On August 13, 2009 07:03:29 pm Rich Megginson wrote:
> Ryan Braun [ADS] wrote:
> > In my testing lab, I have set up 2 servers using MMR replicating both
> > userroot and netscaperoot. All replication is working between the 2
> > servers. My 3rd server, a consumer read-only replica of userroot, I
> > registered to the first of the 2 MMR servers. My question is, how do I
> > configure the slave server to be able to contact the second (or any
> > other) MMR server to get its admin server configs automatically if the
> > first server ever goes boom? Eventually we will have 4 MMR servers, 2
> > groups of 2 with ip takeover style HA, for example
> >
> > westldap.example.com (virtual ip)
> > westldap0.example.com
> > westldap1.example.com
> > eastldap.example.com (virtual ip)
> > eastldap0.example.com
> > eastldap1.example.com
> >
> > On the slave server, adm.conf looks like so (with host specific details
> > replaced). Would I just add another ldapurl option?
> No, unfortunately it's not that smart. Unfortunately, failover is
> manual. Please file a bugzilla to request failover.

filed. https://bugzilla.redhat.com/show_bug.cgi?id=517413

> > And would the server be
> > smart enough to fail over to the next server listed?
> >
> > AdminDomain: example.com
> > sysuser: nobody
> > isie: cn=389 Administration Server, cn=Server Group, cn=ywgsrvr4.example.com, ou=example.com, o=NetscapeRoot
> > SuiteSpotGroup: nogroup
> > sysgroup: nogroup
> > userdn: uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot
> > ldapurl: ldap://srvr0.example.com:389/o=NetscapeRoot
> > SuiteSpotUserID: nobody
> > sie: cn=admin-serv-srvr4, cn=389 Administration Server, cn=Server Group, cn=srvr4.example.com, ou=example.com, o=NetscapeRoot
> >
> > Also, on the slave server I found this in dse.ldif
> >
> > dn: cn=Pass Through Authentication,cn=plugins,cn=config
> > objectClass: top
> > objectClass: nsSlapdPlugin
> > objectClass: extensibleObject
> > cn: Pass Through Authentication
> > nsslapd-pluginPath: libpassthru-plugin
> > nsslapd-pluginInitfunc: passthruauth_init
> > nsslapd-pluginType: preoperation
> > nsslapd-pluginEnabled: on
> > nsslapd-plugin-depends-on-type: database
> > nsslapd-pluginarg0: ldap://srvr0.example.com:389/o=NetscapeRoot
> > nsslapd-pluginId: passthruauth
> > nsslapd-pluginVersion: 1.2.1
> > nsslapd-pluginVendor: Fedora Project
> > nsslapd-pluginDescription: pass through authentication plugin
> >
> > I am guessing this pass thru allows me to login to the admin server on
> > srvr0.example.com, and then allow me access to the slave server.
> Not exactly. This allows the uid=admin,....,o=NetscapeRoot user to
> login to servers that do not have o=NetscapeRoot, by passing through the
> credentials to the configuration DS (the server that has o=NetscapeRoot).

I'm guilty of a bad habit here: whenever I connect to the console (not very often), I use cn=directory manager. Does the above pass whichever user was authenticated by the console, or just the uid=admin user? For example, I created another admin user

uid=TAdmin,ou=Administrators, ou=TopologyManagement, o=netscapeRoot

I log in to the console on srvr0 with uid=TAdmin, and I can open up the ds-console for the slave.
When I click on the configuration tab, I get an error saying the user doesn't have permission to perform this operation. Only I don't see anything in either server's access logs about it failing, or in the admin server logs. Here is a snippet from srvr0: it binds successfully, then when I click on the config tab, it says no permission, asks for the password again, and does appear to bind successfully but again tells me I don't have permission.

[13/Aug/2009:20:08:11 +0000] conn=3 fd=64 slot=64 connection from x.x.x.x to x.x.x.x
[13/Aug/2009:20:08:11 +0000] conn=3 op=0 BIND dn="uid=tadmin,ou=Administrators, ou=TopologyManagement, o=netscapeRoot" method=128 version=3
[13/Aug/2009:20:08:11 +0000] conn=3 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=tadmin,ou=administrators,ou=topologymanagement,o=netscaperoot"
[13/Aug/2009:20:09:09 +0000] conn=3 op=1 BIND dn="uid=tadmin,ou=Administrators, ou=TopologyManagement, o=netscapeRoot" method=128 version=3
[13/Aug/2009:20:09:09 +0000] conn=3 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=tadmin,ou=administrators,ou=topologymanagement,o=netscaperoot"
[13/Aug/2009:20:09:29 +0000] conn=3 op=3 SRCH base="cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsslapd-security"
[13/Aug/2009:20:09:29 +0000] conn=3 op=3 RESULT err=0 tag=101 nentries=0 etime=0
[13/Aug/2009:20:09:29 +0000] conn=3 op=4 SRCH base="cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsslapd-port nsslapd-secureport nsslapd-lastmod nsslapd-readonly nsslapd-schemacheck nsslapd-referral"
[13/Aug/2009:20:09:29 +0000] conn=3 op=4 RESULT err=0 tag=101 nentries=0 etime=0
[13/Aug/2009:20:10:13 +0000] conn=3 op=6 BIND dn="uid=tadmin,ou=Administrators, ou=TopologyManagement, o=netscapeRoot" method=128 version=3
[13/Aug/2009:20:10:13 +0000] conn=3 op=6 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=tadmin,ou=administrators,ou=topologymanagement,o=netscaperoot"
[13/Aug/2009:20:10:13 +0000] conn=3 op=7 SRCH base="cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsslapd-port nsslapd-secureport nsslapd-lastmod nsslapd-readonly nsslapd-schemacheck nsslapd-referral"
[13/Aug/2009:20:10:14 +0000] conn=3 op=7 RESULT err=0 tag=101 nentries=0 etime=1

When I log in to the console with the initial uid=Admin,ou=Administrators, ou=TopologyManagement, o=netscapeRoot and fire up the ds-console for the slave, it does work fine. I can browse whatever I need, create items in cn=config etc.

> > If so, I would assume I would need an entry like this for each MMR server?
> > Would I need a whole entry? Or just stack the nsslapd-pluginarg0 attribute
> > with all the servers, i.e.
> >
> > dn: cn=Pass Through Authentication,cn=plugins,cn=config
> > objectClass: top
> > objectClass: nsSlapdPlugin
> > objectClass: extensibleObject
> > cn: Pass Through Authentication
> > nsslapd-pluginPath: libpassthru-plugin
> > nsslapd-pluginInitfunc: passthruauth_init
> > nsslapd-pluginType: preoperation
> > nsslapd-pluginEnabled: on
> > nsslapd-plugin-depends-on-type: database
> > nsslapd-pluginarg0: ldap://srvr0.example.com:389/o=NetscapeRoot
> > nsslapd-pluginarg0: ldap://srvr1.example.com:389/o=NetscapeRoot
> > nsslapd-pluginarg0: ldap://srvr.example.com:389/o=NetscapeRoot
> The attribute is not multi-valued like that. There is a different
> syntax for specifying multiple host:port in an LDAP URL:
> ldap://srvr0.example.com:389 srvr1.example.com:389 srvr.example.com:389/o=NetscapeRoot
>

Ok, I'll give it a shot with the url, once I get the above sorted out.

Ryan
--
389 users mailing list
389-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
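As an added example (not code from this thread or from the 389 project), the following Python parses the space-separated multi-host LDAP URL syntax Rich describes into its failover host list, builds such a URL back from a host list, and rewrites the multi-valued nsslapd-pluginarg0 form from the question into the single accepted form. The function names and the default ports are my own assumptions; the hosts and base DN reuse the thread's example values.

```python
from urllib.parse import unquote

DEFAULT_PORT = {"ldap": 389, "ldaps": 636}  # assumed defaults when a host has no port


def parse_pta_url(url):
    """Split ldap://host0:port host1:port .../base into (scheme, [(host, port)...], base).
    Space-separated hosts in the authority part are the failover list the
    pass-through plugin accepts in place of a multi-valued attribute."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in DEFAULT_PORT:
        raise ValueError("not an ldap/ldaps URL: %r" % url)
    authority, _, base = rest.partition("/")
    hosts = []
    for hp in authority.split():
        host, colon, port = hp.rpartition(":")
        if not colon:  # bare hostname, no port given
            host, port = hp, str(DEFAULT_PORT[scheme])
        if not host or not port.isdigit():
            raise ValueError("bad host:port in URL: %r" % hp)
        hosts.append((host, int(port)))
    if not hosts:
        raise ValueError("no hosts in URL: %r" % url)
    return scheme, hosts, unquote(base)


def build_pta_url(hosts, base, scheme="ldap"):
    """Inverse of parse_pta_url; list hosts in the order failover should try them."""
    return "%s://%s/%s" % (scheme, " ".join("%s:%d" % hp for hp in hosts), base)


def merge_pluginarg_urls(ldif_lines, attr="nsslapd-pluginarg0"):
    """Collapse repeated `attr: ldap://host/base` lines (the multi-valued form the
    plugin does not accept) into one multi-host line, inserted where the first
    occurrence was. All URLs must share scheme and base DN; other lines pass through."""
    out, urls, where = [], [], None
    for line in ldif_lines:
        name, sep, value = line.partition(":")
        if sep and name.strip() == attr:
            where = len(out) if where is None else where
            urls.append(value.strip())
        else:
            out.append(line)
    if not urls:
        return out
    parsed = [parse_pta_url(u) for u in urls]
    schemes, bases = {p[0] for p in parsed}, {p[2] for p in parsed}
    if len(schemes) != 1 or len(bases) != 1:
        raise ValueError("all %s URLs must share scheme and base DN" % attr)
    hosts = [hp for p in parsed for hp in p[1]]
    out.insert(where, "%s: %s" % (attr, build_pta_url(hosts, bases.pop(), schemes.pop())))
    return out
```

Feeding the dse.ldif entry from the question through merge_pluginarg_urls yields a single nsslapd-pluginarg0 line in the form Rich gives; the first host listed is the one tried first.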