[389-users] Re: Introduction & few notes

2019-08-19 Thread Nicolas Kovacs
On 20/08/2019 at 02:22, William Brown wrote:
> 
> Hello fellow Australian! 

Austria, not Australia. No kangaroos here. :o)

> 
> As for the setup - you may notice the Centos7 doesn't match the port389 
> quickstart as those tools are part of 1.4.x. Today you can get those through:
> 
> * Fedora
> * Centos8/RHEL8
> * OpenSUSE LEAP + network:ldap repository.

I'm heavily biased towards CentOS, since this is what I use on all my
servers. I published two books about CentOS in France, and I'm currently
busy writing the third.

https://www.microlinux.fr/administration-linux-par-la-pratique-tome-1/

https://www.microlinux.fr/tag/centos/

> 
> I'm biased as I work for SUSE so I would advise you to use OpenSUSE and leap, 
> but the other developers are from Red Hat and they do wonderful work on the 
> project as well. The SUSE repo has the benefit that network:ldap updates with 
> "upstream" but supports multiple opensuse versions so you'll always get the 
> "right packages". It tends to update within 24hours of upstream security 
> releases etc. 

I'm using OpenSUSE Leap 15.1 KDE on all my desktops - and those of my
clients. Our local school is 100 % OpenSUSE & CentOS.

https://www.microlinux.fr/tag/opensuse/

Cheers,

Niki

-- 
Microlinux - Sustainable IT solutions
7, place de l'église - 30730 Montpezat
Website: https://www.microlinux.fr
Mail: i...@microlinux.fr
Tel.: 04 66 63 10 32
Mob.: 06 51 80 12 12
___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org


[389-users] Re: Introduction & few notes

2019-08-19 Thread Nicolas Kovacs
On 19/08/2019 at 11:24, Marc Muehlfeld wrote:
> If you are interested in single sign-on, automount, etc., FreeIPA (aka
> "Identity Management" in Red Hat) might be interesting for you.

FreeIPA is a bit dependency-heavy. I gave it a spin a few years back,
and it draws in a whole kitchen sink of dependencies.

I prefer learning to use the basic tools and then combine them as needed.

Cheers,

Niki

-- 
Microlinux - Sustainable IT solutions
7, place de l'église - 30730 Montpezat
Website: https://www.microlinux.fr
Mail: i...@microlinux.fr
Tel.: 04 66 63 10 32
Mob.: 06 51 80 12 12


[389-users] Re: Introduction & few notes

2019-08-19 Thread William Brown


> On 19 Aug 2019, at 17:59, Nicolas Kovacs  wrote:
> 
> Hi,
> 
> I'm new to this list, so let me introduce myself. I'm a 52-year old
> Austrian living in South France, and I'm the manager of a small IT
> company with a focus on Linux and Open Source Software.

Hello fellow Australian! 

> 
> I'm the system administrator of our local school, where I have setup a
> small 100 % GNU/Linux network consisting of two servers running CentOS 7
> and 20 desktop clients running OpenSUSE Leap 15.1.
> 
> Currently the network uses a bone-headed single-sign-on configuration
> based on NIS and NFS. I'm well aware of the potential flaws of this
> setup, and I intend to replace it. In the past I've tried to wrap my
> head around LDAP, but I bluntly admit I failed miserably every time.
> 
> I just read the "Single Sign On" chapter in the fine "Unix & Linux
> System Administration Handbook", which states 389 Directory Server as a
> preferable alternative to the plain OpenLDAP server.
> 
> I have three sandbox machines in my office and some time to experiment,
> and I've even managed so far to install 389 DS on one of these machines
> using the online documentation and various tutorials.
> 
> First things first. I'm a new user, so I checked out the project page at
> https://www.port389.org/. I clicked on "Get started with a new
> install"... and got stuck since the documentation doesn't work on my
> system (CentOS 7).
> 
>  * https://www.port389.org/docs/389ds/howto/quickstart.html
> 
> Eventually I figured out that Red Hat DS has a working documentation,
> although I felt a bit like someone looking for a recipe for pasta
> bolognese and getting a full-blown online course in food biochemistry.
> 
> The QuickStart page sports a link "If you want to learn more about what
> ldap is, you should read our “ldap concepts” guide." So I clicked on
> that but unfortunately the link is dead. I admit I have yet to find a
> comprehensive introduction to LDAP that is suitable for folks like me
> with an IQ below 200.

No problem! Have a look at the following:

https://fy.blackhats.net.au/blog/html/pages/ldap_guide_part_1_foundations.html

The guide chapters continue on the "left" of the page.

As for the setup - you may notice the Centos7 doesn't match the port389 
quickstart as those tools are part of 1.4.x. Today you can get those through:

* Fedora
* Centos8/RHEL8
* OpenSUSE LEAP + network:ldap repository.

I'm biased as I work for SUSE so I would advise you to use OpenSUSE and leap, 
but the other developers are from Red Hat and they do wonderful work on the 
project as well. The SUSE repo has the benefit that network:ldap updates with 
"upstream" but supports multiple opensuse versions so you'll always get the 
"right packages". It tends to update within 24 hours of upstream security 
releases etc. 

As Marc suggested you could use FreeIPA as well, but it's a bit heavy and 
brings in a lot more, so assess it and determine what works for you.

We are also happy to take feedback and help extend our tooling to support extra 
use cases if you have them, so please stay in contact with the project! 

> 
> Any suggestions ?
> 
> Cheers from the sunny South of France,

G'day from Australia - and cheers mate :) 

—
Sincerely,

William Brown

Senior Software Engineer, 389 Directory Server
SUSE Labs


[389-users] Re: Introduction & few notes

2019-08-19 Thread Chris Motta
Hi Nicolas,
I'm a newbie to 389 DS as well, but I've installed it on my CentOS 7
systems, and it's working well. I'm not sure it helps, and I'd like more
experienced people to wave me off if anything I suggest is bad, but I did
the following:

Installed the following packages via yum:
389-admin.x86_64           1.1.46-1.el7         @epel
389-admin-console.noarch   1.1.12-1.el7         @epel
389-adminutil.x86_64       1.1.22-2.el7         @epel
389-console.noarch         1.1.19-5.el7         @epel
389-ds-base.x86_64         1.3.8.4-25.1.el7_6   @updates
389-ds-base-libs.x86_64    1.3.8.4-25.1.el7_6   @updates
389-ds-console.noarch      1.2.16-1.el7         @epel

Once installed, I ran the following setup scripts:
/usr/sbin/setup-ds-admin.pl  /usr/sbin/setup-ds.pl

I used defaults for almost everything except my domain name and hostname.

To verify things are working, I brought up:
  /usr/bin/389-console  (make sure you've set your $DISPLAY variable to
your X environment)

I used that to configure groups and users. It is reasonably
self-explanatory. I'd recommend doing groups before users. When you create
a user or group, make sure you also set the Posix items as well for UNIX.
(The Posix section has the UNIX uid and gid settings.)

To make sure LDAP is running properly, at any time for a client, you can
run: ldapsearch -x

You should get all the information that is in the database that way.

To get the clients to use the new LDAP server, I ran:

authconfig --enableldap --enableldapauth --ldapserver=
--ldapbasedn="dc=example,dc=com" --enablemkhomedir --update

Note that for the system that is running the 389 DS instance, I substituted
localhost for the IP address I used for the other clients.

I am not running TLS ATM, but will set that up in the near future.

Hope this helps

jcm

On Mon, Aug 19, 2019 at 3:48 AM Marc Muehlfeld 
wrote:

> Hi Nicolas,
>
>
> On 8/19/19 9:59 AM, Nicolas Kovacs wrote:
> > Currently the network uses a bone-headed single-sign-on configuration
> > based on NIS and NFS. I'm well aware of the potential flaws of this
> > setup, and I intend to replace it. In the past I've tried to wrap my
> > head around LDAP, but I bluntly admit I failed miserably every time.
> >
> > I just read the "Single Sign On" chapter in the fine "Unix & Linux
> > System Administration Handbook", which states 389 Directory Server
> > as a preferable alternative to the plain OpenLDAP server.
>
> If you are interested in single sign-on, automount, etc., FreeIPA (aka
> "Identity Management" in Red Hat) might be interesting for you.
>
> FreeIPA uses 389 Directory Server as database, but you usually don't get
> in touch with the LDAP server directly. You can manage FreeIPA using the
> command line and browser, and a lot of things are automated or at least
> should be easier than configuring everything manually.
>
> These are the Identity Management docs for RHEL 7:
> * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/
> * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/system-level_authentication_guide/
> * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/
> (maybe not relevant for your use case)
>
> > I have three sandbox machines in my office and some time to experiment,
> > and I've even managed so far to install 389 DS on one of these machines
> > using the online documentation and various tutorials.
> >
> > First things first. I'm a new user, so I checked out the project page at
> > https://www.port389.org/. I clicked on "Get started with a new
> > install"... and got stuck since the documentation doesn't work on my
> > system (CentOS 7).
> >
> >* https://www.port389.org/docs/389ds/howto/quickstart.html
> >
> > Eventually I figured out that Red Hat DS has a working documentation,
> > although I felt a bit like someone looking for a recipe for pasta
> > bolognese and getting a full-blown online course in food biochemistry.
>
> If you use CentOS, the Red Hat Directory Server guides should work.
> Additionally, they are frequently updated.
>
> https://access.redhat.com/documentation/en-us/red_hat_directory_server/
>
> I understand that the docs contain a lot of information, which could be
> overwhelming if you are new to LDAP. If you have any suggestion what we
> can improve, please let me know (or open a ticket:
> https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Directory%20Server)
>
> > The QuickStart page sports a link "If you want to learn more about what
> > ldap is, you should read our “ldap concepts” guide." So I clicked on
> > that but unfortunately the link is dead. I admit I have yet to find a
> > comprehensive introduction to LDAP that is suitable for folks like me
> > with an IQ below 200.
>
> It's not a short 
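Chris's recipe above checks the server with an anonymous `ldapsearch -x` and relies on the Posix uid/gid being set for each account in 389-console. The following is an added example, not code from this thread or from the 389 project: it parses a dump in the shape `ldapsearch -x` prints (the sample entries below are constructed, not taken from anyone's server), reports posixAccount entries that lack the RFC 2307 attributes a client needs, and flags any entry whose userPassword came back to an anonymous read, which would mean the directory's access controls are more permissive than intended.

```python
import base64

# Constructed sample in the shape `ldapsearch -x -b dc=example,dc=com` prints (not
# from any real server): alice is complete, bob lacks POSIX attributes and leaks a hash.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alice
cn: Alice Example
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/alice

dn: uid=bob,ou=People,
 dc=example,dc=com
objectClass: posixAccount
uid: bob
cn: Bob Example
uidNumber: 1002
userPassword:: e1NTSEF9eA==
"""
# Attributes a posixAccount entry must carry (RFC 2307) for a client to use it.
POSIX_REQUIRED = ("uid", "cn", "uidNumber", "gidNumber", "homeDirectory")

def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts, one per entry."""
    unfolded = text.replace("\n ", "")  # rejoin folded continuation lines
    entries = []
    for block in unfolded.split("\n\n"):  # entries are separated by a blank line
        entry = {}
        for raw in block.splitlines():
            if not raw or raw.startswith("#"):  # skip blanks and ldapsearch comments
                continue
            name, _, value = raw.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode()
            entry.setdefault(name, []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def posix_gaps(entries):
    """Map each posixAccount DN to the required attributes it is missing."""
    return {e["dn"][0]: [a for a in POSIX_REQUIRED if a not in e]
            for e in entries if "posixAccount" in e.get("objectClass", [])
            and any(a not in e for a in POSIX_REQUIRED)}

def exposed_passwords(entries):
    """DNs whose userPassword was returned to an anonymous (-x) search."""
    return [e["dn"][0] for e in entries if "userPassword" in e]
```

In practice, pipe `ldapsearch -x -b <your base DN>` into `parse_ldif` instead of the constructed sample; an empty result from `exposed_passwords` and from `posix_gaps` is what you want to see before pointing clients at the server.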

[389-users] Re: Introduction & few notes

2019-08-19 Thread Marc Muehlfeld

Hi Nicolas,


On 8/19/19 9:59 AM, Nicolas Kovacs wrote:

> Currently the network uses a bone-headed single-sign-on configuration
> based on NIS and NFS. I'm well aware of the potential flaws of this
> setup, and I intend to replace it. In the past I've tried to wrap my
> head around LDAP, but I bluntly admit I failed miserably every time.
>
> I just read the "Single Sign On" chapter in the fine "Unix & Linux
> System Administration Handbook", which states 389 Directory Server
> as a preferable alternative to the plain OpenLDAP server.

If you are interested in single sign-on, automount, etc., FreeIPA (aka 
"Identity Management" in Red Hat) might be interesting for you.


FreeIPA uses 389 Directory Server as database, but you usually don't get 
in touch with the LDAP server directly. You can manage FreeIPA using the 
command line and browser, and a lot of things are automated or at least 
should be easier than configuring everything manually.


These are the Identity Management docs for RHEL 7:
* https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/
* https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/system-level_authentication_guide/
* https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/
(maybe not relevant for your use case)

> I have three sandbox machines in my office and some time to experiment,
> and I've even managed so far to install 389 DS on one of these machines
> using the online documentation and various tutorials.
>
> First things first. I'm a new user, so I checked out the project page at
> https://www.port389.org/. I clicked on "Get started with a new
> install"... and got stuck since the documentation doesn't work on my
> system (CentOS 7).
>
>    * https://www.port389.org/docs/389ds/howto/quickstart.html
>
> Eventually I figured out that Red Hat DS has a working documentation,
> although I felt a bit like someone looking for a recipe for pasta
> bolognese and getting a full-blown online course in food biochemistry.

If you use CentOS, the Red Hat Directory Server guides should work. 
Additionally, they are frequently updated.


https://access.redhat.com/documentation/en-us/red_hat_directory_server/

I understand that the docs contain a lot of information, which could be 
overwhelming if you are new to LDAP. If you have any suggestion what we 
can improve, please let me know (or open a ticket: 
https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Directory%20Server)

> The QuickStart page sports a link "If you want to learn more about what
> ldap is, you should read our “ldap concepts” guide." So I clicked on
> that but unfortunately the link is dead. I admit I have yet to find a
> comprehensive introduction to LDAP that is suitable for folks like me
> with an IQ below 200.

It's not a short introduction, but the RHDS Deployment Guide could maybe 
answer some of your general questions about LDAP:

https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/deployment_guide/


Regards,
Marc



--
Marc Muehlfeld (Senior Technical Writer)
Customer Content Services
___
Red Hat GmbH, Werner-von-Siemens-Ring 14, 85630 Grasbrunn, Germany
http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael O'Neill,
Tom Savage, Eric Shander