[Fedora-directory-users] Setting up fault tolerant mesh of FDS servers - just checking I have got it right!
Rich Megginson
rmeggins at redhat.com
Fri Feb 29 15:37:02 UTC 2008
Howard Wilkinson wrote:
> Fedora-ds-1.1.1 on Fedora 7 + (the + is back ports from 8/9, all of
> the updates applied, and additional packages I have cross ported)
>
> I have succeeded in getting a fault tolerant mesh configured that
> consists of 2 or more Multi-Master servers, a number of Hub (0+) and a
> number of consumers (0+).
>
> I have done this by modifying mmr.pl to accept --host1_role and
> --host2_role parameters which can be set to supplier, hub, or consumer.
>
> For all of the usual DCROOTs, i.e. not o=NetscapeRoot, I set the
> relationships up as implied, i.e. supplier<->supplier for the
> Multi-Master Hosts, supplier<->hub, hub<->consumer.
> Where the site is too small for hub servers I have gone
> supplier<->consumer direct. Inter-site topology and hub grouping
> within sites is left as an exercise for the reader (me when it comes
> back to bite me...)
>
> For the o=Netscape I have chosen to use supplier<->supplier
> relationships but to apply the same topology.
>
> The sequence of events is:
>
> * On first Master
>
> 1. Install clean environment - erase rpms, delete residual
> files, install rpms, patch dirsrv-admin startup to work!
> 2. Run setup-ds-admin.pl in silent mode, this adds schema
> files. The inf file has SlapdConfigMC=1, UseExistingMC=0
> and points ConfigDirectoryLdapURL to this host.
> 3. Set up SSL certs using certutil commands and openssl
> supplied certificates from our CA.
> 4. Restart dirsrv and dirsrv-admin
> 5. Create 2nd and subsequent DCROOTs with default ACIs and
> "standard" container entries
> 6. Preload data into DCROOTS for users and other objects
> being migrated.
>
> * On other servers - doing other masters first, followed by hubs
> and then consumers - carry out steps 1-5 above, creating the
> o=NetscapeRoot DCROOT as well.
> o The inf file has SlapdConfigMC=1, UseExistingMC=1 and
> points ConfigDirectoryLdapUrl to the first Master
> * Then run the mmr.pl script on each connection for each DCROOT
> starting with replicating the first master to all other masters,
> then to hubs, then other masters to hubs and finally hubs to
> consumers.
> 1. For o=NetscapeRoot run mmr.pl as supplier<->supplier,
> otherwise honor the role played by each server.
> 2. Replace entries in cn=UserDirectory, ou=Global
> Preferences, ou=<localdomain>, o=NetscapeRoot for
> nsDirectoryFailoverList with one for each server other
> than the first master which is mentioned in the
> nsDirectoryURL entry in the same object. *Is this the
> right sort of thing to do?*
>
Yes.
>
> 3. On every host alter the cn=Pass Through
> Authentication,cn=plugins,cn=config object to have
> nssslapd-pluginarg0 to reference that host rather than the
> first master. *Is this correct on the consumers (or hubs)?*
>
Yes. Note that you can specify failover in pass through auth by using a
special form of the ldap url. See http://tinyurl.com/32kjqy
>
> 4. I am assuming that this is for authentication not for
> password modification purposes!
>
Right.
>
> 5. Which brings up the question of where in the consumers and
> hubs do I put referrals to the Master(s)?
>
They are automatically set by the replication protocol. You should not
have to do anything. If you attempt to modify a hub or consumer, your
client should get LDAP Error 10 and a referral to a master.
>
> 6. Edit adm.conf on each host to change the ldapurl to point
> to the local host.
>
> Now assuming that this was the right thing to do I now need to set up
> referrals for writing to the system from the consumers and hubs back
> to the "site" masters. Where do I put this information?
>
> I am also getting these errors logged on the first master!
>
> Feb 28 22:00:35 bastion ns-slapd: auxpropfunc error invalid parameter
> supplied
> Feb 28 22:00:35 bastion ns-slapd: sql_select option missing
> Feb 28 22:00:35 bastion ns-slapd: auxpropfunc error no mechanism available
I think you can ignore these.
>
> These are appearing about every 15 minutes. Anybody any idea where
> these are coming from?
I'm not sure, but the directory server does not support SASL auxprop
with sql.
>
> Finally, the shutdown time for the dirsrv servers on the suppliers is
> extremely long (on the order of minutes); what could be causing this?
Are they under load while shutting down? Can you post the shutdown
sequence from the error log?
>
> --
> Howard Wilkinson
> Coherent Technology Limited
> 23 Northampton Square, United Kingdom, EC1V 0HL
> Phone: +44(20)76907075
> Mobile: +44(7980)639379
> Email: howard at cohtech.com
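A small validator for the pass-through auth plugin argument discussed in this thread, added here as an example; it is not code from the thread or from Fedora DS. It assumes the argument syntax documented for the plugin, ldap[s]://host1[:port] [host2[:port] ...]/subtree maxconns,maxops,timeout,ldver,connlifetime, with failover expressed by listing more than one host, and assumes default ports of 389/636; the hostnames in it are constructed.

```python
# Added example (not code from this thread or from Fedora DS): parse and sanity-check
# the pass-through auth plugin argument (nsslapd-pluginarg0 under
# cn=Pass Through Authentication,cn=plugins,cn=config).
# Assumed syntax, taken from the plugin documentation rather than from this page:
#   ldap[s]://host1[:port] [host2[:port] ...]/subtree maxconns,maxops,timeout,ldver,connlifetime
# Failover is expressed by listing more than one host, separated by spaces.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

PTA_RE = re.compile(r"^(ldaps?)://([^/]+)/(.+?)(?: (\d+),(\d+),(\d+),(\d+),(\d+))?$")

@dataclass
class PtaArg:
    scheme: str
    hosts: List[Tuple[str, int]]          # authenticating servers, in failover order
    subtree: str                          # subtree whose binds are passed through
    options: Optional[Tuple[int, ...]]    # maxconns, maxops, timeout, ldver, connlifetime

def parse_pta_arg(arg: str) -> PtaArg:
    m = PTA_RE.match(arg.strip())
    if not m:
        raise ValueError("not a pass-through auth plugin argument: %r" % arg)
    scheme, hostlist, subtree, *opts = m.groups()
    default_port = 636 if scheme == "ldaps" else 389   # assumed defaults
    hosts = []
    for token in hostlist.split():
        host, _, port = token.partition(":")
        hosts.append((host.lower(), int(port) if port else default_port))
    options = tuple(int(o) for o in opts) if opts[0] is not None else None
    return PtaArg(scheme, hosts, subtree, options)

def check_pta_arg(arg: str, local_host: str) -> List[str]:
    """Findings a reviewer would raise before trusting this value on a given host."""
    p = parse_pta_arg(arg)
    findings = []
    if p.scheme != "ldaps":
        # the bind password travels to the authenticating server on this connection
        findings.append("plain ldap://: the forwarded bind credentials are not protected")
    if len(p.hosts) < 2:
        findings.append("only one authenticating host listed: no failover")
    if p.hosts[0][0] != local_host.lower():
        # the thread's step: each host should point at itself, not at the first master
        findings.append("first host is %s, not this host (%s)" % (p.hosts[0][0], local_host))
    if p.options is None:
        findings.append("connection options omitted: plugin defaults apply")
    return findings
```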