[DNS Caching Server - CentOS]: Setup Caching-Only DNS Server Using “Bind” in CentOS 6.5

Setup Caching-Only DNS Server Using “Bind” in CentOS 6.5

 

There are several type of DNS servers such as master, slave, forwarding and cache, among them Caching-Only DNS is the one, which is easier to setup. DNS use UDP protocol so it will reduce the query time because UDP protocol does not have an acknowledgement.

The caching-only DNS server is also known as a resolver. It will query DNS records and get all DNS information from other servers and stores the each query request in its cache for later use. While we are querying same request for the second time, it will serve from its cache, this way it reduces query time.

My Testing Environment

IP Address : 192.168.0.200
Host-name : dns.tecmintlocal.com
OS  : Centos 6.5 Final
Ports Used : 53
Config File : /etc/named.conf
script file : /etc/init.d/named

Step 1: Installing Caching-Only DNS

1. The Caching-Only DNS, can be installed by using package ‘bind‘. Let’s do a small search for the package name if we don’t remember the fill package name using below command.

# yum search bind

Search Bind Package

2. In the above result, you see the packages that displayed. From that we need to choose the 'bind' and 'bind-utils' packages, let's install them using following 'yum' command.

# yum install bind bind-utils -y

Install DNS Utils

Step 2: Configure Caching-Only DNS

3. Once, DNS packages are installed, move forward to configure DNS. Open and edit ‘named.conf‘ file using vim editor.

# vim /etc/named.conf

4. Next, make changes as suggested below or you can use your settings as per your requirements. Following are the changes, that we need to do for a caching-only DNS server. Here, by default the localhost will be there, we need to add the ‘any‘ to accept query from any range of network.

listen-on port 53 { 127.0.0.1; any; };
allow-query     { localhost; any; };
allow-query-cache       { localhost; any; };

Configure Caching Only DNS

1. listen-on port 53 – This say that Cache server want to use the port 53 for query.
2. allow-query – This Specifies which ip address may query the server, here I have defined for localhost, from anywhere anyone can send query.
3. allow-query-cache – This will add the query request to the bind.
4. recursion – This will query the answer and give back to us, during query it may send query to other DNS server over the internet and pull back the query.

5. After editing the file, we have to confirm whether the ‘named.conf‘ files ownership was not changed from root:named, because the DNS runs under a system user named.

# ls -l /etc/named.conf
# ls -l /etc/named.rfc1912.zones

6. If the server enabled with selinux, after editing ‘named.conf‘ file, we need to check for the selinux context, every named config files need to be in “system_u:object_r:named_conf_t:s0” context as shown in the image below.

# ls -lZ /etc/named.conf
# ls -lZ /etc/named.rfc1912.zones

Okay, here we need to test DNS configuration now for some syntax error, before starting the bind service, if any error found some can be traced from /var/messages too.

# named-checkconf /etc/named.conf

After the syntax check results seems perfect, restart the service to take effect for above changes and make the service to run persistent while reboot the server and confirm the same.

# /etc/init.d/named restart
# chkconfig named on
# chkconfig --list named

Configure and Start DNS

7. Next, open the port 53 on the firewall to allow the access.

# iptables -I INPUT -p udp --dport 53 -j ACCEPT

Iptables Open DNS Port

Step 4: Chroot Caching-Only DNS

8. If you want to run the DNS caching-server under chroot environment, you need to install the chroot package only, no need of further configuration, as it by default hard-link to chroot.

# yum install bind-chroot -y

Once chroot package has been installed, you can restart the named service to take new changes.

# /etc/init.d/named restart

9. Once you restart named service, it automatically create a hard-link from the /etc/named config files to /var/named/chroot/etc/ directory. To confirm, just use the cat command under /var/named/chroot.

# sudo cat /var/named/chroot/etc/named.conf

Chroot Caching Only DNS

In the above configuration, you will see the same /etc/named.conf configuration, as it will be replaced while installing bind-chroot package.

Step 5: Client Side DNS Setup

10. Add the DNS caching servers IP 192.168.0.200 as resolver to the client machines.
In Debian based machines it will be under /etc/resolv.conf and in RPM based machines it will be under setup command or we can edit manually under /etc/sysconfig/network-scripts/ifcfg-eth0 file.
11. Finally it’s time to check our cache server using some tools. We can test using dig & nslookup commands in Linux systems, and in windows you can use the nslookup command.
Let’s query ‘facebook.com‘ for first time, so that it will cache its query.

# dig facebook.com

Check DNS using Dig

Now, issue again same query, you will get replied from our cache server till it expires.

# dig facebook.com

Check DNS Cache

Use ‘nslookup‘ command to confirm the same.

# nslookup facebook.com

Check DNS Query Cache

To read more about dig and nslookup command examples and usage, use the following links.

1. 8 nslookup commands and usage
2. 10 dig commands and usage

Here we have seen how successfully we have setup a DNS caching-only server using bind package and also secured it using chroot package.

 

[LDAP Client]: Configure Linux Clients To Authenticate Using OpenLDAP

Configure Linux Clients To Authenticate Using OpenLDAP

This is the continuation of our previous tutorial. In our previous tutorial we learned how to install and configure OpenLDAP server on Debian and Ubuntu systems. In this guide let us see how to a authenticate a Linux client using OpenLDAP server. This guide was tested on Debian 7 Desktop, although it will work on all Debian and Ubuntu derivatives. If you encounter any difficulties, do let me know. I will check and update this how-to.

Install LDAP client package on Debian 7

I assume that you’ve have a working LDAP server already. Now let us install the required packages in our LDAP client. All steps should be done by ‘root’ user or use ‘sudo’ in-front of every command.

# apt-get install libnss-ldap libpam-ldap nscd

During installation, you will be asked a variety of questions. Read them carefully and enter the appropriate values.

First enter the ldap server IP address as shown in the below screenshot.

Note that you should enter LDAP server URI as ldap://ip-address-of-ldapserver/.

Then enter the distinguished name of the search base. This value should match as per your LDAP server /etc/phpldaadmin/config.php file values. In my case it’s dc=unixmen, dc=com.

Select Ldap version to use as 3.

Enter LDAP administrative account details. In our case it was: cn=admin, dc=unixmen.com, dc=com.

Enter LDAP administrative password:

The next window will say that you have to manually edit nsswitch.conf file. Click Ok to continue.

Now the libnss-ldap package has been installed. Now the above questions will be repeated for libpam-ldap.

We don’t need to act the client LDAP admin account as local root, hence we will select No.

Select No.

Now let us reconfigure libnss-ldap to improve debconf configuration by entering the following command:

# dpkg-reconfigure libnss-ldap

Make sure that the LDAP server URI is correct.

Make sure that the LDAP server search base:

LDAP version to use:

LDAP database doesn’t require login, hence we select No.

Select No.

Select No.

Select Ok.

That’s it. Now we have installed ldap client packages. 

Configure Client

We should tell our client system to look for LDAP server by adjusting their configuration files.

To do so, First edit file /etc/ldap/ldap.conf,

# nano /etc/ldap/ldap.conf

Uncomment the following lines and Enter your LDAP server search BASE and URI as shown below.

[...]
BASE    dc=unixmen,dc=com
URI     ldap://192.168.1.200
[...]

Edit file /etc/nsswitch.conf,

# nano /etc/nsswitch.conf

Find the following three lines and adjust them as shown below.

[...]
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
[...]
netgroup:       ldap
[...]

Now restart nscd service:

# /etc/init.d/nscd restart

PAM Configuration

Now we should verify the PAM configuration. The PAM configuration is modified during libnss-ldap installation. But it is advisable to verify the PAM configuration files as look like below.

Edit file /etc/pam.d/common-auth,

# nano /etc/pam.d/common-auth

Make sure this file contains the following lines.

[...]
auth    [success=2 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    [success=1 default=ignore]      pam_ldap.so use_first_pass
[...]
auth    requisite                       pam_deny.so
[...]
auth    required                        pam_permit.so
[...]

Edit file /etc/pam.d/common-account,

# nano /etc/pam.d/common-account

[...]
account [success=2 new_authtok_reqd=done default=ignore]        pam_unix.so
account [success=1 default=ignore]      pam_ldap.so
[...]
account requisite                       pam_deny.so
[...]
account required                        pam_permit.so
[...]

Edit file nano /etc/pam.d/common-password,

# nano /etc/pam.d/common-password

[...]
password        [success=2 default=ignore]      pam_unix.so obscure sha512
password        [success=1 user_unknown=ignore default=die]     pam_ldap.so use_authtok try_first_pass
[...]
password        requisite                       pam_deny.so
[...]
password        required                        pam_permit.so
[...]

Edit file /etc/pam.d/common-session,

# nano /etc/pam.d/common-session

Add the following line at the bottom.

[...]
session  required                                         pam_mkhomedir.so

The above line will create a HOME directory for LDAP users who does not have home directory when login to LDAP server.

Edit file /etc/pam.d/common-session-noninteractive,

# nano /etc/pam.d/common-session-noninteractive

[...]
session [default=1]                     pam_permit.so
[...]
session requisite                       pam_deny.so
[...]
session required                        pam_permit.so
[...]
session required        pam_unix.so
session optional                        pam_ldap.so

Restart nscd service to save changes.

# /etc/init.d/nscd restart

Log In To LDAP Server

Now we have configured our client to be able to log in to our OpenLDAP server. Let us try to login using any ldap users created in the openldap server. Please note that this user doesn’t exist in the local client system. Don’t be confused.

I have already created a user called “kumar” in my OpenLDAP server. Refer the section Sample Configuration in my previous tutorial. So let us login with user “kumar”.

Reboot your client system and try to login with your LDAP user from client system.

Enter LDAP user name.

Enter LDAP user password.

You will be able to log in to your client system with LDAP user.

Issue the print working directory (pwd) command from the Terminal:

You should see that the home directory you selected for your user on the LDAP server is being used on this machine. It has been created on-demand to serve the LDAP user.

You should now be able to authenticate multiple computers using a centralized LDAP server. Your LDAP users will be allowed to use any of the machines you configure in this way, as long as they have the valid login credentials.

Initially this how-to will look bit difficult, but if you follow the steps carefully you will be able to setup the complete LDAP server/client.

Good Luck!

Reference: Setup OpenLDAP On Debian

[LDAP using 389 - CentOS]: setup LDAP server using 389 Directory Server

setup LDAP server using 389 Directory Server

Features

– Multi-Master Replication, to provide fault tolerance and high write performance.
– Scalability: thousands of operations per second, tens of thousands of concurrent users, tens of millions of entries, hundreds of gigabytes of data.
– Active Directory user and group synchronization.
– Secure authentication and transport (SSLv3, TLSv1, and SASL).
– Support for LDAPv3.
– On-line, zero downtime, LDAP-based update of schema, configuration, management and in-tree Access Control Information (ACIs).
– Graphical console for all facets of user, group, and server management.

For the detailed explanation of key features please refer here.

Prerequisites

– The LDAP server should contain the valid FQDN. Add the ldap server details to your DNS server.
– Adjust the firewall to allow ldap ports.
– Enable EPEL and REMI repositories to avoid any dependencies problems.

Follow the below links to Add EPEL and REMI Repository.

– Install EPEL Repository on CentOS / RHEL / Scientific Linx 6.x

– Install REMI Repository on CentOS / RHEL / Scientific Linux 6.x

In this how-to my LDAP server details are given below.

Operating System : CentOS 6.5 server
Host name        : server.unixmen.local
IP Address       : 192.168.1.101/24.

Set your server fully qualified domain in /etc/hosts file.

Edit file /etc/hosts/,

# vi /etc/hosts

Add your hostname as shown below.

[...]
192.168.1.101   server.unixmen.local    server

Change the values as per your requirement. This tutorial will applicable for all RHEL/CentOS/SL 6.x series.

Firewall Configuration

Add the following ldap ports to your iptables. To do that, edit file “/etc/sysconfig/iptables”,

# vi /etc/sysconfig/iptables

Add the following lines.

[...]
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9830 -j ACCEPT
[...]

Restart firewall.

# service iptables restart

Performance and Security tuning for LDAP server

Before installing LDAP server, we have to adjust some files for performance and security.

Edit file “/etc/sysctl.conf”,

# vi /etc/sysctl.conf

Add the following lines at the end.

[...]
net.ipv4.tcp_keepalive_time = 300
net.ipv4.ip_local_port_range = 1024 65000
fs.file-max = 64000

Edit file “/etc/security/limits.conf”,

# vi /etc/security/limits.conf

Add the following lines at the bottom.

[...]
*               soft     nofile          8192   
*               hard     nofile          8192

Edit file “/etc/profile”,

# vi /etc/profile

Add the line at the end.

[...]
ulimit -n 8192

Edit file “/etc/pam.d/login”,

# vi /etc/pam.d/login

Add the line at the end.

[...]
session    required     /lib/security/pam_limits.so

Now Restart the server.

Install 389 Directory Server

Create a LDAP user account.

# useradd ldapadmin
# passwd ldapadmin

Now install 389 directory server using command:

# yum install -y 389-ds openldap-clients

Configure LDAP server

Now it’s time to configure LDAP server. It’s quite long way process. Run the following command to configure 389 directory server.

# setup-ds-admin.pl

You will be asked a couple of questions. Please read the instructions carefully and answer them accordingly.

If you made any mistake and want to go back to previous screen press CTRL+B and Enter. To cancel the setup press CTRL+C.

==============================================================================
This program will set up the 389 Directory and Administration Servers.
It is recommended that you have "root" privilege to set up the software.
Tips for using this program:
  - Press "Enter" to choose the default and go to the next screen
  - Type "Control-B" then "Enter" to go back to the previous screen
  - Type "Control-C" to cancel the setup program
Would you like to continue with set up? [yes]:   ## Press Enter ## 
==============================================================================
Your system has been scanned for potential problems, missing patches,
etc.  The following output is a report of the items found that need to
be addressed before running this software in a production
environment.
389 Directory Server system tuning analysis version 23-FEBRUARY-2012.
NOTICE : System is i686-unknown-linux2.6.32-431.el6.i686 (1 processor).
WARNING: 622MB of physical memory is available on the system. 1024MB is recommended for best performance on large production system.
WARNING  : The warning messages above should be reviewed before proceeding.
Would you like to continue? [no]: yes  ## Type Yes and Press Enter ##
==============================================================================
Choose a setup type:
   1. Express
       Allows you to quickly set up the servers using the most
       common options and pre-defined defaults. Useful for quick
       evaluation of the products.
   2. Typical
       Allows you to specify common defaults and options.
   3. Custom
       Allows you to specify more advanced options. This is 
       recommended for experienced server administrators only.
To accept the default shown in brackets, press the Enter key.
Choose a setup type [2]:  ## Press Enter ##
==============================================================================
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: eros.example.com.
To accept the default shown in brackets, press the Enter key.
Warning: This step may take a few minutes if your DNS servers
can not be reached or if DNS is not configured correctly.  If
you would rather not wait, hit Ctrl-C and run this program again
with the following command line option to specify the hostname:
    General.FullMachineName=your.hostname.domain.name
Computer name [server.unixmen.local]:     ## Press Enter ##
==============================================================================
he servers must run as a specific user in a specific group.
It is strongly recommended that this user should have no privileges
on the computer (i.e. a non-root user).  The setup procedure
will give this user/group some permissions in specific paths/files
to perform server-specific operations.
If you have not yet created a user and group for the servers,
create this user and group using your native operating
system utilities.
System User [nobody]: ldapadmin  ## Enter LDAP user name created above #
System Group [nobody]: ldapadmin
==============================================================================
Server information is stored in the configuration directory server.
This information is used by the console and administration server to
configure and manage your servers.  If you have already set up a
configuration directory server, you should register any servers you
set up or create with the configuration server.  To do so, the
following information about the configuration server is required: the
fully qualified host name of the form
<hostname>.<domainname>(e.g. hostname.example.com), the port number
(default 389), the suffix, the DN and password of a user having
permission to write the configuration information, usually the
configuration directory administrator, and if you are using security
(TLS/SSL).  If you are using TLS/SSL, specify the TLS/SSL (LDAPS) port
number (default 636) instead of the regular LDAP port number, and
provide the CA certificate (in PEM/ASCII format).
If you do not yet have a configuration directory server, enter 'No' to
be prompted to set up one.
Do you want to register this software with an existing
configuration directory server? [no]:   ## Press Enter ##
==============================================================================
Please enter the administrator ID for the configuration directory
server.  This is the ID typically used to log in to the console.  You
will also be prompted for the password.
Configuration directory server
administrator ID [admin]:   ## Press Enter ##
Password:    ## create password ##
Password (confirm):    ## re-type password ##
==============================================================================
The information stored in the configuration directory server can be
separated into different Administration Domains.  If you are managing
multiple software releases at the same time, or managing information
about multiple domains, you may use the Administration Domain to keep
them separate.
If you are not using administrative domains, press Enter to select the
default.  Otherwise, enter some descriptive, unique name for the
administration domain, such as the name of the organization
responsible for managing the domain.
Administration Domain [unixmen.local]:   ## Press Enter ##
==============================================================================
The standard directory server network port number is 389.  However, if
you are not logged as the superuser, or port 389 is in use, the
default value will be a random unused port number greater than 1024.
If you want to use port 389, make sure that you are logged in as the
superuser, that port 389 is not in use.
Directory server network port [389]:   ## Press Enter ##
==============================================================================
Each instance of a directory server requires a unique identifier.
This identifier is used to name the various
instance specific files and directories in the file system,
as well as for other uses as a server instance identifier.
Directory server identifier [server]:  ## Press Enter ##
==============================================================================
The suffix is the root of your directory tree.  The suffix must be a valid DN.
It is recommended that you use the dc=domaincomponent suffix convention.
For example, if your domain is example.com,
you should use dc=example,dc=com for your suffix.
Setup will create this initial suffix for you,
but you may have more than one suffix.
Use the directory server utilities to create additional suffixes.
Suffix [dc=unixmen, dc=local]:   ## Press Enter ##
=============================================================================
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and typically has a
bind Distinguished Name (DN) of cn=Directory Manager.
You will also be prompted for the password for this user.  The password must
be at least 8 characters long, and contain no spaces.
Press Control-B or type the word "back", then Enter to back up and start over.
Directory Manager DN [cn=Directory Manager]:   ## Press Enter ##
Password:               ## Enter the password ##
Password (confirm): 
==============================================================================
The Administration Server is separate from any of your web or application
servers since it listens to a different port and access to it is
restricted.
Pick a port number between 1024 and 65535 to run your Administration
Server on. You should NOT use a port number which you plan to
run a web or application server on, rather, select a number which you
will remember and which will not be used for anything else.
Administration port [9830]:   ## Press Enter ##
==============================================================================
The interactive phase is complete.  The script will now set up your
servers.  Enter No or go Back if you want to change something.
Are you ready to set up your servers? [yes]:  ## Press Enter ##
Creating directory server . . .
Your new DS instance 'server' was successfully created.
Creating the configuration directory server . . .
Beginning Admin Server creation . . .
Creating Admin Server files and directories . . .
Updating adm.conf . . .
Updating admpw . . .
Registering admin server with the configuration directory server . . .
Updating adm.conf with information from configuration directory server . . .
Updating the configuration for the httpd engine . . .
Starting admin server . . .
output: Starting dirsrv-admin: 
output:                                                    [  OK  ]
The admin server was successfully started.
Admin server was successfully created, configured, and started.
Exiting . . .
Log file is '/tmp/setupo1AlDy.log'

Make the LDAP server daemon to start automatically on every reboot.

# chkconfig dirsrv on
# chkconfig dirsrv-admin on

Test LDAP Server

Now let us test our LDAP Server now for any errors using following command.

# ldapsearch -x -b "dc=unixmen,dc=local"

Sample output:

# extended LDIF
#
# LDAPv3
# base <dc=unixmen,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# unixmen.local
dn: dc=unixmen,dc=local
objectClass: top
objectClass: domain
dc: unixmen
# Directory Administrators, unixmen.local
dn: cn=Directory Administrators,dc=unixmen,dc=local
objectClass: top
objectClass: groupofuniquenames
cn: Directory Administrators
uniqueMember: cn=Directory Manager
# Groups, unixmen.local
dn: ou=Groups,dc=unixmen,dc=local
objectClass: top
objectClass: organizationalunit
ou: Groups
# People, unixmen.local
dn: ou=People,dc=unixmen,dc=local
objectClass: top
objectClass: organizationalunit
ou: People
# Special Users, unixmen.local
dn: ou=Special Users,dc=unixmen,dc=local
objectClass: top
objectClass: organizationalUnit
ou: Special Users
description: Special Administrative Accounts
# Accounting Managers, Groups, unixmen.local
dn: cn=Accounting Managers,ou=Groups,dc=unixmen,dc=local
objectClass: top
objectClass: groupOfUniqueNames
cn: Accounting Managers
ou: groups
description: People who can manage accounting entries
uniqueMember: cn=Directory Manager
# HR Managers, Groups, unixmen.local
dn: cn=HR Managers,ou=Groups,dc=unixmen,dc=local
objectClass: top
objectClass: groupOfUniqueNames
cn: HR Managers
ou: groups
description: People who can manage HR entries
uniqueMember: cn=Directory Manager
# QA Managers, Groups, unixmen.local
dn: cn=QA Managers,ou=Groups,dc=unixmen,dc=local
objectClass: top
objectClass: groupOfUniqueNames
cn: QA Managers
ou: groups
description: People who can manage QA entries
uniqueMember: cn=Directory Manager
# PD Managers, Groups, unixmen.local
dn: cn=PD Managers,ou=Groups,dc=unixmen,dc=local
objectClass: top
objectClass: groupOfUniqueNames
cn: PD Managers
ou: groups
description: People who can manage engineer entries
uniqueMember: cn=Directory Manager
# search result
search: 2
result: 0 Success
# numResponses: 10
# numEntries: 9

The output will look something like above. If you have got result as 2 shown in the  above output, you’re done. Now our LDAP server is ready to use.

Manage 389 ds with Admin Server Console

Please be mindful that if you want to manage your 389 ds server graphically, your server should have installed with a GUI environment. If you did a minimal installation, you can’t access the admin server console.

As i have minimal server, i am going to install XFCE desktop on my server.

# yum groupinstall Xfce

Reboot your server.

# reboot

Log in to server.

Now you can access the 389 ds admin console either locally or remotely.

To access 389 ds admin console locally, type 389-console.

To access 389-ds admin console from your remote system, enter the following command in Terminal.

$ ssh -X root@192.168.1.101 /usr/bin/389-console -a http://192.168.1.101:9830

Now you’ll be asked to enter your LDAP server administrative log in details. In my case my LDAP admin name is admin and password is centos.

This is how my admin server console looks.

From here you can create, delete or edit LDAP organizational units, groups and users graphically.

389-ds admin server console has two groups.

– Administration Server

– Directory Server

You can use any one of the server.

1. Administration Server

To access Administration Server interface, click on your LDAP domain name to expand. Go to Server Group – Administration Server and click Open on the right side. Refer the following screenshot.

Configuration tab:

In the Configuration tab, you change/edit your Admin server ip address, default port, LDAP admin password, default user directory. Also you can define which host names to allow and which ip addresses to allow to access your LDAP server.

Tasks Tab:

In the Tasks section, you can Stop/Restart/Configure your server.

2. Directory server

To access Directory Server interface, click on your LDAP domain name to expand. Go to Server Group – Directory Server and click Open on the right side. Refer the following screenshot.

In Directory Server section, you can do all necessary configuration for your LDAP server. You can change/modify default port, create users, groups, organizational units etc.

There are lot of options available in Directory Server section. Go thorough the each section and configure as per your requirement.

Create Organization units, Groups And Users

Create organizational unit:

Go to your Directory Server from the main console. In the Directory tab, right click on your Domain name (ex. Unixmen). Select New -> Organization Unit. Refer the following screen.

Enter your OU name (ex. Support Division) and click Ok.

The new OU (ex. Support Division) will be created under Unixmen domain.

Create a Group:

Now navigate to Support Division OU and create a new group (ex. support_group).

Enter group name and click Ok.

The new group will be created under Unixmen/Support Division.

Create User:

Right click on the Support_group, and click New -> User.

Enter the user details such as first name, last name, userid, mail id etc., and click Ok.

Verify Organizational Unit, Group, User with following command on our server.

# ldapsearch -x -b "dc=unixmen,dc=local"

Sample output:

# extended LDIF
#
# LDAPv3
# base <dc=unixmen,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# unixmen.local
dn: dc=unixmen,dc=local
objectClass: top
objectClass: domain
dc: unixmen
# Directory Administrators, unixmen.local
dn: cn=Directory Administrators,dc=unixmen,dc=local
objectClass: top
objectClass: groupofuniquenames
cn: Directory Administrators
uniqueMember: cn=Directory Manager
# Groups, unixmen.local
dn: ou=Groups,dc=unixmen,dc=local
objectClass: top
objectClass: organizationalunit
ou: Groups
# People, unixmen.local
dn: ou=People,dc=unixmen,dc=local
objectClass: top
objectClass: organizationalunit
ou: People
# Special Users, unixmen.local
dn: ou=Special Users,dc=unixmen,dc=local
objectClass: top
objectClass: organizationalUnit
ou: Special Users
description: Special Administrative Accounts
# Accounting Managers, Groups, unixmen.local
dn: cn=Accounting Managers,ou=Groups,dc=unixmen,dc=local
objectClass: top
objectClass: groupOfUniqueNames
cn: Accounting Managers
ou: groups
description: People who can manage accounting entries
uniqueMember: cn=Directory Manager
# HR Managers, Groups, unixmen.local
dn: cn=HR Managers,ou=Groups,dc=unixmen,dc=local
objectClass: top
objectClass: groupOfUniqueNames
cn: HR Managers
ou: groups
description: People who can manage HR entries
uniqueMember: cn=Directory Manager
# QA Managers, Groups, unixmen.local
dn: cn=QA Managers,ou=Groups,dc=unixmen,dc=local
objectClass: top
objectClass: groupOfUniqueNames
cn: QA Managers
ou: groups
description: People who can manage QA entries
uniqueMember: cn=Directory Manager
# PD Managers, Groups, unixmen.local
dn: cn=PD Managers,ou=Groups,dc=unixmen,dc=local
objectClass: top
objectClass: groupOfUniqueNames
cn: PD Managers
ou: groups
description: People who can manage engineer entries
uniqueMember: cn=Directory Manager
# Support Division, unixmen.local
dn: ou=Support Division,dc=unixmen,dc=local
ou: Support Division
objectClass: top
objectClass: organizationalunit
# support_group, Support Division, unixmen.local
dn: cn=support_group,ou=Support Division,dc=unixmen,dc=local
objectClass: top
objectClass: groupofuniquenames
cn: support_group
# skumar, support_group, Support Division, unixmen.local
dn: uid=skumar,cn=support_group,ou=Support Division,dc=unixmen,dc=local
mail: sk@unixmen.com
uid: skumar
givenName: senthil
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: kumar
cn: senthil kumar
# search result
search: 2
result: 0 Success
# numResponses: 13
# numEntries: 12

As you see in the above output, a new OU called Support Division, a new group called support_vision, a new user calledskumar has been created. I have covered only installation part and basic configuration. There are lot to learn about 389 ds. Refer the link provided at the bottom to know more about 389 ds.

Source & Reference: http://directory.fedoraproject.org/wiki/Main_Page