PingDirectory

Configuring a standard PingDirectoryProxy server deployment

Install a standard PingDirectoryProxy server deployment using the create-initial-proxy-config tool.

About this task

Remember that you deploy PingDirectoryProxy servers in pairs. Each pair should be configured identically except for their host name, port, and possibly their location.

Steps

  1. After initial installation, select the number to start the create-initial-proxy-config tool automatically, or run it manually at the command line from the server root directory, <server-root>/PingDirectoryProxy.

    $ ./bin/create-initial-proxy-config
  2. If the servers do not meet the displayed configuration requirements, you can enter no to quit the process.

    Some assumptions are made about the topology in order to keep this tool simple:
    
    	1) all servers will be accessible via a single user account
    	2) all servers support the same communication security type
    	3) all servers are PingDirectoryProxy, Directory Server,
    	   Java System 5.x, 6.x, or 7.x, or Red Hat (including Fedora and 389)
    	   directory servers
    
    If your topology does not have these characteristics you can use this tool to define a basic configuration and then use the 'dsconfig' tool or the Administrative Console to
    fine tune the configuration.
    
    Continue? (yes / no) [yes]:
  3. Enter the distinguished name (DN) for the PingDirectoryProxy server user account, and then enter and confirm the password for this account.

    Enter the DN of the proxy user account [cn=Proxy User,cn=Root DNs,cn=config]:
    Enter the password for 'cn=Proxy User,cn=Root DNs,cn=config':
    Confirm the password for 'cn=Proxy User,cn=Root DNs,cn=config':

    You should not use cn=Directory Manager account for communication between the PingDirectoryProxy server and the PingDirectory server.

    For security reasons, the account used to communicate between the PingDirectoryProxy server and the PingDirectory server should not be directly accessible by clients accessing the PingDirectoryProxy server.

    For more information about this account, see Configuring LDAP external servers.

  4. Specify whether to use secure communication with the PingDirectory server instances.

    >>>> External Server Communication Security
    
    Specify the type of security that the Directory Proxy Server will use when communicating with directory server instances:
    
       1)  None
       2)  SSL
       3)  StartTLS
    
       b)  back
       q)  quit
    
    Enter choice [1]:
  5. Enter the base DNs of the PingDirectory server instances that will be accessed through the PingDirectoryProxy server. Press Enter when you have finished specifying the DNs.

    Enter a base DN of the directory server instances that will be accessed through the Identity Proxy:
    
        b)  back
        q)  quit
    
    Enter a DN or choose a menu item [dc=example,dc=com]:

    The PingDirectoryProxy server will create subtree views using each base DN to define portions of the external servers' directory information tree (DIT) available for client access. You can specify more than one base DN.

  6. Specify whether the entries under your defined subtree view will be split across multiple servers in an entry balanced deployment.

    Press Enter to accept the default setting of no.

  7. Define a location for your server, such as the name of your data center or the city where the server is located.

    Enter a location name or choose a menu item: east
  8. Optional: If you defined more than one location, specify the location that contains the PingDirectoryProxy server itself.

    Choose the location for this Directory Proxy Server
    
        1)  east
        2)  west
    
        b)  back
        q)  quit
    
    Enter choice [1]: 1
  9. Define the host:port used by the LDAP external servers.

    Enter a host:port or choose a menu item [localhost:389]: ldap-east-01.example.com:389

    If you have specified more than one location, you will complete this process for each location.

  10. Select the option Yes, and all subsequent servers to indicate that you want the tool to create a proxy user account on all of your LDAP external servers within that location.

    Would you like to prepare ldap-east-01.example.com:389 for access by the Directory Proxy Server?
    
        1) Yes
        2) No
        3) Yes, and all subsequent servers
        4) No, and all subsequent servers
    
    Enter choice [1]: 3
  11. If the proxy user account does not already exist on your LDAP external server, create the account by connecting as cn=Directory Manager.

    Would you like to create or modify root user 'cn=Proxy User' so that it is available for this Directory Proxy Server? (yes / no) [yes]:
    Enter the DN of an account on ldap-east-01.example.com:389 with which to create or manage the 'cn=Proxy
    User' account [cn=Directory Manager]:
    
    Enter the password for 'cn=Directory Manager':
    
    Created 'cn=Proxy User,cn=Root DNs,cn=config'
    Testing 'cn=Proxy User' privileges ..... Done
    Verifying backend 'dc=example,dc=com' ..... Done
  12. Repeat steps 9-12 for the servers in the other location. When finished, press Enter to finish configuring the location.

  13. Review the configuration summary. After you have confirmed that the changes are correct, press Enter to write the configuration.

    >>>> Configuration Summary
    
      External Server Security:  SSL
      Proxy User DN:             cn=Proxy User,cn=Root DNs,cn=config
    
      Location east
        Failover Order: west
        Servers: localhost:1636
    
      Location west
        Failover Order: east
        Servers: localhost:2636
    
      Base DN: dc=example,dc=com
        Servers: localhost:1636, localhost:2636
    
        b)  back
        q)  quit
        w)  write configuration file
    
    Enter choice [w]:
  14. Enter yes to apply the configuration changes locally to the PingDirectoryProxy server.

    This tool can apply the configuration changes to the local Identity Proxy. This requires any configured Server SDK extensions to be in place. Do you want to do
    this? (yes / no) [yes]:

    If you have any Server SDK extensions, be sure to run the manage-extension tool first, then press Enter to apply the changes to the PingDirectoryProxy server.

    Alternatively, you can quit and run the dsconfig batch file at a later time.

    After the changes have been applied, you cannot use the create-initial-proxy-config tool to configure this PingDirectoryProxy server again. Use the dsconfig tool to modify your configuration instead.

Result

If you open the generated proxy-cfg.txt file or the logs/config-audit.log file, you see that a configuration element hierarchy has been created, listing locations, health checks, external servers, load-balancing algorithms, request processors, and subtree views.