2013-12-23

In this tutorial we are going to set up an LDAP server using 389 Directory Server, an enterprise-class open source LDAP server developed by the Red Hat community.

Features

- Multi-Master Replication, to provide fault tolerance and high write performance.

- Scalability: thousands of operations per second, tens of thousands of concurrent users, tens of millions of entries, hundreds of gigabytes of data.

- Active Directory user and group synchronization.

- Secure authentication and transport (SSLv3, TLSv1, and SASL). SSLv3 is broken and should be disabled on any current deployment; use TLS only.

- Support for LDAPv3.

- On-line, zero downtime, LDAP-based update of schema, configuration, management and in-tree Access Control Information (ACIs).

- Graphical console for all facets of user, group, and server management.

For a detailed explanation of the key features, see the 389 project page linked under Source & Reference at the end of this article.

Prerequisites

- The LDAP server should have a valid FQDN. Add the LDAP server's A (and PTR) record to your DNS server.

- Adjust the firewall to allow the LDAP ports: 389 (LDAP), 636 (LDAPS) and 9830 (the default port of the 389 Administration Server).

- Enable the EPEL and REMI repositories to avoid dependency problems.

Follow the below links to Add EPEL and REMI Repository.

- Install EPEL Repository on CentOS / RHEL / Scientific Linux 6.x

- Install REMI Repository on CentOS / RHEL / Scientific Linux 6.x

The LDAP server details used in this how-to are given below.

Set your server's fully qualified domain name in the /etc/hosts file.

Edit the file /etc/hosts,

Add your hostname as shown below.

Change the values as per your requirements. This tutorial applies to the whole RHEL/CentOS/SL 6.x series.

Firewall Configuration

Add the following LDAP ports to your iptables rules. To do that, edit the file “/etc/sysconfig/iptables”,

Add the following lines.

Restart the firewall.
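As an added example (editor's code, not the tutorial's), the following script inserts ACCEPT rules for the LDAP ports into a CentOS 6 style /etc/sysconfig/iptables without duplicating rules that are already there. The port list is an assumption: 389 (LDAP), 636 (LDAPS) and 9830 (the 389 Administration Server default); change it if you choose other ports during setup.

```bash
# Added example, not part of the original tutorial: insert ACCEPT rules for the
# LDAP ports into a CentOS 6 style /etc/sysconfig/iptables without duplicating
# rules that already exist. The port list is an assumption: 389 (LDAP),
# 636 (LDAPS) and 9830 (the 389 Administration Server default).

LDAP_PORTS="389 636 9830"

# One rule line for a port, in the format /etc/sysconfig/iptables uses.
ldap_rule() {
    printf '%s\n' "-A INPUT -m state --state NEW -m tcp -p tcp --dport $1 -j ACCEPT"
}

# Insert missing rules ahead of the INPUT chain's catch-all REJECT (or, failing
# that, before COMMIT) so they are evaluated before traffic is dropped.
# $1 = file to edit, default /etc/sysconfig/iptables. Idempotent: ports that
# already have an ACCEPT rule are skipped. The file is rewritten through a
# temp file so an error midway cannot leave a truncated firewall config.
add_ldap_rules() {
    file="${1:-/etc/sysconfig/iptables}"
    nl='
'
    new=""
    for p in $LDAP_PORTS; do
        grep -q -- "--dport $p -j ACCEPT" "$file" || new="$new$(ldap_rule "$p")$nl"
    done
    [ -n "$new" ] || return 0          # nothing to do
    tmp="$file.tmp.$$"
    awk -v rules="$new" '
        !done && (/-j REJECT/ || /^COMMIT/) { printf "%s", rules; done = 1 }
        { print }
        END { if (!done) printf "%s", rules }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Usage as root, then activate:  add_ldap_rules && service iptables restart
# Verify:  iptables -L INPUT -n --line-numbers | grep -E 'dpt:(389|636|9830)'
```

The rules are placed before the REJECT line on purpose: a rule appended after the catch-all is never reached, which is the most common reason a "working" firewall edit still blocks LDAP clients.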

Performance and Security tuning for LDAP server

Before installing the LDAP server, we have to adjust some system files for performance and security.

Edit file “/etc/sysctl.conf”,

Add the following lines at the end.

Edit file “/etc/security/limits.conf”,

Add the following lines at the bottom.

Edit file “/etc/profile”,

Add the line at the end.

Edit file “/etc/pam.d/login”,

Add the line at the end.

Now reboot the server so the new kernel and limit settings take effect.
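As an added example (editor's code, not the tutorial's), the script below applies the kernel and open-file limits commonly recommended for 389 DS on RHEL/CentOS 6 in an idempotent way. The values are assumptions drawn from the 389 project's performance tuning guidance; check them against the current documentation and your own load. Every file path is a parameter so the functions can be tried against scratch files before touching /etc.

```bash
# Added example, not part of the original tutorial: apply the kernel and
# open-file limits commonly recommended for 389 DS on RHEL/CentOS 6, in an
# idempotent way. The values are assumptions drawn from the 389 project's
# performance tuning guidance; check them against current documentation.

# Append a line unless an identical line is already present.
ensure_line() {   # $1 = file, $2 = exact line
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# Set key = value in a sysctl.conf-style file, replacing an existing setting
# for that key (so an old value cannot win) or appending a new one.
set_sysctl() {    # $1 = file, $2 = key, $3 = value
    if grep -q "^$2[[:space:]]*=" "$1" 2>/dev/null; then
        sed -i "s|^$2[[:space:]]*=.*|$2 = $3|" "$1"
    else
        printf '%s = %s\n' "$2" "$3" >> "$1"
    fi
}

# Read back the value set for a key (last occurrence wins, as sysctl -p does).
get_sysctl() {    # $1 = file, $2 = key
    sed -n "s|^$2[[:space:]]*=[[:space:]]*||p" "$1" | tail -n 1
}

tune_kernel() {   # $1 = sysctl.conf, default /etc/sysctl.conf
    f="${1:-/etc/sysctl.conf}"
    set_sysctl "$f" net.ipv4.tcp_keepalive_time 300          # drop dead client sockets sooner
    set_sysctl "$f" net.ipv4.ip_local_port_range "1024 65000" # more ports for replication and clients
    set_sysctl "$f" fs.file-max 64000                        # system-wide open file ceiling
}

# Raise the per-process file descriptor limit for the account that runs
# ns-slapd (every client connection costs a descriptor).
tune_limits() {   # $1 = account (or "*"), $2 = limits.conf, $3 = profile, $4 = pam login file
    u="${1:-*}"
    ensure_line "${2:-/etc/security/limits.conf}" "$u soft nofile 8192"
    ensure_line "${2:-/etc/security/limits.conf}" "$u hard nofile 8192"
    ensure_line "${3:-/etc/profile}" "ulimit -n 8192"
    ensure_line "${4:-/etc/pam.d/login}" "session required pam_limits.so"
}

# Usage as root, then reboot (or `sysctl -p` and log in again):
#   tune_kernel && tune_limits ldapadmin
```

Replacing an existing key instead of blindly appending matters because sysctl -p takes the last setting in the file; a stale value left above a new one is a classic source of "I changed it but nothing happened".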

Install 389 Directory Server

Create a dedicated, unprivileged user account that the directory server will run as; the setup script asks for this account later.

Now install 389 directory server using command:

Configure LDAP server

Now it's time to configure the LDAP server. It is a fairly long, interactive process. Run the following command to configure 389 Directory Server.

You will be asked a number of questions. Read each prompt carefully and answer accordingly. The Directory Manager password you choose here has full control of the directory, so pick a strong one and keep it out of scripts and shell history.

If you make a mistake and want to go back to the previous screen, press Ctrl+B and Enter. To cancel the setup, press Ctrl+C.

Make the LDAP server daemon start automatically on every reboot.
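As an added example (editor's code, not the tutorial's), the following script drives setup-ds-admin.pl from an answer file instead of the interactive prompts, which gives a repeatable install. The section and key names follow the .inf format documented in the 389 install guide; check them against your version. Host, suffix, account names and passwords are placeholders. The answer file carries cleartext passwords, so it is written with mode 0600 and destroyed afterwards.

```bash
# Added example, not part of the original tutorial: drive setup-ds-admin.pl
# from an answer file for a repeatable, non-interactive install. Key names
# follow the .inf format in the 389 install guide (verify for your version);
# host, suffix, account names and passwords are placeholders.

# Write the answer file. $1 = path, $2 = FQDN, $3 = suffix,
# $4 = unprivileged account that runs ns-slapd,
# $5 = console/admin password, $6 = Directory Manager password.
write_setup_inf() {
    ( umask 077                     # subshell: the restrictive umask does not leak to the caller
      cat > "$1" <<EOF
[General]
FullMachineName=$2
SuiteSpotUserID=$4
SuiteSpotGroup=$4
AdminDomain=${2#*.}
ConfigDirectoryAdminID=admin
ConfigDirectoryAdminPwd=$5

[slapd]
SlapdConfigForMC=Yes
UseExistingMC=0
ServerPort=389
ServerIdentifier=${2%%.*}
Suffix=$3
RootDN=cn=Directory Manager
RootDNPwd=$6
AddSampleEntries=No

[admin]
Port=9830
ServerAdminID=admin
ServerAdminPwd=$5
EOF
    )
}

# Run as root on the server. Passwords come from the environment (ADMIN_PW,
# DM_PW) rather than the command line so they do not land in shell history
# or `ps` output. Requires the 389-ds package; hostname -f must resolve.
silent_install() {   # $1 = suffix, e.g. dc=example,dc=com
    inf=$(mktemp /root/setup-ds.XXXXXX)
    write_setup_inf "$inf" "$(hostname -f)" "$1" ldapadmin "$ADMIN_PW" "$DM_PW"
    setup-ds-admin.pl --silent --file="$inf"
    chkconfig dirsrv on           # directory server on boot
    chkconfig dirsrv-admin on     # administration server on boot
    shred -u "$inf"               # no cleartext passwords left on disk
}
```

Keep the generated file out of version control and off shared filesystems; the two password keys in it are equivalent to full control of the directory and of the administration server.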

Test LDAP Server

Now let us test our LDAP server for errors using the following command.

Sample output:

The output will look something like the above. The line that matters is “result: 0 Success”: the LDAP result code is 0 on success, while the “search: 2” line is only the message ID of the request, not a status. If you see result 0, the LDAP server is ready to use.
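As an added example (editor's code, not the page's), the function below decides whether a test search succeeded from the result code and entry count in ldapsearch's output rather than by eyeballing it. ldapsearch comes from openldap-clients; the host and suffix in the usage line are placeholders, and the sample outputs are constructed for the offline check.

```bash
# Added example, not part of the original page: judge an ldapsearch test run
# by its result code and entry count. Host and suffix are placeholders; the
# sample outputs below are constructed, not captured from a real server.

# Read ldapsearch output on stdin; return 0 only if the server answered with
# LDAP result code 0 (Success) and at least one entry came back.
ldap_result_ok() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q '^result: 0 Success' || return 1
    entries=$(printf '%s\n' "$out" | sed -n 's/^# numEntries: //p')
    [ "${entries:-0}" -gt 0 ]
}

# Live check, run after setup (needs openldap-clients):
#   ldapsearch -x -H ldap://ldap.example.com -b "dc=example,dc=com" -s base "(objectclass=*)" \
#       | ldap_result_ok && echo "LDAP OK"
# Add -ZZ to require STARTTLS once a certificate is configured. Note that this
# is an anonymous bind: if it still returns entries after you tighten ACIs,
# check the ACIs, because anonymous read of the whole tree is rarely intended.

# Constructed sample of a successful base search.
SAMPLE_OK='# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1'

# Constructed sample of a failed search (wrong suffix).
SAMPLE_FAIL='# search result
search: 2
result: 32 No such object

# numResponses: 1'
```

Checking numEntries as well as the result code catches the case where the suffix exists but the search base you typed returns nothing, which still reports success.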

Manage 389 ds with Admin Server Console

Please be mindful that managing 389 DS graphically needs a GUI environment, because 389-console is a Java desktop application. It does not have to run on the server itself: the console can be installed on any workstation that can reach the administration server port, which is the safer choice, since a desktop stack on a directory server only adds attack surface. If you did a minimal installation and still want the console locally, you will need to install a desktop first.

As I have a minimal server, I am going to install the XFCE desktop on it.

Reboot your server.

Log in to server.

Now you can access the 389 ds admin console either locally or remotely.

To access the 389 DS admin console locally, type 389-console.

To access the 389 DS admin console from a remote system, enter the following command in a terminal.

Now you will be asked for your LDAP server's administrative login details. In my case the admin name is admin and the password is centos (a throwaway value for this demo; use a strong password on a real server).

This is how my admin server console looks.

From here you can create, delete or edit LDAP organizational units, groups and users graphically.

The 389 DS admin console shows two servers under the server group.

- Administration Server

- Directory Server

Open whichever one you need.

1. Administration Server

To access the Administration Server interface, click on your LDAP domain name to expand it. Go to Server Group - Administration Server and click Open on the right side. See the following screenshot.

Configuration tab:

In the Configuration tab you can change the admin server's IP address, default port, admin password and default user directory. You can also define which host names and IP addresses are allowed to connect to the administration server; restrict this to your management hosts rather than leaving it open.

Tasks Tab:

In the Tasks section, you can Stop/Restart/Configure your server.

2. Directory server

To access the Directory Server interface, click on your LDAP domain name to expand it. Go to Server Group - Directory Server and click Open on the right side. See the following screenshot.

In the Directory Server section you can do all necessary configuration for your LDAP server: change the default port, create users, groups, organizational units and so on.

There are a lot of options available in the Directory Server section. Go through each section and configure it as per your requirements.

Create Organization units, Groups And Users

Create organizational unit:

Go to your Directory Server from the main console. In the Directory tab, right click on your domain name (ex. Unixmen). Select New -> Organizational Unit. See the following screen.

Enter your OU name (ex. Support Division) and click Ok.

The new OU (ex. Support Division) will be created under Unixmen domain.

Create a Group:

Now navigate to Support Division OU and create a new group (ex. support_group).

Enter group name and click Ok.

The new group will be created under Unixmen/Support Division.

Create User:

Right click on support_group and select New -> User.

Enter the user details such as first name, last name, userid, mail id etc., and click Ok.

Verify the organizational unit, group and user with the following command on the server.

Sample output:

As you can see in the above output, a new OU called Support Division, a new group called support_group and a new user called skumar have been created. I have covered only the installation and basic configuration; there is a lot more to learn about 389 DS. See the link at the bottom to know more.
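As an added example (editor's code, not the page's), the script below creates the same organizational unit, group and user from the command line with ldapadd, which is scriptable and needs no graphical console, then verifies them with ldapsearch. The suffix and host are placeholders; the entry names (Support Division, support_group, skumar) follow the tutorial's example. The user's password is set afterwards with ldappasswd so no password ever sits in the LDIF.

```bash
# Added example, not part of the original page: create the OU, group and user
# with ldapadd instead of the console. Suffix and host are placeholders; the
# entry names mirror the tutorial's example.

# Emit LDIF for the OU, the user, and a group that lists the user. $1 = suffix.
support_division_ldif() {
    suffix="$1"
    cat <<EOF
dn: ou=Support Division,$suffix
objectClass: top
objectClass: organizationalUnit
ou: Support Division

dn: uid=skumar,ou=Support Division,$suffix
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: skumar
cn: S Kumar
sn: Kumar
givenName: S
mail: skumar@example.com

dn: cn=support_group,ou=Support Division,$suffix
objectClass: top
objectClass: groupOfUniqueNames
cn: support_group
uniqueMember: uid=skumar,ou=Support Division,$suffix
EOF
}

# Number of entries the LDIF would add (one per dn: line).
ldif_entry_count() {   # $1 = suffix
    support_division_ldif "$1" | grep -c '^dn: '
}

# Run on the server (openldap-clients installed). Prompts for the Directory
# Manager password. Switch ldap:// to ldaps:// or add -ZZ once TLS is set up,
# otherwise the bind password crosses the network in the clear.
create_support_division() {   # $1 = suffix, $2 = host
    support_division_ldif "$1" | ldapadd -x -H "ldap://$2" -D "cn=Directory Manager" -W
    # Set the user's password over the wire instead of embedding userPassword in the LDIF.
    ldappasswd -x -H "ldap://$2" -D "cn=Directory Manager" -W -S \
        "uid=skumar,ou=Support Division,$1"
}

# Verify, listing only the DNs of the OU, its group and its user:
#   ldapsearch -x -H ldap://ldap.example.com -b "ou=Support Division,dc=example,dc=com" \
#       "(|(objectClass=organizationalUnit)(objectClass=groupOfUniqueNames)(uid=skumar))" dn
```

The user entry is written before the group so that the group's uniqueMember already refers to an existing entry when the LDIF is applied.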

In my personal experience, 389 DS is much easier than OpenLDAP in terms of installation and configuration. We will see how to configure client systems to authenticate against the LDAP server in the next article.

Have a Good day!

Source & Reference: http://directory.fedoraproject.org/wiki/Main_Page

Setup LDAP Server in CentOS, RHEL, Scientific Linux 6.5/6.4/6.3