LDAP Series Part II - Netscape Directory Server
September 30th, 2006 by Tom Adelstein
Two years ago today, Red Hat CEO Matthew Szulik confirmed the purhase of two prized enterprise products from AOL - Netscape Directory Server and Netscape Certificate Management System. He also noted than Red Hat intended to open source the products within 12 months.
Red Hat paid $25 million for the assets. You could say that was pretty good considering that in 1998, AOL paid more than $4 billion for Netscape. Matthew's purchase represented the last divestiture of Netscape's assets by AOL.
If you wander on over to the Fedora Directory Server (FDS) site you can take a look at an enhanced version of the Netscape Directory Server. This isn't your older brother's directory server. Aside from open sourcing the Netscape server, you'll find an abundance of documentation to help you learn and operate a stellar product.
In the case you have little familiarity with FDS, it has features you will not find in other open source LDAP servers. These include:
These features take Linux to another level. In fact, you don't see products like this in the open source world. FDS leads one to consider how far we have to go to bring the rest of the community along. OK, I should get back on topic.
What do the feaures bulleted above mean? Lets look breifly at each.
Large deployments typically use multi-master replication. Up to four master servers can synchronize with one another, for fault-tolerance and speed. In the event you don't have the need for this feature you can use master and slave deployments.
FDS supports hot backups which you can perform while the directory server runs and accepts updates. The FDS stores its active database files under a subdirectory named db, and the hot backup process makes a transactionally consistent copy of all the files.
FDS performs Sync and provides facilities for Microsoft's Active Directory PassSync.msi utility. You can ad and manage users with this function. If you have little or no experience with these functions, consider reviewing Fedora Directory Server's Windows Howto Sync. At the time of this writing the documentation exists at http://directory.fedora.redhat.com/wiki/Howto:WindowsSync
The graphical interface helps LDAP newbies see an LDAP server in action. While the hard core LDAP crowd might not like the graphical interface, it does wonders to spread the news. If you love the command line, the GUI doesn't get in the way at all.
The problem I had with FDS dealt with getting it installed and working. I found lots of documentation and most of it conflicted. I used to call it a kludge/kluge. But once I finally succeeded it getting FDS running, I liked it in spite of its kludginess.
Now, let's setup FDS. Here's the steps without a lot of explanation:
First, setup up Fedora Core 5 with X and Gnome. Use a simple setup.
Install Sun's Java Runtime Environment in the /opt directory. Use the Linux self extracting file rather than the RPM.
Use the shell and remove /etc/alternatives/@java.
# rm /etc/alternatives/java
This removes the symbolic link but the file or directory to which it refers will not be deleted.
Now add a symbolic link from /opt/jre/java to /etc/alternatives
Edit /etc/selinux/config and set the SELINUX parameter to permissive:
SELINUX=permissive
Changing SELINUX can require a system reboot. (Sorry.)
You will need to install httpd and if not installed xorg-x11-deprecated-libs. You can use:
#yum install httpd and xorg-x11-deprecated-libs
Make sure usr/sbin/httpd.worker exists. It comes with Apache2.
Create an unprivileged user and group called ldap and use both when asked during installation.
# useradd ldap
# passwd ldap
Download the Fedora-DS rpm (and PassSync and/or NTDS for Windows authentication) from the FDS download site.
Run as root:
#rpm -ivh fedora-ds-1.0.2-1.PLATFORM.ARCH.opt.rpm
Make sure you choose the correct download for your Fedora platform and version.
Then run the following commands.
#cd /opt/fedora-ds
#./setup/setup
The Fedora web site suggests:
You can use the -k argument to setup to save the .inf file for use with subsequent silent installs. This will create a file called /opt/fedora-ds/setup/install.inf. You can edit this file and use it to perform a silent install using
http://directory.fedora.redhat.com/wiki/Install_Guide
If you are evaluating Fedora Directory Server, use a suffix of dc=example,dc=com during setup. This will allow you to load the example database files which demonstrate the basic functions of the server as well as more advanced features such as Roles, Virtual Views, and i18n handling.
During setup, you will see a prompt that looks like this:
Please select the install mode:
1 - Express - minimal questions
2 - Typical - some customization (default)
3 - Custom - lots of customization
Please select 1, 2, or 3 (default: 2)
Use the default and make sure you enter ldap for the user and group when prompted.
Server user ID to use (default: nobody) ldap
Server group ID to use (default: nobody) ldap
You will see a recommendation to start the Fedora-DS console that looks something like this:
# cd /opt/fedora-ds
./startconsole -u DSAdmin -a http://host1.example.com:21704/ [note: the number 21704 will differ for each install].
You can also start the console with these commands (cd into the directory that corresponds to mine -slapd-host2).
# cd /opt/fedora-ds
# cd slapd-host2
# ./start-slapd
# cd ..
# ./start-admin
$ ./startconsole
If these instructions work, then you will see the Fedora Login Console. A screen shot of the console exists at the FDS Documentation site. It's the first one on the page.
Once you log in, you should see the main Fedora Console, which is the second screen shot on the page. As far as the installation, you got there. OK?
Well, maybe OK and maybe not. Because at this point, you're probably wondering what you do next. Here's my suggestion: Either dig into the doumentation at the FDS wiki or wait until I make the next entry in this series - which should occur real soon.
Now, for the conlusion of Part II: This is the beginning not the end. Remember, the longest journey begins with but a single step.
__________________________
Special Magazine Offer -- 2 Free Trial Issues!
Receive 2 free trial issues of Linux Journal as well as instant online access to current and past issues. There's NO RISK and NO OBLIGATION to buy. CLICK HERE for offer
Linux Journal: delivering readers the advice and inspiration they need to get the most out of their Linux systems since 1994.
Sorry, offer available in the US only. International orders, click here.
Delicious
Digg
Reddit
Newsvine
TechnoratiSubscribe now!
The Latest
Featured Videos
In case you were wondering about the fun side of Linux World Expo, we thought we'd give you a peek at our shenanigans. We at Linux Journal love what we do so much, that we can't help but have a ball wherever we go.
The X Window System is a magnificent platform for many uses, but using it to run an application over a slow network is nearly impossible. This is an introduction to NX, a technology that makes remote applications fly even over commodity internet.
Recently Popular
From the Magazine
September 2008, #173
Feeling a bit like a Thermian? Never give up, never surrender! Someday, you could go from underdog to top dog. Just take a look at a few of the underdogs we highlight in this issue: Mutt, djbdns, Nginix, Gentoo, Xara and the program voted mostly likely to fail just a few years back—Firefox. If Firefox not radical enough for you, check out Chef Marcel's column for some more alternatives. Having trouble mapping your program data to your relational database? If so, Rueven Lerner shows you some tricks in his At The Forge column.
Need to run GUI applications on your server in the next state? In his Paranoid Penguin column, Mick Bauer shows you how to do it securely. Kyle Rankin keeps hacking and slashing and shows you a few split screen secrets you may not be familiar with. Finally, we all know what happens next February, but only Doc knows what happens afterward.
What about DNS
On October 2nd, 2006 Raymond (not verified) says:
You need to first install a DNS service and configure it correctly before you can use Fedora Directory Server properly. In all the articles that I've seen explained on how to install FDS none have touched on DNS....FDS is a long ways off to being used in a real way...but it does show promise.
Who the heck doesn't have DNS ?
On October 3rd, 2006 David Boreham (not verified) says:
Huh ? Who runs a network with no DNS service ?
It isn't as if you need anything special for FDS
to work, just a DNS entry for the host you run the
server on (and working reverse lookup).
'FDS is a long ways off to being used in a real way' ...
er FDS is much the same as Netscape DS, SunDS, iPlanet DS,
all of which have been used in 'a real way' for many years.
Windows NT?
On August 13th, 2007 ArticleBee (not verified) says:
Windows NT didn't need to use DNS .. it used WINS instead ;)
Passwords
On October 2nd, 2006 Anonymous (not verified) says:
Please don't suggest a password for the ldap user as you did in this article...I see already the ssh bots knocking at the ldap users! Whoever followed your article will have a hacked Fedora by now!
i cant help
On September 30th, 2007 sohbet (not verified) says:
i cant help
#passwd ldap
On November 15th, 2006 Anonymous (not verified) says:
The password for user ldap is being changed/set by the passwd command above. After running the command the user will be prompted for a password. There is no place in the article where a password is suggested.
Credit for the Bulldozer metaphor and the LDAP prophesy
On October 1st, 2006 Doc Searls says:
Hey, Tom. Thanks for the kind words.
I must add, however, that credit for prophesy about LDAP shouldn't go to me, but to my source on the matter: Craig Burton. My intereview with Eric Hahn of Netscape was a follow-up to an intereview with Craig, which was titled A Bulldozer Through the Intersection. More than ten years later, that interview remains one of the most remarkable documents it has ever been my privilege to write. (Note to selves — we should get both interviews back up on the LInux Journal site. They ran in Websmith, an early Linux Journal sister publication, and I just parked them on my own archival site.)
Anyway, Craig is the prophet here. I'm just a disciple. :-)
Meanwhile, good piece. Looking forward to follow-ups on that.
__________________________Doc Searls is Senior Editor of Linux Journal
SELinux requires reboot!
On September 30th, 2006 Ahmed Kamal (not verified) says:
Disabling SELinux doesnt require a reboot! Whatever happened to "setenforce 0" to disable SELinux on the fly!
netscape?!
On September 30th, 2006 Christoph Kilz (not verified) says:
sorry to say .. but i cant stand with netscape .. waehaehklaehe
Yes Netscape
On October 2nd, 2006 Anonymous (not verified) says:
Then i don't think you use firefox/mozilla/gecko based browser... sooo lame
linux
On October 2nd, 2007 enigma cross of changes mp3 (not verified) says:
matter taste of this or what? Is a Thanks.
No: netscape
On October 3rd, 2006 piters (not verified) says:
No, I'm perfectly fine with KDE/konqueror/KHTML
so koool. :-)