How to Install LDAP 389 Directory Server On Linux with Detailed Steps


389 Directory Server is an open source enterprise LDAP Server.

It can handle very large volumes of data. One of the big benefits of the 389 LDAP server is that it is lightning fast and can process several thousand operations per second.

It has several advanced features, including asynchronous multi-master replication for horizontal scaling, which in turn provides 100% fault tolerance and extremely high throughput.

Also, keep in mind that it supports TLS and SASL for authentication and transport. 389 Directory Server is fully LDAPv3 compliant.

This tutorial explains how you can install and configure 389 directory server on your Linux environment.

Setup EPEL Repository

If you don’t have the EPEL repository set up, make sure you set it up, as we’ll be installing the 389 related packages from EPEL.

First, download the epel rpm from Fedora website as shown below.

Next, Install the epel repository on your server.

If you are interested in OpenLDAP instead of 389 Directory Server, refer to this: How to Install and Configure OpenLDAP on Linux

Setup /etc/hosts File Properly

Make sure the hosts file is set up properly.

In this example, the following is the current /etc/hosts file setup.

In the above:

  • – The IP address of the server
  • – The FQDN of the server where 389 Directory Server is being installed
  • deploy – The hostname of the server

Setup Appropriate sysctl Parameters

Add the following line to your /etc/sysctl.conf file:

Depending on how many resources your system has, you may want to bump up the file-max number above a bit more.

Execute the “sysctl -p” command as shown below to apply the above changes to the running system.

Verify that the changes are made:

Set Appropriate Ulimit Values

Set the ulimit value to 8192 in your /etc/profile file as shown below.

Verify that this entry is added to the /etc/profile file.

Modify pam.d Login File

Modify the /etc/pam.d/login file and add the following line, which includes the file shown below.

Make sure the file is present on your system.

Note: On 32-bit systems, use the following instead, as the location of this file is different.

Create LDAP Admin User

Create a user called ldapadmin and assign a password as shown below:
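The host-tuning steps above (sysctl file-max, the ulimit in /etc/profile, pam_limits in /etc/pam.d/login, and the ldapadmin user) can be scripted so that re-running them never duplicates entries and the result can be verified. The following is an added example, not code from the original article: the fs.file-max value of 64000 and the pam_limits.so paths are assumptions (the article gives only the ulimit value of 8192), and every helper takes the target file as a parameter so it can be tried on scratch copies before touching /etc.

```shell
#!/bin/sh
# Added example, not code from the original article: idempotent helpers for the
# host-tuning steps (sysctl file-max, ulimit in /etc/profile, pam_limits in
# /etc/pam.d/login) plus the ldapadmin user. Every helper takes the target file
# as a parameter so it can be tried on scratch copies before touching /etc.
# The fs.file-max value (64000) and the pam_limits.so paths are assumptions;
# the article gives only the ulimit value of 8192.

set -u

# ensure_line FILE LINE: append LINE to FILE unless an identical line exists,
# so re-running the script never duplicates entries.
ensure_line() {
    file=$1
    line=$2
    [ -f "$file" ] || : > "$file"
    if grep -qxF -- "$line" "$file"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# System-wide open-file limit for /etc/sysctl.conf (value assumed).
tune_sysctl() {
    ensure_line "$1" "fs.file-max = 64000"
}

# Per-process open-file limit for /etc/profile, as the article sets it.
tune_profile() {
    ensure_line "$1" "ulimit -n 8192"
}

# tune_pam_login FILE MODULE_PATH: make the limits apply to login sessions.
# The module lives under /lib64/security on 64-bit and /lib/security on 32-bit.
tune_pam_login() {
    ensure_line "$1" "session    required     $2"
}

# verify_tuning SYSCTL_FILE PROFILE_FILE PAM_LOGIN_FILE: returns 0 when all
# three files carry their expected lines, 1 otherwise (the "verify" step above).
verify_tuning() {
    grep -qxF "fs.file-max = 64000" "$1" &&
    grep -qxF "ulimit -n 8192" "$2" &&
    grep -q "pam_limits.so" "$3"
}

# Apply to the real files only when run as root with APPLY_TUNING=yes;
# otherwise the script just defines the functions.
if [ "$(id -u)" -eq 0 ] && [ "${APPLY_TUNING:-no}" = "yes" ]; then
    tune_sysctl /etc/sysctl.conf
    sysctl -p
    tune_profile /etc/profile
    if [ -f /lib64/security/pam_limits.so ]; then
        tune_pam_login /etc/pam.d/login /lib64/security/pam_limits.so
    else
        tune_pam_login /etc/pam.d/login /lib/security/pam_limits.so
    fi
    # Service owner for the directory; set its password interactively with passwd.
    id ldapadmin >/dev/null 2>&1 || useradd ldapadmin
    verify_tuning /etc/sysctl.conf /etc/profile /etc/pam.d/login && echo "tuning verified"
fi
```

Run it as root with `APPLY_TUNING=yes sh tune-389.sh`; without that variable it only defines the functions, which is what lets it be sourced and exercised against temporary files first. The `verify_tuning` check is the scripted form of the “verify that the changes are made” steps above.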

Once you’ve set up the LDAP server properly, this will help: How to Add LDAP Users and Groups

Install 389 Directory Server Base and OpenLDAP Client

Next, install the 389 Directory Server base package and the OpenLDAP client utilities. We need these two packages:

  • 389-ds-base.x86_64
  • openldap-clients.x86_64

Install the above two packages using the yum command:

Apart from installing the 389-ds-base and openldap-clients packages, depending on your system, this will also install the following dependent packages:

  • 389-ds-base-libs
  • GeoIP
  • bind-libs
  • bind-utils
  • cyrus-sasl-gssapi
  • cyrus-sasl-md5
  • libicu
  • perl-Archive-Tar
  • perl-DB_File
  • perl-IO-Zlib
  • perl-Mozilla-LDAP
  • perl-NetAddr-IP
  • perl-Package-Constants
  • svrcore

On this particular system, the following packages were also upgraded when the above two packages were installed:

  • bind-libs-lite
  • bind-license
  • openldap

If you are using EPEL repository for the first time on your system, this may ask you to accept the key as shown below. Say “y” here.

Install 389 Directory Server Admin Packages

Next, install the following packages that are related to the 389 LDAP Server administration:

  • 389-ds.noarch – The 389 directory, administration, and console suite
  • 389-admin.x86_64 – The admin for the 389 Administration Server
  • 389-adminutil.x86_64 – The utilities and libraries required for 389 administration
  • 389-ds-console-doc.noarch – Web-based docs for the 389 Directory Server management console

Use the yum command to install these 389 Directory Server admin related packages as shown below:

Apart from installing those 4 packages, depending on your system, this also installed the following dependent packages:

  • 389-admin-console
  • 389-admin-console-doc
  • 389-console
  • 389-ds-console
  • 389-dsgw
  • copy-jdk-configs
  • idm-console-framework
  • java-1.8.0-openjdk-headless
  • javapackages-tools
  • jss
  • ldapjdk
  • libxslt
  • lksctp-tools
  • mod_nss
  • perl-CGI
  • perl-FCGI
  • python-javapackages
  • python-lxml
  • tzdata-java

On this particular system, the following packages were also upgraded when the above packages were installed:

  • chkconfig
  • nspr
  • nss
  • nss-softokn
  • nss-softokn-freebl
  • nss-sysinit
  • nss-tools
  • nss-util

Setup 389 Directory Server – Execute

After installing the required 389 LDAP Server packages, execute the setup script, which will configure 389 Directory Server on your system.

The above program will ask you to enter several values. Most of them are intuitive and straightforward.

But, I’ve shown partial output of wherever this is asking for user input below.

Setup 389 Directory Server – Initial Warning Message

During the first few prompts of the above script, depending on your system setup, it may give you the following WARNING messages. You can say ‘yes’ to continue here:

Setup 389 Directory Server – Choose Typical Setup Type

In the following screen, if you are new to 389 Directory Server, choose the typical setup, which will set up all the common configuration options for you.

Setup 389 Directory Server – Enter FQDN

If you’ve set up your /etc/hosts file properly as explained in one of the previous steps, it should pick up your computer name correctly here, as shown below.

You just have to press Enter here and move on.

If your server doesn’t have a proper FQDN set up, you’ll see this error message during script execution. Press Ctrl-C to exit, fix the FQDN issue, and then re-run the script.

You can also pass the FQDN as a parameter to the script as shown below:

Setup 389 Directory Server – Enter LDAP Admin User

By default, this will use dirsrv as the username and group. Since we created a user called ldapadmin in a previous step, specify that here.

Setup 389 Directory Server – Config Directory Server

Since this is the first setup we are doing, we don’t have a configuration directory server yet. So, press Enter here to accept the default choice, which is ‘no’.

But when you are doing multiple installations, you might already have a configuration directory server set up, in which case you should say ‘yes’ and specify its details there.

Setup 389 Directory Server – Specify Admin Username and Password

At this stage, you have to specify the admin username and password for the new directory server that is about to be set up.

You’ll use this uid and password to log in to the console.

Setup 389 Directory Server – Enter Additional Parameters

The following are a few additional parameters the script will prompt for. This domain name was picked up from the FQDN that we defined in the /etc/hosts file:

The default port number, as you can guess from the name, is 389. Just leave it as it is by pressing Enter:

Enter the unique identifier for your directory server.

Setup 389 Directory Server – Setup LDAP Tree Structure

First, set up your directory tree accordingly. In this example, this is the root of our directory tree, broken down by dc as shown below.

Next, specify the directory manager, which is the DN of the administrative user who will perform certain directory server operations.

Press Enter to accept the default name, then enter the password for your directory manager user.

Specify the admin port. Note that this is different from your application server or web server port. Just accept the default value here.

Setup 389 Directory Server – Final Stages of Setup

Say ‘yes’ to the following final confirmation message to start the directory server configuration based on the values that you’ve entered so far.

You’ll see the following output indicating that the script is setting up the directory servers based on your configuration values.

If you don’t have SELinux set up and configured properly, you’ll get the following ERROR message. In this case, you may want to temporarily disable SELinux and run the setup script.
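The answers the script prompts for above (FQDN, service user, configuration directory server, admin username and password, domain, port, server identifier, suffix, Directory Manager DN and password, admin port) can also be supplied non-interactively through a silent-install answer file passed with `-s -f` to setup-ds-admin.pl (the script shipped by the 389-admin package). The following is an added example, not the article’s own code: the answer-file section and key names follow the setup script’s documented silent-install format as I recall it and should be checked against the version installed; the host name deploy.example.com, the domain, the suffix and the admin id are assumed values, and the two passwords are read from environment variables so they never appear in `ps` output or shell history.

```shell
#!/bin/sh
# Added example, not code from the original article: write a silent-install
# answer file for setup-ds-admin.pl carrying the same answers the interactive
# prompts ask for. Key names are assumed from the script's documented format;
# host name, domain, suffix and admin id are assumed example values.

set -u

# write_setup_inf FILE
# Requires DS_ROOT_PW (Directory Manager) and DS_ADMIN_PW (console admin) in
# the environment; the other settings default to example values and can be
# overridden with the DS_* variables below.
write_setup_inf() {
    out=$1
    : "${DS_ROOT_PW:?Directory Manager password must be set in DS_ROOT_PW}"
    : "${DS_ADMIN_PW:?admin password must be set in DS_ADMIN_PW}"
    fqdn=${DS_FQDN:-deploy.example.com}     # FQDN from /etc/hosts (assumed)
    domain=${DS_DOMAIN:-example.com}        # administration domain
    suffix=${DS_SUFFIX:-dc=example,dc=com}  # root of the directory tree
    ident=${DS_IDENT:-deploy}               # server identifier (instance name)
    owner=${DS_OWNER:-ldapadmin}            # user/group created earlier
    admin=${DS_ADMIN:-admin}                # console admin uid

    # The file holds passwords: create it readable by the owner only.
    old_umask=$(umask)
    umask 077
    cat > "$out" <<EOF
[General]
FullMachineName= $fqdn
SuiteSpotUserID= $owner
SuiteSpotGroup= $owner
AdminDomain= $domain
ConfigDirectoryAdminID= $admin
ConfigDirectoryAdminPwd= $DS_ADMIN_PW
ConfigDirectoryLdapURL= ldap://$fqdn:389/o=NetscapeRoot

[slapd]
SlapdConfigForMC= Yes
UseExistingMC= 0
ServerPort= 389
ServerIdentifier= $ident
Suffix= $suffix
RootDN= cn=Directory Manager
RootDNPwd= $DS_ROOT_PW
AddSampleEntries= No

[admin]
Port= 9830
ServerAdminID= $admin
ServerAdminPwd= $DS_ADMIN_PW
EOF
    chmod 600 "$out"
    umask "$old_umask"
}

# inf_is_private FILE: 0 only when the answer file is readable by its owner
# alone, since it contains both passwords in clear text.
inf_is_private() {
    mode=$(ls -l "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# Example run (RUN_SETUP=yes as root): build the file, check its permissions,
# feed it to the setup script, then remove it so the passwords do not stay on disk.
if [ "${RUN_SETUP:-no}" = "yes" ]; then
    write_setup_inf /root/setup-ds.inf
    inf_is_private /root/setup-ds.inf || { echo "answer file is readable by others" >&2; exit 1; }
    setup-ds-admin.pl -s -f /root/setup-ds.inf
    shred -u /root/setup-ds.inf 2>/dev/null || rm -f /root/setup-ds.inf
fi
```

`UseExistingMC= 0` is the answer-file form of pressing Enter at the “configuration directory server” prompt above; a second installation that should join an existing configuration directory server would set it to 1 and point ConfigDirectoryLdapURL at that server instead. Individual `Section.Key=value` pairs can also be given on the setup-ds-admin.pl command line, which is the mechanism behind passing the FQDN as a parameter mentioned earlier, but anything containing a password belongs in the protected file rather than in argv.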

Verify Setup Log File

The last line of the setup script will show the name of the log file.

Open the log file to make sure there are no error messages. It should look something like the following:

Start 389 Directory Server using Systemctl

dirsrv is the startup program name.

Use systemctl to start the 389 Directory Server as shown below.

Before starting:

Start the 389 Directory Server:

After starting:

Start 389 Directory Server using start-dirsrv

Instead of using systemctl, you can also use the start-dirsrv command as shown below to start the directory server:

Use stop-dirsrv to stop it:

The following will display the status of the directory server:

Start 389 Directory Server Admin using Systemctl

To control the admin server for your 389 directory, use systemctl as shown below.

The admin program is known as dirsrv-admin as shown below.

You can also use the stop-ds-admin command to stop the 389 Administration Server.

Validate the Setup Using LDAPSearch Command

Finally, use the ldapsearch command to validate that the setup is done properly.

The following is the partial output of the ldapsearch command:
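The ldapsearch validation above can be turned into a repeatable post-install check using the openldap-clients tools installed earlier. The following is an added example, not the article’s own code or output: it does an anonymous base-scope search for the suffix entry and, separately, confirms that the Directory Manager can bind, reading the password from a file with `-y` instead of putting it on the command line. The host, port, suffix and password-file path in the usage lines are assumptions for this walkthrough.

```shell
#!/bin/sh
# Added example, not code from the original article: a post-install health
# check built on the openldap-clients tools installed earlier. Host, port and
# suffix are parameters; the values in the usage lines at the bottom are
# assumptions for this walkthrough, not output the article printed.

set -u

# validate_ds HOST PORT SUFFIX
# Anonymous (-x without -D) base-scope search for the suffix entry, the same
# kind of query the article uses to validate the setup. Returns 0 when the
# server answers with that entry, 1 when it is unreachable or returns
# something else. Plain ldap:// is acceptable here only because the check
# runs on the server itself right after setup.
validate_ds() {
    host=$1
    port=$2
    suffix=$3
    result=$(ldapsearch -x -LLL -H "ldap://$host:$port" -b "$suffix" \
                 -s base '(objectClass=*)' dn 2>/dev/null) || return 1
    printf '%s\n' "$result" | grep -qi "^dn: $suffix\$"
}

# check_bind HOST PORT BIND_DN PASSWORD_FILE
# Confirms that BIND_DN (for example the Directory Manager) can bind. The
# password is read from a file with -y rather than passed as an argument, so
# it does not show up in ps output or shell history. Returns 0 when the
# server echoes the bound DN back.
check_bind() {
    host=$1
    port=$2
    binddn=$3
    pwfile=$4
    out=$(ldapwhoami -x -H "ldap://$host:$port" -D "$binddn" -y "$pwfile" 2>/dev/null) || return 1
    printf '%s\n' "$out" | grep -qi "$binddn"
}

# Usage with assumed values (RUN_CHECKS=yes), run on the freshly configured server.
if [ "${RUN_CHECKS:-no}" = "yes" ]; then
    validate_ds localhost 389 "dc=example,dc=com" && echo "suffix entry found"
    check_bind localhost 389 "cn=Directory Manager" /root/dm.pw && echo "Directory Manager bind ok"
fi
```

The password file given to `-y` should be owner-readable only (`chmod 600`) and should contain the password with no trailing newline, since ldapwhoami uses the file contents verbatim. A failing `validate_ds` right after a successful setup usually means the instance is not running yet (see the systemctl and start-dirsrv sections above) rather than a configuration problem.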
