[389-users] Specifying failover configuration servers

Rich Megginson rmeggins at redhat.com
Thu Aug 13 19:03:29 UTC 2009


Ryan Braun [ADS] wrote:
> In my testing lab, I have set up 2 servers using MMR replicating both userroot 
> and netscaperoot. All replication is working between the 2 servers. My 3rd 
> server, a consumer read-only replica of userroot, I registered to the first 
> of the 2 MMR servers. My question is, how do I configure the slave server 
> to be able to contact the second (or any other) MMR server to get its admin 
> server configs automatically if the first server ever goes boom? Eventually 
> we will have 4 MMR servers, 2 groups of 2 with IP takeover style HA, for 
> example
>
> westldap.example.com (virtual ip)
> westldap0.example.com
> westldap1.example.com
> eastldap.example.com (virtual ip)
> eastldap0.example.com
> eastldap1.example.com
>
> On the slave server, adm.conf looks like so (with host specific details 
> replaced).  Would I just add another ldapurl option?
No, unfortunately it's not that smart.  Unfortunately, failover is 
manual.  Please file a bugzilla to request failover.
> And would the server be 
> smart enough to fail over to the next server listed?
>
> AdminDomain: example.com
> sysuser: nobody
> isie: cn=389 Administration Server, cn=Server Group, cn=ywgsrvr4.example.com, ou=example.com, o=NetscapeRoot
> SuiteSpotGroup: nogroup
> sysgroup: nogroup
> userdn: uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot
> ldapurl: ldap://srvr0.example.com:389/o=NetscapeRoot
> SuiteSpotUserID: nobody
> sie: cn=admin-serv-srvr4, cn=389 Administration Server, cn=Server Group, cn=srvr4.example.com, ou=example.com, o=NetscapeRoot
>
>
> Also, on the slave server I found this in dse.ldif
>
> dn: cn=Pass Through Authentication,cn=plugins,cn=config
> objectClass: top
> objectClass: nsSlapdPlugin
> objectClass: extensibleObject
> cn: Pass Through Authentication
> nsslapd-pluginPath: libpassthru-plugin
> nsslapd-pluginInitfunc: passthruauth_init
> nsslapd-pluginType: preoperation
> nsslapd-pluginEnabled: on
> nsslapd-plugin-depends-on-type: database
> nsslapd-pluginarg0: ldap://srvr0.example.com:389/o=NetscapeRoot
> nsslapd-pluginId: passthruauth
> nsslapd-pluginVersion: 1.2.1
> nsslapd-pluginVendor: Fedora Project
> nsslapd-pluginDescription: pass through authentication plugin
>
> I am guessing this pass through allows me to log in to the admin server on 
> srvr0.example.com, and then allows me access to the slave server.
Not exactly.  This allows the uid=admin,....,o=NetscapeRoot user to 
log in to servers that do not have o=NetscapeRoot, by passing through the 
credentials to the configuration DS (the server that has o=NetscapeRoot).
> If so, I 
> would assume I would need an entry like this for each MMR server? Would I 
> need a whole entry, or just stack the nsslapd-pluginarg0 attribute with all 
> the servers, i.e.
>
> dn: cn=Pass Through Authentication,cn=plugins,cn=config
> objectClass: top
> objectClass: nsSlapdPlugin
> objectClass: extensibleObject
> cn: Pass Through Authentication
> nsslapd-pluginPath: libpassthru-plugin
> nsslapd-pluginInitfunc: passthruauth_init
> nsslapd-pluginType: preoperation
> nsslapd-pluginEnabled: on
> nsslapd-plugin-depends-on-type: database
> nsslapd-pluginarg0: ldap://srvr0.example.com:389/o=NetscapeRoot
> nsslapd-pluginarg0: ldap://srvr1.example.com:389/o=NetscapeRoot
> nsslapd-pluginarg0: ldap://srvr.example.com:389/o=NetscapeRoot
>   
The attribute is not multi-valued like that.  There is a different 
syntax for specifying multiple host:port in an LDAP URL:
ldap://srvr0.example.com:389 srvr1.example.com:389 srvr.example.com:389/o=NetscapeRoot
> nsslapd-pluginId: passthruauth
> nsslapd-pluginVersion: 1.2.1
> nsslapd-pluginVendor: Fedora Project
> nsslapd-pluginDescription: pass through authentication plugin
>
> All servers are running Debian etch|lenny with the following versions
> ii  port389-admin      1.1.8  Fedora Administration Server (admin)
> ii  port389-adminutil  1.1.8  Utility library for directory server adminis
> ii  port389-base       1.2.1  Fedora Directory Server (base)
>
>
> Thanks
>
> Ryan
>   
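
Added example, not part of the original message or of the 389 project's code: a small Python check that finds the stacked `nsslapd-pluginarg0` values proposed in the question and rewrites them into the single space-separated host:port URL described in the reply. The function names and the trimmed sample entry are constructed for illustration, and LDIF line folding is assumed not to be in use.

```python
import re

# Constructed sample: the stacked form proposed in the question (trimmed).
SAMPLE_ENTRY = """\
dn: cn=Pass Through Authentication,cn=plugins,cn=config
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: ldap://srvr0.example.com:389/o=NetscapeRoot
nsslapd-pluginarg0: ldap://srvr1.example.com:389/o=NetscapeRoot
nsslapd-pluginarg0: ldap://srvr.example.com:389/o=NetscapeRoot
"""

# scheme://<one or more space-separated host:port>/<subtree>
URL_RE = re.compile(r"^(ldaps?)://([^/]+)/(.+)$", re.IGNORECASE)


def parse_pta_url(value):
    """Split a pass-through URL into (scheme, [host:port, ...], subtree)."""
    m = URL_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a pass-through LDAP URL: {value!r}")
    scheme, hosts, subtree = m.groups()
    return scheme.lower(), hosts.split(), subtree


def merge_stacked_args(ldif_text, attr="nsslapd-pluginarg0"):
    """Collapse repeated values of one plugin argument into one failover URL."""
    prefix = attr.lower() + ":"
    values = [line.split(":", 1)[1] for line in ldif_text.splitlines()
              if line.lower().startswith(prefix)]
    if not values:
        raise ValueError(f"no {attr} values found")
    parsed = [parse_pta_url(v) for v in values]
    scheme, _, subtree = parsed[0]
    for other_scheme, _, other_subtree in parsed[1:]:
        # Hosts can only share one URL if scheme and subtree are identical.
        if other_scheme != scheme or other_subtree.lower() != subtree.lower():
            raise ValueError("values differ in scheme or subtree; cannot merge")
    hosts = []
    for _, entry_hosts, _ in parsed:
        for host in entry_hosts:
            if host not in hosts:  # keep first-seen order, drop duplicates
                hosts.append(host)
    return f"{scheme}://{' '.join(hosts)}/{subtree}"


if __name__ == "__main__":
    print(f"nsslapd-pluginarg0: {merge_stacked_args(SAMPLE_ENTRY)}")
```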
