General installation instructions#
Blitz Identity Provider installation generally proceeds in the order described below.
Tip
Depending on the operating system used, there are specifics on how to install the required environment. For convenience, follow express instructions.
Important
Before getting started with deployment, learn Blitz Identity Provider deployment architecture.
Step 1. JDK#
On the servers designated to install Blitz Identity Provider server software and Blitz Identity Provider admin console, you must install and configure JDK 11 according to the official documentation, using one of the following products:
OpenJDK 11;
Note
To install OpenJDK 11 in CentOS and RHEL, run the command:
sudo yum install java-11-openjdk-devel
Step 2. Memcached#
Attention
The memcached version must be 1.4.15 or higher. The memcached service must be installed on the servers intended for installing the Blitz Identity Provider services: blitz-console, blitz-idp, blitz-registration, blitz-recovery.
Run the command:
yum -y install memcached
After installation is complete, add the memcached service to the autorun and start the service:
systemctl enable memcached
systemctl start memcached
Important
The memcached service runs on port 11211. Make sure that this port is open on firewalls and can be used to connect between servers with Blitz Identity Provider services.
Step 3. DBMS#
Couchbase Server Installation
Couchbase Server installation guidelines are provided for CentOS 7 and RHEL 7.
You must install Couchbase Server on each of the servers allocated for DBMS installation according to the instructions. The Couchbase Server distribution package is available for download.
Important
In DEV/TEST environments, it is acceptable to install Couchbase Server on existing servers with Blitz Identity Provider, but in this case you have to take into account that Couchbase Server uses its own built-in Memcached service, and to avoid a conflict you need to adjust the Memcached ports used in Blitz Identity Provider and Couchbase Server.
Add the Couchbase Server service to the autorun and start the service:
systemctl enable couchbase-server
systemctl start couchbase-server
Check if the service is running by executing the command:
systemctl status couchbase-server
Initialize the Couchbase Server cluster on each server according to the instructions (the first server initializes the cluster, the other servers join it). All settings can be left as suggested by default, except that you need to set the full server name for each server in hostname. It is not recommended to use the IP address of the server as the server name.
On any of the hosts in the Couchbase Server cluster, run the script that prepares Couchbase Server for use by Blitz Identity Provider. The script is located in the couchbase directory in the resources.zip archive as part of the Blitz Identity Provider distribution kit. Copy the script to any server in the Couchbase Server cluster, go to the directory, and execute the script to create the buckets that will store Blitz Identity Provider information and the indexes for executing Blitz Identity Provider search queries in the database:
./cb_init.sh
During execution, the script prompts for the following values:
Couchbase Server URL - a string like http://<hostname>:8091, where hostname is the host name of the server from which the script is executed;
Couchbase Server administrator account login - set during cluster initialization in the previous step of the instructions;
Couchbase Server administrator account password - set during cluster initialization in the previous step of the instructions;
Couchbase Server account login for the Blitz Identity Provider service connection - created while the script runs;
Tip
It is recommended to name it blitz.
Couchbase Server account password for the Blitz Identity Provider application connection.
After running the script, make the following settings:
In the Couchbase Server administration console, set the number of data copies kept on different Couchbase instances. To do this, select each bucket in turn in the Buckets menu, click Edit, enable the Replicas setting and set the number of replicas. For a cluster of 3 servers it is recommended to set the number of replicas to 1. Then it is recommended to enable the Enable auto-failover setting in the Settings menu and set the Timeout value to 30 seconds (auto-failover works only if the DBMS cluster has at least 3 servers and bucket replication is configured).
PostgreSQL installation and configuration
Attention
PostgreSQL must be 9.6 or a later version.
PostgreSQL must be installed according to the instructions.
After installing PostgreSQL, run the scripts that prepare PostgreSQL for use by Blitz Identity Provider. The scripts are located in the postgres directory in the resources.zip archive as part of the Blitz Identity Provider distribution kit. Copy the scripts to the PostgreSQL server, go to the directory, and execute the following commands one by one:
su - postgres
createdb blitzdb
psql
CREATE USER blitz WITH ENCRYPTED PASSWORD 'set-your-pwd';
GRANT ALL PRIVILEGES ON DATABASE blitzdb TO blitz;
GRANT ALL ON ALL TABLES IN SCHEMA public TO blitz;
psql -d blitzdb -U blitz -f 000-SCRIPT000.sql
…
psql -d blitzdb -U blitz -f NNN-SCRIPTNNN.sql
Instead of set-your-pwd, insert the password that will be used to connect to PostgreSQL.
Instead of 000-SCRIPT000.sql … NNN-SCRIPTNNN.sql, insert the names of the scripts from the postgres/ddl directory of the resources.zip archive. For example:
psql -d blitzdb -U blitz -f 000-service-tasks.sql
psql -d blitzdb -U blitz -f 001-init-database.sql
psql -d blitzdb -U blitz -f 002-new_pp_columns.sql
psql -d blitzdb -U blitz -f 003-usd_id_table.sql
psql -d blitzdb -U blitz -f 004-usr_auth_table.sql
psql -d blitzdb -U blitz -f 005-usr_agt_table.sql
psql -d blitzdb -U blitz -f 006-usr_htp_hmc_alg.sql
psql -d blitzdb -U blitz -f 007-usr_atr_cfm.sql
psql -d blitzdb -U blitz -f 008-wak.sql
psql -d blitzdb -U blitz -f 009-fix_pp_column.sql
psql -d blitzdb -U blitz -f 010-add_usr_prp.sql
psql -d blitzdb -U blitz -f 011-pp_audit.sql
psql -d blitzdb -U blitz -f 012-geo_to_audit.sql
psql -d blitzdb -U blitz -f 013-tasks.sql
psql -d blitzdb -U blitz -f 014-sec_ch_ua.sql
psql -d blitzdb -U blitz -f 015-5.12.0.sql
psql -d blitzdb -U blitz -f 016-5.13.0.sql
psql -d blitzdb -U blitz -f 017-5.15.0.sql
psql -d blitzdb -U blitz -f 018-5.17.0.sql
psql -d blitzdb -U blitz -f 019-5.18.0.sql
psql -d blitzdb -U blitz -f 020-5.20.0.sql
psql -d blitzdb -U blitz -f 021-5.21.0.sql
psql -d blitzdb -U blitz -f 022-5.23.0.sql
psql -d blitzdb -U blitz -f 023-5.26.0.sql
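The list above passes the scripts to psql one at a time. The added script below is not part of the Blitz Identity Provider distribution; it applies a whole postgres/ddl directory in the same order, refuses to start if a number is missing from the sequence (a sign of an incomplete copy), and stops at the first SQL error, which a plain psql -f does not do because it continues past errors and exits 0. The NNN-<name>.sql naming comes from the list above; the BLITZ_DB, BLITZ_DB_USER and PSQL variables are this example's own.

```shell
#!/bin/sh
# Added example; not a script from the Blitz Identity Provider distribution.
# Applies the numbered DDL scripts from postgres/ddl in order and stops at the
# first failure. Assumptions (not from the page): scripts are named NNN-<name>.sql,
# the connection parameters come from BLITZ_DB / BLITZ_DB_USER (defaulting to the
# page's blitzdb / blitz), and PSQL may point at a wrapper for a dry run.

# List the NNN-*.sql files of a directory, one per line. The shell expands the
# glob in sorted order, which for zero-padded prefixes is the numeric order.
ddl_scripts() (
    cd "$1" || exit 1
    for f in [0-9][0-9][0-9]-*.sql; do
        [ -e "$f" ] && printf '%s\n' "$f"
    done
)

# Verify that the prefixes form a gap-free sequence starting at 000; a missing
# number usually means an incomplete copy of postgres/ddl, and applying the
# remaining scripts would leave the schema inconsistent.
ddl_check_sequence() (
    expected=0
    for f in $(ddl_scripts "$1"); do
        num=${f%%-*}                 # "007-usr_atr_cfm.sql" -> "007"
        num=${num#0}; num=${num#0}   # strip leading zeros so "007" is not read as octal
        if [ "$num" -ne "$expected" ]; then
            printf 'gap in DDL sequence: expected %03d, found %s\n' "$expected" "$f" >&2
            exit 1
        fi
        expected=$((expected + 1))
    done
    [ "$expected" -gt 0 ]            # at least one script must be present
)

# Apply every script in order. ON_ERROR_STOP=1 makes psql exit non-zero on the
# first SQL error instead of continuing past it, and the loop stops there.
ddl_apply() (
    dir=$1
    ddl_check_sequence "$dir" || exit 1
    for f in $(ddl_scripts "$dir"); do
        echo "applying $f"
        if ! ${PSQL:-psql} -v ON_ERROR_STOP=1 -d "${BLITZ_DB:-blitzdb}" \
                -U "${BLITZ_DB_USER:-blitz}" -f "$dir/$f"; then
            echo "failed at $f, stopping" >&2
            exit 1
        fi
    done
)

[ $# -gt 0 ] && ddl_apply "$1"
```

Run it as the postgres user with the unpacked postgres/ddl directory as the argument. Setting PSQL=echo prints the psql invocations instead of executing them, which is a cheap way to review the order before touching the database.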
After running the scripts, set up a database backup.
Step 4. RabbitMQ#
Optional
Installation of the RabbitMQ Queue server is optional and is required if the Queue server is to be used to pass events to adjacent systems or as a message broker.
You need to install RabbitMQ according to instructions.
Step 5. Blitz Identity Provider#
To install the blitz-console, blitz-idp, blitz-registration, and blitz-recovery services, use the unified blitz-5.X.X.bin installer.
Important
You can install the admin console on any server where the Blitz Identity Provider server is installed, but it is recommended that a separate administrative server be dedicated to the installation of the admin console. The JDK and memcached must be installed on the server beforehand.
To install the blitz-console, blitz-idp, blitz-registration, and blitz-recovery applications you need to:
Copy the blitz-5.X.X.bin file (for example, to the /tmp directory) from the Blitz Identity Provider distribution kit to the servers intended for installation.
Run the blitz-5.X.X.bin installer with the following start options:
-i – list of applications to be installed, separated by a space (for example, idp console registration recovery);
-j – the JAVA_HOME value, that is, the directory of the JDK installation.
It will be installed in the /usr/share/identityblitz directory.
cd /tmp
chmod +x blitz-5.X.X.bin
./blitz-5.X.X.bin -- -j /opt/oracle/jdk -i "idp console recovery registration"
Verifying archive integrity... 100% MD5 checksums are OK. All good.
Uncompressing Blitz IDP 100%
****************************************************************
Application blitz-registration installed
Application blitz-recovery installed
Application blitz-console installed
Application blitz-idp installed
****************************************************************
Create the blitz_param.txt file with the initial Blitz Identity Provider settings. The parameters common to both DBMS options are:
DOMAIN – external domain name where Blitz Identity Provider will be running;
ROOT_CONTEXT – URL path where Blitz Identity Provider will be running;
Note
If not specified, it will be /blitz by default.
ADMIN_USER_NAME – administrator account in Blitz Identity Provider;
Note
If not specified, it will be admin by default.
ADMIN_PASSWORD – password for the administrator account in Blitz Identity Provider;
KEYSTORE_PASSWORD – password for the key container that will be created during the installation;
Note
If the ADMIN_PASSWORD and KEYSTORE_PASSWORD parameters are not specified, these passwords are generated automatically and displayed as a result of the configuration script execution.
MEMCACHED_SERVERS – memcached server addresses;
DB_MODE – DBMS in use: CB for Couchbase Server or PG for PostgreSQL;
TRUSTED_SERVERS – addresses of the subnets of the servers with Blitz Identity Provider services (by default 127.0.0.1/32).
Parameters for Couchbase Server (DB_MODE=CB):
CB_NODES – addresses of the servers in the Couchbase Server DBMS;
CB_USERNAME – account name in the Couchbase Server DBMS (blitz by default);
CB_PASSWORD – account password in the Couchbase Server DBMS.
Example of blitz_param.txt for Couchbase Server:
DOMAIN=test
MEMCACHED_SERVERS="192.168.122.10 127.0.0.1"
DB_MODE=CB
CB_NODES="192.168.122.20 192.168.122.21 192.168.122.22"
CB_USERNAME=blitz
CB_PASSWORD=12ABcd45
Parameters for PostgreSQL (DB_MODE=PG):
PG_HOSTNAME – PostgreSQL DBMS address;
PG_DB_NAME – database name in the PostgreSQL DBMS;
Tip
It is recommended to set blitzdb.
PG_USER_NAME – account name in the PostgreSQL DBMS;
Tip
It is recommended to set blitz.
PG_USER_PASSWORD – account password in the PostgreSQL DBMS.
Example of blitz_param.txt for PostgreSQL:
DOMAIN=test
ROOT_CONTEXT=/blitz
MEMCACHED_SERVERS="127.0.0.1 192.168.122.96"
DB_MODE=PG
PG_HOSTNAME=192.168.122.20
PG_DB_NAME=blitzdb
PG_USERNAME=blitz
PG_PASSWORD=123456
TRUSTED_SERVERS="127.0.0.1/32 192.168.122.96/32 192.168.122.0/24"
ADMIN_USERNAME=admin1
ADMIN_PASSWORD=0123456789
KEYSTORE_PASSWORD=0123456789
Run the Blitz Identity Provider initial setup script with the correct path to the blitz_param.txt file:
/usr/share/identityblitz/blitz-console/bin/configure -f blitz_param.txt
The script will prepare the configuration files, generate and display the Blitz Identity Provider administrator login and password, and generate a password for the key container:
****************************************************************
Your instance is configured on domain: test.loc
The Administration Console available on addresses: http://testinstallation.local:9001/blitz/console
Administration user credentials of Console:
username - admin
password - 98aAB0D3f2
Your can change user credentials at file - /usr/share/identityblitz/blitz-config/credentials
Create keystore /usr/share/identityblitz/blitz-config/blitz-keystore.bks and generate:
- JWS(RSA256) keypair - jws_rs256_rsa_default
- AES(AES128) security key - jdbc
Generated password for keystore: BeEBcd2239
****************************************************************
Tip
If input errors were made when running the installer, so that the installation was performed with incorrect parameters, you can use the following command to delete the files that the installer created so that you can perform a clean installation again:
rm -rf /usr/share/identityblitz /etc/default/blitz-* /etc/blitz-* /var/log/identityblitz/ /lib/systemd/system/blitz-*
Add services to autorun on their respective servers and run them:
systemctl enable blitz-console
systemctl start blitz-console
systemctl enable blitz-idp
systemctl start blitz-idp
systemctl enable blitz-registration
systemctl start blitz-registration
systemctl enable blitz-recovery
systemctl start blitz-recovery
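The configure script takes blitz_param.txt as given, so it pays to check the file before running it. The added script below is not part of the installer. It checks the presence of DOMAIN and MEMCACHED_SERVERS, of CB_NODES when DB_MODE=CB and of PG_HOSTNAME and PG_DB_NAME when DB_MODE=PG (which keys are mandatory is this example's reading of the parameter list above, not a statement by the installer), that every TRUSTED_SERVERS entry is an IPv4 CIDR, and that explicitly set passwords are not trivially short. The 12-character minimum and the warning for anything wider than a /32 are this example's own policy; the password keys it looks at are the spellings that appear on this page (both PG_USER_PASSWORD and PG_PASSWORD occur above, so both are checked).

```shell
#!/bin/sh
# Added example; not part of the Blitz Identity Provider installer. Checks a
# blitz_param.txt before configure is run. Key names follow the parameter list
# on the page; the 12-character password minimum and the /32 expectation for
# TRUSTED_SERVERS are this example's own policy, not the product's.

# Print the value of KEY from FILE (first match), with surrounding quotes removed.
param_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1 \
        | sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/'
}

# Syntactic check for an IPv4 CIDR such as 192.168.122.96/32 (octet ranges are
# not validated; the point is to catch host names and bare addresses here).
is_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; prefix=${1#*/}
    case "$addr" in
        *.*.*.*.*|*[!0-9.]*|.*|*.|*..*|'') return 1 ;;
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ]
}

fail() { echo "ERROR: $*"; errors=$((errors + 1)); }
warn() { echo "WARN: $*"; }

# Report every problem found (one finding per line); return 1 if any ERROR.
param_check() (
    file=$1; errors=0
    [ -r "$file" ] || { echo "ERROR: cannot read $file"; exit 1; }
    [ -n "$(param_get "$file" DOMAIN)" ] || fail "DOMAIN is required"
    [ -n "$(param_get "$file" MEMCACHED_SERVERS)" ] || fail "MEMCACHED_SERVERS is required"
    mode=$(param_get "$file" DB_MODE)
    case "$mode" in
        CB) [ -n "$(param_get "$file" CB_NODES)" ] || fail "CB_NODES is required when DB_MODE=CB" ;;
        PG) for k in PG_HOSTNAME PG_DB_NAME; do
                [ -n "$(param_get "$file" "$k")" ] || fail "$k is required when DB_MODE=PG"
            done ;;
        *)  fail "DB_MODE must be CB or PG (got '${mode:-<empty>}')" ;;
    esac
    # Every entry must be a CIDR; anything wider than one host admits more than
    # the Blitz nodes the page describes, so flag it for review.
    trusted=$(param_get "$file" TRUSTED_SERVERS)
    for cidr in ${trusted:-127.0.0.1/32}; do
        if is_cidr "$cidr"; then
            [ "${cidr#*/}" -eq 32 ] || warn "TRUSTED_SERVERS entry $cidr covers a whole range"
        else
            fail "TRUSTED_SERVERS entry '$cidr' is not an IPv4 CIDR"
        fi
    done
    # Passwords given explicitly (instead of being generated) should not be trivial.
    for k in ADMIN_PASSWORD KEYSTORE_PASSWORD CB_PASSWORD PG_USER_PASSWORD PG_PASSWORD; do
        pw=$(param_get "$file" "$k")
        [ -z "$pw" ] || [ "${#pw}" -ge 12 ] || warn "$k is shorter than 12 characters"
    done
    [ "$errors" -eq 0 ]
)

[ $# -gt 0 ] && param_check "$1"
```

Run against the PostgreSQL example above, the script warns about the 192.168.122.0/24 entry and about PG_PASSWORD, ADMIN_PASSWORD and KEYSTORE_PASSWORD, and exits 0 because nothing is structurally wrong; a misspelt DB_MODE or a host name in TRUSTED_SERVERS makes it exit 1.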
Step 6. Configuration files synchronization#
Only for installation in a cluster
When you deploy Blitz Identity Provider in a cluster, you must configure synchronization of configuration between Blitz Identity Provider cluster servers:
Actions to take on the Blitz Identity Provider admin console server
Install rsync and incron:
sudo yum install rsync incron
Switch to the blitz user:
sudo su - blitz
Generate an ssh-key with the command (it is recommended to choose the default answers for all the prompts by the utility):
ssh-keygen
Read and save the public ssh-key for future use:
cat /usr/share/identityblitz/.ssh/id_rsa.pub
Open the incrontab settings:
incrontab -e
In the opened editor window, insert the following:
/usr/share/identityblitz/blitz-config IN_MODIFY,IN_ATTRIB,IN_CREATE,IN_DELETE,IN_CLOSE_WRITE /usr/share/identityblitz/scripts/config_sync.sh ./ $# $%
/usr/share/identityblitz/blitz-config/assets IN_MODIFY,IN_ATTRIB,IN_CREATE,IN_DELETE,IN_CLOSE_WRITE /usr/share/identityblitz/scripts/config_sync.sh assets $# $%
/usr/share/identityblitz/blitz-config/assets/services IN_MODIFY,IN_ATTRIB,IN_CREATE,IN_DELETE,IN_CLOSE_WRITE /usr/share/identityblitz/scripts/config_sync.sh assets $# $%
/usr/share/identityblitz/blitz-config/assets/themes IN_MODIFY,IN_ATTRIB,IN_CREATE,IN_DELETE,IN_CLOSE_WRITE /usr/share/identityblitz/scripts/config_sync.sh assets $# $%
/usr/share/identityblitz/blitz-config/apps IN_MODIFY,IN_ATTRIB,IN_CREATE,IN_DELETE,IN_CLOSE_WRITE /usr/share/identityblitz/scripts/config_sync.sh apps $# $%
/usr/share/identityblitz/blitz-config/saml IN_MODIFY,IN_ATTRIB,IN_CREATE,IN_DELETE,IN_CLOSE_WRITE /usr/share/identityblitz/scripts/config_sync.sh saml $# $%
/usr/share/identityblitz/blitz-config/saml/conf IN_MODIFY,IN_ATTRIB,IN_CREATE,IN_DELETE,IN_CLOSE_WRITE /usr/share/identityblitz/scripts/config_sync.sh saml $# $%
/usr/share/identityblitz/blitz-config/saml/credentials IN_MODIFY,IN_ATTRIB,IN_CREATE,IN_DELETE,IN_CLOSE_WRITE /usr/share/identityblitz/scripts/config_sync.sh saml $# $%
/usr/share/identityblitz/blitz-config/saml/metadata IN_MODIFY,IN_ATTRIB,IN_CREATE,IN_DELETE,IN_CLOSE_WRITE /usr/share/identityblitz/scripts/config_sync.sh saml $# $%
/usr/share/identityblitz/blitz-config/custom_messages IN_MODIFY,IN_ATTRIB,IN_CREATE,IN_DELETE,IN_CLOSE_WRITE /usr/share/identityblitz/scripts/config_sync.sh custom_messages $# $%
/usr/share/identityblitz/blitz-config/custom_messages/dics IN_MODIFY,IN_ATTRIB,IN_CREATE,IN_DELETE,IN_CLOSE_WRITE /usr/share/identityblitz/scripts/config_sync.sh custom_messages $# $%
/usr/share/identityblitz/blitz-config/devices IN_MODIFY,IN_ATTRIB,IN_CREATE,IN_DELETE,IN_CLOSE_WRITE /usr/share/identityblitz/scripts/config_sync.sh devices $# $%
/usr/share/identityblitz/blitz-config/simple IN_MODIFY,IN_ATTRIB,IN_CREATE,IN_DELETE,IN_CLOSE_WRITE /usr/share/identityblitz/scripts/config_sync.sh simple $# $%
/usr/share/identityblitz/blitz-config/certs IN_MODIFY,IN_ATTRIB,IN_CREATE,IN_DELETE,IN_CLOSE_WRITE /usr/share/identityblitz/scripts/config_sync.sh certs $# $%
/usr/share/identityblitz/blitz-config/flows/login IN_MODIFY,IN_ATTRIB,IN_CREATE,IN_DELETE,IN_CLOSE_WRITE /usr/share/identityblitz/scripts/config_sync.sh flows $# $%
/usr/share/identityblitz/blitz-config/flows/reg IN_MODIFY,IN_ATTRIB,IN_CREATE,IN_DELETE,IN_CLOSE_WRITE /usr/share/identityblitz/scripts/config_sync.sh flows $# $%
/usr/share/identityblitz/blitz-config/flows/extIdps IN_MODIFY,IN_ATTRIB,IN_CREATE,IN_DELETE,IN_CLOSE_WRITE /usr/share/identityblitz/scripts/config_sync.sh flows $# $%
/usr/share/identityblitz/blitz-config/token_exchange IN_MODIFY,IN_ATTRIB,IN_CREATE,IN_DELETE,IN_CLOSE_WRITE /usr/share/identityblitz/scripts/config_sync.sh token_exchange $# $%
/usr/share/identityblitz/blitz-config/token_exchange/rules IN_MODIFY,IN_ATTRIB,IN_CREATE,IN_DELETE,IN_CLOSE_WRITE /usr/share/identityblitz/scripts/config_sync.sh token_exchange $# $%
Create the file /usr/share/identityblitz/scripts/config_sync.sh and paste the script into it:
#!/bin/bash
# directory whose subdirectories are pushed to the other nodes
app_dir=/usr/share/identityblitz/blitz-config
# space-separated hostnames of the other Blitz nodes
node_list="NODES_LIST"
# $1 is the subdirectory name passed from the incrontab entry
for node in ${node_list}; do
    rsync -r -a --delete "${app_dir}/${1}" "${USER}@${node}:${app_dir}"
done
As the value of node_list, instead of NODES_LIST, enter the list of hostnames of the Blitz cluster nodes (except the Blitz Console node), separated by spaces. For example:
node_list="app1.local app2.local"
Make the file /usr/share/identityblitz/scripts/config_sync.sh executable:
chmod +x /usr/share/identityblitz/scripts/config_sync.sh
Enable and start incrond by executing the following commands as root:
systemctl enable incrond
systemctl start incrond
Actions to take on the other Blitz Identity Provider servers
Install rsync:
sudo yum install rsync
Switch to the blitz user:
sudo su - blitz
Run the following commands:
mkdir .ssh
touch .ssh/authorized_keys
chmod 700 .ssh
chmod 640 .ssh/authorized_keys
Open the .ssh/authorized_keys file with any editor, such as vim, and paste the public ssh-key previously obtained from the Blitz Console server.
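The config_sync.sh above runs rsync for each node in turn and reports nothing when a node is unreachable, so a node that is down during an edit silently keeps stale configuration. The added script below is not the distribution's config_sync.sh; it keeps the same rsync --delete fan-out and takes the same subdirectory argument from the incrontab entries, but rejects an argument that would point outside blitz-config, carries on past a failed node, and exits non-zero naming the nodes that were not updated so the failure is visible when the script is run by hand or its stderr is captured. APP_DIR, NODE_LIST and RSYNC are this example's variable names, and the node names are constructed.

```shell
#!/bin/sh
# Added example; not the config_sync.sh shipped with Blitz Identity Provider.
# Same rsync fan-out as the page's script, with path checking and per-node
# failure reporting. APP_DIR and the node list follow the page; RSYNC may be
# pointed at a wrapper for testing.

APP_DIR=${APP_DIR:-/usr/share/identityblitz/blitz-config}
NODE_LIST=${NODE_LIST:-"app1.local app2.local"}   # constructed example hostnames
RSYNC=${RSYNC:-rsync}

# incron passes the watched subdirectory name ("saml", "./", ...); reject anything
# that would escape APP_DIR, since the argument becomes an rsync source path.
safe_subdir() {
    case "$1" in
        ''|/*|*..*|*[!A-Za-z0-9_./-]*) return 1 ;;
    esac
    return 0
}

# Push one subdirectory to every node; keep going after a failed node, report
# the failures on stderr, and return 1 if any node could not be updated.
sync_subdir() (
    sub=$1; failed=""
    safe_subdir "$sub" || { echo "config_sync: refusing path '$sub'" >&2; exit 2; }
    for node in $NODE_LIST; do
        if ! $RSYNC -a --delete "${APP_DIR}/${sub}" "${USER:-$(id -un)}@${node}:${APP_DIR}"; then
            failed="$failed $node"
        fi
    done
    [ -z "$failed" ] || { echo "config_sync: not updated:$failed" >&2; exit 1; }
)

[ $# -gt 0 ] && sync_subdir "$1"
```

The incrontab lines above can call this script in place of config_sync.sh without changes to their arguments; -a already implies -r, so the original -r is dropped.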
Step 7. Web Server#
It is recommended to use nginx or HAProxy as a web server.
nginx
A sample configuration file for nginx is included in the Blitz Identity Provider distribution package: the blitz-idp.conf file from the nginx directory in the resources.zip archive. Adjust the following configuration blocks, then upload the file to the server with nginx (the /etc/nginx/conf.d directory):
Adjust the balancing settings block:
upstream blitz-idp {
server [BLITZ-IDP-NODE-01]:9000 max_fails=3 fail_timeout=120;
server [BLITZ-IDP-NODE-02]:9000 max_fails=3 fail_timeout=120;
}
upstream blitz-reg {
server [BLITZ-REG-NODE-01]:9002 max_fails=3 fail_timeout=120;
server [BLITZ-REG-NODE-02]:9002 max_fails=3 fail_timeout=120;
}
upstream blitz-rec {
server [BLITZ-REC-NODE-01]:9003 max_fails=3 fail_timeout=120;
server [BLITZ-REC-NODE-02]:9003 max_fails=3 fail_timeout=120;
}
upstream blitz-console {
server [BLITZ-CONSOLE-NODE-01]:9001 max_fails=3 fail_timeout=120;
}
The parameters have the following designations:
[BLITZ-%%%-NODE-XX] - names (hostname) of the servers with Blitz Identity Provider services (blitz-idp, blitz-registration, blitz-recovery);
[BLITZ-CONSOLE-NODE-01] - the name (hostname) of the server with Blitz Console.
Correct the block of TLS termination settings:
ssl_certificate [BLITZ-SSL-CERT-FILE];
ssl_certificate_key [BLITZ-SSL-PRIVATEKEY-FILE];
The parameters have the following designations:
[BLITZ-SSL-CERT-FILE] - path (full name) to the file with the TLS server certificate;
[BLITZ-SSL-PRIVATEKEY-FILE] - path (full name) to the file with the TLS server key.
Note that Blitz Identity Provider ignores the X-Forwarded-Proto https header if the X-Forwarded-For header set by nginx contains more than one IP address, as happens, for example, with:
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
In this case, it is recommended to use the following directive value:
proxy_set_header X-Forwarded-For $client_ip;
Here client_ip is calculated using map. The first value from the list is taken:
map $http_x_forwarded_for $client_ip {
default $remote_addr;
"~(?<IP>([0-9]{1,3}\.){3}[0-9]{1,3})*" $IP;
"~(?<IP>([0-9]{1,3}\.){3}[0-9]{1,3}),.*" $IP;
}
Copy the static_errors folder with the server error page files to the /usr/share/nginx/html folder on the nginx server. The files with examples of error pages can be found in the Blitz Identity Provider distribution kit: the static_errors folder in the resources.zip archive.
HAProxy
A sample configuration file for HAProxy is included in the Blitz Identity Provider distribution package: the haproxy.cfg file from the haproxy directory in the resources.zip archive. The configuration file is designed for HAProxy version 2.2+, since it uses the http-errors, errorfile and errorfiles directives to replace the default error pages with those from the Blitz Identity Provider distribution.
Attention
What limits the use of HAProxy is that, unlike nginx, it does not serve static content. Images, favicon, etc. must be loaded from a separate server. This can be done using the acl is-blitz-static rule, the use_backend blitz-static if is-blitz-static rule and the backend blitz-static section.
The global block defines system parameters (the user on whose behalf the process is executed, logging parameters, permitted encryption algorithms, etc.).
The defaults section defines general parameters for the sections that follow it.
The frontend section defines the rules for processing incoming requests.
The backend section describes the servers to which requests will be forwarded.
Of primary interest are the backend sections with active checks included:
Run the balancing algorithm:
balance roundrobin
Enable backend HTTP checks:
option httpchk
Open a new connection:
http-check connect
Send a GET request to User profile:
http-check send meth GET uri /blitz/profile hdr Host rocky8
Check the blc session cookie setting:
http-check expect hdr name set-cookie value -m beg "blc="
Check for redirect:
http-check expect status 303
Entries for each application server will appear. The server check interval is 5 seconds. In the case of two errors in a row, mark a server as unavailable. After the first successful check, mark it as available.
Monitor error flow at l7 level. If more than 10 errors occur, mark a server as unavailable. If the health-check is successful, mark it as available.
Enter into balancing gradually in 10 seconds:
server blitz-idp-local 127.0.0.1:9000 check inter 5s rise 1 fall 2 observe layer7 error-limit 10 on-error mark-down slowstart 10s
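The http-check lines above are HAProxy's definition of a healthy node; when a node keeps flapping it helps to run the same probe by hand and see which of the two conditions fails. The added shell below (not part of the haproxy.cfg sample or the Blitz Identity Provider documentation) classifies a raw HTTP response by those conditions and wraps a curl request with the same path and Host header; port 9000 and /blitz/profile are taken from the page, the function names and the sample responses are this example's own.

```shell
#!/bin/sh
# Added example; not from the HAProxy sample configuration or the Blitz
# Identity Provider documentation. Evaluates a raw HTTP response against the
# same two conditions the http-check rules use (status 303, Set-Cookie
# beginning with "blc="), so a single node can be probed by hand and the
# failing condition named.

# Exit status: 0 = healthy, 1 = status line is not 303, 2 = no Set-Cookie
# header whose value begins with "blc=".
check_idp_response() (
    response=$(printf '%s\n' "$1" | tr -d '\r')   # tolerate CRLF line endings
    status=$(printf '%s\n' "$response" | head -n 1 | cut -d' ' -f2)
    [ "$status" = 303 ] || exit 1
    printf '%s\n' "$response" | grep -i '^set-cookie:[[:space:]]*blc=' >/dev/null || exit 2
    exit 0
)

# Human-readable name for a check_idp_response exit status.
idp_check_reason() {
    case "$1" in
        0) echo "healthy: 303 redirect with blc session cookie" ;;
        1) echo "unhealthy: expected HTTP 303" ;;
        2) echo "unhealthy: no Set-Cookie beginning with blc=" ;;
        *) echo "unknown result $1" ;;
    esac
}

# Send the request HAProxy sends (GET /blitz/profile with the configured Host
# header) to one node on the page's port 9000 and classify the reply. Needs
# curl and network access, so it is not exercised by the tests.
probe_idp_node() {
    node=$1; host_header=$2
    reply=$(curl -s -i --max-time 5 -H "Host: $host_header" "http://$node:9000/blitz/profile") || return 3
    check_idp_response "$reply"
    idp_check_reason $?
}
```

probe_idp_node 127.0.0.1 rocky8 reproduces the page's check against the local blitz-idp; a reply classified as 1 usually means the profile page answered directly instead of redirecting to login, and 2 means the redirect came back without the session cookie.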
Step 8. LDAP directory#
Optional
If you need to deploy a new LDAP directory, it is recommended that you use 389 Directory Server, which is included with the OS, as your LDAP directory:
Execute the installation commands:
yum install 389-ds-base 389-adminutil 389-admin 389-admin-console 389-console 389-ds-console
yum install xauth
Set the limits according to the 389 Directory Server recommendations:
echo "fs.file-max = 64000" >> /etc/sysctl.conf
echo "* soft nofile 8192" >> /etc/security/limits.conf
echo "* hard nofile 8192" >> /etc/security/limits.conf
echo "ulimit -n 8192" >> /etc/profile
Initialize the LDAP directory. Answer the installer’s questions:
setup-ds-admin.pl
After installation is complete, add the LDAP directory to the autorun and start the service:
systemctl enable dirsrv.target
systemctl start dirsrv.target
After installing 389 Directory Server, configure it to prepare it for use in conjunction with Blitz Identity Provider. To do this:
Copy the LDAP configuration scripts from the Blitz Identity Provider distribution kit (the ldap folder in the resources.zip archive) to the LDAP server.
Execute the initial configuration script ldap_init.sh. The script will create the sub branch for storing users and the service user reader, configure user access rights and the password policy (a perpetual password for the service user), and create the blitz-schema class with the attributes uid, mail, mobile, n, name:
chmod +x ldap_init.sh
./ldap_init.sh
Run the TLS configuration script on the LDAP server (the script creates a copy of the current NSS DB, then creates a new NSS DB, certificates, and a pin.txt file so that the server can start without entering a password):
chmod +x ldap_ssl.sh
./ldap_ssl.sh
After running the script restart the LDAP directory:
systemctl restart dirsrv.target
If you need to configure and enable global password policies in LDAP, adjust and execute the ldap_pwdpolicy.sh script:
chmod +x ldap_pwdpolicy.sh
./ldap_pwdpolicy.sh
If you want to create additional attributes:
prepare a text file in which, on each line, write the name of the attribute to be created (i.e. a text file with a column of attributes to be created);
run the script to create additional attributes, answer its prompts:
chmod +x ldap_add_attr.sh
./ldap_add_attr.sh
edit the text file at /etc/dirsrv/slapd-<instance name>/schema/99user.ldif and add the new attributes to the objectclass named blitz-schema in the MAY section;
restart the LDAP directory to apply the changes to the directory schema:
systemctl restart dirsrv.target