Installation of RCDevs Directory Server
RCDevs Directory Server runs on Linux with GLIBC ≥ 2.5. The package
contains the necessary dependencies, enabling RCDevs Directory Server to
operate on any Linux system without additional requirements. The
package is named slapd for RPM-based OS and rcdevs-slapd for
Debian-based OS.
The documentation provides information on installing, setting up,
updating the RCDevs Directory Server, and backing up/restoring the LDAP
database.
It also provides instructions to set up the RCDevs Directory Server as a
standalone server or in cluster mode with 2 replicated nodes.
Package installation
Using RCDevs Repository
Refer to the RCDevs repository documentation to install and configure
RCDevs repositories.
RPM-based OS
[root@ldap1 ~]# dnf install slapd
Debian-based OS
[root@ldap1 ~]# apt install rcdevs-slapd
Using the Self Installer
The RCDevs Directory Server can be downloaded from the RCDevs
website.
Download the file and copy it to the server where you want to install
the RCDevs Directory Server. It can be installed on the future WebADM
server or on another server.
Unpack and run the installer with the following commands:
[root@ldap1 ~]# gunzip slapd-1.1.12-7-x64.sh.gz
Using Docker
Similarly, download the RCDevs Directory Server image from the Docker
repository:
[root@ldap1 ~]# docker pull rcdevs/slapd
Then, you can start the slapd container using the following
parameters:
[root@ldap1 ~]# docker run -d --name slapd \
-v slapd_conf:/opt/slapd/conf \
-v slapd_data:/opt/slapd/data \
--network net-webadm \
rcdevs/slapd
The network "net-webadm" is going to be used later by WebADM.
Setup
The setup script creates the RCDevs Directory system user (slapd),
server certificates, filesystem permissions and initializes your LDAP
database.
Standalone setup (1 node)
Run the setup script and select standalone mode when asked:
[root@ldap1 ~]# /opt/slapd/bin/setup
Checking system architecture...Ok
Enter the server fully qualified host name (FQDN): ldap1.rcdevsdocs.com
Is this server a standalone LDAP or a replication peer in an LDAP
cluster?
Enter 's' for standalone server or 'r' for a replication peer: s
Enter WebADM super admin password: ********
Enter WebADM proxy user password: *******
Creating self-signed certificate... Ok
Initializing LDAP data... Ok
Setting file permissions... Ok
Starting LDAP Directory... Ok
Setting WebADM super admin password... Ok
Setting WebADM proxy usera password... Ok
Do you want LDAP Directory to be automatically started at boot (y/n)? y
Adding systemd service... Ok
Do you want to register LDAP Directory logrotate script (y/n)? y
Adding logrotate script... Ok
Do you want to register LDAP Directory DB backup script (y/n)? y
Adding DB backup script... Ok
LDAP Directory has successfully been setup.
Standalone setup is done.
Configuration file of RCDevs Directory Server
The configuration file is /opt/slapd/conf/slapd.conf. If you need to
modify LDAP configurations, please refer to the OpenLDAP Online
documentation.
The default LDAP administrator is cn=admin,o=Root. The default
password is password if the setup script is run silently. Change the
default password to something else before running RCDevs Directory
Server.
If you need more WebADM administrators, create the administrator users
in WebADM and set write permissions for the new administrator DNs in
/opt/slapd/conf/slapd.conf.
# RCDevs Directory Server configuration
#loglevel -1
# Objectclasses and attributes definitions
include /opt/slapd/lib/schema/core.schema
include /opt/slapd/lib/schema/cosine.schema
include /opt/slapd/lib/schema/dyngroup.schema
include /opt/slapd/lib/schema/inetorgperson.schema
include /opt/slapd/lib/schema/nis.schema
include /opt/slapd/lib/schema/misc.schema
include /opt/slapd/lib/schema/msad.schema
include /opt/slapd/lib/schema/radius.schema
include /opt/slapd/lib/schema/samba.schema
include /opt/slapd/lib/schema/sudo.schema
include /opt/slapd/lib/schema/webadm.schema
# PID file and log file
pidfile /opt/slapd/temp/slapd.pid
logfile /opt/slapd/logs/slapd.log
rootdse /opt/slapd/lib/rootdse.ldif
argsfile /opt/slapd/temp/slapd.args
loglevel none
sizelimit unlimited
# Load dynamic backend modules
modulepath /opt/slapd/lib/modules
moduleload dynlist.la
moduleload memberof.la
moduleload ppolicy.la
moduleload refint.la
moduleload valsort.la
moduleload syncprov.la
moduleload pw-sha2.la
moduleload pw-nthash.la
# The next three lines allow use of TLS for encrypting connections
TLSCertificateFile /opt/slapd/conf/slapd.crt
TLSCertificateKeyFile /opt/slapd/conf/slapd.key
TLSProtocolMin 3.2
TLSCipherSuite HIGH:MEDIUM
TLSVerifyClient never
# Access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow WebADM proxy user write access
# Allow administrators write access
# Allow self write access
# Allow anonymous users to authenticate
# If no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn (e.g., "access to * by * read").
# Rootdn can always read and write EVERYTHING!
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
by dn="cn=webadm,dc=WebADM" write
by group="cn=super_admins,dc=WebADM" write
by group="cn=other_admins,dc=WebADM" write
by anonymous auth
by * none
# LDAP database
database mdb
monitoring on
suffix ""
rootdn "cn=admin,o=Root"
# Uncomment the following line to force a rootdn password.
# When uncommented, both your LDAP password and the rootpw are usable
# for the rootdn. You can also use the rootpw as a recovery option
# in case the rootdn password gets lost.
#rootpw "password"
# The database directory must exist prior to running slapd and
# should only be accessible by the slapd and slap tools.
directory /opt/slapd/data
# Dynamic group objects
overlay dynlist
dynlist-attrset groupOfURLs memberURL
# Speedup group operations
sortvals member memberOf
# Reverse group membership
overlay memberof
memberof-refint TRUE
# Referential integrity attributes
overlay refint
refint_attributes member
# Password policy object
overlay ppolicy
ppolicy_default "cn=ppolicy,o=Root"
ppolicy_hash_cleartext
# LDAP replication settings
overlay syncprov
syncprov-checkpoint 100 5
syncprov-sessionlog 100
syncprov-reloadhint TRUE
# Indexes to maintain
index objectClass eq,pres
index cn,uid,mail,mobile eq,pres,sub
index o,ou,dc eq,pres
index member,memberUid eq,pres
index uidNumber,gidNumber eq,pres
index entryUUID eq
index entryCSN eq
# Maximum size of the MDB database in bytes. A memory map of this size is
# allocated at startup time and the database will not be allowed to grow
# beyond this size. The default is 10485760 bytes.
maxsize 64000000
# Max number of operations and time between checkpoint operations.
# The database can only be recovered from the last checkpoint.
checkpoint 10000 30
dbnosync
# The rest of the configuration is for LDAP clustering (mirror replication).
# Uncomment all the following lines to set up your LDAP server in mirror mode
# replication with remote server ldap2.example.com.
# For more details see http://www.openldap.org/doc/admin23/syncrepl.html.
# The serverID must be set to '2' on the secondary LDAP server.
# Multiple syncrepl RIDs can be setup with more than two nodes.
# Global section
#serverID 1
# database section
# syncrepl directive
#syncrepl rid=001
# provider=ldap://192.168.4.21
# bindmethod=simple
# binddn="cn=admin,o=root"
# credentials=password
# searchbase=""
# schemachecking=on
# type=refreshAndPersist
# retry="60 +"
#
#multiprovider on
If you do not intend to set up a secondary node, you can just start the
RCDevs Directory services with the following command:
[root@ldap1 ~]# /opt/slapd/bin/slapd start
or with systemctl, as the service has been registered with systemctl
during the setup:
[root@ldap1 ~]# systemctl start slapd
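Before starting the service, it is worth reviewing the file above for the settings a security reviewer would question. The following POSIX shell script is an added example, not part of the RCDevs documentation or tooling: it reads an slapd.conf in the layout shown and warns about an uncommented default rootpw, a TLSProtocolMin below 3.3 (OpenLDAP's code for TLS 1.2; the shipped 3.2 still admits TLS 1.1), a syncrepl stanza that still binds with credentials="password", tls_reqcert=never (the consumer then does not verify the replication peer's certificate) and a simple bind without StartTLS. The two configuration excerpts it writes are constructed for the demonstration and are not the shipped file.

```sh
#!/bin/sh
# Added example, not part of the RCDevs documentation or tooling: audit the
# security-relevant directives of an slapd.conf laid out as above.
# Directive semantics are OpenLDAP's; both sample files are constructed.

# Keep only the lines slapd parses (drop comment and blank lines).
active_lines() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# Print one WARN line per finding; always returns 0 so the lines can be counted.
audit_slapd_conf() {
    lines=$(active_lines "$1")

    # 1. rootpw left at the documented default.
    printf '%s\n' "$lines" | grep -Eq '^[[:space:]]*rootpw[[:space:]]+"?password"?[[:space:]]*$' \
        && echo "WARN: rootpw is the default \"password\" (change it or leave it commented)"

    # 2. OpenLDAP encodes TLS 1.2 as 3.3; the shipped 3.2 still accepts TLS 1.1.
    min=$(printf '%s\n' "$lines" | awk '$1 == "TLSProtocolMin" { print $2 }')
    if [ -z "$min" ]; then
        echo "WARN: TLSProtocolMin not set, no minimum TLS version is enforced"
    elif awk -v v="$min" 'BEGIN { if (v + 0 < 3.3) exit 0; exit 1 }'; then
        echo "WARN: TLSProtocolMin $min accepts TLS older than 1.2 (use 3.3 or higher)"
    fi

    # 3. syncrepl still binding with the default replication password.
    printf '%s\n' "$lines" | grep -Eq '^[[:space:]]*credentials="?password"?[[:space:]]*$' \
        && echo "WARN: syncrepl credentials are the default \"password\""

    # 4. tls_reqcert=never: the consumer does not verify the provider's certificate.
    printf '%s\n' "$lines" | grep -Eq '^[[:space:]]*tls_reqcert=never' \
        && echo "WARN: tls_reqcert=never disables certificate verification of the replication peer"

    # 5. Simple bind without StartTLS or ldaps:// sends the replication password in clear.
    if printf '%s\n' "$lines" | grep -Eq '^[[:space:]]*bindmethod=simple'; then
        printf '%s\n' "$lines" | grep -Eq '^[[:space:]]*(starttls=(yes|critical)|provider=ldaps://)' \
            || echo "WARN: bindmethod=simple without starttls=yes or an ldaps:// provider"
    fi
    return 0
}

finding_count() { audit_slapd_conf "$1" | awk 'END { print NR }'; }

# Constructed excerpt in the shipped layout, with the weak settings left in place.
write_weak_conf() {
    cat > "$1" <<'EOF'
TLSCertificateFile /opt/slapd/conf/slapd.crt
TLSCertificateKeyFile /opt/slapd/conf/slapd.key
TLSProtocolMin 3.2
database mdb
rootdn "cn=admin,o=Root"
rootpw "password"
syncrepl rid=001
  provider=ldap://ldap2.example.com
  bindmethod=simple
  binddn="cn=admin,o=Root"
  credentials="password"
  tls_reqcert=never
EOF
}

# The same excerpt after hardening: rootpw commented out, TLS 1.2 minimum,
# a replaced replication secret, StartTLS required and the peer certificate checked.
write_hardened_conf() {
    cat > "$1" <<'EOF'
TLSCertificateFile /opt/slapd/conf/slapd.crt
TLSCertificateKeyFile /opt/slapd/conf/slapd.key
TLSProtocolMin 3.3
database mdb
rootdn "cn=admin,o=Root"
#rootpw "password"
syncrepl rid=001
  provider=ldap://ldap2.example.com
  bindmethod=simple
  binddn="cn=admin,o=Root"
  credentials="REPLACE-WITH-A-STRONG-SECRET"
  starttls=critical
  tls_reqcert=demand
EOF
}

# Usage: sh audit_slapd_conf.sh /opt/slapd/conf/slapd.conf
if [ -n "${1:-}" ]; then audit_slapd_conf "$1"; fi
```

Run it as `sh audit_slapd_conf.sh /opt/slapd/conf/slapd.conf` on each node; the weak excerpt produces five warnings and the hardened one none. The checks only look at uncommented lines, so the commented replication template at the end of the shipped file does not trigger them until it is activated.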
Cluster setup
Cluster setup requires some adjustments in /opt/slapd/conf/slapd.conf
on the primary node. Once the adjustments are done, repeat the
installation process on the secondary node and edit the configuration on
the secondary node to finish the replication configuration.
Adapt configuration file on Node 1
At the end of the configuration file, you will find the following
commented-out section:
# The serverID must be set to '2' on the secondary LDAP server.
# Multiple syncrepl RIDs can be setup with more than two nodes.
#serverID 1
#multiprovider on
#syncrepl rid=001
# provider=ldap://ldap2.example.com
# bindmethod=simple
# binddn="cn=admin,o=Root"
# credentials="password"
# searchbase=""
# schemachecking=on
# type=refreshAndPersist
# starttls=yes
# tls_reqcert=never
# retry="10 5 60 +"
Uncomment the following lines by deleting the # at the beginning of
each line:
# The serverID must be set to '2' on the secondary LDAP server.
# Multiple syncrepl RIDs can be setup with more than two nodes.
serverID 1
syncrepl rid=001
provider=ldap://ldap2.rcdevsdocs.com
bindmethod=simple
binddn="cn=admin,o=Root"
credentials="password"
searchbase=""
schemachecking=on
type=refreshAndPersist
starttls=yes
tls_reqcert=never
retry="10 5 60 +"
multiprovider on
Replace the provider URL with the DNS name or IP address of your
secondary instance.
Setup node 2
Install the package and run the setup script as you did for the first
node.
Start the setup script on the secondary node with the command:
[root@ldap2 ~]# /opt/slapd/bin/setup
When prompted by the setup script, select 'r' to set up a replication
peer.
You will be asked to provide the admin password you configured during
the setup of node 1.
Checking system architecture...Ok
Enter the server fully qualified host name (FQDN): ldap2.rcdevsdocs.com
Is this server a standalone LDAP or a replication peer in an LDAP
cluster?
Enter 's' for standalone server or 'r' for a replication peer: r
We need to fetch LDAP data from the other LDAP server.
Enter IP address or fully qualified host name of the remote LDAP:
ldap1.rcdevsdocs.com
Enter LDAP port of the remote LDAP or press Enter for default: 389
Enter the admin DN to connect the remote LDAP: cn=admin,o=root
Enter the admin password to connect the remote LDAP:
Testing LDAP connection... Ok
Creating self-signed certificate... Ok
Copying LDAP data from ldap1.rcdevsdocs.com.... Ok
Setting file permissions... Ok
Starting LDAP Directory... Ok
Do you want LDAP Directory to be automatically started at boot (y/n)? y
Adding systemd service... Ok
Do you want to register LDAP Directory logrotate script (y/n)? Please
enter y/n y
Adding logrotate script... Ok
Do you want to register LDAP Directory DB backup script (y/n)? y
Adding DB backup script... Ok
LDAP Directory has successfully been setup.
You need to configure the replication on both LDAP servers!
Please refer to RCDevs' WebADM HA Documentation for details...
Installation of node 2 is complete; we can continue with the
configuration file adaptation.
Adapt configuration file on Node 2
At the end of the configuration file, you will find the following
commented-out section:
# The serverID must be set to '2' on the secondary LDAP server.
# Multiple syncrepl RIDs can be setup with more than two nodes.
#serverID 1
#multiprovider on
#syncrepl rid=001
# provider=ldap://ldap2.example.com
# bindmethod=simple
# binddn="cn=admin,o=Root"
# credentials="password"
# searchbase=""
# schemachecking=on
# type=refreshAndPersist
# starttls=yes
# tls_reqcert=never
# retry="10 5 60 +"
Uncomment the following lines by deleting the # at the beginning of
each line:
# The serverID must be set to '2' on the secondary LDAP server.
# Multiple syncrepl RIDs can be setup with more than two nodes.
serverID 2
syncrepl rid=001
provider=ldap://ldap1.rcdevsdocs.com
bindmethod=simple
binddn="cn=admin,o=Root"
credentials="password"
searchbase=""
schemachecking=on
type=refreshAndPersist
starttls=yes
tls_reqcert=never
retry="10 5 60 +"
multiprovider on
Replace the provider URL with the DNS name or IP address of your primary
instance.
Replication peer configuration is done. You can start the RCDevs
Directory services:
[root@ldap1 ~]# /opt/slapd/bin/slapd start
or with systemctl, as the service has been registered with systemctl
during the setup:
[root@ldap1 ~]# systemctl start slapd
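The two edits above must agree with each other: serverID 1 on node 1 and 2 on node 2, multiprovider on on both, an active syncrepl stanza on both, and each provider URL pointing at the other node. As an added example (not RCDevs' tooling), the POSIX shell script below reads both configuration files and reports every rule that is violated before the services are started; the configuration tails it writes for the demonstration are constructed for the ldap1/ldap2 example.

```sh
#!/bin/sh
# Added example, not RCDevs' tooling: cross-check the uncommented replication
# stanzas of node 1 and node 2 against the rules of this section. The sample
# configuration tails are constructed for the ldap1/ldap2 example.

active() { grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'; }

# Value of a "key value" directive such as serverID or multiprovider (first match).
directive() { active "$1" | awk -v k="$2" '$1 == k { print $2; exit }'; }

# Value of a "key=value" syncrepl option, surrounding quotes removed (first match).
option() {
    active "$1" | sed -n "s/^[[:space:]]*$2=//p" | sed 's/^"//; s/"$//' | head -n 1
}

# Host part of a provider URL, e.g. ldap://ldap2.rcdevsdocs.com or ldap://192.168.4.21:389.
url_host() { printf '%s\n' "$1" | sed 's#^[a-z]*://##; s#[:/].*$##'; }

# Usage: check_replication_pair NODE1.conf node1-fqdn NODE2.conf node2-fqdn
# Prints one ERROR line per violated rule; always returns 0 so the lines can be counted.
check_replication_pair() {
    c1=$1; h1=$2; c2=$3; h2=$4
    id1=$(directive "$c1" serverID); id2=$(directive "$c2" serverID)

    # Rule 1: serverID uncommented on both nodes and different (the secondary uses 2).
    [ -n "$id1" ] && [ -n "$id2" ] || echo "ERROR: serverID must be uncommented on both nodes"
    [ -z "$id1" ] || [ "$id1" != "$id2" ] || echo "ERROR: both nodes use serverID $id1"

    # Rule 2: multiprovider on and an active syncrepl stanza on both nodes.
    for c in "$c1" "$c2"; do
        [ "$(directive "$c" multiprovider)" = on ] || echo "ERROR: $c: multiprovider on is missing"
        active "$c" | grep -Eq '^[[:space:]]*syncrepl[[:space:]]+rid=' \
            || echo "ERROR: $c: no uncommented syncrepl stanza"
    done

    # Rule 3: each node's provider is the other node.
    p1=$(url_host "$(option "$c1" provider)"); p2=$(url_host "$(option "$c2" provider)")
    [ "$p1" = "$h2" ] || echo "ERROR: node 1 provider '$p1' is not node 2 ($h2)"
    [ "$p2" = "$h1" ] || echo "ERROR: node 2 provider '$p2' is not node 1 ($h1)"
    return 0
}

pair_error_count() { check_replication_pair "$@" | awk 'END { print NR }'; }

# Constructed configuration tail as it looks after uncommenting: FILE SERVERID PROVIDER-URL.
write_node_conf() {
    cat > "$1" <<EOF
# The serverID must be set to '2' on the secondary LDAP server.
serverID $2
syncrepl rid=001
  provider=$3
  bindmethod=simple
  binddn="cn=admin,o=Root"
  credentials="password"
  searchbase=""
  starttls=yes
multiprovider on
EOF
}

# Usage: sh check_pair.sh ldap1.conf ldap1.rcdevsdocs.com ldap2.conf ldap2.rcdevsdocs.com
if [ $# -eq 4 ]; then check_replication_pair "$@"; fi
```

Copy the two slapd.conf files to one host and run the script with both file names and both FQDNs; a clean pair prints nothing. The most common mistake it catches is the secondary left at serverID 1 or pointing its provider URL at itself.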
Upgrade
To upgrade RCDevs Directory Server, do not remove the previous version
and proceed as you did for the installation by running the
self-installer or upgrade with dnf or apt.
The upgrade will not overwrite your current configuration files. After an
upgrade, read the CHANGELOG and RELEASE_NOTES files for the list of
changes and follow any recommendations they contain.
Backend Migration from BDB to MDB
Since version 1.0.7 of RCDevs Directory Server, the data store has
changed from BDB to MDB for better performance. However, if you upgrade
an old version of RCDevs Directory Server, you also need to change the
backend manually if you want to use MDB. The procedure is straightforward:
Check the current backend and the data:
[root@ldap1 ~]# grep "^database" /opt/slapd/conf/slapd.conf
database bdb
[root@ldap1 ~]# ls /opt/slapd/data
alock cn.bdb __db.001 __db.002 __db.003 DB_ARCH DB_CONFIG
dn2id.bdb entryUUID.bdb id2entry.bdb log.0000000001 o.bdb
objectClass.bdb
Export the data to an LDIF file:
[root@ldap1 ~]# /opt/slapd/bin/dbdump export.ldif
Backup RCDevs Directory data to export.ldif (y/n)? y
Dumping LDAP data... Ok
Update the configuration:
[root@ldap1 ~]# vi /opt/slapd/conf/slapd.conf
...
# LDAP database
database mdb ## replace bdb with mdb
maxsize 64000000 ## set the max size of memory used for mdb in bytes
...
Import the LDIF file:
[root@ldap1 ~]# /opt/slapd/bin/dbload export.ldif
Restore RCDevs Directory Data from export.ldif (y/n)? y
Removing LDAP data... Ok
Restoring LDAP data... Ok
Restoring file permissions... Ok
Check the data and restart slapd:
[root@ldap1 ~]# ls /opt/slapd/data
data.mdb DB_ARCH DB_TYPE lock.mdb
[root@ldap1 ~]# /opt/slapd/bin/slapd start
Checking system architecture... Ok
Checking server configuration... Ok
Starting RCDevs LDAP Directory... Ok
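dbload removes the existing LDAP data before restoring from the LDIF file, so the export is worth checking before that step. As an added example that is not RCDevs' tooling, the POSIX shell script below counts the records of an LDIF file and verifies that every record begins with a dn: line (folded continuation lines, comments and the version header are handled); running it on export.ldif before dbload, and comparing the count with a fresh dbdump after the migration, confirms that no entries were lost. The sample LDIF it writes is constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not RCDevs' tooling: sanity-check the LDIF produced by dbdump
# before dbload removes the live data. The sample LDIF below is constructed;
# a real export comes from /opt/slapd/bin/dbdump.

# Count LDIF records: each record starts with a "dn:" (or base64 "dn::") line.
# Comment lines, the version header and folded continuation lines are skipped.
ldif_entry_count() {
    awk '
        /^#/ || /^version:/ || /^ / { next }
        /^dn::? / { n++ }
        END { print n + 0 }
    ' "$1"
}

# Structural check: the file must contain at least one record and every record
# (text between blank lines) must begin with dn:. Offending records are printed;
# exit status 0 only when the export looks importable.
ldif_check() {
    awk '
        BEGIN { at_start = 1; bad = 0; records = 0 }
        /^#/ || /^version:/ { next }
        /^$/ { at_start = 1; next }
        /^ / { next }                       # folded continuation of the previous line
        at_start {
            records++
            if ($0 !~ /^dn::? /) {
                bad++
                printf "record %d does not start with dn: %s\n", records, $0
            }
            at_start = 0
        }
        END { if (records == 0) { print "no records found"; bad++ }; exit bad > 0 }
    ' "$1"
}

# Constructed export in slapcat style with three entries, one of them folded.
write_sample_ldif() {
    cat > "$1" <<'EOF'
# constructed sample, not a real dbdump export
version: 1

dn: o=Root
objectClass: organization
o: Root

dn: dc=WebADM
objectClass: top
objectClass: domain
dc: WebADM

dn: cn=webadm,dc=WebADM
objectClass: person
cn: webadm
sn: webadm
description: this value is folded
 across two lines
EOF
}

# Usage: sh ldif_check.sh export.ldif   (before dbload; compare the count with a new dbdump afterwards)
if [ -n "${1:-}" ]; then ldif_check "$1" && echo "$(ldif_entry_count "$1") entries"; fi
```

The script exits non-zero for an empty export or for a record that does not start with dn:, which is the point at which to stop and re-run dbdump rather than proceed to dbload.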
Backup LDAP database
You can back up the database and configuration with:
[root@ldap1 ~]# /opt/slapd/bin/backup mybackup.gz
Are you sure you want to backup RCDevs LDAP Directory (y/n)? y
Adding conf/slapd.conf... Ok
Adding conf/slapd.crt... Ok
Adding conf/slapd.key... Ok
Adding data... Ok
Adding logs... Ok
Adding temp... Ok
Adding conf/slapd.csr... Missing
Adding conf/slapd.env... Missing
Compressing backup file... Ok
RCDevs LDAP Directory backup created in mybackup.gz
Restore LDAP database
You can restore the previous backup with:
[root@ldap1 ~]# /opt/slapd/bin/restore mybackup.gz
Are you sure you want to restore RCDevs LDAP Directory (y/n)? y
Unpacking backup files... Ok
Checking system architecture...Ok
Setting file permissions... Ok
Starting LDAP Directory... Ok
Setting Admin password... Ok
Adding systemd service... Ok
Adding logrotate script... Ok
Adding DB backup script... Ok
LDAP Directory has successfully been setup.
RCDevs LDAP Directory backup restored from mybackup.gz
