In my testing lab, I have set up 2 servers using MMR replicating both userroot and netscaperoot. All replication is working between the 2 servers. My 3rd server, a consumer read-only replica of userroot, I registered to the first of the 2 MMR servers. My question is, how do I configure the slave server to be able to contact the second (or any other) MMR server to get its admin server configs automatically if the first server ever goes boom? Eventually we will have 4 MMR servers, 2 groups of 2 with IP takeover style HA, for example
westldap.example.com (virtual ip)
westldap0.example.com
westldap1.example.com
eastldap.example.com (virtual ip)
eastldap0.example.com
eastldap1.example.com
On the slave server, adm.conf looks like so (with host-specific details replaced). Would I just add another ldapurl option? And would the server be smart enough to fail over to the next server listed?
AdminDomain: example.com
sysuser: nobody
isie: cn=389 Administration Server, cn=Server Group, cn=ywgsrvr4.example.com, ou=example.com, o=NetscapeRoot
SuiteSpotGroup: nogroup
sysgroup: nogroup
userdn: uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot
ldapurl: ldap://srvr0.example.com:389/o=NetscapeRoot
SuiteSpotUserID: nobody
sie: cn=admin-serv-srvr4, cn=389 Administration Server, cn=Server Group, cn=srvr4.example.com, ou=example.com, o=NetscapeRoot
Also, on the slave server I found this in dse.ldif
dn: cn=Pass Through Authentication,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: Pass Through Authentication
nsslapd-pluginPath: libpassthru-plugin
nsslapd-pluginInitfunc: passthruauth_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
nsslapd-pluginarg0: ldap://srvr0.example.com:389/o=NetscapeRoot
nsslapd-pluginId: passthruauth
nsslapd-pluginVersion: 1.2.1
nsslapd-pluginVendor: Fedora Project
nsslapd-pluginDescription: pass through authentication plugin
I am guessing this pass-through allows me to log in to the admin server on srvr0.example.com, and then allows me access to the slave server. If so, I would assume I would need an entry like this for each MMR server? Would I need a whole entry, or just stack the nsslapd-pluginarg0 attribute with all the servers, i.e.
dn: cn=Pass Through Authentication,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: Pass Through Authentication
nsslapd-pluginPath: libpassthru-plugin
nsslapd-pluginInitfunc: passthruauth_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
nsslapd-pluginarg0: ldap://srvr0.example.com:389/o=NetscapeRoot
nsslapd-pluginarg0: ldap://srvr1.example.com:389/o=NetscapeRoot
nsslapd-pluginarg0: ldap://srvr.example.com:389/o=NetscapeRoot
nsslapd-pluginId: passthruauth
nsslapd-pluginVersion: 1.2.1
nsslapd-pluginVendor: Fedora Project
nsslapd-pluginDescription: pass through authentication plugin
All servers are running Debian etch|lenny with the following versions:
ii  port389-admin      1.1.8  Fedora Administration Server (admin)
ii  port389-adminutil  1.1.8  Utility library for directory server adminis
ii  port389-base       1.2.1  Fedora Directory Server (base)
Thanks
Ryan
Ryan Braun [ADS] wrote:
In my testing lab, I have set up 2 servers using MMR replicating both userroot and netscaperoot. All replication is working between the 2 servers. My 3rd server, a consumer read-only replica of userroot, I registered to the first of the 2 MMR servers. My question is, how do I configure the slave server to be able to contact the second (or any other) MMR server to get its admin server configs automatically if the first server ever goes boom? Eventually we will have 4 MMR servers, 2 groups of 2 with IP takeover style HA, for example
westldap.example.com (virtual ip)
westldap0.example.com
westldap1.example.com
eastldap.example.com (virtual ip)
eastldap0.example.com
eastldap1.example.com
On the slave server, adm.conf looks like so (with host-specific details replaced). Would I just add another ldapurl option?
No, unfortunately it's not that smart. Unfortunately, failover is manual. Please file a bugzilla to request failover.
And would the server be smart enough to fail over to the next server listed?
AdminDomain: example.com
sysuser: nobody
isie: cn=389 Administration Server, cn=Server Group, cn=ywgsrvr4.example.com, ou=example.com, o=NetscapeRoot
SuiteSpotGroup: nogroup
sysgroup: nogroup
userdn: uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot
ldapurl: ldap://srvr0.example.com:389/o=NetscapeRoot
SuiteSpotUserID: nobody
sie: cn=admin-serv-srvr4, cn=389 Administration Server, cn=Server Group, cn=srvr4.example.com, ou=example.com, o=NetscapeRoot
Also, on the slave server I found this in dse.ldif
dn: cn=Pass Through Authentication,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: Pass Through Authentication
nsslapd-pluginPath: libpassthru-plugin
nsslapd-pluginInitfunc: passthruauth_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
nsslapd-pluginarg0: ldap://srvr0.example.com:389/o=NetscapeRoot
nsslapd-pluginId: passthruauth
nsslapd-pluginVersion: 1.2.1
nsslapd-pluginVendor: Fedora Project
nsslapd-pluginDescription: pass through authentication plugin
I am guessing this pass-through allows me to log in to the admin server on srvr0.example.com, and then allows me access to the slave server.
Not exactly. This allows the uid=admin,....,o=NetscapeRoot user to login to servers that do not have o=NetscapeRoot, by passing through the credentials to the configuration DS (the server that has o=NetscapeRoot).
If so, I would assume I would need an entry like this for each MMR server? Would I need a whole entry, or just stack the nsslapd-pluginarg0 attribute with all the servers, i.e.
dn: cn=Pass Through Authentication,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: Pass Through Authentication
nsslapd-pluginPath: libpassthru-plugin
nsslapd-pluginInitfunc: passthruauth_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
nsslapd-pluginarg0: ldap://srvr0.example.com:389/o=NetscapeRoot
nsslapd-pluginarg0: ldap://srvr1.example.com:389/o=NetscapeRoot
nsslapd-pluginarg0: ldap://srvr.example.com:389/o=NetscapeRoot
The attribute is not multi-valued like that. There is a different syntax for specifying multiple host:port in an LDAP URL:
ldap://srvr0.example.com:389 srvr1.example.com:389 srvr.example.com:389/o=NetscapeRoot
nsslapd-pluginId: passthruauth
nsslapd-pluginVersion: 1.2.1
nsslapd-pluginVendor: Fedora Project
nsslapd-pluginDescription: pass through authentication plugin
All servers are running Debian etch|lenny with the following versions:
ii  port389-admin      1.1.8  Fedora Administration Server (admin)
ii  port389-adminutil  1.1.8  Utility library for directory server adminis
ii  port389-base       1.2.1  Fedora Directory Server (base)
Thanks
Ryan
--
389 users mailing list
389-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
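The reply above makes two points that are easy to get wrong when editing dse.ldif by hand: nsslapd-pluginarg0 takes one value, and the way to name several configuration directory servers is the space-separated host:port list inside a single LDAP URL. The script below is an added example, not code from the thread or from the 389 project: it parses a pass-through-auth plugin entry with a minimal LDIF reader, splits the multi-host URL into its targets, and runs the checks an administrator would want before restarting slapd. The sample entries are constructed from the ones in the thread; the assumption that hosts are tried left to right is mine, and the ldap:// finding rests on the general fact that a simple bind forwarded over plain LDAP carries the password unencrypted.

```python
"""Added example (not from the thread or the 389 project): parse the
pass-through-auth plugin entry and the multi-host LDAP URL syntax."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the entry using the single multi-host URL form from the reply.
CORRECTED_LDIF = """\
dn: cn=Pass Through Authentication,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: Pass Through Authentication
nsslapd-pluginPath: libpassthru-plugin
nsslapd-pluginInitfunc: passthruauth_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
nsslapd-pluginarg0: ldap://srvr0.example.com:389 srvr1.example.com:389 srvr.example.com:389/o=NetscapeRoot
nsslapd-pluginId: passthruauth
"""

# Constructed sample: the stacked form proposed in the question, which the reply rejects.
STACKED_LDIF = CORRECTED_LDIF.replace(
    "nsslapd-pluginarg0: ldap://srvr0.example.com:389 srvr1.example.com:389 srvr.example.com:389/o=NetscapeRoot",
    "nsslapd-pluginarg0: ldap://srvr0.example.com:389/o=NetscapeRoot\n"
    "nsslapd-pluginarg0: ldap://srvr1.example.com:389/o=NetscapeRoot\n"
    "nsslapd-pluginarg0: ldap://srvr.example.com:389/o=NetscapeRoot",
)


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Minimal single-entry LDIF parser: joins folded continuation lines
    (leading space) and collects values per lower-cased attribute name."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # LDIF line folding
        elif raw.strip() and not raw.startswith("#"):
            logical.append(raw)
    attrs: Dict[str, List[str]] = {}
    for line in logical:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def parse_multihost_ldap_url(url: str) -> Tuple[str, List[Tuple[str, int]], str]:
    """Split 'ldap://h1:p1 h2:p2/base' into (scheme, [(host, port), ...], base DN).
    Hosts are space-separated in the authority part; assumed to be tried left to right."""
    m = re.fullmatch(r"(ldaps?)://([^/]*)/(.*)", url.strip())
    if not m:
        raise ValueError(f"not an LDAP URL with a base DN: {url!r}")
    scheme, hostpart, base = m.groups()
    default_port = 636 if scheme == "ldaps" else 389
    hosts = []
    for hp in hostpart.split():
        host, _, port = hp.partition(":")
        hosts.append((host, int(port) if port else default_port))
    if not hosts:
        raise ValueError("no hosts in URL")
    return scheme, hosts, base


def expand_failover_urls(url: str) -> List[str]:
    """One single-host URL per target, in the assumed try order."""
    scheme, hosts, base = parse_multihost_ldap_url(url)
    return [f"{scheme}://{h}:{p}/{base}" for h, p in hosts]


def check_passthru_entry(attrs: Dict[str, List[str]]) -> List[str]:
    """Sanity checks to run on the entry before restarting slapd."""
    findings: List[str] = []
    values = attrs.get("nsslapd-pluginarg0", [])
    if len(values) != 1:
        findings.append(f"nsslapd-pluginarg0 has {len(values)} values; use one multi-host URL")
    if attrs.get("nsslapd-pluginenabled", ["off"])[0].lower() != "on":
        findings.append("plugin is not enabled")
    for url in values:
        scheme, _, base = parse_multihost_ldap_url(url)
        if scheme == "ldap":
            # Forwarded simple binds carry the password; plain ldap:// exposes it on the wire.
            findings.append(f"{url}: plain ldap://, forwarded bind passwords are unencrypted unless TLS is used")
        if base.lower() != "o=netscaperoot":
            findings.append(f"{url}: base {base!r} is not o=NetscapeRoot")
    return findings


if __name__ == "__main__":
    for label, ldif in (("corrected", CORRECTED_LDIF), ("stacked", STACKED_LDIF)):
        print(label, check_passthru_entry(parse_ldif_entry(ldif)))
    print(expand_failover_urls(parse_ldif_entry(CORRECTED_LDIF)["nsslapd-pluginarg0"][0]))
```

Running it reports the three stacked values as a problem and lists the three single-host URLs the corrected entry expands to; the ldap:// finding is there so the cleartext forwarding of admin credentials to the configuration DS is a conscious decision rather than an accident.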
On August 13, 2009 07:03:29 pm Rich Megginson wrote:
Ryan Braun [ADS] wrote:
In my testing lab, I have set up 2 servers using MMR replicating both userroot and netscaperoot. All replication is working between the 2 servers. My 3rd server, a consumer read-only replica of userroot, I registered to the first of the 2 MMR servers. My question is, how do I configure the slave server to be able to contact the second (or any other) MMR server to get its admin server configs automatically if the first server ever goes boom? Eventually we will have 4 MMR servers, 2 groups of 2 with IP takeover style HA, for example
westldap.example.com (virtual ip)
westldap0.example.com
westldap1.example.com
eastldap.example.com (virtual ip)
eastldap0.example.com
eastldap1.example.com
On the slave server, adm.conf looks like so (with host-specific details replaced). Would I just add another ldapurl option?
No, unfortunately it's not that smart. Unfortunately, failover is manual. Please file a bugzilla to request failover.
Filed: https://bugzilla.redhat.com/show_bug.cgi?id=517413
And would the server be smart enough to fail over to the next server listed?
AdminDomain: example.com
sysuser: nobody
isie: cn=389 Administration Server, cn=Server Group, cn=ywgsrvr4.example.com, ou=example.com, o=NetscapeRoot
SuiteSpotGroup: nogroup
sysgroup: nogroup
userdn: uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot
ldapurl: ldap://srvr0.example.com:389/o=NetscapeRoot
SuiteSpotUserID: nobody
sie: cn=admin-serv-srvr4, cn=389 Administration Server, cn=Server Group, cn=srvr4.example.com, ou=example.com, o=NetscapeRoot
Also, on the slave server I found this in dse.ldif
dn: cn=Pass Through Authentication,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: Pass Through Authentication
nsslapd-pluginPath: libpassthru-plugin
nsslapd-pluginInitfunc: passthruauth_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
nsslapd-pluginarg0: ldap://srvr0.example.com:389/o=NetscapeRoot
nsslapd-pluginId: passthruauth
nsslapd-pluginVersion: 1.2.1
nsslapd-pluginVendor: Fedora Project
nsslapd-pluginDescription: pass through authentication plugin
I am guessing this pass-through allows me to log in to the admin server on srvr0.example.com, and then allows me access to the slave server.
Not exactly. This allows the uid=admin,....,o=NetscapeRoot user to login to servers that do not have o=NetscapeRoot, by passing through the credentials to the configuration DS (the server that has o=NetscapeRoot).
I'm guilty of a bad habit here: whenever I connect to the console (not very often), I use cn=directory manager. Does the above pass whichever user was authenticated by the console, or just the uid=admin user? For example, I created another admin user
uid=TAdmin,ou=Administrators, ou=TopologyManagement, o=netscapeRoot
I log in to the console on srvr0 with uid=TAdmin, and I can open up the ds-console for the slave. When I click on the configuration tab, I get an error saying the user doesn't have permission to perform this operation. Only I don't see anything in either server's access logs about it failing, or in the admin server logs. Here is a snippet from srvr0: it binds successfully, then when I click on the config tab, it says no permission, asks for the password again, and does appear to bind successfully but again tells me I don't have permission.
[13/Aug/2009:20:08:11 +0000] conn=3 fd=64 slot=64 connection from x.x.x.x to x.x.x.x
[13/Aug/2009:20:08:11 +0000] conn=3 op=0 BIND dn="uid=tadmin,ou=Administrators, ou=TopologyManagement, o=netscapeRoot" method=128 version=3
[13/Aug/2009:20:08:11 +0000] conn=3 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=tadmin,ou=administrators,ou=topologymanagement,o=netscaperoot"
[13/Aug/2009:20:09:09 +0000] conn=3 op=1 BIND dn="uid=tadmin,ou=Administrators, ou=TopologyManagement, o=netscapeRoot" method=128 version=3
[13/Aug/2009:20:09:09 +0000] conn=3 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=tadmin,ou=administrators,ou=topologymanagement,o=netscaperoot"
[13/Aug/2009:20:09:29 +0000] conn=3 op=3 SRCH base="cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsslapd-security"
[13/Aug/2009:20:09:29 +0000] conn=3 op=3 RESULT err=0 tag=101 nentries=0 etime=0
[13/Aug/2009:20:09:29 +0000] conn=3 op=4 SRCH base="cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsslapd-port nsslapd-secureport nsslapd-lastmod nsslapd-readonly nsslapd-schemacheck nsslapd-referral"
[13/Aug/2009:20:09:29 +0000] conn=3 op=4 RESULT err=0 tag=101 nentries=0 etime=0
[13/Aug/2009:20:10:13 +0000] conn=3 op=6 BIND dn="uid=tadmin,ou=Administrators, ou=TopologyManagement, o=netscapeRoot" method=128 version=3
[13/Aug/2009:20:10:13 +0000] conn=3 op=6 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=tadmin,ou=administrators,ou=topologymanagement,o=netscaperoot"
[13/Aug/2009:20:10:13 +0000] conn=3 op=7 SRCH base="cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsslapd-port nsslapd-secureport nsslapd-lastmod nsslapd-readonly nsslapd-schemacheck nsslapd-referral"
[13/Aug/2009:20:10:14 +0000] conn=3 op=7 RESULT err=0 tag=101 nentries=0 etime=1
When I log in to the console with the initial
uid=Admin,ou=Administrators, ou=TopologyManagement, o=netscapeRoot
and fire up the ds-console for the slave, it does work fine. I can browse whatever I need, create items in cn=config, etc.
If so, I would assume I would need an entry like this for each MMR server? Would I need a whole entry, or just stack the nsslapd-pluginarg0 attribute with all the servers, i.e.
dn: cn=Pass Through Authentication,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: Pass Through Authentication
nsslapd-pluginPath: libpassthru-plugin
nsslapd-pluginInitfunc: passthruauth_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
nsslapd-pluginarg0: ldap://srvr0.example.com:389/o=NetscapeRoot
nsslapd-pluginarg0: ldap://srvr1.example.com:389/o=NetscapeRoot
nsslapd-pluginarg0: ldap://srvr.example.com:389/o=NetscapeRoot
The attribute is not multi-valued like that. There is a different syntax for specifying multiple host:port in an LDAP URL:
ldap://srvr0.example.com:389 srvr1.example.com:389 srvr.example.com:389/o=NetscapeRoot
OK, I'll give it a shot with the URL once I get the above sorted out.
Ryan
389-users@lists.fedoraproject.org
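The access-log snippet in the message above is hard to read flattened, and the point being made about it (every op on conn=3 ends with err=0, so the permission error the console shows never reaches this server's log) is easiest to confirm by pairing each request line with its RESULT line. The script below is an added example, not from the thread or the 389 project: it correlates 389-DS access-log operations by conn/op, names the LDAP result code, and lists the failures. The first sample is the srvr0 snippet from the post; the two lines marked constructed are my own addition showing what a denied write to cn=config (err=50, insufficientAccessRights per RFC 4511) would look like, so the failure path has something to detect. The log format assumed is the one shown in the post.

```python
"""Added example (not from the thread or the 389 project): pair each
389-DS access-log operation with its RESULT line and report failures."""
import re
from typing import Any, Dict, List, Tuple

# Sample input copied from the srvr0 snippet in the post (IPs were already masked there).
THREAD_SNIPPET = """\
[13/Aug/2009:20:08:11 +0000] conn=3 fd=64 slot=64 connection from x.x.x.x to x.x.x.x
[13/Aug/2009:20:08:11 +0000] conn=3 op=0 BIND dn="uid=tadmin,ou=Administrators, ou=TopologyManagement, o=netscapeRoot" method=128 version=3
[13/Aug/2009:20:08:11 +0000] conn=3 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=tadmin,ou=administrators,ou=topologymanagement,o=netscaperoot"
[13/Aug/2009:20:09:29 +0000] conn=3 op=3 SRCH base="cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsslapd-security"
[13/Aug/2009:20:09:29 +0000] conn=3 op=3 RESULT err=0 tag=101 nentries=0 etime=0
"""

# Constructed lines (not in the post): a modify of cn=config refused for lack of rights.
CONSTRUCTED_DENIAL = """\
[13/Aug/2009:20:11:02 +0000] conn=3 op=9 MOD dn="cn=config"
[13/Aug/2009:20:11:02 +0000] conn=3 op=9 RESULT err=50 tag=103 nentries=0 etime=0
"""

# Standard LDAP result codes (RFC 4511) worth naming in a report.
ERR_NAMES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials",
             50: "insufficientAccessRights", 53: "unwillingToPerform"}

OP_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>\S+)(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv(rest: str) -> Dict[str, str]:
    """key=value pairs; quoted values (DNs, filters) may contain spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(rest)}


def correlate(log_text: str) -> List[Dict[str, Any]]:
    """Join each request line with the RESULT line carrying the same conn/op."""
    pending: Dict[Tuple[str, str], Dict[str, Any]] = {}
    done: List[Dict[str, Any]] = []
    for line in log_text.splitlines():
        m = OP_RE.match(line)
        if not m:
            continue  # connection open/close lines carry no op= field
        key = (m["conn"], m["op"])
        if m["kind"] == "RESULT":
            rec = pending.pop(key, {"conn": m["conn"], "op": m["op"], "kind": "?"})
            rec["err"] = int(parse_kv(m["rest"]).get("err", "-1"))
            done.append(rec)
        else:
            pending[key] = {"conn": m["conn"], "op": m["op"], "kind": m["kind"],
                            "ts": m["ts"], **parse_kv(m["rest"])}
    return done


def failures(records: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Operations whose RESULT carried a non-zero LDAP result code."""
    return [r for r in records if r["err"] != 0]


def bind_summary(records: List[Dict[str, Any]]) -> List[Tuple[str, int]]:
    """(bind DN, result code) for every BIND, as an audit of who authenticated."""
    return [(r.get("dn", ""), r["err"]) for r in records if r["kind"] == "BIND"]


def report(log_text: str) -> List[str]:
    """One human-readable line per completed operation."""
    lines = []
    for r in correlate(log_text):
        target = r.get("dn") or r.get("base") or ""
        name = ERR_NAMES.get(r["err"], "unknown")
        lines.append(f'conn={r["conn"]} op={r["op"]} {r["kind"]} {target} err={r["err"]} ({name})')
    return lines


if __name__ == "__main__":
    for line in report(THREAD_SNIPPET + CONSTRUCTED_DENIAL):
        print(line)
    print("failures:", [(r["op"], r["err"]) for r in failures(correlate(THREAD_SNIPPET))])
```

Over the thread's own lines the failure list is empty, which is exactly the observation in the message: the denial is not being recorded by the directory server on conn=3, so the next place to look is whichever component is making the authorization decision. The constructed err=50 pair shows what would have appeared had the directory server itself refused the operation.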