Download :

CZGI9ML        IBM Tivoli Access Manager Base for Linux on x86 v6.1.1  
CZGJ0ML        IBM Tivoli Access Manager Web Security for Linux on x86 v6.1.1  
C12WNML        IBM Tivoli Directory Server 6.1 Client-Server with entitlement, GSKit 7.0.3.30 (tar file) for Linux x86-64, Multilingual  
C12WQML        IBM Tivoli Directory Server 6.1, DB2 v 9.1 FP 02 (tar file) for Linux x86-64  
C12WRML        IBM Tivoli Directory Server 6.1 eWAS 6.1.0.7, Tivoli Directory Integrator 6.1.1(tar file) for Linux x86-64  

Prerequisites :

  • install CentOS 6.3
  • minimal install
  • netinstall

Other software

Apache Directory Studio
install eclipse
install plugin : http://directory.apache.org/studio/update/1.x

install vmware tools

openssh-clients is needed so you can use scp; oddly, the minimal install does not include it.

  yum install perl  
  yum install openssh openssh-clients  

Installation of vmwaretools :

mkdir /mnt/cdrom
mount /dev/cdrom /mnt/cdrom
cd /tmp
tar xvzf /mnt/cdrom/VM*
cd vmware-tools-distrib
./vmware-install.pl

Remove the persistent net rules, so when copying the virtual machine, the primary interface remains eth0 :

  rm /etc/udev/rules.d/70-persistent-net.rules  

Create ssh keys:

  ssh-keygen  

accept all defaults

Make sure IBM DB2 is installed :
Install DB2 for TDS

Install TDS from rpm

cd /mnt/cdrom/tdsfiles  
  
rpm -ihv idsldap-cltbase63-6.3.0-0.x86_64.rpm  
rpm -Uvh idsldap-clt32bit63-6.3.0-0.x86_64.rpm  
rpm -ihv idsldap-clt64bit63-6.3.0-0.x86_64.rpm  
rpm -ihv idsldap-cltjava63-6.3.0-0.x86_64.rpm  
rpm -ihv idsldap-srv64bit63-6.3.0-0.x86_64.rpm  
rpm -ihv idsldap-srvbase64bit63-6.3.0-0.x86_64.rpm  
rpm -ihv idsldap-license63-6.3.0-0.x86_64.rpm  
rpm -ihv idsldap-msg63-en-6.3.0-0.x86_64.rpm  
  
or all at once:  
  
rpm -Uvh idsldap-cltbase63-6.3.0-0.x86_64.rpm idsldap-clt32bit63-6.3.0-0.x86_64.rpm idsldap-clt64bit63-6.3.0-0.x86_64.rpm idsldap-cltjava63-6.3.0-0.x86_64.rpm idsldap-srv64bit63-6.3.0-0.x86_64.rpm idsldap-srvbase64bit63-6.3.0-0.x86_64.rpm idsldap-license63-6.3.0-0.x86_64.rpm idsldap-msg63-en-6.3.0-0.x86_64.rpm  

check :

  rpm -qa | grep idsldap  

should be:

idsldap-cltbase63-6.3.0-0  
idsldap-clt32bit63-6.3.0-0  
idsldap-cltjava63-6.3.0-0  
idsldap-srvbase32bit63-6.3.0-0  
idsldap-srv32bit63-6.3.0-0  

I have : (close enough :-) )

idsldap-clt64bit63-6.3.0-0.x86_64  
idsldap-srv64bit63-6.3.0-0.x86_64  
idsldap-cltjava63-6.3.0-0.x86_64  
idsldap-cltbase63-6.3.0-0.x86_64  
idsldap-srvbase64bit63-6.3.0-0.x86_64  
idsldap-clt32bit63-6.3.0-0.x86_64  

Update TDS

download the fixpack and extract

  cd /mnt/hgfs/hostroot/local/Downloads/IBM/Tivoli/TAM611/6.3.0.18-ISS-ITDS-LinuxX64-IF0018/images
  rpm -Uvh idsldap-cltbase63\* idsldap-clt32bit63\* idsldap-clt64bit63-6.3\* idsldap-cltjava63-6.3\* idsldap-srv64bit63-6.3\* idsldap-srvbase64bit63-6.3\* idsldap-license63-6.3\* idsldap-msg63-en-6.3\*  

Install GSKit

  cd /mnt/cdrom/gskit  
  rpm -Uvh gsk\*  

Update GSKit

  cd /mnt/hgfs/hostroot/local/Downloads/IBM/Tivoli/TAM611/8.0.14.24-ISS-GSKIT-LinuxX64-FP0024  
  rpm -Uvh gsk\*  

Create default instance

as root, run:

usermod -G db2iadm root   
cd /opt/ibm/ldap/V6.3/sbin  
./idsxinst  

useradd -r db2ldap  
echo passw0rd | passwd db2ldap --stdin  

I needed to manually create this file (DB2 install path and version):

cat /opt/ibm/ldap/V6.3/etc/ldapdb.properties  
currentDB2InstallPath=/opt/ibm/db2/V9.7  
currentDB2Version=9.7.0.0  

Encryption seed used for the instance (the -e value of idsicrt): passw0rd123456789  

so in the interface, create new instance.
Select to create custom instance
Select the db2 instance db2inst1

user : db2ldap  
database location : /home/db2inst1  
online backup : /opt/backup  

Again, on the command line. First list the DB2 instances and drop the default one (dsrdbm01):

  /opt/ibm/db2/V9.7/instance/db2ilist  
  
  /opt/ibm/db2/V9.7/instance/db2idrop dsrdbm01  

Then create the directory server instance (the -e value is the encryption seed noted above):

  cd /opt/ibm/ldap/V6.3/sbin  
  ./idsicrt -I idsldap -e passw0rd123456789 -G db2iadm -w passw0rd -p 389 -s 636 -t db2inst1  

Output:

GLPWRP123I The program '/opt/ibm/ldap/V6.3/sbin/64/idsadduser' is used with the following arguments '-u idsldap -g db2iadm -w *****'.  

GLPGRP011W The user ‘idsldap’ already exists. The user will be recreated with modified properties.
GLPGRP052W If the Network Information Service (NIS) database is installed on the system, user properties modification is not recommended.

Do you want to….
(1) Continue with the above actions, or
(2) Exit without making any changes:1

You have chosen to perform the following actions:

GLPGRP019I System user will be created for directory server instance.
GLPGRP020I The system user ‘idsldap’ will be created.
GLPGRP021I The user’s primary group ‘db2iadm’ will be created.
GLPGRP024I The user ‘idsldap’ will be a member of group ‘idsldap’.
GLPGRP025I The user ‘root’ will be a member of group ‘db2iadm’.
GLPGRP005I The password for user ‘idsldap’ will be set.
GLPGRP011W The user ‘idsldap’ already exists. The user will be recreated with modified properties.
GLPGRP052W If the Network Information Service (NIS) database is installed on the system, user properties modification is not recommended.
Do you want to….
(1) Continue with the above actions, or
(2) Exit without making any changes:1

GLPGRP053I The home directory of the existing user ‘idsldap’ is /home/idsldap.
GLPGRP034I The group ‘db2iadm’ already exists.
GLPGRP029I The user ‘idsldap’ was created successfully.
GLPGRP030I The user ‘idsldap’ was added to group ‘db2iadm’ successfully.
GLPGRP047I The user ‘root’ is already a member of group ‘db2iadm’.
GLPGRP006I Setting the password for user ‘idsldap’
GLPGRP007I Successfully changed password for user ‘idsldap’.
GLPWRP123I The program ‘/opt/ibm/ldap/V6.3/sbin/64/idsicrt’ is used with the following arguments ‘idsicrt -I idsldap -e ***** -G db2iadm -w ***** -t db2inst1 –p 389 –s 636’.
You have chosen to perform the following actions:

GLPICR020I A new directory server instance ‘idsldap’ will be created.
GLPICR057I The directory server instance will be created at: ‘/home/idsldap’.
GLPICR013I The directory server instance’s port will be set to ‘389’.
GLPICR014I The directory server instance’s secure port will be set to ‘636’.
GLPICR015I The directory instance’s administration server port will be set to ‘3538’.
GLPICR016I The directory instance’s administration server secure port will be set to ‘3539’.
GLPICR019I The description will be set to: ‘IBM Tivoli Directory Server Instance V6.3’.
GLPICR021I Database instance ‘db2inst1’ will be configured.

Do you want to….
(1) Continue with the above actions, or
(2) Exit without making any changes:1

GLPICR028I Creating directory server instance: ‘idsldap’.
GLPICR025I Registering directory server instance: ‘idsldap’.
GLPICR026I Registered directory server instance: : ‘idsldap’.
GLPICR049I Creating directories for directory server instance: ‘idsldap’.
GLPICR050I Created directories for directory server instance: ‘idsldap’.
GLPICR043I Creating key stash files for directory server instance: ‘idsldap’.
GLPICR044I Created key stash files for directory server instance: ‘idsldap’.
GLPICR040I Creating configuration file for directory server instance: ‘idsldap’.
GLPICR041I Created configuration file for directory server instance: ‘idsldap’.
GLPICR034I Creating schema files for directory server instance: ‘idsldap’.
GLPICR035I Created schema files for directory server instance: ‘idsldap’.
GLPICR037I Creating log files for directory server instance: ‘idsldap’.
GLPICR038I Created log files for directory server instance: ‘idsldap’.
GLPICR088I Configuring log files for directory server instance: ‘idsldap’.
GLPICR089I Configured log files for directory server instance: ‘idsldap’.
GLPICR085I Configuring schema files for directory server instance: ‘idsldap’.
GLPICR086I Configured schema files for directory server instance: ‘idsldap’.
GLPICR073I Configuring ports and IP addresses for directory server instance: ‘idsldap’.
GLPICR074I Configured ports and IP addresses for directory server instance: ‘idsldap’.
GLPICR077I Configuring key stash files for directory server instance: ‘idsldap’.
GLPICR078I Configured key stash files for directory server instance: ‘idsldap’.
GLPICR046I Creating profile scripts for directory server instance: ‘idsldap’.
GLPICR047I Created profile scripts for directory server instance: ‘idsldap’.
GLPICR103I Adding instance information to the .profile file for directory server instance: ‘idsldap’.
GLPICR104I Added instance information to the .profile file for directory server instance: ‘idsldap’.
GLPICR069I Adding entry to /etc/inittab for the administration server for directory instance: ‘idsldap’.
GLPICR070I Added entry to /etc/inittab for the administration server for directory instance: ‘idsldap’.
GLPICR118I Creating runtime executable for directory server instance: ‘idsldap’.
GLPICR119I Created runtime executable for directory server instance: ‘idsldap’.
GLPCTL074I Starting admin server for directory server instance: ‘idsldap’.
GLPCTL075I Started admin server for directory server instance: ‘idsldap’.
GLPICR029I Created directory server instance: : ‘idsldap’.
GLPICR031I Adding database instance ‘db2inst1’ to directory server instance: ‘idsldap’.
GLPCTL002I Creating database instance: ‘db2inst1’.
GLPCTL003I Created database instance: ‘db2inst1’.
GLPICR133I Setting the DB2 registry for database instance ‘db2inst1’ to allow DB2 SELECTIVITY.
GLPICR134I The DB2 registry for database instance ‘db2inst1’ has been set to allow DB2 SELECTIVITY.
GLPCTL017I Cataloging database instance node: ‘db2inst1’.
GLPCTL018I Cataloged database instance node: ‘db2inst1’.
GLPCTL008I Starting database manager for database instance: ‘db2inst1’.
GLPCTL009I Started database manager for database instance: ‘db2inst1’.
GLPCTL049I Adding TCP/IP services to database instance: ‘db2inst1’.
GLPCTL050I Added TCP/IP services to database instance: ‘db2inst1’.
GLPICR081I Configuring database instance ‘db2inst1’ for directory server instance: ‘idsldap’.
GLPICR082I Configured database instance ‘db2inst1’ for directory server instance: ‘idsldap’.
GLPICR052I Creating DB2 instance link for directory server instance: ‘idsldap’.
GLPICR053I Created DB2 instance link for directory server instance: ‘idsldap’.
GLPICR032I Added database instance ‘db2inst1’ to directory server instance: ‘idsldap’.

## SET Administrator ID and Password  

      ./idsdnpw -I idsldap -u cn=root -p passw0rd

Enter the directory server administrator password:  

GLPWRP123I The program ‘/opt/ibm/ldap/V6.3/sbin/64/idsdnpw’ is used with the following arguments ‘-I idsldap –u cn=root –p passw0rd’.
You have chosen to perform the following actions:

GLPDPW004I The directory server administrator DN will be set.
GLPDPW005I The directory server administrator password will be set.

Do you want to….
(1) Continue with the above actions, or
(2) Exit without making any changes:1

GLPDPW009I Setting the directory server administrator DN.
GLPDPW010I Directory server administrator DN was set.
GLPDPW006I Setting the directory server administrator password.
GLPDPW007I Directory server administrator password was set.
[root@webseal sbin]#

  
Configure a database :

      idscfgdb -I idsldap -a db2inst1 -w passw0rd -t db2ldap -l /home/ldapdb  
  
  
START:

      idsslapd -I idsldap

STOP (the same command with -k stops the directory server instance):  

      idsslapd -I idsldap -k  
  
START directory administration server :  

      idsdiradm -I idsldap  

STOP directory administration server (again with -k):  

      idsdiradm -I idsldap -k  

## AUTOSTART  
 
db2 needs to start first (as db2inst1), then ldap (idsslapd -I idsldap).  
The administration server is already started from /etc/inittab (see GLPICR069I in the idsicrt output above).  
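The start/stop commands and the autostart note above, put together as an added example (my own script, not part of the original notes or of the IBM product): a SysV-style script for CentOS 6 that starts DB2 before the TDS instance, waits until the LDAP port actually answers, and stops them in reverse. It assumes the names used in these notes (db2inst1, idsldap, port 389, /opt/ibm/ldap/V6.3/sbin) and that the `ldapsearch` in PATH accepts `-x`, as the one used later on this page does.

```shell
#!/bin/sh
# Added example, not part of the original notes: minimal SysV-style start/stop
# script for CentOS 6 that starts DB2 before the TDS instance and stops them in
# reverse. Assumed names follow the notes: DB2 instance owner db2inst1, TDS
# instance idsldap on port 389, binaries in /opt/ibm/ldap/V6.3/sbin.
# idsdiradm is not started here: idsicrt already added it to /etc/inittab
# (GLPICR069I in the log above), so init keeps it running.
DB2_OWNER=${DB2_OWNER:-db2inst1}
IDS_INSTANCE=${IDS_INSTANCE:-idsldap}
IDS_SBIN=${IDS_SBIN:-/opt/ibm/ldap/V6.3/sbin}
LDAP_PORT=${LDAP_PORT:-389}

# wait_for SECS CMD...: retry CMD once a second until it succeeds or SECS elapse.
# Returns 0 on success, 1 on timeout, so the caller never reports "started"
# for a server that never began answering.
wait_for() {
    secs=$1; shift
    while [ "$secs" -gt 0 ]; do
        "$@" >/dev/null 2>&1 && return 0
        secs=$((secs - 1))
        sleep 1
    done
    return 1
}

# ldap_ready: anonymous base search of the root DSE, the cheapest liveness probe.
ldap_ready() {
    ldapsearch -x -h localhost -p "$LDAP_PORT" -s base -b "" "objectclass=*"
}

start() {
    # DB2 first: idsslapd cannot open its database without the database manager.
    su - "$DB2_OWNER" -c db2start || { echo "db2start failed" >&2; return 1; }
    "$IDS_SBIN/idsslapd" -I "$IDS_INSTANCE"
    wait_for 60 ldap_ready || { echo "idsslapd not answering on $LDAP_PORT" >&2; return 1; }
}

stop() {
    "$IDS_SBIN/idsslapd" -I "$IDS_INSTANCE" -k
    su - "$DB2_OWNER" -c db2stop
}

case "${1:-}" in
    start)   start ;;
    stop)    stop ;;
    restart) stop; start ;;
    "")      ;;   # no argument: only define the functions (sourcing / testing)
    *)       echo "usage: $0 {start|stop|restart}" >&2; exit 2 ;;
esac
```

Drop it in /etc/init.d and wire it up with chkconfig, or call it from /etc/rc.local; DB2 itself must not be set to start from inittab as well, or the two would race.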
  
 
## Suffix  
  
      idscfgsuf -I idsldap -s o=issc  
  
## Load LDIF  
  
      idsldif2db -i /tmp/issc.ldif -I idsldap  
  
## Logs
 
      cd /home/idsldap/idsslapd-idsldap/logs/  

Now use ldapsearch to check.  
  
      ldapsearch -vx -h 172.16.231.153 -D cn=root -w passw0rd "cn=Tom Bosmans" "*"

Assign rights (administrative roles available for a new LDAP admin):  

  • AuditAdmin  
  • DirDataAdmin  
  • PasswordAdmin  
  • ReplicationAdmin  
  • SchemaAdmin  
  • ServerConfigGroupMember  
  • ServerStartStopAdmin  

## Set Encryption mechanism  
  
To change the type of encryption using the command line, issue the following command (the angle-bracket names are placeholders for the admin DN, its password and the LDIF file):  
  
      idsldapmodify -D <adminDN> -w <adminPW> -i <filename>  
  
where <filename> contains:

      dn: cn=configuration
      changetype: modify
      replace: ibm-slapdPWEncryption
      ibm-slapdPWEncryption: md5

In production, you should use something strong, like aes256; md5 is not good enough in real life.
Here, the ibm-slapdPWEncryption attribute can be assigned any of the following values: none, aes128, aes192, aes256, crypt, sha, ssha, md5, sha224, sha256, sha384, sha512, ssha224, ssha256, ssha384, or ssha512.
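A check for the setting just described, as an added example (my own script, not from the original notes or from IBM): it reads ibm-slapdPWEncryption from cn=configuration and fails unless the value is in an allowed list. The allowed list is this script's own policy (the salted SHA-2 mechanisms), not an IBM default; it assumes the admin DN cn=root and the instance on localhost:389 from these notes, and the `ALLOWED` and `pw_encryption_*` names are mine.

```shell
#!/bin/sh
# Added example, not part of the original notes: verify that the password
# storage mechanism of the TDS instance is an acceptable one. Policy here
# (adjust ALLOWED to your standard): only the salted SHA-2 mechanisms.
# none, crypt, md5 and the unsalted sha* are out; the aes* values are two-way
# encryption in TDS (the server can recover the clear password), so they are
# deliberately not listed either.
ALLOWED="ssha224 ssha256 ssha384 ssha512"

# pw_encryption_value: print the ibm-slapdPWEncryption value from LDIF on stdin
# (attribute name matched case-insensitively, trailing CR/whitespace stripped).
pw_encryption_value() {
    awk -F': ' 'tolower($1) == "ibm-slapdpwencryption" {
        gsub(/[ \t\r]+$/, "", $2); print $2; exit }'
}

# pw_encryption_ok VALUE: 0 if VALUE is in ALLOWED, 1 otherwise (empty = 1).
pw_encryption_ok() {
    for m in $ALLOWED; do
        [ "$1" = "$m" ] && return 0
    done
    return 1
}

# check_server ADMIN_PASSWORD: query the live server (cn=root, localhost:389)
# and report; exits non-zero on a weak or missing setting.
check_server() {
    value=$(ldapsearch -x -h localhost -p 389 -D cn=root -w "$1" -s base \
                -b cn=configuration ibm-slapdPWEncryption | pw_encryption_value)
    if pw_encryption_ok "$value"; then
        echo "ibm-slapdPWEncryption=$value: ok"
    else
        echo "ibm-slapdPWEncryption=${value:-<unset>}: not in policy, change it" >&2
        return 1
    fi
}

# Only query a server when a password is given; otherwise just define functions.
if [ $# -eq 1 ]; then
    check_server "$1"
fi
```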