[K12OSN] What are you using for failover?

Brian Chivers brian at portsmouth-college.ac.uk
Tue Sep 20 18:09:24 UTC 2005


Have you added the updatedn bit on the slave?

Brian

Mark Sarria wrote:
> This is what I did: I copied the slapd.conf file from the master and pasted
> it on the slave. I no longer get the error message about the ldap owner; now I
> get a configuration error message on the slave server. I removed the
> readonly part.
> 
> Here is a copy of my slapd.conf file
> 
> ***************************************************************
> # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
> #
> # See slapd.conf(5) for details on configuration options.
> # This file should NOT be world readable.
> #
> include		/etc/openldap/schema/core.schema
> include		/etc/openldap/schema/cosine.schema
> include		/etc/openldap/schema/inetorgperson.schema
> include		/etc/openldap/schema/nis.schema
> include		/etc/openldap/schema/redhat/autofs.schema
> include		/etc/openldap/schema/samba.schema
> 
> # Allow LDAPv2 client connections.  This is NOT the default.
> allow bind_v2
> 
> # Do not enable referrals until AFTER you have a working directory
> # service AND an understanding of referrals.
> #referral	ldap://root.openldap.org
> 
> pidfile	/var/run/slapd.pid
> #argsfile	//var/run/slapd.args
> 
> # Load dynamic backend modules:
> # modulepath	/usr/sbin/openldap
> # moduleload	back_bdb.la
> # moduleload	back_ldap.la
> # moduleload	back_ldbm.la
> # moduleload	back_passwd.la
> # moduleload	back_shell.la
> 
> # The next three lines allow use of TLS for connections using a dummy test
> # certificate, but you should generate a proper certificate by changing to
> # /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
> # slapd.pem so that the ldap user or group can read it.
> # TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
> # TLSCertificateFile /usr/share/ssl/certs/slapd.pem
> # TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
> 
> # Sample security restrictions
> #	Require integrity protection (prevent hijacking)
> #	Require 112-bit (3DES or better) encryption for updates
> #	Require 63-bit encryption for simple bind
> # security ssf=1 update_ssf=112 simple_bind=64
> 
> # Sample access control policy:
> #	Root DSE: allow anyone to read it
> #	Subschema (sub)entry DSE: allow anyone to read it
> #	Other DSEs:
> #		Allow self write access
> #		Allow authenticated users read access
> #		Allow anonymous users to authenticate
> #	Directives needed to implement policy:
> # access to dn.base="" by * read
> # access to dn.base="cn=Subschema" by * read
> # access to *
> #	by self write
> #	by users read
> #	by anonymous auth
> #
> # if no access controls are present, the default policy is:
> #	Allow read by all
> #
> # rootdn can always write!
> 
> #######################################################################
> # ldbm and/or bdb database definitions
> #######################################################################
> 
> database	ldbm
> suffix		"dc=shs,dc=edu"
> rootdn		"cn=Manager,dc=shs,dc=edu"
> # Cleartext passwords, especially for the rootdn, should
> # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
> # Use of strong authentication encouraged.
> rootpw		guesswhat
> # rootpw		{crypt}ijFYNcSNctBYg
> 
> # The database directory MUST exist prior to running slapd AND 
> # should only be accessible by the slapd and slap tools.
> # Mode 700 recommended.
> directory	/var/lib/ldap
> 
> # Indices to maintain for this database
> #index objectClass                       eq,pres
> #index ou,cn,mail,surname,givenname      eq,pres,sub
> #index uidNumber,gidNumber,loginShell    eq,pres
> #index uid,memberUid                     eq,pres,sub
> #index nisMapName,nisMapEntry            eq,pres,sub
> index objectClass		eq
> index cn			pres,sub,eq
> index sn			pres,sub,eq
> index uid			pres,sub,eq
> index displayName		pres,sub,eq
> index uidNumber			eq
> index gidNumber			eq
> index memberUID			eq
> index sambaSID			eq
> index sambaPrimaryGroupSID	eq
> index sambaDomainName		eq
> index default			sub
> 
> # Replicas of this database
> #replogfile /var/lib/ldap/openldap-master-replog
> #replica host=ldap-1.example.com:389 tls=yes
> #     bindmethod=sasl saslmech=GSSAPI
> #     authcId=host/ldap-master.example.com at EXAMPLE.COM
> ****************************************************************************
> 
> -----Original Message-----
> From: Brian Chivers [mailto:brian at tpc.ac.uk] 
> Sent: Tuesday, September 20, 2005 10:06 AM
> To: mes4294 at lausd.k12.ca.us; Support list for opensource software in
> schools.
> Subject: RE: [K12OSN] What are you using for failover?
> 
> What I did was to run slapcat -l master.ldif on the master server, then
> copy the ldif file over to the slave, then slapadd -l master.ldif on the
> slave. But I've learnt from experience that if you run this as root, root
> owns all the files in /var/lib/ldap and ldap won't start, so it's a swift
> 
> chown -R ldap:ldap /var/lib/ldap
> service ldap restart
> 
> on the server and away it should go.
> 
> Today I converted one of the quieter servers over to run its own LDAP
> server backend and configured Samba to talk to this and authenticate
> against itself, and as long as you follow the instructions on
> http://k12linux.mesd.k12.or.us/ldap/high_availability.html but REMOVE the
> readonly section, replication works OK. I read in my O'Reilly book that
> in readonly mode not even the rootDN can alter the database, so that's
> interesting to know if I want to stop anyone tweaking it while I'm away
> :-)
> 
> I've got another server to swap tonight as it's a busy one, and I'll try
> and fine-tune my notes, but it looks like it's working OK at the mo.
> 
> Once the notes are fine-tuned I'll stick them on a server and post a link
> to them so everyone can have a look.
> 
> During my experiments doing this I've found some interesting glitches,
> which I think I've worked round but I'm not sure why they have happened, but at
> this time of year I don't care as long as it works :-)
> 
> I'll keep you all posted
> Brian
> 
> 
>>When I attempt to start the ldap server on the slave server I get the
>>following errors coming from the /var/lib/ldap directory:
>>MemberUid.dbb not owned by "ldap"
>>Etc....
>>Every file in that directory has the same message.
>>
>>Maybe I should not have copied it. Any clue on what I can do to get the
>>server started?
>>
>>--mark
>>
>>
>>-----Original Message-----
>>From: k12osn-bounces at redhat.com [mailto:k12osn-bounces at redhat.com] On
>>Behalf
>>Of Mark Sarria
>>Sent: Tuesday, September 20, 2005 8:57 AM
>>To: 'Support list for opensource software in schools.'
>>Subject: RE: [K12OSN] What are you using for failover?
>>
>>Brian,
>>
>>When you copied over the files from /var/lib/ldap, did the permissions
>>change to execute (-rwxr--r-) for you?
>>
>>--mark
>>
>>-----Original Message-----
>>From: k12osn-bounces at redhat.com [mailto:k12osn-bounces at redhat.com] On
>>Behalf
>>Of Brian Chivers
>>Sent: Tuesday, September 20, 2005 12:58 AM
>>To: Support list for opensource software in schools.
>>Subject: Re: [K12OSN] What are you using for failover?
>>
>>David Trask wrote:
>>
>>>"Support list for opensource software in schools." <k12osn at redhat.com>
>>>on
>>>Monday, September 19, 2005 at 2:36 PM +0000 wrote:
>>>
>>>
>>>>I'm just working on a test server to see what I need to add to the
>>>>minimal install to get OpenLDAP server running locally. It looks OK at
>>>>the mo just have to setup the replication from the central LDAP but that
>>>>might have to wait till tomorrow.
>>>>
>>>>Brian
>>>
>>>
>>>Document this heavily as I can see many folks....myself included would
>>>like to try it out.  :-)
>>>
>>>David N. Trask
>>>Technology Teacher/Coordinator
>>>Vassalboro Community School
>>>dtrask at vcsvikings.org
>>>(207)923-3100
>>>
>>>_______________________________________________
>>>K12OSN mailing list
>>>K12OSN at redhat.com
>>>https://www.redhat.com/mailman/listinfo/k12osn
>>>For more info see <http://www.k12os.org>
>>>
>>OK, will do. I think I've got it working, just testing at the mo.
>>
>>It's quite simple, just got to sort out the replication with slaves in
>>readonly mode (see other post).
>>
>>Brian
>>
>>---------------------------------------------------------------
>>    The views expressed here are my own and not necessarily
>>                the views of Portsmouth College
>>
> 
> 
> 


---------------------------------------------------------------
    The views expressed here are my own and not necessarily 
                the views of Portsmouth College             
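The thread above hits two separate failures on the slave: database files left owned by root after running slapadd as root (the "not owned by ldap" errors), and a slapd.conf that slurpd cannot push into because updatedn/updateref are missing or readonly is still on. The posted slapd.conf also carries a cleartext rootpw and its own "This file should NOT be world readable" warning. The following is an added example, not code from the thread, from the k12linux guide or from OpenLDAP: a small set of pre-start checks for a slurpd-era slave. The function names, the argument layout, and the DN in the usage line are assumptions; the directive names (updatedn, updateref, readonly, rootpw) are the real slapd.conf(5) ones.

```shell
#!/bin/sh
# Added example (not from the original thread): pre-start sanity checks for an
# OpenLDAP 2.2-era slurpd slave. All paths and the slapd user are arguments.

# List every file under the database directory that the slapd user does not own.
# This is exactly the "MemberUid.dbb not owned by ldap" situation from the thread,
# usually caused by running slapadd as root. Returns 1 if any file is wrong.
check_db_owner() {
    dir=$1; user=$2
    bad=$(find "$dir" ! -user "$user" -print)
    if [ -n "$bad" ]; then
        printf 'not owned by %s:\n%s\n' "$user" "$bad"
        return 1
    fi
    return 0
}

# The fix from the thread (chown -R ldap:ldap /var/lib/ldap), then re-verify.
fix_db_owner() {
    dir=$1; user=$2; group=$3
    chown -R "$user:$group" "$dir" && check_db_owner "$dir" "$user"
}

# A slurpd slave needs:
#   updatedn  - the DN slurpd binds as when it pushes changes; it must match the
#               binddn in the master's "replica" directive
#   updateref - the URL clients are referred to when they try to write to the slave
# and must NOT have "readonly on", which rejects every write, slurpd's included
# (the reason the thread says to remove the readonly section).
check_slave_conf() {
    conf=$1; rc=0
    body=$(sed -e 's/#.*//' "$conf")   # drop comments before matching
    echo "$body" | grep -Eq '^[[:space:]]*updatedn[[:space:]]'  || { echo "$conf: missing updatedn";  rc=1; }
    echo "$body" | grep -Eq '^[[:space:]]*updateref[[:space:]]' || { echo "$conf: missing updateref"; rc=1; }
    echo "$body" | grep -Eiq '^[[:space:]]*readonly[[:space:]]+on' && { echo "$conf: readonly on blocks slurpd updates"; rc=1; }
    return $rc
}

# rootpw should be a hash from slappasswd ({SSHA}..., {crypt}...), not cleartext
# like the "rootpw guesswhat" in the posted config.
check_rootpw() {
    pw=$(sed -e 's/#.*//' "$1" | awk '$1 == "rootpw" { print $2; exit }')
    if [ -z "$pw" ]; then
        return 0                          # no rootpw set: nothing to check
    fi
    case $pw in
        '{'*'}'*) return 0 ;;             # hashed value, fine
        *) echo "$1: rootpw is stored in cleartext"; return 1 ;;
    esac
}

# slapd.conf holds rootpw and replica credentials: it must not be world-readable.
check_conf_perms() {
    if [ -n "$(find "$1" -perm -004 -print)" ]; then
        echo "$1: world-readable"
        return 1
    fi
    return 0
}

# Usage (assumed layout): sh slave-check.sh /etc/openldap/slapd.conf /var/lib/ldap ldap
if [ $# -eq 3 ]; then
    rc=0
    check_conf_perms "$1" || rc=1
    check_rootpw "$1"     || rc=1
    check_slave_conf "$1" || rc=1
    check_db_owner "$2" "$3" || rc=1
    exit $rc
fi
```

Run it before `service ldap restart` on the slave; a non-zero exit means one of the thread's known failure modes is still present, and the messages name which one. The ownership check only reports; call fix_db_owner (as root) to apply the chown the thread uses.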



