source: branches/fc13-dev/server/doc/install-ldap @ 1672

Last change on this file since 1672 was 1672, checked in by ezyang, 14 years ago
More updates from installing b-m and o-f.
File size: 11.8 KB
Line 
1To set up a new LDAP server:
2
3- Install the RPM 389-ds-base with yum
4  root# yum install -y 389-ds-base
5- We want to run the directory server as its own user, so create fedora-ds
6  root# env NSS_NONLOCAL_IGNORE=1 useradd -r -d /var/lib/dirsrv fedora-ds
7- root# yum install -y policycoreutils-python
8- root# /usr/sbin/setup-ds.pl
9    - Choose a typical install
10    - Tell it to use the fedora-ds user and group
11    - Directory server identifier: scripts
12        Needed to remove this from the config file first
13    - Suffix: dc=scripts,dc=mit,dc=edu
14    - Input directory manager password
15      (this can be found in  ~/.ldapvirc)
16        [XXX: Got error: sh: semanage: command not found; turns out this is in
17        policycoreutils-python.  Don't know if this will cause problems.]
18- yum install ldapvi
19- Check if dirsrv starts: /sbin/service dirsrv start
20- Apply the following configuration changes.  If you're editing
21  dse.ldif, you don't want dirsrv to be on, otherwise it will
22  overwrite your changes. [XXX: show how to do these changes with
23  dsconf, which is the "blessed" method]
24
25# Inside cn=config.  These changes definitely require a restart.
26nsslapd-ldapifilepath: /var/run/dirsrv/slapd-scripts.socket
27nsslapd-ldapilisten: on
28
29# Add these blocks
30
31# mapname, mapping, sasl, config
32# This is the most liberal mapping you can have for SASL: you can
33# basically add authentication for any given GSSAPI mechanism by
34# explicitly creating the UID for that SASL string.
35dn: cn=mapname,cn=mapping,cn=sasl,cn=config
36objectClass: top
37objectClass: nsSaslMapping
38cn: mapname
39nsSaslMapRegexString: \(.*\)
40nsSaslMapBaseDNTemplate: uid=\1,ou=People,dc=scripts,dc=mit,dc=edu
41nsSaslMapFilterTemplate: (objectClass=posixAccount)
42
43- /sbin/service dirsrv stop
44- Add the scripts schemas to /var/lib/dirsrv/slapd-scripts [XXX: I don't
45  know how to do this, but placing them in /etc might be sufficient?]
46- Put LDAP keytab (ldap/hostname.mit.edu) in /etc/dirsrv/keytab.  Make
47  sure you chown/chgrp it to be readable by fedora-ds
48- Uncomment and modify in /etc/sysconfig/dirsrv: KRB5_KTNAME=/etc/dirsrv/keytab ; export KRB5_KTNAME
49- mkdir -p /var/run/dirsrv
50- chown fedora-ds:fedora-ds /var/run/dirsrv
51- chmod 755 /var/run/dirsrv
52- /sbin/service dirsrv restart
53- Use ldapvi -b cn=config to add these indexes:
54
55add cn=apacheServerName, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
56objectClass: top
57objectClass: nsIndex
58cn: apacheServerName
59nsSystemIndex: false
60nsIndexType: eq
61nsIndexType: pres
62
63add cn=apacheServerAlias, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
64objectClass: top
65objectClass: nsIndex
66cn: apacheServerAlias
67nsSystemIndex: false
68nsIndexType: eq
69nsIndexType: pres
70
71add cn=scriptsVhostName, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
72objectClass: top
73objectClass: nsIndex
74cn: scriptsVhostName
75nsSystemIndex: false
76nsIndexType: eq
77nsIndexType: pres
78
79add cn=scriptsVhostAlias, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
80objectClass: top
81objectClass: nsIndex
82cn: scriptsVhostAlias
83nsSystemIndex: false
84nsIndexType: eq
85nsIndexType: pres
86
87add cn=scriptsVhostAccount, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
88objectClass: top
89objectClass: nsIndex
90cn: scriptsVhostAccount
91nsSystemIndex: false
92nsIndexType: eq
93nsIndexType: pres
94
95add cn=memberuid, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
96objectClass: top
97objectClass: nsIndex
98cn: memberuid
99nsSystemIndex: false
100nsIndexType: eq
101nsIndexType: pres
102
103add cn=uidnumber, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
104objectClass: top
105objectClass: nsIndex
106cn: uidnumber
107nsSystemIndex: false
108nsIndexType: eq
109nsIndexType: pres
110
111add cn=gidnumber, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
112objectClass: top
113objectClass: nsIndex
114cn: gidnumber
115nsSystemIndex: false
116nsIndexType: eq
117nsIndexType: pres
118
119- Build the indexes for all the fields:
120
121    /usr/lib64/dirsrv/slapd-scripts/db2index.pl -D "cn=Directory Manager" -j /etc/signup-ldap-pw -n userRoot
122
123  (/etc/signup-ldap-pw is the LDAP root password, make sure it's
124  chmodded correctly and chowned to signup. Also, make sure it doesn't
125  have a trailing newline!)
126
127-  Watch for the indexing operations to finish with this command:
128
129    ldapsearch -x -y /etc/signup-ldap-pw -D 'cn=Directory Manager' -b cn=tasks,cn=config
130
131  (look for nktaskstatus)
132
133- Set up replication.
134
135  We used to tell people to go execute
136  http://directory.fedoraproject.org/sources/contrib/mmr.pl manually
137  (manually because that script assumes only two masters and we have
138  every one of our servers set up as a master.)  However, those
139  instructions are inaccurate, because we use GSSAPI, not SSL and
140  because the initializing procedure is actually prone to a race
141  condition.  Here are some better instructions.
142
143  LDAP replication is based around producers and consumers.  Producers
144  push changes in LDAP to consumers: these arrangements are called
145  "replication agreements" and the producer will hold a
146  nsDS5ReplicationAgreement object that represents this commitment,
147  as well as some extra configuration to say who consumers will accept
148  replication data from (a nsDS5Replica).
149
150  The procedure, at a high level, is this:
151
152    1. Pick an arbitrary existing master.  The current server will
153       be configured as a slave to that master.  Initialize a changelog,
154       then request a replication to populate our server with
155       information.
156
157            M1 <---> M2 ---> S
158
159    2. Configure the new server to be replicated back.
160
161            M1 <---> M2 <---> S
162
163    3. Set up the rest of the replication agreements at your leisure.
164
165                M1 <---> M2
166                ^         ^
167                |         |
168                +--> S <--+
169
170  Here's how you do it.
171
172    1. Pull open the replication part of the database. It's fairly empty
173       right now.
174
175        ldapvi -b cn=\"dc=scripts,dc=mit,dc=edu\",cn=mapping\ tree,cn=config
176
177    2. Configure the server $SLAVE (this server) to accept $MASTER
178       replications by adding the following LDAP entries:
179
180add cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config
181objectClass: top
182objectClass: nsDS5Replica
183cn: replica
184nsDS5ReplicaId: $REPLICA_ID
185nsDS5ReplicaRoot: dc=scripts,dc=mit,dc=edu
186nsDS5Flags: 1
187nsDS5ReplicaBindDN: uid=ldap/bees-knees.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
188nsDS5ReplicaBindDN: uid=ldap/busy-beaver.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
189nsDS5ReplicaBindDN: uid=ldap/cats-whiskers.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
190nsDS5ReplicaBindDN: uid=ldap/pancake-bunny.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
191nsDS5ReplicaBindDN: uid=ldap/whole-enchilada.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
192nsDS5ReplicaBindDN: uid=ldap/real-mccoy.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
193# ADD SERVERS HERE AS YOU ADD NEW SERVERS
194nsds5ReplicaPurgeDelay: 604800
195nsds5ReplicaLegacyConsumer: off
196nsDS5ReplicaType: 3
197
198        $REPLICA_ID is the scripts$N number (stella $HOSTNAME to find
199        out.)  You might wonder why we are binding to all servers;
200        weren't we going to replicate from only one server?  That is
201        correct, however, simply binding won't mean we will receive
202        updates; we have to setup the $MASTER to send data $SALVE.
203
204    3. Although we allowed those uids to bind, that user information
205       doesn't exist on $SLAVE yet.  So you'll need to create the entry
206       for just $MASTER.
207
208add uid=ldap/$MASTER,ou=People,dc=scripts,dc=mit,dc=edu
209uid: ldap/$MASTER
210objectClass: account
211objectClass: top
212
213    4. Though our $SLAVE will not be making changes to LDAP, we need to
214       initialize the changelog because we intend to be able to do this
215       later.
216
217add cn=changelog5,cn=config
218objectclass: top
219objectclass: extensibleObject
220cn: changelog5
221nsslapd-changelogdir: /etc/dirsrv/slapd-scripts/changelogdb
222
223    5. Ok, now go to your $MASTER server that you picked (it should have
224       been one of the hosts mentioned in nsDS5ReplicaBindDN) and tell
225       it to replicate to $SLAVE.
226
227add cn="GSSAPI Replication to $SLAVE", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config
228objectClass: top
229objectClass: nsDS5ReplicationAgreement
230cn: "GSSAPI Replication to $SLAVE"
231cn: GSSAPI Replication to $SLAVE
232nsDS5ReplicaHost: $SLAVE
233nsDS5ReplicaRoot: dc=scripts,dc=mit,dc=edu
234nsDS5ReplicaPort: 389
235nsDS5ReplicaTransportInfo: LDAP
236nsDS5ReplicaBindDN:
237uid=ldap/$MASTER,ou=People,dc=scripts,dc=mit,dc=edu
238nsDS5ReplicaBindMethod: SASL/GSSAPI
239nsDS5ReplicaUpdateSchedule: "0000-2359 0123456"
240nsDS5ReplicaTimeout: 120
241
242    4. Run the replication. (you could fold this into the previous step)
243
244# under cn="GSSAPI Replication to $SLAVE", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config
245nsDS5BeginReplicaRefresh: start
246
247    5. Check that the replication is running; the status will be stored
248    in the object we've been mucking around with.
249
250    If it fails with LDAP Error 49, check /var/log/dirsrv on $MASTER
251    for more information.  It might be because fedora-ds can't read
252    /etc/dirsrv/keytab
253
254    6. Replicate in the other direction.  On $MASTER, add $SLAVE
255    as a nsDS5ReplicaBindDN in cn=replica,cn="dc=scripts,dc=mit,dc=edu",cn=mapping tree,cn=config
256    Also, add an account for $SLAVE
257
258add uid=ldap/$SLAVE,ou=People,dc=scripts,dc=mit,dc=edu
259uid: ldap/$SLAVE
260objectClass: account
261objectClass: top
262
263    On $SLAVE,
264
265add cn="GSSAPI Replication to $MASTER", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config
266objectClass: top
267objectClass: nsDS5ReplicationAgreement
268cn: "GSSAPI Replication to $MASTER"
269cn: GSSAPI Replication to $MASTER
270nsDS5ReplicaHost: $MASTER
271nsDS5ReplicaRoot: dc=scripts,dc=mit,dc=edu
272nsDS5ReplicaPort: 389
273nsDS5ReplicaTransportInfo: LDAP
274nsDS5ReplicaBindDN: uid=ldap/$SLAVE,ou=People,dc=scripts,dc=mit,dc=edu
275nsDS5ReplicaBindMethod: SASL/GSSAPI
276nsDS5ReplicaUpdateSchedule: "0000-2359 0123456"
277nsDS5ReplicaTimeout: 120
278
279    If you get a really scary internal server error, that might mean you
280    forgot to initialize the changelog.  Remove the replication
281    agreement (you'll need to turn off dirsrv), add the changelog, and
282    then try again.
283
284Troubleshooting
285===============
286
287LDAP multimaster replication can fail in a number of colorful ways.
288If the failure is local to a single master, usually you can recover
289by asking another master to refresh that master with:
290
291nsDS5BeginReplicaRefresh: start
292
293In practice, we've also had problems with this technique.  Some of them
294include:
295
296* Something like https://bugzilla.redhat.com/show_bug.cgi?id=547503
297  on Fedora 11 ns-slapd, where replication is turned off to do the
298  replication, but then it wedges and you need to forcibly kill the
299  process.
300
301* Failed LDAP authentication because another master attempted to do
302  an incremental update.
303
304* Repropagation of the error because the corrupt master thinks it still
305  should push updates.
306
307So the extremely safe method to bring up a crashed master is as follows:
308
3091. Disable all incoming and outgoing replication agreements by editing
310   /etc/dirsrv/slapd-scripts/dse.ldif. You'll need to munge:
311
312   nsDS5ReplicaBindDN in cn=replica,cn=dc\3Dscripts\2Cdc\3Dmit\2Cdc\3Dedu,cn=mapping tree,cn=config
313
314   and all of the push agreements.  Deleting them outright works, but
315   means you'll have to reconstruct all of the agreements from scratch.
316
3172. Bring up the server.
318
3193. Accept incoming replication data from a single server.
320
3214. Initiate a full update from that server.
322
3235. Finish setting up replication as described above.
324
325If your database gets extremely fucked, other servers may not be able
326to authenticate because your authentication information has gone missing.
327In that case, the minimal set of entries you need is:
328
329add dc=scripts,dc=mit,dc=edu
330objectClass: top
331objectClass: domain
332dc: scripts
333
334add ou=People,dc=scripts,dc=mit,dc=edu
335objectClass: top
336objectClass: organizationalunit
337ou: People
338
339add uid=ldap/real-mccoy.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
340objectClass: account
341objectClass: top
342uid: ldap/real-mccoy.mit.edu
Note: See TracBrowser for help on using the repository browser.