Deployment Example 1: Access Manager 7.1 Load Balancing, Distributed Authentication UI, and Session Failover

Chapter 4 Installing Sun Java System Directory Server and Creating Instances for Sun Java System Access Manager Configuration Data

This chapter contains instructions for installing Sun Java™ System Directory Server and creating the instances in which Sun Java System Access Manager configuration data will be stored. It also includes the procedure for enabling multi-master replication between the two instances and configuring the configuration data load balancer. It contains the following sections:

  • 4.1 Installing and Configuring Directory Server 1 and Directory Server 2

  • 4.2 Enabling Multi-Master Replication Between the Access Manager Configuration Data Instances

  • 4.3 Configuring a Load Balancer for the Directory Server Configuration Data Instances

4.1 Installing and Configuring Directory Server 1 and Directory Server 2

This section contains the instructions for installing Directory Server on two different host machines and creating the instances in which Access Manager configuration data will be stored. Use the following list of procedures as a checklist for completing the tasks.

  1. To Download Sun Java System Directory Server Enterprise Edition 6.0 and Required Patches

  2. To Patch the Directory Server Host Machines

  3. To Install Directory Server 1

  4. To Create an Access Manager Configuration Data Instance for Directory Server 1

  5. To Create a Base Suffix for the Directory Server 1 Access Manager Configuration Data Instance

  6. To Install Directory Server 2

  7. To Create the Access Manager Configuration Data Instance for Directory Server 2

  8. To Create a Base Suffix for the Directory Server 2 Access Manager Configuration Data Instance

Procedure: To Download Sun Java System Directory Server Enterprise Edition 6.0 and Required Patches

Perform this procedure to download the Sun Java System Directory Server 6.0 bits and the required system patches to both the DirectoryServer-1 host machine and the DirectoryServer-2 host machine.

  1. Go to http://www.sun.com/software/products/directory_srvr_ee/get.jsp.

  2. Provide the following information in the Select product configuration section and click View Downloads.

    Step 1: Select Component

    Directory Server Enterprise Edition

    Step 2: Select Version

    6.0

    Step 3: Select Delivery Type

    Compress Archive (ZIP)

    Step 4: Select Platform

    Choose the platform you are using.

    The Selection Results page will be displayed with links to the download sites for the Directory Server and required patches.


    Note –

    The patch numbers generated for download on the Selection Results page are based on your input. Check the most recent Directory Server Enterprise Edition 6.0 Release Notes to determine if you need to install other patches based on your machine's architecture and operating system. In this deployment, the Release Notes indicate that based on the hardware and operating system being used, patch 118855-36, patch 119964-08, and patch 122033-05 are required.


  3. Log in to the DirectoryServer-1 host machine as a root user.

  4. Run the patchadd command to see if the patches are already installed.


    # patchadd -p | grep 118855-36
    

    No results are returned which indicates that the patch is not yet installed on the system.


    # patchadd -p | grep 119964-08
    

    No results are returned which indicates that the patch is not yet installed on the system.


    # patchadd -p | grep 122033-05
    

    No results are returned which indicates that the patch is not yet installed on the system.


    Note –

    If these patches are already installed on your machine, proceed to step 7.


  5. Make a directory for the patch downloads and change into it.


    # mkdir /export/patches
    # cd /export/patches
    
  6. Download the patches.

    You can click on the patch links from the Selection Results page or search for patches directly at http://sunsolve.sun.com. If searching directly, navigate to the PatchFinder page and enter the patch number. For each patch you are downloading, click the HTTP link beside the heading Download Signed Patch (xxx bytes).


    Note –

    Signed patches are downloaded as JAR files. Unsigned patches are downloaded as ZIP files. In this step, ZIP files are downloaded.


  7. Make a directory for the Directory Server download and change into it.


    # mkdir /export/DS6
    # cd /export/DS6
    
  8. Download the Directory Server EE 6.0 - Zip Distribution, Multi Language, (DS/DPS/DE/ISW/DSRK - No Console) bits.


    Note –

    No Directory Server Administration Console is installed with these bits. This deployment example uses the command line to configure the software.


  9. Log out of the DirectoryServer-1 host machine.

  10. Repeat this same procedure on the DirectoryServer-2 host machine.

Procedure: To Patch the Directory Server Host Machines

If necessary, perform this procedure to patch both the Directory Server 1 host machine and the Directory Server 2 host machine.

  1. Log in to the DirectoryServer-1 host machine as a root user.

  2. Change into the directory that contains the downloaded patch files.


    # cd /export/patches
    
  3. Unzip the patch files.


    # unzip 118855-36.zip
    # unzip 119964-08.zip
    # unzip 122033-05.zip
    
  4. Install the patches.


    # patchadd /export/patches/118855-36
    # patchadd /export/patches/119964-08
    # patchadd /export/patches/122033-05
    

    Tip –

    You can use the -M option to install all patches at once. See the patchadd man page for more information.


  5. Reboot your machine, if requested.

  6. After installation is complete, verify that each patch was added successfully.


    # patchadd -p | grep 118855-36
    

    A series of patch numbers are displayed, and the patch 118855-36 is present.


    # patchadd -p | grep 119964-08
    

    A series of patch numbers are displayed, and the patch 119964-08 is present.


    # patchadd -p | grep 122033-05
    

    A series of patch numbers are displayed, and the patch 122033-05 is present.

  7. Log out of the DirectoryServer-1 host machine.

  8. Repeat this same procedure on the DirectoryServer-2 host machine.

Procedure: To Install Directory Server 1

Before You Begin

Patch your machine accordingly and download the Directory Server bits to the host machine.

  1. As a root user, log in to the DirectoryServer-1 host machine.

  2. Resolve the following issues, if necessary.

    • The LD_LIBRARY_PATH environment variable should not be set to the default setting. Change the value to empty as in the following example:


      # setenv LD_LIBRARY_PATH
      
    • The JAVA_HOME environment variable should be set appropriately for your system architecture. For example:


      # setenv JAVA_HOME /usr/jdk/jdk1.5.0_07
      
  3. Unzip the Directory Server ZIP file.


    # cd /export/DS6
    # ls
    
    DSEE.6.0Solaris10-X86_AMD64-full.tar.gz
    
    # gunzip DSEE.6.0Solaris10-X86_AMD64-full.tar.gz
    
  4. Untar the resulting Directory Server tar file.


    # tar xvf DSEE.6.0Solaris10-X86_AMD64-full.tar
    
  5. From the resulting directory, run dsee_deploy install to install Directory Server.


    # cd DSEE_ZIP_Distribution
    # ./dsee_deploy install -c DS -i /var/opt/mps/serverroot
    

    The Licensing Agreement is displayed. At each Type return to continue prompt, press Return to continue.

  6. When Do you accept the license terms? is displayed, enter yes to continue.

    Once you accept the license terms, the Directory Server binaries will be installed in the /var/opt/mps/serverroot/ds6 directory.

Procedure: To Create an Access Manager Configuration Data Instance for Directory Server 1

After installing the binaries, create an instance of Directory Server 1 named am-config on the DirectoryServer-1 host machine. The instance uses the default ports for non-root users: 1389 for LDAP and 1636 for LDAPS. It will be populated with Access Manager configuration data in To Configure Access Manager 1.


Note –

By default, Directory Server always creates a secure LDAP port when creating an instance. We do not use this port.


Before You Begin

This procedure assumes you have just completed To Install Directory Server 1.

  1. As a root user on the DirectoryServer-1 host machine, run dsadm create to create the instance.


    # cd /var/opt/mps/serverroot/ds6/bin
    # ./dsadm create -p 1389 -P 1636 /var/opt/mps/am-config
    Choose the Directory Manager password: d1rm4n4ger
    Confirm the Directory Manager password: d1rm4n4ger
    
    use 'dsadm start /var/opt/mps/am-config' to start the instance
  2. Run dsadm start to start the instance.


    # ./dsadm start /var/opt/mps/am-config
    
    Server started: pid=10381
  3. Run netstat to verify that the new instance is up and running.


    # netstat -an | grep 1389
    
    *.1389               *.*                0      0 49152      0 LISTEN
  4. Run ldapsearch to verify that you can read the root Directory Server entry (DSE) of the new instance.


    # ldapsearch -h DirectoryServer-1.example.com \
    -p 1389 -b "" -s base "(objectclass=*)"
    
    version: 1
    dn:
    objectClass: top
    ...
    supportedLDAPVersion: 3
    vendorname: Sun Microsystems, Inc.
    vendorVersion: Sun-Java(tm)-System-Directory/6.0
    ...

Procedure: To Create a Base Suffix for the Directory Server 1 Access Manager Configuration Data Instance

After creating the configuration data instance of DirectoryServer-1, create a base suffix in which the entries will be stored.

Before You Begin

This procedure assumes you have just completed To Create an Access Manager Configuration Data Instance for Directory Server 1.

  1. As a root user on the Directory Server 1 host machine, run dsconf create-suffix to create a new base suffix.


    # cd /var/opt/mps/serverroot/ds6/bin
    # ./dsconf create-suffix -p 1389 -B dbExample \
    -L /var/opt/mps/am-config/db/exampleDS dc=example,dc=com
    
  2. Provide the appropriate information when prompted.


    Certificate "CN=DirectoryServer-1, CN=1636, CN=directory Server, O=Sun Microsystems" 
    presented by the server is not trusted.
    Type "Y" to accept, "y" to accept just one, "n" to refuse, "d" for more details: Y
    Enter "cn=Directory Manager" password: d1rm4n4ger
    

    Tip –

    When you enter an uppercase Y, you are not asked for the certificate again in the next steps.


  3. Run dsconf list-suffixes to verify that the base suffix was successfully created.


    # ./dsconf list-suffixes -p 1389
    Enter "cn=Directory Manager" password: d1rm4n4ger
    
    dc=example,dc=com
  4. Log out of the Directory Server 1 host machine.

Procedure: To Install Directory Server 2

Before You Begin

Patch your machine accordingly and download the Directory Server bits to the host machine.

  1. As a root user, log in to the Directory Server 2 host machine.

  2. Resolve the following issues, if necessary.

    • The LD_LIBRARY_PATH environment variable should not be set to the default setting. Change the value to empty as in the following example:


      # setenv LD_LIBRARY_PATH
      
    • The JAVA_HOME environment variable should be set appropriately for your system architecture. For example:


      # setenv JAVA_HOME /usr/jdk/jdk1.5.0_07
      
  3. Unzip the Directory Server ZIP file.


    # cd /export/DS6
    # ls
    
    DSEE.6.0Solaris10-X86_AMD64-full.tar.gz
    
    # gunzip DSEE.6.0Solaris10-X86_AMD64-full.tar.gz
    
  4. Untar the resulting Directory Server tar file.


    # tar xvf DSEE.6.0Solaris10-X86_AMD64-full.tar
    
  5. In the resulting directory, run dsee_deploy install to install Directory Server.


    # cd DSEE_ZIP_Distribution
    # ./dsee_deploy install -c DS -i /var/opt/mps/serverroot
    

    The Licensing Agreement is displayed. At each Type return to continue prompt, press Return to continue.

  6. When Do you accept the license terms? is displayed, enter yes to continue.

    Once you accept the license terms, the Directory Server binaries will be installed in the /var/opt/mps/serverroot/ds6 directory.

Procedure: To Create the Access Manager Configuration Data Instance for Directory Server 2

After installing the binaries, create an instance of Directory Server 2 named am-config on the DirectoryServer-2 host machine. The instance uses the default ports for non-root users: 1389 for LDAP and 1636 for LDAPS. It will be populated with Access Manager configuration data in To Configure Access Manager 2.


Note –

By default, Directory Server always creates a secure LDAP port when creating an instance. We do not use this port.


Before You Begin

This procedure assumes you have just completed To Install Directory Server 2.

  1. As a root user on the DirectoryServer-2 host machine, run dsadm create to create the instance.


    # cd /var/opt/mps/serverroot/ds6/bin
    # ./dsadm create -p 1389 -P 1636 /var/opt/mps/am-config
    Choose the Directory Manager password: d1rm4n4ger
    Confirm the Directory Manager password: d1rm4n4ger
    
    use 'dsadm start /var/opt/mps/am-config' to start the instance
  2. Run dsadm start to start the instance.


    # ./dsadm start /var/opt/mps/am-config
    
    Server started: pid=10381
  3. Run netstat to verify that the new instance is up and running.


    # netstat -an | grep 1389
    
    *.1389               *.*                0      0 49152      0 LISTEN
  4. Run ldapsearch to verify that you can read the root DSE of the new instance.


    # ldapsearch -h DirectoryServer-2.example.com \
    -p 1389 -b "" -s base "(objectclass=*)"
    
    version: 1
    dn:
    objectClass: top
    ...
    supportedLDAPVersion: 3
    vendorname: Sun Microsystems, Inc.
    vendorVersion: Sun-Java(tm)-System-Directory/6.0
    ...

Procedure: To Create a Base Suffix for the Directory Server 2 Access Manager Configuration Data Instance

After creating the configuration data instance of DirectoryServer-2, create a base suffix in which the entries will be stored.

Before You Begin

This procedure assumes you have completed To Create the Access Manager Configuration Data Instance for Directory Server 2.

  1. As a root user on the DirectoryServer-2 host machine, run dsconf create-suffix to create a new base suffix.


    # cd /var/opt/mps/serverroot/ds6/bin
    # ./dsconf create-suffix -p 1389 -B dbExample \
    -L /var/opt/mps/am-config/db/exampleDS dc=example,dc=com
    
  2. Provide the appropriate information when prompted.


    Certificate "CN=DirectoryServer-2, CN=1636, CN=directory Server, O=Sun Microsystems" 
    presented by the server is not trusted.
    Type "Y" to accept, "y" to accept just one, "n" to refuse, "d" for more details: Y
    Enter "cn=Directory Manager" password: d1rm4n4ger
    

    Tip –

    When you enter an uppercase Y, you are not asked for the certificate again in the next steps.


  3. Run dsconf list-suffixes to verify that the base suffix was successfully created.


    # ./dsconf list-suffixes -p 1389
    Enter "cn=Directory Manager" password: d1rm4n4ger
    
    dc=example,dc=com
  4. Log out of the DirectoryServer-2 host machine.

4.2 Enabling Multi-Master Replication Between the Access Manager Configuration Data Instances

This section contains the instructions to enable multi-master replication (MMR) between two directory masters. This includes creating replication agreements between the masters and initializing the second directory master with the data and schema from the first directory master. The previously created am-config instances will serve as the two masters. An illustration of the architecture can be seen in Figure 4–1.

Use the following list of procedures as a checklist for completing the tasks.

  1. To Enable Multi-Master Replication for the Directory Server 1 Configuration Data Instance

  2. To Enable Multi-Master Replication for the Directory Server 2 Configuration Data Instance

  3. To Change the Default Replication Manager Passwords for Each Configuration Data Instance

  4. To Create Replication Agreements for Each Configuration Data Instance

  5. To Initialize the Configuration Data Instance Replication Agreements

  6. To Verify that Configuration Data Replication Works Properly

Procedure: To Enable Multi-Master Replication for the Directory Server 1 Configuration Data Instance

  1. As a root user, log in to the DirectoryServer-1 host machine.

  2. (Optional) Run dsconf list-suffixes to verify that the instance is not already enabled for replication.


    # cd /var/opt/mps/serverroot/ds6/bin
    # ./dsconf list-suffixes -p 1389 -v
    Enter "cn=Directory Manager" password: d1rm4n4ger
    ...
    dc=example,dc=com 	1		not-replicated		N/A		N/A		29
    The "list-suffixes" operation succeeded on "localhost:1389"

    The base suffix of the instance is not-replicated as displayed in the resulting list.

  3. Run dsconf enable-repl to enable replication.


    # ./dsconf enable-repl -h DirectoryServer-1.example.com \
    -p 1389 -d 11 master dc=example,dc=com
    Enter "cn=Directory Manager" password: d1rm4n4ger
    
    Use "dsconf create-repl-agmt" to create replication agreements on
    "dc=example,dc=com".

    The -d option takes a replica identifier that you choose to represent the Directory Server 1 configuration data instance; in this case, 11. Each master needs its own identifier. The master keyword indicates that the instance is a master and not a replica. The base suffix is specified as dc=example,dc=com.

  4. Run dsconf list-suffixes again to verify that the instance is now enabled for replication.


    # ./dsconf list-suffixes -p 1389 -v
    Enter "cn=Directory Manager" password: d1rm4n4ger
    ...
    dc=example,dc=com 	1		master(11)		N/A		N/A		29
    The "list-suffixes" operation succeeded on "localhost:1389"

    The base suffix of the instance is master(11) as displayed in the resulting list, indicating that the master was successfully enabled.

  5. Log out of the DirectoryServer-1 host machine.

Procedure: To Enable Multi-Master Replication for the Directory Server 2 Configuration Data Instance

  1. As a root user, log in to the DirectoryServer-2 host machine.

  2. (Optional) Run the dsconf list-suffixes command to verify that the instance is not already enabled for replication.


    # cd /var/opt/mps/serverroot/ds6/bin
    # ./dsconf list-suffixes -p 1389 -v
    Enter "cn=Directory Manager" password: d1rm4n4ger
    ...
    dc=example,dc=com 	1		not-replicated		N/A		N/A		29
    The "list-suffixes" operation succeeded on "localhost:1389"

    The base suffix of the instance is not-replicated as displayed in the resulting list.

  3. Run dsconf enable-repl to enable replication.


    # ./dsconf enable-repl -h DirectoryServer-2.example.com \
    -p 1389 -d 22 master dc=example,dc=com
    Enter "cn=Directory Manager" password: d1rm4n4ger
    
    Use "dsconf create-repl-agmt" to create replication agreements on
    "dc=example,dc=com".

    The -d option takes a replica identifier that you choose to represent the Directory Server 2 configuration data instance; in this case, 22, which differs from the 11 used for Directory Server 1. The master keyword indicates that the instance is a master and not a replica. The base suffix is specified as dc=example,dc=com.

  4. Run dsconf list-suffixes again to verify that the instance is now enabled for replication.


    # ./dsconf list-suffixes -p 1389 -v
    Enter "cn=Directory Manager" password: d1rm4n4ger
    ...
    dc=example,dc=com 	1		master(22)		N/A		N/A		29
    The "list-suffixes" operation succeeded on "localhost:1389"

    The base suffix of the instance is master(22) as displayed in the resulting list, indicating that the master was successfully enabled.

  5. Log out of the DirectoryServer-2 host machine.

Procedure: To Change the Default Replication Manager Passwords for Each Configuration Data Instance

The replication manager is the user that suppliers use to bind to the consumer server when sending replication updates. (In MMR, the consumer server is whichever master happens to be the consumer for that particular operation.) The Directory Server documentation recommends changing the default password that is created when replication is enabled.

  1. As a root user, log in to the DirectoryServer-1 host machine.

  2. Create a temporary file that contains the new replication manager password.

    This file will be read once, and the password stored for future use.


    # cd /var/opt/mps/serverroot/ds6/bin
    # echo replm4n4ger > pwd.txt
    
  3. Verify that the file was successfully created.


    # cat pwd.txt
    
    replm4n4ger
  4. Run dsconf set-server-prop to set the new replication manager password using pwd.txt as input.


    # ./dsconf set-server-prop -h DirectoryServer-1.example.com \
      -p 1389 def-repl-manager-pwd-file:pwd.txt
    Enter "cn=Directory Manager" password: d1rm4n4ger
    
  5. Remove the pwd.txt file.

  6. Log out of the DirectoryServer-1 host machine.

  7. As a root user, log in to the DirectoryServer-2 host machine.

  8. Create a temporary file that contains the new replication manager password.

    This file will be read once, and the password stored for future use.


    # cd /var/opt/mps/serverroot/ds6/bin
    # echo replm4n4ger > pwd.txt
    
  9. Verify that the file was successfully created.


    # cat pwd.txt
    
    replm4n4ger
  10. Run dsconf set-server-prop to set the new replication manager password using pwd.txt as input.


    # ./dsconf set-server-prop -h DirectoryServer-2.example.com \
      -p 1389 def-repl-manager-pwd-file:pwd.txt
    Enter "cn=Directory Manager" password: d1rm4n4ger
    
  11. Remove the pwd.txt file.

  12. Log out of the DirectoryServer-2 host machine.

Procedure: To Create Replication Agreements for Each Configuration Data Instance

A replication agreement is a set of parameters on a supplier that controls how updates are sent to a given consumer. In this case, we are making the configuration data instances aware of each other.

  1. As a root user, log in to the DirectoryServer-1 host machine.

  2. Run dsconf create-repl-agmt to create the replication agreement.


    # cd /var/opt/mps/serverroot/ds6/bin
    # ./dsconf create-repl-agmt -h DirectoryServer-1.example.com \
      -p 1389 dc=example,dc=com DirectoryServer-2.example.com:1389
    Enter "cn=Directory Manager" password: d1rm4n4ger
    
    Use "dsconf init-repl-dest dc=example,dc=com DirectoryServer-2.example.com:1389" 
    to start replication of "dc=example,dc=com" data.
  3. Run dsconf list-repl-agmts to verify that the replication agreement was successfully created.


    # ./dsconf list-repl-agmts -p 1389
    Enter "cn=Directory Manager" password: d1rm4n4ger
    
    dc=example,dc=com DirectoryServer-2.example.com:1389

    The response indicates that the Directory Server 1 configuration data base suffix will be replicated to Directory Server 2.

  4. Log out of the DirectoryServer-1 host machine.

  5. As a root user, log in to the DirectoryServer-2 host machine.

  6. Run dsconf create-repl-agmt to create the replication agreement.


    # cd /var/opt/mps/serverroot/ds6/bin
    # ./dsconf create-repl-agmt -h DirectoryServer-2.example.com \
      -p 1389 dc=example,dc=com DirectoryServer-1.example.com:1389
    Enter "cn=Directory Manager" password: d1rm4n4ger
    
    Use "dsconf init-repl-dest dc=example,dc=com DirectoryServer-1.example.com:1389" 
    to start replication of "dc=example,dc=com" data.
  7. Run dsconf list-repl-agmts to verify that the replication agreement was successfully created.


    # ./dsconf list-repl-agmts -p 1389
    Enter "cn=Directory Manager" password: d1rm4n4ger
    
    dc=example,dc=com DirectoryServer-1.example.com:1389

    The response indicates that the Directory Server 2 configuration data base suffix will be replicated to Directory Server 1.

  8. Log out of the DirectoryServer-2 host machine.

Procedure: To Initialize the Configuration Data Instance Replication Agreements

In this procedure, you initialize replication from the configuration data instance on Directory Server 1. The previously created replication agreement replicates its data to Directory Server 2.


Note –

Initialization is not required on both instances when configuring for MMR.


  1. As a root user, log in to the DirectoryServer-1 host machine.

  2. Run dsconf show-repl-agmt-status to verify that the replication agreements have not yet been initialized.


    # cd /var/opt/mps/serverroot/ds6/bin
    # ./dsconf show-repl-agmt-status -h DirectoryServer-1.example.com \
      -p 1389 dc=example,dc=com DirectoryServer-2.example.com:1389
    Enter "cn=Directory Manager" password: d1rm4n4ger
    
    Configuration Status    : OK
    Authentication Status   : OK
    Initialization Status   : NOT OK
    
    Status                  : Dest. Not Initialized
  3. Run dsconf init-repl-dest to initialize the replication agreements.


    # ./dsconf init-repl-dest -h DirectoryServer-1.example.com \
      -p 1389 dc=example,dc=com DirectoryServer-2.example.com:1389
    Enter "cn=Directory Manager" password: d1rm4n4ger
    
    Sent 1 entries...
    Sent 2 entries...
    Completed initialization of "DirectoryServer-2.example.com:1389"; 
    May 15, 2007 1:53:32 PM
  4. Run dsconf show-repl-agmt-status again to verify that the replication agreements are now initialized.


    # ./dsconf show-repl-agmt-status -h DirectoryServer-1.example.com \
      -p 1389 dc=example,dc=com DirectoryServer-2.example.com:1389
    Enter "cn=Directory Manager" password: d1rm4n4ger
    
    Configuration Status    : OK
    Authentication Status   : OK
    Initialization Status   : OK
    
    Status                  : Enabled
    Last Update Date        : Jul 12, 2007 8:47 PM
  5. Log out of the DirectoryServer-1 host machine.
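The checks in this procedure and in the two enable-replication procedures are done by reading dsconf output by eye. The following script, added here as an example and not part of the guide or of the Directory Server tooling, parses the dsconf list-suffixes -v and dsconf show-repl-agmt-status output shown above so the same checks can be scripted: it reports each suffix's replication role, confirms the two masters use distinct replica identifiers (the -d values), and reports whether an agreement is fully initialized. The sample outputs are constructed from the lines in this chapter; the function names are the example's own.

```python
import re

# Sample dsconf output, constructed to match what the guide shows for the
# two configuration data instances before and after enable-repl.
DS1_LIST_SUFFIXES_BEFORE = """\
Enter "cn=Directory Manager" password:
...
dc=example,dc=com \t1\t\tnot-replicated\t\tN/A\t\tN/A\t\t29
The "list-suffixes" operation succeeded on "localhost:1389"
"""
DS1_LIST_SUFFIXES_AFTER = """\
...
dc=example,dc=com \t1\t\tmaster(11)\t\tN/A\t\tN/A\t\t29
The "list-suffixes" operation succeeded on "localhost:1389"
"""
DS2_LIST_SUFFIXES_AFTER = """\
...
dc=example,dc=com \t1\t\tmaster(22)\t\tN/A\t\tN/A\t\t29
The "list-suffixes" operation succeeded on "localhost:1389"
"""
AGMT_STATUS_BEFORE = """\
Configuration Status \t\t: OK
Authentication Status\t\t: OK
Initialization Status\t\t: NOT OK

Status:\t\t\t\t\t\t\t\t\t\t: Dest. Not Initialized
"""
AGMT_STATUS_AFTER = """\
Configuration Status \t\t: OK
Authentication Status\t\t: OK
Initialization Status\t\t: OK

Status:\t\t\t\t\t\t\t\t\t\t: Enabled
Last Update Date\t\t\t\t\t\t: Jul 12, 2007 8:47 PM
"""

# "Key [:] <tabs> : value" lines of show-repl-agmt-status; the optional
# first colon absorbs the odd "Status:" label seen in the output.
STATUS_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z .]*?)\s*:?\s*:\s*(?P<val>.*?)\s*$")
MASTER_RE = re.compile(r"^master\((\d+)\)$")


def suffix_replication(output):
    """Map each suffix in `dsconf list-suffixes -v` output to its
    replication role, e.g. 'not-replicated' or 'master(11)'."""
    roles = {}
    for line in output.splitlines():
        parts = line.split()
        # Data rows start with a DN and an entry count; prompts and the
        # trailing "operation succeeded" line do not.
        if len(parts) >= 3 and "=" in parts[0] and parts[1].isdigit():
            roles[parts[0]] = parts[2]
    return roles


def master_ids(outputs):
    """Collect the replica identifier (-d value) of every master suffix
    across several instances' list-suffixes output."""
    ids = []
    for out in outputs:
        for role in suffix_replication(out).values():
            m = MASTER_RE.match(role)
            if m:
                ids.append(int(m.group(1)))
    return ids


def replica_ids_unique(outputs):
    """True if no two masters share a replica identifier; duplicates
    are a configuration error for multi-master replication."""
    ids = master_ids(outputs)
    return len(ids) == len(set(ids))


def parse_agmt_status(output):
    """Turn `dsconf show-repl-agmt-status` output into a dict."""
    status = {}
    for line in output.splitlines():
        m = STATUS_RE.match(line)
        if m:
            status[m.group("key")] = m.group("val")
    return status


def agreement_initialized(output):
    """True only when configuration, authentication and initialization
    all report OK and the agreement status is Enabled."""
    s = parse_agmt_status(output)
    checks = ("Configuration Status", "Authentication Status", "Initialization Status")
    return all(s.get(k) == "OK" for k in checks) and s.get("Status") == "Enabled"


if __name__ == "__main__":
    print(suffix_replication(DS1_LIST_SUFFIXES_AFTER))
    print("unique replica ids:", replica_ids_unique([DS1_LIST_SUFFIXES_AFTER, DS2_LIST_SUFFIXES_AFTER]))
    print("initialized:", agreement_initialized(AGMT_STATUS_AFTER))
```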

Procedure: To Verify that Configuration Data Replication Works Properly

  1. As a root user, log in to the Directory Server 1 host machine.

  2. Run ldapmodify to create a new directory entry.


    # ldapmodify -a -h DirectoryServer-1.example.com -p 1389 \
      -D cn=admin,cn=Administrators,cn=config -w d1rm4n4ger
    
    dn: ou=People,dc=example,dc=com
    objectclass: top
    objectclass: organizationalUnit
    ou: People
    description: Container for user entries
    
    Hit ENTER to indicate end of input.
    
    adding new entry ou=People,dc=example,dc=com
    
    Hit Control C to terminate the command.
    
    ^C
    

    This step creates a new organizational unit on Directory Server 1.

  3. As a root user, log in to the DirectoryServer-2 host machine.

  4. Run ldapsearch on Directory Server 2 to verify that the entry was successfully replicated.


    # ldapsearch -b "dc=example,dc=com" -p 1389 -D "cn=Directory Manager" \
      -w d1rm4n4ger "objectclass=organizationalUnit"
    
    version: 1
    dn: ou=People,dc=example,dc=com
    objectClass: top
    objectClass: organizationalUnit
    ou: People
    description: Container for user entries
  5. Run ldapdelete on Directory Server 2 to delete the entry.


    # ldapdelete -h DirectoryServer-2.example.com -p 1389 \
      -D "cn=Directory Manager" -w d1rm4n4ger "ou=People,dc=example,dc=com"
    
  6. Run ldapsearch on Directory Server 1 to verify that the entry was deleted.


    # ldapsearch -b "dc=example,dc=com" -p 1389 -D "cn=Directory Manager" \
      -w d1rm4n4ger "objectclass=organizationalUnit"
    

    If the delete was successfully replicated to Directory Server 1, the search will return no results.

  7. Log out of the Directory Server host machines.

4.3 Configuring a Load Balancer for the Directory Server Configuration Data Instances

Two load balancers are configured for the Directory Server installations. Load Balancer 1 fronts the configuration data instances and Load Balancer 2 fronts the user data instances. In the following procedure, you configure a load balancer in front of the configuration data instances. The following figure illustrates this architecture.

Figure 4–1 Directory Server Instances Configured for Multi-Master Replication and Load Balancing


Procedure: To Configure the Access Manager Configuration Data Load Balancer 1

Before You Begin
  1. Access https://is-f5.example.com, the BIG-IP load balancer login page, in a web browser.

  2. Log in using the following information:

    User name:

    username

    Password:

    password

  3. Click Configure your BIG-IP (R) using the Configuration Utility.

  4. Create a Pool.

    A pool contains all the backend server instances.

    1. In the left pane, click Pools.

    2. On the Pools tab, click Add.

    3. In the Add Pool dialog, provide the following information:

      Pool Name

      DirectoryServer-ConfigData-Pool

      Load Balancing Method

      Round Robin

      Resources

      Add the IP address and port number of both Directory Server hosts: DirectoryServer-1:1389 and DirectoryServer-2:1389.

    4. Click Done.

  5. Add a Virtual Server.

    This step defines instances of the load balancer.


    Tip –

    If you encounter JavaScript™ errors or otherwise cannot proceed to create a virtual server, try using Internet Explorer.


    1. In the left frame, click Virtual Servers.

    2. On the Virtual Servers tab, click Add.

    3. In the Add a Virtual Server dialog box, provide the following information:

      Address

      Enter the IP address of LoadBalancer-1.example.com.

      Service

      389

      Pool

      DirectoryServer-ConfigData-Pool

    4. Continue to click Next until you reach the Pool Selection dialog box.

    5. In the Pool Selection dialog box, assign DirectoryServer-ConfigData-Pool to the virtual server.

    6. Click Done.

  6. Add Monitors

    Monitors are required by the load balancer to detect backend server failures.

    1. In the left frame, click Monitors.

    2. Click the Basic Associations tab.

    3. Add an LDAP monitor for the Directory Server 1 node.

      In the Node column, locate the IP address and port number, DirectoryServer-1:1389, and select the Add checkbox.

    4. Add an LDAP monitor for the Directory Server 2 node.

      In the Node column, locate the IP address and port number, DirectoryServer-2:1389, and select the Add checkbox.

    5. At the top of the Node column, in the drop-down list, choose ldap-tcp.

    6. Click Apply.

  7. Configure the load balancer for simple persistence.

    The configuration data load balancer is configured for simple persistence. With simple persistence, all requests sent within a specified interval are processed by the same Directory Server instance, ensuring complete replication of entries. For example, when a request requires information to be written to Directory Server 1, that information must also be replicated to Directory Server 2. As the replication takes time to complete, if a related request is directed by the load balancer to Directory Server 2 during the replication process itself, the request may fail as the entry might only be partially created. When properly configured, simple persistence ensures that both requests are routed to Directory Server 1 and processed in consecutive order; the first request is finished before the second request begins processing. Simple persistence ensures that within the specified interval, no errors or delays occur due to replication time or redirects when retrieving data. Simple persistence tracks connections based only on the client IP address.

    1. In the left frame, click Pools.

    2. Click the name of the pool you want to configure.

      In this example, DirectoryServer-ConfigData-Pool.

    3. Click the Persistence tab.

    4. Under Persistence Type, select Simple.

    5. Enter 300 seconds for the Timeout interval.

    6. Click Apply.

  8. Verify the Directory Server load balancer configuration.

    1. Log in as a root user to the host machine of each Directory Server instance.

    2. On each Directory Server host machine, use the tail command to monitor the Directory Server access log.


      # cd /var/opt/mps/am-config/logs
      # tail -f access
      

      You should see connections to the load balancer IP address opening and closing. For example:

      [12/Oct/2006:13:10:20-0700] conn=54 op=-1 msgId=-1 - fd=22 slot=22 LDAP connection from IP_address to IP_address
      [12/Oct/2006:13:10:20-0700] conn=54 op=-1 msgId=-1 - closing - B1
      [12/Oct/2006:13:10:20-0700] conn=54 op=-1 msgId=-1 - closed.
    3. Execute the following LDAP search against the Directory Server load balancer.


      # ldapsearch -h LoadBalancer-1.example.com -p 389 -b "dc=example,dc=com" \
        -D "cn=directory manager" -w d1rm4n4ger "(objectclass=*)"
      

      The ldapsearch operation should return entries. Make sure they display in the access log on only one Directory Server.

    4. Run dsadm stop to stop Directory Server 1.


      # cd /var/opt/mps/serverroot/ds6/bin
      # ./dsadm stop /var/opt/mps/am-config
      
    5. Again perform the LDAP search against the Directory Server load balancer to confirm that the request is forwarded to the running Directory Server 2.


      # ldapsearch -h LoadBalancer-1.example.com -p 389 -b "dc=example,dc=com" \
        -D "cn=directory manager" -w d1rm4n4ger "(objectclass=*)"
      

      The ldapsearch operation should return entries. Verify that the entries display in the access log only on Directory Server 2.


      Note –

      You may encounter the following error message:

      ldap_simple_bind: Can't connect to the LDAP server - Connection refused

      This means that the load balancer may not yet have detected that Directory Server 1 is stopped; you may have started the search too soon relative to the monitor's polling interval. For example, if the polling interval is set to 10 seconds, wait ten seconds before starting the search. You can lower the monitor's interval and timeout values using the following procedure.

      1. Click the Monitors tab.

      2. Click the ldap-tcp monitor name.

      3. In the Interval field, set the value to 5.

        This tells the load balancer to poll the server every 5 seconds.

      4. In the Timeout field, set the value to 16.

      5. Click Apply and repeat the LDAP search.

      See your load balancer documentation for more information on the timeout property.


    6. Start Directory Server 1.


      # ./dsadm start /var/opt/mps/am-config
      
    7. Stop Directory Server 2.


      # cd /var/opt/mps/serverroot/ds6/bin
      # ./dsadm stop /var/opt/mps/am-config
      
    8. Perform the following LDAP search against the Directory Server load balancer to confirm that the request is forwarded to the running Directory Server 1.


      # ldapsearch -h LoadBalancer-1.example.com -p 389 -b "dc=example,dc=com" \
        -D "cn=Directory Manager" -w d1rm4n4ger "(objectclass=*)"
      

      The ldapsearch operation should return entries. Verify that the entries display in the access log only on Directory Server 1.

    9. Start Directory Server 2.


      # ./dsadm start /var/opt/mps/am-config
      
    10. Log out of both Directory Server host machines and the load balancer console.
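Step 8 verifies by eye that a search shows up in only one instance's access log and that requests move to the surviving instance while the other is stopped. The following script, added here as an example and not part of the guide or of Directory Server, merges access-log excerpts from both instances and reports, per source address, whether consecutive connections inside the 300-second simple-persistence window were served by the same instance. The log lines and addresses are constructed in the format shown above; the instance labels and function names are the example's own, and whether the source address in the log is the client or the load balancer depends on your load balancer's address translation.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "LDAP connection from" line of a Directory Server 6 access log, in the
# format the guide shows; port suffixes on the addresses are optional.
CONN_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) .*LDAP connection from "
    r"(?P<src>[\d.]+)(?::\d+)? to (?P<dst>[\d.]+)(?::\d+)?"
)

# Constructed access-log excerpts. 192.0.2.5 and 192.0.2.9 stand in for
# the source addresses the directory servers see; 192.0.2.21/22 stand in
# for the two instances' own addresses.
DS1_ACCESS_LOG = """\
[12/Oct/2006:13:10:20-0700] conn=54 op=-1 msgId=-1 - fd=22 slot=22 LDAP connection from 192.0.2.5:40001 to 192.0.2.21:1389
[12/Oct/2006:13:10:20-0700] conn=54 op=-1 msgId=-1 - closing - B1
[12/Oct/2006:13:10:20-0700] conn=54 op=-1 msgId=-1 - closed.
[12/Oct/2006:13:11:02-0700] conn=55 op=-1 msgId=-1 - fd=23 slot=23 LDAP connection from 192.0.2.5:40002 to 192.0.2.21:1389
"""
DS2_ACCESS_LOG = """\
[12/Oct/2006:13:12:40-0700] conn=31 op=-1 msgId=-1 - fd=19 slot=19 LDAP connection from 192.0.2.5:40003 to 192.0.2.22:1389
[12/Oct/2006:13:30:00-0700] conn=32 op=-1 msgId=-1 - fd=20 slot=20 LDAP connection from 192.0.2.9:41000 to 192.0.2.22:1389
"""


def parse_ts(ts):
    """Parse an access-log timestamp such as 12/Oct/2006:13:10:20-0700
    (a space before the zone offset is tolerated)."""
    return datetime.strptime(ts.replace(" ", ""), "%d/%b/%Y:%H:%M:%S%z")


def parse_connections(server, log_text):
    """Return (time, source_ip, server) for every new LDAP connection in
    one instance's access log; closing/closed lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            events.append((parse_ts(m.group("ts")), m.group("src"), server))
    return events


def load_sample_events():
    """Merge the constructed logs of both instances into one event list."""
    return (parse_connections("DirectoryServer-1", DS1_ACCESS_LOG)
            + parse_connections("DirectoryServer-2", DS2_ACCESS_LOG))


def servers_seen(events, source_ip):
    """Sorted list of instances that accepted connections from source_ip."""
    return sorted({srv for _, src, srv in events if src == source_ip})


def persistence_violations(events, timeout=300):
    """Report source addresses whose successive connections, closer
    together than `timeout` seconds, landed on different instances.
    With simple persistence and a 300 s timeout this list should be
    empty while both instances are up."""
    by_source = defaultdict(list)
    for t, src, srv in events:
        by_source[src].append((t, srv))
    violations = []
    for src, conns in by_source.items():
        conns.sort()
        for (t1, s1), (t2, s2) in zip(conns, conns[1:]):
            if s1 != s2 and t2 - t1 <= timedelta(seconds=timeout):
                violations.append((src, s1, s2, t1, t2))
    return violations


if __name__ == "__main__":
    ev = load_sample_events()
    for src in sorted({src for _, src, _ in ev}):
        print(src, "->", servers_seen(ev, src))
    for src, s1, s2, t1, t2 in persistence_violations(ev):
        print(f"{src}: {s1} at {t1:%H:%M:%S}, then {s2} at {t2:%H:%M:%S}")
```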