Difference between revisions of "NDPF LDAP Backups and Slaves"
Revision as of 09:46, 19 October 2005
Making a Backup of the LDAP Directory
Apart from the immediately obvious content of the LDAP directory (i.e. the entries you see with the LDAP Browser or a regular LDAP search), there is some meta-data that must be preserved on backup: the creator, creation time, modifier and modification time. These operational attributes are not returned by default, so they must be requested explicitly on the command line:

 ldapsearch -P 3 -x -H ldaps://trog/ -b "dc=farmnet,dc=nikhef,dc=nl" \
     -D "cn=Manager,dc=root" -W \
     creatorsName createTimestamp modifiersName modifyTimestamp \*

(and provide the LDAP directory root password when prompted).
The output of this command constitutes the backup of the directory. A backup is made daily on 'trog' in '/project/ndpf/sysdir/data/'.
The backup can be restored with this command (provided the data directory is empty and has the proper permissions):
 ldapadd -c -D "cn=Manager,dc=root" -W -x -H ldap://hooimijt.nikhef.nl/ \
     -f /root/userdb-20051019-1036.ldif

This works on the master, of course, but the same command can also be used on the slaves for the initial synchronization.
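As an added example (not from the NDPF wiki or its scripts), a small Python check to run on a backup LDIF before feeding it to ldapadd: it parses the file and reports entries that lack the four operational attributes named above, or that fall outside the farmnet suffix. The two-entry LDIF is constructed for illustration.

```python
import base64
import re

# Operational attributes the page says a backup must carry (added check, not a site script).
REQUIRED_META = ("creatorsName", "createTimestamp", "modifiersName", "modifyTimestamp")

# Constructed two-entry LDIF in the shape ldapsearch exports; not real directory data.
SAMPLE_LDIF = """\
dn: dc=farmnet,dc=nikhef,dc=nl
objectClass: dcObject
creatorsName: cn=Manager,dc=root
createTimestamp: 20051019103600Z
modifiersName: cn=Manager,dc=root
modifyTimestamp: 20051019103600Z

dn: uid=alice,ou=People,dc=farmnet,dc=nikhef,dc=nl
objectClass: posixAccount
uid: alice
cn:: QWxpY2UgRXhhbXBsZQ==
creatorsName: cn=Manager,dc=root
createTimestamp: 20051019103600Z
"""

def parse_ldif(text):
    """Parse LDIF into [(dn, {attr: [values]})]; handles folded lines, comments and base64."""
    entries = []
    unfolded = re.sub(r"\n ", "", text)  # a leading space continues the previous line
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        attrs = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64 value>"
                value = base64.b64decode(value[1:]).decode("utf-8")
            attrs.setdefault(name, []).append(value.strip())
        dn = attrs.pop("dn", [None])[0]
        if dn is not None:
            entries.append((dn, attrs))
    return entries

def check_backup(text, suffix="dc=farmnet,dc=nikhef,dc=nl"):
    """Return the problems found; an empty list means the file is fit to feed to ldapadd."""
    entries = parse_ldif(text)
    problems = [] if entries else ["backup contains no entries"]
    for dn, attrs in entries:
        if not dn.lower().endswith(suffix.lower()):
            problems.append(f"{dn}: outside suffix {suffix}")
        problems += [f"{dn}: missing {m}" for m in REQUIRED_META if m not in attrs]
    return problems
```

Run it against the daily dump in /project/ndpf/sysdir/data/ before restoring; a non-empty result means the export was made without the explicit attribute list and the timestamps would be lost on restore.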
Creating a new slave server
The relation between a master (i.e. on trog) and the set of slaves is maintained by the "slurpd" daemon, running on the master. slurpd knows the master "update" password for every slave and pushes any modification down to those slaves. The list of slaves is maintained in '/project/ndpf/sysdir/etc/userdb.conf':

 replica host=hooimijt.nikhef.nl:389
         binddn="cn=Manager,dc=root" bindmethod=simple
         suffix="dc=farmnet,dc=nikhef,dc=nl"
         credentials="PASSWD1" tls=critical

 replica host=tbn06.nikhef.nl:389
         binddn="cn=Manager,dc=root" bindmethod=simple
         suffix="dc=farmnet,dc=nikhef,dc=nl"
         credentials="PASSWD2" tls=critical

 replogfile /project/ndpf/sysdir/var/replogfile.userdb

PASSWD1 and PASSWD2 must match the (hashed) rootpw entries in the configuration of the respective slaves, which also name the update DN and refer writes back to the master:

 rootpw    "{SSHA}MYENCRYPTEDPASSWDINTHISHASHMODE"
 updatedn  "cn=Manager,dc=root"
 updateref ldaps://trog.nikhef.nl/
Notes
- The LDAP directories must be in sync before you start the slurpd service. Use the 'ldapadd' command with an up-to-date backup of the master directory to initialize the slave.
- Make sure all data is encrypted whilst in transfer ("tls=critical").
- LDAP logs by default to LOCAL4, enable that in syslog.conf to see the errors.