389 Directory Server is an open source enterprise LDAP Server.
This can handle very huge volume of data. One of the huge benefit of 389 LDAP server is that it is lighting fast and process upto handle several thousands of operations per second.
This has several advanced features including asynchronous multi-master replication for horizontal scaling, which in-turn provides provides 100% fault tolerance and extremely high throughput.
Also, keep in mind that this supports TLS, SASL for authentication and transport. 389 Directory server is fully LDAPv3 compliant.
This tutorial explains how you can install and configure 389 directory server on your Linux environment.
Setup EPEL Repository
If you don’t have EPEL repository setup, make sure you set it up, as we’ll be installing the 389 related packages from EPEL.
First, download the epel rpm from Fedora website as shown below.
Next, Install the epel repository on your server.
# rpm -ivh epel-release-7-9.noarch.rpm warning: epel-release-7-9.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY Preparing... ################################# [100%] Updating / installing... 1:epel-release-7-9 ################################# [100%]
If you are interested in OpenLDAP instead of 389 directory server, refer to this: How Install and Configure OpenLDAP on Linux
Setup /etc/host File Properly
Make sure the host file is setup properly.
In this example, the following is the current /etc/host file setup.
# cat /etc/hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 192.168.101.10 deploy.thegeekstuff.com deploy
In the above:
- 192.168.101.10 – Is the ip-address of the server
- deploy.thegeekstuff.com – This is the FQDN of the server where 389 directory server is getting installed
- deploy – This is the hostname of the server
Setup Appropriate sysctl Parameters
Add the following line to your /etc/sysctl.conf file:
# cat /etc/sysctl.conf net.ipv4.tcp_keepalive_time = 300 net.ipv4.ip_local_port_range = 1024 65000 fs.file-max = 64000
Depending on how much resource you have on your system, you may want to bump-up the above file-max number bit more.
Execute “sysctl -p” command as shown below to make sure the above changes are made to your system.
# sysctl -p net.ipv4.tcp_keepalive_time = 300 net.ipv4.ip_local_port_range = 1024 65000 fs.file-max = 64000
Verify that the changes are made:
# sysctl fs.file-max net.ipv4.tcp_keepalive_time net.ipv4.ip_local_port_range fs.file-max = 64000 net.ipv4.tcp_keepalive_time = 300 net.ipv4.ip_local_port_range = 1024 65000
Set Appropriate Ulimit Values
Set the ulimit value to 8192 as shown below in your /etc/profile file.
# echo "ulimit -n 8192" >> /etc/profile
Verify that this entry is added to the /etc/profile file.
# tail /etc/profile .. .. unset i unset -f pathmunge ulimit -n 8192
Modify pam.d Login File
Modify the /etc/pam.d/login file and add the following line to include the pam_limits.so file as shown below.
# vi /etc/pam.d/login session required /usr/lib64/security/pam_limits.so
Make sure the pam_limits.so file is present on your system.
# ls -l /usr/lib64/security/pam_limits.so -rwxr-xr-x. 1 root root 19584 Aug 18 2015 /usr/lib64/security/pam_limits.so
Note: On 32-bit, use the following, as the location of this file is different.
# vi /etc/pam.d/login session required /lib/security/pam_limits.so
Create LDAP Admin User
Create a user called ldapadmin and assign a password as shown below:
useradd ldapadmin passwd ldapadmin
Once you’ve setup the LDAP Server properly, this will help: How to Add LDAP Users and Groups
Install 389 Directory Server Base and OpenLDAP Client
Next is to install the 389 directory server base package, and OpenLDAP client utility packages. We need to install these two packages:
Using yum command install the above two packages:
# yum install 389-ds-base.x86_64 openldap-clients.x86_64
Apart from installing the 389-ds-base and openldap-client package, depending on your system, this will also install the following dependent packages:
On this particular system, the following packages were also upgraded when the above two packages were installed:
If you are using EPEL repository for the first time on your system, this may ask you to accept the key as shown below. Say “y” here.
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7 Importing GPG key 0x352C64E5: Userid : "Fedora EPEL (7) <firstname.lastname@example.org>" Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5 Package : epel-release-7-9.noarch (installed) From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7 Is this ok [y/N]: y
Install 389 Directory Server Admin Packages
Next, install the following packages that are related to the 389 LDAP Server administration:
- 389-ds.noarch This is the 389 directory, administration, and console suite
- 389-admin.x86_64 This is the admin for 389 Administration Server
- 389-adminutil.x86_64 This contains the utilities and libraries that are required for 389 administration
- 389-ds-console-doc.noarch This is web-based docs for 389 directory server management console
Use yum command and install these 389 directory server admin related packages as shown below:
# yum install 389-admin.x86_64 \ 389-adminutil.x86_64 389-ds.noarch \ 389-ds-base.x86_64 389-ds-console-doc.noarch
Apart from installing those 4 packages, depending on your system, this also installed the following dependent pcakges:
On this particular system, the following packages were also upgraded when the above packages were installed:
Setup 389 Directory Server – Execute setup-ds-admin.pl
After installing the required 389 LDAP Server packages, then execute the setup-ds-admin.pl script, which will configure the 389 Directory server setup on your system.
The above program will ask you to enter several values. Most of them are intuitive and straight forward.
But, I’ve shown partial output of whereever this is asking for user-input below.
Setup 389 Directory Server – Initial Warning Message
During the 1st few prompts of the above setup-ds-admin.pl script, depending on yoru system setup, this may give you the following WARNING messages. You can say ‘yes’ to continue here:
389 Directory Server system tuning analysis version 14-JULY-2016. NOTICE : System is x86_64-unknown-linux3.10.0-327.10.1.el7.x86_64 (2 processors). WARNING: There are only 1024 file descriptors (soft limit) available, which limit the number of simultaneous connections. WARNING : The warning messages above should be reviewed before proceeding. Would you like to continue? [no]: yes
Setup 389 Directory Server – Choose Typical Setup Type
In the following screen, if you are new to 389 directory server, choose the typical setup, which will setup all the common configuration options for you.
1. Express Allows you to quickly set up the servers using the most common options and pre-defined defaults. Useful for quick evaluation of the products. 2. Typical Allows you to specify common defaults and options. 3. Custom Allows you to specify more advanced options. This is recommended for experienced server administrators only. To accept the default shown in brackets, press the Enter key. Choose a setup type : 2
Setup 389 Directory Server – Enter FQDN
If you’ve setup your /etc/hosts file properly as explained in one of the previous setps, it should properly pick-up your computer-name here as shown below.
You just have to press-enter here and move on.
Computer name [deploy.thegeekstuff.com]:
If your server doesn’t have proper FQDN setup, then you’ll see this error message during your setup-ds-admin.pl script execution. Press Ctrl-C and come-out of this, address the FQDN issue and then re-run setup-ds-admin.pl again.
WARNING: There are problems with the hostname. The hostname 'deploy' does not look like a fully qualified host and domain name. Please check the spelling of the hostname and/or your network configuration. If you proceed with this hostname, you may encounter problems. Do you want to proceed with hostname 'deploy'? [no]: no Computer name [deploy]: ^C
You can also pass the FQDN as a parameter to the setup-ds-admin.pl script as shown below:
# setup-ds-admin.pl General.FullMachineName=deploy.thegeekstuff.com .. Computer name [deploy.thegeekstuff.com]: ..
Setup 389 Directory Server – Enter LDAP Admin User
By default, this will use dirsrv as the username and group. Since we created a user called ldapadmin in one of our previous steps, specify that here.
System User [dirsrv]: ldapadmin System Group [dirsrv]: ldapadmin
Setup 389 Directory Server – Config Directory Server
Since this is the first setup we are doing, we don’t have a configuration directory server yet. So, press enter here to accept the default choice, which is ‘no’.
But when you are doing multiple installation of this, you might already have configuration directory server setup, in which case, you should say ‘yes’ and specify those information there.
Do you want to register this software with an existing configuration directory server? [no]:
Setup 389 Directory Server – Specify Admin Username and Password
At this stage, you have to specify the admin username and password for the new directory server that this is going to setup.
You’ll be using this uid and password to login to the console.
Configuration directory server administrator ID [admin]: Password: Password (confirm):
Setup 389 Directory Server – Enter Additional Parameters
The following are few additional parameters the setup-ds-admin.pl script will prompt. This domain name was picked up from the FQDN that we’ve defined in the /etc/hosts file:
Administration Domain [thegeekstuff.com]:
The default port number as you can imagine from the name is 389. Just leave it as it is by pressing enter:
Directory server network port :
Enter the unique identifier for your directory server.
Directory server identifier [deploy]:
Setup 389 Directory Server – Setup LDAP Tree Structure
First, setup your directory tree accordingly. In this example, this is the root of our directory tree, which start with thegeekstuff.com broken down by dc as shown below.
Suffix [dc=thegeekstuff, dc=com]:
Next, sepcify the directory manager, which is a DN where you’ll have the administrative user who will perform certain directory server operations.
Press enter to accept the default name. Enter the password here for your directory manager user.
Directory Manager DN [cn=Directory Manager]: Password: Password (confirm):
Specify the admin port. Please note that this is different from your application server or web server port. Just accept the default value here.
Administration port :
Setup 389 Directory Server – Final Stages of Setup
Say ‘yes’ to the following final confirmation message to start the directory server configuration based on the values that you’ve entered so far.
Are you ready to set up your servers? [yes]: yes
You’ll see the following output indicating that the script is setting up the directory servers based on your configuration values.
Creating directory server . . . Your new DS instance 'deploy' was successfully created. Creating the configuration directory server . . . Beginning Admin Server creation . . . Creating Admin Server files and directories . . . Updating adm.conf . . . Updating admpw . . . Registering admin server with the configuration directory server Updating adm.conf with information from configuration directory server Updating the configuration for the httpd engine . . . .. .. Starting admin server . . . The admin server was successfully started. Admin server was successfully created, configured, and started. Exiting . . . Log file is '/tmp/setupqxoZug.log'
If you don’t have SELinux setup and configured properly, you’ll get the following ERROR message. In this case, you may want to temporarily disable SELinux and run the setup script.
ERROR: policydb version 30 does not match my version range 15-29 ERROR: Unable to open policy //etc/selinux/targeted/policy/policy.30. Traceback (most recent call last): File "/usr/sbin/semanage", line 32, in import seobject File "/usr/lib/python2.7/site-packages/seobject/__init__.py", line 27, in import sepolicy File "/usr/lib64/python2.7/site-packages/sepolicy/__init__.py", line 798, in raise e ValueError: Failed to read //etc/selinux/targeted/policy/policy.30 policy file
Verify Setup Log File
The last line of the setup script will show the name of the log file.
Open the log file to make sure there are no error message. It should look something like the following:
# vi /tmp/setupqxoZug.log [21:50:57] - [Setup] Info This program will set up the 389 Directory and Administration Servers. [21:50:57] - [Setup] Info Would you like to continue with set up? [21:50:58] - [Setup] Info yes .. .. [21:55:50] - [Setup] Info Updating admpw . . . [21:55:50] - [Setup] Info Registering admin server with the configuration directory server . . . [21:55:50] - [Setup] Info Updating adm.conf with information from configuration directory server . . . [21:55:50] - [Setup] Info Updating the configuration for the httpd engine . . . [21:55:52] - [Setup] Info Starting admin server . . . [21:55:53] - [Setup] Info The admin server was successfully started. [21:55:53] - [Setup] Info Admin server was successfully created, configured, and started. [21:55:53] - [Setup] Success Exiting . . .
Start 389 Directory Server using Systemctl
dirsrv is the startup program name.
Use systemctl to start the 389 Directory Server as shown below.
# systemctl status dirsrv.target ? dirsrv.target - 389 Directory Server Loaded: loaded (/usr/lib/systemd/system/dirsrv.target; disabled; vendor preset: disabled) Active: inactive (dead)
Star the 389 directory server:
# systemctl start dirsrv.target
# systemctl status dirsrv.target ? dirsrv.target - 389 Directory Server Loaded: loaded (/usr/lib/systemd/system/dirsrv.target; disabled; vendor preset: disabled) Active: active since Fri 2017-07-07 21:58:26 UTC; 2s ago 21:58:26 deploy systemd: Reached target 389 Directory Server. 21:58:26 deploy systemd: Starting 389 Directory Server. ..
Start 389 Directory Server using start-dirsrv
Instead of using systemctl, you can also use the start-dirsrv command as shown below to start the directory server:
# start-dirsrv Starting instance "deploy"
Use stop-dirsrv to stop it:
# stop-dirsrv Stopping instance "deploy"
The following will display the status of the directory server
# status-dirsrv ? dirsrv.target - 389 Directory Server Loaded: loaded (/usr/lib/systemd/system/dirsrv.target; disabled; vendor preset: disabled) Active: active since Fri 2017-07-07 21:58:26 UTC; 1min 39s ago 21:58:26 deploy systemd: Reached target 389 Directory Server. 21:58:26 deploy systemd: Starting 389 Directory Server. Status of instance "deploy" ? email@example.com - 389 Directory Server deploy. Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled) Active: active (running) since Fri 2017-07-07 22:00:01 UTC; 4s ago Process: 4754 ExecStartPre=/usr/sbin/ds_systemd_ask_password_acl /etc/dirsrv/slapd-%i/dse.ldif (code=exited, status=0/SUCCESS) Main PID: 4761 (ns-slapd) Status: "slapd started: Ready to process requests" CGroup: /firstname.lastname@example.org +-4761 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-deploy -i /var/run/dirsrv/slapd-deploy.pid
Start 389 Directory Server Admin using Systemctl
To control the admin server for your 389 directory, use systemctl as shown below.
The admin program is known as dirsrv-admin as shown below.
# systemctl start dirsrv-admin # systemctl stop dirsrv-admin # systemctl status dirsrv-admin ? dirsrv-admin.service - 389 Administration Server. Loaded: loaded (/usr/lib/systemd/system/dirsrv-admin.service; disabled; vendor preset: disabled) Active: inactive (dead) ..
You can also use stop-ds-admin command to stop the 389 Administration Server
Validate the Setup Using LDAPSearch Command
Finally, use the ldapsearch command to validate that the setup is done properly.
The following is the partial output of the ldapsearch command:
# ldapsearch -x -b "dc=thegeekstuff,dc=com" .. .. dn: dc=thegeekstuff,dc=com objectClass: top objectClass: domain dc: thegeekstuff # Directory Administrators, thegeekstuff.com dn: cn=Directory Administrators,dc=thegeekstuff,dc=com objectClass: top objectClass: groupofuniquenames cn: Directory Administrators uniqueMember: cn=Directory Manager .. .. search: 2 result: 0 Success # numResponses: 10 # numEntries: 9