- Create directory for FDS
  mkdir /opt/fedora-ds
- Create admin directory in ldap home dir
  mkdir -p /var/lib/ldap/fedora-ds
- Set up Java environment (if required)
  /tools/install/services/java.sh 1.5
- Add ldap user/group (if needed)
  # groupadd -g 55 ldap
  # useradd -g ldap -u 55 -d /var/lib/ldap -s /bin/false -c "LDAP User" ldap
- Downloaded code and installed.
  rpm -ivh fedora-ds-1.0.3-1.FC5.i386.opt.rpm
- Run post-installation script
  /opt/fedora-ds/setup/setup
    Password: XXXXX
    Port: 55555
    Base dn: dc=yourdomain,dc=com
    Admin domain: yourdomain.com
- Downloaded init.d start scripts for both slapd and admin server.
  /etc/init.d/fedora-ds
    (See http://www.directory.fedora.redhat.com/download/FedoraDirectoryServer-init.d)
  /etc/init.d/fedora-ds-admin - modified to deal with pid_file and other diffs from what /etc/rc.d/init.d/functions expects.
    (See http://www.codefu.org/people/darkness/fedora-ds-admin.init)
- Enable and verify init.d scripts
  # chkconfig --add fedora-ds
  # chkconfig --add fedora-ds-admin
  # chkconfig --list fedora-ds
  fedora-ds       0:off 1:off 2:off 3:on  4:on  5:on  6:off
  # chkconfig --list fedora-ds-admin
  fedora-ds-admin 0:off 1:off 2:off 3:off 4:off 5:off 6:off
  # chkconfig --levels 2345 fedora-ds-admin on
  # chkconfig --list fedora-ds-admin
  fedora-ds-admin 0:off 1:off 2:on  3:on  4:on  5:on  6:off
- Set up subdomain suffix of top
  Start admin console
  * If you need to run remotely, set up ldap server name as alias for
  * 127.0.0.1 in /etc/hosts and start 2 SSH port forwarding sessions
  * locally for admin console.
  # ssh -X -C -L 389:ldapsvr:389 username@sh.yourdomain.com
  # ssh -X -C -L 55555:ldapsvr:55555 username@sh.yourdomain.com
  cd /opt/fedora-ds
  ./startconsole -u admin -a http://ldapsvr:55555/
- Add write ACI (access control) for shadowLastChange
  *** On master and each slave ***
  In Directory tab, select root domain (yourdomain)
  Right click and Select Set Access Permissions
  Select "Enable self-write for common attributes" and click on Edit
  Select "Self" and click on Edit Manually button.
  After "userPassword", insert "|| shadowLastChange " and click on OK and again on OK on the parent window.
- Add subdomain (suffix) to root domain
  *** On master and each slave ***
  Configuration tab->Data and click on TLD
  Right click and Select New Sub Suffix
  Enter subdomain domain component (dc=idg) and corresponding database name (idg).
- Set up subdomain suffix of top, entries and attributes
  Run ldapmodify's to add subdomain, ou's, etc. via LDIF.
  ldapmodify -a -x -w XXXXXX -D "cn=Directory Manager" -h ldapsvr -f addsub.ldif
  adding new entry "dc=yourdomain,dc=com"
  Click on Directory tab and View->Refresh all to verify subdomain was added
  Add ou's for People, Groups, Netgroup
  ldapmodify -a -x -w XXXXXX -D "cn=Directory Manager" -h ldapsvr -f addou.ldif
  adding new entry "ou=People,dc=yourdomain,dc=com"
  adding new entry "ou=Netgroup,dc=yourdomain,dc=com"
  adding new entry "ou=Groups,dc=yourdomain,dc=com"
- Add people and netgroups
  # ldapmodify -a -x -w XXXXXX -D "cn=Directory Manager" -h ldapsvr -f netgroup-systems.ldif
  adding new entry "cn=ldapservers,ou=Netgroup,dc=yourdomain,dc=com"
  # ldapmodify -a -x -w XXXXXX -D "cn=Directory Manager" -h ldapsvr -f netgroup-users.ldif
  adding new entry "cn=testusers,ou=Netgroup,dc=yourdomain,dc=com"
- Set up replication
  (See http://www.redhat.com/docs/manuals/dir-server/ag/replicat.htm)
  On Consumer Server (slaves):
  1.
     Add entry for replication binding on the consumer via LDIF:
     (See http://www.mail-archive.com/fedora-directory-users@redhat.com/msg03733.html)
     *** Password is xxxxxx
     [root@lin2600 ldap]# cat consumer.ldif
     dn: cn=replica, cn="dc=yourdomain,dc=com", cn=mapping tree, cn=config
     changetype: add
     objectClass: nsDS5Replica
     objectClass: top
     cn: replica
     nsDS5ReplicaBindDN: cn=replication manager, cn=config
     nsDS5ReplicaRoot: dc=yourdomain,dc=com
     nsDS5Flags: 0
     nsDS5ReplicaType: 2
     nsDS5ReplicaId: 65565

     dn: cn=Replication Manager,cn=config
     changetype: add
     cn: Replication Manager
     sn: replication
     objectClass: top
     objectClass: person
     userPassword: xxxxxx
     passwordExpirationTime: 20380119031407Z

     # ldapmodify -a -x -w lDapR0cks -D "cn=Directory Manager" -h $host -f consumer.ldif
     adding new entry "cn=replica, cn="dc=yourdomain,dc=com", cn=mapping tree, cn=config"
     adding new entry "cn=Replication Manager,cn=config"
  2. Specify the replication settings required for a read-only replica.
     (See section 3 of http://www.redhat.com/docs/manuals/dir-server/ag/replicat.htm#24437)
     Add database for suffix to be replicated.
     In Configuration, select and right click on dc=yourdomain,dc=com
     Select new sub suffix
     In Creating New Sub Suffix dialog box, enter "dc=subdomain" in New Suffix field and check the box to create the database automatically and call it "subdomain".
     Click on OK.
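The notes load addsub.ldif, addou.ldif, netgroup-systems.ldif, netgroup-users.ldif and consumer.ldif with ldapmodify but only show the contents of the last one. The script below is an added example, not part of the original notes: it generates those LDIF entries from the suffix (domain entry for the sub suffix, organizationalUnit entries, nisNetgroup entries with NIS triples, and the read-only consumer replica plus its Replication Manager bind entry), and loads them with the Directory Manager password read from a mode-0600 file via ldapmodify -y instead of -w on the command line, where it would be left in shell history and visible in ps output. The sub suffix name, netgroup members and password values are constructed; the consumer entry uses replica ID 65535, the reserved ID for a read-only replica in the Directory Server documentation (the notes show 65565, which does not fit in 16 bits).

```shell
#!/bin/sh
# Added example (not from the original notes): build the LDIF the notes load
# with ldapmodify, and load it without putting the bind password on the command line.
# Constructed values: dc=subdomain, host lin2600/slavesrv, users alice/bob, password file contents.

SUFFIX="dc=yourdomain,dc=com"

# Domain entry for a sub suffix, e.g. dc=subdomain under the top suffix (addsub.ldif).
subdomain_ldif() {  # $1 = dc value, $2 = parent suffix
    printf 'dn: dc=%s,%s\nobjectClass: top\nobjectClass: domain\ndc: %s\n\n' "$1" "$2" "$1"
}

# organizationalUnit entry for People, Groups, Netgroup (addou.ldif).
ou_ldif() {  # $1 = ou name, $2 = suffix
    printf 'dn: ou=%s,%s\nobjectClass: top\nobjectClass: organizationalUnit\nou: %s\n\n' "$1" "$2" "$1"
}

# nisNetgroup entry (netgroup-systems.ldif / netgroup-users.ldif).
# $1 = netgroup name, $2 = suffix, $3 = "host" or "user", remaining args = members.
# NIS triples have the form (host,user,domain); unused positions are "-" or empty.
netgroup_ldif() {
    name=$1; suffix=$2; kind=$3; shift 3
    printf 'dn: cn=%s,ou=Netgroup,%s\nobjectClass: top\nobjectClass: nisNetgroup\ncn: %s\n' \
        "$name" "$suffix" "$name"
    for m in "$@"; do
        if [ "$kind" = host ]; then printf 'nisNetgroupTriple: (%s,-,)\n' "$m"
        else                        printf 'nisNetgroupTriple: (-,%s,)\n' "$m"
        fi
    done
    printf '\n'
}

# Read-only consumer replica entry plus the Replication Manager bind entry (consumer.ldif).
# $1 = replicated suffix, $2 = file holding the Replication Manager password.
# nsDS5ReplicaId 65535 is the reserved ID for a read-only replica (nsDS5ReplicaType 2).
consumer_ldif() {
    pw=$(cat "$2")
    printf 'dn: cn=replica,cn="%s",cn=mapping tree,cn=config\nchangetype: add\n' "$1"
    printf 'objectClass: top\nobjectClass: nsDS5Replica\ncn: replica\n'
    printf 'nsDS5ReplicaRoot: %s\nnsDS5ReplicaType: 2\nnsDS5Flags: 0\n' "$1"
    printf 'nsDS5ReplicaId: 65535\nnsDS5ReplicaBindDN: cn=Replication Manager,cn=config\n\n'
    printf 'dn: cn=Replication Manager,cn=config\nchangetype: add\n'
    printf 'objectClass: top\nobjectClass: person\ncn: Replication Manager\nsn: replication\n'
    printf 'userPassword: %s\npasswordExpirationTime: 20380119031407Z\n\n' "$pw"
}

# Load an LDIF as Directory Manager, reading the bind password from a 0600 file (-y)
# so it never appears in shell history or in `ps`. $1 = host, $2 = password file, $3 = ldif.
load_ldif() {
    [ "$(stat -c %a "$2")" = 600 ] || { echo "refusing: $2 is not mode 0600" >&2; return 1; }
    ldapmodify -a -x -h "$1" -D "cn=Directory Manager" -y "$2" -f "$3"
}

# Demo run on constructed data: prints the generated LDIF; nothing is sent to a server.
pwfile=$(mktemp); printf 'replica-pw-CONSTRUCTED\n' > "$pwfile"; chmod 600 "$pwfile"
subdomain_ldif subdomain "$SUFFIX"
for ou in People Groups Netgroup; do ou_ldif "$ou" "$SUFFIX"; done
netgroup_ldif ldapservers "$SUFFIX" host lin2600 slavesrv
netgroup_ldif testusers "$SUFFIX" user alice bob
consumer_ldif "$SUFFIX" "$pwfile"
rm -f "$pwfile"
```

To use it against a server, redirect each generator into a file and call `load_ldif ldapsvr /root/.dm-pw addsub.ldif` and so on; the password file check refuses anything that is not mode 0600. The Replication Manager password file should be protected the same way, since it is all a consumer needs to accept updates.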
On Supplier Server (master):
- Set up the Replication Agreement
  (See http://www.redhat.com/docs/manuals/dir-server/ag/replicat.htm#33173)
  In Directory, right click on databases and select New replication agreement
    Name: - Example: subdomain-slavesrv
    Description: Replication of subdomain suffix/database to slave slavesrv
  Click on Next
  In Consumer block, click on Other button
    Enter host and port ($host and 389)
  Select Simple Authentication
  Enter DN for replication set up above:
    Bind as: cn=Replication Manager,cn=config
    Password: xxxxxxx
  Click on Next
- Initiate replication
  In Configuration, under Replication, expand the domain you just set up the agreement for and click on it.
  Right click and select Initialize Consumer.
  This will produce a pop-up informing you of the status.
  You can look in the consumer logs for replication information and/or in the Directory tab to see that the data has been replicated.
- Setting up clients for authentication.
  Edit /etc/ldap.conf and set the ldap servers (a primary and a secondary for failover) and a basedn for lookups. Use the subdomain to which this system belongs.
    host 192.168.1.2 192.168.2.1
    base dc=yourdomain,dc=com
  Set PAM to use ldap.
  Run the following command to set /etc/nsswitch.conf and /etc/pam.d/system-auth up for LDAP authentication
    authconfig --enableldap --enableldapauth --update
  Edit /etc/pam.d/system-auth and add the following 'account' line after the "account pam_succeed_if.so" line.
    account     required      /lib/security/$ISA/pam_access.so accessfile=/usr/local/lib/security/access.netgroup.conf
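The pam_access line above restricts logins to whatever the file /usr/local/lib/security/access.netgroup.conf allows, but the notes do not show that file. The script below is an added example, not part of the original notes: it writes a constructed rule file in the format pam_access reads (permission : users : origins, with @name referring to a netgroup such as the testusers netgroup created earlier) and evaluates it the way pam_access does, so a rule set can be checked against users before it is deployed to clients. Netgroup membership comes from a constructed table standing in for `getent netgroup <name>`, which on a real client resolves through nss_ldap. Only ALL, plain user names and @netgroup are handled in the users field, and only ALL or an exact match in the origins field; ALL EXCEPT and LOCAL are reported as unsupported rather than guessed at.

```shell
#!/bin/sh
# Added example (not from the original notes): evaluate a pam_access rule file
# against users, using a constructed netgroup table in place of `getent netgroup`.

# Constructed stand-in for `getent netgroup <name>`; same (host,user,domain) triple format.
netgroup_triples() {
    case $1 in
        testusers)  echo 'testusers (-,alice,) (-,bob,)' ;;
        ldapadmins) echo 'ldapadmins (-,carol,)' ;;
        *)          return 1 ;;
    esac
}

# True if user $2 appears in netgroup $1 (any host, any domain).
in_netgroup() {
    netgroup_triples "$1" 2>/dev/null | tr ' ' '\n' | grep -q "^([^,]*,$2,[^,]*)$"
}

# Does a users field ("ALL", "alice bob", "@testusers", or a mix) match user $2?
# ALL EXCEPT is not implemented; such a line is reported and treated as non-matching.
users_match() {
    for item in $1; do
        case $item in
            ALL)    return 0 ;;
            EXCEPT) echo "unsupported keyword EXCEPT in: $1" >&2; return 2 ;;
            @*)     in_netgroup "${item#@}" "$2" && return 0 ;;
            *)      [ "$item" = "$2" ] && return 0 ;;
        esac
    done
    return 1
}

# Evaluate rule file $1 for user $2 coming from origin $3; prints ALLOW or DENY.
# As in pam_access, the first matching line decides, and if no line matches access
# is granted: a rule set that is meant to restrict logins needs a final "- : ALL : ALL".
pam_access_eval() {
    while IFS= read -r line; do
        line=${line%%#*}
        [ -z "$(echo "$line" | tr -d ' \t')" ] && continue
        perm=$(echo "$line" | cut -d: -f1 | tr -d ' \t')
        users=$(echo "$line" | cut -d: -f2)
        origins=$(echo "$line" | cut -d: -f3)
        origin_ok=1
        for o in $origins; do
            [ "$o" = LOCAL ] && echo "unsupported origin LOCAL in: $line" >&2
            [ "$o" = ALL ] || [ "$o" = "$3" ] && origin_ok=0 && break
        done
        [ $origin_ok -eq 0 ] || continue
        if users_match "$users" "$2"; then
            case $perm in +) echo ALLOW ;; -) echo DENY ;; esac
            return 0
        fi
    done < "$1"
    echo ALLOW   # no rule matched: pam_access grants access by default
}

# Constructed rule file. $1 = output path, $2 = "with-deny" or "no-deny"
# (the second form shows what happens when the closing deny line is forgotten).
write_rules() {
    {
        echo '# access.netgroup.conf (constructed): permission : users : origins'
        echo '+ : root : ALL'
        echo '+ : @testusers @ldapadmins : ALL'
        if [ "$2" = with-deny ]; then echo '- : ALL : ALL'; fi
    } > "$1"
}

# Demo run on constructed data.
rules=$(mktemp)
write_rules "$rules" with-deny
for u in alice carol mallory; do
    printf '%-8s %s\n' "$u" "$(pam_access_eval "$rules" "$u" ldapsvr)"
done
write_rules "$rules" no-deny
printf 'mallory with no final deny line: %s\n' "$(pam_access_eval "$rules" mallory ldapsvr)"
rm -f "$rules"
```

Running it shows alice (in testusers) and carol (in ldapadmins) allowed and mallory denied, but the same mallory allowed once the trailing deny line is dropped; that default-permit behaviour is the thing to check for in every access file pointed at by a pam_access line. To test a real client's file, replace netgroup_triples with `getent netgroup "$1"` so membership is resolved through the ou=Netgroup entries on the directory server.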