LDAP Series Part II - Netscape Directory Server

Two years ago today, Red Hat CEO Matthew Szulik confirmed the purhase of two prized enterprise products from AOL - Netscape Directory Server and Netscape Certificate Management System. He also noted than Red Hat intended to open source the products within 12 months.

Red Hat paid $25 million for the assets. You could say that was pretty good considering that in 1998, AOL paid more than $4 billion for Netscape. Matthew's purchase represented the last divestiture of Netscape's assets by AOL.

If you wander on over to the Fedora Directory Server (FDS) site you can take a look at an enhanced version of the Netscape Directory Server. This isn't your older brother's directory server. Aside from open sourcing the Netscape server, you'll find an abundance of documentation to help you learn and operate a stellar product.

In the case you have little familiarity with FDS, it has features you will not find in other open source LDAP servers. These include:

These features take Linux to another level. In fact, you don't see products like this in the open source world. FDS leads one to consider how far we have to go to bring the rest of the community along. OK, I should get back on topic.

What do the feaures bulleted above mean? Lets look breifly at each.

Large deployments typically use multi-master replication. Up to four master servers can synchronize with one another, for fault-tolerance and speed. In the event you don't have the need for this feature you can use master and slave deployments.

FDS supports hot backups which you can perform while the directory server runs and accepts updates. The FDS stores its active database files under a subdirectory named db, and the hot backup process makes a transactionally consistent copy of all the files.

FDS performs Sync and provides facilities for Microsoft's Active Directory PassSync.msi utility. You can ad and manage users with this function. If you have little or no experience with these functions, consider reviewing Fedora Directory Server's Windows Howto Sync. At the time of this writing the documentation exists at http://directory.fedora.redhat.com/wiki/Howto:WindowsSync

The graphical interface helps LDAP newbies see an LDAP server in action. While the hard core LDAP crowd might not like the graphical interface, it does wonders to spread the news. If you love the command line, the GUI doesn't get in the way at all.

The problem I had with FDS dealt with getting it installed and working. I found lots of documentation and most of it conflicted. I used to call it a kludge/kluge. But once I finally succeeded it getting FDS running, I liked it in spite of its kludginess.

Now, let's setup FDS. Here's the steps without a lot of explanation:

First, setup up Fedora Core 5 with X and Gnome. Use a simple setup.

Install Sun's Java Runtime Environment in the /opt directory. Use the Linux self extracting file rather than the RPM.

Use the shell and remove /etc/alternatives/@java.
# rm /etc/alternatives/java

This removes the symbolic link but the file or directory to which it refers will not be deleted.

Now add a symbolic link from /opt/jre/java to /etc/alternatives

Edit /etc/selinux/config and set the SELINUX parameter to permissive:

SELINUX=permissive

Changing SELINUX can require a system reboot. (Sorry.)

You will need to install httpd and if not installed xorg-x11-deprecated-libs. You can use:

#yum install httpd and xorg-x11-deprecated-libs

Make sure usr/sbin/httpd.worker exists. It comes with Apache2.

Create an unprivileged user and group called ldap and use both when asked during installation.

# useradd ldap
# passwd ldap

Download the Fedora-DS rpm (and PassSync and/or NTDS for Windows authentication) from the FDS download site.

Run as root:
#rpm -ivh fedora-ds-1.0.2-1.PLATFORM.ARCH.opt.rpm

Make sure you choose the correct download for your Fedora platform and version.

Then run the following commands.

#cd /opt/fedora-ds

#./setup/setup

The Fedora web site suggests:

You can use the -k argument to setup to save the .inf file for use with subsequent silent installs. This will create a file called /opt/fedora-ds/setup/install.inf. You can edit this file and use it to perform a silent install using

http://directory.fedora.redhat.com/wiki/Install_Guide

If you are evaluating Fedora Directory Server, use a suffix of dc=example,dc=com during setup. This will allow you to load the example database files which demonstrate the basic functions of the server as well as more advanced features such as Roles, Virtual Views, and i18n handling.

During setup, you will see a prompt that looks like this:
Please select the install mode:

1 - Express - minimal questions
2 - Typical - some customization (default)
3 - Custom - lots of customization
Please select 1, 2, or 3 (default: 2)

Use the default and make sure you enter ldap for the user and group when prompted.

Server user ID to use (default: nobody) ldap

Server group ID to use (default: nobody) ldap

You will see a recommendation to start the Fedora-DS console that looks something like this:

# cd /opt/fedora-ds

./startconsole -u DSAdmin -a http://host1.example.com:21704/ [note: the number 21704 will differ for each install].

You can also start the console with these commands (cd into the directory that corresponds to mine -slapd-host2).

# cd /opt/fedora-ds
# cd slapd-host2
# ./start-slapd
# cd ..
# ./start-admin
$ ./startconsole

If these instructions work, then you will see the Fedora Login Console. A screen shot of the console exists at the FDS Documentation site. It's the first one on the page.

Once you log in, you should see the main Fedora Console, which is the second screen shot on the page. As far as the installation, you got there. OK?

Well, maybe OK and maybe not. Because at this point, you're probably wondering what you do next. Here's my suggestion: Either dig into the doumentation at the FDS wiki or wait until I make the next entry in this series - which should occur real soon.

Now, for the conlusion of Part II: This is the beginning not the end. Remember, the longest journey begins with but a single step.