Creating an LDAP entry

1. Create a new organizational unit called Services that will hold all your services.

2. Select the Services organizational unit. Right click an empty space in the right pane, select New then click Other.

3. In the New Object window, select ipservice and click OK.

4. Fill in the Full name, ipserviceport and ipserviceprotocol and click the Change button.

5. In the Change Naming Attribute window, check cn and uncheck ipserviceprotocol. Click the OK button to close the Change Naming window and click OK again to close the Property Editor window.

6. You should now have a service entry.

Configuring the Client

1. Edit the file /etc/ldap.conf and update at least the items below with the appropriate values for your environment.

host ldap.acme.local
base dc=acme,dc=local
nss_base_services ou=Services,dc=acme,dc=local?one

2. Edit the file /etc/nsswitch.conf and add ldap in the services entry. This will tell the system to also look in the LDAP server when enumerating the list of service.

3. To test, type in the command below. You should be able to see the entry you added.

getent services

Configuring SSL Connection

1. Make sure SSL is enabled in Active Directory. Learn how to enable LDAP SSL in Active Directory.

2. Export a base-64 encoded SSL certificate from your Active Directory Server.

3. Make sure SSL is enabled in 389 Directory Server. Learn how to enable LDAP SSL in 389 Directory Server.

4. Install the exported SSL certificate into 389 Directory Server.

Testing SSL Connection

1. Type the command below to test if you can do a plain LDAP connection to your Active Directory server. You’ll be asked for the password of the user account you specified in the -D option.

/usr/lib/mozldap/ldapsearch -b "dc=acme,dc=local" 
-h server.acme.local -R 
-D "cn=fds,cn=users,dc=acme,dc=local" 
-w - "objectclass=*"

Replace the value after -b with your search base, the value after -h with your server hostname and the value after -D with the distinguished name of a user account having read/write access to your Active Directory server.

2. Type the command below to test if you can do an SSL enabled LDAP connection to your Active Directory server.

/usr/lib/mozldap/ldapsearch -b "dc=acme,dc=local" 
-h server.acme.local -R 
-D "cn=fds,cn=users,dc=acme,dc=local" 
-w - -Z -P /etc/dirsrv/slapd-mail "objectclass=*"

Replace the value after -P with the settings path of your 389 Directory server.

If the two test above succeeds, you can use SSL connection to synchronize with Active Directory.

Troubleshooting

If the output from the test above contains

• Invalid credentials
  

  Check the distinguished name of the user account after the -D option and the bind password for it. To check the distinguished name, type the command below.

  /usr/lib/mozldap/ldapsearch -b "dc=acme,dc=local" -h server 
  -R -D "ACME\fds" -w - "samaccountname=fds" DN
  

  Replace the value ACME with your own domain and fds with your own user name. It will output the distinguished name of the user name you specified.

• TCP connection reset by peer
  

  Check the host name you specified after -h. If the host name is correct, check the firewall.

• security library: bad database
  

  Make sure SSL is enabled in 389 Directory Server. And check the path you specified after -P.

• Encountered end of file
  

  After configuring SSL in Active Directory, you probably did not reboot your Active Directory server. Reboot your AD server to complete the changes and try the test again.

• Peer’s Certificate has expired
  

  Make sure the system clock is synchronized in the Linux server and the Active Directory server. And the check the certificate, it may indeed be expired.

• Peer’s certificate issuer has been marked as not trusted by the user
  

  Check the trust setting you specified in the certificate of the 389 Directory server. Making connections to other servers should be checked.

• Has graphical tools to manage users, groups, and server configurations
• Supports Active Directory synchronization
• Supports multi-master replication
• Supports secure authentication and communication
• Supports LDAP version 3
• LDAP based update of schema, configurations, and access control information

This article describes how to install and use the 389 Directory Server.

How to install Linux

You can use either Red Hat Enterprise Linux 5 or CentOS 5. RHEL 5 can be purchased from Red Hat and comes with support. CentOS 5 on the other hand can be downloaded here.

1. How to install CentOS 5.

2. How to setup CentOS 5.

How to install and configure the 389 Directory Server

This section is about installing 389 Directory Server and using its graphical management tool.

1. How to setup the 389 Directory Server.

2. How to use the 389 Management Console.

3. How to configure 389 Directory Server plug-ins.

Synchronizing with Active Directory

This section describes how to synchronize with Active Directory. With this feature, you can reduce your Windows Server license requirements for your LDAP applications.

1. How to synchronize with Active Directory.

2. How to synchronize via SSL with Active Directory. This is needed to replicate password changes in 389 DS to Active Directory.

3. How to replicate Active Directory password changes to 389 Directory Server.

Active Directory synchronization is not yet perfect. Here are some issues you need to be aware of when synchronizing with 389 Directory Server with Active Directory.

Centralizing Information

The 389 Directory Server can be used to centralize your users, groups, hosts, services, etc.

How to use LDAP as a centralized users and authentication system

How to use LDAP as a Network Information System (NIS) replacement

Users

The Last Name is required in 389 Directory Server so make sure all users have it in Active Directory.

User Passwords

The Active Directory user passwords can only be replicated to 389 Directory Server by installing the PassSync utility to capture password changes before they are stored in a hashed format. This is the only way to get the user’s password from Active Directory.

The PassSync utility does not work in the 64 bit versions of Windows Server. It also stores the passwords used to authenticate with 389 Directory Server and the certificate database unencrypted in the registry.

Organizational Units

Organizational Units, like Accounting, Domain Controllers, Engineering and Sales and Marketing in the screen shot, are not automatically synchronized. Every time you create a new one in Active Directory, you need to manually create the same in Fedora Directory Server to synchronize its contents.

Containers

Containers, like Computers, ForeignSecurityPrincipals, and Users in the screen shot, is similar to the Organizational Unit but uses a different distinguished name.

It uses CN=name instead of OU=name for its relative distinguished name.

To create an organizational unit with the same naming convention, you have to extend the FDS schema.

You can use the setupusers.sh script to create the Users organizational unit for you. Just type in ./setupusers.sh “dc=acme,dc=local” to automatically create the Users container in FDS. Replace “dc=acme,dc=local” with your own base DN.

Launching the 389 Management Console

1. From a terminal window, type in 389-console. This will launch the 389 Management Console Login window.

 

User ID

cn=directory manager

Password

the directory manager password

Administration URL

localhost:9830

 

The values above assumes you have used the default values.

2. Click the + sign corresponding to your server. Next, click the + sign corresponding to Server Group and click Directory Server. Finally, click the Open button in the Directory Server page.

3. Click the Configuration tab.

Configuring 389 Directory Server Plug-ins

1. Click the + sign corressponding to Plug-ins.

2. Click the Distributed Numeric Assignment Plugin.

3. Check Enable plug-in and click the Save button.

4. Click Ok.

5. Restart the dirsrv service. Learn how to stop and start services here.

Launching the 389 Management Console

1. From a terminal window, type in 389-console. This will launch the 389 Management Console Login window.

 

User ID

cn=directory manager

Password

the directory manager password

Administration URL

localhost:9830

 

The values above assumes you have used the default values.

2. Click the + sign corresponding to your server. Next, click the + sign corresponding to Server Group and click Directory Server. Finally, click the Open button in the Directory Server page.

3. Click the Directory tab.

4. Click the folder corresponding to your domain.

Creating a New User

A User is an object used to store user information and authentication information.

1. Right click your domain, select New and click User.

2. In the Create New User window, fill in the user information and click Ok when you are done.

Creating a New Group

A Group is a container used to logically organize users into an easily identifiable structure.

1. Right click your domain, select New and click Group.

2. In the Create New Group window, fill in the group information.

3. Add the member users in the Members section. Click Ok when you are done.

Creating a New Organizational Unit

An organizational unit is an administrative-level container that is used to logically organize objects. You can create objects into an Organization Unit or copy and paste an existing object into it.

1. Right click your domain, select New and click Organizational Unit.

2. In the Create New Organizational Unit window, fill in the organizational unit information and click Ok when you are done.

Related Pages

How to configure plug-ins in 389 Directory Server

Configuring the User Permission

The 389 Directory Server sync user account should be given permission to update the password field. In our example, it is uid=SMaster,cn=config. You can create a sync user account using this article.

1. Launch the 389 Management Console.

2. Click the + sign corresponding to your server. Next, click the + sign corresponding to Server Group and click Directory Server. Finally, click the Open button in the Directory Server page.

3. Click the Directory tab and click the folder corresponding to your domain. Next, right click that same folder and click Set Access Permissions.

4. In the Manage Access Control window, click New.

5. In the Edit ACI window, click Edit Manually.

6. Change the value of the ACI to the one below. Click Ok when you are done.

(targetattr = "*") 
(version 3.0;
acl "PassSync";
allow (all)
(userdn = "ldap:///uid=SMaster,cn=config")
;)

userdn should correspond to your sync user account.

7. Finally, click Ok.

Installing PassSync

PassSync should be installed in every Windows domain controller in your domain. You can download the PassSync installer here.

1. Launch the PassSync installer and click Next.

2. Fill up the Password Synchronization Information page and click Next. Below are the description of the fields. Specify in Cert Token the password you plan to assign to the certificate database when you create it later. The password should be at least 8 characters long, and should contain at least one non-alphabetic character.

 

Host Name

389 Directory Server host name

Port Number

389 Directory Server SSL port number

User Name

User account in 389 Directory Server

Password

Password of user account

Cert Token

Certificate database password

Search Base

389 Directory Server base DN

The settings above will be stored in the registry located in the HKEY_LOCAL_MACHINE\SOFTWARE\PasswordSync path.

3. Click Next in the Ready to Install page.

4. Finally, click Finish.

Creating the Certificate Database

1. Export the 389 Directory Server certificate using the command below. Execute the command in the /etc/dirsrv/slapd-xxx directory where xxx corresponds to your directory server identifier. Copy the output file servercert.p12 to your target Windows Server.

pk12util -d . -o servercert.p12 -n Server-Cert -k pwdfile.txt

pwdfile.txt contains the certificate database password created by the setupssl2.sh script. Use -K password to provide your own password if you manually configured SSL in 389 Directory Server.

2. In the Windows Server, create the certificate database and load the 389 Directory Server certificate into it using the commands below. Before executing the commands below, change the Command Prompt’s current directory to the installation directory of PassSync, usually at “C:\Program Files\Red Hat Directory Password Synchronization”.

certutil -d . -N
pk12util -d . -i servercert.p12
certutil -d . -M -n Server-Cert -t "P,P,P"

Testing PassSync

1. Restart the Password Synchronization service.

2. Reset a user password and check if it synchronizes with 389 Directory Server.

If you encounter any problems, check the log file at C:\Program Files\Red Hat Directory Password Synchronization\passsync.log

Launching the 389 Management Console

1. Launch the 389 Management Console.

2. Click the + sign corresponding to your server. Next, click the + sign corresponding to Server Group and click Directory Server. Finally, click the Open button in the Directory Server page.

Creating the Sync User Account

The sync user account will be used by the replication plugin to update the 389 Directory Server. For security reason, it should not be part of the synchronized sub tree.

1. Click the Directory tab and click the config folder. Next, right click config, select New and click User.

2. Fill in the First Name, Last Name, Common Name, User ID, Password and Confirm Password fields. Click OK when you are done.

3. Note down the distinguished name of the newly created user located in the bottom part of the window.

Configuring Replication

The configuration below is for one way synchronization only, from Active Directory to 389 Directory Server. If you need two way synchronization, select Single Master or Multiple Master as the Replica Role and specify a numeric value for Replica ID (ex. 1) instead of using the default which is Dedicated Consumer.

1. Click the Configuration tab and click the Replication folder. In the Supplier Settings page, check Enable Changelog and click the Use default button. Click Save when you are done.

2. Click the + sign corresponding to Replication and click userRoot. Check Enable Replica.

3. Type in the distinguished name of sync user account (uid=SMaster,cn=config in the example above) into the Enter a new Supplier DN field and press Add. Click Save when you are done.

Creating a Windows Sync Agreement

To synchronize with Active Directory, you need an Active Directory user account. In the sample below, the fds user account (cn=fds,dc=acme,dc=local) has been created in Active Directory specifically for that purpose. Learn how to create a new user account in Windows Server.

1. Right click userRoot and click New Windows Sync Agreement.

2. In the Agreement Name window, fill in the Name and Description fields and click Next.

3. Fill in the Windows Sync Server Info form and click Next when you are done. See the sample values below.

 

Windows Domain Information

Windows Domain Name

acme.local

Sync New Windows Users

On

Sync New Windows Groups

On

Windows Subtree

dc=acme,dc=local

DS Subtree

dc=acme,dc=local

Domain Controller Host

server.acme.local

Port Num

389

Connection

Using encrypted SSL connection

Off

Bind as

cn=fds,dc=acme,dc=local

Password

secret

If you prefer to enable encrypted SSL connection, you need to install an SSL certificate in 389 Directory Server.

If you want the password changes on 389 Directory Server to replicate into the Active Directory Server you need the following

• A working Single Master/Multiple Master replication
• Encrypted SSL connection should be enabled
• The bind account (fds in the example above) must have permission to reset user password. The easiest way to accomplish this is to make the bind account a member of Domain Admins.

If you want the password changes on Active Directory Server to replicate into the 389 Directory Server, see Synch Active Directory Password to FDS.

4. Review the settings in the Summary window and click Done.

Starting the Synch Process

1. Right click the newly created agreement and click Initiate Full Re-synchronization.

2. Click the Status tab and click the Replication Status to check if the replication has completed.

3. Click the Error Logs under the Logs folder to check for any synch errors.

Check out Active Directory and 389 Directory Server Synchronization Issues for some of the problems you might encounter while implementing this.

Make sure that your host name is properly registered in your DNS or /etc/hosts file. Check if your hostname is registered properly by executing

ping mail.acme.local

in a terminal window, replace mail.acme.local with your own host name. If it returns 127.0.0.1 or unknown host that means it is not registered properly.

Installing 389 Directory Server

1. Type in the command below to update your Red Hat Enterprise Linux 5 or CentOS 5 to version 5.3 or higher.

yum update

Version 5.3 and above is required to run the 389 Directory Server.

2. Install 389 Directory Server by typing in the commands below in a terminal window. This is the content of fedora-ds.repo.

cd /etc/yum.repos.d
wget www.linuxmail.info/files/fedora-ds.repo
yum install 389-ds openldap-clients

3. Create a new user and group named fds. This account will be used to run the fds service. Learn how to create a new user.

4. Type in setup-ds-admin.pl in a terminal window to setup 389 Directory Server. Most of the time, the default is simply accepted indicated by the ↵ in the sample session below.

[root@mail ~]# setup-ds-admin.pl

==============================================================================
This program will set up the 389 Directory and Administration Servers.

It is recommended that you have "root" privilege to set up the software.
Tips for using this program:
  - Press "Enter" to choose the default and go to the next screen
  - Type "Control-B" then "Enter" to go back to the previous screen
  - Type "Control-C" to cancel the setup program

Would you like to continue with set up? [yes]: ↵

==============================================================================
BY SETTING UP AND USING THIS SOFTWARE YOU ARE CONSENTING TO BE BOUND BY
AND ARE BECOMING A PARTY TO THE AGREEMENT FOUND IN THE
LICENSE.TXT FILE. IF YOU DO NOT AGREE TO ALL OF THE TERMS
OF THIS AGREEMENT, PLEASE DO NOT SET UP OR USE THIS SOFTWARE.

Do you agree to the license terms? [no]: yes

==============================================================================
Your system has been scanned for potential problems, missing patches,
etc.  The following output is a report of the items found that need to
be addressed before running this software in a production
environment.

389 Directory Server system tuning analysis version 10-AUGUST-2007.



NOTICE : System is i686-unknown-linux2.6.18-53.el5 (1 processor).

WARNING: 376MB of physical memory is available on the system. 1024MB is recommended for best performance on large production system.

NOTICE : The net.ipv4.tcp_keepalive_time is set to 7200000 milliseconds
(120 minutes).  This may cause temporary server congestion from lost
client connections.

WARNING: There are only 1024 file descriptors (hard limit) available, which
limit the number of simultaneous connections.  

WARNING: There are only 1024 file descriptors (soft limit) available, which
limit the number of simultaneous connections.  

Would you like to continue? [no]: yes

==============================================================================
Choose a setup type:

   1. Express
       Allows you to quickly set up the servers using the most
       common options and pre-defined defaults. Useful for quick
       evaluation of the products.

   2. Typical
       Allows you to specify common defaults and options.

   3. Custom
       Allows you to specify more advanced options. This is 
       recommended for experienced server administrators only.

To accept the default shown in brackets, press the Enter key.

Choose a setup type [2]: ↵

==============================================================================
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: eros.example.com.

To accept the default shown in brackets, press the Enter key.

Computer name [mail.acme.local]: ↵

==============================================================================
The servers must run as a specific user in a specific group.
It is strongly recommended that this user should have no privileges
on the computer (i.e. a non-root user).  The setup procedure
will give this user/group some permissions in specific paths/files
to perform server-specific operations.

If you have not yet created a user and group for the servers,
create this user and group using your native operating
system utilities.

System User [nobody]: fds
System Group [nobody]: fds

==============================================================================
Server information is stored in the configuration directory server.
This information is used by the console and administration server to
configure and manage your servers.  If you have already set up a
configuration directory server, you should register any servers you
set up or create with the configuration server.  To do so, the
following information about the configuration server is required: the
fully qualified host name of the form
<hostname>.<domainname>(e.g. hostname.example.com), the port number
(default 389), the suffix, the DN and password of a user having
permission to write the configuration information, usually the
configuration directory administrator, and if you are using security
(TLS/SSL).  If you are using TLS/SSL, specify the TLS/SSL (LDAPS) port
number (default 636) instead of the regular LDAP port number, and
provide the CA certificate (in PEM/ASCII format).

If you do not yet have a configuration directory server, enter 'No' to
be prompted to set up one.

Do you want to register this software with an existing
configuration directory server? [no]: ↵

==============================================================================
Please enter the administrator ID for the configuration directory
server.  This is the ID typically used to log in to the console.  You
will also be prompted for the password.

Configuration directory server
administrator ID [admin]: ↵
Password: 
Password (confirm): 

==============================================================================
The information stored in the configuration directory server can be
separated into different Administration Domains.  If you are managing
multiple software releases at the same time, or managing information
about multiple domains, you may use the Administration Domain to keep
them separate.

If you are not using administrative domains, press Enter to select the
default.  Otherwise, enter some descriptive, unique name for the
administration domain, such as the name of the organization
responsible for managing the domain.

Administration Domain [acme.local]: ↵

==============================================================================
The standard directory server network port number is 389.  However, if
you are not logged as the superuser, or port 389 is in use, the
default value will be a random unused port number greater than 1024.
If you want to use port 389, make sure that you are logged in as the
superuser, that port 389 is not in use.

Directory server network port [389]: ↵

==============================================================================
Each instance of a directory server requires a unique identifier.
This identifier is used to name the various
instance specific files and directories in the file system,
as well as for other uses as a server instance identifier.

Directory server identifier [mail]: ↵

==============================================================================
The suffix is the root of your directory tree.  The suffix must be a valid DN.
It is recommended that you use the dc=domaincomponent suffix convention.
For example, if your domain is example.com,
you should use dc=example,dc=com for your suffix.
Setup will create this initial suffix for you,
but you may have more than one suffix.
Use the directory server utilities to create additional suffixes.

Suffix [dc=acme, dc=local]: ↵

==============================================================================
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and typically has a
bind Distinguished Name (DN) of cn=Directory Manager.
You will also be prompted for the password for this user.  The password must
be at least 8 characters long, and contain no spaces.

Directory Manager DN [cn=Directory Manager]: ↵
Password: 
Password (confirm): 

==============================================================================
The Administration Server is separate from any of your web or application
servers since it listens to a different port and access to it is
restricted.

Pick a port number between 1024 and 65535 to run your Administration
Server on. You should NOT use a port number which you plan to
run a web or application server on, rather, select a number which you
will remember and which will not be used for anything else.

Administration port [9830]: ↵

==============================================================================
The interactive phase is complete.  The script will now set up your
servers.  Enter No or go Back if you want to change something.

Are you ready to set up your servers? [yes]: ↵
Creating directory server . . .
Your new DS instance 'mail' was successfully created.
Creating the configuration directory server . . .
Beginning Admin Server creation . . .
Creating Admin Server files and directories . . .
Updating adm.conf . . .
Updating admpw . . .
Registering admin server with the configuration directory server . . .
Updating adm.conf with information from configuration directory server . . .
Updating the configuration for the httpd engine . . .
Starting admin server . . .
The admin server was successfully started.
Admin server was successfully created, configured, and started.
Exiting . . .
Log file is '/tmp/setupcT78dr.log'

[root@mail ~]# 

5. Setup the 389 Directory Server SSL by executing the commands below in a terminal window

wget http://github.com/richm/scripts/tree/master%2Fsetupssl2.sh?raw=true -O setupssl2.sh
chmod +x setupssl2.sh
./setupssl2.sh /etc/dirsrv/slapd-mail

6. Restart the dirsrv, dirsrv-admin and httpd service. Learn how to stop and start services here.

Administering 389 Directory Server

1. From a terminal window, type in 389-console. This will launch the 389 Management Console Login window.

 

User ID

cn=directory manager

Password

the directory manager password

Administration URL

localhost:9830

 

The values above assumes you have used the default values.

2. Success. Learn more about using the 389 Management Console.

Related Pages

Active Directory/LDAP virtual users in Postfix and Dovecot

Active Directory and Fedora Directory Server Sychronization Howto