PingDirectory

About the prepare-external-server tool

Use the prepare-external-server tool if you have added LDAP external servers using dsconfig.

The create-initial-proxy-config tool automatically runs the prepare-external-server tool to configure server communications so that you do not need to invoke it separately. The create-initial-proxy-config tool verifies that the proxy user account exists and has the correct password and required privileges. If it detects any problems, it prompts for manager credentials to rectify them.

If you want the prepare-external-server tool to add the LDAP external server’s certificates to the PingDirectoryProxy server’s trust store, you must include the --proxyTrustStorePath option and either the --proxyTrustStorePassword or the --proxyTrustStorePasswordFile option.

The default location of the PingDirectoryProxy server’s trust store is config/truststore. The pin is encoded in the config/truststore.pin file.

The following example prepares a PingDirectory server on the remote host ds-east-01.example.com, listening on port 1389, for access by the PingDirectoryProxy server using the default user account cn=Proxy User.

prepare-external-server --hostname ds-east-01.example.com \
--port 1389 --baseDN dc=example,dc=com --proxyBindPassword secret

When the prepare-external-server command is executed, it creates the root distinguished name (DN) entry cn=Proxy User on the PingDirectory server, together with an access control rule that grants the proxy user the proxy access right.

For non-Ping Identity servers, the --baseDN argument is required for the prepare-external-server tool. The base DN is used to create the global access control instruction (ACI) entries for these servers.

Configuring server communication using the prepare-external-server tool

The following example illustrates how to run the prepare-external-server tool to prepare a PingDirectory server.

About this task

In this example, the server is configured on the remote host ds-east-01.example.com, listening on port 1636.

The PingDirectory server is being accessed by a PingDirectoryProxy server that uses the default user account cn=Proxy User,cn=Root DNs,cn=config. Because a password to the trust store is not provided, the trust store specified with --proxyTrustStorePath is referenced in a read-only manner.

Steps

  • To prepare the PingDirectory server, use the prepare-external-server tool.

    Example:

    $ ./PingDirectoryProxy/bin/prepare-external-server \
      --baseDN dc=example,dc=com \
      --proxyBindPassword password \
      --hostname ds-east-01.example.com \
      --useSSL \
      --port 1636 \
      --proxyTrustStorePath /full/path/to/trust/store \
      --proxyTrustStorePassword secret
  • Follow the prompts to set up the external server.

    Testing connection to ds-east-01.example.com:1636 .....
    
    Do you wish to trust the following certificate?
    
    Certificate Subject: CN=ds-east-01.example.com, O=Example Self-Signed Certificate
    Issuer Subject:      CN=ds-east-01.example.com, O=Example Self-Signed Certificate
    Validity:            Thu May 21 08:02:30 CDT 2009 to Wed May 16 08:02:30 CDT 2029
    
    Enter 'y' to trust the certificate or 'n' to reject it.
    
    y
    
    The certificate was added to the local trust store
    
    Done
    Testing 'cn=Proxy User' access to ds-east-01.example.com:1636 ..... Failed to bind as
    'cn=Proxy User'
    
    Would you like to create or modify root user 'cn=Proxy User' so that it is available
    for this Directory Proxy Server? (yes / no) [yes]:
    
    Enter the DN of an account on ds-east-01.example.com:1636 with which to create or
    manage the 'cn=Proxy User' account [cn=Directory Manager]:
    
    Enter the password for 'cn=Directory Manager':
    
    Created 'cn=Proxy User,cn=Root DNs,cn=config'
    
    Testing 'cn=Proxy User' privileges ..... Done
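The trust prompt in the steps above is the moment a self-signed certificate is pinned into the proxy trust store, so the certificate shown should be confirmed out-of-band rather than accepted on sight. The following script is an added example, not part of the PingDirectory documentation: it compares the certificate the external server presents against a SHA-256 fingerprint obtained from the directory administrator and confirms that the same certificate is present in the proxy trust store (config/truststore, PIN in config/truststore.pin). The host, port, paths and expected fingerprint are assumed values, and openssl and keytool are assumed to be on the PATH.

```shell
#!/bin/sh
# Added example, not part of the PingDirectory documentation. Checks that the
# certificate an external server presents matches a SHA-256 fingerprint obtained
# out-of-band, and that the proxy trust store (config/truststore, password in
# config/truststore.pin) holds that same certificate. Host, port, paths and the
# expected fingerprint are assumed; openssl and keytool must be on the PATH.
set -eu

# Normalize a SHA-256 fingerprint: drop an "...Fingerprint=" or "SHA256:" prefix,
# colons and whitespace, and upper-case the hex so openssl and keytool output compare equal.
normalize_fp() {
    printf '%s' "$1" | sed -e 's/.*=//' -e 's/^[[:space:]]*[Ss][Hh][Aa]256:[[:space:]]*//' \
      | tr -d ': \t\r\n' | tr 'a-f' 'A-F'
}

# Succeeds only when both fingerprints are non-empty and denote the same
# certificate, so a failed fetch (empty string) can never "match".
fp_equal() {
    a=$(normalize_fp "$1"); b=$(normalize_fp "$2")
    if [ -n "$a" ] && [ "$a" = "$b" ]; then return 0; else return 1; fi
}

# SHA-256 fingerprint of the leaf certificate the server presents on its LDAPS port.
server_fp() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
      | openssl x509 -noout -fingerprint -sha256
}

# SHA-256 fingerprint of every entry in the proxy trust store, opened with the PIN file.
trust_store_fps() {
    keytool -list -v -keystore "$1" -storepass "$(cat "$2")" 2>/dev/null \
      | grep '^[[:space:]]*SHA256:' | sed 's/^[[:space:]]*SHA256:[[:space:]]*//'
}

# usage: check_external_server HOST PORT EXPECTED_FP TRUSTSTORE PINFILE
check_external_server() {
    live=$(server_fp "$1" "$2") || { echo "could not fetch certificate from $1:$2" >&2; return 1; }
    fp_equal "$3" "$live" || { echo "$1:$2 presents a certificate that does not match the expected fingerprint" >&2; return 1; }
    trust_store_fps "$4" "$5" | while read -r stored; do normalize_fp "$stored"; echo; done \
      | grep -qx "$(normalize_fp "$3")" \
      || { echo "expected certificate is not in trust store $4" >&2; return 1; }
    echo "ok: $1:$2 presents the expected certificate and $4 trusts it"
}

# Run the check when invoked with all five arguments, e.g.
#   ./check-external-server.sh ds-east-01.example.com 1636 "$EXPECTED_FP" \
#       PingDirectoryProxy/config/truststore PingDirectoryProxy/config/truststore.pin
if [ $# -eq 5 ]; then check_external_server "$@"; fi
```

Run it before answering 'y' at the trust prompt to confirm the presented certificate, and again afterwards to confirm the trust store now contains it.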