This chapter describes the procedures to install and configure Sun Cluster HA for iPlanet Directory Server. This data service was formerly known as Sun Cluster HA for Netscape LDAP. Some error messages from the application might still use the name Netscape LDAP, but they refer to iPlanet Directory Server.
This chapter contains the following procedures.
"How to Install Sun Cluster HA for iPlanet Directory Server Packages"
"How to Complete the Sun Cluster HA for iPlanet Directory Server Configuration"
You must configure Sun Cluster HA for iPlanet Directory Server as a failover data service. See Chapter 1, Planning for Sun Cluster Data Services and the Sun Cluster 3.0 12/01 Concepts document for general information about data services, resource groups, resources, and other related topics.
You can use SunPlex Manager to install and configure this data service. See the SunPlex Manager online help for details.
Use this section in conjunction with the worksheets in the Sun Cluster 3.0 12/01 Release Notes as a checklist before installation and configuration.
Consider the following points before you start your installation.
Where will the server root reside?
You can store files and data that do not change on the local file system of each cluster node. However, place dynamic data on the cluster file system so that you can view or update the data from any cluster node.
If you plan to use multiple iPlanet Directory Server instances on a node, you must set the nsslapd-listenhost directive with the appropriate network resource as the IP address. This setting is necessary because the default iPlanet Directory Server behavior is for the instance to bind to all IP addresses on the node.
For example, to set up a particular instance to use the network resource nds-1, use the following entry.
nsslapd-listenhost: nds-1
This setting causes the instance to bind to the network resource nds-1 only, rather than to all of the IP addresses on the node.
The iPlanet Directory Server administrative server is case-sensitive in its consideration of hostnames. Therefore, all hostnames specified in the iPlanet Directory Server configuration for the administrative server must match their case with the iPlanet Directory Server specification in the name service in use on the cluster node. This case-matching is particularly important because the DNS domain name must also match the host-name specification in the iPlanet Directory Server configuration.
Be sure that the case of the fully qualified domain name of the machine for iPlanet Directory Server matches the case of the domain name that the resolver returns. For example, if the DNS resolver returns Eng.Sun.COM as the domain name (note the mixed case), you must identically spell that name when you configure the iPlanet Directory Server administrative server.
The following table lists the sections that describe the installation and configuration tasks.
Table 4-1 Task Map: Installing and Configuring Sun Cluster HA for iPlanet Directory Server
Task | For Instructions, Go To |
---|---|
Configure and activate network resources | |
Install and configure iPlanet Directory Server | |
Install the Sun Cluster HA for iPlanet Directory Server packages | "Installing Sun Cluster HA for iPlanet Directory Server Packages" |
Configure application resources and start Sun Cluster HA for iPlanet Directory Server | "Completing the Sun Cluster HA for iPlanet Directory Server Configuration" |
Configure resource extension properties | "Configuring Sun Cluster HA for iPlanet Directory Server Extension Properties" |
View fault monitor information | |
If you run multiple data services in your Sun Cluster configuration, you can set up the data services in any order, with the following exception. You must set up Sun Cluster HA for DNS before you set up iPlanet Directory Server. See Chapter 6, Installing and Configuring Sun Cluster HA for Domain Name Service (DNS) for details. DNS software is included in the Solaris operating environment. If the cluster is to obtain the DNS service from another server, configure the cluster to be a DNS client first.
After installation, use only the cluster administration command scswitch(1M) to manually start and stop iPlanet Directory Server. See the man page for details. After you start iPlanet Directory Server, the Sun Cluster software controls it.
Before you install and configure iPlanet Directory Server, set up the network resources that the server will attempt to use after the server has been installed and configured. To configure and activate the network resources, use the following command-line procedure.
To perform this procedure, you need the following information about your configuration.
The names of the cluster nodes that can master the data service.
The network resource that clients use to access Sun Cluster HA for iPlanet Directory Server. Normally, you set up this hostname when you install the cluster. See the Sun Cluster 3.0 12/01 Concepts document for details on network resources.
Perform this procedure on any cluster member.
Become superuser on a cluster member.
Verify that all of the network addresses that you use have been added to your name service database.
You should have performed this verification during the Sun Cluster installation. See the planning chapter in the Sun Cluster 3.0 12/01 Software Installation Guide for details.
To avoid any failures because of name service lookup, ensure that all of the logical hostnames and shared addresses are present in the /etc/hosts file on all of the cluster nodes. Configure name service mapping in the /etc/nsswitch.conf file on the servers to first check the local files before trying to access NIS, NIS+, or DNS.
Create a failover resource group to hold the network and application resources.
# scrgadm -a -g resource-group [-h nodelist]
-g resource-group
Specifies the name of the resource group. This name can be your choice.
-h nodelist
Specifies an optional comma-separated list of physical node names or IDs that identify potential masters. The order here determines the order in which the nodes are considered as primary during failover.
Use the -h option to specify the order of the node list. If all of the nodes in the cluster are potential masters, you do not need to use the -h option.
Add network resources to the resource group.
For example, run the following command to add a logical hostname to a resource group.
# scrgadm -a -L -g resource-group -l hostname, ... [-n netiflist]
-L
Specifies that a network resource is being added.
-g resource-group
Specifies the name of the resource group.
-l hostname, ...
Specifies a comma-separated list of network resources.
-n netiflist
Specifies an optional, comma-separated list that identifies the NAFO groups on each node. All the nodes in nodelist of the resource group must be represented in the netiflist. If you do not specify this option, the scrgadm(1M) command attempts to discover a net adapter on the subnet that the hostname list identifies for each node in nodelist. For example, -n nafo0@nodename, nafo0@nodename2.
Verify that all of the network resources that you use have been added to your name service database.
You should have performed this verification during the Sun Cluster installation. See the planning chapter in the Sun Cluster 3.0 12/01 Software Installation Guide for details.
Run the scswitch command to enable the resource group and bring the resource group online.
# scswitch -Z -g resource-group
-Z
Moves the resource group to the managed state, and brings the resource group online.
-g resource-group
Specifies the name of the resource group.
After you configure and activate the network resources, go to "Installing and Configuring iPlanet Directory Server".
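The name-service requirements in the procedure above (every logical hostname present in /etc/hosts, local files consulted first in /etc/nsswitch.conf) and the earlier hostname-case requirement can be checked before the resource group is created. The script below is an added example, not part of the original Sun documentation; the function names are hypothetical and the sample hosts entries are constructed.

```shell
#!/bin/sh
# Added example, not Sun tooling. Function names are hypothetical.
# File paths are arguments so the checks can run against copies.

# lookup_name HOSTS_FILE NAME
# Prints "exact", "case-mismatch:<entry found>" or "missing".
lookup_name() {
    awk -v want="$2" '
        { sub(/#.*/, "") }                  # strip comments
        { for (i = 2; i <= NF; i++) {       # field 1 is the address
              if ($i == want) exact = 1
              else if (alt == "" && tolower($i) == tolower(want)) alt = $i
          } }
        END { if (exact) print "exact"
              else if (alt != "") print "case-mismatch:" alt
              else print "missing" }' "$1"
}

# files_first NSSWITCH_FILE
# Succeeds only if the first source on the hosts: line is "files".
files_first() {
    awk '{ sub(/#.*/, "") }
         $1 == "hosts:" { seen = 1; ok = ($2 == "files") }
         END { exit ((seen && ok) ? 0 : 1) }' "$1"
}

# preflight HOSTS_FILE NSSWITCH_FILE NAME...
# Prints one line per finding; returns 1 if anything needs fixing.
preflight() {
    hosts=$1; nss=$2; shift 2; rc=0
    for name in "$@"; do
        result=$(lookup_name "$hosts" "$name")
        case $result in
            exact) echo "OK:   $name found in $hosts" ;;
            *)     echo "FAIL: $name is $result in $hosts"; rc=1 ;;
        esac
    done
    if files_first "$nss"; then
        echo "OK:   hosts lookups consult local files first"
    else
        echo "FAIL: $nss does not list files first for hosts"; rc=1
    fi
    return $rc
}

# Demo on constructed sample files (192.0.2.0/24 is a documentation range).
demo=$(mktemp -d)
cat > "$demo/hosts" <<'EOF'
127.0.0.1   localhost
192.0.2.10  schost-1.Eng.Sun.COM schost-1   # logical hostname
EOF
printf 'hosts: dns files\n' > "$demo/nsswitch.conf"
preflight "$demo/hosts" "$demo/nsswitch.conf" schost-1 schost-1.eng.sun.com || true
rm -rf "$demo"
```

On a cluster node, run preflight /etc/hosts /etc/nsswitch.conf followed by each logical hostname and shared address, and repeat on every node that can master the resource group.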
Sun Cluster HA for iPlanet Directory Server is the iPlanet Directory Server that uses Netscape Lightweight Directory Access Protocol (LDAP) and runs under the control of the Sun Cluster software. This section describes the steps to install iPlanet Directory Server (using the setup command) and enable iPlanet Directory Server to run as Sun Cluster HA for iPlanet Directory Server.
The iPlanet Directory Server software requires some variation from the default installation parameters. When you install and configure iPlanet Directory Server, consider the following points.
For the service to fail over correctly, when prompted for the computer name, instead of specifying a physical machine, you must specify a network resource (IP address) that can fail over between nodes. This requirement means that before you begin the installation, you must set up the network resource in your name services. You normally perform this step as part of the Sun Cluster installation. See the Sun Cluster 3.0 12/01 Concepts document for details on network resources.
Do not use the default server root disk path when prompted. Place your files on the cluster file system.
Do not remove or relocate any of the installed files or directories that the iPlanet Directory Server installation places on the cluster file system. For example, do not relocate any of the client binaries, such as ldapsearch, that are installed with the rest of the iPlanet Directory Server software.
This procedure describes the interaction with the iPlanet setup command. Only the sections that are specific to Sun Cluster HA for iPlanet Directory Server are included here. For the other sections, choose or change the default values as appropriate. This procedure includes only basic steps. See the iPlanet Directory Server documentation for details.
Become superuser on a cluster member.
Run the setup command from the install directory on the iPlanet CD.
From setup, choose the menu items to install iPlanet Directory Server with a custom installation.
Custom installation allows you to specify the physical hostname for the administrative server. This enables you to access the administrative server whether the logical host is up or down.
For the install location, select a location on the cluster file system, for example, /global/nsldap.
The logical host that you specify must be online on the node from which you run the iPlanet Directory Server installation. This state is necessary because at the end of the iPlanet Directory Server installation, iPlanet Directory Server automatically starts and will fail if the logical host is offline on that node.
Select the network resource along with your domain for the computer name, for example, schost-1.eng.sun.com.
Supply the hostname that is associated with a network resource when the setup command prompts you for the full server name.
When prompted for the IP address to be used as the iPlanet Directory Server Administrative Server, specify an IP address for one of the cluster nodes.
As part of the installation, you set up an iPlanet Directory Server Administrative Server. The IP address that you specify for this server must be that of a physical cluster node, not the name of the logical host that will fail over.
Use the iPlanet Administration Server to configure and test iPlanet Directory Server.
See your iPlanet documentation for details.
After completing the configuration, iPlanet Directory Server starts automatically. Before you proceed to the next part of the installation and configuration process, you must use stop-slapd to stop the server.
If you have not installed the data service packages for iPlanet Directory Server from the Sun Cluster 3.0 Agents 12/01 CD-ROM, go to "Installing Sun Cluster HA for iPlanet Directory Server Packages". If you have installed the packages, go to "Completing the Sun Cluster HA for iPlanet Directory Server Configuration".
You can use the scinstall(1M) utility to install SUNWscnsl, the Sun Cluster HA for iPlanet Directory Server package, on a cluster. Do not use the -s option to non-interactive scinstall to install all of the data service packages on the CD.
If you installed the data service packages during your initial Sun Cluster installation, proceed to "Completing the Sun Cluster HA for iPlanet Directory Server Configuration". Otherwise, use the following procedure to install the SUNWscnsl package now.
You need the Sun Cluster 3.0 Agents 12/01 CD-ROM to complete this procedure. Perform this procedure on all cluster members that can master Sun Cluster HA for iPlanet Directory Server.
Load the Sun Cluster 3.0 Agents 12/01 CD-ROM into the CD-ROM drive.
Run the scinstall utility with no options.
This step starts the scinstall utility in interactive mode.
Choose the menu option, Add Support for New Data Service to This Cluster Node.
The scinstall utility prompts you for additional information.
Provide the path to the Sun Cluster 3.0 Agents 12/01 CD-ROM.
The utility refers to the CD as the "data services cd."
Specify the data service to install.
The scinstall utility lists the data service that you selected and asks you to confirm your choice.
Exit the scinstall utility.
Unload the CD from the drive.
See "Completing the Sun Cluster HA for iPlanet Directory Server Configuration" to register Sun Cluster HA for iPlanet Directory Server and to configure the cluster for the data service.
This procedure describes how to use the scrgadm command to register and configure Sun Cluster HA for iPlanet Directory Server.
Other options also enable you to register and configure the data service. See "Tools for Data Service Resource Administration" for details about these options.
To perform this procedure, you need the following information about your configuration.
The name of the resource type for Sun Cluster HA for iPlanet Directory Server. This name is SUNW.nsldap.
The names of the cluster nodes that can master the data service.
The network resource that clients use to access Sun Cluster HA for iPlanet Directory Server. Normally, you set up this network resource when you install the cluster. See the Sun Cluster 3.0 12/01 Concepts document for details on network resources.
The path to the iPlanet Directory Server application binaries that are the resources for Sun Cluster HA for iPlanet Directory Server. You can install the binaries on the local disks or the cluster file system. See Chapter 1, Planning for Sun Cluster Data Services for a discussion of the advantages and disadvantages of each location.
The port where iPlanet Directory Server listens. For non-secure instances, the Port_list standard resource property for the iPlanet Directory Server resource defaults to 389/tcp, and the value for the secure port is 636/tcp. If you set the port to a number other than 389, you must specify that value when you configure the Port_list property. See Chapter 13, Administering Data Service Resources for instructions on how to set resource properties.
Perform this procedure on any cluster member.
The fault monitor determines whether the Sun Cluster HA for iPlanet Directory Server instance is secure or non-secure. The monitor probes secure and non-secure directory servers differently. If you have created a password file, the instance is determined to be secure. If you have not created a password file, the instance is determined to be non-secure. The password file is named keypass and is in a different format than iPlanet's password file. The keypass file contains only the password for which a secure instance of directory server prompts when started manually. This password file is located in the same directory as the start-slapd program that is used to start this instance of the directory server.
If iPlanet Directory Server is in secure mode, then the path name must also contain a file named keypass, which contains the secure key password that is needed to start this instance. If a keypass file exists, then Sun Cluster HA for iPlanet Directory Server assumes that the instance is secure.
Perform the following steps to complete your configuration.
Become superuser on a cluster member.
Register the resource type for the data service.
# scrgadm -a -t SUNW.nsldap
-a
Adds the data service resource type.
-t SUNW.nsldap
Specifies the predefined resource type name.
Add the iPlanet Directory Server application resource to the failover resource group that you created for your network resources.
The resource group that contains the application resources is the same resource group that you created for your network resources in "How to Configure and Activate Network Resources".
# scrgadm -a -j resource -g resource-group \
-t SUNW.nsldap [-y Network_resources_used=network-resource, ...] \
-y Port_list=port-number/protocol -x Confdir_list=pathname
-j resource
Specifies the iPlanet Directory Server application resource name.
-y Network_resources_used=network-resource
Specifies a comma-separated list of network resources (logical hostnames or shared addresses) in resource-group, which the iPlanet Directory Server application resource must use.
-t SUNW.nsldap
Specifies the type of resource to add.
-y Port_list=port-number/protocol
Specifies a port number and the protocol to be used, for example, 389/tcp. The Port_list property must have one or two entries.
-x Confdir_list=pathname
Specifies a path for your iPlanet Directory Server configuration directory. The Confdir_list extension property is required. The Confdir_list property must have exactly one entry.
Enable the resource and its monitor.
# scswitch -e -j resource
-e
Enables the resource and its monitor.
-j resource
Specifies the name of the application resource that is being enabled.
This example shows how to register Sun Cluster HA for iPlanet Directory Server.
Cluster Information
Node names: phys-schost-1, phys-schost-2
Logical hostname: schost-1
Resource group: resource-group-1 (for all resources)
Resources: schost-1 (logical hostname), nsldap-1 (iPlanet Directory Server application resource)

(Create a failover resource group.)
# scrgadm -a -g resource-group-1 -h phys-schost-1,phys-schost-2

(Add a logical hostname resource to the resource group.)
# scrgadm -a -L -g resource-group-1 -l schost-1

(Bring the resource group online.)
# scswitch -Z -g resource-group-1

(Install and configure iPlanet Directory Server.)
(To install and configure the iPlanet Directory Server, run the "setup" program from the node that is currently hosting the logical hostname.)

(Stop the iPlanet Directory Server server.)

(Register the SUNW.nsldap resource type.)
# scrgadm -a -t SUNW.nsldap

(Create an iPlanet Directory Server resource and add it to the resource group.)
# scrgadm -a -j nsldap-1 -g resource-group-1 \
-t SUNW.nsldap -y Network_resources_used=schost-1 \
-y Port_list=389/tcp \
-x Confdir_list=/global/nsldap/slapd-schost-1

(Enable the application resources.)
# scswitch -e -j nsldap-1
The SUNW.HAStorage resource type synchronizes actions between HA storage and the data service. Sun Cluster HA for iPlanet Directory Server is not disk-intensive and not scalable, and therefore configuring the SUNW.HAStorage resource type is optional.
See the SUNW.HAStorage(5) man page and "Relationship Between Resource Groups and Disk Device Groups" for background details. See "How to Set Up SUNW.HAStorage Resource Type for New Resources" for information about the procedure.
This section describes how to configure the Sun Cluster HA for iPlanet Directory Server extension properties. Typically, you use the command line scrgadm -x parameter=value to configure extension properties when you create the iPlanet Directory Server resource. You can also use the procedures that Chapter 13, Administering Data Service Resources describes to configure them later.
See Appendix A, Standard Properties for details on all Sun Cluster properties.
Table 4-2 describes the extension properties that you can configure for iPlanet Directory Server. The only required extension property for creating an iPlanet Directory Server resource is the Confdir_list property, which specifies a directory in which the iPlanet Directory Server configuration files reside. You can update some extension properties dynamically. You can update others, however, only when you create the resource. The Tunable entries indicate when you can update each property.
Table 4-2 Sun Cluster HA for iPlanet Directory Server Extension Properties
Name/Data Type | Description |
---|---|
Confdir_list (string array) | A path name that points to the server root, including the slapd-hostname subdirectory where the start-slapd and stop-slapd scripts reside. Sun Cluster HA for iPlanet Directory Server requires this extension property, and the property must have one entry. If iPlanet Directory Server is in secure mode, then the path name must also contain a file named keypass, which contains the secure key password needed to start this instance. Default: None. Range: None. Tunable: At creation. |
Monitor_retry_count (integer) | The number of times that the process monitor facility (PMF) restarts the fault monitor during the time window that the Monitor_retry_interval property specifies. Note that this property refers to restarts of the fault monitor itself rather than to the resource. The system-defined properties Retry_interval and Retry_count control restarts of the resource. Default: 4. Range: 0 - 2,147,483,641; -1 indicates an infinite number of retry attempts. Tunable: Any time. |
Monitor_retry_interval (integer) | The time (in minutes) over which failures of the fault monitor are counted. If the number of times that the fault monitor fails exceeds the value that is specified in the extension property Monitor_retry_count within this period, the PMF cannot restart the fault monitor. Default: 2. Range: 0 - 2,147,483,641; -1 indicates an infinite retry interval. Tunable: Any time. |
Probe_timeout (integer) | The time-out value (in seconds) that the fault monitor uses to probe an iPlanet Directory Server instance. Default: 30. Range: 0 - 2,147,483,641. Tunable: Any time. |
The probe for Sun Cluster HA for iPlanet Directory Server accesses particular IP addresses and port numbers. The IP addresses are from network resources that the Network_resources_used property lists. The Port_list resource property lists the port(s). See Appendix A, Standard Properties for descriptions of these properties.
The fault monitor determines whether the Sun Cluster HA for iPlanet Directory Server instance is secure or non-secure. The monitor probes secure and non-secure directory servers differently. If you have created a password file, the instance is determined to be secure. If you have not created a password file, the instance is determined to be non-secure. The password file is named keypass and is in a different format than iPlanet's password file. The keypass file contains only the password for which a secure instance of directory server prompts when started manually. This password file is located in the same directory as the start-slapd program used to start this instance of the directory server.
If two ports are specified and you have created a password file, the data service accepts secure requests on one and non-secure requests on the other. However, the HA-agent probes both ports as secure.
The probe for a secure instance consists of a TCP connect. If the connect succeeds, the probe is successful. Connect failure or timeout is interpreted as complete failure.
The probe for an insecure instance depends on running the ldapsearch executable that is provided with Sun Cluster HA for iPlanet Directory Server. The search filter that is used is intended to always find something. The probe detects partial and complete failures. The following conditions are considered as partial failures. All other error conditions are interpreted as complete failures.
Probe_timeout duration is exceeded while the set of IP addresses is probed for the port. The following list identifies potential causes of this problem.
System load.
Network-traffic load.
Directory-server load.
Probe_timeout is set too low for the typical load or the number of directory-server instances (that is, IP address and port combinations) that are being monitored.
A problem other than timeout occurs while ldapsearch is invoked. Note that this scenario does not apply to the situation where ldapsearch is invoked successfully but returns an error.
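The keypass rule described above decides how each port is probed, so it is worth confirming before the resource is enabled which probe an instance will actually receive. The script below is an added example, not the agent's code and not part of the original Sun documentation: it applies the Confdir_list, Port_list and keypass rules stated on this page to a configuration directory. The function names are hypothetical, the demo directory is constructed, and the permission check on keypass is an added assumption, since the page states no file mode for it.

```shell
#!/bin/sh
# Added example, not the agent's code. Function names are hypothetical.
# It applies only the rules stated on this page, plus one added check on
# the permissions of keypass (an assumption: the page sets no mode for it).

# probe_mode CONFDIR -> "secure" if CONFDIR/keypass exists, else "non-secure"
probe_mode() {
    if [ -f "$1/keypass" ]; then echo secure; else echo non-secure; fi
}

# keypass_exposed CONFDIR -> succeeds if group or other has any permission
keypass_exposed() {
    perms=$(ls -ld "$1/keypass" 2>/dev/null | cut -c5-10)
    [ -n "$perms" ] && [ "$perms" != "------" ]
}

# check_instance CONFDIR PORT_LIST   (PORT_LIST like "389/tcp,636/tcp")
check_instance() {
    confdir=$1; rc=0; count=0
    for script in start-slapd stop-slapd; do
        [ -x "$confdir/$script" ] ||
            { echo "FAIL: $confdir/$script missing or not executable"; rc=1; }
    done
    mode=$(probe_mode "$confdir")
    echo "INFO: monitor will treat this instance as $mode"
    for port in $(printf '%s' "$2" | tr ',' ' '); do
        count=$((count + 1))
        if [ "$mode" = secure ]; then
            echo "INFO: $port gets a TCP connect probe only"
        else
            echo "INFO: $port gets an ldapsearch probe"
        fi
    done
    case $count in
        1|2) ;;
        *) echo "FAIL: Port_list needs one or two entries, got $count"; rc=1 ;;
    esac
    if [ "$mode" = secure ] && keypass_exposed "$confdir"; then
        echo "WARN: $confdir/keypass is accessible to group or other"; rc=1
    fi
    return $rc
}

# Demo on a constructed instance directory.
demo=$(mktemp -d)
for script in start-slapd stop-slapd; do
    printf '#!/bin/sh\n' > "$demo/$script"; chmod 755 "$demo/$script"
done
printf 'constructed-password\n' > "$demo/keypass"; chmod 644 "$demo/keypass"
check_instance "$demo" 389/tcp,636/tcp || true
rm -rf "$demo"
```

When keypass is present, the output shows that even the non-secure port receives only a TCP connect probe, so a directory server that accepts connections but cannot answer searches is not detected on that port.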