Page created: 22 Jul 2020 | Page updated: 1 Feb 2021 | 6 min read
Product: PingDirectory / PingDirectoryProxy 8.2
This section describes how to install a standard Directory Proxy Server deployment using the create-initial-proxy-config tool. Remember that Directory Proxy Servers are deployed in pairs. Configure both members of a pair identically except for their host name, port, and possibly their location.
- After the initial installation completes, select the menu number that starts the create-initial-proxy-config tool automatically. Otherwise, run it manually from the server root directory, <server-root>/PingDirectoryProxy:

    $ ./bin/create-initial-proxy-config
- The tool first states the assumptions it makes about the backend Directory Server instances. If your servers do not meet them, enter "no" to quit; otherwise, press Enter to continue.

    Some assumptions are made about the topology in order to keep this tool simple:
      1) all servers will be accessible via a single user account
      2) all servers support the same communication security type
      3) all servers are PingDirectoryProxy Server, Directory Server, Java System 5.x, 6.x, or 7.x, or Red Hat (including Fedora and 389) directory servers
    If your topology does not have these characteristics you can use this tool to define a basic configuration and then use the 'dsconfig' tool or the Administrative Console to fine tune the configuration.
    Continue? (yes / no) [yes]:
- Enter the DN of the account that the Directory Proxy Server will use to bind to the backend Directory Server instances, then enter and confirm its password. Do not use the cn=Directory Manager account for this. The bind account should be dedicated to proxy-to-backend communication and must not be reachable by the clients that connect to the Directory Proxy Server: a client that could bind as that account would inherit whatever rights the proxy holds on every backend. The default places the account under cn=Root DNs,cn=config on the backend, outside the user data that clients see through the proxy. For more information about this account, see Configuring LDAP External Servers.

    Enter the DN of the proxy user account [cn=Proxy User,cn=Root DNs,cn=config]:
    Enter the password for 'cn=Proxy User,cn=Root DNs,cn=config':
    Confirm the password for 'cn=Proxy User,cn=Root DNs,cn=config':
- Specify whether communication with the Directory Server instances is secured. With "None", the proxy user's password and every proxied request and response travel in cleartext between the proxy and the backends; choose SSL or StartTLS unless that network path is protected by other means. The choice must match how the backend listeners are configured, and the host:port values you enter later must point at the matching listener (an LDAPS port when you choose SSL).

    >>>> External Server Communication Security
    Specify the type of security that the Directory Proxy Server will use when communicating with directory server instances:
      1) None
      2) SSL
      3) StartTLS
      b) back
      q) quit
    Enter choice [1]:
- Specify the base DNs of the Directory Server instances that will be accessed through the Directory Proxy Server. The Directory Proxy Server creates a subtree view for each base DN; together the subtree views define which portions of the external servers' DIT clients can reach through the proxy, and anything outside them is not exposed. You can specify more than one base DN. Press Enter when you have finished specifying the DN(s).

    Enter a base DN of the directory server instances that will be accessed through the Identity Proxy:
      b) back
      q) quit
    Enter a DN or choose a menu item [dc=example,dc=com]:
- Next, specify whether the entries under the subtree view you defined are split across multiple servers in an entry-balanced deployment. For this example, press Enter to accept the default ("no").
- Define a location for your servers, such as the name of your data center or the city where they are hosted. This example defines a location named east.

    Enter a location name or choose a menu item: east
- If you defined more than one location, specify which one contains this Directory Proxy Server itself. The proxy prefers the servers in its own location and uses the other locations for failover.

    Choose the location for this Directory Proxy Server
      1) east
      2) west
      b) back
      q) quit
    Enter choice [1]: 1
- Enter the host:port of each LDAP external server in the location. If you specified more than one location, you repeat this for each location. The port must be the listener that matches the security type you chose earlier.

    Enter a host:port or choose a menu item [localhost:389]: ldap-east-01.example.com:389
- After you enter each server, the tool offers to prepare it by testing communication between the Directory Proxy Server and that Directory Server. Select "Yes, and all subsequent servers" to have the tool prepare every LDAP external server in the location, creating the proxy user account on each one where it does not already exist.

    Would you like to prepare ldap-east-01.example.com:389 for access by the Directory Proxy Server?
      1) Yes
      2) No
      3) Yes, and all subsequent servers
      4) No, and all subsequent servers
    Enter choice [1]: 3
- If the proxy user account does not yet exist on an LDAP external server, the tool creates it by binding to that server as an administrative account, cn=Directory Manager by default. Those credentials are needed only to create or modify the proxy user on the backend; the proxy itself binds to the backends as the proxy user. The tool then checks that the new account has the privileges it needs and that the base DN exists on the backend.

    Would you like to create or modify root user 'cn=Proxy User' so that it is available for this Directory Proxy Server? (yes / no) [yes]:
    Enter the DN of an account on ldap-east-01.example.com:389 with which to create or manage the 'cn=Proxy User' account [cn=Directory Manager]:
    Enter the password for 'cn=Directory Manager':
    Created 'cn=Proxy User,cn=Root DNs,cn=config'
    Testing 'cn=Proxy User' privileges ..... Done
    Verifying backend 'dc=example,dc=com' ..... Done
- Repeat the host:port, prepare, and account-creation steps for the remaining servers in this location, pressing Enter at the host:port prompt when the location is complete, and then for the servers in the other location.
- Review the configuration summary. Once you have confirmed that it is correct, press Enter to write the configuration file. The summary below is from a deployment that chose SSL, so its external servers are listed on LDAPS ports (1636 and 2636).

    >>>> Configuration Summary
    External Server Security: SSL
    Proxy User DN: cn=Proxy User,cn=Root DNs,cn=config

    Location east
      Failover Order: west
      Servers: localhost:1636

    Location west
      Failover Order: east
      Servers: localhost:2636

    Base DN: dc=example,dc=com
      Servers: localhost:1636, localhost:2636

      b) back
      q) quit
      w) write configuration file
    Enter choice [w]:
- Next, apply the configuration changes locally to the Directory Proxy Server. If you use any Server SDK extensions, install them with the manage-extension tool first, then press Enter to apply the changes. Alternatively, quit and run the generated dsconfig batch file later. Once the changes have been applied, you cannot use the create-initial-proxy-config tool to configure this Directory Proxy Server again; make further changes with the dsconfig tool.

    This tool can apply the configuration changes to the local Identity Proxy. This requires any configured Server SDK extensions to be in place.
    Do you want to do this? (yes / no) [yes]:
If you open the generated proxy-cfg.txt file (the dsconfig batch file) or the logs/config-audit.log file, you will see the configuration element hierarchy that the tool created: locations, health checks, external servers, load-balancing algorithms, request processors, and subtree views.
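The weak choices the steps above warn about (communication security "None", binding to the backends as cn=Directory Manager, a port that does not match the chosen security type) and the rule from the introduction that both proxies of a pair are configured identically apart from their own location can all be checked mechanically against the proxy-cfg.txt that the tool writes. The following Python script is an added example, not part of the PingDirectoryProxy documentation or product. It assumes the dsconfig batch-file layout and the property names stated in its docstring; the two sample files are constructed, and the "west" one carries a deliberate drift so the checks have something to find.

```python
"""Audit a create-initial-proxy-config batch file (proxy-cfg.txt) for the
weak choices the wizard allows, and diff the files of a proxy pair.

Added example, not Ping Identity's code. Assumed: one 'dsconfig <subcommand>
...' command per line with shell-style quoting, and the property names below
(server-host-name, server-port, bind-dn, connection-security, and the global
'location' property) match those in your generated file.
"""
import shlex

# Constructed sample for the east proxy of a pair.
PROXY_EAST_CFG = """\
dsconfig create-location --location-name east
dsconfig create-location --location-name west
dsconfig set-location-prop --location-name east --set preferred-failover-location:west
dsconfig set-location-prop --location-name west --set preferred-failover-location:east
dsconfig set-global-configuration-prop --set location:east
dsconfig create-external-server --server-name ldap-east-01:636 --type ping-identity-ds --set server-host-name:ldap-east-01.example.com --set server-port:636 --set "bind-dn:cn=Proxy User,cn=Root DNs,cn=config" --set connection-security:ssl --set location:east
dsconfig create-external-server --server-name ldap-west-01:636 --type ping-identity-ds --set server-host-name:ldap-west-01.example.com --set server-port:636 --set "bind-dn:cn=Proxy User,cn=Root DNs,cn=config" --set connection-security:ssl --set location:west
"""

# Constructed sample for the west proxy: its own location differs (expected),
# and the west backend has drifted to a cleartext bind as Directory Manager.
PROXY_WEST_CFG = """\
dsconfig create-location --location-name east
dsconfig create-location --location-name west
dsconfig set-location-prop --location-name east --set preferred-failover-location:west
dsconfig set-location-prop --location-name west --set preferred-failover-location:east
dsconfig set-global-configuration-prop --set location:west
dsconfig create-external-server --server-name ldap-east-01:636 --type ping-identity-ds --set server-host-name:ldap-east-01.example.com --set server-port:636 --set "bind-dn:cn=Proxy User,cn=Root DNs,cn=config" --set connection-security:ssl --set location:east
dsconfig create-external-server --server-name ldap-west-01:389 --type ping-identity-ds --set server-host-name:ldap-west-01.example.com --set server-port:389 --set "bind-dn:cn=Directory Manager" --set connection-security:none --set location:west
"""


def parse_batch(text):
    """Return one dict per dsconfig command: subcommand, option args, --set props."""
    commands = []
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())
        if len(tokens) < 2 or tokens[0] != "dsconfig":
            continue  # blank lines and comments
        entry = {"cmd": tokens[1], "args": {}, "set": {}}
        i = 2
        while i < len(tokens):
            if tokens[i] == "--set" and i + 1 < len(tokens):
                prop, _, value = tokens[i + 1].partition(":")
                entry["set"][prop] = value
                i += 2
            elif tokens[i].startswith("--") and i + 1 < len(tokens):
                entry["args"][tokens[i][2:]] = tokens[i + 1]
                i += 2
            else:
                i += 1
        commands.append(entry)
    return commands


def audit(commands):
    """Flag the choices the wizard warns about; one finding string per issue."""
    findings = []
    for c in commands:
        if c["cmd"] != "create-external-server":
            continue
        name = c["args"].get("server-name", "?")
        props = c["set"]
        security = props.get("connection-security", "none").lower()
        port = props.get("server-port", "")
        if security == "none":
            findings.append(f"{name}: connection-security none; the proxy user "
                            "password and all proxied traffic are cleartext")
        if props.get("bind-dn", "").lower().replace(" ", "") == "cn=directorymanager":
            findings.append(f"{name}: binds as cn=Directory Manager; use a "
                            "dedicated proxy user instead")
        if security == "ssl" and port.endswith("389"):
            findings.append(f"{name}: SSL selected but port {port} looks like "
                            "a cleartext/StartTLS listener")
    return findings


# Properties a pair is allowed to differ on: the proxy's own location.
PAIR_LOCAL = {("set-global-configuration-prop", "location")}


def fingerprint(commands):
    """Hashable view of the config with the proxy-local properties removed."""
    view = set()
    for c in commands:
        props = tuple(sorted((k, v) for k, v in c["set"].items()
                             if (c["cmd"], k) not in PAIR_LOCAL))
        view.add((c["cmd"], tuple(sorted(c["args"].items())), props))
    return view


def pair_differences(cfg_a, cfg_b):
    """Commands present in only one member of the pair, as (only_a, only_b)."""
    a, b = fingerprint(parse_batch(cfg_a)), fingerprint(parse_batch(cfg_b))
    return sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    for label, cfg in (("east", PROXY_EAST_CFG), ("west", PROXY_WEST_CFG)):
        print(f"{label}: {audit(parse_batch(cfg)) or 'no findings'}")
    only_a, only_b = pair_differences(PROXY_EAST_CFG, PROXY_WEST_CFG)
    for entry in only_a:
        print("only in east:", entry[0], dict(entry[1]).get("server-name", ""))
    for entry in only_b:
        print("only in west:", entry[0], dict(entry[1]).get("server-name", ""))
```

Run it against the two real files (read them in place of the constructed strings) after both proxies have been configured; any entry reported as "only in" one side is a drift that the pairing rule does not allow, and any audit finding points at a wizard prompt to revisit with dsconfig.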