Red Hat Summit Red Hat SummitSupportoConsoleSviluppatoriInizia una provaContatti

Questo contenuto non è disponibile nella lingua selezionata.

Installing Red Hat Directory Server

Red Hat Directory Server 12

Instructions for managing a Directory Server installation, update, and uninstallation. Basic tasks you need to start working with an instance

Red Hat Customer Content Services

Abstract

Install, update, and uninstall Directory Server 12 and associated services by using the command line or the web console. Learn how to run an instance in FIPS mode, create test entries, log into the web console, start and stop Directory Server instances, and change the LDAP and LDAPS port numbers.

Providing feedback on Red Hat Directory Server
Copia collegamento

We appreciate your input on our documentation and products. Please let us know how we could make it better. To do so:

  • For submitting feedback on the Red Hat Directory Server (RHDS) documentation through Jira (account required):

    1. Go to the Red Hat Issue Tracker for the RHDS project.
    2. Enter a descriptive title in the Summary field.
    3. Enter your suggestion for improvement in the Description field. Include links to the relevant parts of the documentation.

    4. Click Create at the bottom of the dialogue.

      Alternatively, you can use the Share Feedback option on the product documentation page.

  • For submitting feedback on the RHDS product through Jira (account required):

    1. Go to the Red Hat Issue Tracker for the RHDS project.
    2. Enter a descriptive title in the Summary field.
    3. Select the component in the Component field.

    4. Fill in the Description field including:

      1. The version number of the selected component.
      2. Steps to reproduce the problem or your suggestion for improvement.
    5. Click Create at the bottom of the dialogue.

Chapter 1. Enabling Directory Server repositories
Copia collegamento

Before installing Directory Server packages, you must enable Directory Server repositories. Depending on your subscription type, you can enable the following Directory Server repositories:

  • The default Directory Server repository
  • The Extended Update Support (EUS) repository

Use the following procedure to enable the default and EUS repositories.

Prerequisites

  • You registered the system to the Red Hat Subscription Management service.
  • You have a valid Red Hat Directory Server subscription in your Red Hat account.

Procedure

  1. Optional: If you do not have enabled RHEL default BaseOS and AppStream repositories, you must enable these repositories:

    • To enable the default RHEL repositories, run: 

      # subscription-manager repos \
	--enable=rhel-9-for-x86_64-appstream-rpms \
	--enable=rhel-9-for-x86_64-baseos-rpms
Repository 'rhel-9-for-x86_64-appstream-rpms' is enabled for this system.
Repository 'rhel-9-for-x86_64-baseos-rpms' is enabled for this system.

    • To enable the RHEL EUS repositories:

      1. Optional: If you do not have the RHEL EUS release set to the minor version, for example to 9.6, run: 

        # subscription-manager release --set=9.6

      2. Enable the RHEL EUS repositories: 

        # subscription-manager repos \
	--enable=rhel-9-for-x86_64-appstream-eus-rpms \
	--enable=rhel-9-for-x86_64-baseos-eus-rpms
Repository 'rhel-9-for-x86_64-appstream-eus-rpms' is enabled for this system.
Repository 'rhel-9-for-x86_64-baseos-eus-rpms' is enabled for this system.

  2. Enable the Directory Server repository:

    1. To enable the default Directory Server repository, run: 

      # subscription-manager repos --enable=dirsrv-12-for-rhel-9-x86_64-rpms
Repository 'dirsrv-12-for-rhel-9-x86_64-rpms' is enabled for this system.

    2. To enable the Directory Server EUS repository for the, run: 

      # subscription-manager repos --enable=dirsrv-12-for-rhel-9-x86_64-eus-rpms
Repository 'dirsrv-12-for-rhel-9-x86_64-eus-rpms' is enabled for this system.
      Important
      When you enable the Directory Server EUS repository, make sure that you also enabled RHEL EUS repositories.

Verification

  • List enabled default Directory Server repositories: 

    # subscription-manager repos --list-enabled

    The following is the output of the command depending of the repository type:

    • For Directory Server 12.6, the command displays: 

      +----------------------------------------------------------+
    Available Repositories in /etc/yum.repos.d/redhat.repo
+----------------------------------------------------------+
Repo ID:   rhel-9-for-x86_64-appstream-rpms
Repo Name: Red Hat Enterprise Linux 9 for x86_64 - AppStream (RPMs)
Repo URL:  https://cdn.redhat.com/content/dist/rhel9/9/x86_64/appstream/os
Enabled:   1

Repo ID:   rhel-9-for-x86_64-baseos-rpms
Repo Name: Red Hat Enterprise Linux 9 for x86_64 - BaseOS (RPMs)
Repo URL:  https://cdn.redhat.com/content/dist/rhel9/9/x86_64/baseos/os
Enabled:   1

Repo ID:   dirsrv-12-for-rhel-9-x86_64-rpms
Repo Name: Red Hat Directory Server 12 for RHEL 9 x86_64 (RPMs)
Repo URL:  https://cdn.redhat.com/content/dist/rhel9/9/x86_64/dirsrv/12/os
Enabled:   1

    • For Directory Server 12.6 EUS, the command displays: 

      +----------------------------------------------------------+
    Available Repositories in /etc/yum.repos.d/redhat.repo
+----------------------------------------------------------+
Repo ID:   rhel-9-for-x86_64-appstream-eus-rpms
Repo Name: Red Hat Enterprise Linux 9 for x86_64 - AppStream (RPMs)
Repo URL:  https://cdn.redhat.com/content/dist/rhel9/9.6/x86_64/appstream/os
Enabled:   1

Repo ID:   rhel-9-for-x86_64-baseos-eus-rpms
Repo Name: Red Hat Enterprise Linux 9 for x86_64 - BaseOS (RPMs)
Repo URL:  https://cdn.redhat.com/content/dist/rhel9/9.6/x86_64/baseos/os
Enabled:   1

Repo ID:   dirsrv-12-for-rhel-9-x86_64-eus-rpms
Repo Name: Red Hat Directory Server 12 for RHEL 9 x86_64 (RPMs)
Repo URL:  https://cdn.redhat.com/content/dist/rhel9/9.6/x86_64/dirsrv/12/os
Enabled:   1

Chapter 2. Setting up an instance using the command line
Copia collegamento

On the command line, you can use either a .inf file or interactive installer to set up a new instance. Additionally, you can set up a new instance as a non-root user.

2.1. Prerequisites
Copia collegamento

2.2. Setting up a new instance on the command line using a .inf file
Copia collegamento

When you set up Directory Server using a .inf file on the command line you can customize advanced settings. For example, you can customize in the .inf file the following settings:

  • The user and group the ns-slapd Directory Server process uses after the service has started. Note that, if you use a different user and group, you must manually create the user and group before you start the installation.
  • Paths, such as the configuration, backup, and data directory.
  • Certificate validity.

2.2.1. Installing the Directory Server packages
Copia collegamento

Use the following procedure to install the Directory Server packages.

Prerequisites

Procedure

  1. Enable the redhat-ds:12 module and install Directory Server packages: 

    # dnf module enable redhat-ds:12
# dnf install 389-ds-base cockpit-389-ds

2.2.2. Creating a .inf file for a Directory Server instance installation
Copia collegamento

Create a .inf file for the dscreate utility, and adjust the file to your environment. In a later step, you will use this file to create the new Directory Server instance.

Prerequisites

  • You installed the redhat-ds:12 module.

Procedure

  1. Use the dscreate create-template command to create a template .inf file. For example, to store the template in the /root/instance_name.inf file, enter: 

    # dscreate create-template /root/instance_name.inf

    The created file contains all available parameters including descriptions.

  2. Edit the file that you created in the previous step:

    1. Uncomment the parameters that you want to set to customize the installation.

      All parameters have defaults. However, customize certain parameters for a production environment. For example, set at least the following parameters in the [slapd] section: 

      instance_name = instance_name
root_password = password

      By default, Directory Server creates an instance with the Berkeley Database (BDB). To install an instance with the LMDB backend that is a Technology Preview starting with Directory Server 12.5, set the following parameters: 

      db_lib = mdb
mdb_max_size = 21474836480

      Note that mdb_max_size must be an integer value that depends on your directory size. For more details, see nsslapd-mdb-max-size attribute description.

    2. To automatically create a suffix during instance creation, set the following parameters in the [backend-userroot] section: 

      create_suffix_entry = True
suffix = dc=example,dc=com
      Important

      If you do not create a suffix during instance creation, you must create it later manually before you can store data in this instance.

    3. Optional: Uncomment other parameters and set them to appropriate values for your environment. For example, use these parameters to specify replication options, such as authentication credentials and changelog trimming, or set different ports for the LDAP and LDAPS protocols.

      Note

      By default, new instances that you create include a self-signed certificate and TLS enabled. For increased security, do not disable this feature. Note that you can replace the self-signed certificate with a certificate issued by a Certificate Authority (CA) at a later date.

2.2.3. Using a .inf file to set up a new Directory Server instance
Copia collegamento

This section describes how to use a .inf file to set up a new Directory Server instance using the command line.

Prerequisites

  • You created a .inf file for the Directory Server instance.

Procedure

  1. Pass the .inf file to the dscreate from-file command to create the new instance: 

    # dscreate from-file /root/instance_name.inf
Starting installation ...
Validate installation settings ...
Create file system structures ...
Create self-signed certificate database ...
Perform SELinux labeling ...
Perform post-installation tasks ...
Completed installation for instance: slapd-instance_name

    The dscreate utility automatically starts the instance and configures RHEL to start the service when the system boots.

  2. Open the required ports in the firewall: 

    # firewall-cmd --permanent --add-port={389/tcp,636/tcp}

  3. Reload the firewall configuration: 

    # firewall-cmd --reload

Administrators can use the Directory Server interactive installer to set up a new instance by answering questions about the configuration for the new instance.

If you want to customize additional settings during the installation, use a .inf file instead of the interactive installer. For details, see Setting up a new instance on the command line using a .inf file.

2.3.1. Prerequisites
Copia collegamento

2.3.2. Installing the Directory Server packages
Copia collegamento

Use the following procedure to install the Directory Server packages.

Prerequisites

Procedure

  1. Enable the redhat-ds:12 module and install Directory Server packages: 

    # dnf module enable redhat-ds:12
# dnf install 389-ds-base cockpit-389-ds

2.3.3. Creating an instance using the interactive installer
Copia collegamento

This section explains how to use the interactive installer to create a new Directory Server instance.

Procedure

  1. Start the interactive installer: 

    # dscreate interactive

  2. Answer the questions of the interactive installer.

    To use the default values displayed in square brackets behind most questions in the installer, press Enter without entering a value. 

    Install Directory Server (interactive mode)
===========================================

Enter system's hostname [server.example.com]:

Enter the instance name [server]: instance_name

Enter port number [389]:

Create self-signed certificate database [yes]:

Enter secure port number [636]:

Enter Directory Manager DN [cn=Directory Manager]:

Enter the Directory Manager password: password
Confirm the Directory Manager Password: password

Choose whether mdb or bdb is used. [bdb]:
    Note

    By default, Directory Server creates an instance with the Berkeley Database (BDB). To install an LMDB instance that is a Technology Preview starting with Directory Server 12.5, set mdb and, on the next step, set the LMDB database size in bytes. 

    Enter the database suffix (or enter "none" to skip) [dc=server,dc=example,dc=com]: dc=example,dc=com

Create sample entries in the suffix [no]:

Create just the top suffix entry [no]: yes

Do you want to start the instance after the installation? [yes]:

Are you ready to install? [no]: yes
    Note

    Instead of setting a password in clear text you can set a {algorithm}hash string generated by the pwdhash utility. For example: 

    Enter the Directory Manager password: {PBKDF2-SHA512}100000$Haw7UDcBKUBejEjOTVHbiefT6cokHLo2$PeoP7W3B92Jzby7DGRkicovTN4LDGhnsC4EWCsv6crA2KA0Xn6rxPePX9UXhlM2utOPSQHeVpZzscNTx+fGi7A==

  3. Open the required ports in the firewall: 

    # firewall-cmd --permanent --add-port={389/tcp,636/tcp}

  4. Reload the firewall configuration: 

    # firewall-cmd --reload

2.4. Setting up a new instance as a non-root user
Copia collegamento

If you do not have root permissions, you can perform the Directory Server installation as a non-root user. Use this method to test Directory Server and develop LDAP applications. However, note that instances running by a non-root user have limitations, such as:

  • They do not support Simple Network Management Protocol (SNMP).
  • They can use only ports higher or equal to 1024.

As a non-root user, before you can create and administer Directory Server instances, you need to prepare a proper environment by using the dscreate ds-root command.

Prerequisites

  • You installed the Directory Server packages as a root user.

Procedure

  1. Ensure you have $HOME/bin in your PATH variable. If not:

    1. Append the following to the ~/.bash_profile file: 

      PATH="$HOME/bin:$PATH"

    2. Re-read the ~/bash_profile file: 

      $ source ~/.bash_profile

  2. Configure the environment for an instance creation to use the custom location: 

    $ dscreate ds-root $HOME/dsroot $HOME/bin

    This command replaces the standard installation paths with $HOME/dsroot/ and creates a copy of the standard Directory Server administration utilities in the $HOME/bin/ directory.

  3. To make the shell use new paths:

    1. Clear the cache: 

      $ hash -r dscreate

    2. Verify that the shell uses the correct path to the command: 

      $ which dscreate
~/bin/dscreate

For the dscreate command, the shell now uses the $HOME/bin/dscreate instead of /usr/bin/dscreate.

2.4.2. Installing a new instance as non-root user
Copia collegamento

To install Directory Server without root permissions, you can use the interactive installer. After the installation, Directory Server creates an instance in the custom location and a user can run dscreate, dsctl, dsconf utilities as usual.

Prerequisites

  • You prepared the environment for non-root installation.
  • You have sudo permissions to use the firewall-cmd utility If you want to make the Directory Server instance available from the outside.

Procedure

  1. Create an instance using the interactive installer

    1. Start the interactive installer: 

      $ dscreate interactive

    2. Answer the questions of the interactive installer.

      To use the default values displayed in square brackets behind most questions in the installer, press Enter without entering a value.

      Note

      During the installation, you must choose the instance port and secure port number higher than 1024 (for example, 1389 and 1636). Otherwise, a user does not have permissions to bind to a privileged port (1-1023). 

      Install Directory Server (interactive mode)
===========================================
Non privileged user cannot use semanage, will not relabel ports or files.

Selinux support will be disabled, continue? [yes]: yes

Enter system's hostname [server.example.com]:

Enter the instance name [server]: instance_name

Enter port number [389]: 1389

Create self-signed certificate database [yes]:

Enter secure port number [636]: 1636

Enter Directory Manager DN [cn=Directory Manager]:

Enter the Directory Manager password: password
Confirm the Directory Manager Password: password

Choose whether mdb or bdb is used. [bdb]:
      Note

      By default, Directory Server creates an instance with the Berkeley Database (BDB). To install an LMDB instance that is a Technology Preview starting with Directory Server 12.5, set mdb and, on the next step, set the LMDB database size in bytes. 

      Enter the database suffix (or enter "none" to skip) [dc=server,dc=example,dc=com]: dc=example,dc=com

Create sample entries in the suffix [no]:

Create just the top suffix entry [no]: yes

Do you want to start the instance after the installation? [yes]:

Are you ready to install? [no]: yes
      Note

      Instead of setting a password in clear text you can set a {algorithm}hash string generated by the pwdhash utility. For example: 

      Enter the Directory Manager password: {PBKDF2-SHA512}100000$Haw7UDcBKUBejEjOTVHbiefT6cokHLo2$PeoP7W3B92Jzby7DGRkicovTN4LDGhnsC4EWCsv6crA2KA0Xn6rxPePX9UXhlM2utOPSQHeVpZzscNTx+fGi7A==

  2. Optional: If you want to make the Directory Server instance available from the outside:

    1. Open the ports in the firewall: 

      # sudo firewall-cmd --permanent --add-port={1389/tcp,1636/tcp}

    2. Reload the firewall configuration: 

      # sudo firewall-cmd --reload

Verification

  • Run ldapsearch command to test that a user can connect to the instance: 

    $ ldapsearch -D "cn=Directory Manager" -W -H ldap://server.example.com:1389 -b "dc=example,dc=com" -s sub -x "(objectclass=*)"

Chapter 3. Setting up a new instance using the web console
Copia collegamento

If you prefer a browser-based interface to set up Directory Server, you can use the Directory Server web console.

3.1. Prerequisites
Copia collegamento

3.2. Using the web console to set up a new Directory Server instance
Copia collegamento

This section describes how to use the web console to set up a new Directory Server instance.

Prerequisites

  • The cockpit web console package is installed.
  • The cockpit.socket systemd unit is enabled and started.
  • You opened port 9090 in the local firewall to allow accessing the web console.

Procedure

  1. Use a browser to connect to the web console running on port 9090 on the Directory Server host: 

    https://server.example.com:9090
  2. Log in as the root user or as a user with sudo privileges.
  3. Select the Red Hat Directory Server entry.

  4. Create a new instance:

    • If no instance exists on the server, click the Create New Instance button.
    • If the server already runs existing instances, select Actions and click Create New Instance.

  5. Complete the fields of the Create New Server Instance form:

    • Instance Name: Sets the name of the instance. Note that you cannot change the name of an instance after it has been created.
    • Port: Sets the port number of the LDAP protocol. The port must not be in use by another instance or service. The default port is 389.
    • Secure Port: Sets the port number of the LDAPS protocol. The port must not be in use by another instance or service. The default port is 636.

    • Create Self-Signed TLS Certificate DB: Enables TLS encryption in the instance, and creates a self-signed certificate.

      For increased security, Red Hat recommends that you create the new instance with the self-signed certificate and TLS enabled. Note that you can replace the self-signed certificate with a certificate issued by a Certificate Authority (CA) at a later date.

    • Directory Manager DN: Sets the distinguished name (DN) of the administrative user of the instance. The default value is cn=Directory Manager.
    • Directory Manager Password: Sets the password of the administrative user of the instance.
    • Confirm Password: Must be set to the same value as in the Directory Manager Password field.

    • Create Database: Select this field to automatically create a suffix during instance creation.

      Important

      If you do not create a suffix during instance creation, you must create it later manually before you can store data in this instance.

      If you enabled this option, fill the addition fields:

      • Database Suffix: Sets the suffix for the back end.
      • Database Name: Sets the name of the back end database.
      • Database Initialization: Set this field to Create Suffix Entry.

  6. Click Create Instance.

    The new instance starts and is configured to start automatically when the system boots.

  7. Open the required ports in the firewall: 

    # firewall-cmd --permanent --add-port={389/tcp,636/tcp}

  8. Reload the firewall configuration: 

    # firewall-cmd --reload

Installing Directory Server instances that work behind a load balancer and support Kerberos authentication require additional steps compared during the installation.

If a user accesses a service using Generic Security Services API (GSSAPI), the Kerberos principal includes the DNS name of the service’s host. In case the user connects to a load balancer, the principal contains the DNS name of the load balancer, for example: ldap/loadbalancer.example.com@EXAMPLE.COM, and not the DNS name of the Directory Server instance.

To facilitate successful connection, the Directory Server instance that receives the request must use the same name as the load balancer, even if the load balancer DNS name is different.

This section describes how to set up an Directory Server instance with Kerberos authentication support behind a load balancer.

4.1. Prerequisites
Copia collegamento

4.2. Installing the Directory Server packages
Copia collegamento

Use the following procedure to install the Directory Server packages.

Prerequisites

Procedure

  1. Enable the redhat-ds:12 module and install Directory Server packages: 

    # dnf module enable redhat-ds:12
# dnf install 389-ds-base cockpit-389-ds

4.3. Creating a .inf file for a Directory Server instance installation
Copia collegamento

Create a .inf file for the dscreate utility, and adjust the file to your environment. In a later step, you will use this file to create the new Directory Server instance.

Prerequisites

  • You installed the redhat-ds:12 module.

Procedure

  1. Use the dscreate create-template command to create a template .inf file. For example, to store the template in the /root/instance_name.inf file, enter: 

    # dscreate create-template /root/instance_name.inf

    The created file contains all available parameters including descriptions.

  2. Edit the file that you created in the previous step:

    1. Uncomment the parameters that you want to set to customize the installation.

      All parameters have defaults. However, customize certain parameters for a production environment. For example, set at least the following parameters in the [slapd] section: 

      instance_name = instance_name
root_password = password

      By default, Directory Server creates an instance with the Berkeley Database (BDB). To install an instance with the LMDB backend that is a Technology Preview starting with Directory Server 12.5, set the following parameters: 

      db_lib = mdb
mdb_max_size = 21474836480

      Note that mdb_max_size must be an integer value that depends on your directory size. For more details, see nsslapd-mdb-max-size attribute description.

    2. To use the instance behind a load balancer with GSSAPI authentication, set the full_machine_name parameter in the [general] section to the fully-qualified domain name (FQDN) of the load balancer instead of the FQDN of the Directory Server host: 

      full_machine_name = loadbalancer.example.com

    3. Uncomment the strict_host_checking parameter in the [general] section and set it to False: 

      strict_host_checking = False

    4. To automatically create a suffix during instance creation, set the following parameters in the [backend-userroot] section: 

      create_suffix_entry = True
suffix = dc=example,dc=com
      Important

      If you do not create a suffix during instance creation, you must create it later manually before you can store data in this instance.

    5. Optional: Uncomment other parameters and set them to appropriate values for your environment. For example, use these parameters to specify replication options, such as authentication credentials and changelog trimming, or set different ports for the LDAP and LDAPS protocols.

      Note

      By default, new instances that you create include a self-signed certificate and TLS enabled. For increased security, do not disable this feature. Note that you can replace the self-signed certificate with a certificate issued by a Certificate Authority (CA) at a later date.

4.4. Using a .inf file to set up a new Directory Server instance
Copia collegamento

This section describes how to use a .inf file to set up a new Directory Server instance using the command line.

Prerequisites

  • You created a .inf file for the Directory Server instance.

Procedure

  1. Pass the .inf file to the dscreate from-file command to create the new instance: 

    # dscreate from-file /root/instance_name.inf
Starting installation ...
Validate installation settings ...
Create file system structures ...
Create self-signed certificate database ...
Perform SELinux labeling ...
Perform post-installation tasks ...
Completed installation for instance: slapd-instance_name

    The dscreate utility automatically starts the instance and configures RHEL to start the service when the system boots.

  2. Open the required ports in the firewall: 

    # firewall-cmd --permanent --add-port={389/tcp,636/tcp}

  3. Reload the firewall configuration: 

    # firewall-cmd --reload

Before user can authenticate to Directory Server behind a load balancer using GSSAPI, you must create a Kerberos principal for the load balancer and configure Directory Server to use the Kerberos principal. This section describes this procedure.

Prerequisites

  • An instance that contains the following .inf file configuration:

    • The full_machine_name parameter set to the DNS name of the load balancer.
    • The strict_host_checking parameter set to False.

Procedure

  1. Create the Kerberos principal for the load balancer, for example ldap/loadbalancer.example.com_@_EXAMPLE.COM. The procedure to create the service principal depends on your Kerberos installation. For details, see your Kerberos server’s documentation.
  2. Optional: You can add further principals to the keytab file. For example, to enable users to connect to the Directory Server instance behind the load balancer directly using Kerberos authentication, add additional principals for the Directory Server host. For example, ldap/server1.example.com@EXAMPLE.COM.
  3. Copy the service keytab file to the Directory Server host, and store it, for example, in the /etc/dirsrv/slapd-instance_name/ldap.keytab file.

  4. Add the path to the service keytab to the /etc/sysconfig/slapd-instance_name file: 

    KRB5_KTNAME=/etc/dirsrv/slapd-instance_name/ldap.keytab

  5. Restart the Directory Server instance: 

    # dsctl instance_name restart

Verification

  • Verify that you can connect to the load balancer using the GSSAPI protocol: 

    # ldapsearch -H ldap://loadbalancer.example.com -Y GSSAPI

    If you added additional Kerberos principals to the keytab file, such as for the Directory Server host itself, also verify these connections: 

    # ldapsearch -H ldap://server1.example.com -Y GSSAPI

Chapter 5. Running Directory Server in FIPS mode
Copia collegamento

Directory Server fully supports the Federal Information Processing Standard (FIPS) 140-2. When you run Directory Server run in FIPS mode, security-related settings change. For example, SSL is automatically disabled and only TLS 1.2 and 1.3 encryption is used.

5.1. Enabling the FIPS mode
Copia collegamento

To use Directory Server in Federal Information Processing Standard (FIPS) mode, enable the mode in RHEL and Directory Server.

Prerequisites

  • You enabled the FIPS mode in RHEL.

Procedure

  1. Enable the FIPS mode for the network security services (NSS) database: 

    # modutil -dbdir /etc/dirsrv/slapd-instance_name/ -fips true

  2. Restart the instance: 

    # dsctl instance_name restart

Verification

  • Verify that FIPS mode is enabled for the NSS database: 

    # modutil -dbdir /etc/dirsrv/slapd-instance_name/ -chkfips true
FIPS mode enabled.

    The command returns FIPS mode enabled, if the module is in FIPS mode.

Chapter 6. Updating Directory Server to a new minor version
Copia collegamento

Red Hat frequently releases updated versions of Red Hat Directory Server 12. This section describes how to update the Directory Server packages.

In case you want to migrate Red Hat Directory Server from version 10 or 11 to version 12, see:

6.1. Updating the Directory Server packages
Copia collegamento

Use the dnf utility to update the module, which also automatically updates the related packages.

Prerequisites

  • You have installed Directory Server packages.
  • You have a valid Red Hat Directory Server subscription in your Red Hat account.

Procedure

  1. Make sure you enabled correct repositories. For details, see Enabling Directory Server repositories.

  2. Update the Directory Server packages and their dependencies to the latest available version: 

    # dnf update 389-ds-base cockpit-389-ds

    The update process automatically restarts the dirsrv services for all instances on the server.

If you have an instance with the Berkeley Database (BDB) backend, you can change the BDB on this instance to Lightning Memory-Mapped Database (LMDB).

Note

Migration from BDB to LMDB is available only for instances with Directory Server version 12.5 or later.

In mixed environment, consider the following limitations:

  • You cannot use a backup to restore an instance with a different database type, because backup and restore formats are tied to this type.
  • You cannot mix backends with different types on an instance.

However, the following mix of implementations is possible:

  • You can mix instances with different backend types on a host.
  • You can mix replicas with different types in your replicated topology.

Currently, you can use only the command line to migrate from BDB to LMDB or backwards.

7.1. Migrating the database type from BDB to LMDB using dsctl
Copia collegamento

You can use the dsctl utility to automatically migrate the Berkeley Database (BDB) backend on an instance to the Lightning Memory-Mapped Database (LMDB).

Prerequisites

  • You have root permissions.

Procedure

  1. Start the migration from BDB to LMDB: 

    # dsctl instance_name dblib bdb2mdb
...
Backends importation 0.000000% (userroot)
Backends importation 100%

    The command sets the nsslapd-backend-implement global configuration parameter to mdb and calculates the database size that you can adjust by setting the nsslapd-mdb-max-size parameter value.

  2. Remove the migration .ldif file and the old database: 

    # dsctl instance_name dblib cleanup
cleanup dbmapdir=/var/lib/dirsrv/slapd-instance_name/db dbhome=/dev/shm/slapd-instance_name dblib=mdb

Note that you can migrate back from LMDB to BDB by using the dsctl instance_name dblib mdb2bdb command.

Verification

  • Check that the nsslapd-backend-implement configuration parameter value is set to mdb: 
# dsconf -D "cn=Directory Manager" ldap://server.example.com backend config get | grep nsslapd-backend-implement
Enter password for cn=Directory Manager on ldap://server.example.com: password
nsslapd-backend-implement: mdb

7.2. Manually migrating the database type from BDB to LMDB
Copia collegamento

Use manual migration from the Berkeley Database (BDB) backend on an instance to the Lightning Memory-Mapped Database (LMDB) in the following cases:

  • The migration by the dsctl utility cannot be performed.
  • You want to set LMDB configuration attributes manually.

Prerequisites

  • You have root permissions.
  • You have the Directory Manager password.

Procedure

  1. Export all your databases to an LDIF file as described in Exporting data using the command line while the server is offline.

  2. Determine the LMDB database maximum size by clarifying the existing databases size and adding a safety margin of 20%. Skip this step if you migrate back from LMDB to BDB.

    1. Clarify the existing databases size: 

      # du -hs /var/lib/dirsrv/slapd-instance_name/db/*/ 
1.8GB

    2. Add the safety margin of 20%: 

      1.8 GB + 20% = 2.16 GB

      You require the maximum database size in the future steps.

  3. Change the database type to LMDB on the instance and restart the instance: 

    # dsconf instance_name backend config set --db-lib mdb
Successfully updated database configuration

# dsctl instance_name restart
Instance "instance_name" has been restarted

    When you migrate back from LMDB to BDB, set the --db-lib option to bdb.

  4. Set the LMDB maximum size to the value you calculated in the previous steps (2.16 GB) in bytes and restart the instance: 

    # dsconf instance_name backend config set --mdb-max-size 2319282339
Successfully updated database configuration

# dsctl instance_name restart
Instance "instance_name" has been restarted

    The command sets the nsslapd-mdb-max-size configuration parameter value.

    Note

    Skip this step if you migrate back from LMDB to BDB.

  5. Import all databases from the LDIF file as described in Importing data using the command line while the server is offline.

Verification

  • Check that the nsslapd-backend-implement configuration parameter value is set to mdb: 
# dsconf -D "cn=Directory Manager" ldap://server.example.com backend config get | grep nsslapd-backend-implement
Enter password for cn=Directory Manager on ldap://server.example.com: password
nsslapd-backend-implement: mdb

Chapter 8. Migrating Directory Server 11 to Directory Server 12
Copia collegamento

Learn about migrating from Red Hat Directory Server 11 to 12, including tasks that you must perform before the migration begins.

Important

Red Hat supports migration only from Red Hat Directory Server 10 or 11 to version 12. To migrate Directory Server from earlier version, you must perform incremental migrations to Directory Server 10 or 11.

Red Hat does not support an in-place upgrade of Directory Server 10 or 11 servers to version 12 by using the leapp upgrade tool.

For migration, you can use one of the following ways:

  • If you have a replication topology, use the replication method.
  • If you have a disconnected topology without planned replication between Directory Server 10 and Directory Server 12, or if your database is more that 1 GB, use the export and import method.

8.1. Prerequisites
Copia collegamento

  • The existing Directory Server installation runs on version 11 and has all available updates installed.
  • You installed a Directory Server 12 host and created an instance on the host.

8.2. Migrating to Directory Server 12 using the replication method
Copia collegamento

In a replication topology, use the replication method to migrate to Directory Server 12.

Procedure

  1. On the Directory Server 12 host, enable replication, but do not create a replication agreement. For details about enabling replication, see the Configuring and managing replication documentation for Red Hat Directory Server 12.

  2. On the Directory Server 11 host, enable replication and create a replication agreement that points to the Directory Server 12 host. For more information, see the Multi-Supplier Replication section in the Red Hat Directory Server 11 Administrator Guide.

    Important

    If you used a custom configuration on the Directory Server 11 host, do not replace the dse.ldif configuration file on the Directory Server 12 host with the file from the Directory Server 11 host, because the dse.ldif layout changes between versions. Instead, use the dsconf utility or the web console to add the custom configuration for each parameter and plug-in that you require.

  3. Optional: Set up further Directory Server 12 hosts with replication agreements between Directory Server 12 hosts.
  4. Configure your clients to use only Directory Server 12 hosts.
  5. On the Directory Server 11 host, remove the replication agreements that point to Directory Server 12 host. See Removing a Directory Server Instance from the Replication Topology in the Red Hat Directory Server 11 Administration Guide.
  6. Uninstall the Directory Server 11 hosts. See Uninstalling Directory Server in the Red Hat Directory Server 11 Installation Guide.

8.3. Migrating to Directory Server 12 using the export and import method
Copia collegamento

Use the export and import method for migration in the following cases:

  • You have instances without replication.
  • Your database is more that 1 GB.

Procedure

  1. Perform the following steps on the existing Directory Server 11 host:

    1. Stop and disable the dirsrv service: 

      # dsctl DS11_instance_name stop
# systemctl disable dirsrv@DS11_instance_name

    2. Export the backend. For example, to export the userRoot database and store it in the /var/lib/dirsrv/slapd-DS11_instance_name/migration.ldif file, run: 

      # dsctl DS11_instance_name db2ldif userroot /var/lib/dirsrv/slapd-DS11_instance_name/migration.ldif

    3. Copy the following files to the new host where you want to install Directory Server 12:

      • The /var/lib/dirsrv/slapd-DS11_instance_name/migration.ldif file that you exported in the previous step.

      • The /etc/dirsrv/slapd-DS11_instance_name/dse.ldif configuration file.

        Important

        Do not replace the dse.ldif configuration file on the Directory Server 12 host with the file from the Directory Server 11 host because the dse.ldif layout changes different versions. Store the dse.ldif file for the reference.

      • The /etc/dirsrv/slapd-DS11_instance_name/schema/99user.ldif file, if you use a custom schema.

      • If you want to migrate an instance with TLS enabled and reuse the same host name for the Directory Server 12 installation, copy the following files to the new host:

        • /etc/dirsrv/slapd-DS11_instance_named/cert9.db
        • /etc/dirsrv/slapd-DS11_instance_name/key4.db
        • /etc/dirsrv/slapd-DS11_instance_name/pin.txt
    4. If you want to use the same host name and IP on the Directory Server 12 host, disconnect the old server from the network.

  2. Perform the following steps on the new Directory Server 12 host:

    1. Optional: Configure TLS encryption:

      • If the new installation uses a different host name than the Directory Server 11 instance, see the Enabling TLS-encrypted connections to Directory Server section in the Securing Red Hat Directory Server documentation.

      • To use the same host name as the previous Directory Server 11 installation:

        1. Stop the instance: 

          # dsctl DS12_instance_name stop

        2. Remove the Network Security Services (NSS) databases and the password file for Directory Server, if they already exist: 

          # rm /etc/dirsrv/slapd-DS12_instance_name/cert*.db /etc/dirsrv/slapd-DS12_instance_name/key*.db /etc/dirsrv/slapd-DS12_instance_name/pin.txt
        3. Place the cert9.db, key4.db, and pin.txt files that you copied from the Directory Server 11 host in the /etc/dirsrv/slapd-DS12_instance_name/ directory:

        4. Set the correct permissions for the NSS databases and the password file: 

          # chown dirsrv:root /etc/dirsrv/slapd-DS12_instance_name/cert9.db /etc/dirsrv/slapd-DS12_instance_name/key4.db /etc/dirsrv/slapd-DS12_instance_name/pin.txt

# chmod 600 /etc/dirsrv/slapd-DS12_instance_name/cert9.db /etc/dirsrv/slapd-DS12_instance_name/key4.db /etc/dirsrv/slapd-DS12_instance_name/pin.txt

        5. Start the instance: 

          # dsctl DS12_instance_name start

    2. If you used a custom schema, place the 99user.ldif file into the /etc/dirsrv/slapd-DS12_instance_name/schema/ directory, set appropriate permissions, and restart the instance: 

      # cp /etc/dirsrv/slapd-DS11_instance_name/schema/99user.ldif /etc/dirsrv/slapd-DS12_instance_name/schema/

# chmod 644 /etc/dirsrv/slapd-DS12_instance_name/schema/99user.ldif

# chown root:root /etc/dirsrv/slapd-DS12_instance_name/schema/99user.ldif

# dsctl DS12_instance_name restart

    3. Place the /var/lib/dirsrv/slapd-DS11_instance_name/migration.ldif file that you copied from the Directory Server 11 host in the /var/lib/dirsrv/slapd-DS12_instance_name/ldif/ directory and set the correct permissions: 

      # cp /var/lib/dirsrv/slapd-DS11_instance_name/migration.ldif /var/lib/dirsrv/slapd-DS12_instance_name/ldif/

# chown dirsrv:dirsrv /var/lib/dirsrv/slapd-DS12_instance_name/ldif/migration.ldif

    4. Import the migration.ldif file to restore the userRoot database with all entries: 

      # dsconf -D 'cn=Directory Manager' ldap://server.example.com backend import userRoot /var/lib/dirsrv/slapd-DS12_instance_name/ldif/migration.ldif

      Note that Directory Server requires the LDIF file you want to import in the /var/lib/dirsrv/slapd-DS12_instance_name/ directory.

      Important

      If you used a custom configuration on the Directory Server 11 host, do not replace the dse.ldif configuration file on the Directory Server 12 host with the file from the Directory Server 11 host. Instead, use the dsconf utility or the web console to add the custom configuration manually for each parameter and plug-in that you require.

Chapter 9. Migrating Directory Server 10 to Directory Server 12
Copia collegamento

Learn about migration from Red Hat Directory Server 10 to 12, including tasks that you must perform before you start the migration.

Important

Red Hat supports migration only from Red Hat Directory Server 10 or 11 to version 12. To migrate Directory Server from earlier version, you must perform incremental migrations to Directory Server 10 or 11.

Red Hat does not support an in-place upgrade of Directory Server 10 or 11 servers to version 12 by using the leapp upgrade tool.

For migration, you can use one of the following ways:

  • If you have a replication topology, use the replication method.
  • If you have a disconnected topology without planned replication between Directory Server 10 and Directory Server 12, or if your database is more that 1 GB, use the export and import method.

9.1. Prerequisites
Copia collegamento

  • The existing Directory Server installation runs on version 10 and has all available updates installed.
  • You installed a Directory Server 12 host and created an instance on the host.

9.2. Migrating Directory Server 10 to version 12 using the replication method
Copia collegamento

In a replication topology, use the replication method to migrate to Directory Server 12.

Procedure

  1. On the Directory Server 12 host, enable replication, but do not create a replication agreement. For details about enabling replication, see the Configuring and managing replication in the Red Hat Directory Server 12 documentation.

  2. On the Directory Server 10 host, enable replication and create a replication agreement that points to the Directory Server 12 host. For details about enabling replication, see chapter 15 "Managing Replication" in the Red Hat Directory Server 10 Administration Guide.

    Important

    If you used a custom configuration on the Directory Server 10 host, do not replace the dse.ldif configuration file on the Directory Server 12 host with the file from previous versions, because the dse.ldif layout changes between versions. Instead, use the dsconf utility or the web console to add the custom configuration for each parameter and plug-in that you require.

  3. Optional: Set up further Directory Server 12 hosts with replication agreements between the Directory Server 12 hosts.
  4. Configure your clients to use only the Directory Server 12 hosts.

  5. On the Directory Server 10 host, remove the replication agreements that point to the Directory Server 12 host: 

    # ldapmodify -D "cn=Directory Manager" -W -x -p 389 -h server_ds_10.example.com
dn: cn=agreement-to-DS-12-server,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping
tree,cn=config
changetype: delete
  6. Uninstall the Directory Server 10 hosts. See the chapter 4.8 "Uninstalling Directory Server" in the Red Hat Directory Server 10 Installation Guide.

Use the export and import method to migrate large Directory Server environments or instances without replication.

Procedure

  1. Perform the following steps on the existing Directory Server 10 host:

    1. Stop and disable the dirsrv service: 

      # dsctl DS10_instance_name stop
# systemctl disable dirsrv@DS10_instance_name

    2. Export the backend. For example, to export the userRoot database and store it in the /tmp/userRoot.ldif file: 

      # db2ldif -Z DS10_instance_name -n userRoot -a /tmp/userRoot.ldif

    3. Copy the following files to the new Directory Server 12 host:

      • The LDIF file userRoot.ldif that you exported in the previous step.
      • The /etc/dirsrv/slapd-DS10_instance_name/schema/99user.ldif file if you use a custom schema.

      • The /etc/dirsrv/slapd-DS10_instance_name/dse.ldif configuration file.

        Important

        Do not replace the dse.ldif configuration file on the Directory Server 12 host with the file from the Directory Server 10 host because the dse.ldif layout changes between versions. Store the dse.ldif file for the reference.

      • If you want to migrate an instance with TLS enabled and reuse the same host name for the Directory Server 12 installation, copy:

        • /etc/dirsrv/slapd-DS10_instance_name/cert8.db
        • /etc/dirsrv/slapd-DS10_instance_name/key3.db
        • /etc/dirsrv/slapd-DS10_instance_name/pin.txt
    4. If you want to use the same host name and IP on the Directory Server 12 host, disconnect the old server from the network.

  2. Perform the following steps on the new Directory Server 12 host:

    1. Optional: Configure TLS encryption:

      • If the new installation uses a different host name than the Directory Server 10 instance, see the Enabling TLS-encrypted connections to Directory Server section in the Securing Red Hat Directory Server documentation.

      • If you want to use the same host name as the previous Directory Server 10 installation:

        1. Stop the instance: 

          # dsctl DS12_instance_name stop

        2. Remove the Network Security Services (NSS) databases and the password file for Directory Server, if they already exist: 

          # rm /etc/dirsrv/slapd-DS12_instance_name/cert*.db /etc/dirsrv/slapd-DS12_instance_name/key*.db /etc/dirsrv/slapd-DS12_instance_name/pin.txt
        3. Move the cert8.db, key3.db, and pin.txt files that you copied from the Directory Server 10 host to the /etc/dirsrv/slapd-DS12_instance_name/ directory.

        4. Set the correct permissions for the NSS databases and the password file: 

          # chown dirsrv:root /etc/dirsrv/slapd-DS12_instance_name/cert8.db /etc/dirsrv/slapd-DS12_instance_name/key3.db /etc/dirsrv/slapd-DS12_instance_name/pin.txt

# chmod 600 /etc/dirsrv/slapd-DS12_instance_name/cert8.db /etc/dirsrv/slapd-DS12_instance_name/key3.db /etc/dirsrv/slapd-DS12_instance_name/pin.txt

        5. Start the instance: 

          # dsctl DS12_instance_name start

    2. If you used a custom schema, place the 99user.ldif file in the /etc/dirsrv/slapd-DS12_instance_name/schema/ directory, set appropriate permissions, and restart the instance: 

      # cp /etc/dirsrv/slapd-DS10_instance_name/schema/99user.ldif /etc/dirsrv/slapd-DS12_instance_name/schema/

# chmod 644 /etc/dirsrv/slapd-DS12_instance_name/schema/99user.ldif

# chown root:root /etc/dirsrv/slapd-DS12_instance_name/schema/99user.ldif

# dsctl DS12_instance_name restart

    3. Place the /tmp/userRoot.ldif file you prepared on the Directory Server 10 host in the /var/lib/dirsrv/slapd-DS12_instance_name/ldif/ directory and set the correct permissions: 

      # cp /tmp/userRoot.ldif /etc/dirsrv/slapd-DS12_instance_name/ldif/

# chown dirsrv:dirsrv /var/lib/dirsrv/slapd-DS12_instance_name/ldif/userRoot.ldif

    4. Import the userRoot.ldif file to restore the userRoot backend with all entries: 

      # dsconf -D 'cn=Directory Manager' ldap://server.example.com backend import userRoot /var/lib/dirsrv/slapd-instance_name/ldif/userRoot.ldif

      Note that Directory Server 12 can import LDIF files only from the /var/lib/dirsrv/slapd-DS12_instance_name/ directory.

      Important

      If you used a custom configuration on the Directory Server 10 host, do not replace the dse.ldif configuration file on the Directory Server 12 host with the file from previous versions. Instead, use the dsconf utility or the web console to add the custom configuration manually for each parameter and plug-in that you require.

To synchronize passwords between Active Directory and Red Hat Directory Server, you use the password password synchronization service. You can install, update, and remove the password synchronization service.

10.1. The password synchronization service
Copia collegamento

When you set up password synchronization with Active Directory, Directory Server retrieves all attributes of user objects except the password. Active Directory stores only encrypted passwords, but Directory Server uses different encryption. As a result, Active Directory users passwords must be encrypted by Directory Server.

To enable password synchronization between Active Directory and Directory Server, the Red Hat Directory Password Sync service hooks up into the Windows password changing routine of a domain controller (DC). If a user or administrator sets or updates a password, the service retrieves the password in plain text before it is encrypted and stored in Active Directory. This process enables Red Hat Directory Password Sync to send the plain text password to Directory Server. To protect the password, the service supports only LDAPS connections to Directory Server. When Directory Server stores the password in the user’s entry, the password is automatically encrypted with the password storage scheme configured in Directory Server.

Important

In an Active Directory, all writable DCs can process password actions. Therefore, you must install Red Hat Directory Password Sync on every writable DC in the Active Directory domain.

10.2. Downloading the password synchronization service installer
Copia collegamento

To install Red Hat Directory Password Sync service, download the installer from the Customer Portal.

Prerequisites

Procedure

  1. Go to the Red Hat Directory Server download page.

  2. Select PassSync Installer for RHDS 11 and 12 from the list and click Download Now button.

    NOTE
    The PassSync package is deprecated starting with Red Hat Directory Server 12.6.
  3. Copy the installer to every writable Active Directory domain controller (DC).

10.3. Installing the password synchronization service
Copia collegamento

This section describes how to install the Red Hat Directory Password Sync on Windows domain controllers (DC). Perform this procedure on every writable Windows DC.

Prerequisites

  • You downloaded the latest version of the PassSync Installer to the Windows Active Directory domain controller (DC).
  • You enabled TLS encryption in Directory Server.
  • You prepared the Active Directory domain.
  • You created an account for synchronization in Directory Server.

Procedure

  1. Log in to the Active Directory DC with a user that has permissions to install software on the DC.
  2. Double-click the RedHat-PassSync-ds12.*-x86_64.msi file to install it.
  3. The Red Hat Directory Password Sync Setup appears. Click Next.

  4. Fill the fields according to your Directory Server environment. For example:

    PassSync settings

    Fill the following information of the Directory Server host into the fields:

    • Host Name: Sets the name of the Directory Server host. Alternatively, you can set the field to the IPv4 or IPv6 address of the Directory Server host.
    • Port Number: Sets the LDAPS port number.
    • User Name: Sets the distinguished name (DN) of the synchronization user account.
    • Password: Sets the password of the synchronization user.
    • Cert Token: Sets the password of the server certificate copied from the Directory Server host.
    • Search Base: Sets the DN of the Directory Server entry that contains the synchronized user accounts.
  5. Click Next to start the installation.
  6. Click Finish.

  7. Reboot the Windows DC.

    Important

    Without rebooting the DC, the PasswordHook.dll library is not enabled and password synchronization fails.

  8. Enable replication in Directory Server and create a WinSync agreement.

10.4. Updating the password synchronization service
Copia collegamento

This section describes how to update an existing Red Hat Directory Password Sync installation on a Windows domain controller (DC).

Perform this procedure on every writable Windows DC.

Prerequisites

  • Red Hat Directory Password Sync is running on your Windows DC.
  • You downloaded the latest version of the PassSync Installer to the Windows Active Directory DC.

Procedure

  1. Log in to the Active Directory domain controller with a user that has permissions to install software on the DC.
  2. Double-click the RedHat-PassSync-ds12.*-x86_64.msi file.
  3. Click Next to begin installing.
  4. Click the Modify button.
  5. The setup displays the configuration set during the previous installation. Click Next to keep the existing settings.
  6. Click Next to start the installation.
  7. Click Finish.

  8. Reboot the Windows DC.

    Important

    Without rebooting the DC, the PasswordHook.dll library is not enabled and password synchronization will fail.

10.5. Uninstalling the password synchronization service
Copia collegamento

If you no longer require the Red Hat Directory Password Sync service, remove it from the Active Directory domain controller (DC).

Prerequisites

  • Red Hat Directory Password Sync is installed on the Windows DC.

Procedure

Log in to the Active Directory domain controller with a user that has permissions to remove software from the DC.

  1. Open the Control Panel
  2. Click Programs and then Programs and Features

  3. Select the Red Hat Directory Password Sync entry, and click the Uninstall button.

    remove PassSync using control panel
  4. Click Yes to confirm.

Chapter 11. Removing a Directory Server instance
Copia collegamento

If you no longer require a Directory Server instance, you can remove it to regain disk space. If you run multiple instances on one server, removing a specific instance does not affect the other instances.

11.1. Removing an instance using the command line
Copia collegamento

You can remove a Directory Server instance using the command line.

Prerequisites

  • The instance has been removed from a replication topology, if it was part of one.

Procedure

  1. Optional: Create a backup of the Directory Server directories:

    1. Stop the instance: 

      # dsctl instance_name stop

    2. Copy the /var/lib/dirsrv/slapd-instance_name/ directory: 

      # cp -rp /var/lib/dirsrv/slapd-instance_name/ /root/var-lib-dirsrv-instance_name.bak/

      This directory contains the database, as well as the backup and export directory.

    3. Copy the /etc/dirsrv/slapd-instance_name/ directory: 

      # cp -rp /etc/dirsrv/slapd-instance_name/ /root/etc-dirsrv-instance_name.bak/

  2. Remove the instance: 

    # dsctl instance_name remove --do-it
Removing instance ...
Completed instance removal

Verification

  • Verify that the /var/lib/dirsrv/slapd-instance_name/ and /etc/dirsrv/slapd-instance_name/ directories have been removed: 

    # ls /var/lib/dirsrv/slapd-instance_name /etc/dirsrv/slapd-instance_name/
ls: cannot access '/var/lib/dirsrv/slapd-instance_name': No such file or directory
ls: cannot access '/etc/dirsrv/slapd-instance_name': No such file or directory

11.2. Removing an instance using the web console
Copia collegamento

You can remove a Directory Server instance using the web console. However, if you want to create a backup of the Directory Server directories which contain, for example, the databases and configuration files, you must copy these directories on the command line.

Prerequisites

  • The instance has been removed from a replication topology, if it was part of one.
  • You are logged in to the instance in the web console.

Procedure

  1. Optional: Create a backup of the Directory Server directories.

    1. Click the Actions button, and select Stop instance.

    2. Copy the /var/lib/dirsrv/slapd-instance_name/ directory: 

      # cp -rp /var/lib/dirsrv/slapd-instance_name/ /root/var-lib-dirsrv-instance_name.bak/

      This directory contains the database, as well as the backup and export directory.

    3. Copy the /etc/dirsrv/slapd-instance_name/ directory: 

      # cp -rp /var/lib/dirsrv/slapd-instance_name/ /root/etc-dirsrv-instance_name.bak/
  2. Click the Actions button, and select Remove this instance.
  3. Select Yes, I am sure, and click Remove Instance to confirm.

Verification

  • Verify that the /var/lib/dirsrv/slapd-instance_name/ and /etc/dirsrv/slapd-instance_name/ directories have been removed: 

    # ls /var/lib/dirsrv/slapd-instance_name /etc/dirsrv/slapd-instance_name/
ls: cannot access '/var/lib/dirsrv/slapd-instance_name': No such file or directory
ls: cannot access '/etc/dirsrv/slapd-instance_name': No such file or directory

Chapter 12. Uninstalling Directory Server
Copia collegamento

If you no longer need a Directory Server instance, you can uninstall it to reclaim space.

12.1. Uninstalling Directory Server
Copia collegamento

If you no longer require Directory Server running on a server, uninstall the packages as described in this section.

Procedure

  1. Remove all instances from the replication topology. If your instance is not a member of a replication topology skip this step.

  2. Remove all instances from the server. For each instance, enter: 

    # dsctl instance_name remove --do-it

  3. Remove the Directory Server packages: 

    # dnf module remove redhat-ds

  4. Optional: Disable the dirsrv-12-for-rhel-8-x86_64-rpms repository: 

    # subscription-manager repos --disable=dirsrv-12-for-rhel-8-x86_64-rpms
Repository 'dirsrv-12-for-rhel-8-x86_64-rpms' is disabled for this system.

  5. Optional: Remove the Red Hat Directory Server subscription from the system:

    Important

    If you remove a subscription that provides additional products than Directory Server, you will not be able to install or update packages for these products.

    • List the subscriptions attached to the host: 

      # subscription-manager list --consumed
Subscription Name:   Example Subscription
...
Pool-ID:             5ab6a8df96b03fd30aba9a9c58da57a1
...

    • Remove the subscription using the pool id from the previous step: 

      # subscription-manager remove --pool=5ab6a8df96b03fd30aba9a9c58da57a1
2 local certificates have been deleted.
The entitlement server successfully removed these pools:
   5ab6a8df96b03fd30aba9a9c58da57a1
The entitlement server successfully removed these serial numbers:
   1658239469356282126

Chapter 13. Logging in to the Directory Server by using the web console
Copia collegamento

The web console is a browser-based graphical user interface (GUI) that you can use for performing administrative tasks. The Directory Server package automatically installs the Directory Server user interface for the web console.

Prerequisites

  • You have permissions to access the web console.

Procedure

  1. Access the web console by using the following URL in your browser: 

    https://<directory_server_host>:9090
  2. Log in as a user with sudo privileges.

  3. Select the Red Hat Directory Server entry.

    logging-to-DS-web-console

Chapter 14. Starting and stopping a Directory Server instance
Copia collegamento

You can start, stop, and restart a Directory Server instance by using the command line or the web console.

Use the dsctl utility to start, stop, or restart a Directory Server instance.

Important

The dsctl utility is the only correct way to stop the Directory Server instances. Do not use the kill command to terminate the ns-slapd process to avoid any data loss and corruption.

Procedure

  • To start the instance, run: 

    # dsctl instance_name start

  • To stop the instance, run: 

    # dsctl instance_name stop

  • To restart the instance, run: 

    # dsctl instance_name restart

Optionally, you can enable Directory Server instances to automatically start when the system boots:

  • For a single instance, run: 

    # systemctl enable dirsrv@instance_name

  • For all instances on a server, run: 

    # systemctl enable dirsrv.target

Verification

You can check the instance status by using the dsctl or systemctl utility:

  • To view the instance status by using the dsctl utility, run: 

    # dsctl instance_name status

  • To view the instance status by using the systemctl utility, run: 

    # systemctl status dirsrv@instance_name

You can use the web console to start, stop, or restart a Directory Server instance.

Prerequisites

Procedure

  1. Select the Directory Server instance.

  2. Click the Actions button and select the action to execute:

    • Start Instance
    • Stop Instance

    • Restart Instance

      start stop DS

Verification

  • Ensure that the Directory Server instance is running. When the instance is not running, the web console displays the following message: 

    This server instance is not running, either start it from the Actions dropdown menu, or choose a different instance.

Chapter 15. Changing the LDAP and LDAPS port numbers
Copia collegamento

By default, Directory Server uses port 389 for the LDAP and, if you enabled, port 636 for the LDAPS protocol. You can change the port numbers, for example, to run multiple Directory Server instances on one host.

Important

Other services must not use new ports that you assigned to the protocols for an instance.

15.1. Changing the port numbers using the command line
Copia collegamento

You can change the port numbers of the LDAP and LDAPS protocol using the command line. LDAP and LDAPs port change requires update of the nsslapd-port and nsslapd-securePort parameters.

Procedure

  1. Optionally: Display the current port numbers for the instance: 

    # dsconf -D "cn=Directory Manager" ldap://server.example.com config get nsslapd-port nsslapd-securePort

  2. Change the LDAP port:

    1. Set the new port for the LDAP protocol. For example, to set it to 1389, run: 

      # dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-port=1389

    2. Set the ldap_port_t type for the LDAP port you assigned in the previous step: 

      # semanage port -a -t ldap_port_t -p tcp 1389

  3. Change the LDAPS port:

    1. Set the new port for the LDAPS protocol. For example, to set it to 1636, run: 

      # dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-securePort=1636

    2. Set the ldap_port_t type for the LDAPS port you assigned in the previous step: 

      # semanage port -a -t ldap_port_t -p tcp 1636

  4. Restart the instance: 

    # dsctl instance_name restart

Verification

  1. Verify that Directory Server now uses the new LDAP port by the command: 

    # dsconf instance_name config get nsslapd-port

  2. Verify that Directory Server now uses the new LDAPS port number by the command: 

    # dsconf instance_name config get nsslapd-securePort

15.2. Changing the port numbers using the web console
Copia collegamento

You can change the port numbers of the LDAP and LDAPS protocol using the web console.

Prerequisites

  • You are logged in to the instance in the web console.

Procedure

  1. Change the LDAP port:

    1. Open the Server Setting menu.
    2. On the Server Setting tab, enter the new port number into the LDAP Port field.
  2. Click Save.

  3. Change the LDAPS port:

    1. Open the Server Setting menu.
    2. On the General Settings tab, enter the new port number into the LDAPS Port field.
    3. Click Save.
  4. Restart the instance by clicking Action and selecting Restart Instance.

Verification

  1. Verify in the server setting that the changed port is reflected .

A ~/.dsrc file simplifies commands that use the Directory Server command-line utilities. By default, you can pass information, for example, the LDAP URL or the bind distinguished name (DN) to the command for these utilities. You can store the settings in a ~/.dsrc file to use the command-line utilities without specifying these settings each time.

16.1. How a .dsrc file simplifies commands
Copia collegamento

You can specify the LDAP URL of an instance and a bind DN in a ~/.dsrc file: 

# server1
uri = ldap://server1.example.com
binddn = cn=Directory Manager
basedn = dc=example,dc=com

You can use shorter Directory Server commands with these settings. For example, to create a user account: 

# dsidm server1 user create

Without the ~/.dsrc file, you must specify the bind DN, LDAP URL, and base DN in the command: 

# dsidm -D cn=Directory Manager ldap://server1.example.com -b "dc=example,dc=com" user create

16.2. Using the dsctl utility to create a .dsrc file
Copia collegamento

You can use the dsctl utility to create a ~/.dsrc file instead of creating it manually.

Procedure

  • Run: 
# dsctl instance_name dsrc create ...

You can add these options in the command:

  • --uri

When using the --uri option, sets the URL to the instance in the format protocol://host_name_or_IP_address_or_socket

For example:

  1. --uri ldap://server.example.com
  2. --uri = ldaps://server.example.com
  3. --uri = ldapi://%%2fvar%%2frun%%2fslapd-instance_name.socket

When you set the path to the Directory Server socket, use %%02 instead of slashes (/) in the path.

Important

The server identifies the user ID (UID) and group ID (GID) of the user who runs the Directory Server command-line utility when you use the ldapi URL. If you run the command as the root user, both UID and GID are 0 and Directory Server automatically authenticates you as cn=Directory Manager without entering the corresponding password.

  • --starttls

When using the --starttls option, configures the utilities to connect to an LDAP port and then send the STARTTLS command to switch to an encrypted connection.

  • --basedn

When using the --basedn option, sets the base distinguished name (DN).

For example: --basedn dc=example,dc=com

  • --binddn

When using the --basedn option, sets the bind DN.

For example: --binddn cn=Directory Manager

  • --pwdfile

When using the --pwdfile, sets the path to a file that contains the password of bind DN.

For example: --pwdfile /root/rhds.pwd

  • --tls-cacertdir

When using the --tls-cacertdir option, sets the path in this parameter which defines the directory with the certificate authority (CA) certificate that is required to verify the server’s certificate if you use the LDAPS connection.

For example: --tls-cacertdir /etc/pki/CA/certs/

Note

You can use the c_rehash /etc/pki/CA/certs/ command only when you copy the CA certificate to the specified directory.

  • --tls-cert

When using the --tls-certl option, sets the absolute path to the server’s certificate.

For example: --tls-cert /etc/dirsrv/slapd-instance_name/Server-Cert.crt

  • --tls-key

When using the --tls-key option, sets the absolute path to the server’s private key.

For example: --tls-key /etc/dirsrv/slapd-instance_name/Server-Cert.key

  • --tls-reqcert

When using the --tls-reqcert option, sets what checks the client utilities perform on server certificates in a TLS session.

For example: --tls-reqcert hard

These parameters are available:

  1. never: The utilities do not request or check the server certificate.
  2. allow: The utilities ignore certificate errors and the connection is established anyway.

  3. hard: The utilities terminate the connection on certificate errors.

    • --saslmech

When using the --saslmech option, sets the SASL mechanism to use to PLAIN or EXTERNAL.

For example: --saslmech PLAIN

You can call Directory Server commands remotely and locally when securing the Directory Server connection. When you run a Directory Server command with an LDAP URL specified, the server considers it as a remote connection and checks the /etc/openldap/ldap.conf configuration file along with system-wide settings to proceed with the command.

When you run a Directory Server command with an instance name specified, the server checks if the ~/.dsrc file is present and applies the following logic to proceed:

  1. The Directory Server considers the ~/.dsrc file as a remote connection and checks whether the /etc/openldap/ldap.conf configuration file and system-wide settings contain both the instance name and the LDAP URL.
  2. The Directory Server considers the ~/.dsrc file as a local connection and uses the nsslapd-certdir setting from the local dse.ldif file to secure the connection if the ~/.dsrc file contains only the specified instance name, or if the ~/.dsrc file does not exist. The server uses the default path /etc/dirsrv/slapd-instance_name/ to store the Network Security Services (NSS) database of the instance if nsslapd-certdir is not present.

Chapter 17. Creating test entries
Copia collegamento

The dsctl ldifgen command creates LDIF files with different types of test entries. For example, you can use this LDIF file to populate a test instance or a sub-tree to test the performance of Directory Server with the example entries.

17.1. Overview of testing entries you can create
Copia collegamento

You can pass one of the following entry type arguments to dsctl ldifgen:

  • users: Creates an LDIF file that contains user entries.
  • groups: Creates an LDIF file that contains static group and member entries.
  • cos-def: Creates an LDIF file that either contains a classic pointer or an indirect Class of Service (CoS) definition.
  • cos-template: Creates an LDIF file that contains a CoS template.
  • roles: Creates an LDIF file that contains managed, filtered, or indirect role entries.
  • mod-load: Creates an LDIF file that contains modify operations. Use the ldapmodify utility to load the file into the directory.
  • nested: Creates an LDIF file that contains heavily nested entries in a cascading or fractal tree design.
Note

The dsctl ldifgen command creates only the LDIF file. To load the file into your Directory Server instance, use the:

  • ldapmodify utility after you created an LDIF file using the mod-load option
  • ldapadd utility for all other options

Except for the nested entry type, if you do not provide any command line options, the dsctl ldifgen command uses an interactive mode: 

# dsctl instance_name ldifgen entry_type

17.2. Creating an LDIF file with example user entries
Copia collegamento

Use the dsctl ldifgen users command to create an LDIF file with example user entries.

Procedure

  1. For example, to create an LDIF file named /tmp/users.ldif that adds 100,000 generic users to the dc=example,dc=com suffix, enter: 

    # dsctl instance_name ldifgen users --suffix "dc=example,dc=com" --number 100000 --generic --ldif-file=/tmp/users.ldif

    Note that the command creates the following organizational units (OU) and randomly assigns the users to these OUs:

    • ou=accounting
    • ou=product development
    • ou=product testing
    • ou=human resources
    • ou=payroll
    • ou=people

    • ou=groups

      For further details and other options you can use to create the LDIF file, enter: 

      # dsctl instance_name ldifgen users --help

  2. Optional: Add the test entries to the directory: 

    # ldapadd -D "cn=Directory Manager" -W -H ldap://server.example.com -x -c -f /tmp/users.ldif

17.3. Creating an LDIF file with example group entries
Copia collegamento

Use the dsctl ldifgen groups command to create an LDIF file with example user entries.

Procedure

  1. For example, to create an LDIF file named /tmp/groups.ldif that adds 500 groups to the ou=groups,dc=example,dc=com entry, and each group has 100 members, enter: 

    # dsctl instance_name ldifgen groups --number 500 --suffix "dc=example,dc=com" --parent "ou=groups,dc=example,dc=com" --num-members 100 --create-members --member-parent "ou=People,dc=example,dc=com" --ldif-file /tmp/groups.ldif example_group__

    Note that the command also creates LDIF statements to add the user entries in ou=People,dc=example,dc=com.

    For further details and other options you can use to create the LDIF file, enter: 

    # dsctl instance_name ldifgen groups --help

  2. Optional: Add the test entries to the directory: 

    # ldapadd -D "cn=Directory Manager" -W -H ldap://server.example.com -x -c -f /tmp/groups.ldif

17.4. Creating an LDIF file with an example CoS definition
Copia collegamento

Use the dsctl ldifgen cos-def command to create an LDIF file with a Class of Service (CoS) definition.

Procedure

  1. For example, to create an LDIF file named /tmp/cos-definition.ldif that adds a classic CoS definition to the ou=cos-definitions,dc=example,dc=com entry, enter: 

    # dsctl instance_name ldifgen cos-def Postal_Def --type classic --parent "ou=cos definitions,dc=example,dc=com" --cos-specifier businessCatagory --cos-template "cn=sales,cn=classicCoS,dc=example,dc=com" --cos-attr postalcode telephonenumber --ldif-file /tmp/cos-definition.ldif

    For further details and other options you can use to create the LDIF file, enter: 

    # dsctl instance_name ldifgen cos-def --help

  2. Optional: Add the test entries to the directory: 

    # ldapadd -D "cn=Directory Manager" -W -H ldap://server.example.com -x -c -f /tmp/cos-definition.ldif

17.5. Creating an LDIF file with example modification statements
Copia collegamento

Use the dsctl ldifgen mod-load command to create an LDIF file that contains update operations.

Procedure

  1. For example, to create an LDIF file named /tmp/modifications.ldif: 

    # dsctl instance_name ldifgen mod-load --num-users 1000 --create-users --parent="ou=People,dc=example,dc=com" --mod-attrs="sn" --add-users 10 --modrdn-users 100 --del-users 100 --delete-users --ldif-file=/tmp/modifications.ldif

    This command creates a file named /tmp/modifications.ldif file with the statements that do the following:

    • Create an LDIF file with 1000 ADD operations to create user entries in ou=People,dc=example,dc=com.
    • Modify all entries by changing their sn attributes.
    • Add additional 10 user entries.
    • Perform 100 MODRDN operations.
    • Delete 100 entries

    • Delete all remaining entries at the end

      For further details and other options you can use to create the LDIF file, enter: 

      # dsctl instance_name ldifgen mod-load --help

  2. Optional: Add the test entries to the directory: 

    # ldapadd -D "cn=Directory Manager" -W -H ldap://server.example.com -x -c -f /tmp/modifications.ldif

17.6. Creating an LDIF file with nested example entries
Copia collegamento

Use the dsctl ldifgen nested command to create an LDIF file that contains a heavily nested cascading fractal structure.

Procedure

  1. For example, to create an LDIF file named /tmp/nested.ldif that adds 600 users in total in different organizational units (OU) under the dc=example,dc=com entry, with each OU containing a maximum number of 100 users, enter: 

    # dsctl instance_name ldifgen nested --num-users 600 --node-limit 100 --suffix "dc=example,dc=com" --ldif-file /tmp/nested.ldif

    For further details and other options you can use to create the LDIF file, enter: 

    # dsctl instance_name ldifgen nested --help

  2. Optional: Add the test entries to the directory: 

    # ldapadd -D "cn=Directory Manager" -W -H ldap://server.example.com -x -c -f /tmp/nested.ldif

Legal Notice
Copia collegamento

Copyright © Red Hat.
Except as otherwise noted below, the text of and illustrations in this documentation are licensed by Red Hat under the Creative Commons Attribution–Share Alike 3.0 Unported license . If you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, the Red Hat logo, JBoss, Hibernate, and RHCE are trademarks or registered trademarks of Red Hat, LLC. or its subsidiaries in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
XFS is a trademark or registered trademark of Hewlett Packard Enterprise Development LP or its subsidiaries in the United States and other countries.
The OpenStack® Word Mark and OpenStack logo are trademarks or registered trademarks of the Linux Foundation, used under license.
All other trademarks are the property of their respective owners.
Red Hat logoGithubredditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi. Esplora i nostri ultimi aggiornamenti.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita il Blog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

Theme

© 2026 Red HatTorna in cima