Directory server instance owner – Security and Users

6.5.1.1 Directory server instance owner
The screens for using the IBM SDS Instance Administration Tool are shown on Page 111 – Page 116 of the document available as a free download from ResearchGate, using the DOI: https://doi.org/10.13140/RG.2.2.33527.57761 (IBM Security Directory Services 6.4- Installation on RHEL 8.0).
The IBM SDS directory server instance owner is the system user ID that owns the directory server instance.
If you need to add the proxy (for Open LDAP) when this user is created, you have to enter an encryption seed text string which must be between 12 and 1016 characters in length; otherwise you get a GLPCFG147E Data not valid in … pop-up error box.
By default, a dsrdbm01 directory server instance user (with a home directory of /home/dsrdbm01) and a database instance of dsrdbm01 are created and configured.

6.5.1.2 Adding grrdbm01 primary group to root user
Because we get the error GLPICR102E ‘root’ must be a member of the primary group ‘grrdbm01’ and of the database, we have to run the following commands:
usermod -a -G grrdbm01 root
groups root
Additionally, after reboot we discovered that the following essential steps are required to get the system to work correctly. We rebooted the server, as the root user, using:
shutdown -r now
Then we opened the /etc/passwd file in vi and noted the root user’s line, as follows:
root:x:0:1002:root:/root:/bin/bash
We must take the GroupID used for root on our server (1002, shown above) and use it to replace the initial value 0 in the GroupID field held in /etc/passwd for the dsrdbm01 LDAP user. So, we change the line:
dsrdbm01:x:1002:0::/home/dsrdbm01:/bin/ksh
To:
dsrdbm01:x:1002:1002::/home/dsrdbm01:/bin/ksh
The above procedure is an essential step to allow the creation of the default instance (or any other instance required), since the Group ID of root (usually 0, but not on our server) must match the Group ID in the /etc/passwd file for the default instance user.
Also, we have to change the dsrdbm01 subdirectory security permissions in the /home directory using the command chmod 777 dsrdbm01 (note, this will be changed back by the installer).
We must now enter the following commands:
usermod -a -G grrdbm01 root
Which adds the grrdbm01 group to the root user. We can then list the root user’s groups using:
groups root
Note: You must then log out and log back in as root before the above can be seen by the process. (Log in as root by clicking on the Not listed? option shown in the Desktop user list under the last user, after rebooting.)
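The conditions this section depends on (matching Group IDs in /etc/passwd, root listed in the grrdbm01 group, and the temporary chmod 777 being reverted) can be checked with a short script. This is an added example, not part of the original document or of the IBM tooling; the function names, the temporary paths and the GID in the sample group line are assumptions, and the sample files are constructed from the lines shown above.

```shell
#!/bin/sh
# Added example: checks for the passwd/group edits described above.
# Function names and the sample files are constructed for illustration.

# Print the primary GID (4th passwd field) of user $2 in passwd-format file $1.
primary_gid() {
    awk -F: -v u="$2" '$1 == u { print $4; found = 1; exit }
                       END { if (!found) exit 1 }' "$1"
}

# Succeed if instance owner $2 has the same primary GID as root in file $1.
gids_match() {
    r=$(primary_gid "$1" root) && o=$(primary_gid "$1" "$2") && [ "$r" = "$o" ]
}

# Succeed if user $3 is in the member list (4th field) of group $2 in file $1.
in_group_list() {
    awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit (ok ? 0 : 1) }' "$1"
}

# Succeed if directory $1 is not world-writable (the chmod 777 was reverted).
not_world_writable() {
    [ -z "$(find "$1" -maxdepth 0 -perm -0002)" ]
}

# Constructed sample data mirroring the lines shown in this section.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' 'root:x:0:1002:root:/root:/bin/bash' \
    'dsrdbm01:x:1002:0::/home/dsrdbm01:/bin/ksh' > "$demo/passwd.before"
printf '%s\n' 'root:x:0:1002:root:/root:/bin/bash' \
    'dsrdbm01:x:1002:1002::/home/dsrdbm01:/bin/ksh' > "$demo/passwd.after"
printf '%s\n' 'grrdbm01:x:1002:root' > "$demo/group"   # GID assumed
mkdir "$demo/dsrdbm01" && chmod 777 "$demo/dsrdbm01"

gids_match "$demo/passwd.before" dsrdbm01 || echo "before edit: GID mismatch"
gids_match "$demo/passwd.after" dsrdbm01 && echo "after edit: GIDs match"
in_group_list "$demo/group" grrdbm01 root && echo "root is listed in grrdbm01"
not_world_writable "$demo/dsrdbm01" || echo "home directory is still mode 777"
```

On a live server, pass /etc/passwd, /etc/group and /home/dsrdbm01 to the functions in place of the sample paths; the last check is the one to repeat after the installer has finished.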
See also the Technote:

https://www-01.ibm.com/support/docview.wss?uid=swg21585068
Fixed default instance settings for IBM Security Directory Services 6.4 are shown in Table 6.2:

Table 6.2: The default instance settings for the IBM Security Directory Services 6.4
We can now create a proxy user using the Create Instance button (the first menu button, top-right). We select the Create a new directory server instance radio button option and also tick the Set up as a proxy tick-box. We click Next, and then complete the instance creation.
We can now use the command line add user commands as follows:
cd /opt/ibm/ldap/V6.4/sbin
./idsadduser -u dsproxy -g sdsadm -l /home/dsproxy -w password
Where password is the required dsproxy user password. The prompt to continue with the command actions is answered by entering a 1 (entering a 2 will exit without any changes, so will cancel the commands entered).
The following changes are listed:
• The group sdsadm is created.
• The user dsproxy is created.
• The root user is added to the sdsadm group.
• The password for user dsproxy is set.
You must then log out and back in to see the dsproxy user account which is created. The screens for using the IBM SDS Instance Administration Tool are shown on Page 120 – Page 125 of the document available as a free download from ResearchGate, using the DOI: https://doi.org/10.13140/RG.2.2.33527.57761 (IBM Security Directory Services 6.4- Installation on RHEL 8.0).
A new directory server instance is created. The dsproxy user we created earlier is selected from the dropdown list. The /home path is typed in for the Browse window and the dsrdbm01 subdirectory is selected from the list.
The Instance description textbox text is entered, for example, ASB Software Development Limited example, and the Next button is clicked.
The Listen on all configured IP addresses tick box is selected and the Next button is clicked.
By default, the ports are set as:
389, for the Server port.
676, for the Server secure port.
3538, for the Administration server port.
3539, for the Administration server secure port.
Then the Next command button is selected.
With the defaults set, these port numbers will need to be changed to use the proxy server instance. Next, the Configure administrator DN and password tick-box is ticked and Next is clicked.
We are using cn=root
With the password: IBMFileNetP8
A page is then displayed with all the settings we entered, and the Finish command is clicked.