OLD VERSIONS

LDAP, the Lightweight Directory Access Protocol, is used as the base for our single sign-on (single source of authentication) solution. It allows us to create a centralized database that stores the data for the corporate directory. The protocol supports replication for redundancy and high availability. Secure connections over SSL/TLS are also supported.

In the future we expect to add Kerberos to the solution. Kerberos is a ticket-granting system that supports building a single sign-on solution. Even more interesting features are expected from the upcoming release of Samba 4; we'll definitely keep an eye on this piece of software. See http://us1.samba.org/samba/devel/roadmap-4.0.html for more information on Samba 4.

Fedora Directory server

The Fedora Directory Server (formerly the Netscape, iPlanet and Sun Directory Server), generously made open source by Red Hat, is at this moment chosen as the preferred LDAP server for our solution.

You'll find lots of information on the Fedora Directory Server at the project's wiki, http://directory.fedora.redhat.com/wiki/Main_Page.

Debian-3.1/Ubuntu-6.06

At this time there is no apt repository for the Fedora Directory Server software. Fortunately the rpms from the Fedora community site are perfectly usable.

Pre-installation

apt-get install apache2-mpm-worker
ln -s /usr/sbin/apache2 /usr/sbin/httpd

groupadd fds
useradd -d /opt/fedora-ds -s /bin/false -g fds fds

Install a Java Runtime Environment on the system. The jdk-1_5_0_02-linux-i586.bin package from Sun Microsystems is known to work.

Now some distro-specific steps and downloads. Download a prebuilt Fedora Directory Server rpm from the download page at http://directory.fedora.redhat.com/wiki/Download.

Choose the version suitable (explained below) for your server environment.

Debian

For Debian sarge download the prebuilt rpm for RHEL-3 (sarge has libc6 version 2.3.2).

apt-get install termcap-compat

Ubuntu

For Ubuntu dapper download the prebuilt rpm for Fedora Core 4 (dapper has libc6 version 2.3.6).

Download the packages below manually from the breezy repository at http://packages.ubuntu.com. The dapper repository doesn't have these, but the packages built for breezy seem to do just fine.

ldso_1.9.11-15_i386.deb
libc5_5.4.46-15_i386.deb
termcap-compat_1.2.3_i386.deb

In case you want to install on an x86_64 platform things seem worse at first, as there aren't any termcap-compat packages for Ubuntu (or Debian) at all!

However this procedure provides a workaround to install the Fedora Directory Server on Ubuntu Dapper Server x86_64:

  • Download termcap-5.4-4.noarch.rpm and libtermcap-2.0.8-41.x86_64.rpm from Fedora Core 4 (the x86_64 version!!!).
  • Convert the rpms to .deb using the 'alien' tool.
  • Install the newly obtained .deb packages using 'dpkg -i'.

Installation

Convert the fedora-ds rpm package to .deb using alien:

alien fedora-ds-1.0.x-x.XXX.i386.opt.rpm

Install the newly obtained .deb package:

dpkg -i fedora-ds_1.0.x-y_i386.deb

Create a resource-file (/opt/install.inf):

[General]
FullMachineName=   ldap.intra.example.com
SuiteSpotUserID=   fds
SuiteSpotGroup=   fds
ServerRoot=   /opt/fedora-ds
AdminDomain=   intra.example.com
ConfigDirectoryAdminID=   admin
ConfigDirectoryAdminPwd=   hannibal
ConfigDirectoryLdapURL=   ldap://ldap.intra.example.com:389/o=NetscapeRoot
UserDirectoryAdminID=   admin
UserDirectoryAdminPwd=   hannibal
UserDirectoryLdapURL=   ldap://ldap.intra.example.com:389/dc=intra,dc=example,dc=com

[slapd]
SlapdConfigForMC=   Yes
SecurityOn=   No
UseExistingMC=   No
UseExistingUG=   No
ServerPort=   389
ServerIdentifier=   ldap
Suffix=   dc=intra, dc=example, dc=com
RootDN=   cn=Directory Manager
AddSampleEntries=   No
InstallLdifFile=   suggest
AddOrgEntries=   Yes
DisableSchemaChecking=   No
RootDNPwd=   hannibal

[admin]
SysUser=   root
Port=   7777
ServerIpAddress=
ServerAdminID=   admin
ServerAdminPwd=   hannibal
ApacheDir=   /usr/sbin
ApacheRoot=   /usr/lib/apache2

This file contains the administrator passwords in cleartext, so restrict access to it:

chmod 640 /opt/install.inf

Run the setup-script like so:

/opt/fedora-ds/setup/setup -s -f /opt/install.inf

The installation script will successfully start the ns-slapd server but print some warnings that the admin server can't be started. We'll solve that now. Make some changes to the /opt/fedora-ds/admin-serv/config/httpd.conf file: some modules do not have to be loaded, as they are compiled in statically, so comment out these lines (put a pound sign before 'LoadModule ...'):

...
#LoadModule access_module /usr/lib/apache2/modules/mod_access.so
#LoadModule auth_module /usr/lib/apache2/modules/mod_auth.so
#LoadModule log_config_module /usr/lib/apache2/modules/mod_log_config.so
#LoadModule env_module /usr/lib/apache2/modules/mod_env.so
...
#LoadModule setenvif_module /usr/lib/apache2/modules/mod_setenvif.so
#LoadModule mime_module /usr/lib/apache2/modules/mod_mime.so
...
#LoadModule negotiation_module /usr/lib/apache2/modules/mod_negotiation.so
#LoadModule dir_module /usr/lib/apache2/modules/mod_dir.so
...
#LoadModule alias_module /usr/lib/apache2/modules/mod_alias.so
...

Now you can manually start the admin-server like so:

/opt/fedora-ds/start-admin

We created four custom LDAP schemas for our project. They are required for running the other software modules and are available for download below. The target directory for Fedora Directory Server schema files is /opt/fedora-ds/slapd-ldap/config/schema.

The directory server will activate the new schemas after a restart.

SSL/TLS configuration

You can run the necessary commands by hand or use the all-in-one 'setupssl.sh' script. For ease of configuration we chose the latter. Get the script from the Fedora Directory Server wiki, which is a very fine source of information on the SSL/TLS configuration details: http://directory.fedora.redhat.com/wiki/Howto:SSL

The 'setupssl.sh' script requires the ldap-utils to be installed.

apt-get install ldap-utils

As the script runs 'hostname --fqdn' to obtain the FQDN, and we want to use the service name (which is 'ldap') rather than the FQDN of the host, we'll change that entry in the script. Change line number 111 to become:

myhost=ldap.intra.example.com

Check that the host can resolve the service name (ldap.intra.example.com) to its service IP address (192.168.1.12).

Now run the script:

chmod +x setupssl.sh
./setupssl.sh

Finally restart the Directory Server as well as the Admin-server in order to activate the SSL/TLS.

DS management console

The directory server and admin server can be managed with a client-server GUI application. This is an X Window System application, so your workstation might be a good place to install and run it. Note that it is also possible to run the admin console on the directory server itself once you install the X11 libraries there.

Ubuntu-6.06

Install the software

Install the Sun JRE/JDK 1.5 (don't forget to check your PATH and JAVA environment variables).

Install the FDS software (as root) in /opt/fedora-ds.

If the IP-number of your directory-server is not resolvable, add an entry in /etc/hosts on your workstation:

192.168.1.12  ldap.intra.example.com ldap

This is needed because of the default access restrictions of the admin server.

Start the console

As a non-root user start the console (have your X settings correct):

/opt/fedora-ds/startconsole -u admin -a http://ldap.intra.example.com:7777 &

An X window pops up; type in the admin password (i.e. hannibal here).

Directory-Server replication

Choose a master-slave or a multi-master setup.

Installation

The Fedora Directory Server supports Multi-Master Replication (MMR). This allows you to create up to four writable LDAP master servers. The Fedora wiki contains fine documentation on how to install an MMR environment. See: http://directory.fedora.redhat.com/wiki/Howto:MultiMasterReplication

The documentation on setting up a replication LDAP-server is available at: http://www.redhat.com/docs/manuals/dir-server/ag/replicat.htm#pgfId-1027091

LDAP Export/Backup

Create a full export of your directory to LDIF on a regular basis. You wouldn't want to lose your precious data, would you? This is an example of how to do so.

#!/bin/sh

# Full LDAP export to LDIF
#
# Olivier Brugman (Pref Sourcing)

LDAPSEARCH=/usr/bin/ldapsearch
FILEDATE=$(date +%Y%m%d)
TARGETDIR=/root/ldifs
TARGETFILE=${TARGETDIR}/full_ldap2ldif-${FILEDATE}

# The export contains the password hashes of every entry: create the
# directory and the file readable by root only.
umask 077
/usr/bin/test -d ${TARGETDIR} || mkdir -p ${TARGETDIR}

# Note: -w puts the password on the command line, where other local users
# can see it with ps; where supported, -y <file> reads it from a file instead.
${LDAPSEARCH}  -x \
               -b 'dc=intra,dc=example,dc=com' \
               -h YOUR_LDAPHOST \
               -D 'cn=Directory Manager' \
               -w 'YOUR_PASSWORD' \
               -LLL \
               '(objectclass=*)' > ${TARGETFILE} || {
    # A failed bind or search would otherwise leave an empty or truncated
    # file behind that looks like a valid backup.
    echo "ldapsearch failed, removing incomplete export ${TARGETFILE}" >&2
    rm -f ${TARGETFILE}
    exit 1
}
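A backup that nobody reads is only trusted when it is needed, so it pays to check an export before relying on it. The following is an added example, not code from the original page: a small LDIF reader that counts the entries in an export like the one the script above writes, flags entries outside the expected suffix, and reports how many carry password hashes (the reason the file must stay readable by root only). It handles the two LDIF details that trip up naive greps: folded lines (continuation lines start with one space) and "attr:: base64" values. The sample LDIF is constructed; the entries and hash in it are not real.

```python
import base64  # added example; SAMPLE_LDIF below is constructed data

PASSWORD_ATTRS = ("userpassword", "sambantpassword", "sambalmpassword")

def parse_ldif(text):
    """Return the entries in an LDIF text as {attribute: [values]} dicts."""
    lines = []
    for raw in text.splitlines():            # unfold continuation lines
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                # trailing "" flushes last entry
        if line.startswith("#"):             # comments never end an entry
            continue
        if not line:                         # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):             # "attr:: <base64>" form
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(attr, []).append(value)
    return entries

def check_export(text, suffix):
    """Count entries, entries outside the suffix, and entries with password hashes."""
    entries = parse_ldif(text)
    outside = sum(1 for e in entries
                  if not e.get("dn", [""])[0].lower().endswith(suffix.lower()))
    with_pw = sum(1 for e in entries if any(a.lower() in PASSWORD_ATTRS for a in e))
    return {"entries": len(entries), "outside_suffix": outside, "with_passwords": with_pw}

SAMPLE_LDIF = """\
dn: dc=intra,dc=example,dc=com
objectClass: domain

dn: uid=jdoe,ou=people,dc=intra,dc=example,dc=com
uid: jdoe
description: a long description folded by ldapsearch onto
  a second line
userPassword:: e1NTSEF9ZXhhbXBsZQ==
"""  # constructed sample in the shape the export script produces
```

Run check_export() on the day's export from cron and alert when the entry count drops sharply or falls to zero; that catches an empty export long before a restore does.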

OpenLDAP Directory server

The Fedora Directory Server is the directory server of choice for our project. This part of the documentation, which describes the configuration of OpenLDAP, is now legacy and not maintained!

Install the software.

Debian-sarge

(and Ubuntu dapper)

Installation

apt-get install slapd ldap-utils libsasl2-modules

The package db4.2-util is also advised; it is needed for database recovery (db_recover) actions, which slapd calls automatically in case of a start failure.

Configuration

Stop the LDAP-server

/etc/init.d/slapd stop

/etc/ldap/ldap.conf

BASE    dc=intra, dc=example, dc=com
URI     ldap://ldap.intra.example.com
TLS_CACERT      /etc/ldap/tls/cacert.pem

/etc/ldap/slapd.conf

allow bind_v2
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/postfix.schema
include         /etc/ldap/schema/samba.schema
schemacheck     on
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd.args
loglevel        0
TLSCACertificateFile /etc/ldap/tls/cacert.pem
TLSCertificateFile /etc/ldap/tls/ldapcert.pem
TLSCertificateKeyFile /etc/ldap/tls/ldapkey.pem
modulepath      /usr/lib/ldap
moduleload      back_bdb
backend         bdb
database        bdb
suffix          "dc=intra,dc=example,dc=com"
rootdn          "cn=admin,dc=intra,dc=example,dc=com"
rootpw          {SSHA}passwordstringhere
directory       "/var/lib/ldap"
index           objectClass eq
lastmod         on
access to attribute=userPassword
        by dn="cn=admin,dc=intra,dc=example,dc=com" write
        by self write
        by anonymous auth
        by * none
access to attribute=sambaLMPassword
        by dn="cn=admin,dc=intra,dc=example,dc=com" write
        by self write
        by anonymous auth
        by * none
access to attribute=sambaNTPassword
        by dn="cn=admin,dc=intra,dc=example,dc=com" write
        by self write
        by anonymous auth
        by * none
access to *
        by dn="cn=admin,dc=intra,dc=example,dc=com" write
        by * read

/etc/ldap/schema/postfix.schema

attributetype ( 1.3.6.1.4.1.4203.666.1.200
        NAME 'mailacceptinggeneralid'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

attributetype ( 1.3.6.1.4.1.4203.666.1.201
        NAME 'maildrop'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

objectClass ( 1.3.6.1.4.1.4203.666.1.100
        NAME 'postfixUser'
        DESC 'Postfix Mail User'
        SUP top
        AUXILIARY
        MAY ( mailacceptinggeneralid $ maildrop ) )

/etc/ldap/schema/samba.schema can be gunzipped and copied from /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz after installation of the package samba-doc. The installation of Samba is described in the Samba section of this document.

apt-get install samba-doc
cd /etc/ldap/schema
cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz . ; gunzip *.gz

The root DN's password hash can be generated by issuing the slappasswd command. Add the result to slapd.conf.

slappasswd -vh {SSHA} -s newpasswordhere
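To see what slappasswd actually writes into that rootpw line, here is an added example (not from the original page, and not OpenLDAP's own code) that builds and verifies the {SSHA} format: "{SSHA}" followed by base64(SHA-1(password + salt) + salt). It also includes a small check that the rootpw line of a slapd.conf uses a hashed scheme rather than a cleartext value. The 4-byte salt size is OpenLDAP's default; the password used in the test is a constructed value.

```python
# Added example: the {SSHA} scheme as printed by "slappasswd -h {SSHA}".
#   "{SSHA}" + base64( SHA1(password + salt) + salt )
import base64
import hashlib
import hmac
import os

def ssha_hash(password, salt=None):
    """Return a {SSHA} string; a random 4-byte salt (OpenLDAP's default size)
    is drawn unless one is supplied for reproducible tests."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(stored, password):
    """Check a password against a stored {SSHA} value. The salt is whatever
    follows the 20-byte SHA-1 digest, so any salt length is accepted."""
    if not stored.startswith("{SSHA}"):
        return False
    try:
        blob = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:                      # binascii.Error is a ValueError
        return False
    if len(blob) <= 20:                     # digest without a salt is malformed
        return False
    digest, salt = blob[:20], blob[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time compare

def rootpw_scheme(slapd_conf):
    """Return the scheme used on the rootpw line of a slapd.conf text
    ("SSHA", "CRYPT", ...), "cleartext" when the value has no {scheme}
    prefix, or None when there is no rootpw line at all."""
    for line in slapd_conf.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "rootpw":
            value = parts[1].strip()
            if value.startswith("{") and "}" in value:
                return value[1:value.index("}")]
            return "cleartext"
    return None
```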

Create a directory for the LDAP-server's certificates

mkdir /etc/ldap/tls

The OpenSSL section in this document describes how to create certificates. Create them now and copy them to /etc/ldap/tls. Make sure that their names correspond to the names in slapd.conf.

Make sure that /etc/default/slapd contains a line like 'SLAPD_SERVICES="ldap://192.168.1.12/ ldaps://192.168.1.12/ ldapi:///"'. This way you can make slapd listen on a specific interface only. For more security considerations see http://www.openldap.org/doc/admin21/security.html.

Start the LDAP-server

/etc/init.d/slapd start

Note that the LDAP-server won't start if postfix.schema and samba.schema aren't in place!

Now that the LDAP server is up and running, let's fill it with domain entries, as we need those to get the ldapdns server to work.

You can find the hannibal-dnsstuff.ldif at http://hannibal.solstice.nl. Download the file and modify it according to your environment. Beware: in some Hannibal config files and commands in this document we use IPs rather than domain names, so if you want to change the IPs, pay attention to this in order not to break things!

Add LDAP-entries

Add the LDAP entries like so:

/usr/bin/ldapadd -x -D "cn=admin,dc=intra,dc=example,dc=com" -w therootdnpassword \
                 -h 192.168.1.12 -f hannibal-dnsstuff.ldif

Use it

Note: you can test an LDAP connection over TLS by hand. You could also use this command on a regular basis to make a full backup of the contents of the LDAP server: just run a script from cron which pipes the STDOUT of the ldapsearch command to a file, and add the date (and time) to the filename (for cron use, replace the interactive -W password prompt with a non-interactive password source).

ldapsearch -x -b 'dc=intra,dc=example,dc=com' \
           -D "cn=admin,dc=intra,dc=example,dc=com" \
           '(objectclass=*)' -H ldap://ldap.intra.example.com \
           -W -ZZ
hannibal/ldap_directory_oldversions.txt · Last modified: 2008/06/26 07:38 by Olivier Brugman