Use Fedora Directory Server For Manageable LDAP (Part 2)
Red Hat's free software offspring boasts a fast, scalable LDAP server with plenty of documentation and easy ActiveDirectory integration
Last week we were introduced to LDAP in general and Fedora Directory Server in particular. Today we'll walk through a simple Fedora Directory Server installation to learn your way around FDS.
FDS is not a substitute for understanding LDAP fundamentals. You still have to know what you're doing. FDS just makes it easier.
Despite the voluminous mounds of documentation, or perhaps because of it, there are a few vital installation steps to take that you might miss on first reading. Red Hat's online manuals link to all kinds of Fedora Directory Server documentation. The important ones are the installation, deployment and administration guides. But we don't really want to wade through all that now, do we? Let's get our hands dirty first on a nice test system where we don't care how messed up it gets.
Prerequisites and Java Madness
You'll need an http server installed and a Sun Java Runtime Environment. Any others tend to not work right, especially whatever comes with Fedora, which horks up the incredibly unhelpful "GC Warning: Out of Memory! Returning NIL!" message when you try to start your FDS console.
Follow Sun's instructions for installing the JRE. After installation go to /etc/alternatives and change the soft link to your new Sun Java executable. For example, I installed it in /opt/java, then created the new soft link:
# cd /etc/alternatives
# ls -sf /opt/java/jre1.5.0_06/bin/java java
When you're finished with that foolishness, make sure your name resolution is working correctly, so that the dnsdomain command returns a domain name, hostname -a returns only the hostname, and hostname -f returns the fully-qualified domain name, like these examples:
# hostname -a
# hostname -f
Then create an unprivileged user and group for the server user, like this:
# useradd ldap
# passwd ldap
Don't use the "nobody" user. Everybody uses nobody, to the point that it's become a security risk. Services should run with their own unique users, not shared ones.
Fedora Directory Server can run on any Linux or Unix. The easy way is to run it on Red Hat or Fedora, or a Red Hat clone like CentOS. My test system runs 64-bit Fedora Core 4. (Why not FC5? Because the darned thing is unfriendly to multi-booting without tweakage, and I'm getting too old and grumpy to hassle with stupid stuff.) So for this I grabbed the RPM from the download page and installed it in the usual fashion:
# rpm -ivh fedora-ds-1.0.2-1.FC4.x86_64.opt.rpm
If you run into any missing dependencies, satisfy them with yum install [foo]. FDS will be installed into /opt/fedora-ds. After installation, run the configuration script:
The first thing it will do is run the dsktune script, which will analyze your system and complain about flaws:
Fedora Directory Server system tuning analysis version 04-APRIL-2005.
NOTICE : System is x86_64-unknown-linux2.6.11-1.1369_FC4 (1 processor).
WARNING: 1000MB of physical memory is available on the system. 1024MB is recommended for best performance on large production system.
NOTICE : The net.ipv4.tcp_keepalive_time is set to 7200000 milliseconds
(120 minutes). This may cause temporary server congestion from lost
WARNING: There are only 1024 file descriptors (hard limit) available, which
limit the number of simultaneous connections.
WARNING: There are only 1024 file descriptors (soft limit) available, which
limit the number of simultaneous connections.
None of these are show-stoppers, so ignore them and move on. Select the Express installation. Then accept the default hostname to use, providing it's a real hostname and not localhost:
Hostname to use (default: uberpc.alrac.net)
For the "server user" use the ldap user and group you just created. This is the user and group that the various FDS servers will run under:
Server user ID to use (default: nobody) ldap
Server group ID to use (default: nobody) ldap
For the next step, you'll invent a new user and not use a Linux system user. In this example I create the "cdadmin" user:
Fedora configuration directory server
administrator ID [admin]:cdadmin
For the next step just use the default. This is the all-powerful root user for FDS. The Directory Manager must not be a user that exists in any existing LDAP directory:
Directory Manager DN [cn=Directory Manager]:
The next thing you'll see is "[slapd-uberpc]: starting up server ..." followed by several more lines out of output, ending with
You can now use the console. Here is the command to use to start the console:
./startconsole -u fdsadmin -a http://uberpc.alrac.net:52710/
You'll see something like Figure 1.
(Click for a larger image)
There are a number of ways to create a new directory: start from scratch, import an existing database from an LDIF file, or enter new users one by one using the form at the "Directory Server Gateway" page. Next week we'll learn more about setting up the actual user database. Meanwhile, do feel free to study the hundreds of pages of documentation listed in Resources and play around with your new Fedora Directory console.