1.2. Considerations Before Setting Up Directory Server
1.2.1. Fully Qualified Domain Name Resolution
The host name of the server must resolve to a fully qualified domain name (FQDN), such as server.example.com. The Directory Server installation uses the FQDN to generate default values, such as the instance name, the admin domain, and the LDAP base suffix. The setup script uses the operating system's gethostname() function to obtain the host and domain name.
- Resolving the host name:
  # host server.example.com
  server.example.com has address 192.0.2.1
  When using a CNAME record, verify that it resolves correctly:
  # host ldap.example.com
  ldap.example.com is an alias for server.example.com.
  server.example.com has address 192.0.2.1
- Resolving the IP address:
  # host 192.0.2.1
  1.0.2.192.in-addr.arpa domain name pointer server.example.com.
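The following script is an added example, not code from the Red Hat documentation: it runs the forward and reverse lookups shown above (following a CNAME to its canonical name first), fails if the two do not agree or if the name is not fully qualified, and then prints the defaults that setup derives from the FQDN. It assumes the host utility and the output format shown above; the derivation rules for the instance name (host part), admin domain (domain part) and suffix (domain split into dc= components, as in section 1.2.8) are my reading of the defaults, not taken from the page. The function names are mine.

```shell
# Added example, not part of the Red Hat documentation.
# Checks that a host name resolves to an FQDN and back again before running
# setup, and prints the defaults that setup derives from the FQDN.
# Assumes the "host" utility (bind-utils) and its output format shown above;
# the derivation rules for instance name / admin domain / suffix are assumptions.

# First A record for a name ("name has address 192.0.2.1" -> 192.0.2.1).
forward_lookup() {
    host "$1" | awk '/has address/ { print $NF; exit }'
}

# PTR name for an address, with the trailing dot removed.
reverse_lookup() {
    host "$1" | awk '/domain name pointer/ { sub(/\.$/, "", $NF); print $NF; exit }'
}

# Canonical name behind a CNAME ("x is an alias for y." -> y), empty if none.
canonical_name() {
    host "$1" | awk '/is an alias for/ { sub(/\.$/, "", $NF); print $NF; exit }'
}

# Succeeds (and prints "name address") only when name -> address -> name
# round-trips; a short host name or a mismatched PTR is reported on stderr.
check_fqdn() {
    name=$1
    case $name in
        *.*) ;;
        *) echo "$name is not fully qualified" >&2; return 1 ;;
    esac
    canon=$(canonical_name "$name")
    if [ -n "$canon" ]; then
        name=$canon
    fi
    addr=$(forward_lookup "$name")
    if [ -z "$addr" ]; then
        echo "no address record for $name" >&2; return 1
    fi
    ptr=$(reverse_lookup "$addr")
    if [ "$ptr" != "$name" ]; then
        echo "PTR for $addr is '$ptr', expected $name" >&2; return 1
    fi
    echo "$name $addr"
}

# Defaults setup derives from the FQDN (assumed rules): the host part becomes
# the instance name, the domain part the admin domain, and the domain split on
# dots becomes the suffix, e.g. example.com -> dc=example,dc=com.
default_instance()     { printf '%s\n' "${1%%.*}"; }
default_admin_domain() { printf '%s\n' "${1#*.}"; }
default_suffix()       { printf 'dc=%s\n' "${1#*.}" | sed 's/\./,dc=/g'; }

# Runs the check against $1, or against what gethostname() returns, which is
# what the setup script itself uses.
preflight() {
    fqdn=${1:-$(hostname)}
    check_fqdn "$fqdn" || return 1
    echo "instance name: $(default_instance "$fqdn")"
    echo "admin domain:  $(default_admin_domain "$fqdn")"
    echo "base suffix:   $(default_suffix "$fqdn")"
}

# Usage: sh ds-preflight.sh --run [fqdn]
case ${1:-} in
    --run) shift; preflight "$@" ;;
esac
```

Running it without an argument checks the bare gethostname() result, which is the value setup will use; if that returns a short name, the check fails before setup has a chance to build wrong defaults from it.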
1.2.2. Port Numbers
The Directory Server port number defaults to 389. The Administration Server port number defaults to 9830. If the default port number for either server is in use, the setup program randomly generates a port number larger than 1024 to use as the default. Alternatively, you can assign any port number between 1025 and 65535 for the Directory Server and Administration Server ports; you are not required to use the defaults or the randomly generated ports.
Note
Although port numbers can range from 1 to 65535, the Internet Assigned Numbers Authority (IANA) has already assigned ports 1 to 1024 to common processes. Never assign a Directory Server port number below 1024 (except for 389/636 for the LDAP server) because this may conflict with other services.
The LDAPS (LDAP over TLS) port number defaults to 636. The server can listen on both the LDAP and LDAPS ports at the same time. However, the setup program does not allow you to configure TLS. To use LDAPS, assign the LDAP port number during setup, then reconfigure the Directory Server to use the LDAPS port and the other TLS parameters afterward. For information on how to configure LDAPS, see the Red Hat Directory Server Administration Guide.
Note
To check whether a port is already in use, use netstat.
The setup program, setup-ds-admin.pl, does not allow you to configure the Administration Server to use TLS. To use TLS (meaning HTTPS) with the Administration Server, first set up the Administration Server to use HTTP, then reconfigure it to use HTTPS.
Important
Running several Directory Server instances on the same port is supported only in the following setup:
- Multiple Directory Server instances are installed on one host.
- Each instance is bound to a different local network interface.
- All instances use the same port number, such as 389.
To use a port number below 1024, such as the default LDAP port (389), you must run the setup program and start the servers as root. You do not, however, have to set the server user ID to root. When it starts, the server binds and listens to its port as root, then immediately drops its privileges and runs as the non-root server user ID. When the system restarts, the server is started as root by the init script. The setuid(2) man page has detailed technical information.
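As an added example (mine, not from the Red Hat documentation), the script below turns the rules of this section into a pre-flight check for a candidate port: it rejects anything outside 1 to 65535, anything in the IANA range 1 to 1024 other than 389 or 636, and any port that already has a listener according to netstat, the tool the note above names. It assumes netstat from net-tools is installed and that its -ltn output has the usual "Local Address" and "State" columns; the function names are mine.

```shell
# Added example, not part of the Red Hat documentation.
# Validates a candidate port against the rules in this section: 1..65535,
# nothing in the IANA range 1..1024 except 389/636, and not already bound
# on this host. Assumes netstat (net-tools), the tool the section names.

# TCP ports with a listener, one per line, taken from the Local Address
# column of "netstat -ltn" (works for 0.0.0.0:389 and :::389 alike).
listening_ports() {
    netstat -ltn 2>/dev/null \
        | awk '/LISTEN/ { n = split($4, a, ":"); print a[n] }' \
        | sort -un
}

port_in_use() {
    listening_ports | grep -qx "$1"
}

# Exit status 0 if $1 is an acceptable Directory Server / Administration
# Server port; the reason for rejection goes to stderr.
validate_ds_port() {
    port=$1
    case $port in
        ''|*[!0-9]*) echo "'$port' is not a port number" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "$port is outside 1-65535" >&2; return 1
    fi
    if [ "$port" -le 1024 ] && [ "$port" -ne 389 ] && [ "$port" -ne 636 ]; then
        echo "$port is in the IANA-assigned range 1-1024; only 389/636 may be used there" >&2
        return 1
    fi
    if port_in_use "$port"; then
        echo "$port is already in use on this host (netstat -ltn)" >&2; return 1
    fi
    if [ "$port" -lt 1024 ]; then
        echo "$port: ok (setup and the start scripts must run as root to bind it)"
    else
        echo "$port: ok"
    fi
}

# Usage: sh ds-port-check.sh --run 389 636 9830
case ${1:-} in
    --run) shift; for p in "$@"; do validate_ds_port "$p"; done ;;
esac
```

The reminder printed for 389 and 636 is the point of the Important block above: a port below 1024 passes the check, but only root can bind it, so setup and the init script must run as root while the server itself keeps dropping to the non-root service UID.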
1.2.3. Opening the Required Ports in the Firewall
- Make sure the firewalld service is running.
  - To find out if firewalld is currently running:
    # systemctl status firewalld
  - To start firewalld and configure it to start automatically when the system boots:
    # systemctl start firewalld
    # systemctl enable firewalld
- Open the required ports using the firewall-cmd utility. For example, to open the Directory Server default ports in the default firewall zone:
  # firewall-cmd --permanent --add-port={389/tcp,636/tcp,9830/tcp}
  For details on using firewall-cmd to open ports on a system, see the Red Hat Security Guide or the firewall-cmd(1) man page.
- Reload the firewall configuration to ensure that the change takes place immediately:
  # firewall-cmd --reload
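The three steps above as one re-runnable script, added here as an example and not taken from the Red Hat documentation. It passes each port as its own --add-port option instead of relying on the shell's brace expansion, so it behaves the same under sh and bash, and it refuses anything that is not a plain number. FIREWALL_CMD and SYSTEMCTL are hooks I added so the commands can be previewed with FIREWALL_CMD=echo SYSTEMCTL=true before they are run against a live host; the function names are mine.

```shell
# Added example, not part of the Red Hat documentation.
# Opens the Directory Server (389), LDAPS (636) and Administration Server
# (9830) ports with firewall-cmd in one step that is safe to re-run.
# FIREWALL_CMD and SYSTEMCTL are assumed hooks so the commands can be
# previewed (FIREWALL_CMD=echo SYSTEMCTL=true) before touching a live host.

# Print one --add-port=N/tcp option per port, rejecting anything that is
# not a plain number so a typo cannot turn into a firewall rule.
ds_firewall_args() {
    for p in "$@"; do
        case $p in
            ''|*[!0-9]*) echo "bad port: '$p'" >&2; return 1 ;;
        esac
        printf '%s\n' "--add-port=$p/tcp"
    done
}

# Make sure firewalld is running and enabled, add the ports to the permanent
# configuration of the default zone, then reload so the change is live now
# and still present after a reboot.
open_ds_ports() {
    args=$(ds_firewall_args "$@") || return 1
    if ! "${SYSTEMCTL:-systemctl}" is-active --quiet firewalld; then
        "${SYSTEMCTL:-systemctl}" start firewalld
        "${SYSTEMCTL:-systemctl}" enable firewalld
    fi
    # $args is intentionally unquoted: one word per --add-port option
    "${FIREWALL_CMD:-firewall-cmd}" --permanent $args
    "${FIREWALL_CMD:-firewall-cmd}" --reload
}

# Usage: sh ds-firewall.sh --run 389 636 9830
case ${1:-} in
    --run) shift; open_ds_ports "$@" ;;
esac
```

Adding a port that is already in the permanent configuration is harmless (firewall-cmd only warns), so the script can be run again after changing the port list; if you chose non-default ports during setup, pass those instead of 389, 636 and 9830.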
1.2.4. Directory Server User and Group
The default UID for the Directory Server user is dirsrv on Red Hat Enterprise Linux. The default GID is also dirsrv.
Important
Do not run the Directory Server as root. If an attacker gains access to the server, he might be able to execute arbitrary system commands as the root user. Using a non-privileged UID adds another layer of security.
Even though port numbers less than 1024 are restricted, the LDAP server can listen to port 389 (and any port number less than 1024), as long as the server is started by the root user or by init when the system starts up. The server first binds and listens to the restricted port as root, then immediately drops privileges to the non-root server UID. The setuid(2) man page has detailed technical information.
1.2.5. Directory Manager
The default Directory Manager DN is cn=Directory Manager. The Directory Manager password must contain at least 8 characters, which must be ASCII letters, digits, or symbols.
1.2.6. Directory Administrator
Unlike the Directory Manager, the Directory Administrator is subject to the following restrictions:
- The administrator cannot create top-level entries for a new suffix through an add operation, either by adding an entry in the Directory Server Console or by using ldapadd, a tool provided with OpenLDAP. Only the Directory Manager can add top-level entries by default. To allow other users to add top-level entries, create entries with the appropriate access control statements in an LDIF file, and perform an import or database initialization procedure using that LDIF file.
- Password policies do apply to the administrator, but you can set a user-specific password policy for the administrator.
- Size, time, and look-through limits apply to the administrator, but you can set different resource limits for this user.
The default Directory Administrator user name is admin. For security, the Directory Administrator's password must not be the same as the Directory Manager's password.
1.2.7. Administration Server User
By default, the Administration Server runs as the same non-root user as the Directory Server. Custom and silent setups provide the option to run the Administration Server as a different user than the Directory Server.
Important
The default Administration Server UID is the Directory Server user, dirsrv. If the Administration Server is given a different UID, then that user must belong to the group to which the Directory Server user is assigned.
1.2.8. Directory Suffix
The directory suffix is derived from the DNS domain; for example, for the host ldap.example.com, the directory suffix is dc=example,dc=com. The setup program constructs a default suffix based on the DNS domain or from the fully qualified host and domain name provided during setup. This suffix naming convention is not required, but Red Hat strongly recommends it.
1.2.9. Configuration Directory
The configuration directory stores configuration information in the o=NetscapeRoot tree. A single Directory Server instance can be both the configuration directory and the user directory.
Decide which Directory Server instance stores o=NetscapeRoot. Make this decision before installing any compatible Directory Server applications. The configuration directory is usually the first one you set up.
The setup program can directly modify a configuration.
1.2.10. Administration Domain
When grouping servers into administration domains, consider the following:
- Each administration domain must have an administration domain owner with complete access to all the domain servers but no access to the servers in other administration domains. The administration domain owner may grant individual users administrative access on a server-by-server basis within the domain.
- All servers must share the same configuration directory. The Configuration Directory Administrator has complete access to all installed Directory Servers, regardless of the domain.
- Servers on two different domains can use different user directories for authentication and user management.