1.2. Considerations Before Setting Up Directory Server
1.2.1. Resolving the Fully-qualified Domain Name
ldap) from the local system's gethostname() function, while it obtains the domain name separately, from the system's /etc/resolv.conf file. Specifically, the script looks for the domain name in the first entry of either the search or the domain line, whichever comes first. For example:
#
# DNS information
#
search lab.eng.example.com eng.example.com example.com
domain example.com
/etc/resolv.conf file, the first parameter is search and the first entry is lab.eng.example.com, so the domain name used by the setup script is
/etc/resolv.conf file must match the information maintained in the local /etc/hosts file. If there are aliases in the /etc/hosts file, such as ldap1.example.com, that do not match the domains specified in the /etc/resolv.conf settings, the setup program cannot generate the correct fully-qualified domain name for the machine as it is used by DNS. All of the default settings then displayed or accepted by the script are wrong, and this can potentially cause the setup to fail.
.inf file or by passing the General.FullMachineName argument with the setup command itself. These options are described in Section 1.3, “About the setup-ds-admin.pl Script”. For small deployments or for evaluation, it is possible to use the /etc/hosts file to resolve the host name and IP address (IPv4 or IPv6). This is not recommended for production environments, though.
/etc/netconfig files, and set the DNS resolver for name resolution.
/etc/defaultdomain file to include the NIS domain name. This ensures that the fully-qualified host and domain names used for the Directory Server resolve to a valid IP address (IPv4 or IPv6) and that this IP address resolves back to the correct host name.
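The consistency check described above, as an added example that is not part of the Red Hat guide: it derives the domain name the way the setup script does (first entry of whichever search or domain line appears first in resolv.conf) and checks that the resulting fully-qualified name is present in the hosts file. Paths are passed as arguments so the check runs against constructed sample files; on a real host substitute $(hostname -s), /etc/resolv.conf and /etc/hosts.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide). Reproduces the setup script's
# domain-name lookup and the /etc/hosts consistency the guide requires.

# Print the domain name the setup script would derive from a resolv.conf file:
# the first entry of the first "search" or "domain" line.
resolv_domain() {
    awk '$1 == "search" || $1 == "domain" { print $2; exit }' "$1"
}

# Print "ok" if HOST.DOMAIN appears in the hosts file (canonical name or alias),
# otherwise "mismatch": the case in which setup's default FQDN would be wrong.
check_hosts() {
    fqdn="$1.$2"
    if awk -v f="$fqdn" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == f) hit = 1 }
                          END { exit (hit ? 0 : 1) }' "$3"; then
        echo ok
    else
        echo mismatch
    fi
}

# Constructed sample files, using the same values as the guide's example.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/resolv.conf" <<'EOF'
#
# DNS information
#
search lab.eng.example.com eng.example.com example.com
domain example.com
EOF
# A hosts file with an alias (ldap1.example.com) outside the search domain.
cat > "$SAMPLE_DIR/hosts" <<'EOF'
127.0.0.1   localhost
192.0.2.10  ldap.lab.eng.example.com ldap
192.0.2.11  ldap1.example.com ldap1
EOF

DOMAIN=$(resolv_domain "$SAMPLE_DIR/resolv.conf")
echo "setup would use domain: $DOMAIN"
check_hosts ldap  "$DOMAIN" "$SAMPLE_DIR/hosts"    # ok
check_hosts ldap1 "$DOMAIN" "$SAMPLE_DIR/hosts"    # mismatch
```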
1.2.2. Port Numbers
389. The Admin Server port number has a default number of 9830. If the default port number for either server is in use, then the setup program randomly generates a port number larger than 1024 to use as the default. Alternatively, you can assign any port number between
65535 for the Directory Server and Admin Server ports; you are not required to use the defaults or the randomly-generated ports.
65535, the Internet Assigned Numbers Authority (IANA) has already assigned ports
1024 to common processes. Never assign a Directory Server port number below
636for the LDAP server) because this may conflict with other services.
636. The server can listen on both the LDAP and LDAPS ports at the same time. However, the setup program will not allow you to configure TLS/SSL. To use LDAPS, assign the LDAP port number in the setup process, then reconfigure the Directory Server to use the LDAPS port and the other TLS/SSL parameters afterward. For information on how to configure LDAPS, see the Directory Server Administrator's Guide.
setup-ds-admin.pl, does not allow you to configure the Admin Server to use TLS/SSL. To use TLS/SSL (meaning HTTPS) with the Admin Server, first set up the Admin Server to use HTTP, then reconfigure it to use HTTPS.
1024, such as the default LDAP port (389), you must run the setup program and start the servers as root. You do not, however, have to set the server user ID to root. When it starts, the server binds and listens to its port as root, then immediately drops its privileges and runs as the non-root server user ID. When the system restarts, the server is started as root by the init script. The setuid(2) man page has detailed technical information.
1.2.3. Firewall Considerations
- Protecting sensitive subsystems from unauthorized access
- Allowing appropriate access to other systems and clients outside of the firewall
636) and standard (389) ports, so that any clients that must access the Directory Server instance are able to contact it.
1.2.4. File Descriptors
- To display the maximum number of file descriptors:
  # sysctl fs.file-max
  If the setting is lower than
- Edit the /etc/sysctl.conf file and set the fs.file-max parameter. For example:
  fs.file-max = 64000
- For the change to take effect, enter:
  # sysctl --system
- To set the number of file descriptors Directory Server can allocate, for example, to
- Verify that the following line exists in the /etc/pam.d/system-auth-ac file or, if it is missing, add it:
  session required pam_limits.so
- Add the following line to the
  * - nofile 8192
- Restart Directory Server:
  # systemctl restart dirsrv.target
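A check for the three settings the procedure above depends on, as an added example that is not part of the Red Hat guide. It reads sysctl.conf-, PAM- and limits.conf-style files whose paths are passed in, so it runs here against constructed copies; on a real host point it at /etc/sysctl.conf, /etc/pam.d/system-auth-ac and the limits file you edited, and use the Directory Server user name you chose (dirsrv is assumed).

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): verifies fs.file-max, the
# pam_limits session line and the nofile limit that applies to the dirsrv user.

# Last fs.file-max value set in a sysctl.conf-style file (0 if absent).
sysctl_file_max() {
    awk -F'[ =]+' '$1 == "fs.file-max" { v = $2 } END { print v + 0 }' "$1"
}

# Succeeds (exit 0) if pam_limits.so is a required session module in the file.
pam_limits_enabled() {
    grep -Eq '^session[[:space:]]+required[[:space:]]+pam_limits\.so' "$1"
}

# nofile limit for USER in a limits.conf-style file (domain type item value):
# an explicit entry for the user wins over the "*" default; 0 if neither exists.
nofile_limit() {
    awk -v u="$2" '$1 !~ /^#/ && $3 == "nofile" {
            if ($1 == u) user = $4; else if ($1 == "*") any = $4 }
        END { print (user != "" ? user : any) + 0 }' "$1"
}

# One status per step of the guide's procedure, using the guide's thresholds.
fd_report() {
    [ "$(sysctl_file_max "$1")" -ge 64000 ] && s1=ok || s1=MISSING
    pam_limits_enabled "$2" && s2=ok || s2=MISSING
    [ "$(nofile_limit "$3" dirsrv)" -ge 8192 ] && s3=ok || s3=MISSING
    echo "fs.file-max>=64000:$s1 pam_limits:$s2 nofile>=8192:$s3"
}

# Constructed sample files mirroring the values in the procedure above.
SAMPLE_DIR=$(mktemp -d)
printf 'fs.file-max = 64000\n' > "$SAMPLE_DIR/sysctl.conf"
printf 'session required pam_limits.so\n' > "$SAMPLE_DIR/system-auth-ac"
printf '# constructed limits file\n* - nofile 8192\ndirsrv - nofile 16384\n' \
    > "$SAMPLE_DIR/limits.conf"

fd_report "$SAMPLE_DIR/sysctl.conf" "$SAMPLE_DIR/system-auth-ac" "$SAMPLE_DIR/limits.conf"
```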
1.2.5. Directory Server User and Group
nobody on Red Hat Enterprise Linux. Red Hat strongly recommends changing these default values and creating a dirsrv:dirsrv user instead of using the default
root. If an attacker gains access to the server, they might be able to execute arbitrary system commands as the root user. Using a non-privileged UID adds another layer of security.
Even though port numbers less than 1024 are restricted, the LDAP server can listen on port 389 (and any port number less than 1024), as long as the server is started by the root user or by init when the system starts up. The server first binds and listens to the restricted port as root, then immediately drops privileges to the non-root server UID. The setuid(2) man page has detailed technical information.
1.2.6. Directory Manager
cn=Directory Manager. The Directory Manager password must contain at least 8 characters, which must be ASCII letters, digits, or symbols.
1.2.7. Directory Administrator
- The administrator cannot create top-level entries for a new suffix through an add operation, either by adding an entry in the Directory Server Console or by using ldapadd, a tool provided with OpenLDAP. Only the Directory Manager can add top-level entries by default. To allow other users to add top-level entries, create entries with the appropriate access control statements in an LDIF file, and perform an import or database initialization procedure using that LDIF file.
- Password policies do apply to the administrator, but you can set a user-specific password policy for the administrator.
- Size, time, and look-through limits apply to the administrator, but you can set different resource limits for this user.
admin. For security, the Directory Administrator's password must not be the same as the Directory Manager's password.
1.2.8. Admin Server User
root user as the Directory Server. Custom and silent setups provide the option to run the Admin Server as a different user than the Directory Server.
nobody. However, Red Hat strongly recommends using a different user name, such as dirsrv, for the Directory Server user. If the Admin Server is given a different UID, then that user must belong to the group to which the Directory Server user is assigned.
1.2.9. Directory Suffix
ldap.example.com, the directory suffix is dc=example,dc=com. The setup program constructs a default suffix based on the DNS domain or from the fully-qualified host and domain name provided during setup. This suffix naming convention is not required, but Red Hat strongly recommends it.
1.2.10. Configuration Directory
o=NetscapeRoot tree. A single Directory Server instance can be both the configuration directory and the user directory.
o=NetscapeRoot. Make this decision before installing any compatible Directory Server applications. The configuration directory is usually the first one you set up.
setup program can directly modify a configuration.
1.2.11. Administration Domain
- Each administration domain must have an administration domain owner with complete access to all the domain servers but no access to the servers in other administration domains. The administration domain owner may grant individual users administrative access on a server-by-server basis within the domain.
- All servers must share the same configuration directory. The Configuration Directory Administrator has complete access to all installed Directory Servers, regardless of the domain.
- Servers on two different domains can use different user directories for authentication and user management.