How to Install an LDAP 389 Master Server

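#!/bin/sh
#
# Install and bootstrap a 389 Directory Server "master" on this host and
# reuse the host's Puppet agent certificate (re-issued with the LDAP service
# names as DNS SANs) as the LDAP/admin-server TLS certificate.
#
# Several steps are interactive (setup-ds-admin.pl, the PKCS#12 passphrase
# prompts of openssl/pk12util, and two 389-console sessions): run this from
# a terminal, as root, on the future directory server.
#
# Requirements: yum repositories that provide 389-ds, a Puppet agent already
# pointed at a master reachable as "puppetmaster", and ssh access to that
# master with rights to sign agent certificates.

set -eu

[ "$(id -u)" -eq 0 ] || { echo "this script must run as root" >&2; exit 1; }

# Short host name, used only to build the DNS alt names for the certificate.
# NOTE(review): the original used `hostname -i`, which returns an IP address
# and would have produced an "<ip>.<domain>" SAN entry; the short name looks
# like the intended value — confirm against the cluster's DNS records.
HOST=$(hostname -s)
FQDN=$(hostname)                      # name of the Puppet agent cert/key files
DOMAIN='ucsf.bkslab.org'
DS_INSTANCE_DIR=/etc/dirsrv/slapd-ds-1   # matches server name "ds-1" given to setup-ds-admin.pl
ADMIN_NSSDB=/etc/dirsrv/admin-serv       # NSS database of the 389 admin server
P12=/etc/pki/tls/private/$FQDN.p12       # temporary PKCS#12 bundle, removed below
PUPPET_SSL=/var/lib/puppet/ssl

# INSTALL REPOS
# (no repository configuration is present here; 389-ds is expected to come
# from the yum repositories already configured on the host)

# Install before touching /etc/sysconfig/dirsrv: that file is shipped by the
# package, so editing it first fails on a fresh host.
yum -y install 389-ds

# Raise the per-process open-file limit the directory server starts with.
sed -i 's/# ulimit -n 8192/ulimit -n 8192/' /etc/sysconfig/dirsrv

# Raise the system-wide file-handle ceiling only if it is currently lower.
# fs.file-max is a global maximum, so writing 8192 unconditionally would
# LOWER it on kernels whose default is already higher (most modern ones).
# Note: `echo >> file <<EOF` (the original form) discards the here-document
# and writes a blank line; `cat` is what actually appends the block.
if [ "$(sysctl -n fs.file-max)" -lt 8192 ]; then
  cat >> /etc/sysctl.conf <<EOF

# Allow more file handles for 389
fs.file-max = 8192
EOF
  sysctl -p
fi

# Unprivileged account the directory server runs as (no home, no shell).
# Guarded so the script can be re-run without useradd aborting it.
id ds >/dev/null 2>&1 || \
  useradd ds -c "389 Directory Server User" -d /var/lib/dirsrv -M -s /sbin/nologin

echo "Running 389 Configuration"
# Guidance for the interactive installer (cat, not echo: echo ignores stdin).
cat <<EOF
 - Use default setup mode
 - Set user to 'ds'
 - Set server name to ds-1
 - Set hostname to 'ds.cluster.$DOMAIN'
 - Set cn to "dc=DOMAIN,dc=ORG" or similar
 - Set passwords (Directory Manager and admin: long, unique, kept in a
   password manager — they are the keys to the whole directory)
EOF

setup-ds-admin.pl

# Re-issue the Puppet agent certificate with the LDAP service names as DNS
# SANs so one key pair can serve ds, ds.cluster.$DOMAIN, ds.$DOMAIN and the
# host itself.  The old agent key/cert are set aside (ssl~), not deleted.
mv "$PUPPET_SSL" "$PUPPET_SSL~"
echo "dns_alt_names    = ds,ds.cluster.$DOMAIN,ds.$DOMAIN,$HOST.$DOMAIN" >> /etc/puppet/puppet.conf

# First agent run only generates the key and submits the CSR.  --waitforcert=0
# makes it exit instead of polling; with --waitforcert=60 (the original) the
# agent keeps waiting for a signed certificate, but the signing is done by
# the *next* lines of this script, so the run would never return.  The
# non-zero exit ("no certificate found") is expected here.
puppet agent -t --report --pluginsync --waitforcert=0 || true

# NOTE(review): if the master still holds a certificate for $FQDN from the
# previous key, the new request cannot be signed until that one is cleaned
# on the master — confirm the master's state before relying on this step.
# The original ran `puppet cert $(hostname)` with no action; `list` shows the
# pending request, which appears to be the intent — confirm.
ssh puppetmaster "puppet cert list"
ssh puppetmaster "puppet cert sign $FQDN --allow-dns-alt-names"

# Second run fetches the signed certificate (and applies the catalog).
puppet agent -t --report --pluginsync --waitforcert=60

# Convert the Puppet key pair for 389 (NSS) use.
# The PKCS#12 bundle is an extra copy of the host's private key: create it
# unreadable to others (umask in a subshell so the rest of the script is
# unaffected), import it into both NSS databases, then remove it.  openssl
# and pk12util prompt for the bundle passphrase interactively.
# NOTE(review): stock Puppet agents store the CA certificate as
# $PUPPET_SSL/certs/ca.pem; the original referenced ca.cert — confirm the
# file name on this agent before running.
( umask 077
  openssl pkcs12 -export -in "$PUPPET_SSL/certs/$FQDN.pem" \
                         -inkey "$PUPPET_SSL/private_keys/$FQDN.pem" \
                         -out "$P12" )

# Same CA (trusted for SSL server/client, "CT,,") and same host key pair go
# into the directory server instance and the admin server.  The original
# imported the admin-server key into /etc/dirsrv/admin-dirsrv while adding
# the CA to /etc/dirsrv/admin-serv; both must target the admin-serv database.
for nssdb in "$DS_INSTANCE_DIR" "$ADMIN_NSSDB"; do
  certutil -d "$nssdb" -A -n "Cluster PuppetCA Certificate" -t CT,, -a -i "$PUPPET_SSL/certs/ca.cert"
  pk12util -i "$P12" -d "$nssdb"
done
rm -f "$P12"

# Work around an NSS fork-safety check that breaks TLS in the admin server
# (the original comment: "Fix annoying TLS bug").  This disables a safety
# check, so it is scoped to dirsrv-admin only; guarded against duplicates.
grep -q '^export NSS_STRICT_NOFORK=DISABLED$' /etc/sysconfig/dirsrv-admin 2>/dev/null || \
  echo "export NSS_STRICT_NOFORK=DISABLED" >> /etc/sysconfig/dirsrv-admin

# Connect to 389 directory server
# Username: cn=Directory Manager
# Password: the Directory Manager password chosen in setup-ds-admin.pl
#           (never write it into this script or the shell history)
# URL: http://ds:9830
# CAUTION: until encryption is enabled below this console session is plain
# HTTP and sends the Directory Manager credentials in clear; do it from the
# server itself (or through an ssh tunnel), not across the network.
# TODO:
# - Enable encryption in Directory Server
# - Enable encryption in Administration Server
# - Ensure encrypted connections are used (port 636); consider also
#   requiring secure binds so credentials never cross port 389 in clear
# - Exit
389-console
service dirsrv restart
service dirsrv-admin restart

# Connect to encrypted 389 directory server
# Username: cn=Directory Manager
# Password: as above
# URL: https://ds:9830
# TODO (Under "Users and Groups")
# - Create Group(s)
#   Create -> Group (Under "Groups" subtree). Add Group Info AND Posix group info
# - Create Users
#   Create -> User (add to "People" subtree). Add User info AND Posix user info
# - Add users to groups
# - Create Special Directory Reader Group
#   Create -> User (add to "Special Users" subtree). Name:"LDAP Browser"
#   Password: a strong, generated value (e.g. `openssl rand -base64 24`),
#   not something simple — every client binds with it and it will most
#   likely end up in client configuration files, so a weak or guessable
#   value exposes the readable part of the directory to anyone on the network.
# - Exit
389-console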