From Linux NFS
Configuring a 389-ds LDAP server for use with FedFS
The purpose of this article is to provide recipes for quickly setting up an NSDB service using a 389-ds LDAP server. If you are already familiar with 389-ds or have existing 389-ds servers, browse this article to get a flavor for what is needed. Otherwise, follow the specific steps here to install and configure an NSDB.
These instructions are useful with Fedora 14 and following.
If at any point you find the need to erase everything and start over, use:
# remove-ds-admin.pl
# yum erase 389-ds-base
Then, if you're sure you want to get rid of the backups of old instances and anything in your master schema directory:
# rm -rf /etc/dirsrv
This removes all slapd instances, schemas you may have added, and the admin server.
Install the package
# yum install 389-ds
Add user ID and group ID for directory service
Using local administrative tools, create a local user ID, group ID, and home directory for the new directory service. I use dirsrv:dirsrv (both 1001) and use /sbin/nologin as the shell.
By default on modern RH-based distributions, networking doesn't start until a user logs in on the console. Configure the system's network to start automatically at boot (for example, make the connection a system connection available to all users), since the directory server must be reachable with nobody logged in.
By default on modern RH-based distributions, an IP firewall is enabled during a typical install. Allow other systems to access the LDAP service on this machine by adjusting the firewall configuration. On Fedora 16, the firewall configurator is at Applications -> Other -> Firewall. You can poke a hole for LDAP in the "Other Ports" section. Be sure to open "ldap" (389/tcp), "ldaps" (636/tcp), and "ldap-admin" (9830/tcp). Disabling the firewall entirely is not recommended: open only these ports, and, because the admin server speaks plain HTTP by default, consider restricting port 9830 to the addresses of your administrative hosts.
389-ds requires that the system has a fully-qualified domain name, and that it matches the name that is bound to the system's assigned IP address. Before running the setup script, confirm that "hostname -f" prints a fully-qualified name and that a lookup of that name returns an address configured on this host; the setup script checks this and complains if the name is not fully qualified.
Install the fedfs schema
Copy the FedFS schema from fedfs-utils-0.8/doc/ldap/fedfs-schema.ldif to /etc/dirsrv/schema/91fedfs.ldif on your LDAP server. Ensure that the SELinux security context, group, owner, and mode bits match the other files in this directory; otherwise the server may be unable to read the file, or the file may be writable by an account that should not be able to alter the schema.
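The host-name requirement and the schema copy are the two steps above that are easy to get subtly wrong. The following POSIX shell helper is an added example for this article, not part of 389-ds or fedfs-utils: it checks that the host's FQDN resolves to a locally configured address, and installs the schema file with the owner, group, mode and SELinux context copied from an existing schema file. The reference file name 00core.ldif, the function names, and the use of hostname -f, getent and ip(8) for the live check are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from 389-ds or fedfs-utils): pre-flight checks for an
# NSDB host. All function and file names below are this example's own.

# fqdn_matches_local NAME RESOLVED LOCAL
# Succeeds when NAME is fully qualified and at least one address in RESOLVED
# (the addresses NAME resolves to) also appears in LOCAL (the addresses
# configured on this host). Both lists are whitespace-separated and passed
# in explicitly so the logic can be exercised offline; preflight() below
# gathers the live values.
fqdn_matches_local() {
    name=$1 resolved=$2 local_addrs=$3
    case "$name" in
        localhost|localhost.localdomain)
            echo "$name is not a usable FQDN" >&2; return 1 ;;
        *.*) ;;
        *)  echo "$name is not fully qualified" >&2; return 1 ;;
    esac
    for a in $resolved; do
        for b in $local_addrs; do
            [ "$a" = "$b" ] && return 0
        done
    done
    echo "no address of $name (${resolved:-none}) is bound on this host" >&2
    return 1
}

# preflight: run fqdn_matches_local against what this host actually reports.
# Assumes Linux with glibc's getent and iproute2's ip(8).
preflight() {
    name=$(hostname -f)
    resolved=$(getent ahosts "$name" | awk '{print $1}' | sort -u | tr '\n' ' ')
    local_addrs=$(ip -o addr show | awk '{print $4}' | cut -d/ -f1 | tr '\n' ' ')
    fqdn_matches_local "$name" "$resolved" "$local_addrs"
}

# install_schema SRC SCHEMADIR REF
# Copies SRC to SCHEMADIR/91fedfs.ldif and makes its owner, group, mode and
# (when SELinux is enabled) security context match SCHEMADIR/REF, e.g. the
# stock 00core.ldif, so the new file is treated exactly like shipped schema.
install_schema() {
    src=$1 dir=$2 ref=$3
    dst=$dir/91fedfs.ldif
    [ -f "$dir/$ref" ] || { echo "reference file $dir/$ref missing" >&2; return 1; }
    cp "$src" "$dst" || return 1
    chown --reference="$dir/$ref" "$dst" || return 1
    chmod --reference="$dir/$ref" "$dst" || return 1
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled 2>/dev/null; then
        chcon --reference="$dir/$ref" "$dst" || return 1
    fi
}

# Usage (as root on the LDAP server):
#   sh nsdb-preflight.sh preflight
#   sh nsdb-preflight.sh schema fedfs-utils-0.8/doc/ldap/fedfs-schema.ldif
case "${1:-}" in
    preflight) preflight ;;
    schema)    install_schema "${2:?path to fedfs-schema.ldif}" /etc/dirsrv/schema 00core.ldif ;;
esac
```

Run the preflight check before setup-ds-admin.pl and the schema step right after the package install; the instance created later copies the master schema directory, so the FedFS schema must be in place first.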
Configure the basic LDAP service
Run the set up script, as root:
- Use the "typical" set-up type.
- Use the local host's hostname to identify the instance.
- When answering "System User" and "System Group," use the special user and group you just created.
- Assume no admin service exists already, so choose "no" when asked if you want to register this software with an existing configuration directory service.
- Use the default "admin" ID (this is created in a directory server, not in the local /etc/passwd).
- Choose the default administrative domain, directory server port, and directory name.
- The Directory Manager DN is the default, cn=Directory Manager.
- The default standard admin port (9830) is sufficient.
The new instance is created under /etc/dirsrv/slapd-<instancename>. If no admin service is desired, run "setup-ds.pl" instead; it creates only the directory server instance.
When the setup script is done, use local administrative tools to ensure both the directory server and the admin server are started automatically when the system boots. On Fedora 14, use:
# chkconfig dirsrv on
# chkconfig dirsrv-admin on
On Fedora 16 or later, use:
# systemctl enable dirsrv.target
# systemctl enable dirsrv-admin.service
The client-side ldap programs are in /usr/lib/mozldap/ on 32-bit, and /usr/lib64/mozldap on 64-bit. This is usually from the mozldap-tools package.
To invoke the admin console, run "389-console" from a shell (on releases before Fedora 14 the command was "console-389"). A dialog box asks for the user ID and password of the administrator ID you provided above. It may also be necessary to enter the URL of the admin service; by default it's "http://localhost:9830".
After updating 389-ds via yum or preupgrade, you must run "setup-ds-admin.pl -u" to refresh the console information. The same command can also be used to change the admin password.
Create a FedFS NSDB Container Entry
The LDAP server installation process automatically creates a dc-style root suffix, and we can use that here. Let's assume your LDAP server's hostname is ldap.example.net, its domain name is example.net, and a dc=example,dc=net entry already exists.
Add the LDAP entry under which all FedFS-related records are stored. Create /tmp/ldif containing only these lines:
dn: ou=fedfs,dc=example,dc=net
objectClass: organizationalUnit
ou: fedfs
Then use the ldapmodify command (OpenLDAP syntax shown; it prompts for the Directory Manager password) to add this entry:
$ ldapmodify -a -x -D "cn=Directory Manager" -W -h ldap.example.net -f /tmp/ldif
Note that this is a simple bind over plain LDAP, so the Directory Manager password crosses the network in the clear. Once the instance has TLS configured, add -ZZ (STARTTLS) or connect with -H ldaps://ldap.example.net instead of -h.
Next, on your administrative client, identify your LDAP server as an NSDB. Let's as
# nsdbparams update ldap.example.net
This enables the NSDB client tools to recognize your new LDAP server as an NSDB. Now, identify the entry you just added as the NCE (NSDB Container Entry) for dc=example,dc=net; nsdb-update-nci records the NCE's DN on the root entry of that naming context so that NSDB clients can find it. This command does the trick:
$ nsdb-update-nci -D "cn=Directory Manager" -l ldap.example.net -e ou=fedfs,dc=example,dc=net
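The steps in this section, from the container entry to the NCE registration, as one script. This is an added example for the article, not fedfs-utils' own tooling: it generates the same three-line LDIF, adds it with OpenLDAP's ldapmodify over STARTTLS with the password supplied from a file rather than on the command line, registers the NSDB and the NCE with the page's two nsdb commands, and finishes by listing the NCEs the server advertises with nsdb-nces. The function names and the nsdb-nce.sh file name are this example's assumptions; it is meant to be run as root on the administrative client.

```shell
#!/bin/sh
# Added example (not from fedfs-utils): create and register the NCE for a
# suffix in one go, then verify it. Assumes OpenLDAP's ldapmodify and the
# fedfs-utils nsdbparams, nsdb-update-nci and nsdb-nces tools are installed.

# nce_dn SUFFIX -> the DN this article uses for the NCE: ou=fedfs,<suffix>
nce_dn() { printf 'ou=fedfs,%s' "$1"; }

# nce_ldif SUFFIX -> LDIF for the container entry (the same three lines as
# the article's /tmp/ldif). Refuses a suffix that does not look like a DN so
# a typo cannot create an entry under the wrong naming context.
nce_ldif() {
    case "$1" in
        *=*) ;;
        *) echo "not a DN: $1" >&2; return 1 ;;
    esac
    printf 'dn: %s\nobjectClass: organizationalUnit\nou: fedfs\n' "$(nce_dn "$1")"
}

# register_nce NSDBHOST SUFFIX
# 1. adds the container entry over STARTTLS (-ZZ) so the Directory Manager
#    password is not sent in the clear; the password is read once into a
#    0600 temporary file and passed with -y, rather than with -w on the
#    command line where ps(1) would show it;
# 2. records the host as an NSDB in the local client parameters;
# 3. marks the entry as the NCE for the suffix;
# 4. lists the NCEs the NSDB now advertises, as a check.
register_nce() {
    nsdb=$1 suffix=$2
    pw=$(mktemp) || return 1
    trap 'rm -f "$pw"' EXIT
    printf 'Directory Manager password: ' >&2
    stty -echo; read -r p; stty echo; echo >&2
    printf '%s' "$p" > "$pw"; unset p
    nce_ldif "$suffix" | ldapmodify -a -x -ZZ -H "ldap://$nsdb" \
        -D "cn=Directory Manager" -y "$pw" || return 1
    nsdbparams update "$nsdb" || return 1
    nsdb-update-nci -D "cn=Directory Manager" -l "$nsdb" \
        -e "$(nce_dn "$suffix")" || return 1
    nsdb-nces -l "$nsdb"
}

# Usage (as root on the administrative client):
#   sh nsdb-nce.sh ldap.example.net dc=example,dc=net
if [ $# -eq 2 ]; then
    register_nce "$1" "$2"
fi
```

The -ZZ option makes ldapmodify refuse to proceed unless STARTTLS succeeds, which requires the 389-ds instance to have TLS enabled; until it does, drop -ZZ, as the article's own commands do, and accept that the bind is unprotected on the wire.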