LDAP server with 389ds: Part 1 – Installation

The Lightweight Directory Access Protocol, or LDAP for short, has been around for quite a while. While more modern technologies like OpenID, OAuth or SAML are often used for authentication and authorisation purposes when it comes to applications, APIs etc. on the internet these days, LDAP is still widely used for various use cases. For single sign-on purposes it is the de-facto industry standard as a reliable and secure technology and will probably stay relevant for a really long time to come.

There are quite a few LDAP server implementations, the most prominent probably being Microsoft’s Active Directory and OpenLDAP. Two notable free and open source implementations with a more modern codebase than OpenLDAP are Apache Directory and Red Hat’s 389 Directory Server. Both work really well, but since ApacheDS lacks at least some features (e.g. https://issues.apache.org/jira/browse/DIRSERVER-1844; the importance and implications of this, of course, depend on the use case), this series of posts will look at the 389 Directory Server and how to set it up in a secure manner.

1. Installation

Installation on Fedora or RHEL/CentOS is fairly straightforward:

dnf install 389-ds-base

The 389 admin console that’s still referred to in some places in the official documentation has been deprecated for a while. If you still want to use a graphical user interface to interact with 389ds there is a UI plugin for cockpit that can be installed through

dnf install cockpit-389-ds

However, this does not have all the features of the original admin console implemented yet (e.g. users and groups management). A convenient tool to complement the cockpit UI plugin in this regard is Apache Directory Studio.

Cockpit can be enabled and started right away:

systemctl enable --now cockpit.socket

After that it’s available at https://yourhost:9090. For 389ds we have to do some homework first and…

2. Create an instance

A 389ds instance can be created through dscreate. There’s an interactive mode that goes through all available options one by one

# dscreate interactive
Install Directory Server (interactive mode)
===========================================
Enter system's hostname [fedora]: 
Enter the instance name [fedora]: 
Enter port number [389]: 
...

but the most convenient way is probably to create an instance from what’s called an inf answer file. Here’s an example that will serve as the basis for any further configuration:

[general]
full_machine_name = ldap.example.com
start = True

[slapd]
instance_name = localhost
root_password = mysecret
port = 389
secure_port = 636
self_sign_cert = False

[backend-userroot]
sample_entries = yes
suffix = dc=example,dc=com

To see all available options including a short description one can run dscreate create-template, which generates an example inf answer file.
You should change the password line (root_password) to a more secure value and alter the domain (full_machine_name and suffix). The file above will also install some sample data (sample_entries = yes) and start the instance right after it’s created (start = True):

# dscreate from-file instance.inf 
Starting installation...
Completed installation for localhost
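The answer file is the one place in this setup where the Directory Manager password is written down in clear text, so it is worth generating it with a random password rather than editing "mysecret" by hand, creating it with restrictive permissions and removing it once dscreate has consumed it. The following POSIX shell script is an added example, not code from the original post or from the 389ds project: it builds an answer file with the same settings as above, derives the suffix from the domain part of the host name and refuses to proceed if the placeholder password is still present. The host name ldap.example.com, the instance name localhost and the temporary output path are assumptions for this example; dscreate itself is not invoked here.

```sh
#!/bin/sh
# Added example (not from the original post): generate a dscreate answer file
# with a random root password and a suffix derived from the host's domain.
# ldap.example.com, the instance name "localhost" and the output path are
# assumptions chosen for this example.
set -eu

# Convert a DNS domain such as example.com into an LDAP suffix, dc=example,dc=com.
domain_to_suffix() {
    printf '%s' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) {
            printf "%sdc=%s", (i > 1 ? "," : ""), $i
        }
    }'
}

# 32 bytes from /dev/urandom, base64-encoded and made safe for an inf file
# (no padding, no + or /); always 43 characters long.
gen_root_password() {
    head -c 32 /dev/urandom | base64 | tr -d '\n=' | tr '+/' '-_'
}

# Write the answer file: $1 = FQDN, $2 = instance name, $3 = root password,
# $4 = output path. The domain is everything after the first label of the FQDN.
write_answer_file() {
    fqdn=$1; instance=$2; password=$3; out=$4
    domain=${fqdn#*.}              # ldap.example.com -> example.com
    suffix=$(domain_to_suffix "$domain")
    cat > "$out" <<EOF
[general]
full_machine_name = $fqdn
start = True

[slapd]
instance_name = $instance
root_password = $password
port = 389
secure_port = 636
self_sign_cert = False

[backend-userroot]
sample_entries = yes
suffix = $suffix
EOF
}

# Sanity check before handing the file to dscreate: the placeholder password
# from the post must be gone and the file must be readable by its owner only.
check_answer_file() {
    ! grep -q '^root_password = mysecret$' "$1" &&
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Demo run: write the file under a private umask, verify it and show it.
umask 077
tmpfile=$(mktemp)
write_answer_file ldap.example.com localhost "$(gen_root_password)" "$tmpfile"
check_answer_file "$tmpfile"
cat "$tmpfile"
# On the real host, hand it to dscreate and remove it afterwards:
#   dscreate from-file "$tmpfile" && rm -f "$tmpfile"
rm -f "$tmpfile"
```

The generated password is only printed to the terminal as part of the file listing; in practice pipe it into a password manager or note it securely, since it is the only way to bind as cn=Directory Manager after the answer file has been deleted.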

During the installation a systemd unit file called dirsrv@INSTANCE_NAME.service is created and enabled so the instance is automatically started on boot.

# systemctl status dirsrv@localhost.service 
● dirsrv@localhost.service - 389 Directory Server localhost.
     Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
    Drop-In: /usr/lib/systemd/system/dirsrv@.service.d
             └─custom.conf
     Active: active (running) since Mon 2021-05-10 06:01:17 CEST; 13min ago
    Process: 4817 ExecStartPre=/usr/libexec/dirsrv/ds_systemd_ask_password_acl /etc/dirsrv/slapd-localhost/dse.ldif (code=exited, status=0/SUCCESS)
   Main PID: 4822 (ns-slapd)
     Status: "slapd started: Ready to process requests"
      Tasks: 27 (limit: 2343)
     Memory: 12.1M
        CPU: 2.662s
     CGroup: /system.slice/system-dirsrv.slice/dirsrv@localhost.service
             └─4822 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-localhost -i /run/dirsrv/slapd-localhost.pid

That’s it. You now have a running LDAP server. The next part is going to cover some (essential) plugins.
