OpenDJ: Register with SMF on OpenIndiana

In response to the entry on running OpenDJ at boot time on Linux, Dave Koelmeyer asked about doing the same on OpenSolaris or OpenIndiana. It turns out that we provide a .zip of SVR4 packages for each release — check the download page — and that package includes what you need.

Security Config

First, here are the steps to get OpenDJ set up to work with SMF on OpenIndiana, so the directory server can be managed as a service with svcadm. This is stuff you do before installation.

  1. Edit the authorization description database file to add a line in the list of managed services for OpenDJ.
    $ sudo vi /etc/security/auth_attr
    ### Add this line:
    solaris.smf.manage.opendj:::Manage OpenDJ Service States::help=SmfOpenDJStates.html

    This line defines the authorization that you subsequently grant to the role.

  2. Provide a group and role to manage OpenDJ. The login user here, mark, is in sudoers and has the Primary Administrator profile (sudo usermod -P 'Primary Administrator' mark), so can perform the necessary administrative tasks. These lines add an opendj group and an opendj role with the capability to manage the OpenDJ service. They give the opendj role a password, so that a login user such as mark can su opendj to manage OpenDJ. Finally, the last line assigns the opendj role, along with root, to user mark.
    $ pfexec groupadd opendj
    $ pfexec roleadd -g opendj -s /bin/sh -A solaris.smf.manage.opendj \
    > -K defaultpriv=basic,net_privaddr,sys_resource opendj
    $ pfexec passwd opendj
    New Password:
    Re-enter new Password:
    passwd: password successfully changed for opendj
    $ pfexec usermod -R opendj,root mark

    usermod tells me the changes may not take effect until I log in again, so I exit and log in again.
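
A check of the RBAC entries that steps 1 and 2 should leave behind, as an added example that is not part of the original post or of OpenDJ. It assumes the standard colon-separated auth_attr and user_attr layouts with semicolon-separated key=value attributes; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: audit the RBAC entries from steps 1 and 2.
# Live paths would be /etc/security/auth_attr and /etc/user_attr; they are
# passed as arguments so the check can also run against copies.

AUTH="solaris.smf.manage.opendj"             # authorization from step 1
WANT_PRIVS="basic,net_privaddr,sys_resource" # defaultpriv from step 2

# Print the value of one key from a user_attr attribute field,
# which has the form key=value;key=value.
attr_value() {  # $1 = attribute field, $2 = key
    printf '%s\n' "$1" | tr ';' '\n' | sed -n "s/^$2=//p"
}

# Return 0 if the role matches the walkthrough exactly, 1 otherwise.
audit_opendj_role() {  # $1 = auth_attr file, $2 = user_attr file, $3 = role
    rc=0
    # auth_attr layout: name:res1:res2:short_desc:long_desc:attr
    awk -F: -v a="$AUTH" '$1 == a { f = 1 } END { exit !f }' "$1" ||
        { echo "FAIL: $AUTH is not defined in $1"; rc=1; }
    # user_attr layout: user:qualifier:res1:res2:attr
    attrs=$(awk -F: -v r="$3" '$1 == r { print $5 }' "$2")
    if [ -z "$attrs" ]; then
        echo "FAIL: no user_attr entry for $3"
        return 1
    fi
    [ "$(attr_value "$attrs" type)" = "role" ] ||
        { echo "FAIL: $3 is not type=role"; rc=1; }
    # Anything beyond the single SMF authorization is privilege creep.
    [ "$(attr_value "$attrs" auths)" = "$AUTH" ] ||
        { echo "FAIL: auths is not exactly $AUTH"; rc=1; }
    [ "$(attr_value "$attrs" defaultpriv)" = "$WANT_PRIVS" ] ||
        { echo "FAIL: defaultpriv is not exactly $WANT_PRIVS"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $3 matches the intended configuration"
    return "$rc"
}

# Run against the files named on the command line, if any.
if [ "$#" -eq 3 ]; then
    audit_opendj_role "$@"
fi
```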

Installation

Next, here are the commands I used to install OpenDJ 2.4.2 on a VM running OpenIndiana oi_148.

$ wget http://download.forgerock.org/downloads/opendj/2.4.2/opendj.zip
$ unzip opendj.zip
$ pfexec pkgadd -d . opendj

With OpenDJ 2.4.2 the /usr/opendj/[un]configure scripts have execute permissions for root and read permissions for everyone else. As a side effect, opendj cannot run the configure script. To work around this, first add the following lines near the top of each script to prevent users other than root from actually completing configure or unconfigure operations.

# Prevent non-root users from running this script.
USERID=`id -u`
if [[ $USERID -ne 0 ]]; then
        echo "This script must be run as root" 1>&2
        exit 1
fi

Next, give users the right to execute the commands.

$ pfexec chmod +x /usr/opendj/*configure

At this point, proceed with installation.

$ pfexec /usr/opendj/configure --instancePath \
> /home/mark/OpenDJ --userName opendj --groupName opendj
$ su opendj
Password:
$ /usr/opendj/setup --cli

The unconfigure command lets you get rid of your instances later.

Ongoing Management

Finally, manage OpenDJ with svcadm.

$ su opendj
Password:
$ svcadm enable opendj

The first time you run svcadm enable, the command either starts OpenDJ, or restarts OpenDJ so you can manage the instance with SMF.

Now when you assume the opendj role, you can manage OpenDJ through SMF.

$ id
uid=102(opendj) gid=100(opendj) groups=100(opendj)
$ /usr/opendj/bin/status
$ /usr/opendj/bin/status -D "cn=Directory Manager" -w ********                   

          --- Server Status ---
Server Run Status:        Started
Open Connections:         1

          --- Server Details ---
Host Name:                openindiana
Administrative Users:     cn=Directory Manager
Installation Path:        /usr/opendj
Instance Path:            /home/mark/OpenDJ
Version:                  OpenDJ 2.4.2
Java Version:             1.6.0_21
Administration Connector: Port 4444 (LDAPS)

          --- Connection Handlers ---
Address:Port : Protocol : State
-------------:----------:---------
--           : LDIF     : Disabled
0.0.0.0:161  : SNMP     : Disabled
0.0.0.0:389  : LDAP     : Enabled
0.0.0.0:636  : LDAPS    : Disabled
0.0.0.0:1689 : JMX      : Disabled

          --- Data Sources ---
Base DN:     dc=example,dc=com
Backend ID:  userRoot
Entries:     2002
Replication: Disabled

$ svcadm disable opendj
$ /usr/opendj/bin/status -D "cn=Directory Manager" -w ********

          --- Server Status ---
Server Run Status:        Stopped
Open Connections:          (*)

          --- Server Details ---
Host Name:                openindiana
Administrative Users:     cn=Directory Manager
Installation Path:        /usr/opendj
Instance Path:            /home/mark/OpenDJ
Version:                  OpenDJ 2.4.2
Java Version:              (*)
Administration Connector: Port 4444 (LDAPS)

          --- Connection Handlers ---
Address:Port : Protocol : State
-------------:----------:---------
--           : LDIF     : Disabled
0.0.0.0:161  : SNMP     : Disabled
0.0.0.0:389  : LDAP     : Enabled
0.0.0.0:636  : LDAPS    : Disabled
0.0.0.0:1689 : JMX      : Disabled

          --- Data Sources ---
Base DN:     dc=example,dc=com
Backend ID:  userRoot
Entries:      (*)
Replication: Disabled

* Information only available if server is running and you provide valid
authentication information when launching the status command.

Thus opendj can manage OpenDJ through svcadm.
