On 04/02/2012 04:13 PM, Herb Burnswell wrote:


On Fri, Mar 23, 2012 at 10:53 AM, Rich Megginson <[email protected]> wrote:

    On 03/23/2012 11:09 AM, Herb Burnswell wrote:
    Thanks for the reply David.

    >> 1. How can I find out which system(s) is/are master, consumer, hub, etc?
    >>>> You should be able to determine the role of the Directory Server for each
    >>>> system by logging into the LDAP console under
    >>>> "Configuration->Replication".  The role is either "Single Master", "Hub" or
    >>>> "Dedicated Consumer".

    > I was able to determine that we have two "Multiple Master" systems.  Let's call
    > them 'A' and 'B'.  System A has been the only system running for what appears to
    > be several years (it is being backed up nightly).  System B has been off for some
    > time but is running now.

    >> 2. How do I confirm that the systems have the correct credentials for
    >> replication? (I am receiving: "Unable to acquire replica: Permission
    >> denied.")
    >> a. How can I change the bind dn "cn=replication,cn=config" credentials
    >> on each system to ensure replication will work?
    >>>> You can do that on the console as well.  Just navigate down the directory
    >>>> tree and manually reset the password for the replication user account.
    >>>> There's a possibility that your replication user account's password expired.

    > I can navigate to the screen to reset the password for the replication user
    > account.  I have not reset the passwords yet as I am reading documentation to
    > confirm that system B will simply update its data to system A's upon resuming
    > replication.
    > When you change the password of the replication user on B, you'll also have to
    > update those credentials in the replication agreement on A for the agreement
    > from A to B.

    > Note that if replication has been down for years, you will have to perform a
    > manual replica initialization procedure - replication will not automatically
    > "catch up" if it has been down that long.

Rich - Thank you for the response. I was diverted to another urgent issue but have come back to this replication fix.

I've confirmed that there are two Dedicated Consumers (C and D) to go along with the two Dual Masters (A and B). I want to replicate to one of the dedicated consumers, C, prior to syncing the dual master B. I changed the passwords for dn:cn=replication,cn=config on A via the Directory Manager console, and via ldapmodify on C. I am confident that the passwords are the same on both systems.

What exactly did you do?
Note that you'll have to update the password in cn=replication,cn=config on the consumer (C) and update the replication agreement on A for the replication agreement between A and C.


I followed section 8.10.5.1 on initializing the consumer replica from backup files and it worked with the following:

[02/Apr/2012:11:58:03 -0700] - Add Attribute readonly Value off
[02/Apr/2012:11:58:03 -0700] - Add Attribute nsslapd-directory Value /new/path/from/master/server
[02/Apr/2012:11:58:04 -0700] - Del Attribute nsslapd-directory Value /old/path/from/consumer
[02/Apr/2012:11:58:04 -0700] - WARNING!!: current Instance Config is different from backed up configuration; The backup is restored.

First, do I need to reset these attributes back to 'readonly' and the original nsslapd-directory?

Second, I am now receiving the following error from the master A:
Unable to acquire replica: permission denied. The bind dn "cn=replication,cn=config" does not have permission to supply replication updates to the replica. Will retry later.

On another note, I see plain text passwords in the error logs on A for the consumers but passwd = {SSHA}0bgDq2f1IM/2nNOOIHUh8lXfkG13XUOHTYD== for B, the other master. Is there a specific reason for this?

As always, any guidance that can be provided is greatly appreciated.

TIA,

Herb


    >> 3. I assume that upon repairing replication (apparently it has not been
    >> working for several years) the systems will all replicate to the most
    >> recent information.  Correct?
    >>>> I think that's the tricky part.  Make sure you backup your directory on all
    >>>> the LDAP first so you have something to roll back.  I *believe* the last
    >>>> step when setting up replication is initializing the directory and that
    >>>> will wipe out directory on the other LDAP.  Someone on the list might be
    >>>> able to provide a better on this but I am just giving you a heads up that
    >>>> this can be a complicated process.

    Given the fact that system B has not been running for some time,
    ideally it would simply replicate to the current data on system
    A.  After replication is reestablished the systems are set up to
    "Always keep directories in sync".  If anyone can confirm the
    behavior that will occur upon replication on these two systems it
    would be greatly appreciated.

    Thanks in advance,

    Herb


        ------------------------------

        Message: 2
        Date: Thu, 22 Mar 2012 10:40:34 -0400
        From: Chun Tat David Chu <[email protected]>
        To: "General discussion list for the 389 Directory server project." <[email protected]>
        Subject: Re: [389-users] Repair replication
        Message-ID: <cancf8olyket99sb_ou4u3cer8u89ugwzhgubthekcf9hwnk...@mail.gmail.com>
        Content-Type: text/plain; charset="iso-8859-1"

        Hey Herb,

        You should refer to the Red Hat Directory Server
        administration guide for
        detail about setting up replication which you can locate in here.
        http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/

        >> 1. How can I find out which system(s) is/are master,
        consumer, hub, etc?
        You should be able to determine the role of the Directory
        Server for each
        system by logging into the LDAP console under
        "Configuration->Replication".  The role is either "Single
        Master", "Hub" or
        "Dedicated Consumer".

        >> 2. How do I confirm that the systems have the correct
        credentials for
        replication? (I am receiving: "Unable to acquire replica:
        Permission
        denied.")
           a. How can I change the bind dn "cn=replication,cn=config"
        credentials
        on each system to ensure replication will work?
        You can do that on the console as well.  Just navigate down
        the directory
        tree and manually reset the password for the replication user
        account.
        There's a possibility that your replication user account's
        password expired.

        >> 3. I assume that upon repairing replication (apparently it
        has not been
        working for several years) the systems will all replicate to
        the most
        recent information.  Correct?
        I think that's the tricky part.  Make sure you backup your
        directory on all
        the LDAP first so you have something to roll back.  I
        *believe* the last
        step when setting up replication is initializing the
        directory and that
        will wipe out directory on the other LDAP.  Someone on the
        list might  be
        able to provide a better on this but I am just giving you a
        heads up that
        this can be a complicated process.

        Good luck

        - David

        2012/3/21 Herb Burnswell <[email protected]>

        > Hi All,
        >
        > I'm new to LDAP administration and have been tasked with
        fixing the system
        > replication of 4 Linux systems running Fedora Directory
        Services.  I am
        > very comfortable working with Linux/Unix but am not
        experienced with LDAP.
        > I've been reading the communications from this user group
        and reading as
        > much as I can from documentation.  I believe this
        environment is not too
        > complex but I am looking for some guidance, any assistance
        is greatly
        > appreciated.
        >
        > Info:
        >
        > OS: Fedora Core 4
        > LDAP: Fedora Directory Server v 7.1
        >
        > First, I know that both the systems and FDS versions are
        ancient.
        > However, at this point I need to get the replication
        working prior to
        > putting together a migration plan.  I have access to the
        Directory Manager
        > console and am comfortable running command line commands as
        well.  Either
        > way is fine.
        >
        > Questions:
        >
        > 1. How can I find out which system(s) is/are master,
        consumer, hub, etc?
        >
        > 2. How do I confirm that the systems have the correct
        credentials for
        > replication? (I am receiving: "Unable to acquire replica:
        Permission
        > denied.")
        >     a. How can I change the bind dn
        "cn=replication,cn=config" credentials
        > on each system to ensure replication will work?
        >
        > 3. I assume that upon repairing replication (apparently it
        has not been
        > working for several years) the systems will all replicate
        to the most
        > recent information.  Correct?
        >
        > Again, any guidance is greatly appreciated.
        >
        > Thanks in advance,
        >
        > Herb
        >
        > --
        > 389 users mailing list
        > [email protected]
        > https://admin.fedoraproject.org/mailman/listinfo/389-users
        >

--
389 users mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/389-users
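
The "permission denied" error quoted in this thread names the bind DN that the supplier presents; a consumer accepts replication updates only from DNs listed in nsDS5ReplicaBindDN on its own replica entry. The following is an added example, not part of the original messages and not 389 DS code: an offline check that compares the bind DN in the supplier's replication agreement with the consumer's allowed list. The suffix dc=example,dc=com, the host name, the agreement name A-to-C, both LDIF entries and the helper names are constructed for illustration.

```python
# Added example: does the supplier's agreement bind DN appear in the
# consumer replica's nsDS5ReplicaBindDN list?  Both LDIF entries below are
# constructed sample data (e.g. as exported with ldapsearch), not from the thread.

SUPPLIER_A = """\
dn: cn=A-to-C,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
objectClass: nsDS5ReplicationAgreement
nsDS5ReplicaHost: c.example.com
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: cn=replication,
 cn=config
nsDS5ReplicaBindMethod: SIMPLE
"""

CONSUMER_C = """\
dn: cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
objectClass: nsDS5Replica
nsDS5ReplicaRoot: dc=example,dc=com
nsDS5ReplicaType: 2
nsDS5ReplicaBindDN: cn=Replication Manager,cn=config
"""

def parse_ldif(text):
    """Parse one LDIF entry into {lowercased attr: [values]}, unfolding
    continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def norm_dn(dn):
    # Simplified normalisation: case-fold and trim each RDN (no escaped commas).
    return ",".join(part.strip().lower() for part in dn.split(","))

def check_supplier_allowed(agreement_ldif, replica_ldif):
    """Return (allowed?, supplier bind DN, DNs the consumer accepts)."""
    agmt = parse_ldif(agreement_ldif)
    replica = parse_ldif(replica_ldif)
    bind_dn = norm_dn(agmt["nsds5replicabinddn"][0])
    allowed = sorted(norm_dn(d) for d in replica.get("nsds5replicabinddn", []))
    return bind_dn in allowed, bind_dn, allowed
```

A mismatch here fails even when the password on both sides is identical, because the bind succeeds but the DN is not authorised as a supplier for that replica.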
