idsicrt
Use the idsicrt command to create a directory server instance.
Description
The idsicrt command
can be run only by root on AIX®, Linux®, or Solaris systems, or a
member of the Administrator group on Windows systems.
The administrator specifies a directory server instance name and optionally can specify the port, secure port, administration server port, and administration server secure port. If these ports are not specified, the first available port pair of the form #389 and #636 is selected for the directory server port and secure port, where # takes values from 1 to 65. For the administration server, ports in the range 3538 - 65535 are selected. The -e parameter is optional; however, an encryption seed is required, and if you do not supply one you are prompted for a value. On Windows, the administrator must specify the location to store the directory server instance. On AIX, Linux, or Solaris systems, specifying the location is optional.
If an operating system user corresponding to the instance does not exist, the idsicrt command creates the user by internally issuing the idsadduser command. To create a user, you must provide the primary group name to associate with the user by using the -G parameter. The values for the -u, -w, and -g parameters of idsadduser are taken from the values of the -I, -w, and -G parameters of idsicrt.
If the operating system user exists and the parameter values are specified, you can run idsicrt in prompt mode or in no prompt mode. In no prompt mode, the properties of the existing user are overwritten.
If the DB2 security groups DB2ADMNS and DB2GROUPS are created on the system, an instance owner created by using idsicrt must be a member of the DB2 security groups. If the idsicrt command is used with the -w parameter, the instance owner is added as a member of the DB2 security groups. If the -w parameter is not used, you must manually add the instance owner as a member of the DB2 security groups.
By default, the DB2 database instance name (the DB2 database instance owner) is assumed to be the same as the directory server instance name. You can override the DB2 instance name by using the -t parameter, provided that a DB2 instance owner ID with that name exists on the operating system.
If a DB2 database instance of that name exists on the system, that DB2 instance is used. However, if the DB2 database instance is already in use by another directory server instance, the command fails. To verify whether a DB2 instance name is in use, check the directory server instance repository and then check the configuration file of each directory server instance.
By default, the directory server instance listens on all available IP addresses.
If you are creating a directory server instance that must be cryptographically synchronized with an existing instance, you must synchronize the encryption keys of the instances. You must synchronize before you do any of the following steps, because these steps cause the directory server instance to generate its server encryption keys.
- Start the second server instance.
- Run the idsbulkload command from the second server instance.
- Run the idsldif2db command from the second server instance.
Synopsis
idsicrt [-I instance_name [-e encrypt_seed] [-g encrypt_salt] [-p port] [-s secureport]
[-a admin_port] [-c admin_secureport] [-t db_instance] [-C]
[-i ipaddress] [-l inst_location] [-r description]
[-d debug_level] [-b output_file] [-G group_name]
[-w user_password] [-q] [-n] [-x]] | -v | -?
Options
The idsicrt command takes the following parameters.
- -a admin_port
- Specifies the port that the administration server associated with a directory server instance listens on. Specify a port number greater than 0 and less than 65535. The port must not conflict with ports that are used by other applications or by the operating system, and must not be in use by another directory server instance that is bound to the same host name or IP address.
- -b outputfile
- Specifies the full path of a file to redirect console output. If you use this parameter with the -q parameter, errors are sent to the outputfile file. If debug mode is set, then the debug output is sent to this file.
- -c admin_secureport
- Specifies the secure port that the administration server associated with a directory server instance listens on. Specify a port number greater than 0 and less than 65535. The port must not conflict with ports that are used by other applications or by the operating system, and must not be in use by another directory server instance that is bound to the same host name or IP address.
- -C
- Specifies to configure a database instance for an existing directory server instance.
- -d debuglevel
- Sets the LDAP debug level to debuglevel. If you specify this parameter, the command sends the debug output to stdout. The debuglevel value is a bit mask that controls which output is generated with values from 1 to 65535. For more information about debug levels, see Debugging levels.
- -e encrypt_seed
- Specifies the encryption seed to use for creating the key stash
files for a directory server instance. This parameter is required
if you use the -n parameter. If this parameter
is not specified, you are prompted for an encryption seed. The encryption
seed must contain only printable
ISO-8859–1 ASCII
characters with values in the range of 33 to 126. The encryption seed must be a minimum of 12 and a maximum of 1016 characters in length. For more information about the characters that can be used, seeASCII characters from 33 to 126. - -g encrypt_salt
- Specifies the encryption salt value. If you want to use replication, use a distributed directory, or import and export LDIF data between server instances, providing an encryption salt value is useful. Two interacting directory server instances perform better if they have the same encryption salt value. If this parameter is not specified, the command generates a random salt value.
- -G group_name
- Specifies the name of the primary group of the user. This parameter is valid only on AIX, Linux, and Solaris systems and is required on these systems if you want to create the user.
- -i ipaddress
- Specifies the IP address of the system to which the directory server instance binds. If more than one IP address is specified, the comma separator must be used with no spaces. Spaces are allowed only if the entire argument is surrounded by quotation marks. To use all available IP addresses, use the keyword all. All available IP addresses is the default setting if you do not specify the -i parameter.
- -I instancename
- Specifies the name of the directory server instance to create. The instance name must be a user ID on the system (if the user does not exist, the command creates it; see the -G and -w parameters) and must not be longer than eight characters.
- -l instancelocation
- Specifies the location to store the configuration files and logs of a directory server instance. On Windows systems, this parameter is required and a drive letter must be specified. This location must have a minimum of 30 MB of free space. More disk space must be available to accommodate growth as the directory server log files increase.
- -n
- Specifies to run in no prompt mode. All output from the command is generated, except for messages that require user interaction.
- -p port
- Specifies the port that the directory server instance listens on. Specify a port number greater than 0 and less than 65535. The port must not conflict with ports that are used by other applications or by the operating system, and must not be in use by another directory server instance that is bound to the same host name or IP address.
- -q
- Specifies to run in quiet mode. All output from the command is suppressed, except for error messages. If you also specify the -d parameter, then the trace output is not suppressed.
- -r description
- Specifies a description of the directory server instance.
- -s secureport
- Specifies the secure port that the directory server instance listens on. Specify a port number greater than 0 and less than 65535. The port must not conflict with ports that are used by other applications or by the operating system, and must not be in use by another directory server instance that is bound to the same host name or IP address.
- -t db2instance
- Specifies the DB2 database instance name. The database instance name is also the DB2 instance owner ID. By default, the database instance name is assumed to be the same as the directory server instance owner ID.
- -v
- Specifies to show the version information of the command.
- -w user_password
- Specifies the password of the user. This parameter is required if you want to create the user.
- -x
- Creates a proxy directory server instance. If this parameter is not specified, then a full directory server instance with a DB2 instance is created.
- -?
- Specifies to show the syntax format.
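The following pre-flight script is an added example and is not part of the idsicrt reference or of the product. It encodes the rules stated on this page for -I (at most eight characters), for -e (12 to 1016 characters, ASCII 33 to 126 only) and for the default port selection (the first free #389/#636 pair with # from 1 to 65), so that a bad value is caught before idsicrt runs or hangs at the seed prompt in an unattended install. The function names, the use of ss(8) to detect listeners, and the sample values are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not part of the idsicrt reference or of the product: a
# pre-flight script that encodes the rules stated on this page for -I, -e
# and the default port selection, so a bad value is caught before idsicrt
# runs (or hangs at the seed prompt in an unattended install).

# check_instance_name NAME -> 0 if NAME is 1 to 8 characters, the -I limit.
check_instance_name() {
    [ -n "$1" ] && [ "${#1}" -le 8 ]
}

# validate_seed SEED -> 0 if SEED meets the -e rules: only printable ASCII
# 33..126 (so no spaces, control or non-ASCII characters) and 12..1016
# characters long.
validate_seed() {
    # tr deletes every byte in 33..126; anything that survives is illegal.
    # The trailing x stops command substitution from eating a stray newline.
    rest=$(printf '%s' "$1" | LC_ALL=C tr -d '!-~'; printf 'x')
    [ "$rest" = "x" ] || return 1
    [ "${#1}" -ge 12 ] && [ "${#1}" -le 1016 ]
}

# port_in_use PORT -> 0 if a TCP listener is already bound on PORT.
# Assumes ss(8) from iproute2 (Linux); on AIX or Solaris substitute
# netstat -an. Override this function to test the selection logic
# without touching real sockets.
port_in_use() {
    ss -Hltn "sport = :$1" 2>/dev/null | grep -q .
}

# first_free_pair -> prints "PORT SECUREPORT" for the first free #389/#636
# pair with # from 1 to 65, the default scheme this page describes when -p
# and -s are omitted. 65636 is above the port range, so # = 65 never yields
# a usable pair. Returns 1 if every pair is taken.
first_free_pair() {
    n=1
    while [ "$n" -le 65 ]; do
        p="${n}389"
        s="${n}636"
        if [ "$s" -le 65535 ] && ! port_in_use "$p" && ! port_in_use "$s"; then
            printf '%s %s\n' "$p" "$s"
            return 0
        fi
        n=$((n + 1))
    done
    return 1
}

# preflight NAME SEED [SALT] -> validates the inputs, selects the port pair
# and prints the idsicrt command line it would run. It does not run it:
# review the line, then run it as root (or an Administrator on Windows).
preflight() {
    name=$1
    seed=$2
    salt=$3
    check_instance_name "$name" || {
        echo "instance name must be 1 to 8 characters" >&2; return 1; }
    validate_seed "$seed" || {
        echo "seed must be 12 to 1016 printable ASCII (33-126) characters" >&2; return 1; }
    pair=$(first_free_pair) || { echo "no free #389/#636 port pair" >&2; return 1; }
    set -- $pair
    cmd="idsicrt -I $name -p $1 -s $2 -e $seed"
    # The salt is passed through unchecked; omit it and idsicrt generates one.
    if [ -n "$salt" ]; then
        cmd="$cmd -g $salt"
    fi
    printf '%s\n' "$cmd"
}

# usage: . ./preflight.sh; preflight myinst 'mysecretkey!' mysecretsalt
```

The printed line carries the seed in -e, which is what an unattended -n run needs, but it also means the seed is visible in the process list while idsicrt runs and is kept in shell history if you paste it interactively; for an interactive install, drop -e from the printed line and let idsicrt prompt instead. The port probe only sees listeners on the local host, so it does not detect a port that another directory server instance bound to a different IP address has reserved; check that instance's configuration as the description above requires.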
Examples
- Example 1:
- To create a directory server instance, with the following details
run the idsicrt command.
- Instance name: myinst
- Port: 389
- Secure port: 636
- Encryption seed: mysecretkey!
- Encryption salt: mysecretsalt
- DB2 instance: myinst (the default, so -t is not needed)
idsicrt -I myinst -p 389 -s 636 -e mysecretkey! -g mysecretsalt
- Example 2:
- To create an instance that binds to a particular IP address, run
the following command:
idsicrt -I myinst -p 389 -s 636 -e mysecretkey! -g mysecretsalt -i 192.0.2.10
- Example 3:
- To create a directory server instance with the following details,
run the idsicrt command. In this example, the command
randomly generates an encryption salt value.
- Instance name: myinst
- Port: 389
- Secure port: 636
- Encryption seed: mysecretkey!
- DB2 instance: mydbin
idsicrt -I myinst -p 389 -s 636 -e mysecretkey! -t mydbin
- Example 4:
- To create an instance when the corresponding operating system
user does not exist, run the following command:
idsicrt -I instance_name -e encryptionseed -l instlocation -G group_name -w password