LDAP how is Failover done?
Alejandro Imass
aimass-EzYyMjUkBrFWk0Htik3J/w at public.gmane.org
Sat Aug 6 13:52:32 UTC 2011
OK, so you have 2 options with config:
a) keep using the old slapd.conf file
b) use the new ldif format config structure
I am personally more familiar with (a), which is being deprecated,
but it's easily translatable to (b). So here are the important config
options for a simple master-slave config, YMMV of course....
Remember, this is a very simple warm slave exact replica, but with
OpenLDAP you could do many other exotic things.
GENERAL
--------------
- Make sure you include the _exact_ same schemas on both sides.
- Make sure the suffix is the same on both sides
MASTER
-------------
# Load the syncprov module and identify this server
# Place right after any other module load
moduleload syncprov
serverID 1
# In your DB config...
# Increase cache size to 256MB
dbconfig set_cachesize 0 268435456 0
# for replication you must index at least these:
index objectclass,entryCSN,entryUUID eq
overlay syncprov
# tailor these two to your specific needs
syncprov-checkpoint 10 10
syncprov-sessionlog 10
# I reduce the checkpoint considerably, read docs and tailor to your needs
checkpoint 10 10
# access rules follow....
SLAVE
----------
# right after the moduleloads, identify this server
serverID 2
# note there is no need for syncprov
# same cache size
dbconfig set_cachesize 0 268435456 0
# same indexes
index objectclass,entryCSN,entryUUID eq
# sync details for slave
syncrepl rid=001
    provider=ldap://[MASTER IP HERE]
    bindmethod=simple
    binddn="[ADMIN CN HERE]"
    credentials=[ADMIN PASSWD HERE]
    searchbase="[REPL BASE NODE (note 1)]"
    schemachecking=on
    type=refreshAndPersist
    retry="20 +"
# can leave lazy checkpoint here if you want
checkpoint 512 30
HOW IT WORKS:
1) Set-up your master and load the data
2) Fire up the slave and wait a few seconds (or minutes, depending on the size)
3) Voilà, the slave should be a replica within seconds (or minutes)
No need to load the data on the slave. It should load automagically.
WHEN MASTER FAILS:
1) stop the slapd on both sides (your master may already be dead).
2) Swap the config files (note 2)
3) Change the IPs (slave has master IP now and vice-versa)
4) Start the new master.
5) Create a new slave (or fix old master and now turn it into slave)
Notes:
(1) For this simple example use the same root node suffix for this
(2) how to do this with the new ldif config structure is for you to
research, I'm not too clear on this
For now, and to experiment with simple slapd.conf you can disable the
ldif config altogether by changing the /etc/defaults/ldap to point to
the slapd.conf and deleting the ldif config structure. I don't
recommend this but rather research how all this works with the new
ldif config structure and post it back here so I can learn how ;-)
Best,
--
Alejandro Imass
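The role swap in step 2 of "WHEN MASTER FAILS", scripted for the slapd.conf layout used above, plus the check worth running before you promote a slave. This is an added example, not code from the original post: it rewrites the slave's slapd.conf into a master config (drop the syncrepl stanza, add the syncprov overlay) and a master config back into a slave, and compares the contextCSN of the suffix entry on both servers. The IP addresses, bind DN, password and suffix in it are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Scripts step 2 of the
# "WHEN MASTER FAILS" procedure for the slapd.conf layout shown there, and
# adds a contextCSN check before promoting. IPs, DNs, password: placeholders.

# Slave slapd.conf -> master slapd.conf. Drops the syncrepl stanza (directive
# line plus its indented continuation lines), sets serverID to $1, loads
# syncprov if it is not loaded and puts the overlay after the index line.
promote_to_provider() {
    awk -v sid="$1" '
        /^moduleload[ \t]+syncprov/ { has_mod = 1 }
        /^syncrepl[ \t]/            { inrepl = 1; next }
        inrepl && /^[ \t]/          { next }
        { inrepl = 0 }
        /^serverID[ \t]/ {
            if (!has_mod) { print "moduleload syncprov"; has_mod = 1 }
            print "serverID " sid; next
        }
        /^index[ \t]/ {
            print
            print "overlay syncprov"
            print "syncprov-checkpoint 10 10"
            print "syncprov-sessionlog 10"
            next
        }
        { print }'
}

# Master slapd.conf -> slave slapd.conf (for the repaired old master).
# Removes the overlay and its tuning, sets serverID to $1 and adds a syncrepl
# stanza: $2 provider URL, $3 bind DN, $4 password, $5 searchbase.
demote_to_consumer() {
    awk -v sid="$1" -v prov="$2" -v dn="$3" -v pw="$4" -v base="$5" '
        /^overlay[ \t]+syncprov/ || /^syncprov-/ { next }
        /^serverID[ \t]/ { print "serverID " sid; next }
        /^index[ \t]/ {
            print
            print "syncrepl rid=001"
            print "    provider=" prov
            print "    bindmethod=simple"
            print "    binddn=\"" dn "\""
            print "    credentials=" pw
            print "    searchbase=\"" base "\""
            print "    schemachecking=on"
            print "    type=refreshAndPersist"
            print "    retry=\"20 +\""
            next
        }
        { print }'
}

# contextCSN values of the suffix entry, from the output of
#   ldapsearch -LLL -b "<suffix>" -s base contextCSN
# on each server; sorted so a multi-valued set compares as a whole.
context_csn() {
    sed -n 's/^contextCSN: *//p' | sort
}

# True when the slave has every write the master had. Promote a slave that
# is behind and the writes it never received are gone.
in_sync() {
    [ "$(printf '%s\n' "$1" | context_csn)" = "$(printf '%s\n' "$2" | context_csn)" ]
}

# Constructed sample input (not captured from a real server).
SLAVE_CONF='serverID 2
database hdb
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
dbconfig set_cachesize 0 268435456 0
index objectclass,entryCSN,entryUUID eq
syncrepl rid=001
    provider=ldap://192.0.2.10
    bindmethod=simple
    binddn="cn=admin,dc=example,dc=com"
    credentials=secret
    searchbase="dc=example,dc=com"
    schemachecking=on
    type=refreshAndPersist
    retry="20 +"
checkpoint 512 30'
MASTER_CSN='dn: dc=example,dc=com
contextCSN: 20110806135232.000000Z#000000#001#000000'
SLAVE_CSN='dn: dc=example,dc=com
contextCSN: 20110806135100.000000Z#000000#001#000000'

if in_sync "$MASTER_CSN" "$SLAVE_CSN"; then
    echo "slave is current, safe to promote"
else
    echo "slave is behind the master's last known contextCSN; expect lost writes"
fi
NEW_MASTER=$(printf '%s\n' "$SLAVE_CONF" | promote_to_provider 1)
NEW_SLAVE=$(printf '%s\n' "$NEW_MASTER" | demote_to_consumer 2 ldap://192.0.2.11 \
            "cn=admin,dc=example,dc=com" secret "dc=example,dc=com")
printf '%s\n' "$NEW_MASTER"
```

Run it against a copy of the slave's slapd.conf, diff the result against the old master's file, and only then change the IPs (step 3). Two caveats the sample config carries over from the post: `credentials=` puts the admin password in slapd.conf in clear text, so the file must not be readable by anyone but root (and slapd's user), and `bindmethod=simple` over plain `ldap://` sends that password across the wire in the clear, so use `ldaps://` or add `starttls=critical` to the syncrepl stanza when the two hosts are not on a trusted network.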
On Fri, Aug 5, 2011 at 10:56 PM, John Miles <jmiles242-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> wrote:
> Thank you Alejandro,
>
> Yes, we are using OpenLDAP, running on Ubuntu 10.04
>
>
> On Fri, Aug 5, 2011 at 10:27 AM, Alejandro Imass <aimass-EzYyMjUkBrFWk0Htik3J/w at public.gmane.org>
> wrote:
>>
>> On Fri, Aug 5, 2011 at 7:48 AM, John Miles <jmiles242-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> wrote:
>> > Hi,
>> >
>> > I need some direction on where to start with a solution for replacing
>> > some
>> > LDAP infrastructure.
>> >
>> > We presently have 1 LDAP server.
>> >
>>
>> OpenLDAP?
>>
>> > My manager desires multiple LDAP servers (and so do I for
>> > failover/disaster
>> > recover)
>> >
>>
>> [...]
>>
>> > Model 1:
>>
>> [...]
>>
>>
>> OpenLDAP supports several replication models including n-way
>> replication, and should handle several thousand users on a single
>> server without a hiccup. Unless your set-up is extremely huge your
>> proposed schemes seem overkill IMHO.
>>
>> The easiest scheme in my experience is master -> slave where the slave
>> is just a passive warm stand-by server. When the master goes down,
>> just change the IPs and the config files and re-start the slave as
>> master while you fix the old master to create a new slave. The
>> downtime is minimal and it's easily automatable, and there are no
>> other external components like an LDAP reverse proxy/balancer or
>> anything like that. The truth is, that unless you partition your DIT
>> and use referrals, etc. you will _always_ have a single point of
>> failure so many elaborate schemes are just complications that will
>> bite you down the line.
>>
>> > Anyone have experience setting up something like this?
>> >
>>
>> If it's OpenLDAP I could help out more. Is this only LDAP or LDAP + Samba ?
>>
>> > Thank you!
>> >
>> > John.
>> >
>> --
>> The Toronto Linux Users Group. Meetings: http://gtalug.org/
>> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
>> How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
>
>