Simplify LDAP with Fedora’s 389 Directory Server


If you’ve ever had to deal with LDAP, you know it is not an easy beast to master. In fact, the command line tools for LDAP alone would keep many users from even attempting to learn how to take advantage of this powerful tool. If you look, you’ll find several tools that make the job of managing LDAP data easier. One of the best is the 389 Directory Server for Fedora and Red Hat Enterprise Linux. 389 is extremely powerful and offers a simple to use GUI for all aspects of user, group, and server management.

Don’t be fooled, just because 389 Directory Server has been created as an enterprise-level tool, doesn’t mean that anyone with a smaller organization (or lesser needs) need not apply. 389 Directory Server can aid anyone in the management of their LDAP data — no matter the size. In this tutorial, you’ll learn how to master your LDAP data in a few simple steps using the 389 Directory Server.

Installation

The 389 Directory Server requires that Java be installed. For many, the installation of Java on Linux is a deal-breaker… but not this time. A single command will install the 389 Directory Server and all of its dependencies. Follow these steps and you will have 389 DS on your machine ready to go:

  1. Open up a terminal window.

  2. su to the root user (type su at the command line and enter your root user password).

  3. Issue the command yum install fedora-ds.

  4. Accept all dependencies.

  5. Sit back and watch the magic happen.

Believe it or not, that is all you need to do to get 389 Directory Server installed. And now that the installation is done, it’s time to configure the server.

Configuration

The configuration of 389 Directory Server isn’t terribly difficult. You do need to have some information on hand however. The information you will need is:

  • Fully qualified domain name of server.

  • Administration ID.

  • Administration domain.

  • Server port.

  • Directory server identifier.

  • Valid DN for your directory suffix.

Once you have that information you are ready to go. Note that, even if you are planning on having your LDAP server only visible to your internal LAN, you will still want to have a fully qualified domain name for your server. If this means you need to change the hostname of your LDAP server, then do so before you run the configuration script for 389 DS.

For my example I set all my machines to work with the name wallen.local. So I have on my internal LAN: ubuntu.wallen.local, fedora.wallen.local, mac.wallen.local, and variations on that same theme. My LDAP server is at fedora.wallen.local. Naturally, in order for each machine to see the LDAP server, I will need to map all machines to that server in their /etc/hosts file (or whatever version of a hosts file they use).

With all of your information in hand, go back to your terminal window and issue the command (as root) setup-ds-admin.pl and walk through the various setup screens. Once you are finished with the setup, you can then open up the 389 Directory Server GUI with the command 389-console.

Logging in and administering your data

When you issue the command to start the GUI you will be greeted by a login screen. You will have set your admin ID, password, admin URL, and port in the configuration process. Enter that information and click OK to enter the console.

Figure 1: 389 Directory Server main screen

The first screen you will see (shown in Figure 1) gives you a quick summary of your server in the right pane and a navigation tree in the left pane. If you expand that tree you will see the Server Group. If you expand that you will see the Administration Server and the Directory Server. Click on either of those to get a summary. If you double-click on either the Administration Server or Directory Server, a new window opens which allows you to administer that particular server. To really begin managing your LDAP data you want to double-click on the Directory Server to open up the Directory Server administration tool (see Figure 2).

Figure 2: Directory Server manager

NOTE: In this window you will want to click on the Directory tab to do the next bit of work.

In the Directory tab, if you right-click on any white space in this new window you will find a menu that allows you to create new objects.

You will probably want to create a new Organizational Unit first. To do this, first select the Directory of Administrators (in my example it would be wallen), right-click any blank space, and click New > Organizational Unit. In the resulting window you will need to give the Organizational Unit a name and an optional description, phone, fax, alias, and address. Once you have done that, click OK and the Organizational Unit will be created.

Now, let’s add a new Group to that Organizational Unit we just created. To do this right-click the new OU we just created and click New > Group. Now just give the Group a name, an optional description, and then click OK.

If you click on the Directory of Administrators (again, in my example wallen) in the left pane, you will see your new Organizational Unit in the right pane. If you then click on the new OU you created in the left pane you will see the new Group you created in the right pane. Now let’s add a user to our new group.

The process of adding a new user is nearly the same as adding a new group. Click on your new Organizational Unit in the left pane and then right-click the Group you want to add the user into. Click New > User and then fill out all of the information for this new user. Once you have filled out all of the necessary information, click OK and the user will be added.

Figure 3: POSIX Attributes

You can continue on to create as many Organizational Units, Groups, and Users as you want. You can also edit any of the information associated with any of those objects. Let’s say you want to add POSIX attributes to a user so they can authenticate from a Linux machine. Even this is simple using 389 Directory Server. To do this, navigate to that user so the user is displayed in the right pane. Right-click the user and select Properties. In this new window (see Figure 3) click on the POSIX User section, click the Enable check box, fill out the necessary information, and click OK when you are done. That user now has their POSIX attributes set.

How simple is that? Far simpler than using the command line for LDAP. Not convinced? Let me show you. Let’s say we want to add that same user, Olivia Dunham, using the ldapadd command. First we would create an LDIF file (say user.ldif) for the user with contents that looked similar to:

dn: cn=Olivia Dunham,ou=people,dc=wallen,dc=local
cn: Olivia Dunham
objectClass: person
sn: Dunham

Note: The above is just very basic information. Now, to actually add that user, the command:

ldapadd -x -D cn=admin,dc=wallen,dc=local -W -f user.ldif

would have to be run as root. Imagine having to do this for an entire company’s worth of data! And then having to make changes using the ldapmodify command would consume even more of your time and effort.
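To make the GUI-versus-LDIF comparison concrete, here is an added example (my own code, not from the article or the 389 DS project) that renders the LDIF an administrator would feed to ldapadd and ldapmodify to reproduce the console steps above: the Organizational Unit, the Group, and the user with POSIX attributes from the POSIX User tab. It keeps the article’s suffix dc=wallen,dc=local and its ou=people; the group name agents, the login odunham, the uid/gid numbers and the home directory are constructed values. It also includes a small LDIF parser and a pre-flight check for the attributes RFC 2307 requires on a posixAccount, plus one local-policy check that refuses uidNumber values in the system-account range, since a directory user with uidNumber 0 is root on every machine that authenticates against the server. When you do run ldapadd, the -W switch used in the article is the right choice: it prompts for the bind password instead of putting it on the command line where other local users can read it from the process list.

```python
"""Added example: build and sanity-check LDIF for 389 DS (not the project's code)."""
import base64
import re

BASE_DN = "dc=wallen,dc=local"          # suffix from the article
POSIX_ACCOUNT_MUST = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")  # RFC 2307


def ldif_value(attr, value):
    """Render 'attr: value'; use base64 ('attr:: ...') when the literal form would be
    misread: empty, leading ' ', ':' or '<', non-ASCII, non-printable, trailing space."""
    unsafe = (not value or value[0] in " :<" or not value.isascii()
              or not value.isprintable() or value != value.rstrip())
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def add_entry(dn, attrs):
    """Render one LDIF add record from (attribute, value) pairs, in order."""
    return "\n".join([f"dn: {dn}"] + [ldif_value(a, v) for a, v in attrs]) + "\n"


def organizational_unit(name, description=None):
    attrs = [("objectClass", "top"), ("objectClass", "organizationalUnit"), ("ou", name)]
    if description:
        attrs.append(("description", description))
    return add_entry(f"ou={name},{BASE_DN}", attrs)


def group(name, ou, member_dns=()):
    """A groupOfUniqueNames group whose members are referenced by DN."""
    attrs = [("objectClass", "top"), ("objectClass", "groupOfUniqueNames"), ("cn", name)]
    attrs += [("uniqueMember", dn) for dn in member_dns]
    return add_entry(f"cn={name},ou={ou},{BASE_DN}", attrs)


def posix_user(cn, sn, uid, uid_number, gid_number, ou, home=None, shell="/bin/bash"):
    """inetOrgPerson plus the auxiliary posixAccount class, i.e. what the POSIX User
    tab adds. No userPassword here: set it afterwards over a TLS connection (ldappasswd)
    rather than leaving a hash in a file on disk."""
    attrs = [("objectClass", "top"), ("objectClass", "person"),
             ("objectClass", "organizationalPerson"), ("objectClass", "inetOrgPerson"),
             ("objectClass", "posixAccount"),
             ("cn", cn), ("sn", sn), ("uid", uid),
             ("uidNumber", str(uid_number)), ("gidNumber", str(gid_number)),
             ("homeDirectory", home or f"/home/{uid}"), ("loginShell", shell)]
    return add_entry(f"cn={cn},ou={ou},{BASE_DN}", attrs)


def modify_replace(dn, changes):
    """Render an ldapmodify record that replaces each listed attribute's values."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for attr, value in changes:
        lines += [f"replace: {attr}", ldif_value(attr, value), "-"]
    return "\n".join(lines) + "\n"


def parse_ldif_entry(text):
    """Parse one LDIF record into {attr: [values]}: unfold continuation lines
    (leading space), skip comments, decode '::' base64 values."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            unfolded.append(raw)
    entry = {}
    for line in unfolded:
        m = re.match(r"^([A-Za-z][\w.-]*)(::?) ?(.*)$", line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        entry.setdefault(attr, []).append(value)
    return entry


def check_posix_account(entry):
    """Return a list of problems with a parsed posixAccount entry (empty means OK)."""
    problems = []
    if "posixAccount" not in entry.get("objectClass", []):
        problems.append("objectClass posixAccount missing")
    for attr in POSIX_ACCOUNT_MUST:
        if attr not in entry:
            problems.append(f"required attribute {attr} missing")
    for attr in ("uidNumber", "gidNumber"):
        for v in entry.get(attr, []):
            if not v.isdigit():
                problems.append(f"{attr} must be numeric, got {v!r}")
    # Constructed local policy: 0-999 is the range most distributions reserve for
    # system accounts; a directory user with uidNumber 0 would be root everywhere.
    for v in entry.get("uidNumber", []):
        if v.isdigit() and int(v) < 1000:
            problems.append(f"uidNumber {v} collides with the system account range")
    return problems


if __name__ == "__main__":
    user_dn = f"cn=Olivia Dunham,ou=people,{BASE_DN}"
    user = posix_user("Olivia Dunham", "Dunham", "odunham", 10001, 10001, "people")
    print(organizational_unit("people", "Staff accounts") + "\n" + user + "\n"
          + group("agents", "people", [user_dn]))   # save as add.ldif for ldapadd -W -f add.ldif
    print(modify_replace(user_dn, [("loginShell", "/bin/zsh")]))  # feed to ldapmodify -W -f
    print(check_posix_account(parse_ldif_entry(user)))            # [] when the entry is sound
```

The generated file is loaded with the same command the article shows (ldapadd -x -D cn=admin,dc=wallen,dc=local -W -f add.ldif), and the modify record with ldapmodify using the same bind options; running check_posix_account first catches the mistakes the console would otherwise reject only after a round trip to the server.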

Final thoughts

The 389 Directory Server makes the job of managing your LDAP data a task just about anyone can do. Of course, we have only scratched the surface of what this powerhouse of a tool can do. But now you should at least have it running and you should be able to easily manage your LDAP data. LDAP has been an elusive tool for many people for a long time. No longer is this the case with tools like the 389 Directory Server.