This chapter describes the procedures for installing and configuring the Sun Cluster HA for Netscape Directory Server data service. This data service was formerly known as Sun Cluster HA for Netscape LDAP. Some error messages from the application might still use the name Netscape LDAP, but they refer to Netscape Directory Server (NDS).
This chapter contains the following procedures.
"How to Install Sun Cluster HA for Netscape Directory Server Packages"
"How to Complete the Sun Cluster HA for Netscape Directory Server Configuration"
You must configure the Sun Cluster HA for Netscape Directory Server data service as a failover service. See Chapter 1, Planning for Sun Cluster Data Services and the Sun Cluster 3.0 U1 Concepts document for general information about data services, resource groups, resources, and other related topics.
You can use SunPlex Manager to install and configure this data service. See the SunPlex Manager online help for details.
Use this section in conjunction with the worksheets in the Sun Cluster 3.0 U1 Release Notes as a checklist before installation and configuration.
Consider the following points prior to starting your installation.
Where will the server root reside?
You can store files and data that do not change on the local file system of each cluster node. However, place dynamic data on the cluster file system so that you can view or update the data from any cluster node.
If you plan to use multiple NDS instances on a node, you must set the listenhost directive in the slapd.conf file with the appropriate network resource as the IP address (a logical hostname). This setting is necessary because the default NDS behavior is for the instance to bind to all IP addresses on the node.
For example, to set up a particular instance to use the logical hostname nds-1, add the following entry to the instance's slapd.conf file: listenhost nds-1. This setting causes the instance to bind to the logical hostname nds-1 only, rather than to all the IP addresses on the node.
The LDAP administrative server is case-sensitive in its consideration of hostnames. Therefore, all hostnames specified in the LDAP configuration for the administrative server must match their case with the LDAP specification in the name service in use on the cluster node. If DNS is the name service in use, this case-matching is particularly important because the DNS domain name must also match the host-name specification in the LDAP configuration.
Be sure that the case of the fully qualified domain name of the machine for LDAP matches the case of the domain name that the resolver returns. For example, if the DNS resolver returns Eng.Sun.COM as the domain name (note the mixed case), you must spell that name exactly the same way when you configure the LDAP administrative server.
The following table lists the sections that describe the installation and configuration tasks.
Table 4-1 Task Map: Installing and Configuring Sun Cluster HA for Netscape Directory Server
Task |
For Instructions, Go To |
---|---|
Configure and activate network resources | |
Install and configure Netscape Directory Server | |
Install the Sun Cluster HA for Netscape Directory Server-data service packages |
"Installing Sun Cluster HA for Netscape Directory Server Packages" |
Configure application resources and start the Sun Cluster HA for Netscape Directory Server data service |
"Completing the Sun Cluster HA for Netscape Directory Server Configuration" |
Configure resource extension properties |
"Configuring Sun Cluster HA for Netscape Directory Server Extension Properties" |
If you are running multiple data services in your Sun Cluster configuration, you can set up the data services in any order, with the following exception. If you use the Sun Cluster HA for DNS data service, you must set up the Sun Cluster HA for DNS data service before you set up Netscape Directory Server. See Chapter 6, Installing and Configuring Sun Cluster HA for Domain Name Service (DNS) for details. DNS software is included in the Solaris operating environment. If the cluster is to obtain the DNS service from another server, configure the cluster to be a DNS client first.
After installation, use only the cluster administration command scswitch(1M) to manually start and stop Netscape Directory Server. See the man page for details. After Netscape Directory Server is started, the Sun Cluster software controls it.
Before you install and configure Netscape Directory Server, set up the network resources that the server will attempt to use after the server has been installed and configured. To configure and activate the network resources, use the following command-line procedure.
To perform this procedure, you need the following information about your configuration.
The names of the cluster nodes that can master the data service.
The logical hostname that clients use to access the Sun Cluster HA for Netscape Directory Server data service. Normally, you set up this hostname when you install the cluster. See the section in the Sun Cluster 3.0 U1 Installation Guide on how to set up logical hostnames for details.
Perform this procedure on any cluster member.
Become superuser on a cluster member.
Verify that all network addresses that you use have been added to your name-service database.
You should have performed this verification during the Sun Cluster installation. See the planning chapter in the Sun Cluster 3.0 U1 Installation Guide for details.
To avoid any failures because of name-service lookup, ensure that all logical hostnames and shared addresses are present in the /etc/hosts file on all cluster nodes. Configure name-service mapping in the /etc/nsswitch.conf file on the servers to first check the local files before trying to access NIS, NIS+, or DNS.
Create a failover resource group to hold the network and application resources.
# scrgadm -a -g resource-group [-h nodelist] |
Specifies the name of the resource group. This name can be your choice.
Specifies an optional comma-separated list of physical node names or IDs that identify potential masters. The order here determines the order in which the nodes are considered as primary during failover.
Use the -h option to specify the order of the node list. If all the nodes in the cluster are potential masters, you need not use the -h option.
Add logical-hostname resources to the resource group.
# scrgadm -a -L -g resource-group -l hostname, ...[-n netiflist] |
Specifies that a logical-hostname resource is being added.
Specifies the name of the resource group.
Specifies a comma-separated list of logical hostnames.
Specifies an optional comma-separated list that identifies the NAFO groups on each node. All the nodes in nodelist of the resource group must be represented in netiflist. If you do not specify this option, scrgadm(1M) attempts to discover a net adapter on the subnet that the hostname list identifies for each node in nodelist.
Verify that all logical hostnames that you use have been added to your name-service database.
You should have performed this verification during the Sun Cluster installation. See the planning chapter in the Sun Cluster 3.0 U1 Installation Guide for details.
Run the scswitch command to enable the resource group and bring the resource group online.
# scswitch -Z -g resource-group |
Moves the resource group to the managed state, and brings the resource group online.
Specifies the name of the resource group.
After you configure and activate the network resources, go to "Installing and Configuring Netscape Directory Server".
The Sun Cluster HA for Netscape Directory Server data service is the Netscape Directory Server that uses Netscape Lightweight Directory Access Protocol (LDAP) and runs under the control of the Sun Cluster software. This section describes the steps to install Netscape Directory Server (using the setup command) and enable Netscape Directory Server to run as the Sun Cluster HA for Netscape Directory Server data service.
Netscape Directory Server requires some variation from the default installation parameters. When you install and configure Netscape Directory Server, consider the following points.
For the service to fail over correctly, when prompted for the name of Netscape Directory Server, instead of specifying a physical machine, you must specify a logical hostname (IP address) that can fail over between nodes. This requirement means that before you begin the installation, you must set up the logical hostname in your name services. You normally perform this step, which the Sun Cluster 3.0 U1 Installation Guide describes, as part of the Sun Cluster installation.
Do not use the default server root disk path when prompted. Place your files on the cluster file system.
Do not remove or relocate any of the installed files or directories that the Netscape Directory Server installation places on the cluster file system. For example, do not relocate any of the client binaries, such as ldapsearch, that are installed along with the rest of the Netscape Directory Server software.
This procedure describes the interaction with the Netscape setup command. Only the sections that are specific to the Sun Cluster HA for Netscape Directory Server data service are included here. For the other sections, choose or change the default values as appropriate. This procedure includes only basic steps. See the Netscape LDAP documentation for details.
Become superuser on a cluster member.
Run the setup command from the install directory on the Netscape CD.
From setup, choose the menu items to install a Netscape Server with a Custom Installation.
Supply the logical hostname when the setup command prompts you for the full server name.
For the install location, select a location on the global file system, for example, /global/nsldap.
Supply the logical hostname when the setup command prompts you for the full server name. This step is required for failover to work correctly.
The logical host that you specify must be online on the node from which you run the Netscape Directory Server installation. This state is necessary because at the end of the Netscape Directory Server installation, Netscape Directory Server automatically starts and will fail if the logical host is offline on that node.
Select the logical hostname along with your domain for the computer name, for example, schost-1.eng.sun.com.
When prompted for the IP address to be used as the LDAP Administrative Server, specify an IP address for one of the cluster nodes.
As part of the installation, you set up an LDAP Administrative Server. The IP address that you specify for this server must be that of a physical cluster node, not the name of the logical host that will fail over.
Use the Netscape Administration Server to configure and test Netscape Directory Server.
See your Netscape documentation for details.
After completing the configuration, Netscape Directory Server starts automatically. Before you proceed to the next part of the installation and configuration process, you must use stop-slapd to stop the server.
If you have not installed the data-service packages for Netscape Directory Server from the Sun Cluster Agents CD, go to "Installing Sun Cluster HA for Netscape Directory Server Packages". If you have installed the packages, go to "Completing the Sun Cluster HA for Netscape Directory Server Configuration".
You can use the scinstall(1M) utility to install SUNWscnsl, the Sun Cluster HA for Netscape Directory Server data-service package, on a cluster. Do not use the -s option to non-interactive scinstall to install all data service packages on the CD.
If you installed the data-service packages during your initial Sun Cluster installation, proceed to "Completing the Sun Cluster HA for Netscape Directory Server Configuration". Otherwise, use the following procedure to install the SUNWscnsl package now.
You need the Sun Cluster Agents CD to complete this procedure. Run this procedure on all cluster members that can master the Sun Cluster HA for Netscape Directory Server data service.
Load the Agents CD into the CD-ROM drive.
Run the scinstall utility with no options.
This step starts the scinstall utility in interactive mode.
Select the Add Support for New Data Service to This Cluster Node menu option.
This option enables you to load software for any data services that exist on the CD.
Exit the scinstall utility.
Unload the CD from the drive.
See "Completing the Sun Cluster HA for Netscape Directory Server Configuration" to register the Sun Cluster HA for Netscape Directory Server data service and to configure the cluster for the data service.
This procedure describes how to use the scrgadm command to register and configure the Sun Cluster HA for Netscape Directory Server data service.
Other options also enable you to register and configure the data service. See "Tools for Data-Service Resource Administration" for details about these options.
To perform this procedure, you need the following information about your configuration.
The name of the resource type for the Sun Cluster HA for Netscape Directory Server data service. This name is SUNW.nsldap.
The names of the cluster nodes that can master the data service.
The logical hostname that clients use to access the Sun Cluster HA for Netscape Directory Server data service. Normally, you set up this logical hostname when you install the cluster. See the section on how to set up logical hostnames in the Sun Cluster 3.0 U1 Installation Guide for details.
The path to the Netscape Directory Server application binaries that are the resources for the Sun Cluster HA for Netscape Directory Server data service. You can install the binaries on the local disks or the cluster file system. See Chapter 1, Planning for Sun Cluster Data Services for a discussion of the advantages and disadvantages of each location.
The port where Netscape Directory Server listens. For non-secure instances, the Port_list standard resource property for the Netscape Directory Server resource defaults to 389/tcp, and the value for the secure port is 636/tcp. If you set the port to a number other than 389, you must specify that value when you configure the Port_list property. See Chapter 11, Administering Data-Service Resources for instructions on how to set resource properties.
Perform this procedure on any cluster member.
Perform the following steps to complete your configuration.
Become superuser on a cluster member.
Register the resource type for the data service.
# scrgadm -a -t SUNW.nsldap |
Adds the data-service resource type.
Specifies the predefined resource-type name.
Add the Netscape Directory Server application resource t the failover resource group that you created for your network resources.
The resource group that contains the application resources is the same resource group that you created for your network resources in "How to Configure and Activate Network Resources".
# scrgadm -a -j resource -g resource-group \ -t resource-type [-y Network_resources_used=network-resource, ...] \ -y Port_list=port-number/protocol -x Confdir_list=pathname |
Specifies the LDAP application resource name.
Specifies a comma-separated list of network resources (logical hostnames or shared addresses) in resource-group, which the LDAP application resource must use.
Specifies the resource type to which the resource belongs, for example, SUNW.iws.
Specifies a port number and the protocol to be used, for example, 389/tcp. The Port_list property must have exactly one entry.
Specifies a path for your LDAP configuration directory. The Confdir_list extension property is required. The Confdir_list property must have exactly one entry.
Enable the resource and its monitor.
# scswitch -e -j resource |
Enables the resource and its monitor.
Specifies the name of the application resource being enabled.
This example shows how to register the Sun Cluster HA for Netscape Directory Server data service.
Cluster Information Node names: phys-schost-1, phys-schost-2 Logical hostname: schost-1 Resource group: resource-group-1 (for all resources) Resources: schost-1 (logical hostname), nsldap-1 (LDAP application resource) (Create a failover resource group.) # scrgadm -a -g resource-group-1 -h phys-schost-1,phys-schost-2 (Add a logical hostname resource to the resource group.) # scrgadm -a -L -g resource-group-1 -l schost-1 (Bring the resource group online.) # scswitch -Z -g resource-group-1 (Install and configure Netscape Directory Server.) (Stop the LDAP server.) (Register the SUNW.nsldap resource type.) # scrgadm -a -t SUNW.nsldap (Create an LDAP resource and add it to the resource group.) # scrgadm -a -j nsldap-1 -g resource-group-1 \ -t SUNW.nsldap -y Network_resources_used=schost-1 \ -y Port_list=389/tcp \ -x Confdir_list=/global/nsldap/slapd-schost-1 (Enable the application resources.) # scswitch -e -j nsldap-1 |
The SUNW.HAStorage resource type synchronizes actions between HA storage and the data service. The Sun Cluster HA for Netscape Directory Server data service is not disk-intensive and not scalable, and therefore configuring the SUNW.HAStorage resource type is optional.
See the SUNW.HAStorage(5) man page and "Relationship Between Resource Groups and Disk Device Groups" for background details. See "How to Set Up SUNW.HAStorage Resource Type for New Resources" for information about the procedure.
This section describes how to configure the Sun Cluster HA for Netscape Directory Server extension properties. Typically, you use the command line scrgadm -x parameter=value to configure extension properties when you create the Netscape Directory Server resource. You can also use the procedures that Chapter 11, Administering Data-Service Resources describes to configure them later.
See Appendix A, Standard Properties for details on all Sun Cluster properties.
Table 4-2 describes the extension properties that you can configure for Netscape Directory Server. The only required extension property for creating a Netscape Directory Server resource is the Confdir_list property, which specifies a directory in which the Netscape Directory Server configuration files reside. You can update some extension properties dynamically. You can update others, however, only when you create the resource. The Tunable column of the following table indicates when you can update each property.
Table 4-2 Sun Cluster HA for Netscape Directory Server Extension Properties
Name/Data Type |
Default |
Range |
Tunable |
Description |
---|---|---|---|---|
Confdir_list (string array) |
None |
None |
At creation |
A path name that points to the server root, including the slapd-hostname subdirectory where the start-slapd and stop-slapd scripts reside. The Sun Cluster HA for Netscape Directory Server data service requires this extension property, and the property must have one entry only. If Netscape Directory Server is in secure mode, then the path name must also contain a file named keypass, which contains the secure key password needed to start this instance. |
Monitor_retry_count (integer) |
4 |
0 - 2,147,483,641
-1 indicates an infinite number of retry attempts. |
Any time |
The number of times the process monitor facility (PMF) restarts the fault monitor during the time window that the Monitor_retry_interval property specifies. Note that this property refers to restarts of the fault monitor itself rather than to the resource. The system-defined properties Retry_interval and Retry_count control restarts of the resource. |
Monitor_retry_interval (integer) |
2 |
0 - 2,147,483,641
-1 indicates an infinite retry interval. |
Any time |
The time (in minutes) over which failures of the fault monitor are counted. If the number of times the fault monitor fails exceeds the value specified in the extension property Monitor_retry_count within this period, the PMF cannot restart the fault monitor. |
Probe_timeout (integer) |
30 |
0 - 2,147,483,641 |
Any time |
The time-out value (in seconds) that the fault monitor uses to probe a Netscape Directory Server instance. |
The probe for the Sun Cluster HA for Netscape Directory Server data service accesses particular IP addresses and port numbers. The IP addresses are from network resources that the Network_resources_used property lists. The Port_list resource property lists the port. See Appendix A, Standard Properties for descriptions of these properties.
The fault monitor determines whether the Sun Cluster HA for Netscape Directory Server instance is secure or non-secure. The monitor probes secure and non-secure directory servers differently. If the keyword "security" is not found in the configuration file (slapd.conf), or the setting security off is found, then the instance is determined to be non-secure. Otherwise, the instance is determined to be secure.
The probe for a secure instance consists of a simple TCP connect. If the connect succeeds, the probe is successful. Secure connect failure or timeout is interpreted as complete failure.
The probe for an insecure instance depends on running the ldapsearch executable provided with the Sun Cluster HA for Netscape Directory Server data service. The search filter that is used is intended to always find something. The probe detects partial and complete failures. The following conditions are considered partial failures. All other conditions are interpreted as complete failures.
Probe_timeout duration is exceeded while the set of IP addresses is probed for the port. The following list identifies potential causes of this problem.
System load.
Network-traffic load.
Directory-server load.
Probe_timeout is set too low for the typical load or the number of directory-server instances (that is, IP address and port combinations) that are being monitored.
A problem other than timeout occurs while ldapsearch is invoked. Note that this scenario does not apply to the situation where ldapsearch is invoked successfully but returns an error.