Hey,
I've installed Fedora DS 1.1.3 on RHEL5 and configured two server instances using setup-ds-admin.pl. It seems to work fine, including single-master replication. I can manage both servers through the fedora-idm-console.
I'm left with some questions I couldn't find answers to in the documentation, however, and was hoping someone could help me clear up some of them.
1) The Red Hat documentation makes references to both an admin server and a configuration server. I can't seem to get a handle on what's what. Is it simply two terms for the same thing or does one refer to the web-interface while the other refers to the o=NetscapeRoot suffix on one of the ldap instances?
2) Slightly connected with 1). Is it advisable to create a completely separate ldap instance for the configuration server or does one generally just use the first instance created? For example in my test setup I created two instances. slapd-primary and slapd-secondary, where the configuration server for secondary was set to ldap://ldap.test.org:389/o=NetscapeRoot. I'm assuming pointers to all servers managed by this console etc. is stored here. Would it instead be advisable to have a completely separate instance for this, so that instead of slapd-primary and slapd-secondary, I'd have slapd-admin, slapd-primary and slapd-secondary? In production (and further along in my testing) they would all live on separate boxes obviously.
3) I'm assuming it's only possible to have one admin console/config server per machine. I.e. it is not possible to have four server instances on the same box but have the first two managed through one console and the remaining two through another (on the same machine)?
tamarin p wrote:
Hey,
I've installed Fedora DS 1.1.3 on RHEL5 and configured two server instances using setup-ds-admin.pl. It seems to work fine, including single-master replication. I can manage both servers through the fedora-idm-console.
I'm left with some questions I couldn't find answers to in the documentation, however, and was hoping someone could help me clear up some of them.
1) The Red Hat documentation makes references to both an admin server and a configuration server. I can't seem to get a handle on what's what. Is it simply two terms for the same thing or does one refer to the web-interface while the other refers to the o=NetscapeRoot suffix on one of the ldap instances?
The admin server is the httpd server + admin server module (apache httpd.worker + mod_admserv); its config is in /etc/dirsrv/admin-serv.
The configuration (directory) server is the directory server (ns-slapd) that hosts o=NetscapeRoot for your admin domain; its config is in /etc/dirsrv/slapd-yourinstancename.
2) Slightly connected with 1). Is it advisable to create a completely separate ldap instance for the configuration server or does one generally just use the first instance created? For example in my test setup I created two instances, slapd-primary and slapd-secondary, where the configuration server for secondary was set to ldap://ldap.test.org:389/o=NetscapeRoot. I'm assuming pointers to all servers managed by this console etc. are stored here. Would it instead be advisable to have a completely separate instance for this, so that instead of slapd-primary and slapd-secondary, I'd have slapd-admin, slapd-primary and slapd-secondary? In production (and further along in my testing) they would all live on separate boxes obviously.
If you have a very large deployment with hundreds of thousands of entries, thousands of client connections, and lots of updates and replication, you might want to have separate instances for ease of manageability. Otherwise, having them both on the same instance is fine.
3) I'm assuming it's only possible to have one admin console/config server per machine. I.e. it is not possible to have four server instances on the same box but have the first two managed through one console and the remaining two through another (on the same machine)?
There can be only 1 admin server per machine. The admin server on that machine manages all directory server instances on that machine. You can create directory server instances that cannot be managed in the console at all using setup-ds.pl. I don't know if that answers your question.
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
2009/3/11 Rich Megginson rmeggins@redhat.com
tamarin p wrote:
3) I'm assuming it's only possible to have one admin console/config server per machine. I.e. it is not possible to have four server instances on the same box but have the first two managed through one console and the remaining two through another (on the same machine)?
There can be only 1 admin server per machine. The admin server on that machine manages all directory server instances on that machine. You can create directory server instances that cannot be managed in the console at all using setup-ds.pl. I don't know if that answers your question.
Thanks for the explanation, Rich.
One additional question with regards to the above, though, if I may: Does this mean it's not intended/possible to register ldap instance(s) on machine A with the config-server on machine B? I assumed it was because answering "yes" on the register-with-existing-configserv step in setup-ds-admin.pl prompts you for a full ldap-URL. However, creating an instance with setup-ds.pl and then later running register-ds-admin.pl it only seems possible to register locally by folder/identifier, not ldap-URL.
tamarin p wrote:
2009/3/11 Rich Megginson <rmeggins@redhat.com>
tamarin p wrote:
3) I'm assuming it's only possible to have one admin console/config server per machine. I.e. it is not possible to have four server instances on the same box but have the first two managed through one console and the remaining two through another (on the same machine)?
There can be only 1 admin server per machine. The admin server on that machine manages all directory server instances on that machine. You can create directory server instances that cannot be managed in the console at all using setup-ds.pl. I don't know if that answers your question.
Thanks for the explanation, Rich.
One additional question with regards to the above, though, if I may: Does this mean it's not intended/possible to register ldap instance(s) on machine A with the config-server on machine B? I assumed it was because answering "yes" on the register-with-existing-configserv step in setup-ds-admin.pl prompts you for a full ldap-URL.
You usually have a single configuration directory server for a single admin domain, which may consist of many machines. So yes, that's what that dialog does - it registers your directory server with a (possibly) remote configuration directory server, used to store configuration for many machines.
However, creating an instance with setup-ds.pl and then later running register-ds-admin.pl it only seems possible to register locally by folder/identifier, not ldap-URL.
It should be possible both ways.
2009/3/12 Rich Megginson rmeggins@redhat.com
One additional question with regards to the above, though, if I may:
Does this mean it's not intended/possible to register ldap instance(s) on machine A with the config-server on machine B? I assumed it was because answering "yes" on the register-with-existing-configserv step in setup-ds-admin.pl prompts you for a full ldap-URL.
You usually have a single configuration directory server for a single admin domain, which may consist of many machines. So yes, that's what that dialog does - it registers your directory server with a (possibly) remote configuration directory server, used to store configuration for many machines.
However, creating an instance with setup-ds.pl and then later running register-ds-admin.pl it only seems possible to register locally by folder/identifier, not ldap-URL.
It should be possible both ways.
Following up on this, I think I discovered a small bug in the script: the first time you run setup-ds-admin.pl the adm.conf ldapurl property isn't updated correctly and the instance won't find the config directory for registration.
I have two machines: ldap1.test.com and ldap2.test.com. ldap1 has the instances slapd-config on port 4000 (holding NetscapeRoot) and slapd-test1 on port 4001. ldap2 only has slapd-test2 on port 4002 (different ports so I can use the same infs to create all instances on the same machine if I need to). I have been able to set this up successfully, and I can see them both under the same admin domain in the fedora-idm-console.
The problem surfaces when I create the slapd-test2 instance on ldap2 with setup-ds-admin.pl -s -f slapd-test2.inf for the first time only (ensured by running remove-ds-admin.pl -y first). The first time I create the server I get normal log output and the instance is started successfully, but it does not show up in the idm-console. Then I try to remove it with ds_removal and I get this:
Error:The server 'ldap://:4002/o=NetscapeRoot' is not reachable. Error: unknown error
Checking /etc/dirsrv/admin-serv/adm.conf, I notice that it has the wrong ldapurl: ldap://:4002/o=NetscapeRoot. Then I run setup-ds-admin.pl again exactly like before, and then it works. I can see the new instance in the idm-console and I can ds_removal it again without errors. /etc/dirsrv/admin-serv/adm.conf now holds the right ldapurl for the config directory: ldapurl: ldap://ldap1.test.com:4000/o=NetscapeRoot. The rest of the adm.conf is identical in both cases.
If I add the FullMachineName directive to the inf then this is added instead of the empty string, but according to the docs http://www.redhat.com/docs/manuals/dir-server/install/8.0/Installation_Guide... this should be the hostname of the machine you're installing ON. Additionally this still leaves me with the wrong port, i.e. ldap://ldap01.test.com:4002 (it uses the FullMachineName but the local port for the instance being created). But on the second run it is always corrected. So the workaround I have found is to just make sure adm.conf exists already. Then it always works, even when the file is blank.
tamarin p wrote:
2009/3/12 Rich Megginson <rmeggins@redhat.com>
One additional question with regards to the above, though, if I may: Does this mean it's not intended/possible to register ldap instance(s) on machine A with the config-server on machine B? I assumed it was because answering "yes" on the register-with-existing-configserv step in setup-ds-admin.pl prompts you for a full ldap-URL.
You usually have a single configuration directory server for a single admin domain, which may consist of many machines. So yes, that's what that dialog does - it registers your directory server with a (possibly) remote configuration directory server, used to store configuration for many machines.
However, creating an instance with setup-ds.pl and then later running register-ds-admin.pl it only seems possible to register locally by folder/identifier, not ldap-URL.
It should be possible both ways.
Following up on this, I think I discovered a small bug in the script: the first time you run setup-ds-admin.pl the adm.conf ldapurl property isn't updated correctly and the instance won't find the config directory for registration.
I have two machines: ldap1.test.com and ldap2.test.com. ldap1 has the instances slapd-config on port 4000 (holding NetscapeRoot) and slapd-test1 on port 4001. ldap2 only has slapd-test2 on port 4002 (different ports so I can use the same infs to create all instances on the same machine if I need to). I have been able to set this up successfully, and I can see them both under the same admin domain in the fedora-idm-console.
The problem surfaces when I create the slapd-test2 instance on ldap2 with setup-ds-admin.pl -s -f slapd-test2.inf for the first time only (ensured by running remove-ds-admin.pl -y first). The first time I create the server I get normal log output and the instance is started successfully, but it does not show up in the idm-console. Then I try to remove it with ds_removal and I get this:
Error:The server 'ldap://:4002/o=NetscapeRoot' is not reachable. Error: unknown error
Can you post your slapd-test2.inf? Be sure to obscure any sensitive info first.
Checking /etc/dirsrv/admin-serv/adm.conf, I notice that it has the wrong ldapurl: ldap://:4002/o=NetscapeRoot. Then I run setup-ds-admin.pl again exactly like before, and then it works. I can see the new instance in the idm-console and I can ds_removal it again without errors. /etc/dirsrv/admin-serv/adm.conf now holds the right ldapurl for the config directory: ldapurl: ldap://ldap1.test.com:4000/o=NetscapeRoot. The rest of the adm.conf is identical in both cases.
If I add the FullMachineName directive to the inf then this is added instead of the empty string, but according to the docs http://www.redhat.com/docs/manuals/dir-server/install/8.0/Installation_Guide... this should be the hostname of the machine you're installing ON. Additionally this still leaves me with the wrong port, i.e. ldap://ldap01.test.com:4002 (it uses the FullMachineName but the local port for the instance being created). But on the second run it is always corrected. So the workaround I have found is to just make sure adm.conf exists already. Then it always works, even when the file is blank.
Ok. Looks like the auto hostname thing is not working. We use perl Net::Domain hostfqdn if FullMachineName is absent - it uses some complicated formula involving sys::hostname, /etc/resolv.conf, etc. I'm not sure why it would fail completely though.
2009/4/24 Rich Megginson rmeggins@redhat.com
tamarin p wrote: Can you post your slapd-test2.inf? Be sure to obscure any sensitive info first.
Here it is. It is mostly a copy of the example 6.2 in the installation doc for silent installs.
# slapd-test2.inf for installation on ldap2.test.com
# config directory on ldap1.test.com
[General]
AdminDomain = test.com
SuiteSpotGroup = nobody
ConfigDirectoryLdapURL = ldap://ldap1.test.com:4000/o=NetscapeRoot
ConfigDirectoryAdminID = admin
ConfigDirectoryAdminPwd = pwd
SuiteSpotUserID = nobody

[slapd]
InstallLdifFile = suggest
ServerIdentifier = test2
ServerPort = 4002
AddOrgEntries = No
RootDN = cn=Directory Manager
RootDNPwd = pwd
Suffix = dc=test,dc=com
UseExistingMC = Yes
UseExistingUG = No
AddSampleEntries = No

[admin]
ServerAdminID = admin
ServerAdminPwd = pwd
ServerIpAddress = 0.0.0.0
Port = 9830
If I add the FullMachineName directive to the inf then this is added instead of the empty string, but according to the docs http://www.redhat.com/docs/manuals/dir-server/install/8.0/Installation_Guide... this should be the hostname of the machine you're installing ON. Additionally this still leaves me with the wrong port, i.e. ldap://ldap01.test.com:4002 (it uses the FullMachineName but the local port for the instance being created). But on the second run it is always corrected. So the workaround I have found is to just make sure adm.conf exists already. Then it always works, even when the file is blank.
Ok. Looks like the auto hostname thing is not working. We use perl Net::Domain hostfqdn if FullMachineName is absent - it uses some complicated formula involving sys::hostname, /etc/resolv.conf, etc. I'm not sure why it would fail completely though.
Could be I'm missing some lib, but on the other hand, it looks as if the ldapurl in adm.conf must point to the config directory, so it wouldn't do any good if it did correctly set the hostname of the machine you install on (ldap2.test.com in my case), since the configdir is on another machine. The correct ldap url for the config directory is always going to be ldap://ldap1.test.com:4000, and it looks like the script should always just use the host:port from ConfigDirectoryLdapURL for ldapurl in adm.conf. Also, regardless of whether FullMachineName is set or not, when adm.conf already exists on running setup-ds-admin, the property is always set correctly to ldap://ldap1.test.com:4000 and the registration/unregistration works afterwards.
tamarin p wrote:
2009/4/24 Rich Megginson <rmeggins@redhat.com>
tamarin p wrote: Can you post your slapd-test2.inf? Be sure to obscure any sensitive info first.
Here it is. It is mostly a copy of the example 6.2 in the installation doc for silent installs.
# slapd-test2.inf for installation on ldap2.test.com
# config directory on ldap1.test.com
[General]
AdminDomain = test.com
SuiteSpotGroup = nobody
ConfigDirectoryLdapURL = ldap://ldap1.test.com:4000/o=NetscapeRoot
ConfigDirectoryAdminID = admin
ConfigDirectoryAdminPwd = pwd
SuiteSpotUserID = nobody

[slapd]
InstallLdifFile = suggest
ServerIdentifier = test2
ServerPort = 4002
AddOrgEntries = No
RootDN = cn=Directory Manager
RootDNPwd = pwd
Suffix = dc=test,dc=com
UseExistingMC = Yes
UseExistingUG = No
AddSampleEntries = No

[admin]
ServerAdminID = admin
ServerAdminPwd = pwd
ServerIpAddress = 0.0.0.0
Port = 9830
If I add the FullMachineName directive to the inf then this is added instead of the empty string, but according to the docs http://www.redhat.com/docs/manuals/dir-server/install/8.0/Installation_Guide-Advanced_Configuration-Silent.html this should be the hostname of the machine you're installing ON. Additionally this still leaves me with the wrong port, i.e. ldap://ldap01.test.com:4002 (it uses the FullMachineName but the local port for the instance being created). But on the second run it is always corrected. So the workaround I have found is to just make sure adm.conf exists already. Then it always works, even when the file is blank.
Ok. Looks like the auto hostname thing is not working. We use perl Net::Domain hostfqdn if FullMachineName is absent - it uses some complicated formula involving sys::hostname, /etc/resolv.conf, etc. I'm not sure why it would fail completely though.
Could be I'm missing some lib, but on the other hand, it looks as if the ldapurl in adm.conf must point to the config directory, so it wouldn't do any good if it did correctly set the hostname of the machine you install on (ldap2.test.com in my case), since the configdir is on another machine. The correct ldap url for the config directory is always going to be ldap://ldap1.test.com:4000, and it looks like the script should always just use the host:port from ConfigDirectoryLdapURL for ldapurl in adm.conf. Also, regardless of whether FullMachineName is set or not, when adm.conf already exists on running setup-ds-admin, the property is always set correctly to ldap://ldap1.test.com:4000 and the registration/unregistration works afterwards.
So the problem is that it does not correctly parse the host:port from the ConfigDirectoryLdapURL?
2009/4/24 Rich Megginson rmeggins@redhat.com
tamarin p wrote:
Could be I'm missing some lib, but on the other hand, it looks as if the ldapurl in adm.conf must point to the config directory, so it wouldn't do any good if it did correctly set the hostname of the machine you install on (ldap2.test.com in my case), since the configdir is on another machine. The correct ldap url for the config directory is always going to be ldap://ldap1.test.com:4000, and it looks like the script should always just use the host:port from ConfigDirectoryLdapURL for ldapurl in adm.conf. Also, regardless of whether FullMachineName is set or not, when adm.conf already exists on running setup-ds-admin, the property is always set correctly to ldap://ldap1.test.com:4000 and the registration/unregistration works afterwards.
So the problem is that it does not correctly parse the host:port from the ConfigDirectoryLdapURL?
Not really. There seem to be two things to what the script ends up doing.
1. If /etc/dirsrv/admin-serv/adm.conf exists, it applies the value in ConfigDirectoryLdapURL correctly and everything works.
2. If /etc/dirsrv/admin-serv/adm.conf does NOT exist, it tries to use (based on observation) ldap://<FullMachineName>:<ServerPort> (no error to see from the script output, though I haven't tried with --debug).
It seems to me option 1 is what it should always do, even when the file doesn't exist. Option 2 is not likely to be correct for any multihomed install. In my case, without FullMachineName, the result is ldap://:4002. No hostname and the wrong port. This is the port of the instance I'm creating with the inf, not the config dir. If I set FullMachineName to point to the host with the config directory (assuming this doesn't have other side effects elsewhere; the docs do say it should be the full hostname for the machine you're installing on after all) I would get ldap://ldap1.test.com:4002, which is still the wrong port as my actual ConfigDirectoryLdapURL is ldap://ldap1.test.com:4000/ (plus o=NetscapeRoot).
Note that I don't actually know what ldapurl in adm.conf is used for. I'm just guessing based on observation, but it seems to be used by register-ds-admin and ds_removal among others, since ds_removal seems to try that URL when unregistering (see the error message from a previous post in this thread).
tamarin p wrote:
2009/4/24 Rich Megginson <rmeggins@redhat.com>
tamarin p wrote:
Could be I'm missing some lib, but on the other hand, it looks as if the ldapurl in adm.conf must point to the config directory, so it wouldn't do any good if it did correctly set the hostname of the machine you install on (ldap2.test.com in my case), since the configdir is on another machine. The correct ldap url for the config directory is always going to be ldap://ldap1.test.com:4000, and it looks like the script should always just use the host:port from ConfigDirectoryLdapURL for ldapurl in adm.conf. Also, regardless of whether FullMachineName is set or not, when adm.conf already exists on running setup-ds-admin, the property is always set correctly to ldap://ldap1.test.com:4000 and the registration/unregistration works afterwards.
So the problem is that it does not correctly parse the host:port from the ConfigDirectoryLdapURL?
Not really. There seem to be two things to what the script ends up doing.
1. If /etc/dirsrv/admin-serv/adm.conf exists, it applies the value in ConfigDirectoryLdapURL correctly and everything works.
If adm.conf exists, and did not have a correct ldapurl, then something went wrong with the original/initial setup.
2. If /etc/dirsrv/admin-serv/adm.conf does NOT exist, it tries to use (based on observation) ldap://<FullMachineName>:<ServerPort> (no error to see from the script output, though I haven't tried with --debug).
Right - see below
It seems to me option 1 is what it should always do, even when the file doesn't exist. Option 2 is not likely to be correct for any multihomed install. In my case, without FullMachineName, the result is ldap://:4002. No hostname and the wrong port. This is the port of the instance I'm creating with the inf, not the config dir. If I set FullMachineName to point to the host with the config directory (assuming this doesn't have other side effects elsewhere; the docs do say it should be the full hostname for the machine you're installing on after all) I would get ldap://ldap1.test.com:4002, which is still the wrong port as my actual ConfigDirectoryLdapURL is ldap://ldap1.test.com:4000/ (plus o=NetscapeRoot).
The way it should work is that if you are registering a non-config DS with the config DS, you should provide ConfigDirectoryLdapURL. If you do not, the script tries to use the one from adm.conf. If that is not available, the script assumes that you have not yet set up a Config DS and admin server, and therefore assumes you are going to be creating the Config DS, so it tries to construct a URL based on the FullMachineName and ServerPort.
So it looks as though something somehow went wrong with the original/initial setup, and it wrote a bogus ldapurl without the hostname in adm.conf.
Note that I don't actually know what ldapurl in adm.conf is used for. I'm just guessing based on observation, but it seems to be used by register-ds-admin and ds_removal among others, since ds_removal seems to try that URL when unregistering (see the error message from a previous post in this thread).
It's used by the admin server to find the configuration DS (where it stores its config information and information needed by the console). If ldapurl is not correct, then admin server and console operations will likely fail. It's also used by the scripts to find default config DS information (as you have surmised).
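As an added illustration (this is not the setup-ds-admin.pl code, which is Perl, nor anything from the 389/Fedora DS project), the Python script below models the ldapurl precedence Rich describes (ConfigDirectoryLdapURL from the .inf, then ldapurl from an existing adm.conf, otherwise a URL built from FullMachineName and ServerPort) and then checks the resulting URL the way an administrator could check /etc/dirsrv/admin-serv/adm.conf before running register-ds-admin.pl or ds_removal. The .inf and adm.conf contents are constructed from what is quoted in this thread with the passwords replaced; the fqdn parameter stands in for whatever Net::Domain::hostfqdn returns, and the function names are my own.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample based on the slapd-test2.inf posted in the thread;
# passwords replaced with placeholders and the [admin] section omitted.
SAMPLE_INF = """\
# slapd-test2.inf for installation on ldap2.test.com
# config directory on ldap1.test.com
[General]
AdminDomain = test.com
SuiteSpotGroup = nobody
ConfigDirectoryLdapURL = ldap://ldap1.test.com:4000/o=NetscapeRoot
ConfigDirectoryAdminID = admin
ConfigDirectoryAdminPwd = PLACEHOLDER
SuiteSpotUserID = nobody

[slapd]
ServerIdentifier = test2
ServerPort = 4002
RootDN = cn=Directory Manager
RootDNPwd = PLACEHOLDER
Suffix = dc=test,dc=com
UseExistingMC = Yes
"""

# Constructed adm.conf fragment in the "key: value" form quoted in the thread.
SAMPLE_ADM_CONF = "ldapurl: ldap://ldap1.test.com:4000/o=NetscapeRoot\n"


def parse_inf(text):
    """Parse a silent-install .inf (INI syntax), keeping key case as written."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def parse_adm_conf(text):
    """adm.conf holds one 'key: value' pair per line."""
    conf = {}
    for line in text.splitlines():
        if ":" in line and not line.lstrip().startswith("#"):
            key, value = line.split(":", 1)
            conf[key.strip()] = value.strip()
    return conf


def resolve_config_ds_url(inf, adm_conf, fqdn):
    """Return (url, source) following the precedence described in the thread.
    The constructed fallback only makes sense when this instance *is* the
    config DS; pass fqdn="" to model hostfqdn returning nothing."""
    general = inf["General"] if inf.has_section("General") else {}
    slapd = inf["slapd"] if inf.has_section("slapd") else {}
    url = general.get("ConfigDirectoryLdapURL", "").strip()
    if url:
        return url, "inf:ConfigDirectoryLdapURL"
    url = adm_conf.get("ldapurl", "").strip()
    if url:
        return url, "adm.conf:ldapurl"
    host = general.get("FullMachineName", "").strip() or fqdn
    port = slapd.get("ServerPort", "389").strip()
    return f"ldap://{host}:{port}/o=NetscapeRoot", "constructed"


def check_ldapurl(url, expected=None):
    """Return a list of problems with a config-DS URL (empty list means OK).
    With `expected` (the URL from the .inf) also require host and port to
    match, which catches the wrong-port case from the thread."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        problems.append(f"unexpected scheme {parts.scheme!r}")
    if not parts.hostname:          # ldap://:4002/... has no host
        problems.append("empty host")
    try:
        port = parts.port
    except ValueError:
        port = None
    if port is None:
        problems.append("missing or invalid port")
    if parts.path.lstrip("/") != "o=NetscapeRoot":
        problems.append(f"unexpected base {parts.path!r}")
    if expected is not None:
        exp = urlsplit(expected)
        if (parts.hostname, port) != (exp.hostname, exp.port):
            problems.append(f"host:port {parts.hostname}:{port} differs "
                            f"from {exp.hostname}:{exp.port}")
    return problems


if __name__ == "__main__":
    inf = parse_inf(SAMPLE_INF)
    adm = parse_adm_conf(SAMPLE_ADM_CONF)
    url, src = resolve_config_ds_url(inf, adm, fqdn="ldap2.test.com")
    print(src, url, check_ldapurl(url) or "OK")
    # Model the bug report: no URL in the inf, no adm.conf, empty hostname.
    inf.remove_option("General", "ConfigDirectoryLdapURL")
    url, src = resolve_config_ds_url(inf, {}, fqdn="")
    print(src, url, check_ldapurl(url, "ldap://ldap1.test.com:4000/o=NetscapeRoot"))
```

Run against a real adm.conf, the check flags the two symptoms from the thread (empty host, port of the local instance rather than the config DS) before ds_removal fails with "is not reachable".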