Ops535-389-ds-install

From CDOT Wiki

Note: this wiki page is a work-in-progress

OS and virtual hardware configuration on the VM

  • Minimal CentOS 7.x installation
  • 2 NICs - one on NAT network (192.168.122.0/24), one on isolated private network (192.168.x.0/24)
  • enable "epel" repository - yum install epel-release
  • Hostname: ds389.cp.net
  • IP address: 192.168.x.20/24 on isolated private network

System Software Configuration

Host name resolution

  • Primary DNS server for your domain:
    • Add A resource record: ds389.cp.net. IN A 192.168.x.20
    • Add PTR resource record: 20.x.168.192.in-addr.arpa. IN PTR ds389.cp.net.
  • If you don't have DNS, add the following record to /etc/hosts
    • 192.168.x.20 ds389.cp.net ds389

Firewall configuration

You need to open TCP ports 389, 636 and 9830 for external access to your 389 Directory Server.

firewalld.service

Run the following commands to open the ports:

 firewall-cmd --permanent --add-port=389/tcp
 firewall-cmd --permanent --add-port=636/tcp
 firewall-cmd --permanent --add-port=9830/tcp

You need to run the following command to update the current firewall settings:

 firewall-cmd --reload

Please confirm your firewall settings with the following command:

 firewall-cmd --list-ports

iptables.service

Run the following commands to open the ports:

 iptables -I INPUT -p tcp --dport 389 -j ACCEPT
 iptables -I INPUT -p tcp --dport 636 -j ACCEPT
 iptables -I INPUT -p tcp --dport 9830 -j ACCEPT

Run the following command to save the current firewall settings:

 service iptables save

System resource configuration

  • Add the following line to /etc/sysctl.conf:
 net.ipv4.tcp_keepalive_time = 300
  • Add the following lines to /etc/security/limits.conf:
 *    soft    nofile    8192
 *    hard    nofile    8192
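The host-name, firewall and resource settings above can be checked before setup-ds-admin.pl is run, which saves a reboot cycle when the tuning report complains. The following POSIX shell script is an added example and is not part of this wiki page or of the 389-DS project. It assumes the port list, the sysctl key and the limits.conf values given above and, when run with --run, reads the firewalld port list, /etc/sysctl.conf and /etc/security/limits.conf on the live host; each check is a function that also accepts captured text or a file path, so the logic can be exercised on constructed input without a 389-DS host. ptr_name builds the in-addr.arpa owner name that the PTR record under "Host name resolution" needs.

```shell
#!/bin/sh
# Pre-flight checks for the 389-DS host set up on this page.
# Added example: not part of the wiki page or of the 389-DS project.
# Every check is a function that works on text (captured command output
# or a file path), so the logic can be exercised on constructed input;
# "--run" applies the checks to the live host.

REQUIRED_PORTS="389 636 9830"   # LDAP, LDAPS and the admin server, as opened above

# missing_ports: given the output of `firewall-cmd --list-ports`
# (for example "389/tcp 636/tcp"), print the required TCP ports it lacks.
missing_ports() {
    _open=" $(printf '%s' "$1" | tr '\n' ' ') "
    _missing=""
    for _p in $REQUIRED_PORTS; do
        case "$_open" in
            *" $_p/tcp "*) ;;
            *) _missing="$_missing $_p" ;;
        esac
    done
    printf '%s\n' "${_missing# }"
}

# sysctl_value: print the value assigned to a key in a sysctl.conf-style
# file, skipping comments; the last assignment wins, as it does for sysctl.
sysctl_value() {
    _file="$1"; _key="$2"
    [ -r "$_file" ] || return 1
    sed -n 's/^[[:space:]]*'"$_key"'[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$_file" | tail -n 1
}

# limits_nofile: print the soft or hard nofile limit set for the "*" domain
# in a limits.conf-style file (fields: domain type item value).
limits_nofile() {
    _file="$1"; _type="$2"
    [ -r "$_file" ] || return 1
    awk -v t="$_type" '$1 == "*" && $2 == t && $3 == "nofile" { v = $4 } END { print v }' "$_file"
}

# ptr_name: turn a dotted IPv4 address into the in-addr.arpa owner name the
# PTR record needs (octets reversed, trailing dot as in the zone record above).
ptr_name() {
    printf '%s\n' "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 ".in-addr.arpa." }'
}

# preflight: apply every check to the live host; non-zero exit on any failure.
preflight() {
    _rc=0
    if command -v firewall-cmd >/dev/null 2>&1; then
        _m=$(missing_ports "$(firewall-cmd --list-ports)")
        [ -z "$_m" ] || { echo "firewalld: TCP ports not opened: $_m"; _rc=1; }
    fi
    _ka=$(sysctl_value /etc/sysctl.conf net.ipv4.tcp_keepalive_time || :)
    [ "$_ka" = "300" ] ||
        { echo "sysctl.conf: tcp_keepalive_time is '${_ka:-unset}', expected 300"; _rc=1; }
    for _t in soft hard; do
        _n=$(limits_nofile /etc/security/limits.conf "$_t" || :)
        [ "${_n:-0}" -ge 8192 ] ||
            { echo "limits.conf: $_t nofile is '${_n:-unset}', expected >= 8192"; _rc=1; }
    done
    return $_rc
}

# Only the live run is guarded; sourcing the file just defines the functions.
case "${1:-}" in --run) preflight ;; esac
```

Run it as `sh preflight.sh --run` on the VM; a non-zero exit with the printed reasons means setup-ds-admin.pl will still raise the keepalive or file-descriptor warning shown further down this page. The firewalld check reads the runtime port list, so run it after `firewall-cmd --reload`.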

389-DS rpm packages

  • yum install 389-ds*

The command above installs the following rpm packages and their dependencies:

 389-ds-console-doc
 389-ds-base
 389-ds-console
 389-ds-base-libs
 389-ds-base-devel
 389-ds
 389-dsgw

Requirements for running the setup-ds.pl program

Create an unprivileged regular user to act as the Administrator for the 389 Directory Server:

 useradd ldapadmin

Warning message for system resources

[root@ds389 ~]# setup-ds-admin.pl

==============================================================================
This program will set up the 389 Directory and Administration Servers.

It is recommended that you have "root" privilege to set up the software.
Tips for using this program:
  - Press "Enter" to choose the default and go to the next screen
  - Type "Control-B" then "Enter" to go back to the previous screen
  - Type "Control-C" to cancel the setup program

Would you like to continue with set up? [yes]: 

==============================================================================
Your system has been scanned for potential problems, missing patches,
etc.  The following output is a report of the items found that need to
be addressed before running this software in a production
environment.

389 Directory Server system tuning analysis version 23-FEBRUARY-2012.

NOTICE : System is x86_64-unknown-linux3.10.0-327.36.3.el7.x86_64 (1 processor).

NOTICE : The net.ipv4.tcp_keepalive_time is set to 7200000 milliseconds
(120 minutes).  This may cause temporary server congestion from lost
client connections.

WARNING: There are only 1024 file descriptors (soft limit) available, which
limit the number of simultaneous connections.  

WARNING  : The warning messages above should be reviewed before proceeding.

Would you like to continue? [no]: 

Update the files "/etc/sysctl.conf" and "/etc/security/limits.conf" as described under "System resource configuration" above, then run "setup-ds-admin.pl" again.

Setup screen

After updating "/etc/sysctl.conf" and "/etc/security/limits.conf", reboot the VM and login as root. Run the "setup-ds-admin.pl" again and you should get something similar to the following:

[root@ds389 ~]# setup-ds-admin.pl

==============================================================================
This program will set up the 389 Directory and Administration Servers.

It is recommended that you have "root" privilege to set up the software.
Tips for using this program:
  - Press "Enter" to choose the default and go to the next screen
  - Type "Control-B" then "Enter" to go back to the previous screen
  - Type "Control-C" to cancel the setup program

Would you like to continue with set up? [yes]: 

==============================================================================
Your system has been scanned for potential problems, missing patches,
etc.  The following output is a report of the items found that need to
be addressed before running this software in a production
environment.

389 Directory Server system tuning analysis version 23-FEBRUARY-2012.

NOTICE : System is x86_64-unknown-linux3.10.0-327.36.3.el7.x86_64 (1 processor).

Would you like to continue? [yes]:

Post-installation

Start the Directory Server and Admin service

  • systemctl enable dirsrv.target
  • systemctl start dirsrv.target
  • systemctl enable dirsrv-admin.service
  • systemctl start dirsrv-admin.service

Install Xfce for GUI web console

  • yum groupinstall Xfce

Testing the LDAP Server

  • ldapsearch -x -b 'dc=cp,dc=net'
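The search above uses simple authentication with no bind DN (-x without -D), so it binds anonymously: whatever it returns is what any client that can reach port 389 can read, which makes it a useful smoke test of both reachability and the suffix. The following POSIX shell script is an added example, not part of this wiki page or of the 389-DS project. It assumes the dc=cp,dc=net suffix from this page; the two LDIF samples are constructed (the successful one is trimmed to the suffix entry and the default Directory Administrators group) so the parsing functions can be exercised without a server, and --run performs the live query.

```shell
#!/bin/sh
# Smoke test wrapper for the anonymous ldapsearch check above.
# Added example: not part of the wiki page or of the 389-DS project.
# ldif_summary and ldif_ok work on captured ldapsearch output, so they can be
# exercised on the constructed samples below; "--run" queries the live server.

# ldif_summary: count the entries (dn: lines) in LDIF output and extract the
# numeric LDAP result code from the "result:" line.
ldif_summary() {
    printf '%s\n' "$1" | awk '
        /^dn: /     { entries++ }
        /^result: / { code = $2 }
        END { printf "entries=%d result=%s\n", entries, (code == "" ? "none" : code) }'
}

# ldif_ok: succeed only when the search completed (result 0) and returned at
# least one entry; a reachable server holding a different suffix answers with
# result 32 (No such object) and no entries, which this treats as a failure.
ldif_ok() {
    case "$(ldif_summary "$1")" in
        entries=0*)    return 1 ;;
        *" result=0")  return 0 ;;
        *)             return 1 ;;
    esac
}

# Constructed sample: trimmed output of the search on this page against a
# freshly installed dc=cp,dc=net suffix.
SAMPLE_OK=$(cat <<'EOF'
# extended LDIF
#
# LDAPv3
# base <dc=cp,dc=net> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# cp.net
dn: dc=cp,dc=net
objectClass: top
objectClass: domain
dc: cp

# Directory Administrators, cp.net
dn: cn=Directory Administrators,dc=cp,dc=net
objectClass: top
objectClass: groupofuniquenames
cn: Directory Administrators

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
EOF
)

# Constructed sample: the same search with a suffix the server does not hold.
SAMPLE_ERR=$(cat <<'EOF'
# extended LDIF
#
# LDAPv3
# base <dc=wrong,dc=net> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
EOF
)

# ldap_smoke_test: run the page's anonymous search against the live server,
# print the summary and exit with the status of ldif_ok.
ldap_smoke_test() {
    _out=$(ldapsearch -x -b 'dc=cp,dc=net' 2>&1) || :
    ldif_summary "$_out"
    ldif_ok "$_out"
}

case "${1:-}" in --run) ldap_smoke_test ;; esac
```

Run `sh ldap-smoke.sh --run` after dirsrv.target is started; "entries=0 result=none" means ldapsearch could not reach the server at all (the stderr text carries no result line), while a non-zero result code means the server answered but the search failed.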

Start the management console

On the local machine

To start the management console, type:

 389-console

On remote workstation