The Version 6 CLI: Scripting Replication Configuration

In Directory Service Control Center: Replication, I explained Directory Server replication and showed you how to set up replication among four master replicas with Directory Service Control Center. This entry shows you how to set up the same topology with the command line tools, dsadm and dsconf.

To avoid entering passwords over and over, I set the environment variable LDAP_ADMIN_PWF to point to a file containing the Directory Manager password, here the same password for all server instances. Anyone who can read that file can administer every instance that accepts the password, so keep it readable by your account alone (chmod 600) and remove it when you are done; a shared location such as /tmp is convenient for a demonstration, not a place to leave it.

$ export LDAP_ADMIN_PWF=/tmp/pwd.txt

LDAP_ADMIN_PWF is designed to point to a file containing the password for the Directory Service Manager. The Directory Service Manager is the Directory Service Control Center user, the one with the capability to manage any server instance registered with Directory Service Control Center.

Creating Empty Directory Server Instances

As with Directory Service Control Center, the first step consists of setting up empty server instances.

$ dsadm create -p 1389 -P 1636 -w $LDAP_ADMIN_PWF /local/ds1
$ dsadm create -p 2389 -P 2636 -w $LDAP_ADMIN_PWF /local/ds2
$ dsadm create -p 3389 -P 3636 -w $LDAP_ADMIN_PWF /local/ds3
$ dsadm create -p 4389 -P 4636 -w $LDAP_ADMIN_PWF /local/ds4
$ dsadm start /local/ds1
Server started: pid=26602
$ dsadm start /local/ds2
Server started: pid=26606
$ dsadm start /local/ds3
Server started: pid=26610
$ dsadm start /local/ds4
Server started: pid=26614

Creating the instances is the one step that must be performed on the system where Directory Server runs, because dsadm works directly on the instance files. The remaining steps use dsconf, which connects over LDAP, so they could be carried out remotely.

Creating Empty Suffixes

The replicated suffix is going to contain sample data. In this example, the suffix has DN dc=example,dc=com. Before setting up replication, I create the suffix on each server.

$ dsconf create-suffix -p 1389 dc=example,dc=com
Certificate "CN=hostname, CN=1636" presented by the server is not trusted.
Type "Y" to accept, "y" to accept just once, "n" to refuse, "d" for more details: Y
$ dsconf create-suffix -p 2389 dc=example,dc=com
Certificate "CN=hostname, CN=2636" presented by the server is not trusted.
Type "Y" to accept, "y" to accept just once, "n" to refuse, "d" for more details: Y
$ dsconf create-suffix -p 3389 dc=example,dc=com
Certificate "CN=hostname, CN=3636" presented by the server is not trusted.
Type "Y" to accept, "y" to accept just once, "n" to refuse, "d" for more details: Y
$ dsconf create-suffix -p 4389 dc=example,dc=com
Certificate "CN=hostname, CN=4636" presented by the server is not trusted.
Type "Y" to accept, "y" to accept just once, "n" to refuse, "d" for more details: Y

Unlike the dsadm command, the dsconf command connects to the server over LDAP, and it protects that connection with SSL/TLS, which is why each server presents its certificate on the first connection. The instances were created with self-signed certificates, so nothing in my trust store vouches for them and dsconf asks before proceeding. Typing "Y" stores the certificate so later dsconf commands to that instance do not prompt again; "y" accepts it for this one connection only, and "d" shows the certificate details so you can check them before trusting it. In a deployment, look at those details rather than accepting blindly: accepting the wrong certificate means sending the Directory Manager password to whoever presented it.

Enabling Replication for Each Suffix

With all suffixes created, I enable replication on each one, making every replica a master and giving each one a unique replica ID with the -d option. Replica IDs must be unique among the masters of a topology, so check them before going further if you script this for real servers.

$ dsconf enable-repl -p 1389 -d 1 master dc=example,dc=com
Use "dsconf create-repl-agmt" to create replication agreements on "dc=example,dc=com".
$ dsconf enable-repl -p 2389 -d 2 master dc=example,dc=com
Use "dsconf create-repl-agmt" to create replication agreements on "dc=example,dc=com".
$ dsconf enable-repl -p 3389 -d 3 master dc=example,dc=com
Use "dsconf create-repl-agmt" to create replication agreements on "dc=example,dc=com".
$ dsconf enable-repl -p 4389 -d 4 master dc=example,dc=com
Use "dsconf create-repl-agmt" to create replication agreements on "dc=example,dc=com".

Creating Replication Agreements for All Replicas

As you see in the output from dsconf enable-repl, the next step is creating replication agreements. Multi-master replication is peer-to-peer, so each master must have a replication agreement pointing to each other master: four masters need twelve agreements in all. All the servers are on the local system in my example, so I differentiate between them only by port number.

$ dsconf create-repl-agmt -p 1389 dc=example,dc=com localhost:2389 localhost:3389 localhost:4389
Use "dsconf init-repl-dest dc=example,dc=com localhost:2389" to start replication of "dc=example,dc=com" data.
Use "dsconf init-repl-dest dc=example,dc=com localhost:3389" to start replication of "dc=example,dc=com" data.
Use "dsconf init-repl-dest dc=example,dc=com localhost:4389" to start replication of "dc=example,dc=com" data.
$ dsconf create-repl-agmt -p 2389 dc=example,dc=com localhost:1389 localhost:3389 localhost:4389
Use "dsconf init-repl-dest dc=example,dc=com localhost:1389" to start replication of "dc=example,dc=com" data.
Use "dsconf init-repl-dest dc=example,dc=com localhost:3389" to start replication of "dc=example,dc=com" data.
Use "dsconf init-repl-dest dc=example,dc=com localhost:4389" to start replication of "dc=example,dc=com" data.
$ dsconf create-repl-agmt -p 3389 dc=example,dc=com localhost:1389 localhost:2389 localhost:4389
Use "dsconf init-repl-dest dc=example,dc=com localhost:1389" to start replication of "dc=example,dc=com" data.
Use "dsconf init-repl-dest dc=example,dc=com localhost:2389" to start replication of "dc=example,dc=com" data.
Use "dsconf init-repl-dest dc=example,dc=com localhost:4389" to start replication of "dc=example,dc=com" data.
$ dsconf create-repl-agmt -p 4389 dc=example,dc=com localhost:1389 localhost:2389 localhost:3389
Use "dsconf init-repl-dest dc=example,dc=com localhost:1389" to start replication of "dc=example,dc=com" data.
Use "dsconf init-repl-dest dc=example,dc=com localhost:2389" to start replication of "dc=example,dc=com" data.
Use "dsconf init-repl-dest dc=example,dc=com localhost:3389" to start replication of "dc=example,dc=com" data.

Importing Data into One Suffix and Initiating Replication

Finally, I import data into the first master. Then I initialize replication from that master to the other replicas. Here, I use the sample data installed with Directory Server Enterprise Edition 6.0.

$ dsconf import -p 1389 /local/ds6/ldif/Example.ldif dc=example,dc=com
New data will override existing data of the suffix "dc=example,dc=com".
Initialization will have to be performed on replicated suffixes. 
Do you want to continue [y/n] ?  y
## Index buffering enabled with bucket size 40
## Beginning import job...
## Processing file "/local/ds6/ldif/Example.ldif"
## Finished scanning file "/local/ds6/ldif/Example.ldif" (160 entries)
## Workers finished; cleaning up...
## Workers cleaned up.
## Cleaning up producer thread...
## Indexing complete.
## Starting numsubordinates attribute generation. This may take a while, please wait for further activity reports.
## Numsubordinates attribute generation complete. Flushing caches...
## Closing files...
## Import complete.  Processed 160 entries in 5 seconds. (32.00 entries/sec)

Task completed (slapd exit code: 0).
$ dsconf init-repl-dest -p 1389 dc=example,dc=com localhost:2389 localhost:3389 localhost:4389
Started initialization of "localhost:2389"; Mar 7, 2007 7:10:05 PM
Sent 160 entries...
Sent 161 entries.
Completed initialization of "localhost:2389"; Mar 7, 2007 7:10:11 PM
Started initialization of "localhost:3389"; Mar 7, 2007 7:10:20 PM
Sent 160 entries...
Sent 161 entries.
Completed initialization of "localhost:3389"; Mar 7, 2007 7:10:25 PM
Started initialization of "localhost:4389"; Mar 7, 2007 7:10:33 PM
Sent 160 entries...
Sent 161 entries.
Completed initialization of "localhost:4389"; Mar 7, 2007 7:10:39 PM
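The whole procedure above, as an added example that is not part of the original post: a POSIX shell script that generates the dsadm and dsconf command sequence for an N-way full mesh of masters (the four-master case is the default), executes it when DRY_RUN=0, and refuses to run with a Directory Manager password file that other users can read. It follows the post's naming scheme (instance i under /local/dsi, LDAP port i389, LDAPS port i636, replica ID i); the dsconf -i option to suppress the import confirmation prompt and the presence of dsadm, dsconf and ldapsearch on PATH are my assumptions, not something the post shows. The same generator works for any suffix, including the cn=dscc registry suffix discussed in the comments below, by setting SUFFIX.

```shell
#!/bin/sh
# Added example, not code from the original post: build an N-way full mesh of
# Directory Server masters with dsadm/dsconf, or print the commands (DRY_RUN=1).
# Assumptions (mine): instance i lives in $DS_BASE/ds$i, listens on LDAP port
# i389 and LDAPS port i636 on $DS_HOST, gets replica ID i; dsconf's -i option
# suppresses its y/n prompt; dsadm, dsconf and ldapsearch are on PATH.
set -eu

DS_HOST=${DS_HOST:-localhost}
DS_BASE=${DS_BASE:-/local}
SUFFIX=${SUFFIX:-dc=example,dc=com}
LDIF=${LDIF:-/local/ds6/ldif/Example.ldif}
DRY_RUN=${DRY_RUN:-1}              # 1 = print the commands, 0 = execute them

ldap_port()  { echo $(( $1 * 1000 + 389 )); }
ldaps_port() { echo $(( $1 * 1000 + 636 )); }

# Print a command when dry-running, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Whoever can read the Directory Manager password file can administer every
# instance it opens, so refuse a file that is group- or world-readable.
pwfile_ok() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]
}

# host:port of every master except master $1 in a topology of $2 masters.
peers() {
    i=$1 n=$2 j=1 out=""
    while [ "$j" -le "$n" ]; do
        if [ "$j" -ne "$i" ]; then out="$out $DS_HOST:$(ldap_port "$j")"; fi
        j=$((j + 1))
    done
    echo "${out# }"
}

# Run step $1 once per master, passing (master index, master count).
each_master() {
    n=$2 i=1
    while [ "$i" -le "$n" ]; do "$1" "$i" "$n"; i=$((i + 1)); done
}

# One step per master; each uses only its positional parameters.
step_create() {
    run dsadm create -p "$(ldap_port "$1")" -P "$(ldaps_port "$1")" \
        -w "$LDAP_ADMIN_PWF" "$DS_BASE/ds$1"
    run dsadm start "$DS_BASE/ds$1"
}
step_suffix() { run dsconf create-suffix -p "$(ldap_port "$1")" "$SUFFIX"; }
step_enable() { run dsconf enable-repl -p "$(ldap_port "$1")" -d "$1" master "$SUFFIX"; }
# $(peers ...) is intentionally unquoted: each host:port is a separate argument.
step_agmt()   { run dsconf create-repl-agmt -p "$(ldap_port "$1")" "$SUFFIX" $(peers "$1" "$2"); }
step_verify() { run ldapsearch -p "$(ldap_port "$1")" -b "$SUFFIX" -s base "(objectClass=*)" dn; }

create_agreements() { each_master step_agmt "$1"; }

load_and_init() {
    # Import on master 1 only, then push its data to every other master.
    run dsconf import -i -p "$(ldap_port 1)" "$LDIF" "$SUFFIX"
    run dsconf init-repl-dest -p "$(ldap_port 1)" "$SUFFIX" $(peers 1 "$1")
}

main() {
    n=${1:-4}
    export LDAP_ADMIN_PWF=${LDAP_ADMIN_PWF:-/tmp/pwd.txt}
    if [ "$DRY_RUN" != 1 ] && ! pwfile_ok "$LDAP_ADMIN_PWF"; then
        echo "refusing to run: $LDAP_ADMIN_PWF is missing or readable by others (chmod 600 it)" >&2
        return 1
    fi
    each_master step_create "$n"     # the only step that must run on the server host
    each_master step_suffix "$n"     # first dsconf connection per instance prompts for its cert
    each_master step_enable "$n"     # replica IDs 1..n are unique by construction
    create_agreements "$n"           # full mesh: n*(n-1) agreements
    load_and_init "$n"
    each_master step_verify "$n"     # the suffix entry must be readable from every master
}

main "$@"
```

Run it with no arguments to print the twelve-agreement four-master sequence shown in this post; `DRY_RUN=0 sh mesh.sh 3` would build a three-master mesh. The final ldapsearch pass is the check worth keeping: an initialization that "completed" but left a master without the base entry is the kind of failure you want to catch before pointing clients at the topology.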

For more instructions on handling Directory Server replication, see the Administration Guide.

Comments:

Is there a way to use dsconf to replicate the DSCC ? We need to have zero single points of failure.
DSCC has no clear cut path for replicating the DSCC data.

Posted by Jay Biddle on August 15, 2007 at 08:04 AM CEST #

First of all -- I understand you have the requirement for no single point of failure, not only for directory services but also for browser-based administration of directory services -- many deployments can tolerate a temporary interruption in browser-based administration, and so can rely on file system backup of the installation instead of something more complicated, such as what I'm going to suggest next.

DSCC stores its data in a Directory Server instance on the same host where you install DSCC, the DSCC registry. The dsccsetup man page, http://docs.sun.com/app/docs/doc/819-0986/6n3chglmg?a=view, tells you the default location and port numbers used by this server instance. The man page also tells you what suffix contains the DSCC registry data.

Since the DSCC registry is just another Directory Server instance, you can replicate it as you would any other server instance.

However, DSCC always looks to this local instance for the data it stores about your configuration. You need to install DSCC to get a DSCC registry instance. So install DSCC on as many systems as you want DSCC registry replicas. Then set up replication among the DSCC registry instances.

Posted by Mark on August 20, 2007 at 01:35 AM CEST #

As a side note on the DSCC replication, you can follow the steps above for the DSCC configuration data suffix. Unless you've changed it, which I'm not sure is a wise idea, the default should be cn=dscc.

So a simple replication command order would appear as:

$ dsconf enable-repl -p 1389 -d 1 master cn=dscc
Use "dsconf create-repl-agmt" to create replication agreements on "cn=dscc".
$ dsconf enable-repl -p 2389 -d 2 master cn=dscc
Use "dsconf create-repl-agmt" to create replication agreements on "cn=dscc".
$ dsconf enable-repl -p 3389 -d 3 master cn=dscc
Use "dsconf create-repl-agmt" to create replication agreements on "cn=dscc".
$ dsconf enable-repl -p 4389 -d 4 master cn=dscc
Use "dsconf create-repl-agmt" to create replication agreements on "cn=dscc".

$ dsconf create-repl-agmt -p 1389 cn=dscc localhost:2389 localhost:3389 localhost:4389
Use "dsconf init-repl-dest cn=dscc localhost:2389" to start replication of "cn=dscc" data.
Use "dsconf init-repl-dest cn=dscc localhost:3389" to start replication of "cn=dscc" data.
Use "dsconf init-repl-dest cn=dscc localhost:4389" to start replication of "cn=dscc" data.
$ dsconf create-repl-agmt -p 2389 cn=dscc localhost:1389 localhost:3389 localhost:4389
Use "dsconf init-repl-dest cn=dscc localhost:1389" to start replication of "cn=dscc" data.
Use "dsconf init-repl-dest cn=dscc localhost:3389" to start replication of "cn=dscc" data.
Use "dsconf init-repl-dest cn=dscc localhost:4389" to start replication of "cn=dscc" data.
$ dsconf create-repl-agmt -p 3389 cn=dscc localhost:1389 localhost:2389 localhost:4389
Use "dsconf init-repl-dest cn=dscc localhost:1389" to start replication of "cn=dscc" data.
Use "dsconf init-repl-dest cn=dscc localhost:2389" to start replication of "cn=dscc" data.
Use "dsconf init-repl-dest cn=dscc localhost:4389" to start replication of "cn=dscc" data.
$ dsconf create-repl-agmt -p 4389 cn=dscc localhost:1389 localhost:2389 localhost:3389
Use "dsconf init-repl-dest cn=dscc localhost:1389" to start replication of "cn=dscc" data.
Use "dsconf init-repl-dest cn=dscc localhost:2389" to start replication of "cn=dscc" data.
Use "dsconf init-repl-dest cn=dscc localhost:3389" to start replication of "cn=dscc" data.

$ dsconf init-repl-dest -p 1389 cn=dscc localhost:2389 localhost:3389 localhost:4389

Obviously it's not the best idea to run DSCC multiple times on the same machine (localhost) as listed above, but I was just trying to stick with the theme of the rest of the commands ;-)

Posted by Joshua Preston on May 13, 2008 at 08:00 PM CEST #

Yes, good point.

I would add that configuring replicated DSCC registries for failover is a supported feature. See http://docs.sun.com/app/docs/doc/820-2491/gdrjs for the official docs, for example.

Posted by Mark on May 22, 2008 at 07:25 AM CEST #

Mr. Craig, thanks for your time in advance.

I am working on a project for my organization to replace an existing Sun DSEE 5.2 with a newer ORACLE/Sun DSEE 7.0 system.

I have to consolidate 3 suffixes x.dcn.disn.mil, y.dcn.disn.mil and z.dcn.disn.mil into a single suffix such as dcn.disn.mil. I know the true LDAP convention but wanted to keep this text short.

Anyway, I have been working with an ORACLE/Sun sales engineer because I can't officially receive support from ORACLE yet. I am on a time-crunch as this task impacts another one I am working directly as well.

I have the notes in a Word document I have already typed up. I have a different model than what this page (of yours) portrays and would like to submit both my notes and the diagram that portrays the future model as myself and the ORACLE/Sun sales engineer came up with.

Would you please help me with your professional and in-depth input please? I have learned quite a bit in the last 3 weeks from my sales engineer cohort but I have reached the extent of his knowledge.

--Warron French

P.S. I am willing to leave you my notes for your use if you want to post them on your blog. I simply need the information and my job is sort of being impacted.

Posted by Warron French on August 23, 2010 at 09:56 AM CEST #

Warron, very sorry for the late reply :-(

I'd really recommend you get in touch with your Oracle representative to look at the deployment. Your Oracle representative can help you to work with an experienced consultant to build out the deployment as needed for your organization, so that once you get everything in place it will work as expected.

These folks in the field have lots of real-world experience, and they'll come back to us in product development when necessary.

Regards,
Mark

Posted by Mark Craig on September 22, 2010 at 10:33 AM CEST #

About

Mark Craig writes about Directory Services products and technologies. The views expressed on this blog are my own and do not necessarily reflect the views of Oracle.
