Differences

This shows you the differences between two versions of the page.

project:ldap [2017/04/10 16:19]
dron
project:ldap [2017/04/10 16:39]
dron
Line 1: Line 1:
 ====== Instalace 389 ldap serveru ====== ====== Instalace 389 ldap serveru ======
  
 +389 ldap server je reinkarnace ldap serveru původně vyvíjeného jako Netscape directory server viz. [1].
 +
 +===== Instalace =====
 +Před vlastní instalací je potřeba provést pár přípravných kroků, především správně doplnit ''/​etc/​hosts''​ soubor (v praxi samozřejmě i dns), aby správně fungoval minimálně lokální resolving.
  
 <code bash> <code bash>
 nano /etc/hosts nano /etc/hosts
 </​code>​ </​code>​
 +
 +V našem případě se server jmenuje ldap a bude používat doménu labka.cz.
  
 <​file>​ <​file>​
-1.2.3.4 ldap ldap.labka.cz ​ldap.labka.local+1.2.3.4 ldap ldap.labka.cz
 </​file>​ </​file>​
 +
 +Dále je vhodné provést úpravu a vyladění různých nastavení a limitů OS.
  
 <code bash> <code bash>
 nano /​etc/​sysctl.conf nano /​etc/​sysctl.conf
 </​code>​ </​code>​
 +
 +TODO
  
 <code bash> <code bash>
 nano /​etc/​security/​limits.conf nano /​etc/​security/​limits.conf
 </​code>​ </​code>​
 +
 +TODO
  
 <code bash> <code bash>
 nano /​etc/​profile nano /​etc/​profile
 </​code>​ </​code>​
 +
 +TODO
  
 <code bash> <code bash>
 nano /​etc/​pam.d/​login ​ nano /​etc/​pam.d/​login ​
 </​code>​ </​code>​
 +
 +TODO
 +
 +...a restartovat.
 +
 +V CentOS 7 nejsou balíčky serverové části, ale jsou v epel repozitáři.
 +
 +<code bash>
 +yum install epel-release
 +</​code>​
 +
 +Vlastní instalace
  
 <code bash> <code bash>
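Review bot: the OS tuning steps in this hunk are empty. Each of /etc/sysctl.conf, /etc/security/limits.conf, /etc/profile and /etc/pam.d/login gets a nano command followed only by "TODO", and then "...a restartovat." tells the reader to reboot, so the page instructs people to open four security-sensitive files (pam.d/login in particular) with no guidance on what to change; either fill in the concrete settings (the setup wizard's "system tuning analysis" later reports what it expects) or drop these blocks until the values are written. Two smaller points: the new /etc/hosts line silently drops the ldap.labka.local alias, so anything still resolving the server by that name breaks, which deserves a sentence; and 1.2.3.4 should be marked as a placeholder to replace with the real address.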
Line 30: Line 56:
 e 389-ds-console 389-ds-base-libs e 389-ds-console 389-ds-base-libs
 </​code>​ </​code>​
 +
 +Spuštění instalačního průvodce.
  
 <code bash> <code bash>
 setup-ds-admin.pl setup-ds-admin.pl
 </​code>​ </​code>​
 +
 +<​file>​
 +==============================================================================
 +This program will set up the 389 Directory and Administration Servers.
 +
 +It is recommended that you have "​root"​ privilege to set up the software.
 +Tips for using this program:
 +  - Press "​Enter"​ to choose the default and go to the next screen
 +  - Type "​Control-B"​ then "​Enter"​ to go back to the previous screen
 +  - Type "​Control-C"​ to cancel the setup program
 +
 +Would you like to continue with set up? [yes]: ​
 +
 +==============================================================================
 +Your system has been scanned for potential problems, missing patches,
 +etc.  The following output is a report of the items found that need to
 +be addressed before running this software in a production
 +environment.
 +
 +389 Directory Server system tuning analysis version 14-JULY-2016.
 +
 +NOTICE : System is x86_64-unknown-linux3.10.0-514.10.2.el7.x86_64 (1 processor).
 +
 +Would you like to continue? [yes]: ​
 +
 +==============================================================================
 +Choose a setup type:
 +
 +   1. Express
 +       ​Allows you to quickly set up the servers using the most
 +       ​common options and pre-defined defaults. Useful for quick
 +       ​evaluation of the products.
 +
 +   2. Typical
 +       ​Allows you to specify common defaults and options.
 +
 +   3. Custom
 +       ​Allows you to specify more advanced options. This is 
 +       ​recommended for experienced server administrators only.
 +
 +To accept the default shown in brackets, press the Enter key.
 +
 +Choose a setup type [2]: 
 +
 +==============================================================================
 +Enter the fully qualified domain name of the computer
 +on which you're setting up server software. Using the form
 +<​hostname>​.<​domainname>​
 +Example: eros.example.com.
 +
 +To accept the default shown in brackets, press the Enter key.
 +
 +Warning: This step may take a few minutes if your DNS servers
 +can not be reached or if DNS is not configured correctly. ​ If
 +you would rather not wait, hit Ctrl-C and run this program again
 +with the following command line option to specify the hostname:
 +
 +    General.FullMachineName=your.hostname.domain.name
 +
 +Computer name [ldap.labka.cz]: ​
 +
 +==============================================================================
 +The servers must run as a specific user in a specific group.
 +It is strongly recommended that this user should have no privileges
 +on the computer (i.e. a non-root user). ​ The setup procedure
 +will give this user/group some permissions in specific paths/files
 +to perform server-specific operations.
 +
 +If you have not yet created a user and group for the servers,
 +create this user and group using your native operating
 +system utilities.
 +
 +System User [dirsrv]: ​
 +System Group [dirsrv]: ​
 +
 +==============================================================================
 +Server information is stored in the configuration directory server.
 +This information is used by the console and administration server to
 +configure and manage your servers. ​ If you have already set up a
 +configuration directory server, you should register any servers you
 +set up or create with the configuration server. ​ To do so, the
 +following information about the configuration server is required: the
 +fully qualified host name of the form
 +<​hostname>​.<​domainname>​(e.g. hostname.example.com),​ the port number
 +(default 389), the suffix, the DN and password of a user having
 +permission to write the configuration information,​ usually the
 +configuration directory administrator,​ and if you are using security
 +(TLS/​SSL). ​ If you are using TLS/SSL, specify the TLS/SSL (LDAPS) port
 +number (default 636) instead of the regular LDAP port number, and
 +provide the CA certificate (in PEM/ASCII format).
 +
 +If you do not yet have a configuration directory server, enter '​No'​ to
 +be prompted to set up one.
 +
 +Do you want to register this software with an existing
 +configuration directory server? [no]: 
 +
 +==============================================================================
 +Please enter the administrator ID for the configuration directory
 +server. ​ This is the ID typically used to log in to the console. ​ You
 +will also be prompted for the password.
 +
 +Configuration directory server
 +administrator ID [admin]: ​
 +Password: ​
 +Password (confirm): ​
 +
 +==============================================================================
 +The information stored in the configuration directory server can be
 +separated into different Administration Domains. ​ If you are managing
 +multiple software releases at the same time, or managing information
 +about multiple domains, you may use the Administration Domain to keep
 +them separate.
 +
 +If you are not using administrative domains, press Enter to select the
 +default. ​ Otherwise, enter some descriptive,​ unique name for the
 +administration domain, such as the name of the organization
 +responsible for managing the domain.
 +
 +Administration Domain [labka.cz]: ​
 +
 +==============================================================================
 +The standard directory server network port number is 389.  However, if
 +you are not logged as the superuser, or port 389 is in use, the
 +default value will be a random unused port number greater than 1024.
 +If you want to use port 389, make sure that you are logged in as the
 +superuser, that port 389 is not in use.
 +
 +Directory server network port [389]: ​
 +
 +==============================================================================
 +Each instance of a directory server requires a unique identifier.
 +This identifier is used to name the various
 +instance specific files and directories in the file system,
 +as well as for other uses as a server instance identifier.
 +
 +Directory server identifier [ldap]: ​
 +
 +==============================================================================
 +The suffix is the root of your directory tree.  The suffix must be a valid DN.
 +It is recommended that you use the dc=domaincomponent suffix convention.
 +For example, if your domain is example.com,​
 +you should use dc=example,​dc=com for your suffix.
 +Setup will create this initial suffix for you,
 +but you may have more than one suffix.
 +Use the directory server utilities to create additional suffixes.
 +
 +Suffix [dc=labka, dc=cz]: ​
 +
 +==============================================================================
 +Certain directory server operations require an administrative user.
 +This user is referred to as the Directory Manager and typically has a
 +bind Distinguished Name (DN) of cn=Directory Manager.
 +You will also be prompted for the password for this user.  The password must
 +be at least 8 characters long, and contain no spaces.
 +Press Control-B or type the word "​back",​ then Enter to back up and start over.
 +
 +Directory Manager DN [cn=Directory Manager]: ​
 +Password: ​
 +Password (confirm): ​
 +
 +==============================================================================
 +The Administration Server is separate from any of your web or application
 +servers since it listens to a different port and access to it is
 +restricted.
 +
 +Pick a port number between 1024 and 65535 to run your Administration
 +Server on. You should NOT use a port number which you plan to
 +run a web or application server on, rather, select a number which you
 +will remember and which will not be used for anything else.
 +
 +Administration port [9830]: ​
 +
 +==============================================================================
 +The interactive phase is complete. ​ The script will now set up your
 +servers. ​ Enter No or go Back if you want to change something.
 +
 +Are you ready to set up your servers? [yes]: ​
 +Creating directory server . . .
 +Your new DS instance '​ldap'​ was successfully created.
 +Creating the configuration directory server . . .
 +Beginning Admin Server creation . . .
 +Creating Admin Server files and directories . . .
 +Updating adm.conf . . .
 +Updating admpw . . .
 +Registering admin server with the configuration directory server . . .
 +Updating adm.conf with information from configuration directory server . . .
 +Updating the configuration for the httpd engine . . .
 +Starting admin server . . .
 +The admin server was successfully started.
 +Admin server was successfully created, configured, and started.
 +Exiting . . .
 +</​file>​
 +
 +Po úspěšné instalaci server již běží, ale je potřeba ještě povolit spouštění i po restartu serveru.
  
 <code bash> <code bash>
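Review bot: the wizard transcript accepts every default, which leaves the directory listening in plain text on port 389 with no TLS/LDAPS set up (the transcript only mentions TLS/SSL when describing registration with an existing configuration server), so the cn=Directory Manager and admin passwords entered here will be sent in the clear on every bind from a client until TLS is configured; the page should say this explicitly and either add a TLS step after the installation or point to where it will be covered. Related: the "at least 8 characters long, and contain no spaces" text is the wizard's minimum, not advice; since this is the directory's administrative account, the prose around the transcript should recommend a long random passphrase.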
Line 39: Line 262:
 systemctl enable dirsrv@ldap systemctl enable dirsrv@ldap
 </​code>​ </​code>​
 +
 +A nastavit firewall.
 +
 +<code bash>
 +firewall-cmd --zone=public --permanent --add-service=ldap
 +firewall-cmd --zone=public --permanent --add-port=9830/​tcp
 +</​code>​
 +
  
 ===== Links ===== ===== Links =====
-  ​[[http://​www.unixmen.com/​install-and-configure-ldap-server-in-centos-7/​]] +  ​- [[https://​cs.wikipedia.org/​wiki/​389_Directory_Server]] 
-  ​[[http://​directory.fedoraproject.org/​docs/​389ds/​howto/​howto-resetdirmgrpassword.html]]+  - [[http://​www.unixmen.com/​install-and-configure-ldap-server-in-centos-7/​]] 
 +  ​[[http://​directory.fedoraproject.org/​docs/​389ds/​howto/​howto-resetdirmgrpassword.html]]
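Review bot: the firewall block adds both rules with --permanent but never runs firewall-cmd --reload, so on a running host neither 389/tcp nor 9830/tcp is actually opened until firewalld is reloaded or restarted; add the reload (or repeat the commands without --permanent for the runtime set). Second, 9830/tcp is the Administration Server port the wizard just started; opening it in the public zone exposes the admin console to every network the host is reachable from, so consider a rich rule limited to the management hosts' addresses instead of --add-port. Third, the preceding step enables only dirsrv@ldap; the admin server the wizard started has no enable step, so after the reboot the page recommends, port 9830 will be open but nothing will be listening unless its own service unit (dirsrv-admin on EL7, to be verified on the target host) is enabled as well.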
  
  • project/ldap.txt
  • Last modified: 2017/05/03 09:05
  • by licho