How to setup the CentOS Directory Server (389 Directory Server)
1 Introduction
This document describes the installation of the CentOS Directory Server on a CentOS 5 server. The CentOS Directory Server is the CentOS distribution of the 389 Directory Server, which was formerly known as the Fedora Directory Server. The Fedora Directory Server project changed its name to 389DS in May 2009.
2 CentOS 5 Server Installation
- Download CentOS 5 DVD ISO from http://mirror.centos.org/centos/5/isos/ (the i386 ISO was used in this HowTo)
- Install package group "Server - GUI". Uncheck all other groups.
- Configure interface eth0 with a static IP
- Set hostname to centos-ds.mydomain.de
- Disable firewall and SELinux
- Enable NTP service
- Create user "sysadmin"
- Reboot
- SSH login as user root
- yum install firefox (optional)
- yum update
- Reboot
- Optional installation of VMware Tools (if the server runs virtualized)
- Optional installation of the VNC Server
- Optional for vi users: ln -fs /usr/bin/vim /usr/local/bin/vi
3 Installation of the SSL setup script
This installs a modified version of the SSL setup script from Rich Megginson.
rpm -Uvh http://repo.neddix.com/centos/5/neddix/i386/RPMS/centos-neddix-repository-1.0.0-1.el5.nx.i386.rpm
yum --enablerepo=neddix install centos-ds-sslsetup
4 Directory Server Setup
Login as user root over ssh or run
su - root
in a terminal window.
4.1 Add User
The directory service will run under this user account.
useradd centos-ds
4.2 Install Packages
yum install centos-ds openldap-clients
4.3 Verify DNS
Before you continue with the setup, verify that your DNS settings are correct: both localhost and centos-ds must resolve to 127.0.0.1.
ping -c 1 localhost
Response: 64 bytes from centos-ds.mydomain.de (127.0.0.1): icmp_seq=1 ttl=64 time=0.060 ms
ping -c 1 centos-ds
Response: 64 bytes from centos-ds.mydomain.de (127.0.0.1): icmp_seq=1 ttl=64 time=0.060 ms
4.4 Run Setup
Set the TCP keepalive time to 5 minutes
echo 300 > /proc/sys/net/ipv4/tcp_keepalive_time
Increase the number of file descriptors
ulimit -n 8192
echo "* soft nofile 8192" >> /etc/security/limits.conf
echo "* hard nofile 8192" >> /etc/security/limits.conf
echo "ulimit -n 8192" >> /etc/profile
Run the configuration script
setup-ds-admin.pl
You are now asked a number of questions. In most cases the default values are fine and you can simply hit the enter key. The questions are listed below; replace mydomain.de with your own domain name.
- Would you like to continue with set up? [yes]: hit enter key
- Do you agree to the license terms? [no]: y
- Would you like to continue? [no]: y
- Choose a setup type [2]: hit enter key
- Computer name [centos-ds.mydomain.de]: hit enter key
- System User [nobody]: centos-ds
- System Group [nobody]: centos-ds
- Do you want to register this software with an existing configuration directory server? [no]: hit enter key
- Configuration directory server administrator ID [admin]: hit enter key
- Password:
- Password (confirm):
- Administration Domain [mydomain.de]: hit enter key
- Directory server network port [389]: hit enter key
- Directory server identifier [centos-ds]: hit enter key
- Suffix [dc=mydomain, dc=de]: hit enter key
- Directory Manager DN [cn=Directory Manager]: hit enter key
- Password:
- Password (confirm):
- Administration port [9830]: hit enter key
- Are you ready to set up your servers? [yes]: hit enter key
If everything worked, the script shows this output:
Creating directory server . . .
Your new DS instance 'centos-ds' was successfully created.
Creating the configuration directory server . . .
Beginning Admin Server creation . . .
Creating Admin Server files and directories . . .
Updating adm.conf . . .
Updating admpw . . .
Registering admin server with the configuration directory server . . .
Updating adm.conf with information from configuration directory server . . .
Updating the configuration for the httpd engine . . .
Starting admin server . . .
The admin server was successfully started.
Admin server was successfully created, configured, and started.
Exiting . . .
Log file is '/tmp/setupAVvnGF.log'
Make the increased number of file descriptors available to the directory server. Edit /etc/sysconfig/dirsrv and uncomment this line:
ulimit -n 8192
Add the new limit to cn=config
echo -e "dn: cn=config\nnsslapd-maxdescriptors: 8192\n" | ldapmodify -x -h localhost -D "cn=Directory Manager" -W
service dirsrv restart
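The file-descriptor steps above append lines to /etc/security/limits.conf and /etc/profile with echo, so running them a second time leaves duplicate entries. The following helper, added here and not part of the original HowTo, applies the same settings idempotently and also uncomments the ulimit line in /etc/sysconfig/dirsrv; file paths are passed as arguments so it can be tried on constructed copies first.

```shell
#!/bin/sh
# Added helper (not part of the original HowTo): apply the section 4.4
# file-descriptor settings without duplicating lines on re-runs.

# Append LINE to FILE only if an identical line is not already present.
ensure_line() {
    file=$1; line=$2
    grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

# Uncomment a line that reads "#ulimit -n LIMIT" (spaces after '#' allowed);
# if the file has no such line at all, append the active line instead.
uncomment_ulimit() {
    file=$1; limit=$2
    if grep -qE "^#[[:space:]]*ulimit -n $limit\$" "$file"; then
        sed -i -E "s/^#[[:space:]]*(ulimit -n $limit)\$/\1/" "$file"
    else
        ensure_line "$file" "ulimit -n $limit"
    fi
}

# $1 = limits.conf, $2 = profile, $3 = sysconfig/dirsrv, $4 = limit (8192)
apply_fd_limits() {
    limit=${4:-8192}
    ensure_line "$1" "* soft nofile $limit"
    ensure_line "$1" "* hard nofile $limit"
    ensure_line "$2" "ulimit -n $limit"
    uncomment_ulimit "$3" "$limit"
}

# Print how many times LINE occurs in FILE (used to verify idempotency).
count_line() {
    grep -cxF -- "$2" "$1" || true
}
```

Run it against the real files as root, e.g. apply_fd_limits /etc/security/limits.conf /etc/profile /etc/sysconfig/dirsrv, once the constructed test passes.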
5 Configure openldap-client tools
Add the following lines to /etc/openldap/ldap.conf
BASE dc=mydomain,dc=de
HOST localhost
PORT 389
6 Configure Services to start up at Boot Time
chkconfig dirsrv on
chkconfig dirsrv-admin on
7 Running the Administration Console
Open a terminal and run the command
centos-idm-console &
8 Create Certificate for secure ldaps connections
This script creates certificates with a lifetime of 10 years.
ds-ssl-setup /etc/dirsrv/slapd-centos-ds # where centos-ds is the name of the server instance
9 Samba Schema
If you want a Samba server to use CentOS-DS as its database backend, you need to set up the Samba schema. This makes the Samba object classes available in the directory.
wget http://port389.org/download/ol-schema-migrate.pl
perl ol-schema-migrate.pl -b /usr/share/doc/samba-*/LDAP/samba.schema > /etc/dirsrv/slapd-centos-ds/schema/61samba.ldif
service dirsrv restart
10 References
- Read-Write Replica: Setup of Centos Directory Server Read-Write Replicas
- 389DS Wiki: http://port389.org
- Documentation: http://www.redhat.com/docs/manuals/dir-server/
- Manual: http://www.redhat.com/docs/manuals/dir-server/ag/8.0/
- Useful scripts used with Fedora Directory Server: http://github.com/richm/scripts/tree/master