Setup 389 Directory Server on CentOS 6 (with TLS/SSL/SSSD)

To setup 389 server, we first setup the hostname and domain.

Edit file /etc/sysconfig/network,

# vi /etc/sysconfig/network

HOSTNAME=r65-1

Edit file /etc/hosts/,

# vi /etc/hosts

Add your hostname as shown below.

192.168.1.1   r65-1.local r65-1

To open ports for iptables

vi /etc/sysconfig/iptables

Add the following lines.

-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9830 -j ACCEPT

Restart firewall.

# service iptables restart

Performance and Security tuning for LDAP server Open “/etc/sysctl.conf” file and add the lines.

# vi /etc/sysctl.conf 
net.ipv4.tcp_keepalive_time = 300
net.ipv4.ip_local_port_range = 1024 65000
fs.file-max = 64000

# sysctl -p

Open “/etc/security/limits.conf” and these lines as shown below

# vi /etc/security/limits.conf 
*               soft     nofile          8192   
*               hard     nofile          8192

Open “/etc/profile” file and add the lines

# vi /etc/profile
ulimit -n 8192

Add the lines at “/etc/pam.d/system-auth” file.

# vi /etc/pam.d/system-auth
session    required     pam_limits.so

Disable selinux

# setenforce 0
# vi /etc/selinux/config

SELINUX=disabled

Reboot the server

Setup EPEL repository

# wget http://mirror.nus.edu.sg/Fedora/epel/6/i386/epel-release-6-8.noarch.rpm

# rpm -ivh epel-release-6-8.noarch.rpm

Now install 389 directory server using command:

# yum install sssd httpd
# chkconfig sssd on
# chkconfig httpd on
# service httpd restart
# authconfig --enablesssd --enablesssdauth --enablelocauthorize --update
# yum install 389-ds

After download, lets do a reboot

# reboot

Configure LDAP server

# setup-ds-admin.pl

==============================================================================
This program will set up the 389 Directory and Administration Servers.


It is recommended that you have "root" privilege to set up the software.
Tips for using this program:
  - Press "Enter" to choose the default and go to the next screen
  - Type "Control-B" then "Enter" to go back to the previous screen
  - Type "Control-C" to cancel the setup program

Would you like to continue with set up? [yes]: ## Press Enter ##

==============================================================================
Your system has been scanned for potential problems, missing patches,
etc.  The following output is a report of the items found that need to
be addressed before running this software in a production
environment.

389 Directory Server system tuning analysis version 23-FEBRUARY-2012.

NOTICE : System is x86_64-unknown-linux3.11.10-301.x86_64 (2 processors).

NOTICE : The net.ipv4.tcp_keepalive_time is set to 7200000 milliseconds
(120 minutes).  This may cause temporary server congestion from lost
client connections.

WARNING: There are only 1024 file descriptors (soft limit) available, which
limit the number of simultaneous connections.

WARNING  : The warning messages above should be reviewed before proceeding.

Would you like to continue? [no]: yes  ## Type Yes and Press Enter ##

==============================================================================
Choose a setup type:

   1. Express
       Allows you to quickly set up the servers using the most
       common options and pre-defined defaults. Useful for quick
       evaluation of the products.

   2. Typical
       Allows you to specify common defaults and options.

   3. Custom
       Allows you to specify more advanced options. This is
       recommended for experienced server administrators only.

To accept the default shown in brackets, press the Enter key.

Choose a setup type [2]: ## Press Enter ##

==============================================================================
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: eros.example.com.

To accept the default shown in brackets, press the Enter key.

Warning: This step may take a few minutes if your DNS servers
can not be reached or if DNS is not configured correctly.  If
you would rather not wait, hit Ctrl-C and run this program again
with the following command line option to specify the hostname:

    General.FullMachineName=your.hostname.domain.name

Computer name [r65-1.local]: r65-1.local

==============================================================================
The servers must run as a specific user in a specific group.
It is strongly recommended that this user should have no privileges
on the computer (i.e. a non-root user).  The setup procedure
will give this user/group some permissions in specific paths/files
to perform server-specific operations.

If you have not yet created a user and group for the servers,
create this user and group using your native operating
system utilities.

System User [nobody]: ## Press Enter ##
System Group [nobody]: ## Press Enter ##

==============================================================================
Server information is stored in the configuration directory server.
This information is used by the console and administration server to
configure and manage your servers.  If you have already set up a
configuration directory server, you should register any servers you
set up or create with the configuration server.  To do so, the
following information about the configuration server is required: the
fully qualified host name of the form
<hostname>.<domainname>(e.g. hostname.example.com), the port number
(default 389), the suffix, the DN and password of a user having
permission to write the configuration information, usually the
configuration directory administrator, and if you are using security
(TLS/SSL).  If you are using TLS/SSL, specify the TLS/SSL (LDAPS) port
number (default 636) instead of the regular LDAP port number, and
provide the CA certificate (in PEM/ASCII format).

If you do not yet have a configuration directory server, enter 'No' to
be prompted to set up one.

Do you want to register this software with an existing
configuration directory server? [no]: ## Press Enter ##

==============================================================================
Please enter the administrator ID for the configuration directory
server.  This is the ID typically used to log in to the console.  You
will also be prompted for the password.

Configuration directory server
administrator ID [admin]: ## Press Enter ##
Password:
Password (confirm):

==============================================================================
The information stored in the configuration directory server can be
separated into different Administration Domains.  If you are managing
multiple software releases at the same time, or managing information
about multiple domains, you may use the Administration Domain to keep
them separate.

If you are not using administrative domains, press Enter to select the
default.  Otherwise, enter some descriptive, unique name for the
administration domain, such as the name of the organization
responsible for managing the domain.

Administration Domain [local]: ## Press Enter ##

==============================================================================
The standard directory server network port number is 389.  However, if
you are not logged as the superuser, or port 389 is in use, the
default value will be a random unused port number greater than 1024.
If you want to use port 389, make sure that you are logged in as the
superuser, that port 389 is not in use.

Directory server network port [389]: ## Press Enter ##

==============================================================================
Each instance of a directory server requires a unique identifier.
This identifier is used to name the various
instance specific files and directories in the file system,
as well as for other uses as a server instance identifier.

Directory server identifier [r65-1]: ## Press Enter ##

==============================================================================
The suffix is the root of your directory tree.  The suffix must be a valid DN.
It is recommended that you use the dc=domaincomponent suffix convention.
For example, if your domain is example.com,
you should use dc=example,dc=com for your suffix.
Setup will create this initial suffix for you,
but you may have more than one suffix.
Use the directory server utilities to create additional suffixes.

Suffix [dc=local]: dc=local

==============================================================================
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and typically has a
bind Distinguished Name (DN) of cn=Directory Manager.
You will also be prompted for the password for this user.  The password must
be at least 8 characters long, and contain no spaces.
Press Control-B or type the word "back", then Enter to back up and start over.

Directory Manager DN [cn=Directory Manager]: ## Press Enter ##
Password:
Password (confirm):

==============================================================================
The Administration Server is separate from any of your web or application
servers since it listens to a different port and access to it is
restricted.

Pick a port number between 1024 and 65535 to run your Administration
Server on. You should NOT use a port number which you plan to
run a web or application server on, rather, select a number which you
will remember and which will not be used for anything else.

Administration port [9830]: ## Press Enter ##
==============================================================================
The interactive phase is complete.  The script will now set up your
servers.  Enter No or go Back if you want to change something.

Are you ready to set up your servers? [yes]: ## Press Enter ##

Creating directory server . . .
Your new DS instance 'r65-1' was successfully created.
Creating the configuration directory server . . .
Beginning Admin Server creation . . .
Creating Admin Server files and directories . . .
Updating adm.conf . . .
Updating admpw . . .
Registering admin server with the configuration directory server . . .
Updating adm.conf with information from configuration directory server . . .
Updating the configuration for the httpd engine . . .
Starting admin server . . .
output: Starting dirsrv-admin:
output:                                                    [  OK  ]

The admin server was successfully started.
Admin server was successfully created, configured, and started.
Exiting . . .
Log file is '/tmp/setupxozWF8.log'

Make the LDAP server daemon to start automatically on every reboot.

# chkconfig dirsrv on
# chkconfig dirsrv-admin on
# chkconfig httpd on

# service dirsrv restart
# service dirsrv-admin restart
# service httpd restart

To test the setup

# ldapsearch -x -b "dc=local"

# extended LDIF
#
# LDAPv3
# base <dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# local
dn: dc=local
objectClass: top
objectClass: domain
dc: local

# Directory Administrators, local
dn: cn=Directory Administrators,dc=local
objectClass: top
objectClass: groupofuniquenames
cn: Directory Administrators
uniqueMember: cn=Directory Manager

# Groups, local
dn: ou=Groups,dc=local
objectClass: top
objectClass: organizationalunit
ou: Groups

# People, local
dn: ou=People,dc=local
objectClass: top
objectClass: organizationalunit
ou: People

# Special Users, local
dn: ou=Special Users,dc=local
objectClass: top
objectClass: organizationalUnit
ou: Special Users

description: Special Administrative Accounts

# Accounting Managers, Groups, local
dn: cn=Accounting Managers,ou=Groups,dc=local
objectClass: top
objectClass: groupOfUniqueNames
cn: Accounting Managers
ou: groups
description: People who can manage accounting entries
uniqueMember: cn=Directory Manager

# HR Managers, Groups, local
dn: cn=HR Managers,ou=Groups,dc=local
objectClass: top
objectClass: groupOfUniqueNames
cn: HR Managers
ou: groups
description: People who can manage HR entries
uniqueMember: cn=Directory Manager

# QA Managers, Groups, local
dn: cn=QA Managers,ou=Groups,dc=local
objectClass: top
objectClass: groupOfUniqueNames
cn: QA Managers
ou: groups
description: People who can manage QA entries
uniqueMember: cn=Directory Manager

# PD Managers, Groups, local
dn: cn=PD Managers,ou=Groups,dc=local
objectClass: top
objectClass: groupOfUniqueNames
cn: PD Managers
ou: groups
description: People who can manage engineer entries
uniqueMember: cn=Directory Manager

# search result
search: 2
result: 0 Success

# numResponses: 10
# numEntries: 9

To create user and group,goto server gui(eg gnome)

At gnome>application>terminal>

# 389-console

cn=Directory Manager
**directory manager password**
http://192.168.1.31:9830/

(or)

admin
**admin password**
http://192.168.1.31:9830/

local>r65-1.local>Server Group>Directory Server>Open
Directory>


(To create 1 user)
local>People>*right click*>New>User
enter person's information,userid,passwd
click on, enable posix user attributes,enter the attributes


(To create 1 group,link to above user)
local>Groups>*right click*>New>Group
enter group name,include above user as member,enable posix group attributes

close gui, exit 389-console

Creating Directory Server Certificates through the Command Line
Open the directory where the Directory Server certificate databases are stored.

cd /etc/dirsrv/slapd-*instance_name*

Make a backup copy of all of the filed in the directory as a precaution.

tar -cf /tmp/db-backup.tar *

Create a password file for the security token password.( PIN for Internal (Software) Token):

vi /tmp/pwdfile

secretpw

Create the key and certificate databases databases.

certutil -N -d . -f /tmp/pwdfile

Generate the self-signed CA certificate. certutil creates the required key pairs and the certificate. This certificate is used to generate the other server certificates and can be exported for use with other servers and clients.

certutil -S -n "CA certificate" -s "cn=My Org CA cert,dc=local" -2 -x -t "CT,," -m 1000 -v 120 -d . -k rsa -f /tmp/pwdfile

Generate the Directory Server client certificate. Take note,you must specify the resolvable FQDN, eg r65-1.local

certutil -S -n "Server-Cert" -s "cn=r65-1.local" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -k rsa -f /tmp/pwdfile

Export the CA certificate for use with other servers and clients. A client usually requires the CA certificate to validate the server certificate in an TLS/SSL connection. Use certutil to export the CA certificate in ASCII/PEM format:

certutil -d . -L -n "CA certificate" -a > cacert.asc

The way that the CA certificate is imported is different for every client. For example, certutil can import a CA certificate into another Directory Server certificate database:

cd /etc/dirsrv/slapd-otherserver
certutil -A -d . -n "CA certificate" -t "CT,," -a -i cacert.asc

Use pk12util to export other server certificates and keys created with certutil so that they can be used on a remote server.

pk12util -d . -o ldap1.p12 -n Server-Cert -w /tmp/pwdfile -k /tmp/pwdfile

The -w argument is the password used to encrypt the .p12 file for transport. The -k argument specifies the password for the key database containing the server certificate being exported to .p12. If the Directory Server will run with TLS/SSL enabled, then create a password file (pin.txt) for the server to use so it will not prompt you for a password every time it restarts. Configuring NSS Services to Use SSSD

# authconfig --enablesssd --update

The services map is not enabled by default when SSSD is enabled with authconfig. To include that map, open the nsswitch.conf file and add the sss module to the services map:

# vim /etc/nsswitch.conf
...
services: file sss

To configure the PAM service. Use authconfig to enable SSSD for system authentication.

# authconfig --update --enablesssd --enablesssdauth

Below is an example for SSSD config file:

 
vi /etc/sssd/sssd.conf

[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP
reconnection_retries = 3
sbus_timeout = 30

[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
filter_groups = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

[domain/LDAP]
cache_credentials = false
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://r65-1.local
ldap_search_base = dc=local
ldap_tls_cacert = /etc/dirsrv/slapd-r65-1/cacert.asc
debug_level = 9

Restart SSSD

chmod 600 /etc/sssd/sssd.conf
service sssd restart

To enable TLS/SSL,goto server gui(eg gnome)

At gnome>application>terminal>

# 389-console

cn=Directory Manager
**directory manager password**
http://192.168.1.31:9830/

(or)

admin
**admin password**
http://192.168.1.31:9830/

local>r65-1.local>Server Group>Directory Server>Open
Configuration>Encryption>
Enable SSL for this server
Use this cipher family:RSA internal(software) Server-Cert (save and exit)

Restart dirsrv

service dirsrv restart

It is possible to store the certificate password in a password file. By placing the certificate database password in a file, the server can be started from the Directory Server Console and also restarted automatically when running unattended. The password file must be in the same directory where the other key and certificate databases for Directory Server are stored. This is usually the main configuration directory, /etc/dirsrv/slapd-instance_name. The file should be named pin.txt. The PIN file should be owned by the Directory Server user and set to read-only by the Directory Server user, with no access to anyone other user (mode 0400).

vi /etc/dirsrv/slapd-*instance_name*/pin.txt

Internal (Software) Token:secretpw

chown nobody:nobody /etc/dirsrv/slapd-*instance_name*/pin.txt
chmod 400 /etc/dirsrv/slapd-*instance_name*/pin.txt
service dirsrv restart

Restart SSSD

service sssd restart

==> now you can login to server using the ldap user.

ssh userid@r65-1.local