[K12OSN] What are you using for failover?
Brian Chivers
brian at portsmouth-college.ac.uk
Tue Sep 20 18:09:24 UTC 2005
Have you added the updatedn bit on the slave?
Brian
Mark Sarria wrote:
> This is what I did, I copied the slapd.conf file from the master and pasted
> on the slave, I no longer get the error message about the ldap owner, now I
> get a configuration error message on the slave server. I removed the
> readonly part
>
> Here is a copy of my slapd.conf file
>
> ***************************************************************
> # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
> #
> # See slapd.conf(5) for details on configuration options.
> # This file should NOT be world readable.
> #
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/nis.schema
> include /etc/openldap/schema/redhat/autofs.schema
> include /etc/openldap/schema/samba.schema
>
> # Allow LDAPv2 client connections. This is NOT the default.
> allow bind_v2
>
> # Do not enable referrals until AFTER you have a working directory
> # service AND an understanding of referrals.
> #referral ldap://root.openldap.org
>
> pidfile /var/run/slapd.pid
> #argsfile //var/run/slapd.args
>
> # Load dynamic backend modules:
> # modulepath /usr/sbin/openldap
> # moduleload back_bdb.la
> # moduleload back_ldap.la
> # moduleload back_ldbm.la
> # moduleload back_passwd.la
> # moduleload back_shell.la
>
> # The next three lines allow use of TLS for connections using a dummy test
> # certificate, but you should generate a proper certificate by changing to
> # /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
> # slapd.pem so that the ldap user or group can read it.
> # TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
> # TLSCertificateFile /usr/share/ssl/certs/slapd.pem
> # TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
>
> # Sample security restrictions
> # Require integrity protection (prevent hijacking)
> # Require 112-bit (3DES or better) encryption for updates
> # Require 63-bit encryption for simple bind
> # security ssf=1 update_ssf=112 simple_bind=64
>
> # Sample access control policy:
> # Root DSE: allow anyone to read it
> # Subschema (sub)entry DSE: allow anyone to read it
> # Other DSEs:
> # Allow self write access
> # Allow authenticated users read access
> # Allow anonymous users to authenticate
> # Directives needed to implement policy:
> # access to dn.base="" by * read
> # access to dn.base="cn=Subschema" by * read
> # access to *
> # by self write
> # by users read
> # by anonymous auth
> #
> # if no access controls are present, the default policy is:
> # Allow read by all
> #
> # rootdn can always write!
>
> #######################################################################
> # ldbm and/or bdb database definitions
> #######################################################################
>
> database ldbm
> suffix "dc=shs,dc=edu"
> rootdn "cn=Manager,dc=shs,dc=edu"
> # Cleartext passwords, especially for the rootdn, should
> # be avoided. See slappasswd(8) and slapd.conf(5) for details.
> # Use of strong authentication encouraged.
> rootpw guesswhat
> # rootpw {crypt}ijFYNcSNctBYg
>
> # The database directory MUST exist prior to running slapd AND
> # should only be accessible by the slapd and slap tools.
> # Mode 700 recommended.
> directory /var/lib/ldap
>
> # Indices to maintain for this database
> #index objectClass eq,pres
> #index ou,cn,mail,surname,givenname eq,pres,sub
> #index uidNumber,gidNumber,loginShell eq,pres
> #index uid,memberUid eq,pres,sub
> #index nisMapName,nisMapEntry eq,pres,sub
> index objectClass eq
> index cn pres,sub,eq
> index sn pres,sub,eq
> index uid pres,sub,eq
> index displayName pres,sub,eq
> index uidNumber eq
> index gidNumber eq
> index memberUID eq
> index sambaSID eq
> index sambaPrimaryGroupSID eq
> index sambaDomainName eq
> index default sub
>
> # Replicas of this database
> #replogfile /var/lib/ldap/openldap-master-replog
> #replica host=ldap-1.example.com:389 tls=yes
> # bindmethod=sasl saslmech=GSSAPI
> # authcId=host/ldap-master.example.com at EXAMPLE.COM
> *****************************************************************************
>
> -----Original Message-----
> From: Brian Chivers [mailto:brian at tpc.ac.uk]
> Sent: Tuesday, September 20, 2005 10:06 AM
> To: mes4294 at lausd.k12.ca.us; Support list for opensource software in schools.
> Subject: RE: [K12OSN] What are you using for failover?
>
> What I did was to run slapcat -l master.ldif on the master server then to
> copy over the ldif file to the slave. Then slapadd -l master.ldif on the
> slave but I've learnt from experience that if you run this as root, root
> owns all the files in /var/lib/ldap and ldap won't start, so it's a swift
>
> chown -R ldap:ldap /var/lib/ldap
> service ldap restart
>
> on the server and away it should go.
>
> Today I converted one of the quieter servers over to run its own LDAP
> server backend and configured Samba to talk to this and authenticate
> against itself and as long as you follow the instructions on
> http://k12linux.mesd.k12.or.us/ldap/high_availability.html but REMOVE the
> readonly section replication works OK. I read in my O'Reilly book that
> in readonly mode not even the rootDN can alter the database so that's
> interesting to know if I want to stop anyone tweaking it while I'm away
> :-)
>
> I've got another server to swap tonight as it's a busy one and I'll try
> and fine tune my notes but it looks like it's working OK at the mo.
>
> Once the notes are fine tuned I'll stick them on a server and post a link
> to them so everyone can have a look.
>
> During my experiments doing this I've found some interesting glitches
> which I think I've worked round but not sure why they have happened but at
> this time of year I don't care as long as it works :-)
>
> I'll keep you all posted
> Brian
>
>
>>When I attempt to start the ldap server on the slave server I get the
>>following errors coming from the /var/lib/ldap file
>>MemberUid.dbb not owned by "ldap"
>>Etc....
>>Every file in that directory has the same message.
>>
>>Maybe I should not have copied it. Any clue on what I can do to get the
>>server started?
>>
>>--mark
>>
>>
>>-----Original Message-----
>>From: k12osn-bounces at redhat.com [mailto:k12osn-bounces at redhat.com] On Behalf Of Mark Sarria
>>Sent: Tuesday, September 20, 2005 8:57 AM
>>To: 'Support list for opensource software in schools.'
>>Subject: RE: [K12OSN] What are you using for failover?
>>
>>Brian,
>>
>>When you copied over the files from /var/lib/ldap did the permissions change to execute (-rwxr--r-) for you?
>>
>>--mark
>>
>>-----Original Message-----
>>From: k12osn-bounces at redhat.com [mailto:k12osn-bounces at redhat.com] On Behalf Of Brian Chivers
>>Sent: Tuesday, September 20, 2005 12:58 AM
>>To: Support list for opensource software in schools.
>>Subject: Re: [K12OSN] What are you using for failover?
>>
>>David Trask wrote:
>>
>>>"Support list for opensource software in schools." <k12osn at redhat.com> on Monday, September 19, 2005 at 2:36 PM +0000 wrote:
>>>
>>>
>>>>I'm just working on a test server to see what I need to add to the
>>>>minimal install to get OpenLDAP server running locally. It looks OK at
>>>>the mo just have to setup the replication from the central LDAP but that
>>>>might have to wait till tomorrow.
>>>>
>>>>Brian
>>>
>>>
>>>Document this heavily as I can see many folks....myself included would
>>>like to try it out. :-)
>>>
>>>David N. Trask
>>>Technology Teacher/Coordinator
>>>Vassalboro Community School
>>>dtrask at vcsvikings.org
>>>(207)923-3100
>>>
>>>_______________________________________________
>>>K12OSN mailing list
>>>K12OSN at redhat.com
>>>https://www.redhat.com/mailman/listinfo/k12osn
>>>For more info see <http://www.k12os.org>
>>>
>>OK Will do, I think I've got it working just testing at the mo.
>>
>>It's quite simple just got to sort out the replication with slave's in
>>readonly mode (see other post)
>>
>>Brian
>>
>>---------------------------------------------------------------
>> The views expressed here are my own and not necessarily
>> the views of Portsmouth College
>>
>>
>>
>
>
>
>
---------------------------------------------------------------
The views expressed here are my own and not necessarily
the views of Portsmouth College
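The seed-the-slave procedure from Brian's earlier message (slapcat on the master, slapadd on the slave, then chown because slapadd run as root leaves root-owned files) and the "updatedn" question at the top of this reply, worked through as an added shell example. This is not code from the thread or from the K12LTSP high-availability page it links to; it assumes the RHEL-era layout the thread uses (user "ldap", /var/lib/ldap, "service ldap", slapcat/slapadd with -l), and the host names and the replicator DN are placeholders. The ownership and permission checks are generic and are what you would run before restarting ldap on the slave.

```shell
#!/bin/sh
# Added example, not from the thread: seed a slurpd-style OpenLDAP slave
# from a master LDIF, repair ownership/modes, and print the replication
# directives each side's slapd.conf needs. Assumes the RHEL-era layout used
# in the thread: user "ldap", /var/lib/ldap, "service ldap", slapcat/slapadd
# with -l. Host names and the replicator DN are placeholders.
set -eu

LDAP_USER="${LDAP_USER:-ldap}"
LDAP_DIR="${LDAP_DIR:-/var/lib/ldap}"
LDIF="${LDIF:-/root/master.ldif}"

# 0 if every file under $1 is owned by $2 (user name or numeric uid).
# Comparing uids means a file whose owner has no passwd entry on this box
# (the "not owned by ldap" symptom) still shows up.
check_db_owner() {
    dir=$1
    [ -d "$dir" ] || return 1
    case $2 in
        *[!0-9]*) uid=$(id -u "$2") ;;
        *)        uid=$2 ;;
    esac
    bad=$(find "$dir" ! -uid "$uid" | head -n 1)
    [ -z "$bad" ]
}

# 0 if nothing under $1 grants "other" any access. The index files hold
# userPassword and the Samba password hashes, so they deserve the same
# mode 700/600 treatment slapd.conf asks for on the directory itself.
check_db_private() {
    dir=$1
    [ -d "$dir" ] || return 1
    bad=$(find "$dir" \( -perm -004 -o -perm -002 -o -perm -001 \) | head -n 1)
    [ -z "$bad" ]
}

# Master: export with slapd stopped so the LDIF is a consistent snapshot.
dump_master() {
    service ldap stop
    slapcat -l "$LDIF"
    service ldap start
}

# Slave: slapadd into an empty database, then undo the root ownership that
# running it as root leaves behind, and verify before starting slapd.
seed_slave() {
    service ldap stop
    rm -f "$LDAP_DIR"/*.dbb "$LDAP_DIR"/*.bdb "$LDAP_DIR"/__db.* "$LDAP_DIR"/log.*
    slapadd -l "$LDIF"
    chown -R "$LDAP_USER:$LDAP_USER" "$LDAP_DIR"
    chmod -R go-rwx "$LDAP_DIR"
    check_db_owner "$LDAP_DIR" "$LDAP_USER"
    check_db_private "$LDAP_DIR"
    service ldap start
}

# Slave slapd.conf, after the "directory" line of the database section:
# without updatedn the slave rejects slurpd's writes; updateref turns a
# client's write attempt into a referral to the master. The ACL grants the
# replicator DN write access ahead of the read-only rule for ordinary users.
slave_replication_stanza() {
    master=$1 replicator_dn=$2
    cat <<EOF
updatedn  "$replicator_dn"
updateref ldap://$master
access to *
    by dn="$replicator_dn" write
    by self write
    by users read
    by anonymous auth
EOF
}

# Master slapd.conf: replication log plus one replica line per slave.
# The slave-side half of this password (the replicator entry's userPassword,
# or the slave's rootpw if updatedn is its rootdn) should be a slappasswd
# hash, not cleartext like the rootpw in the posted config.
master_replication_stanza() {
    slave=$1 replicator_dn=$2 credentials=$3
    cat <<EOF
replogfile /var/lib/ldap/openldap-master-replog
replica host=$slave:389
    binddn="$replicator_dn"
    bindmethod=simple credentials=$credentials
EOF
}

case "${1:-}" in
    dump)        dump_master ;;
    seed)        seed_slave ;;
    slave-conf)  slave_replication_stanza "$2" "$3" ;;
    master-conf) master_replication_stanza "$2" "$3" "$4" ;;
esac
```

Run it as "sh seed-slave.sh dump" on the master, copy the LDIF across, then "sh seed-slave.sh seed" on the slave; "slave-conf ldap-master.shs.edu 'cn=Replicator,dc=shs,dc=edu'" prints the stanza to paste into the slave's slapd.conf. The two check functions are the part worth keeping around: they fail before slapd does, with a clearer reason than one "not owned by ldap" line per index file.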