The Directory Server uses the host name of the machine to supply much of the default information for the instance, such as the instance name and base DN. A fully-qualified domain name is the local host name plus the domain name, such as ldap.example.com.

The setup scripts obtains the host name (ldap) from the local system's gethostname() function, while it obtains the domain name separately, from the system's /etc/resolv.conf file. Specifically, the script looks for the domain name in the first entry in either the search or domain line, whichever is first. For example:

#
# DNS information
#
search lab.eng.example.com eng.example.com example.com
domain example.com

In this /etc/resolv.conf file, the first parameter is search and the first entry is lab.eng.example.com, so the domain name used by the setup script is lab.eng.example.com.

Any information in the /etc/resolv.conf file must match the information maintained in the local /etc/hosts file. If there are aliases in the /etc/hosts file, such as ldap1.example.com, that do not match the specified domains in the /etc/resolv.conf settings, the setup program cannot generate the correct fully-qualified domain name for the machine as it is used by DNS. All of the default settings then displayed or accepted by the script are wrong, and this can potentially cause the setup to fail.

It is possible to set the fully-qualified domain name for the host manually using an .inf file or by passing the General.FullMachineName argument with the setup command itself. These options are described in Section 1.3, “About the setup-ds-admin.pl Script”. For small deployments or for evaluation, it is possible to use the /etc/hosts file to resolve the host name and IP address (IPv4 or IPv6). This is not recommended for production environments, though.

It is best to have the local hosts file and DNS properly configured for the server. Remote clients and server to server operations like replication require that other machines be able to resolve the host name of the Directory Server's host. Likewise, both TLS/SSL and SASL/Kerberos require an accurate fully-qualified domain name for their configuration.

Configure the DNS resolver and the NIS domain name by the modifying the /etc/resolv.conf, /etc/nsswitch.conf, and /etc/netconfig files, and set the DNS resolver for name resolution.

Edit the /etc/defaultdomain file to include the NIS domain name. This ensures that the fully-qualified host and domain names used for the Directory Server resolve to a valid IP address (IPv4 or IPv6) and that that IP address resolves back to the correct host name.

Reboot the Red Hat Enterprise Linux machine to apply these changes.

The Directory Server setup requires two TCP/IP port numbers: one for the Directory Server and one for the Admin Server. These port numbers must be unique.

The Directory Server instance (LDAP) has a default port number of 389. The Admin Server port number has a default number of 9830. If the default port number for either server is in use, then the setup program randomly generates a port number larger than 1024 to use as the default. Alternatively, you can assign any port number between 1025 and 65535 for the Directory Server and Admin Server ports; you are not required to use the defaults or the randomly-generated ports.

For LDAPS (LDAP with TLS/SSL), the default port number is 636. The server can listen to both the LDAP and LDAPS port at the same time. However, the setup program will not allow you to configure TLS/SSL. To use LDAPS, assign the LDAP port number in the setup process, then reconfigure the Directory Server to use LDAPS port and the other TLS/SSL parameters afterward. For information on how to configure LDAPS, see the Directory Server Administrator's Guide.

The Admin Server runs on a web server, so it uses HTTP or HTTPS. However, unlike the Directory Server which can run on secure (LDAPS) and insecure (LDAP) ports at the same time, the Admin Server cannot run over both HTTP and HTTPS simultaneously. The setup program, setup-ds-admin.pl, does not allow you to configure the Admin Server to use TLS/SSL. To use TLS/SSL (meaning HTTPS) with the Admin Server, first set up the Admin Server to use HTTP, then reconfigure it to use HTTPS.

If you are using ports below 1024, such as the default LDAP port (389), you must run the setup program and start the servers as root. You do not, however, have to set the server user ID to root. When it starts, the server binds and listens to its port as root, then immediately drops its privileges and runs as the non-root server user ID. When the system restarts, the server is started as root by the init script. The setuid(2) man page has detailed technical information.

Section 1.2.5, “Directory Server User and Group” has more information about the server user ID.

The Directory Server instance may be on a different server or network than clients which need to access it. For example, the Red Hat Certificate System subsystems require a Directory Server LDAP database to store their certificate, key, and user information, but these servers do not need to be on the same machine.

When installing Directory Server, make sure that you consider the location of the instance on the network and that all firewalls, DMZs, and other network services allow the client to access the Directory Server. There are two considerations about using firewalls with Directory Server and directory clients:

Make sure that the firewalls allow access to the Directory Server secure (636) and standard (389) ports, so that any clients which must access the Directory Server instance are able to contact it.

To increase the maximum number of connections, increment the number of file descriptors on the Linux system and the limit for Directory Server.

The setup process sets a user ID (UID) and group ID (GID) as which the servers will run. The default UID is a non-privileged (non-root) user, nobody on Red Hat Enterprise Linux. Red Hat strongly recommends to change these default values and to create a dirsrv:dirsrv user instead of using the default nobody:nobody user.

For security reasons, Red Hat strongly discourages you from setting the Directory Server or Admin Server user to root. If an attacker gains access to the server, he might be able to execute arbitrary system commands as the root user. Using a non-privileged UID adds another layer of security.

Section 1.2.2, “Port Numbers” has more information on port numbers in Directory Server.

The Directory Server setup creates a special user called the Directory Manager. The Directory Manager is a unique, powerful entry that is used to administer all user and configuration tasks. The Directory Manager is a special entry that does not have to conform to a Directory Server configured suffix; additionally, access controls. password policy, and database limits for size, time, and look-through limits do not apply to the Directory Manager. There is no directory entry for the Directory Manager user; it is used only for authentication. You cannot create an actual Directory Server entry that uses the same DN as the Directory Manager DN.

The Directory Server setup process prompts for a distinguished name (DN) and a password for the Directory Manager. The default value for the Directory Manager DN is cn=Directory Manager. The Directory Manager password must contain at least 8 characters which must be ASCII letters, digits, or symbols.

The Directory Server setup also creates an administrator user specifically for Directory Server and Admin Server server management, called the Directory Administrator. The Directory Administrator is the "super user" that manages all Directory Server and Admin Server instances through the Directory Server Console. Every Directory Server is configured to grant this user administrative access.

There are important differences between the Directory Administrator and the Directory Manager:

The Directory Server setup process prompts for a user name and a password for the Directory Administrator. The default Directory Administrator user name is admin. For security, the Directory Administrator's password must not be the same as the Directory Manager's password.

By default, the Admin Server runs as the same non-root user as the Directory Server. Custom and silent setups provide the option to run the Admin Server as a different user than the Directory Server.

The directory suffix is the first entry within the directory tree. At least one directory suffix must be provided when the Directory Server is set up. The recommended directory suffix name matches your organization's DNS domain name. For example, if the Directory Server host name is ldap.example.com, the directory suffix is dc=example,dc=com. The setup program constructs a default suffix based on the DNS domain or from the fully-qualified host and domain name provided during setup. This suffix naming convention is not required, but Red Hat strongly recommends it.

The configuration directory is the main directory where configuration information — such as log files, configuration files, and port numbers — is stored. These configuration data get stored in the o=NetscapeRoot tree. A single Directory Server instance can be both the configuration directory and the user directory.

If you install Directory Server for general directory services and there is more than one Directory Server in your organization, you must determine which Directory Server instance will host the configuration directory tree, o=NetscapeRoot. Make this decision before installing any compatible Directory Server applications. The configuration directory is usually the first one you set up.

Since the main configuration directory generally experiences low traffic, you can permit its server instances to coexist on any machine with a heavier-loaded Directory Server instance. However, for large sites that deploy a large number of Directory Server instances, dedicate a low-end machine for the configuration directory to improve performance. Directory Server instances write to the configuration directory, and for larger sites, this write activity can create performance issues for other directory service activities. The configuration directory can be replicated to increase availability and reliability.

If the configuration directory tree gets corrupted, you may have to re-register or re-configure all Directory Server instances. To prevent that, always back up the configuration directory after setting up a new instance; never change a host name or port number while active in the configuration directory; and do not modify the configuration directory tree; only the setup program can directly modify a configuration.

The administration domain allows servers to be grouped together logically when splitting administrative tasks. That level of organization is beneficial, for example, when different divisions within an organization want individual control of their servers while system administrators require centralized control of all servers.

When setting up the administration domain, consider the following: