Project WEB Page
The original web site is:
http://port389.org
This LDAP server emerged from the Netscape Directory Server and is still similar to the Sun/Oracle Directory Server. It has the same architecture and ACI concept and supports the same CoS and role concepts. The 389 Directory Server has a plugin API, so it is possible to extend the server's features.
Install
Make sure you subscribe to the unstable catalog, e.g. http://mirror.opencsw.org/opencsw/unstable/ (edit /etc/opt/csw/pkgutil.conf and check the mirror variable).
# pkgutil -i 389_ds_base
# pkgutil -i 389_dsgw (optional)
# pkgutil -i 389_admin
# pkgutil -i 389_console
You can also install the Mozilla LDAP CLI tools:
# pkgutil -i mozldap_tools
Disable the default CSW Apache2 Instance
# svcadm disable cswapache2
File or directory | CSW Location | FHDS Location |
---|---|---|
Log files | /var/opt/csw/log/dirsrv/slapd-instance | /var/log/dirsrv/slapd-instance |
Configuration files | /etc/opt/csw/dirsrv/slapd-instance | /etc/dirsrv/slapd-instance |
Instance directory | /opt/csw/lib/dirsrv/slapd-instance | /usr/lib/dirsrv/slapd-instance |
Certificate and key databases | /etc/opt/csw/dirsrv/slapd-instance | /etc/dirsrv/slapd-instance |
Database files | /var/opt/csw/lib/dirsrv/slapd-instance | /var/lib/dirsrv/slapd-instance |
Runtime files | /var/opt/csw/lock/dirsrv/slapd-instance, /var/opt/csw/run/dirsrv/slapd-instance | /var/lock/dirsrv/slapd-instance, /var/run/dirsrv/slapd-instance |
Init scripts | svc:/network/dirsrv:default, svc:/network/dirsrv-admin:default | /etc/rc.d/init.d/dirsrv, /etc/rc.d/init.d/dirsrv-admin |
Tools | /opt/csw/bin, /opt/csw/sbin | /usr/bin, /usr/sbin |
Since version 1.3 you have to use the 64-bit version!
Notes on Solaris sparse zones:
In sparse zones, at least the packages cas_initsmf, cas_migrate, cas_reserveconf, cas-pycompile, cas_postmsg and cas_usergroup have to be installed in the global zone.
Run in the global zone:
# pkgutil -i cswclassutils
If you do not like this, you can:
- remove inherit-pkg-dir dir=/usr from the zone config, or
- use pkgutil -i <pkgs> -x cas and ignore the pkgutil errors; after the install you have to set up SMF manually
Setup
# /opt/csw/bin/setup-ds-admin.pl
Be sure that you use the OpenCSW perl: set PATH=/opt/csw/bin:….
Answer the questions. For the server user and group you can change nobody to ldap; the CSW389-ds-base package has already added them.
This will create and start an administration server (Apache2) and an LDAP server.
Hints:
- The Administration Server uses Apache2 with the worker MPM. Do not host other Apache instances with the prefork MPM on the same host.
- In Solaris local zones, ignore the dsktune errors about missing prtconf, adb and /etc/system. The dsktune hints can be applied later.
- getent hosts <your-ip> must return the FQDN; if it does not, put the FQDN first in your /etc/hosts
Details of this process are described here:
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Installation_Guide/about-setup-ds-admin.pl.html
Service start with SMF
The packages install the SMF services network/dirsrv and network/dirsrv-admin, which are disabled on install. After setup you can enable these SMF services. But if you want to host more than one LDAP server instance, you should split the SMF services per instance so that each can be controlled separately. Warning: if you want to stop and start instances via 389-console, you must disable the SMF service dirsrv, because SMF would otherwise restart the service immediately every time you stop it via 389-console!
Setup LDAPS certificate DB
Create a certificate request:
certutil -d /etc/opt/csw/dirsrv/slapd-testcsw -R -s cn=testcsw.example.lan,O=example,c=DE -o /tmp/testcsw1.csr -g 2048 -a
If you have not set up a private CA yet, create its certificate DB first:
certutil -d /root/.cert -N
certutil -d /root/.cert -S -s "CN=private CA" -n ca-cert -x -t "CT,C,C" -v 120 -m 2014031301 -2
Sign with the private CA
certutil -d /root/.cert/ -C -c ca-cert -i /tmp/testcsw1.csr -o /tmp/testcsw.crt -m 2014031302 -a
Add the signed certificate
certutil -d /etc/opt/csw/dirsrv/slapd-testcsw -A -n server-cert -t u,u,u -i /tmp/testcsw.crt
Export CA certificate
certutil -d /root/.cert -L -n ca-cert -a > /tmp/ca.crt
Add CA certificate
certutil -d /etc/opt/csw/dirsrv/slapd-testcsw -A -n ca-cert -t C,, -i /tmp/ca.crt -a
Show imported certificate
certutil -d /etc/opt/csw/dirsrv/slapd-testcsw -L -n server-cert
For unattended startup of the server the file /etc/opt/csw/dirsrv/slapd-testcsw/pin.txt is needed, containing the token name and the key database password:
internal:ssldbpassword
Since this file holds the password in clear text, keep it readable only by the server user.
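A small post-setup check for the certificate steps above, added here as an example (it is not part of the OpenCSW page or of 389 DS): it verifies from a certutil -L listing that server-cert carries u,u,u and ca-cert carries C,, and that pin.txt is owner-only and in token:password form. It assumes the nicknames and the instance path used above.

```shell
#!/bin/sh
# Added example, not from the OpenCSW page: sanity-check an instance's NSS
# certificate database and pin.txt after the certutil steps above. Assumes
# the nicknames server-cert / ca-cert and the pin file layout shown on the
# page. Run with a POSIX shell, e.g. /usr/xpg4/bin/sh or bash on Solaris.

# check_trust_flags NICK FLAGS: read a "certutil -L" listing on stdin and
# return 0 only if NICK is present with exactly the trust flags FLAGS.
check_trust_flags() {
    awk -v n="$1" -v w="$2" '
        $1 == n { found = 1; if ($NF == w) ok = 1 }
        END { exit (found && ok) ? 0 : 1 }'
}

# check_pin_file FILE: the pin file holds the key-database password in clear
# text, so it must exist, be readable only by its owner and contain exactly
# one "token:password" line. Returns 0 when all of that holds, 1 otherwise.
check_pin_file() {
    f=$1
    [ -f "$f" ] || { echo "$f: missing"; return 1; }
    perms=$(ls -ld "$f" | cut -c5-10)          # group and other permission bits
    [ "$perms" = "------" ] || { echo "$f: readable by group/others"; return 1; }
    [ "$(grep -c '' "$f")" -eq 1 ] || { echo "$f: expected exactly one line"; return 1; }
    grep -q '^[^:][^:]*:..*$' "$f" || { echo "$f: not in token:password form"; return 1; }
    return 0
}

# Driver, run as: sh check-ldaps-db.sh /etc/opt/csw/dirsrv/slapd-testcsw
if [ $# -eq 1 ] && [ -d "$1" ]; then
    db=$1; rc=0
    listing=$(certutil -d "$db" -L)
    echo "$listing" | check_trust_flags server-cert u,u,u ||
        { echo "server-cert missing or not u,u,u"; rc=1; }
    echo "$listing" | check_trust_flags ca-cert C,, ||
        { echo "ca-cert missing or not trusted for SSL (C,,)"; rc=1; }
    check_pin_file "$db/pin.txt" || rc=1
    [ $rc -eq 0 ] && echo "$db: certificate DB and pin file look sane"
    exit $rc
fi
```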
Run Console
#/opt/csw/bin/389-console
Connect with
- <administrator ID>, default: admin
- <adminpassword>
- http://<hostname>:<Administration port>, default: 9830
Hint: 389-console is a Java Swing application, which needs JRE 1.6!
Documentation
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/
Notes on Upgrade
Upgrades are done by pkgrm followed by pkgadd. Installed LDAP instances remain, as they live in separate directories outside the packages. The Administration Server is different: its config files in /etc/opt/csw/dirsrv/admin-serv are copied aside on pkgrm by the preremove script, so they are not overwritten on pkgadd, but you must merge the config into the new files or set up the Administration Server again.
If there are schema changes, you can merge them into your instance from /etc/opt/csw/dirsrv/schema.
If the feature set of the Directory Server has changed, it is best to export the DIT to LDIF, recreate the instance after the upgrade and import the LDIF.
Troubleshooting
Trouble with the console
Get debug output with the option -D 9 (only 9 is a valid value and the space is mandatory!):
$ 389-console -D 9
Trouble with setup-ds-admin.pl
Admin Server could not be started? It is possible that Apache2 is installed in both the worker and the prefork model and the link to the proper httpd binary is missing. Check that this link exists:
bash-3.00# ls -l /opt/csw/apache2/sbin/httpd
lrwxrwxrwx 1 root root 12 Jan 31 14:36 /opt/csw/apache2/sbin/httpd -> httpd.worker
On problems you can get debug output with the option '--debug':
# /opt/csw/sbin/setup-ds-admin.pl --debug
Can't see local backups in ds-console
The admin server and the LDAP server should run as the same user, e.g. ldap, so that this user can also read the config files of the LDAP server:
ls -l /etc/opt/csw/dirsrv/admin-serv/
-rw------- 1 ldap root 513 Mai 8 08:24 adm.conf
-rw------- 1 ldap root 40 Apr 24 14:32 admpw
-rw-r--r-- 1 root bin 4051 Apr 29 12:16 admserv.conf
-rw-r--r-- 1 root bin 4051 Apr 29 09:37 admserv.conf.configured
drwxr-xr-x+ 2 root root 9 Apr 24 14:32 bakup
-rw-r--r-- 1 ldap root 65536 Apr 24 14:32 cert8.db
-rw-r--r-- 1 root bin 4515 Mai 8 08:18 console.conf
-rw-r--r-- 1 root bin 4498 Apr 29 09:37 console.conf.configured
-rw-r--r-- 1 root bin 26945 Mai 8 08:05 httpd.conf
-rw-r--r-- 1 root bin 26893 Apr 29 09:37 httpd.conf.configured
-rw-r--r-- 1 ldap root 131072 Apr 24 14:32 key3.db
-rw------- 1 ldap root 13599 Mai 8 08:19 local.conf
-rw-r--r-- 1 root bin 4506 Apr 29 12:16 nss.conf
-rw-r--r-- 1 root bin 4506 Apr 29 09:37 nss.conf.configured
-rw-r--r-- 1 ldap root 131072 Apr 24 14:32 secmod.db
Need a core file?
httpd and ns-slapd are setuid processes which need core file creation enabled on Solaris:
# coreadm -e proc-setid
To locate the core files easily, set the core file name pattern.