Table of Contents


Setup of RHDS (Red Hat Directory Server) on RHEL 6, just for testing. The passwords, certificate lifetimes and file locations below are chosen for a throw-away test box, not for production.

RHDS setup on rhel6

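# setup rhel6u7

# Raise the open-file limit: the directory server needs more than the
# default 1024 descriptors.
echo '* - nofile 8192' >>/etc/security/limits.conf
# pam_limits has to be loaded for limits.conf to apply at login.
# NOTE(review): in the original page this echo was line-continued straight
# into the rhn-channel command, so the redirect target was lost (it would
# have written a file literally named "rhn-channel" in the cwd) and the
# module name after "$ISA/" was missing. The RHDS install guide puts this
# line in /etc/pam.d/login -- confirm for your setup.
echo 'session required /lib/security/$ISA/pam_limits.so' >>/etc/pam.d/login

# subscribe this box to the RHDS 9 channel so yum can find redhat-ds
rhn-channel -a -c rhel-x86_64-server-6-rhdirserv-9

# the idm-console is a java application
yum install -y java-1.6.0-openjdk
/usr/sbin/alternatives --config java   # interactive: select openjdk
yum install -y redhat-ds

chkconfig dirsrv on
chkconfig dirsrv-admin on

# requirements to start the idm-console:
yum -y install 'xorg-x11-font*' xauth

# log out and in again to get x-forwarding working

# This was on rhel5, since rhel6 we do not ship these utils:
# echo 'export PATH=/usr/lib64/mozldap/:$PATH' >>/etc/profile

# for now using openldap client tools, test ldapsearch.
# First an anonymous bind (note that this works: the default ACIs allow
# anonymous reads, fine for a test box), then as Directory Manager.
# -W prompts for the password so it stays out of ps and shell history.
ldapsearch -x -b dc=fluxcoil,dc=net '(cn=*)'
ldapsearch -x -b dc=fluxcoil,dc=net -D 'cn=Directory Manager' -W '(cn=*)'

# lets fill in some data
# NOTE(review): the URL of the ldif was lost in the original page; wget
# needs a full URL, a bare filename is interpreted as a host name and
# fails. Point LDIF_URL at wherever you host the file.
wget "${LDIF_URL:?set LDIF_URL to the URL of ldap_initial_datasets_rhds.ldif}"
ldapadd -x -D 'cn=Directory Manager' -W -f ldap_initial_datasets_rhds.ldif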

setting up ssl/tls

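# work inside the instance directory; everything below assumes we are there
cd /etc/dirsrv/slapd-* || exit 1

# backup before touching the NSS databases. dse.ldif in here carries the
# hashed Directory Manager password, so do not leave the tarball
# world-readable in /tmp (the default umask would make it 0644).
(umask 077; tar -cf /tmp/db-backup.tar -- *)

# password for the NSS key/cert database. Test-only value.
nss_pw=secret
# Use mktemp instead of a fixed /tmp/pwdfile: a predictable name in /tmp
# lets any local user pre-plant a symlink that root then writes the
# password through. mktemp creates the file 0600 root-owned; only root's
# certutil reads it, so no chown to nobody is needed (the server reads
# pin.txt, below, not this file).
pwdfile=$(mktemp) || exit 1
printf '%s\n' "$nss_pw" >"$pwdfile"

certutil -N -d . -f "$pwdfile"
# self-signed CA (-x) with basic constraints (-2, interactive prompts),
# trusted to issue server certs (CT). -v 120 = valid 120 months, fine for
# a test box only.
certutil -S -n "CA certificate" \
  -s "cn=My Org CA cert,dc=example,dc=com" -2 -x -t "CT,," \
  -m 1000 -v 120 -d . -k rsa -f "$pwdfile"
# server cert issued by that CA. The subject CN must be the name clients
# connect to, otherwise TLS host-name verification (ldapsearch -ZZ) fails.
# The original page had an empty -s "" here, which yields a certificate
# with no CN that no client can match -- presumably lost in the paste.
certutil -S -n "Server-Cert" -s "cn=$(hostname -f)" \
  -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . \
  -k rsa -f "$pwdfile"
# export the CA cert as PEM for the clients and sanity-check it
certutil -d . -L -n "CA certificate" -a > cacert.asc
openssl x509 -in cacert.asc -noout -text
# pin.txt lets dirsrv open the key DB unattended at start. It holds the
# token password in clear text, hence 0400 and owned by the user the
# server runs as (nobody on rhel6).
(umask 377; printf 'Internal (Software) Token:%s\n' "$nss_pw" >pin.txt)
chown nobody:nobody pin.txt
# the certutil password file is no longer needed
rm -f -- "$pwdfile"

# verify currently we only listen on :389
netstat -ntlp

# login with 'cn=Directory Manager' / $chosenpassword,
# then activate encryption. The console URL is plain http, acceptable
# only because it is localhost; do not point this at a remote admin server.
/usr/bin/redhat-idm-console -a http://localhost:9830
#   click "Directory Server", open
#   configuration, encryption, "enable SSL for this server"
#   "use this cipher family: RSA", save

# here activate ssl, then close the console
service dirsrv restart

# verify we now listen at :636 additionally
netstat -ntlp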

using ssl/tls as client

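# create the hashes, we will be using the
# cacert /etc/dirsrv/slapd-*/cacert.asc
cacertdir_rehash /etc/dirsrv/slapd-*/

# now configure the openldap client utilities to use the cacert.
# '-i -e', not '-ie': with GNU sed "-ie" means in-place with backup
# suffix "e", which would leave a stray /etc/openldap/ldap.confe behind.
sed -i -e 's,^TLS_CACERTDIR,#TLS_CACERTDIR,' /etc/openldap/ldap.conf
# the instance directory is named after the example host (rhel6u7a);
# adjust to your own slapd-<instance> directory
echo 'TLS_CACERTDIR /etc/dirsrv/slapd-rhel6u7a' >>/etc/openldap/ldap.conf

# now verify tls works. -h takes the server name, which must match the CN
# in Server-Cert; -ZZ means StartTLS and fail if it cannot be negotiated.
# (the original "-h -ZZZ" passed the literal string "-ZZZ" as host name)
ldapsearch -x -b dc=fluxcoil,dc=net -h "$(hostname -f)" -ZZ '(cn=*)'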

setting users passwords

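# now with the secured connection, setting passwords works.
# -h must be given a host name that matches the server cert CN (the
# original "-h -D" handed "-D" to -h as the host). -s puts the new
# password on the command line where it is visible in ps and the shell
# history -- acceptable only on this test box; use -S to be prompted
# otherwise.
host=$(hostname -f)
for u in user0 user1; do
  ldappasswd -x -h "$host" -D 'cn=Directory Manager' \
    -W -s redhat -ZZ "cn=$u,ou=users,dc=fluxcoil,dc=net"
done

# verify bind with new password works (-ZZ, not -ZZZ; same host-name
# requirement as above)
ldapsearch -x -b dc=fluxcoil,dc=net -h "$host" \
  -D 'cn=user0,ou=users,dc=fluxcoil,dc=net' -w redhat -ZZ '(cn=*)'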