Install, Configure 389 Directory Server (LDAP) on CentOS, RHEL 8

The 389 Directory Server is an open-source enterprise-class LDAP server for Linux that can be deployed in less than an hour. This guide will help you to set up a 389 Directory Server on CentOS, RHEL 8.

Prerequisites

You will need one (physical or virtual) machine installed with CentOS, or RHEL 8 having root or sudo non-root user privileges.

Disable SELinux

Login to your Linux server and make the following required changes in /etc/selinux/config file:
sudo vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
Save and close the editor.

You should set the correct timezone on your Linux system:
sudo timedatectl set-timezone Asia/Karachi
sudo hostnamectl set-hostname idp.techsupportpk.com
Reboot your server to apply these changes.

Add EPEL Repository

Type below command if you are on CentOS 8:
sudo dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
sudo dnf config-manager --set-enabled PowerTools

Type below command if you are on RHEL 8:
sudo dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
sudo ARCH=$( /bin/arch )
sudo subscription-manager repos --enable "codeready-builder-for-rhel-8-${ARCH}-rpms"

Install 389 Directory Server

There are two 389-ds streams available: stable and testing. Testing is a bleeding-edge development version. As its name implies, it is NOT supposed to be used in production. After a period of testing and bug fixing it becomes the next stable version.

Each stream has 3 profiles:

default - 389-ds-base and cockpit web ui
minimal - just 389-ds-base
legacy - same as default plus legacy Perl tools and scripts

Type below command to install 389-ds on your CentOS/RHEL 8:
sudo dnf -y module install 389-directory-server:stable/default

Configure 389 Directory Server

sudo dscreate interactive
You will see the following prompts:
Install Directory Server (interactive mode)
===========================================
selinux is disabled, will not relabel ports or files.

Selinux support will be disabled, continue? [yes]:

Enter system's hostname [localhost]: idp.techsupportpk.com

Enter the instance name [localhost]:idp

Enter port number [389]:

Create self-signed certificate database [yes]:

Enter secure port number [636]:

Enter Directory Manager DN [cn=Directory Manager]:

Enter the Directory Manager password:
Confirm the Directory Manager Password:

Enter the database suffix (or enter "none" to skip) [dc=idp,dc=techsupportpk,dc=com]:

Create sample entries in the suffix [no]: yes

Do you want to start the instance after the installation? [yes]:

Are you ready to install? [no]: yes
Starting installation...
Completed installation for idp
 
Verify ldap instance name with below command:
dsctl --list
 
You will see the output similar to the following:
slapd-idp
 
Check whether your ldap instance is running with below command:
dsctl slapd-idp status
 
You will see the output similar to the following:
Instance "idp" is running
 
You can also check your ldap instance status using the systemctl command:
systemctl status dirsrv@idp.service
 
Next, start cockpit service with below command:
systemctl start cockpit.service
systemctl status cockpit.service

Add Firewall Rules

firewall-cmd --permanent --add-port=389/tcp
firewall-cmd --permanent --add-port=636/tcp
firewall-cmd --permanent --add-port=9090/tcp
firewall-cmd --reload
 
Open up your preferred web browser and access the cockpit web interface by navigating to http://your_server_ip:9090.


Enter the username and password to Log In.


Navigate to 389 Directory Server to administer and manage your LDAP


The 389 Directory Server Development Team says that the old Java Console and Admin Server have been deprecated and there will no longer be a Java Console (389-console), Admin Express, or Directory Server Gateway starting in Fedora 31, RHEL 8, CentOS 8, and SUSE 15. 
 
So User & Group management needs to be done via the new CLI tools or via free products like Apache Directory Studio.
 

How To Install Apache Directory Studio

You can install Apache Directory Studio on your CentOS 8 or RHEL 8 using the below steps.
 
Install java:
sudo dnf -y install java-latest-openjdk libglvnd-glx
 
Verify java version:
java --version
 
Download Apache Directory Studio latest version from official source like below:
cd ~
wget https://downloads.apache.org/directory/studio/2.0.0.v20210213-M16/ApacheDirectoryStudio-2.0.0.v20210213-M16-linux.gtk.x86_64.tar.gz
 
Extract zip archive:
tar -xf ApacheDirectoryStudio-2.0.0.v20210213-M16-linux.gtk.x86_64.tar.gz
cd ApacheDirectoryStudio
 
You should have graphical display to run Apache Directory Studio:
./ApacheDirectoryStudio
 
You will see Apache Directory Studio starting up
 
Click LDAP, New Connection
 

Connection name: your_ldap_server_name
Hostname: your ldap server ip.
Port: 389
Encryption method: No encryption

Click Next

 

If you are using encrypted connection:


Keep Simple Authentication, enter Bind DN and Bind password as shown in screenshot below:

Click Finish

 
You will see your LDAP server connection as shown in screenshot below: 



Conclusion

Now that you have successfully deployed your 389 Directory Server, you can begin configuring your clients for central authentication.

10 comments:

  1. Is this for real? In 2020, we are still recommending diabling SELinux?

    ReplyDelete
  2. I thought the same thing.

    Disable it is only for lazy admin...

    ReplyDelete
  3. Thank you for this howto!

    ReplyDelete
  4. How would someone manager 60 LDAPS with 4 masters in one view?

    ReplyDelete
  5. can you client side configuration

    ReplyDelete
    Replies
    1. What are you exactly looking for? What sort of client side configuration you need?

      Delete
  6. I guess client to manage users, groups, GPO.. in WebUI
    I need that configuration too

    ReplyDelete
    Replies
    1. You can install and use 389 Management Console GUI either on LDAP server or on a client machine to manage your LDAP.

      Delete
  7. Please tell me how to authenticate a pc via ldap 389-ds

    ReplyDelete

Comments with links will not be published.

Powered by Blogger.