| 1 | # b | 
|---|
| 2 | # To set up a new LDAP server: | 
|---|
| 3 |  | 
|---|
| 4 | # Temporarily move away the existing slapd-scripts folder | 
|---|
| 5 | mv /etc/dirsrv/slapd-scripts{,.bak} | 
|---|
| 6 |  | 
|---|
| 7 | # Setup directory server | 
|---|
| 8 | /usr/sbin/setup-ds.pl | 
|---|
| 9 | #   - Choose a typical install | 
|---|
| 10 | #   - Tell it to use the fedora-ds user and group | 
|---|
| 11 | #   - Directory server identifier: scripts | 
|---|
| 12 | #   - Suffix: dc=scripts,dc=mit,dc=edu | 
|---|
| 13 | #   - Input directory manager password | 
|---|
| 14 | #     (this can be found in  ~/.ldapvirc) | 
|---|
| 15 |  | 
|---|
| 16 | # Move the schema back | 
|---|
| 17 | cp -R /etc/dirsrv/slapd-scripts.bak/* /etc/dirsrv/slapd-scripts | 
|---|
| 18 | rm -Rf /etc/dirsrv/slapd-scripts.bak | 
|---|
| 19 |  | 
|---|
| 20 | # Check and make sure the sysconfig references the correct keytab | 
|---|
| 21 | svn revert /etc/sysconfig/dirsrv-scripts | 
|---|
| 22 |  | 
|---|
| 23 | # Turn dirsrv off: | 
|---|
| 24 | systemctl stop dirsrv@scripts.service | 
|---|
| 25 |  | 
|---|
| 26 | # Apply the following configuration changes.  If you're editing | 
|---|
| 27 | # dse.ldif, you don't want dirsrv to be on, otherwise it will | 
|---|
| 28 | # overwrite your changes. [XXX: show how to do these changes with | 
|---|
| 29 | # dsconf, which is the "blessed" method, although it seems | 
|---|
| 30 | # dsconf only exists for Red Hat] | 
|---|
| 31 |  | 
|---|
| 32 | vim /etc/dirsrv/slapd-scripts/dse.ldif | 
|---|
| 33 | <<<EOF | 
|---|
| 34 |  | 
|---|
| 35 | # Inside cn=config.  These changes definitely require a restart. | 
|---|
| 36 | nsslapd-ldapilisten: on | 
|---|
| 37 |  | 
|---|
| 38 | # Add these blocks | 
|---|
| 39 |  | 
|---|
| 40 | # mapname, mapping, sasl, config | 
|---|
| 41 | # This is the most liberal mapping you can have for SASL: the regex maps | 
|---|
| 42 | # any authenticated GSSAPI principal to the uid matching its SASL string, | 
|---|
| 43 | # so you grant access to a principal simply by explicitly creating that UID. | 
|---|
| 44 | dn: cn=mapname,cn=mapping,cn=sasl,cn=config | 
|---|
| 45 | objectClass: top | 
|---|
| 46 | objectClass: nsSaslMapping | 
|---|
| 47 | cn: mapname | 
|---|
| 48 | nsSaslMapRegexString: \(.*\) | 
|---|
| 49 | nsSaslMapBaseDNTemplate: uid=\1,ou=People,dc=scripts,dc=mit,dc=edu | 
|---|
| 50 | nsSaslMapFilterTemplate: (objectClass=posixAccount) | 
|---|
| 51 |  | 
|---|
| 52 | EOF; | 
|---|
| 53 |  | 
|---|
| 54 | systemctl start dirsrv@scripts.service | 
|---|
| 55 |  | 
|---|
| 56 | ldapvi -b cn=config | 
|---|
| 57 | # Add these indexes (8 of them): | 
|---|
| 58 |  | 
|---|
| 59 | <<<EOF | 
|---|
| 60 |  | 
|---|
| 61 | add cn=apacheServerName, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config | 
|---|
| 62 | objectClass: top | 
|---|
| 63 | objectClass: nsIndex | 
|---|
| 64 | cn: apacheServerName | 
|---|
| 65 | nsSystemIndex: false | 
|---|
| 66 | nsIndexType: eq | 
|---|
| 67 | nsIndexType: pres | 
|---|
| 68 |  | 
|---|
| 69 | add cn=apacheServerAlias, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config | 
|---|
| 70 | objectClass: top | 
|---|
| 71 | objectClass: nsIndex | 
|---|
| 72 | cn: apacheServerAlias | 
|---|
| 73 | nsSystemIndex: false | 
|---|
| 74 | nsIndexType: eq | 
|---|
| 75 | nsIndexType: pres | 
|---|
| 76 |  | 
|---|
| 77 | add cn=scriptsVhostName, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config | 
|---|
| 78 | objectClass: top | 
|---|
| 79 | objectClass: nsIndex | 
|---|
| 80 | cn: scriptsVhostName | 
|---|
| 81 | nsSystemIndex: false | 
|---|
| 82 | nsIndexType: eq | 
|---|
| 83 | nsIndexType: pres | 
|---|
| 84 |  | 
|---|
| 85 | add cn=scriptsVhostAlias, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config | 
|---|
| 86 | objectClass: top | 
|---|
| 87 | objectClass: nsIndex | 
|---|
| 88 | cn: scriptsVhostAlias | 
|---|
| 89 | nsSystemIndex: false | 
|---|
| 90 | nsIndexType: eq | 
|---|
| 91 | nsIndexType: pres | 
|---|
| 92 |  | 
|---|
| 93 | add cn=scriptsVhostAccount, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config | 
|---|
| 94 | objectClass: top | 
|---|
| 95 | objectClass: nsIndex | 
|---|
| 96 | cn: scriptsVhostAccount | 
|---|
| 97 | nsSystemIndex: false | 
|---|
| 98 | nsIndexType: eq | 
|---|
| 99 | nsIndexType: pres | 
|---|
| 100 |  | 
|---|
| 101 | add cn=memberuid, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config | 
|---|
| 102 | objectClass: top | 
|---|
| 103 | objectClass: nsIndex | 
|---|
| 104 | cn: memberuid | 
|---|
| 105 | nsSystemIndex: false | 
|---|
| 106 | nsIndexType: eq | 
|---|
| 107 | nsIndexType: pres | 
|---|
| 108 |  | 
|---|
| 109 | add cn=uidnumber, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config | 
|---|
| 110 | objectClass: top | 
|---|
| 111 | objectClass: nsIndex | 
|---|
| 112 | cn: uidnumber | 
|---|
| 113 | nsSystemIndex: false | 
|---|
| 114 | nsIndexType: eq | 
|---|
| 115 | nsIndexType: pres | 
|---|
| 116 |  | 
|---|
| 117 | add cn=gidnumber, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config | 
|---|
| 118 | objectClass: top | 
|---|
| 119 | objectClass: nsIndex | 
|---|
| 120 | cn: gidnumber | 
|---|
| 121 | nsSystemIndex: false | 
|---|
| 122 | nsIndexType: eq | 
|---|
| 123 | nsIndexType: pres | 
|---|
| 124 |  | 
|---|
| 125 | EOF; | 
|---|
| 126 |  | 
|---|
| 127 | - Build the indexes for all the fields: | 
|---|
| 128 |  | 
|---|
| 129 | /usr/lib64/dirsrv/slapd-scripts/db2index.pl -D "cn=Directory Manager" -j /etc/signup-ldap-pw -n userRoot | 
|---|
| 130 |  | 
|---|
| 131 | (/etc/signup-ldap-pw holds the LDAP root password; make sure its file | 
|---|
| 132 | permissions are restricted appropriately and that it is owned by signup. | 
|---|
| 133 | Also, make sure it doesn't have a trailing newline!) | 
|---|
| 134 |  | 
|---|
| 135 | -  Watch for the indexing operations to finish with this command: | 
|---|
| 136 |  | 
|---|
| 137 | ldapsearch -x -y /etc/signup-ldap-pw -D 'cn=Directory Manager' -b cn=tasks,cn=config | 
|---|
| 138 |  | 
|---|
| 139 | (look for the nsTaskStatus attribute) | 
|---|
| 140 |  | 
|---|
| 141 | - Set up replication. | 
|---|
| 142 |  | 
|---|
| 143 | We used to tell people to go execute | 
|---|
| 144 | http://directory.fedoraproject.org/sources/contrib/mmr.pl manually | 
|---|
| 145 | (manually because that script assumes only two masters and we have | 
|---|
| 146 | every one of our servers set up as a master.)  However, those | 
|---|
| 147 | instructions are inaccurate, because we use GSSAPI, not SSL and | 
|---|
| 148 | because the initializing procedure is actually prone to a race | 
|---|
| 149 | condition.  Here are some better instructions. | 
|---|
| 150 |  | 
|---|
| 151 | LDAP replication is based around producers and consumers.  Producers | 
|---|
| 152 | push changes in LDAP to consumers: these arrangements are called | 
|---|
| 153 | "replication agreements" and the producer will hold a | 
|---|
| 154 | nsDS5ReplicationAgreement object that represents this commitment, | 
|---|
| 155 | as well as some extra configuration on the consumer saying whom it will | 
|---|
| 156 | accept replication data from (an nsDS5Replica). | 
|---|
| 157 |  | 
|---|
| 158 | The procedure, at a high level, is this: | 
|---|
| 159 |  | 
|---|
| 160 | 1. Pick an arbitrary existing master.  The current server will | 
|---|
| 161 | be configured as a slave to that master.  Initialize a changelog, | 
|---|
| 162 | then request a replication to populate our server with | 
|---|
| 163 | information. | 
|---|
| 164 |  | 
|---|
| 165 | M1 <---> M2 ---> S | 
|---|
| 166 |  | 
|---|
| 167 | 2. Configure the new server to be replicated back. | 
|---|
| 168 |  | 
|---|
| 169 | M1 <---> M2 <---> S | 
|---|
| 170 |  | 
|---|
| 171 | 3. Set up the rest of the replication agreements. | 
|---|
| 172 |  | 
|---|
| 173 | M1 <---> M2 | 
|---|
| 174 | ^         ^ | 
|---|
| 175 | |         | | 
|---|
| 176 | +--> S <--+ | 
|---|
| 177 |  | 
|---|
| 178 | 4. Push a change from every existing server (to the new server), and | 
|---|
| 179 | then a change from the new server to (all) the existing servers. | 
|---|
| 180 | In addition to merely testing that replication works, this will | 
|---|
| 181 | set up the servers' changelogs properly. | 
|---|
| 182 |  | 
|---|
| 183 | If this step is not completed before any server's LDAP server | 
|---|
| 184 | shuts down, then the replication agreements will fall apart the | 
|---|
| 185 | next time a change is made. You may wish to intentionally reboot | 
|---|
| 186 | any servers that look like they want to crash _before_ beginning | 
|---|
| 187 | this process. | 
|---|
| 188 |  | 
|---|
| 189 | Here's how you do it. | 
|---|
| 190 |  | 
|---|
| 191 | NOTE: There's this spiffy new tool MMR hammer which automates some of | 
|---|
| 192 | this process.  Check the "MMR Hammer" sections to see how.  Install it | 
|---|
| 193 | here:  https://github.com/ezyang/mmr-hammer | 
|---|
| 194 |  | 
|---|
| 195 | 0. Tell -c scripts not to go off and reboot servers until you're | 
|---|
| 196 | done (or to get any rebooting done with first). | 
|---|
| 197 |  | 
|---|
| 198 | 1. Pull open the replication part of the database. It's fairly empty | 
|---|
| 199 | right now. | 
|---|
| 200 |  | 
|---|
| 201 | ldapvi -b cn=\"dc=scripts,dc=mit,dc=edu\",cn=mapping\ tree,cn=config | 
|---|
| 202 |  | 
|---|
| 203 | 2. Configure the server $SLAVE (this server) to accept $MASTER | 
|---|
| 204 | replications by adding the following LDAP entries: | 
|---|
| 205 |  | 
|---|
| 206 | add cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config | 
|---|
| 207 | objectClass: top | 
|---|
| 208 | objectClass: nsDS5Replica | 
|---|
| 209 | cn: replica | 
|---|
| 210 | nsDS5ReplicaId: $REPLICA_ID | 
|---|
| 211 | nsDS5ReplicaRoot: dc=scripts,dc=mit,dc=edu | 
|---|
| 212 | nsDS5Flags: 1 | 
|---|
| 213 | nsDS5ReplicaBindDN: uid=ldap/bees-knees.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu | 
|---|
| 214 | nsDS5ReplicaBindDN: uid=ldap/busy-beaver.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu | 
|---|
| 215 | nsDS5ReplicaBindDN: uid=ldap/cats-whiskers.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu | 
|---|
| 216 | nsDS5ReplicaBindDN: uid=ldap/pancake-bunny.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu | 
|---|
| 217 | nsDS5ReplicaBindDN: uid=ldap/whole-enchilada.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu | 
|---|
| 218 | nsDS5ReplicaBindDN: uid=ldap/real-mccoy.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu | 
|---|
| 219 | nsDS5ReplicaBindDN: uid=ldap/better-mousetrap.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu | 
|---|
| 220 | nsDS5ReplicaBindDN: uid=ldap/old-faithful.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu | 
|---|
| 221 | nsDS5ReplicaBindDN: uid=ldap/shining-armor.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu | 
|---|
| 222 | nsDS5ReplicaBindDN: uid=ldap/golden-egg.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu | 
|---|
| 223 | nsDS5ReplicaBindDN: uid=ldap/miracle-cure.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu | 
|---|
| 224 | nsDS5ReplicaBindDN: uid=ldap/lucky-star.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu | 
|---|
| 225 | nsds5ReplicaPurgeDelay: 604800 | 
|---|
| 226 | nsds5ReplicaLegacyConsumer: off | 
|---|
| 227 | nsDS5ReplicaType: 3 | 
|---|
| 228 |  | 
|---|
| 229 | $REPLICA_ID is the scripts$N number (stella $HOSTNAME to find | 
|---|
| 230 | out.)  You might wonder why we are allowing all servers to bind; | 
|---|
| 231 | weren't we going to replicate from only one server?  That is | 
|---|
| 232 | correct; however, merely allowing a server to bind doesn't mean we will | 
|---|
| 233 | receive updates from it; we still have to set up $MASTER to send data to $SLAVE. | 
|---|
| 234 |  | 
|---|
| 235 | 3. Although we allowed those uids to bind, that user information | 
|---|
| 236 | doesn't exist on $SLAVE yet.  So you'll need to create the entry | 
|---|
| 237 | for just $MASTER. | 
|---|
| 238 |  | 
|---|
| 239 | REMEMBER: You need to use the fully qualified hostname (FOO.mit.edu) for the | 
|---|
| 240 | names!  Otherwise you will get unauthorized errors. | 
|---|
| 241 |  | 
|---|
| 242 | add uid=ldap/$MASTER,ou=People,dc=scripts,dc=mit,dc=edu | 
|---|
| 243 | uid: ldap/$MASTER | 
|---|
| 244 | objectClass: account | 
|---|
| 245 | objectClass: top | 
|---|
| 246 |  | 
|---|
| 247 | 4. Though our $SLAVE will not be making changes to LDAP, we need to | 
|---|
| 248 | initialize the changelog because we intend to be able to do this | 
|---|
| 249 | later. | 
|---|
| 250 |  | 
|---|
| 251 | add cn=changelog5,cn=config | 
|---|
| 252 | objectclass: top | 
|---|
| 253 | objectclass: extensibleObject | 
|---|
| 254 | cn: changelog5 | 
|---|
| 255 | nsslapd-changelogdir: /etc/dirsrv/slapd-scripts/changelogdb | 
|---|
| 256 |  | 
|---|
| 257 | 5. Ok, now go to your $MASTER server that you picked (it should have | 
|---|
| 258 | been one of the hosts mentioned in nsDS5ReplicaBindDN) and tell | 
|---|
| 259 | it to replicate to $SLAVE. | 
|---|
| 260 |  | 
|---|
| 261 | The last line runs the replication.  This is perhaps the most | 
|---|
| 262 | risky step of the process; see below for help debugging problems. | 
|---|
| 263 |  | 
|---|
| 264 | MMR Hammer: | 
|---|
| 265 | mmr-hammer -h $MASTER init agreements $SLAVE | 
|---|
| 266 | mmr-hammer -h $MASTER update $SLAVE # XXX pick a better name | 
|---|
| 267 |  | 
|---|
| 268 | ldapvi -b cn=\"dc=scripts,dc=mit,dc=edu\",cn=mapping\ tree,cn=config | 
|---|
| 269 |  | 
|---|
| 270 | add cn="GSSAPI Replication to $SLAVE", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config | 
|---|
| 271 | objectClass: top | 
|---|
| 272 | objectClass: nsDS5ReplicationAgreement | 
|---|
| 273 | cn: "GSSAPI Replication to $SLAVE" | 
|---|
| 274 | cn: GSSAPI Replication to $SLAVE | 
|---|
| 275 | nsDS5ReplicaHost: $SLAVE | 
|---|
| 276 | nsDS5ReplicaRoot: dc=scripts,dc=mit,dc=edu | 
|---|
| 277 | nsDS5ReplicaPort: 389 | 
|---|
| 278 | nsDS5ReplicaTransportInfo: LDAP | 
|---|
| 279 | nsDS5ReplicaBindDN: uid=ldap/$MASTER,ou=People,dc=scripts,dc=mit,dc=edu | 
|---|
| 280 | nsDS5ReplicaBindMethod: SASL/GSSAPI | 
|---|
| 281 | nsDS5ReplicaUpdateSchedule: "0000-2359 0123456" | 
|---|
| 282 | nsDS5ReplicaTimeout: 120 | 
|---|
| 283 | nsDS5BeginReplicaRefresh: start | 
|---|
| 284 |  | 
|---|
| 285 | 5. Check that the replication is running; the status will be stored | 
|---|
| 286 | in the object we've been mucking around with. | 
|---|
| 287 |  | 
|---|
| 288 | If it fails with LDAP Error 49, check /var/log/dirsrv on $MASTER | 
|---|
| 289 | for more information.  It might be because fedora-ds can't read | 
|---|
| 290 | /etc/dirsrv/keytab or because you set up the account on $SLAVE | 
|---|
| 291 | incorrectly (step 3). | 
|---|
| 292 |  | 
|---|
| 293 | 6. Replicate in the other direction.  On $MASTER, add the DN for $SLAVE | 
|---|
| 294 | as an nsDS5ReplicaBindDN value in cn=replica,cn="dc=scripts,dc=mit,dc=edu",cn=mapping tree,cn=config. | 
|---|
| 295 | Also, add an account for $SLAVE if it doesn't exist already: | 
|---|
| 296 |  | 
|---|
| 297 | add uid=ldap/$SLAVE,ou=People,dc=scripts,dc=mit,dc=edu | 
|---|
| 298 | uid: ldap/$SLAVE | 
|---|
| 299 | objectClass: account | 
|---|
| 300 | objectClass: top | 
|---|
| 301 |  | 
|---|
| 302 | On $SLAVE, | 
|---|
| 303 |  | 
|---|
| 304 | MMR Hammer: mmr-hammer -h $SLAVE init agreements $MASTER | 
|---|
| 305 |  | 
|---|
| 306 | add cn="GSSAPI Replication to $MASTER", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config | 
|---|
| 307 | objectClass: top | 
|---|
| 308 | objectClass: nsDS5ReplicationAgreement | 
|---|
| 309 | cn: "GSSAPI Replication to $MASTER" | 
|---|
| 310 | cn: GSSAPI Replication to $MASTER | 
|---|
| 311 | nsDS5ReplicaHost: $MASTER | 
|---|
| 312 | nsDS5ReplicaRoot: dc=scripts,dc=mit,dc=edu | 
|---|
| 313 | nsDS5ReplicaPort: 389 | 
|---|
| 314 | nsDS5ReplicaTransportInfo: LDAP | 
|---|
| 315 | nsDS5ReplicaBindDN: uid=ldap/$SLAVE,ou=People,dc=scripts,dc=mit,dc=edu | 
|---|
| 316 | nsDS5ReplicaBindMethod: SASL/GSSAPI | 
|---|
| 317 | nsDS5ReplicaUpdateSchedule: "0000-2359 0123456" | 
|---|
| 318 | nsDS5ReplicaTimeout: 120 | 
|---|
| 319 |  | 
|---|
| 320 | If you get a really scary internal server error, that might mean you | 
|---|
| 321 | forgot to initialize the changelog.  Remove the replication | 
|---|
| 322 | agreement (you'll need to turn off dirsrv), add the changelog, and | 
|---|
| 323 | then try again. | 
|---|
| 324 |  | 
|---|
| 325 | 7. Repeat step 6 to complete the graph of replications (i.e., from | 
|---|
| 326 | every other server to the new server, and from the new server to | 
|---|
| 327 | every other server). | 
|---|
| 328 |  | 
|---|
| 329 | Note the only difference between steps 5 and 6 is the lack of | 
|---|
| 330 | nsDS5BeginReplicaRefresh: start. That only needs to be done once, to the | 
|---|
| 331 | new server. | 
|---|
| 332 |  | 
|---|
| 333 | With MMR hammer, that's something like: | 
|---|
| 334 |  | 
|---|
| 335 | for i in $SERVER_NAMES; do mmr-hammer -h $i init agreements $SERVER_NAMES; done | 
|---|
| 336 |  | 
|---|
| 337 | 8. If at this point you look at the new server's changelog with | 
|---|
| 338 | cl-dump (preferably /mit/scripts/admin/cl-dump.pl, to not prompt you | 
|---|
| 339 | for a password), you won't see the servers you added in step 7. So, | 
|---|
| 340 | from each of those servers, make a change to some record so it gets | 
|---|
| 341 | propagated to the new server, and then one from the new server so it | 
|---|
| 342 | gets propagated to all the existing servers' changelogs. This is | 
|---|
| 343 | also good for making sure the replication agreements actually work. | 
|---|
| 344 |  | 
|---|
| 345 | With MMR hammer, that's something like: | 
|---|
| 346 |  | 
|---|
| 347 | for i in $SERVER_NAMES; do mmr-hammer -h $i test; sleep 20; done | 
|---|
| 348 |  | 
|---|
| 349 | Troubleshooting | 
|---|
| 350 | =============== | 
|---|
| 351 |  | 
|---|
| 352 | LDAP multimaster replication can fail in a number of colorful ways; | 
|---|
| 353 | combine that with GSSAPI authentication and it goes exponential. | 
|---|
| 354 |  | 
|---|
| 355 | If authentication is failing with LDAP error 49, check if: | 
|---|
| 356 |  | 
|---|
| 357 | * /etc/dirsrv/keytab exists | 
|---|
| 358 | * fedora-ds is able to read /etc/dirsrv/keytab | 
|---|
| 359 | * /etc/hosts has not been modified by Network Manager (you | 
|---|
| 360 | /did/ uninstall it, right? Right?) | 
|---|
| 361 |  | 
|---|
| 362 | If the failure is local to a single master, usually you can recover | 
|---|
| 363 | by asking another master to refresh that master with: | 
|---|
| 364 |  | 
|---|
| 365 | nsDS5BeginReplicaRefresh: start | 
|---|
| 366 |  | 
|---|
| 367 | In practice, we've also had problems with this technique.  Some of them | 
|---|
| 368 | include: | 
|---|
| 369 |  | 
|---|
| 370 | * Something like https://bugzilla.redhat.com/show_bug.cgi?id=547503 | 
|---|
| 371 | on Fedora 11 ns-slapd, where replication is turned off to do the | 
|---|
| 372 | replication, but then it wedges and you need to forcibly kill the | 
|---|
| 373 | process. | 
|---|
| 374 |  | 
|---|
| 375 | * Failed LDAP authentication because another master attempted to do | 
|---|
| 376 | an incremental update. | 
|---|
| 377 |  | 
|---|
| 378 | * Repropagation of the error because the corrupt master thinks it still | 
|---|
| 379 | should push updates. | 
|---|
| 380 |  | 
|---|
| 381 | So the extremely safe method to bring up a crashed master is as follows: | 
|---|
| 382 |  | 
|---|
| 383 | 1. Disable all incoming and outgoing replication agreements by editing | 
|---|
| 384 | /etc/dirsrv/slapd-scripts/dse.ldif. You'll need to munge: | 
|---|
| 385 |  | 
|---|
| 386 | nsDS5ReplicaBindDN in cn=replica,cn=dc\3Dscripts\2Cdc\3Dmit\2Cdc\3Dedu,cn=mapping tree,cn=config | 
|---|
| 387 |  | 
|---|
| 388 | and all of the push agreements.  Deleting them outright works, but | 
|---|
| 389 | means you'll have to reconstruct all of the agreements from scratch. | 
|---|
| 390 |  | 
|---|
| 391 | 2. Bring up the server. | 
|---|
| 392 |  | 
|---|
| 393 | 3. Accept incoming replication data from a single server. | 
|---|
| 394 |  | 
|---|
| 395 | 4. Initiate a full update from that server. | 
|---|
| 396 |  | 
|---|
| 397 | 5. Finish setting up replication as described above. | 
|---|
| 398 |  | 
|---|
| 399 | If your database gets extremely fucked, other servers may not be able | 
|---|
| 400 | to authenticate because your authentication information has gone missing. | 
|---|
| 401 | In that case, the minimal set of entries you need is: | 
|---|
| 402 |  | 
|---|
| 403 | add dc=scripts,dc=mit,dc=edu | 
|---|
| 404 | objectClass: top | 
|---|
| 405 | objectClass: domain | 
|---|
| 406 | dc: scripts | 
|---|
| 407 |  | 
|---|
| 408 | add ou=People,dc=scripts,dc=mit,dc=edu | 
|---|
| 409 | objectClass: top | 
|---|
| 410 | objectClass: organizationalunit | 
|---|
| 411 | ou: People | 
|---|
| 412 |  | 
|---|
| 413 | add uid=ldap/whole-enchilada.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu | 
|---|
| 414 | objectClass: account | 
|---|
| 415 | objectClass: top | 
|---|
| 416 | uid: ldap/whole-enchilada.mit.edu | 
|---|