How to Install an LDAP 389 Master Server: Difference between revisions
Jump to navigation
Jump to search
(Page created based on "How to Install an LDAP Server" from Lab Manual) |
No edit summary |
||
Line 79: | Line 79: | ||
# - Exit | # - Exit | ||
389-console</nowiki> | 389-console</nowiki> | ||
[[Category:Sysadmin]] | |||
[[Category:Tutorials]] |
Latest revision as of 02:33, 2 July 2016
#!/bin/sh #INSTALL REPOS HOST=`hostname -i` DOMAIN='ucsf.bkslab.org' sed -i 's/# ulimit -n 8192/ulimit -n 8192/' /etc/sysconfig/dirsrv echo >> /etc/sysctl.conf <<EOF # Allow more file handles for 389 fs.file-max = 8192 EOF yum -y install 389-ds useradd ds -c "389 Directory Server User" -d /var/lib/dirsrv -M -s /sbin/nologin echo "Running 389 Configuration" echo <<EOF - Use default setup mode - Set user to 'ds' - Set server name to ds-1 - Set hostname to 'ds.cluster.<DOMAIN>' - Set cn to "dc=DOMAIN,dc=ORG" or similar - Set passwords EOF setup-ds-admin.pl # Update certificates with CNAMES mv /var/lib/puppet/ssl /var/lib/puppet/ssl~ echo "dns_alt_names = ds,ds.cluster.$DOMAIN,ds.$DOMAIN,$HOST.$DOMAIN" >> /etc/puppet/puppet.conf puppet agent -t --report --pluginsync --waitforcert=60 ssh puppetmaster "puppet cert $( hostname )" ssh puppetmaster "puppet cert sign $( hostname ) --allow-dns-alt-names" # Convert cert for 389 use certutil -d /etc/dirsrv/slapd-ds-1 -A -n "Cluster PuppetCA Certificate" -t CT,, -a -i /var/lib/puppet/ssl/certs/ca.cert openssl pkcs12 -export -in /var/lib/puppet/ssl/certs/$( hostname ).pem \ -inkey /var/lib/puppet/ssl/private_keys/$( hostname ).pem \ -out /etc/pki/tls/private/$( hostname ).p12 pk12util -i /etc/pki/tls/private/$( hostname ).p12 -d /etc/dirsrv/slapd-ds-1 certutil -d /etc/dirsrv/admin-serv -A -n "Cluster PuppetCA Certificate" -t CT,, -a -i /var/lib/puppet/ssl/certs/ca.cert openssl pkcs12 -export -in /var/lib/puppet/ssl/certs/$( hostname ).pem \ -inkey /var/lib/puppet/ssl/private_keys/$( hostname ).pem \ -out /etc/pki/tls/private/$( hostname ).p12 pk12util -i /etc/pki/tls/private/$( hostname ).p12 -d /etc/dirsrv/admin-dirsrv # Fix annoying TLS bug echo "export NSS_STRICT_NOFORK=DISABLED" >> /etc/sysconfig/dirsrv-admin # Connect to 389 directory server # Username: cn=Directory Manager # Password: PASSWORD # URL: http://ds:9830 # TODO: # - Enable encryption in Directory Server # - Enable encryption in Administration Server # - Ensure encrypted connections are used (port 636) # - Exit 389-console service dirsrv restart service dirsrv-admin restart # Connect to encrypted 389 directory server # Username: cn=Directory Manager # Password: PASSWORD # URL: https://ds:9830 # TODO (Under "Users and Groups") # - Create Group(s) # Create -> Group (Under "Groups" subtree). Add Group Info AND Posix group info # - Create Users # Create -> User (add to "People" subtree). Add User info AND Posix user info # - Add users to groups # - Create Special Directory Reader Group # Create -> User (add to "Special Users" subtree). Name:"LDAP Browser" Password:<SOMETHING SIMPLE> # - Exit 389-console