389-ds
Contents
About
http://directory.fedoraproject.org/docs/389ds/documentation.html
http://directory.fedoraproject.org/docs/389ds/howto/howto-debianubuntu.html
https://access.redhat.com/documentation/en/red-hat-directory-server/
http://www.admin-magazin.de/Das-Heft/2010/01/Der-Directory-Server-389
Installation
- purge "slapd"
- install "389-ds"
aptitude install 389-ds
Configuration
Recursive listing of a bare installation
/etc/dirsrv
root@mail /etc/dirsrv # ll -R /etc/dirsrv
/etc/dirsrv:
insgesamt 4
drwxr-xr-x 2 dirsrv dirsrv 76 Jan 17 16:55 admin-serv/
drwxr-xr-x 2 dirsrv dirsrv 101 Jan 17 16:55 config/
drwxr-xr-x 2 dirsrv dirsrv 28 Jan 17 16:55 dsgw/
drwxr-xr-x 2 dirsrv dirsrv 4096 Jan 17 16:55 schema/

/etc/dirsrv/admin-serv:
insgesamt 48
-rw-r--r-- 1 dirsrv dirsrv 4026 Sep 16 08:58 admserv.conf
-rw-r--r-- 1 dirsrv dirsrv 4467 Sep 16 08:58 console.conf
-rw-r--r-- 1 dirsrv dirsrv 26775 Sep 16 08:58 httpd.conf
-rw-r--r-- 1 dirsrv dirsrv 4502 Sep 16 08:58 nss.conf

/etc/dirsrv/config:
insgesamt 28
-rw-r--r-- 1 dirsrv dirsrv 1676 Dez 9 07:33 certmap.conf
-rw-r--r-- 1 dirsrv dirsrv 1006 Dez 9 07:33 ldap-agent.conf
-rw-r--r-- 1 dirsrv dirsrv 15148 Dez 9 07:33 slapd-collations.conf
-rw-r--r-- 1 dirsrv dirsrv 770 Dez 9 07:33 template-initconfig

/etc/dirsrv/dsgw:
insgesamt 4
-rw-r--r-- 1 dirsrv dirsrv 3085 Sep 16 08:59 dsgw-httpd.conf

/etc/dirsrv/schema:
insgesamt 328
-rw-r--r-- 1 dirsrv dirsrv 26733 Dez 9 07:33 00core.ldif
-rw-r--r-- 1 dirsrv dirsrv 58615 Dez 9 07:33 01core389.ldif
-rw-r--r-- 1 dirsrv dirsrv 31696 Dez 9 07:33 02common.ldif
-rw-r--r-- 1 dirsrv dirsrv 701 Dez 9 07:33 05rfc2927.ldif
-rw-r--r-- 1 dirsrv dirsrv 5854 Dez 9 07:33 05rfc4523.ldif
-rw-r--r-- 1 dirsrv dirsrv 10481 Dez 9 07:33 05rfc4524.ldif
-rw-r--r-- 1 dirsrv dirsrv 4750 Dez 9 07:33 06inetorgperson.ldif
-rw-r--r-- 1 dirsrv dirsrv 3285 Dez 9 07:33 10automember-plugin.ldif
-rw-r--r-- 1 dirsrv dirsrv 7345 Dez 9 07:33 10dna-plugin.ldif
-rw-r--r-- 1 dirsrv dirsrv 2412 Dez 9 07:33 10mep-plugin.ldif
-rw-r--r-- 1 dirsrv dirsrv 7292 Dez 9 07:33 10rfc2307.ldif
-rw-r--r-- 1 dirsrv dirsrv 4466 Dez 9 07:33 20subscriber.ldif
-rw-r--r-- 1 dirsrv dirsrv 2705 Dez 9 07:33 25java-object.ldif
-rw-r--r-- 1 dirsrv dirsrv 1726 Dez 9 07:33 28pilot.ldif
-rw-r--r-- 1 dirsrv dirsrv 8914 Dez 9 07:33 30ns-common.ldif
-rw-r--r-- 1 dirsrv dirsrv 6455 Dez 9 07:33 50ns-admin.ldif
-rw-r--r-- 1 dirsrv dirsrv 947 Dez 9 07:33 50ns-certificate.ldif
-rw-r--r-- 1 dirsrv dirsrv 16404 Dez 9 07:33 50ns-directory.ldif
-rw-r--r-- 1 dirsrv dirsrv 8902 Dez 9 07:33 50ns-mail.ldif
-rw-r--r-- 1 dirsrv dirsrv 2857 Dez 9 07:33 50ns-value.ldif
-rw-r--r-- 1 dirsrv dirsrv 946 Dez 9 07:33 50ns-web.ldif
-rw-r--r-- 1 dirsrv dirsrv 1948 Dez 9 07:33 60acctpolicy.ldif
-rw-r--r-- 1 dirsrv dirsrv 1129 Dez 9 07:33 60autofs.ldif
-rw-r--r-- 1 dirsrv dirsrv 3311 Dez 9 07:33 60eduperson.ldif
-rw-r--r-- 1 dirsrv dirsrv 6856 Dez 9 07:33 60mozilla.ldif
-rw-r--r-- 1 dirsrv dirsrv 741 Dez 9 07:33 60nss-ldap.ldif
-rw-r--r-- 1 dirsrv dirsrv 2350 Dez 9 07:33 60pam-plugin.ldif
-rw-r--r-- 1 dirsrv dirsrv 720 Dez 9 07:33 60posix-winsync-plugin.ldif
-rw-r--r-- 1 dirsrv dirsrv 3552 Dez 9 07:33 60pureftpd.ldif
-rw-r--r-- 1 dirsrv dirsrv 3497 Dez 9 07:33 60rfc2739.ldif
-rw-r--r-- 1 dirsrv dirsrv 15312 Dez 9 07:33 60rfc3712.ldif
-rw-r--r-- 1 dirsrv dirsrv 2045 Dez 9 07:33 60sabayon.ldif
-rw-r--r-- 1 dirsrv dirsrv 3611 Dez 9 07:33 60sudo.ldif
-rw-r--r-- 1 dirsrv dirsrv 1281 Dez 9 07:33 60trust.ldif
-rw-r--r-- 1 dirsrv dirsrv 291 Dez 9 07:33 99user.ldif
Create an admin instance
- Use --keepcache and --file=setup.inf during your experiments.
- Temporary setup files (".inf" and ".log") are created in "/tmp"; delete them once you have copied the ".inf".
- Make sure to
  - set correct Unix filesystem permissions on the working directory and its files ("/etc/dirsrv/setup/*"), and
  - delete confidential information (such as hashed or plaintext passwords) from the setup files when finished.
root@mail /etc/dirsrv # mkdir /etc/dirsrv/setup
root@mail /etc/dirsrv/setup # chmod 750 /etc/dirsrv/setup
root@mail /etc/dirsrv/setup # chmod 640 /etc/dirsrv/setup/*
root@mail /etc/dirsrv # setup-ds-admin --file=/etc/dirsrv/setup/setup-mail.inf --keepcache

==============================================================================
This program will set up the 389 Directory and Administration Servers.

It is recommended that you have "root" privilege to set up the software.
Tips for using this program:
- Press "Enter" to choose the default and go to the next screen
- Type "Control-B" then "Enter" to go back to the previous screen
- Type "Control-C" to cancel the setup program

Would you like to continue with set up? [yes]:

==============================================================================
Your system has been scanned for potential problems, missing patches,
etc. The following output is a report of the items found that need to
be addressed before running this software in a production
environment.

389 Directory Server system tuning analysis version 23-FEBRUARY-2012.

NOTICE : System is x86_64-unknown-linux3.16.0-4-amd64 (2 processors).

NOTICE : The net.ipv4.tcp_keepalive_time is set to 7200000 milliseconds
(120 minutes). This may cause temporary server congestion from lost
client connections.

Would you like to continue? [yes]:

==============================================================================
Choose a setup type:

1. Express
Allows you to quickly set up the servers using the most
common options and pre-defined defaults. Useful for quick
evaluation of the products.

2. Typical
Allows you to specify common defaults and options.

3. Custom
Allows you to specify more advanced options. This is
recommended for experienced server administrators only.

To accept the default shown in brackets, press the Enter key.

Choose a setup type [2]: 3

==============================================================================
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: eros.example.com.

To accept the default shown in brackets, press the Enter key.

Warning: This step may take a few minutes if your DNS servers
can not be reached or if DNS is not configured correctly. If
you would rather not wait, hit Ctrl-C and run this program again
with the following command line option to specify the hostname:

General.FullMachineName=your.hostname.domain.name

Computer name [mail.rockstable.org]:

==============================================================================
The servers must run as a specific user in a specific group.
It is strongly recommended that this user should have no privileges
on the computer (i.e. a non-root user). The setup procedure
will give this user/group some permissions in specific paths/files
to perform server-specific operations.

If you have not yet created a user and group for the servers,
create this user and group using your native operating
system utilities.

System User [dirsrv]:
System Group [dirsrv]:

==============================================================================
Server information is stored in the configuration directory server.
This information is used by the console and administration server to
configure and manage your servers. If you have already set up a
configuration directory server, you should register any servers you
set up or create with the configuration server. To do so, the
following information about the configuration server is required: the
fully qualified host name of the form
<hostname>.<domainname>(e.g. hostname.example.com), the port number
(default 389), the suffix, the DN and password of a user having
permission to write the configuration information, usually the
configuration directory administrator, and if you are using security
(TLS/SSL). If you are using TLS/SSL, specify the TLS/SSL (LDAPS) port
number (default 636) instead of the regular LDAP port number, and
provide the CA certificate (in PEM/ASCII format).

If you do not yet have a configuration directory server, enter 'No' to
be prompted to set up one.

Do you want to register this software with an existing
configuration directory server? [no]:

==============================================================================
Please enter the administrator ID for the configuration directory
server. This is the ID typically used to log in to the console. You
will also be prompted for the password.

Configuration directory server
administrator ID [ds_admin]:
Password:
Password (confirm):

==============================================================================
The information stored in the configuration directory server can be
separated into different Administration Domains. If you are managing
multiple software releases at the same time, or managing information
about multiple domains, you may use the Administration Domain to keep
them separate.

If you are not using administrative domains, press Enter to select the
default. Otherwise, enter some descriptive, unique name for the
administration domain, such as the name of the organization
responsible for managing the domain.

Administration Domain [rockstable.org]:

==============================================================================
The standard directory server network port number is 389. However, if
you are not logged as the superuser, or port 389 is in use, the
default value will be a random unused port number greater than 1024.
If you want to use port 389, make sure that you are logged in as the
superuser, that port 389 is not in use.

Directory server network port [389]:


==============================================================================
Each instance of a directory server requires a unique identifier.
This identifier is used to name the various
instance specific files and directories in the file system,
as well as for other uses as a server instance identifier.

Directory server identifier [mail]:

==============================================================================
The suffix is the root of your directory tree. The suffix must be a valid DN.
It is recommended that you use the dc=domaincomponent suffix convention.
For example, if your domain is example.com,
you should use dc=example,dc=com for your suffix.
Setup will create this initial suffix for you,
but you may have more than one suffix.
Use the directory server utilities to create additional suffixes.

Suffix [dc=rockstable,dc=org]:

==============================================================================
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and typically has a
bind Distinguished Name (DN) of cn=Directory Manager.
You will also be prompted for the password for this user. The password must
be at least 8 characters long, and contain no spaces.
Press Control-B or type the word "back", then Enter to back up and start over.

Directory Manager DN [cn=Directory Manager]:
Password:
Password (confirm):

==============================================================================
You may install some sample entries in this directory instance. These
entries will be installed in a separate suffix and will not interfere
with the normal operation of the directory server.

Do you want to install the sample entries? [no]: yes

==============================================================================
You may wish to populate your new directory instance with some data.
"You may already have a file in LDIF format to use or some suggested
entries can be added. If you want to import entries from an LDIF
file, you may type in the full path and filename at the prompt. If
you want the setup program to add the suggested entries, type the
word suggest at the prompt. The suggested entries are common
container entries under your specified suffix, such as ou=People and
ou=Groups, which are commonly used to hold the entries for the persons
and groups in your organization. If you do not want to add any of
these entries, type the word none at the prompt.

Type the full path and filename, the word suggest, or the word none [suggest]:

==============================================================================
The Administration Server is separate from any of your web or application
servers since it listens to a different port and access to it is
restricted.

Pick a port number between 1024 and 65535 to run your Administration
Server on. You should NOT use a port number which you plan to
run a web or application server on, rather, select a number which you
will remember and which will not be used for anything else.

Administration port [9830]:

==============================================================================
If you want to configure the Administration Server to bind
to a specific IP address, enter the address below.

IP address [127.0.0.1]:

==============================================================================
The Administration Server program runs as a certain user on your
system. This user must have permission to modify files and directories
for your Directory server as well as the Administration server. You
are strongly encouraged to use a non-privileged (i.e. non-root) user.

Run Administration Server as [dirsrv]:

==============================================================================
The interactive phase is complete. The script will now set up your
servers. Enter No or go Back if you want to change something.

Are you ready to set up your servers? [yes]:
Creating directory server . . .
Your new DS instance 'mail' was successfully created.
Creating the configuration directory server . . .
Beginning Admin Server reconfiguration . . .
Creating Admin Server files and directories . . .
Updating adm.conf . . .
Updating admpw . . .
Registering admin server with the configuration directory server . . .
Updating adm.conf with information from configuration directory server . . .
Updating the configuration for the httpd engine . . .
Restarting admin server . . .
The admin server was successfully started.
Admin server was successfully reconfigured and started.
Exiting . . .
Log file is '/tmp/setupFb5PSc.log'
- Here is an automatically generated setup.inf (note that it contains the plaintext and hashed passwords entered above):
[General]
AdminDomain = rockstable.org
ConfigDirectoryAdminID = ds_admin
ConfigDirectoryAdminPwd = aServAdmPassword
ConfigDirectoryLdapURL = ldap://mail.rockstable.org:389/o=NetscapeRoot
FullMachineName = mail.rockstable.org
ServerRoot = /usr/lib/x86_64-linux-gnu/dirsrv
SuiteSpotGroup = dirsrv
SuiteSpotUserID = dirsrv
[slapd]
AddOrgEntries = Yes
AddSampleEntries = Yes
HashedRootDNPwd = {SSHA}ZrmavzBcDWEQqSpmJaWER/2BZDVKw6WSEEd7mQ==
InstallLdifFile = suggest
RootDN = cn=Directory Manager
RootDNPwd = aSecurePassword
ServerIdentifier = mail
ServerPort = 389
SlapdConfigForMC = yes
Suffix = dc=rockstable,dc=org
UseExistingMC = 0
bak_dir = /var/lib/dirsrv/slapd-mail/bak
bindir = /usr/bin
cert_dir = /etc/dirsrv/slapd-mail
config_dir = /etc/dirsrv/slapd-mail
datadir = /usr/share
db_dir = /var/lib/dirsrv/slapd-mail/db
ds_bename = userRoot
inst_dir = /usr/lib/x86_64-linux-gnu/dirsrv/slapd-mail
ldif_dir = /var/lib/dirsrv/slapd-mail/ldif
localstatedir = /var
lock_dir = /var/lock/dirsrv/slapd-mail
log_dir = /var/log/dirsrv/slapd-mail
naming_value = rockstable
run_dir = /var/run/dirsrv
sbindir = /usr/sbin
schema_dir = /etc/dirsrv/slapd-mail/schema
sysconfdir = /etc
tmp_dir = /tmp
[admin]
Port = 9830
ServerAdminID = ds_admin
ServerAdminPwd = aServAdmPassword
ServerIpAddress = 127.0.0.1
SysUser = dirsrv
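The cleanup the notes above ask for (tight permissions on /etc/dirsrv/setup, no passwords left in the saved .inf), as an added example that is not part of the original page: a POSIX sh script that redacts every "...Pwd" value from a saved setup-ds-admin .inf, checks that no credential survives, and stores the copy with 0750/0640 permissions. The key names are the ones in the generated file above; the sample .inf content it writes is constructed.

```shell
#!/bin/sh
# Added example, not from the original page: redact credentials from a saved
# setup-ds-admin ".inf" before keeping it under /etc/dirsrv/setup.
# Key names (RootDNPwd, HashedRootDNPwd, ConfigDirectoryAdminPwd,
# ServerAdminPwd) are the ones in the generated file; all end in "Pwd".

# Write a constructed sample .inf (same layout as the generated one,
# with made-up values) to the path given as $1.
write_sample_inf() {
    cat > "$1" <<'EOF'
[General]
ConfigDirectoryAdminPwd = aServAdmPassword
FullMachineName = mail.rockstable.org
[slapd]
HashedRootDNPwd = {SSHA}constructedhashvaluenotreal==
RootDNPwd = aSecurePassword
ServerPort = 389
[admin]
ServerAdminPwd = aServAdmPassword
EOF
}

# Print $1 with the value of every "...Pwd = ..." setting replaced by a
# placeholder; all other settings are passed through unchanged.
scrub_inf() {
    sed -E 's/^([[:space:]]*[A-Za-z]*Pwd[[:space:]]*=[[:space:]]*).*$/\1<REMOVED>/' "$1"
}

# Exit status 0 if $1 still holds a credential: a non-empty, non-placeholder
# Pwd value, or an {SSHA} hash anywhere in the file.
has_secrets() {
    grep -Eq '^[[:space:]]*[A-Za-z]*Pwd[[:space:]]*=[[:space:]]*[^<[:space:]]|[{]SSHA' "$1"
}

# Scrub $1 into directory $2 (default /etc/dirsrv/setup) with the permissions
# the notes above call for: 0750 on the directory, 0640 on the file.
install_scrubbed() {
    dir=${2:-/etc/dirsrv/setup}
    dst=$dir/$(basename "$1")
    mkdir -p "$dir" && chmod 750 "$dir"
    scrub_inf "$1" > "$dst" && chmod 640 "$dst"
    has_secrets "$dst" && { echo "credential left in $dst" >&2; return 1; }
    echo "stored scrubbed copy at $dst"
}

# Stand-alone demonstration on the constructed sample in a temporary directory.
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    write_sample_inf "$work/setup-mail.inf"
    install_scrubbed "$work/setup-mail.inf" "$work/setup"
    cat "$work/setup/setup-mail.inf"
    rm -rf "$work"
fi
```

Run it with `--demo` to see the scrubbed file; the temporary files setup-ds-admin leaves in /tmp still have to be deleted by hand, as noted above.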
Remove a DS instance
- Don't just delete the configuration: the instance is probably still running, and its database files are located under "/var/lib/dirsrv".
Systemd
root@mail /etc/dirsrv/setup # systemctl status dirsrv@mail.service
● dirsrv@mail.service - 389 Directory Server mail.
Loaded: loaded (/lib/systemd/system/dirsrv@.service; enabled)
Active: active (running) since So 2016-01-17 21:29:40 CET; 8min ago
Main PID: 13809 (ns-slapd)
CGroup: /system.slice/system-dirsrv.slice/dirsrv@mail.service
└─13809 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-mail -i /var/run/dirsrv/slapd-mail.pid -w /var/run/dirsrv/slapd-mail.startpid
Directory Server Admin
- Create an ssh port forward to the server for port 9830 (for example from a running session via the ssh escape sequence "~C")
- Use your browser to connect to http://ds_admin@localhost:9830/ and authenticate
Troubleshooting
Runtime Linker
- "apache2ctl graceful" shows
root@mail /etc/apache2/mods-available # apache2ctl graceful
apache2: Syntax error on line 219 of /etc/apache2/apache2.conf: Syntax error on line 147 of /etc/apache2/sites-enabled/mail.rockstable.org_443.conf: Syntax error on line 41 of /etc/apache2/sites-available/389.conf: Cannot load /usr/lib/x86_64-linux-gnu/dirsrv/modules/mod_admserv.so into server: libsoftokn3.so: cannot open shared object file: No such file or directory
Action 'graceful' failed.
The Apache error log may have more information.
- configure the runtime linker
NULL ADMConfigDIR
- /var/log/apache2/error.log shows: