 9389 -b ou=People,dc=example,dc=com \
uid=scarter
3. Using any text editor, create two LDIF files that you can use to change the
value of the exampletshirtsize attribute in Sam Carter's directory
entry:
a.
b.
4. Run the ldapmodify utility twice to make two attribute value changes to
Sam Carter's directory entry:
# ldapmodify -p 9389 \
-D uid=scarter,ou=People,dc=example,dc=com \
-w sprain -f /tmp/scarterchg1.ldif
# ldapmodify -p 9389 \
-D uid=scarter,ou=People,dc=example,dc=com \
-w sprain -f /tmp/scarterchg2.ldif
Review the directory proxy server log to determine where the requests are
being routed. All requests to modify directory entries should be routed to
the LDAP_3 data source (the dsm3 instance).
Why do you also see requests to modify directory entries in the dsm1 and
dsm2 instances' access logs?
2. Attach the LDAP_1, LDAP_2 and LDAP_3 data sources to the new data
source pool:
# dpconf attach-ldap-data-source -p 9389 \
-w /opt/dsee7/pwd LDAP_Fair_Pool LDAP_1 LDAP_2 LDAP_3
3.
4. By default, attached data sources have all request types disabled. Set
load-balancing weights for the data sources to allow all request types:
a.
b.
c.
d.
e.
f.
5.
6. Using your monitoring setup, verify that all request types are distributed
equally to the LDAP_1, LDAP_2, and LDAP_3 data sources.
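The routing checks in this lab (the 25/50/25 proportions, search and compare requests only on LDAP_1 and LDAP_2, and the equal split) can be tallied from the proxy access log instead of being read by eye. The script below is an added example, not part of the course material; it assumes each SERVER_OP record occupies one line in the log file, and the emit helper, the MODIFY record layout, and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Tally directory proxy server SERVER_OP records by data source and operation.
# Assumption: each record is a single line in the log file (the guide wraps
# them for print) and carries s_conn=<data source>:<connection number>.
# The log writes the data source name in lower case (ldap_1 for LDAP_1).

# route_tally FILE -> lines of "<source> <OPERATION> <count>"
route_tally() {
    awk '
        / - SERVER_OP - / {
            src = ""; op = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^s_conn=/) {            # s_conn=ldap_1:6 -> ldap_1
                    src = substr($i, 8)
                    sub(/:.*/, "", src)
                }
                # the operation name is the token that follows op=<n>
                if ($i ~ /^op=[0-9]+$/ && i < NF) op = $(i + 1)
            }
            if (src != "" && op != "") count[src " " op]++
        }
        END { for (k in count) print k, count[k] }
    ' "$1" | sort
}

# route_share FILE OPERATION -> lines of "<source> <percent of that operation>"
route_share() {
    route_tally "$1" | awk -v want="$2" '
        $2 == want { n[$1] = $3; total += $3 }
        END { for (s in n) printf "%s %d\n", s, (n[s] * 100) / total }
    ' | sort
}

# routed_count FILE SOURCE OPERATION -> number of matching records (0 if none)
routed_count() {
    route_tally "$1" | awk -v s="$2" -v o="$3" \
        '$1 == s && $2 == o { c = $3 } END { print c + 0 }'
}

# emit COUNT OPERATION SOURCE -> constructed sample records. Only the SEARCH
# layout is taken from the guide; reusing it for other operations is an
# assumption, and only the op=<n> and s_conn= fields matter to the tally.
emit() (
    n=0
    while [ "$n" -lt "$1" ]; do
        printf '[12/Oct/2009:18:02:21 -0700] - SERVER_OP - INFO conn=19 op=%d %s base="ou=people,dc=example,dc=com" scope=2 filter="(uid=scarter)" attrs="*" s_msgid=%d s_conn=%s:6\n' \
            "$n" "$2" "$((n + 22))" "$3"
        n=$((n + 1))
    done
)

# Demo on constructed data: eight searches spread 2/4/2, as the proportional
# pool in this lab should produce.
log=$(mktemp)
{ emit 2 SEARCH ldap_1; emit 4 SEARCH ldap_2; emit 2 SEARCH ldap_3; } > "$log"
route_share "$log" SEARCH
rm -f "$log"
```

On a lab system, pass the proxy access log (/local/dps1/logs/access in this lab) to route_share or routed_count in place of the sample file.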
Exercise Summary
Experiences
Interpretations
Conclusions
Applications
Lab 11
Example Chocolates wants to use a virtual directory to let the applications use
directory services to access the data stored in the three discrete types of data
sources. In this lab, you configure a virtual directory that meets all of Example
Chocolates' business needs.
Data Source | Data View | Base DN
HR data in a directory server instance accessible using the LDAP protocol | HR_View | dc=example,dc=com
Administration data in an LDIF file (the Example.dps.ad.ldif file) | AD_View | o=ad.ldif
Joined contents of HR and administration data | HR_AD_View | dc=example
Payroll data in relational database tables | Payroll_View | o=payroll
Sample Data
A Sample Entry From the dsm6 Directory Server Instance
dn: uid=hmiller, ou=People, dc=example,dc=com
employeeNumber: 12014
givenName: Harry
telephoneNumber: +1 408 555 9804
sn: Miller
facsimileTelephoneNumber: +1 408 555 9332
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: hmiller
cn: Harry Miller
userPassword: {SSHA}IWgRfhTv8dnRJBNdq7Qs8NT165/deOlYm2BlOQ==
Task 4 Creating the Data Source, Data Source Pool, and Data View
Preparation
Prerequisite Labs
The following labs are prerequisites for performing this lab:
The task to prepare your lab system depends on whether you performed the
prerequisite labs, and whether you have performed other labs, in addition to the
prerequisite labs.
2.
Make sure that all the directory server instances that you worked with in the
preceding labs are stopped:
# dsadm stop /local/dsm1
# dsadm stop /local/dsm2
# dsadm stop /local/dsm3
# dsadm stop /local/dsrh1
# dsadm stop /local/dsr1
2.
3. Log in to DSCC.
4.
5.
6.
7. Disable the data sources you added to your configuration in the previous
lab:
a. Select the three check boxes to the left of the LDAP_1, LDAP_2, and
LDAP_3 data sources.
b. Click Disable.
A confirmation dialog box appears.
c. Click OK.
Messages appear in the Disabling Data Source dialog box as the data
sources are disabled.
d.
8. Disable the data view you added to your configuration in the previous lab:
a.
b. Select the check box to the left of the LDAP_View data view.
c. Select Disable from the More Data View Actions drop-down menu.
A confirmation dialog box appears.
d. Click OK.
Messages appear in the Disabling Data View dialog box as the data
sources are disabled.
e.
b.
d. Click Next.
If the Confirm Password Change dialog box appears, select the
cn=Directory Manager user and click OK.
The Step 2: Choose Additional Settings dialog box appears.
e.
f.
g.
h. Click Close.
The Directory Servers page appears. The new instance appears in the
directory servers list.
2.
b.
c.
d.
e. Click Next.
The Step 2: Choose Replication Options dialog box appears.
f.
g.
h. Click Next.
The Step 3: Choose Settings dialog box appears.
i.
j. If the Use Default Database Location check box is not checked, select
it.
k. Click Next.
The Step 5: Choose Data Options dialog box appears.
l.
m. Enter the following path in the field below the Initialize by Importing
Contents of an LDIF File option:
/opt/ses/shared/lab/Example.dps.hr.ldif
n. Click Next.
The Step 6: Summary dialog box appears.
o.
p. Click Close.
Note: The set of user entries in the dsm6 directory server instance's
dc=example,dc=com suffix is a different set of entries than the entries with
which you have been working in previous labs. You might want to review the set
of user entries in the new suffix to familiarize yourself with this new sample data.
The configuration objects let you access data in the dsm6 directory server
instance using the dps1 directory proxy server.
After you create these objects, you run the ldapsearch utility to verify that you
configured the objects correctly.
Complete the following steps in the zone01 zone:
1.
2.
3.
4.
5. Click New Data Source to start the New Data Source Wizard.
The Step 1: Specify General Properties dialog box appears.
b.
Name: HR_LDAP
Note: Verify that you have selected the zone01:6389 directory server instance
before proceeding.
c. Click Next.
The Step 2: Choose Client Identity Forwarding Policy dialog box
appears.
d. Click Next to accept the default settings for the Step 2: Choose Client
Identity Forwarding Policy dialog box.
The Step 3: Specify Number of Connections dialog box appears.
e. Click Next to accept the default settings for the Step 3: Specify
Number of Connections dialog box.
The Step 4: Summary dialog box appears.
f. Click Finish.
Messages appear in the Creating New Data Source dialog box as the
HR_LDAP data source is created.
g.
6.
b. Click New Data Source Pool to start the New Data Source Pool
Wizard.
The Step 1: Enter Name and Choose Data Sources dialog box appears.
c. Specify the following values in the Step 1: Enter Name and Choose
Data Sources dialog box:
Name: HR_Pool
Description: HR Pool
Data Sources: Select the HR_LDAP data source and click Add to
move this data source from the Available Data Sources column to
the Chosen Data Sources column. Make sure that the HR_LDAP
data source is the only data source in the Chosen Data Sources
column.
d. Click Next.
The Step 2: Choose Load Balancing Algorithm dialog box appears.
e.
f. Click Next.
The Step 3: Configure Load Balancing Algorithm dialog box appears.
g.
Read/Bind operations: 2
Write operations: 2
h. Click Next.
The Step 4: Summary dialog box appears.
i. Click Finish.
Messages appear in the Creating New Data Source Pool dialog box as
the HR_Pool data source pool is created.
j.
7.
b. Click New Data View to start the New Data View Wizard.
The Step 1: Enter Name and Description dialog box appears.
c.
Name: HR_View
Description: HR View
d. Click Next.
f. Click Next.
The Step 3: Summary dialog box appears.
g. Click Finish.
Messages appear in the Create New Data View dialog box as the
HR_View data view is created.
h.
8. Confirm that the data from the HR_LDAP data source (the dsm6 directory
server instance) is accessible through the directory proxy server.
Display Kurt Jensen's directory entry:
# ldapsearch -p 9389 -b ou=People,dc=example,dc=com \
uid=kjensen
Entries from the HR_LDAP data source include attributes such as the
employeeNumber, givenname, and telephoneNumber attributes.
Note: If the ldapsearch utility fails with error code 52, you probably specified
the wrong directory server instance when you configured the HR_LDAP data
source. Review the HR_LDAP data source configuration to determine whether a
misconfiguration is the source of your problem.
LDIF files are accessed as virtual directory entries using LDIF views.
Relational database tables are accessed as virtual directory entries using
JDBC views.
Combinations of elements from multiple data views of any type are
accessed through join views.
In this exercise, you create the AD_View LDIF view that lets the administration
application access the Example.dps.ad.ldif file as a virtual directory. Then
you create a join view, which lets the auditing application access elements in the
HR_View LDAP view and the AD_View LDIF view using a single operation.
Note: Because DSCC supports only LDAP data views, you use the CLI in this
exercise to create and configure LDIF and join data views.
Perform the following tasks:
1. Review the LDIF file that the AD_View data view abstracts:
# more /opt/ses/shared/lab/Example.dps.ad.ldif
Observe that the base DN ou=People,o=ad.ldif applies to the user
entries in the LDIF file.
Also, observe the presence of the following attribute names in user entries:
The cn attribute
2. Review attributes in user entries accessed using the HR_View data view:
# ldapsearch -p 9389 -b ou=People,dc=example,dc=com \
uid=kjensen
Observe the presence of the following attribute names in user entries:
The cn attribute
After you create the join view later in the exercise, the join view is able to
retrieve attributes from both data views using a single ldapsearch utility
execution.
3. Create a directory for the LDIF file and copy the Example.dps.ad.ldif
file to that directory:
# mkdir /local/dps1/ldif
# cp /opt/ses/shared/lab/Example.dps.ad.ldif \
/local/dps1/ldif
4. Use the help feature of the dpconf utility to list the set of subcommands
that you use with LDIF data views:
# dpconf --help | grep ldif
The following subcommands are available:
5.
6.
7.
8. Confirm that the data is accessible through the directory proxy server by
using the ldapsearch utility to search the LDIF data view's base DN:
# ldapsearch -p 9389 -b o=ad.ldif eid=12025
Kurt Jensen's directory entry from the AD_View data view appears.
9.
Retrieve Sam Carter's user entry using the AD_View data view:
# ldapsearch -p 9389 -b o=ad.ldif "cn=Sam Carter"
Observe that the ldapsearch utility returns the eid, sn, department,
location, roomNumber, mail, cn, and jobstatus attributes.
2.
3.
Retrieve Sam Carter's user entry using the AD_View data view:
# ldapsearch -p 9389 -b o=ad.ldif "cn=Sam Carter"
Observe that the ldapsearch utility returns the eid, location,
roomNumber, cn, and jobStatus attributes, but does not return the
displayName, employeeNumber, and office attributes.
2.
c. Map the eid attribute already available in the AD_View LDIF data
view to the new employeeNumber attribute:
# dpconf add-virtual-transformation -p 9389 \
-w /opt/dsee7/pwd AD_View read \
add-attr employeeNumber \${eid}
3.
Note: The eid, location, roomNumber, and cn attributes are still defined in
the AD_View data view, and, thus, are still returned.
4.
5. Confirm that the jobStatus attribute is no longer returned when you run
the ldapsearch utility:
# ldapsearch -p 9389 -b o=ad.ldif "cn=Sam Carter"
6. Define the join rule to compare the AD_View data view's eid attribute with
the HR_View data view's employeeNumber attribute.
# dpconf set-ldif-data-view-prop -p 9389 \
-w /opt/dsee7/pwd AD_View \
filter-join-rule:eid=\${HR_View.employeeNumber}
Caution: Do not type the \ character when it appears at the end of the line in
a nonbold type face.
Do type the \ character when it appears in the middle of the line in a bold type
face.
2. Define the HR_AD_View join data view, using the dc=example DN as the
join view's base DN:
# dpconf create-join-data-view -p 9389 \
-w /opt/dsee7/pwd HR_AD_View HR_View AD_View dc=example
3. Compare the output from the request to the HR_AD_View join data view to
output from requests to the HR_View and AD_View data views:
a. Search for Sam Carter's user entry in the HR_View data view,
specifying the base DN, ou=People,dc=example,dc=com:
# ldapsearch -p 9389 -b \
ou=People,dc=example,dc=com uid=scarter
The mobile attribute appears in the search results. The eid attribute
does not appear in the search results.
b. Search for Sam Carter's user entry in the AD_View data view,
specifying the base DN, o=ad.ldif:
# ldapsearch -p 9389 -b o=ad.ldif "cn=Sam Carter"
The eid attribute appears in the search results. The mobile attribute
does not appear in the search results.
c. Search for Sam Carter's user entry in the HR_AD_View join view,
specifying the base DN, dc=example:
# ldapsearch -p 9389 -b dc=example uid=scarter
Both the mobile and eid attributes appear in the search results.
Confirm that the hr_user user can currently access Kurt Jensen's directory
data using the HR_View, AD_View, and HR_AD_View data views:
a.
b.
c.
Note: A convenient way to distinguish between the data in the HR_View and
AD_View data views is to request the telephonenumber and department
attributes. The telephonenumber attribute is present only in the HR_Data data
view, whereas the department attribute is present only in the AD_View data
view. Therefore, the telephonenumber attribute is returned from searches that
access the HR_View data view, the department attribute is returned from
searches that access the AD_View data view, and both attributes are returned from
searches that access the HR_AD_View join data view.
2. Confirm that the alutz user can also access Kurt Jensen's directory data
using the HR_View, AD_View, and HR_AD_View data views:
a.
b.
c.
3.
4.
5.
b.
Name: HR_App
c. Click Next.
The Step 2: Specify Matching Criteria dialog box appears.
d.
e. Click Next.
The Step 3: Choose Policies dialog box appears.
f.
g. Specify the following values in the Step 4: Choose Data Views dialog
box:
h. Select the HR_View data view from the Available Data Views column
and click Add.
The HR_View data view appears in the Chosen Data Views column.
i. Click Next.
The Step 5: Summary dialog box appears.
j. Click Finish.
Messages appear in the Creating New Connection Handler dialog box
as the HR_App connection handler is created.
k.
6.
7. In a terminal window, run the same ldapsearch utility commands that you
ran in step 1, authenticating as the hr_user user.
If the connection handler is working correctly, the hr_user user should
only be able to access Kurt Jensen's directory data using the HR_View data
view.
Messages similar to the following appear when the hr_user user attempts
to access Kurt Jensen's directory data using the AD_View data view:
ldap_search: No such object
ldap_search: additional info: The entry "o=ad.ldif" is
not handled by the server.
Messages similar to the following appear when the hr_user user attempts
to access Kurt Jensen's directory data using the HR_AD_View data view:
ldap_search: No such object
ldap_search: additional info: The entry "dc=example" is
not handled by the server.
8.
9. Run the same ldapsearch utility commands that you ran in step 2,
authenticating as the alutz user.
The alutz user should still be able to access Kurt Jensen's directory data
using all three data views. The filter defined in the HR_App connection
handler does not apply to the alutz user.
Task 1 Installing and Configuring MySQL and the MySQL JDBC Driver
2. Copy the JAR file containing the MySQL driver to the /mysql directory
and rename the JAR file to the jdbc.jar file:
# cp /opt/ses/shared/software/mysql-connector-java-5.1.7/mysql-connector-java-5.1.7-bin.jar \
/mysql/jdbc.jar
3.
4.
5.
6.
c.
7.
8. Confirm that the database and its two tables were created:
# ./mysqlshow payroll
Output in the terminal window indicates that the payroll database was
created with two tables: the salary and users tables.
9. Use the provided script to populate the payroll database with data:
# ./mysql -u root < \
/opt/ses/shared/lab/add_payroll_data.mysql
b.
+----------+--------+----------+----------+-------------------+
| id       | f_name | l_name   | password | job_title         |
+----------+--------+----------+----------+-------------------+
| achassin | Audrey | Chassin  | password | Project Manager   |
| alutz    | Alex   | Lutz     | password | Watchman          |
| ejohnson | Ed     | Johnson  | password | Temp              |
| gtriplet | Glen   | Triplet  | password | Staff             |
| jcampai2 | John   | Campaine | password | J2EE Developer    |
| mlangdon | Matt   | Langdon  | password | Q & A Team Member |
+----------+--------+----------+----------+-------------------+
6 rows in set (0.01 sec)
c.
+----------+-------+-------------+--------------+------------+
| id       | grade | ssNumber    | vacationDays | startDate  |
+----------+-------+-------------+--------------+------------+
| achassin | G12   | 333-33-3333 | 12           | 4/1/2005   |
| alutz    | G7    | 111-11-1111 | 4            | 12/31/1987 |
| ejohnson | T5    | 222-22-2222 | 2            | 2/2/2002   |
| gtriplet | G8    | 999-99-9999 | 3            | 6/21/2001  |
| jcampai2 | G4    | 555-55-5555 | 6            | 1/1/1996   |
| mlangdon | G4    | 777-77-7777 | 17           | 3/15/1979  |
+----------+-------+-------------+--------------+------------+
6 rows in set (0.00 sec)
d.
2. Configure the directory proxy server to use the dbuser user to access the
payroll database:
# dpconf set-jdbc-data-source-prop -p 9389 \
-w /opt/dsee7/pwd Payroll_Data db-user:dbuser \
db-pwd-file:/opt/dsee7/pwd
The following message appears:
The proxy server will need to be restarted in order for
the changes to take effect
4.
5.
6.
7.
8. (Optional) Verify that you have configured the data source, data source
pool, and data view correctly. Use the dpconf --help | grep list-jdbc
command to determine which dpconf utility options to use for
verification.
2. Before you can define emulated attributes, you must define tables in
directory proxy server. Directory proxy server tables map to relational
database tables.
Create tables in directory proxy server that map to the payroll database
tables:
a.
b.
3. Add attributes to the directory proxy server tables that map to the users
table's columns:
a.
b.
c.
Note: Be sure to use the letter l and not the number 1 when you type the
l_name column.
d.
e.
4. Add attributes to the directory proxy server tables that map to the salary
table's columns:
a.
b.
c.
d.
5. Verify that you created the directory proxy server attributes correctly:
a. Verify that you created attributes for the directory proxy server
Payroll_Users table correctly:
# dpconf list-jdbc-attrs -p 9389 \
-w /opt/dsee7/pwd Payroll_Users
The following output should appear in the terminal window:
givenname
sn
title
uid
userpassword
b. Verify that you created attributes for the directory proxy server
Payroll_Salary table correctly:
# dpconf list-jdbc-attrs -p 9389 \
-w /opt/dsee7/pwd Payroll_Salary
The following output should appear in the terminal window:
pay_grade
ssn
startdate
vacationdays
6. Create the emulated exampleperson object class for the JDBC view,
defining the Payroll_Users table as the primary table for the object class
and the Payroll_Salary table as the secondary table for the object class:
# dpconf create-jdbc-object-class -p 9389 \
-w /opt/dsee7/pwd Payroll_View exampleperson \
Payroll_Users Payroll_Salary uid
Note: JDBC object class DNs are constructed from the base DN of the JDBC
data view and the last parameter in the dpconf create-jdbc-object-class
command. In this example, the DN is constructed from the uid attribute and the
base DN of the Payroll_View data view (o=payroll).
You need to provide base DNs when you run the ldapmodify utility and define
ACIs in the next task.
7.
8. Define the superclass (the LDAP object class from which the JDBC object
class inherits attributes) as the inetOrgPerson object class:
# dpconf set-jdbc-object-class-prop -p 9389 \
-w /opt/dsee7/pwd Payroll_View exampleperson \
super-class:inetOrgPerson
9. The join rule defines how data from the Payroll_Salary table (which
was defined as the secondary table) is linked to data from the
Payroll_Users table (which was defined as the primary table).
Define the join rule to compare the salary table's id column with the
users table's id column:
# dpconf set-jdbc-table-prop -p 9389 \
-w /opt/dsee7/pwd Payroll_Salary \
filter-join-rule:id=\${users.id}
Caution: Do not type the \ character when it appears at the end of the line in
a nonbold typeface.
Do type the \ character when it appears in the middle of the line in a bold
typeface.
10. Verify that the data in the payroll database is now accessible by running
the ldapsearch utility on the directory proxy server:
# ldapsearch -p 9389 -b o=payroll uid=achassin
The following output should appear in the terminal window:
version: 1
dn: uid=achassin,o=payroll
objectclass: inetOrgPerson
objectclass: exampleperson
sn: Chassin
title: Project Manager
userpassword: password
uid: achassin
givenname: Audrey
startdate: 4/1/2005
ssn: 333-33-3333
pay_grade: G12
vacationdays: 12
Observe the following results:
11. Review the previous request in the directory proxy server access log:
# tail /local/dps1/logs/access
You should see a record similar to the following in the access log:
[15/Oct/2009:07:19:47 -0700] - SERVER_OP - INFO conn=28 op=0 SEARCH base="o=payroll" scope=2
filter="(uid=achassin)" attrs="*"
jdbcServer=payroll_data sqlStatement="SELECT
users.id,users.l_name,users.job_title,users.password,us
ers.f_name,salary.startDate,salary.ssNumber,salary.grad
e,salary.vacationdays FROM users LEFT OUTER JOIN
salary ON (salary.id=users.id) WHERE ( ( users.id IS
NOT NULL ) ) AND ( ( UPPER(users.id) = 'ACHASSIN' ) )
ORDER BY users.id"
This access log record provides the operation that was performed on the
payroll database.
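The access log record above shows the SQL that the proxy issued for a single LDAP search, including the users.password column. The following added example (not part of the original lab guide) scans such records and flags searches whose generated SELECT list includes a password column. The function names sample_log and audit_jdbc_searches are hypothetical, the sample records are constructed from the one shown above, and it assumes each record occupies one physical line in the real log file.

```shell
#!/bin/sh
# Added example (not from the lab guide): audit the SQL that the proxy's JDBC
# data view generates. Assumption: one access log record per physical line.

# Constructed sample records, modeled on the record shown in step 11.
sample_log() {
cat <<'EOF'
[15/Oct/2009:07:19:47 -0700] - SERVER_OP - INFO conn=28 op=0 SEARCH base="o=payroll" scope=2 filter="(uid=achassin)" attrs="*" jdbcServer=payroll_data sqlStatement="SELECT users.id,users.l_name,users.job_title,users.password,users.f_name,salary.startDate,salary.ssNumber,salary.grade,salary.vacationdays FROM users LEFT OUTER JOIN salary ON (salary.id=users.id) WHERE ( ( users.id IS NOT NULL ) ) AND ( ( UPPER(users.id) = 'ACHASSIN' ) ) ORDER BY users.id"
[15/Oct/2009:07:20:02 -0700] - SERVER_OP - INFO conn=29 op=0 SEARCH base="o=payroll" scope=2 filter="(uid=alutz)" attrs="title" jdbcServer=payroll_data sqlStatement="SELECT users.id,users.job_title FROM users WHERE ( ( users.id IS NOT NULL ) ) AND ( ( UPPER(users.id) = 'ALUTZ' ) ) ORDER BY users.id"
[15/Oct/2009:07:20:05 -0700] - SERVER_OP - INFO conn=29 op=1 UNBIND
EOF
}

# Hypothetical helper: print one line per record that carries a sqlStatement,
# flagged PASSWORD_COLUMN when the SELECT list includes a password column.
audit_jdbc_searches() {
  awk '
    # Value of a quoted field (key="..."), or empty if the key is absent.
    function quoted(rec, key,    i, rest, j) {
      i = index(rec, key "=\"")
      if (i == 0) return ""
      rest = substr(rec, i + length(key) + 2)
      j = index(rest, "\"")
      return j ? substr(rest, 1, j - 1) : rest
    }
    # Value of an unquoted key=value field such as conn=28.
    function plain(rec, key,    i, rest) {
      i = index(rec, " " key "=")
      if (i == 0) return ""
      rest = substr(rec, i + length(key) + 2)
      sub(/ .*/, "", rest)
      return rest
    }
    index($0, "sqlStatement=\"") {
      cols = quoted($0, "sqlStatement")
      sub(/^SELECT /, "", cols)      # keep only the select list
      sub(/ FROM .*/, "", cols)
      flag = (tolower(cols) ~ /passw/) ? "PASSWORD_COLUMN" : "ok"
      printf "%s conn=%s op=%s filter=%s\n", flag, plain($0, "conn"), plain($0, "op"), quoted($0, "filter")
    }
  '
}

sample_log | audit_jdbc_searches
```

Against a real log, replace the sample input with the access log file, for example by redirecting /local/dps1/logs/access into audit_jdbc_searches.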
Confirm that Ed Johnson does not have write access to the JDBC data view:
a.
b.
2.
Note: Make sure to type the dpsaci statement, starting with the string
dpsaci and ending with the string userdn="ldap:///uid=ejohnson,
o=payroll";), on a single line. The /tmp/payroll_aci.ldif file should
contain exactly five lines. Also, be sure not to type the backslash (\) characters
into the dpsaci definition.
3.
4.
Create and configure the connection handler that lets the ACI take effect for
user Ed Johnson:
a.
b.
c.
d.
Note: You cannot configure connection handlers that route requests to JDBC
data views using DSCC.
5.
6.
b.
+----------+--------+----------+-----------------+-------------------+
| id       | f_name | l_name   | password        | job_title         |
+----------+--------+----------+-----------------+-------------------+
| achassin | Audrey | Chassin  | password        | Project Manager   |
| alutz    | Alex   | Lutz     | password        | Watchman          |
| ejohnson | Ed     | Johnson  | anotherpassword | Temp              |
| gtriplet | Glen   | Triplet  | password        | Staff             |
| jcampai2 | John   | Campaine | password        | J2EE Developer    |
| mlangdon | Matt   | Langdon  | password        | Q & A Team Member |
+----------+--------+----------+-----------------+-------------------+
6 rows in set (0.00 sec)
c.
Exercise Summary
Experiences
Interpretations
Conclusions
Applications
Lab 12
Exercise: Migrating From Sun Directory Server 5.2 to Oracle Directory Server EE
Preparation
Prerequisite Labs
The following labs are prerequisites for performing this lab:
The task to prepare your lab system depends on whether you performed the
prerequisite labs, and whether you have performed other labs, in addition to the
prerequisite labs.
2. Make sure that all the directory server instances and directory proxy servers
that you worked with in the preceding labs are stopped:
# dsadm stop /local/dsm1
# dsadm stop /local/dsm2
# dsadm stop /local/dsm3
# dsadm stop /local/dsm6
# dsadm stop /local/dsrh1
# dsadm stop /local/dsr1
# dpadm stop /local/dps1
3.
Note: The installds52.sh script typically takes between five and ten
minutes to complete.
4.
5. Verify that the Directory Server 5.2 instance contains custom schema
definitions:
# ldapsearch -T -p 10389 \
-b cn=schema "objectclass=*" | grep -i example
The exampleTShirtName and exampleTShirtSize attribute definitions
and the examplePerson object class definition should be present.
6. Verify that the Directory Server 5.2 instance contains custom index
definitions:
# ldapsearch -p 10389 \
-D "cn=Directory Manager" -w sunlearning \
-b "cn=exampletshirtsize,cn=index,cn=userRoot, \
cn=ldbm database,cn=plugins,cn=config" \
"objectclass=*" nsIndexType
The presence and equality indexes should be listed for the
exampletshirtsize attribute.
2.
3.
4.
5.
6.
7.
8.
                   : /var/opt/mps/serverroot/slapd-m1
                   : /local/dsmigrated1
Schema Migration   : Completed
Security Migration : Completed
Config Migration   : Completed
Data Migration     : Completed
2. Verify that the custom schema changes were migrated to the Directory
Server EE 11gR1 instance:
# ldapsearch -T -p 7389 \
-b cn=schema "objectclass=*" | grep -i example
The exampleTShirtName and exampleTShirtSize attribute definitions
and the examplePerson object class definition should be present.
3. Verify that the custom index was migrated to the Directory Server EE
11gR1 instance:
# dsconf list-indexes -p 7389 -w /opt/dsee7/pwd \
| grep -i exampletshirtsize
The exampletshirtsize attribute should be listed among the
dc=example,dc=com suffix's indexes.
Exercise Summary
Experiences
Interpretations
Conclusions
Applications
Appendix A
Objectives
Start servers
Bring the Solaris Sandbox to the starting point for doing a lab
Boot a zone:
global # zoneadm -z zonenn boot
For example, to boot and log in to the zone01 zone, run the following
commands:
global # zoneadm -z zone01 boot
global # zlogin zone01
zone01 #
The zone01 # prompt appears, indicating that you have successfully logged into
the zone01 zone.
Starting Servers
The following sections provide instructions for starting servers used in the labs.
First Time Doing Labs

Not at Starting Point

Ready to Go, Powered Up
Description: You completed the prerequisite labs and no additional labs.
After completing the prerequisite labs, you did not power down the Solaris
Sandbox.
Instructions: No additional preparation is required.

Ready to Go, Powered Down
Description: You completed the prerequisite labs and no additional labs.
After completing the preceding lab, you powered down the Solaris Sandbox.
Instructions: Perform the steps in the section Starting the Solaris Sandbox on
page A-8.

Not at Starting Point
Instructions: Either:
2.
3.
You have successfully started the Solaris Sandbox. You can now begin work on
your lab.
If your lab system requires a proxy server to access the Internet, be sure to
configure the proxy server address in the Firefox browser after you have started a
zone when doing the lab.
2.
3.
4.
5.
6. If you are logged in to a zone, use the exit command to log out of this
zone.
7. Run the lab -n command, which brings the Solaris Sandbox to the
starting point for this lab:
global # lab -n lab_number
In this example, lab_number is the number of the lab that you want to
perform.
For example, if you wanted to bring the Solaris Sandbox to a state at which
you could start working on Lab 2, you would run the following command:
lab -n 2
Progress messages appear in the terminal window as the lab -n command
restores the Solaris Sandbox's state to the starting point for this lab.
Bringing the Solaris Sandbox to the Starting Point for Doing a Lab
8.
You have successfully brought the Solaris Sandbox to the starting point for a lab.
You can now begin work on the lab.
If your lab system requires a proxy server to access the Internet, be sure to
configure the proxy server address in the Firefox browser after you have started a
zone when doing the lab.