Harry,
Perhaps this document might be of help?
http://directory.fedoraproject.org/wiki/Howto:MultiMasterReplication
Thanks, - Todd
On 1/11/11 1:53 PM, "harry.devine@faa.gov" harry.devine@faa.gov wrote:
> OK, so we are testing 389-ds in our environment (version 1.2.7.5). We have 1 machine set up with user accounts, and we just set another one up. The new one doesn't have any accounts or anything on it yet. We would like to get replication going between the 2 DS's, but can't find any current documentation on how to do it. When we set up the 2nd machine, we set it up as if it were its own DS (i.e. not tied into the existing one). Not sure if that is relevant, but I thought I'd mention it for full disclosure.
> We'd like to have this be a 2-way multi-master replication, so if our main DS server ever went down, the 2nd one could pick up and service login requests. Is there any current documentation that explains this anywhere? Is multi-master the correct method to use for this type of setup?
> Thanks, Harry
> Harry Devine Common ARTS Software Development AJT-144 (609)485-4218 Harry.Devine@faa.gov
On Tue, 11 Jan 2011, harry.devine@faa.gov wrote:
> OK, so we are testing 389-ds in our environment (version 1.2.7.5). We have 1 machine set up with user accounts, and we just set another one up. The new one doesn't have any accounts or anything on it yet. We would like to get replication going between the 2 DS's, but can't find any current documentation on how to do it. When we set up the 2nd machine, we set it up as if it were its own DS (i.e. not tied into the existing one). Not sure if that is relevant, but I thought I'd mention it for full disclosure.
> We'd like to have this be a 2-way multi-master replication, so if our main DS server ever went down, the 2nd one could pick up and service login requests. Is there any current documentation that explains this anywhere? Is multi-master the correct method to use for this type of setup?
The 389 wiki has a *ton* of documentation on replication (and just about everything else). A good start for you might be here:
http://directory.fedoraproject.org/wiki/Howto:MultiMasterReplication
It's not clear from your description exactly what your requirements are, but if you want to be able to write to either server at any time, multi-master is the way to go. If you just need a readable fallback server, it may not be.
On 01/11/2011 12:53 PM, harry.devine@faa.gov wrote:
> OK, so we are testing 389-ds in our environment (version 1.2.7.5). We have 1 machine set up with user accounts, and we just set another one up. The new one doesn't have any accounts or anything on it yet. We would like to get replication going between the 2 DS's, but can't find any current documentation on how to do it. When we set up the 2nd machine, we set it up as if it were its own DS (i.e. not tied into the existing one). Not sure if that is relevant, but I thought I'd mention it for full disclosure.
Should not be a problem.
> We'd like to have this be a 2-way multi-master replication, so if our main DS server ever went down, the 2nd one could pick up and service login requests. Is there any current documentation that explains this anywhere?
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/A...
> Is multi-master the correct method to use for this type of setup?
Yes.
> Thanks, Harry
> Harry Devine Common ARTS Software Development AJT-144 (609)485-4218 Harry.Devine@faa.gov
> -- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
On 01/11/2011 01:40 PM, harry.devine@faa.gov wrote:
> We just ran the mmr.pl script from server 1, and the data got replicated across to server 2. If we create a new user on server 2, it does not get replicated to server 1. It appears to be a 1 way replication.
mmr.pl has bit rotted - no one maintains it any more - you're on your own if you decide to use it - patches/maintainer welcome
> Any thoughts? Harry
> Harry Devine Common ARTS Software Development AJT-144 (609)485-4218 Harry.Devine@faa.gov
> -----Rich Megginson rmeggins@redhat.com wrote: -----
> To: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org>
> From: Rich Megginson <rmeggins@redhat.com>
> Date: 01/11/2011 03:09PM
> cc: Harry Devine/ACT/FAA@FAA, Ted Rush/ACT/FAA@FAA
> Subject: Re: [389-users] Replication
> On 01/11/2011 12:53 PM, harry.devine@faa.gov wrote:
>> OK, so we are testing 389-ds in our environment (version 1.2.7.5). We have 1 machine set up with user accounts, and we just set another one up. The new one doesn't have any accounts or anything on it yet. We would like to get replication going between the 2 DS's, but can't find any current documentation on how to do it. When we set up the 2nd machine, we set it up as if it were its own DS (i.e. not tied into the existing one). Not sure if that is relevant, but I thought I'd mention it for full disclosure.
> Should not be a problem.
>> We'd like to have this be a 2-way multi-master replication, so if our main DS server ever went down, the 2nd one could pick up and service login requests. Is there any current documentation that explains this anywhere?
> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Managing_Replication
>> Is multi-master the correct method to use for this type of setup?
> Yes.
>> Thanks, Harry
>> Harry Devine Common ARTS Software Development AJT-144 (609)485-4218 Harry.Devine@faa.gov
On Jan 11, 2011, at 3:50 PM, Rich Megginson wrote:
> On 01/11/2011 01:40 PM, harry.devine@faa.gov wrote:
>> We just ran the mmr.pl script from server 1, and the data got replicated across to server 2. If we create a new user on server 2, it does not get replicated to server 1. It appears to be a 1 way replication.
> mmr.pl has bit rotted - no one maintains it any more - you're on your own if you decide to use it - patches/maintainer welcome
I've successfully used mmr.pl (last time with 389 1.2.6.1). I would try restarting your two 389 instances, and if that doesn't magically fix it, use the mmr.pl script to --remove the existing replication agreement and then add it back while keeping an eye on the 389 logs for errors. I've had rare cases where I've had to run mmr.pl twice to get it to take.
The --with-ssl option was broken in the last version I used (but that's clearly not the cause of Harry's issue). For working patched version, should you want SSL replication, see http://crashingdaily.wordpress.com/2010/11/13/fixing-the-mmr-pl-script-for-s...
>> Any thoughts? Harry
>> Harry Devine Common ARTS Software Development AJT-144 (609)485-4218 Harry.Devine@faa.gov
>> -----Rich Megginson rmeggins@redhat.com wrote: -----
>> To: "General discussion list for the 389 Directory server project." 389-users@lists.fedoraproject.org
>> From: Rich Megginson rmeggins@redhat.com
>> Date: 01/11/2011 03:09PM
>> cc: Harry Devine/ACT/FAA@FAA, Ted Rush/ACT/FAA@FAA
>> Subject: Re: [389-users] Replication
>> On 01/11/2011 12:53 PM, harry.devine@faa.gov wrote:
>>> OK, so we are testing 389-ds in our environment (version 1.2.7.5). We have 1 machine set up with user accounts, and we just set another one up. The new one doesn't have any accounts or anything on it yet. We would like to get replication going between the 2 DS's, but can't find any current documentation on how to do it. When we set up the 2nd machine, we set it up as if it were its own DS (i.e. not tied into the existing one). Not sure if that is relevant, but I thought I'd mention it for full disclosure.
>> Should not be a problem.
>>> We'd like to have this be a 2-way multi-master replication, so if our main DS server ever went down, the 2nd one could pick up and service login requests. Is there any current documentation that explains this anywhere?
>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/A...
>>> Is multi-master the correct method to use for this type of setup?
>> Yes.
>>> Thanks, Harry
>>> Harry Devine Common ARTS Software Development AJT-144 (609)485-4218 Harry.Devine@faa.gov
Odd, I got MMR working with SSL...and I only referenced that documentation (well, and assistance from this list and the IRC room...). It was 1.2.6, but surely that didn't really change things?
Sounds like everyone is agreeing (even if indirectly) that the documentation is outdated though - is it due to work focusing on FreeIPA? Some say good software with bad documentation is worse than bad software with good documentation...I'm a hands-on guy so I would disagree, but I do see the point nonetheless.
I did make a few howtos for internal use, covering everything from setting up the first server, getting SSL working, getting replication working, then getting OSX and Linux hosts pulling from the mess. They were docs meant for me to read (complete with the shorthand and shortcuts that I understand) but if you have problems then let me know and I'll see what I can clean up. As it so happens, I'm setting up an all new MMR 389 pair in the next few days (our company is somewhat splitting, and I don't want to have it be different trees on the same directory)...so I'll know pretty quick if something has changed the last half-year. Hell, if you were maybe going to be working on it in the next few days anyway, we can sort of step through it together online - just let me know.
Brian
On Tue, Jan 11, 2011 at 1:14 PM, crashingdaily crashingdaily@gmail.com wrote:
> On Jan 11, 2011, at 3:50 PM, Rich Megginson wrote:
>> On 01/11/2011 01:40 PM, harry.devine@faa.gov wrote:
>>> We just ran the mmr.pl script from server 1, and the data got replicated across to server 2. If we create a new user on server 2, it does not get replicated to server 1. It appears to be a 1 way replication.
>> mmr.pl has bit rotted - no one maintains it any more - you're on your own if you decide to use it - patches/maintainer welcome
> I've successfully used mmr.pl (last time with 389 1.2.6.1). I would try restarting your two 389 instances, and if that doesn't magically fix it, use the mmr.pl script to --remove the existing replication agreement and then add it back while keeping an eye on the 389 logs for errors. I've had rare cases where I've had to run mmr.pl twice to get it to take.
> The --with-ssl option was broken in the last version I used (but that's clearly not the cause of Harry's issue). For working patched version, should you want SSL replication, see
> http://crashingdaily.wordpress.com/2010/11/13/fixing-the-mmr-pl-script-for-s...
>>> Any thoughts? Harry
>>> Harry Devine Common ARTS Software Development AJT-144 (609)485-4218 Harry.Devine@faa.gov
>>> -----Rich Megginson rmeggins@redhat.com wrote: -----
>>> To: "General discussion list for the 389 Directory server project." 389-users@lists.fedoraproject.org
>>> From: Rich Megginson rmeggins@redhat.com
>>> Date: 01/11/2011 03:09PM
>>> cc: Harry Devine/ACT/FAA@FAA, Ted Rush/ACT/FAA@FAA
>>> Subject: Re: [389-users] Replication
>>> On 01/11/2011 12:53 PM, harry.devine@faa.gov wrote:
>>>> OK, so we are testing 389-ds in our environment (version 1.2.7.5). We have 1 machine set up with user accounts, and we just set another one up. The new one doesn't have any accounts or anything on it yet. We would like to get replication going between the 2 DS's, but can't find any current documentation on how to do it. When we set up the 2nd machine, we set it up as if it were its own DS (i.e. not tied into the existing one). Not sure if that is relevant, but I thought I'd mention it for full disclosure.
>>> Should not be a problem.
>>>> We'd like to have this be a 2-way multi-master replication, so if our main DS server ever went down, the 2nd one could pick up and service login requests. Is there any current documentation that explains this anywhere?
>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/A...
>>>> Is multi-master the correct method to use for this type of setup?
>>> Yes.
>>>> Thanks, Harry
>>>> Harry Devine Common ARTS Software Development AJT-144 (609)485-4218 Harry.Devine@faa.gov
On 01/14/2011 10:32 AM, Brian LaMere wrote:
> Odd, I got MMR working with SSL...and I only referenced that documentation
which documentation?
> (well, and assistance from this list and the IRC room...). It was 1.2.6, but surely that didn't really change things?
It hasn't changed between 1.2.6 and 1.2.7
> Sounds like everyone is agreeing (even if indirectly) that the documentation is outdated though
Which documentation?
> - is it due to work focusing on FreeIPA? Some say good software with bad documentation is worse than bad software with good documentation...I'm a hands-on guy so I would disagree, but I do see the point nonetheless.
> I did make a few howtos for internal use, covering everything from setting up the first server, getting SSL working, getting replication working, then getting OSX and Linux hosts pulling from the mess. They were docs meant for me to read (complete with the shorthand and shortcuts that I understand) but if you have problems then let me know and I'll see what I can clean up. As it so happens, I'm setting up an all new MMR 389 pair in the next few days (our company is somewhat splitting, and I don't want to have it be different trees on the same directory)...so I'll know pretty quick if something has changed the last half-year. Hell, if you were maybe going to be working on it in the next few days anyway, we can sort of step through it together online - just let me know.
I have mmr.pl in my private github repo - if anyone wants to send me patches, I will push them.
> Brian
> On Tue, Jan 11, 2011 at 1:14 PM, crashingdaily <crashingdaily@gmail.com> wrote:
>> On Jan 11, 2011, at 3:50 PM, Rich Megginson wrote:
>>> On 01/11/2011 01:40 PM, harry.devine@faa.gov wrote:
>>>> We just ran the mmr.pl script from server 1, and the data got replicated across to server 2. If we create a new user on server 2, it does not get replicated to server 1. It appears to be a 1 way replication.
>>> mmr.pl has bit rotted - no one maintains it any more - you're on your own if you decide to use it - patches/maintainer welcome
>> I've successfully used mmr.pl (last time with 389 1.2.6.1). I would try restarting your two 389 instances, and if that doesn't magically fix it, use the mmr.pl script to --remove the existing replication agreement and then add it back while keeping an eye on the 389 logs for errors. I've had rare cases where I've had to run mmr.pl twice to get it to take.
>> The --with-ssl option was broken in the last version I used (but that's clearly not the cause of Harry's issue). For working patched version, should you want SSL replication, see http://crashingdaily.wordpress.com/2010/11/13/fixing-the-mmr-pl-script-for-ssl/
>>>> Any thoughts?
>>>> Harry
>>>> Harry Devine
>>>> Common ARTS Software Development
>>>> AJT-144
>>>> (609)485-4218
>>>> Harry.Devine@faa.gov
>>>> -----Rich Megginson <rmeggins@redhat.com> wrote: -----
>>>> To: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org>
>>>> From: Rich Megginson <rmeggins@redhat.com>
>>>> Date: 01/11/2011 03:09PM
>>>> cc: Harry Devine/ACT/FAA@FAA, Ted Rush/ACT/FAA@FAA
>>>> Subject: Re: [389-users] Replication
>>>> On 01/11/2011 12:53 PM, harry.devine@faa.gov wrote:
>>>>> OK, so we are testing 389-ds in our environment (version 1.2.7.5). We have 1 machine set up with user accounts, and we just set another one up. The new one doesn't have any accounts or anything on it yet. We would like to get replication going between the 2 DS's, but can't find any current documentation on how to do it. When we set up the 2nd machine, we set it up as if it were its own DS (i.e. not tied into the existing one). Not sure if that is relevant, but I thought I'd mention it for full disclosure.
>>>> Should not be a problem.
>>>>> We'd like to have this be a 2-way multi-master replication, so if our main DS server ever went down, the 2nd one could pick up and service login requests. Is there any current documentation that explains this anywhere?
>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Managing_Replication
>>>>> Is multi-master the correct method to use for this type of setup?
>>>> Yes.
>>>>> Thanks,
>>>>> Harry
>>>>> Harry Devine
>>>>> Common ARTS Software Development
>>>>> AJT-144
>>>>> (609)485-4218
>>>>> Harry.Devine@faa.gov
On Fri, Jan 14, 2011 at 9:42 AM, Rich Megginson rmeggins@redhat.com wrote:
> On 01/14/2011 10:32 AM, Brian LaMere wrote:
>> Odd, I got MMR working with SSL...and I only referenced that documentation
> which documentation?
the documentation that references things which are no longer true, and points at a script that people seem to agree doesn't always work very well?
That said, I also noted that I used that very documentation and script successfully, so obviously it's not too far off ;) I'll see if the steps I followed last time still work now - which you're saying they should. If they do, maybe I'll just clean them up regardless whether Harry wants them, and make a few suggestions for minor changes in the documentation. Even just basic things like http://directory.fedoraproject.org/wiki/Howto:MultiMasterReplication referencing /opt/fedora-ds - while that is obviously not terribly difficult to figure out where the right place is, what it does is make the documentation seem questionable as to its relevance to the current version. That second part is the key - the fact that it doesn't seem relevant. People don't like using documentation that doesn't seem current, even if it can still be followed.
Brian
On 01/14/2011 10:57 AM, Brian LaMere wrote:
> On Fri, Jan 14, 2011 at 9:42 AM, Rich Megginson <rmeggins@redhat.com> wrote:
>> On 01/14/2011 10:32 AM, Brian LaMere wrote:
>>> Odd, I got MMR working with SSL...and I only referenced that documentation
>> which documentation?
> the documentation that references things which are no longer true, and points at a script that people seem to agree doesn't always work very well?
Ok - the wiki page - it wasn't clear to me that that was the document being referred to, or if the docs.redhat.com pages were being referred to.
> That said, I also noted that I used that very documentation and script successfully, so obviously it's not too far off ;) I'll see if the steps I followed last time still work now - which you're saying they should. If they do, maybe I'll just clean them up regardless whether Harry wants them, and make a few suggestions for minor changes in the documentation. Even just basic things like http://directory.fedoraproject.org/wiki/Howto:MultiMasterReplication referencing /opt/fedora-ds - while that is obviously not terribly difficult to figure out where the right place is, what it does is make the documentation seem questionable as to its relevance to the current version. That second part is the key - the fact that it doesn't seem relevant. People don't like using documentation that doesn't seem current, even if it can still be followed.
Sure, I understand.
> Brian
On Jan 14, 2011, at 12:42 PM, Rich Megginson wrote:
> On 01/14/2011 10:32 AM, Brian LaMere wrote:
>> Odd, I got MMR working with SSL...and I only referenced that documentation
> which documentation?
>> (well, and assistance from this list and the IRC room...). It was 1.2.6, but surely that didn't really change things?
> It hasn't changed between 1.2.6 and 1.2.7
>> Sounds like everyone is agreeing (even if indirectly) that the documentation is outdated though
> Which documentation?
>> - is it due to work focusing on FreeIPA? Some say good software with bad documentation is worse than bad software with good documentation...I'm a hands-on guy so I would disagree, but I do see the point nonetheless.
>> I did make a few howtos for internal use, covering everything from setting up the first server, getting SSL working, getting replication working, then getting OSX and Linux hosts pulling from the mess. They were docs meant for me to read (complete with the shorthand and shortcuts that I understand) but if you have problems then let me know and I'll see what I can clean up. As it so happens, I'm setting up an all new MMR 389 pair in the next few days (our company is somewhat splitting, and I don't want to have it be different trees on the same directory)...so I'll know pretty quick if something has changed the last half-year. Hell, if you were maybe going to be working on it in the next few days anyway, we can sort of step through it together online - just let me know.
> I have mmr.pl in my private github repo - if anyone wants to send me patches, I will push them.
mmr.pl patch for --with-ssl is attached (maybe).
On 01/14/2011 01:42 PM, crashingdaily wrote:
> On Jan 14, 2011, at 12:42 PM, Rich Megginson wrote:
>> On 01/14/2011 10:32 AM, Brian LaMere wrote:
>>> Odd, I got MMR working with SSL...and I only referenced that documentation
>> which documentation?
>>> (well, and assistance from this list and the IRC room...). It was 1.2.6, but surely that didn't really change things?
>> It hasn't changed between 1.2.6 and 1.2.7
>>> Sounds like everyone is agreeing (even if indirectly) that the documentation is outdated though
>> Which documentation?
>>> - is it due to work focusing on FreeIPA? Some say good software with bad documentation is worse than bad software with good documentation...I'm a hands-on guy so I would disagree, but I do see the point nonetheless.
>>> I did make a few howtos for internal use, covering everything from setting up the first server, getting SSL working, getting replication working, then getting OSX and Linux hosts pulling from the mess. They were docs meant for me to read (complete with the shorthand and shortcuts that I understand) but if you have problems then let me know and I'll see what I can clean up. As it so happens, I'm setting up an all new MMR 389 pair in the next few days (our company is somewhat splitting, and I don't want to have it be different trees on the same directory)...so I'll know pretty quick if something has changed the last half-year. Hell, if you were maybe going to be working on it in the next few days anyway, we can sort of step through it together online - just let me know.
>> I have mmr.pl in my private github repo - if anyone wants to send me patches, I will push them.
> mmr.pl patch for --with-ssl is attached (maybe).
Thanks! Pushed to https://github.com/richm/scripts
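Added example, not written by any poster in this thread and not part of mmr.pl: a Python check for the two things the thread turns on, whether each server holds a replication agreement pointing at the other, and whether that agreement uses SSL. It assumes the agreement entries were dumped from `cn=config` on each server as LDIF; the host names and the LDIF below are constructed, and a missing agreement on server 2 is only one possible cause of the one-way symptom Harry reported.

```python
import re
from collections import namedtuple
from itertools import permutations

# Constructed sample: LDIF from searching cn=config on server 1 for
# (objectClass=nsds5replicationagreement). Host names are made up.
SERVER1_LDIF = '''\
dn: cn=to-ds2,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
nsDS5ReplicaHost: ds2.example.com
nsDS5ReplicaPort: 389
nsDS5ReplicaTransportInfo: LDAP
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental
  update succeeded
'''
# Constructed sample: the same search on server 2 returns no agreements.
SERVER2_LDIF = ""

Agreement = namedtuple("Agreement", "host port transport status_code")


def parse_ldif(text):
    """Parse LDIF text into a list of {lowercased attribute: [values]}."""
    text = re.sub(r"\n ", "", text)       # unfold wrapped lines
    entries, entry = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():              # a blank line ends an entry
            if entry:
                entries.append(entry)
            entry = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def agreements(ldif_text):
    """Return the replication agreements found in one server's LDIF."""
    found = []
    for e in parse_ldif(ldif_text):
        classes = [c.lower() for c in e.get("objectclass", [])]
        if "nsds5replicationagreement" not in classes:
            continue
        status = e.get("nsds5replicalastupdatestatus", [""])[0]
        code = re.match(r"(?:Error \()?(-?\d+)", status)
        found.append(Agreement(
            host=e.get("nsds5replicahost", [""])[0].lower(),
            port=e.get("nsds5replicaport", [""])[0],
            # An agreement without the attribute is treated as plain LDAP.
            transport=e.get("nsds5replicatransportinfo", ["LDAP"])[0].upper(),
            status_code=int(code.group(1)) if code else None))
    return found


def check_pair(servers):
    """servers maps host name -> LDIF text; returns a list of findings."""
    agmts = {host.lower(): agreements(text) for host, text in servers.items()}
    findings = []
    for src, dst in permutations(agmts, 2):
        to_dst = [a for a in agmts[src] if a.host == dst]
        if not to_dst:
            findings.append(f"{src} has no agreement to {dst}: "
                            f"entries added on {src} will not reach {dst}")
        for a in to_dst:
            if a.transport not in ("SSL", "TLS"):
                findings.append(f"{src} -> {dst} uses {a.transport} on port "
                                f"{a.port}: replication is not encrypted")
            if a.status_code != 0:
                findings.append(f"{src} -> {dst} last update status code is "
                                f"{a.status_code}, expected 0")
    return findings


if __name__ == "__main__":
    print("\n".join(check_pair({"ds1.example.com": SERVER1_LDIF,
                                "ds2.example.com": SERVER2_LDIF})))
```

An empty result from `check_pair` means every server has an agreement to every other one, each over SSL or TLS, with a last update status of 0.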