15 minute read time

Setting up an IDM LDAP-driver to synchronize data between eDirectory and Sun Directory Server Enterprise Edition

by   in Cybersecurity
This article will try to detail the process of setting up a working SSL-encrypted connection with the LDAP-driver to Sun DSEE 6.3 running on Windows. I assume the reader has experience with IDM/eDirectory/iManager. If you are interested what those commands that you find in this document really do I recommend downloading the DSEE documentation set.

The reason I wrote this is because I needed to get a test environment working for the LDAP-driver together with Sun DSEE and I had some trouble trying to set up the SSL part because the LDAP-driver documentation details the steps for the Netscape Directory Server which is what DSEE was called a couple of versions ago. According to Father Ramon in the IDM forum:

“Sun DSEE is rename/derived from Sun Java System Directory, which was rename/derived from Sun One Directory Server, which was renamed rename/derived from iPlanet Directory Server (a collaboration between Sun and Netscape), which was rename/derived from Netscape Directory Server. “

In this example I have a two VMware machines, one is running SLES 10 SP1 with eDirectory 8.8.2 and IDM 3.5.1, it has IP-address, the other one is running Windows Server 2003 with Active Directory and Sun DSEE 6.3 with IP

Now we'll get to the process of setting up the driver, first I had to install the IDM Remote Loader on the Windows machine, I won't detail the install since it's already well documented and mostly consists of clicking Next... After installing the Remote Loader you might want to patch the LDAP-driver with the latest patch from Novell.

In the Remote Loader Console I clicked on Add and created a Remote Loader instance with the following configuration:

Description: SunDSEE
Driver: com.novell.nds.dirxml.driver.ldap.LDAPDriverShim
Config File: C:\Novell\RemoteLoader\SunDSEE-Config.txt
IP Address:
Connection Port – Metadirectory Server: 8090
Command Port – Local host communication only: 8000
Remote Loader Password: Remote
Driver Object Password: Driver
Use an SSL Connection: No
Trace Level: 3
Trace File: C:\Novell\RemoteLoader\SunDSEE-Trace.log
Maximum Disk Space Allowed for all Trace Logs (Mb): 100
Establish a Remote Loader service for this driver instance: Yes

How to install Sun DSEE 6.3 on Windows Server 2003

This part will tell you step by step how to install DSEE on Windows.

Surf to the Sun DSEE download page:


Download Directory Server Enterprise Edition 6.x, version 6.3, Native Package (PKG) for Windows Server 2003.

You will be presented with an option to download the Patch Only Install and the Base Full Install DSEE 6.0, download both because you must first install DSEE 6.0 and then patch it to 6.3.

After downloading and extracting the files run setup.bat from the java_es-5_identsuite-windows-x86 folder.

I selected that I wanted the wizard to configure the Java Enterprise System automatically during installation.

Click to view.

I then had to select the components to install, I chose only the Directory Server Enterprise Edition 6.0:

Click to view.

After the components selection you must enter a password for the Java ES administrator, the password must be at least 8 characters long:

Click to view.

At the end of the installation I de-selected “Click here to start the servers of configured products.” as I didn't want to start any services because I had to patch DSEE to v6.3.

Patching DSEE to v6.3

During this process I had three command line windows open as it made the process easier.

Open a CMD prompt and go to
C:\Program Files\Sun\JavaES5\DSEE\ds6\bin

dsadm.exe stop "C:\Program Files\Sun\JavaES5\DSEE\var\dscc6\dcc\ads"

After that open the task manager and kill the
process. (If it's running)

Open another CMD prompt and go to
C:\Program Files\Sun\JavaES5\share\cacao_2\bin

cacaoadm prepare-uninstall

Now you'll need download some patches and install them.
Surf to the Sun support site:

Download the Sun patch 126910-02 and install it, this is needed to be able to install the other patches.

Download the Sun patch 126183-07 and install it, this will patch “cacao”.
According to the documentation cacao is the "common agent container".

CD to
C:\Program Files\Sun\JavaES5\share\cacao_2


CD back to
C:\Program Files\Sun\JavaES5\share\cacao_2\bin

cacaoadm.bat rebuild-dependencies

Download the patch 125311-07 if you didn't do it in the beginning and install it, this will patch DSEE to v6.3.

Open up another CMD prompt and CD to
C:\Program Files\Sun\JavaES5\DSEE\dscc6\bin

dsccsetup console-unreg

dsccsetup console-reg

In your first CMD window (C:\Program Files\Sun\JavaES5\DSEE\ds6\bin) type:
dsadm.exe start "C:\Program Files\Sun\JavaES5\DSEE\var\dscc6\dcc\ads"

If you get an error that the directory does not exist you can change back to the
C:\Program Files\Sun\JavaES5\DSEE\ds6\bin
directory and run:

dsccsetup.exe initialize

or you can wait and do it later through the web browser.

Back in your
C:\Program Files\Sun\JavaES5\share\cacao_2\bin
directory type:

cacaoadm.bat start

This will start the common container agent.

When the installation has completed open a web browser and surf to:
https://IP of your DSEE server:6789

This will get you to the Java Web Console which you use to access the management tool for the DSEE, the Directory Service Control Center (DSCC), think iManager and you'll get the picture.

Click to view.

You will need to login with a user that has administrative rights to the server OS, in my case Administrator.

Click to view.

Next, click on the DSCC link at the bottom.
If you did not run the "dsccsetup.exe initialize" command then you will be asked to initialize DSCC, enter a password.

A pop up window will open and the DSCC will initialize it's configuration. When it's done click Close and Continue. Now you are in the Control Center which you use to administer DSEE using a GUI. There is also a command line tool called "dsadm".

Click to view.

Click to view.

We are going to click on the Directory Servers tab and then on New Server...
A new window will open where we are going to enter the details of our new DSEE instance.

Click to view.

If you are running another LDAP server on the same machine that uses the default 389/636 port combination you have to enter another port number, in my case 1389 and 1636. The Instance Path is where the database files will be located, it must not exist.

If the server is a AD domain controller you need to enter the Runtime User ID in the following format:

These are the settings I used:

Host: Know Host: <MY SERVERNAME>
LDAP Port: 1389
LDAP Secure Port: 1636
Instance Path: c:\sundsee
Directory Manager DN: cn=Directory Manager
Runtime User ID: <mydomain>\administrator
DSCC Agent Port: Default (11162)

If you get an error when you click next, such as that the DSCC agent could not be contacted do the following:

Open a cmd.exe process on your server where DSEE will be running, and go to:
C:\Program Files\Sun\JavaES5\share\cacao_2\bin

cacoadm status

If you get the following message: default instance is DISABLED at system startup.
default instance is not running.

cacaoadm start

Go back to DSCC and try to click Next again.

You will be asked to accept a default certificate, do it and click Next:

Click to view.

Click to view.

Click to view.

When the installation is complete click on the Suffixes tab in DSCC and then on New Suffix...
This is like creating a new tree in eDirectory (I think...)

Click to view.

In step 2 select “Do Not Replicate Suffix”

In step 2.1 select your server.

In step 3 select Use Default Settings

In step 4 select Use Default Database Location

In step 5 select Initialize by Importing Sample Data (160 entries)

Now that I've created the instance and the suffix I wanted to test connectivity by authenticating using an LDAP browser, I used Apache Directory Studio to connect to my server on the SSL port 1636 with the “cn=Directory Manager” as username, you could say that's the admin user, I also had to specify the base DN, in my case that was the DN of the suffix, o=Atlas.

The next step is to configure the DSEE services to start automatically when Windows starts.

First create an empty text file named
and place it under C:\
Edit it and enter the password of the administrator user, in my case of the domain administrator, IDM360\Administrator. Just the password, nothing else.

Now from the
C:\Program Files\Sun\JavaES5\share\cacao_2\bin
directory run this command:

cacaoadm.bat enable -i default -f c:\password.txt

This will create a new service, in my case it was named Common Agent Container 2 (864cfa27:default) but I was not able to start it.

I had to go to the Domain Controller Security Policy under Administrative Tools on the Control Panel, select Local Policies, User Rights Assignment, Log on as a service and add my user to that list, then I ran the gpupdate command and I was able to start my new service!

Now, to enable the DSEE instance and the DSCC instance to start as a service CD to the
C:\Program Files\Sun\JavaES5\DSEE\ds6\bin

Type the following commands, change c:\sundsee to the path of your installed instance:

dsadm stop c:\sundsee
dsadm enable-service c:\sundsee
dsadm.exe stop "C:\Program Files\Sun\JavaES5\DSEE\var\dscc6\dcc\ads"
dsadm.exe enable-service "C:\Program Files\Sun\JavaES5\DSEE\var\dscc6\dcc\ads"

Now I had two more services:

Directory Server 6.3 (C:/Program Files/Sun/JavaES5/DSEE/var/dscc6/dcc/ads)
Directory Server 6.3 (c:/sundsee)

Enabling the retro changelog which is needed by the LDAP driver:

Type the following command when you are located in the
C:\Program Files\Sun\JavaES5\DSEE\ds6\bin

dsconf set-server-prop -h -P 1636 retro-cl-enabled:on

Restart the directory server using DSCC or the command line.

Next I need to configure the DSEE to accept SSL-connections from the IDM LDAP-driver.

Logon to the DSCC, select Directory Servers, click on the server, in my case IDM36:1389
Click on the Security tab. If you get an error about authentication like I did click on it to update the credentials and type in the username in the format: DOMAIN\USERNAME, in my case: IDM360\Administrator.

Click on the Certificates tab.
We will now generate a new certificate request.

Click on Request CA-Signed, a new window will open.

Click to view.

I just entered the CN as LdapDriverCert and clicked OK.

You'll get a new window with the certificate request:

Click to view.

Select the entire text from -----BEGIN to after the REQUEST and save it to a file such as LdapDriverCertCSR.txt.

Step 2 is to use iManager to issue the certificate using the eDirectory CA.

Logon to iManager, click on Novell Certificate Server > Issue Certificate

In the filename field browse to the LdapDriverCertCSR.txt file.
Click Next.
Select SSL or TLS as key type.
I also selected Extended key type: Any
Click Next.

I selected the certificate type as Certificate Authority and Path length as Unspecified.

Select a validity period and click Next.

Select: Save to: File in Base64 format

Save the file LdapDriverCertCSR.b64 to your computer.

Next go back to DSCC and click on Add next to the Request CA-Signed button.
Enter a certificate name and open the b64 file in a text editor, copy and paste the entire content into the new DSCC window where it says certificate.

Click to view.

Now go back to iManager, switch to the View Objects view, Browse > Security, click on your CA and click Modify Object, click on Certificates, check Self Signed Certificate, click Export, don't export the private key (uncheck it). Select BASE64 format. Click Next.
Save it as TrustedRoot.b64

Now, back again to DSCC, click on the CA Certificates tab, click Add.
A new window will open.
Enter a name that will identify your trees CA certificate. Open your TrustedRoot.b64 and copy and paste the content into the Certificate field.

When you are done it will look something like this:

Click to view.

It will tell you that you need to restart the DSEE service. Do it.

Now click on the Security tab in DSCC and on the General page change the SSL Settings. There is an option called Certificate:, change it from Default Certificate to LdapDriverCert (the name you gave your eDirectory signed certificate.) Click Save, you will get a message telling you to restart the service, do it again.

Now I have to proceed with the step that is labeled “7.6.2 Importing into the Client's Certificate Store” in the LDAP Driver documentation.

It details the steps needed to import the eDirectory trusted root certificate into a keystore that the driver uses.

For this I'm using a Java based GUI tool named KeyTool IUI that can be downloaded from here:

You need to have JRE 1.6 installed to start it, after extracting the ZIP-file I had to edit the
file and remove the REM before
set HOME_JAVA=C:\Program Files\Java\jdk1.6.0\jre\bin\java
and changed the path to the JRE directory installed on my machine:
C:\Program Files\Java\jre1.6.0_07\bin\java
(You'll have to make sure you enter the path on YOUR machine)

After starting the program click on Create > Keystore

Click to view.

Click on the disk icon and browse to the directory where you want to store the keystore. I chose to store it under

The click on the Keystore password icon and enter a password for the keystore. I chose changeit

Now we have to import the trusted root certificate, I had to rename my .B64 file containing the trusted root to .PEM

In KeyTool IUI go to
Import > Keystore's entry > Trusted Certificate > Regular certificate

Under Source browse for the .PEM file, under Target browse for the Keystore file and enter the password for the keystore.

Click to view.

You'll be asked to enter an alias for the certificate and then you'll have to confirm that you trust it.

When you're done it should look something like this:

Click to view.

Configuring the LDAP driver in Designer

I assume you know how to use Designer to configure a driver, this is the configuration I used:

The configuration is pretty straight forward, I entered the following data:

Driver name: LDAP
Placement Type: Mirror
eDirectory Container: Sun
LDAP Container: O=atlas
LDAP Server: : 1636
LDAP Authentication DN: cn=Directory Manager
Use SSL: Yes
Configure Data Flow: Bi-Directional
Driver is Local/Remote: Remote
Remote Host Name and Port: : 8900
Driver Password: Driver
Remote Password: Remote
Keystore Path: C:\Novell\RemoteLoader\ldapdriver.jks
Use SSL Mutual Authentication: No
Polling Interval in Seconds: 20
Publication Method: Changelog
Entries to Process on Startup: Previously unprocessed
Changelog Max Batch Size: 1000

After deploying the driver and setting the security equivalence my driver started nicely. If you have any problems raise the trace level on the Remote Loader to see what's happening when it tries to connect.

Now we have the driver running and syncing BUT what if I don't want to use the eDirectory generated certificate for my Sun DSEE server? What if I want to use DSEE own certificate?
Well, I'll explain how to accomplish that too.

Using DSEE certificates in the driver instead of the eDirectory certificates

Download OpenSSL Light from here and install it:

You may also need to install the Visual C 2008 runtime from here:


We are going to use openssl.exe to extract the public key from the DSEE certificate since I don't know how to export just the public key (tips are welcome).

Now we are going to export the Sun DSEE default certificate, yes more import/export...

In DSCC, Security, Certificates, check Default Certificate (or the one you want to use), More Certificate Actions, Export
My Export Path was: C:\suncert
You'll be asked to set a PKCS#12 password.

Now you have a PKCS12 file that contains both the private and the public key.

In DSCC, Security > General > Certificate: change back from LdapDriverCert (or whatever you named your eDirectory generated certificate) to Default Certificate or another cert. you want to use. Save and restart the DSEE service.

After that we run the command:
openssl pkcs12 -in c:\suncert -out sunpublickey.pem -clcerts -nokeys

This command extracts the public key from our DSEE certificate.

Now open that .PEM file in a text editor and remove everything from the beginning so you just have something that begins with -----BEGIN CERTIFICATE----- and so on. Save the file. Now use KeyTool IUI to import the .PEM file into our keystore file (Import > Keystore's entry > Trusted Certificate > Regular Certificate).

When you're done restart the driver to test if it works as it should.

So there you have it, how to set up your own test environment instance of Sun DSEE and configure the IDM LDAP-driver for SSL communications in two ways, with the eDirectory generated certificate or with the DSEE generated certificate.

Remember, if you are running the remote loader as I am there are two connections that you may need to secure, the one from IDM to the Remote Loader, you can activate SSL on that too and it's really easy. Then there is the connection from the driver shim and the LDAP server which what this document is about.