1. If you want to set up a trial instance, start an editor and save the following as /tmp/instance.inf:

   Example 5.2: Basic Instance Configuration File #

   # /tmp/instance.inf
   [general]
   config_version = 2
   
   [slapd]
   root_password = YOUR_PASSWORD_FOR_CN=DIRECTORY_MANAGER1
   
   [backend-userroot]
   sample_entries = yes
   suffix = dc=example,dc=com

   1	Set the root_password to the password for the directory server root user. The password is used for LDAP server administration only.

2. To create the 389 Directory Server instance from Example 5.2, run:

   tux > sudo dscreate from-file /tmp/instance.inf

   This creates a working LDAP server.

3. If dscreate should fail, the messages will tell you why. For more details, repeat the command with the -v option:

   tux > sudo dscreate -v from-file /tmp/instance.inf

4. Check the status of the server with:

   tux > sudo dsctl localhost status
   instance 'Localhost' is running

5. In case you want to delete the instance later on:

   tux > sudo dsctl localhost remove --do-it

   With this command, you can also remove partially installed or corrupted instances.

Before you can import an existing private key and certificate into the NSS (Network Security Services) database, you need to create a bundle of the private key and the server certificate. This results in a *.p12 file.

Important: *.p12 File and Friendly Name

When creating the PKCS12 bundle, you must encode a “friendly name” in the *.p12 file.

Make sure to use Server-Cert as friendly name. Otherwise the TLS connection will fail, because the 389 Directory Server searches for this exact string.

As soon as you have imported the *.p12 file in the NSS database, the friendly name cannot be changed any more.

1. To create the PKCS12 bundle with the required friendly name:

   root # openssl pkcs12 -export -in SERVER.crt \
     -inkey SERVER.key -out SERVER.p12 \
     -name Server-Cert

   Replace SERVER.crt with the server certificate and SERVER.key with the private key to be bundled. With -out, specify the name of the *.p12 file. Use -name to set the friendly name to use, Server-Cert.

2. After you have created the required SERVER.p12 file, import the file into your NSS database:

   pk12util -i SERVER.p12 -d PATH_TO_NSS_DB

1. Create the user wilber:

   tux > sudo dsidm localhost user create --uid \
     --cn wilber --displayName 'Wilber Fox' --uidNumber 1000 --gidNumber 1000 \
     --homeDirectory /home/wilber

2. To look up a user's distinguished name (fully qualified name to the directory object, which is guaranteed unique):

   tux > sudo dsidm localhost user get wilber
   dn: uid=wilber,ou=people,dc=example,dc=com
   [...]

   The system prompts you for the directory server root user password (unless you configured remote or local access as described in Section 5.3.3, “Configuring Admin Credentials for Remote/Local Access”).

   You need the distinguished name for actions such as changing the password for a user.

3. To set or change the password for wilber:

   1. tux > sudo dsidm localhost account reset_password \
        uid=wilber,ou=people,dc=example,dc=com

      The system prompts you for the directory server root user password (unless you configured remote or local access as described in Section 5.3.3, “Configuring Admin Credentials for Remote/Local Access”).

   2. Enter the new password for wilber twice.

      If the action was successful, you get the following message:

      reset password for uid=wilber,ou=people,dc=example,dc=com

4. Create the user geeko:

   tux > sudo dsidm localhost user create --uid \
     --cn geeko --displayName 'Suzanne Geeko' \
     --uidNumber 1001 --gidNumber 1001 --homeDirectory /home/geeko

In the following, we create a group, server_admins, and assign the user wilber to this group.

1. Create the group:

   tux > sudo dsidm localhost group create

   You will be prompted for a group name:

   Enter value for cn :

2. Enter the name for the group, for example: server_admins.

3. Add the user wilber to the group:

   tux > sudo dsidm localhost group add_member server_admins uid=wilber,ou=people,dc=example,dc=com
   added member: uid=wilber,ou=people,dc=example,dc=com

4. Verify if authentication works:

   tux > sudo ldapwhoami -H ldaps://localhost -D \
     uid=wilber,ou=people,dc=example,dc=com -W -x

   If you are prompted for the LDAP password of wilber, authentication works.

   If the command fails with the following error, you are probably using a self-signed certificate:

   ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

   In that case, edit /etc/openldap/ldap.conf and add the path to the certificate. For example:

   TLS_CACERT=/etc/dirsrv/slapd-localhost/ca.crt

   Alternatively, include the path to the certificate in the whoami command:

   tux > sudo LDAPTLS_CACERT=/etc/dirsrv/slapd-localhost/ca.crt \
     ldapwhoami -H ldaps://localhost -D \
     uid=wilber,ou=people,dc=example,dc=com -W -x

1. On a separate server, install the sssd package:

   tux > sudo zypper in sssd

2. Disable and stop the nscd daemon because it conflicts with sssd:

   tux > sudo systemctl disable nscd && systemctl stop nscd

3. Create the SSSD configuration and restrict the login to the members of the group server_admins that we created in Procedure 5.2:

   tux > sudo dsidm localhost client_config sssd.conf server_admins

4. Review the output and paste (or redirect) it to /etc/sssd/sssd.conf. If required, edit the configuration file according to your needs.

5. To configure the certificates on your client, copy ca.crt from the LDAP server to your client:

   tux > sudo mkdir -p /etc/openldap/certs
   cp [...]>/ca.crt /etc/openldap/certs/
   /usr/bin/c_rehash /etc/openldap/certs

6. Enable and start SSSD:

   tux > sudo systemctl enable sssd
   systemctl start sssd

7. To make sure SSSD is part of PAM and NSS, follow the instructions in sections Configure PAM (SUSE) and Configure NSS (SUSE) at http://www.port389.org/docs/389ds/howto/howto-sssd.html.

8. Verify if the client can provide the details for user wilber:

   tux > sudo id wilber
       uid=1000(wilber) gid=100(users) groups=100(users)

   If everything is set up correctly, wilber can access the 389 Directory Server instance via SSH to the machine where you have installed and configured SSSD. However, geeko will fail to do so, because geeko does not belong to the group server_admins that we have configured in Procedure 5.2.

1. In YaST, click Network Services › Create New Directory Server. Alternatively, start the module from command line with yast2 ldap-server.

   In the window that opens, you need to fill in all mandatory text fields.

2. Enter the Fully qualified domain name of the 389 Directory Server. It must be resolvable from the host.

3. In Directory server instance name, enter a local name for the LDAP server instance.

   

   Note: Instance Name

   The instance name cannot be changed after the instance has been created. If you plan for only one LDAP server, use the default instance name localhost. However, if you plan to host multiple LDAP servers, use meaningful names for the individual instances.

4. In Directory suffix, enter the base domain name of the LDAP tree. It is your domain name split by component. For example, example.com becomes dc=example,dc=com.

5. In the mandatory security options, enter the password for the directory manager (LDAP's root/admin account) and repeat the password in the next step. The password must be at least 8 characters long.

6. To run 389 Directory Server with a CA certificate, specify both of the following options:

   1. Enter the path to the Server TLS certificate authority in PEM format, with which the server certificates have been signed.

   2. Enter the path to the Server TLS certificate and key in PKCS12 format with friendly name "Server-Cert". The *.p12 file contains the server's private key and certificate. These must have been signed by the CA in PEM format that you have specified above. The friendly name must be Server-Cert, see Section 5.3.2, “Using CA Certificates for TSL” for details.

      If you do not specify a CA certificate here, a self-signed certificate will be created automatically. After the instance has been created, find the related files in /etc/dirsrv/slapd-INSTANCENAME.

7. If you are ready to create the instance, click OK.

   

   YaST displays a message whether the creation was successful and where to find the log files.

1. In the window LDAP and Kerberos Client, click Change Settings.

   Make sure that the tab Use a Directory as Identity Provider (LDAP) is chosen.

   

2. Specify one or more LDAP server URLs or host names under Enter LDAP server locations. For security reasons, we recommend to use LDAPS:// URLs only. When specifying multiple addresses, separate them with spaces.

3. Specify the appropriate LDAP distinguished name (DN) under DN of Search Base. For example, a valid entry could be dc=example,dc=com.

4. If your LDAP server supports TLS encryption, choose the appropriate security option under Secure LDAP Connection.

   To first ask the server whether it supports TLS encryption and be able to downgrade to an unencrypted connection if it does not, use Secure Communication via StartTLS.

5. Activate other options as necessary:

   • You can Allow users to authenticate via LDAP and Automatically Create Home Directories on the local computer for them.

   • If you want to cache LDAP entries locally, use Cache LDAP Entries For Faster Response.

     

     Warning: Potential Security Risk with Caching

     Using the cache bears security risks, depending on the used mechanism.

     nscd

     If you define an authorization rule (for example, members of group admin can log in), and you remove a user from that group, the client cache will not see that change until the cache expires or refreshes. So a user whose account has been revoked can still log in for a period of time later.

     sssd

     This caching mechanism constantly checks if group memberships are still valid. Thus the cache risk only exists if the sssd daemon is disconnected from the LDAP server for any reason.

   • Specify the types of data that should be used from the LDAP source, such as Users and Groups, Super-User Commands, and Network Disk Locations (network-shared drives that can be automatically mounted on request).

   • Specify the distinguished name (DN) and password of the user under whose name you want to bind to the LDAP directory in DN of Bind User and Password of the Bind User.

     Otherwise, if the server supports it, you can also leave both text boxes empty to bind anonymously to the server.

     

     Warning: Authentication Without Encryption

     When using authentication without enabling transport encryption using TLS or StartTLS, the password will be transmitted in the clear.

   Under Extended Options, you can additionally configure timeouts for BIND operations.

6. To check whether the LDAP connection works, click Test Connection.

7. To leave the dialog, click OK. Then wait for the setup to complete.

   Finally, click Finish.