Chapter 4. Setting up a new instance as a non-root user

If you do not have root permissions, you can install Directory Server as a regular user. Use this method to test Directory Server and to develop LDAP applications. However, instances run by a non-root user have limitations, such as:

  • They do not support Simple Network Management Protocol (SNMP).
  • They can use only port numbers 1024 and higher, because an unprivileged process cannot bind to the privileged ports 1-1023.
  • The installer cannot run semanage, so it does not set SELinux labels on the instance's ports and files, and SELinux support is disabled for the instance.

4.1. Preparing the environment to install Directory Server as a user

Without root permissions, you must prepare a suitable environment with the dscreate ds-root command before you can create and administer Directory Server instances.

Prerequisites

  • You installed the Directory Server packages as a root user.

Procedure

  1. Ensure that $HOME/bin is in your PATH variable. If it is not:

    1. Append the following to the ~/.bash_profile file:

      PATH="$HOME/bin:$PATH"
    2. Re-read the ~/.bash_profile file:

      $ source ~/.bash_profile
  2. Configure the environment so that instance creation uses the custom location:

    $ dscreate ds-root $HOME/dsroot $HOME/bin

    This command replaces the standard installation paths with paths under $HOME/dsroot/ and creates copies of the standard Directory Server administration utilities in the $HOME/bin/ directory.

  3. Make the shell use the new paths:

    1. Clear the shell's cache of remembered command locations:

      $ hash -r dscreate
    2. Verify that the shell uses the correct path to the command:

      $ which dscreate
      ~/bin/dscreate

The shell now uses $HOME/bin/dscreate for the dscreate command instead of /usr/bin/dscreate.
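The following script is an added example, not code from the page or from the 389-ds project. It performs the environment preparation above in a form that can be re-run safely: the PATH line is appended to the profile only once, dscreate ds-root is run with the page's default locations, and the script checks that dscreate really resolves to the relocated copy. The profile file and the dsroot and bin directories are parameters (assumed defaults: ~/.bash_profile, $HOME/dsroot, $HOME/bin); the ds-root step itself requires the Directory Server packages and is only run when the script is invoked with the argument "prepare".

```shell
#!/bin/sh
# Added example (not from the page or the 389-ds project): the section 4.1
# environment preparation as a re-runnable script. Assumed defaults:
# ~/.bash_profile, $HOME/dsroot and $HOME/bin, as on the page.
set -eu

PATH_LINE='PATH="$HOME/bin:$PATH"'

# Return 0 if the PATH-like string $1 already contains directory $2.
path_contains() {
    case ":$1:" in
        *":$2:"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Append the PATH line to a profile file only if it is not already there,
# so repeated runs do not stack duplicate entries.
ensure_profile_path() {
    profile=$1
    touch "$profile"
    if ! grep -qxF "$PATH_LINE" "$profile"; then
        printf '%s\n' "$PATH_LINE" >> "$profile"
    fi
}

# Number of times the PATH line appears in a profile file (0 if absent).
count_profile_path() {
    grep -cxF "$PATH_LINE" "$1" || true
}

# Run the page's dscreate ds-root step, clear the shell's command cache and
# confirm that dscreate now resolves to the relocated copy, not /usr/bin.
# Needs the Directory Server packages installed, so not called by default.
prepare_ds_root() {
    ds_root=${1:-$HOME/dsroot}
    ds_bin=${2:-$HOME/bin}
    mkdir -p "$ds_bin"
    dscreate ds-root "$ds_root" "$ds_bin"
    path_contains "$PATH" "$ds_bin" || PATH="$ds_bin:$PATH"
    hash -r
    resolved=$(command -v dscreate)
    if [ "$resolved" != "$ds_bin/dscreate" ]; then
        echo "dscreate resolves to $resolved, expected $ds_bin/dscreate" >&2
        return 1
    fi
    echo "dscreate resolves to $resolved"
}

# Usage: sh prepare-ds-env.sh prepare
if [ "${1:-}" = prepare ]; then
    ensure_profile_path "$HOME/.bash_profile"
    prepare_ds_root
fi
```

The resolution check matters because a stale command cache or a PATH that lists /usr/bin first silently keeps using the system-wide dscreate, which then tries to write under /etc and /var and fails for a non-root user.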

4.2. Installing a new instance as non-root user

To install Directory Server without root permissions, use the interactive installer. The installer creates the instance in the custom location, and you can then run the dscreate, dsctl, and dsconf utilities as usual.

Prerequisites

  • You prepared the environment for non-root installation.
  • You have sudo permissions to use the firewall-cmd utility if you want to make the Directory Server instance available from outside the host.

Procedure

  1. Create an instance using the interactive installer:

    1. Start the interactive installer:

      $ dscreate interactive
    2. Answer the questions of the interactive installer.

      To use the default value displayed in square brackets after most questions, press Enter without entering a value.

      Note

      During the installation, you must choose an instance port and a secure port of 1024 or higher (for example, 1389 and 1636). A non-root user does not have permission to bind to a privileged port (1-1023), so the instance would fail to start.

      Install Directory Server (interactive mode)
      ===========================================
      Non privileged user cannot use semanage, will not relabel ports or files.
      
      Selinux support will be disabled, continue? [yes]: yes
      
      Enter system's hostname [server.example.com]:
      
      Enter the instance name [server]: instance_name
      
      Enter port number [389]: 1389
      
      Create self-signed certificate database [yes]:
      
      Enter secure port number [636]: 1636
      
      Enter Directory Manager DN [cn=Directory Manager]:
      
      Enter the Directory Manager password: password
      Confirm the Directory Manager Password: password
      
      Enter the database suffix (or enter "none" to skip) [dc=server,dc=example,dc=com]: dc=example,dc=com
      
      Create sample entries in the suffix [no]:
      
      Create just the top suffix entry [no]: yes
      
      Do you want to start the instance after the installation? [yes]:
      
      Are you ready to install? [no]: yes

      Note

      Instead of entering the password in clear text, you can enter a {algorithm}hash string generated by the pwdhash utility.

  2. Optional: To make the Directory Server instance available from outside the host (note that port 1389 serves unencrypted LDAP; open only 1636/tcp if all remote clients use LDAPS):

    1. Open the ports in the firewall:

      $ sudo firewall-cmd --permanent --add-port={1389/tcp,1636/tcp}
    2. Reload the firewall configuration:

      $ sudo firewall-cmd --reload

Verification

  • Run the ldapsearch command to test that a user can connect to the instance. The -W option prompts for the Directory Manager password:

    $ ldapsearch -D "cn=Directory Manager" -W -H ldap://server.example.com:1389 -b "dc=example,dc=com" -s sub -x "(objectclass=*)"

    The ldap:// URL sends the simple bind, including the password, unencrypted. Run this check on the server itself, or use ldaps://server.example.com:1636 with the instance's certificate trusted, when testing from another host.
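The script below is an added example, not code from the page or from the 389-ds project. It performs the installation of section 4.2 without typed answers: it rejects privileged port numbers up front, writes a dscreate template so that the same instance can be recreated, hashes the Directory Manager password with pwdhash so the template never stores it in clear text, and verifies the instance over the TLS port with the password read from a file rather than the command line. Assumptions: the instance name, ports, and suffix are those of the page's transcript; the template key names are the ones dscreate create-template emits on current releases, so compare them against that command's output on your version; the pwdhash scheme name PBKDF2_SHA256 and the files $HOME/ds-instance.inf and $HOME/.ds-dm-pw are chosen here. The installation and verification steps run only when the script is invoked with a hostname argument.

```shell
#!/bin/sh
# Added example (not from the page or the 389-ds project): scripted,
# repeatable equivalent of the section 4.2 interactive install for a
# non-root user. Template keys are assumed to match "dscreate create-template".
set -eu

# Non-root processes cannot bind ports 1-1023; also reject non-numeric input.
port_is_unprivileged() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Write a dscreate INF template. $4 is the Directory Manager password,
# ideally already a {algorithm}hash string produced by pwdhash.
write_template() {
    out=$1 host=$2 name=$3 rootpw=$4 port=${5:-1389} sport=${6:-1636}
    port_is_unprivileged "$port" && port_is_unprivileged "$sport" || {
        echo "ports must be 1024-65535 for a non-root instance" >&2
        return 1
    }
    cat > "$out" <<EOF
[general]
config_version = 2
full_machine_name = $host
selinux = False

[slapd]
instance_name = $name
port = $port
secure_port = $sport
root_dn = cn=Directory Manager
root_password = $rootpw
self_sign_cert = True

[backend-userroot]
suffix = dc=example,dc=com
create_suffix_entry = True
sample_entries = no
EOF
    chmod 600 "$out"   # the file carries the admin password or its hash
}

# Read one key back from a template (used for checking the output).
template_value() {
    sed -n "s/^$2 = //p" "$1"
}

# Hash the password with the bundled pwdhash utility so the template never
# holds it in clear text (scheme name assumed; see "pwdhash -s" on your release).
hash_password() {
    pwdhash -s PBKDF2_SHA256 "$1"
}

# Create the instance from the template; equivalent to the interactive run.
create_instance() {
    dscreate from-file "$1"
}

# Verify over the TLS port; -y reads the bind password from a file instead
# of exposing it in the process list. Point LDAPTLS_CACERT at the instance's
# CA certificate first, or the self-signed certificate will be rejected.
verify_instance() {
    host=$1 sport=$2 pwfile=$3
    ldapsearch -x -H "ldaps://$host:$sport" -D "cn=Directory Manager" \
        -y "$pwfile" -b "dc=example,dc=com" -s base "(objectclass=*)" dn
}

# Usage: DS_ROOT_PW='secret' sh create-ds-instance.sh server.example.com
if [ $# -ge 1 ]; then
    tmpl=$HOME/ds-instance.inf
    pwfile=$HOME/.ds-dm-pw
    (umask 077; printf '%s' "$DS_ROOT_PW" > "$pwfile")   # no trailing newline
    write_template "$tmpl" "$1" instance_name "$(hash_password "$DS_ROOT_PW")"
    create_instance "$tmpl"
    verify_instance "$1" 1636 "$pwfile"
fi
```

Keeping the template and password file mode 600 in the home directory is the non-root equivalent of the root-owned /etc/dirsrv configuration: with SELinux labelling unavailable to the instance, file permissions are the only protection the Directory Manager credential has.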