Tuesday, February 15, 2011

Running DSCC as Non-root User

A student in a recent class complained that he could not start or stop Directory Servers (DS) or read the logs using the Directory Server Control Center (DSCC). After a few more questions, it became obvious that he did not have root access to that machine.

Background: Sun Directory Server Enterprise Edition 6.3 and 7.0 as well as the re-branded Oracle Directory Server Enterprise Edition 11gR1 come with two sets of administrative tools, the command-line tools and the Web-based DSCC. Users authenticate to the DSCC using accounts stored in the DSCC Registry directory server (default: port 3998). However, when the admin tries to execute certain operations, they are challenged for the authentication of the owner of the DS process. In this student's example, the process was owned by root, the student could not provide the root authentication and so could not execute the particular operation.

To avoid this issue, on a new installation create a service account and service group; assume they are "dsuser" and "dsgroup". To run the DSCC as a non-root user, you need to make sure that a) the installation directory and all of its files and subdirectories are owned by dsuser and dsgroup, b) the instance directory and all of its files and subdirectories are owned by dsuser and dsgroup, and c) the DSCC Registry DS is installed using dsuser. (Depending on which brand of web container you are using, you MAY need to make ownership adjustments on the dscc.war file and/or its deployment. I usually use Tomcat and have seen no ownership issues.)

Step c above is often done as part of executing the "dsccsetup initialize" command. However, this command can only be run as root. So, instead of running this command, run the individual commands called by initialize, remembering to run the "dsccsetup ads-create" command as dsuser (Step 2 in the following documentation):

http://download.oracle.com/docs/cd/E19424-01/820-4807/deploy-war/index.html

Remember, any LDIF file you intend to import using the DSCC must be readable by dsuser and/or dsgroup!
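The ownership requirements in steps a) to c) above and the LDIF readability note are easy to get partly wrong on a real box (one file left owned by root after an upgrade is enough to break a start or a log view). The pre-flight script below is an added example, not part of the original post or of the DSEE product: it walks each tree, reports every entry not owned by the service account, and lists LDIF files the current process cannot read. The directory paths in the usage comment (DSEE_HOME, the instance directory, the DSCC Registry directory) are placeholders; dsuser and dsgroup are the names from the post.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight ownership audit before
# starting DSCC as a non-root service account.
# Assumptions: GNU stat (-c); on BSD/macOS replace with: stat -f '%Su %Sg %N'.
# Placeholder paths such as /opt/dsee7 and /local/dsInst are illustrative only.

# Print every path under $1 whose owner or group differs from $2:$3, one per line.
dscc_owner_mismatches() {
    dir=$1; user=$2; group=$3
    find "$dir" -exec stat -c '%U %G %n' {} + |
        awk -v u="$user" -v g="$group" \
            '$1 != u || $2 != g { sub(/^[^ ]+ [^ ]+ /, ""); print }'
}

# Number of mismatching entries under $1 (0 means the whole tree is owned by $2:$3).
dscc_owner_violation_count() {
    dscc_owner_mismatches "$1" "$2" "$3" | wc -l | tr -d ' '
}

# List *.ldif files under $1 that the current process cannot read.
# Run this as dsuser: the post warns that DSCC imports fail when dsuser cannot read the file.
dscc_unreadable_ldif() {
    find "$1" -name '*.ldif' -type f | while IFS= read -r f; do
        [ -r "$f" ] || printf '%s\n' "$f"
    done
}

# Check every tree given after user and group; return 0 only if all are fully owned.
# Usage: dscc_preflight dsuser dsgroup /opt/dsee7 /local/dsInst /var/dscc-ads
dscc_preflight() {
    user=$1; group=$2; rc=0
    shift 2
    for d in "$@"; do
        n=$(dscc_owner_violation_count "$d" "$user" "$group")
        if [ "$n" -ne 0 ]; then
            echo "ownership: $n entries under $d not owned by $user:$group" >&2
            dscc_owner_mismatches "$d" "$user" "$group" >&2
            rc=1
        fi
    done
    return $rc
}

# One-time fix for a tree that failed the check (requires root or the current owner):
#   chown -R dsuser:dsgroup /opt/dsee7 /local/dsInst
```

Run `dscc_preflight` as dsuser against the installation directory, every instance directory and the DSCC Registry directory before starting the web container; a non-zero exit with the offending paths on stderr tells you exactly what still needs a `chown` (or, for the registry, a re-run of `dsccsetup ads-create` as dsuser).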
