How to Install LDAP 389 Directory Server On Linux with Detailed Steps

389 Directory Server is an open source enterprise LDAP Server.

It can handle a very large volume of data. One of the big benefits of the 389 LDAP server is that it is lightning fast and can process several thousand operations per second.

It has several advanced features, including asynchronous multi-master replication for horizontal scaling, which in turn provides 100% fault tolerance and extremely high throughput.

Also, keep in mind that it supports TLS and SASL for authentication and transport. 389 Directory Server is fully LDAPv3 compliant.

This tutorial explains how you can install and configure 389 directory server on your Linux environment.

Setup EPEL Repository

If you don’t have EPEL repository setup, make sure you set it up, as we’ll be installing the 389 related packages from EPEL.

First, download the epel rpm from Fedora website as shown below.

wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-9.noarch.rpm

Next, install the epel repository on your server.

# rpm -ivh epel-release-7-9.noarch.rpm 
warning: epel-release-7-9.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Preparing...             ################################# [100%]
Updating / installing...
   1:epel-release-7-9    ################################# [100%]

If you are interested in OpenLDAP instead of 389 directory server, refer to this: How to Install and Configure OpenLDAP on Linux

Setup /etc/hosts File Properly

Make sure the /etc/hosts file is set up properly.

In this example, the following is the current /etc/hosts file setup.

# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.101.10  deploy.thegeekstuff.com deploy

In the above:

  • 192.168.101.10 – The IP address of the server
  • deploy.thegeekstuff.com – The FQDN of the server where 389 directory server is getting installed
  • deploy – The hostname of the server

Setup Appropriate sysctl Parameters

Add the following lines to your /etc/sysctl.conf file:

# cat /etc/sysctl.conf 
net.ipv4.tcp_keepalive_time = 300
net.ipv4.ip_local_port_range = 1024 65000
fs.file-max = 64000

Depending on how much resource you have on your system, you may want to raise the above file-max value a bit more.

Execute the “sysctl -p” command as shown below to apply the above changes to your running system.

# sysctl -p
net.ipv4.tcp_keepalive_time = 300
net.ipv4.ip_local_port_range = 1024 65000
fs.file-max = 64000

Verify that the changes are made:

# sysctl fs.file-max net.ipv4.tcp_keepalive_time net.ipv4.ip_local_port_range
fs.file-max = 64000
net.ipv4.tcp_keepalive_time = 300
net.ipv4.ip_local_port_range = 1024     65000

Set Appropriate Ulimit Values

Set the open-files ulimit to 8192 by adding the following line to your /etc/profile file.

# echo "ulimit -n 8192" >> /etc/profile

Verify that this entry is added to the /etc/profile file.

# tail /etc/profile
..
..
unset i
unset -f pathmunge
ulimit -n 8192

Modify pam.d Login File

Modify the /etc/pam.d/login file and add the following line to include the pam_limits.so file as shown below.

# vi /etc/pam.d/login 
session    required     /usr/lib64/security/pam_limits.so

Make sure the pam_limits.so file is present on your system.

# ls -l /usr/lib64/security/pam_limits.so 
-rwxr-xr-x. 1 root root 19584 Aug 18  2015 /usr/lib64/security/pam_limits.so

Note: On 32-bit, use the following, as the location of this file is different.

# vi /etc/pam.d/login 
session    required     /lib/security/pam_limits.so
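The four prerequisite steps above (the /etc/hosts entry, the sysctl values, the ulimit line in /etc/profile and the pam_limits line in /etc/pam.d/login) are easy to get half right, and setup-ds-admin.pl only warns about some of them. The following pre-flight script is an added example, not part of the original tutorial: each check takes the file it inspects as an argument, so it can be run against copies as well as the live files, and the expected values are the ones the tutorial sets. The script name ds-preflight.sh and the FQDN deploy.thegeekstuff.com used in the usage line are this example's own assumptions.

```sh
#!/bin/sh
# ds-preflight.sh: added example, not part of the tutorial.  Checks the four
# prerequisite steps (hosts entry, sysctl values, ulimit in /etc/profile,
# pam_limits in /etc/pam.d/login) before setup-ds-admin.pl is run.  Each check
# takes the file it inspects as an argument, so it can be run against copies;
# the expected values are the ones the tutorial sets.

# hosts_has_fqdn FILE FQDN: true if FILE has a non-comment entry whose canonical
# name (second field) is FQDN, e.g. "192.168.101.10 deploy.thegeekstuff.com deploy"
hosts_has_fqdn() {
    awk -v fqdn="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        $2 == fqdn           { found = 1 }
        END                  { exit(found ? 0 : 1) }' "$1"
}

# sysctl_value FILE KEY: prints the value of KEY in a sysctl.conf-style FILE
# (last assignment wins, surrounding whitespace stripped, "" if absent)
sysctl_value() {
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key   { v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v) }
        END        { print v }' "$1"
}

# sysctl_at_least FILE KEY MIN: true if KEY is set to a number >= MIN
sysctl_at_least() {
    v=$(sysctl_value "$1" "$2")
    [ -n "$v" ] && [ "$v" -ge "$3" ] 2>/dev/null
}

# profile_nofile FILE: prints N from the last "ulimit -n N" line in FILE ("" if none)
profile_nofile() {
    awk '/^[ \t]*ulimit[ \t]+-n[ \t]+[0-9]+/ { n = $3 } END { print n }' "$1"
}

# pam_limits_enabled FILE: true if FILE has a "session required ... pam_limits.so" line
pam_limits_enabled() {
    grep -Eq '^[[:space:]]*session[[:space:]]+required[[:space:]]+(/[^[:space:]]+/)?pam_limits\.so' "$1"
}

# preflight HOSTS SYSCTL PROFILE PAMLOGIN FQDN: prints one line per check and
# returns the number of failed checks (0 means the system is ready)
preflight() {
    fails=0
    if hosts_has_fqdn "$1" "$5"; then echo "ok   $1: $5 is the canonical name of a host entry"
    else echo "FAIL $1: no entry with $5 as canonical name"; fails=$((fails + 1)); fi
    if sysctl_at_least "$2" fs.file-max 64000; then echo "ok   fs.file-max >= 64000"
    else echo "FAIL fs.file-max missing or below 64000"; fails=$((fails + 1)); fi
    if [ "$(sysctl_value "$2" net.ipv4.tcp_keepalive_time)" = 300 ]; then echo "ok   net.ipv4.tcp_keepalive_time = 300"
    else echo "FAIL net.ipv4.tcp_keepalive_time is not 300"; fails=$((fails + 1)); fi
    if [ "$(sysctl_value "$2" net.ipv4.ip_local_port_range)" = "1024 65000" ]; then echo "ok   net.ipv4.ip_local_port_range = 1024 65000"
    else echo "FAIL net.ipv4.ip_local_port_range is not 1024 65000"; fails=$((fails + 1)); fi
    n=$(profile_nofile "$3")
    if [ -n "$n" ] && [ "$n" -ge 8192 ] 2>/dev/null; then echo "ok   $3: ulimit -n $n"
    else echo "FAIL $3: no ulimit -n of at least 8192"; fails=$((fails + 1)); fi
    if pam_limits_enabled "$4"; then echo "ok   $4: pam_limits.so is loaded"
    else echo "FAIL $4: pam_limits.so session line missing"; fails=$((fails + 1)); fi
    return "$fails"
}

# Run against the live system with the server's FQDN as the only argument:
#   sh ds-preflight.sh deploy.thegeekstuff.com
if [ $# -eq 1 ]; then
    preflight /etc/hosts /etc/sysctl.conf /etc/profile /etc/pam.d/login "$1"
fi
```

The exit status is the number of failed checks, so the script can gate a provisioning step; note that it inspects the files, not the running kernel, so run “sysctl -p” before trusting a green result for the sysctl values.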

Create LDAP Admin User

Create a user called ldapadmin and assign a password as shown below:

useradd ldapadmin

passwd ldapadmin

Once you’ve set up the LDAP server properly, this will help: How to Add LDAP Users and Groups

Install 389 Directory Server Base and OpenLDAP Client

Next, install the 389 directory server base package and the OpenLDAP client utility package. We need to install these two packages:

  • 389-ds-base.x86_64
  • openldap-clients.x86_64

Install the above two packages using the yum command:

# yum install 389-ds-base.x86_64 openldap-clients.x86_64

Apart from installing the 389-ds-base and openldap-clients packages, depending on your system, this will also install the following dependent packages:

  • 389-ds-base-libs
  • GeoIP
  • bind-libs
  • bind-utils
  • cyrus-sasl-gssapi
  • cyrus-sasl-md5
  • libicu
  • perl-Archive-Tar
  • perl-DB_File
  • perl-IO-Zlib
  • perl-Mozilla-LDAP
  • perl-NetAddr-IP
  • perl-Package-Constants
  • svrcore

On this particular system, the following packages were also upgraded when the above two packages were installed:

  • bind-libs-lite
  • bind-license
  • openldap

If you are using EPEL repository for the first time on your system, this may ask you to accept the key as shown below. Say “y” here.

Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Importing GPG key 0x352C64E5:
 Userid     : "Fedora EPEL (7) <epel@fedoraproject.org>"
 Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5
 Package    : epel-release-7-9.noarch (installed)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Is this ok [y/N]: y

Install 389 Directory Server Admin Packages

Next, install the following packages that are related to the 389 LDAP Server administration:

  • 389-ds.noarch – The 389 directory, administration, and console suite
  • 389-admin.x86_64 – The 389 Administration Server
  • 389-adminutil.x86_64 – The utilities and libraries required for 389 administration
  • 389-ds-console-doc.noarch – Web-based docs for the 389 directory server management console

Use yum command and install these 389 directory server admin related packages as shown below:

# yum install 389-admin.x86_64 \
       389-adminutil.x86_64 389-ds.noarch \
       389-ds-base.x86_64 389-ds-console-doc.noarch

Apart from installing those 4 packages, depending on your system, this also installed the following dependent packages:

  • 389-admin-console
  • 389-admin-console-doc
  • 389-console
  • 389-ds-console
  • 389-dsgw
  • copy-jdk-configs
  • idm-console-framework
  • java-1.8.0-openjdk-headless
  • javapackages-tools
  • jss
  • ldapjdk
  • libxslt
  • lksctp-tools
  • mod_nss
  • perl-CGI
  • perl-FCGI
  • python-javapackages
  • python-lxml
  • tzdata-java

On this particular system, the following packages were also upgraded when the above packages were installed:

  • chkconfig
  • nspr
  • nss
  • nss-softokn
  • nss-softokn-freebl
  • nss-sysinit
  • nss-tools
  • nss-util

Setup 389 Directory Server – Execute setup-ds-admin.pl

After installing the required 389 LDAP Server packages, execute the setup-ds-admin.pl script, which will configure the 389 Directory Server on your system.

# setup-ds-admin.pl 

The above program will ask you to enter several values. Most of them are intuitive and straightforward.

But, I’ve shown partial output of wherever this is asking for user input below.

Setup 389 Directory Server – Initial Warning Message

During the first few prompts of the above setup-ds-admin.pl script, depending on your system setup, it may give you the following WARNING messages. You can say ‘yes’ to continue here:

389 Directory Server system tuning analysis version 14-JULY-2016.

NOTICE : System is x86_64-unknown-linux3.10.0-327.10.1.el7.x86_64 (2 processors).

WARNING: There are only 1024 file descriptors (soft limit) available, which
limit the number of simultaneous connections.  

WARNING  : The warning messages above should be reviewed before proceeding.

Would you like to continue? [no]: yes

Setup 389 Directory Server – Choose Typical Setup Type

In the following screen, if you are new to 389 directory server, choose the typical setup, which will set up all the common configuration options for you.

   1. Express
       Allows you to quickly set up the servers using the most
       common options and pre-defined defaults. Useful for quick
       evaluation of the products.

   2. Typical
       Allows you to specify common defaults and options.

   3. Custom
       Allows you to specify more advanced options. This is
       recommended for experienced server administrators only.

To accept the default shown in brackets, press the Enter key.

Choose a setup type [2]: 2

Setup 389 Directory Server – Enter FQDN

If you’ve set up your /etc/hosts file properly as explained in one of the previous steps, it should pick up your computer name correctly here, as shown below.

You just have to press Enter here and move on.

Computer name [deploy.thegeekstuff.com]: 

If your server doesn’t have a proper FQDN set up, you’ll see the following error message during the setup-ds-admin.pl script execution. Press Ctrl-C to exit, fix the FQDN issue, and then re-run setup-ds-admin.pl.

WARNING: There are problems with the hostname.
The hostname 'deploy' does not look like a
fully qualified host and domain name.

Please check the spelling of the hostname and/or your network configuration.
If you proceed with this hostname, you may encounter problems.

Do you want to proceed with hostname 'deploy'? [no]: no  
Computer name [deploy]: ^C

You can also pass the FQDN as a parameter to the setup-ds-admin.pl script as shown below:

# setup-ds-admin.pl General.FullMachineName=deploy.thegeekstuff.com
..
Computer name [deploy.thegeekstuff.com]: 
..

Setup 389 Directory Server – Enter LDAP Admin User

By default, this will use dirsrv as the username and group. Since we created a user called ldapadmin in one of our previous steps, specify that here.

System User [dirsrv]: ldapadmin
System Group [dirsrv]: ldapadmin

Setup 389 Directory Server – Config Directory Server

Since this is the first setup we are doing, we don’t have a configuration directory server yet. So, press enter here to accept the default choice, which is ‘no’.

But when you are doing multiple installations of this, you might already have a configuration directory server set up, in which case you should say ‘yes’ and specify that information there.

Do you want to register this software with an existing
configuration directory server? [no]: 

Setup 389 Directory Server – Specify Admin Username and Password

At this stage, you have to specify the admin username and password for the new directory server that is going to be set up.

You’ll be using this uid and password to log in to the console.

Configuration directory server
administrator ID [admin]: 
Password: 
Password (confirm): 

Setup 389 Directory Server – Enter Additional Parameters

The following are a few additional parameters the setup-ds-admin.pl script will prompt for. This domain name was picked up from the FQDN that we defined in the /etc/hosts file:

Administration Domain [thegeekstuff.com]: 

The default port number as you can imagine from the name is 389. Just leave it as it is by pressing enter:

Directory server network port [389]: 

Enter the unique identifier for your directory server.

Directory server identifier [deploy]: 

Setup 389 Directory Server – Setup LDAP Tree Structure

First, set up your directory tree accordingly. In this example, this is the root of our directory tree, which is thegeekstuff.com broken down into dc components as shown below.

Suffix [dc=thegeekstuff, dc=com]: 

Next, specify the directory manager, which is the DN of the administrative user who will perform certain directory server operations.

Press enter to accept the default name. Enter the password here for your directory manager user.

Directory Manager DN [cn=Directory Manager]: 
Password: 
Password (confirm): 

Specify the admin port. Please note that this is different from your application server or web server port. Just accept the default value here.

Administration port [9830]: 

Setup 389 Directory Server – Final Stages of Setup

Say ‘yes’ to the following final confirmation message to start the directory server configuration based on the values that you’ve entered so far.

Are you ready to set up your servers? [yes]: yes

You’ll see the following output indicating that the script is setting up the directory servers based on your configuration values.

Creating directory server . . .
Your new DS instance 'deploy' was successfully created.
Creating the configuration directory server . . .
Beginning Admin Server creation . . .
Creating Admin Server files and directories . . .
Updating adm.conf . . .
Updating admpw . . .
Registering admin server with the configuration directory server
Updating adm.conf with information from configuration directory server
Updating the configuration for the httpd engine . . .
..
..
Starting admin server . . .
The admin server was successfully started.
Admin server was successfully created, configured, and started.
Exiting . . .
Log file is '/tmp/setupqxoZug.log'
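Every prompt walked through above corresponds to a Section.Key parameter (the tutorial already passes one of them on the command line as General.FullMachineName=...), and setup-ds-admin.pl can read all of them from an .inf file with --silent --file. The script below is an added example and not part of the original tutorial: it writes that file from the tutorial's example values and runs the silent setup. The section and key names are the documented setup-ds-admin.pl .inf names; the DS_* variable names, the script name ds-silent-setup.sh and the --run flag are this example's own. The point a practitioner should take from it is the handling of the two passwords: the file holds the admin and Directory Manager passwords in clear text, so it is created with mode 0600 and removed as soon as the run finishes, and the passwords come from the environment rather than from the command line, where they would show up in the process list and in shell history.

```sh
#!/bin/sh
# ds-silent-setup.sh: added example, not part of the tutorial.  Answers the
# setup-ds-admin.pl prompts from an .inf file instead of interactively.
# Section/key names are the setup-ds-admin.pl .inf names (the tutorial's
# General.FullMachineName=... command-line form uses the same Section.Key);
# the DS_* variables and their defaults are this example's own, taken from the
# tutorial's example values.

# write_setup_inf OUT: writes the .inf file with mode 0600; fails if a password is unset
write_setup_inf() {
    if [ -z "${DS_ADMIN_PW:-}" ] || [ -z "${DS_DM_PW:-}" ]; then
        echo "write_setup_inf: set DS_ADMIN_PW and DS_DM_PW in the environment" >&2
        return 1
    fi
    rm -f "$1"
    # subshell: umask 077 makes cat create the file 0600 without changing the caller's umask
    (
        umask 077
        cat > "$1" <<EOF
[General]
FullMachineName=${DS_FQDN:-deploy.thegeekstuff.com}
SuiteSpotUserID=${DS_USER:-ldapadmin}
SuiteSpotGroup=${DS_GROUP:-ldapadmin}
AdminDomain=${DS_DOMAIN:-thegeekstuff.com}
ConfigDirectoryAdminID=admin
ConfigDirectoryAdminPwd=$DS_ADMIN_PW

[slapd]
ServerPort=389
ServerIdentifier=${DS_SERVERID:-deploy}
Suffix=${DS_SUFFIX:-dc=thegeekstuff,dc=com}
RootDN=cn=Directory Manager
RootDNPwd=$DS_DM_PW

[admin]
Port=9830
ServerIpAddress=${DS_IP:-192.168.101.10}
ServerAdminID=admin
ServerAdminPwd=$DS_ADMIN_PW
EOF
    )
}

# inf_value FILE SECTION KEY: prints KEY's value from [SECTION] ("" if absent);
# values may themselves contain "=", e.g. RootDN=cn=Directory Manager
inf_value() {
    awk -F= -v sec="[$2]" -v key="$3" '
        /^\[/                   { cur = $0; next }
        cur == sec && $1 == key { v = substr($0, length(key) + 2) }
        END                     { print v }' "$1"
}

# inf_is_private FILE: true if FILE is readable and writable by its owner only (mode 0600)
inf_is_private() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# run_silent_setup INF: refuses a world-readable file, runs the non-interactive
# setup, then removes INF whatever the outcome so the passwords do not stay on disk
run_silent_setup() {
    inf_is_private "$1" || { echo "refusing to use $1: not mode 0600" >&2; return 1; }
    setup-ds-admin.pl --silent --file="$1"
    rc=$?
    rm -f "$1"
    return "$rc"
}

# Usage: export DS_ADMIN_PW and DS_DM_PW first (e.g. from a read -r prompt), then
#   sh ds-silent-setup.sh --run
if [ "${1:-}" = "--run" ]; then
    inf=$(mktemp /tmp/ds-setup.XXXXXX) && write_setup_inf "$inf" && run_silent_setup "$inf"
fi
```

The setup log that setup-ds-admin.pl writes under /tmp (the “Log file is ...” line above) records the answers it used, so check that log for the same reason you would check the .inf file: it is another place the configuration, though not the passwords, ends up on disk.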

If you don’t have SELinux setup and configured properly, you’ll get the following ERROR message. In this case, you may want to temporarily disable SELinux and run the setup script.

ERROR: policydb version 30 does not match my version range 15-29
ERROR: Unable to open policy //etc/selinux/targeted/policy/policy.30.
Traceback (most recent call last):
File "/usr/sbin/semanage", line 32, in <module>
  import seobject
File "/usr/lib/python2.7/site-packages/seobject/__init__.py", line 27, in <module>
  import sepolicy
File "/usr/lib64/python2.7/site-packages/sepolicy/__init__.py", line 798, in <module>
  raise e
ValueError: Failed to read //etc/selinux/targeted/policy/policy.30 policy file

Verify Setup Log File

The last line of the setup script will show the name of the log file.

Open the log file to make sure there are no error messages. It should look something like the following:

# vi /tmp/setupqxoZug.log
[21:50:57] - [Setup] Info This program will set up the 389 Directory and Administration Servers.
[21:50:57] - [Setup] Info Would you like to continue with set up?
[21:50:58] - [Setup] Info yes
..
..
[21:55:50] - [Setup] Info Updating admpw . . .
[21:55:50] - [Setup] Info Registering admin server with the configuration directory server . . .
[21:55:50] - [Setup] Info Updating adm.conf with information from configuration directory server . . .
[21:55:50] - [Setup] Info Updating the configuration for the httpd engine . . .
[21:55:52] - [Setup] Info Starting admin server . . .
[21:55:53] - [Setup] Info The admin server was successfully started.
[21:55:53] - [Setup] Info Admin server was successfully created, configured, and started.
[21:55:53] - [Setup] Success Exiting . . .

Start 389 Directory Server using Systemctl

dirsrv.target is the name of the systemd unit that starts the directory server instances.

Use systemctl to start the 389 Directory Server as shown below.

Before starting:

# systemctl status dirsrv.target
● dirsrv.target - 389 Directory Server
   Loaded: loaded (/usr/lib/systemd/system/dirsrv.target; disabled; vendor preset: disabled)
   Active: inactive (dead)

Start the 389 directory server:

# systemctl start dirsrv.target

After starting:

# systemctl status dirsrv.target
● dirsrv.target - 389 Directory Server
   Loaded: loaded (/usr/lib/systemd/system/dirsrv.target; disabled; vendor preset: disabled)
   Active: active since Fri 2017-07-07 21:58:26 UTC; 2s ago

21:58:26 deploy systemd[1]: Reached target 389 Directory Server.
21:58:26 deploy systemd[1]: Starting 389 Directory Server.
..

Start 389 Directory Server using start-dirsrv

Instead of using systemctl, you can also use the start-dirsrv command as shown below to start the directory server:

# start-dirsrv
Starting instance "deploy"

Use stop-dirsrv to stop it:

# stop-dirsrv
Stopping instance "deploy"

The following will display the status of the directory server:

# status-dirsrv
● dirsrv.target - 389 Directory Server
   Loaded: loaded (/usr/lib/systemd/system/dirsrv.target; disabled; vendor preset: disabled)
   Active: active since Fri 2017-07-07 21:58:26 UTC; 1min 39s ago

21:58:26 deploy systemd[1]: Reached target 389 Directory Server.
21:58:26 deploy systemd[1]: Starting 389 Directory Server.
Status of instance "deploy"
● dirsrv@deploy.service - 389 Directory Server deploy.
   Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2017-07-07 22:00:01 UTC; 4s ago
  Process: 4754 ExecStartPre=/usr/sbin/ds_systemd_ask_password_acl /etc/dirsrv/slapd-%i/dse.ldif (code=exited, status=0/SUCCESS)
 Main PID: 4761 (ns-slapd)
   Status: "slapd started: Ready to process requests"
   CGroup: /system.slice/system-dirsrv.slice/dirsrv@deploy.service
           └─4761 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-deploy -i /var/run/dirsrv/slapd-deploy.pid

Start 389 Directory Server Admin using Systemctl

To control the admin server for your 389 directory, use systemctl as shown below.

The admin server’s systemd unit is called dirsrv-admin, as shown below.

# systemctl start dirsrv-admin

# systemctl stop dirsrv-admin

# systemctl status dirsrv-admin
● dirsrv-admin.service - 389 Administration Server.
   Loaded: loaded (/usr/lib/systemd/system/dirsrv-admin.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
..

You can also use the stop-ds-admin command to stop the 389 Administration Server.

Validate the Setup Using LDAPSearch Command

Finally, use the ldapsearch command to validate that the setup is done properly.

The following is the partial output of the ldapsearch command:

# ldapsearch -x -b "dc=thegeekstuff,dc=com"
..
..
dn: dc=thegeekstuff,dc=com
objectClass: top
objectClass: domain
dc: thegeekstuff

# Directory Administrators, thegeekstuff.com
dn: cn=Directory Administrators,dc=thegeekstuff,dc=com
objectClass: top
objectClass: groupofuniquenames
cn: Directory Administrators
uniqueMember: cn=Directory Manager
..
..
search: 2
result: 0 Success

# numResponses: 10
# numEntries: 9
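The search above is an anonymous simple bind (-x with no -D), and it returns the suffix entry and the Directory Administrators group because the new instance allows anonymous read access. That makes it a useful check, but only if you also look at what it does not return. The script below is an added example and not part of the original tutorial: it parses ldapsearch output of the shape shown above, confirms the search actually succeeded (result code 0 and at least one entry, rather than an empty listing from a wrong suffix or an unreachable server), and confirms that no userPassword or aci values came back to the anonymous client; it then performs a Directory Manager bind to check the privileged account. The script name ds-validate.sh and the function names are this example's own.

```sh
#!/bin/sh
# ds-validate.sh: added example, not part of the tutorial.  Parses ldapsearch
# output and checks what an anonymous client can see on the new instance.
# Functions read from stdin so the checks can be run against saved output too.

# ldif_num_entries: prints the "# numEntries: N" count from ldapsearch output (0 if absent)
ldif_num_entries() {
    awk '/^# numEntries:/ { n = $3 } END { print n + 0 }'
}

# ldif_result_code: prints the LDAP result code from the "result: N ..." line (-1 if absent)
ldif_result_code() {
    awk '/^result:/ { r = $2 } END { print (r == "" ? -1 : r + 0) }'
}

# ldif_has_attr ATTR: true if any returned entry carries attribute ATTR
# (case-insensitive; also matches options like ATTR;binary and base64 "::" values)
ldif_has_attr() {
    grep -Eiq "^$1(;[^:]*)?:"
}

# check_anonymous_output: reads one anonymous ldapsearch result from stdin,
# reports every failed expectation, returns 0 only if all of them hold
check_anonymous_output() {
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    rc=0
    if [ "$(ldif_result_code < "$tmp")" -ne 0 ]; then
        echo "FAIL: search did not return result 0 (server unreachable, wrong suffix, or refused)"; rc=1
    fi
    if [ "$(ldif_num_entries < "$tmp")" -lt 1 ]; then
        echo "FAIL: no entries returned under the suffix"; rc=1
    fi
    for attr in userPassword aci; do
        if ldif_has_attr "$attr" < "$tmp"; then
            echo "FAIL: $attr is readable by anonymous clients"; rc=1
        fi
    done
    rm -f "$tmp"
    return "$rc"
}

# validate_instance SUFFIX: anonymous search over SUFFIX, then a Directory
# Manager bind (ldapsearch prompts for the password) to confirm the privileged
# account works; the bind reads only the suffix entry itself (-s base)
validate_instance() {
    ldapsearch -x -b "$1" | check_anonymous_output || return 1
    ldapsearch -x -D "cn=Directory Manager" -W -b "$1" -s base > /dev/null || return 1
    echo "ok: anonymous read and Directory Manager bind both work on $1"
}

# Usage:  sh ds-validate.sh "dc=thegeekstuff,dc=com"
if [ $# -eq 1 ]; then
    validate_instance "$1"
fi
```

If the anonymous check fails on userPassword or aci, the instance's access control instructions have been changed from the defaults and should be reviewed before any users are added; if the Directory Manager bind fails, the password entered at the “Directory Manager DN” prompt during setup is the one to re-check.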