The Lightweight Directory Access Protocol, or LDAP for short, has been around for quite a while. While more modern technologies like OpenID, OAuth or SAML are often used for authentication and authorisation of applications and APIs on the internet these days, LDAP is still widely used for various use cases. For single sign-on within an organisation it is the de facto industry standard, a reliable technology that is secure when set up properly and will probably stay relevant for a long time to come.
There are quite a few LDAP server implementations, the most prominent probably Microsoft's Active Directory and OpenLDAP. Two notable free and open source implementations with a more modern codebase than OpenLDAP are Apache Directory and Red Hat's 389 Directory Server. Both work well, but since ApacheDS lacks at least some features (e.g. https://issues.apache.org/jira/browse/DIRSERVER-1844; how much that matters depends, of course, on the use case) this series of posts looks at the 389 Directory Server and how to set it up in a secure manner.
Installation on Fedora or RHEL/CentOS is fairly straightforward:
dnf install 389-ds-base
The 389 admin console that’s still referred to in some places in the official documentation has been deprecated for a while. If you still want to use a graphical user interface to interact with 389ds there is a UI plugin for cockpit that can be installed through
dnf install cockpit-389-ds
However, this plugin does not yet implement all the features of the original admin console (e.g. user and group management). A convenient tool to complement the cockpit UI plugin in this regard is Apache Directory Studio.
Cockpit can be enabled and started right away:
systemctl enable --now cockpit.socket
After that it's available at https://yourhost:9090. For 389ds we have to do some homework first and…
2. Create an instance
A 389ds instance is created with dscreate. There's an interactive mode that walks through all available options one by one:
# dscreate interactive
Install Directory Server (interactive mode)
===========================================

Enter system's hostname [fedora]:
Enter the instance name [fedora]:
Enter port number :
...
but the most convenient way is probably to create an instance from what’s called an inf answer file. Here’s an example that will serve as the basis for any further configuration:
[general]
full_machine_name = ldap.example.com
start = True

[slapd]
instance_name = localhost
root_password = mysecret
port = 389
secure_port = 636
self_sign_cert = False

[backend-userroot]
sample_entries = yes
suffix = dc=example,dc=com
To see all available options, each with a short description, run dscreate create-template, which generates a fully commented example inf answer file.
You should at least change the root_password line to a strong password (dscreate also accepts an already salted and hashed password there, so the clear-text value never has to touch the disk) and adapt full_machine_name and suffix to your domain. Since the answer file contains the Directory Manager password, keep it readable by root only and remove it once the instance exists. Note that self_sign_cert = False means no certificate is generated, so nothing will listen on secure_port 636 until a certificate has been configured; port 389 is plain LDAP. With sample_entries = yes the instance is populated with some sample data, and start = True starts it right after it's created:
# dscreate from-file instance.inf
Starting installation...
Completed installation for localhost
During the installation the instance is registered as dirsrv@INSTANCE_NAME.service, an instance of the packaged dirsrv@.service template unit, and enabled so that it is started automatically on boot.
# systemctl status dirsrv@localhost.service
● dirsrv@localhost.service - 389 Directory Server localhost.
     Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
    Drop-In: /usr/lib/systemd/system/dirsrv@.service.d
             └─custom.conf
     Active: active (running) since Mon 2021-05-10 06:01:17 CEST; 13min ago
    Process: 4817 ExecStartPre=/usr/libexec/dirsrv/ds_systemd_ask_password_acl /etc/dirsrv/slapd-localhost/dse.ldif (code=exited, status=0/SUCCESS)
   Main PID: 4822 (ns-slapd)
     Status: "slapd started: Ready to process requests"
      Tasks: 27 (limit: 2343)
     Memory: 12.1M
        CPU: 2.662s
     CGroup: /system.slice/system-dirsrv.slice/dirsrv@localhost.service
             └─4822 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-localhost -i /run/dirsrv/slapd-localhost.pid
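Putting the steps above together, as an added example rather than code from this post or from the 389ds project: a small POSIX shell script that writes the answer file with a randomly generated Directory Manager password and 0600 permissions, refuses placeholder or short passwords, runs dscreate from-file when the tool is present, destroys the answer file afterwards and then verifies the unit and an anonymous root DSE query. The hostname ldap.example.com, instance name localhost and suffix dc=example,dc=com are the values from the answer file above; the helper names, the 16-character minimum and the use of GNU stat(1) and ldapsearch from openldap-clients are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the post or the 389ds project): create a 389ds
# instance from a generated answer file without leaving the Directory
# Manager password lying around. Values taken from the post: host
# ldap.example.com, instance "localhost", suffix dc=example,dc=com.
# Assumptions: GNU stat(1) (Fedora/RHEL); dscreate, systemctl and
# ldapsearch (openldap-clients) in PATH when run with --run.
set -eu

# gen_password: 32 random alphanumeric characters from /dev/urandom.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32
}

# write_answer_file FILE HOST INSTANCE SUFFIX PASSWORD
# Same keys as the answer file in the post. The file is created 0600 because
# it holds the Directory Manager password in clear text. Passwords shorter
# than 16 characters are refused (a floor chosen for this example).
write_answer_file() {
    file=$1 host=$2 inst=$3 suffix=$4 pw=$5
    if [ "${#pw}" -lt 16 ]; then
        echo "refusing Directory Manager password shorter than 16 characters" >&2
        return 1
    fi
    rm -f "$file"
    old_umask=$(umask)
    umask 077                      # new file is created mode 0600
    cat > "$file" <<EOF
[general]
full_machine_name = $host
start = True

[slapd]
instance_name = $inst
root_password = $pw
port = 389
secure_port = 636
self_sign_cert = False

[backend-userroot]
sample_entries = yes
suffix = $suffix
EOF
    umask "$old_umask"
}

# check_answer_file FILE: refuse group/world readable files and placeholder
# passwords before the file is handed to dscreate.
check_answer_file() {
    file=$1
    if [ "$(stat -c %a "$file")" != "600" ]; then
        echo "$file must be mode 0600, it holds the Directory Manager password" >&2
        return 1
    fi
    # "mysecret" is the placeholder from the post, "Directory_Manager_Password"
    # the default in the template written by "dscreate create-template".
    if grep -Eq '^root_password *= *(mysecret|Directory_Manager_Password) *$' "$file"; then
        echo "$file still contains a placeholder root_password" >&2
        return 1
    fi
}

# create_instance FILE INSTANCE: run dscreate, destroy the answer file and
# verify that the unit is active and that port 389 answers an anonymous
# root DSE query (389ds allows that by default).
create_instance() {
    file=$1 inst=$2
    check_answer_file "$file"
    dscreate from-file "$file"
    shred -u "$file" 2>/dev/null || rm -f "$file"   # password has served its purpose
    systemctl is-active "dirsrv@$inst.service"
    ldapsearch -x -H ldap://localhost:389 -s base -b '' namingContexts
}

# Entry point, only when invoked as: sh create-389ds.sh --run
if [ "${1:-}" = "--run" ]; then
    inf=$(mktemp)                  # mktemp creates the file mode 0600 as well
    write_answer_file "$inf" ldap.example.com localhost dc=example,dc=com "$(gen_password)"
    create_instance "$inf" localhost
fi
```

Run it as root on the freshly installed host; the generated password is only ever present in the 0600 answer file, which is shredded right after dscreate finishes, so recover it from the running instance's configuration (or set a password hash you already keep elsewhere) rather than from the script's output.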
That’s it. You now have a running LDAP server. The next part is going to cover some (essential) plugins.