Installation of RCDevs Directory Server
RCDevs Directory Server runs on Linux with GLIBC ≥ 2.5. The package contains the necessary dependencies, enabling RCDevs Directory Server to operate on any Linux system without additional requirements. The package is named slapd for RPM-based OS and rcdevs-slapd for Debian-based OS.
The documentation provides information on installing, setting up, updating the RCDevs Directory Server, and backing up/restoring the LDAP database.
It also provides instructions to set up the RCDevs Directory Server as a standalone server or in cluster mode with 2 replicated nodes.
Package installation
Using RCDevs Repository
Refer to the RCDevs repository documentation to install and configure RCDevs repositories.
RPM Based OS
[root@ldap1 ~]# dnf install slapd
Debian based OS
[root@ldap1 ~]# apt install rcdevs-slapd
Using the Self Installer
The RCDevs Directory Server can be downloaded from the RCDevs website.
Download the file and copy it to the server where you want to install the RCDevs Directory Server. It can be installed on the future WebADM server or on another server.
Unpack and run the installer with the following commands:
[root@ldap1 ~]# gunzip slapd-1.1.12-7-x64.sh.gz
Using Docker
Similarly, download the RCDevs Directory Server image from the Docker repository:
[root@ldap1 ~]# docker pull rcdevs/slapd
Then, you can start the slapd container using the following parameters:
[root@ldap1 ~]# docker run -d --name slapd \
-v slapd_conf:/opt/slapd/conf \
-v slapd_data:/opt/slapd/data \
--network net-webadm \
rcdevs/slapd
The network "net-webadm" is going to be used later by WebADM.
Setup
The setup script creates the RCDevs Directory system user (slapd), server certificates, filesystem permissions and initializes your LDAP database.
Standalone setup (1 node)
Run the setup script and select standalone mode when asked:
[root@ldap1 ~]# /opt/slapd/bin/setup
Checking system architecture...Ok
Enter the server fully qualified host name (FQDN): ldap1.rcdevsdocs.com
Is this server a standalone LDAP or a replication peer in an LDAP cluster?
Enter 's' for standalone server or 'r' for a replication peer: s
Enter WebADM super admin password: ********
Enter WebADM proxy user password: *******
Creating self-signed certificate... Ok
Initializing LDAP data... Ok
Setting file permissions... Ok
Starting LDAP Directory... Ok
Setting WebADM super admin password... Ok
Setting WebADM proxy usera password... Ok
Do you want LDAP Directory to be automatically started at boot (y/n)? y
Adding systemd service... Ok
Do you want to register LDAP Directory logrotate script (y/n)? y
Adding logrotate script... Ok
Do you want to register LDAP Directory DB backup script (y/n)? y
Adding DB backup script... Ok
LDAP Directory has successfully been setup.
Standalone setup is done.
Configuration file of RCDevs Directory Server
The configuration file is /opt/slapd/conf/slapd.conf. If you need to modify LDAP configurations, please refer to the OpenLDAP Online documentation.
The default LDAP administrator is cn=admin,o=Root. The default password is password if the setup script is run silently. Change the default password to something else before running RCDevs Directory Server.
If you need more WebADM administrators, create the administrator users in WebADM and set write permissions for the new administrator DNs in /opt/slapd/conf/slapd.conf.
# RCDevs Directory Server configuration
#loglevel -1
# Objectclasses and attributes definitions
include /opt/slapd/lib/schema/core.schema
include /opt/slapd/lib/schema/cosine.schema
include /opt/slapd/lib/schema/dyngroup.schema
include /opt/slapd/lib/schema/inetorgperson.schema
include /opt/slapd/lib/schema/nis.schema
include /opt/slapd/lib/schema/misc.schema
include /opt/slapd/lib/schema/msad.schema
include /opt/slapd/lib/schema/radius.schema
include /opt/slapd/lib/schema/samba.schema
include /opt/slapd/lib/schema/sudo.schema
include /opt/slapd/lib/schema/webadm.schema
# PID file and log file
pidfile /opt/slapd/temp/slapd.pid
logfile /opt/slapd/logs/slapd.log
rootdse /opt/slapd/lib/rootdse.ldif
argsfile /opt/slapd/temp/slapd.args
loglevel none
sizelimit unlimited
# Load dynamic backend modules
modulepath /opt/slapd/lib/modules
moduleload dynlist.la
moduleload memberof.la
moduleload ppolicy.la
moduleload refint.la
moduleload valsort.la
moduleload syncprov.la
moduleload pw-sha2.la
moduleload pw-nthash.la
# The next three lines allow use of TLS for encrypting connections
TLSCertificateFile /opt/slapd/conf/slapd.crt
TLSCertificateKeyFile /opt/slapd/conf/slapd.key
TLSProtocolMin 3.2
TLSCipherSuite HIGH:MEDIUM
TLSVerifyClient never
# Access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow WebADM proxy user write access
# Allow administrators write access
# Allow self write access
# Allow anonymous users to authenticate
# If no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn (e.g., "access to * by * read").
# Rootdn can always read and write EVERYTHING!
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
by dn="cn=webadm,dc=WebADM" write
by group="cn=super_admins,dc=WebADM" write
by group="cn=other_admins,dc=WebADM" write
by anonymous auth
by * none
# LDAP database
database mdb
monitoring on
suffix ""
rootdn "cn=admin,o=Root"
# Uncomment the following line to force a rootdn password.
# When uncommented, both your LDAP password and the rootpw are usable
# for the rootdn. You can also use the rootpw as a recovery option
# in case the rootdn password gets lost.
#rootpw "password"
# The database directory must exist prior to running slapd and
# should only be accessible by the slapd and slap tools.
directory /opt/slapd/data
# Dynamic group objects
overlay dynlist
dynlist-attrset groupOfURLs memberURL
# Speedup group operations
sortvals member memberOf
# Reverse group membership
overlay memberof
memberof-refint TRUE
# Referential integrity attributes
overlay refint
refint_attributes member
# Password policy object
overlay ppolicy
ppolicy_default "cn=ppolicy,o=Root"
ppolicy_hash_cleartext
# LDAP replication settings
overlay syncprov
syncprov-checkpoint 100 5
syncprov-sessionlog 100
syncprov-reloadhint TRUE
# Indexes to maintain
index objectClass eq,pres
index cn,uid,mail,mobile eq,pres,sub
index o,ou,dc eq,pres
index member,memberUid eq,pres
index uidNumber,gidNumber eq,pres
index entryUUID eq
index entryCSN eq
# Maximum size of the MDB database in bytes. A memory map of this size is
# allocated at startup time and the database will not be allowed to grow
# beyond this size. The default is 10485760 bytes.
maxsize 64000000
# Max number of operations and time between checkpoint operations.
# The database can only be recovered from the last checkpoint.
checkpoint 10000 30
dbnosync
# The rest of the configuration is for LDAP clustering (mirror replication).
# Uncomment all the following lines to setup your LDAP server in mirror mode
# replication with remote server ldap2.example.com.
# For more details see http://www.openldap.org/doc/admin23/syncrepl.html.
# The serverID must be set to '2' on the secondary LDAP server.
# Multiple syncrepl RIDs can be setup with more than two nodes.
# Global section
#serverID 1
# database section
# syncrepl directive
#syncrepl rid=001
# provider=ldap://192.168.4.21
# bindmethod=simple
# binddn="cn=admin,o=root"
# credentials=password
# searchbase=""
# schemachecking=on
# type=refreshAndPersist
# retry="60 +"
#
#multiprovider on
If you do not intend to set up a secondary node, you can just start the RCDevs Directory services with the following command:
[root@ldap1 ~]# /opt/slapd/bin/slapd start
or with systemctl, as the service has been registered with systemctl during the setup:
[root@ldap1 ~]# systemctl start slapd
Cluster setup
Cluster setup requires some adjustments in /opt/slapd/conf/slapd.conf on the primary node. Once these adjustments are done, repeat the installation process on the secondary node and edit the configuration on the secondary node to finish the replication configuration.
Adapt configuration file on Node 1
At the end of the configuration file, you will find the following commented-out section:
# The serverID must be set to '2' on the secondary LDAP server.
# Multiple syncrepl RIDs can be setup with more than two nodes.
#serverID 1
#multiprovider on
#syncrepl rid=001
# provider=ldap://ldap2.example.com
# bindmethod=simple
# binddn="cn=admin,o=Root"
# credentials="password"
# searchbase=""
# schemachecking=on
# type=refreshAndPersist
# starttls=yes
# tls_reqcert=never
# retry="10 5 60 +"
Uncomment the following lines by deleting the # at the beginning of each line:
# The serverID must be set to '2' on the secondary LDAP server.
# Multiple syncrepl RIDs can be setup with more than two nodes.
serverID 1
syncrepl rid=001
provider=ldap://ldap2.rcdevsdocs.com
bindmethod=simple
binddn="cn=admin,o=Root"
credentials="password"
searchbase=""
schemachecking=on
type=refreshAndPersist
starttls=yes
tls_reqcert=never
retry="10 5 60 +"
multiprovider on
Replace the provider URL with the DNS name or IP address of your secondary instance.
Setup node 2
Install the package and run the setup script as you did for the first node.
When you start the setup script on the secondary node with the command:
[root@ldap2 ~]# /opt/slapd/bin/setup
When prompted by the setup script, select 'r' to setup a replication peer.
You will be asked to provide the admin password you configured during the setup of node 1.
Checking system architecture...Ok
Enter the server fully qualified host name (FQDN): ldap2.rcdevsdocs.com
Is this server a standalone LDAP or a replication peer in an LDAP cluster?
Enter 's' for standalone server or 'r' for a replication peer: r
We need to fetch LDAP data from the other LDAP server.
Enter IP address or fully qualified host name of the remote LDAP: ldap1.rcdevsdocs.com
Enter LDAP port of the remote LDAP or press Enter for default: 389
Enter the admin DN to connect the remote LDAP: cn=admin,o=root
Enter the admin password to connect the remote LDAP: Testing LDAP connection... Ok
Creating self-signed certificate... Ok
Copying LDAP data from ldap1.rcdevsdocs.com.... Ok
Setting file permissions... Ok
Starting LDAP Directory... Ok
Do you want LDAP Directory to be automatically started at boot (y/n)? y
Adding systemd service... Ok
Do you want to register LDAP Directory logrotate script (y/n)? Please enter y/n y
Adding logrotate script... Ok
Do you want to register LDAP Directory DB backup script (y/n)? y
Adding DB backup script... Ok
LDAP Directory has successfully been setup.
You need to configure the replication on both LDAP servers!
Please refer to RCDevs' WebADM HA Documentation for details...
Installation of node 2 is complete; we can continue with the configuration file adaptation.
Adapt configuration file on Node 2
At the end of the configuration file, you will find the following commented-out section:
# The serverID must be set to '2' on the secondary LDAP server.
# Multiple syncrepl RIDs can be setup with more than two nodes.
#serverID 1
#multiprovider on
#syncrepl rid=001
# provider=ldap://ldap2.example.com
# bindmethod=simple
# binddn="cn=admin,o=Root"
# credentials="password"
# searchbase=""
# schemachecking=on
# type=refreshAndPersist
# starttls=yes
# tls_reqcert=never
# retry="10 5 60 +"
Uncomment the following lines by deleting the # at the beginning of each line:
# The serverID must be set to '2' on the secondary LDAP server.
# Multiple syncrepl RIDs can be setup with more than two nodes.
serverID 2
syncrepl rid=001
provider=ldap://ldap1.rcdevsdocs.com
bindmethod=simple
binddn="cn=admin,o=Root"
credentials="password"
searchbase=""
schemachecking=on
type=refreshAndPersist
starttls=yes
tls_reqcert=never
retry="10 5 60 +"
multiprovider on
Replace the provider URL with the DNS name or IP address of your primary instance.
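To check both nodes' files before starting the services, here is an added example (not part of RCDevs' documentation or tooling) that parses the replication tail of a slapd.conf, as adapted in the node 1 and node 2 sections above, and flags a serverID or provider that does not match the intended layout, a credential left at the default password, and tls_reqcert=never. The embedded sample configuration is constructed from the lines shown on this page; the function names are the example's own.

```python
import re

# Constructed sample (not a real node's file): node 1's replication tail after uncommenting.
NODE1_CONF = """\
rootdn "cn=admin,o=Root"
#rootpw "password"
serverID 1
syncrepl rid=001
  provider=ldap://ldap2.rcdevsdocs.com
  binddn="cn=admin,o=Root"
  credentials="password"
  tls_reqcert=never
  retry="10 5 60 +"
multiprovider on
"""

def parse_conf(text):
    """Top-level directives (last value wins) plus the syncrepl key=value block."""
    directives, syncrepl, in_sync = {}, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):           # commented lines are inert
            continue
        if in_sync and re.match(r"[\w-]+=", line):     # syncrepl parameter line
            k, _, v = line.partition("=")
            syncrepl[k] = v.strip('"')
            continue
        key, _, val = line.partition(" ")
        in_sync = key == "syncrepl"
        if in_sync:
            k, _, v = val.partition("=")               # e.g. rid=001
            syncrepl[k] = v
        else:
            directives[key] = val.strip('"')
    return directives, syncrepl

def audit(text, local_fqdn, peer_fqdn, expected_server_id):
    """Findings for one node; an empty list means it matches the intended layout."""
    d, s = parse_conf(text)
    findings = []
    if d.get("serverID") != str(expected_server_id):
        findings.append(f"serverID should be {expected_server_id}")
    if peer_fqdn not in s.get("provider", "") or local_fqdn in s.get("provider", ""):
        findings.append(f"provider must point at the peer {peer_fqdn}")
    if s.get("credentials") == "password" or d.get("rootpw") == "password":
        findings.append("default 'password' credential still present")
    if s.get("tls_reqcert") == "never":
        findings.append("tls_reqcert=never: the peer's certificate is not verified")
    return findings
```

Run audit() once per node with that node's FQDN, its peer's FQDN and the serverID it should carry (1 or 2); the same file audited as node 2 will report both the serverID and the provider.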
Replication peer configuration is done. You can start the RCDevs Directory services:
[root@ldap1 ~]# /opt/slapd/bin/slapd start
or with systemctl, as the service has been registered with systemctl during the setup:
[root@ldap1 ~]# systemctl start slapd
Upgrade
To upgrade RCDevs Directory Server, do not remove the previous version and proceed as you did for the installation by running the self-installer or upgrade with dnf or apt.
The upgrade will not override your current configuration files. After an upgrade please read the CHANGELOG and RELEASE_NOTES files to get the list of changes and follow the recommendations if any.
Backend Migration from BDB to MDB
Since version 1.0.7 of RCDevs Directory Server, the data store has changed from BDB to MDB for better performance. However, if you upgrade from an older version of RCDevs Directory Server, you also need to change the backend manually if you want to use MDB. The procedure is straightforward:
Check the current backend and the data:
[root@ldap1 ~]# grep "^database" /opt/slapd/conf/slapd.conf
database bdb
[root@ldap1 ~]# ls /opt/slapd/data
alock cn.bdb __db.001 __db.002 __db.003 DB_ARCH DB_CONFIG dn2id.bdb entryUUID.bdb id2entry.bdb log.0000000001 o.bdb objectClass.bdb
Export the db to a ldif file:
[root@ldap1 ~]# /opt/slapd/bin/dbdump export.ldif
Backup RCDevs Directory data to export.ldif (y/n)? y
Dumping LDAP data... Ok
Update the configuration:
[root@ldap1 ~]# vi /opt/slapd/conf/slapd.conf
...
# LDAP database
database mdb ## replace bdb with mdb
maxsize 64000000 ## set the maximum size of memory used for mdb in bytes
...
Import the ldif file:
[root@ldap1 ~]# /opt/slapd/bin/dbload export.ldif
Restore RCDevs Directory Data from export.ldif (y/n)? y
Removing LDAP data... Ok
Restoring LDAP data... Ok
Restoring file permissions... Ok
Check the data and restart slapd:
[root@ldap1 ~]# ls /opt/slapd/data
data.mdb DB_ARCH DB_TYPE lock.mdb
[root@ldap1 ~]# /opt/slapd/bin/slapd start
Checking system architecture... Ok
Checking server configuration... Ok
Starting RCDevs LDAP Directory... Ok
Backup LDAP database
You can back up the database and configuration with:
[root@ldap1 ~]# /opt/slapd/bin/backup mybackup.gz
Are you sure you want to backup RCDevs LDAP Directory (y/n)? y
Adding conf/slapd.conf... Ok
Adding conf/slapd.crt... Ok
Adding conf/slapd.key... Ok
Adding data... Ok
Adding logs... Ok
Adding temp... Ok
Adding conf/slapd.csr... Missing
Adding conf/slapd.env... Missing
Compressing backup file... Ok
RCDevs LDAP Directory backup created in mybackup.gz
Restore LDAP database
And you can restore the previous backup with:
[root@ldap1 ~]# /opt/slapd/bin/restore mybackup.gz
Are you sure you want to restore RCDevs LDAP Directory (y/n)? y
Unpacking backup files... Ok
Checking system architecture...Ok
Setting file permissions... Ok
Starting LDAP Directory... Ok
Setting Admin password... Ok
Adding systemd service... Ok
Adding logrotate script... Ok
Adding DB backup script... Ok
LDAP Directory has successfully been setup.
RCDevs LDAP Directory backup restored from mybackup.gz