NDPF LDAP Backups and Slaves

From PDP/Grid Wiki
Revision as of 09:46, 19 October 2005 by Davidg@nikhef.nl (talk | contribs)
Jump to navigationJump to search

Making a Backup of the LDAP Directory

Apart from the immediately obvious content of the LDAP directory (i.e. the stuff you see with the LDAP Browser or a regular LDAP search), there is some meta-data that must be preserevd on backup: the creator, creation time, modifier and modification time. These attributes must be specified explicitly on the command line.

 ldapsearch -P 3 -x -H ldaps://trog/ -b "dc=farmnet,dc=nikhef,dc=nl" \
   -D "cn=Manager,dc=root" -W \
   creatorsName createTimestamp modifiersName modifyTimestamp \* 

(and provide the LDAP direcotry root password as requested).

The output of this command constitutes the backup of the directory. A backup is made daily on 'trog' in '/project/ndpf/sysdir/data/'.

The backup can be restored with this command (provided the data directory is empty and has the proper permissions):

 ldapadd -c -D "cn=Manager,dc=root" -W -x -H ldap://hooimijt.nikhef.nl/ \
   -f /root/userdb-20051019-1036.ldif 

It works of course on the master, but the same command can also be used on the slaves for the initial synchronization.


Creating a new slave server

The relation between a master (i.e. on trog) and the set of slaves is maintained by the "slupd" daemon, running on the master. The slurps knows about the master "update" password for all slaves, and will push any modifications down to those slaves. The list of slaves is maintained in '/project/ndpf/sysdir/etc/userdb.conf':

 replica host=hooimijt.nikhef.nl:389     
       binddn="cn=Manager,dc=root" bindmethod=simple 
       suffix="dc=farmnet,dc=nikhef,dc=nl"
       credentials="PASSWD1" tls=critical
       
 replica host=tbn06.nikhef.nl:389        
       binddn="cn=Manager,dc=root" bindmethod=simple 
       suffix="dc=farmnet,dc=nikhef,dc=nl"
       credentials="PASSWD2" tls=critical
       
 replogfile /project/ndpf/sysdir/var/replogfile.userdb

The PASSWD1 and PASSWD2 must match the (encrypted) rootpw entries for the respective slaves:

 rootpw          "{SSHA}MYENCRYPTEDPASSWDINTHISHASHMODE"
 updatedn        "cn=Manager,dc=root"
 updateref       ldaps://trog.nikhef.nl/

Notes

  • The ldap directories must be in sync before you start the slurpd service. Use the 'ldapadd' command with a up-to-date backup of the master directory to initialize the slave.
  • Make sure all data is encrypted whilst in transfer ("tls=critical")
  • LDAP logs by default to LOCAL4, enable that in syslog.conf to see the errors.