Changeset 1677 for branches/fc13-dev/server/doc/install-ldap
Timestamp: Sep 27, 2010, 4:45:14 PM (14 years ago)
File: 1 edited
branches/fc13-dev/server/doc/install-ldap
r1674 r1677 6 6 root# env NSS_NONLOCAL_IGNORE=1 useradd -r -d /var/lib/dirsrv fedora-ds 7 7 - root# yum install -y policycoreutils-python 8 - Temporarily move away the existing slapd-scripts folder 9 root# mv /etc/dirsrv/slapd-scripts{,.bak} 8 10 - root# /usr/sbin/setup-ds.pl 9 11 - Choose a typical install … … 14 16 - Input directory manager password 15 17 (this can be found in ~/.ldapvirc) 16 [XXX: Got error: sh: semanage: command not found; turns out this is in 17 policycoreutils-python. Don't know if this will cause problems.] 18 - Move the schema back 19 root# cp -R /etc/dirsrv/slapd-scripts.bak/{.svn,*} /etc/dirsrv/slapd-scripts 20 root# rm -Rf /etc/dirsrv/slapd-scripts.bak 18 21 - yum install ldapvi 19 22 - Check if dirsrv starts: /sbin/service dirsrv start 23 then turn it back off: service dirsrv stop 20 24 - Apply the following configuration changes. If you're editing 21 25 dse.ldif, you don't want dirsrv to be on, otherwise it will … … 41 45 nsSaslMapFilterTemplate: (objectClass=posixAccount) 42 46 43 - /sbin/service dirsrv stop44 - Add the scripts schemas to /var/lib/dirsrv/slapd-scripts [XXX: I don't45 know how to do this, but placing them in /etc might be sufficient?]46 47 - Put LDAP keytab (ldap/hostname.mit.edu) in /etc/dirsrv/keytab. 
Make 47 48 sure you chown/chgrp it to be readable by fedora-ds 48 49 - Uncomment and modify in /etc/sysconfig/dirsrv: KRB5_KTNAME=/etc/dirsrv/keytab ; export KRB5_KTNAME 49 - mkdir -p /var/run/dirsrv50 50 - chown fedora-ds:fedora-ds /var/run/dirsrv 51 51 - chmod 755 /var/run/dirsrv 52 - /sbin/service dirsrv restart53 - Use ldapvi -b cn=config to add these indexes :52 - /sbin/service dirsrv start 53 - Use ldapvi -b cn=config to add these indexes (8 of them): 54 54 55 55 add cn=apacheServerName, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config … … 191 191 nsDS5ReplicaBindDN: uid=ldap/whole-enchilada.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu 192 192 nsDS5ReplicaBindDN: uid=ldap/real-mccoy.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu 193 nsDS5ReplicaBindDN: uid=ldap/better-mousetrap.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu 194 nsDS5ReplicaBindDN: uid=ldap/old-faithful.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu 193 195 # ADD SERVERS HERE AS YOU ADD NEW SERVERS 194 196 nsds5ReplicaPurgeDelay: 604800 … … 200 202 weren't we going to replicate from only one server? That is 201 203 correct, however, simply binding won't mean we will receive 202 updates; we have to setup the $MASTER to send data $S ALVE.204 updates; we have to setup the $MASTER to send data $SLAVE. 203 205 204 206 3. Although we allowed those uids to bind, that user information … … 224 226 been one of the hosts mentioned in nsDS5ReplicaBindDN) and tell 225 227 it to replicate to $SLAVE. 228 229 WARNING: There is a known bug doing full updates from 1.2.6 to 230 1.2.6, see https://bugzilla.redhat.com/show_bug.cgi?id=637852 226 231 227 232 add cn="GSSAPI Replication to $SLAVE", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config … … 240 245 nsDS5ReplicaTimeout: 120 241 246 242 4. Run the replication. (you could fold this into the previous step) 247 4. Run the replication. This is perhaps the most risky step of 248 the process; see below for help debugging problems. 
243 249 244 250 # under cn="GSSAPI Replication to $SLAVE", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config … … 285 291 =============== 286 292 287 LDAP multimaster replication can fail in a number of colorful ways. 293 LDAP multimaster replication can fail in a number of colorful ways; 294 combine that with GSSAPI authentication and it goes exponential. 295 296 If authentication is failing with LDAP error 49, check if: 297 298 * /etc/dirsrv/keytab 299 * fedora-ds is able to read /etc/dirsrv/keytab 300 * /etc/hosts has not been modified by Network Manager (you 301 /did/ uninstall it, right? Right?) 302 288 303 If the failure is local to a single master, usually you can recover 289 304 by asking another master to refresh that master with: … … 337 352 ou: People 338 353 339 add uid=ldap/ real-mccoy.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu354 add uid=ldap/whole-enchilada.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu 340 355 objectClass: account 341 356 objectClass: top 342 uid: ldap/ real-mccoy.mit.edu357 uid: ldap/whole-enchilada.mit.edu
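Review bot: the new `root# yum install -y policycoreutils-python` line at step 7 is what resolves the `semanage: command not found` problem, but the unchanged `[XXX: Got error: sh: semanage: command not found; turns out this is in policycoreutils-python. Don't know if this will cause problems.]` note after the password step still reads as an open question; drop it, or reword it to say that installing policycoreutils-python before running setup-ds.pl avoids the error.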
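Review bot: the restore step is labelled "Move the schema back" while the earlier step calls the same directory "the existing slapd-scripts folder"; use one name for it. Also, `cp -R /etc/dirsrv/slapd-scripts.bak/{.svn,*} /etc/dirsrv/slapd-scripts` only does what is intended if setup-ds.pl recreated /etc/dirsrv/slapd-scripts, because cp with several source arguments requires an existing target directory; either state that assumption or put a `mkdir -p /etc/dirsrv/slapd-scripts` in front of it. Minor: the new "then turn it back off: service dirsrv stop" line uses bare `service` where the line above uses `/sbin/service`.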
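Review bot: removing `mkdir -p /var/run/dirsrv` leaves the following `chown fedora-ds:fedora-ds /var/run/dirsrv` and `chmod 755 /var/run/dirsrv` depending on the directory already existing (presumably created by the package or by the earlier "Check if dirsrv starts" step); say so, or keep the mkdir since `-p` is harmless if it exists. The dropped "[XXX: I don't know how to do this, but placing them in /etc might be sufficient?]" item is removed without explanation; one sentence noting that the schema now comes from the restored slapd-scripts directory would close that question for the reader. For the keytab, "readable by fedora-ds" should also say it must not be readable by anyone else (mode 0600 on /etc/dirsrv/keytab), since it holds the ldap/hostname.mit.edu service key.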
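Review bot: the new WARNING names the bug (full updates from 1.2.6 to 1.2.6, bugzilla 637852) but not what the reader will see or what to do about it; add the symptom and whether the workaround is to initialize from a server on a different version or to avoid the full update, so that this failure can be told apart from the ones covered in the debugging section below.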
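Review bot: the first bullet of the new error-49 checklist, "* /etc/dirsrv/keytab", is incomplete; it should say what to check (that the file exists and contains the ldap/hostname.mit.edu principal, which `klist -k /etc/dirsrv/keytab` will show). It would also help to say that LDAP error 49 is "invalid credentials", and why the /etc/hosts check matters: with GSSAPI the service principal is derived from the hostname the server resolves to, so a NetworkManager-rewritten /etc/hosts makes the server look for the wrong principal in the keytab.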
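Review bot: the example account changes from uid=ldap/real-mccoy.mit.edu to uid=ldap/whole-enchilada.mit.edu, but the nsDS5ReplicaBindDN list now names four hosts (whole-enchilada, real-mccoy, better-mousetrap, old-faithful) and only one account entry is shown; state explicitly that one such entry under ou=People is required per host in that list, so that a reader adding a server under "# ADD SERVERS HERE AS YOU ADD NEW SERVERS" also adds the matching account.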