Friday, October 23, 2009

Running Sun Directory Server 6.3 as a non root user

It's a standard best practice to run services under a dedicated user where possible. Sun's Directory Server Enterprise Edition supports this, but, as with many Sun products, the documentation on how to do so is scattered across many different places. Here's a quick how-to guide on how to do it for DSEE 6.3.1 on Solaris 10. This only covers the Directory Server component, not the Directory Proxy Server or Control Center components. But don't worry, more posts are in the works for those components!

These steps presume that you have already installed the DSEE software.

Step 1, create the user. Here are quick instructions to create the user "ldap" with group "ldap":

groupadd ldap
useradd -g ldap -s /bin/false -c "ldap" ldap
usermod -K defaultpriv=basic,proc_owner,net_privaddr ldap

If you're not familiar with Solaris's RBAC (Role Based Access Control), the last command grants the ldap user the privilege to bind to a privileged port number (net_privaddr), which is needed to use the standard LDAP ports of 389 and 636. The proc_owner privilege allows the ldap user to send signals to processes owned by other users, not only to those it owns itself.

Step 2, create the directory server instance.

dsadm create -p 389 -P 636 -u ldap -g ldap /opt/ds_homedir

Where the last argument is the directory that you want to use to store the configuration and data for your new instance.

Step 3, enable the service within SMF. This has two functions: first, it will make sure that the service will restart automatically when the server reboots, second, it enables you to start/stop the directory service as the root user without having to switch to the ldap user first.

If you installed using the Native Package install, it's easy, since the installation contains a built-in SMF manifest. Just run the following command to activate it:

dsadm enable-service --type SMF /opt/ds_homedir

However, if you used the ZIP distribution, it's a little more involved, since you have to create your own SMF manifest and register it manually. Below is the one that I use. You'll need to modify the exec commands to specify the directory of your instance. The timeouts are purposely long, as DS will often need a long time to re-check the database after an ungraceful shutdown (i.e. system crash):

<?xml version='1.0'?>
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<!--
Document : ds_ldaptest2.xml
Created on : 23-OCT-2009
Author : Keith Bucher
Description: The SMF Service Manifest file for Directory Server 6
-->
<service_bundle type="manifest" name="SUNWldap-directory services">
  <service name="application/sun/ds" type="service" version="1">
    <dependency name="filesystems" grouping="require_all"
                restart_on="none" type="service">
      <service_fmri value="svc:/system/filesystem/local:default"/>
    </dependency>
    <dependency name="network" grouping="require_all"
                restart_on="none" type="service">
      <service_fmri value="svc:/network/initial:default"/>
    </dependency>
    <!-- The timeout_seconds values below are placeholders (the original
         values did not survive); keep them long, as explained above. -->
    <exec_method type="method" name="start"
                 exec="/opt/sun/ds6/bin/dsadm start --exec /opt/ds_ldaptest2"
                 timeout_seconds="600">
      <method_context working_directory=":default">
        <method_credential user="ldap"/>
      </method_context>
      <stability value="Evolving"/>
    </exec_method>
    <exec_method type="method" name="stop"
                 exec="/opt/sun/ds6/bin/dsadm stop --exec /opt/ds_ldaptest2"
                 timeout_seconds="600">
      <method_context working_directory=":default">
        <method_credential user="ldap"/>
      </method_context>
      <stability value="Evolving"/>
    </exec_method>
    <instance name="default" enabled="false"/>
    <stability value="Evolving"/>
    <template>
      <common_name>
        <loctext xml:lang="C"> Directory Server </loctext>
      </common_name>
      <documentation>
        <doc_link name="Directory Server Enterprise Edition 6 Administration Guide" uri=""/>
      </documentation>
    </template>
  </service>
</service_bundle>

Once you've created this file, use the following commands to register it with SMF and enable the service:

svccfg import /opt/ds_homedir/config/manifest_file.xml
svcadm enable svc:/application/sun/ds:default


Unknown said...

Thanks for this tip. Worked perfectly. I have one management node running dscc, and all the servers running ds as the ldap user now.

I did have to make some additional changes so that dscc could restart servers as a non root user, with the ds added in to SMF.

First, I moved /opt/SUNWdsee/ds6/bin/dsadm to /opt/SUNWdsee/ds6/bin/dsadm.real.

Then I created a shell script that reads like:

#!/bin/sh
# Pass the real binary and every argument, quoted, through pfexec
pfexec "${0}.real" "$@"

so that I could prepend pfexec to the dsadm calls made by the ldap user via dscc.

Then I created an "LDAP Management" profile, and assigned it to the ldap user, and added the following commands to that profile:
LDAP Management:suser:cmd:::/opt/SUNWdsee/ds6/bin/dsadm.real:uid=0

Now, when dscc on my management host tries to connect to the remote server for such operations as to restart a directory server, it works.

Otherwise, I was getting errors like "Instance: blahblah is in SMF" and "Only root can run that command".
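The profile in the comment above makes pfexec run dsadm.real with uid=0 for any account that holds it, so the useful review question is "which commands does this user now run as root?". The script below is an added example, not part of the comment or of Sun's tooling: it joins constructed user_attr(4) and exec_attr(4) lines in the shapes those files use (the "LDAP Management" profile name, the dsadm.real path and the extra /usr/bin/ls entry are sample data) and resolves a user's profiles to the commands that carry uid=0 or euid=0.

```python
"""Resolve which commands a user can run as root through pfexec, offline.

Added example: joins user_attr(4) profiles= entries with exec_attr(4)
command entries. Both inputs are constructed samples.
"""

# Constructed user_attr line: user:qualifier:res1:res2:attr
USER_ATTR = (
    "ldap::::type=normal;profiles=LDAP Management;"
    "defaultpriv=basic,proc_owner,net_privaddr\n"
)

# Constructed exec_attr lines: profile:policy:type:res1:res2:id:attr
EXEC_ATTR = """# sample entries for the LDAP Management profile
LDAP Management:suser:cmd:::/opt/SUNWdsee/ds6/bin/dsadm.real:uid=0
LDAP Management:suser:cmd:::/usr/bin/ls:
"""


def _attrs(field):
    """Parse a 'k=v;k=v' attribute field into a dict."""
    return dict(kv.split("=", 1) for kv in field.split(";") if "=" in kv)


def profiles_for(user_attr, user):
    """Return the list of RBAC profiles assigned to `user` in user_attr text."""
    for line in user_attr.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if fields[0] == user and len(fields) >= 5:
            return [p for p in _attrs(fields[4]).get("profiles", "").split(",") if p]
    return []


def root_commands(user_attr, exec_attr, user):
    """Sorted command paths that `user` can run with uid=0 or euid=0 via pfexec."""
    profiles = set(profiles_for(user_attr, user))
    commands = []
    for line in exec_attr.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        # need all seven fields, a cmd entry, and a profile the user holds
        if len(fields) < 7 or fields[2] != "cmd" or fields[0] not in profiles:
            continue
        attrs = _attrs(fields[6])
        if attrs.get("uid") == "0" or attrs.get("euid") == "0":
            commands.append(fields[5])
    return sorted(commands)


if __name__ == "__main__":
    for cmd in root_commands(USER_ATTR, EXEC_ATTR, "ldap"):
        print("ldap runs as root via pfexec:", cmd)
```

Running it against real /etc/user_attr and /etc/security/exec_attr files gives a one-line inventory per user of what the wrapper-plus-profile arrangement escalates; on the commenter's setup the expected answer is exactly one path, dsadm.real, and anything more is worth a second look.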

Unknown said...

What exactly is in the "--exec" field?

I can't find documentation of "--exec"; I looked in the description for dsadm:

and ran help:
bash-3.00# ./dsadm start --help
Usage: dsadm start [ -Ei ] [ -W CERT_PW_FILE ] INSTANCE_PATH
Starts Directory Server instance
The accepted values for OPTIONS are:
-W CERT_PW_FILE, --cert-pwd-file CERT_PW_FILE
Reads certificate database pwd from CERT_PW_FILE (Default: use stored pwd or prompt for pwd)
-i, --no-inter
Does not prompt for password
-E, --safe
Starts with the configuration used at last successful startup
For global options, use dsadm --help.
INSTANCE_PATH Path of the Directory Server instanc
For more information, see dsadm(1M).

But I can't find the purpose of "--exec". Where should I look for the documentation for "--exec"?