1.1. Directory Server Components
Directory Server 9.0 is made up of several components, which work in tandem:
The Directory Server is the core LDAP server daemon. It is compliant with LDAP v3 standards. This component includes command-line server management and administration programs and scripts for common operations like exporting and backing up databases.
The Directory Server Console is
the user interface that simplifies managing users, groups, and other LDAP data
for your enterprise. The Console is used for all aspects of server management,
including making backups; configuring security, replication, and databases;
adding entries; and monitoring servers and viewing statistics.
The Admin Server is the management agent which administers Directory Servers. It communicates with the Directory Server Console and performs operations on the Directory Server instances. It also provides a simple HTML interface and on-line help pages. There must be one Admin Server running on each machine which has a Directory Server instance running on it.
1.2. Considerations before Setting up
Directory Server
It is best to have the local hosts file and DNS properly configured for the server. Remote clients and server-to-server operations like replication require that other machines be able to resolve the hostname of the Directory Server's host. Likewise, both TLS/SSL and SASL/Kerberos require an accurate fully-qualified domain name for their configuration.
1.2.2.
Port Numbers
The Directory Server setup requires two TCP/IP port numbers: one for the Directory Server and one for the Admin Server. These port numbers must be unique.
The Directory Server instance (LDAP) has a default port number of 389. The Admin Server port number has a default of 9830. If the default port number for either server is in use, then the setup program randomly generates a port number larger than 1024 to use as the default. Alternatively, you can assign any port number between 1025 and 65535 for the Directory Server and Admin Server ports; you are not required to use the defaults or the randomly-generated ports.
For LDAPS (LDAP over TLS/SSL), the default port number is 636.
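Because the setup program silently falls back to a random port when a default is taken, it is worth knowing before you start which of 389, 636 and 9830 are already bound. The script below is an added example and is not part of the Red Hat guide; it reads the Linux socket table (/proc/net/tcp and /proc/net/tcp6, where ports are hex and state 0A is LISTEN) and takes the file names as arguments so it can also be run against a saved copy. The table written by demo() is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the installation guide: find out before running setup
# whether the ports it needs (389 and 9830 by default, 636 for LDAPS) are already
# bound, so the port is chosen deliberately instead of accepting the random one
# the setup program falls back to.
#
# The socket table is read from /proc/net/tcp and /proc/net/tcp6 (Linux). The
# functions take the file names as arguments so they can run against a saved
# copy; the sample table written by demo() is constructed.

# listening_ports FILE... : decimal port of every socket in LISTEN state (0A)
listening_ports() {
    awk 'function hex2dec(h,    i, d) {
             d = 0
             for (i = 1; i <= length(h); i++)
                 d = d * 16 + index("0123456789ABCDEF", toupper(substr(h, i, 1))) - 1
             return d
         }
         # columns: sl local_address rem_address st ...; address is HEXIP:HEXPORT
         FNR > 1 && $4 == "0A" { n = split($2, a, ":"); print hex2dec(a[n]) }' "$@" |
        sort -un
}

# port_in_use PORT FILE... : 0 when PORT is listening in the given tables
port_in_use() {
    port=$1
    shift
    listening_ports "$@" | grep -qx "$port"
}

# check_ds_ports FILE... : report the default ports; returns 1 if any is taken
check_ds_ports() {
    rc=0
    for p in 389 636 9830; do
        if port_in_use "$p" "$@"; then
            echo "port $p is already in use"
            rc=1
        else
            echo "port $p is free"
        fi
    done
    return $rc
}

# demo: a constructed /proc/net/tcp with sshd on 22 (0x0016), something already
# bound to 389 (0x0185) and only an ESTABLISHED (state 01) connection on 9830 (0x2666)
demo() {
    f=${TMPDIR:-/tmp}/tcp.sample.$$
    cat > "$f" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1
   1: 00000000:0185 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1
   2: 0100007F:2666 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 12347 1
EOF
    check_ds_ports "$f"
    rm -f "$f"
}
# On a live host: check_ds_ports /proc/net/tcp /proc/net/tcp6
```

Run check_ds_ports against both tables before launching setup-ds-admin.pl; if it reports 389 or 9830 as taken, pick the replacement port yourself at the prompt rather than accepting the generated one, and record it, since clients and the Console must be told about it.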
1.4. Overview of Setup
There are
three kinds of setup modes, depending on what you select when you first launch
the setup program:
Express: The fastest setup mode. This requires minimal interaction and uses default values for almost all settings. Because express installation does not offer the choice of selecting the Directory Server port number or the directory suffix, among other settings, Red Hat recommends that you not use it for production deployments. Also, express setups can fail if default configuration values are not available because there is no way to offer an alternative.
Typical: The default and most common setup mode. This
prompts you to supply more detailed information about the directory service,
like suffix and configuration directory information, while still proceeding
quickly through the setup process.
Custom: The most
detailed setup mode. This provides more control over Admin Server settings and
also allows data to be imported into the Directory Server at setup, so that
entries are already populated in the databases when the setup is complete.
Chapter 2. System Requirements
Before
configuring the default Red Hat Directory Server 9.0 instances, it is important
to verify that the host server has the required system settings and
configuration:
· The system must have the required packages, patches, and kernel parameter settings.
· DNS must be properly configured on the target system.
· The host server must have a static IP address (IPv4 or IPv6).
2.1.
General Hardware Requirements
Red Hat recommends a minimum of 4 GB of disk space for a typical installation, while directories with more than a million entries can require 8 GB or more. Red Hat suggests 1 GB of RAM.
Chapter 3. Setting up Red Hat Directory Server
on Red Hat Enterprise Linux
Installing
and configuring Red Hat Directory Server on Red Hat Enterprise Linux has three
major steps:
3.1.
Installing OpenJDK
The necessary Java libraries are not bundled with Directory Server. They must be downloaded and installed separately before installing the Directory Server packages. Directory Server 9.0 requires Sun JDK 1.6.0 or OpenJDK 1.6.0.
To install
OpenJDK:
# yum install java-1.6.0-openjdk
After installing the JDK, run /usr/sbin/alternatives as root to ensure that the proper JDK is selected:
# /usr/sbin/alternatives --config java
There are 3 programs which provide 'java'.
  Selection    Command
-----------------------------------------------
   1           /usr/lib/jvm/jre-1.4.2-gcj/bin/java
   2           /usr/lib/jvm/jre-1.6.0-openjdk/bin/java
*+ 3           /usr/lib/jvm/jre-1.6.0-sun.x86_64/bin/java
3.2.
Installing the Directory Server Packages
There are
two main packages to install: the base server package (redhat-ds) and
the console
package (redhat-ds-console).
After the packages are installed, then the setup script must be run to create
the server instance.
The simplest method to install the packages is using the native tools (yum) on Red Hat Enterprise Linux:
# yum install redhat-ds
It is also
possible to install the Directory Server packages from media:
1. Go to http://access.redhat.com. Downloading packages from Red Hat Network requires specific entitlements for the account for the 9.0 release.
2. Click the Downloads tab, and select the Red Hat Enterprise Linux channels.
4. Select the architecture.
5. Download the packages from Red Hat Network, and burn them to CD or DVD.
6. Insert the media; the system should automatically recognize and mount the disc.
7. There is no autorun feature with the Directory Server packages, so open the directory on the disc containing the Directory Server packages. For example:
# cd /mnt/Packages
8. Install everything in the directory with yum, skipping the -devel and -debuginfo packages. Check the package signatures first (rpm -K *.rpm) so that only packages signed with the Red Hat key are installed from the media:
# ls *.rpm | egrep -iv -e devel -e debuginfo | xargs yum install -y
3.4.
Typical Setup
The
typical setup process is the most commonly-used setup process. It offers
control over the ports for the Directory and Admin Servers, the domain name,
and directory suffix.
1. After the Directory Server packages are installed, launch the setup-ds-admin.pl script:
# /usr/sbin/setup-ds-admin.pl
You can also run the script with the --keepcache option:
# /usr/sbin/setup-ds-admin.pl --keepcache
This keeps a .inf file in the /tmp directory containing all the information passed during the setup, which can be reused for a silent setup. The file holds the Directory Manager and administrator passwords in clear text, so restrict its permissions or delete it as soon as you have copied it somewhere safe.
The script also accepts parameters on the command line, or a configuration file to take its settings from.
2. Select y
to accept the Red Hat licensing terms.
3. The dsktune
utility runs. Select y to continue with the setup.
dsktune checks the available disk space, processor type, physical memory, and other system data and settings such as TCP/IP ports and file descriptor settings. If your system does not meet these basic Red Hat Directory Server requirements, dsktune returns a warning. dsktune warnings do not block the setup process; simply enter y to go to the next step.
4. Next,
choose the setup type. Accept the default, option 2, to perform a
typical setup.
5. Set the computer name of the machine on which the Directory Server is being configured. This defaults to the fully-qualified domain name (FQDN) for the host. For example:
Computer name [ldap.example.com]:
Note: The hostname is very important. It is used to generate the Directory Server instance name, the admin domain, and the base suffix, among others. If you are using SSL/TLS or Kerberos, the computer name must be the exact name that clients use to connect to the system. If you will use DNS, make sure the name resolves to a valid IP address (IPv4 or IPv6) and that the IP address resolves back to this name.
6. Set the
user and group as which the Directory Server process will run. The default is
nobody:nobody.
For example:
System User [nobody]:
System Group [nobody]:
7. The
next step allows you to register your Directory Server with an existing
Directory Server
instance,
called the Configuration Directory Server. This registers the new
instance so it can be
managed by
the Console. If this is the first Directory Server instance set up on your
network, it is not possible to register it with another directory. Select n to
set up this Directory Server as a
Configuration
Directory Server and move to the next typical install step, setting up the
administrator
user.
8. Set the
administrator username. The default is admin.
9. Set the
administrator password and confirm it.
10. Set the administration domain. This defaults to the host's domain. For example:
Administration Domain [example.com]:
11. Enter
the Directory Server port number. The default is 389, but if that port
is in use, the setup program supplies a randomly generated one.
Directory server network port [30860]: 1025
12. Enter
the Directory Server identifier; this defaults to the hostname.
Directory
server identifier [example]:
The server
identifier must not contain a period (.) or space character.
13. Enter
the directory suffix. This defaults to dc=domain name. For
example:
Suffix [dc=example,dc=com]:
14. Set
the Directory Manager username. The default is cn=Directory Manager.
15. Set
the Directory Manager password and confirm it.
16. Enter
the Admin Server port number. The default is 9830, but if that port is
in use, the setup
program
supplies a randomly generated one.
Administration port [9830]:
17. The
last screen asks if you are ready to set up your servers. Select yes.
Are you ready to set up your servers? [yes]:
Creating directory server . . .
Your new DS instance 'example2' was successfully created.
Creating the configuration directory server . . .
Beginning Admin Server reconfiguration . . .
Creating Admin Server files and directories . . .
Updating adm.conf . . .
Updating admpw . . .
Registering admin server with the configuration directory server . . .
Updating adm.conf with information from configuration directory server . . .
Updating the configuration for the httpd engine . . .
Restarting admin server . . .
The admin server was successfully started.
Admin server was successfully reconfigured and started.
Exiting . . .
Log file is '/tmp/setupulSykp.log'
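Once you have answered these prompts by hand on one host, the same answers can be fed to setup-ds-admin.pl in silent mode on the next. The script below is an added example and is not code from the guide or from Red Hat. It writes a setup .inf with the walk-through's values (hostname ldap.example.com, suffix dc=example,dc=com, identifier example, ports 389 and 9830), takes the two passwords from the environment variables RDS_DM_PASSWORD and RDS_ADMIN_PASSWORD (names assumed here) so they never appear on a command line, and creates the file with mode 0600 because the .inf must carry those passwords in clear text. The section and key names follow the RHDS 9 silent-setup .inf format; compare them against a file produced by --keepcache on your own host before relying on them.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide: produce a silent-setup .inf for
# setup-ds-admin.pl with the answers the typical setup asks for, created with
# mode 0600 so the clear-text passwords it must contain are never world-readable.
#
# Assumptions (not from the page): passwords come from RDS_DM_PASSWORD and
# RDS_ADMIN_PASSWORD; the other values default to the walk-through's examples
# and can be overridden with RDS_HOST, RDS_DOMAIN, RDS_IDENT, RDS_SUFFIX,
# RDS_LDAP_PORT and RDS_ADMIN_PORT. Section and key names follow the RHDS 9
# silent-setup .inf format; compare against a --keepcache file from your host.

# write_setup_inf OUTFILE : write the .inf, return 1 on bad input
write_setup_inf() {
    outfile=$1
    host=${RDS_HOST:-ldap.example.com}
    domain=${RDS_DOMAIN:-example.com}
    ident=${RDS_IDENT:-example}
    suffix=${RDS_SUFFIX:-dc=example,dc=com}
    ldap_port=${RDS_LDAP_PORT:-389}
    admin_port=${RDS_ADMIN_PORT:-9830}

    # never emit a file with empty passwords
    if [ -z "$RDS_DM_PASSWORD" ] || [ -z "$RDS_ADMIN_PASSWORD" ]; then
        echo "RDS_DM_PASSWORD and RDS_ADMIN_PASSWORD must be set" >&2
        return 1
    fi
    # the server identifier must not contain a period or a space
    case $ident in
        *.*|*' '*) echo "invalid ServerIdentifier: $ident" >&2; return 1 ;;
    esac
    # the two ports must differ, as the setup program requires
    if [ "$ldap_port" = "$admin_port" ]; then
        echo "LDAP and Admin Server ports must be different" >&2
        return 1
    fi

    # umask 077 in a subshell: the file is created 0600 from the first byte
    (
        umask 077
        cat > "$outfile" <<EOF
[General]
FullMachineName = $host
SuiteSpotUserID = nobody
SuiteSpotGroup = nobody
AdminDomain = $domain
ConfigDirectoryAdminID = admin
ConfigDirectoryAdminPwd = $RDS_ADMIN_PASSWORD
ConfigDirectoryLdapURL = ldap://$host:$ldap_port/o=NetscapeRoot

[slapd]
SlapdConfigForMC = Yes
UseExistingMC = 0
ServerPort = $ldap_port
ServerIdentifier = $ident
Suffix = $suffix
RootDN = cn=Directory Manager
RootDNPwd = $RDS_DM_PASSWORD
AddSampleEntries = No

[admin]
Port = $admin_port
ServerAdminID = admin
ServerAdminPwd = $RDS_ADMIN_PASSWORD
EOF
    )
}

# inf_is_private FILE : 0 when the file exists with mode 0600
inf_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null) || return 1
    [ "$mode" = "600" ]
}

# On the target host (not run here): write, verify, set up, then remove the file.
#   write_setup_inf /root/setup.inf && inf_is_private /root/setup.inf &&
#       /usr/sbin/setup-ds-admin.pl --silent --file=/root/setup.inf
#   rm -f /root/setup.inf
```

Keep the .inf outside /tmp, remove it as soon as setup has finished, and never commit it to a configuration repository: it is equivalent to the Directory Manager credential.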
When the setup-ds-admin.pl script is done, the Directory Server is configured and running. Log into the Directory Server Console to begin setting up the directory service:
1. Get the Admin Server port number from the Listen parameter in the console.conf configuration file.
# grep \^Listen /etc/dirsrv/admin-serv/console.conf
Listen 0.0.0.0:9830
The 0.0.0.0 address means the Admin Server accepts connections on every interface of the host, which is why the IP restrictions described in Section 4.1.1 matter.
2. Using
the Admin Server port number, launch the Console.
# /usr/bin/redhat-idm-console -a http://localhost:9830
Chapter 4. Advanced Setup and Configuration
4.1.
Working with Admin Server Instances
There are two additional setup steps that can be done with the Admin Server. The first allows the Admin Server to be accessed by remote clients, so that users can install and launch the Directory Server Console and still access the remote Directory Server files, such as help files. The second allows proxy HTTP servers to be used for the Admin Server.
4.1.1.
Configuring IP Authorization on the Admin Server
The
Directory Server Console can be launched from remote machines to access an
instance of
Directory
Server. The client running Directory Server Console needs access to the Admin
Server to access support files like the help content and documentation.
To
configure the Admin Server to accept the client IP address:
1. On the same machine on which the Admin Server is running, launch the Console.
# redhat-idm-console
2. In the Admin Server Console, click the Configuration tab, then click the Network tab.
3. In the Connection Restrictions Settings section, select IP Addresses to Allow from the pull-down menu.
4. Click Edit.
5. In the IP Addresses field, enter the addresses that are allowed to reach the Admin Server. A wildcard allows every address; for example, for IPv4:
*.*.*.*
Both IPv4 and IPv6 addresses are supported. An allow-all wildcard is fine for a lab, but for a production server list only the administrator workstations: this setting is the only network-level restriction on who can reach the Admin Server, which manages every Directory Server instance on the host.
6. Restart the Admin Server.
Note: The setup scripts can be used to create additional instances of Directory Server on the same machine or on different machines than the first instance. The setup-ds-admin.pl script can install both the Directory Server and Admin Server, while the setup-ds.pl script installs only the Directory Server.
Note: First restart the Admin Server and then the Directory Server.
Administration:
Client configuration:
1. Install the required packages:
# yum -y install openldap-clients authconfig nss-pam-ldapd
2. In the file /etc/sysconfig/authconfig, change:
FORCELEGACY=no
to
FORCELEGACY=yes
3. Run authconfig-tui and point the client to the Directory Server (server URI and base DN). Select Use TLS and supply the server's CA certificate so that LDAP binds and lookups are not sent in the clear:
# authconfig-tui
4. Now check whether the users created in the directory are resolved on the client:
# getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
rtkit:x:499:497:RealtimeKit:/proc:/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
saslauth:x:498:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
pulse:x:497:496:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
nslcd:x:65:55:LDAP Client User:/:/sbin/nologin
rc:*:10001:10001:rc:/home/rc:/bin/bash
dh:*:10002:10002:dh:/home/dh:/bin/bash
[root@rds2 ~]#
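Two things are worth verifying on the client after this: that nslcd actually talks to the server over TLS and checks its certificate (authconfig-tui without Use TLS leaves a plain ldap:// URI, and every bind then crosses the network in clear text), and which of the accounts in the getent output really come from the directory rather than the local passwd file. The script below is an added example, not part of the page; it assumes the nss-pam-ldapd keywords uri, ssl and tls_reqcert in /etc/nslcd.conf, and the configuration files and passwd lines written by demo() are constructed.

```shell
#!/bin/sh
# Added example, not from the page: two checks for a client that authconfig-tui
# has pointed at the Directory Server.
#   nslcd_tls_ok CONF           0 when nslcd reaches the server over TLS and
#                               verifies its certificate
#   ldap_accounts PASSWD GETENT prints the logins that NSS resolves but the
#                               local passwd file does not, i.e. directory users
# Assumptions: nss-pam-ldapd keywords (uri, ssl, tls_reqcert) in
# /etc/nslcd.conf; the sample inputs written by demo() are constructed.

nslcd_tls_ok() {
    # drop comments and squeeze whitespace so keyword matches are simple
    cfg=$(sed -e 's/#.*//' -e 's/[[:space:]][[:space:]]*/ /g' "$1") || return 1
    encrypted=1
    verified=1
    # encrypted transport: ldaps:// or ldapi:// URI, or plain ldap:// plus STARTTLS
    uri=$(printf '%s\n' "$cfg" | grep '^uri ' | head -n 1)
    case $uri in
        'uri ldaps://'*|'uri ldapi://'*) encrypted=0 ;;
        'uri ldap://'*) printf '%s\n' "$cfg" | grep -q '^ssl start_tls' && encrypted=0 ;;
    esac
    # without "tls_reqcert demand" nslcd accepts any certificate, so TLS alone
    # does not stop a man-in-the-middle from harvesting the binds
    printf '%s\n' "$cfg" | grep -q '^tls_reqcert demand' && verified=0
    [ "$encrypted" -eq 0 ] && [ "$verified" -eq 0 ]
}

ldap_accounts() {
    # first file: local passwd; second file: getent passwd output
    awk -F: 'NR == FNR { local[$1] = 1; next } !($1 in local) { print $1 }' "$1" "$2"
}

# demo: constructed inputs showing the failure mode and the corrected config
demo() {
    dir=${TMPDIR:-/tmp}/nslcd-demo.$$
    mkdir -p "$dir"
    # authconfig-tui without "Use TLS" leaves exactly this: clear-text LDAP
    cat > "$dir/nslcd-plain.conf" <<'EOF'
uid nslcd
gid ldap
uri ldap://ldap.example.com/
base dc=example,dc=com
EOF
    cat > "$dir/nslcd-tls.conf" <<'EOF'
uid nslcd
gid ldap
uri ldap://ldap.example.com/
base dc=example,dc=com
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/openldap/cacerts/ca.crt
EOF
    for f in nslcd-plain.conf nslcd-tls.conf; do
        if nslcd_tls_ok "$dir/$f"; then echo "$f: ok"; else echo "$f: INSECURE"; fi
    done
    printf 'root:x:0:0:root:/root:/bin/bash\nnobody:x:99:99:Nobody:/:/sbin/nologin\n' \
        > "$dir/passwd"
    { cat "$dir/passwd"
      printf 'rc:*:10001:10001:rc:/home/rc:/bin/bash\ndh:*:10002:10002:dh:/home/dh:/bin/bash\n'
    } > "$dir/getent"
    echo "directory-sourced accounts:"
    ldap_accounts "$dir/passwd" "$dir/getent"
    rm -rf "$dir"
}
# On a client: nslcd_tls_ok /etc/nslcd.conf; getent passwd > /tmp/g; ldap_accounts /etc/passwd /tmp/g
```

On the rds2 client above the second check would print only rc and dh, the two accounts whose password field is "*" because the hashes stay in the directory; everything else in that listing is local.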