Configuring iPlanet/Netscape Directory Server for TC Dirsync

3.5.1 Configuring iPlanet/Netscape Directory Server for TC Dirsync

After installing the iPlanet/Netscape Directory Server you will have to make decisions such as how to organize your user store and which object classes and attributes to use. Please refer to the iPlanet/Netscape Directory Server documentation for those issues.

For TC Dirsync, however, you need to do the following basic operations:

• You need to know where to store user data. Only one root directory per TC/Link instance is possible. For example: o=topcall.com on a computer called planetdirectory. The complete LDAP path for TC/Link Setup (registry key PDTreeBase) would be: "LDAP://planetdirectory/o=topcall.com"

• You need to know how to store user data. The typical object class for storing user data is inetOrgPerson. Either you use this object class, or you create your own user object classes, typically inherited from inetOrgPerson. TCOSS distinguishes between users and recipients, so two different user classes can be used to update TOPCALL users and recipients.

• The change log has to be configured. The change log is part of the directory and typically gets the name cn=changelog.

• TC/Link needs a user and password for accessing the Directory Server. This user needs the rights to read, search and compare in the address store, the change log (in our example o=topcall.com and cn=changelog) and the root DSE (entry). If this is not a production user, it is better not to create it within the scope of dirsync; that way the user will not be created on the TOPCALL Server.

For an easy installation of iPlanet/Netscape dirsync the following steps are necessary:

(We assume Directory Server 4.11 and the following parameters: Servername: planetdirectory; root address store dn: o=topcall.com; user object class: inetOrgPerson; changelog dn: cn=changelog; Directory User for TC/Link access: uid=topcall,o=NetscapeRoot)

3.5.1.1 Starting the Directory Server Console

1. Start the Netscape Console 4.11 and log in as Directory Manager (cn=Directory Manager).

2. In the left window, double-click the Directory Server under the Server Group. The Directory Server Console appears.

3.5.1.2 Configuring the Change Log

1. On the Directory Server Console, select the Configuration tab and then select the Replication Agreements folder.

2. Select the Supplier Settings tab in the right pane.

3. In the Changelog Database Directory text box, type the full path to the directory where you want the server to store the change log. This directory must be located on the supplier’s local disk. If you want the directory server to suggest a pathname, click Use Default.

4. In the Changelog Suffix text box, enter a DN to be used as the change log’s directory suffix. Typically, this suffix is: cn=changelog.

5. Either enter the maximum number of records you want the change log to record in the Max Changelog Records text box, or if you do not want to set a maximum number of entries for the change log, select Unlimited.

6. If you want the server to remove entries from the change log after they reach a certain age, specify that age in seconds, minutes, hours, days, or weeks in the Max Changelog Age fields. If you do not want to configure a maximum age, select Unlimited; the server will not remove entries from the change log due to their age.

7. Click Save.

8. Restart the directory server (Choose Restart in the Tasks tab).

9. Close the Directory Server Console and open it again. (In my experience this step is also necessary; the views are not always refreshed automatically.)

After that, the changelog entry should appear on the Directory Server Console, on the Directory tab in the left window.

3.5.1.3 Creating the User for Directory Access

Before Dirsync can read from the Directory Server, the Link Server must be allowed to read the change log and the root directory. Therefore we create the user: uid=topcall,o=NetscapeRoot

1. On the Directory Server Console, select the Directory tab.

2. Right-click the entry NetscapeRoot in the left pane and select New|User. The new entry will be created as a child entry of the NetscapeRoot entry. The Create New User box appears.

3. Provide the information for the new entry in the dialog box. You have to fill in the required fields. For the uid write topcall and set a password.

4. When you are finished defining the information for the entry, click OK.

3.5.1.4 Providing Access to Change Log, Address Store and Root DSE (Entry)

The user topcall must be allowed to read the change log and the root directory. At the root level of your change log tree, create an ACI (Access Control Instruction) statement that grants the user topcall read, search, and compare access to the entire change log tree. The same has to be done for the root directory of the address store and for the root DSE. (On a standard installation, however, anonymous access is granted by default on the address store root, and no restrictions are set for the root DSE.)

1. On the Directory Server Console, select the Directory tab.

2. Right-click the entry in the navigation tree for which you want to set access control (cn=changelog), and select Set Access Permissions from the pop-up menu. The Multi-value ACI Selector dialog box appears.

3. Click New. The Set Access Permissions dialog box appears. The table lists the access control rules (ACRs) defined for this ACI. By default, the first ACR in the table denies access to everyone with the exception of the root DN (Directory Manager). We are going to change that line.

4. In the Allow/Deny column select allow.

5. Double-click in the User text box. The Select Users and Groups dialog box appears.

6. Click in the empty text box beside the Add button and type "uid=topcall,o=NetscapeRoot" (without quotes, and take care: no blanks!).

7. Click Add. The line below is updated.

8. Click OK. The Set Access Permission dialog box is updated.

9. Double click in the Rights column. The Select Rights dialog appears.

10. Check the read, search and compare permissions, uncheck the rest.

11. Click OK. The Set Access Permission dialog is updated.

12. Click OK. The server creates the new ACI.

13. Now do the same again from step 2 for the root directory (o=topcall.com) and the root DSE (the topmost entry on the server) if the default settings are not sufficient.

Take care with access permissions on the Directory Server. If there are conflicting configurations along the directory structure, the most restrictive permission is used!
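The ACI that the console dialog produces in steps 2 to 13 can also be applied with ldapmodify. The following LDIF is an added example, not part of the original document or the TOPCALL product; it assumes the DNs from the example above (cn=changelog, o=topcall.com, uid=topcall,o=NetscapeRoot) and the Netscape ACI v3.0 syntax, and grants only read, search and compare, nothing more.

```ldif
# Added example: least-privilege ACIs for the TC/Link bind user.
# Assumed DNs: change log cn=changelog, address store root o=topcall.com,
# bind user uid=topcall,o=NetscapeRoot (all taken from the section above).

# Grant read, search and compare on the whole change log tree.
dn: cn=changelog
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "TC/Link dirsync changelog read";
  allow (read, search, compare)
  userdn = "ldap:///uid=topcall,o=NetscapeRoot";)

# Same rights on the address store root; only needed when the default
# anonymous read access on o=topcall.com has been removed.
dn: o=topcall.com
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "TC/Link dirsync address store read";
  allow (read, search, compare)
  userdn = "ldap:///uid=topcall,o=NetscapeRoot";)
```

Apply it as the Directory Manager (for example with ldapmodify -D "cn=Directory Manager" -W -f tclink-aci.ldif); afterwards bind as uid=topcall and run a search against cn=changelog to confirm that entries are returned, since a deny elsewhere in the tree takes precedence.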

3.5.1.5 Directory Server Parameters

The Directory Server Parameters restrict the number of entries returned per request. These restrictions do not apply to the root DN user (by default cn=Directory Manager).

On the Directory Server Console you find these parameters on the Configuration tab. Select the root entry on the left side and choose the Performance tab on the right to see the Server Parameters.

Select the database on the left side and choose the Performance tab on the right to see the Database Parameters.

You can also directly edit the configuration files to change the parameter settings. The two files are named slapd.conf and slapd.ldbm.conf. The documentation states that the directory server has to be stopped for editing these files.

For more detailed information on the server parameters see the Netscape/iPlanet Directory Server documentation.

3.5.1.5.1 Full Dirsync

For full dirsync the whole directory has to be read in one single step. That means that the sizelimit and lookthroughlimit parameters have to be set high enough to read all entries. Therefore it is recommended to do one of the following for a full dirsync:

• Either set both the sizelimit and lookthroughlimit parameters to no limit, which is done by setting them to -1,

• Or use the root DN (by default cn=Directory Manager) to authenticate TC/LINK to the Directory Server (HKLM\Software\TOPCALL\TCLINKxx\Dirsync\PDUserID, …\PDPassword). After changing these settings you have to restart the link.

3.5.1.5.2 Update Dirsync

For update dirsync there are no special recommendations for setting the Directory Server Parameters.

Besides these parameters, however, there seems to be an undocumented restriction concerning the changelog. A normal user can read only the last 5000 entries of the changelog, no matter how the parameters are configured. Only the Directory Manager can read all entries of the changelog without limit.

So for the regular update dirsync,

• Either schedule the update dirsync frequently enough that there are never more than 5000 changelog entries between runs,

• Or use the root DN (by default cn=Directory Manager) to let TC/LINK read from the Directory Server (HKLM\Software\TOPCALL\TCLINKxx\Dirsync\PDUserID, …\PDPassword). After changing these settings you have to restart the link.
