
Chapter 3. Setting up an instance using the command line


On the command line, you can use either a .inf file or the interactive installer to set up a new instance. Additionally, you can set up a new instance as a non-root user.

3.1. Setting up a new instance on the command line using a .inf file

When you set up Directory Server using a .inf file on the command line, you can customize advanced settings. For example, you can customize the following settings in the .inf file:

  • The user and group the ns-slapd Directory Server process uses after the service has started. Note that, if you use a different user and group, you must manually create the user and group before you start the installation.
  • Paths, such as the configuration, backup, and data directory.
  • Certificate validity.

3.1.1. Prerequisites

Create a .inf file for the dscreate utility, and adjust the file to your environment. In a later step, you will use this file to create the new Directory Server instance.

Procedure

  1. Use the dscreate create-template command to create a template .inf file. For example, to store the template in the /root/<instance_name>.inf file, enter:

    # dscreate create-template /root/<instance_name>.inf

    The created file contains all available parameters including descriptions.

  2. Edit the file that you created in the previous step:

    1. Uncomment the parameters that you want to set to customize the installation.

      All parameters have defaults. However, customize certain parameters for a production environment. For example, set at least the following parameters in the [slapd] section:

      instance_name = <instance_name>
      root_password = <password>

      To configure the LMDB backend maximum size, set the following parameter:

      mdb_max_size = 21474836480

      Note that mdb_max_size must be an integer value that depends on your directory size. For more details, see the nsslapd-mdb-max-size attribute description.

    2. Optional: To use the instance behind a load balancer with GSSAPI authentication, set the full_machine_name parameter in the [general] section to the fully-qualified domain name (FQDN) of the load balancer instead of the FQDN of the Directory Server host:

      full_machine_name = loadbalancer.example.com

    3. Uncomment the strict_host_checking parameter in the [general] section and set it to False:

      strict_host_checking = False

    4. To automatically create a suffix during instance creation, set the following parameters in the [backend-userroot] section:

      create_suffix_entry = True
      suffix = dc=example,dc=com

      Important

      If you do not create a suffix during instance creation, you must create it later manually before you can store data on this instance.

    5. Optional: Uncomment other parameters and set them to appropriate values for your environment. For example, use these parameters to specify replication options, such as authentication credentials and changelog trimming, or set different ports for the LDAP and LDAPS protocols.

      Note

      By default, new instances that you create include a self-signed certificate and TLS enabled. For increased security, do not disable this feature. Note that you can replace the self-signed certificate with a certificate issued by a Certificate Authority (CA) at a later date.
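
A pre-flight check for the finished .inf file, run before passing it to dscreate from-file. This is an added example, not part of the Red Hat documentation or of dscreate. The function names are hypothetical, GNU stat is assumed, and self_sign_cert is the parameter name used in the dscreate template rather than one shown on this page.

```sh
# Added example: audit a dscreate .inf file before running "dscreate from-file".

# Print the value of KEY in [SECTION]; empty if unset or commented out (; or #).
inf_get() {  # usage: inf_get FILE SECTION KEY
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/   { gsub(/[ \t]/, ""); insec = ($0 == sec); next }
        insec && (i = index($0, "=")) {
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Print one line per finding; the return status is the number of findings.
inf_check() {  # usage: inf_check FILE
    local f="$1" n=0 mode pw tls
    mode=$(stat -c '%a' "$f") || return 99
    # The file can hold the Directory Manager password: owner-only access.
    [ $(( 0$mode & 077 )) -eq 0 ] || { echo "PERM: mode $mode, expected 600"; n=$((n + 1)); }
    pw=$(inf_get "$f" slapd root_password)
    case "$pw" in
        '')        echo "PASSWORD: root_password is not set in [slapd]"; n=$((n + 1)) ;;
        \{?*\}?*)  ;;  # looks like the {algorithm}hash form that pwdhash prints
        *)         echo "PASSWORD: root_password is clear text"; n=$((n + 1)) ;;
    esac
    # self_sign_cert: TLS switch in the dscreate template (name not on this page).
    tls=$(inf_get "$f" slapd self_sign_cert | tr '[:upper:]' '[:lower:]')
    case "$tls" in
        false|no|off|0) echo "TLS: self_sign_cert turns off the default TLS setup"; n=$((n + 1)) ;;
    esac
    return "$n"
}

# Constructed sample input: clear-text password in a world-readable file.
inf_demo() {
    local d rc=0
    d=$(mktemp -d) || return 99
    printf '%s\n' '[general]' 'strict_host_checking = False' '[slapd]' \
        'instance_name = demo' ';self_sign_cert = True' 'root_password = Secret123' \
        '[backend-userroot]' 'suffix = dc=example,dc=com' > "$d/demo.inf"
    chmod 644 "$d/demo.inf"
    inf_check "$d/demo.inf" || rc=$?
    rm -rf "$d"
    return "$rc"
}

if [ "$#" -gt 0 ]; then inf_check "$1"; fi
```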

3.1.3. Using a .inf file to set up a new Directory Server instance

This section describes how to use a .inf file to set up a new Directory Server instance using the command line.

Prerequisites

  • You created a .inf file for the Directory Server instance.

Procedure

  1. Pass the .inf file to the dscreate from-file command to create the new instance:

    # dscreate from-file /root/<instance_name>.inf
    Starting installation ...
    Validate installation settings ...
    Create file system structures ...
    Create self-signed certificate database ...
    Perform SELinux labeling ...
    Perform post-installation tasks ...
    Completed installation for instance: slapd-instance_name

    The dscreate utility automatically starts the instance and configures RHEL to start the service when the system boots.

  2. Open the required ports in the firewall:

    # firewall-cmd --permanent --add-port={389/tcp,636/tcp}

  3. Reload the firewall configuration:

    # firewall-cmd --reload

Administrators can use the Directory Server interactive installer to set up a new instance by answering questions about the configuration for the new instance.

If you want to customize additional settings during the installation, use a .inf file instead of the interactive installer. For details, see Setting up a new instance on the command line using a .inf file.

3.2.1. Prerequisites

3.2.2. Creating an instance using the interactive installer

This section explains how to use the interactive installer to create a new Directory Server instance.

Procedure

  1. Start the interactive installer:

    # dscreate interactive

  2. Answer the questions of the interactive installer.

    To use the default values displayed in square brackets behind most questions in the installer, press Enter without entering a value.

    Install Directory Server (interactive mode)
    ===========================================
    
    Enter system's hostname [server.example.com]:
    
    Enter the instance name [server]: <instance_name>
    
    Enter port number [389]:
    
    Create self-signed certificate database [yes]:
    
    Enter secure port number [636]:
    
    Enter Directory Manager DN [cn=Directory Manager]:
    
    Enter the Directory Manager password: <password>
    Confirm the Directory Manager Password: <password>
    
    Choose whether mdb or bdb is used. [mdb]:
    
    Enter the lmdb database size [14.1 GB]: 10 G
    
    Enter the database suffix (or enter "none" to skip) [dc=server,dc=example,dc=com]: dc=example,dc=com
    
    Create sample entries in the suffix [no]:
    
    Create just the top suffix entry [no]: yes
    
    Do you want to start the instance after the installation? [yes]:
    
    Are you ready to install? [no]: yes

    Note

    Instead of setting a password in clear text, you can set a {algorithm}hash string generated by the pwdhash utility.

    For example:

    Enter the Directory Manager password: {PBKDF2-SHA512}100000$Haw7UDcBKUBejEjOTVHbiefT6cokHLo2$PeoP7W3B92Jzby7DGRkicovTN4LDGhnsC4EWCsv6crA2KA0Xn6rxPePX9UXhlM2utOPSQHeVpZzscNTx+fGi7A==

  3. Open the required ports in the firewall:

    # firewall-cmd --permanent --add-port={389/tcp,636/tcp}

  4. Reload the firewall configuration:

    # firewall-cmd --reload

3.3. Setting up a new instance as a non-root user

If you do not have root permissions, you can perform the Directory Server installation as a non-root user. Use this method to test Directory Server and develop LDAP applications. However, note that instances run by a non-root user have limitations:

  • They do not support Simple Network Management Protocol (SNMP).
  • They can use only ports higher than or equal to 1024.

As a non-root user, before you can create and administer Directory Server instances, you need to prepare a proper environment by using the dscreate ds-root command.

Prerequisites

  • You installed the Directory Server packages as a root user.

Procedure

  1. Ensure you have $HOME/bin in your PATH variable. If not:

    1. Append the following to the ~/.bash_profile file:

      PATH="$HOME/bin:$PATH"

    2. Re-read the ~/.bash_profile file:

      $ source ~/.bash_profile

  2. Configure the environment for an instance creation to use the custom location:

    $ dscreate ds-root $HOME/dsroot $HOME/bin

    This command replaces the standard installation paths with $HOME/dsroot/ and creates a copy of the standard Directory Server administration utilities in the $HOME/bin/ directory.

  3. To make the shell use new paths:

    1. Clear the cache:

      $ hash -r dscreate

    2. Verify that the shell uses the correct path to the command:

      $ which dscreate
      ~/bin/dscreate

      For the dscreate command, the shell now uses the $HOME/bin/dscreate instead of /usr/bin/dscreate.

3.3.2. Installing a new instance as non-root user

To install Directory Server without root permissions, you can use the interactive installer. After the installation, Directory Server creates an instance in the custom location and a user can run the dscreate, dsctl, and dsconf utilities as usual.

Prerequisites

  • You prepared the environment for non-root installation.
  • You have sudo permissions to use the firewall-cmd utility if you want to make the Directory Server instance available from the outside.

Procedure

  1. Create an instance using the interactive installer:

    1. Start the interactive installer:

      $ dscreate interactive

    2. Answer the questions of the interactive installer.

      To use the default values displayed in square brackets behind most questions in the installer, press Enter without entering a value.

      Note

      During the installation, you must choose the instance port and secure port number higher than 1024 (for example, 1389 and 1636). Otherwise, a user does not have permissions to bind to a privileged port (1-1023).

      Install Directory Server (interactive mode)
      ===========================================
      Non privileged user cannot use semanage, will not relabel ports or files.
      
      Selinux support will be disabled, continue? [yes]: yes
      
      Enter system's hostname [server.example.com]:
      
      Enter the instance name [server]: <instance_name>
      
      Enter port number [389]: 1389
      
      Create self-signed certificate database [yes]:
      
      Enter secure port number [636]: 1636
      
      Enter Directory Manager DN [cn=Directory Manager]:
      
      Enter the Directory Manager password: <password>
      Confirm the Directory Manager Password: <password>
      
      Choose whether mdb or bdb is used. [mdb]:
      
      Enter the lmdb database size [14.1 GB]: 9 G
      
      Enter the database suffix (or enter "none" to skip) [dc=server,dc=example,dc=com]: dc=example,dc=com
      
      Create sample entries in the suffix [no]:
      
      Create just the top suffix entry [no]: yes
      
      Do you want to start the instance after the installation? [yes]:
      
      Are you ready to install? [no]: yes

      Note

      Instead of setting a password in clear text, you can set a {algorithm}hash string generated by the pwdhash utility.

      For example:

      Enter the Directory Manager password: {PBKDF2-SHA512}100000$Haw7UDcBKUBejEjOTVHbiefT6cokHLo2$PeoP7W3B92Jzby7DGRkicovTN4LDGhnsC4EWCsv6crA2KA0Xn6rxPePX9UXhlM2utOPSQHeVpZzscNTx+fGi7A==

  2. Optional: If you want to make the Directory Server instance available from the outside:

    1. Open the ports in the firewall:

      $ sudo firewall-cmd --permanent --add-port={1389/tcp,1636/tcp}

    2. Reload the firewall configuration:

      $ sudo firewall-cmd --reload

Verification

  • Run the ldapsearch command to test that a user can connect to the instance:

    $ ldapsearch -D "cn=Directory Manager" -W -H ldap://server.example.com:1389 -b "dc=example,dc=com" -s sub -x "(objectclass=*)"