LDAP Series Part II - Netscape Directory Server

Two years ago today, Red Hat CEO Matthew Szulik confirmed the purhase of two prized enterprise products from AOL - Netscape Directory Server and Netscape Certificate Management System. He also noted than Red Hat intended to open source the products within 12 months.

Red Hat paid $25 million for the assets. You could say that was pretty good considering that in 1998, AOL paid more than $4 billion for Netscape. Matthew's purchase represented the last divestiture of Netscape's assets by AOL.

If you wander on over to the Fedora Directory Server (FDS) site you can take a look at an enhanced version of the Netscape Directory Server. This isn't your older brother's directory server. Aside from open sourcing the Netscape server, you'll find an abundance of documentation to help you learn and operate a stellar product.

In the case you have little familiarity with FDS, it has features you will not find in other open source LDAP servers. These include:

  • Multi-master replication
  • Hot-backups and restores
  • Integration utility for Microsoft Active Directory users and groups
  • A graphical management console and web available administration

  • These features take Linux to another level. In fact, you don't see products like this in the open source world. FDS leads one to consider how far we have to go to bring the rest of the community along. OK, I should get back on topic.

    What do the feaures bulleted above mean? Lets look breifly at each.

    Large deployments typically use multi-master replication. Up to four master servers can synchronize with one another, for fault-tolerance and speed. In the event you don't have the need for this feature you can use master and slave deployments.

    FDS supports hot backups which you can perform while the directory server runs and accepts updates. The FDS stores its active database files under a subdirectory named db, and the hot backup process makes a transactionally consistent copy of all the files.

    FDS performs Sync and provides facilities for Microsoft's Active Directory PassSync.msi utility. You can ad and manage users with this function. If you have little or no experience with these functions, consider reviewing Fedora Directory Server's Windows Howto Sync. At the time of this writing the documentation exists at http://directory.fedora.redhat.com/wiki/Howto:WindowsSync

    The graphical interface helps LDAP newbies see an LDAP server in action. While the hard core LDAP crowd might not like the graphical interface, it does wonders to spread the news. If you love the command line, the GUI doesn't get in the way at all.

    The problem I had with FDS dealt with getting it installed and working. I found lots of documentation and most of it conflicted. I used to call it a kludge/kluge. But once I finally succeeded it getting FDS running, I liked it in spite of its kludginess.

    Now, let's setup FDS. Here's the steps without a lot of explanation:

    First, setup up Fedora Core 5 with X and Gnome. Use a simple setup.

    Install Sun's Java Runtime Environment in the /opt directory. Use the Linux self extracting file rather than the RPM.

    Use the shell and remove /etc/alternatives/@java.
    # rm /etc/alternatives/java

    This removes the symbolic link but the file or directory to which it refers will not be deleted.

    Now add a symbolic link from /opt/jre/java to /etc/alternatives

    Edit /etc/selinux/config and set the SELINUX parameter to permissive:


    Changing SELINUX can require a system reboot. (Sorry.)

    You will need to install httpd and if not installed xorg-x11-deprecated-libs. You can use:

    #yum install httpd and xorg-x11-deprecated-libs

    Make sure usr/sbin/httpd.worker exists. It comes with Apache2.

    Create an unprivileged user and group called ldap and use both when asked during installation.

    # useradd ldap
    # passwd ldap

    Download the Fedora-DS rpm (and PassSync and/or NTDS for Windows authentication) from the FDS download site.

    Run as root:
    #rpm -ivh fedora-ds-1.0.2-1.PLATFORM.ARCH.opt.rpm

    Make sure you choose the correct download for your Fedora platform and version.

    Then run the following commands.

    #cd /opt/fedora-ds


    The Fedora web site suggests:

    You can use the -k argument to setup to save the .inf file for use with subsequent silent installs. This will create a file called /opt/fedora-ds/setup/install.inf. You can edit this file and use it to perform a silent install using


    If you are evaluating Fedora Directory Server, use a suffix of dc=example,dc=com during setup. This will allow you to load the example database files which demonstrate the basic functions of the server as well as more advanced features such as Roles, Virtual Views, and i18n handling.

    During setup, you will see a prompt that looks like this:
    Please select the install mode:

    1 - Express - minimal questions
    2 - Typical - some customization (default)
    3 - Custom - lots of customization
    Please select 1, 2, or 3 (default: 2)

    Use the default and make sure you enter ldap for the user and group when prompted.

    Server user ID to use (default: nobody) ldap

    Server group ID to use (default: nobody) ldap

    You will see a recommendation to start the Fedora-DS console that looks something like this:

    # cd /opt/fedora-ds

    ./startconsole -u DSAdmin -a http://host1.example.com:21704/ [note: the number 21704 will differ for each install].

    You can also start the console with these commands (cd into the directory that corresponds to mine -slapd-host2).

    # cd /opt/fedora-ds
    # cd slapd-host2
    # ./start-slapd
    # cd ..
    # ./start-admin
    $ ./startconsole

    If these instructions work, then you will see the Fedora Login Console. A screen shot of the console exists at the FDS Documentation site. It's the first one on the page.

    Once you log in, you should see the main Fedora Console, which is the second screen shot on the page. As far as the installation, you got there. OK?

    Well, maybe OK and maybe not. Because at this point, you're probably wondering what you do next. Here's my suggestion: Either dig into the doumentation at the FDS wiki or wait until I make the next entry in this series - which should occur real soon.

    Now, for the conlusion of Part II: This is the beginning not the end. Remember, the longest journey begins with but a single step.



    Comment viewing options

    Select your preferred way to display the comments and click "Save settings" to activate your changes.

    What about DNS

    Raymond's picture

    You need to first install a DNS service and configure it correctly before you can use Fedora Directory Server properly. In all the articles that I've seen explained on how to install FDS none have touched on DNS....FDS is a long ways off to being used in a real way...but it does show promise.

    Who the heck doesn't have DNS ?

    David Boreham's picture

    Huh ? Who runs a network with no DNS service ?
    It isn't as if you need anything special for FDS
    to work, just a DNS entry for the host you run the
    server on (and working reverse lookup).

    'FDS is a long ways off to being used in a real way' ...
    er FDS is much the same as Netscape DS, SunDS, iPlanet DS,
    all of which have been used in 'a real way' for many years.

    Windows NT?

    ArticleBee's picture

    Windows NT didn't need to use DNS .. it used WINS instead ;)


    Anonymous's picture

    Please don't suggest a password for the ldap user as you did in this article...I see already the ssh bots knocking at the ldap users! Whoever followed your article will have a hacked Fedora by now!

    #passwd ldap

    Anonymous's picture

    The password for user ldap is being changed/set by the passwd command above. After running the command the user will be prompted for a password. There is no place in the article where a password is suggested.

    Credit for the Bulldozer metaphor and the LDAP prophesy

    Doc Searls's picture

    Hey, Tom. Thanks for the kind words.

    I must add, however, that credit for prophesy about LDAP shouldn't go to me, but to my source on the matter: . My intereview with Eric Hahn of Netscape was a follow-up to an intereview with Craig, which was titled A Bulldozer Through the Intersection. More than ten years later, that interview remains one of the most remarkable documents it has ever been my privilege to write. (Note to selves — we should get both interviews back up on the LInux Journal site. They ran in Websmith, an early Linux Journal sister publication, and I just parked them on my own archival site.)

    Anyway, Craig is the prophet here. I'm just a disciple. :-)

    Meanwhile, good piece. Looking forward to follow-ups on that.

    Doc Searls is the Editor in Chief of Linux Journal

    SELinux requires reboot!

    Ahmed Kamal's picture

    Disabling SELinux doesnt require a reboot! Whatever happened to "setenforce 0" to disable SELinux on the fly!


    Christoph Kilz's picture

    sorry to say .. but i cant stand with netscape .. waehaehklaehe

    Yes Netscape

    Anonymous's picture

    Then i don't think you use firefox/mozilla/gecko based browser... sooo lame

    No: netscape

    piters's picture

    No, I'm perfectly fine with KDE/konqueror/KHTML
    so koool. :-)