Deployment and configuration

This section describes the steps required to install the plug-in on a Windows, UNIX or Linux platform.

Registering the Sun Directory Server Password Synchronization Plug-ins with Sun Directory Server

Sun ONE Directory Server 5.2

To register the plug-in, stop Sun Directory Server and add the following to the Sun Directory Server configuration file dse.ldif, using the Directory Server Management Console:

dn: cn=IBM DI PassSync,cn=plugins,cn=config
nsslapd-pluginPath: TDI_install_dir/pwd_plugins/sun/sunpwsync.dll
nsslapd-pluginEnabled: on
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: IBM DI PassSync
nsslapd-pluginType: object
nsslapd-pluginInitfunc: PWSyncInit
nsslapd-pluginarg0: TDI_install_dir/pwd_plugins/sun/pwsync.props
nsslapd-pluginId: ibmdi.pwsync
nsslapd-pluginVersion: 7.1
nsslapd-pluginVendor: IBM
nsslapd-pluginDescription: IBM TDI plug-in for password synchronization

According to the SUN Directory Server Documentation, the 64-bit Sun DS server running on Solaris will search the 64-bit libraries in a directory under the specified path.

For example, if the value of nsslapd-pluginPath is set in the configuration entry as follows:

nsslapd-pluginPath: TDI_install_dir/pwd_plugins/sun/libsunpwsync_64.so

then a 64-bit Directory Server running in Solaris Operating Environment searches for a 64-bit plug-in library named: TDI_install_dir/pwd_plugins/sun/64/libsunpwsync_64.so

That is why on Solaris the 64-bit binary for the Sun Directory Server Password Synchronizer is shipped in that folder instead.

Generally we should avoid manually modifying the dse.ldif configuration file of the Sun Directory Server. We can register the plug-in by importing the above LDIF statements using the Directory Server Console like this:

1. Save the above LDIF content in an LDIF file (replace the placeholders for the installation folder accordingly).

2. Open the Directory Server instance in the Directory Server Console.

3. Go to the Tasks tab.

4. Select Import LDIF.

5. Browse to the location of the file. Check the Add only checkbox. Uncheck the Continue on error checkbox. Click OK.

6. Restart the Directory Server, so that the plug-in is loaded

Sun Java System Directory Server Enterprise Edition 6.0

Locate the dsconf command-line tool that ships with the Directory Server; it will be used to register the plug-in. Ensure the Directory Server is running. Execute the following steps (refer to the notes after the steps for the meaning of the access-options placeholder):

1. Register the plug-in binary (you may need to change the name of the binary depending on the platform - sunpwsync.dll, libsunpwsync.so, and so forth):

   dsconf create-plugin <access options> -H "TDI_install_dir/pwd_plugins/sun/sunpwsync.dll" 
     -F PWSyncInit -Y object -G "TDI_install_dir/pwd_plugins/sun/pwsync.props" "IBM DI PassSync"

2. Set the description of the plug-in:

   dsconf set-plugin-prop access-options "IBM DI PassSync"
     "desc:IBM TDI plug-in for password synchronization"

3. Set the vendor name of the plug-in:

   dsconf set-plugin-prop access-options "IBM DI PassSync" vendor:IBM

4. Set the version of the plug-in:

   dsconf set-plugin-prop access-options "IBM DI PassSync" version:7.1

5. Enable the plug-in:

   dsconf enable-plugin access-options "IBM DI PassSync"

6. Restart the Directory Server, so that it loads the plug-in.

Notes:

1. The access-options placeholder should be replaced with access details and credentials used to connect to the Directory Server.

   For example, if the Directory Server is located on the localhost, accepts non-SSL connections on port 1389 and the uses the default administrator DN cn=Directory Manager, we can use the following options:

     -p 1389 --unsecured

   For a full list of options that dsconf supports refer to the Sun documentation: http://docs.sun.com/app/docs/doc/819-0986/6n3chglmh?a=view.

2. To un-register the plug-in use the following command:

   dsconf delete-plugin access-options "IBM DI PassSync"

Enable Sun Directory Server logging for plug-ins

The directory plug-in part of the Sun Directory Server Password Synchronizer logs messages in the error log of the Sun Directory Server. By default messages from server plug-ins do not appear in the error log for performance reasons.

Sun ONE Directory Server 5.2

Perform the following steps to enable Sun Directory Server logging for plug-ins:

1. On the Directory Server Console, select the Configuration tab.

2. In the navigation tree, expand the Logs folder and select the Error Log icon.

3. The error log configuration attributes are displayed in the pane on the right side of the screen.

4. To enable error logging, select the Enable Logging check box (error logging is enabled by default).

5. Select Plug-ins in the Log Level list box and click Save.

Sun Java System Directory Server Enterprise Edition 6.0

Perform the following steps to enable Sun Directory Server logging for plug-ins:

1. Ensure the Directory Server is running.

2. Execute the following command with the dsconf tool of the Directory Server:

   dsconf set-log-prop access-options error level:err-plugins

   For the meaning of the access-options placeholder see the notes in section Sun Java System Directory Server Enterprise Edition 6.0.

To query the current level of the error log run the following command:

dsconf get-log-prop access-options error level

Configuring the Sun Directory Server Password Synchronization Plug-in

The Sun Directory Server plug-in has a template configuration file installed at TDI_Install_dir/pwd_plugins/sun/pwsync.props. When the SunDS plug-in is initialized, it will expect that the configuration file is set as the last parameter of the plug-in's registration line. The plug-in then reads the file. Some of the parameters in that configuration file are shared between the plug-in and the Java Proxy. For a complete list of the supported properties, check out Password plug-ins common configuration and utilities.

The property listed below is specific for the Sun Directory Server Password Synchronizer:

syncBase

This optional property enables restricting the part of the directory tree where passwords are intercepted. The string value specified is the LDAP distinguished name (dn) of the root of the tree whose entry' passwords we want to intercept. Specifying "o=ibm,c=us", for example, results in intercepting password update "cn=Kyle Nguyen,ou=Austin,o=IBM,c=US" and skipping the password update "cn=Henry Nguyen,o=SomeOtherCompany,c=US". Setting no value for this property results in the interception of password updates in the whole directory tree.