Install, Configure 389 Directory Server (LDAP) on CentOS, RHEL 8

The 389 Directory Server is an open-source enterprise-class LDAP server for Linux that can be deployed in less than an hour. This guide will help you to set up a 389 Directory Server on CentOS, RHEL 8.

Prerequisites

You will need one physical or virtual machine running CentOS 8 or RHEL 8, with root access or a non-root user that has sudo privileges.

Disable SELinux (optional, and not recommended outside a lab)

389 Directory Server runs with SELinux in enforcing mode: dscreate labels the LDAP ports and the instance files itself, so disabling SELinux is not required for this install, and doing so removes mandatory access control from the whole server. If you keep SELinux enforcing, skip this step; dscreate detects SELinux and labels the ports and files during installation. If you still want to disable it (for example on a throwaway test VM), log in to your Linux server and make the following change in the /etc/selinux/config file:
sudo vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
Save and close the editor. If you only want to diagnose a denial, SELINUX=permissive logs the denials without blocking anything and is the safer middle ground.

Set the correct timezone and a fully qualified hostname. The hostname matters: dscreate puts it in the self-signed server certificate and clients verify against it, so use the name your clients will resolve. The values below are the author's; substitute your own:
sudo timedatectl set-timezone Asia/Karachi
sudo hostnamectl set-hostname idp.techsupportpk.com
Reboot your server if you changed the SELinux setting (the timezone and hostname take effect immediately).

Add EPEL Repository

The 389-directory-server module comes from EPEL. EPEL packages commonly depend on the PowerTools (CentOS) or CodeReady Builder (RHEL) repository, so enable that as well.

Type the commands below if you are on CentOS 8 (from CentOS 8.3 on, the repository id is lower-case: powertools):
sudo dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
sudo dnf config-manager --set-enabled PowerTools

Type the commands below if you are on RHEL 8. The ARCH line is a plain shell variable assignment and takes no sudo; prefixed with sudo it would try to run a command named "ARCH=..." and leave the variable unset for the next line:
sudo dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
ARCH=$( /bin/arch )
sudo subscription-manager repos --enable "codeready-builder-for-rhel-8-${ARCH}-rpms"

Install 389 Directory Server

There are two 389-ds streams available: stable and testing. Testing is a bleeding-edge development version. As its name implies, it is NOT supposed to be used in production. After a period of testing and bug fixing it becomes the next stable version.

Each stream has 3 profiles:

default - 389-ds-base and cockpit web ui
minimal - just 389-ds-base
legacy - same as default plus legacy Perl tools and scripts

Type below command to install 389-ds on your CentOS/RHEL 8:
sudo dnf -y module install 389-directory-server:stable/default

Configure 389 Directory Server

sudo dscreate interactive
You will see the following prompts. The two SELinux lines appear only because SELinux was disabled earlier; with SELinux enforcing, dscreate labels the ports and instance files itself. The values typed after the prompts are the author's; substitute your own hostname, instance name and suffix. Sample entries are demonstration users and groups, so answer no on a production server:
Install Directory Server (interactive mode)
===========================================
selinux is disabled, will not relabel ports or files.

Selinux support will be disabled, continue? [yes]:

Enter system's hostname [localhost]: idp.techsupportpk.com

Enter the instance name [localhost]: idp

Enter port number [389]:

Create self-signed certificate database [yes]:

Enter secure port number [636]:

Enter Directory Manager DN [cn=Directory Manager]:

Enter the Directory Manager password:
Confirm the Directory Manager Password:

Enter the database suffix (or enter "none" to skip) [dc=idp,dc=techsupportpk,dc=com]:

Create sample entries in the suffix [no]: yes

Do you want to start the instance after the installation? [yes]:

Are you ready to install? [no]: yes
Starting installation...
Completed installation for idp
 
Verify the instance name with the command below (dsctl reads the instance configuration under /etc/dirsrv, so run it as root):
sudo dsctl --list
 
You will see the output similar to the following:
slapd-idp
 
Check whether your LDAP instance is running with the command below:
sudo dsctl slapd-idp status
 
You will see the output similar to the following:
Instance "idp" is running
 
You can also check your ldap instance status using the systemctl command:
systemctl status dirsrv@idp.service
 
Next, enable and start the Cockpit web console. Cockpit is socket-activated, so enabling the socket is enough:
sudo systemctl enable --now cockpit.socket
systemctl status cockpit.socket
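The interactive session above is fine once, but a repeatable install should not have an operator retyping the Directory Manager password at a prompt. The script below is an added example and not code from the original article or from the 389-ds project: it renders the same answers into an INF template and feeds it to dscreate from-file. It assumes the article's hostname idp.techsupportpk.com, instance name idp and suffix dc=idp,dc=techsupportpk,dc=com, and uses the key names that dscreate create-template prints on 389-ds 1.4.x; generate that template on your own host to confirm the names for your version.

```shell
#!/bin/sh
# Added example, not part of the original article or of 389-ds itself: the same
# install as the interactive session above, driven from an INF template so it is
# repeatable and the Directory Manager password never lands in argv or shell
# history. Assumptions: hostname idp.techsupportpk.com, instance idp and suffix
# dc=idp,dc=techsupportpk,dc=com from the article; the key names follow the
# template that `dscreate create-template` prints on 389-ds 1.4.x (generate it on
# the target host to confirm them for your version).
set -eu

# Render the template. Arguments: hostname, instance name, suffix, DM password.
# Only the settings the interactive run asked about are set explicitly; the
# rest keep dscreate's defaults.
render_dscreate_inf() {
    host=$1; inst=$2; suffix=$3; dm_password=$4
    cat <<EOF
[general]
config_version = 2
full_machine_name = ${host}
# dscreate labels ports and files itself, so SELinux can stay enforcing.
# Set this to False only if you disabled SELinux in the step above.
selinux = True
start = True

[slapd]
instance_name = ${inst}
port = 389
secure_port = 636
self_sign_cert = True
root_dn = cn=Directory Manager
root_password = ${dm_password}

[backend-userroot]
suffix = ${suffix}
create_suffix_entry = True
# Demo users and groups: handy in a lab, leave as "no" on a production server.
sample_entries = no
EOF
}

# Write the template with mode 0600, since it holds the DM password in clear.
write_dscreate_inf() {
    out=$1; shift
    ( umask 077; render_dscreate_inf "$@" > "$out" )
}

# Read the password from a root-only file (chmod 600), not from an argument.
# Usage: sh dscreate-idp.sh /root/dm-password
main() {
    pw_file=$1
    inf=/root/idp.inf
    dm_password=$(cat "$pw_file")
    write_dscreate_inf "$inf" idp.techsupportpk.com idp "dc=idp,dc=techsupportpk,dc=com" "$dm_password"
    if command -v dscreate >/dev/null 2>&1; then
        dscreate from-file "$inf"
        rm -f "$inf"          # the template is not needed once the instance exists
        dsctl idp status
    else
        echo "dscreate not installed; template written to $inf" >&2
        exit 1
    fi
}

# Only run main when a password file is given, so the functions can be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as root with the path to the password file. The template is deleted as soon as dscreate succeeds because it carries the Directory Manager password in clear; until then it is only readable by root. The selinux = True line is the setting to keep: it is what makes the "will not relabel ports or files" message from the interactive run go away, and it is why disabling SELinux earlier was unnecessary.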

Add Firewall Rules

Open the LDAP, LDAPS and Cockpit ports. 389/tcp carries cleartext LDAP (clients can still upgrade with StartTLS); if all of your clients will use LDAPS, leave it closed. 9090/tcp is the Cockpit admin console and belongs on a management network only, so restrict its source with a rich rule or a separate zone rather than opening it to every network:
sudo firewall-cmd --permanent --add-port=389/tcp
sudo firewall-cmd --permanent --add-port=636/tcp
sudo firewall-cmd --permanent --add-port=9090/tcp
sudo firewall-cmd --reload
 
Open your preferred web browser and access the Cockpit web interface at https://your_server_ip:9090. Cockpit serves TLS on 9090 with a self-signed certificate and redirects plain HTTP there, so expect a certificate warning on the first visit (or install a certificate issued by your own CA under /etc/cockpit/ws-certs.d/).


Enter the username and password of a local system account to log in. Cockpit authenticates against the host through PAM, so this is a Linux account with sudo rights, not the Directory Manager; Cockpit then administers the instance locally as root.


Navigate to the 389 Directory Server entry in the Cockpit menu to administer and manage your LDAP instance.


The 389 Directory Server development team has deprecated the old Java Console and Admin Server: starting with Fedora 31, RHEL 8, CentOS 8 and SUSE 15 there is no Java Console (389-console), Admin Express or Directory Server Gateway.

So user and group management needs to be done via the new CLI tools (dsidm for entries, dsconf for server configuration, dsctl for the instance itself), the Cockpit plugin installed above, or free products like Apache Directory Studio.
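For scripted user and group management the plainest route is LDIF applied with the OpenLDAP client tools, and the connection it uses is the same encrypted, CA-pinned one that a GUI such as Apache Directory Studio should be given instead of "No encryption". The script below is an added example, not code from the original article or from the 389-ds project. It assumes the article's instance name idp and suffix dc=idp,dc=techsupportpk,dc=com, the ou=people and ou=groups containers that dscreate's sample entries create (create them first if you answered no), openldap-clients installed, and that dscreate left its self-signed CA at /etc/dirsrv/slapd-idp/ca.crt; check the instance directory if your version puts it elsewhere.

```shell
#!/bin/sh
# Added example, not part of the original article or of 389-ds itself: create a
# POSIX user and a group from plain LDIF and apply it over LDAPS with the
# OpenLDAP client tools (dnf install openldap-clients). The encrypted, CA-pinned
# connection used here is the one Apache Directory Studio should also use
# instead of "No encryption".
# Assumptions: instance idp, suffix dc=idp,dc=techsupportpk,dc=com, and the
# ou=people / ou=groups containers that dscreate's sample entries create (create
# them first if you answered "no"). The CA path below is where dscreate leaves
# its self-signed CA on the versions I have used; check the directory if it differs.
set -eu

SUFFIX=${SUFFIX:-dc=idp,dc=techsupportpk,dc=com}
LDAP_HOST=${LDAP_HOST:-idp.techsupportpk.com}
CA_CERT=${CA_CERT:-/etc/dirsrv/slapd-idp/ca.crt}

# DN helpers keep the container layout in one place.
user_dn()  { printf 'uid=%s,ou=people,%s' "$1" "$SUFFIX"; }
group_dn() { printf 'cn=%s,ou=groups,%s' "$1" "$SUFFIX"; }

# LDIF for a POSIX account. Deliberately no userPassword: set it afterwards
# (ldappasswd over the same LDAPS connection) so the server hashes it with its
# configured scheme instead of a hash chosen by this script.
user_ldif() {
    uid=$1; cn=$2; uidn=$3; gidn=$4
    cat <<EOF
dn: $(user_dn "$uid")
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
uid: ${uid}
cn: ${cn}
sn: ${cn##* }
uidNumber: ${uidn}
gidNumber: ${gidn}
homeDirectory: /home/${uid}
loginShell: /bin/bash

EOF
}

# LDIF for a group listing members both by DN (groupOfNames, what 389-ds's own
# sample groups use) and by uid (posixGroup, what SSSD/NSS clients read).
# Arguments: cn, gidNumber, then the member uids.
group_ldif() {
    cn=$1; gidn=$2; shift 2
    printf 'dn: %s\n' "$(group_dn "$cn")"
    printf 'objectClass: top\nobjectClass: groupOfNames\nobjectClass: posixGroup\n'
    printf 'cn: %s\ngidNumber: %s\n' "$cn" "$gidn"
    for m in "$@"; do
        printf 'member: %s\n' "$(user_dn "$m")"
        printf 'memberUid: %s\n' "$m"
    done
    printf '\n'
}

# Apply LDIF over LDAPS only. -H ldaps:// never falls back to cleartext and
# LDAPTLS_CACERT pins trust to the instance CA, so a substituted certificate
# fails the handshake instead of being accepted. -y reads the bind password
# from a root-only file so it never shows up in ps output or shell history;
# create that file with printf '%s' (no trailing newline), because ldapadd
# uses the file's entire content as the password.
apply_ldif() {
    ldif=$1; pw_file=$2
    LDAPTLS_CACERT="$CA_CERT" ldapadd -H "ldaps://${LDAP_HOST}:636" \
        -D "cn=Directory Manager" -y "$pw_file" -f "$ldif"
}

# Usage: sh ldap-users.sh /root/dm-password
main() {
    pw_file=$1
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    {
        user_ldif jdoe "Jane Doe" 10001 10001
        group_ldif developers 10001 jdoe
    } > "$tmp"
    apply_ldif "$tmp" "$pw_file"
    # Read the group back over the same pinned connection to confirm the write.
    LDAPTLS_CACERT="$CA_CERT" ldapsearch -LLL -H "ldaps://${LDAP_HOST}:636" \
        -D "cn=Directory Manager" -y "$pw_file" -b "$(group_dn developers)" member memberUid
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Binding as cn=Directory Manager is acceptable for bootstrapping, but that account bypasses every ACI on the server; for routine provisioning create a dedicated admin entry with delegated rights and bind as that instead. The same entries can also be created with the dsidm tool that ships with 389-ds (its user create, group create and group add_member subcommands); I have not reproduced its flags here, so consult dsidm idp user create --help on the server for the exact options.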
 

How To Install Apache Directory Studio

You can install Apache Directory Studio on your CentOS 8 or RHEL 8 using the below steps.
 
Install java:
sudo dnf -y install java-latest-openjdk libglvnd-glx
 
Verify java version:
java --version
 
Download Apache Directory Studio latest version from official source like below:
cd ~
wget https://downloads.apache.org/directory/studio/2.0.0.v20210213-M16/ApacheDirectoryStudio-2.0.0.v20210213-M16-linux.gtk.x86_64.tar.gz
 
Extract the tar archive:
tar -xf ApacheDirectoryStudio-2.0.0.v20210213-M16-linux.gtk.x86_64.tar.gz
cd ApacheDirectoryStudio
 
You need a graphical display (a local desktop, or X forwarding over ssh -X) to run Apache Directory Studio:
./ApacheDirectoryStudio
 
You will see Apache Directory Studio starting up
 
Click LDAP, New Connection
 

Connection name: your_ldap_server_name
Hostname: your LDAP server's hostname (use the name in the server certificate, not the IP, if you enable encryption)
Port: 389
Encryption method: No encryption

"No encryption" is only acceptable for a quick test on a trusted network: a simple bind over plain LDAP sends the Bind DN password, here the Directory Manager password, across the wire in cleartext. For anything else choose "Use SSL encryption (ldaps://)" with port 636, or "Use StartTLS extension" with port 389. dscreate created a self-signed certificate earlier, so Studio will ask whether to trust it on the first connection; compare the fingerprint it shows with the certificate on the server before accepting it.

Click Next

 

If you are using encrypted connection:


Keep Simple Authentication and enter the Bind DN and Bind password as shown in the screenshot below. cn=Directory Manager works for the first connection, but it bypasses access control entirely; for day-to-day administration bind as a dedicated admin account with delegated rights instead:

Click Finish

 
You will see your LDAP server connection as shown in screenshot below: 



Conclusion

Now that you have successfully deployed your 389 Directory Server, you can begin configuring your clients for central authentication.

15 comments:

  1. Is this for real? In 2020, we are still recommending disabling SELinux?

    Replies
    1. maybe permissive mode better than disable

    2. maybe permissive mode better than disable

    3. Well thing is if you're doing it in a production environment.. yes it's bad, but if you're doing it in a VM lab at home on say VirtualBox, that's totally fine to do cause really it's not mission critical whatsoever, that said a better (and usually what most folks do) alternative is to set it to permissive which removes some of the need for permissions but keeps the core OS safe.

  2. I thought the same thing.

    Disabling it is only for lazy admins...

    Replies
    1. Err well not quite, for you see we have better features to protect the OS (like system hardening but partial cause while a fully hardened system seems like a good idea.. it can cause a whole lot of issues esp. when it comes to interacting with Windows/MSDOS machines (in hybrid environment), also can lead to connection issues) in fact SELinux is now kinda pointless against anything, but kernel hardening is beyond the scope of this tutorial so the short answer is this: in virtualized environments at home, it just makes life easier for you. Now in production environments we pay vendors to provide kernel hardening (and usually disabling/messing around with SELinux is pointless cause the OS no longer usually relies on it)

  3. Thank you for this howto!

  4. How would someone manage 60 LDAPS with 4 masters in one view?

  5. can you client side configuration

    Replies
    1. What are you exactly looking for? What sort of client side configuration do you need?

  6. I guess client to manage users, groups, GPO.. in WebUI
    I need that configuration too

    Replies
    1. You can install and use 389 Management Console GUI either on LDAP server or on a client machine to manage your LDAP.

  7. Please tell me how to authenticate a pc via ldap 389-ds

  8. Anonymous, May 30, 2022

    How should RHDS integrate Samba?