FedFs389DsServer0.9

From Linux NFS

(Difference between revisions)
Jump to: navigation, search
(Configuring a 389-ds LDAP server for use with FedFS)
 
(10 intermediate revisions not shown)
Line 15: Line 15:
The purpose of this article is to provide recipes for quickly setting up an NSDB service using a 389-ds LDAP server. If you are already familiar with 389-ds or have existing 389-dsservers, browse this article to get a flavor for what is needed. Otherwise, follow the specific steps here to install and configure an NSDB.
The purpose of this article is to provide recipes for quickly setting up an NSDB service using a 389-ds LDAP server. If you are already familiar with 389-ds or have existing 389-dsservers, browse this article to get a flavor for what is needed. Otherwise, follow the specific steps here to install and configure an NSDB.
-
These instructions are useful with Fedora 16 and following.
+
These instructions are useful with Fedora 14 and following.
-
=== Uninstalling ===
+
== Uninstalling ==
If at any point you find the need to erase everything and start over, use:
If at any point you find the need to erase everything and start over, use:
Line 24: Line 24:
   # yum erase 389-ds-base
   # yum erase 389-ds-base
-
This removes all slapd instances and the admin server.  Apparently you can't remove just one slapd instance?
+
Then, if you're sure you want to get rid of the backups of old instances and anything in your master schema directory:
-
=== Install the package ===
+
  # rm -rf /etc/dirsrv
 +
 
 +
This removes all slapd instances, schemas you may have added, and the admin server.
 +
 
 +
== Install the package ==
   # yum install 389-ds
   # yum install 389-ds
-
Add special user ID and group ID for directory service
+
== Add user ID and group ID for directory service ==
-
Using local administrative tools, create a local user ID, group ID, and home directory for the new directory service.  I use dirsrv:dirsrv (both 501) and use /sbin/nologin as the shell.
+
Using local administrative tools, create a local user ID, group ID, and home directory for the new directory service.  I use dirsrv:dirsrv (both 1001) and use /sbin/nologin as the shell.
-
=== Networking pre-requisites ===
+
== Networking pre-requisites ==
By default on modern RH-based distributions, networking doesn't start until a user logs in on the console.  Configure the system's network to start automatically.
By default on modern RH-based distributions, networking doesn't start until a user logs in on the console.  Configure the system's network to start automatically.
Line 42: Line 46:
389-ds requires that the system has a fully-qualified domain name, and that it matches the name that is bound to the system's assigned IP address.
389-ds requires that the system has a fully-qualified domain name, and that it matches the name that is bound to the system's assigned IP address.
-
=== Install the fedfs schema ===
+
== Configure the basic LDAP service ==
-
 
+
-
Extract the FedFS schema from the LDAP/NSDB draft.  Run ol2rhds.pl to convert it to RFC 2252 format.
+
-
 
+
-
Copy the result to /etc/dirsrv/schema/91fedfs.ldif.  Ensure that the security context, group, owner, and mode bits match the other files in this directory.
+
-
 
+
-
=== Configure it ===
+
Run the set up script, as root:
Run the set up script, as root:
Line 70: Line 68:
   # chkconfig dirsrv-admin on
   # chkconfig dirsrv-admin on
-
On Fedora 16, use:
+
On Fedora 16 or later, use:
   # systemctl enable dirsrv.target
   # systemctl enable dirsrv.target
Line 79: Line 77:
To invoke the admin console, run "console-389" at the login prompt (in Fedora 14 and later, it's "389-console").  A dialog box will ask for the user ID and password of the administrator ID which you provided above.  It may also be necessary to enter the URL of the admin service.  By default, it's "http://localhost:9830" .
To invoke the admin console, run "console-389" at the login prompt (in Fedora 14 and later, it's "389-console").  A dialog box will ask for the user ID and password of the administrator ID which you provided above.  It may also be necessary to enter the URL of the admin service.  By default, it's "http://localhost:9830" .
-
=== Upgrading 389-ds ===
+
==== Upgrading 389-ds ====
After updating 389-ds via yum or a preupdate, you must run "setup-ds-admin.pl -u" to refresh the console information.  You can also use this to change the admin password.
After updating 389-ds via yum or a preupdate, you must run "setup-ds-admin.pl -u" to refresh the console information.  You can also use this to change the admin password.
-
=== Create a fedfs root suffix ===
+
== Add the FedFS schema ==
 +
 
 +
Go to your administrative client.
 +
 
 +
Use the "add-schema-389" script in the fedfs-utils/contrib/ldap directory to introduce the FedFS schema.  On the command line, supply the DNS hostname of the new 389-ds server and the DN of its directory administrator.  If the administrator DN contains blanks, use double-quotes.
 +
 
 +
  $ ./add-schema-389 ldap.example.net "cn=Directory Manager"
 +
  Enter LDAP password:
 +
 
 +
== Create a FedFS NSDB Container Entry ==
 +
 
 +
On your administrative client, identify your LDAP server as an NSDB.
-
This can be done under the Configuration tab of the Directory Server Console. Left-click on Data, then right-click on Data, and pick "New Root Suffix". Name the suffix, and give the storage backend instance a unique name.  This also automatically creates a namingContext entry.  I usually use "o=fedfs" and "fedfsRoot".
+
  # nsdbparams update ldap.hostname.example.net
-
=== Create a fedfs NSDB container entry ===
+
This enables the NSDB client tools to recognize your new LDAP server as an NSDB.  Now, add the LDAP entry under which all FedFS-related records are stored with the nsdb-simple-nce command.  The LDAP server installation process automatically creates a dc-style root suffix, and we can use that here.  Assuming your new LDAP server's name is "ldap.example.net," this command does the trick:
-
Under the Directory tab of the Directory Server Console, left-click then right-click on the name of the server (the top entry in the left-hand column), and pick "New Root Entry..." Your root suffix should appear in the submenu.   Choose the "organization" class. A new properties dialog will come up, and add the "fedfsNsdbContainerInfo" object class.  This will add the fedfsNceDN attribute automatically.  Alternatively, use ldapmodify (bound as the Directory Manager) to create the new object.
+
  $ nsdb-simple-nce -D "cn=Directory Manager" -l ldap.example.net dc=example,dc=net
 +
  Enter NSDB password:
-
Note that this object must be explicitly permitted world-readable by specifying an ACI attribute.  Use the 389-ds console, or see:
+
Confirm the addition with the nsdb-nces command:
-
   http://download.oracle.com/docs/cd/E22289_01/html/821-1273/managing-acis-with-ldapmodify.html
+
   $ nsdb-nces -l ldap.example.net
 +
  NSDB: ldap.example.net:389
 +
    namingContext 'dc=example,dc=net' hosts an NCE at 'ou=fedfs,dc=example,dc=net'.
 +
    namingContext 'o=netscaperoot' does not host an NCE.

Latest revision as of 20:57, 9 January 2013

Contents

Project: fedfs-utils

[ Project Home | News | Downloads | Docs | Mailing Lists | Source Control | Issues ]


Configuring a 389-ds LDAP server for use with FedFS

The purpose of this article is to provide recipes for quickly setting up an NSDB service using a 389-ds LDAP server. If you are already familiar with 389-ds or have existing 389-dsservers, browse this article to get a flavor for what is needed. Otherwise, follow the specific steps here to install and configure an NSDB.

These instructions are useful with Fedora 14 and following.

Uninstalling

If at any point you find the need to erase everything and start over, use:

 # remove-ds-admin.pl
 # yum erase 389-ds-base

Then, if you're sure you want to get rid of the backups of old instances and anything in your master schema directory:

 # rm -rf /etc/dirsrv

This removes all slapd instances, schemas you may have added, and the admin server.

Install the package

 # yum install 389-ds

Add user ID and group ID for directory service

Using local administrative tools, create a local user ID, group ID, and home directory for the new directory service. I use dirsrv:dirsrv (both 1001) and use /sbin/nologin as the shell.

Networking pre-requisites

By default on modern RH-based distributions, networking doesn't start until a user logs in on the console. Configure the system's network to start automatically.

By default on modern RH-based distributions, an IP firewall is enabled during a typical install. Allow other systems to access the LDAP service on this machine by adjusting the firewall configuration. On Fedora 16, the firewall configurator is at Applications -> Other -> Firewall. You can poke a hole for LDAP in the "Other Ports" section. Be sure to open "ldap," "ldaps," and "ldap-admin." Or disable the firewall entirely if you are sure that's safe to do.

389-ds requires that the system has a fully-qualified domain name, and that it matches the name that is bound to the system's assigned IP address.

Configure the basic LDAP service

Run the set up script, as root:

 # setup-ds-admin.pl
  • Use the "typical" set-up type.
  • Use the local host's hostname to identify the instance.
  • When answering "System User" and "System Group," use the special user and group you just created.
  • Assume no admin service exists already, so choose "no" when asked if you want to register this software with an existing configuration directory service.
  • Use the default "admin" ID (this is created in a directory server, not in the local /etc/passwd).
  • Choose the default administrative domain, directory server port, and directory name.
  • The Directory Manager DN is the default, cn=Directory Manager.
  • The default standard admin port (9830) is sufficient.

The new instance is created under /etc/dirsrv/slapd-<instancename> . "setup-ds.pl" can be used if no admin service is desired.

When the setup script is done, use local administrative tools to ensure both the directory server and the admin server are started automatically when the system boots. On Fedora 14, use:

 # chkconfig dirsrv on
 # chkconfig dirsrv-admin on

On Fedora 16 or later, use:

 # systemctl enable dirsrv.target
 # systemctl enable dirsrv-admin.service

The client-side ldap programs are in /usr/lib/mozldap/ on 32-bit, and /usr/lib64/mozldap on 64-bit. This is usually from the mozldap-tools package.

To invoke the admin console, run "console-389" at the login prompt (in Fedora 14 and later, it's "389-console"). A dialog box will ask for the user ID and password of the administrator ID which you provided above. It may also be necessary to enter the URL of the admin service. By default, it's "http://localhost:9830" .

Upgrading 389-ds

After updating 389-ds via yum or a preupdate, you must run "setup-ds-admin.pl -u" to refresh the console information. You can also use this to change the admin password.

Add the FedFS schema

Go to your administrative client.

Use the "add-schema-389" script in the fedfs-utils/contrib/ldap directory to introduce the FedFS schema. On the command line, supply the DNS hostname of the new 389-ds server and the DN of its directory administrator. If the administrator DN contains blanks, use double-quotes.

 $ ./add-schema-389 ldap.example.net "cn=Directory Manager"
 Enter LDAP password:

Create a FedFS NSDB Container Entry

On your administrative client, identify your LDAP server as an NSDB.

 # nsdbparams update ldap.hostname.example.net

This enables the NSDB client tools to recognize your new LDAP server as an NSDB. Now, add the LDAP entry under which all FedFS-related records are stored with the nsdb-simple-nce command. The LDAP server installation process automatically creates a dc-style root suffix, and we can use that here. Assuming your new LDAP server's name is "ldap.example.net," this command does the trick:

 $ nsdb-simple-nce -D "cn=Directory Manager" -l ldap.example.net dc=example,dc=net
 Enter NSDB password:

Confirm the addition with the nsdb-nces command:

 $ nsdb-nces -l ldap.example.net
 NSDB: ldap.example.net:389
   namingContext 'dc=example,dc=net' hosts an NCE at 'ou=fedfs,dc=example,dc=net'.
   namingContext 'o=netscaperoot' does not host an NCE.
Personal tools