Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision | Next revision Both sides next revision | ||
project:ldap [2017/04/10 16:19] dron |
project:ldap [2017/04/10 16:39] dron |
||
---|---|---|---|
Line 1: | Line 1: | ||
====== Instalace 389 ldap serveru ====== | ====== Instalace 389 ldap serveru ====== | ||
+ | 389 ldap server je reinkarnace ldap serveru původně vyvíjeného jako Netscape directory server viz. [1]. | ||
+ | |||
+ | ===== Instalace ===== | ||
+ | Před vlastní instalací je potřeba provést pár přípravných kroků, především správně doplnit ''/etc/hosts'' soubor (v praxi samozřejmě i dns), aby správně fungoval minimálně lokální resolving. | ||
<code bash> | <code bash> | ||
nano /etc/hosts | nano /etc/hosts | ||
</code> | </code> | ||
+ | |||
+ | V našem případě se server jmenuje ldap a bude používat doménu labka.cz. | ||
<file> | <file> | ||
- | 1.2.3.4 ldap ldap.labka.cz ldap.labka.local | + | 1.2.3.4 ldap ldap.labka.cz |
</file> | </file> | ||
+ | |||
+ | Dále je vhodné provést úpravu a vyladění různých nastavení a limitů OS. | ||
<code bash> | <code bash> | ||
nano /etc/sysctl.conf | nano /etc/sysctl.conf | ||
</code> | </code> | ||
+ | |||
+ | TODO | ||
<code bash> | <code bash> | ||
nano /etc/security/limits.conf | nano /etc/security/limits.conf | ||
</code> | </code> | ||
+ | |||
+ | TODO | ||
<code bash> | <code bash> | ||
nano /etc/profile | nano /etc/profile | ||
</code> | </code> | ||
+ | |||
+ | TODO | ||
<code bash> | <code bash> | ||
nano /etc/pam.d/login | nano /etc/pam.d/login | ||
</code> | </code> | ||
+ | |||
+ | TODO | ||
+ | |||
+ | ...a restartovat. | ||
+ | |||
+ | V CentOS 7 nejsou balíčky serverové části, ale jsou v epel repozitáři. | ||
+ | |||
+ | <code bash> | ||
+ | yum install epel-release | ||
+ | </code> | ||
+ | |||
+ | Vlastní instalace | ||
<code bash> | <code bash> | ||
Line 30: | Line 56: | ||
e 389-ds-console 389-ds-base-libs | e 389-ds-console 389-ds-base-libs | ||
</code> | </code> | ||
+ | |||
+ | Spuštění instalačního průvodce. | ||
<code bash> | <code bash> | ||
setup-ds-admin.pl | setup-ds-admin.pl | ||
</code> | </code> | ||
+ | |||
+ | <file> | ||
+ | ============================================================================== | ||
+ | This program will set up the 389 Directory and Administration Servers. | ||
+ | |||
+ | It is recommended that you have "root" privilege to set up the software. | ||
+ | Tips for using this program: | ||
+ | - Press "Enter" to choose the default and go to the next screen | ||
+ | - Type "Control-B" then "Enter" to go back to the previous screen | ||
+ | - Type "Control-C" to cancel the setup program | ||
+ | |||
+ | Would you like to continue with set up? [yes]: | ||
+ | |||
+ | ============================================================================== | ||
+ | Your system has been scanned for potential problems, missing patches, | ||
+ | etc. The following output is a report of the items found that need to | ||
+ | be addressed before running this software in a production | ||
+ | environment. | ||
+ | |||
+ | 389 Directory Server system tuning analysis version 14-JULY-2016. | ||
+ | |||
+ | NOTICE : System is x86_64-unknown-linux3.10.0-514.10.2.el7.x86_64 (1 processor). | ||
+ | |||
+ | Would you like to continue? [yes]: | ||
+ | |||
+ | ============================================================================== | ||
+ | Choose a setup type: | ||
+ | |||
+ | 1. Express | ||
+ | Allows you to quickly set up the servers using the most | ||
+ | common options and pre-defined defaults. Useful for quick | ||
+ | evaluation of the products. | ||
+ | |||
+ | 2. Typical | ||
+ | Allows you to specify common defaults and options. | ||
+ | |||
+ | 3. Custom | ||
+ | Allows you to specify more advanced options. This is | ||
+ | recommended for experienced server administrators only. | ||
+ | |||
+ | To accept the default shown in brackets, press the Enter key. | ||
+ | |||
+ | Choose a setup type [2]: | ||
+ | |||
+ | ============================================================================== | ||
+ | Enter the fully qualified domain name of the computer | ||
+ | on which you're setting up server software. Using the form | ||
+ | <hostname>.<domainname> | ||
+ | Example: eros.example.com. | ||
+ | |||
+ | To accept the default shown in brackets, press the Enter key. | ||
+ | |||
+ | Warning: This step may take a few minutes if your DNS servers | ||
+ | can not be reached or if DNS is not configured correctly. If | ||
+ | you would rather not wait, hit Ctrl-C and run this program again | ||
+ | with the following command line option to specify the hostname: | ||
+ | |||
+ | General.FullMachineName=your.hostname.domain.name | ||
+ | |||
+ | Computer name [ldap.labka.cz]: | ||
+ | |||
+ | ============================================================================== | ||
+ | The servers must run as a specific user in a specific group. | ||
+ | It is strongly recommended that this user should have no privileges | ||
+ | on the computer (i.e. a non-root user). The setup procedure | ||
+ | will give this user/group some permissions in specific paths/files | ||
+ | to perform server-specific operations. | ||
+ | |||
+ | If you have not yet created a user and group for the servers, | ||
+ | create this user and group using your native operating | ||
+ | system utilities. | ||
+ | |||
+ | System User [dirsrv]: | ||
+ | System Group [dirsrv]: | ||
+ | |||
+ | ============================================================================== | ||
+ | Server information is stored in the configuration directory server. | ||
+ | This information is used by the console and administration server to | ||
+ | configure and manage your servers. If you have already set up a | ||
+ | configuration directory server, you should register any servers you | ||
+ | set up or create with the configuration server. To do so, the | ||
+ | following information about the configuration server is required: the | ||
+ | fully qualified host name of the form | ||
+ | <hostname>.<domainname>(e.g. hostname.example.com), the port number | ||
+ | (default 389), the suffix, the DN and password of a user having | ||
+ | permission to write the configuration information, usually the | ||
+ | configuration directory administrator, and if you are using security | ||
+ | (TLS/SSL). If you are using TLS/SSL, specify the TLS/SSL (LDAPS) port | ||
+ | number (default 636) instead of the regular LDAP port number, and | ||
+ | provide the CA certificate (in PEM/ASCII format). | ||
+ | |||
+ | If you do not yet have a configuration directory server, enter 'No' to | ||
+ | be prompted to set up one. | ||
+ | |||
+ | Do you want to register this software with an existing | ||
+ | configuration directory server? [no]: | ||
+ | |||
+ | ============================================================================== | ||
+ | Please enter the administrator ID for the configuration directory | ||
+ | server. This is the ID typically used to log in to the console. You | ||
+ | will also be prompted for the password. | ||
+ | |||
+ | Configuration directory server | ||
+ | administrator ID [admin]: | ||
+ | Password: | ||
+ | Password (confirm): | ||
+ | |||
+ | ============================================================================== | ||
+ | The information stored in the configuration directory server can be | ||
+ | separated into different Administration Domains. If you are managing | ||
+ | multiple software releases at the same time, or managing information | ||
+ | about multiple domains, you may use the Administration Domain to keep | ||
+ | them separate. | ||
+ | |||
+ | If you are not using administrative domains, press Enter to select the | ||
+ | default. Otherwise, enter some descriptive, unique name for the | ||
+ | administration domain, such as the name of the organization | ||
+ | responsible for managing the domain. | ||
+ | |||
+ | Administration Domain [labka.cz]: | ||
+ | |||
+ | ============================================================================== | ||
+ | The standard directory server network port number is 389. However, if | ||
+ | you are not logged as the superuser, or port 389 is in use, the | ||
+ | default value will be a random unused port number greater than 1024. | ||
+ | If you want to use port 389, make sure that you are logged in as the | ||
+ | superuser, that port 389 is not in use. | ||
+ | |||
+ | Directory server network port [389]: | ||
+ | |||
+ | ============================================================================== | ||
+ | Each instance of a directory server requires a unique identifier. | ||
+ | This identifier is used to name the various | ||
+ | instance specific files and directories in the file system, | ||
+ | as well as for other uses as a server instance identifier. | ||
+ | |||
+ | Directory server identifier [ldap]: | ||
+ | |||
+ | ============================================================================== | ||
+ | The suffix is the root of your directory tree. The suffix must be a valid DN. | ||
+ | It is recommended that you use the dc=domaincomponent suffix convention. | ||
+ | For example, if your domain is example.com, | ||
+ | you should use dc=example,dc=com for your suffix. | ||
+ | Setup will create this initial suffix for you, | ||
+ | but you may have more than one suffix. | ||
+ | Use the directory server utilities to create additional suffixes. | ||
+ | |||
+ | Suffix [dc=labka, dc=cz]: | ||
+ | |||
+ | ============================================================================== | ||
+ | Certain directory server operations require an administrative user. | ||
+ | This user is referred to as the Directory Manager and typically has a | ||
+ | bind Distinguished Name (DN) of cn=Directory Manager. | ||
+ | You will also be prompted for the password for this user. The password must | ||
+ | be at least 8 characters long, and contain no spaces. | ||
+ | Press Control-B or type the word "back", then Enter to back up and start over. | ||
+ | |||
+ | Directory Manager DN [cn=Directory Manager]: | ||
+ | Password: | ||
+ | Password (confirm): | ||
+ | |||
+ | ============================================================================== | ||
+ | The Administration Server is separate from any of your web or application | ||
+ | servers since it listens to a different port and access to it is | ||
+ | restricted. | ||
+ | |||
+ | Pick a port number between 1024 and 65535 to run your Administration | ||
+ | Server on. You should NOT use a port number which you plan to | ||
+ | run a web or application server on, rather, select a number which you | ||
+ | will remember and which will not be used for anything else. | ||
+ | |||
+ | Administration port [9830]: | ||
+ | |||
+ | ============================================================================== | ||
+ | The interactive phase is complete. The script will now set up your | ||
+ | servers. Enter No or go Back if you want to change something. | ||
+ | |||
+ | Are you ready to set up your servers? [yes]: | ||
+ | Creating directory server . . . | ||
+ | Your new DS instance 'ldap' was successfully created. | ||
+ | Creating the configuration directory server . . . | ||
+ | Beginning Admin Server creation . . . | ||
+ | Creating Admin Server files and directories . . . | ||
+ | Updating adm.conf . . . | ||
+ | Updating admpw . . . | ||
+ | Registering admin server with the configuration directory server . . . | ||
+ | Updating adm.conf with information from configuration directory server . . . | ||
+ | Updating the configuration for the httpd engine . . . | ||
+ | Starting admin server . . . | ||
+ | The admin server was successfully started. | ||
+ | Admin server was successfully created, configured, and started. | ||
+ | Exiting . . . | ||
+ | </file> | ||
+ | |||
+ | Po úspěšné instalaci server již běží, ale je potřeba ještě povolit spouštění i po restartu serveru. | ||
<code bash> | <code bash> | ||
Line 39: | Line 262: | ||
systemctl enable dirsrv@ldap | systemctl enable dirsrv@ldap | ||
</code> | </code> | ||
+ | |||
+ | A nastavit firewall. | ||
+ | |||
+ | <code bash> | ||
+ | firewall-cmd --zone=public --permanent --add-service=ldap | ||
+ | firewall-cmd --zone=public --permanent --add-port=9830/tcp | ||
+ | </code> | ||
+ | |||
===== Links ===== | ===== Links ===== | ||
- | * [[http://www.unixmen.com/install-and-configure-ldap-server-in-centos-7/]] | + | - [[https://cs.wikipedia.org/wiki/389_Directory_Server]] |
- | * [[http://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpassword.html]] | + | - [[http://www.unixmen.com/install-and-configure-ldap-server-in-centos-7/]] |
+ | - [[http://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpassword.html]] | ||