[389-users] Specifying failover configuration servers

Ryan Braun [ADS] ryan.braun at ec.gc.ca
Thu Aug 13 20:34:00 UTC 2009


On August 13, 2009 07:03:29 pm Rich Megginson wrote:
> Ryan Braun [ADS] wrote:
> > In my testing lab,  I have setup 2 servers using MMR replicating both
> > userroot and netscaperoot.  All replication is working between the 2
> > servers.  My 3rd server,  a consumer read-only replica of userroot, I
> > registered to the first of the 2 MMR servers.  My question,  is how do I
> > configure the slave server to be able to contact the second (or any
> > other) MMR server to get its admin server configs automatically if the
> > first server ever goes boom?  Eventually we will have 4 MMR servers,  2
> > groups of 2 with ip takeover style HA, for example
> >
> > westldap.example.com (virtual ip)
> > westldap0.example.com
> > westldap1.example.com
> > eastldap.example.com (virtual ip)
> > eastldap0.example.com
> > eastldap1.example.com
> >
> > On the slave server,  adm.conf looks like so (with host specific details
> > replaced).  Would I just add another ldapurl option?
>
> No, unfortunately it's not that smart.  Unfortunately, failover is
> manual.  Please file a bugzilla to request failover.

filed.  https://bugzilla.redhat.com/show_bug.cgi?id=517413

>
> > And would the server be
> > smart enough to fail over to the next server listed?
> >
> > AdminDomain: example.com
> > sysuser: nobody
> > isie: cn=389 Administration Server, cn=Server Group,
> > cn=ywgsrvr4.example.com, ou=example.com, o=NetscapeRoot
> > SuiteSpotGroup: nogroup
> > sysgroup: nogroup
> > userdn: uid=admin, ou=Administrators, ou=TopologyManagement,
> > o=NetscapeRoot
> > ldapurl: ldap://srvr0.example.com:389/o=NetscapeRoot
> > SuiteSpotUserID: nobody
> > sie: cn=admin-serv-srvr4, cn=389 Administration Server, cn=Server Group,
> > cn=srvr4.example.com, ou=example.com, o=NetscapeRoot
> >
> >
> > Also,  on the slave server I found this in dse.ldif
> >
> > dn: cn=Pass Through Authentication,cn=plugins,cn=config
> > objectClass: top
> > objectClass: nsSlapdPlugin
> > objectClass: extensibleObject
> > cn: Pass Through Authentication
> > nsslapd-pluginPath: libpassthru-plugin
> > nsslapd-pluginInitfunc: passthruauth_init
> > nsslapd-pluginType: preoperation
> > nsslapd-pluginEnabled: on
> > nsslapd-plugin-depends-on-type: database
> > nsslapd-pluginarg0: ldap://srvr0.example.com:389/o=NetscapeRoot
> > nsslapd-pluginId: passthruauth
> > nsslapd-pluginVersion: 1.2.1
> > nsslapd-pluginVendor: Fedora Project
> > nsslapd-pluginDescription: pass through authentication plugin
> >
> > I am guessing this pass thru allows me to login to the admin server on
> > srvr0.example.com,  and then allow me access to the slave server.
>
> Not exactly.  This allows the uid=admin,....,o=NetscapeRoot user to
> login to servers that do not have o=NetscapeRoot, by passing through the
> credentials to the configuration DS (the server that has o=NetscapeRoot).

I'm guilty of a bad habit here: whenever I connect to the console (not very often), I use cn=directory manager. Does the above pass whichever user was authenticated by the console, or just the uid=admin user? For example, I
created another admin user

uid=TAdmin,ou=Administrators, ou=TopologyManagement, o=netscapeRoot

I log in to the console on srvr0 with uid=TAdmin, and I can open up the ds-console for the slave. When I click on the configuration tab, I get an error saying the user doesn't have permission to perform this operation. Only I don't see anything in either server's access logs about it failing, or in the admin server logs. Here is a snippet from srvr0: it binds successfully, then when I click on the config tab, it says no permission, asks for the password again, and does appear to bind successfully but again tells me I don't have permission.


[13/Aug/2009:20:08:11 +0000] conn=3 fd=64 slot=64 connection from x.x.x.x to x.x.x.x
[13/Aug/2009:20:08:11 +0000] conn=3 op=0 BIND dn="uid=tadmin,ou=Administrators, ou=TopologyManagement, o=netscapeRoot" method=128 version=3
[13/Aug/2009:20:08:11 +0000] conn=3 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=tadmin,ou=administrators,ou=topologymanagement,o=netscaperoot"
[13/Aug/2009:20:09:09 +0000] conn=3 op=1 BIND dn="uid=tadmin,ou=Administrators, ou=TopologyManagement, o=netscapeRoot" method=128 version=3
[13/Aug/2009:20:09:09 +0000] conn=3 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=tadmin,ou=administrators,ou=topologymanagement,o=netscaperoot"
[13/Aug/2009:20:09:29 +0000] conn=3 op=3 SRCH base="cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsslapd-security"
[13/Aug/2009:20:09:29 +0000] conn=3 op=3 RESULT err=0 tag=101 nentries=0 etime=0
[13/Aug/2009:20:09:29 +0000] conn=3 op=4 SRCH base="cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsslapd-port nsslapd-secureport nsslapd-lastmod nsslapd-readonly nsslapd-schemacheck nsslapd-referral"
[13/Aug/2009:20:09:29 +0000] conn=3 op=4 RESULT err=0 tag=101 nentries=0 etime=0
[13/Aug/2009:20:10:13 +0000] conn=3 op=6 BIND dn="uid=tadmin,ou=Administrators, ou=TopologyManagement, o=netscapeRoot" method=128 version=3
[13/Aug/2009:20:10:13 +0000] conn=3 op=6 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=tadmin,ou=administrators,ou=topologymanagement,o=netscaperoot"
[13/Aug/2009:20:10:13 +0000] conn=3 op=7 SRCH base="cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsslapd-port nsslapd-secureport nsslapd-lastmod nsslapd-readonly nsslapd-schemacheck nsslapd-referral"
[13/Aug/2009:20:10:14 +0000] conn=3 op=7 RESULT err=0 tag=101 nentries=0 etime=1

When I login to the console with the initial 

uid=Admin,ou=Administrators, ou=TopologyManagement, o=netscapeRoot

and fire up the ds-console for the slave,  it does work fine.  I can browse whatever I need, create items in cn=config etc.


> > If so,  I
> > would assume I would need an entry like this for each MMR server?  Would
> > I need a whole entry?  or just stack the nsslapd-pluginarg0 attribute
> > with all the servers ie
> >
> > dn: cn=Pass Through Authentication,cn=plugins,cn=config
> > objectClass: top
> > objectClass: nsSlapdPlugin
> > objectClass: extensibleObject
> > cn: Pass Through Authentication
> > nsslapd-pluginPath: libpassthru-plugin
> > nsslapd-pluginInitfunc: passthruauth_init
> > nsslapd-pluginType: preoperation
> > nsslapd-pluginEnabled: on
> > nsslapd-plugin-depends-on-type: database
> > nsslapd-pluginarg0: ldap://srvr0.example.com:389/o=NetscapeRoot
> > nsslapd-pluginarg0: ldap://srvr1.example.com:389/o=NetscapeRoot
> > nsslapd-pluginarg0: ldap://srvr.example.com:389/o=NetscapeRoot
>
> The attribute is not multi-valued like that.  There is a different
> syntax for specifying multiple host:port in an LDAP URL:
> ldap://srvr0.example.com:389 srvr1.example.com:389
> srvr.example.com:389/o=NetscapeRoot
>

OK, I'll give it a shot with the URL once I get the above sorted out.

Ryan
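The access-log snippet in the message above shows only successful BINDs and searches of cn=config that return err=0 with nentries=0, which is why the permission failure is invisible in it. The following is an added example, not code from the thread or from 389 DS: it pairs each BIND and SRCH in a 389 access log with its RESULT line, tracks which DN each connection is bound as, and flags base-scope searches of an entry that always exists (cn=config, the root DSE) that came back err=0 with no entries. For such an entry that combination cannot mean "not found"; it means the bound DN was not allowed to read it, because 389 filters out entries the ACIs deny instead of returning an error. The regexes, the `Finding` type and the `ALWAYS_PRESENT` heuristic are this example's own, and the sample log is constructed in the shape of the posted lines: conn=3 mirrors the TAdmin session from the message, while conn=4 (uid=admin, entry readable) and conn=5 (a failed bind) are added contrast cases.

```python
"""Added example (not code from the thread or from 389 DS): pair 389 DS
access-log requests with their RESULT lines and flag base-scope searches that
succeeded with zero entries against an entry that always exists.  389 answers
a search the ACIs forbid with err=0 and no entries rather than an error, so a
denied console action leaves only 'successful' lines behind.  The sample log
below is constructed in the shape of the lines posted in the thread."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OP_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<body>.*)$')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
SRCH_RE = re.compile(r'^SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d)')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+) tag=\d+ nentries=(?P<n>\d+)')
RESULT_DN_RE = re.compile(r' dn="(?P<dn>[^"]*)"')

# Entries every 389 instance has: a base search of one of these returning
# nothing cannot mean "not found", only "not readable by this bind DN".
ALWAYS_PRESENT = {"", "cn=config"}


@dataclass
class Finding:
    ts: str
    conn: str
    op: str
    kind: str                # bind_ok | bind_fail | search_ok | search_hidden
    detail: str
    bound_as: Optional[str]  # DN the connection was bound as (None = anonymous)


def analyze_access_log(lines: List[str]) -> List[Finding]:
    pending: Dict[Tuple[str, str], tuple] = {}  # (conn, op) -> parsed request
    bound: Dict[str, str] = {}                  # conn -> DN of last successful bind
    findings: List[Finding] = []
    for line in lines:
        m = OP_RE.match(line.strip())
        if not m:
            continue  # 'connection from' / 'closed' lines carry no op number
        conn, op, body = m["conn"], m["op"], m["body"]
        key = (conn, op)
        if body.startswith("BIND "):
            b = BIND_RE.match(body)
            if b:
                pending[key] = ("BIND", b["dn"])
        elif body.startswith("SRCH "):
            s = SRCH_RE.match(body)
            if s:
                pending[key] = ("SRCH", s["base"], int(s["scope"]))
        elif body.startswith("RESULT "):
            r = RESULT_RE.match(body)
            req = pending.pop(key, None)
            if not r or req is None:
                continue  # result of an op type we do not track (MOD, ADD, ...)
            err, n = int(r["err"]), int(r["n"])
            if req[0] == "BIND":
                if err == 0:
                    d = RESULT_DN_RE.search(body)  # RESULT carries the normalised DN
                    bound[conn] = d["dn"] if d else req[1].lower()
                    findings.append(Finding(m["ts"], conn, op, "bind_ok", req[1], bound[conn]))
                else:
                    bound.pop(conn, None)  # a failed bind leaves the connection anonymous
                    findings.append(Finding(m["ts"], conn, op, "bind_fail",
                                            f"err={err} dn={req[1]}", None))
            else:
                _, base, scope = req
                who = bound.get(conn)
                if err == 0 and n == 0 and scope == 0 and base.lower() in ALWAYS_PRESENT:
                    kind = "search_hidden"
                    detail = f"base search of {base!r} returned no entry: read denied by ACI"
                else:
                    kind = "search_ok"
                    detail = f"base={base!r} scope={scope} err={err} nentries={n}"
                findings.append(Finding(m["ts"], conn, op, kind, detail, who))
    return findings


def hidden_searches(findings: List[Finding]) -> List[Finding]:
    """Just the silent denials, the events the poster could not find in the log."""
    return [f for f in findings if f.kind == "search_hidden"]


# Constructed sample modelled on the thread's snippet (conn=3 mirrors the
# TAdmin session); conn=4 and conn=5 are added contrast cases.
SAMPLE_LOG = """\
[13/Aug/2009:20:08:11 +0000] conn=3 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1
[13/Aug/2009:20:08:11 +0000] conn=3 op=0 BIND dn="uid=tadmin,ou=Administrators, ou=TopologyManagement, o=netscapeRoot" method=128 version=3
[13/Aug/2009:20:08:11 +0000] conn=3 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=tadmin,ou=administrators,ou=topologymanagement,o=netscaperoot"
[13/Aug/2009:20:09:29 +0000] conn=3 op=3 SRCH base="cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsslapd-security"
[13/Aug/2009:20:09:29 +0000] conn=3 op=3 RESULT err=0 tag=101 nentries=0 etime=0
[13/Aug/2009:20:10:13 +0000] conn=4 op=0 BIND dn="uid=admin,ou=Administrators, ou=TopologyManagement, o=netscapeRoot" method=128 version=3
[13/Aug/2009:20:10:13 +0000] conn=4 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
[13/Aug/2009:20:10:14 +0000] conn=4 op=1 SRCH base="cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsslapd-security"
[13/Aug/2009:20:10:14 +0000] conn=4 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[13/Aug/2009:20:11:00 +0000] conn=5 op=0 BIND dn="uid=tadmin,ou=Administrators, ou=TopologyManagement, o=netscapeRoot" method=128 version=3
[13/Aug/2009:20:11:00 +0000] conn=5 op=0 RESULT err=49 tag=97 nentries=0 etime=0
"""

if __name__ == "__main__":
    for f in hidden_searches(analyze_access_log(SAMPLE_LOG.splitlines())):
        print(f"{f.ts} conn={f.conn} op={f.op} bound_as={f.bound_as}: {f.detail}")
```

Run against a real access log, the `search_hidden` findings give the bind DN and timestamp of each operation the ACIs silently refused, which is the evidence the server's own log never states outright. The heuristic is deliberately narrow: it only trusts err=0/nentries=0 as a denial for entries that are guaranteed to exist, since for any other base it could equally be a genuinely missing entry.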




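The space-separated multi-host form Rich gives for the LDAP URL, as an added example that is not code from the thread or from 389 DS: a parser for that syntax (several `host[:port]` tokens in the authority part of one attribute value, then the base DN as the path), its inverse for writing the attribute back, and an in-order reachability walk that returns the first host accepting a connection, which is the failover the multi-host form exists to provide. The hostnames are the thread's example.com names. `tcp_probe` and `first_reachable` are this example's own stand-in for the plug-in's internal behaviour, not the plug-in's code; the parser does not handle bracketed IPv6 literals or the optional tuning arguments the plug-in accepts after the URL.

```python
"""Added example (not from the thread or 389 DS): parse the space-separated
multi-host LDAP URL that 389 accepts in single-valued attributes such as
nsslapd-pluginarg0, and pick the first live host in listed order."""
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
HostPort = Tuple[str, int]


@dataclass(frozen=True)
class MultiHostLdapUrl:
    scheme: str
    hosts: List[HostPort]  # failover order: first entry is preferred
    base_dn: str


def parse_multihost_ldap_url(url: str) -> MultiHostLdapUrl:
    """Parse 'ldap://h0[:p] h1[:p] .../base' into scheme, hosts and base DN.

    The host list is whitespace separated inside ONE value, which is why
    stacking several nsslapd-pluginarg0 values does not work.
    """
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in DEFAULT_PORTS:
        raise ValueError(f"not an ldap:// or ldaps:// URL: {url!r}")
    authority, _, path = rest.partition("/")
    hosts: List[HostPort] = []
    for token in authority.split():
        host, colon, port = token.rpartition(":")
        if not colon:  # bare hostname: scheme default port
            host, port = token, str(DEFAULT_PORTS[scheme])
        if not host or not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError(f"bad host:port token {token!r} in {url!r}")
        hosts.append((host, int(port)))
    if not hosts:
        raise ValueError(f"no hosts in {url!r}")
    # Only the base DN matters here; drop any ?attrs?scope?filter tail an
    # RFC 4516 URL might carry.
    base_dn = path.split("?", 1)[0]
    return MultiHostLdapUrl(scheme, hosts, base_dn)


def format_multihost_ldap_url(scheme: str, hosts: List[HostPort], base_dn: str) -> str:
    """Inverse of the parser: one attribute value listing every host explicitly."""
    authority = " ".join(f"{h}:{p}" for h, p in hosts)
    return f"{scheme}://{authority}/{base_dn}"


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Reachability check used for real runs: can a TCP connection be opened?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def first_reachable(url: MultiHostLdapUrl,
                    probe: Callable[[str, int], bool] = tcp_probe) -> Optional[HostPort]:
    """Walk the hosts in listed order and return the first the probe accepts."""
    for host, port in url.hosts:
        if probe(host, port):
            return (host, port)
    return None


if __name__ == "__main__":
    u = parse_multihost_ldap_url(
        "ldap://srvr0.example.com:389 srvr1.example.com:389 srvr.example.com/o=NetscapeRoot")
    print(u)
    # Simulated outage of the first host: the second listed host is chosen.
    down = {"srvr0.example.com"}
    print(first_reachable(u, lambda h, p: h not in down))
```

One caveat the thread does not raise: every URL shown in it is plain `ldap://`. The pass-through bind forwards the admin user's password to the configuration DS as a simple bind, so with a cleartext URL it crosses the network unencrypted; an `ldaps://` URL (port 636 by default in the parser above) keeps that credential off the wire.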