Install And Configure LDAP Server In CentOS 7
This tutorial describes how to install and configure LDAP server (389-DS) in CentOS 7.
About 389-DS Server
389-DS (389 Directory Server) is an open source enterprise class LDAP server for Linux, and is developed by Red Hat community. It is hardened by real-world use, is full-featured, supports multi-master replication, and already handles many of the largest LDAP deployments in the world. The 389 Directory Server can be downloaded for free, and set up in less than an hour using the graphical console. 389-DS can handle thousands of concurrent users more effectively.
Features
Concerning about 389-DS features, we can list the following:
- High performance ;
- Multi-Master Replication, to provide fault tolerance and high write performance ;
- The codebase has been developed and deployed continuously by the same team for more than a decade ;
- Active Directory user and group synchronization ;
- Secure authentication and transport (TLSv1, and SASL) ;
- Support for LDAPv3 ;
- On-line, zero downtime, LDAP-based update of schema, configuration, management and in-tree Access Control Information (ACIs) ;
- Graphical console for all facets of user, group, and server management ;
- Continuous Integration Testing (lib389) – prevents regressions and helps maintain stability with each release.
For more details, check the Features page.
Install and Configure LDAP server in CentOS 7
In this how-to, I will be using the following system as LDAP server.
- Operating System: CentOS 7 server
- Host name: server1.unixmen.local
- IP Address: 192.168.1.150/24.
Prerequisites
Before installing LDAP server, you must do the following requirements.
1. Set your server fully qualified domain in /etc/hosts file
Edit file /etc/hosts/,
vi /etc/hosts
Add your hostname as shown below.
[...] 192.168.1.150 server1.unixmen.local server1
Change the values as per your requirement.
2. Firewall Configuration
Allow the following ldap ports to your iptables.
firewall-cmd --permanent --add-port=389/tcp
firewall-cmd --permanent --add-port=636/tcp
firewall-cmd --permanent --add-port=9830/tcp
Restart firewall.
firewall-cmd --reload
3. Add EPEL and REMI Repository
Follow the below links to install and enable EPEL and REMI repositories.
4. Performance and Security tuning for LDAP server
Before installing LDAP server, we have to adjust some files for performance and security.
Edit file “/etc/sysctl.conf”,
vi /etc/sysctl.conf
Add the following lines at the end.
[...] net.ipv4.tcp_keepalive_time = 300 net.ipv4.ip_local_port_range = 1024 65000 fs.file-max = 64000
Edit file “/etc/security/limits.conf”,
vi /etc/security/limits.conf
Add the following lines at the bottom.
[...] * soft nofile 8192 * hard nofile 8192
Edit file “/etc/profile”,
vi /etc/profile
Add the line at the end.
[...] ulimit -n 8192
Edit file “/etc/pam.d/login”,
vi /etc/pam.d/login
Add the line at the end.
[...] session required /lib/security/pam_limits.so
Now Restart the server.
Install 389 Directory Server
Create a LDAP user account.
useradd ldapadmin
passwd ldapadmin
Install 389-ds-base package using command:
yum install 389-ds-base openldap-clients
Right now, all required packages for 389-DS server are not available in the CentOS repositories. We have to download and install manually the following packages.
Now, install the above packages one by one as shown below.
yum localinstall ftp://rpmfind.net/linux/epel/testing/7/x86_64/i/idm-console-framework-1.1.14-1.el7.noarch.rpm
yum localinstall ftp://rpmfind.net/linux/epel/testing/7/x86_64/3/389-adminutil-1.1.22-1.el7.x86_64.rpm
yum localinstall ftp://rpmfind.net/linux/epel/testing/7/x86_64/3/389-admin-1.1.42-1.el7.x86_64.rpm
yum localinstall ftp://rpmfind.net/linux/epel/testing/7/x86_64/3/389-admin-console-1.1.10-1.el7.noarch.rpm
yum localinstall ftp://rpmfind.net/linux/epel/testing/7/x86_64/3/389-console-1.1.9-1.el7.noarch.rpm
yum localinstall ftp://rpmfind.net/linux/epel/testing/7/x86_64/3/389-ds-console-1.2.12-1.el7.noarch.rpm
That’s it.
Configure LDAP server
Now it’s time to configure LDAP server. It’s quite long way process. Run the following command to configure 389 directory server.
setup-ds-admin.pl
You will be asked to answer for a couple of questions. Please read the instructions carefully and answer them accordingly.
If you made any mistake and want to go back to previous screen press CTRL+B and Enter. To cancel the setup press CTRL+C. ============================================================================== This program will set up the 389 Directory and Administration Servers. It is recommended that you have "root" privilege to set up the software. Tips for using this program: - Press "Enter" to choose the default and go to the next screen - Type "Control-B" then "Enter" to go back to the previous screen - Type "Control-C" to cancel the setup program Would you like to continue with set up? [yes]: ## Press Enter ============================================================================== Your system has been scanned for potential problems, missing patches, etc. The following output is a report of the items found that need to be addressed before running this software in a production environment. 389 Directory Server system tuning analysis version 23-FEBRUARY-2012. NOTICE : System is x86_64-unknown-linux3.10.0-123.9.3.el7.x86_64 (1 processor). WARNING: 616MB of physical memory is available on the system. 1024MB is recommended for best performance on large production system. NOTICE : The net.ipv4.tcp_keepalive_time is set to 7200000 milliseconds (120 minutes). This may cause temporary server congestion from lost client connections. WARNING: There are only 1024 file descriptors (soft limit) available, which limit the number of simultaneous connections. WARNING : The warning messages above should be reviewed before proceeding. Would you like to continue? [no]: yes ## Type 'Yes' and press Enter ============================================================================== Choose a setup type: 1. Express Allows you to quickly set up the servers using the most common options and pre-defined defaults. Useful for quick evaluation of the products. 2. Typical Allows you to specify common defaults and options. 3. Custom Allows you to specify more advanced options. This is recommended for experienced server administrators only. To accept the default shown in brackets, press the Enter key. Choose a setup type [2]: ## Press Enter ============================================================================== Enter the fully qualified domain name of the computer on which you're setting up server software. Using the form <hostname>.<domainname> Example: eros.example.com. To accept the default shown in brackets, press the Enter key. Warning: This step may take a few minutes if your DNS servers can not be reached or if DNS is not configured correctly. If you would rather not wait, hit Ctrl-C and run this program again with the following command line option to specify the hostname: General.FullMachineName=your.hostname.domain.name Computer name [server1.unixmen.local]: ## Press Enter ============================================================================== The servers must run as a specific user in a specific group. It is strongly recommended that this user should have no privileges on the computer (i.e. a non-root user). The setup procedure will give this user/group some permissions in specific paths/files to perform server-specific operations. If you have not yet created a user and group for the servers, create this user and group using your native operating system utilities. System User [nobody]: ldapadmin ## Type LDAP user name which we created earlier System Group [nobody]: ldapadmin ## Type ldap group ============================================================================== Server information is stored in the configuration directory server. This information is used by the console and administration server to configure and manage your servers. If you have already set up a configuration directory server, you should register any servers you set up or create with the configuration server. To do so, the following information about the configuration server is required: the fully qualified host name of the form <hostname>.<domainname>(e.g. hostname.example.com), the port number (default 389), the suffix, the DN and password of a user having permission to write the configuration information, usually the configuration directory administrator, and if you are using security (TLS/SSL). If you are using TLS/SSL, specify the TLS/SSL (LDAPS) port number (default 636) instead of the regular LDAP port number, and provide the CA certificate (in PEM/ASCII format). If you do not yet have a configuration directory server, enter 'No' to be prompted to set up one. Do you want to register this software with an existing configuration directory server? [no]: ## Press Enter ============================================================================== Please enter the administrator ID for the configuration directory server. This is the ID typically used to log in to the console. You will also be prompted for the password. Configuration directory server administrator ID [admin]: ## Press Enter Password: ## Type Password Password (confirm): ## Re-type password ============================================================================== The information stored in the configuration directory server can be separated into different Administration Domains. If you are managing multiple software releases at the same time, or managing information about multiple domains, you may use the Administration Domain to keep them separate. If you are not using administrative domains, press Enter to select the default. Otherwise, enter some descriptive, unique name for the administration domain, such as the name of the organization responsible for managing the domain. Administration Domain [unixmen.local]: ## Press Enter ============================================================================== The standard directory server network port number is 389. However, if you are not logged as the superuser, or port 389 is in use, the default value will be a random unused port number greater than 1024. If you want to use port 389, make sure that you are logged in as the superuser, that port 389 is not in use. Directory server network port [389]: ## Press Enter ============================================================================== Each instance of a directory server requires a unique identifier. This identifier is used to name the various instance specific files and directories in the file system, as well as for other uses as a server instance identifier. Directory server identifier [server1]: ## Press Enter ============================================================================== The suffix is the root of your directory tree. The suffix must be a valid DN. It is recommended that you use the dc=domaincomponent suffix convention. For example, if your domain is example.com, you should use dc=example,dc=com for your suffix. Setup will create this initial suffix for you, but you may have more than one suffix. Use the directory server utilities to create additional suffixes. Suffix [dc=unixmen, dc=local]: ##Press Enter ============================================================================== Certain directory server operations require an administrative user. This user is referred to as the Directory Manager and typically has a bind Distinguished Name (DN) of cn=Directory Manager. You will also be prompted for the password for this user. The password must be at least 8 characters long, and contain no spaces. Press Control-B or type the word "back", then Enter to back up and start over. Directory Manager DN [cn=Directory Manager]: ## Press Enter Password: ## Type Password Password (confirm): ## Re-enter password ============================================================================== The Administration Server is separate from any of your web or application servers since it listens to a different port and access to it is restricted. Pick a port number between 1024 and 65535 to run your Administration Server on. You should NOT use a port number which you plan to run a web or application server on, rather, select a number which you will remember and which will not be used for anything else. Administration port [9830]: ## Press Enter ============================================================================== The interactive phase is complete. The script will now set up your servers. Enter No or go Back if you want to change something. Are you ready to set up your servers? [yes]: ## Press Enter Creating directory server . . . Your new DS instance 'server1' was successfully created. Creating the configuration directory server . . . Beginning Admin Server creation . . . Creating Admin Server files and directories . . . Updating adm.conf . . . Updating admpw . . . Registering admin server with the configuration directory server . . . Updating adm.conf with information from configuration directory server . . . Updating the configuration for the httpd engine . . . Starting admin server . . . The admin server was successfully started. Admin server was successfully created, configured, and started. Exiting . . . Log file is '/tmp/setupOLhgGH.log'
Congratulations! We have successfully configured 389 Directory Server.
Starting/Stopping 389-ds services
Make the LDAP server services to start automatically on every reboot.
systemctl enable dirsrv.target
systemctl enable dirsrv-admin
To start directory server, run:
systemctl start dirsrv.target
Or
start-dirsrv
To stop it, run:
systemctl stop dirsrv.target
Or
stop-dirsrv
Likewise, to start directory admin, run:
systemctl start dirsrv-admin
Or
start-ds-admin
To stop it:
systemctl stop dirsrv-admin
Or
stop-ds-admin
Likewise, you can check the status of the both services using commands:
systemctl status dirsrv.target
systemctl status dirsrv-admin
To restart the above services. run:
systemctl restart dirsrv.target
systemctl restart dirsrv-admin
All configuration files will be found under /etc/dirsrv/ directory and all log files will found under /var/log/dirsrv/ directory.
Test LDAP Server
Now let us test our LDAP Server now for any errors using following command.
ldapsearch -x -b "dc=unixmen,dc=local"
Sample output:
# extended LDIF # # LDAPv3 # base <dc=unixmen,dc=local> with scope subtree # filter: (objectclass=*) # requesting: ALL # # unixmen.local dn: dc=unixmen,dc=local objectClass: top objectClass: domain dc: unixmen # Directory Administrators, unixmen.local dn: cn=Directory Administrators,dc=unixmen,dc=local objectClass: top objectClass: groupofuniquenames cn: Directory Administrators uniqueMember: cn=Directory Manager # Groups, unixmen.local dn: ou=Groups,dc=unixmen,dc=local objectClass: top objectClass: organizationalunit ou: Groups # People, unixmen.local dn: ou=People,dc=unixmen,dc=local objectClass: top objectClass: organizationalunit ou: People # Special Users, unixmen.local dn: ou=Special Users,dc=unixmen,dc=local objectClass: top objectClass: organizationalUnit ou: Special Users description: Special Administrative Accounts # Accounting Managers, Groups, unixmen.local dn: cn=Accounting Managers,ou=Groups,dc=unixmen,dc=local objectClass: top objectClass: groupOfUniqueNames cn: Accounting Managers ou: groups description: People who can manage accounting entries uniqueMember: cn=Directory Manager # HR Managers, Groups, unixmen.local dn: cn=HR Managers,ou=Groups,dc=unixmen,dc=local objectClass: top objectClass: groupOfUniqueNames cn: HR Managers ou: groups description: People who can manage HR entries uniqueMember: cn=Directory Manager # QA Managers, Groups, unixmen.local dn: cn=QA Managers,ou=Groups,dc=unixmen,dc=local objectClass: top objectClass: groupOfUniqueNames cn: QA Managers ou: groups description: People who can manage QA entries uniqueMember: cn=Directory Manager # PD Managers, Groups, unixmen.local dn: cn=PD Managers,ou=Groups,dc=unixmen,dc=local objectClass: top objectClass: groupOfUniqueNames cn: PD Managers ou: groups description: People who can manage engineer entries uniqueMember: cn=Directory Manager # search result search: 2 result: 0 Success # numResponses: 10 # numEntries: 9
The output will look something like above. If you have got result as 2 shown in the above output, you’re done.
Now, our LDAP server is ready to use.
Manage 389 Directory Server Graphically Using 389 Management Console
Today, we will see how to manage 389-DS more easily via a graphical interface.
About 389 Management Console
389 management console is a built-in, Java based remote management console that can be used to manage your LDAP server (389-DS) server from any remote or local system. This console helps you to easily create, edit or delete Organizational units, groups, users more easily via a cool graphical interface. You don’t need to memorize or know all commands to manage LDAP server. Everything can be done via 389 management console.
Please be mindful that if you want to manage your 389 ds server graphically, you LDAP server should have installed with a GUI desktop environment. If you did a minimal installation and don’t have GUI in your LDAP server, then, you can’t access the management console.
As I had installed LDAP server in minimal CentOS 7 server, Here, I am going to install XFCE desktop on my server.
yum groupinstall Xfce
After installing GUI, reboot the server to take effect the changes.
reboot
Log in to server.
Now, you can access the 389 ds admin console either from the local server itself or from a remote desktop client.
To access 389 ds admin console locally, type the following command in the Terminal:
389-console
To access 389-ds admin console from the remote system, enter the following command in Terminal.
ssh -X root@192.168.1.150 /usr/bin/389-console -a http://192.168.1.150:9830
Replace the IP address with your own.
Now, you’ll be asked to enter your LDAP server administrative log in details. In my case my LDAP admin name is admin and password is centos.
From here, you can create, delete or edit LDAP organizational units, groups and users graphically.
389-ds admin server console has two groups by default:
- Administration Server
- Directory Server
You can use any one of the server group.
1. Administration Server
To access Administration Server interface, click on your LDAP domain name to expand.
Go to Server Group –> Administration Server and click Open on the right side. Refer the following screenshot.
The following screen should appear.
The Admin server has tabs.
- Tasks,
- Configuration.
Tasks Tab:
In the Tasks section, you can Stop/Restart/Configure admin server.
Configuration tab:
In the Configuration tab, you change/edit your Admin server ip address, default port, LDAP admin password, default user directory. Also you can define which host names to allow and which ip addresses to allow to access your LDAP server.
2. Directory server
To access Directory Server interface, click on your LDAP domain name to expand.
Go to Server Group – Directory Server and click Open on the right side. Refer the following screenshot.
In Directory Server section, you can do all necessary configuration for your LDAP server. You can change/modify default port, create users, groups, organizational units etc.
There are lot of options available in Directory Server section. Go thorough the each section and configure your LDAP server as per your requirement.
Create Organization units, Groups And Users
Create organizational unit:
Go to your Directory Server from the main console.
Select Directory tab.
Right click on your Domain name (Ex. Unixmen). Select New -> Organization Unit. Refer the following screen.
Enter your OU name (ex. Support Division) and click Ok.
The new OU (ex. Support Division) will be created under Unixmen domain.
Create a Group:
Now navigate to Support Division OU and create a new group (ex. support_group).
Enter group name and click Ok.
The new group will be created under Unixmen/Support Division.
Create User:
Right click on the Support_group, and click New -> User.
Enter the user details such as first name, last name, userid, mail id etc., and click Ok.
That’s it. Now, we have created OU, Group and an user in LDAP server.
Test LDAP server
Verify whether the newly created Organizational Unit, Group, User with following command on our server.
ldapsearch -x -b "dc=unixmen,dc=local"
Sample output:
Check the result that I have marked as bold at the end.
# extended LDIF # # LDAPv3 # base <dc=unixmen,dc=local> with scope subtree # filter: (objectclass=*) # requesting: ALL # # unixmen.local dn: dc=unixmen,dc=local objectClass: top objectClass: domain dc: unixmen # Directory Administrators, unixmen.local dn: cn=Directory Administrators,dc=unixmen,dc=local objectClass: top objectClass: groupofuniquenames cn: Directory Administrators uniqueMember: cn=Directory Manager # Groups, unixmen.local dn: ou=Groups,dc=unixmen,dc=local objectClass: top objectClass: organizationalunit ou: Groups # People, unixmen.local dn: ou=People,dc=unixmen,dc=local objectClass: top objectClass: organizationalunit ou: People # Special Users, unixmen.local dn: ou=Special Users,dc=unixmen,dc=local objectClass: top objectClass: organizationalUnit ou: Special Users description: Special Administrative Accounts # Accounting Managers, Groups, unixmen.local dn: cn=Accounting Managers,ou=Groups,dc=unixmen,dc=local objectClass: top objectClass: groupOfUniqueNames cn: Accounting Managers ou: groups description: People who can manage accounting entries uniqueMember: cn=Directory Manager # HR Managers, Groups, unixmen.local dn: cn=HR Managers,ou=Groups,dc=unixmen,dc=local objectClass: top objectClass: groupOfUniqueNames cn: HR Managers ou: groups description: People who can manage HR entries uniqueMember: cn=Directory Manager # QA Managers, Groups, unixmen.local dn: cn=QA Managers,ou=Groups,dc=unixmen,dc=local objectClass: top objectClass: groupOfUniqueNames cn: QA Managers ou: groups description: People who can manage QA entries uniqueMember: cn=Directory Manager # PD Managers, Groups, unixmen.local dn: cn=PD Managers,ou=Groups,dc=unixmen,dc=local objectClass: top objectClass: groupOfUniqueNames cn: PD Managers ou: groups description: People who can manage engineer entries uniqueMember: cn=Directory Manager # Support Division, unixmen.local dn: ou=Support Division,dc=unixmen,dc=local ou: Support Division objectClass: top objectClass: organizationalunit # support_group, Support Division, unixmen.local dn: cn=support_group,ou=Support Division,dc=unixmen,dc=local objectClass: top objectClass: groupofuniquenames cn: support_group # skumar, support_group, Support Division, unixmen.local dn: uid=skumar,cn=support_group,ou=Support Division,dc=unixmen,dc=local mail: sk@unixmen.com uid: skumar givenName: senthil objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetorgperson sn: kumar cn: senthil kumar # search result search: 2 result: 0 Success # numResponses: 13 # numEntries: 12
As you see in the above output, a new OU called Support Division, a new group called support_vision, a new user called skumar have been created. Voila! Our LDAP server is working.
Conclusion
In this tutorial, I covered only installation part and basic configuration. There are lot to learn about 389 ds. Refer the link provided at the bottom to know more about 389 ds.
In my personal experience, 389-ds is much easier than openldap in terms of installation and configuration. We will see how to configure client systems to authenticate using LDAP server in our next article.
Good luck. Cheers!
Reference:
No comments:
Post a Comment