Free Online Course · Self-paced

389 Directory Server Tutorial: Complete Administration Guide

Learn 389 Directory Server administration from installation and instance creation to ACIs, TLS, plugins, password policies, LMDB tuning, backup, replication, monitoring, migration, and troubleshooting.

  • 38 parts
  • ~595 min total
  • Beginner to Advanced
  • Updated Jul 2026
Reviewed Deepak Prasad
389 Directory Server Tutorial: Complete Administration Guide
By Last updated

389 Directory Server is the upstream LDAP server behind Red Hat Directory Server and the directory component inside FreeIPA. Unlike distribution-specific guides that bury the product under Rocky Linux or RHEL packaging, this course teaches 389 Directory Server administration: instance lifecycle, backends, ACIs, plug-ins, replication, and client integration, using the official CLI tools that ship with the product.

Once the package is installed, the main administration interfaces belong to 389 Directory Server itself. dscreate provisions instances. dsctl handles local and offline instance operations such as status, backup, import, and restore. dsconf changes a running server's configuration over LDAP. dsidm manages directory data: users, groups, and organizational units. Optional Cockpit integration adds a browser console, but the CLI remains the baseline this course tests against. For general Linux tooling used alongside these guides, browse our Linux commands reference.

This is a product-focused 389 Directory Server course tested on selected Linux distributions. Core administration procedures apply to equivalent 389 Directory Server versions, while installation, service management, firewall, and security-framework commands may differ by distribution. We do not claim every procedure works identically everywhere because repository versions vary significantly.

If LDAP terminology is new, read LDAP and OpenLDAP basics in the OpenLDAP tutorial. If you are choosing between LDAP servers or migrating from OpenLDAP, read OpenLDAP vs 389 Directory Server. If you already run 389 Directory Server, jump to Install 389 Directory Server and the dscreate guides. Every article is self-contained. Each guide links back to this hub or to a conceptual prerequisite, but none assumes you began at lesson one.


Platform compatibility

389 Directory Server packages are available across multiple Linux families, although versions and packaging differ.

Platform family Installation method Core course status
RHEL family and Fedora dnf command Fully suitable
Debian and Ubuntu apt Suitable; package version may differ
SLES and supported openSUSE releases zypper Suitable where the package is available
Arch Linux pacman Suitable; generally newer upstream version
Containers Official 389 DS container image Separate deployment track
NOTE
SUSE documentation treats 389 Directory Server as its LDAP server and documents installation, instance setup, backup, TLS, and replication end to end. openSUSE Leap releases may differ. For example, openSUSE Leap 16 currently has no official 389-ds-base package listed. Check your distribution repositories before planning a lab.
IMPORTANT
This course assumes LMDB as the default backend for newly created instances on 389 Directory Server 3.x. Older installations may still run Berkeley DB. Backend migration is covered in a dedicated article. Do not assume BDB tuning guidance applies to LMDB instances without checking your version.

How the course is organized

Five sidebar groups split the published guides by task. Use the sidebar or the chapter cards below to jump to what you need.

Group Lessons What you will do
Installation & instance lifecycle 8 Architecture, package install, dscreate, multi-instance layouts, and dsctl / dsconf / dsidm references
Directory data & schema 8 Suffixes, users, groups, roles, CoS, entry moves, test data, custom schema, read-only modes
Advanced directory features 3 Referrals, database chaining, and directory views
TLS, certificates & authentication 9 LDAPS, ciphers, secure binds, client certificates, Kerberos, cert lifecycle, FIPS, attribute encryption, anonymous access
Password policy & access control 10 Hashing, password policy, lockout, account lifecycle, and the ACI track through Get Effective Rights

Command-reference guides (389-dscreate-inf-file, 389-dsconf-commands, 389-dsidm-commands) sit in the installation group because search intent often starts at the tool name. Additional groups (replication, monitoring, client integration, and troubleshooting) will appear in the sidebar as those guides are published.


Administration tools at a glance

Tool Scope Typical tasks
dscreate Instance provisioning Interactive or inf-file instance creation, backend selection
dsctl Local instance Start/stop, backup, restore, LDIF import/export, offline maintenance
dsconf Online configuration Listeners, replication agreements, indexes, plug-ins, logging
dsidm Directory data Users, groups, organizational units, password resets
Cockpit (cockpit-389-ds) Optional GUI Instance overview, entry browser, basic ACI editing

Version numbers appear in each article's tested-environment box, not in canonical URLs. When a command flag or default changed between 2.x and 3.x, the article calls it out inline.


References


[[FAQ]]

What you'll learn

  • Install 389 Directory Server on supported Linux distributions and create a production-style instance with dscreate
  • Operate instances with dsctl, dsconf, and dsidm for configuration, data, backup, and maintenance
  • Secure the directory with TLS, ACIs, SASL binds, and password policies
  • Tune LMDB backends, indexes, logging, and monitoring for day-two operations
  • Build supplier, consumer, and multi-supplier replication topologies
  • Integrate Linux clients and applications, and migrate data from OpenLDAP or local /etc/passwd sources

Prerequisites

  • One or more Linux VMs or containers for replication and client-integration labs
  • Root or [sudo command](/sudo-command-in-linux/) access on lab hosts
  • Basic command-line skills ([systemctl](/systemctl-command-in-linux/), firewall tools, text editing)
  • LDAP fundamentals — read [LDAP and OpenLDAP basics](/ldap-openldap-basics/) in the [OpenLDAP tutorial](/openldap-tutorial/) if DNs, suffixes, or schema are new

Syllabus

5 chapters · 38 lessons · ~595 min of reading

  1. 1 Installation & instance lifecycle 8 lessons
    1. Part 1 Architecture — instances, backends, plug-ins 13 min read
    2. Part 2 Install 389 Directory Server 20 min read
    3. Part 3 dscreate inf file reference 12 min read
    4. Part 4 Run multiple instances on one host 15 min read
    5. Part 5 Non-root instance (development) 11 min read
    6. Part 6 dsctl — local and offline operations 14 min read
    7. Part 7 dsconf — online configuration 13 min read
    8. Part 8 dsidm — users, groups, directory data 12 min read
  2. 2 Directory data & schema 8 lessons
    1. Part 9 Suffixes and backends 18 min read
    2. Part 10 Manage users and groups 14 min read
    3. Part 11 Roles vs groups 14 min read
    4. Part 12 Class of Service (CoS) 16 min read
    5. Part 13 Rename and move LDAP entries 15 min read
    6. Part 14 Generate test data with ldifgen 15 min read
    7. Part 15 Create custom schema 14 min read
    8. Part 16 Read-only databases and instances 7 min read
  3. 3 Advanced directory features 3 lessons
    1. Part 17 LDAP referrals 14 min read
    2. Part 18 Database chaining 15 min read
    3. Part 19 Directory views 11 min read
  4. 4 TLS, certificates & authentication 9 lessons
    1. Part 20 TLS, STARTTLS, and LDAPS 16 min read
    2. Part 21 TLS versions and cipher suites 17 min read
    3. Part 22 Require secure LDAP connections 16 min read
    4. Part 23 Client certificate authentication 16 min read
    5. Part 24 SASL GSSAPI and Kerberos 19 min read
    6. Part 25 Certificate management 26 min read
    7. Part 26 FIPS mode 21 min read
    8. Part 27 Attribute encryption 11 min read
    9. Part 28 Restrict anonymous access 14 min read
  5. 5 Password policy & access control 10 lessons
    1. Part 29 Password storage schemes 16 min read
    2. Part 30 Global, subtree, and user password policy 22 min read
    3. Part 31 Account lockout 14 min read
    4. Part 32 Disable and inactivate user accounts 17 min read
    5. Part 33 ACI examples 19 min read
    6. Part 34 Advanced ACI targets and bind rules 14 min read
    7. Part 35 Self-service password and profile ACIs 12 min read
    8. Part 36 Delegated administration 25 min read
    9. Part 37 Macro ACIs 17 min read
    10. Part 38 Get Effective Rights — test ACI permissions 20 min read
Deepak Prasad

R&D Engineer

Founder of GoLinuxCloud with more than 15 years of expertise in Linux, Python, Go, Laravel, DevOps, Kubernetes, Git, Shell scripting, OpenShift, AWS, Networking, and Security. With extensive …