To set up a new LDAP server:

- Install the RPM 389-ds-base with yum

    root# yum install -y 389-ds-base

- We want to run the directory server as its own user, so create fedora-ds

    root# env NSS_NONLOCAL_IGNORE=1 useradd -r -d /var/lib/dirsrv fedora-ds

- root# yum install -y policycoreutils-python
- root# /usr/sbin/setup-ds.pl
  - Choose a typical install
  - Tell it to use the fedora-ds user and group
  - Directory server identifier: scripts
    (Needed to remove this from the config file first)
  - Suffix: dc=scripts,dc=mit,dc=edu
  - Input directory manager password
    (this can be found in ~/.ldapvirc)

  [XXX: Got error: sh: semanage: command not found; turns out this is in
  policycoreutils-python. Don't know if this will cause problems.]

- yum install ldapvi
- Check if dirsrv starts: /sbin/service dirsrv start
- Apply the following configuration changes. If you're editing
  dse.ldif, you don't want dirsrv to be on, otherwise it will
  overwrite your changes. [XXX: show how to do these changes with
  dsconf, which is the "blessed" method]

    # Inside cn=config. These changes definitely require a restart.
    nsslapd-ldapifilepath: /var/run/dirsrv/slapd-scripts.socket
    nsslapd-ldapilisten: on

    # Add these blocks

    # mapname, mapping, sasl, config
    # This is the most liberal mapping you can have for SASL: you can
    # basically add authentication for any given GSSAPI mechanism by
    # explicitly creating the UID for that SASL string.
    dn: cn=mapname,cn=mapping,cn=sasl,cn=config
    objectClass: top
    objectClass: nsSaslMapping
    cn: mapname
    nsSaslMapRegexString: \(.*\)
    nsSaslMapBaseDNTemplate: uid=\1,ou=People,dc=scripts,dc=mit,dc=edu
    nsSaslMapFilterTemplate: (objectClass=posixAccount)

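  To make the mapping semantics concrete, here is an added Python model (not code from the page or from 389-ds) of how an nsSaslMapping turns a SASL authentication id into a search base and filter: the regex is matched against the authid and \1 in the templates is replaced by the captured group, so with \(.*\) every authid maps to some uid under ou=People and the only gate is whether such an entry exists. The model assumes a full-string match, and as its own hardening choice RDN-escapes the captured value per RFC 4514 before placing it in the DN (and RFC 4515-escapes it in the filter); STRICT_MAPPING is a constructed contrast that only admits ldap/<host>.mit.edu service principals, not configuration from the page.

```python
import re

# The nsSaslMapping from the page. 389-ds writes the regex in POSIX basic
# syntax, where \( and \) delimit a group; \1 in the templates is the capture.
PAGE_MAPPING = {
    "regex": r"\(.*\)",
    "base_dn": r"uid=\1,ou=People,dc=scripts,dc=mit,dc=edu",
    "filter": "(objectClass=posixAccount)",
}

# Constructed contrast (not from the page): only ldap/<host>.mit.edu service
# principals match; anything else gets no mapping at all.
STRICT_MAPPING = {
    "regex": r"\(ldap/[a-z0-9-]*\.mit\.edu\)",
    "base_dn": r"uid=\1,ou=People,dc=scripts,dc=mit,dc=edu",
    "filter": "(objectClass=posixAccount)",
}


def bre_to_python(pattern):
    """Turn BRE grouping \\( \\) into Python's ( ); the rest of the syntax used here is shared."""
    return pattern.replace(r"\(", "(").replace(r"\)", ")")


def escape_rdn_value(value):
    """RFC 4514 escaping for an attribute value placed inside a DN, so that a
    captured string containing ',' or '=' stays one RDN value instead of
    growing extra DN components."""
    out = []
    for i, ch in enumerate(value):
        special = ch in ',+"\\<>;='
        leading_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, len(value) - 1)
        out.append("\\" + ch if special or leading_hash or edge_space else ch)
    return "".join(out)


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def map_sasl_identity(authid, mapping):
    """Model of nsSaslMapping: match the authid against the regex (full-string
    match assumed) and expand \\N in the DN and filter templates with the
    captured groups. Returns (base_dn, filter), or None when the regex does not match."""
    m = re.fullmatch(bre_to_python(mapping["regex"]), authid)
    if m is None:
        return None

    def expand(template, escape):
        return re.sub(r"\\(\d)", lambda g: escape(m.group(int(g.group(1)))), template)

    return (expand(mapping["base_dn"], escape_rdn_value),
            expand(mapping["filter"], escape_filter_value))


if __name__ == "__main__":
    for authid in ("ldap/bees-knees.mit.edu", "someuser", "foo,ou=Admins"):
        print(authid, "->", map_sasl_identity(authid, PAGE_MAPPING),
              "| strict:", map_sasl_identity(authid, STRICT_MAPPING))
```

  Run stand-alone it prints, for each constructed authid, the base DN and filter the liberal mapping produces next to what the strict one produces; the third authid shows why escaping matters: without it the substituted value would add an ou component to the DN, with it the whole string remains the uid value.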
- /sbin/service dirsrv stop
- Add the scripts schemas to /var/lib/dirsrv/slapd-scripts [XXX: I don't
  know how to do this, but placing them in /etc might be sufficient?]
- Put LDAP keytab (ldap/hostname.mit.edu) in /etc/dirsrv/keytab. Make
  sure you chown/chgrp it to be readable by fedora-ds
- Uncomment and modify in /etc/sysconfig/dirsrv:

    KRB5_KTNAME=/etc/dirsrv/keytab ; export KRB5_KTNAME

- mkdir -p /var/run/dirsrv
- chown fedora-ds:fedora-ds /var/run/dirsrv
- chmod 755 /var/run/dirsrv
- /sbin/service dirsrv restart
- Use ldapvi -b cn=config to add these indexes:

    add cn=apacheServerName, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
    objectClass: top
    objectClass: nsIndex
    cn: apacheServerName
    nsSystemIndex: false
    nsIndexType: eq
    nsIndexType: pres

    add cn=apacheServerAlias, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
    objectClass: top
    objectClass: nsIndex
    cn: apacheServerAlias
    nsSystemIndex: false
    nsIndexType: eq
    nsIndexType: pres

    add cn=scriptsVhostName, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
    objectClass: top
    objectClass: nsIndex
    cn: scriptsVhostName
    nsSystemIndex: false
    nsIndexType: eq
    nsIndexType: pres

    add cn=scriptsVhostAlias, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
    objectClass: top
    objectClass: nsIndex
    cn: scriptsVhostAlias
    nsSystemIndex: false
    nsIndexType: eq
    nsIndexType: pres

    add cn=scriptsVhostAccount, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
    objectClass: top
    objectClass: nsIndex
    cn: scriptsVhostAccount
    nsSystemIndex: false
    nsIndexType: eq
    nsIndexType: pres

    add cn=memberuid, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
    objectClass: top
    objectClass: nsIndex
    cn: memberuid
    nsSystemIndex: false
    nsIndexType: eq
    nsIndexType: pres

    add cn=uidnumber, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
    objectClass: top
    objectClass: nsIndex
    cn: uidnumber
    nsSystemIndex: false
    nsIndexType: eq
    nsIndexType: pres

    add cn=gidnumber, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
    objectClass: top
    objectClass: nsIndex
    cn: gidnumber
    nsSystemIndex: false
    nsIndexType: eq
    nsIndexType: pres

- Build the indexes for all the fields:

    /usr/lib64/dirsrv/slapd-scripts/db2index.pl -D "cn=Directory Manager" -j /etc/signup-ldap-pw -n userRoot

  (/etc/signup-ldap-pw holds the LDAP root password; make sure it's
  chmodded correctly and chowned to signup. Also, make sure it doesn't
  have a trailing newline!)

- Watch for the indexing operations to finish with this command:

    ldapsearch -x -y /etc/signup-ldap-pw -D 'cn=Directory Manager' -b cn=tasks,cn=config

  (look for nsTaskStatus)

- Set up replication.

  We used to tell people to go execute
  http://directory.fedoraproject.org/sources/contrib/mmr.pl manually
  (manually because that script assumes only two masters and we have
  every one of our servers set up as a master.) However, those
  instructions are inaccurate, because we use GSSAPI, not SSL, and
  because the initializing procedure is actually prone to a race
  condition. Here are some better instructions.

  LDAP replication is based around producers and consumers. Producers
  push changes in LDAP to consumers: these arrangements are called
  "replication agreements", and the producer will hold a
  nsDS5ReplicationAgreement object that represents this commitment,
  as well as some extra configuration to say who consumers will accept
  replication data from (a nsDS5Replica).

  The procedure, at a high level, is this:

  1. Pick an arbitrary existing master. The current server will
     be configured as a slave to that master. Initialize a changelog,
     then request a replication to populate our server with
     information.

         M1 <---> M2 ---> S

  2. Configure the new server to be replicated back.

         M1 <---> M2 <---> S

  3. Set up the rest of the replication agreements at your leisure.

         M1 <---> M2
         ^         ^
         |         |
         +--> S <--+

  Here's how you do it.

  1. Pull open the replication part of the database. It's fairly empty
     right now.

         ldapvi -b cn=\"dc=scripts,dc=mit,dc=edu\",cn=mapping\ tree,cn=config

  2. Configure the server $SLAVE (this server) to accept $MASTER
     replications by adding the following LDAP entries:

         add cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config
         objectClass: top
         objectClass: nsDS5Replica
         cn: replica
         nsDS5ReplicaId: $REPLICA_ID
         nsDS5ReplicaRoot: dc=scripts,dc=mit,dc=edu
         nsDS5Flags: 1
         nsDS5ReplicaBindDN: uid=ldap/bees-knees.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
         nsDS5ReplicaBindDN: uid=ldap/busy-beaver.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
         nsDS5ReplicaBindDN: uid=ldap/cats-whiskers.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
         nsDS5ReplicaBindDN: uid=ldap/pancake-bunny.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
         nsDS5ReplicaBindDN: uid=ldap/whole-enchilada.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
         nsDS5ReplicaBindDN: uid=ldap/real-mccoy.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
         # ADD SERVERS HERE AS YOU ADD NEW SERVERS
         nsds5ReplicaPurgeDelay: 604800
         nsds5ReplicaLegacyConsumer: off
         nsDS5ReplicaType: 3

     $REPLICA_ID is the scripts$N number (stella $HOSTNAME to find
     out.) You might wonder why we are binding to all servers;
     weren't we going to replicate from only one server? That is
     correct; however, simply binding won't mean we will receive
     updates; we have to set up $MASTER to send data to $SLAVE.

  3. Although we allowed those uids to bind, that user information
     doesn't exist on $SLAVE yet. So you'll need to create the entry
     for just $MASTER.

         add uid=ldap/$MASTER,ou=People,dc=scripts,dc=mit,dc=edu
         uid: ldap/$MASTER
         objectClass: account
         objectClass: top

  4. Though our $SLAVE will not be making changes to LDAP, we need to
     initialize the changelog because we intend to be able to do this
     later.

         add cn=changelog5,cn=config
         objectclass: top
         objectclass: extensibleObject
         cn: changelog5
         nsslapd-changelogdir: /etc/dirsrv/slapd-scripts/changelogdb

  5. Ok, now go to your $MASTER server that you picked (it should have
     been one of the hosts mentioned in nsDS5ReplicaBindDN) and tell
     it to replicate to $SLAVE.

         add cn="GSSAPI Replication to $SLAVE", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config
         objectClass: top
         objectClass: nsDS5ReplicationAgreement
         cn: "GSSAPI Replication to $SLAVE"
         cn: GSSAPI Replication to $SLAVE
         nsDS5ReplicaHost: $SLAVE
         nsDS5ReplicaRoot: dc=scripts,dc=mit,dc=edu
         nsDS5ReplicaPort: 389
         nsDS5ReplicaTransportInfo: LDAP
         nsDS5ReplicaBindDN: uid=ldap/$MASTER,ou=People,dc=scripts,dc=mit,dc=edu
         nsDS5ReplicaBindMethod: SASL/GSSAPI
         nsDS5ReplicaUpdateSchedule: "0000-2359 0123456"
         nsDS5ReplicaTimeout: 120

  6. Run the replication. (You could fold this into the previous step.)

         # under cn="GSSAPI Replication to $SLAVE", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config
         nsDS5BeginReplicaRefresh: start

  7. Check that the replication is running; the status will be stored
     in the object we've been mucking around with.

     If it fails with LDAP Error 49, check /var/log/dirsrv on $MASTER
     for more information. It might be because fedora-ds can't read
     /etc/dirsrv/keytab.

  8. Replicate in the other direction. On $MASTER, add $SLAVE
     as a nsDS5ReplicaBindDN in cn=replica,cn="dc=scripts,dc=mit,dc=edu",cn=mapping tree,cn=config.
     Also, add an account for $SLAVE:

         add uid=ldap/$SLAVE,ou=People,dc=scripts,dc=mit,dc=edu
         uid: ldap/$SLAVE
         objectClass: account
         objectClass: top

     On $SLAVE,

         add cn="GSSAPI Replication to $MASTER", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config
         objectClass: top
         objectClass: nsDS5ReplicationAgreement
         cn: "GSSAPI Replication to $MASTER"
         cn: GSSAPI Replication to $MASTER
         nsDS5ReplicaHost: $MASTER
         nsDS5ReplicaRoot: dc=scripts,dc=mit,dc=edu
         nsDS5ReplicaPort: 389
         nsDS5ReplicaTransportInfo: LDAP
         nsDS5ReplicaBindDN: uid=ldap/$SLAVE,ou=People,dc=scripts,dc=mit,dc=edu
         nsDS5ReplicaBindMethod: SASL/GSSAPI
         nsDS5ReplicaUpdateSchedule: "0000-2359 0123456"
         nsDS5ReplicaTimeout: 120

  If you get a really scary internal server error, that might mean you
  forgot to initialize the changelog. Remove the replication
  agreement (you'll need to turn off dirsrv), add the changelog, and
  then try again.

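  The high-level step 3 (the rest of the agreements) and step 8 (adding $SLAVE to $MASTER's nsDS5ReplicaBindDN list) are where a hand-edited mesh drifts: every producer needs one agreement per consumer, and every consumer must list every producer's bind DN, or the producer's GSSAPI bind is refused. Here is an added Python planner (example code, not the page's or 389-ds's) that generates the nsDS5Replica and nsDS5ReplicationAgreement entries of a full mesh from a host-to-replica-id table, and checks the invariant that each agreement's bind DN is accepted by its consumer. Hostnames are taken from the page; the replica ids are constructed, and add_host() with update_peers=False reproduces the forgot-to-update-the-masters mistake the check is meant to catch.

```python
SUFFIX = "dc=scripts,dc=mit,dc=edu"
REPLICA_DN = f'cn=replica,cn="{SUFFIX}",cn=mapping tree,cn=config'

# Constructed sample: hostnames from the page, replica ids (the scripts$N
# number) are made up for this example.
SAMPLE_IDS = {"bees-knees.mit.edu": 1, "busy-beaver.mit.edu": 2, "cats-whiskers.mit.edu": 3}


def bind_dn(host):
    """Identity a server's ldap/host Kerberos principal maps to (see the SASL mapping)."""
    return f"uid=ldap/{host},ou=People,{SUFFIX}"


def replica_entry(host, replica_id, allowed_hosts):
    """The nsDS5Replica entry on `host`: who may push replication data to it."""
    lines = [
        f"dn: {REPLICA_DN}",
        "objectClass: top",
        "objectClass: nsDS5Replica",
        "cn: replica",
        f"nsDS5ReplicaId: {replica_id}",
        f"nsDS5ReplicaRoot: {SUFFIX}",
        "nsDS5Flags: 1",
    ]
    lines += [f"nsDS5ReplicaBindDN: {bind_dn(h)}" for h in allowed_hosts]
    lines += ["nsds5ReplicaPurgeDelay: 604800", "nsds5ReplicaLegacyConsumer: off", "nsDS5ReplicaType: 3"]
    return lines


def agreement_entry(producer, consumer):
    """The nsDS5ReplicationAgreement held by `producer`, pushing to `consumer`."""
    cn = f"GSSAPI Replication to {consumer}"
    return [
        f'dn: cn="{cn}",{REPLICA_DN}',
        "objectClass: top",
        "objectClass: nsDS5ReplicationAgreement",
        f"cn: {cn}",
        f"nsDS5ReplicaHost: {consumer}",
        f"nsDS5ReplicaRoot: {SUFFIX}",
        "nsDS5ReplicaPort: 389",
        "nsDS5ReplicaTransportInfo: LDAP",
        f"nsDS5ReplicaBindDN: {bind_dn(producer)}",
        "nsDS5ReplicaBindMethod: SASL/GSSAPI",
        'nsDS5ReplicaUpdateSchedule: "0000-2359 0123456"',
        "nsDS5ReplicaTimeout: 120",
    ]


def plan_mesh(replica_ids):
    """Full multi-master mesh: every host accepts every other host and pushes to every other host."""
    hosts = sorted(replica_ids)
    return {
        h: {
            "replica": replica_entry(h, replica_ids[h], hosts),
            "agreements": {peer: agreement_entry(h, peer) for peer in hosts if peer != h},
        }
        for h in hosts
    }


def add_host(plan, host, replica_id, update_peers=True):
    """Join `host` to an existing mesh. With update_peers=False the existing
    servers' nsDS5ReplicaBindDN lists are left alone, which is the mistake
    check_mesh() is meant to catch."""
    peers = sorted(plan)
    plan[host] = {
        "replica": replica_entry(host, replica_id, peers + [host]),
        "agreements": {p: agreement_entry(host, p) for p in peers},
    }
    for p in peers:
        plan[p]["agreements"][host] = agreement_entry(p, host)
        if update_peers:
            plan[p]["replica"].append(f"nsDS5ReplicaBindDN: {bind_dn(host)}")
    return plan


def check_mesh(plan):
    """(producer, consumer) pairs whose agreement the consumer would refuse because
    the producer's bind DN is missing from the consumer's nsDS5ReplicaBindDN list."""
    prefix = "nsDS5ReplicaBindDN: "
    problems = []
    for producer, cfg in plan.items():
        for consumer in cfg["agreements"]:
            allowed = {l[len(prefix):] for l in plan[consumer]["replica"] if l.startswith(prefix)}
            if bind_dn(producer) not in allowed:
                problems.append((producer, consumer))
    return sorted(problems)


def agreement_count(plan):
    return sum(len(cfg["agreements"]) for cfg in plan.values())


def to_ldif(plan):
    """Render every entry as LDIF, one blank line between entries."""
    blocks = []
    for cfg in plan.values():
        blocks.append("\n".join(cfg["replica"]))
        blocks.extend("\n".join(a) for a in cfg["agreements"].values())
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    mesh = plan_mesh(SAMPLE_IDS)
    print(to_ldif(mesh))
    print("agreements:", agreement_count(mesh), "problems:", check_mesh(mesh))
    stale = add_host(plan_mesh(SAMPLE_IDS), "pancake-bunny.mit.edu", 4, update_peers=False)
    print("new host, peers not updated:", check_mesh(stale))
```

  For three hosts the planner emits six agreements and no problems; adding a fourth host without touching the existing replica entries yields three problems, one per consumer that does not yet list the newcomer's bind DN, which is exactly what step 8 fixes by hand. Running the same check against the entries you actually loaded (for example by diffing against a `ldapsearch -b 'cn=mapping tree,cn=config'` dump) is cheaper than reading /var/log/dirsrv after an Error 49.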
  [XXX: Do we need the referrals?]
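  Both "look for nsTaskStatus" under the indexing step and "the status will be stored in the object" in replication step 7 amount to reading attributes out of ldapsearch output. Here is an added Python reader (example code, not from the page or from 389-ds) that parses ldapsearch LDIF (folded continuation lines, base64 `::` values), summarises the tasks under cn=tasks,cn=config and the replication agreements, and lists agreements whose last init or update carried a non-zero code. The sample output is constructed; nsTaskStatus, nsTaskExitCode, nsds5replicaLastInitStatus, nsds5replicaLastUpdateStatus and nsds5replicaUpdateInProgress are 389-ds attributes, while treating the presence of nsTaskExitCode as task completion and the two status-string shapes ("N text" and "Error (N) text") are this example's assumptions.

```python
import base64
import re

# Constructed ldapsearch-style output (values made up for this example).
SAMPLE_TASKS = """\
# extended LDIF
#
# index userRoot, index, tasks, config
dn: cn=index userRoot,cn=index,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: index userRoot
nsTaskStatus:: SW5kZXhpbmcgY29tcGxldGU=
nsTaskExitCode: 0

# search result
search: 2
result: 0 Success
"""

SAMPLE_AGREEMENTS = """\
dn: cn=GSSAPI Replication to pancake-bunny.mit.edu,cn=replica,cn="dc=scripts,d
 c=mit,dc=edu",cn=mapping tree,cn=config
objectClass: top
objectClass: nsDS5ReplicationAgreement
cn: GSSAPI Replication to pancake-bunny.mit.edu
nsDS5ReplicaHost: pancake-bunny.mit.edu
nsds5replicaLastInitStatus: 49 Replica acquisition failed: bind rejected
nsds5replicaLastUpdateStatus: 0 No replication sessions started since server startup
nsds5replicaUpdateInProgress: FALSE

dn: cn=GSSAPI Replication to busy-beaver.mit.edu,cn=replica,cn="dc=scripts,dc=
 mit,dc=edu",cn=mapping tree,cn=config
objectClass: top
objectClass: nsDS5ReplicationAgreement
cn: GSSAPI Replication to busy-beaver.mit.edu
nsDS5ReplicaHost: busy-beaver.mit.edu
nsds5replicaLastInitStatus: 0 Total update succeeded
nsds5replicaLastUpdateStatus: Error (0) Replica acquired successfully: Incremental update succeeded
nsds5replicaUpdateInProgress: FALSE
"""


def parse_ldif(text):
    """Minimal reader for ldapsearch LDIF output: unfolds continuation lines
    (leading space), decodes 'attr:: base64' values, lowercases attribute names
    and returns one {attr: [values]} dict per block that carries a dn."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical + [""]:
        if not line or line.startswith("#"):
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


STATUS_CODE = re.compile(r"^(?:Error \()?(-?\d+)\)?(?:\s|$)")


def status_code(status):
    """Leading numeric code of a status string ('0 Total update succeeded' or
    'Error (0) ...'); None when the string carries no code."""
    m = STATUS_CODE.match(status)
    return int(m.group(1)) if m else None


def task_summary(entries):
    """One record per task entry; finished once nsTaskExitCode is present (assumption)."""
    out = {}
    for e in entries:
        if "nstaskstatus" not in e and "nstaskexitcode" not in e:
            continue
        code = e.get("nstaskexitcode")
        out[e["dn"][0]] = {
            "status": e.get("nstaskstatus", [""])[0],
            "exit_code": int(code[0]) if code else None,
            "finished": code is not None,
        }
    return out


def replication_summary(entries):
    """Per agreement: last init/update status with parsed codes and the in-progress flag."""
    out = {}
    for e in entries:
        if "nsds5replicationagreement" not in {c.lower() for c in e.get("objectclass", [])}:
            continue
        init = e.get("nsds5replicalastinitstatus", [""])[0]
        upd = e.get("nsds5replicalastupdatestatus", [""])[0]
        out[e["nsds5replicahost"][0]] = {
            "init_status": init, "init_code": status_code(init),
            "update_status": upd, "update_code": status_code(upd),
            "in_progress": e.get("nsds5replicaupdateinprogress", ["FALSE"])[0].upper() == "TRUE",
        }
    return out


def failed_agreements(entries):
    """Consumer hosts whose last initialization or update reported a non-zero code."""
    return sorted(h for h, s in replication_summary(entries).items()
                  if (s["init_code"] or 0) != 0 or (s["update_code"] or 0) != 0)


if __name__ == "__main__":
    print(task_summary(parse_ldif(SAMPLE_TASKS)))
    print(failed_agreements(parse_ldif(SAMPLE_AGREEMENTS)))
```

  Feed it the output of the ldapsearch from the indexing step, or of the same search with `-b 'cn=mapping tree,cn=config'` for the agreements, and loop until every task reports finished and failed_agreements() is empty; a 49 in the init status is the case the text above tells you to chase in /var/log/dirsrv on $MASTER.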