[389-users] Specifying failover configuration servers
Ryan Braun [ADS]
ryan.braun at ec.gc.ca
Thu Aug 13 20:34:00 UTC 2009
On August 13, 2009 07:03:29 pm Rich Megginson wrote:
> Ryan Braun [ADS] wrote:
> > In my testing lab, I have set up 2 servers using MMR replicating both
> > userroot and netscaperoot. All replication is working between the 2
> > servers. My 3rd server, a consumer read-only replica of userroot, I
> > registered to the first of the 2 MMR servers. My question is, how do I
> > configure the slave server to be able to contact the second (or any
> > other) MMR server to get its admin server configs automatically if the
> > first server ever goes boom? Eventually we will have 4 MMR servers, 2
> > groups of 2 with IP takeover style HA, for example
> >
> > westldap.example.com (virtual ip)
> > westldap0.example.com
> > westldap1.example.com
> > eastldap.example.com (virtual ip)
> > eastldap0.example.com
> > eastldap1.example.com
> >
> > On the slave server, adm.conf looks like so (with host specific details
> > replaced). Would I just add another ldapurl option?
>
> No, unfortunately it's not that smart. Unfortunately, failover is
> manual. Please file a bugzilla to request failover.
Filed: https://bugzilla.redhat.com/show_bug.cgi?id=517413
>
> > And would the server be
> > smart enough to fail over to the next server listed?
> >
> > AdminDomain: example.com
> > sysuser: nobody
> > isie: cn=389 Administration Server, cn=Server Group,
> > cn=ywgsrvr4.example.com, ou=example.com, o=NetscapeRoot
> > SuiteSpotGroup: nogroup
> > sysgroup: nogroup
> > userdn: uid=admin, ou=Administrators, ou=TopologyManagement,
> > o=NetscapeRoot ldapurl: ldap://srvr0.example.com:389/o=NetscapeRoot
> > SuiteSpotUserID: nobody
> > sie: cn=admin-serv-srvr4, cn=389 Administration Server, cn=Server Group,
> > cn=srvr4.example.com, ou=example.com, o=NetscapeRoot
> >
> >
> > Also, on the slave server I found this in dse.ldif
> >
> > dn: cn=Pass Through Authentication,cn=plugins,cn=config
> > objectClass: top
> > objectClass: nsSlapdPlugin
> > objectClass: extensibleObject
> > cn: Pass Through Authentication
> > nsslapd-pluginPath: libpassthru-plugin
> > nsslapd-pluginInitfunc: passthruauth_init
> > nsslapd-pluginType: preoperation
> > nsslapd-pluginEnabled: on
> > nsslapd-plugin-depends-on-type: database
> > nsslapd-pluginarg0: ldap://srvr0.example.com:389/o=NetscapeRoot
> > nsslapd-pluginId: passthruauth
> > nsslapd-pluginVersion: 1.2.1
> > nsslapd-pluginVendor: Fedora Project
> > nsslapd-pluginDescription: pass through authentication plugin
> >
> > I am guessing this pass thru allows me to login to the admin server on
> > srvr0.example.com, and then allow me access to the slave server.
>
> Not exactly. This allows the uid=admin,....,o=NetscapeRoot user to
> login to servers that do not have o=NetscapeRoot, by passing through the
> credentials to the configuration DS (the server that has o=NetscapeRoot).
I'm guilty of a bad habit here: whenever I connect to the console (not very often), I use cn=directory manager. Does the above pass whichever user was authenticated by the console, or just the uid=admin user? For example, I created another admin user
uid=TAdmin,ou=Administrators, ou=TopologyManagement, o=netscapeRoot
I log in to the console on srvr0 with uid=TAdmin, and I can open up the ds-console for the slave. When I click on the configuration tab, I get an error saying the user doesn't have permission to perform this operation. Only I don't see anything in either server's access logs about it failing, or in the admin server logs. Here is a snippet from srvr0: it binds successfully, then when I click on the config tab, it says no permission, asks for the password again, and does appear to bind successfully but again tells me I don't have permission.
[13/Aug/2009:20:08:11 +0000] conn=3 fd=64 slot=64 connection from x.x.x.x to x.x.x.x
[13/Aug/2009:20:08:11 +0000] conn=3 op=0 BIND dn="uid=tadmin,ou=Administrators, ou=TopologyManagement, o=netscapeRoot" method=128 version=3
[13/Aug/2009:20:08:11 +0000] conn=3 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=tadmin,ou=administrators,ou=topologymanagement,o=netscaperoot"
[13/Aug/2009:20:09:09 +0000] conn=3 op=1 BIND dn="uid=tadmin,ou=Administrators, ou=TopologyManagement, o=netscapeRoot" method=128 version=3
[13/Aug/2009:20:09:09 +0000] conn=3 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=tadmin,ou=administrators,ou=topologymanagement,o=netscaperoot"
[13/Aug/2009:20:09:29 +0000] conn=3 op=3 SRCH base="cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsslapd-security"
[13/Aug/2009:20:09:29 +0000] conn=3 op=3 RESULT err=0 tag=101 nentries=0 etime=0
[13/Aug/2009:20:09:29 +0000] conn=3 op=4 SRCH base="cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsslapd-port nsslapd-secureport nsslapd-lastmod nsslapd-readonly nsslapd-schemacheck
nsslapd-referral"
[13/Aug/2009:20:09:29 +0000] conn=3 op=4 RESULT err=0 tag=101 nentries=0 etime=0
[13/Aug/2009:20:10:13 +0000] conn=3 op=6 BIND dn="uid=tadmin,ou=Administrators, ou=TopologyManagement, o=netscapeRoot" method=128 version=3
[13/Aug/2009:20:10:13 +0000] conn=3 op=6 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=tadmin,ou=administrators,ou=topologymanagement,o=netscaperoot"
[13/Aug/2009:20:10:13 +0000] conn=3 op=7 SRCH base="cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsslapd-port nsslapd-secureport nsslapd-lastmod nsslapd-readonly nsslapd-schemacheck
nsslapd-referral"
[13/Aug/2009:20:10:14 +0000] conn=3 op=7 RESULT err=0 tag=101 nentries=0 etime=1
When I log in to the console with the initial
uid=Admin,ou=Administrators, ou=TopologyManagement, o=netscapeRoot
and fire up the ds-console for the slave, it does work fine. I can browse whatever I need, create items in cn=config etc.
> > If so, I
> > would assume I would need an entry like this for each MMR server? Would
> > I need a whole entry? or just stack the nsslapd-pluginarg0 attribute
> > with all the servers ie
> >
> > dn: cn=Pass Through Authentication,cn=plugins,cn=config
> > objectClass: top
> > objectClass: nsSlapdPlugin
> > objectClass: extensibleObject
> > cn: Pass Through Authentication
> > nsslapd-pluginPath: libpassthru-plugin
> > nsslapd-pluginInitfunc: passthruauth_init
> > nsslapd-pluginType: preoperation
> > nsslapd-pluginEnabled: on
> > nsslapd-plugin-depends-on-type: database
> > nsslapd-pluginarg0: ldap://srvr0.example.com:389/o=NetscapeRoot
> > nsslapd-pluginarg0: ldap://srvr1.example.com:389/o=NetscapeRoot
> > nsslapd-pluginarg0: ldap://srvr.example.com:389/o=NetscapeRoot
>
> The attribute is not multi-valued like that. There is a different
> syntax for specifying multiple host:port in an LDAP URL:
> ldap://srvr0.example.com:389 srvr1.example.com:389
> srvr.example.com:389/o=NetscapeRoot
>
OK, I'll give it a shot with the URL, once I get the above sorted out.
Ryan
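The multi-host LDAP URL form Rich describes above (a whitespace-separated host:port list before the "/base" part, as used in nsslapd-pluginarg0) is easy to get wrong by hand. The following is an added example, not code from the thread or from 389 DS: a small parser and builder for that form, so the value can be checked before it goes into dse.ldif. It assumes the syntax exactly as quoted in the reply (scheme://host[:port] [host[:port] ...]/baseDN), with 389 and 636 as the default ports for ldap and ldaps.

```python
from typing import List, Tuple
from urllib.parse import quote, unquote

# Default ports for the two schemes; everything else is rejected.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_multihost_ldap_url(url: str) -> dict:
    """Split a space-separated multi-host LDAP URL into its parts.

    Returns the scheme, an ordered list of (host, port) tuples in failover
    order, the base DN, and whether the transport is TLS-protected."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported or malformed LDAP URL: {url!r}")
    hostlist, _, base = rest.partition("/")
    hosts: List[Tuple[str, int]] = []
    for item in hostlist.split():
        host, _, port = item.partition(":")
        port_num = int(port) if port else DEFAULT_PORTS[scheme]
        if not host or not 0 < port_num < 65536:
            raise ValueError(f"bad host:port element: {item!r}")
        hosts.append((host, port_num))
    if not hosts:
        raise ValueError("no hosts given in LDAP URL")
    return {
        "scheme": scheme,
        "hosts": hosts,
        "base": unquote(base),
        "encrypted": scheme == "ldaps",  # credentials are passed through, so this matters
    }


def build_multihost_ldap_url(hosts: List[Tuple[str, int]], base: str,
                             scheme: str = "ldap") -> str:
    """Build the single-valued nsslapd-pluginarg0 form from a host list."""
    if scheme not in DEFAULT_PORTS or not hosts:
        raise ValueError("need a known scheme and at least one host")
    hostlist = " ".join(f"{h}:{p}" for h, p in hosts)
    return f"{scheme}://{hostlist}/{quote(base, safe='=,')}"


if __name__ == "__main__":
    # Constructed sample: the three config DS hosts from the thread.
    url = build_multihost_ldap_url(
        [("srvr0.example.com", 389), ("srvr1.example.com", 389),
         ("srvr.example.com", 389)], "o=NetscapeRoot")
    print(url)
    print(parse_multihost_ldap_url(url))
```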