Creating an LDAP entry

1. Create a new organizational unit called Services that will hold all your services.

2. Select the Services organizational unit. Right click an empty space in the right pane, select New then click Other.

3. In the New Object window, select ipservice and click OK.

4. Fill in the Full name, ipserviceport and ipserviceprotocol and click the Change button.

5. In the Change Naming Attribute window, check cn and uncheck ipserviceprotocol. Click the OK button to close the Change Naming window and click OK again to close the Property Editor window.

6. You should now have a service entry.

Configuring the Client

1. Edit the file /etc/ldap.conf and update at least the items below with the appropriate values for your environment.

host ldap.acme.local
base dc=acme,dc=local
nss_base_services ou=Services,dc=acme,dc=local?one

2. Edit the file /etc/nsswitch.conf and add ldap in the services entry. This will tell the system to also look in the LDAP server when enumerating the list of service.

3. To test, type in the command below. You should be able to see the entry you added.

getent services

Configuring SSL Connection

1. Make sure SSL is enabled in Active Directory. Learn how to enable LDAP SSL in Active Directory.

2. Export a base-64 encoded SSL certificate from your Active Directory Server.

3. Make sure SSL is enabled in 389 Directory Server. Learn how to enable LDAP SSL in 389 Directory Server.

4. Install the exported SSL certificate into 389 Directory Server.

Testing SSL Connection

1. Type the command below to test if you can do a plain LDAP connection to your Active Directory server. You’ll be asked for the password of the user account you specified in the -D option.

/usr/lib/mozldap/ldapsearch -b "dc=acme,dc=local" 
-h server.acme.local -R 
-D "cn=fds,cn=users,dc=acme,dc=local" 
-w - "objectclass=*"

Replace the value after -b with your search base, the value after -h with your server hostname and the value after -D with the distinguished name of a user account having read/write access to your Active Directory server.

2. Type the command below to test if you can do an SSL enabled LDAP connection to your Active Directory server.

/usr/lib/mozldap/ldapsearch -b "dc=acme,dc=local" 
-h server.acme.local -R 
-D "cn=fds,cn=users,dc=acme,dc=local" 
-w - -Z -P /etc/dirsrv/slapd-mail "objectclass=*"

Replace the value after -P with the settings path of your 389 Directory server.

If the two test above succeeds, you can use SSL connection to synchronize with Active Directory.

Troubleshooting

If the output from the test above contains

• Invalid credentials
  

  Check the distinguished name of the user account after the -D option and the bind password for it. To check the distinguished name, type the command below.

  /usr/lib/mozldap/ldapsearch -b "dc=acme,dc=local" -h server 
  -R -D "ACME\fds" -w - "samaccountname=fds" DN
  

  Replace the value ACME with your own domain and fds with your own user name. It will output the distinguished name of the user name you specified.

• TCP connection reset by peer
  

  Check the host name you specified after -h. If the host name is correct, check the firewall.

• security library: bad database
  

  Make sure SSL is enabled in 389 Directory Server. And check the path you specified after -P.

• Encountered end of file
  

  After configuring SSL in Active Directory, you probably did not reboot your Active Directory server. Reboot your AD server to complete the changes and try the test again.

• Peer’s Certificate has expired
  

  Make sure the system clock is synchronized in the Linux server and the Active Directory server. And the check the certificate, it may indeed be expired.

• Peer’s certificate issuer has been marked as not trusted by the user
  

  Check the trust setting you specified in the certificate of the 389 Directory server. Making connections to other servers should be checked.

Installing JXplorer

1. Install the Java Runtime Environment.

2. Download the JXplorer deploy bz2 archive at http://sourceforge.net/projects/jxplorer/files/

3. Double click the downloaded file to launch the Archive Manager.

4. Click the Extract button to launch the Extract window.

5. Change the destination folder by clicking on Desktop. In the popup menu, select Other….

6. Click the notepad button and in the Location field type in /opt/ and click Open.

7. Click the Extract button to start extracting

8. Type in the commands below in a terminal window to give the proper permission to JXplorer.

Starting JXplorer

1. Type in the commands below in a terminal window to launch JXplorer.

cd /opt/jxplorer
./jxplorer.sh

2. In JXplorer, click the connect button located in the upper left of the window.

3. Fill in the connection information and click Ok.

4. That’s it, it’s working.

The attributes below are required to be filled up to be able to use LDAP authentication.

• uid – User name
• userPassword – User password
• uidNumber – UID
• gidNumber – GID
• homeDirectory – Home directory
• loginShell – Login shell

If you are using Fedora Directory Server, it has a great GUI tool for managing the required Posix attributes.

Setup Authentication

1. Click System, select Administration and click Authentication. This will launch the Authentication Configuration window.

2. Check Enable LDAP Support and click the Configure LDAP button.

3. Fill in the LDAP Search Base DN and LDAP Server fields. Click Ok when you are done.

4. Click the Authentications tab and check Enable LDAP Support.

5. Click the Options tab and check Local authorization is sufficient for local users and Create home directories on the first login. Click Ok when you are done.

6. Type in getent passwd in a terminal window. You should see your LDAP user accounts.

Finally, reboot your computer. You should now be able to login using LDAP user accounts.

If your LDAP server requires authentication or its attributes does not conform to the RFC 2307 specification, you need to edit the file /etc/ldap.conf to make this work. See Active Directory Authentication for an example.

The version of sudo that comes with RHEL/CentOS 5 does not work with non local user accounts. While this is not yet fixed, use the sudo rpm package for Fedora 8.

• Has graphical tools to manage users, groups, and server configurations
• Supports Active Directory synchronization
• Supports multi-master replication
• Supports secure authentication and communication
• Supports LDAP version 3
• LDAP based update of schema, configurations, and access control information

This article describes how to install and use the 389 Directory Server.

How to install Linux

You can use either Red Hat Enterprise Linux 5 or CentOS 5. RHEL 5 can be purchased from Red Hat and comes with support. CentOS 5 on the other hand can be downloaded here.

1. How to install CentOS 5.

2. How to setup CentOS 5.

How to install and configure the 389 Directory Server

This section is about installing 389 Directory Server and using its graphical management tool.

1. How to setup the 389 Directory Server.

2. How to use the 389 Management Console.

3. How to configure 389 Directory Server plug-ins.

Synchronizing with Active Directory

This section describes how to synchronize with Active Directory. With this feature, you can reduce your Windows Server license requirements for your LDAP applications.

1. How to synchronize with Active Directory.

2. How to synchronize via SSL with Active Directory. This is needed to replicate password changes in 389 DS to Active Directory.

3. How to replicate Active Directory password changes to 389 Directory Server.

Active Directory synchronization is not yet perfect. Here are some issues you need to be aware of when synchronizing with 389 Directory Server with Active Directory.

Centralizing Information

The 389 Directory Server can be used to centralize your users, groups, hosts, services, etc.

How to use LDAP as a centralized users and authentication system

How to use LDAP as a Network Information System (NIS) replacement

Before starting, you need to setup Identity Management for UNIX. If you are using Windows Server prior to 2003 R2, you can use Services for Unix 3.5 which can be downloaded from here.

Setup and Configure LDAP User Information

It is recommended to an Active Directory enabled DNS server, this will ensure that the LDAP lookups and Kerberos authentication will work properly. Also, provide a user account dedicated for the LDAP authentication.

1. Click System, select Administration and click Authentication. This will launch the Authentication Configuration window.

2. Check Enable LDAP Support and click the Configure LDAP button.

3. Fill in the LDAP Search Base DN and LDAP Server fields. Click Ok when you are done.

4. Click the Options tab and check Local authorization is sufficient for local users and Create home directories on the first login. Click Ok when you are done.

4. Edit the file /etc/ldap.conf and add the following lines below.

binddn user account
bindpw password for binddn
nss_map_objectclass posixAccount User
nss_map_objectclass posixGroup Group
nss_map_attribute homeDirectory unixHomeDirectory

nss_map_attribute uid msSFU30Name
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell

If you are not using an Active Directory enabled DNS server, you need to add the line referrals no to make this work.

5. Type in getent passwd in a terminal window. You should see your Active Directory user accounts.

6. Type in getent group in a terminal window. You should see your Active Directory groups.

Setup and Configure Kerberos Authentication

The Kerberos network authentication protocol requires the clocks of the involved machines to be synchronized or at least the difference is less than 5 minutes.

1. Launch the Authentication Configuration window. Click the Authentication tab and check the Enable Kerberos Support. Next, click the Configure Kerberos button.

2. In the Kerberos Settings window, fill in the Realm, clear out KDC and Admin Servers and check the Use DNS to locate KDCs for realms. Realm is usually your domain name capitalized, capitalization is important. KDC is your Active Directory server. Click Ok when you’re done.

To make sure that your KDC can be automatically located, type in the command host -t any _kerberos._tcp.acme.local in a terminal window. Replace acme.local with your own realm. If it replies “_kerberos._tcp.acme.local has SRV record …” then it works. This should work if you are using an Active Directory enabled DNS server. Otherwise, you need to manually fill in the KDC field above. You can specify more than one KDC by separating each server with a comma or space.

3. Test Kerberos by typing in kinit username in a terminal window. If you need help in making sense of the kinit error messages, check out Test the Kerberos Authentication.

That’s it, you should now be able to login using Active Directory user accounts.

The version of sudo that comes with RHEL/CentOS 5 does not work with non local user accounts. While this is not yet fixed, use the sudo rpm package for Fedora 8.

Make sure that your host name is properly registered in your DNS or /etc/hosts file. Check if your hostname is registered properly by executing

ping mail.acme.local

in a terminal window, replace mail.acme.local with your own host name. If it returns 127.0.0.1 or unknown host that means it is not registered properly.

Installing 389 Directory Server

1. Type in the command below to update your Red Hat Enterprise Linux 5 or CentOS 5 to version 5.3 or higher.

yum update

Version 5.3 and above is required to run the 389 Directory Server.

2. Install 389 Directory Server by typing in the commands below in a terminal window. This is the content of fedora-ds.repo.

cd /etc/yum.repos.d
wget www.linuxmail.info/files/fedora-ds.repo
yum install fedora-ds openldap-clients

3. Create a new user and group named fds. This account will be used to run the fds service. Learn how to create a new user.

4. Type in setup-ds-admin.pl in a terminal window to setup 389 Directory Server. Most of the time, the default is simply accepted indicated by the ↵ in the sample session below.

[root@mail ~]# setup-ds-admin.pl

==============================================================================
This program will set up the 389 Directory and Administration Servers.

It is recommended that you have "root" privilege to set up the software.
Tips for using this program:
  - Press "Enter" to choose the default and go to the next screen
  - Type "Control-B" then "Enter" to go back to the previous screen
  - Type "Control-C" to cancel the setup program

Would you like to continue with set up? [yes]: ↵

==============================================================================
BY SETTING UP AND USING THIS SOFTWARE YOU ARE CONSENTING TO BE BOUND BY
AND ARE BECOMING A PARTY TO THE AGREEMENT FOUND IN THE
LICENSE.TXT FILE. IF YOU DO NOT AGREE TO ALL OF THE TERMS
OF THIS AGREEMENT, PLEASE DO NOT SET UP OR USE THIS SOFTWARE.

Do you agree to the license terms? [no]: yes

==============================================================================
Your system has been scanned for potential problems, missing patches,
etc.  The following output is a report of the items found that need to
be addressed before running this software in a production
environment.

389 Directory Server system tuning analysis version 10-AUGUST-2007.



NOTICE : System is i686-unknown-linux2.6.18-53.el5 (1 processor).

WARNING: 376MB of physical memory is available on the system. 1024MB is recommended for best performance on large production system.

NOTICE : The net.ipv4.tcp_keepalive_time is set to 7200000 milliseconds
(120 minutes).  This may cause temporary server congestion from lost
client connections.

WARNING: There are only 1024 file descriptors (hard limit) available, which
limit the number of simultaneous connections.  

WARNING: There are only 1024 file descriptors (soft limit) available, which
limit the number of simultaneous connections.  

Would you like to continue? [no]: yes

==============================================================================
Choose a setup type:

   1. Express
       Allows you to quickly set up the servers using the most
       common options and pre-defined defaults. Useful for quick
       evaluation of the products.

   2. Typical
       Allows you to specify common defaults and options.

   3. Custom
       Allows you to specify more advanced options. This is 
       recommended for experienced server administrators only.

To accept the default shown in brackets, press the Enter key.

Choose a setup type [2]: ↵

==============================================================================
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: eros.example.com.

To accept the default shown in brackets, press the Enter key.

Computer name [mail.acme.local]: ↵

==============================================================================
The servers must run as a specific user in a specific group.
It is strongly recommended that this user should have no privileges
on the computer (i.e. a non-root user).  The setup procedure
will give this user/group some permissions in specific paths/files
to perform server-specific operations.

If you have not yet created a user and group for the servers,
create this user and group using your native operating
system utilities.

System User [nobody]: fds
System Group [nobody]: fds

==============================================================================
Server information is stored in the configuration directory server.
This information is used by the console and administration server to
configure and manage your servers.  If you have already set up a
configuration directory server, you should register any servers you
set up or create with the configuration server.  To do so, the
following information about the configuration server is required: the
fully qualified host name of the form
<hostname>.<domainname>(e.g. hostname.example.com), the port number
(default 389), the suffix, the DN and password of a user having
permission to write the configuration information, usually the
configuration directory administrator, and if you are using security
(TLS/SSL).  If you are using TLS/SSL, specify the TLS/SSL (LDAPS) port
number (default 636) instead of the regular LDAP port number, and
provide the CA certificate (in PEM/ASCII format).

If you do not yet have a configuration directory server, enter 'No' to
be prompted to set up one.

Do you want to register this software with an existing
configuration directory server? [no]: ↵

==============================================================================
Please enter the administrator ID for the configuration directory
server.  This is the ID typically used to log in to the console.  You
will also be prompted for the password.

Configuration directory server
administrator ID [admin]: ↵
Password: 
Password (confirm): 

==============================================================================
The information stored in the configuration directory server can be
separated into different Administration Domains.  If you are managing
multiple software releases at the same time, or managing information
about multiple domains, you may use the Administration Domain to keep
them separate.

If you are not using administrative domains, press Enter to select the
default.  Otherwise, enter some descriptive, unique name for the
administration domain, such as the name of the organization
responsible for managing the domain.

Administration Domain [acme.local]: ↵

==============================================================================
The standard directory server network port number is 389.  However, if
you are not logged as the superuser, or port 389 is in use, the
default value will be a random unused port number greater than 1024.
If you want to use port 389, make sure that you are logged in as the
superuser, that port 389 is not in use.

Directory server network port [389]: ↵

==============================================================================
Each instance of a directory server requires a unique identifier.
This identifier is used to name the various
instance specific files and directories in the file system,
as well as for other uses as a server instance identifier.

Directory server identifier [mail]: ↵

==============================================================================
The suffix is the root of your directory tree.  The suffix must be a valid DN.
It is recommended that you use the dc=domaincomponent suffix convention.
For example, if your domain is example.com,
you should use dc=example,dc=com for your suffix.
Setup will create this initial suffix for you,
but you may have more than one suffix.
Use the directory server utilities to create additional suffixes.

Suffix [dc=acme, dc=local]: ↵

==============================================================================
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and typically has a
bind Distinguished Name (DN) of cn=Directory Manager.
You will also be prompted for the password for this user.  The password must
be at least 8 characters long, and contain no spaces.

Directory Manager DN [cn=Directory Manager]: ↵
Password: 
Password (confirm): 

==============================================================================
The Administration Server is separate from any of your web or application
servers since it listens to a different port and access to it is
restricted.

Pick a port number between 1024 and 65535 to run your Administration
Server on. You should NOT use a port number which you plan to
run a web or application server on, rather, select a number which you
will remember and which will not be used for anything else.

Administration port [9830]: ↵

==============================================================================
The interactive phase is complete.  The script will now set up your
servers.  Enter No or go Back if you want to change something.

Are you ready to set up your servers? [yes]: ↵
Creating directory server . . .
Your new DS instance 'mail' was successfully created.
Creating the configuration directory server . . .
Beginning Admin Server creation . . .
Creating Admin Server files and directories . . .
Updating adm.conf . . .
Updating admpw . . .
Registering admin server with the configuration directory server . . .
Updating adm.conf with information from configuration directory server . . .
Updating the configuration for the httpd engine . . .
Starting admin server . . .
The admin server was successfully started.
Admin server was successfully created, configured, and started.
Exiting . . .
Log file is '/tmp/setupcT78dr.log'

[root@mail ~]# 

5. Setup the 389 Directory Server SSL by executing the commands below in a terminal window

wget http://github.com/richm/scripts/tree/master%2Fsetupssl2.sh?raw=true -O setupssl2.sh
chmod +x setupssl2.sh
./setupssl2.sh /etc/dirsrv/slapd-mail

6. Restart the dirsrv, dirsrv-admin and httpd service. Learn how to stop and start services here.

Administering 389 Directory Server

1. From a terminal window, type in 389-console. This will launch the 389 Management Console Login window.

 

User ID

cn=directory manager

Password

the directory manager password

Administration URL

localhost:9830

 

The values above assumes you have used the default values.

2. Success. Learn more about using the 389 Management Console.

Related Pages

Active Directory/LDAP virtual users in Postfix and Dovecot

Active Directory and Fedora Directory Server Sychronization Howto

This article will show you how to install the Certificate Services in Windows 2003 to enable LDAP SSL in Active Directory.

Before beginning, make sure the Internet Information Server (IIS) is installed in your server.

Installing the Certificate Services

1. Click Start, select Control Panel and click Add or Remove Programs.

2. In the Add or Remove Programs window, click Add/Remove Windows Components, check the Certificate Services and click Next.

3. Click Next in the CA Type page.

4. Fill up the Common name for this CA and click Next.

5. Click Next in the Certificate Database Settings page.

6. The Certificate Services will now be installed.

7. Click Finish and restart your server.

Configuring Automatic Certificate Request for Domain Controllers

1. Click Start, select Administrative Tools and click Domain Controller Security Policy.

2. In the Default Domain Controller Security Settings window, click the Public Key Policies folder.

3. Right click Automatic Certificate Request Settings, select New and click Automatic Certificate Request.

4. Click Next in the Automatic Certificate Request Setup Wizard.

5. Select Domain Controller in the Certificate Template page and click Next.

6. Click Finish and reboot your server.

7. Check if automatic certificate request worked by using the Certificate Authority app located in Start > Administrative Tools. Check the Issued Certificates folder if your server is there.

Related Pages

How to Export an SSL Certificate in Windows Server 2003.

Installing OpenLDAP

The command line equivalent of the steps below is yum install openldap-servers openldap-clients.

1. Click Applications then click Add/Remove Software. This will launch the Package Manager window.

2. Click the Search tab. Next type in openldap and click the Search button.

3. Select the latest version of openldap-servers and openldap-clients then click Apply. Next click on Continue until it proceeds with the installation.

4. After installation, click Ok. You now have successfully installed the OpenLDAP servers and clients.

Configuring OpenLDAP

The example below uses acme.local as the base domain.

1. Edit the file /etc/openldap/slapd.conf.

suffix "dc=acme,dc=local"
rootdn "cn=manager,dc=acme,dc=local"
rootpw password

To avoid storing the password in plain-text, convert the password to a hash by using the command slappasswd -s password and paste the resulting hash into the file.

2. Copy the file /etc/openldap/DB_CONFIG.example and put it into /var/lib/ldap as DB_CONFIG.

3. Start the ldap service. Learn how to start services here.

4. Create a file named base.ldif containing the lines below and save it into your home directory.

dn: dc=acme,dc=local
dc: acme
objectClass: domain

5. Import base.ldif into your directory using the command below.

ldapadd -x -D "cn=manager,dc=acme,dc=local" -w password -f ~/base.ldif

Replace password with the root password you specified in slapd.conf.

To populate your directory, create a file similar to the one below and import it using ldapadd or better yet, use a GUI tool like JXplorer, a Java based LDAP browser.

dn: ou=People,dc=acme,dc=local
ou: People
objectClass: organizationalUnit

dn: uid=bugsbunny,ou=People,dc=acme,dc=local
uid: bugsbunny
cn: Bugs Bunny
displayName: Bugs Bunny
givenName: Bugs
sn: Bunny
objectClass: inetOrgPerson
userPassword: password
mail: bugsbunny@acme.local

The displayName attribute is required for Outlook addressbook users.

Related Pages

Active Directory/LDAP virtual users in Postfix and Dovecot.