Needs Updating
This article needs updating to include the latest versions of Ubuntu.

Overview

389 Directory Server (formerly FDS aka Fedora Directory Server) provides the following key features:

  • Multi-master replication - Provides a highly available directory service for both read and write operations. Multi-master replication can be combined with simple and cascading replication scenarios to provide a highly flexible and scalable replication environment.

  • Chaining and referrals - Increases the power of your directory by storing a complete logical view of your directory on a single server, while maintaining data on a large number of Directory Servers transparently for clients.

  • Roles and Class of Service - Provides a flexible mechanism for grouping and sharing attributes between entries in a dynamic fashion.

  • Improved access control mechanism - Provides support for macros that dramatically reduce the number of access control statements used in the directory and increase the scalability of access control evaluation.

  • Resource-limits by bind DN - Gives you the power to control the amount of server resources allocated to search operations based on the bind DN of the client.

  • Multiple databases - Provides a simple way of breaking down your directory data to simplify the implementation of replication and chaining in your directory service.

  • Password Policy and Account Lockout - Allows you to define a set of rules that govern how passwords and user accounts are managed in the Directory Server.

  • SSL - Provides secure communications over the network, including ciphers with up to 168-bit encryption.

The major components of Directory Server include:

  • An LDAP server - The core of the directory service, provided by the ns-slapd daemon and compliant with the LDAP v3 Internet standards.

  • Directory Server Console - An improved management console that dramatically reduces the effort of setting up and maintaining your directory service. The directory console is part of Red Hat Console, the common management framework for LDAP directory services.

  • SNMP Agent - Permits you to monitor your Directory Server in real time using the Simple Network Management Protocol (SNMP).

  • Online backup and restore - Allows you to create backups and restore from backups while the server is running.

Further Details

For further details visit:

https://www.redhat.com/docs/manuals/dir-server/ag/7.1/adminTOC.html

http://directory.fedora.redhat.com/wiki/Main_Page

Preparing Ubuntu

This howto assumes that you have a working installation of Ubuntu. I have added the necessary steps to prepare Ubuntu before you install Fedora Directory Server. This document describes how to install the Fedora Directory Server (FDS).

Installation of 389 Directory Server under Ubuntu 11.10 Oneiric Ocelot

sudo add-apt-repository ppa:ubuntu-389-directory-server/ppa
sudo apt-get update
sudo apt-get install 389-admin 389-ds-base 389-ds-console

Installation of Fedora Directory Server 1.1.x under Ubuntu 9.10

Add the Directory Server repository to your repository list

Add these lines to your /etc/apt/sources.list file:

  deb http://ppa.launchpad.net/ubuntu-389-directory-server/ppa/ubuntu/ karmic main
  deb-src http://ppa.launchpad.net/ubuntu-389-directory-server/ppa/ubuntu/ karmic main

then go to a terminal and execute

  sudo apt-get update

If you get a NO_PUBKEY error, add the trusted key and try the update again:

  sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 07B8937284F281ED
  sudo apt-get update

Install Server

First, as of this writing, the dirsrv package fails installation with the error "Can't locate Mozilla/LDAP/Conn.pm in @INC". So install its dependency before the rest:

  sudo apt-get install libmozilla-ldap-perl

EDIT: The libicu40 package is now deprecated but is still a dependency for dirsrv. Download and install it manually:

  wget http://mirrors.kernel.org/ubuntu/pool/main/i/icu/libicu40_4.0.1-2ubuntu2_i386.deb
  sudo dpkg -i libicu40_4.0.1-2ubuntu2_i386.deb

Now install all needed packages (we are also installing java6):

  sudo apt-get install dirsrv dirsrv-admin 389-ds-admin-console 389-ds-console\
  389-idm-console libadminutil1 libapache2-mod-nss libidm-console-framework-java\
  libjss-java libldap-java libsvrcore0 openjdk-6-jdk

After installation, if you get a message like " * /var/run/dirsrv is not writable for " when starting dirsrv-admin, the init script's fix_pid_dir_ownership function has failed. You will need to edit the /etc/init.d/dirsrv-admin script which greps the wrong file for the owner of the service.

Search for the line starting with "owner=`grep" and change it to read the User directive from console.conf instead of sysuser from admserv.conf:

#      owner=`grep \^sysuser /etc/dirsrv/admin-serv/admserv.conf | awk '{print $2}'`
       owner=`grep \^User /etc/dirsrv/admin-serv/console.conf | awk '{print $2}'`

and run

sudo chown -R dirsrv /var/run/dirsrv

You can then try starting and stopping the service:

/etc/init.d/dirsrv-admin stop
/etc/init.d/dirsrv-admin start

Now if you try to start the server you'll encounter this error: "apache2: Syntax error on line 123 of /etc/dirsrv/admin-serv/httpd.conf: module log_config_module is built-in and can't be loaded". Don't fret, just comment out that LoadModule line.

There are some missing symbolic links in the java classpath which need to be created.

cd /usr/share/java
sudo ln -s fedora-admin-1.1.3.jar 389-admin-1.1.jar
sudo ln -s fedora-admin-1.1.3_en.jar 389-admin-1.1_en.jar
sudo ln -s fedora-ds-1.2.0.jar 389-ds-1.2.jar
sudo ln -s fedora-ds-1.2.0_en.jar 389-ds-1.2_en.jar
cd /usr/share/dirsrv/html/java/jars
sudo ln -s ../../../../java/389-admin-1.1.jar
sudo ln -s ../../../../java/389-admin-1.1_en.jar
sudo ln -s ../../../../java/389-ds-1.2.jar
sudo ln -s ../../../../java/389-ds-1.2_en.jar

Check you have the correct java installed. (If you have older Java the console complains with a "400 Bad Request")

java -version

If you are not running java6 (also known as 1.6.X) you can switch:

sudo update-alternatives --config java

Verify the name of your nss_module in the /usr/lib/apache2/modules/ directory. It will likely be mod_nss.so and not libmodnss.so, as /etc/dirsrv/admin-serv/httpd.conf indicates. Edit the /etc/dirsrv/admin-serv/httpd.conf file to read:

# LoadModule nss_module         /usr/lib/apache2/modules/libmodnss.so
LoadModule nss_module         /usr/lib/apache2/modules/mod_nss.so

If you don't already have the 389 Directory server registered in DNS, it must be done before running the ds-admin installation script. Otherwise, a local /etc/hosts entry will need to be made for the server in addition to the 127.0.1.1 entry.

Stop the dirsrv service and delete the server instance directory. Run the ds-admin configuration script.

sudo /etc/init.d/dirsrv stop
sudo rm -R /etc/dirsrv/slapd-<your hostname>/
sudo setup-ds-admin

You can now run the fedora-idm-console. If you accepted the default settings when you ran setup-ds-admin, log in with:

username : cn=Directory Manager
password : <your password>
URL : http://localhost:9830

You can add additional ldap services by running setup-ds

sudo setup-ds

Installation of Fedora Directory Server 1.1.x under Ubuntu 8.10

Add the Directory Server repository to your repository list

Add these lines to your /etc/apt/sources.list file:

  deb http://fedorads.pearsoncomputing.net/ intrepid main
  deb-src http://fedorads.pearsoncomputing.net/ intrepid main

then go to a terminal and execute

  sudo apt-get update

Install Directory Server IDM Client

You can install the fedora-idm-console package from the terminal with this command: sudo apt-get install fedora-idm-console or you may use a package manager such as Synaptic to install it. After installation, the IDM Console can be launched from the System menu in KDE.

Install Directory Server

Run this command in the terminal to install the necessary packages:

  sudo apt-get install dirsrv dirsrv-admin fedora-ds-admin-console fedora-ds-console\
  fedora-idm-console libadminutil1 libapache2-mod-nss libidm-console-framework-java\
  libjss-java libldap-java libsvrcore0

After installation, you can run

  sudo setup-ds

to configure your new Fedora Directory Server.

Download Fedora Directory Server Pre-built rpm

Ubuntu 5.10 comes with libc6 version 2.3.5 and you need to download the version suitable for Fedora Core 3 and RHEL4. I assume here that you are using your home directory. You can choose your own directory for the download; use that path accordingly when you proceed with the installation.

To download the prebuilt Fedora-ds rpm, you can type in a terminal:

  wget -c http://directory.fedora.redhat.com/download/fedora-ds-1.0.1-1.RHEL4.i386.opt.rpm

Alternatively, you can use the following URL for downloading.

http://directory.fedora.redhat.com/wiki/Download

Installing Alien Package

Since we are going to use a pre-built rpm to install Fedora Directory Server, we need to convert the rpm to .deb format before we install Fedora-ds in Ubuntu. Alien is a tool which we can use to convert .rpm into .deb format. To install alien, type in a terminal:

 sudo apt-get install alien

Convert .rpm Package to .deb Package

Now it is time to convert the downloaded Fedora-ds rpm to a .deb package in your home directory. Type the following in a terminal.

 sudo alien fedora-ds-1.0.1-1.RHEL4.i386.opt.rpm

Install Dependencies

The Fedora Directory Server needs 'libtermcap.so.2', so let's install it. Type in a terminal.

 sudo apt-get install termcap-compat

User Note - with Feisty (at least) on AMD64 I was unable to find a .deb anywhere with a usable libtermcap.so.2. What I did is to repeat using alien on an RPM which I found via Google search "termcap rpm". Not the ideal but it did work. An alternative is to download the libtermcap-2*.src.rpm you need and trying to recompile it. Example:

wget ftp://ftp.ntua.gr/pub/FreeBSD/ports/distfiles/rpm/i386/fedora/8/libtermcap-2.0.8-47.src.rpm
rpmbuild --nodeps --rebuild libtermcap-2.0.8-47.src.rpm 2>/dev/null
cp -avu /usr/src/rpm/BUILD/termcap-2.0.8/libtermcap.so.2.0.8 /usr/lib64/
ln -s /usr/lib64/libtermcap.so.2.0.8 /usr/lib64/libtermcap.so.2 

Note that the rebuild process doesn't give you a clean exit code but you can simply copy the lib inside the right folder. With a very little effort you could build a correct .deb package using this process.

Installing Java Runtime Environment

User Note - In Feisty Java is available "apt-get install sun-java6-bin" - you can skip the rest of this section. :)

The Fedora-ds console requires a Java Runtime Environment (JRE). Either the Sun or the IBM JRE version 1.4.2 or later is required. In order to install the RPM, the IBM JRE is required before you install Fedora-ds.

The IBM JRE is available from http://www-128.ibm.com/developerworks/java/jdk/linux140/download.html

The Sun JRE is available from http://java.sun.com/j2se/1.4.2/download.html

I know it's annoying to have to do all the click throughs, licenses, registration, etc.

You should download j2re-1_4_2_10-linux-i586.bin if you are downloading from Sun. I assume that you are downloading this package to your home directory. After the download has finished, execute the following commands in a terminal.

 chmod +x j2re-1_4_2_10-linux-i586.bin

 ./j2re-1_4_2_10-linux-i586.bin

The above command will create a directory called "j2re1.4.2_10" in your current directory. Move this directory to "/usr/local". This step is optional; it is simply the way I like to do it. You are free to use your own locations. Execute the following command in a terminal.

  sudo mv j2re1.4.2_10 /usr/local

Next I will rename the above directory to java. This step is also optional; it is the way I like to do it.

  sudo mv  /usr/local/j2re1.4.2_10 /usr/local/java

Setting JAVA_HOME environment variable

When you install fedora-ds it will look for the JAVA_HOME environment variable, and the best place to set it is "/etc/profile". Use the vi editor to open the file and set the following two lines.

  sudo vi /etc/profile

The following code segment reflects the changes in "/etc/profile".

 ...
 JAVA_HOME=/usr/local/java
 export PATH JAVA_HOME
 ...

Now we need to make this user environment modification take effect. Use the dot (.) command to achieve this. You do not need to log off and log in again or reboot your system. Execute in your terminal.

 . /etc/profile

Test your changes:

echo $JAVA_HOME

Output should be:

/usr/local/java

Installing Apache2

The Fedora-ds admin-server depends on Apache2 compiled for the worker model, so let's install it.

 sudo apt-get install apache2-mpm-worker

On Fedora/Red Hat the Apache daemon is known as "httpd", while on Ubuntu it is known as "apache2". We therefore need to create a symbolic link to satisfy the Fedora-ds "setup" utility. Type in a terminal.

 sudo ln -s /usr/sbin/apache2 /usr/sbin/httpd

Installing .deb package

I assume that you have built this package in your home directory. Execute in a terminal.

 sudo dpkg -i fedora-ds_1.0.1-2_i386.deb

Creating a user and group for the daemon

Let's create a user and a group for the fedora-ds daemon.

 sudo groupadd fds
 sudo useradd -s /bin/false -g fds fds

Running Fedora-ds Setup Program

So far we have set up everything we need to run the Fedora-ds setup program. The setup utility will not find the Apache2 modules it requires on Ubuntu, so we need to help it by creating an install.inf file. Do this by running the setup utility with the '-k' option. Type in a terminal.

  sudo /opt/fedora-ds/setup/setup -k

  • Choose option '1' for as few questions as possible.
  • Choose 'fds' when asked which user and group apply. After finalizing the setup wizard, the directory server itself will be started as user 'fds'.
  • It listens on the port you just configured; I chose port '389', the default LDAP port.

When done, copy the install.inf file to /opt

  sudo cp /opt/fedora-ds/setup/install.inf /opt
  sudo chmod 640 /opt/install.inf

Now we have to edit the [admin] section of the install.inf using

  sudo vi /opt/install.inf

and add "ApacheRoot= /usr/lib/apache2" as in the following example.

The following code segment reflects your changes in "/opt/install.inf" file

 ...
 [admin]
 SysUser=   root
 Port= 16000  
 ServerIpAddress=
 ServerAdminID=   admin
 ServerAdminPwd=   dsadmin
 ApacheDir=   /usr/sbin
 ApacheRoot=   /usr/lib/apache2

After having finished the above, execute the following command to re-run the setup program.

 sudo /opt/fedora-ds/setup/setup -s -f /opt/install.inf
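
The install.inf edit above can also be scripted. This added example (not part of the original howto) sets ApacheRoot in the [admin] section and leaves the file at mode 640, since it holds ServerAdminPwd in clear text; the inf_set function name and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original howto.
# inf_set FILE SECTION KEY VALUE
#   Set KEY in [SECTION] of an install.inf-style file: replace an existing
#   assignment, or append one at the end of the section. Fails without
#   touching FILE when the section is missing.
inf_set() {
    file=$1 section=$2 key=$3 value=$4
    tmp=$(mktemp "$file.XXXXXX") || return 1     # mktemp creates it mode 600
    awk -v sec="[$section]" -v key="$key" -v val="$value" '
        function emit() { print key "=   " val; done = 1 }
        /^[ \t]*\[/ {                             # any section header
            if (insec && !done) emit()            # leaving target: append
            hdr = $0; gsub(/[ \t]/, "", hdr)
            insec = (hdr == sec)
        }
        insec && index($0, "=") {                 # assignment in target section
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k == key) { if (!done) emit(); next }
        }
        { print }
        END { if (insec && !done) emit(); exit (done ? 0 : 1) }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # The file carries ServerAdminPwd in clear text: never world-readable.
    chmod 640 "$tmp" && mv -f "$tmp" "$file"
}

# Constructed sample file (values are placeholders, not from a real server).
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/install.inf" <<'EOF'
[General]
FullMachineName=   dsmaster.example.test
[admin]
SysUser=   root
ServerAdminPwd=   CHANGE-ME
ApacheDir=   /usr/sbin
EOF
    inf_set "$d/install.inf" admin ApacheRoot /usr/lib/apache2 || return 1
    cat "$d/install.inf"
    rm -rf "$d"
}

demo
```

On the real file, run it with root privileges, for example from a root shell: inf_set /opt/install.inf admin ApacheRoot /usr/lib/apache2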

Adjusting the admin-server's httpd.conf file

Fedora-ds admin-server has its own httpd.conf file. Some modules are compiled in statically and must not be loaded again, so we need to disable them. Edit the file using vi and comment out those modules.

 sudo vi /opt/fedora-ds/admin-serv/config/httpd.conf

After editing "httpd.conf" file, the following code segment reflects your changes.

 ...
 #LoadModule access_module /usr/lib/apache2/modules/mod_access.so
 #LoadModule auth_module /usr/lib/apache2/modules/mod_auth.so
 #LoadModule log_config_module /usr/lib/apache2/modules/mod_log_config.so
 #LoadModule env_module /usr/lib/apache2/modules/mod_env.so
 ...
 #LoadModule setenvif_module /usr/lib/apache2/modules/mod_setenvif.so
 #LoadModule mime_module /usr/lib/apache2/modules/mod_mime.so
 ...
 #LoadModule negotiation_module /usr/lib/apache2/modules/mod_negotiation.so
 #LoadModule dir_module /usr/lib/apache2/modules/mod_dir.so
 ...
 #LoadModule alias_module /usr/lib/apache2/modules/mod_alias.so
 ...
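
Both the log_config_module error in the Ubuntu 9.10 steps and the list above follow one rule: a module already compiled into the Apache binary must not also be loaded with LoadModule. The following added example, which is not part of the original howto, derives the lines to comment out from the output of `apache2 -l`; the function name and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original howto.
# comment_builtin_modules BUILTIN_LIST HTTPD_CONF
#   BUILTIN_LIST: file holding the output of `apache2 -l`
#   HTTPD_CONF:   the admin server's httpd.conf
# Prints the rewritten configuration on stdout; neither input is modified.
comment_builtin_modules() {
    awk '
        # First file: collect compiled-in modules such as "  mod_log_config.c"
        FILENAME == ARGV[1] {
            if ($1 ~ /^mod_.*\.c$/) {
                name = $1
                sub(/\.c$/, "", name)
                builtin[name] = 1
            }
            next
        }
        # Second file: active LoadModule line whose .so is already built in
        $1 == "LoadModule" && NF >= 3 {
            so = $3
            sub(/^.*\//, "", so)    # drop the directory part
            sub(/\.so$/, "", so)    # drop the extension
            if (so in builtin) { print "#" $0; next }
        }
        { print }
    ' "$1" "$2"
}

# Constructed sample input (not taken from a real server).
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/builtin.txt" <<'EOF'
Compiled in modules:
  core.c
  mod_log_config.c
  mod_so.c
EOF
    cat > "$tmp/httpd.conf" <<'EOF'
LoadModule log_config_module /usr/lib/apache2/modules/mod_log_config.so
LoadModule nss_module         /usr/lib/apache2/modules/mod_nss.so
#LoadModule env_module /usr/lib/apache2/modules/mod_env.so
EOF
    comment_builtin_modules "$tmp/builtin.txt" "$tmp/httpd.conf"
    rm -rf "$tmp"
}

demo
```

Save the real list with `apache2 -l > builtin.txt`, review the printed result, and only then replace httpd.conf with it.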

Starting the admin-server

Let's start the admin-server:

 sudo /opt/fedora-ds/start-admin

If it starts, Good. Cheers from Chinthaka.

Making FDS persistent Across System Reboots

Since Fedora-ds has no init script, to ensure it starts at boot time you can add the following lines to the file /etc/rc.local:

/opt/fedora-ds/slapd-fossedu/start-slapd
/opt/fedora-ds/start-admin

Adding users for centralized authentication

I will now tell you how to create new users for centralized authentication with Fedora-ds. You need to create a Linux (POSIX) user account first. By default, users' home directories are created under /home on Linux systems, but I am going to take a different approach here. Later we need to mount users' home directories automatically when they log in from a workstation in our LAN. If we automount the directory server's home directory onto the workstation's home directory, then the local users of the workstation won't be able to access their home directories. To avoid this practical issue, I suggest you create a different home for our roaming users.

Look at my test scenario:

FosseduAutoHome.jpg

Create a new home

sudo mkdir /ahome

To create user:

sudo useradd -m -d /ahome/fmaster -s /bin/bash -c "Foss Master" fmaster

Then the rest you can do

Using Fedora-ds Management console

I assume the following example configuration here.

  • Hostname:- dsmaster.fossedu.org

  • Console port:- 16000

Execute the following commands in a terminal to start the console. Use your own settings accordingly and enter the admin password you gave when running the setup program.

 cd /opt/fedora-ds
 ./startconsole -u admin -a http://dsmaster.fossedu.org:16000 &

FedoraDsMmcLoging.jpg

Once you have logged in, you should see the Fedora-ds MMC main screen.

FdsMmcMainScreen.jpg

Creating a New User

You can create users using the following screens. The second screenshot shows how you can map a Fedora-ds user to an existing Linux account.

Screen to create a new user:

FdsMmcCreateUser.jpg

Screen to map a Fedora-ds user to a Linux account:

FdsMmcMapPosixUser.jpg

Setting Workstations with Fedora-ds

I have created a separate howto for client setup.

Please view: FedoraDirectoryServerClientHowto

Howto created by: ChinthakaDeshapriya.


FedoraDirectoryServer (last edited 2014-09-14 19:06:39 by cpe-69-207-170-108)