The Fedora Project's 389 Directory Server, an advanced and complete open source LDAP (Lightweight Directory Access Protocol) server, can satisfy every corporate demand for an alternative to popular commercial solutions such as Microsoft's Active Directory. It come bundled with a powerful, intuitive, easy-to-use graphical interface to facilitate the administration of directory servers.
This article assumes you have the fundamental understanding of LDAP and directory services. If not, the article OpenLDAP for Remote Authentication is a good introduction to the idea of LDAP and directory servers as a whole.
To install the 389 Directory Server in CentOS 6 you must have the EPEL repository enabled. This repository allows you to install many additional packages besides 389 Directory Server. If you don't have it installed yet, run the command rpm -ivh http://ftp-stud.hs-esslingen.de/pub/epel/6/i386/epel-release-6-8.noarch.rpm, then run the command yum install 389-ds.noarch to install the directory server and its dependencies.
rpm -ivh http://ftp-stud.hs-esslingen.de/pub/epel/6/i386/epel-release-6-8.noarch.rpm
yum install 389-ds.noarch
The installation provides you with a few essential packages and executables. dirsrv is the directory server itself; make sure that it is always started and stopped with the system by running the command chkconfig dirsrv on. dirsrv-admin handles administration; you should also run chkconfig dirsrv-admin on.
chkconfig dirsrv on
chkconfig dirsrv-admin on
Another essential package is the graphical admin console, 389-console. If you have full a X environment on the server, you can start it with the command /usr/bin/389-console. Production servers usually don't have full X environments, but you can still run the console one of two ways.
The first option is to run the console on a local client and connect to the remote server with it. The project provides console installation packages for various platforms, including Windows (389-Console-1.1.6-i386.msi and 389-Console-1.1.6-x86_64.msi), from its official download page. In many Linux distributions the console can be installed directly from the official repository. In Debian- and Ubuntu-based distributions the package is under the name 389-console. If you choose to connect from a remote client, make sure that your connection to the server is secure, because sensitive information is passed.
The second option for using the admin console is to forward your X session over SSH. To do this you need a basic X environment set up on the production server, which you can install by running yum install xhost xorg-x11-server-Xorg xorg-x11-xauth dejavu-sans-fonts dejavu-serif-fonts. After that, set and export the shell variable DISPLAY with the command export DISPLAY=localhost:0. You should then be able to run remote X programs, including 389-console, over SSH. Establish an SSH connection first with the command ssh -X serveripaddress, where the -X argument enables forwarding.
yum install xhost xorg-x11-server-Xorg xorg-x11-xauth dejavu-sans-fonts dejavu-serif-fonts
ssh -X serveripaddress
To start the initial configuration of the directory server, run the command /usr/sbin/setup-ds-admin.pl. It invokes an intuitive, text-based wizard that guides you through the whole configuration process. It configures both the 389 Directory Server and its admin management service.
The configuration wizard offers three installation types: express, typical, and custom. Start with the typical choice, which is good enough for a beginning.
The script first checks your server setup for possible problems. Make sure to resolve any warnings it displays after you complete the setup.
The wizard provides good explanations for all the options and helps you making the correct choices with autodetected default values. Here are a few hints for the most important options in their order of occurrence:
One of the key questions the wizard asks is whether you want to register this software with an existing configuration directory server. Make sure to answer no, which instructs the setup script to continue through the complete setup.
After completing the configuration you have to configure your firewall. Usually the LDAP port (389) should be wide open to your internal network or servers' subnetwork so that servers can use the LDAP service. The administration port (9830) should be allowed only for the IP address of your admin station, if you're accessing it remotely, or not allowed at all if you run the admin console locally on the server.
To start using the 389 Directory Server console locally, run the command /usr/bin/389-console. You will be prompted for your admin user ID, password, and administration URL. The URL should look like http://localhost:9830/ if you are connecting locally to localhost.
As the left menu tree shows, the console lets you administer both the administration server and the directory server. Double-click on the server you want to manage in the menu tree.
The interface for the administration server lets you do everything from starting and stopping the service to configuring logging, SSL certificates, and encryption. All of its menus are intuitive and user-friendly.
The interface for the directory server gives you the most common controls and options for operations such as starting and stopping the server. It also allows you to easily back up and restore the directory information, which is useful because the usual methods of backing up and restoring LDAP information are not easy or straightforward.
The console for the directory server provides some advanced options. You can extend functionality through various plugins, set up SNMP agent for monitoring, configure complex replication, and even browse the LDAP directory data straight from the console.
For more information and complete guidance read Red Hat's guide to the commercially supported version of the directory server; it covers everything you can find in the freely available one.
Without a doubt, 389 Directory Server is the leader for open source directory management. It's the only complete solution that provides all the enterprise features you can find in similar commercial products.
Allowed tags: <a> link, <b> bold, <i> italics