Configuring a standard PingDirectoryProxy server deployment
Install a standard PingDirectoryProxy server deployment using the create-initial-proxy-config tool.
About this task
Remember that you deploy PingDirectoryProxy servers in pairs. Each pair should be configured identically except for their host name, port, and possibly their location.
Steps
1. After initial installation, select the number to start the create-initial-proxy-config tool automatically, or run it manually from the server root directory, <server-root>/PingDirectoryProxy:

    $ ./bin/create-initial-proxy-config

2. Review the displayed configuration requirements. If your servers do not meet them, enter no to quit the process.

    Some assumptions are made about the topology in order to keep this tool simple:
      1) all servers will be accessible via a single user account
      2) all servers support the same communication security type
      3) all servers are PingDirectoryProxy, Directory Server, Java System 5.x, 6.x, or 7.x, or Red Hat (including Fedora and 389) directory servers
    If your topology does not have these characteristics you can use this tool to define a basic configuration and then use the 'dsconfig' tool or the Administrative Console to fine tune the configuration.
    Continue? (yes / no) [yes]:

3. Enter the distinguished name (DN) of the account the PingDirectoryProxy server will use to bind to the PingDirectory servers (the proxy user), and then enter and confirm the password for this account.

    Enter the DN of the proxy user account [cn=Proxy User,cn=Root DNs,cn=config]:
    Enter the password for 'cn=Proxy User,cn=Root DNs,cn=config':
    Confirm the password for 'cn=Proxy User,cn=Root DNs,cn=config':

   Do not use the cn=Directory Manager account for communication between the PingDirectoryProxy server and the PingDirectory server. For security reasons, the account used for that communication should be a dedicated account that clients of the PingDirectoryProxy server cannot bind as or otherwise access directly. For more information about this account, see Configuring LDAP external servers.

4. Specify whether to use secure communication with the PingDirectory server instances.

    >>>> External Server Communication Security
    Specify the type of security that the Directory Proxy Server will use when communicating with directory server instances:
      1) None
      2) SSL
      3) StartTLS
      b) back
      q) quit
    Enter choice [1]:

   With option 1 (None), the proxy user's bind credentials and every request the proxy forwards cross the network in cleartext. Choose SSL or StartTLS unless the proxy and the directory servers share a network you already trust.

5. Enter the base DNs of the PingDirectory server instances that will be accessed through the PingDirectoryProxy server. Press Enter when you have finished specifying the DNs.

    Enter a base DN of the directory server instances that will be accessed through the Identity Proxy:
      b) back
      q) quit
    Enter a DN or choose a menu item [dc=example,dc=com]:

   The PingDirectoryProxy server creates a subtree view for each base DN; each view defines the portion of the external servers' directory information tree (DIT) that is available to clients. You can specify more than one base DN.

6. Specify whether the entries under your defined subtree view will be split across multiple servers in an entry-balanced deployment. Press Enter to accept the default setting of no.

7. Define a location for your server, such as the name of your data center or the city where the server is located.

    Enter a location name or choose a menu item: east

8. Optional: If you defined more than one location, specify the location that contains the PingDirectoryProxy server itself.

    Choose the location for this Directory Proxy Server
      1) east
      2) west
      b) back
      q) quit
    Enter choice [1]: 1

9. Define the host:port of each LDAP external server in the location.

    Enter a host:port or choose a menu item [localhost:389]: ldap-east-01.example.com:389

   If you specified more than one location, you complete this process for each location.

10. Select option 3, Yes, and all subsequent servers, to have the tool create the proxy user account on all of the LDAP external servers within that location.

    Would you like to prepare ldap-east-01.example.com:389 for access by the Directory Proxy Server?
      1) Yes
      2) No
      3) Yes, and all subsequent servers
      4) No, and all subsequent servers
    Enter choice [1]: 3

11. If the proxy user account does not already exist on the LDAP external server, create it by providing the credentials of an administrative account on that server; the default is cn=Directory Manager. The tool uses this administrative account only to create the proxy user and verify its privileges; the proxy itself binds to the external servers as the proxy user.

    Would you like to create or modify root user 'cn=Proxy User' so that it is available for this Directory Proxy Server? (yes / no) [yes]:
    Enter the DN of an account on ldap-east-01.example.com:389 with which to create or manage the 'cn=Proxy User' account [cn=Directory Manager]:
    Enter the password for 'cn=Directory Manager':
    Created 'cn=Proxy User,cn=Root DNs,cn=config'
    Testing 'cn=Proxy User' privileges ..... Done
    Verifying backend 'dc=example,dc=com' ..... Done

12. Repeat steps 9 through 11 for the servers in the other location. When finished, press Enter to finish configuring the location.

13. Review the configuration summary. After you have confirmed that the settings are correct, press Enter to write the configuration file.

    >>>> Configuration Summary
      External Server Security: SSL
      Proxy User DN: cn=Proxy User,cn=Root DNs,cn=config

      Location east
        Failover Order: west
        Servers: localhost:1636

      Location west
        Failover Order: east
        Servers: localhost:2636

      Base DN: dc=example,dc=com
        Servers: localhost:1636, localhost:2636

      b) back
      q) quit
      w) write configuration file
    Enter choice [w]:

   In this example the external servers are reached over SSL, so the ports listed are the directory servers' LDAPS ports. Check that every external server appears under the intended location before writing the file.

14. Enter yes to apply the configuration changes to the local PingDirectoryProxy server.

    This tool can apply the configuration changes to the local Identity Proxy. This requires any configured Server SDK extensions to be in place. Do you want to do this? (yes / no) [yes]:

   If the configuration references Server SDK extensions, install them with the manage-extension tool first, then press Enter to apply the changes. Alternatively, quit now and run the generated dsconfig batch file later. After the changes have been applied, you cannot use the create-initial-proxy-config tool to configure this PingDirectoryProxy server again; use the dsconfig tool to modify the configuration instead.
Result
If you open the generated proxy-cfg.txt file (the dsconfig batch file the tool wrote) or the logs/config-audit.log file, you see that a configuration element hierarchy has been created, listing locations, health checks, external servers, load-balancing algorithms, request processors, and subtree views.
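As an added check between writing the configuration file and applying it (example code, not part of the original page or of any Ping Identity tool): the script below audits a proxy-cfg.txt style dsconfig batch file for the two settings this procedure warns about, cleartext communication with the external servers and binding to them as cn=Directory Manager, plus a consistency check that every external server uses the same proxy user, as the tool assumes. The two sample files are constructed for the example, and the dsconfig property names connection-security and bind-dn are assumed to match what the tool writes for external-server entries.

```shell
#!/bin/sh
# Audit a generated proxy-cfg.txt (the dsconfig batch file written by
# create-initial-proxy-config) for weak settings before applying it.
# The two sample files below are constructed for this example; the dsconfig
# property names (connection-security, bind-dn) are assumed to match what the
# tool writes for external-server entries.

# Write a weak sample to $1 and a corrected sample to $2.
write_samples() {
  # Weak: one backend reached without TLS and bound to as cn=Directory Manager.
  cat > "$1" <<'EOF'
dsconfig create-location --location-name east
dsconfig create-location --location-name west
dsconfig create-external-server --server-name ldap-east-01.example.com:389 \
    --type ping-identity-ds --set server-host-name:ldap-east-01.example.com \
    --set server-port:389 --set location:east \
    --set "bind-dn:cn=Directory Manager" --set connection-security:none
dsconfig create-external-server --server-name ldap-west-01.example.com:636 \
    --type ping-identity-ds --set server-host-name:ldap-west-01.example.com \
    --set server-port:636 --set location:west \
    --set "bind-dn:cn=Proxy User,cn=Root DNs,cn=config" --set connection-security:ssl
EOF
  # Corrected: a dedicated proxy user over SSL to every backend.
  cat > "$2" <<'EOF'
dsconfig create-location --location-name east
dsconfig create-location --location-name west
dsconfig create-external-server --server-name ldap-east-01.example.com:636 \
    --type ping-identity-ds --set server-host-name:ldap-east-01.example.com \
    --set server-port:636 --set location:east \
    --set "bind-dn:cn=Proxy User,cn=Root DNs,cn=config" --set connection-security:ssl
dsconfig create-external-server --server-name ldap-west-01.example.com:636 \
    --type ping-identity-ds --set server-host-name:ldap-west-01.example.com \
    --set server-port:636 --set location:west \
    --set "bind-dn:cn=Proxy User,cn=Root DNs,cn=config" --set connection-security:ssl
EOF
}

# Print one line per finding and return the number of findings (0 = clean).
audit_proxy_cfg() {
  cfg=$1
  findings=0

  # Transport: every external server must be reached over SSL or StartTLS.
  # With connection-security:none the proxy user's simple bind and all
  # forwarded requests cross the network in cleartext.
  servers=$(grep -c 'create-external-server' "$cfg" || true)
  secured=$(grep -Ec 'connection-security:(ssl|starttls)' "$cfg" || true)
  if [ "$servers" -ne "$secured" ]; then
    echo "FINDING: $((servers - secured)) of $servers external server(s) lack ssl/starttls"
    findings=$((findings + 1))
  fi

  # Identity: the proxy must bind to the backends as a dedicated proxy user,
  # never as cn=Directory Manager.
  if grep -Eiq 'bind-dn:cn=Directory Manager' "$cfg"; then
    echo "FINDING: an external server binds as cn=Directory Manager"
    findings=$((findings + 1))
  fi

  # Consistency: the tool assumes one proxy account for all backends, so more
  # than one distinct bind DN means a server was hand-edited or mistyped.
  distinct=$(grep -Eo 'bind-dn:[^"]*' "$cfg" | sort -u | wc -l | tr -d ' ')
  if [ "$distinct" -gt 1 ]; then
    echo "FINDING: $distinct distinct bind DNs across external servers"
    findings=$((findings + 1))
  fi

  return "$findings"
}

# Stand-alone use: audit the file given as $1, or run the two samples.
if [ $# -ge 1 ]; then
  audit_proxy_cfg "$1"; echo "findings: $?"
else
  weak=$(mktemp) && good=$(mktemp)
  write_samples "$weak" "$good"
  echo "== weak sample =="; audit_proxy_cfg "$weak"; echo "findings: $?"
  echo "== corrected sample =="; audit_proxy_cfg "$good"; echo "findings: $?"
  rm -f "$weak" "$good"
fi
```

Saved as a script and given the path to the generated file, it prints each finding and exits with the number of findings, so a zero exit code is the signal to go ahead and answer yes in the final step; on the constructed weak sample it reports three findings and on the corrected sample none.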