Today, we shall look into an enterprise-class open source LDAP server, 389 Directory Server.
Basically, LDAP servers are used to store identities, groups and organization data. They can be used as a structured NoSQL server.
Here at LinuxAPT, as part of our Server Support Services, we regularly help customers to install LDAP Servers on their Linux Machine.
In this context, we shall look into how to install an LDAP server on CentOS 8 / RHEL 8.
389 Directory Server is free and open source software that supports multi-master replication and is used in many of the largest LDAP deployments in the world.
It is a high performance LDAP server that can handle thousands of operations per second, and hundreds of thousands of accounts at the same time without encountering any form of downtime.
i. It is an LDAPv3-compliant server.
ii. It is secure, with robust authentication and transport security (TLS and SASL).
iii. It has asynchronous multi-master replication, which provides fault tolerance and high write performance.
iv. Its reliability keeps the service online with zero downtime.
v. It also supports LDAP-based updates of schema, configuration and management, including Access Control Information (ACIs).
To get started, make sure the server prerequisites are in place: a physical or virtual machine running CentOS 8 on which you have root access.
Start by logging into your server as the root user and modify the SELinux configuration file "/etc/selinux/config", changing the value of "SELINUX" from "enforcing" to "disabled".
To edit this file, run the command below;
sudo vi /etc/selinux/config
The file will now look like this;
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
After making the change, save and exit the file.
You can also correct the timezone as well as the server hostname with the commands below;
timedatectl set-timezone Europe/Oslo
hostnamectl set-hostname your_server_name.domain
After this, reboot the server for the changes to take effect.
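The SELinux edit above is done by hand in vi. The following is an added example (not part of the original tutorial) that makes the same change from a script and reads the value back so you can confirm it before rebooting. The file path defaults to the one the tutorial edits; passing another path lets you try it on a copy first.

```shell
#!/bin/sh
# Read and change the SELINUX= setting in /etc/selinux/config from a script.
# Added example, not part of the original tutorial. FILE defaults to the path
# the tutorial edits; pass another path to try it on a copy first.

# selinux_mode [FILE]: print the configured mode (enforcing, permissive or disabled).
selinux_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "${1:-/etc/selinux/config}"
}

# set_selinux_mode MODE [FILE]: rewrite the SELINUX= line in place.
# Refuses values the kernel would not accept and fails if the line is missing,
# so a typo cannot leave the file in an unknown state.
set_selinux_mode() {
    mode="$1"
    file="${2:-/etc/selinux/config}"
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "set_selinux_mode: unknown mode '$mode'" >&2; return 1 ;;
    esac
    grep -q '^SELINUX=' "$file" || { echo "set_selinux_mode: no SELINUX= line in $file" >&2; return 1; }
    sed -i "s/^SELINUX=.*/SELINUX=$mode/" "$file"
}

# Usage on the server, as root (this is the change the tutorial makes by hand):
#   set_selinux_mode disabled && selinux_mode
```

Note that the file only describes the state SELinux will have after the next boot; `getenforce` shows the currently running mode, so it will still report the old mode until the reboot the tutorial performs.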
For an extensive tutorial on how to enable EPEL on CentOS, read the Complete guide on how to enable Epel repository on Linux.
To add the EPEL repository on CentOS/RHEL 8, use the commands for your distribution. On CentOS 8, install EPEL and enable the PowerTools repository:
dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
dnf config-manager --set-enabled PowerTools
On RHEL 8, install EPEL and enable the CodeReady Builder repository for your architecture:
dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
ARCH=$( /bin/arch )
subscription-manager repos --enable "codeready-builder-for-rhel-8-${ARCH}-rpms"
To install 389 Directory Server on CentOS/RHEL 8, run the following command;
dnf -y module install 389-directory-server:stable/default
Next, create a Directory Server instance by running the interactive installer;
dscreate interactive
Then answer the prompts one by one, as shown below;
Install Directory Server (interactive mode)
===========================================
selinux is disabled, will not relabel ports or files.
Selinux support will be disabled, continue? [yes]:
Enter system's hostname [ldap]: ldap.linuxapt.com
Enter the instance name [ldap]:
Enter port number [389]:
Create self-signed certificate database [yes]:
Enter secure port number [636]:
Enter Directory Manager DN [cn=Directory Manager]:
Enter the Directory Manager password:
Confirm the Directory Manager Password:
Enter the database suffix (or enter "none" to skip) [dc=ldap,dc=linuxapt,dc=com]:
Create sample entries in the suffix [no]: yes
Do you want to start the instance after the installation? [yes]:
Are you ready to install? [no]: yes
Starting installation...
Completed installation for ldap
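The interactive session above is fine for one server, but it cannot be repeated or automated. The following is an added example (not part of the original tutorial) that gives the same answers through an instance definition file and `dscreate from-file`. The INI keys are assumed to match the template that `dscreate create-template` prints on the 389-ds 1.4 module shipped with CentOS 8; compare against that template before relying on them. The values mirror the interactive answers: SELinux integration off (the tutorial disabled SELinux), a self-signed certificate, ports 389 and 636, the default Directory Manager DN and sample entries. The Directory Manager password is taken from the environment variable DM_PASSWORD (an assumed name) rather than typed on the command line.

```shell
#!/bin/sh
# Scripted equivalent of the `dscreate interactive` session in the tutorial.
# Added example, not part of the original tutorial. INI keys are assumed to
# follow the `dscreate create-template` output of 389-ds 1.4 on CentOS 8.

# write_dscreate_inf FQDN INSTANCE SUFFIX PASSWORD OUTFILE
# Writes the instance definition with mode 0600, since it holds the
# Directory Manager password in clear text.
write_dscreate_inf() {
    fqdn="$1"; instance="$2"; suffix="$3"; password="$4"; out="$5"
    : > "$out" && chmod 600 "$out" || return 1
    cat >> "$out" <<EOF
[general]
config_version = 2
full_machine_name = $fqdn
selinux = False

[slapd]
instance_name = $instance
root_dn = cn=Directory Manager
root_password = $password
port = 389
secure_port = 636
self_sign_cert = True

[backend-userroot]
suffix = $suffix
sample_entries = yes
EOF
}

# install_instance INF: run the installer, then remove the password-bearing
# file whether or not the install succeeded.
install_instance() {
    dscreate from-file "$1"
    rc=$?
    rm -f "$1"
    return $rc
}

# Entry point: only acts on a host that has dscreate and a password in
# DM_PASSWORD (assumed variable name; read from the environment rather than
# passed as an argument, so it does not show up in `ps` output).
if command -v dscreate >/dev/null 2>&1 && [ -n "$DM_PASSWORD" ]; then
    inf=$(mktemp /tmp/instance.inf.XXXXXX) || exit 1
    write_dscreate_inf "$(hostname -f)" ldap "dc=ldap,dc=linuxapt,dc=com" "$DM_PASSWORD" "$inf"
    install_instance "$inf"
fi
```

Run it as root on the server with `DM_PASSWORD='...' sh install-389.sh`; afterwards `dsctl --list` should show the same slapd-ldap instance the interactive run produced.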
To find the name of the LDAP instance, run the command below;
dsctl --list
You will see output like;
slapd-ldap
Now, to confirm that the slapd-ldap instance is running, run the command below;
dsctl slapd-ldap status
You should get a response such as;
Instance "ldap" is running
You can also check your ldap instance status using the systemctl command as shown below;
systemctl status dirsrv@ldap.service
Next, start the Cockpit service and check its status with the commands below;
systemctl start cockpit.service
systemctl status cockpit.service
Now run the following commands to open the firewall for the LDAP ports and the Cockpit port;
firewall-cmd --permanent --add-port=389/tcp
firewall-cmd --permanent --add-port=636/tcp
firewall-cmd --permanent --add-port=9090/tcp
firewall-cmd --reload
After this, you can open the Cockpit web interface in a browser using your server's IP address and port 9090, as shown below;
http://your_server_ip:9090
Log in with the username root and the password you set for the root account.
This will lead you to the 389 Directory Server Management portal.
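The status commands and firewall rules above are checked one at a time. The following is an added example (not part of the original tutorial) that puts the post-install checks into one script: is the instance running, are ports 389 and 636 actually bound, does firewalld allow 389, 636 and 9090, does the server answer an anonymous root DSE query, and which certificate is presented on the secure port. INSTANCE and LDAP_HOST are assumed variable names defaulting to the values shown in the tutorial; ldapsearch comes from the openldap-clients package and is only used if it is installed.

```shell
#!/bin/sh
# Post-install check for the instance created in the tutorial.
# Added example, not part of the original tutorial. INSTANCE and LDAP_HOST are
# assumed names that default to the tutorial's values.
INSTANCE="${INSTANCE:-slapd-ldap}"
LDAP_HOST="${LDAP_HOST:-ldap.linuxapt.com}"

# listening_ports: read `ss -ltn` output on stdin and print each bound TCP
# port once. The local address is column 4 and the port follows the last ':'
# ("*:389", "0.0.0.0:389" and "[::]:636" all work).
listening_ports() {
    awk 'NR > 1 { n = split($4, a, ":"); print a[n] }' | sort -u
}

# has_port PORT: succeed if PORT appears in the `ss -ltn` output on stdin.
has_port() {
    listening_ports | grep -qx "$1"
}

check_instance() {
    # 1. the instance reports itself as running
    dsctl "$INSTANCE" status || return 1
    # 2. both LDAP ports are really bound, not just configured
    for p in 389 636; do
        ss -ltn | has_port "$p" || { echo "FAIL: tcp/$p is not listening" >&2; return 1; }
    done
    # 3. the permanent firewall rules from the tutorial are active
    if command -v firewall-cmd >/dev/null 2>&1; then
        for p in 389 636 9090; do
            firewall-cmd --query-port="$p/tcp" >/dev/null \
                || echo "WARN: firewall does not allow tcp/$p" >&2
        done
    fi
    # 4. anonymous base search of the root DSE: proves the server answers LDAP
    if command -v ldapsearch >/dev/null 2>&1; then
        ldapsearch -x -H "ldap://$LDAP_HOST" -s base -b '' namingContexts || return 1
    fi
    # 5. subject and validity of the self-signed certificate served on 636
    openssl s_client -connect "$LDAP_HOST:636" -servername "$LDAP_HOST" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -dates
}

# Only run the live checks where the server tools exist (i.e. on the LDAP host).
if command -v dsctl >/dev/null 2>&1; then
    check_instance
fi
```

The certificate step is worth keeping: `dscreate` created a self-signed certificate, so clients will need to trust it (or it will need replacing with one from your CA) before they can use port 636 without certificate errors.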