Difference between revisions of "NDPF LDAP Backups and Slaves"


Revision as of 11:59, 11 January 2007

Making a Backup of the LDAP Directory

Apart from the immediately obvious content of the LDAP directory (i.e. what you see with the LDAP Browser or a regular LDAP search), there is some meta-data that must be preserved on backup: the creator, creation time, modifier and modification time. These operational attributes are not returned by a default search, so they must be requested explicitly on the command line.

 ldapsearch -P 3 -x -H ldaps://trog/ -b "dc=farmnet,dc=nikhef,dc=nl" \
   -D "cn=Manager,dc=root" -W \
   creatorsName createTimestamp modifiersName modifyTimestamp \* 

(and provide the LDAP directory root password when prompted).

The output of this command constitutes the backup of the directory. A backup is made daily on 'trog' in '/project/ndpf/sysdir/data/'. Because the dump is taken as the directory manager it contains everything the manager can read, password hashes included, so the backup files need the same access restrictions as the directory itself.

The backup can be restored with this command (provided the data directory is empty and has the proper permissions):

 ldapadd -c -D "cn=Manager,dc=root" -W -x -H ldap://hooimijt.nikhef.nl/ \
   -f /root/userdb-20051019-1036.ldif 

This works on the master, of course, but the same command is also used on a slave for its initial synchronization.


Creating a new slave server

The relation between a master (i.e. on trog) and the set of slaves is maintained by the "slurpd" daemon, running on the master. slurpd knows the "update" password for every slave and pushes any modification made on the master down to those slaves. The list of slaves is maintained in '/project/ndpf/sysdir/etc/userdb.conf' (currently hooimijt and karnton):

 replica host=hooimijt.nikhef.nl:389     
       binddn="cn=Manager,dc=root" bindmethod=simple 
       suffix="dc=farmnet,dc=nikhef,dc=nl"
       credentials="PASSWD1" tls=critical
       
 replica host=karnton.nikhef.nl:389     
       binddn="cn=Manager,dc=root" bindmethod=simple 
       suffix="dc=farmnet,dc=nikhef,dc=nl"
       credentials="PASSWD1" tls=critical
       
 replogfile /project/ndpf/sysdir/var/replogfile.userdb

The credentials given for each replica (PASSWD1 above) must correspond to the (hashed) rootpw entry in that slave's own slapd.conf, which also names the DN allowed to push updates and refers writes back to the master:

 rootpw          "{SSHA}MYENCRYPTEDPASSWDINTHISHASHMODE"
 updatedn        "cn=Manager,dc=root"
 updateref       ldaps://trog.nikhef.nl/
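
As an added example (not code from the page or from OpenLDAP), the Python below parses replica stanzas in the slapd.conf format shown above together with the slave-side directives, and flags the mismatches that break or weaken replication: a replica without tls=critical, a missing credential or wrong suffix, a slave whose updatedn is not the DN slurpd binds with, an updateref that is not an ldaps:// URL to the master, or a rootpw hash that does not correspond to the credentials on the master. The configuration text inside it is constructed from the page's examples with placeholder passwords; the {SSHA} hash is generated by the script rather than copied from a server, and the second replica deliberately omits tls=critical so the lint has something to report.

```python
"""Lint for slurpd replica stanzas and the matching slave-side directives.

Added example, not code from the wiki page or from OpenLDAP. It assumes
slapd.conf syntax (a line starting with whitespace continues the previous
directive) and checks what the page calls for: each replica uses tls=critical,
binds with a credential and the right suffix, and the slave's updatedn,
updateref and rootpw agree with the master's replica stanza. All config text
below is constructed; the second replica intentionally lacks tls=critical.
"""
import base64
import hashlib
import hmac
import os
import shlex
from urllib.parse import urlparse

def ssha(password, salt=None):
    """OpenLDAP-style {SSHA}: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_matches(password, rootpw):
    """True when a cleartext credential corresponds to a {SSHA} rootpw value."""
    if not rootpw.startswith("{SSHA}"):
        return False
    blob = base64.b64decode(rootpw[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]  # SHA-1 digest is 20 bytes, the rest is salt
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

MASTER_CONF = """\
replica host=hooimijt.nikhef.nl:389
      binddn="cn=Manager,dc=root" bindmethod=simple
      suffix="dc=farmnet,dc=nikhef,dc=nl"
      credentials="PASSWD1" tls=critical

replica host=karnton.nikhef.nl:389
      binddn="cn=Manager,dc=root" bindmethod=simple
      suffix="dc=farmnet,dc=nikhef,dc=nl"
      credentials="PASSWD1"

replogfile /project/ndpf/sysdir/var/replogfile.userdb
"""
# Slave side; the rootpw is generated here from the placeholder credential.
SLAVE_CONF = f"""\
suffix          "dc=farmnet,dc=nikhef,dc=nl"
rootdn          "cn=Manager,dc=root"
rootpw          "{ssha('PASSWD1', salt=b'salt')}"
updatedn        "cn=Manager,dc=root"
updateref       ldaps://trog.nikhef.nl/
"""

def parse_directives(text):
    """[(directive, [args])] with slapd.conf continuation lines folded in."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()  # leading whitespace continues the previous line
        else:
            logical.append(raw.strip())
    return [(p[0], p[1:]) for p in map(shlex.split, logical)]

def replicas(master_conf):
    """Each replica stanza as a dict of its key=value settings (quotes removed by shlex)."""
    return [dict(a.partition("=")[::2] for a in args if "=" in a)
            for name, args in parse_directives(master_conf) if name == "replica"]

def check_replicas(master_conf, expected_suffix):
    findings = []
    for kv in replicas(master_conf):
        host = kv.get("host", "<no host>")
        if kv.get("tls") != "critical":
            findings.append(f"{host}: missing tls=critical, credential and data would cross the network in clear")
        if not kv.get("binddn") or not kv.get("credentials"):
            findings.append(f"{host}: binddn or credentials missing")
        if kv.get("suffix") != expected_suffix:
            findings.append(f"{host}: suffix {kv.get('suffix')!r} is not {expected_suffix!r}")
    return findings

def check_slave(slave_conf, replica, master_host):
    """Cross-check a slave's slapd.conf against the master's replica stanza for it."""
    d = {name: (args[0] if args else "") for name, args in parse_directives(slave_conf)}
    findings = []
    if not d.get("rootpw", "").startswith("{"):
        findings.append("rootpw is in cleartext; store a hashed value such as {SSHA}")
    elif not ssha_matches(replica.get("credentials", ""), d["rootpw"]):
        findings.append("master credentials do not match the slave rootpw; slurpd binds would fail")
    if d.get("updatedn") != replica.get("binddn"):
        findings.append("updatedn differs from the binddn slurpd uses; the slave would refuse updates")
    ref = urlparse(d.get("updateref", ""))
    if ref.scheme != "ldaps" or ref.hostname != master_host:
        findings.append(f"updateref should be ldaps://{master_host}/ so referred writes stay encrypted")
    return findings

if __name__ == "__main__":
    print(check_replicas(MASTER_CONF, "dc=farmnet,dc=nikhef,dc=nl"))
    for r in replicas(MASTER_CONF):
        print(r["host"], check_slave(SLAVE_CONF, r, "trog.nikhef.nl"))
```

To run it against the real files, read '/project/ndpf/sysdir/etc/userdb.conf' into check_replicas and each slave's slapd.conf into check_slave; ssha_matches only understands the {SSHA} scheme, so a rootpw in another hash scheme is reported as a mismatch and has to be checked by hand.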

Notes

  • The LDAP directories must be in sync before you start the slurpd service. Use the 'ldapadd' command with an up-to-date backup of the master directory to initialize the slave.
  • Make sure all data is encrypted while in transit ("tls=critical").
  • slapd logs to the LOCAL4 syslog facility by default; enable that facility in syslog.conf to see the errors.
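
The following script is an added example, not part of the wiki page or of OpenLDAP. It parses an LDIF dump of the kind the ldapsearch backup command above produces, reports entries that lack the four operational attributes (the check that a backup really captured the metadata the page says must be requested explicitly), and compares a master dump with a slave dump so that the "directories must be in sync" condition from the notes can be verified before slurpd is started. The LDIF inside it is constructed to look like ldapsearch output; the DNs and values are placeholders, not data from trog.

```python
"""Checks on LDIF dumps taken with the ldapsearch backup command.

Added example; not code from the wiki page or from OpenLDAP. It parses a
dump, reports entries whose four operational attributes (creator, creation
time, modifier, modification time) were not captured, and compares a master
dump with a slave dump so the two can be confirmed in sync before slurpd is
started. The LDIF below is constructed in the shape ldapsearch prints.
"""
import base64

OPERATIONAL = ("creatorsName", "createTimestamp", "modifiersName", "modifyTimestamp")

def parse_ldif(text):
    """{dn: {attr: [values]}}; folds continuation lines, decodes 'attr:: b64' values."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]  # a leading space continues the previous line
        else:
            logical.append(raw)
    entries, current = {}, None
    for line in logical + [""]:  # sentinel blank line flushes the last entry
        if not line.strip():
            if current is not None:
                entries[current[0]] = current[1]
                current = None
            continue
        name, _, value = line.partition(":")
        if line.startswith("#") or name in ("version", "search", "result"):
            continue  # comments and the search/result trailer ldapsearch appends
        value = base64.b64decode(value[1:].strip()).decode() if value.startswith(":") else value.strip()
        if name == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(name, []).append(value)
    return entries

def missing_metadata(entries):
    """{dn: [absent operational attrs]}; attribute names compare case-insensitively."""
    out = {}
    for dn, attrs in entries.items():
        have = {a.lower() for a in attrs}
        lacking = [a for a in OPERATIONAL if a.lower() not in have]
        if lacking:
            out[dn] = lacking
    return out

def diff_directories(master, slave, ignore=OPERATIONAL):
    """(only_in_master, only_in_slave, changed); pass ignore=() to compare metadata too."""
    skip = {a.lower() for a in ignore}
    def user_attrs(entry):
        return {k.lower(): sorted(v) for k, v in entry.items() if k.lower() not in skip}
    shared = set(master) & set(slave)
    changed = sorted(dn for dn in shared if user_attrs(master[dn]) != user_attrs(slave[dn]))
    return sorted(set(master) - set(slave)), sorted(set(slave) - set(master)), changed

# Constructed sample dumps (not real data) with the header and trailer ldapsearch adds.
HEADER = "# extended LDIF\n#\n# LDAPv3\n#\n\n"
TRAILER = "\nsearch: 2\nresult: 0 Success\n"
ALICE = """\
dn: uid=alice,ou=People,dc=farmnet,dc=nikhef,dc=nl
objectClass: posixAccount
cn: Alice
uid: alice
uidNumber: 1001
gidNumber: 1001
homeDirectory: /user/alice
description:: QWxpY2UgKGNvbnN0cnVjdGVkIHNhbXBsZSk=
creatorsName: cn=Manager,dc=root
createTimestamp: 20051019103601Z
modifiersName: cn=Manager,dc=root
modifyTimestamp: 20060301120000Z
"""
BOB = """\
dn: uid=bob,ou=People,dc=farmnet,dc=nikhef,dc=nl
objectClass: posixAccount
cn: Bob
uid: bob
uidNumber: 1002
gidNumber: 1002
homeDirectory: /user/bob
description: a deliberately folded value to exercise the LDIF continuat
 ion rule
creatorsName: cn=Manager,dc=root
createTimestamp: 20051019103602Z
modifiersName: cn=Manager,dc=root
modifyTimestamp: 20051019103602Z
"""
# On the slave, bob was loaded without the operational attributes and with a
# different gidNumber, and alice is absent altogether.
BOB_SLAVE = "\n".join(l for l in BOB.splitlines()
                      if not l.startswith(OPERATIONAL)).replace("gidNumber: 1002", "gidNumber: 1003") + "\n"
MASTER_LDIF = HEADER + ALICE + "\n" + BOB + TRAILER
SLAVE_LDIF = HEADER + BOB_SLAVE + TRAILER

if __name__ == "__main__":
    master, slave = parse_ldif(MASTER_LDIF), parse_ldif(SLAVE_LDIF)
    print("missing metadata on slave:", missing_metadata(slave))
    print("only master / only slave / changed:", diff_directories(master, slave))
```

On a real system, feed parse_ldif the daily file from '/project/ndpf/sysdir/data/' and a dump taken on the slave with the same ldapsearch command; an empty missing_metadata result on the master dump is the confirmation that the operational attributes were requested, and three empty lists from diff_directories is the "in sync" condition the notes require.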