FedFs389DsServer0.9

From Linux NFS

Revision as of 16:22, 9 October 2012 by Chucklever (Talk | contribs)
Jump to: navigation, search

Contents

Project: fedfs-utils

[ Project Home | News | Downloads | Docs | Mailing Lists | Source Control | Issues ]


Configuring a 389-ds LDAP server for use with FedFS

The purpose of this article is to provide recipes for quickly setting up an NSDB service using a 389-ds LDAP server. If you are already familiar with 389-ds or have existing 389-dsservers, browse this article to get a flavor for what is needed. Otherwise, follow the specific steps here to install and configure an NSDB.

These instructions are useful with Fedora 14 and following.

Uninstalling

If at any point you find the need to erase everything and start over, use:

 # remove-ds-admin.pl
 # yum erase 389-ds-base

Then, if you're sure you want to get rid of the backups of old instances and anything in your master schema directory:

 # rm -rf /etc/dirsrv

This removes all slapd instances, schemas you may have added, and the admin server.

Install the package

 # yum install 389-ds

Add special user ID and group ID for directory service

Using local administrative tools, create a local user ID, group ID, and home directory for the new directory service. I use dirsrv:dirsrv (both 501) and use /sbin/nologin as the shell.

Networking pre-requisites

By default on modern RH-based distributions, networking doesn't start until a user logs in on the console. Configure the system's network to start automatically.

By default on modern RH-based distributions, an IP firewall is enabled during a typical install. Allow other systems to access the LDAP service on this machine by adjusting the firewall configuration. On Fedora 16, the firewall configurator is at Applications -> Other -> Firewall. You can poke a hole for LDAP in the "Other Ports" section. Be sure to open "ldap," "ldaps," and "ldap-admin." Or disable the firewall entirely if you are sure that's safe to do.

389-ds requires that the system has a fully-qualified domain name, and that it matches the name that is bound to the system's assigned IP address.

Configure the basic LDAP service

Run the set up script, as root:

 # setup-ds-admin.pl
  • Use the "typical" set-up type.
  • Use the local host's hostname to identify the instance.
  • When answering "System User" and "System Group," use the special user and group you just created.
  • Assume no admin service exists already, so choose "no" when asked if you want to register this software with an existing configuration directory service.
  • Use the default "admin" ID (this is created in a directory server, not in the local /etc/passwd).
  • Choose the default administrative domain, directory server port, and directory name.
  • The Directory Manager DN is the default, cn=Directory Manager.
  • The default standard admin port (9830) is sufficient.

The new instance is created under /etc/dirsrv/slapd-<instancename> . "setup-ds.pl" can be used if no admin service is desired.

When the setup script is done, use local administrative tools to ensure both the directory server and the admin server are started automatically when the system boots. On Fedora 14, use:

 # chkconfig dirsrv on
 # chkconfig dirsrv-admin on

On Fedora 16, use:

 # systemctl enable dirsrv.target
 # systemctl enable dirsrv-admin.service

The client-side ldap programs are in /usr/lib/mozldap/ on 32-bit, and /usr/lib64/mozldap on 64-bit. This is usually from the mozldap-tools package.

To invoke the admin console, run "console-389" at the login prompt (in Fedora 14 and later, it's "389-console"). A dialog box will ask for the user ID and password of the administrator ID which you provided above. It may also be necessary to enter the URL of the admin service. By default, it's "http://localhost:9830" .

Upgrading 389-ds

After updating 389-ds via yum or a preupdate, you must run "setup-ds-admin.pl -u" to refresh the console information. You can also use this to change the admin password.

Add the FedFS schema

Use the "add-schema-389" script in the fedfs-utils/contrib/ldap directory to introduce the FedFS schema. On the command line, supply the DNS hostname of the new 389-ds server and the DN of the directory administrator. If the DN contains blanks, use double-quotes.

 $ ./add-schema-389 ldap.hostname.example.net "cn=Directory Manager"
 Enter LDAP password:

Create a fedfs root suffix

This can be done under the Configuration tab of the Directory Server Console. Left-click on Data, then right-click on Data, and pick "New Root Suffix". Name the suffix, and give the storage backend instance a unique name. This also automatically creates a namingContext entry. I usually use "o=fedfs" and "fedfsRoot".

Create a fedfs NSDB container entry

Under the Directory tab of the Directory Server Console, left-click then right-click on the name of the server (the top entry in the left-hand column), and pick "New Root Entry..." Your root suffix should appear in the submenu. Choose the "organization" class. A new properties dialog will come up, and add the "fedfsNsdbContainerInfo" object class. This will add the fedfsNceDN attribute automatically.

Alternatively, use ldapmodify (bound as the Directory Manager) to create the new object. Note that this object must be explicitly permitted world-readable by specifying an ACI attribute. Use the 389-ds console, or see:

 http://download.oracle.com/docs/cd/E22289_01/html/821-1273/managing-acis-with-ldapmodify.html
Personal tools