Ryan Braun [ADS] wrote:
In my testing lab, I have set up 2 servers using MMR replicating both userroot and netscaperoot. All replication is working between the 2 servers. My 3rd server, a consumer read-only replica of userroot, I registered to the first of the 2 MMR servers. My question is how do I configure the slave server to be able to contact the second (or any other) MMR server to get its admin server configs automatically if the first server ever goes boom? Eventually we will have 4 MMR servers, 2 groups of 2 with IP takeover style HA, for example

westldap.example.com (virtual ip)
westldap0.example.com
westldap1.example.com

eastldap.example.com (virtual ip)
eastldap0.example.com
eastldap1.example.com

On the slave server, adm.conf looks like so (with host specific details replaced). Would I just add another ldapurl option?
No, unfortunately it's not that smart. Unfortunately, failover is manual. Please file a bugzilla to request failover.
And would the server be smart enough to fail over to the next server listed?

AdminDomain: example.com
sysuser: nobody
isie: cn=389 Administration Server, cn=Server Group, cn=ywgsrvr4.example.com, ou=example.com, o=NetscapeRoot
SuiteSpotGroup: nogroup
sysgroup: nogroup
userdn: uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot
ldapurl: ldap://srvr0.example.com:389/o=NetscapeRoot
SuiteSpotUserID: nobody
sie: cn=admin-serv-srvr4, cn=389 Administration Server, cn=Server Group, cn=srvr4.example.com, ou=example.com, o=NetscapeRoot

Also, on the slave server I found this in dse.ldif

dn: cn=Pass Through Authentication,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: Pass Through Authentication
nsslapd-pluginPath: libpassthru-plugin
nsslapd-pluginInitfunc: passthruauth_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
nsslapd-pluginarg0: ldap://srvr0.example.com:389/o=NetscapeRoot
nsslapd-pluginId: passthruauth
nsslapd-pluginVersion: 1.2.1
nsslapd-pluginVendor: Fedora Project
nsslapd-pluginDescription: pass through authentication plugin

I am guessing this pass thru allows me to login to the admin server on srvr0.example.com, and then allow me access to the slave server.
Not exactly. This allows the uid=admin,....,o=NetscapeRoot user to login to servers that do not have o=NetscapeRoot, by passing through the credentials to the configuration DS (the server that has o=NetscapeRoot).
If so, I would assume I would need an entry like this for each MMR server? Would I need a whole entry, or just stack the nsslapd-pluginarg0 attribute with all the servers, i.e.

dn: cn=Pass Through Authentication,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: Pass Through Authentication
nsslapd-pluginPath: libpassthru-plugin
nsslapd-pluginInitfunc: passthruauth_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
nsslapd-pluginarg0: ldap://srvr0.example.com:389/o=NetscapeRoot
nsslapd-pluginarg0: ldap://srvr1.example.com:389/o=NetscapeRoot
nsslapd-pluginarg0: ldap://srvr.example.com:389/o=NetscapeRoot

The attribute is not multi-valued like that. There is a different syntax for specifying multiple host:port in an LDAP URL:

ldap://srvr0.example.com:389 srvr1.example.com:389 srvr.example.com:389/o=NetscapeRoot

nsslapd-pluginId: passthruauth
nsslapd-pluginVersion: 1.2.1
nsslapd-pluginVendor: Fedora Project
nsslapd-pluginDescription: pass through authentication plugin

All servers are running Debian etch|lenny with the following versions

ii port389-admin 1.1.8 Fedora Administration Server (admin)
ii port389-adminutil 1.1.8 Utility library for directory server adminis
ii port389-base 1.2.1 Fedora Directory Server (base)

Thanks
Ryan
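
Added example (not part of the original thread, and not 389 Directory Server code): a small Python check that finds stacked nsslapd-pluginarg0 values like the ones asked about above and rewrites them into the single space-separated host:port URL given in the reply. The function names and the trimmed sample entry are assumptions made for illustration; folded LDIF lines are not handled.

```python
import re

ARG = "nsslapd-pluginarg0"  # attribute name as it appears in the thread

def split_url(url):
    """Split 'ldap://h1:p h2:p/suffix' into (scheme, [host:port, ...], suffix)."""
    m = re.fullmatch(r"(ldaps?)://([^/]+)/(.+)", url.strip())
    if not m:
        raise ValueError(f"not a pass-through LDAP URL: {url!r}")
    scheme, hosts, suffix = m.groups()
    return scheme, hosts.split(), suffix

def merge_urls(urls):
    """Merge URLs sharing scheme and suffix into one multi-host URL."""
    parts = [split_url(u) for u in urls]
    scheme, _, suffix = parts[0]
    hosts = []
    for s, hs, suf in parts:
        if (s, suf.lower()) != (scheme, suffix.lower()):
            raise ValueError("URLs differ in scheme or suffix; cannot merge")
        for h in hs:
            if h not in hosts:  # keep first-listed order, drop duplicates
                hosts.append(h)
    return f"{scheme}://{' '.join(hosts)}/{suffix}"

def collapse_entry(ldif):
    """Rewrite an entry so stacked ARG lines become one multi-host value."""
    lines = ldif.strip().splitlines()
    urls = [l.split(":", 1)[1].strip() for l in lines if l.startswith(ARG + ":")]
    if len(urls) < 2:
        return ldif.strip()  # nothing stacked, leave the entry alone
    out, done = [], False
    for l in lines:
        if not l.startswith(ARG + ":"):
            out.append(l)
        elif not done:  # emit the merged value at the first occurrence only
            out.append(f"{ARG}: {merge_urls(urls)}")
            done = True
    return "\n".join(out)

# Constructed sample: trimmed version of the stacked entry from the question
STACKED = """\
dn: cn=Pass Through Authentication,cn=plugins,cn=config
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: ldap://srvr0.example.com:389/o=NetscapeRoot
nsslapd-pluginarg0: ldap://srvr1.example.com:389/o=NetscapeRoot
nsslapd-pluginarg0: ldap://srvr.example.com:389/o=NetscapeRoot
"""

if __name__ == "__main__":
    print(collapse_entry(STACKED))
```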