An authentication naming service is one of those things you tend to put off until you really need it – until your user population hits critical mass. It may seem like a big job at first, but it doesn’t need to be, and the results are worth it.
In selecting an authentication service, I’ve gone with LDAP. It’s big and extensible and can handle any kind of data. So LDAP it is. I’m going to put it everywhere and get everything to use it – Cisco, SSH, TRAC, SVN. I’ll be using 389 Directory Server, formerly known as Fedora Directory Server.
Before I start with any new system, I like to know where all the parts of the machine are. Things rarely work the first time, and I feel better knowing where to debug.
The moving parts of LDAP 389 Directory Server
These are found in the Fedora extras repository.
# yum install centos-ds
which will install the dependencies:
The key configuration files that will be created by the installation process, and edited later, are:
These configuration files are relevant on clients which authenticate against our LDAP server.
(You probably don’t need to ever be in here)
- LDAP: 389
- LDAPS: 636
- LDAP Admin GUI: 9830
Installation & Setup
The installation procedure is all here – http://directory.fedoraproject.org/wiki/FDS_Setup – but my abbreviated experience follows.
Install packages and dependencies:
# yum install centos-ds
With all dependencies, my installation downloaded about 75 MB. There are a few prerequisite kernel parameters that are nice-to-have, and the setup script later will mention it so:
# echo 300 > /proc/sys/net/ipv4/tcp_keepalive_time
# ulimit -n 8192
# echo "* soft nofile 8192" >> /etc/security/limits.conf
# echo "* hard nofile 8192" >> /etc/security/limits.conf
# echo "ulimit -n 8192" >> /etc/profile
Next, the setup script. There are lot of options you can run it with, but since you’re probably only doing this once, run it interactively – with no arguments:
Most of the answers are “yes”, then select “2” for a Typical installation.
When prompted for the server name, ensure you type the fully qualified domain name. If you’re going to secure LDAP later with certificates, this is especially important, but frankly, it’s just a little sloppy not to.
The next few questions are just regarding system user accounts, and passwords, “nobody” is fine and pick a tough password for the admin password.
The other questions are fairly straightforward. The Directory Server Identifier is probably best set to the FQDN, to make things less confusing.
When prompted to enter the Suffix, the suggestions revolve around using the server domain, which is for the most part fine, but I find it easier to make it as simple as that, even if your domain isn’t. So if your server was 2ldap.internal.example.net”, I’d still set the Suffix to “dc=example,dc=com”. That way, you fit in with everybody else.
Set a good Directory Manager password, because you’ll be using this a lot, accept the defaults for the next question, and kick of the script setup with a “yes”.
It’s nice to have a single setup script. I’m getting too old and lazy to mess about with configuration files and too many man pages. If the script completes without errors, you’re done.
So if you bollocks it up completely, it’s nice to roll back to square one and start again. If you can’t revert to a snapshot or backup, then you can freshen things up like so:
# service dirsrv stop
# service dirsrv-admin stop
# yum remove centos-ds*
# rm -rf /var/lib/dirsrv/slapd- /etc/disrv/slapd-instance
Then, you should be OK to reinstall the packages and start again.
Once the setup script is completed, if you’re a novice to LDAP, the first question seems to be, “What now?” The query syntax takes some getting used to, and there’s a lot to absorb. The next post will explore how to set things up, and how to query the LDAP database. For now, the following command is a simple way to check things are working:
# ldapsearch -x -h -p 389 -s base -b "" "objectclass=*"
Matt Parsons is a freelance Linux specialist who has designed, built and supported Unix and Linux systems in the finance, telecommunications and media industries.
He lives and works in London.