How to Install an LDAP 389 Master Server

From DISI
Jump to: navigation, search
#!/bin/sh

 #INSTALL REPOS

 HOST=`hostname -i`
 DOMAIN='ucsf.bkslab.org'

 sed -i 's/# ulimit -n 8192/ulimit -n 8192/' /etc/sysconfig/dirsrv
 echo >> /etc/sysctl.conf <<EOF

 # Allow more file handles for 389
 fs.file-max = 8192
 EOF

 yum -y install 389-ds

 useradd ds -c "389 Directory Server User" -d /var/lib/dirsrv -M -s /sbin/nologin

 echo "Running 389 Configuration"
 echo <<EOF
 - Use default setup mode
 - Set user to 'ds'
 - Set server name to ds-1
 - Set hostname to 'ds.cluster.<DOMAIN>'
 - Set cn to "dc=DOMAIN,dc=ORG" or similar
 - Set passwords
 EOF

 setup-ds-admin.pl

 # Update certificates with CNAMES
 mv /var/lib/puppet/ssl /var/lib/puppet/ssl~
 echo "dns_alt_names    = ds,ds.cluster.$DOMAIN,ds.$DOMAIN,$HOST.$DOMAIN" >> /etc/puppet/puppet.conf
 puppet agent -t --report --pluginsync --waitforcert=60
 ssh puppetmaster "puppet cert $( hostname )"
 ssh puppetmaster "puppet cert sign $( hostname ) --allow-dns-alt-names"

 # Convert cert for 389 use
 certutil -d /etc/dirsrv/slapd-ds-1 -A -n "Cluster PuppetCA Certificate" -t CT,, -a -i /var/lib/puppet/ssl/certs/ca.cert
 openssl pkcs12 -export -in /var/lib/puppet/ssl/certs/$( hostname ).pem \
                       -inkey /var/lib/puppet/ssl/private_keys/$( hostname ).pem \
                       -out /etc/pki/tls/private/$( hostname ).p12
 pk12util -i /etc/pki/tls/private/$( hostname ).p12 -d /etc/dirsrv/slapd-ds-1

 certutil -d /etc/dirsrv/admin-serv -A -n "Cluster PuppetCA Certificate" -t CT,, -a -i /var/lib/puppet/ssl/certs/ca.cert
 openssl pkcs12 -export -in /var/lib/puppet/ssl/certs/$( hostname ).pem \
                       -inkey /var/lib/puppet/ssl/private_keys/$( hostname ).pem \
                       -out /etc/pki/tls/private/$( hostname ).p12
 pk12util -i /etc/pki/tls/private/$( hostname ).p12 -d /etc/dirsrv/admin-dirsrv

 # Fix annoying TLS bug
 echo "export NSS_STRICT_NOFORK=DISABLED" >> /etc/sysconfig/dirsrv-admin

 # Connect to 389 directory server
 # Username: cn=Directory Manager
 # Password: PASSWORD
 # URL: http://ds:9830
 # TODO:
 # - Enable encryption in Directory Server
 # - Enable encryption in Administration Server
 # - Ensure encrypted connections are used (port 636)
 # - Exit
 389-console
 service dirsrv restart
 service dirsrv-admin restart

 # Connect to encrypted 389 directory server
 # Username: cn=Directory Manager
 # Password: PASSWORD
 # URL: https://ds:9830
 # TODO (Under "Users and Groups")
 # - Create Group(s)
 #   Create -> Group (Under "Groups" subtree). Add Group Info AND Posix group info
 # - Create Users
 #   Create -> User (add to "People" subtree). Add User info AND Posix user info
 # - Add users to groups
 # - Create Special Directory Reader Group
 #   Create -> User (add to "Special Users" subtree). Name:"LDAP Browser" Password:<SOMETHING SIMPLE>
 # - Exit
 389-console