source: branches/fc17-dev/server/doc/install-ldap @ 2205

Last change on this file since 2205 was 2068, checked in by ezyang, 13 years ago
More doc updates.
File size: 14.2 KB
Line 
1# To set up a new LDAP server:
2
3# Temporarily move away the existing slapd-scripts folder
4mv /etc/dirsrv/slapd-scripts{,.bak}
5
6# Setup directory server
7/usr/sbin/setup-ds.pl
8#   - Choose a typical install
9#   - Tell it to use the fedora-ds user and group
10#   - Directory server identifier: scripts
11#   - Suffix: dc=scripts,dc=mit,dc=edu
12#   - Input directory manager password
13#     (this can be found in  ~/.ldapvirc)
14
15# Move the schema back
16cp -R /etc/dirsrv/slapd-scripts.bak/{.svn,*} /etc/dirsrv/slapd-scripts
17rm -Rf /etc/dirsrv/slapd-scripts.bak
18
19# Turn dirsrv off:
20systemctl stop dirsrv.service
21
22# Apply the following configuration changes.  If you're editing
23# dse.ldif, you don't want dirsrv to be on, otherwise it will
24# overwrite your changes. [XXX: show how to do these changes with
25# dsconf, which is the "blessed" method, although it seems
26# dsconf only exists for Red Hat]
27
28vim /etc/dirsrv/slapd-scripts/dse.ldif
29<<<EOF
30
31# Inside cn=config.  These changes definitely require a restart.
32nsslapd-ldapilisten: on
33nsslapd-syntaxcheck: off
34
35# We need to turn off syntax check because our schema is wrong and too
36# restrictive on some value. This should get fixed.
37
38# Add these blocks
39
40# mapname, mapping, sasl, config
41# This is the most liberal mapping you can have for SASL: you can
42# basically add authentication for any given GSSAPI mechanism by
43# explicitly creating the UID for that SASL string.
44dn: cn=mapname,cn=mapping,cn=sasl,cn=config
45objectClass: top
46objectClass: nsSaslMapping
47cn: mapname
48nsSaslMapRegexString: \(.*\)
49nsSaslMapBaseDNTemplate: uid=\1,ou=People,dc=scripts,dc=mit,dc=edu
50nsSaslMapFilterTemplate: (objectClass=posixAccount)
51
52EOF;
53
54systemctl start dirsrv.service
55
56ldapvi -b cn=config
57# Add these indexes (8 of them):
58
59<<<EOF
60
61add cn=apacheServerName, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
62objectClass: top
63objectClass: nsIndex
64cn: apacheServerName
65nsSystemIndex: false
66nsIndexType: eq
67nsIndexType: pres
68
69add cn=apacheServerAlias, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
70objectClass: top
71objectClass: nsIndex
72cn: apacheServerAlias
73nsSystemIndex: false
74nsIndexType: eq
75nsIndexType: pres
76
77add cn=scriptsVhostName, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
78objectClass: top
79objectClass: nsIndex
80cn: scriptsVhostName
81nsSystemIndex: false
82nsIndexType: eq
83nsIndexType: pres
84
85add cn=scriptsVhostAlias, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
86objectClass: top
87objectClass: nsIndex
88cn: scriptsVhostAlias
89nsSystemIndex: false
90nsIndexType: eq
91nsIndexType: pres
92
93add cn=scriptsVhostAccount, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
94objectClass: top
95objectClass: nsIndex
96cn: scriptsVhostAccount
97nsSystemIndex: false
98nsIndexType: eq
99nsIndexType: pres
100
101add cn=memberuid, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
102objectClass: top
103objectClass: nsIndex
104cn: memberuid
105nsSystemIndex: false
106nsIndexType: eq
107nsIndexType: pres
108
109add cn=uidnumber, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
110objectClass: top
111objectClass: nsIndex
112cn: uidnumber
113nsSystemIndex: false
114nsIndexType: eq
115nsIndexType: pres
116
117add cn=gidnumber, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
118objectClass: top
119objectClass: nsIndex
120cn: gidnumber
121nsSystemIndex: false
122nsIndexType: eq
123nsIndexType: pres
124
125EOF;
126
127- Build the indexes for all the fields:
128
129    /usr/lib64/dirsrv/slapd-scripts/db2index.pl -D "cn=Directory Manager" -j /etc/signup-ldap-pw -n userRoot
130
131  (/etc/signup-ldap-pw is the LDAP root password, make sure it's
132  chmodded correctly and chowned to signup. Also, make sure it doesn't
133  have a trailing newline!)
134
135-  Watch for the indexing operations to finish with this command:
136
137    ldapsearch -x -y /etc/signup-ldap-pw -D 'cn=Directory Manager' -b cn=tasks,cn=config
138
139  (look for nktaskstatus)
140
141- Set up replication.
142
143  We used to tell people to go execute
144  http://directory.fedoraproject.org/sources/contrib/mmr.pl manually
145  (manually because that script assumes only two masters and we have
146  every one of our servers set up as a master.)  However, those
147  instructions are inaccurate, because we use GSSAPI, not SSL and
148  because the initializing procedure is actually prone to a race
149  condition.  Here are some better instructions.
150
151  LDAP replication is based around producers and consumers.  Producers
152  push changes in LDAP to consumers: these arrangements are called
153  "replication agreements" and the producer will hold a
154  nsDS5ReplicationAgreement object that represents this commitment,
155  as well as some extra configuration to say who consumers will accept
156  replication data from (a nsDS5Replica).
157
158  The procedure, at a high level, is this:
159
160    1. Pick an arbitrary existing master.  The current server will
161       be configured as a slave to that master.  Initialize a changelog,
162       then request a replication to populate our server with
163       information.
164
165            M1 <---> M2 ---> S
166
167    2. Configure the new server to be replicated back.
168
169            M1 <---> M2 <---> S
170
171    3. Set up the rest of the replication agreements.
172
173                M1 <---> M2
174                ^         ^
175                |         |
176                +--> S <--+
177
178    4. Push a change from every existing server (to the new server), and
179       then a change from the new server to (all) the existing servers.
180       In addition to merely testing that replication works, this will
181       set up the servers' changelogs properly.
182
183       If this step is not completed before any server's LDAP server
184       shuts down, then the replication agreements will fall apart the
185       next time a change is made. You may wish to intentionally reboot
186       any servers that look like they want to crash _before_ beginning
187       this process.
188
189  Here's how you do it.
190
191  NOTE: There's this spiffy new tool MMR hammer which automates some of
192  this process.  Check the "MMR Hammer" sections to see how.  Install it
193  here:  https://github.com/ezyang/mmr-hammer
194
195    0. Tell -c scripts not to go off and reboot servers until you're
196       done (or to get any rebooting done with first).
197
198    1. Pull open the replication part of the database. It's fairly empty
199       right now.
200
201        ldapvi -b cn=\"dc=scripts,dc=mit,dc=edu\",cn=mapping\ tree,cn=config
202
203    2. Configure the server $SLAVE (this server) to accept $MASTER
204       replications by adding the following LDAP entries:
205
206add cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config
207objectClass: top
208objectClass: nsDS5Replica
209cn: replica
210nsDS5ReplicaId: $REPLICA_ID
211nsDS5ReplicaRoot: dc=scripts,dc=mit,dc=edu
212nsDS5Flags: 1
213nsDS5ReplicaBindDN: uid=ldap/bees-knees.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
214nsDS5ReplicaBindDN: uid=ldap/busy-beaver.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
215nsDS5ReplicaBindDN: uid=ldap/cats-whiskers.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
216nsDS5ReplicaBindDN: uid=ldap/pancake-bunny.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
217nsDS5ReplicaBindDN: uid=ldap/whole-enchilada.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
218nsDS5ReplicaBindDN: uid=ldap/real-mccoy.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
219nsDS5ReplicaBindDN: uid=ldap/better-mousetrap.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
220nsDS5ReplicaBindDN: uid=ldap/old-faithful.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
221nsDS5ReplicaBindDN: uid=ldap/shining-armor.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
222nsDS5ReplicaBindDN: uid=ldap/golden-egg.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
223nsds5ReplicaPurgeDelay: 604800
224nsds5ReplicaLegacyConsumer: off
225nsDS5ReplicaType: 3
226
227        $REPLICA_ID is the scripts$N number (stella $HOSTNAME to find
228        out.)  You might wonder why we are binding to all servers;
229        weren't we going to replicate from only one server?  That is
230        correct, however, simply binding won't mean we will receive
231        updates; we have to setup the $MASTER to send data $SLAVE.
232
233    3. Although we allowed those uids to bind, that user information
234       doesn't exist on $SLAVE yet.  So you'll need to create the entry
235       for just $MASTER.
236
237       REMEMBER: You need to use FOO.mit.edu for the names!  Otherwise you will get
238       unauthorized errors.
239
240add uid=ldap/$MASTER,ou=People,dc=scripts,dc=mit,dc=edu
241uid: ldap/$MASTER
242objectClass: account
243objectClass: top
244
245    4. Though our $SLAVE will not be making changes to LDAP, we need to
246       initialize the changelog because we intend to be able to do this
247       later.
248
249add cn=changelog5,cn=config
250objectclass: top
251objectclass: extensibleObject
252cn: changelog5
253nsslapd-changelogdir: /etc/dirsrv/slapd-scripts/changelogdb
254
255    5. Ok, now go to your $MASTER server that you picked (it should have
256       been one of the hosts mentioned in nsDS5ReplicaBindDN) and tell
257       it to replicate to $SLAVE.
258
259       The last line runs the replication.  This is perhaps the most
260       risky step of the process; see below for help debugging problems.
261
262       MMR Hammer:
263        mmr-hammer -h $MASTER init agreements $SLAVE
264        mmr-hammer -h $MASTER update $SLAVE # XXX pick a better name
265
266        ldapvi -b cn=\"dc=scripts,dc=mit,dc=edu\",cn=mapping\ tree,cn=config
267
268add cn="GSSAPI Replication to $SLAVE", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config
269objectClass: top
270objectClass: nsDS5ReplicationAgreement
271cn: "GSSAPI Replication to $SLAVE"
272cn: GSSAPI Replication to $SLAVE
273nsDS5ReplicaHost: $SLAVE
274nsDS5ReplicaRoot: dc=scripts,dc=mit,dc=edu
275nsDS5ReplicaPort: 389
276nsDS5ReplicaTransportInfo: LDAP
277nsDS5ReplicaBindDN: uid=ldap/$MASTER,ou=People,dc=scripts,dc=mit,dc=edu
278nsDS5ReplicaBindMethod: SASL/GSSAPI
279nsDS5ReplicaUpdateSchedule: "0000-2359 0123456"
280nsDS5ReplicaTimeout: 120
281nsDS5BeginReplicaRefresh: start
282
283    5. Check that the replication is running; the status will be stored
284    in the object we've been mucking around with.
285
286    If it fails with LDAP Error 49, check /var/log/dirsrv on $MASTER
287    for more information.  It might be because fedora-ds can't read
288    /etc/dirsrv/keytab or because you setup the account on the SLAVE
289    incorrectly.
290
291    6. Replicate in the other direction.  On $MASTER, add $SLAVE
292    as a nsDS5ReplicaBindDN in cn=replica,cn="dc=scripts,dc=mit,dc=edu",cn=mapping tree,cn=config
293    Also, add an account for $SLAVE if it doesn't exist already.
294
295add uid=ldap/$SLAVE,ou=People,dc=scripts,dc=mit,dc=edu
296uid: ldap/$SLAVE
297objectClass: account
298objectClass: top
299
300    On $SLAVE,
301
302       MMR Hammer: mmr-hammer -h $SLAVE init agreements $MASTER
303
304add cn="GSSAPI Replication to $MASTER", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config
305objectClass: top
306objectClass: nsDS5ReplicationAgreement
307cn: "GSSAPI Replication to $MASTER"
308cn: GSSAPI Replication to $MASTER
309nsDS5ReplicaHost: $MASTER
310nsDS5ReplicaRoot: dc=scripts,dc=mit,dc=edu
311nsDS5ReplicaPort: 389
312nsDS5ReplicaTransportInfo: LDAP
313nsDS5ReplicaBindDN: uid=ldap/$SLAVE,ou=People,dc=scripts,dc=mit,dc=edu
314nsDS5ReplicaBindMethod: SASL/GSSAPI
315nsDS5ReplicaUpdateSchedule: "0000-2359 0123456"
316nsDS5ReplicaTimeout: 120
317
318    If you get a really scary internal server error, that might mean you
319    forgot to initialize the changelog.  Remove the replication
320    agreement (you'll need to turn off dirsrv), add the changelog, and
321    then try again.
322
323    7. Repeat step 6 to complete the graph of replications (i.e., from
324    every other server to the new server, and from the new server to
325    every other server).
326
327    Note the only difference between steps 5 and 6 is the lack of
328    nsDS5ReplicaRefresh: start. That only needs to be done once, to the
329    new server.
330
331    With MMR hammer, that's something like:
332
333        for i in $SERVER_NAMES; do mmr-hammer -h $i init agreements $SERVER_NAMES; done
334
335    8. If at this point you look at the new server's changelog with
336    cl-dump (preferably /mit/scripts/admin/cl-dump.pl, to not prompt you
337    for a password), you won't see the servers you added in step 7. So,
338    from each of those servers, make a change to some record so it gets
339    propagated to the new server, and then one from the new server so it
340    gets propagated to all the existing servers' changelogs. This is
341    also good for making sure the replication agreements actually work.
342
343    With MMR hammer, that's something like:
344
345        for i in $SERVER_NAMES; do mmr-hammer -h $i test; sleep 20; done
346
347Troubleshooting
348===============
349
350LDAP multimaster replication can fail in a number of colorful ways;
351combine that with GSSAPI authentication and it goes exponential.
352
353If authentication is failing with LDAP error 49, check if:
354
355    * /etc/dirsrv/keytab
356    * fedora-ds is able to read /etc/dirsrv/keytab
357    * /etc/hosts has not been modified by Network Manager (you
358      /did/ uninstall it, right? Right?)
359
360If the failure is local to a single master, usually you can recover
361by asking another master to refresh that master with:
362
363nsDS5BeginReplicaRefresh: start
364
365In practice, we've also had problems with this technique.  Some of them
366include:
367
368* Something like https://bugzilla.redhat.com/show_bug.cgi?id=547503
369  on Fedora 11 ns-slapd, where replication is turned off to do the
370  replication, but then it wedges and you need to forcibly kill the
371  process.
372
373* Failed LDAP authentication because another master attempted to do
374  an incremental update.
375
376* Repropagation of the error because the corrupt master thinks it still
377  should push updates.
378
379So the extremely safe method to bring up a crashed master is as follows:
380
3811. Disable all incoming and outgoing replication agreements by editing
382   /etc/dirsrv/slapd-scripts/dse.ldif. You'll need to munge:
383
384   nsDS5ReplicaBindDN in cn=replica,cn=dc\3Dscripts\2Cdc\3Dmit\2Cdc\3Dedu,cn=mapping tree,cn=config
385
386   and all of the push agreements.  Deleting them outright works, but
387   means you'll have to reconstruct all of the agreements from scratch.
388
3892. Bring up the server.
390
3913. Accept incoming replication data from a single server.
392
3934. Initiate a full update from that server.
394
3955. Finish setting up replication as described above.
396
397If your database gets extremely fucked, other servers may not be able
398to authenticate because your authentication information has gone missing.
399In that case, the minimal set of entries you need is:
400
401add dc=scripts,dc=mit,dc=edu
402objectClass: top
403objectClass: domain
404dc: scripts
405
406add ou=People,dc=scripts,dc=mit,dc=edu
407objectClass: top
408objectClass: organizationalunit
409ou: People
410
411add uid=ldap/whole-enchilada.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
412objectClass: account
413objectClass: top
414uid: ldap/whole-enchilada.mit.edu
Note: See TracBrowser for help on using the repository browser.