Install and Configure 389 Directory Server on Linux with SSSD Authentication

  • Technical How To's
  • Install and Configure 389 Directory Server on Linux with SSSD Authentication

Introduction

389 Directory Server (also known as 389-ds) is a powerful, open-source LDAP server developed by the Fedora Project. It provides centralized identity and authentication services for enterprise systems, including support for replication, access control, and schema extensibility.

Installing 389-ds on a system that uses SSSD (System Security Services Daemon) can present unique challenges—particularly around group ID (GID) conflicts. This guide walks you through a successful 389-ds installation and configuration in such environments, based on a real-world scenario.

Prerequisites

Before starting, ensure your system meets the following:

  • A supported Linux distribution (Fedora, RHEL, CentOS, Rocky Linux, AlmaLinux)
  • Root or sudo access
  • DNS configured properly for your hostname
  • SSSD-enabled authentication environment (e.g., with LDAP or AD integration)

Step 1: Understand GID Conflicts with SSSD

When sssd is enabled, group and user information might be pulled from external identity sources (like LDAP or Active Directory). If you attempt to create a local group that overlaps with a remote GID, you may encounter this error:

groupadd: Can't get unique GID (no more available GIDs)

Even if a GID appears unused, SSSD might internally reserve it from a remote directory.

Step 2: Check Existing GIDs

Before installation, inspect used GIDs on your system:

getent group | awk -F: '{print $3}' | sort -n

And check your system’s GID allocation ranges:

grep GID_ /etc/login.defs

Look for:

SYS_GID_MIN 101
SYS_GID_MAX 999

If needed, adjust these values to increase the available range for system groups.

Step 3: Manually Create Users and Groups

If automatic group creation during installation fails, you can manually create the needed system user and group with a safe, unused GID:

sudo groupadd -g 2001 dirsrv
sudo useradd -u 2001 -g dirsrv -r -s /sbin/nologin -d /var/lib/dirsrv dirsrv

You can repeat this process for other expected system users/groups like weldr or _osbuild-composer, using different GIDs.

Step 4: Install 389-ds Using DNF/YUM

Once users/groups are in place:

sudo dnf install 389-ds-base

Or on older systems:

sudo yum install 389-ds-base

Then run the setup:

sudo dscreate interactive

This will guide you through configuring:

  • Instance name
  • LDAP Base DN (e.g., dc=example,dc=com)
  • Directory Manager password
  • Port configuration (389 for LDAP, 636 for LDAPS)

Step 5: Start and Enable the Service

sudo systemctl enable dirsrv.target
sudo systemctl start dirsrv.target

Check the status:

sudo systemctl status dirsrv.target

Step 6: Configure Firewall and SELinux (if enabled)

If using firewalld:

sudo firewall-cmd --permanent --add-port=389/tcp
sudo firewall-cmd --permanent --add-port=636/tcp
sudo firewall-cmd --reload

For SELinux, ensure the ports and policies allow LDAP services.

Step 7: Enable LDAPS (Optional but Recommended)

Generate or import SSL certificates, then enable LDAPS:

dsconf -D "cn=Directory Manager" ldap://localhost security \
    set --startTLS on --ldapsPort 636 --securePort on

Restart the service:

sudo systemctl restart dirsrv@instance-name

Replace instance-name with your configured DS instance.

Step 8: Post-Installation Tips

Access the Web Console (if installed):

https://your-hostname:9830

Login with cn=Directory Manager.

Backup

Use built-in tools:

dsconf -D "cn=Directory Manager" ldap://localhost backup create --offline /var/backups/dirsrv

Add Entries

You can add users and groups via ldapadd or through the Web UI:

ldapadd -x -D "cn=Directory Manager" -W -f new_user.ldif

Troubleshooting

“No more available GIDs” even if GID seems free?

  • Likely an SSSD conflict. GIDs in use by LDAP/AD (even if not visible via getent) may still block local creation.
  • Run sss_cache -G to refresh group cache or manually inspect your identity provider.

Logs

Check:

journalctl -u dirsrv@your-instance
/var/log/dirsrv/slapd-your-instance/errors

Conclusion

Installing 389 Directory Server in environments with SSSD authentication requires a careful approach to avoid group ID conflicts. By manually creating required users/groups and understanding how SSSD manages identity data, you can successfully deploy and configure a robust LDAP server for identity management, authentication, or application integration.

Frequently Asked Questions (FAQ)

🔐 Is 389-ds production-ready?

Yes, it’s used in many enterprise environments as a lightweight, scalable LDAP server.

🧰 Can I use 389-ds alongside Active Directory?

Yes, via synchronization or pass-through authentication, but setup requires careful planning.

🛡️ Is LDAPS required?

Not technically, but it’s highly recommended for secure communications.

This article is inspired by real-world challenges we tackle in our projects. If you're looking for expert solutions or need a team to bring your idea to life,

Let's talk!

    Please fill your details, and we will contact you back

    Related Posts

    In:

    Fixing the “BAD_AUTHENTICATION” Error in Android Apps Using Google Services

    In:

    How to Get the User’s Current Location and Display It on a Map in Angular

    In:

    How to Deploy a .NET Application from Visual Studio to a Linux Server

      Please fill your details, and we will contact you back