Hey folks,
The HOWTO refers to a script that is at the end of a dead link
http://directory.fedoraproject.org/wiki/Howto:MultiMasterReplication
And the Red Hat docs tell me to do something that causes an error.
http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Creating_the_Supplier_Bind_DN_Entry.html
The final entry should resemble Example 8.1, “Example Supplier Bind DN Entry”.
dn: cn=replication manager,cn=config
objectClass: inetorgperson
objectClass: person
objectClass: top
cn: replication manager
sn: RM
userPassword: password
passwordExpirationTime: 20380119031407Z
[root@sandbox2 ~]# /etc/init.d/dirsrv start
Starting dirsrv:
sandbox2...[03/Dec/2009:16:31:30 -0500] - Entry "cn=replication manager,cn=config " has unknown object class "inetorgperson " (remove the trailing space)
[03/Dec/2009:16:31:30 -0500] - Entry "cn=replication manager,cn=config " has unknown object class "person " (remove the trailing space)
[03/Dec/2009:16:31:30 -0500] - Entry "cn=replication manager,cn=config " has unknown object class "top " (remove the trailing space)
[ OK ]
And clearly I do not know enough about LDAP at this point to know what
the heck I'm doing here :-)
Both of my servers are set up with custom install but mostly defaults.
Help me Obi-Wan, you are my only hope :-)
BTW, I did order the O'Reilly LDAP book that everyone recommends - it
shipped today.
--
“Don't eat anything you've ever seen advertised on TV”
- Michael Pollan, author of "In Defense of Food"
Oh, and another question.
The first server seems to be working fine. When installing the 2nd
one I came to this question and did not really know what it meant so I
said "yes" and pointed it at the 1st server. Was this the right thing
to do?
Do you want to register this software with an existing
configuration directory server? [no]: yes
Alan McKay wrote:
> Hey folks,
>
> The HOWTO refers to a script that is at the end of a dead link
>
> http://directory.fedoraproject.org/wiki/Howto:MultiMasterReplication
>
> And the Red Hat docs tell me to do something that causes an error.
>
> http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Creating_the_Supplier_Bind_DN_Entry.html
>
> The final entry should resemble Example 8.1, “Example Supplier Bind DN Entry”.
>
> dn: cn=replication manager,cn=config
> objectClass: inetorgperson
> objectClass: person
> objectClass: top
> cn: replication manager
> sn: RM
> userPassword: password
> passwordExpirationTime: 20380119031407Z
>
> [root@sandbox2 ~]# /etc/init.d/dirsrv start
> Starting dirsrv:
> sandbox2...[03/Dec/2009:16:31:30 -0500] - Entry "cn=replication
> manager,cn=config " has unknown object class "inetorgperson " (remove
> the trailing space)
> [03/Dec/2009:16:31:30 -0500] - Entry "cn=replication manager,cn=config
> " has unknown object class "person " (remove the trailing space)
> [03/Dec/2009:16:31:30 -0500] - Entry "cn=replication manager,cn=config
> " has unknown object class "top " (remove the trailing space)
> [ OK ]

In the LDIF above, each line ends with the space character. LDAP does not like that. That's what the error messages are telling you.

> And clearly I do not know enough about LDAP at this point to know what
> the heck I'm doing here :-)
>
> Both of my servers are set up with custom install but mostly defaults.
>
> Help me Obi-Wan, you are my only hope :-)
>
> BTW, I did order the O'Reilly LDAP book that everyone recommends - it
> shipped today.
Rich Megginson
2009-Dec-03 21:46 UTC
Re: [389-users] Re: setting up multi master replication
Alan McKay wrote:
> Oh, and another question.
>
> The first server seems to be working fine. When installing the 2nd
> one I came to this question and did not really know what it meant so I
> said "yes" and pointed it at the 1st server. Was this the right thing
> to do?
>
> Do you want to register this software with an existing
> configuration directory server? [no]: yes

Yes. It just means you will be able to manage both servers from a single 389-console.
On 12/03/2009 01:41 PM, Alan McKay wrote:
> Hey folks,
>
> The HOWTO refers to a script that is at the end of a dead link
>
> http://directory.fedoraproject.org/wiki/Howto:MultiMasterReplication
>
> And the Red Hat docs tell me to do something that causes an error.
>
> http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Creating_the_Supplier_Bind_DN_Entry.html
>
> The final entry should resemble Example 8.1, “Example Supplier Bind DN Entry”.
>
> dn: cn=replication manager,cn=config
> objectClass: inetorgperson
> objectClass: person
> objectClass: top
> cn: replication manager
> sn: RM
> userPassword: password
> passwordExpirationTime: 20380119031407Z
>
> [root@sandbox2 ~]# /etc/init.d/dirsrv start
> Starting dirsrv:
> sandbox2...[03/Dec/2009:16:31:30 -0500] - Entry "cn=replication
> manager,cn=config " has unknown object class "inetorgperson " (remove
> the trailing space)
> [03/Dec/2009:16:31:30 -0500] - Entry "cn=replication manager,cn=config
> " has unknown object class "person " (remove the trailing space)
> [03/Dec/2009:16:31:30 -0500] - Entry "cn=replication manager,cn=config
> " has unknown object class "top " (remove the trailing space)
> [ OK ]
>
> And clearly I do not know enough about LDAP at this point to know what
> the heck I'm doing here :-)
>
> Both of my servers are set up with custom install but mostly defaults.
>
> Help me Obi-Wan, you are my only hope :-)

As the error message states, you have trailing spaces at the end of the "top", "person", and "inetorgperson" objectclass lines. Remove the trailing spaces.

> BTW, I did order the O'Reilly LDAP book that everyone recommends - it
> shipped today.
> (remove
> the trailing space)

duh! Ok, I'm an idiot! Sorry, but I get really illogically frightened by anything to do with LDAP <sigh>
OK, sorry again to cry wolf, but I think this is a real question this time :-)
Back to the Red Hat doc it says :
Specify the replication settings for the multi-mastered read-write replica.
1. In the Directory Server Console, select the Configuration tab.
2. In the navigation tree, expand the Replication folder, and highlight the replica database.
The Replica Settings tab for that database opens in the right-hand side of the window.
The picture they show does not give me enough detail, because when I
expand the "Replication" folder to highlight the "replica database", I
see 2 entries in there and I'm not sure which one to use. I see
"NetscapeRoot" and "userRoot". I click on either of those and I see
the tabs like in the Red Hat doc.
http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Managing_Replication-Configuring_Multi_Master_Replication.html
Well, I blew something.
http://www.redhat.com/docs/manuals/dir-server/8.1/admin/images/replagmt1.png
When I got to this point I did not see at the bottom the subtree
"dc=example,dc=com" I saw "NetscapeRoot"
Which means when I asked the other question about whether to choose
"NetscapeRoot" or "userRoot", the answer must have been "neither".
But those were the only two choices I had.
My replication failed with error 6. No such replica.
I'll go back and retrace my steps tomorrow - getting too late for this
right now.
I recommend you follow this other howto:
http://directory.fedoraproject.org/wiki/Howto:WalkthroughMultimasterSSL

2009/12/3 Alan McKay <alan.mckay@gmail.com>:
> Well, I blew something.
>
> http://www.redhat.com/docs/manuals/dir-server/8.1/admin/images/replagmt1.png
>
> When I got to this point I did not see at the bottom the subtree
> "dc=example,dc=com" I saw "NetscapeRoot"
>
> Which means when I asked the other question about whether to choose
> "NetscapeRoot" or "userRoot", the answer must have been "neither".
> But those were the only two choices I had.
>
> My replication failed with error 6. No such replica.
>
> I'll go back and retrace my steps tomorrow - getting too late for this
> right now.

--
muzzol(a)muzzol.com
jabber id: muzzol(a)jabber.dk
> http://directory.fedoraproject.org/wiki/Howto:WalkthroughMultimasterSSL

Thanks, that is what I will do tomorrow
Nathan Kinder
2009-Dec-03 23:14 UTC
Re: [389-users] Re: setting up multi master replication
On 12/03/2009 02:41 PM, Alan McKay wrote:
> Well, I blew something.
>
> http://www.redhat.com/docs/manuals/dir-server/8.1/admin/images/replagmt1.png
>
> When I got to this point I did not see at the bottom the subtree
> "dc=example,dc=com" I saw "NetscapeRoot"
>
> Which means when I asked the other question about whether to choose
> "NetscapeRoot" or "userRoot", the answer must have been "neither".
> But those were the only two choices I had.

You need to choose userRoot. The default database name is userRoot, which maps to whatever suffix you defined at install time. The NetscapeRoot backend is used by the Administration Server for things like letting the Console application know what servers it has to manage and what it can do.

> My replication failed with error 6. No such replica.
>
> I'll go back and retrace my steps tomorrow - getting too late for this
> right now.
On Thu, Dec 3, 2009 at 6:14 PM, Nathan Kinder <nkinder@redhat.com> wrote:
> You need to choose userRoot. The default database name is userRoot, which
> maps to whatever suffix you defined at install time. The NetscapeRoot
> backend
> is used by the Administration Server for things like letting the Console
> application
> what servers it has to manage and what it can do.

Story of my life - 50/50 chance and I blew it! :-)
Dang - I went back and did it with userRoot and got the same Error 6.
So I'll go off now and look at that doc on the fedora wiki that was
mentioned above. Not sure where I went wrong ...
Well that was short lived hope. :-( Though the -6 in the error here
seems suspiciously like the 6 error by the other means.
http://directory.fedoraproject.org/wiki/Howto:WalkthroughMultimasterSSL
Says to do this :
#> cd /opt/fedora-ds/shared/bin
#> ./ldapmodify -D "cn=Directory Manager" -w YOURPASSWORD
dn: cn=replication manager,cn=config
changetype: add
objectclass: top
objectclass: person
cn: Replication Manager
sn: Manager
userPassword: PASSWORD
So when I try, I get this (on both servers) :
[root@sandbox1 ~]# ldapmodify -D "cn=Directory Manager" -w MY_REAL_PASSWORD
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:
> [root@sandbox1 ~]# ldapmodify -D "cn=Directory Manager" -w MY_REAL_PASSWORD

-x !!! Fixed so far ...
So - failed with error 3 this time but I'm not losing hope. By that
point I think both servers were a little bastardized from trying this
method and that.
I'm just going to blow them both away and start from scratch. Doing
the initial install is pretty easy now that I have it documented.
Will also allow me to work on a kickstart image for it :-)
I leave work early today so probably will only get a chance to do the
OS install today. Replication experiments to continue next week :-)
I'll keep y'all posted how it goes ...
Rich Megginson
2009-Dec-04 15:55 UTC
Re: [389-users] Re: setting up multi master replication
Alan McKay wrote:
> So - failed with error 3 this time but I'm not losing hope. By that
> point I think both servers were a little bastardized from trying this
> method and that.

When you say "failed with error 3" you should be more specific - what failed? What is the context? Is there any additional information in the error message?

> I'm just going to blow them both away and start from scratch. Doing
> the initial install is pretty easy now that I have it documented.
> Will also allow me to work on a kickstart image for it :-)
>
> I leave work early today so probably will only get a chance to do the
> OS install today. Replication experiments to continue next week :-)
>
> I'll keep y'all posted how it goes ...
> When you say "failed with error 3" you should be more specific - what
> failed? What is the context? Is there any additional information in the
> error message?

Yeah, sorry, I wasn't more specific because I wasn't really asking for
help - just giving an update :-) As mentioned, I'm going to blow it
away and go at it again but this time using 100% of the fedora wiki
doc (but without SSL).

It was when I finished making the replication agreements on both ends
- as the doc suggested, choose "do not replicate now" and then after
that is done, I went to my 1st server and right-clicked on the
replication agreement and told it to "initialize consumer"

But since I've typed all this now, I might as well give you the whole thing :-)

http://picasaweb.google.ca/alan.mckay/Work#5411412134006249250

cheers,
-Alan
Rich Megginson
2009-Dec-04 16:43 UTC
Re: [389-users] Re: setting up multi master replication
Alan McKay wrote:
>> When you say "failed with error 3" you should be more specific - what
>> failed? What is the context? Is there any additional information in the
>> error message?
>
> Yeah, sorry, I wasn't more specific because I wasn't really asking for
> help - just giving an update :-)

Sure. Folks doing a web search for information about similar problems will hit this archived email and will wonder if it is the same problem they are seeing.

> As mentioned, I'm going to blow it
> away and go at it again but this time using 100% of the fedora wiki
> doc (but without SSL).
>
> It was when I finished making the replication agreements on both ends
> - as the doc suggested, choose "do not replicate now" and then after
> that is done, I went to my 1st server and right-clicked on the
> replication agreement and told it to "initialize consumer"
>
> But since I've typed all this now, I might as well give you the whole thing :-)
>
> http://picasaweb.google.ca/alan.mckay/Work#5411412134006249250

That usually means you haven't specified the supplier DN in the consumer replica, or you have specified a different supplier DN on the supplier side than the supplier DN you specified on the consumer side.

> cheers,
> -Alan
> That usually means you haven't specified the supplier DN in the consumer
> replica, or you have specified a different supplier DN on the supplier side
> than the supplier DN you specified on the consumer side.

You mean the "replication manager" that I set up like this :

#> cd /opt/fedora-ds/shared/bin
#> ./ldapmodify -D "cn=Directory Manager" -w YOURPASSWORD
dn: cn=replication manager,cn=config
changetype: add
objectclass: top
objectclass: person
cn: Replication Manager
sn: Manager
userPassword: PASSWORD
Rich Megginson
2009-Dec-04 16:56 UTC
Re: [389-users] Re: setting up multi master replication
Alan McKay wrote:
>> That usually means you haven't specified the supplier DN in the consumer
>> replica, or you have specified a different supplier DN on the supplier side
>> than the supplier DN you specified on the consumer side.
>
> You mean the "replication manager" that I set up like this :
>
> #> cd /opt/fedora-ds/shared/bin
> #> ./ldapmodify -D "cn=Directory Manager" -w YOURPASSWORD
> dn: cn=replication manager,cn=config
> changetype: add
> objectclass: top
> objectclass: person
> cn: Replication Manager
> sn: Manager
> userPassword: PASSWORD

Right. You have to add this DN to the list of supplier DNs in the replica entry on the consumer - this says which DNs are allowed to be a supplier for this replica. You also have to specify this DN in your supplier replication agreement.
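
Added example, not part of the thread and not 389 project code: a Python check over exported LDIF for the two mistakes discussed above, values that end in a space and a supplier agreement whose bind DN the consumer replica does not list. It assumes the replica and agreement entries carry `nsDS5ReplicaBindDN`; the sample entries, the `dc=example,dc=com` suffix and the `cn=agmt1` name are constructed.

```python
def parse_ldif(text):
    """Minimal LDIF reader (no base64/URL values): [(dn, {attr: [values]})]."""
    logical = []
    for raw in text.split("\n"):
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]            # RFC 2849 folded line
        else:
            logical.append(raw)
    entries, attrs = [], None
    for line in logical:
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        value = value.lstrip(" ")             # leading fill dropped, trailing spaces kept
        if not line.strip():
            attrs = None                      # blank line ends the entry
        elif name.lower() == "dn":
            attrs = {}
            entries.append((value, attrs))
        elif attrs is not None:
            attrs.setdefault(name.lower(), []).append(value)
    return entries

def trailing_spaces(entries):
    """(dn, attribute) pairs whose value ends in whitespace, the dn line included."""
    hits = [(dn, "dn") for dn, _ in entries if dn != dn.rstrip()]
    for dn, attrs in entries:
        hits += [(dn, n) for n, vals in attrs.items() for v in vals if v != v.rstrip()]
    return hits

def norm_dn(dn):
    """Naive normalisation (no escaped commas): lower-case, trim around ',' and '='."""
    rdns = (rdn.split("=", 1) for rdn in dn.lower().split(","))
    return ",".join("=".join(part.strip() for part in rdn) for rdn in rdns)

def bind_dns(ldif, objectclass):
    """Normalised nsDS5ReplicaBindDN values from entries of the given object class."""
    return {norm_dn(v) for _, a in parse_ldif(ldif)
            if objectclass in [c.strip().lower() for c in a.get("objectclass", [])]
            for v in a.get("nsds5replicabinddn", [])}

def unlisted_supplier_dns(consumer_ldif, supplier_ldif):
    """Bind DNs used by supplier agreements that the consumer replica does not list."""
    return sorted(bind_dns(supplier_ldif, "nsds5replicationagreement")
                  - bind_dns(consumer_ldif, "nsds5replica"))

# Constructed samples; BAD repeats the thread's entry with its trailing spaces.
BAD = "dn: cn=replication manager,cn=config \nobjectClass: top \nsn: RM\n"
CONSUMER = ('dn: cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config\n'
            "objectClass: nsDS5Replica\n"
            "nsDS5ReplicaBindDN: cn=replication manager,cn=config\n")
AGREEMENT = ('dn: cn=agmt1,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config\n'
             "objectClass: nsDS5ReplicationAgreement\n"
             "nsDS5ReplicaBindDN: cn=Replication Manager, cn=config\n")
```
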
> Right. You have to add this DN to the list of supplier DNs in the replica
> entry on the consumer - this says which DNs are allowed to be a supplier for
> this replica. You also have to specify this DN in your supplier replication
> agreement.

I did that according to the fedora wiki doc

http://directory.fedoraproject.org/wiki/Howto:WalkthroughMultimasterSSL

Though as noted I'm not using SSL.

Anyway, too late to go back and check since I'm reinstalling in both VMs now :-)
> Anyway, too late to go back and check since I'm reinstalling in both VMs now :-)

Bingo - it worked as advertised! This doc did the trick for me with a fresh install

http://directory.fedoraproject.org/wiki/Howto:WalkthroughMultimasterSSL

I'm off for the week now - will pull the doc together next week.

Thanks all!