Today, we shall look into an enterprise-class open source LDAP server, 389 Directory Server.

LDAP servers are used to store identities, groups and organization data. They can also serve as a structured, hierarchical data store in the style of a NoSQL database.

Here at LinuxAPT, as part of our Server Support Services, we regularly help customers to install LDAP Servers on their Linux Machine.

In this context, we shall look into how to install an LDAP server on CentOS 8 / RHEL 8.

More about 389 Directory Server?

389 Directory Server is free and open source software that supports multi-master replication and is used in some of the largest LDAP deployments in the world.

It is a high-performance LDAP server that can handle thousands of operations per second and hundreds of thousands of accounts; combined with replication, a deployment can keep serving while individual servers are taken down for maintenance.

Some of its features are listed below;

i. It is an LDAPv3-compliant server.

ii. Secure authentication and transport are built in: TLS for the transport and SASL mechanisms for authentication. Note that they are available, not enforced: out of the box, port 389 still accepts clear-text simple binds unless you require secure binds (nsslapd-require-secure-binds in cn=config) or close the port.

iii. It has asynchronous multi-master replication, which provides fault tolerance and high write throughput.

iv. It is built for continuous availability: with replication in place, a single server can be taken offline for maintenance without an outage.

v. It supports LDAP-based (online) updates of schema, configuration and management settings, including Access Control Instructions (ACIs).

How to install and configure 389 Directory Server on CentOS 8?

To get started, make sure the server prerequisites are in place: a physical or virtual machine running CentOS 8 on which you have root access.

i. SELinux Configuration (Optional, and best skipped)

The steps below disable SELinux because that is what many guides do, but you do not need to: 389 Directory Server ships with its own SELinux policy, and when SELinux is active dscreate labels the instance's ports and files for you, so the server runs confined with no extra work. Disabling SELinux removes that confinement for every service on the host, not only LDAP. If you still decide to do it, log in to your server as root and edit "/etc/selinux/config", changing the value of "SELINUX" from "enforcing" to "disabled" (or to "permissive" if you only want denials logged while you troubleshoot).

To edit this file, run the command below;

sudo vi /etc/selinux/config

After the edit, the file looks like this; the SELINUX line is the one that changed, and SELINUXTYPE stays at targeted;

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Now after the modification, you can save and exit the file.

You can also set the timezone and the server hostname with the commands below. Use the fully qualified name you will later give to dscreate: it becomes the subject of the self-signed certificate, and clients validate the certificate against it.

timedatectl set-timezone Europe/Oslo
hostnamectl set-hostname your_server_name.domain

After this, reboot the server so the changes take effect (the SELinux change in particular only applies at boot).

ii. Add EPEL Repository

For an extensive tutorial on how to enable EPEL on CentOS, read the complete guide on how to enable the EPEL repository on Linux.

To add the EPEL repository on CentOS/RHEL 8, use the commands for your distribution.

For CentOS 8, run the commands below (from CentOS 8.3 onwards the repository id is the lower-case "powertools");

dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
dnf config-manager --set-enabled PowerTools

For RHEL 8, run the command below;

dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
ARCH=$( /bin/arch )
subscription-manager repos --enable "codeready-builder-for-rhel-8-${ARCH}-rpms"

iii. 389 Directory Server Installation Process

To install 389 Directory Server on CentOS/RHEL 8, run the following command;

dnf -y module install 389-directory-server:stable/default

iv. How to configure 389 Directory Server

Run the command below;

dscreate interactive

Then answer the prompts one by one, as shown below. This transcript was taken on a host where SELinux had been disabled, which is why dscreate says it will not relabel ports or files; with SELinux enforcing it labels them for you;

Install Directory Server (interactive mode)
selinux is disabled, will not relabel ports or files.
Selinux support will be disabled, continue? [yes]:
Enter system's hostname [ldap]: ldap.linuxapt.com
Enter the instance name [ldap]:
Enter port number [389]:
Create self-signed certificate database [yes]:
Enter secure port number [636]:
Enter Directory Manager DN [cn=Directory Manager]:
Enter the Directory Manager password:
Confirm the Directory Manager Password:
Enter the database suffix (or enter "none" to skip) [dc=ldap,dc=linuxapt,dc=com]:
Create sample entries in the suffix [no]: yes
Do you want to start the instance after the installation? [yes]:
Are you ready to install? [no]: yes
Starting installation...
Completed installation for ldap

To list the instance name, run the command below;

dsctl --list

You will see output like;

slapd-ldap
Now, to confirm that the slapd-ldap instance is running, run the command below;

dsctl slapd-ldap status

You should get a response such as;

Instance "ldap" is running

You can also check the instance status with systemctl, as shown below;

systemctl status dirsrv@ldap.service

Next, start the Cockpit web console with the commands below. The 389 Directory Server tab inside Cockpit comes from the cockpit-389-ds package; install it if the tab is missing;

systemctl start cockpit.service
systemctl status cockpit.service

Starting the service only lasts until the next reboot; to have the console come back automatically, enable the socket instead with "systemctl enable --now cockpit.socket".

v. How to Set the Firewall Rules for the LDAP Server?

Now run the following commands to open the ports the server listens on. Only open 389/tcp if clients genuinely need plain LDAP or STARTTLS on it; LDAPS on 636/tcp is the safer default. Port 9090/tcp is the Cockpit administration interface and should be reachable from management networks only (for example via a firewalld rich rule with a source address), not from everywhere;

firewall-cmd --permanent --add-port=389/tcp
firewall-cmd --permanent --add-port=636/tcp
firewall-cmd --permanent --add-port=9090/tcp
firewall-cmd --reload

After this, you can test the Cockpit web interface in a browser at https://<server-ip>:9090. Cockpit serves HTTPS with a self-signed certificate by default, so expect a browser warning the first time.

Log in as root with the root password (any local user account works too, but privileged actions need sudo rights).

This takes you to the 389 Directory Server tab in Cockpit, the management portal for the instance.
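The steps above can also be run unattended. The script below is an added example written for this article, not code from the LinuxAPT page or from the 389-ds project: it performs the same installation with "dscreate from-file" and an INF answer file instead of the interactive prompts, keeps SELinux enforcing, reads the Directory Manager password from a root-only file instead of typing it, opens the firewall with LDAPS for everyone but Cockpit only from an admin network, and finishes by checking that TLS really answers on port 636. The hostname ldap.example.com, the instance name "ldap", the suffix dc=example,dc=com, the admin network 10.0.0.0/24, the password file /root/dm-password and the CA path /etc/dirsrv/ssca/ca.crt are assumptions; change them before running with --apply.

```shell
#!/bin/bash
# Added example, not code from the LinuxAPT page or the 389-ds project: the same
# install as above done non-interactively with `dscreate from-file`, SELinux left
# enforcing, and the Cockpit port restricted to an admin network.
# Assumed values (change them): ldap.example.com, instance "ldap",
# suffix dc=example,dc=com, admin network 10.0.0.0/24, password in /root/dm-password.
set -eu

# Write the INF answer file that `dscreate from-file` reads.
# $1 output path, $2 FQDN, $3 instance name, $4 suffix, $5 Directory Manager password
write_dscreate_inf() {
    out=$1 fqdn=$2 inst=$3 suffix=$4 dm_pw=$5
    old_umask=$(umask)
    umask 077                      # the file carries the Directory Manager password
    cat > "$out" <<EOF
[general]
config_version = 2
full_machine_name = $fqdn
selinux = True
start = True

[slapd]
instance_name = $inst
port = 389
secure_port = 636
root_dn = cn=Directory Manager
root_password = $dm_pw
self_sign_cert = True

[backend-userroot]
suffix = $suffix
create_suffix_entry = True
sample_entries = yes
EOF
    umask "$old_umask"
}

# Read one "key = value" setting back out of an INF file (used to check what was written).
inf_value() {
    sed -n "s/^$2 = //p" "$1"
}

# Open LDAPS for everyone, plain LDAP only if clients still need it,
# and Cockpit (9090/tcp) only from the admin network given in $1.
open_firewall() {
    firewall-cmd --permanent --add-service=ldaps
    firewall-cmd --permanent --add-service=ldap        # omit when all clients use ldaps://
    firewall-cmd --permanent --remove-service=cockpit || true   # drop the zone-wide default
    firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=$1 service name=cockpit accept"
    firewall-cmd --reload
}

# Confirm the instance is up and that TLS actually answers on 636 (needs openldap-clients).
verify_instance() {
    inst=$1 fqdn=$2
    dsctl "$inst" status
    openssl s_client -connect "$fqdn:636" -servername "$fqdn" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -dates
    # Anonymous root DSE read over LDAPS, trusting the self-signed CA dscreate created
    # (CA path is an assumption: /etc/dirsrv/ssca/ca.crt).
    LDAPTLS_CACERT=/etc/dirsrv/ssca/ca.crt \
        ldapsearch -x -H "ldaps://$fqdn" -b "" -s base "(objectClass=*)" namingContexts vendorVersion
}

main() {
    fqdn=ldap.example.com inst=ldap suffix=dc=example,dc=com
    dm_pw=$(cat /root/dm-password)   # root-only file, so the password never shows up in `ps`
    hostnamectl set-hostname "$fqdn"
    dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
    dnf config-manager --set-enabled powertools || dnf config-manager --set-enabled PowerTools
    dnf -y module install 389-directory-server:stable/default
    write_dscreate_inf /root/ldap.inf "$fqdn" "$inst" "$suffix" "$dm_pw"
    dscreate from-file /root/ldap.inf
    open_firewall 10.0.0.0/24
    verify_instance "$inst" "$fqdn"
}

# Nothing runs until you pass --apply, so the file can also be sourced to reuse the functions.
if [ "${1:-}" = "--apply" ]; then main; fi
```

Run it as root with "bash install-389ds.sh --apply". Keeping the password in a 0600 file and writing the INF under umask 077 matters because dscreate needs the Directory Manager password in clear text in that file; delete /root/ldap.inf once the instance exists. If you keep 389/tcp open, follow up by requiring secure binds so that clients cannot send passwords in the clear.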

Need support in Setting up an LDAP Server on your CentOS 8 Machine? We are available to help you today.