Re: Introduction & few notes

Hi Nicholas-
  I'm a newbie to 389 DS as well, but I've installed it on my CentOS 7 systems, and it's working well. I'm not sure it helps, and I'd like more
experienced people to wave me off if anything I suggest is bad- but I did the following:

Installed the following packages via yum:
389-admin.x86_64                       1.1.46-1.el7                    @epel    
389-admin-console.noarch               1.1.12-1.el7                    @epel    
389-adminutil.x86_64                   1.1.22-2.el7                    @epel    
389-console.noarch                     1.1.19-5.el7                    @epel    
389-ds-base.x86_64                     1.3.8.4-25.1.el7_6              @updates
389-ds-base-libs.x86_64                1.3.8.4-25.1.el7_6              @updates
389-ds-console.noarch                  1.2.16-1.el7                    @epel

Once installed, I ran the following setup scripts:
/usr/sbin/setup-ds-admin.pl  /usr/sbin/setup-ds.pl

I used defaults for almost everything except my domain name and hostname.

To verify things are working, I brought up:
  /usr/bin/389-console  (make sure you've set your $DISPLAY variable to your X environment)

I used that to configure groups and users. It is reasonably self-explanatory. I'd recommend doing groups before users. When you create a user or group, make sure you also set the Posix items as well for UNIX. (The Posix section has the UNIX uid and gid settings.)

To make sure LDAP is running properly, at any time for a client, you can run: ldapsearch -x 

You should get all the information that is in the database that way.

To get the clients to use the new LDAP server, I ran:

authconfig --enableldap --enableldapauth --ldapserver=<hostname> --ldapbasedn="dc=example,dc=com" --enablemkhomedir --update

Note that for the system that is running the 389 DS instance, I substituted localhost for the IP address I used for the other clients.

I am not running TLS ATM, but will set that up in the near future.

Hope this helps

jcm

On Mon, Aug 19, 2019 at 3:48 AM Marc Muehlfeld <mmuehlfeld@xxxxxxxxxx> wrote:
Hi Nicolas,


On 8/19/19 9:59 AM, Nicolas Kovacs wrote:
> Currently the network uses a bone-headed single-sign-on configuration
> based on NIS and NFS. I'm well aware of the potential flaws of this
> setup, and I intend to replace it. In the past I've tried to wrap my
> head around LDAP, but I bluntly admit I failed miserably every time.
>
> I just read the "Single Sign On" chapter in the fine "Unix & Linux
> System Administration Handbook", which states 389 Directory Server
> as a preferable alternative to the plain OpenLDAP server.

If you are interested in single sign-on, automount, etc., FreeIPA (aka
"Identity Management" in Red Hat) might be interesting for you.

FreeIPA uses 389 Directory Server as database, but you usually don't get
in touch with the LDAP server directly. You can manage FreeIPA using the
command line and browser, and a lot of things are automated or at least
should be easier than configuring everything manually.

These are the Identity Management docs for RHEL 7:
* https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/
* https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/system-level_authentication_guide/
* https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/
  (maybe not relevant for your use case)
> I have three sandbox machines in my office and some time to experiment,
> and I've even managed so far to install 389 DS on one of these machines
> using the online documentation and various tutorials.
>
> First things first. I'm a new user, so I checked out the project pat at
> https://www.port389.org/. I clicked on "Get started with a new
> install"... and got stuck since the documentation doesn't work on my
> system (CentOS 7).
>
>    * https://www.port389.org/docs/389ds/howto/quickstart.html
>
> Eventually I figured out that Red Hat DS has a working documentation,
> although I felt a bit like someone looking for a receipt for pasta
> bolognese and getting a full-blown online course in food biochemistry.

If you use CentOS, the Red Hat Directory Server guides should work.
Additionally, they are frequently updated.

https://access.redhat.com/documentation/en-us/red_hat_directory_server/

I understand that the docs contain a lot of information, which could be
overwhelming if you are new to LDAP. If you have any suggestion on what we
can improve, please let me know (or open a ticket:
https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Directory%20Server)
> The QuickStart page sports a link "If you want to learn more about what
> ldap is, you should read our “ldap concepts” guide." So I clicked on
> that but unfortunately the link is dead. I admit I have yet to find a
> comprehensive introduction to LDAP that is suitable for folks like me
> with an IQ below 200.

It's not a short introduction, but the RHDS Deployment Guide could maybe
answer some of your general questions about LDAP:
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/deployment_guide/


Regards,
Marc
--
Marc Muehlfeld (Senior Technical Writer)
Customer Content Services
_______________________________________________________________________________
Red Hat GmbH, Werner-von-Siemens-Ring 14, 85630 Grasbrunn, Germany
http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael O'Neill,
Tom Savage, Eric Shander
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx


--
JC Motta  (jcm)
IT Consultant
Apex Semi
408-805-0245

Confidential and Proprietary Communication of Apex Semiconductor Inc.  If you are not the intended recipient, any dissemination, distribution or copying this communication is prohibited.  If you think that you have received this email message in error, please email the sender.
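As an added example, not part of the original post and not 389 DS project code: a POSIX shell script around the two verification steps jcm describes. The "ldapsearch -x" check is an anonymous bind, so everything it returns is readable by anyone who can reach port 389; the first part of the script audits such a dump for what it exposes (entry count, POSIX accounts, and whether any userPassword attribute is readable, which 389 DS's default anonymous-access ACI excludes). The second part builds the authconfig client command with LDAP-over-TLS enabled, since the plain form in the post sends each user's password in clear text on every simple bind. The LDIF is constructed sample data; the hostname ds1.example.com, the base DN and the CA URL are placeholders; the flags --enableldaptls and --ldaploadcacert are the names used by authconfig(8) on CentOS 7, so check them against your version before copying the output.

```shell
#!/bin/sh
# Added example, not from the original post or the 389 DS project.
# 1) Audit an anonymous "ldapsearch -x -LLL" dump: anonymous read is how the
#    post verifies the server, so whatever it returns is world-readable.
# 2) Build the authconfig client command with LDAP-over-TLS enabled, so simple
#    binds do not send passwords in clear text.

# Constructed LDIF, shaped like an anonymous "ldapsearch -x -LLL" result from a
# fresh directory with one POSIX user and one POSIX group (not real data).
SAMPLE_ANON='dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example

dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: alice
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/alice

dn: cn=staff,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: staff
gidNumber: 1001
memberUid: alice'

# Same dump with a password hash leaking on the user entry (constructed value).
# 389 DS ships an anonymous-access ACI that excludes userPassword, so seeing
# this on an anonymous bind means the ACIs were loosened.
SAMPLE_LEAK=$(printf '%s\n' "$SAMPLE_ANON" | awk '
    { print }
    /^homeDirectory: \/home\/alice$/ { print "userPassword: {SSHA}constructed-not-a-real-hash" }')

# Count "dn:" lines, i.e. entries, in an LDIF stream.
ldif_entry_count() {
    printf '%s\n' "$1" | grep -c '^dn: ' || true
}

# Count POSIX accounts, the entries NSS clients consume for logins.
ldif_posix_accounts() {
    printf '%s\n' "$1" | grep -ci '^objectClass: posixAccount' || true
}

# Count entries that hand out userPassword to this bind.
ldif_password_leaks() {
    printf '%s\n' "$1" | grep -ci '^userPassword:' || true
}

# One-line verdict; non-zero exit when password attributes are readable.
audit_ldif() {
    leaks=$(ldif_password_leaks "$1")
    if [ "$leaks" -gt 0 ]; then
        printf 'WARNING: %s entries expose userPassword to this bind\n' "$leaks"
        return 1
    fi
    printf 'ok: %s entries, %s POSIX accounts, no password attributes\n' \
        "$(ldif_entry_count "$1")" "$(ldif_posix_accounts "$1")"
}

# authconfig command for a client. Default is TLS with the CA fetched from a
# URL (placeholder); pass "plain" as the fourth argument to reproduce the
# post's unencrypted form, which is only acceptable on a trusted test network.
client_authconfig_cmd() {
    server=$1
    basedn=$2
    cacert=$3
    mode=${4:-tls}
    if [ "$mode" = tls ]; then
        printf 'authconfig --enableldap --enableldapauth --ldapserver=%s --ldapbasedn="%s" --enableldaptls --ldaploadcacert=%s --enablemkhomedir --update\n' \
            "$server" "$basedn" "$cacert"
    else
        printf 'authconfig --enableldap --enableldapauth --ldapserver=%s --ldapbasedn="%s" --enablemkhomedir --update\n' \
            "$server" "$basedn"
    fi
}

# Usage: against a real server, feed in
#   ldapsearch -x -LLL -H ldap://ds1.example.com -b dc=example,dc=com
# via  audit_ldif "$(ldapsearch ...)"  ; here the constructed samples are used.
audit_ldif "$SAMPLE_ANON"
audit_ldif "$SAMPLE_LEAK" || true
client_authconfig_cmd ds1.example.com 'dc=example,dc=com' http://ds1.example.com/ca.crt
```

Run the audit with the same bind your clients will use: if an anonymous dump already returns uidNumber, gidNumber and homeDirectory for every account, that is the minimum an attacker on the network learns about your user base, and any userPassword line at all is a misconfigured ACI. When enabling TLS, the --ldapserver value must match the server certificate's subject or SAN, so the "localhost" substitution mentioned in the post for the server host itself needs a certificate that covers that name too.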