NOTE: I have already configured a YUM repository on this server.
Step 1: First you need to configure the EPEL repository to download and install the 389-ds packages.
#rpm -ivh ~/Downloads/epel<tab>
#yum install 389-ds
Step 2: Now first you need to configure the TCP keepalive setting.
#sysctl net.ipv4.tcp_keepalive_time
(the default is 7200 seconds, which is approx 120 minutes)
#vim /etc/sysctl.conf
net.ipv4.tcp_keepalive_time = 300
:wq (save and exit)
#sysctl -p
Step 3: Now configure the maximum number of file descriptors
#ulimit -n
#vim /etc/security/limits.conf
* - nofile 102400
:wq (save and exit)
#ulimit -n
If your file descriptor value has not changed, please reboot your machine.
#reboot
Step 4: Now set up the 389 directory server using the following command:
#setup-ds-admin.pl -k
Would you like to continue with set up? [yes]: yes
Would you like to continue? [yes]: yes
Choose a setup type [2]: PRESS ENTER
Computer name [server1.example.com]: PRESS ENTER
System User [nobody]: PRESS ENTER
System Group [nobody]: PRESS ENTER
Do you want to register this software with an existing
configuration directory server? [no]: no and then PRESS ENTER
Configuration directory server
administrator ID [admin]: PRESS ENTER
Password: admin@123
Password (confirm): admin@123
Administration Domain [example.com]: PRESS ENTER
Directory server network port [389]: PRESS ENTER
Directory server identifier [server1]: PRESS ENTER
Suffix [dc=example, dc=com]: PRESS ENTER
Directory Manager DN [cn=Directory Manager]: PRESS ENTER
Password: manager@123
Password (confirm): manager@123
Administration port [9830]: PRESS ENTER
Are you ready to set up your servers? [yes]: PRESS ENTER
When your installation finishes, it will create 2 files in the /tmp/ directory.
1. setup3JTPkq.inf
2. setupHw2jOr.log
Actually "setup3JTPkq.inf" contains the configuration parameters you passed during the installation of the 389-ds directory server (including the admin and Directory Manager passwords in clear text), so keep this file in your root directory or somewhere else in a secure place so that nobody else can access or read it.
#cp /tmp/setup*.inf /root/389-ds-setting.inf
Step 5: Now test whether your 389 directory server is working or not
# service dirsrv restart
# chkconfig dirsrv on
#service dirsrv-admin restart
#chkconfig dirsrv-admin on
Now run the following command to open the 389-ds console
#389-console
User ID = cn=Directory Manager
password = manager@123
Administration URL = http://server1.example.com:9830
Step 6: Now create the base structure of your directory server, i.e. your DIT.
To create the DIT I am using "migrationtools"; first you need to install it using YUM.
#yum install migrationtools -y
Now go to the /usr/share/migrationtools/ directory (# cd /usr/share/migrationtools/) and run "ls -l". There is a file named "migrate_common.ph"; you need to modify it according to your DIT. I am modifying it according to my DIT.
#vim migrate_common.ph
########## In this file you have to make the following changes. ##########
$NAMINGCONTEXT{'group'} = "ou=Groups";
$DEFAULT_MAIL_DOMAIN = "example.com";
$DEFAULT_BASE = "dc=example,dc=com";
$EXTENDED_SCHEMA = 1;
:wq (save and exit)
Step 7: Now create some users who can log in on client machines through the 389-ds directory server.
#mkdir /home/guests
#useradd -d /home/guests/ldapuser1 ldapuser1
#useradd -d /home/guests/ldapuser2 ldapuser2
#useradd -d /home/guests/ldapuser3 ldapuser3
#useradd -d /home/guests/ldapuser4 ldapuser4
#useradd -d /home/guests/ldapuser5 ldapuser5
Now set the password for these users
# passwd ldapuser1
# passwd ldapuser2
# passwd ldapuser3
# passwd ldapuser4
# passwd ldapuser5
All users have the password "123".
Step 8: Now you need to migrate these users from /etc/passwd to the LDAP database, and also migrate the password information as well as the groups. So do the following.
1. First, filter those users out of /etc/passwd into a file
# cat /etc/passwd | tail -n 5 > /root/users
2. Second, filter the passwords for those users out of /etc/shadow into a file
# cat /etc/shadow | tail -n 5 > /root/password
3. Third, filter your groups out of /etc/group into a file
# cat /etc/group | tail -n 5 > /root/groups
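The three "tail -n 5" commands above only work while the migrated accounts happen to be the last five lines of each file. As an added example (not from the original post), the following script selects the entries by user and group name instead, writes the same three files Step 9 expects, and keeps the shadow extract owner-only readable because it contains password hashes. The sample passwd, shadow and group files are constructed inline.

```shell
#!/bin/sh
# Added example (not part of the original post): select the accounts to
# migrate by name rather than by position in the file.
set -eu

# select_accounts NAMEFILE SRCFILE
#   Prints the lines of SRCFILE whose first colon-separated field (user or
#   group name) appears in NAMEFILE, one name per line.
select_accounts() {
  awk -F: 'NR==FNR { want[$1] = 1; next } ($1 in want)' "$1" "$2"
}

# filter_for_migration NAMEFILE PASSWD SHADOW GROUP OUTDIR
#   Writes OUTDIR/users, OUTDIR/password and OUTDIR/groups, the inputs for
#   migrate_passwd.pl and migrate_group.pl in Step 9. The shadow extract is
#   created with umask 077 so only the owner can read the hashes.
filter_for_migration() {
  names=$1; passwd=$2; shadow=$3; group=$4; out=$5
  mkdir -p "$out"
  select_accounts "$names" "$passwd" > "$out/users"
  (umask 077; select_accounts "$names" "$shadow" > "$out/password")
  select_accounts "$names" "$group" > "$out/groups"
}

# count_lines FILE -> number of lines in FILE
count_lines() { wc -l < "$1" | tr -d ' '; }

# demo [WORKDIR] -> builds constructed sample files, runs the filter and
#   prints the work directory so the caller can inspect WORKDIR/out.
demo() {
  work=${1:-$(mktemp -d)}
  mkdir -p "$work"
  # Constructed sample data standing in for /etc/passwd, /etc/shadow and
  # /etc/group. "tail -n 5" on these files would also return root and the
  # backup-svc system account, which must not be migrated.
  cat > "$work/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ldapuser1:x:1001:1001::/home/guests/ldapuser1:/bin/bash
ldapuser2:x:1002:1002::/home/guests/ldapuser2:/bin/bash
backup-svc:x:1003:1003::/var/lib/backup:/sbin/nologin
EOF
  cat > "$work/shadow" <<'EOF'
root:$6$constructedsalt$constructedhash.root:16000:0:99999:7:::
ldapuser1:$6$constructedsalt$constructedhash.u1:16000:0:99999:7:::
ldapuser2:$6$constructedsalt$constructedhash.u2:16000:0:99999:7:::
backup-svc:!!:16000:0:99999:7:::
EOF
  cat > "$work/group" <<'EOF'
root:x:0:
ldapuser1:x:1001:
ldapuser2:x:1002:
backup-svc:x:1003:
EOF
  printf 'ldapuser1\nldapuser2\n' > "$work/names"
  filter_for_migration "$work/names" "$work/passwd" "$work/shadow" \
      "$work/group" "$work/out"
  printf '%s\n' "$work"
}
```

On a real server, point filter_for_migration at /etc/passwd, /etc/shadow and /etc/group and list the ldapuser accounts in the names file.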
Step 9: Now you need to generate the base.ldif, users.ldif and groups.ldif files using migrationtools from your filtered users, password and groups files.
1. First I am creating a base.ldif file
# cd /usr/share/migrationtools/
# ./migrate_base.pl > /root/base.ldif
2. Second I am creating the users.ldif file, so open the following file and make the following change
# vim migrate_passwd.pl
Go to line number 188 and change "/etc/shadow" to "/root/password", then save and exit. Your line will look like the following.
open(SHADOW, "/root/password") || return;
Now Generate users.ldif file
# ./migrate_passwd.pl /root/users > /root/users.ldif
3. Now generate the groups.ldif file
# ./migrate_group.pl /root/groups > /root/groups.ldif
Step 10: Now you have to upload these files into the LDAP database. You can use the command line or the 389-console to upload them.
#389-console
User ID = cn=Directory Manager
password = manager@123
Administration URL = http://server1.example.com:9830
Now Expand "server1.example.com"
Now Expand "Server Groups"
Now Double click on "Directory Server"
Now Click on "Import Databases"
Now Click on "Browse" button and select your "base.ldif" file from /root/ directory
and then click on "OK" button.
Now click on "browse" button again and select "users.ldif" and "OK".
Now click on the "Browse" button again and select "groups.ldif", then "OK".
Step 11: Now, to check your LDAP directory server DIT from the command line, make the following changes in /etc/openldap/ldap.conf
# vim /etc/openldap/ldap.conf
BASE dc=example,dc=com
URI ldap://server1.example.com
:wq (save and exit)
Now use the following commands to check the DIT.
#yum install openldap-clients -y
#ldapsearch -x -b "dc=example,dc=com"
NOTE: Your 389-ds directory server is now working fine on port 389, so I am going to secure it so that it also runs on port 636.
NOTE: I have another machine here, which is used as the CA server. So I am configuring the CA server on that machine:
Step 12: Now you need to configure the CA server first. So I am configuring the CA server on the same machine; you can configure the CA server on another machine using the same steps:
#yum install openssl -y
Now go to the /etc/pki/tls/ directory
#cd /etc/pki/tls/
# vim openssl.cnf
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/my-ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/my-ca.crl # The current CRL
private_key = $dir/private/my-ca.key # The private key
RANDFILE = $dir/private/.rand # private random number file
[ req_distinguished_name ]
countryName_default = IN
stateOrProvinceName_default = Delhi
localityName_default = New Delhi
0.organizationName_default = Example, Inc.
organizationalUnitName_default = Traning
Now you need to create some directories for the CA server if they do not already exist in the /etc/pki/CA/ directory.
#mkdir /etc/pki/CA/{certs,crl,newcerts}
Create an empty certificate index:
#touch /etc/pki/CA/index.txt
In addition, create a file to indicate the next certificate serial number to be issued:
#echo 01 > /etc/pki/CA/serial
You need to generate a private key and a self-signed CA certificate. You will be prompted for a passphrase, which will be needed later, so use one you will remember:
#cd /etc/pki/CA/
#(umask 077; openssl genrsa -out /etc/pki/CA/private/my-ca.key -des3 2048)
Enter pass phrase for private/my-ca.key: ca@123
Verifying - Enter pass phrase for private/my-ca.key: ca@123
Now generate the CA server certificate
#openssl req -new -x509 -key /etc/pki/CA/private/my-ca.key -days 365 > /etc/pki/CA/my-ca.crt
Enter pass phrase for private/my-ca.key: ca@123
Country Name (2 letter code) [IN]: PRESS ENTER
State or Province Name (full name) [Delhi]: PRESS ENTER
Locality Name (eg, city) [New Delhi]: PRESS ENTER
Organization Name (eg, company) [Example, Inc.]: PRESS ENTER
Organizational Unit Name (eg, section) [Traning]: PRESS ENTER
Common Name (eg, your name or your server's hostname) []: server1.example.com
Email Address []: root@server1.example.com
Create a directory /var/www/html/certs and copy /etc/pki/CA/my-ca.crt there.
#mkdir /var/www/html/certs
#cp /etc/pki/CA/my-ca.crt /var/www/html/certs/
#restorecon -R /var/www/html/
#service httpd restart
#chkconfig httpd on
NOTE: Now you have to log out from the CA server and log in to the 389-ds directory server.
Step 13: To configure SSL/TLS on the 389-ds directory server, open 389-console and supply the User ID, Password and Administration URL as follows:
#389-console
User ID = cn=Directory Manager
password = manager@123
Administration URL = http://server1.example.com:9830
Now Expand "server1.example.com"
Now Expand "Server Groups"
Now Double click on "Directory Server"
Now click on "Manage Certificates"
Type a new password to manage certificates, like "password@123",
and the new password again, "password@123".
Then click on OK
Now click on the "Server Certs" tab, click on "Request", select "Request Certificate Manually" and then click on "Next"
Now fill in the Requestor Information like:
Server Name: server1.example.com
Organization Name: Example, Inc.
Organizational Unit: Training
City/locality: New Delhi
State/province: Delhi
Country/region: IN
You have to fill in this information according to your CA server.
Now click on the "Next" button and type your password here, the one you typed for "Manage Certificates", such as "password@123"
Now click on the "Save to file" button to save this certificate request (CSR) to a file.
Now type a name for the server certificate request like "server1.csr", save it into the /root/ directory and then click on the "Done" button.
Now close "Manage Certificates" and exit from the 389-ds console
Step 14: Now you need to send this certificate request to the CA server and sign it using the CA server's key.
NOTE: My 389-ds directory server is running on "server1.example.com" but my CA server is "ca.example.com".
Now I am on "server1.example.com" and sending the "server1.csr" certificate request to "ca.example.com".
#scp /root/server1.csr ca.example.com:/root/
Now go to "ca.example.com" and sign this certificate request.
#ssh ca.example.com
#openssl ca -policy policy_anything -in /root/server1.csr -out /root/server1.crt
Enter pass phrase for /etc/pki/CA/private/my-ca.key: ca@123
Certificate is to be certified until Oct 18 09:16:25 2014 GMT (365 days)
Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n] y
Now you need to send this certificate back to "server1.example.com" using the "scp" command.
#scp /root/server1.crt server1.example.com:/root/
Now exit from "ca.example.com" using "exit" command.
#exit
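Before a signed server1.crt is imported into the directory server, it is worth confirming that it actually chains to my-ca.crt and carries the expected CN. As an added example (not from the original post), the following script reproduces Steps 12-14 in a scratch directory and adds that check, including the negative case of an unrelated CA. To keep it non-interactive it differs from the post in three places: keys are created with -nodes instead of a des3 passphrase, subjects are passed with -subj, and signing uses "openssl x509 -req" instead of "openssl ca" with the index/serial files.

```shell
#!/bin/sh
# Added example (not part of the original post): create a CA, issue a server
# certificate from a CSR and verify the result with openssl, all offline.
set -eu

# Subject fields matching the post's openssl.cnf defaults (comma dropped from O=).
SUBJ_BASE="/C=IN/ST=Delhi/L=New Delhi/O=Example Inc./OU=Training"

# make_ca DIR NAME -> DIR/NAME.key and a self-signed DIR/NAME.crt (365 days).
# umask 077 keeps the CA key owner-only, as the post does for my-ca.key.
make_ca() {
  (umask 077; openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
      -keyout "$1/$2.key" -out "$1/$2.crt" \
      -subj "$SUBJ_BASE/CN=$2" >/dev/null 2>&1)
}

# make_csr DIR HOST -> DIR/HOST.key and DIR/HOST.csr with CN=HOST
# (the part 389-console does under "Request Certificate Manually").
make_csr() {
  (umask 077; openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$1/$2.key" -out "$1/$2.csr" \
      -subj "$SUBJ_BASE/CN=$2" >/dev/null 2>&1)
}

# sign_csr DIR CANAME HOST -> DIR/HOST.crt signed by DIR/CANAME.key
# (the part done on ca.example.com in Step 14).
sign_csr() {
  openssl x509 -req -days 365 -in "$1/$3.csr" \
      -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
      -out "$1/$3.crt" >/dev/null 2>&1
}

# verify_cert CAFILE CERT HOST -> prints "ok" when CERT chains to CAFILE and
# its subject CN is HOST, otherwise "fail". Run this on server1.crt and
# my-ca.crt before importing them with "Manage Certificates".
verify_cert() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 &&
     openssl x509 -noout -subject -in "$2" | grep -q "CN *= *$3\$"; then
    echo ok
  else
    echo fail
  fi
}

# demo [DIR] -> runs the whole flow; exit status 0 only when the certificate
# verifies against my-ca and is rejected against an unrelated CA.
demo() {
  d=${1:-$(mktemp -d)}
  mkdir -p "$d"
  make_ca "$d" my-ca
  make_ca "$d" other-ca       # unrelated CA for the negative check
  make_csr "$d" server1.example.com
  sign_csr "$d" my-ca server1.example.com
  good=$(verify_cert "$d/my-ca.crt" "$d/server1.example.com.crt" server1.example.com)
  bad=$(verify_cert "$d/other-ca.crt" "$d/server1.example.com.crt" server1.example.com)
  echo "against my-ca: $good; against other-ca: $bad"
  [ "$good" = ok ] && [ "$bad" = fail ]
}
```

Call demo with a scratch directory to run the flow; on the real servers, run verify_cert with /etc/pki/CA/my-ca.crt and the server1.crt returned by scp.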
Now you need to upload the CA certificate and the server certificate into the 389-ds directory server, using the command line or the 389-console.
First I am downloading the CA certificate from "ca.example.com" to "server1.example.com" so that I can upload it into the 389-ds directory server.
#wget http://ca.example.com/certs/my-ca.crt
Now Open your 389-console
#389-console
User ID = cn=Directory Manager
password = manager@123
Administration URL = http://server1.example.com:9830
Now Expand "server1.example.com"
Now Expand "Server Groups"
Now Double click on "Directory Server"
Now Click on "Manage Certificates"
Now Click on "CA Certs" tab
Now Click on Install Button
Now select "in this local file"
Now click on the "Browse" button
Now Select your CA certificate "my-ca.crt" and then click on "Open" button.
Now Click on "next" then "next" then "next" then "Done"
Now Click on "Server certs" tab
Now click on the "Install" button
Now select "in this local file"
Now click on the "Browse" button
Now Select your server certificate "server1.crt" and then click on "Open" button.
Now Click on "next" then "next" then "next"
Now type your password "password@123" and then click "Done"
Now configure your 389-ds directory server to use these certificates and provide access over SSL/TLS
Now open 389-ds Console
#389-console
User ID = cn=Directory Manager
password = manager@123
Administration URL = http://server1.example.com:9830
Now Expand "server1.example.com"
Now Expand "Server Groups"
Now Double click on "Directory Server"
Now Click on "Configuration" tab
Now click on "Encryption" tab
Now Select "[] Enable SSL for this server"
Now Select "[] Use the cipher family: RSA"
Now Click on "SAVE"
Now Click "OK" -> "OK" -> "OK"
Now close your Directory Server dialog box and use the following commands to check.
First I need to restart the directory server services:
#service dirsrv restart
NOTE: You need to type the "Manage Certificates" password here, which is "password@123" (the server will prompt for it on every start unless you store it in the instance's pin.txt file).
#service dirsrv-admin restart
#chkconfig dirsrv on
#chkconfig dirsrv-admin on
Now use the following command:
#netstat -tunlp | egrep '389|636'
Note: it should display the following output:
tcp 0 0 :::636 :::* LISTEN 4272/ns-slapd
tcp 0 0 :::389 :::* LISTEN 4272/ns-slapd
Now configure server1.example.com as a client, or configure other machines as LDAP clients.
#authconfig-gtk
User Account Database = LDAP
LDAP Search Base DN = dc=example,dc=com
LDAP Server = ldap://server1.example.com
Select "[] Use TLS to encrypt connections", then click on the "Download" button and type the following URL to download the CA certificate.
http://ca.example.com/certs/my-ca.crt
Now click on "OK"
Authentication Method = LDAP Password
Now click on "Apply"
Now you can use the following commands to check the 389-ds directory server.
First check the 389-ds directory server without SSL/TLS
#ldapsearch -x -b "dc=example,dc=com"
Now check the 389-ds directory server with SSL/TLS (-ZZ forces StartTLS on port 389 and fails if the TLS handshake does not succeed)
#ldapsearch -x -ZZ -b "dc=example,dc=com"
NOTE: if you have any kind of problem with these steps, click here to watch the video.
It's done, so enjoy!
Awesome article and steps, man. Really appreciate your effort and help.
Hi, you forgot to mention how to start the server without entering the token store code. The whole pin.txt thing is worth a mention. I only say that because it took me a couple of hours on Google to figure it out.
Great article. I wish I had found it last week.
Many thanks Suresh.... Excellent blog !!!
I just followed the steps you mentioned, but when I do a query it says "No such object", as shown below:
[root@LBNILINUX02 guests]# ldapsearch -x -D "cn=ldapuser1,dc=test,dc =com" -w 123
ldap_bind: No such object (32)
matched DN: dc=test,dc=com
[root@LBNILINUX02 guests]# ldapsearch -x -Z -D "cn=ldapuser1,dc=test,dc =com" -w 123
ldap_start_tls: Operations error (1)
additional info: SSL connection already established.
ldap_bind: No such object (32)
matched DN: dc=test,dc=com
[root@LBNILINUX02 guests]#
Could you please let me know what the issue could be? Is it something to do with the ldap query?