How to Start, Stop and Restart 389 Directory Server on CentOS 6.2

This post shows how to start, stop, restart and check the status of the dirsrv service for 389 Directory Server on a CentOS 6.2 server, installed from the EPEL repository. 389 Directory Server is an enterprise-class open source LDAP server for Linux, derived from Fedora Directory Server. It assumes that 389 Directory Server is already installed and properly configured on the CentOS 6.2 host.

The dirsrv init script accepts the following arguments; the optional instance-name restricts the action to a single instance when more than one is configured :

Usage: /etc/init.d/dirsrv {start|stop|status|restart|condrestart} [instance-name]

How to start 389 Directory Server :

[root@centos62 ~]# /etc/init.d/dirsrv start
Starting dirsrv:
    centos62...                                            [  OK  ]

How to stop 389 Directory Server :

[root@centos62 ~]# /etc/init.d/dirsrv stop
Shutting down dirsrv:
    centos62...                                            [  OK  ]

How to restart 389 Directory Server :

[root@centos62 ~]# /etc/init.d/dirsrv restart
Shutting down dirsrv:
    centos62...                                            [  OK  ]

How to check the status of 389 Directory Server :

[root@centos62 ~]# /etc/init.d/dirsrv status
dirsrv centos62 (pid 1296) is running...

How to Tune 389 Directory Server on CentOS 6.2

This post shows how to tune a CentOS 6.2 server running 389 Directory Server installed from the EPEL repository. 389 Directory Server is an enterprise-class open source LDAP server for Linux, derived from Fedora Directory Server. Before configuring the directory it is worth adjusting a few performance-related kernel and process limits; the steps below raise the TCP and file-descriptor limits and make sure the server has enough memory. Settings written to /etc/sysctl.conf take effect at the next boot, or immediately after running sysctl -p.

1. Perform TCP Tuning :

a) Lower the default tcp_keepalive_time so that idle, dead client connections are detected and closed sooner. Edit /etc/sysctl.conf and add the following lines at the bottom :

[root@centos62 ~]# vi /etc/sysctl.conf
#Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 300

b) Widen the range of local ports available for outbound connections by adding this parameter to /etc/sysctl.conf :

[root@centos62 ~]# echo "net.ipv4.ip_local_port_range = 1024 65000" >> /etc/sysctl.conf

Show changes :

[root@centos62 ~]# cat /etc/sysctl.conf | grep net.ipv4.ip_local_port_range
net.ipv4.ip_local_port_range = 1024 65000

2. Perform File Tuning :

a) Increase the system-wide file descriptor limit. Writing to /proc/sys takes effect at once but is lost at reboot :

[root@centos62 ~]# echo "64000" > /proc/sys/fs/file-max

Show changes :

[root@centos62 ~]# cat /proc/sys/fs/file-max
64000

or, to make it persistent across reboots, add it to /etc/sysctl.conf instead (applied at boot or with sysctl -p). Note that the per-process nofile value set in step c) is larger than this system-wide limit; a single process can never open more than fs.file-max files, so raise fs.file-max as well if you really expect that many :

[root@centos62 ~]# echo "fs.file-max = 64000" >> /etc/sysctl.conf

Show changes :

[root@centos62 ~]# cat /etc/sysctl.conf | grep fs.file-max
fs.file-max = 64000

b) Append a default per-process limit for login shells to /etc/profile. This only affects interactive shells, not the dirsrv daemon started by init (step 3 covers that), and it must not exceed the hard limit from step c), otherwise non-root logins will print an error from ulimit :

[root@centos62 ~]# echo "ulimit -n 8192" >> /etc/profile

Show changes :

[root@centos62 ~]# cat /etc/profile | grep ulimit
ulimit -n 8192

c) Raise the PAM limits in /etc/security/limits.conf by adding two lines at the bottom. The * wildcard does not apply to root, which does not matter here because the init script runs as root and raises its own limit :

[root@centos62 ~]# vi /etc/security/limits.conf
# End of file
* soft nofile 524288
* hard nofile 524288

3. Directory Server Tuning :

a) Edit /etc/sysconfig/dirsrv and uncomment “ulimit -n 8192”. This file is sourced by the init script, so this is the setting that actually raises the descriptor limit for the ns-slapd process :

[root@centos62 ~]# cat /etc/sysconfig/dirsrv | grep ulimit
# hard limits are raised, then use ulimit - uncomment
# ulimit -n 8192

Edit as below :

[root@centos62 ~]# vi /etc/sysconfig/dirsrv
# In order to make more file descriptors available
# to the directory server, first make sure the system
# hard limits are raised, then use ulimit - uncomment
# out the following line and change the value to the
# desired value
ulimit -n 8192

4. Sufficient Memory :

Make sure the server has at least 1024 MB of physical memory assigned before going further; on a virtual machine, increase the allocation now rather than after the directory is populated.
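As an added example that is not part of the original post, the script below applies the /etc/sysctl.conf changes from steps 1 and 2 a) idempotently (the “echo >>” commands above append a duplicate entry every time they are run) and then verifies the values. It takes the file path as an argument so it can be tried on a scratch copy first; the function names, the TUNING_SPECS list and the scratch-file usage are this example's own assumptions, and on the real host you would point it at /etc/sysctl.conf and run sysctl -p afterwards.

```bash
#!/bin/bash
# Added example (not from the original post). Idempotent sysctl tuning for the
# values recommended above, plus a verification pass. Functions take the config
# file path as an argument; on a live CentOS 6 host use /etc/sysctl.conf and
# finish with "sysctl -p" so the kernel picks the values up without a reboot.

# Expected key=value pairs from the tuning steps (constructed list, edit to taste).
TUNING_SPECS=(
    "net.ipv4.tcp_keepalive_time=300"
    "net.ipv4.ip_local_port_range=1024 65000"
    "fs.file-max=64000"
)

# set_sysctl_key FILE KEY VALUE
# Rewrite an existing (possibly commented-out) "KEY = ..." line in place, or
# append one. Running it twice therefore never produces duplicate entries.
set_sysctl_key() {
    local file=$1 key=$2 value=$3 re
    re=$(printf '%s' "$key" | sed 's/\./\\./g')      # literal dots in the regex
    if grep -Eq "^[#[:space:]]*${re}[[:space:]]*=" "$file"; then
        sed -i -E "s|^[#[:space:]]*${re}[[:space:]]*=.*|${key} = ${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sysctl_key FILE KEY -> prints the effective value (last uncommented match,
# which is how sysctl -p resolves duplicates), or nothing if the key is unset.
get_sysctl_key() {
    awk -v k="$2" -F'=' '
        $1 !~ /^[[:space:]]*#/ {
            key = $1; gsub(/[[:space:]]/, "", key)
            if (key == k) { v = $2; sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v) }
        }
        END { if (v != "") print v }' "$1"
}

# apply_tuning FILE -> set every key from TUNING_SPECS
apply_tuning() {
    local spec
    for spec in "${TUNING_SPECS[@]}"; do
        set_sysctl_key "$1" "${spec%%=*}" "${spec#*=}"
    done
}

# check_tuning FILE -> 0 if every key has the expected value, 1 otherwise
check_tuning() {
    local spec key want have rc=0
    for spec in "${TUNING_SPECS[@]}"; do
        key=${spec%%=*}; want=${spec#*=}
        have=$(get_sysctl_key "$1" "$key")
        if [ "$have" = "$want" ]; then
            echo "ok    $key = $have"
        else
            echo "FAIL  $key = '${have:-<unset>}' (want '$want')"
            rc=1
        fi
    done
    return $rc
}

# Usage on a scratch copy:
#   cp /etc/sysctl.conf /tmp/sysctl.conf && ./tune.sh /tmp/sysctl.conf
if [ -n "${1:-}" ]; then
    apply_tuning "$1" && check_tuning "$1"
fi
```

The verification step reads the file rather than the running kernel on purpose: it tells you what sysctl -p will load at the next boot, which is what a post-reboot incident usually turns on. Compare against the live values with sysctl -n KEY once you have run sysctl -p.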

How to Configure Squid Proxy for LDAP Authentication on CentOS 6.2 using squid_ldap_auth

In this post I will show how to configure the Squid proxy server to authenticate users against 389 Directory Server over LDAP on a CentOS 6.2 server, using the squid_ldap_auth helper that ships with Squid. It assumes that 389 Directory Server and Squid are already installed and configured. Squid acts as a caching proxy between users and the web, and with this helper it also requires a login before any request is forwarded. 389 Directory Server is an enterprise-class open source LDAP server for Linux.

Details of the proxy server and LDAP server used in this example :
Proxy server : 192.168.1.44 proxy.ehowstuff.local
LDAP server : 192.168.1.48 ldap.ehowstuff.local

Prerequisites :
How to Install and Configure Squid Proxy Server on CentOS 6.2
How to Restrict Web Access By Time Using Squid Proxy Server on CentOS 6.2
How to Install 389 Directory Server on CentOS 6.2
How to Setup and Configure 389 Directory Server on CentOS 6.2

Add these lines to your squid.conf file (on x86_64 the helper is installed as /usr/lib64/squid/squid_ldap_auth) :

auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=ehowstuff,dc=local" -f "uid=%s" -h ldap.ehowstuff.local
acl ldapauth proxy_auth REQUIRED
http_access allow ldapauth
http_access deny all

“http_access deny all” is the final catch-all and is normally already present at the end of the http_access section, so do not add a second copy. Two things matter for security here. First, Squid evaluates http_access lines top to bottom and stops at the first match, so the position of “http_access allow ldapauth” matters: placed above “http_access deny !Safe_ports” and “http_access deny CONNECT !SSL_ports”, as it is in the configuration below, any authenticated user skips those port checks, and placed above the surfing_hours and Bad_Websites rules it skips those as well. Put the allow after the deny rules it is meant to be subject to. Second, with only -h given, squid_ldap_auth searches for the user anonymously and then binds as that user over plain LDAP on port 389, and the browser sends the Basic-auth password merely base64-encoded, so both legs are readable on the wire; use the helper's -Z option (STARTTLS) once the directory has a certificate, and keep clients and proxy on a trusted network.

Open squid.conf and modify as below (excerpt) :

..
..
..
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl ehowstuff.com src 192.168.1.0/24    # Your internal network

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT


#Specifies the base DN for LDAP authentication :
auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=ehowstuff,dc=local" -f "uid=%s" -h ldap.ehowstuff.local
acl ldapauth proxy_auth REQUIRED
http_access allow ldapauth


#Add this at the bottom of the ACL Section
#
acl surfing_hours time M T W H F 17:00-24:00
acl Bad_Websites  dstdomain "/etc/squid/web/Bad_Websites.squid"

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Browsing from the internal network only during surfing_hours and never to Bad_Websites
http_access allow ehowstuff.com surfing_hours !Bad_Websites
http_access deny Bad_Websites
http_access deny ehowstuff.com
..
..
..

Proxy ip : 192.168.1.44
Domain/Hostname : proxy.ehowstuff.local
Port : 3128

A browser configured with these proxy settings will prompt for a username and password, which Squid verifies through squid_ldap_auth.

Complete Squid configuration :

#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl ehowstuff.com src 192.168.1.0/24    # Your internal network

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT


#Specifies the base DN for LDAP authentication :
auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=ehowstuff,dc=local" -f "uid=%s" -h ldap.ehowstuff.local
acl ldapauth proxy_auth REQUIRED
http_access allow ldapauth


#Add this at the bottom of the ACL Section
#
acl surfing_hours time M T W H F 17:00-24:00
acl Bad_Websites  dstdomain "/etc/squid/web/Bad_Websites.squid"

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Browsing from the internal network only during surfing_hours and never to Bad_Websites
http_access allow ehowstuff.com surfing_hours !Bad_Websites
http_access deny Bad_Websites
http_access deny ehowstuff.com



# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
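Two checks for the configuration above, as an added example that is not part of the original post or of the Squid project: helper_check drives a basic-auth helper over its stdin protocol (one “user password” line in, “OK” or “ERR” out) so LDAP authentication can be debugged without a browser, and http_access_order flags any “http_access allow” that sits above the “deny !Safe_ports” and “deny CONNECT !SSL_ports” rules, which is the ordering problem in the configuration shown. The fake_ldap_helper function and the two minimal configurations are constructed stand-ins so the script runs offline; the helper path is the one from the post (on x86_64 it is /usr/lib64/squid/squid_ldap_auth).

```bash
#!/bin/bash
# Added example, not part of the original post or of the Squid project.
#   helper_check      - drive a basic-auth helper over its stdin protocol
#                       ("user password" in, "OK" or "ERR" out).
#   http_access_order - Squid evaluates http_access top to bottom and stops at
#                       the first match, so an "allow" placed above
#                       "deny !Safe_ports" / "deny CONNECT !SSL_ports" lets every
#                       matching request bypass those checks. Report such lines.
# Assumption: helper path as used in the post (x86_64: /usr/lib64/squid/...).

LDAP_HELPER='/usr/lib/squid/squid_ldap_auth -b dc=ehowstuff,dc=local -f uid=%s -h ldap.ehowstuff.local'

# helper_check "HELPER CMD" USER PASS -> 0 on OK, 1 on ERR, 2 on anything else
helper_check() {
    local helper=$1 user=$2 pass=$3 reply
    # Basic helpers read one "user password" line per request and answer OK/ERR.
    reply=$(printf '%s %s\n' "$user" "$pass" | $helper 2>/dev/null | head -n 1)
    case $reply in
        OK*)  echo "OK   $user";                            return 0 ;;
        ERR*) echo "ERR  $user${reply#ERR}";                return 1 ;;
        *)    echo "???  $user unexpected reply: '$reply'"; return 2 ;;
    esac
}

# fake_ldap_helper: constructed stand-in for squid_ldap_auth, used only to
# exercise helper_check offline. It knows exactly one account.
fake_ldap_helper() {
    local user pass
    while read -r user pass; do
        if [ "$user" = "alice" ] && [ "$pass" = "s3cret" ]; then
            echo "OK"
        else
            echo "ERR Invalid credentials"
        fi
    done
}

# http_access_order FILE -> 0 if every "http_access allow" other than the
# manager/localhost rules comes after both port-safety denies; otherwise 1 and
# a report of the offending lines on stdout.
http_access_order() {
    awk '
        /^[[:space:]]*http_access[[:space:]]+deny[[:space:]]+!Safe_ports/                   { safe = NR }
        /^[[:space:]]*http_access[[:space:]]+deny[[:space:]]+CONNECT[[:space:]]+!SSL_ports/ { ssl = NR }
        /^[[:space:]]*http_access[[:space:]]+allow[[:space:]]+/ && $3 != "manager" && $3 != "localhost" {
            n++; line[n] = NR; text[n] = $0
        }
        END {
            if (!safe || !ssl) { print "missing deny !Safe_ports or deny CONNECT !SSL_ports"; exit 1 }
            rc = 0
            for (i = 1; i <= n; i++)
                if (line[i] < safe || line[i] < ssl) {
                    print "line " line[i] " allows before the port checks: " text[i]; rc = 1
                }
            exit rc
        }' "$1"
}

# Constructed minimal configs: the ordering used in the post, and a safe one.
conf_as_posted() {
    cat <<'EOF'
acl ldapauth proxy_auth REQUIRED
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow ldapauth
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
EOF
}
conf_reordered() {
    cat <<'EOF'
acl ldapauth proxy_auth REQUIRED
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow ldapauth
http_access allow localhost
http_access deny all
EOF
}

# Usage on the proxy:
#   helper_check "$LDAP_HELPER" alice 's3cret'
#   http_access_order /etc/squid/squid.conf
```

Run helper_check as the squid user if you can, so that you also catch permission problems on the helper binary, and expect “ERR” rather than a hang: a hang usually means the directory host in -h is unreachable, which the firewall post below addresses.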

How to Install openldap-clients on CentOS 6.2

In this post I will show how to install openldap-clients on a CentOS 6.2 server. openldap-clients is required to run the LDAP search tool, ldapsearch. It is the simplest way to query directory servers remotely, whether 389 Directory Server or Windows Active Directory, and is very useful for retrieving information and troubleshooting problems.

Simply run this command to install openldap-clients :

[root@centos62 ~]# yum install openldap-clients -y
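Once the package is installed, the following script, an added example that is not part of the original post, wraps ldapsearch to look a user up on the 389 Directory Server. It goes one step beyond a plain ldapsearch call by escaping the value the way RFC 4515 requires, so that a name such as “*” or “x)(uid=admin” cannot turn the filter into a wildcard or a different query when the script is fed untrusted input. The host, base DN, anonymous simple bind (the 389 default allows anonymous reads) and the DRY_RUN switch are this example's own assumptions.

```bash
#!/bin/bash
# Added example (not from the original post). Safe ldapsearch wrapper for a
# uid lookup against the 389 Directory Server. Host, base DN and DRY_RUN are
# assumptions of this example; override them in the environment.

LDAP_HOST=${LDAP_HOST:-ldap.ehowstuff.local}
LDAP_BASE=${LDAP_BASE:-dc=ehowstuff,dc=local}

# ldap_filter_escape STRING -> STRING with \ * ( ) replaced by \5c \2a \28 \29
# (RFC 4515). Backslash goes first so the escapes it introduces are not
# escaped a second time.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# ldap_uid_filter UID -> "(uid=<escaped uid>)"
ldap_uid_filter() {
    printf '(uid=%s)' "$(ldap_filter_escape "$1")"
}

# ldap_check_user UID [ATTR...] -> anonymous simple-bind search for the user,
# printing only the requested attributes. With DRY_RUN=1 it prints the exact
# command instead of running it, which is how the offline test exercises it.
ldap_check_user() {
    local uid=$1; shift
    local -a cmd=(ldapsearch -x -LLL -H "ldap://$LDAP_HOST" -b "$LDAP_BASE" "$(ldap_uid_filter "$uid")" "$@")
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "${cmd[*]}"
        return 0
    fi
    "${cmd[@]}"
}

# Usage:  ldap_check_user alice uid cn mail
#         DRY_RUN=1 ldap_check_user 'x)(uid=admin'    # shows the neutralised filter
```

ldapsearch returning nothing for a known user while the command in DRY_RUN looks right is usually a bind or ACI problem rather than a filter problem; add -D and -W to bind as a real account and compare.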

How to Configure Iptables Firewall for 389 Directory Server on CentOS 6.2

In this post I will show the ports that have to be allowed through the iptables firewall for 389 Directory Server to be reachable and work properly. Before the Windows console (389-Console.msi installed on a client PC) can connect to the 389 administration server, and before LDAP clients can run searches, three ports have to be opened in iptables. These are the ports normally opened on a 389 Directory Server :

a) Port 389 (ldap)
b) Port 636 (ldaps – only if using TLS/SSL)
c) Admin server port (9830 by default)

Run netstat to see the listening ports. Here ns-slapd listens on 389 via the IPv6 wildcard socket, which also accepts IPv4 connections, the admin server listens on 9830 under httpd.worker, and 636 is absent because TLS has not been enabled yet :

[root@centos62 ~]# netstat -plunt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1105/sshd
tcp        0      0 127.0.0.1:5432              0.0.0.0:*                   LISTEN      1140/postmaster
tcp        0      0 0.0.0.0:9830                0.0.0.0:*                   LISTEN      1415/httpd.worker
tcp        0      0 :::22                       :::*                        LISTEN      1105/sshd
tcp        0      0 ::1:5432                    :::*                        LISTEN      1140/postmaster
tcp        0      0 :::389                      :::*                        LISTEN      1792/ns-slapd

Open the iptables configuration file and allow ports 389, 636 and 9830 through the firewall :

[root@centos62 ~]# vi /etc/sysconfig/iptables

Add these three lines above the final "-A INPUT -j REJECT --reject-with icmp-host-prohibited" rule; lines appended below it are never reached. If TLS is not enabled, leave port 636 closed, and consider limiting the admin port to your administrators' network with -s, since the admin server presents the console login to whoever can reach it :

-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9830 -j ACCEPT

Then restart iptables so the saved rules are loaded :

[root@centos62 ~]# service iptables restart
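As an added example that is not part of the original post, the script below generates the three rules and inserts them into an /etc/sysconfig/iptables-style file above the final "-A INPUT -j REJECT" rule, skipping any rule that is already present so it can be re-run safely. The client and admin networks, the choice to open 636 only when TLS is configured, and the sample_iptables copy of a stock CentOS 6 file are this example's own assumptions; apply the result with service iptables restart.

```bash
#!/bin/bash
# Added example (not from the original post). Builds the 389 DS firewall rules
# and inserts them into an /etc/sysconfig/iptables-style file ABOVE the final
# "-A INPUT -j REJECT" rule, where rules appended at the bottom of the file
# would never be reached. Networks and the TLS switch are this example's
# choices; run "service iptables restart" afterwards on the real host.

# dirsrv_rules CLIENT_NET ADMIN_NET TLS(yes|no) -> prints the rules, one per line
dirsrv_rules() {
    local client_net=$1 admin_net=$2 tls=$3
    printf -- '-A INPUT -s %s -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT\n' "$client_net"
    if [ "$tls" = "yes" ]; then
        printf -- '-A INPUT -s %s -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT\n' "$client_net"
    fi
    # The admin server (port 9830) carries the console login: admins only.
    printf -- '-A INPUT -s %s -m state --state NEW -m tcp -p tcp --dport 9830 -j ACCEPT\n' "$admin_net"
}

# insert_rules FILE RULES -> add each rule that is not already present, just
# before the INPUT REJECT rule (or before COMMIT if there is no REJECT rule)
insert_rules() {
    local file=$1 rules=$2 rule new=""
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        grep -qxF -- "$rule" "$file" || new="${new}${rule}"$'\n'
    done <<< "$rules"
    [ -n "$new" ] || return 0            # nothing to do: already in place
    awk -v add="$new" '
        !done && (/^-A INPUT .*-j REJECT/ || /^COMMIT$/) { printf "%s", add; done = 1 }
        { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# rule_line FILE STRING -> line number of the first line containing STRING
rule_line() {
    grep -nF -- "$2" "$1" | head -n 1 | cut -d: -f1
}

# sample_iptables: constructed copy of a stock CentOS 6 /etc/sysconfig/iptables
sample_iptables() {
    cat <<'EOF'
# Firewall configuration written by system-config-firewall
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Usage on the directory server (back the file up first):
#   cp /etc/sysconfig/iptables /root/iptables.bak
#   insert_rules /etc/sysconfig/iptables "$(dirsrv_rules 192.168.1.0/24 192.168.1.10/32 no)"
#   service iptables restart
```

After the restart, iptables -L INPUT -n --line-numbers should list the new ACCEPT rules before the REJECT line; if they appear after it, the file was edited below the REJECT rule and the ports are still blocked.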

How to Remove 389 Directory Server on CentOS 6.2

In this post I will show the quick steps to remove 389 Directory Server from a CentOS 6.2 server. Removing the directory instances is done with ds_removal or remove-ds.pl. These remove all instance-specific files and paths except the slapd-INSTANCENAME directory, which is renamed to slapd-INSTANCENAME.removed; if you do not want to keep any configuration or key/certificate data, erase that directory. If you are using the console/admin server and this machine hosts the configuration directory server (i.e. it is the first machine you ran setup-ds-admin.pl on) and you want to wipe everything and start over, use remove-ds-admin.pl. Export any data you still need first (for example with the instance's db2ldif script) and copy out the certificate database from /etc/dirsrv/slapd-INSTANCENAME, because the removal below cannot be undone.

Usage:

/usr/sbin/remove-ds-admin.pl [-f] [-d -d ...]

 Opts: -f            - force removal
       -d            - turn on debugging output
       -y            - actually do the removal
WARNING: This command is extremely destructive!
         It will remove all of the data and configuration
         of all directory servers and admin servers, with
         no chance of recovery.  Therefore, in order to actually
         do this, you must give the -y option.

To remove 389 Directory Server instances on CentOS 6.2 :

[root@centos62 ~]# remove-ds-admin.pl -y -f
Removed admin server and all directory server instances

To Remove 389 Directory Server packages :

[root@centos62 ~]# yum remove 389-ds-base-libs 389-adminutil idm-console-framework -y

After removing the packages, run the following to return the system to a clean state. This also deletes any remaining certificate and key databases under /etc/dirsrv, so copy them out first if you still need them:

[root@centos62 ~]# rm -rf /etc/dirsrv /usr/lib*/dirsrv /var/*/dirsrv /etc/sysconfig/dirsrv*