{"id":2519,"date":"2021-05-11T10:42:24","date_gmt":"2021-05-11T08:42:24","guid":{"rendered":"https:\/\/possiblelossofprecision.net\/?p=2519"},"modified":"2021-05-15T11:46:36","modified_gmt":"2021-05-15T09:46:36","slug":"ldap-server-with-389ds-part-1-installation","status":"publish","type":"post","link":"https:\/\/possiblelossofprecision.net\/?p=2519","title":{"rendered":"LDAP server with 389ds: Part 1 – Installation"},"content":{"rendered":"

The Lightweight Directory Access Protocol<\/a> or LDAP for short has been around for quite a while. While more modern technologies like OpenID<\/a>, OAuth<\/a> or SAML<\/a> are often used for authentication and authorisation purposes when it comes to applications, APIs etc. on the internet these days, LDAP is still widely used for various use cases. For same-sign on purposes it is the de-facto industry standard as a reliable and secure<\/a> technology and will probably stay relevant for a really long time to come.<\/p>\n

There are quite a few LDAP server implemenations<\/a>, the most prominent probably Microsoft’s Active Directory<\/a> and OpenLDAP<\/a>. Two notable free and open source implementations with a more modern codebase than OpenLDAP are Apache Directory<\/a> and Redhat’s 389 Directory Server<\/a>. Both do work really well but since ApacheDS lacks at least some features (e.g. https:\/\/issues.apache.org\/jira\/browse\/DIRSERVER-1844<\/a>, the importance and implications of this, of course, depend on the use case) this series of posts will look at the 389 Directory Server and how to set it up in a secure manner.<\/p>\n

<\/p>\n

1. Installation<\/h2>\n

Installation on Fedora or RHEL\/CentOS is farily straightforward:<\/p>\n

\r\ndnf install 389-ds-base\r\n<\/pre>\n
The 389 admin console that’s still referred to in some places in the official documentation<\/a> has been deprecated<\/a> for a while. If you still want to use a graphical user interface to interact with 389ds there is a UI plugin for cockpit that can be installed through<\/p>\n
\r\ndnf install cockpit-389-ds\r\n<\/pre>\n
However, this does not have all the features of the original admin console implemented yet (e.g. users and groups management<\/a>). A convenient tool to complement the cockpit UI plugin in this regard is Apache Directory Studio<\/a>.<\/p>\n
Cockpit can be enabled and started right away:<\/p>\n
\r\nsystemctl enable --now cockpit.socket\r\n<\/pre>\n
After that it’s available at https:\/\/yourhost:9090<\/code>. For 389ds we have to do some homework first and…<\/p>\n
2. Create an instance<\/h2>\n
A 389ds instance can be created through dscreate<\/code>. There’s an interactive mode that goes through all available options one by one<\/p>\n
\r\n# dscreate interactive\r\nInstall Directory Server (interactive mode)\r\n===========================================\r\nEnter system's hostname [fedora]: \r\nEnter the instance name [fedora]: \r\nEnter port number [389]: \r\n...\r\n<\/pre>\n
but the most convenient way is probably to create an instance from what’s called an inf answer file<\/em>. Here’s an example that will serve as the basis for any further configuration:<\/p>\n
\r\n[general]\r\nfull_machine_name = ldap.example.com\r\nstart = True\r\n\r\n[slapd]\r\ninstance_name = localhost\r\nroot_password = mysecret\r\nport = 389\r\nsecure_port = 636\r\nself_sign_cert = False\r\n\r\n[backend-userroot]\r\nsample_entries = yes\r\nsuffix = dc=example,dc=com\r\n<\/pre>\n
To see all available options including a short description one can run dscreate create-template<\/code> which generates an example inf answer file<\/em>.
\nYou should change the highlighted lines<\/strong> to set a more secure password and alter the domain. This will also install some sample data and start the instance right after it’s created:<\/p>\n
\r\n# dscreate from-file instance.inf \r\nStarting installation...\r\nCompleted installation for localhost\r\n<\/pre>\n
During the installation a systemd unit file called dirsrv@INSTANCE_NAME.service<\/code> is created and enabled so the instance is automatically started on boot.<\/p>\n
\r\n# systemctl status dirsrv@localhost.service \r\n\u25cf dirsrv@localhost.service - 389 Directory Server localhost.\r\n     Loaded: loaded (\/usr\/lib\/systemd\/system\/dirsrv@.service; enabled; vendor preset: disabled)\r\n    Drop-In: \/usr\/lib\/systemd\/system\/dirsrv@.service.d\r\n             \u2514\u2500custom.conf\r\n     Active: active (running) since Mon 2021-05-10 06:01:17 CEST; 13min ago\r\n    Process: 4817 ExecStartPre=\/usr\/libexec\/dirsrv\/ds_systemd_ask_password_acl \/etc\/dirsrv\/slapd-localhost\/dse.ldif (code=exited, status=0\/SUCCESS)\r\n   Main PID: 4822 (ns-slapd)\r\n     Status: "slapd started: Ready to process requests"\r\n      Tasks: 27 (limit: 2343)\r\n     Memory: 12.1M\r\n        CPU: 2.662s\r\n     CGroup: \/system.slice\/system-dirsrv.slice\/dirsrv@localhost.service\r\n             \u2514\u25004822 \/usr\/sbin\/ns-slapd -D \/etc\/dirsrv\/slapd-localhost -i \/run\/dirsrv\/slapd-localhost.pid\r\n<\/pre>\n
That’s it. You now have a running LDAP server. The next part<\/a> is going to cover some (essential) plugins.<\/p>\n","protected":false},"excerpt":{"rendered":"
The Lightweight Directory Access Protocol or LDAP for short has been around for quite a while. While more modern technologies like OpenID, OAuth or SAML are often used for authentication and authorisation purposes when it comes to applications, APIs etc. on the internet these days, LDAP is still widely used for various use cases. For same-sign on purposes it is… Read more »<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[84,13,7,83],"class_list":["post-2519","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-389ds","tag-centos","tag-fedora","tag-ldap"],"_links":{"self":[{"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=\/wp\/v2\/posts\/2519","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2519"}],"version-history":[{"count":17,"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=\/wp\/v2\/posts\/2519\/revisions"}],"predecessor-version":[{"id":2625,"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=\/wp\/v2\/posts\/2519\/revisions\/2625"}],"wp:attachment":[{"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2519"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2519"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2519"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}