A directory server provides a centralized directory service for your organization. It is alternative to windows active directory. This post will describes how to install and configure 389 LDAP Directory Server with a basic Lightweight Directory Access Protocol (LDAP) directory implementation. 389 Directory Server was formerly known as the Fedora Directory Server and it is an enterprise-class open source LDAP. 389 Directory server has been developed by Red Hat, as part of Red Hat’s community-supported Fedora Project.
Steps to Install and Configure 389 LDAP Directory Server
TCP and Files system Tuning :
a) Decrease the time default value for tcp_keepalive_time connection. Edit the /etc/sysctl.conf file and add the following lines to the bottom of sysctl.conf ”
[root@ldap ~]# echo "net.ipv4.tcp_keepalive_time = 300" >> /etc/sysctl.conf b) Increase number of local system ports available by editing this parameter in the /etc/sysctl.conf file :
[root@ldap ~]# echo "net.ipv4.ip_local_port_range = 1024 65000" >> /etc/sysctl.conf
c) Increase the file descriptors by running these commands:
[root@ldap ~]# echo "64000" > /proc/sys/fs/file-max [root@ldap-05 ~]# echo "fs.file-max = 64000" >> /etc/sysctl.conf
d) Increase ulimit in /etc/profile :
[root@ldap ~]# echo "ulimit -n 8192" >> /etc/profile
389 Installation :
1. Prepare EPEL Repository on CentOS 6 :
How to Prepare EPEL Repository on CentOS 6
What packages and versions are available in EPEL?
You can take a look on any of the available EPEL mirrors from our mirror list
Alternately, you can browse the package set using repoview:
2. Configure hostname, FQDN and host file has been configured correctly :
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 192.168.0.5 ldap.ehowstuff.local
3. Make sure selinux is disabled :
Disable SELinux on CentOS 6.5
4. Install the 389 Directory Server packages :
[root@ldap ~]# yum install 389-ds -y
5. Fix Error: command ‘getsebool httpd_can_connect_ldap’ failed – output [getsebool: SELinux is disabled :
[root@ldap ~]# mkdir ~/bin [root@ldap ~]# vi ~/bin/getsebool
#!/bin/sh echo on exit 0
[root@ldap ~]# vi ~/bin/setsebool
#!/bin/sh exit 0
[root@ldap ~]# chmod +x ~/bin/*sebool
6. Run setup script to start configure the ldap service :
[root@ldap ~]# PATH=~/bin:$PATH setup-ds-admin.pl ============================================================================== This program will set up the 389 Directory and Administration Servers. It is recommended that you have "root" privilege to set up the software. Tips for using this program: - Press "Enter" to choose the default and go to the next screen - Type "Control-B" then "Enter" to go back to the previous screen - Type "Control-C" to cancel the setup program Would you like to continue with set up? [yes]: ============================================================================== Your system has been scanned for potential problems, missing patches, etc. The following output is a report of the items found that need to be addressed before running this software in a production environment. 389 Directory Server system tuning analysis version 23-FEBRUARY-2012. NOTICE : System is x86_64-unknown-linux2.6.32-431.el6.x86_64 (1 processor). Would you like to continue? [yes]: ============================================================================== Choose a setup type: 1. Express Allows you to quickly set up the servers using the most common options and pre-defined defaults. Useful for quick evaluation of the products. 2. Typical Allows you to specify common defaults and options. 3. Custom Allows you to specify more advanced options. This is recommended for experienced server administrators only. To accept the default shown in brackets, press the Enter key. Choose a setup type [2]: ============================================================================== Enter the fully qualified domain name of the computer on which you're setting up server software. Using the form . Example: eros.example.com. To accept the default shown in brackets, press the Enter key. Warning: This step may take a few minutes if your DNS servers can not be reached or if DNS is not configured correctly. If you would rather not wait, hit Ctrl-C and run this program again with the following command line option to specify the hostname: General.FullMachineName=your.hostname.domain.name Computer name [ldap.ehowstuff.local]: WARNING: There are problems with the hostname. Hostname 'ldap.ehowstuff.local' is valid, but none of the IP addresses resolve back to ldap.ehowstuff.local - address 192.168.0.5 resolves to host centos6.5.ehowstuff.local Please check the spelling of the hostname and/or your network configuration. If you proceed with this hostname, you may encounter problems. Do you want to proceed with hostname 'ldap.ehowstuff.local'? [no]: yes ============================================================================== The servers must run as a specific user in a specific group. It is strongly recommended that this user should have no privileges on the computer (i.e. a non-root user). The setup procedure will give this user/group some permissions in specific paths/files to perform server-specific operations. If you have not yet created a user and group for the servers, create this user and group using your native operating system utilities. System User [nobody]: System Group [nobody]: ============================================================================== Server information is stored in the configuration directory server. This information is used by the console and administration server to configure and manage your servers. If you have already set up a configuration directory server, you should register any servers you set up or create with the configuration server. To do so, the following information about the configuration server is required: the fully qualified host name of the form .(e.g. hostname.example.com), the port number (default 389), the suffix, the DN and password of a user having permission to write the configuration information, usually the configuration directory administrator, and if you are using security (TLS/SSL). If you are using TLS/SSL, specify the TLS/SSL (LDAPS) port number (default 636) instead of the regular LDAP port number, and provide the CA certificate (in PEM/ASCII format). If you do not yet have a configuration directory server, enter 'No' to be prompted to set up one. Do you want to register this software with an existing configuration directory server? [no]: ============================================================================== Please enter the administrator ID for the configuration directory server. This is the ID typically used to log in to the console. You will also be prompted for the password. Configuration directory server administrator ID [admin]: Password: Password (confirm): ============================================================================== The information stored in the configuration directory server can be separated into different Administration Domains. If you are managing multiple software releases at the same time, or managing information about multiple domains, you may use the Administration Domain to keep them separate. If you are not using administrative domains, press Enter to select the default. Otherwise, enter some descriptive, unique name for the administration domain, such as the name of the organization responsible for managing the domain. Administration Domain [ehowstuff.local]: ============================================================================== The standard directory server network port number is 389. However, if you are not logged as the superuser, or port 389 is in use, the default value will be a random unused port number greater than 1024. If you want to use port 389, make sure that you are logged in as the superuser, that port 389 is not in use. Directory server network port [389]: ============================================================================== Each instance of a directory server requires a unique identifier. This identifier is used to name the various instance specific files and directories in the file system, as well as for other uses as a server instance identifier. Directory server identifier [ldap]: ============================================================================== The suffix is the root of your directory tree. The suffix must be a valid DN. It is recommended that you use the dc=domaincomponent suffix convention. For example, if your domain is example.com, you should use dc=example,dc=com for your suffix. Setup will create this initial suffix for you, but you may have more than one suffix. Use the directory server utilities to create additional suffixes. Suffix [dc=ehowstuff, dc=local]: ============================================================================== Certain directory server operations require an administrative user. This user is referred to as the Directory Manager and typically has a bind Distinguished Name (DN) of cn=Directory Manager. You will also be prompted for the password for this user. The password must be at least 8 characters long, and contain no spaces. Press Control-B or type the word "back", then Enter to back up and start over. Directory Manager DN [cn=Directory Manager]: Password: Password (confirm): ============================================================================== The Administration Server is separate from any of your web or application servers since it listens to a different port and access to it is restricted. Pick a port number between 1024 and 65535 to run your Administration Server on. You should NOT use a port number which you plan to run a web or application server on, rather, select a number which you will remember and which will not be used for anything else. Administration port [9830]: ============================================================================== The interactive phase is complete. The script will now set up your servers. Enter No or go Back if you want to change something. Are you ready to set up your servers? [yes]: Creating directory server . . . Warning: Hostname ldap.ehowstuff.local is valid, but none of the IP addresses resolve back to ldap.ehowstuff.local address 192.168.0.5 resolves to host centos6.5.ehowstuff.local Your new DS instance 'ldap' was successfully created. Creating the configuration directory server . . . Beginning Admin Server reconfiguration . . . Creating Admin Server files and directories . . . Updating adm.conf . . . Updating admpw . . . Registering admin server with the configuration directory server . . . Updating adm.conf with information from configuration directory server . . . Updating the configuration for the httpd engine . . . Starting admin server . . . output: Starting dirsrv-admin: output: [ OK ] The admin server was successfully started. Admin server was successfully reconfigured and started. Exiting . . . Log file is '/tmp/setupGwS8hs.log'
7. Start dirsrv and dirsrv-admin service :
[root@ldap ~]# /etc/init.d/dirsrv start [root@ldap ~]# /etc/init.d/dirsrv-admin start
8. Make dirsrv and dirsrv-admin service auto start at boot :
[root@ldap ~]# chkconfig dirsrv on [root@ldap ~]# chkconfig dirsrv-admin on
9. Configure Iptables to allow server listen on port 22, 389 and 9830 :
# Firewall configuration written by system-config-firewall # Manual customization of this file is not recommended. *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 9830 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT
Restart iptables to take effect the changes :
[root@ldap ~]# service iptables restart iptables: Applying firewall rules: [ OK ]
10. Verify port listen by the server using netstat :
[root@ldap ~]# netstat -plunt | grep LISTEN tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1083/rpcbind tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 1125/perl tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1116/sshd tcp 0 0 0.0.0.0:9830 0.0.0.0:* LISTEN 1508/httpd.worker tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 1126/php-fpm tcp 0 0 :::8140 :::* LISTEN 1161/httpd tcp 0 0 :::111 :::* LISTEN 1083/rpcbind tcp 0 0 :::80 :::* LISTEN 1161/httpd tcp 0 0 :::22 :::* LISTEN 1116/sshd tcp 0 0 :::443 :::* LISTEN 1161/httpd tcp 0 0 :::8443 :::* LISTEN 1161/httpd tcp 0 0 :::389 :::* LISTEN 1391/./ns-slapd
11. Verify port listen by the server and opened by iptables firewall :
[root@ldap ~]# iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:389 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:9830 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT) target prot opt source destination
2 Comments
Fantastic how-to !
Very usefull. Many thanks.
Welcome..