
This is a read-only archived version of wiki.centos.org

How to Install CentOS Directory Server on CentOS 5

By Morenisco morenisco@cdsl.cl

Full document at: http://morenisco.noc-root.net/files/manuals/Como_Instalar_CentOS_Directory_Server_en_CentOS5.pdf

I Introduction to CentOS Directory Server

  1. It is a directory server based on RedHat Directory Server, in the manner of a fork, just as the distro is with respect to RedHat Enterprise Linux and Fedora.

  2. The base system is licensed under GPLv2, and RedHat (who holds the copyright) includes an exception so that it can be linked with non-GPL software.

II Main features of CentOS Directory Server

  1. Supports LDAPv3.
  2. Extensive documentation, since it uses that of RedHat Directory Server, which can be accessed from the internet without needing a RedHat license.
  3. Supports secure authentication with SSLv3, TLSv1 and SASL.
  4. Implements advanced replication features, namely Multimaster Replication.
  5. Can synchronize users and groups with Active Directory (well, I don't much like synchronizing things with Microsoft products, but it is a feature and it has to be mentioned).
  6. Has a very complete graphical administration interface that centralizes everything related to managing services, users, groups and logs, and from which backups can be made, among other things.

III Applications of the Directory Service

The applications or uses of a directory service are varied; below is a list of some of them:

  1. It is mainly used for authentication purposes, so any application that needs it and has LDAP support will be able to authenticate and obtain the information it needs from the directory server, such as e-mail address, telephone, postal address, etc.
  2. There are different services that support LDAP, for example the Squid proxy and the Postfix smtp server, and it is used to implement "ldap naming".
  3. The Thunderbird mail client (like others, such as Evolution) has LDAP support, so you can connect to a server of this type and obtain your e-mail address book.
  4. On Linux/Unix systems it is possible to authenticate operating system users against an LDAP server, via PAM and libuser, instead of the default authentication (/etc/passwd, /etc/shadow, /etc/group). This provides centralized authentication, which greatly simplifies account administration for thin-client or shared-access systems.

IV Steps prior to installation

1. Checking the hostname

So that there are no problems with the installation, the hostname of the node on which we are installing CDS must match its FQDN (fully qualified domain name):

[morenisco@dirserver1 ~]$ hostname
dirserver1.cdsl.cl

Checking the operating system version

This documentation was written for CentOS 5.2:

[morenisco@dirserver1 ~]$ cat /etc/issue
CentOS release 5.2 (Final)
Kernel \r on an \m

2. Getting the CentOS testing repository file

[root@dirserver1 ~]# cd /etc/yum.repos.d/
[root@dirserver1 yum.repos.d]# ls -l
total 16
-rw-r--r-- 1 root root 2049 Jun 19 2008 CentOS-Base.repo
-rw-r--r-- 1 root root 626 Jun 19 2008 CentOS-Media.repo
[root@dirserver1 yum.repos.d]#
[root@dirserver1 yum.repos.d]# wget -v http://dev.centos.org/centos/5/CentOS-Testing.repo
--09:21:16-- http://dev.centos.org/centos/5/CentOS-Testing.repo
Resolving dev.centos.org... 204.15.73.242
Connecting to dev.centos.org|204.15.73.242|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 710 [text/plain]
Saving to: `CentOS-Testing.repo'

100%[===============================================================>] 710 --.-K/s in 0s

09:21:17 (60.0 MB/s) - `CentOS-Testing.repo' saved [710/710]
[root@dirserver1 yum.repos.d]#

3. Excluding a specific java version from the testing repository

In the file that describes the repository it is necessary to add the line exclude=java-1.7.0-icedtea, so that this package is excluded from installation.

[root@dirserver1 ~]# cd /etc/yum.repos.d/
[root@dirserver1 yum.repos.d]# ls -l
total 24
-rw-r--r-- 1 root root 2049 Jun 19 2008 CentOS-Base.repo
-rw-r--r-- 1 root root 626 Jun 19 2008 CentOS-Media.repo
-rw-r--r-- 1 root root 710 Apr 17 2007 CentOS-Testing.repo
[root@dirserver1 yum.repos.d]#
[root@dirserver1 yum.repos.d]# vim CentOS-Testing.repo

[c5-testing]
name=CentOS-5 Testing
baseurl=http://dev.centos.org/centos/$releasever/testing/$basearch/
enabled=0
gpgcheck=1
gpgkey=http://dev.centos.org/centos/RPM-GPG-KEY-CentOS-testing
# Added by hand
exclude=java-1.7.0-icedtea

# CentOS-Testing:
# !!!! CAUTION !!!!
# This repository is a proving grounds for packages on their way to CentOSPlus and CentOS Extras.
# They may or may not replace core CentOS packages, and are not guaranteed to function properly.
# These packages build and install, but are waiting for feedback from testers as to
# functionality and stability. Packages in this repository will come and go during the
# development period, so it should not be left enabled or used on production systems without due
# consideration.
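The hostname check (step 1) and the repository edit (step 3) above, scripted as an added example that is not part of the original guide: check_fqdn verifies that a name is fully qualified, and check_testing_repo verifies that the [c5-testing] section of a .repo file is still enabled=0, keeps gpgcheck=1 and carries the hand-added exclude line. The function names and the temporary sample file are this example's own; only sh, grep and awk are used.

```shell
#!/bin/sh
# Added example (not part of the original guide): scripted versions of the
# two pre-installation checks. The testing repo must stay disabled by default
# and GPG-checked, and must exclude java-1.7.0-icedtea, exactly as edited above.

# Succeed when NAME looks like a fully qualified domain name (host.domain.tld).
check_fqdn() {
    printf '%s\n' "$1" |
        grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# Print the value of KEY inside the [SECTION] block of FILE.
# Comment lines are skipped; return 1 when the key is absent from that section.
repo_value() {
    awk -v sec="[$2]" -v key="$3" '
        /^[[:space:]]*#/            { next }
        /^\[/                       { insec = ($0 == sec); next }
        insec && index($0, key "=") == 1 {
            print substr($0, length(key) + 2); found = 1; exit
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Validate the c5-testing section of FILE against the settings the guide relies on.
check_testing_repo() {
    file="$1"
    v=$(repo_value "$file" c5-testing enabled)  || { echo "enabled= missing"; return 1; }
    [ "$v" = "0" ] || { echo "c5-testing should stay enabled=0, got enabled=$v"; return 1; }
    v=$(repo_value "$file" c5-testing gpgcheck) || { echo "gpgcheck= missing"; return 1; }
    [ "$v" = "1" ] || { echo "gpgcheck should be 1, got gpgcheck=$v"; return 1; }
    v=$(repo_value "$file" c5-testing exclude)  || { echo "exclude= line missing"; return 1; }
    # exclude= takes a whitespace- or comma-separated package list
    printf '%s\n' "$v" | tr ' ,' '\n\n' | grep -qx 'java-1.7.0-icedtea' ||
        { echo "exclude= does not list java-1.7.0-icedtea"; return 1; }
    echo "c5-testing repo file ok"
}

# Stand-alone run against a constructed copy of the repo file shown above.
SAMPLE_REPO=$(mktemp)
cat > "$SAMPLE_REPO" <<'EOF'
[c5-testing]
name=CentOS-5 Testing
baseurl=http://dev.centos.org/centos/$releasever/testing/$basearch/
enabled=0
gpgcheck=1
gpgkey=http://dev.centos.org/centos/RPM-GPG-KEY-CentOS-testing
# Added by hand
exclude=java-1.7.0-icedtea
EOF
check_fqdn dirserver1.cdsl.cl && echo "dirserver1.cdsl.cl is fully qualified"
check_fqdn dirserver1 || echo "dirserver1 is a short hostname; fix it before running setup"
check_testing_repo "$SAMPLE_REPO"
rm -f "$SAMPLE_REPO"
```

On a real node, run check_fqdn "$(hostname)" and check_testing_repo /etc/yum.repos.d/CentOS-Testing.repo before installing the centos-ds package.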

4. Installing some required dependencies

[root@dirserver1 ~]# yum install xorg-x11-xauth bitstream-vera-fonts dejavu-lgc-fonts urw-fonts
Setting up Install Process
[...output omitted...]
Installed: urw-fonts.noarch 0:2.3-6.1.1
Complete!
[root@dirserver1 ~]#

Installing CentOS Directory Server

To install the meta package that contains the CentOS Directory Server distribution, it is necessary to enable the testing repository so that the meta package is fetched from there. The command that performs both operations, together with its output, is the following:

[root@dirserver1 ~]# yum --enablerepo=c5-testing install centos-ds
c5-testing 100% |=========================| 1.9 kB 00:00
primary.sqlite.bz2 100% |=========================| 389 kB 00:01
Excluding Packages from CentOS-5 Testing
Finished
Setting up Install Process
[...output omitted...]
Installed: centos-ds.i386 0:8.0.0-1.4.el5.centos.4
Dependency Installed: adminutil.i386 0:1.1.7-3.el5.centos.1 antlr.i386 0:2.7.6-4jpp.2 apr.i386 0:1.2.7-11 apr-util.i386 0:1.2.7-7.el5 ca-certificates.noarch 0:2008-6 centos-admin-console.noarch 0:8.0.0-11.el5.centos.4 centos-ds-admin.i386 0:8.0.4-3.el5.centos.1 centos-ds-base.i386 0:8.0.4-7.el5.centos.0 centos-ds-console.noarch 0:8.0.0-11.el5.centos.4 centos-idm-console.i386 0:1.0.0-17.el5.centos.4 cyrus-sasl-gssapi.i386 0:2.1.22-4 cyrus-sasl-md5.i386 0:2.1.22-4 giflib.i386 0:4.1.3-7.1.el5.1 gjdoc.i386 0:0.7.7-12.el5 httpd.i386 0:2.2.8-1.el5s2.centos idm-console-framework.noarch 0:1.1.1-0.el5.centos.4 java-1.4.2-gcj-compat.i386 0:1.4.2.0-40jpp.115 java-1.6.0-openjdk.i386 1:1.6.0.0-0.16.b09.el5.centos jpackage-utils.noarch 0:1.7.5-1jpp.1.el5.centos jss.i386 0:4.2.4-41.el5.centos.4 ldapjdk.i386 0:4.18-2jpp.3.el5 libicu.i386 0:3.6-5.11.1 mod_nss.i386 0:1.0.3-4.el5 mozldap.i386 0:6.0.5-1.el5 mozldap-tools.i386 0:6.0.5-1.el5 net-snmp-libs.i386 1:5.3.1-24.el5_2.2 perl-Mozilla-LDAP.i386 0:1.5.2-4.el5 postgresql-libs.i386 0:8.1.11-1.el5_1.1 svrcore.i386 0:4.0.4-3.el5 tzdata-java.noarch 0:2007k-2.el5.centos
Complete!
[root@dirserver1 ~]#

Checking the java version in use

[morenisco@dirserver1 ~]$ rpm -qa | grep java
java-1.6.0-openjdk-1.6.0.0-0.16.b09.el5.centos
tzdata-java-2007k-2.el5.centos
java-1.4.2-gcj-compat-1.4.2.0-40jpp.115
[morenisco@dirserver1 ~]$ java -version
java version "1.6.0"
OpenJDK Runtime Environment (build 1.6.0-b09)
OpenJDK Client VM (build 1.6.0-b09, mixed mode)
[morenisco@dirserver1 ~]$

Configuring the directory service

In this section, the lines where you have to answer, or simply accept by pressing Enter, appear in bold.

Run the configuration utility:

[root@dirserver1 ~]# /usr/sbin/setup-ds-admin.pl

==================================================================
This program will set up the CentOS Directory and Administration Servers.

It is recommended that you have "root" privilege to set up the software.

Tips for using this program:
- Press "Enter" to choose the default and go to the next screen
- Type "Control-B" then "Enter" to go back to the previous screen
- Type "Control-C" to cancel the setup program

Would you like to continue with set up? [yes]: yes

==================================================================
BY SETTING UP AND USING THIS SOFTWARE YOU ARE CONSENTING TO BE BOUND BY
AND ARE BECOMING A PARTY TO THE AGREEMENT FOUND IN THE
LICENSE.TXT FILE. IF YOU DO NOT AGREE TO ALL OF THE TERMS
OF THIS AGREEMENT, PLEASE DO NOT SET UP OR USE THIS SOFTWARE.

Do you agree to the license terms? [no]: yes

==================================================================
Your system has been scanned for potential problems, missing patches,
etc. The following output is a report of the items found that need to be
addressed before running this software in a production environment.

CentOS Directory Server system tuning analysis version 10-AUGUST-2007.

NOTICE : System is i686-unknown-linux2.6.18-92.el5 (1 processor).

WARNING: 503MB of physical memory is available on the system. 1024MB is recommended for best performance on large production system.

NOTICE : The net.ipv4.tcp_keepalive_time is set to 7200000 milliseconds (120 minutes). This may cause temporary server congestion from lost client connections.

WARNING: There are only 1024 file descriptors (hard limit) available, which limit the number of simultaneous connections.

WARNING: There are only 1024 file descriptors (soft limit) available, which limit the number of simultaneous connections.

Would you like to continue? [no]: yes

==================================================================
Choose a setup type:

1. Express
Allows you to quickly set up the servers using the most common options and pre-defined defaults. Useful for quick evaluation of the products.

2. Typical
Allows you to specify common defaults and options.

3. Custom
Allows you to specify more advanced options. This is recommended for experienced server administrators only.

To accept the default shown in brackets, press the Enter key.

Choose a setup type [2]:

==================================================================
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: eros.example.com.

To accept the default shown in brackets, press the Enter key.

Computer name [dirserver1.cdsl.cl]:

==================================================================
The servers must run as a specific user in a specific group.
It is strongly recommended that this user should have no privileges
on the computer (i.e. a non-root user). The setup procedure
to perform server-specific operations.

If you have not yet created a user and group for the servers,
create this user and group using your native operating
system utilities.

System User [nobody]:
System Group [nobody]:

==================================================================
Server information is stored in the configuration directory server.
This information is used by the console and administration server to
configure and manage your servers. If you have already set up a
configuration directory server, you should register any servers you
set up or create with the configuration server. To do so, the
following information about the configuration server is required: the
fully qualified host name of the form
<hostname>.<domainname>(e.g. hostname.example.com), the port number
(default 389), the suffix, the DN and password of a user having
permission to write the configuration information, usually the
configuration directory administrator, and if you are using security
(TLS/SSL). If you are using TLS/SSL, specify the TLS/SSL (LDAPS) port
number (default 636) instead of the regular LDAP port number, and
provide the CA certificate (in PEM/ASCII format).

If you do not yet have a configuration directory server, enter 'No' to be prompted to set up one.

Do you want to register this software with an existing configuration directory server? [no]:

==================================================================
Please enter the administrator ID for the configuration directory
server. This is the ID typically used to log in to the console. You
will also be prompted for the password.

Configuration directory server
administrator ID [admin]:
Password:
Password (confirm):

==================================================================
The information stored in the configuration directory server can be
separated into different Administration Domains. If you are managing
multiple software releases at the same time, or managing information
about multiple domains, you may use the Administration Domain to keep
them separate.

If you are not using administrative domains, press Enter to select the
default. Otherwise, enter some descriptive, unique name for the
administration domain, such as the name of the organization
responsible for managing the domain.

Administration Domain [cdsl.cl]:

==================================================================
The standard directory server network port number is 389. However, if
you are not logged as the superuser, or port 389 is in use, the
default value will be a random unused port number greater than 1024.
If you want to use port 389, make sure that you are logged in as
the superuser, that port 389 is not in use.

Directory server network port [389]:

==================================================================
Each instance of a directory server requires a unique identifier.
This identifier is used to name the various
instance specific files and directories in the file system,
as well as for other uses as a server instance identifier.

Directory server identifier [dirserver1]:

==================================================================
The suffix is the root of your directory tree. The suffix must be a valid DN.
It is recommended that you use the dc=domaincomponent suffix convention.
For example, if your domain is example.com,
you should use dc=example,dc=com for your suffix.
Setup will create this initial suffix for you,
but you may have more than one suffix.
Use the directory server utilities to create additional suffixes.

Suffix [dc=cdsl, dc=cl]:

==================================================================
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and typically has a
bind Distinguished Name (DN) of cn=Directory Manager.
You will also be prompted for the password for this user. The password must
be at least 8 characters long, and contain no spaces.

Directory Manager DN [cn=Directory Manager]:
Password:
Password (confirm):

==================================================================
The Administration Server is separate from any of your web or application
servers since it listens to a different port and access to it is
restricted.

Pick a port number between 1024 and 65535 to run your Administration
Server on. You should NOT use a port number which you plan to
run a web or application server on, rather, select a number which you
will remember and which will not be used for anything else.

Administration port [9830]:

==================================================================
The interactive phase is complete. The script will now set up your
servers. Enter No or go Back if you want to change something.

Are you ready to set up your servers? [yes]:
Creating directory server . . .
Your new DS instance 'dirserver1' was successfully created.
Creating the configuration directory server . . .
Beginning Admin Server creation . . .
Creating Admin Server files and directories . . .
Updating adm.conf . . .
Updating admpw . . .
Registering admin server with the configuration directory server . . .
Updating adm.conf with information from configuration directory server . . .
Updating the configuration for the httpd engine . . .
Starting admin server . . .
The admin server was successfully started.
Admin server was successfully created, configured, and started.
Exiting . . .
Log file is '/tmp/setupmKPwo4.log'
[root@dirserver1 ~]#

Some post installation/configuration checks

1. Checking whether the directory service started

[root@dirserver1 ~]# /etc/init.d/dirsrv status
dirsrv dirserver1 (pid 4879) is running...

==> it is running.

2. Checking whether port 389 "came up"

[root@dirserver1 ~]# netstat -tln | grep 389
tcp 0 0 :::389 :::* LISTEN

==> it is listening.

Let's see which program is using port 389:

[root@dirserver1 ~]# lsof -i:389
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
ns-slapd 6394 nobody 7u IPv6 18701 TCP *:ldap (LISTEN)
[root@dirserver1 ~]#

Ok, the ns-slapd binary is the one implementing the service and occupying port 389, just so you know...

3. Checking whether the administration service started

This is very important, since through this service we will be able to log in to the administration application whenever necessary; from there you have control of the directory tree, you can perform operations such as stopping, starting and restarting the directory service (naturally this can also be done from the command line), configure Multi Master Replication, etc.

[root@dirserver1 ~]# /etc/init.d/dirsrv-admin status
dirsrv-admin (pid 6482) is running...

==> Ok, it is running.

4. Launching the administration console

We launch the administration console with the following command:

[morenisco@dirserver1 ~]$ centos-idm-console -a http://localhost:9830

Note: port 9830 was set during the configuration process. If you specified a different one, you should replace it in the command.

Then the login window appears, where you must enter the login (by default it is admin, unless you specified another during the configuration process).

Authenticating a user and performing a search

The purpose of this test is to check in a simple way that the directory service is working, by performing two basic operations (bind and search):

A bind means accessing the ldap system with some kind of credentials, either an anonymous access, which is not in itself an anonymous account, or by specifying a user and a password (anonymous bind and search, or a user without a password, are often allowed, but that is certainly not the most secure).

For this part I created a user whose DN (distinguished name) is the following:

"uid=lvivero,ou=people,dc=cdsl,dc=cl"

Then, using one of the tools provided by openldap-clients.i386, ldapsearch, I performed a simple search, specifying the user's DN and password, as follows:

[morenisco@dirserver1 ~]$ ldapsearch -x -D "uid=lvivero,ou=people,dc=cdsl,dc=cl" -w L34rn1n6 -b "ou=people,dc=cdsl,dc=cl" "objectclass=*"
#
# LDAPv3
# base <ou=people,dc=cdsl,dc=cl> with scope subtree
# filter: objectclass=*
# requesting: ALL
#

# People, cdsl.cl
dn: ou=People, dc=cdsl, dc=cl
objectClass: top
objectClass: organizationalunit
ou: People

# LVivero, People, cdsl.cl
dn: uid=LVivero,ou=People, dc=cdsl, dc=cl
mail: morenisco@noc-root.net
uid: LVivero
givenName: Luis
objectClass: top
objectClass: person
objectClass: inetorgperson
sn: Vivero
cn: Luis Vivero

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

As can be seen, we obtained the output resulting from the search, permitted by a correct bind.

If you enter the wrong password, or if authentication does not work, you would get the following:

[morenisco@dirserver1 ~]$ ldapsearch -x -D "uid=lvivero,ou=people,dc=cdsl,dc=cl" -w L34rn1n7 -b "ou=people,dc=cdsl,dc=cl" "objectclass=*"
ldap_bind: Invalid credentials (49)
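The post-installation checks (lsof on port 389) and the bind test above, scripted as an added example that is not part of the original guide: one function confirms that the ldap port listener is ns-slapd running as the unprivileged system user chosen during setup (nobody), the other classifies ldapsearch output as an accepted bind, a rejected bind with its result code, or something else. The function names are this example's own, and the sample inputs are constructed copies of the session output shown above.

```shell
#!/bin/sh
# Added example (not part of the original guide): the manual post-install
# checks as functions that parse the output of the same commands, so they can
# be repeated from a script or a monitoring check.

# Read `lsof -i:389` output on stdin. Succeed only when the LISTEN socket on the
# ldap port belongs to ns-slapd running as the expected unprivileged user, and
# flag any listener on that port that runs as root.
check_ldap_listener() {
    awk -v user="${1:-nobody}" '
        $NF == "(LISTEN)" && $(NF-1) ~ /:(ldap|389)$/ {
            if ($1 == "ns-slapd" && $3 == user) ok = 1
            if ($3 == "root") { print "WARNING: " $1 " (pid " $2 ") listens on the ldap port as root"; bad = 1 }
        }
        END { exit (ok && !bad) ? 0 : 1 }'
}

# Read `ldapsearch ... 2>&1` output on stdin and print one classification line:
#   ok <n>          bind accepted, <n> entries returned ("# numEntries:" line)
#   rejected <code> bind refused, e.g. 49 = Invalid credentials
#   unknown         neither a success result nor an ldap_bind error was seen
classify_ldapsearch() {
    awk '
        /^ldap_bind: /        { match($0, /\([0-9]+\)$/); code = substr($0, RSTART + 1, RLENGTH - 2) }
        /^# numEntries: /     { n = $3 }
        /^result: 0 Success/  { success = 1 }
        END {
            if (code != "")   print "rejected " code
            else if (success) print "ok " (n == "" ? 0 : n)
            else              print "unknown"
        }'
}

# Constructed sample outputs, copied from the session shown above, for a stand-alone run.
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
ns-slapd 6394 nobody 7u IPv6 18701 TCP *:ldap (LISTEN)'
SAMPLE_GOOD_BIND='# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2'
SAMPLE_BAD_BIND='ldap_bind: Invalid credentials (49)'

printf '%s\n' "$SAMPLE_LSOF" | check_ldap_listener nobody && echo "ldap listener ok"
printf '%s\n' "$SAMPLE_GOOD_BIND" | classify_ldapsearch   # ok 2
printf '%s\n' "$SAMPLE_BAD_BIND"  | classify_ldapsearch   # rejected 49
```

Against a live server, pipe the real commands in, e.g. lsof -i:389 | check_ldap_listener nobody and ldapsearch -x -D "uid=lvivero,ou=people,dc=cdsl,dc=cl" -W -b "ou=people,dc=cdsl,dc=cl" "objectclass=*" 2>&1 | classify_ldapsearch; -W prompts for the password instead of leaving it in the process list and shell history as -w does.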


2023-09-11 07:23