Page created: 24 Jul 2019
|
Page updated: 6 Nov 2019
| 5 min read
7.3 Product PingDirectory
-
After initial installation, select the number to start the
create-initial-proxy-config tool automatically.
Otherwise, run it manually at the command line from the server root directory,
<server-root>/PingDirectoryProxy.
$ ./bin/create-initial-proxy-config
-
The initial proxy configuration presents the assumptions about the underlying
Directory Server backend servers. If the
servers do not meet the requirements, then you can enter "no" to quit the
process.
Some assumptions are made about the topology in order to keep this tool simple: 1) all servers will be accessible via a single user account 2) all servers support the same communication security type 3) all servers are PingDirectoryProxy Server, Directory Server, Java System 5.x, 6.x, or 7.x, or Red Hat (including Fedora and 389) directory servers If your topology does not have these characteristics you can use this tool to define a basic configuration and then use the 'dsconfig' tool or the Administrative Console to fine tune the configuration. Continue? (yes / no) [yes]:
-
Enter the DN for the Directory Proxy Server user account,
then enter and confirm the password for this account. Note that you should not
use cn=Directory Manager account for communication between
the Directory Proxy Server and the Directory Server. For security reasons, the account
used to communicate between the Directory Proxy Server and
the Directory Server should not be directly
accessible by clients accessing the Directory Proxy Server.
For more information about this account, see Configuring LDAP External
Servers.
Enter the DN of the proxy user account [cn=Proxy User,cn=Root DNs,cn=config]: Enter the password for 'cn=Proxy User,cn=Root DNs,cn=config': Confirm the password for 'cn=Proxy User,cn=Root DNs,cn=config':
-
Specify whether you will be using secure communication with the Directory Server instances.
>>>> External Server Communication Security Specify the type of security that the Directory Proxy Server will use when communicating with directory server instances: 1) None 2) SSL 3) StartTLS b) back q) quit Enter choice [1]:
-
Specify the base DNs of the Directory Server
instances that will be accessed through the Directory Proxy Server. The Directory Proxy Server will create subtree views using each base
DN to define portions of the external servers' DIT available for client access.
You can specify more than one base DN. Press Enter when
you have finished specifying the DN(s).
Enter a base DN of the directory server instances that will be accessed through the Identity Proxy: b) back q) quit Enter a DN or choose a menu item [dc=example,dc=com]:
- Next, specify if the entries under your defined subtree view will be split across multiple servers in an entry balanced deployment. For this example, press Enter to accept the default ("no").
-
Define a location for your server, such as the name of your data center or the
city where the server is located. This example illustrates defining a location
named east.
Enter a location name or choose a menu item: east
-
If you defined more than one location, specify the location that contains the
Directory Proxy Server itself.
Choose the location for this Directory Proxy Server 1) east 2) west b) back q) quit Enter choice [1]: 1
-
Define the hostname:port used by the LDAP external servers. If you have
specified more than one location, you will go through this process for each
location.
Enter a host:port or choose a menu item [localhost:389]: ldap-east-01.example.com:389
-
After each step, the server will attempt to prepare each external server by
testing the communication between the Directory Proxy Server
and the Directory Server. Select the option "Yes,
and all subsequent servers" to indicate that you want the tool to create a proxy
user account on all of your LDAP external servers within that location.
Would you like to prepare ldap-east-01.example.com:389 for access by the Directory Proxy Server? 1) Yes 2) No 3) Yes, and all subsequent servers 4) No, and all subsequent servers Enter choice [1]: 3
-
If the proxy user account did not previously exist on your LDAP external
server, create the account by connecting as cn=Directory
Manager.
Would you like to create or modify root user 'cn=Proxy User' so that it is available for this Directory Proxy Server? (yes / no) [yes]: Enter the DN of an account on ldap-east-01.example.com:389 with which to create or manage the 'cn=Proxy User' account [cn=Directory Manager]: Enter the password for 'cn=Directory Manager': Created 'cn=Proxy User,cn=Root DNs,cn=config' Testing 'cn=Proxy User' privileges ..... Done Verifying backend 'dc=example,dc=com' ..... Done
- Repeat steps 9-12 for the servers in the other location. Then, press Enter to finish configuring the location.
-
Review the configuration summary. Once you have confirmed that the changes are
correct, press Enter to write the configuration.
>>>> Configuration Summary External Server Security: SSL Proxy User DN: cn=Proxy User,cn=Root DNs,cn=config Location east Failover Order: west Servers: localhost:1636 Location west Failover Order: east Servers: localhost:2636 Base DN: dc=example,dc=com Servers: localhost:1636, localhost:2636 b) back q) quit w) write configuration file Enter choice [w]:
-
Next, apply the configuration changes locally to the Directory Proxy Server. If you have any Server SDK extensions,
make sure to run the manage-extension tool, then press
Enter to apply the changes to the Directory Proxy Server. Alternatively, you can quit and instead
run the dsconfig batch file at a later time. Once the changes
have been applied, you cannot use the
create-initial-proxy-config tool to configure this
Directory Proxy Server again. Instead, use the
dsconfig tool.
This tool can apply the configuration changes to the local Identity Proxy. This requires any configured Server SDK extensions to be in place. Do you want to do this? (yes / no) [yes]:
If you open the generated proxy-cfg.txt file or the logs/config-audit.log file, you will see that a configuration element hierarchy has been created: locations, health checks, external servers, load-balancing algorithms, request processors, and subtree views.