Linux Archive

Roland Schwingel 05-20-2011 09:04 AM

Moving admin servers
 
Hi...

I got a question on how to move administration servers.

In my network I do have at present 3 subnets that are managed by 389ds.

Let's call them Net-A, Net-B and Net-C. Each subnet hosts a replica of the ldap tree. All ldap/admin servers are registered to the admin server on Net-A.

Due to some network restructurings Net-A will become a more or less "private" network. And I also will add 10 more networks (each will host a replica) to 389ds. They all should register to a new adminserver in Net-C.

So I need to move the central admin server from Net-A to Net-C. Is this possible while being in production? As I understand 389ds the adminservers are independent of the slapd processes doing the concrete ldap. For Net-A there will be a hole in the firewall to allow traffic to port 389, 636 and 9830 to the other networks.

Any advice on how to accomplish the move of the adminserver de- and reregistration?

Thanks in advance for your help,

Roland

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Rich Megginson 05-20-2011 02:51 PM

Moving admin servers
 
On 05/20/2011 03:04 AM, Roland Schwingel wrote:

> Hi...
>
> I got a question on how to move administration servers.
>
> In my network I do have at present 3 subnets that are managed by 389ds.
>
> Let's call them Net-A, Net-B and Net-C. Each subnet hosts a replica of the ldap tree. All ldap/admin servers are registered to the admin server on Net-A.
>
> Due to some network restructurings Net-A will become a more or less "private" network. And I also will add 10 more networks (each will host a replica) to 389ds. They all should register to a new adminserver in Net-C.
>
> So I need to move the central admin server from Net-A to Net-C. Is this possible while being in production? As I understand 389ds the adminservers are independent of the slapd processes doing the concrete ldap. For Net-A there will be a hole in the firewall to allow traffic to port 389, 636 and 9830 to the other networks.
>
> Any advice on how to accomplish the move of the adminserver de- and reregistration?



So currently you have all of the directory servers registered with a directory server running in Net-A - this is the directory server that hosts the o=netscaperoot suffix used to register and configure those servers in the console. This is on a machine with hostname ldap.neta or something like that. Now you want instead to have a new server ldap.netc and have all of the directory servers registered with that server instead?


Roland Schwingel 05-20-2011 08:25 PM

Moving admin servers
 
Hi Rich...

Thanks for the reply,

> So currently you have all of the directory servers registered with a
> directory server running in Net-A - this is the directory server
> that hosts the o=netscaperoot suffix used to register and configure
> those servers in the console. This is on a machine with hostname
> ldap.neta or something like that. Now you want instead to have a
> new server ldap.netc and have all of the directory servers
> registered with that server instead?

You are right....
When running setup-ds-admin.pl you have the option to register a new server to another already running server. This one is at present the one in net-a. Now I have to register all servers to a server in net-c.

Thanks for your kind help,

Roland

Rich Megginson 05-20-2011 08:36 PM

Moving admin servers
 
On 05/20/2011 02:25 PM, Roland Schwingel wrote:

> Hi Rich...
>
> Thanks for the reply,
>
> > So currently you have all of the directory servers registered with a
> > directory server running in Net-A - this is the directory server
> > that hosts the o=netscaperoot suffix used to register and configure
> > those servers in the console. This is on a machine with hostname
> > ldap.neta or something like that. Now you want instead to have a
> > new server ldap.netc and have all of the directory servers
> > registered with that server instead?
>
> You are right....
> When running setup-ds-admin.pl you have the option to register a new server to another already running server. This one is at present the one in net-a. Now I have to register all servers to a server in net-c.



Are you moving any of the servers other than the one that contains o=NetscapeRoot? If not, then you could try the following:

1) export the o=NetscapeRoot (NetscapeRoot) database from the server in net-a

db2ldif -U -n NetscapeRoot -a /path/to/nsroot.ldif

2) use perl/sed/awk/whatever you are most comfortable with to change references to net-a to net-c in nsroot.ldif

3) Create a suffix o=NetscapeRoot and database NetscapeRoot in the server in net-c

4) Import (initialize) the new o=NetscapeRoot with the old server data

Then, you'll have to edit the /etc/dirsrv/admin-serv/adm.conf in all of your servers to change any references to net-a to net-c, then restart the admin server (restart-ds-admin)

Finally, you'll have to run ldapmodify on all of your servers (except the one that has the new o=NetscapeRoot) to do something like this:

ldapmodify -x -h hostname -D "cn=directory manager" -W <<EOF
dn: cn=Pass Through Authentication,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginarg0
nsslapd-pluginarg0: ldap://hostname.of.new.server.in.net-c/o=NetscapeRoot
EOF

You'll have to restart the server in order for this change to take effect, but if you don't want to manage the server via the console, you don't have to restart it.






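
Step 2 of the procedure above, as an added example in Python (not code from the thread or from the 389 project): a plain sed over nsroot.ldif misses host names that are split across folded LDIF lines or stored base64-encoded, so this unfolds and decodes before rewriting, then counts the references that remain. The host names ldap.neta and ldap.netc follow the thread; the sample entries and the function names are constructed for illustration.

```python
import base64
import re

def unfold(ldif):
    """Join RFC 2849 continuation lines (leading space) to the line before."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def rewrite_ldif(ldif, old, new):
    """Return (rewritten LDIF, changed-line count); output is left unfolded."""
    # Match old only as a whole host name, never inside a longer name.
    pat = re.compile(r"(?<![\w.-])" + re.escape(old) + r"(?![\w-]|\.\w)", re.I)
    out, changed = [], 0
    for line in unfold(ldif):
        attr, sep, value = line.partition(":")
        new_line = line
        if sep and not line.startswith("#"):
            if value.startswith(":"):  # "attr:: <base64>"
                try:
                    text = base64.b64decode(value[1:].strip()).decode("utf-8")
                    fixed = pat.sub(lambda m: new, text)
                    if fixed != text:
                        new_line = f"{attr}:: " + base64.b64encode(fixed.encode()).decode()
                except (ValueError, UnicodeDecodeError):
                    pass  # binary value: leave untouched
            else:
                new_line = f"{attr}:" + pat.sub(lambda m: new, value)
        changed += new_line != line
        out.append(new_line)
    return "\n".join(out) + "\n", changed

def count_refs(ldif, host):
    """Count logical lines that still mention host (base64 values decoded)."""
    return rewrite_ldif(ldif, host, "")[1]

# Constructed sample; host names follow the thread's ldap.neta / ldap.netc.
SAMPLE = (
    "dn: cn=ldap.neta, ou=neta, o=NetscapeRoot\n"
    "description: registered with ldap.neta\n"
    "labeledURI: ldap://ldap.ne\n"
    " ta:389/o=NetscapeRoot\n"
    "description:: " + base64.b64encode("admin on ldap.neta (Büro)".encode()).decode() + "\n"
    "seeAlso: cn=ldap.neta.lab, o=NetscapeRoot\n"
)

if __name__ == "__main__":
    rewritten, n = rewrite_ldif(SAMPLE, "ldap.neta", "ldap.netc")
    print(rewritten, f"{n} lines changed, {count_refs(rewritten, 'ldap.neta')} references left")
```

Running `count_refs` on the rewritten file before the import in step 4 shows whether any entry still points at the old host; the same check applies to adm.conf after it has been edited.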

Roland Schwingel 05-20-2011 08:42 PM

Moving admin servers
 
Thanks Rich... I will give that a try as soon as possible....











