Installation of RCDevs Directory Server

RCDevs Directory Server runs on Linux with GLIBC ≥ 2.5. The package contains the necessary dependencies, enabling RCDevs Directory Server to operate on any Linux system without additional requirements. The package is named slapd for RPM-based OS and rcdevs-slapd for Debian-based OS.
The documentation provides information on installing, setting up, updating the RCDevs Directory Server, and backing up/restoring the LDAP database.
It also provides instructions to set up the RCDevs Directory Server as a standalone server or in cluster mode with 2 replicated nodes.

Package installation

Using RCDevs Repository

Refer to the RCDevs repository documentation to install and configure RCDevs repositories.

RPM Based OS

[root@ldap1 ~]# dnf install slapd

Debian based OS

[root@ldap1 ~]# apt install rcdevs-slapd

Using the Self Installer

The RCDevs Directory Server can be downloaded from the RCDevs website.

Download the file and copy it to the server where you want to install the RCDevs Directory Server. It can be installed on the future WebADM server or on another server.

Unpack and run the installer with the following commands:

[root@ldap1 ~]# gunzip slapd-1.1.12-7-x64.sh.gz
[root@ldap1 ~]# sh slapd-1.1.12-7-x64.sh

Using Docker

Alternatively, pull the RCDevs Directory Server image from the Docker registry:

[root@ldap1 ~]# docker pull rcdevs/slapd

Create the Docker network that WebADM will later share with the directory (docker run fails if the network does not exist yet), then start the slapd container with named volumes so configuration and data survive container replacement:

[root@ldap1 ~]# docker network create net-webadm
[root@ldap1 ~]# docker run -d --name slapd \
-v slapd_conf:/opt/slapd/conf \
-v slapd_data:/opt/slapd/data \
--network net-webadm \
rcdevs/slapd

The network "net-webadm" is used later by the WebADM container, which reaches the directory on it by the container name slapd.

Setup

The setup script creates the RCDevs Directory system user (slapd), server certificates, filesystem permissions and initializes your LDAP database.

Standalone setup (1 node)

Run the setup script and select standalone mode when asked:

[root@ldap1 ~]# /opt/slapd/bin/setup

Checking system architecture...Ok
Enter the server fully qualified host name (FQDN): ldap1.rcdevsdocs.com
Is this server a standalone LDAP or a replication peer in an LDAP cluster?
Enter 's' for standalone server or 'r' for a replication peer: s
Enter WebADM super admin password: ********
Enter WebADM proxy user password: *******
Creating self-signed certificate... Ok
Initializing LDAP data... Ok
Setting file permissions... Ok
Starting LDAP Directory... Ok
Setting WebADM super admin password... Ok
Setting WebADM proxy user password... Ok
Do you want LDAP Directory to be automatically started at boot (y/n)? y
Adding systemd service... Ok
Do you want to register LDAP Directory logrotate script (y/n)? y
Adding logrotate script... Ok
Do you want to register LDAP Directory DB backup script (y/n)? y
Adding DB backup script... Ok
LDAP Directory has successfully been setup.

Standalone setup is done.

Configuration file of RCDevs Directory Server

The configuration file is /opt/slapd/conf/slapd.conf. If you need to modify LDAP configurations, please refer to the OpenLDAP Online documentation.

The default LDAP administrator (the rootdn) is cn=admin,o=Root. Its password is set interactively by the setup script; if the script is run silently, it is the default, password. Change that default before putting RCDevs Directory Server in service, because this account can read and write the whole directory regardless of the access control list.

If you need more WebADM administrators, create the administrator users in WebADM and set write permissions for the new administrator DNs in /opt/slapd/conf/slapd.conf.

# RCDevs Directory Server configuration

#loglevel -1

# Objectclasses and attributes definitions
include         /opt/slapd/lib/schema/core.schema
include         /opt/slapd/lib/schema/cosine.schema
include         /opt/slapd/lib/schema/dyngroup.schema
include         /opt/slapd/lib/schema/inetorgperson.schema
include         /opt/slapd/lib/schema/nis.schema
include         /opt/slapd/lib/schema/misc.schema
include         /opt/slapd/lib/schema/msad.schema
include         /opt/slapd/lib/schema/radius.schema
include         /opt/slapd/lib/schema/samba.schema
include         /opt/slapd/lib/schema/sudo.schema
include         /opt/slapd/lib/schema/webadm.schema

# PID file and log file
pidfile         /opt/slapd/temp/slapd.pid
logfile         /opt/slapd/logs/slapd.log
rootdse         /opt/slapd/lib/rootdse.ldif
argsfile        /opt/slapd/temp/slapd.args
loglevel        none
sizelimit       unlimited

# Load dynamic backend modules
modulepath      /opt/slapd/lib/modules
moduleload      dynlist.la
moduleload      memberof.la
moduleload      ppolicy.la
moduleload      refint.la
moduleload      valsort.la
moduleload      syncprov.la
moduleload      pw-sha2.la
moduleload      pw-nthash.la

# The following lines enable TLS for encrypting connections.
# TLSProtocolMin uses OpenLDAP's SSL major.minor notation: 3.2 = TLS 1.1, 3.3 = TLS 1.2.
TLSCertificateFile    /opt/slapd/conf/slapd.crt
TLSCertificateKeyFile /opt/slapd/conf/slapd.key
TLSProtocolMin        3.2
TLSCipherSuite        HIGH:MEDIUM
TLSVerifyClient       never

# Access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow WebADM proxy user write access
#               Allow administrators write access
#               Allow self write access
#               Allow anonymous users to authenticate
# If no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn (e.g., "access to * by * read").
# Rootdn can always read and write EVERYTHING!
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
       by dn="cn=webadm,dc=WebADM" write
       by group="cn=super_admins,dc=WebADM" write
       by group="cn=other_admins,dc=WebADM" write
       by anonymous auth
       by * none

# LDAP database
database        mdb
monitoring      on
suffix          ""
rootdn          "cn=admin,o=Root"

# Uncomment the following line to force a rootdn password.
# When uncommented, both your LDAP password and the rootpw are usable
# for the rootdn. You can also use the rootpw as a recovery option
# in case the rootdn password gets lost.
#rootpw         "password"

# The database directory must exist prior to running slapd and
# should only be accessible by the slapd and slap tools.
directory       /opt/slapd/data

# Dynamic group objects
overlay         dynlist
dynlist-attrset groupOfURLs memberURL

# Speedup group operations
sortvals member memberOf

# Reverse group membership
overlay         memberof
memberof-refint TRUE

# Referential integrity attributes
overlay         refint
refint_attributes member

# Password policy object
overlay         ppolicy
ppolicy_default "cn=ppolicy,o=Root"
ppolicy_hash_cleartext

# LDAP replication settings
overlay syncprov
syncprov-checkpoint 100 5
syncprov-sessionlog 100
syncprov-reloadhint TRUE

# Indexes to maintain
index objectClass eq,pres
index cn,uid,mail,mobile eq,pres,sub
index o,ou,dc eq,pres
index member,memberUid eq,pres
index uidNumber,gidNumber eq,pres
index entryUUID eq
index entryCSN eq

# Maximum size of the MDB database in bytes. A memory map of this size is
# allocated at startup time and the database will not be allowed to grow
# beyond this size. The default is 10485760 bytes.
maxsize 64000000

# Max number of operations and time between checkpoint operations.
# The database can only be recovered from the last checkpoint.
checkpoint 10000 30
dbnosync

# The rest of the configuration is for LDAP clustering (mirror replication).
# Uncomment all the following lines to setup your LDAP server in mirror mode
# replication with remote server ldap2.example.com.
# For more details see http://www.openldap.org/doc/admin23/syncrepl.html.

# The serverID must be set to '2' on the secondary LDAP server.
# Multiple syncrepl RIDs can be setup with more than two nodes.

# Global section
#serverID    1
# database section

# syncrepl directive
#syncrepl     rid=001
#             provider=ldap://192.168.4.21
#             bindmethod=simple
#             binddn="cn=admin,o=root"
#             credentials=password
#             searchbase=""
#             schemachecking=on
#             type=refreshAndPersist
#             retry="60 +"
#
#multiprovider on
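
The TLS and replication settings in this file are where a hardening review usually stops first. TLSProtocolMin is written in OpenLDAP's SSL major.minor notation, so the shipped 3.2 still negotiates TLS 1.1 (3.3 is the TLS 1.2 floor); HIGH:MEDIUM keeps legacy 128-bit suites; an uncommented rootpw is a static password sitting in the config file; and the syncrepl template binds as cn=admin,o=Root with tls_reqcert=never, so a node never verifies which server it is replicating from. The script below is an added example written for this page, not part of the RCDevs package: it audits a slapd.conf for those settings and runs itself against two constructed samples, one mirroring the page's values (with rootpw and the syncrepl block uncommented) and one hardened. The hardened values (TLSProtocolMin 3.3, HIGH:!aNULL:!MD5, starttls=critical, tls_reqcert=demand with tls_cacert pointing at a peer certificate file /opt/slapd/conf/peer-ca.crt) are this example's recommendations and assumptions, not RCDevs defaults; the same checks apply to the uncommented replication blocks in the cluster setup sections.

```shell
#!/bin/sh
# audit_slapd_conf: flag the settings in an RCDevs Directory Server slapd.conf that
# a hardening review catches first. Added example, not an RCDevs tool; it only
# understands the layout shown above (one directive per line, indented syncrepl
# continuation lines, '#' comments). Exit status 0 means no findings.
audit_slapd_conf() {
    conf="$1"; rc=0
    # Drop comment lines so the commented-out template at the end of the file
    # ("#rootpw", "#syncrepl ...") is not mistaken for live configuration.
    active=$(grep -Ev '^[[:space:]]*#' "$conf")

    # TLSProtocolMin uses OpenLDAP's SSL major.minor notation: 3.1 = TLS 1.0,
    # 3.2 = TLS 1.1, 3.3 = TLS 1.2, 3.4 = TLS 1.3. The page's 3.2 still allows TLS 1.1.
    tlsmin=$(printf '%s\n' "$active" | awk '$1 == "TLSProtocolMin" { print $2 }')
    if [ -z "$tlsmin" ]; then
        echo "TLSProtocolMin unset: TLS 1.0 and 1.1 accepted"; rc=1
    elif awk -v v="$tlsmin" 'BEGIN { exit !(v + 0 < 3.3) }'; then
        echo "TLSProtocolMin $tlsmin: below 3.3 (TLS 1.2)"; rc=1
    fi

    # HIGH:MEDIUM admits legacy 128-bit suites (RC4, 3DES on builds that still ship
    # them). Only unnegated tokens count: "!aNULL" is an exclusion, not a weakness.
    weak=$(printf '%s\n' "$active" | awk '$1 == "TLSCipherSuite" {
        n = split($2, t, ":")
        for (i = 1; i <= n; i++)
            if (t[i] ~ /^(MEDIUM|LOW|NULL|eNULL|aNULL|ALL|COMPLEMENTOFDEFAULT)$/) print t[i]
    }')
    if [ -n "$weak" ]; then
        echo "TLSCipherSuite enables legacy suites: $(printf '%s' "$weak" | tr '\n' ' ')"; rc=1
    fi

    # An active rootpw is a second, static rootdn password kept in the config file.
    # Leave it commented (as the page does) unless recovering a lost admin password.
    if printf '%s\n' "$active" | grep -Eq '^[[:space:]]*rootpw[[:space:]]'; then
        echo "rootpw active: static rootdn password stored in slapd.conf"; rc=1
    fi

    # Replication checks apply once the syncrepl block is uncommented.
    if printf '%s\n' "$active" | grep -Eq '^[[:space:]]*syncrepl[[:space:]]'; then
        if printf '%s\n' "$active" | grep -q 'tls_reqcert=never'; then
            echo "syncrepl tls_reqcert=never: peer certificate never verified, replication can be intercepted"; rc=1
        fi
        if ! printf '%s\n' "$active" | grep -Eq 'starttls=(yes|critical)|provider=ldaps://'; then
            echo "syncrepl without starttls: admin bind and directory data replicate in cleartext"; rc=1
        fi
        if printf '%s\n' "$active" | grep -o 'credentials=[^[:space:]]*' | tr -d '"' | grep -qx 'credentials=password'; then
            echo "syncrepl credentials: template default \"password\" still in use"; rc=1
        fi
    fi
    return $rc
}

# Constructed sample 1: the page's values with rootpw and the syncrepl block uncommented.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
TLSProtocolMin        3.2
TLSCipherSuite        HIGH:MEDIUM
TLSVerifyClient       never
rootdn          "cn=admin,o=Root"
rootpw          "password"
serverID 1
syncrepl rid=001
    provider=ldap://ldap2.rcdevsdocs.com
    bindmethod=simple
    binddn="cn=admin,o=Root"
    credentials="password"
    searchbase=""
    type=refreshAndPersist
    starttls=yes
    tls_reqcert=never
    retry="10 5 60 +"
multiprovider on
EOF

# Constructed sample 2: hardened. tls_cacert names the peer's self-signed slapd.crt
# copied over out of band (an assumption of this example; a private CA works the same).
HARD_CONF=$(mktemp)
cat > "$HARD_CONF" <<'EOF'
TLSProtocolMin        3.3
TLSCipherSuite        HIGH:!aNULL:!MD5
TLSVerifyClient       never
rootdn          "cn=admin,o=Root"
#rootpw         "password"
serverID 1
syncrepl rid=001
    provider=ldap://ldap2.rcdevsdocs.com
    bindmethod=simple
    binddn="cn=admin,o=Root"
    credentials="replace-with-the-real-admin-password"
    searchbase=""
    type=refreshAndPersist
    starttls=critical
    tls_reqcert=demand
    tls_cacert=/opt/slapd/conf/peer-ca.crt
    retry="10 5 60 +"
multiprovider on
EOF

echo "== page defaults"; audit_slapd_conf "$WEAK_CONF" || true
echo "== hardened";      audit_slapd_conf "$HARD_CONF" && echo "no findings"
```

Run it against the live file with audit_slapd_conf /opt/slapd/conf/slapd.conf on each node after editing. The script only inspects text: it cannot tell you whether the file named by tls_cacert really is the peer's certificate, and the cleartext credentials line is inherent to bindmethod=simple, so keep slapd.conf readable by root and the slapd user only.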

If you do not intend to set up a secondary node, you can just start the RCDevs Directory services with the following command:

[root@ldap1 ~]# /opt/slapd/bin/slapd start

or with systemctl, as the service has been registered with systemctl during the setup:

[root@ldap1 ~]# systemctl start slapd

Cluster setup

Cluster setup requires some adjustments to /opt/slapd/conf/slapd.conf on the primary node. Once they are done, repeat the installation on the secondary node and edit its configuration to finish the replication setup.

Adapt configuration file on Node 1

At the end of the configuration file, you will find the following commented-out section:

# The serverID must be set to '2' on the secondary LDAP server.
# Multiple syncrepl RIDs can be setup with more than two nodes.
#serverID 1
#multiprovider on

#syncrepl rid=001
#	 provider=ldap://ldap2.example.com
#	 bindmethod=simple
#	 binddn="cn=admin,o=Root"
#	 credentials="password"
#	 searchbase=""
#	 schemachecking=on
#	 type=refreshAndPersist
#	 starttls=yes
#	 tls_reqcert=never
#	 retry="10 5 60 +"

Uncomment the following lines by deleting the # at the beginning of each line:

# The serverID must be set to '2' on the secondary LDAP server.
# Multiple syncrepl RIDs can be setup with more than two nodes.
serverID 1

syncrepl rid=001
	 provider=ldap://ldap2.rcdevsdocs.com
	 bindmethod=simple
	 binddn="cn=admin,o=Root"
	 credentials="password"
	 searchbase=""
	 schemachecking=on
	 type=refreshAndPersist
	 starttls=yes
	 tls_reqcert=never
	 retry="10 5 60 +"
multiprovider on

Replace the provider URL with the DNS name or IP address of your secondary instance, and set credentials to the admin password of cn=admin,o=Root (the template value password is only a placeholder).

Setup node 2

Install the package and run the setup script as you did for the first node:

[root@ldap2 ~]# /opt/slapd/bin/setup

When prompted, select 'r' to set up a replication peer. You will then be asked for the address of node 1 and the admin password you configured during its setup; the script uses them to copy the LDAP data from node 1.

Checking system architecture...Ok
Enter the server fully qualified host name (FQDN): ldap2.rcdevsdocs.com
Is this server a standalone LDAP or a replication peer in an LDAP cluster?
Enter 's' for standalone server or 'r' for a replication peer: r
We need to fetch LDAP data from the other LDAP server.
Enter IP address or fully qualified host name of the remote LDAP: ldap1.rcdevsdocs.com
Enter LDAP port of the remote LDAP or press Enter for default: 389
Enter the admin DN to connect the remote LDAP: cn=admin,o=root
Enter the admin password to connect the remote LDAP: ********
Testing LDAP connection... Ok
Creating self-signed certificate... Ok
Copying LDAP data from ldap1.rcdevsdocs.com.... Ok
Setting file permissions... Ok
Starting LDAP Directory... Ok
Do you want LDAP Directory to be automatically started at boot (y/n)? y
Adding systemd service... Ok
Do you want LDAP Directory logrotate script to be registered (y/n)? y
Adding logrotate script... Ok
Do you want to register LDAP Directory DB backup script (y/n)? y
Adding DB backup script... Ok
LDAP Directory has successfully been setup.
You need to configure the replication on both LDAP servers!
Please refer to RCDevs' WebADM HA Documentation for details...

Installation of node 2 is complete; we can continue with the configuration file adaptation.

Adapt configuration file on Node 2

At the end of the configuration file, you will find the following commented-out section:

# The serverID must be set to '2' on the secondary LDAP server.
# Multiple syncrepl RIDs can be setup with more than two nodes.
#serverID 1
#multiprovider on

#syncrepl rid=001
#	 provider=ldap://ldap2.example.com
#	 bindmethod=simple
#	 binddn="cn=admin,o=Root"
#	 credentials="password"
#	 searchbase=""
#	 schemachecking=on
#	 type=refreshAndPersist
#	 starttls=yes
#	 tls_reqcert=never
#	 retry="10 5 60 +"

Uncomment the following lines by deleting the # at the beginning of each line:

# The serverID must be set to '2' on the secondary LDAP server.
# Multiple syncrepl RIDs can be setup with more than two nodes.
serverID 2

syncrepl rid=001
	 provider=ldap://ldap1.rcdevsdocs.com
	 bindmethod=simple
	 binddn="cn=admin,o=Root"
	 credentials="password"
	 searchbase=""
	 schemachecking=on
	 type=refreshAndPersist
	 starttls=yes
	 tls_reqcert=never
	 retry="10 5 60 +"
multiprovider on

Replace the provider URL with the DNS name or IP address of your primary instance, and set credentials to the admin password of cn=admin,o=Root (the template value password is only a placeholder).
Replication peer configuration is done. Remember that node 1 was started by its setup script before you edited its configuration, so restart slapd there as well for its syncrepl settings to take effect. On node 2, start the RCDevs Directory services:

[root@ldap2 ~]# /opt/slapd/bin/slapd start

or with systemctl, as the service has been registered with systemctl during the setup:

[root@ldap2 ~]# systemctl start slapd
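
Once both nodes are up, the check a practitioner wants is that the mirror has actually converged, not merely that slapd started. In multi-provider replication each node carries one contextCSN value per serverID (the third #-separated field of a CSN), and a converged pair shows the same set on both sides. The script below is an added example, not an RCDevs tool: its parsing and comparison run offline against constructed ldapsearch output, while the fetch_csn helper does the live query and assumes that cn=admin,o=Root may read contextCSN from the suffix entry (searchbase "" as configured above) and that the querying client trusts each node's certificate.

```shell
#!/bin/sh
# check_replication: confirm the two RCDevs Directory nodes agree on contextCSN.
# Added example for this page, not an RCDevs tool.

# Print the contextCSN values found in ldapsearch LDIF output, one per line,
# sorted so attribute order on the two nodes does not matter. CSN values are
# shorter than the LDIF wrap width (76), so no continuation-line handling is needed.
csn_set() {
    awk -F': ' '$1 == "contextCSN" { print $2 }' | sort
}

# Given the LDIF output of both nodes, succeed only when both carry the same,
# non-empty set of contextCSN values (one per serverID in mirror mode).
replication_in_sync() {
    a=$(printf '%s\n' "$1" | csn_set)
    b=$(printf '%s\n' "$2" | csn_set)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Live query (not exercised offline). -ZZ insists on StartTLS, matching
# starttls=yes in the replication block; the client must trust the node's
# certificate (TLS_CACERT in ldap.conf) rather than disabling verification.
# Assumption: the suffix entry ("" here) exposes contextCSN to cn=admin,o=Root.
fetch_csn() {
    host="$1"; admin_pw="$2"
    ldapsearch -LLL -x -ZZ -H "ldap://$host" -D "cn=admin,o=Root" -w "$admin_pw" \
        -b "" -s base '(objectClass=*)' contextCSN
}

# Constructed samples standing in for fetch_csn output.
NODE1_SAMPLE='dn:
contextCSN: 20240611093012.204513Z#000000#001#000000
contextCSN: 20240611093015.771002Z#000000#002#000000'

# Same values, different order: still in sync.
NODE2_SAMPLE='dn:
contextCSN: 20240611093015.771002Z#000000#002#000000
contextCSN: 20240611093012.204513Z#000000#001#000000'

# Node 2 has not yet applied node 1's latest write (older CSN for serverID 1).
NODE2_LAGGING='dn:
contextCSN: 20240611092958.118820Z#000000#001#000000
contextCSN: 20240611093015.771002Z#000000#002#000000'

if replication_in_sync "$NODE1_SAMPLE" "$NODE2_SAMPLE"; then
    echo "sample pair: in sync"
fi
if ! replication_in_sync "$NODE1_SAMPLE" "$NODE2_LAGGING"; then
    echo "lagging pair: node 2 is behind on serverID 1"
fi
# Live use:
#   PW='...'; replication_in_sync "$(fetch_csn ldap1.rcdevsdocs.com "$PW")" \
#                                 "$(fetch_csn ldap2.rcdevsdocs.com "$PW")" && echo converged
```

A transient mismatch right after a write is normal with refreshAndPersist; a mismatch that persists across several retry intervals means one node is not receiving changes, and the first thing to compare is the provider URL and credentials in each node's syncrepl block.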

Upgrade

To upgrade RCDevs Directory Server, do not remove the previous version and proceed as you did for the installation by running the self-installer or upgrade with dnf or apt.

The upgrade will not override your current configuration files. After an upgrade please read the CHANGELOG and RELEASE_NOTES files to get the list of changes and follow the recommendations if any.

Backend Migration from BDB to MDB

Since version 1.0.7 of RCDevs Directory Server, the data store has changed from BDB to MDB for better performance. If you upgrade from an older version, however, you also need to change the backend manually to use MDB. The procedure is straightforward:

Check the current backend and the data:

[root@ldap1 ~]# grep "^database" /opt/slapd/conf/slapd.conf
database	bdb
[root@ldap1 ~]# ls /opt/slapd/data
alock  cn.bdb  __db.001  __db.002  __db.003  DB_ARCH  DB_CONFIG  dn2id.bdb  entryUUID.bdb  id2entry.bdb  log.0000000001  o.bdb  objectClass.bdb

Export the db to a ldif file:

[root@ldap1 ~]# /opt/slapd/bin/dbdump export.ldif
Backup RCDevs Directory data to export.ldif (y/n)? y
Dumping LDAP data... Ok

Update the configuration:

[root@ldap1 ~]# vi  /opt/slapd/conf/slapd.conf

...
# LDAP database
database mdb      ## replace bdb with mdb
maxsize 64000000  ## maximum size of the MDB memory map in bytes
...

Import the ldif file:

[root@ldap1 ~]# /opt/slapd/bin/dbload export.ldif
Restore RCDevs Directory Data from export.ldif (y/n)? y
Removing LDAP data... Ok
Restoring LDAP data... Ok
Restoring file permissions... Ok

Check the data and restart slapd:

[root@ldap1 ~]# ls /opt/slapd/data
data.mdb  DB_ARCH  DB_TYPE  lock.mdb
[root@ldap1 ~]# /opt/slapd/bin/slapd start
Checking system architecture... Ok
Checking server configuration... Ok
Starting RCDevs LDAP Directory... Ok

Backup LDAP database

You can back up the database and configuration with the command below. The archive contains slapd.conf, the TLS private key (conf/slapd.key) and the database with its password hashes, so store it with the same protection as the server itself:

[root@ldap1 ~]# /opt/slapd/bin/backup mybackup.gz
Are you sure you want to backup RCDevs LDAP Directory (y/n)? y
Adding conf/slapd.conf... Ok
Adding conf/slapd.crt... Ok
Adding conf/slapd.key... Ok
Adding data... Ok
Adding logs... Ok
Adding temp... Ok
Adding conf/slapd.csr... Missing
Adding conf/slapd.env... Missing
Compressing backup file... Ok

RCDevs LDAP Directory backup created in mybackup.gz

Restore LDAP database

And you can restore the previous backup with:

[root@ldap1 ~]# /opt/slapd/bin/restore mybackup.gz
Are you sure you want to restore RCDevs LDAP Directory (y/n)? y
Unpacking backup files... Ok
Checking system architecture...Ok
Setting file permissions... Ok
Starting LDAP Directory... Ok
Setting Admin password... Ok
Adding systemd service... Ok
Adding logrotate script... Ok
Adding DB backup script... Ok
LDAP Directory has successfully been setup.

RCDevs LDAP Directory backup restored from mybackup.gz