Changeset 2066 for trunk/server/doc/install-ldap
- Timestamp:
- Nov 22, 2011, 12:45:17 AM (14 years ago)
- Location:
- trunk
- Files:
- 
          - 2 edited
 
 - 
          . (modified) (1 prop)
- 
          server/doc/install-ldap (modified) (11 diffs)
 
Legend:
- Unmodified
- Added
- Removed
- 
        trunk- Property svn:mergeinfo changed
 
- 
        trunk/server/doc/install-ldapr1986 r2066 1 To set up a new LDAP server: 2 3 - Install the RPM 389-ds-base with yum (these are installed by kickstart 4 these days, so these two steps are probably not necessary) 5 root# yum install -y 389-ds-base 6 root# yum install -y policycoreutils-python 7 root# yum install -y ldapvi 8 - We want to run the directory server as its own user, so create fedora-ds 9 root# useradd -r -d /var/lib/dirsrv fedora-ds 10 - Temporarily move away the existing slapd-scripts folder 11 root# mv /etc/dirsrv/slapd-scripts{,.bak} 12 - root# /usr/sbin/setup-ds.pl 13 - Choose a typical install 14 - Tell it to use the fedora-ds user and group 15 - Directory server identifier: scripts 16 Needed to remove this from the config file first 17 - Suffix: dc=scripts,dc=mit,dc=edu 18 - Input directory manager password 19 (this can be found in ~/.ldapvirc) 20 - Move the schema back 21 root# cp -R /etc/dirsrv/slapd-scripts.bak/{.svn,*} /etc/dirsrv/slapd-scripts 22 root# rm -Rf /etc/dirsrv/slapd-scripts.bak 23 - Turn dirsrv off: service dirsrv stop 24 - Apply the following configuration changes. If you're editing 25 dse.ldif, you don't want dirsrv to be on, otherwise it will 26 overwrite your changes. [XXX: show how to do these changes with 27 dsconf, which is the "blessed" method] 1 # To set up a new LDAP server: 2 3 # Temporarily move away the existing slapd-scripts folder 4 mv /etc/dirsrv/slapd-scripts{,.bak} 5 6 # Setup directory server 7 /usr/sbin/setup-ds.pl 8 # - Choose a typical install 9 # - Tell it to use the fedora-ds user and group 10 # - Directory server identifier: scripts 11 # - Suffix: dc=scripts,dc=mit,dc=edu 12 # - Input directory manager password 13 # (this can be found in ~/.ldapvirc) 14 15 # Move the schema back 16 cp -R /etc/dirsrv/slapd-scripts.bak/{.svn,*} /etc/dirsrv/slapd-scripts 17 rm -Rf /etc/dirsrv/slapd-scripts.bak 18 19 # Turn dirsrv off: 20 systemctl stop dirsrv.service 21 22 # Apply the following configuration changes. If you're editing 23 # dse.ldif, you don't want dirsrv to be on, otherwise it will 24 # overwrite your changes. [XXX: show how to do these changes with 25 # dsconf, which is the "blessed" method, although it seems 26 # dsconf only exists for Red Hat] 27 28 vim /etc/dirsrv/slapd-scripts/dse.ldif 29 <<<EOF 28 30 29 31 # Inside cn=config. These changes definitely require a restart. 30 nsslapd-ldapifilepath: /var/run/slapd-scripts.socket31 32 nsslapd-ldapilisten: on 32 33 nsslapd-syntaxcheck: off 34 35 # We need to turn off syntax check because our schema is wrong and too 36 # restrictive on some value. This should get fixed. 33 37 34 38 # Add these blocks … … 46 50 nsSaslMapFilterTemplate: (objectClass=posixAccount) 47 51 48 - Put LDAP keytab (ldap/hostname.mit.edu) in /etc/dirsrv/keytab. Make 49 sure you chown/chgrp it to be readable by fedora-ds 50 - Uncomment and modify in /etc/sysconfig/dirsrv: KRB5_KTNAME=/etc/dirsrv/keytab ; export KRB5_KTNAME 51 - chown fedora-ds:fedora-ds /var/run/dirsrv 52 - chown fedora-ds /etc/dirsrv/keytab 53 - /sbin/service dirsrv start 54 - Use ldapvi -b cn=config to add these indexes (8 of them): 52 EOF; 53 54 systemctl start dirsrv.service 55 56 ldapvi -b cn=config 57 # Add these indexes (8 of them): 58 59 <<<EOF 55 60 56 61 add cn=apacheServerName, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config … … 117 122 nsIndexType: eq 118 123 nsIndexType: pres 124 125 EOF; 119 126 120 127 - Build the indexes for all the fields: … … 181 188 182 189 Here's how you do it. 190 191 NOTE: There's this spiffy new tool MMR hammer which automates some of 192 this process. Check the "MMR Hammer" sections to see how. Install it 193 here: https://github.com/ezyang/mmr-hammer 183 194 184 195 0. Tell -c scripts not to go off and reboot servers until you're … … 209 220 nsDS5ReplicaBindDN: uid=ldap/old-faithful.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu 210 221 nsDS5ReplicaBindDN: uid=ldap/shining-armor.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu 222 nsDS5ReplicaBindDN: uid=ldap/golden-egg.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu 211 223 nsds5ReplicaPurgeDelay: 604800 212 224 nsds5ReplicaLegacyConsumer: off … … 223 235 for just $MASTER. 224 236 237 REMEMBER: You need to use FOO.mit.edu for the names! Otherwise you will get 238 unauthorized errors. 239 225 240 add uid=ldap/$MASTER,ou=People,dc=scripts,dc=mit,dc=edu 226 241 uid: ldap/$MASTER … … 245 260 risky step of the process; see below for help debugging problems. 246 261 247 WARNING: There is a known bug doing full updates from 1.2.6 to 248 1.2.6, see https://bugzilla.redhat.com/show_bug.cgi?id=637852 262 MMR Hammer: mmr-hammer -h $MASTER init agreements $SLAVE 263 264 ldapvi -b cn=\"dc=scripts,dc=mit,dc=edu\",cn=mapping\ tree,cn=config 249 265 250 266 add cn="GSSAPI Replication to $SLAVE", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config … … 268 284 If it fails with LDAP Error 49, check /var/log/dirsrv on $MASTER 269 285 for more information. It might be because fedora-ds can't read 270 /etc/dirsrv/keytab 286 /etc/dirsrv/keytab or because you setup the account on the SLAVE 287 incorrectly. 271 288 272 289 6. Replicate in the other direction. On $MASTER, add $SLAVE 273 290 as a nsDS5ReplicaBindDN in cn=replica,cn="dc=scripts,dc=mit,dc=edu",cn=mapping tree,cn=config 274 Also, add an account for $SLAVE 291 Also, add an account for $SLAVE if it doesn't exist already. 275 292 276 293 add uid=ldap/$SLAVE,ou=People,dc=scripts,dc=mit,dc=edu … … 280 297 281 298 On $SLAVE, 299 300 MMR Hammer: mmr-hammer -h $SLAVE init agreements $MASTER 282 301 283 302 add cn="GSSAPI Replication to $MASTER", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config … … 308 327 new server. 309 328 329 With MMR hammer, that's something like: 330 331 for i in $SERVER_NAMES; do mmr-hammer -h $i init agreements $SERVER_NAMES; done 332 310 333 8. If at this point you look at the new server's changelog with 311 334 cl-dump (preferably /mit/scripts/admin/cl-dump.pl, to not prompt you … … 316 339 also good for making sure the replication agreements actually work. 317 340 341 With MMR hammer, that's something like: 342 343 for i in $SERVER_NAMES; do mmr-hammer -h $i test; sleep 20; done 344 318 345 Troubleshooting 319 346 =============== 
Note: See TracChangeset
          for help on using the changeset viewer.
      
