389 Directory Server

Project WEB Page

The original web site is:
http://port389.org

This LDAP server emerged from the Netscape Directory Server and is still similar to the Sun/Oracle Directory Server. It has the same architecture and ACI concept and supports the same CoS and role concepts. The 389 Directory Server has a plugin API, so it is possible to extend the server's features.

Install

Make sure you subscribe to the unstable catalog, e.g. http://mirror.opencsw.org/opencsw/unstable/ (edit /etc/opt/csw/pkgutil.conf and check the variable mirror).

# pkgutil -i 389_ds_base
# pkgutil -i 389_dsgw (optional)
# pkgutil -i 389_admin
# pkgutil -i 389_console

You can also install the Mozilla LDAP CLI tools:

# pkgutil -i mozldap_tools

Disable the default CSW Apache2 instance:

# svcadm disable cswapache2
Used paths:

File or directory              CSW location                               FHDS location
Log files                      /var/opt/csw/log/dirsrv/slapd-instance     /var/log/dirsrv/slapd-instance
Configuration files            /etc/opt/csw/dirsrv/slapd-instance         /etc/dirsrv/slapd-instance
Instance directory             /opt/csw/lib/dirsrv/slapd-instance         /usr/lib/dirsrv/slapd-instance
Certificate and key databases  /etc/opt/csw/dirsrv/slapd-instance         /etc/dirsrv/slapd-instance
Database files                 /var/opt/csw/lib/dirsrv/slapd-instance     /var/lib/dirsrv/slapd-instance
Runtime files                  /var/opt/csw/lock/dirsrv/slapd-instance    /var/lock/dirsrv/slapd-instance
                               /var/opt/csw/run/dirsrv/slapd-instance     /var/run/dirsrv/slapd-instance
Init scripts                   svc:/network/dirsrv:default                /etc/rc.d/init.d/dirsrv
                               svc:/network/dirsrv-admin:default          /etc/rc.d/init.d/dirsrv-admin
Tools                          /opt/csw/bin                               /usr/bin
                               /opt/csw/sbin                              /usr/sbin

Since version 1.3 you have to use 64-bit!

Notes on Solaris sparse zones:

On sparse zones, at least the packages cas_initsmf, cas_migrate, cas_reserveconf, cas-pycompile, cas_postmsg and cas_usergroup have to be installed in the global zone.
Run in the global zone:

# pkgutil -i cswclassutils

If you do not like this, you can:

  • remove inherit-pkg-dir dir=/usr from the zone config, or
  • use pkgutil -i <pkgs> -x cas and ignore the pkgutil errors; after the install you have to set up SMF manually

Setup

# /opt/csw/bin/setup-ds-admin.pl

Be sure that you use the OpenCSW perl: set PATH=/opt/csw/bin:….

Answer the questions. For the server user and group you can change nobody to ldap. The CSW389-ds-base package has already added them.

This will create and start an administration server (Apache2) and an LDAP server.

Hints:

  • The Administration Server uses Apache2 in the worker model. Do not host other Apache instances in the prefork model on the same host.
  • In Solaris local zones, ignore the errors of dsktune about missing prtconf, adb and /etc/system. The hints of dsktune can be applied later.
  • getent hosts <your-ip> must return the FQDN; if it does not, put the FQDN first in your /etc/hosts.

Details of this process are described here:
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Installation_Guide/about-setup-ds-admin.pl.html

Service start with SMF

The packages install the SMF services network/dirsrv and network/dirsrv-admin, which are disabled on install. After setup you can enable these SMF services. But if you like to host more than one LDAP server instance, you should split the SMF services per instance so that each one is controlled separately.
Warning:
If you like to stop and start instances via 389_console, you must disable the SMF service dirsrv, because SMF would restart the service immediately every time you stop it via 389_console!

Setup LDAPS certificate DB

Create a certificate request:

certutil -d /etc/opt/csw/dirsrv/slapd-testcsw -R -s cn=testcsw.example.lan,O=example,c=DE -o /tmp/testcsw1.csr -g 2048 -a

If you have not already set up a private CA:

certutil -d /root/.cert -N
certutil -d /root/.cert -S -s "CN=private CA" -n ca-cert -x -t "CT,C,C" -v 120 -m 2014031301 -2

Sign with the private CA:

certutil -d /root/.cert/ -C -c ca-cert -i /tmp/testcsw1.csr -o /tmp/testcsw.crt -m 2014031302 -a

Add the signed certificate:

certutil -d /etc/opt/csw/dirsrv/slapd-testcsw -A -n server-cert -t u,u,u -i /tmp/testcsw.crt

Export the CA certificate:

certutil -d /root/.cert -L -n ca-cert -a > /tmp/ca.crt

Add the CA certificate:

certutil -d /etc/opt/csw/dirsrv/slapd-testcsw -A -n ca-cert -t C,, -i /tmp/ca.crt -a

Show the imported certificate:

certutil -d /etc/opt/csw/dirsrv/slapd-testcsw -L -n server-cert

For unattended startup of the server, the file /etc/opt/csw/dirsrv/slapd-testcsw/pin.txt is needed, containing the password of the NSS key database:

internal:ssldbpassword
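Because pin.txt holds the key database password in clear text, it should be readable only by the user ns-slapd runs as. The following check is an added example, not part of the original page; it assumes the instance directory /etc/opt/csw/dirsrv/slapd-testcsw and the server user ldap from the setup above.

```shell
#!/bin/sh
# Added example (not from the OpenCSW page): sanity-check the pin.txt used
# for unattended LDAPS startup. The file contains the NSS software-token
# ("internal") password in clear text, so it must be owned by the server
# user and must not be readable by group or other.

check_pin_file() {
    pin="$1"                  # path to pin.txt
    want_user="${2:-ldap}"    # user the ns-slapd instance runs as (assumed: ldap)

    [ -f "$pin" ] || { echo "missing: $pin" >&2; return 1; }

    # The token name must be "internal" (the NSS software token that
    # certutil -d <instance dir> writes to), followed by the password.
    if ! grep -q '^internal:.' "$pin"; then
        echo "no 'internal:<password>' line in $pin" >&2
        return 1
    fi

    # Permission bits for group and other (columns 5-10 of ls -l) must all be '-'.
    mode=$(ls -l "$pin" | cut -c5-10)
    case "$mode" in
        ------) ;;
        *) echo "$pin is accessible by group/other ($mode); chmod 600 it" >&2; return 1 ;;
    esac

    # ns-slapd drops privileges to the server user, so that user must own the file.
    owner=$(ls -l "$pin" | awk '{print $3}')
    if [ "$owner" != "$want_user" ]; then
        echo "$pin is owned by $owner, expected $want_user" >&2
        return 1
    fi
    return 0
}

# Usage: ./check_pin.sh /etc/opt/csw/dirsrv/slapd-testcsw/pin.txt ldap
[ "$#" -gt 0 ] && check_pin_file "$@"
```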

Run Console

# /opt/csw/bin/389-console

Connect with

Hint: 389-console is a Java Swing application, which needs JRE 1.6!

Documentation

http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/

Notes on Upgrade

Upgrades are done by pkgrm followed by pkgadd. Installed LDAP instances remain, because they live in separate directories outside the packages. The Administration Server is different: its config files in /etc/opt/csw/dirsrv/admin-serv are copied away on pkgrm via the preremove script. So they are not overwritten on pkgadd, but you must merge your config into the new files or set up the Administration Server again.
If there are changes in the schema, you can merge them into your instance from /etc/opt/csw/dirsrv/schema.
If there are changes in the feature set of the Directory Server, it is best to export the DIT to LDIF, recreate the instance after the upgrade and import the LDIF.

Troubleshooting

Trouble with the console

Get debug output with the option -D 9 (only 9 is a valid value, and the space is mandatory!):

$ 389-console -D 9

Trouble with setup-ds-admin.pl

Admin Server could not be started? It is possible that Apache2 is installed in both the worker and the prefork model and the link to the proper httpd binary is missing. Check that this link exists:

bash-3.00# ls -l /opt/csw/apache2/sbin/httpd
lrwxrwxrwx   1 root     root          12 Jan 31 14:36 /opt/csw/apache2/sbin/httpd -> httpd.worker

On problems you can get debug output with the option '--debug':

# /opt/csw/sbin/setup-ds-admin.pl --debug

Can't see local backups in ds-console

The admin server and the LDAP server should run as the same user, e.g. ldap, so that this user can also read the config files of the LDAP server:

ls -l /etc/opt/csw/dirsrv/admin-serv/

-rw-------   1 ldap     root         513 Mai  8 08:24 adm.conf
-rw-------   1 ldap     root          40 Apr 24 14:32 admpw
-rw-r--r--   1 root     bin         4051 Apr 29 12:16 admserv.conf
-rw-r--r--   1 root     bin         4051 Apr 29 09:37 admserv.conf.configured
drwxr-xr-x+  2 root     root           9 Apr 24 14:32 bakup
-rw-r--r--   1 ldap     root       65536 Apr 24 14:32 cert8.db
-rw-r--r--   1 root     bin         4515 Mai  8 08:18 console.conf
-rw-r--r--   1 root     bin         4498 Apr 29 09:37 console.conf.configured
-rw-r--r--   1 root     bin        26945 Mai  8 08:05 httpd.conf
-rw-r--r--   1 root     bin        26893 Apr 29 09:37 httpd.conf.configured
-rw-r--r--   1 ldap     root      131072 Apr 24 14:32 key3.db
-rw-------   1 ldap     root       13599 Mai  8 08:19 local.conf
-rw-r--r--   1 root     bin         4506 Apr 29 12:16 nss.conf
-rw-r--r--   1 root     bin         4506 Apr 29 09:37 nss.conf.configured
-rw-r--r--   1 ldap     root      131072 Apr 24 14:32 secmod.db

Need a core file?

httpd and ns-slapd are setuid processes, which need core file creation enabled on Solaris:

# coreadm -e proc-setid

To locate the core files easily, set the core file name pattern.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License