[Fedora-directory-users] Setting up fault tolerant mesh of FDS servers - just checking I have got it right!

Rich Megginson rmeggins at redhat.com
Fri Feb 29 15:37:02 UTC 2008


Howard Wilkinson wrote:
> Fedora-ds-1.1.1 on Fedora 7 + (the + is back ports from 8/9, all of 
> the updates applied, and additional packages I have cross ported)
>
> I have succeeded in getting a fault tolerant mesh configured that 
> consists of 2 or more Multi-Master servers, a number of Hub (0+) and a 
> number of consumers (0+).
>
> I have done this by modifying mmr.pl to accept --host1_role and 
> --host2_role parameters which can be set to supplier, hub, or consumer.
>
> For all of the usual DCROOTs i.e. not o=NetscapeRoot I set the 
> relationships up as implied i.e. supplier<->supplier for the 
> Multi-Master Hosts, supplier<->hub, hub<->consumer.
> Where the site is too small for hub servers I have gone 
> supplier<->consumer direct. Inter-site topology and hub grouping 
> within sites is left as an exercise for the reader (me when it comes 
> back to bite me...)
>
> For the o=Netscape I have chosen to use supplier<->supplier 
> relationships but to apply the same topology.
>
> Sequence of events is:
>
>     * On first Master
>
>          1. Install clean environment - erase rpm's delete residual
>             files, install rpms, patch dirsrv-admin startup to work!
>          2. Run setup-ds-admin.pl in silent mode, this adds schema
>             files. The inf file has SlapdConfigMC=1, UseExistingMC=0
>             and points ConfigDirectoryLdapURL to this host.
>          3. Set up SSL certs using certutil commands and openssl
>             supplied certificates from our CA.
>          4. Restart dirsrv and dirsrv-admin
>          5. Create 2nd and subsequent DCROOTS with default aci's and
>             "standard" container entries
>          6. Preload data into DCROOTS for users and other objects
>             being migrated.
>
>     * On other servers - doing other masters first, followed by hubs
>       and then consumers - carry out steps 1-5 above creating the
>       o=NetscapeRoot DCROOT as well.
>           o The inf file has SlapdConfigMC=1, UseExistingMC=1 and
>             points ConfigDirectoryLdapUrl to the first Master
>     * Then run the mmr.pl script on each connection for each DCROOT
>       starting with replicating the first master to all other masters,
>       then to hubs, then other masters to hubs and finally hubs to
>       consumers.
>          1. For o=NetscapeRoot run mmr.pl as supplier<->supplier,
>             otherwise honor the role played by each server.
>          2. Replace entries in cn=UserDirectory, ou=Global
>             Preferences, ou=<localdomain>, o=NetscapeRoot for
>             nsDirectoryFailoverList with one for each server other
>             than the first master which is mentioned in the
>             nsDirectoryURL entry in the same object. *Is this the
>             right sort of thing to do?*
>
Yes.
>
>          1. On every host alter the cn=Pass Through
>             Authentication,cn=plugins,cn=config object to have
>             nssslapd-pluginarg0 to reference that host rather than the
>             first master. *Is this correct on the consumers (or hubs)?*
>
Yes.  Note that you can specify failover in pass through auth by using a 
special form of the ldap url.  See http://tinyurl.com/32kjqy
>
>          1. I am assuming that this is for authentication not for
>             password modification purposes!
>
Right.
>
>          1. Which brings up the question of where in the consumers and
>             hubs do I put referrals to the Master(s)?
>
They are automatically set by the replication protocol.  You should not 
have to do anything.  If you attempt to modify a hub or consumer, your 
client should get LDAP Error 10 and a referral to a master.
>
>          1. Edit adm.conf on each host to change the ldapurl to point
>             to the local host.
>
> Now assuming that this was the right thing to do I now need to set up 
> referrals for writing to the system from the consumers and hubs back 
> to the "site" masters. Where do I put this information?
>
> I am also getting these errors logged on the first master!
>
> Feb 28 22:00:35 bastion ns-slapd: auxpropfunc error invalid parameter 
> supplied
> Feb 28 22:00:35 bastion ns-slapd: sql_select option missing
> Feb 28 22:00:35 bastion ns-slapd: auxpropfunc error no mechanism available
I think you can ignore these.
>
> These are appearing about every 15 minutes. Does anybody have any idea 
> where these are coming from?
I'm not sure, but the directory server does not support SASL auxprop 
with sql.
>
> Finally the shutdown time for the dirsrv servers on the suppliers is 
> extremely long - orders of minutes, what could be causing this?
Are they under load while shutting down?  Can you post the shutdown 
sequence from the error log?
>
> -- 
> Howard Wilkinson
> Coherent Technology Limited
> 23 Northampton Square, United Kingdom, EC1V 0HL
> Phone: +44(20)76907075
> Mobile: +44(7980)639379
> Email: howard at cohtech.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20080229/056cbe2d/attachment.bin>
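The per-host edits Howard lists (PTA plug-in arg pointing at the local
host with the other servers as failover, nsDirectoryFailoverList without
the first master, adm.conf ldapurl pointing at the local host) are easy to
get inconsistent when done by hand across a mesh. The script below is an
added example, not code from this thread or from Fedora/389 Directory
Server. It generates the LDIF and adm.conf change for each host from one
topology list. Three things are assumed rather than taken from the page and
should be checked against the link Rich cites: the PTA failover URL is
written as "ldap://host1:port host2:port/subtree" (space-separated host
list in front of the subtree), nsDirectoryFailoverList holds one
space-separated "host:port host:port" value, and adm.conf carries a line of
the form "ldapurl: ldap://host:port/o=NetscapeRoot". The host names and
domain are constructed for the example.

```python
#!/usr/bin/env python3
"""Generate the per-host changes from the thread's post-replication steps.

Added example; not code from the thread or from Fedora/389 Directory Server.
Assumed, not stated on the page (check against the link Rich cites):
  * the PTA failover URL is "ldap://host1:port host2:port/subtree";
  * nsDirectoryFailoverList carries one value of space-separated "host:port";
  * adm.conf has a line of the form "ldapurl: ldap://host:port/o=NetscapeRoot".
The hosts and domain below are constructed for the example.
"""
from dataclasses import dataclass

ROLES = ("supplier", "hub", "consumer")


@dataclass(frozen=True)
class Host:
    name: str
    role: str
    port: int = 389


def check_topology(hosts):
    """Reject unknown roles, duplicate names, and meshes with fewer than two suppliers."""
    names = [h.name for h in hosts]
    dupes = sorted(set(n for n in names if names.count(n) > 1))
    if dupes:
        raise ValueError("duplicate host names: %s" % dupes)
    for h in hosts:
        if h.role not in ROLES:
            raise ValueError("%s: unknown role %r" % (h.name, h.role))
    if sum(h.role == "supplier" for h in hosts) < 2:
        raise ValueError("a multi-master mesh needs at least two suppliers")


def pta_url(local, hosts, subtree="o=NetscapeRoot"):
    """nsslapd-pluginarg0 for `local`: the local server first (as in the thread),
    then every other server as a failover target, so binds against the
    subtree keep working when the local instance is down."""
    ordered = [local] + [h for h in hosts if h.name != local.name]
    return "ldap://%s/%s" % (" ".join("%s:%d" % (h.name, h.port) for h in ordered), subtree)


def failover_list(first_master, hosts):
    """nsDirectoryFailoverList: every server except the one already named in
    nsDirectoryURL (the first master), so it is never listed as its own failover."""
    return " ".join("%s:%d" % (h.name, h.port) for h in hosts if h.name != first_master.name)


def ldif_for_host(local, hosts, domain, first_master):
    """LDIF to feed to ldapmodify (as Directory Manager) on `local`."""
    check_topology(hosts)
    return (
        "dn: cn=Pass Through Authentication,cn=plugins,cn=config\n"
        "changetype: modify\n"
        "replace: nsslapd-pluginarg0\n"
        "nsslapd-pluginarg0: %s\n"
        "\n"
        "dn: cn=UserDirectory,ou=Global Preferences,ou=%s,o=NetscapeRoot\n"
        "changetype: modify\n"
        "replace: nsDirectoryFailoverList\n"
        "nsDirectoryFailoverList: %s\n"
    ) % (pta_url(local, hosts), domain, failover_list(first_master, hosts))


def rewrite_adm_conf(text, local):
    """Point the adm.conf ldapurl line at the local host; other lines are kept as-is."""
    out = []
    for line in text.splitlines():
        if line.startswith("ldapurl:"):
            line = "ldapurl: ldap://%s:%d/o=NetscapeRoot" % (local.name, local.port)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Constructed mesh: two masters, one hub, one consumer.
    mesh = [Host("m1.example.com", "supplier"), Host("m2.example.com", "supplier"),
            Host("hub1.example.com", "hub"), Host("c1.example.com", "consumer")]
    for h in mesh:
        print("# --- %s (%s) ---" % (h.name, h.role))
        print(ldif_for_host(h, mesh, "example.com", mesh[0]))
```

Run it once per host and pipe each block into ldapmodify on that host; the
topology check fails early if a role is misspelled or the mesh has only one
supplier, which is cheaper than discovering it when the second master goes
down.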