Use Fedora Directory Server For Manageable LDAP (Part 3)

By Carla Schroder | Aug 8, 2006
http://www.enterprisenetworkingplanet.com/netos/article.php/3625371/Use-Fedora-Directory-Server-For-Manageable-LDAP-Part-3.htm

Welcome to the final installment of our Fedora Directory Server series. Today we're going to cover starting and stopping the server, remote administration, creating a new root suffix, importing LDIF data and protecting data by putting it in read-only mode. It's a whirlwind crash course, so don your safety helmet and hang on.

Finding the Right Manuals
While the documentation for FDS is abundant and excellent, there are a few lingering pitfalls. The installation manual linked on the very front page of Fedora Directory Server leads to the Red Hat Directory Server installation manual. If you're running Fedora you need the Fedora installation manual. There are differences that will bite and cause hair loss. The biggest differences are:

  • With Fedora you need to install the httpd server separately
  • You must fetch and install the Sun JRE (Java Runtime Environment), and configure Fedora to use it

We did all this in part 2, but since it's a common source of troubles a little repetition seems a good thing.

You'll find the help docs installed at /opt/fedora-ds/manual. They're formatted for the "help" buttons in the Console, but you can also read them in a Web browser.

Version Numbering Fun
Another amusing quirk is the version numbering. You'll see references to "upgrading from 7.1 to 1.0.x." 7.1 is the oldest version, re-branded from Red Hat Directory Server 7.1. The current stable Fedora release is 1.0.2.

All these little glitches will get worked out; don't let them get in the way of using this fine directory server.

Starting and Stopping FDS
Currently FDS does not include an init script to start it automatically at boot. Future releases will probably include one. Meanwhile, you can either start it manually or write your own init script, which is easy as pie if you use the init script template that comes with Fedora at /usr/share/doc/initscript-[version]/sysvinitfiles. The template is part of the "initscripts" package, if you don't have it already.

It takes two commands to start up the server, then one command to start the administration console. You don't need to be root to run the console, and remember that "slapd-uberpc" will have your own servername:

# cd /opt/fedora-ds
[root@uberpc fedora-ds]# slapd-uberpc/start-slapd
[root@uberpc fedora-ds]# ./start-admin
[carla@uberpc fedora-ds]$ ./startconsole

Why are they in different directories? Because every LDAP server gets its own directory with its own set of administration commands; in this example, slapd-uberpc is the only one. The Console is the interface to the Administration Server, which bosses all of the directory servers in a Red Hat/Fedora network.
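As an added example (not from the article and not shipped with Fedora Directory Server), here is a minimal SysV-style init script of the kind the section above suggests writing. It walks every slapd-[servername] directory under /opt/fedora-ds and calls the per-instance start-slapd and stop-slapd, then start-admin for the Administration Server; the paths, the stop-admin script and the logs/pid file location are assumptions to check against your own install before copying this into /etc/init.d.

```shell
#!/bin/sh
# Added example, not part of the article or of Fedora Directory Server itself:
# a minimal SysV-style init script built on the layout the article describes.
# Assumptions (labelled): every instance lives in $FDS_HOME/slapd-<servername>/
# with its own start-slapd and stop-slapd; the Administration Server is driven
# by start-admin and stop-admin in $FDS_HOME; a running instance writes its
# process id to slapd-<servername>/logs/pid. Verify those paths before use.

FDS_HOME="${FDS_HOME:-/opt/fedora-ds}"

# Print every directory-server instance directory (slapd-*), one per line.
fds_instances() {
    for d in "$FDS_HOME"/slapd-*; do
        if [ -d "$d" ]; then echo "$d"; fi
    done
}

# Run one instance-level script (start-slapd or stop-slapd) in every instance.
# Keeps going past a failing instance so the others are still handled, but
# reports the failure in the exit status.
fds_each_instance() {
    script="$1"; rc=0
    for d in $(fds_instances); do
        if [ -x "$d/$script" ]; then
            "$d/$script" || rc=1
        else
            echo "$(basename "$d"): no executable $script" >&2
            rc=1
        fi
    done
    return $rc
}

fds_start() {
    fds_each_instance start-slapd || return 1
    if [ -x "$FDS_HOME/start-admin" ]; then "$FDS_HOME/start-admin"; fi
}

fds_stop() {
    # Admin server first, then the instances it manages.
    if [ -x "$FDS_HOME/stop-admin" ]; then "$FDS_HOME/stop-admin"; fi
    fds_each_instance stop-slapd
}

# LSB-style status: 0 if every instance has a live process, 3 otherwise.
fds_status() {
    rc=0
    for d in $(fds_instances); do
        name=$(basename "$d"); pidfile="$d/logs/pid"
        if [ -r "$pidfile" ] && kill -0 "$(cat "$pidfile")" 2>/dev/null; then
            echo "$name: running (pid $(cat "$pidfile"))"
        else
            echo "$name: stopped"
            rc=3
        fi
    done
    return $rc
}

case "${1:-}" in
    start)   fds_start ;;
    stop)    fds_stop ;;
    restart) fds_stop; fds_start ;;
    status)  fds_status ;;
    "")      ;;   # run without arguments: just define the functions
    *)       echo "Usage: $0 {start|stop|restart|status}" >&2 ;;
esac
```

The status target reads the pid file and checks the process with kill -0 rather than trusting that start-slapd succeeded, so a chkconfig-style boot can report an instance that died right after starting.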

Figure 1.
After you're logged in, select a server to look at, then click the "Open" button at the far right. You'll see a screen like Figure 1.

At the very bottom left of the Directory Server window is a tiny login button. Click this in case you forgot who you logged in as.

Remote Access
The Console itself cannot be run remotely. However, there is a Web-based form for adding or deleting entries and performing some server administration. By default the local subnet is allowed access; just enter http://servername:portnumber in any Web browser. And of course you can do command-line administration over SSH, just like any good Linux server.

Port Number Madness
If you forget what your admin server port number is, look in /opt/fedora-ds/admin-serv/config/adm.conf. The standard port for client access is 389. You may change these to anything you like in the Administration Server console.

Create New Suffix
The Express Installation is meant for testing, so it's quick and doesn't have many options. FDS comes with some example LDIF files to play with. You need a suffix of dc=example,dc=com to use the example files. Think of a suffix as the root of a database tree which may contain several databases, as this diagram shows:

            dc=example,dc=com
                    |
        +-----------+-----------+
        |           |           |
    ou=people   ou=groups   ou=assets

The databases can be anywhere; on the local server, or scattered all over the planet, so you have a lot of flexibility for organizing and presenting your data.

If you don't have an example.com root suffix already, it's easy as pie to create one. You must be logged in as the Directory Manager, which means entering "cn=Directory Manager" in the Console login.

Figure 2.
In the Directory Server console, go to the Configuration tab. Expand "Data" in the left pane, then right-click it and left-click "New Root Suffix," like Figure 2.

The new suffix must be "dc=example,dc=com", but the database name can be any name you want.

Import LDIF
Now you can populate your new database by importing an example LDIF file. Go to the Configuration tab, right-click the database name, and select "Initialize database." (Figure 3)

Figure 3.
Use this only on new, empty databases, because it overwrites the whole thing. The example LDIFs are in /opt/fedora-ds/slapd-[servername]/ldif/. The "reject" file must be in a directory that you have write access to; that is, whatever user originally ran ./startconsole.

Now go back to the Directory tab and copy the "server group" from the root suffix that was created when you installed FDS, like Figure 4 shows.

Add example.com to Admin Console

Figure 4.
The Administration Console, which is the screen that you see when you first log in, won't display your new root suffix until you add it. Go back to the Console, click "Console" on the upper left menu, and select "Create Administration Domain." Add your new root suffix, and voila! Figure 5 ensues.

Now you can administer your new root suffix just like the old one. Want to import new data to the example.com database without losing the old data? Open the Directory Server and click on "Import Databases." Check both "Add Only" and "Continue On Error," then select your import file. "Continue On Error" means it won't stop when it hits something that generates an error message, such as a duplicate entry or a syntax error.

Seeing Your Stuff
Go to the Directory tab of the Directory Server console and expand the entries in the left pane to see all your data. All of your data are viewable and editable from this page.

Read-Only Mode

Figure 5.
There are times when you'll want some data to be available, but not editable. Perhaps you are sharing data with a customer, or your users are cunning little monkeys who find ways to mess with your stuff. In the Directory Server Console, select the Configuration tab and expand Data in the left pane. Select the database you want to put in read-only mode, then go to the Database Settings tab in the right pane and check the "Database is read-only" checkbox, then Save.
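The following is an added example, written for this page rather than taken from the article or the FDS project, covering three things from the sections above: the dc=example,dc=com tree with its ou=people, ou=groups and ou=assets branches as an LDIF you can import, a pre-flight check that reports duplicate DNs in an LDIF file so you don't have to lean on "Continue On Error" to find out about them, and the ldapmodify input that flips a database to read-only from the command line instead of the Console checkbox. The backend configuration DN cn=[dbname],cn=ldbm database,cn=plugins,cn=config and the attribute nsslapd-readonly are assumptions drawn from the Directory Server configuration reference; confirm them in the manual under /opt/fedora-ds/manual before using them.

```shell
#!/bin/sh
# Added example (not from the article or Fedora Directory Server): build the
# dc=example,dc=com skeleton, pre-check an LDIF for duplicate DNs before an
# import, and generate the ldapmodify input that toggles a backend's
# read-only flag. Assumptions, labelled: the backend entry
# cn=<dbname>,cn=ldbm database,cn=plugins,cn=config and the attribute
# nsslapd-readonly come from the configuration reference; verify them locally.

# Emit the suffix entry plus the three organizational units from the diagram.
example_skeleton_ldif() {
    cat <<'EOF'
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example

dn: ou=people,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: ou=assets,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: assets
EOF
}

# Print every DN that appears more than once in an LDIF file. DNs are compared
# case-insensitively with whitespace after "dn:" ignored; base64 DNs ("dn::")
# are compared as written. Exit status 1 if duplicates exist, so a call can
# gate the import: ldif_duplicate_dns file.ldif && ldapadd ...
ldif_duplicate_dns() {
    awk '
        tolower($0) ~ /^dn:[ \t]*/ {
            dn = tolower($0); sub(/^dn:[ \t]*/, "", dn)
            if (dn in seen) { dup[dn] = 1 }
            seen[dn] = 1
        }
        END { n = 0; for (d in dup) { print d; n++ }; exit (n > 0) }
    ' "$1"
}

# ldapmodify input that sets (on) or clears (off) read-only mode on one
# backend. The database name is the one you chose when creating the suffix.
readonly_modify_ldif() {
    db="$1"; mode="$2"
    case "$mode" in
        on|off) ;;
        *) echo "mode must be 'on' or 'off', not '$mode'" >&2; return 1 ;;
    esac
    printf 'dn: cn=%s,cn=ldbm database,cn=plugins,cn=config\n' "$db"
    printf 'changetype: modify\nreplace: nsslapd-readonly\nnsslapd-readonly: %s\n' "$mode"
}
```

To apply the read-only change with the OpenLDAP client tools, bind as the Directory Manager and pipe the LDIF in: readonly_modify_ldif example on | ldapmodify -x -H ldap://localhost:389 -D "cn=Directory Manager" -W. Run the duplicate check first whenever you are about to use "Initialize database" or "Import Databases," since the Console's reject file only tells you about collisions after the import has already been attempted.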

Connecting Clients
The point of all this work is to provide a directory for client applications to use, whether it's Samba, Web servers, Active Directory, mail servers, whatever you need. Configuring client access depends entirely on the client; see the FDS Wiki for a good howto page for a number of applications.
