[389-users] Specifying failover configuration servers
Rich Megginson
rmeggins at redhat.com
Thu Aug 13 19:03:29 UTC 2009
Ryan Braun [ADS] wrote:
> In my testing lab, I have set up 2 servers using MMR replicating both userroot
> and netscaperoot. All replication is working between the 2 servers. My 3rd
> server, a consumer read-only replica of userroot, I registered to the first
> of the 2 MMR servers. My question is, how do I configure the slave server
> to be able to contact the second (or any other) MMR server to get its admin
> server configs automatically if the first server ever goes boom? Eventually
> we will have 4 MMR servers, 2 groups of 2 with ip takeover style HA, for
> example
>
> westldap.example.com (virtual ip)
> westldap0.example.com
> westldap1.example.com
> eastldap.example.com (virtual ip)
> eastldap0.example.com
> eastldap1.example.com
>
> On the slave server, adm.conf looks like so (with host specific details
> replaced). Would I just add another ldapurl option?
No, unfortunately it's not that smart. Unfortunately, failover is
manual. Please file a bugzilla to request failover.
> And would the server be
> smart enough to fail over to the next server listed?
>
> AdminDomain: example.com
> sysuser: nobody
> isie: cn=389 Administration Server, cn=Server Group, cn=ywgsrvr4.example.com,
> ou=example.com, o=NetscapeRoot
> SuiteSpotGroup: nogroup
> sysgroup: nogroup
> userdn: uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot
> ldapurl: ldap://srvr0.example.com:389/o=NetscapeRoot
> SuiteSpotUserID: nobody
> sie: cn=admin-serv-srvr4, cn=389 Administration Server, cn=Server Group,
> cn=srvr4.example.com, ou=example.com, o=NetscapeRoot
>
>
> Also, on the slave server I found this in dse.ldif
>
> dn: cn=Pass Through Authentication,cn=plugins,cn=config
> objectClass: top
> objectClass: nsSlapdPlugin
> objectClass: extensibleObject
> cn: Pass Through Authentication
> nsslapd-pluginPath: libpassthru-plugin
> nsslapd-pluginInitfunc: passthruauth_init
> nsslapd-pluginType: preoperation
> nsslapd-pluginEnabled: on
> nsslapd-plugin-depends-on-type: database
> nsslapd-pluginarg0: ldap://srvr0.example.com:389/o=NetscapeRoot
> nsslapd-pluginId: passthruauth
> nsslapd-pluginVersion: 1.2.1
> nsslapd-pluginVendor: Fedora Project
> nsslapd-pluginDescription: pass through authentication plugin
>
> I am guessing this pass thru allows me to log in to the admin server on
> srvr0.example.com, and then allow me access to the slave server.
Not exactly. This allows the uid=admin,....,o=NetscapeRoot user to
log in to servers that do not have o=NetscapeRoot, by passing through the
credentials to the configuration DS (the server that has o=NetscapeRoot).
> If so, I
> would assume I would need an entry like this for each MMR server? Would I
> need a whole entry? or just stack the nsslapd-pluginarg0 attribute with all
> the servers ie
>
> dn: cn=Pass Through Authentication,cn=plugins,cn=config
> objectClass: top
> objectClass: nsSlapdPlugin
> objectClass: extensibleObject
> cn: Pass Through Authentication
> nsslapd-pluginPath: libpassthru-plugin
> nsslapd-pluginInitfunc: passthruauth_init
> nsslapd-pluginType: preoperation
> nsslapd-pluginEnabled: on
> nsslapd-plugin-depends-on-type: database
> nsslapd-pluginarg0: ldap://srvr0.example.com:389/o=NetscapeRoot
> nsslapd-pluginarg0: ldap://srvr1.example.com:389/o=NetscapeRoot
> nsslapd-pluginarg0: ldap://srvr.example.com:389/o=NetscapeRoot
>
The attribute is not multi-valued like that. There is a different
syntax for specifying multiple host:port in an LDAP URL:
ldap://srvr0.example.com:389 srvr1.example.com:389 srvr.example.com:389/o=NetscapeRoot
> nsslapd-pluginId: passthruauth
> nsslapd-pluginVersion: 1.2.1
> nsslapd-pluginVendor: Fedora Project
> nsslapd-pluginDescription: pass through authentication plugin
>
> All servers are running debian etch|lenny with the following versions
> ii port389-admin 1.1.8
> Fedora Administration Server (admin)
> ii port389-adminutil 1.1.8
> Utility library for directory server adminis
> ii port389-base 1.2.1
> Fedora Directory Server (base)
>
>
> Thanks
>
> Ryan
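Added example, not part of the original thread and not 389 project code: a small Python helper that takes a Pass Through Authentication entry written in the stacked form from the question (several `nsslapd-pluginarg0` values) and collapses it into the single multi-host URL form given in the reply. The function names `merge_pta_urls` and `rewrite_entry` are hypothetical, the sample entry is constructed from the thread, and the code assumes unfolded LDIF lines with hostname or IPv4 hosts.

```python
from urllib.parse import urlsplit

ATTR = "nsslapd-pluginarg0"
DEFAULT_PORT = {"ldap": 389, "ldaps": 636}

# Constructed sample: the stacked form proposed in the question (trimmed).
STACKED = """\
dn: cn=Pass Through Authentication,cn=plugins,cn=config
cn: Pass Through Authentication
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: ldap://srvr0.example.com:389/o=NetscapeRoot
nsslapd-pluginarg0: ldap://srvr1.example.com:389/o=NetscapeRoot
nsslapd-pluginarg0: ldap://srvr.example.com:389/o=NetscapeRoot
nsslapd-pluginId: passthruauth
"""

def merge_pta_urls(urls):
    """Fold single-host LDAP URLs into one 'scheme://h1:p h2:p/suffix' URL."""
    schemes, suffixes, hosts = set(), set(), []
    for url in urls:
        parts = urlsplit(url.strip())
        if parts.scheme not in DEFAULT_PORT or not parts.hostname:
            raise ValueError(f"not a single-host LDAP URL: {url!r}")
        schemes.add(parts.scheme)
        suffixes.add(parts.path.lstrip("/"))
        hostport = f"{parts.hostname}:{parts.port or DEFAULT_PORT[parts.scheme]}"
        if hostport not in hosts:          # keep listing order, drop repeats
            hosts.append(hostport)
    if len(schemes) != 1 or len(suffixes) != 1:
        raise ValueError("all URLs must share one scheme and one suffix")
    return f"{schemes.pop()}://{' '.join(hosts)}/{suffixes.pop()}"

def rewrite_entry(ldif):
    """Replace repeated nsslapd-pluginarg0 lines with one merged value."""
    out, urls, slot = [], [], None
    for line in ldif.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == ATTR:
            if slot is None:               # remember where the first one sat
                slot = len(out)
                out.append(line)
            urls.append(value.strip())
        else:
            out.append(line)
    if slot is not None:
        out[slot] = f"{ATTR}: {merge_pta_urls(urls)}"
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(rewrite_entry(STACKED), end="")
```

The merge refuses URLs that disagree on scheme or suffix, so an `ldaps://` host cannot be silently folded into a cleartext `ldap://` list.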