Luke Schierer
2008-Aug-29 19:06 UTC
[Fedora-directory-users] questions about 2 node multi-master setup
Hi,

I just set up Fedora Directory Server on two nodes, and have set up multi-master replication between them following the directions at http://directory.fedoraproject.org/wiki/Howto:WalkthroughMultimasterSSL

It seems to mostly work, but I have a few questions.

1) After initializing nodeB and restarting nodes A and B, I can no longer connect to nodeB with the Console application. If I type in its hostname, it connects, but I can only open up the slapd directory if nodeA is up. I can continue to log into nodes authenticating against the pair, and I can use the command line utilities to connect to nodeB. Any ideas what I might be doing wrong?

2) If I change a password (using the passwd command on a client) while nodeA is down, or add a user with ldapmodify while nodeA is down, the change does not seem to replicate back to nodeA after it comes back up. Do I have to force an initialization in such cases?

Thanks,
Luke
Luke Schierer
2008-Sep-02 17:00 UTC
Re: [Fedora-directory-users] questions about 2 node multi-master setup
On Fri, Aug 29, 2008 at 03:06:04PM -0400, Luke Schierer wrote:
> Hi,
> I just set up Fedora Directory Server on two nodes, and have set up
> multi-master replication between them following the directions at
> http://directory.fedoraproject.org/wiki/Howto:WalkthroughMultimasterSSL
>
> It seems to mostly work, but I have a few questions.
>
> 1) After initializing nodeB and restarting nodes A and B, I can no
> longer connect to nodeB with the Console application. If I type in
> its hostname, it connects, but I can only open up the slapd directory
> if nodeA is up. I can continue to log into nodes authenticating
> against the pair, and I can use the command line utilities to connect to
> nodeB. Any ideas what I might be doing wrong?
>
> 2) If I change a password (using the passwd command on a client) while
> nodeA is down, or add a user with ldapmodify while nodeA is down, the
> change does not seem to replicate back to nodeA after it comes back
> up. Do I have to force an initialization in such cases?
>
> Thanks,
> Luke

A couple of additional details. This is on a 32-bit Redhat Enterprise 5 server. The first issue only happens if I set it to replicate ou=NetscapeRoot, which appears to be necessary for the global password policy to replicate. Is there a better way to achieve this?

I tried using the fdstool script in one archived email, but that gave me errors when I tried to run it, and so I turned to the more manual instructions in the MultimasterSSL guide. I removed my fedora-ds install between trying with the script and doing it myself following the guide.

Thanks,
Luke
Rich Megginson
2008-Sep-02 17:19 UTC
Re: [Fedora-directory-users] questions about 2 node multi-master setup
Luke Schierer wrote:
> On Fri, Aug 29, 2008 at 03:06:04PM -0400, Luke Schierer wrote:
>
>> Hi,
>> I just set up Fedora Directory Server on two nodes, and have set up
>> multi-master replication between them following the directions at
>> http://directory.fedoraproject.org/wiki/Howto:WalkthroughMultimasterSSL
>>
>> It seems to mostly work, but I have a few questions.
>>
>> 1) After initializing nodeB and restarting nodes A and B, I can no
>> longer connect to nodeB with the Console application. If I type in
>> its hostname, it connects, but I can only open up the slapd directory
>> if nodeA is up. I can continue to log into nodes authenticating
>> against the pair, and I can use the command line utilities to connect to
>> nodeB. Any ideas what I might be doing wrong?
>>
>> 2) If I change a password (using the passwd command on a client) while
>> nodeA is down, or add a user with ldapmodify while nodeA is down, the
>> change does not seem to replicate back to nodeA after it comes back
>> up. Do I have to force an initialization in such cases?
>>
>> Thanks,
>> Luke
>
> A couple of additional details. This is on a 32-bit Redhat Enterprise
> 5 server. The first issue only happens if I set it to replicate
> ou=NetscapeRoot, which appears to be necessary for the global password
> policy to replicate.

I don't think that is true. What leads you to believe that?

> Is there a better way to achieve this?

Have you seen this - http://tinyurl.com/6apcfq

> I tried using the fdstool script in one archived email, but that gave
> me errors when I tried to run it, and so I turned to the more manual
> instructions in the MultimasterSSL guide. I removed my fedora-ds
> install between trying with the script and doing it myself following
> the guide.
>
> Thanks,
> Luke
Luke Schierer
2008-Sep-02 19:00 UTC
Re: [Fedora-directory-users] questions about 2 node multi-master setup
On Tue, Sep 02, 2008 at 11:19:55AM -0600, Rich Megginson wrote:
> Luke Schierer wrote:
>> On Fri, Aug 29, 2008 at 03:06:04PM -0400, Luke Schierer wrote:
>>
>>> Hi,
>>> I just set up Fedora Directory Server on two nodes, and have set up
>>> multi-master replication between them following the directions at
>>> http://directory.fedoraproject.org/wiki/Howto:WalkthroughMultimasterSSL
>>>
>>> It seems to mostly work, but I have a few questions.
>>>
>>> 1) After initializing nodeB and restarting nodes A and B, I can no
>>> longer connect to nodeB with the Console application. If I type in
>>> its hostname, it connects, but I can only open up the slapd directory
>>> if nodeA is up. I can continue to log into nodes authenticating
>>> against the pair, and I can use the command line utilities to connect to
>>> nodeB. Any ideas what I might be doing wrong?
>>>
>>> 2) If I change a password (using the passwd command on a client) while
>>> nodeA is down, or add a user with ldapmodify while nodeA is down, the
>>> change does not seem to replicate back to nodeA after it comes back
>>> up. Do I have to force an initialization in such cases?
>>>
>>> Thanks,
>>> Luke
>>
>> A couple of additional details. This is on a 32-bit Redhat Enterprise
>> 5 server. The first issue only happens if I set it to replicate
>> ou=NetscapeRoot, which appears to be necessary for the global password
>> policy to replicate.
> I don't think that is true. What leads you to believe that?

Because I tried once without having the ou=NetscapeRoot set to replicate, and the password policy did not show as set on the other console. Still, perhaps I did something wrong.

>> Is there a better way to achieve this?
>>
> Have you seen this - http://tinyurl.com/6apcfq

I had not, my fault for now reading the full manual it appears, as it has extra steps for setting up the second instance. I will try with these directions.

Thanks for the pointer!!

Luke
Rich Megginson
2008-Sep-02 19:04 UTC
Re: [Fedora-directory-users] questions about 2 node multi-master setup
Luke Schierer wrote:
> On Tue, Sep 02, 2008 at 11:19:55AM -0600, Rich Megginson wrote:
>
>> Luke Schierer wrote:
>>
>>> On Fri, Aug 29, 2008 at 03:06:04PM -0400, Luke Schierer wrote:
>>>
>>>> Hi,
>>>> I just set up Fedora Directory Server on two nodes, and have set up
>>>> multi-master replication between them following the directions at
>>>> http://directory.fedoraproject.org/wiki/Howto:WalkthroughMultimasterSSL
>>>>
>>>> It seems to mostly work, but I have a few questions.
>>>>
>>>> 1) After initializing nodeB and restarting nodes A and B, I can no
>>>> longer connect to nodeB with the Console application. If I type in
>>>> its hostname, it connects, but I can only open up the slapd directory
>>>> if nodeA is up. I can continue to log into nodes authenticating
>>>> against the pair, and I can use the command line utilities to connect to
>>>> nodeB. Any ideas what I might be doing wrong?
>>>>
>>>> 2) If I change a password (using the passwd command on a client) while
>>>> nodeA is down, or add a user with ldapmodify while nodeA is down, the
>>>> change does not seem to replicate back to nodeA after it comes back
>>>> up. Do I have to force an initialization in such cases?
>>>>
>>>> Thanks,
>>>> Luke
>>>
>>> A couple of additional details. This is on a 32-bit Redhat Enterprise
>>> 5 server. The first issue only happens if I set it to replicate
>>> ou=NetscapeRoot, which appears to be necessary for the global password
>>> policy to replicate.
>>>
>> I don't think that is true. What leads you to believe that?
>>
>
> Because I tried once without having the ou=NetscapeRoot set to
> replicate, and the password policy did not show as set on the other
> console. Still, perhaps I did something wrong.

That's really weird - the global password policy is stored in cn=config, not in o=NetscapeRoot, so I'm not sure why replication would have anything to do with this.

>>> Is there a better way to achieve this?
>>>
>> Have you seen this - http://tinyurl.com/6apcfq
>>
>
> I had not, my fault for now reading the full manual it appears, as it
> has extra steps for setting up the second instance. I will try with
> these directions.
>
> Thanks for the pointer!!
>
> Luke
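
Added example, not part of the thread or of Fedora Directory Server: since the global password policy lives in cn=config, which is each server's own configuration entry, one way to confirm both masters enforce the same policy is to dump cn=config from each and compare the password* attributes. The LDIF samples and their values are constructed, and the function names are hypothetical.

```python
import base64

# Constructed sample LDIF, as returned by a base-scope search of cn=config
# on each master (e.g. ldapsearch -b cn=config -s base); values are made up.
NODE_A = """\
dn: cn=config
passwordMinLength: 12
passwordLockout: on
passwordMaxFailure: 5
passwordCheckSyntax: on
"""
NODE_B = """\
dn: cn=config
passwordMinLength: 6
passwordLockout: off
passwordCheckSyntax:: b24=
"""

def parse_policy(ldif):
    """Return {lowercased attr: sorted values} for the password* attributes."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:   # LDIF folded line: continuation
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    policy = {}
    for line in lines:
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):            # "attr:: ..." carries base64
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if attr.lower().startswith("password"):
            policy.setdefault(attr.lower(), []).append(value)
    return {k: sorted(v) for k, v in policy.items()}

def policy_drift(ldif_a, ldif_b):
    """Return {attr: (values_on_a, values_on_b)} where the two servers differ."""
    a, b = parse_policy(ldif_a), parse_policy(ldif_b)
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

if __name__ == "__main__":
    for attr, (on_a, on_b) in policy_drift(NODE_A, NODE_B).items():
        print(f"{attr}: nodeA={on_a} nodeB={on_b}")
```

An attribute missing on one side is reported with `None` for that server, which covers a setting that was changed on one master only.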