Changeset 2066 for trunk/server/doc/install-ldap

Timestamp:

Nov 22, 2011, 12:45:17 AM (13 years ago)

Author:

achernya

Message:

Merge branches/fc15-dev to trunk

Location:

trunk

Files:

• . (modified) (1 prop)
• server/doc/install-ldap (modified) (11 diffs)

trunk/server/doc/install-ldap

@@ -1 @@
-To set up a new LDAP server:
-
-- Install the RPM 389-ds-base with yum (these are installed by kickstart
-  these days, so these two steps are probably not necessary)
-  root# yum install -y 389-ds-base
-  root# yum install -y policycoreutils-python
-  root# yum install -y ldapvi
-- We want to run the directory server as its own user, so create fedora-ds
-  root# useradd -r -d /var/lib/dirsrv fedora-ds
-- Temporarily move away the existing slapd-scripts folder
-  root# mv /etc/dirsrv/slapd-scripts{,.bak}
-- root# /usr/sbin/setup-ds.pl
-    - Choose a typical install
-    - Tell it to use the fedora-ds user and group
-    - Directory server identifier: scripts
-        Needed to remove this from the config file first
-    - Suffix: dc=scripts,dc=mit,dc=edu
-    - Input directory manager password
-      (this can be found in  ~/.ldapvirc)
-- Move the schema back
-  root# cp -R /etc/dirsrv/slapd-scripts.bak/{.svn,*} /etc/dirsrv/slapd-scripts
-  root# rm -Rf /etc/dirsrv/slapd-scripts.bak
-- Turn dirsrv off: service dirsrv stop
-- Apply the following configuration changes.  If you're editing
-  dse.ldif, you don't want dirsrv to be on, otherwise it will
-  overwrite your changes. [XXX: show how to do these changes with
-  dsconf, which is the "blessed" method]
+# To set up a new LDAP server:
+
+# Temporarily move away the existing slapd-scripts folder
+mv /etc/dirsrv/slapd-scripts{,.bak}
+
+# Setup directory server
+/usr/sbin/setup-ds.pl
+#   - Choose a typical install
+#   - Tell it to use the fedora-ds user and group
+#   - Directory server identifier: scripts
+#   - Suffix: dc=scripts,dc=mit,dc=edu
+#   - Input directory manager password
+#     (this can be found in  ~/.ldapvirc)
+
+# Move the schema back
+cp -R /etc/dirsrv/slapd-scripts.bak/{.svn,*} /etc/dirsrv/slapd-scripts
+rm -Rf /etc/dirsrv/slapd-scripts.bak
+
+# Turn dirsrv off:
+systemctl stop dirsrv.service
+
+# Apply the following configuration changes.  If you're editing
+# dse.ldif, you don't want dirsrv to be on, otherwise it will
+# overwrite your changes. [XXX: show how to do these changes with
+# dsconf, which is the "blessed" method, although it seems
+# dsconf only exists for Red Hat]
+
+vim /etc/dirsrv/slapd-scripts/dse.ldif
+<<<EOF
 
 # Inside cn=config.  These changes definitely require a restart.
-nsslapd-ldapifilepath: /var/run/slapd-scripts.socket
 nsslapd-ldapilisten: on
 nsslapd-syntaxcheck: off
+
+# We need to turn off syntax check because our schema is wrong and too
+# restrictive on some value. This should get fixed.
 
 # Add these blocks
@@ -46 +50 @@
 nsSaslMapFilterTemplate: (objectClass=posixAccount)
 
-- Put LDAP keytab (ldap/hostname.mit.edu) in /etc/dirsrv/keytab.  Make
-  sure you chown/chgrp it to be readable by fedora-ds
-- Uncomment and modify in /etc/sysconfig/dirsrv: KRB5_KTNAME=/etc/dirsrv/keytab ; export KRB5_KTNAME
-- chown fedora-ds:fedora-ds /var/run/dirsrv
-- chown fedora-ds /etc/dirsrv/keytab
-- /sbin/service dirsrv start
-- Use ldapvi -b cn=config to add these indexes (8 of them):
+EOF;
+
+systemctl start dirsrv.service
+
+ldapvi -b cn=config
+# Add these indexes (8 of them):
+
+<<<EOF
 
 add cn=apacheServerName, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
@@ -117 +122 @@
 nsIndexType: eq
 nsIndexType: pres
+
+EOF;
 
 - Build the indexes for all the fields:
@@ -181 +188 @@
 
   Here's how you do it.
+
+  NOTE: There's this spiffy new tool MMR hammer which automates some of
+  this process.  Check the "MMR Hammer" sections to see how.  Install it
+  here:  https://github.com/ezyang/mmr-hammer
 
     0. Tell -c scripts not to go off and reboot servers until you're
@@ -209 +220 @@
 nsDS5ReplicaBindDN: uid=ldap/old-faithful.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
 nsDS5ReplicaBindDN: uid=ldap/shining-armor.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
+nsDS5ReplicaBindDN: uid=ldap/golden-egg.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
 nsds5ReplicaPurgeDelay: 604800
 nsds5ReplicaLegacyConsumer: off
@@ -223 +235 @@
        for just $MASTER.
 
+       REMEMBER: You need to use FOO.mit.edu for the names!  Otherwise you will get
+       unauthorized errors.
+
 add uid=ldap/$MASTER,ou=People,dc=scripts,dc=mit,dc=edu
 uid: ldap/$MASTER
@@ -245 +260 @@
        risky step of the process; see below for help debugging problems.
 
-       WARNING: There is a known bug doing full updates from 1.2.6 to
-       1.2.6, see https://bugzilla.redhat.com/show_bug.cgi?id=637852
+       MMR Hammer: mmr-hammer -h $MASTER init agreements $SLAVE
+
+        ldapvi -b cn=\"dc=scripts,dc=mit,dc=edu\",cn=mapping\ tree,cn=config
 
 add cn="GSSAPI Replication to $SLAVE", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config
@@ -268 +284 @@
     If it fails with LDAP Error 49, check /var/log/dirsrv on $MASTER
     for more information.  It might be because fedora-ds can't read
-    /etc/dirsrv/keytab
+    /etc/dirsrv/keytab or because you setup the account on the SLAVE
+    incorrectly.
 
     6. Replicate in the other direction.  On $MASTER, add $SLAVE
     as a nsDS5ReplicaBindDN in cn=replica,cn="dc=scripts,dc=mit,dc=edu",cn=mapping tree,cn=config
-    Also, add an account for $SLAVE
+    Also, add an account for $SLAVE if it doesn't exist already.
 
 add uid=ldap/$SLAVE,ou=People,dc=scripts,dc=mit,dc=edu
@@ -280 +297 @@
 
     On $SLAVE,
+
+       MMR Hammer: mmr-hammer -h $SLAVE init agreements $MASTER
 
 add cn="GSSAPI Replication to $MASTER", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config
@@ -308 +327 @@
     new server.
 
+    With MMR hammer, that's something like:
+
+        for i in $SERVER_NAMES; do mmr-hammer -h $i init agreements $SERVER_NAMES; done
+
     8. If at this point you look at the new server's changelog with
     cl-dump (preferably /mit/scripts/admin/cl-dump.pl, to not prompt you
@@ -316 +339 @@
     also good for making sure the replication agreements actually work.
 
+    With MMR hammer, that's something like:
+
+        for i in $SERVER_NAMES; do mmr-hammer -h $i test; sleep 20; done
+
 Troubleshooting
 ===============