FedFs389DsServer0.9

From Linux NFS


Revision as of 15:14, 9 October 2012

Project: fedfs-utils


Configuring a 389-ds LDAP server for use with FedFS

The purpose of this article is to provide recipes for quickly setting up an NSDB service using a 389-ds LDAP server. If you are already familiar with 389-ds or have existing 389-ds servers, browse this article to get a flavor for what is needed. Otherwise, follow the specific steps here to install and configure an NSDB.

These instructions are useful with Fedora 16 and following.

Uninstalling

If at any point you find the need to erase everything and start over, use:

 # remove-ds-admin.pl
 # yum erase 389-ds-base

This removes all slapd instances and the admin server. Apparently you can't remove just one slapd instance?

Install the package

 # yum install 389-ds

Add special user ID and group ID for directory service

Using local administrative tools, create a local user ID, group ID, and home directory for the new directory service. I use dirsrv:dirsrv (both 501) and use /sbin/nologin as the shell.

Networking pre-requisites

By default on modern RH-based distributions, networking doesn't start until a user logs in on the console. Configure the system's network to start automatically.

By default on modern RH-based distributions, an IP firewall is enabled during a typical install. Allow other systems to access the LDAP service on this machine by adjusting the firewall configuration. On Fedora 16, the firewall configurator is at Applications -> Other -> Firewall. You can poke a hole for LDAP in the "Other Ports" section. Be sure to open "ldap," "ldaps," and "ldap-admin." Or disable the firewall entirely if you are sure that's safe to do.

389-ds requires that the system has a fully-qualified domain name, and that it matches the name that is bound to the system's assigned IP address.

Install the fedfs schema

Extract the FedFS schema from the LDAP/NSDB draft. Run ol2rhds.pl to convert it to RFC 2252 format.

Copy the result to /etc/dirsrv/schema/91fedfs.ldif. Ensure that the security context, group, owner, and mode bits match the other files in this directory.

Configure it

Run the set up script, as root:

 # setup-ds-admin.pl
  • Use the "typical" set-up type.
  • Use the local host's hostname to identify the instance.
  • When answering "System User" and "System Group," use the special user and group you just created.
  • Assume no admin service exists already, so choose "no" when asked if you want to register this software with an existing configuration directory service.
  • Use the default "admin" ID (this is created in a directory server, not in the local /etc/passwd).
  • Choose the default administrative domain, directory server port, and directory name.
  • The Directory Manager DN is the default, cn=Directory Manager.
  • The default standard admin port (9830) is sufficient.

The new instance is created under /etc/dirsrv/slapd-<instancename>. "setup-ds.pl" can be used instead if no admin service is desired.

When the setup script is done, use local administrative tools to ensure both the directory server and the admin server are started automatically when the system boots. On Fedora 14, use:

 # chkconfig dirsrv on
 # chkconfig dirsrv-admin on

On Fedora 16, use:

 # systemctl enable dirsrv.target
 # systemctl enable dirsrv-admin.service

The client-side ldap programs are in /usr/lib/mozldap/ on 32-bit, and /usr/lib64/mozldap on 64-bit. This is usually from the mozldap-tools package.

To invoke the admin console, run "console-389" at the login prompt (in Fedora 14 and later, it's "389-console"). A dialog box will ask for the user ID and password of the administrator ID which you provided above. It may also be necessary to enter the URL of the admin service. By default, it's "http://localhost:9830".

Upgrading 389-ds

After updating 389-ds via yum or a preupdate, you must run "setup-ds-admin.pl -u" to refresh the console information. You can also use this to change the admin password.

Create a fedfs root suffix

This can be done under the Configuration tab of the Directory Server Console. Left-click on Data, then right-click on Data, and pick "New Root Suffix". Name the suffix, and give the storage backend instance a unique name. This also automatically creates a namingContext entry. I usually use "o=fedfs" and "fedfsRoot".

Create a fedfs NSDB container entry

Under the Directory tab of the Directory Server Console, left-click then right-click on the name of the server (the top entry in the left-hand column), and pick "New Root Entry..." Your root suffix should appear in the submenu. Choose the "organization" class. A new properties dialog will come up, and add the "fedfsNsdbContainerInfo" object class. This will add the fedfsNceDN attribute automatically. Alternatively, use ldapmodify (bound as the Directory Manager) to create the new object.

Note that this object must be explicitly made world-readable by adding an ACI attribute to it; otherwise unauthenticated NSDB lookups will not be able to see it. Use the 389-ds console, or see:

 http://download.oracle.com/docs/cd/E22289_01/html/821-1273/managing-acis-with-ldapmodify.html
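As an added example that is not part of this wiki page, the root suffix and the NSDB container entry from the two sections above created from the command line with LDIF instead of the console. It assumes the suffix "o=fedfs", the backend name "fedfsRoot", that the NCE DN is the container entry itself, and OpenLDAP's ldapadd/ldapsearch rather than the mozldap tools mentioned earlier.

```shell
# Added example (not from the wiki page): create the fedfs root suffix, the NSDB
# container entry and a world-read ACI with LDIF instead of the console.
# Assumptions: suffix o=fedfs, backend name fedfsRoot, NCE DN equal to the
# container entry, and OpenLDAP client tools (ldapadd/ldapsearch) on the PATH.

# Backend instance plus mapping-tree entry: what "New Root Suffix" creates.
root_suffix_ldif() {
  org="${1:-fedfs}"; backend="${2:-fedfsRoot}"
  cat <<EOF
dn: cn=$backend,cn=ldbm database,cn=plugins,cn=config
objectClass: extensibleObject
objectClass: nsBackendInstance
nsslapd-suffix: o=$org

dn: cn="o=$org",cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: o=$org
nsslapd-state: backend
nsslapd-backend: $backend
EOF
}

# The container entry with fedfsNsdbContainerInfo, fedfsNceDN and an ACI that
# grants anonymous read/search/compare, which the page says this entry needs.
nsdb_container_ldif() {
  org="${1:-fedfs}"
  cat <<EOF
dn: o=$org
objectClass: top
objectClass: organization
objectClass: fedfsNsdbContainerInfo
o: $org
fedfsNceDN: o=$org
aci: (targetattr="*")(version 3.0; acl "NSDB anonymous read"; allow (read, search, compare) userdn="ldap:///anyone";)
EOF
}

# Apply both as Directory Manager (ldapadd prompts for the password), then verify
# that an anonymous base search can read fedfsNceDN; failure means the ACI is missing.
apply_and_check() {
  host="${1:-localhost}"; org="${2:-fedfs}"
  { root_suffix_ldif "$org"; echo; nsdb_container_ldif "$org"; } |
    ldapadd -x -H "ldap://$host" -D "cn=Directory Manager" -W || return 1
  ldapsearch -x -LLL -H "ldap://$host" -b "o=$org" -s base fedfsNceDN |
    grep -q '^fedfsNceDN:'
}
```

Run `apply_and_check localhost fedfs` on the NSDB host after the schema from the section above has been installed; the final anonymous search is the check that the ACI actually took effect.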