For those who seek help in different areas of software and hardware platform.

How To Set Up 389 Directory Server on CentOS/RHEL 8

The 389 Directory Server is an open-source enterprise-class LDAP server for Linux that can be deployed in less than an hour. This guide will help you to set up a 389 Directory Server on CentOS/RHEL 8.


You will need one (physical or virtual) machine installed with CentOS/RHEL 8 having root user privileges.

Configure SELinux

Login to your server with root user and make the following required changes to prepare your server for 389-ds installation.

First, edit /etc/selinux/config and change SELINUX=enforcing to SELINUX=disabled:
sudo vi /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.

Save and close the editor.

You should correct the timezone and set the appropriate hostname on your server with below command:
timedatectl set-timezone Asia/Karachi
hostnamectl set-hostname your_server_name.domain
Reboot your server to apply these changes.

Add EPEL Repository

You can add epel repository to your CentOS/RHEL 8 server using the following command:

Type below if you are on CentOS 8:
dnf -y install
dnf config-manager --set-enabled PowerTools

Type below if you are on RHEL 8:
dnf -y install
ARCH=$( /bin/arch )
subscription-manager repos --enable "codeready-builder-for-rhel-8-${ARCH}-rpms"

Install 389 Directory Server

There are two 389-ds streams available: stable and testing. Testing is a bleeding-edge development version. As its name implies, it is NOT supposed to be used in production. After a period of testing and bug fixing it becomes the next stable version.

Each stream has 3 profiles:

default - 389-ds-base and cockpit web ui
minimal - just 389-ds-base
legacy - same as default plus legacy Perl tools and scripts

Type below command to install 389-ds on your CentOS/RHEL 8:
dnf -y module install 389-directory-server:stable/default

Configure 389 Directory Server

dscreate interactive
You will see the following prompts:
Install Directory Server (interactive mode)
selinux is disabled, will not relabel ports or files.

Selinux support will be disabled, continue? [yes]:

Enter system's hostname [ldapsvr01]:

Enter the instance name [ldapsvr01]:

Enter port number [389]:

Create self-signed certificate database [yes]:

Enter secure port number [636]:

Enter Directory Manager DN [cn=Directory Manager]:

Enter the Directory Manager password:
Confirm the Directory Manager Password:

Enter the database suffix (or enter "none" to skip) [dc=ldapsvr01,dc=techsupport,dc=pk]:

Create sample entries in the suffix [no]: yes

Do you want to start the instance after the installation? [yes]:

Are you ready to install? [no]: yes
Starting installation...
Completed installation for ldapsvr01
Next, check the ldap instance name with below command:
dsctl --list
You will see the output similar to the following:
Confirm that slapd-ldapsvr instance is running with below command:
dsctl slapd-ldapsvr01 status
You will see the output similar to the following:
Instance "ldapsvr01" is running
You can also check your ldap instance status using the systemctl command:
systemctl status dirsrv@ldapsvr01.service
Next, start cockpit service with below command:
systemctl start cockpit.service
systemctl staus cockpit.service

Add Firewall Rules

firewall-cmd --permanent --add-port=389/tcp
firewall-cmd --permanent --add-port=636/tcp
firewall-cmd --permanent --add-port=9090/tcp
firewall-cmd --reload
Open up your preferred web browser and access the cockpit web interface by navigating to http://your_server_ip:9090.

Enter the user root and password you created for root to log in.

From here you can manage your 389 Directory Server.

Wrapping up

Congratulation, your 389 Directory Server is now ready to serve the purpose.


  1. Is this for real? In 2020, we are still recommending diabling SELinux?

  2. I thought the same thing.

    Disable it is only for lazy admin...

  3. Thank you for this howto!

  4. How would someone manager 60 LDAPS with 4 masters in one view?

  5. can you client side configuration

    1. What are you exactly looking for? What sort of client side configuration you need?

  6. I guess client to manage users, groups, GPO.. in WebUI
    I need that configuration too

  7. Please tell me how to authenticate a pc via ldap 389-ds


Comments with links will not be published.

Video Tutorials