This Chapter contains the following topics:
Since 10g (10.1.4.0.1), Oracle Internet Directory has supported failover of LDAP replicas from one supplier to another. Administrator intervention is required. Figure 40-1 shows a typical failover scenario.
This scenario has the following features:
Apple, Banana and Candy are multimaster replicas in the same DRG.
Damson is a read-only fan-out replica of Banana. That is, it is a partial replica using one-way LDAP replication.
Eggplant is an updatable fan-out replica of Banana. That is, it is a partial replica using two-way LDAP replication.
If Banana goes down, replication between the multimaster DRG and its fan-out replicas is broken.
An administrator can switch Eggplant and Damson to a new supplier, Candy.
Only two failover topology types are supported:
The consumer and new supplier are both connected to the old supplier with LDAP-based replication agreements. This is shown in Figure 40-2. Node 1 and Node 3 both have LDAP replication agreements with Node 2. Node 2 is the original supplier for Node 1. When Node 2 fails, you can fail over Node 1 to a new supplier, Node 3.
The consumer is connected to the old supplier with an LDAP-based agreement and the old supplier is in the same Advanced Replication group as the new supplier. This is shown in Figure 40-3. Node 2 and Node 3 are in the same Advanced Replication DRG. Node 2 is the original supplier for Node 4. When Node 4 fails, you can fail over Node 4 to a new supplier, Node 3.
This section describes limitations and warnings related to the use of replication failover.
As of Oracle Internet Directory 11g Release 1 (11.1.1), replication failover requires administrator intervention.
Following failover, you must compare and reconcile the consumer with the new supplier.
The new agreement must be of the same type and direction as the old agreement.
Only two topology types are supported.
When a supplier fails, its directly connected replica can only fail over to another directly connected replica of the failed supplier.
The replication filtering policy for the agreement between the new supplier and old supplier must match that between the old supplier and consumer.
In most cases, you should fail over the replica in a way that preserves the original replica type. In the case shown in Figure 40-4, node 2 is the old supplier for both node 1 and 3, and node 1 is read-only. When node 2 fails, you could, in theory, set up either node 1 or 3 as the new supplier node. Best practice, however, is to fail over node 1 so that node 3 is the supplier. This preserves node 1's original, read-only replica type.
If the new agreement is a two-way agreement, after you compare and reconcile the consumer with its new supplier, you must also compare and reconcile all other replicas that are connected to the new supplier with the new supplier. For example, in Figure 40-5, Node 2 has a two-way agreement with Node 3. Node 3 is connected to another replica, Node 4. When Node 2 fails, you set up a two-way agreement between node 3 and node 1. After comparing and reconciling node 3 with node 1, you must also compare and reconcile Node 4 with node 3 to ensure that the replicas are synchronized.
There are two types of replication failover. They are:
Stateless
Time-based
Use stateless failover when you are unable to plan for the failover in advance. Stateless replication failover makes no assumptions about the state of the replicas. You can fail over to a new supplier at any time. Stateless failover requires more work after failover to synchronize the nodes.
Use time-based failover for planned failover. Time-based failover results in less work after failover. However, it requires some setup ahead of time to ensure that the following assumptions are true at the time of failover:
The nodes are mostly synchronized
The new supplier has preserved its change logs so that complete synchronization can be achieved quickly.
This section explains how to perform a stateless replication failover. It consists of the following tasks:
Task 1: Stop all Directory Replication Server on related Nodes
Task 2: Break Old Replication Agreement and Set up New Agreement
Task 7: Start All Directory Replication Server on related Nodes
Stop the Oracle directory replication servers on the new supplier, old supplier and consumer, by typing:
oidctl connect=connStr server=oidrepld instance=1 componentname=oidComponentName \ flags="-h LdapHost -p LdapPort" stop
Break the old replication agreement between the old supplier and consumer and set up a new agreement between the new supplier and consumer. Do this by using the Replication Environment Management Tool. Type:
remtool -pchgmaster [-v] [-bind consumer_host::port_number]
you are prompted for the replication_dn_password
.
See Also:
The remtool
command-line tool reference in Oracle Fusion Middleware Reference for Oracle Identity Management
Obtain the last change number from the new supplier.
For a one-way agreement, use the following command:
ldapsearch -h new_supplier_host -p port_number -b "" \ -s base "objectclass=*" lastchangenumber
For a two-way agreement, use the following command:
ldapsearch -h consumer_host -p port_number -b "" \ -s base "objectclass=*" lastchangenumber
Save this number!
Use the Oracle Internet Directory Comparison and Reconciliation Tool to compare and reconcile the new supplier and consumer. For a one-way agreement, type:
oidcmprec operation=reconcile \ source=new_supplier_host:port \ destination=consumer_host:port \ base='""' scope=sub
For a two-way agreement, type:
oidcmprec operation=merge \ source=new_supplier_host:port\ destination=consumer_host:port/ \ base='""' scope=sub
you are prompted for the source and destination replication dn passwords.
This example assumes that the entire directory is replicated and, therefore, that base
is set to " ". If you are using partial replication, use the base
and dns2exclude
arguments to the oidcmprec
tool to include the desired DIT.
See Also:
The oidcmprec
command-line tool reference in Oracle Fusion Middleware Reference for Oracle Identity Management
Modify the new agreement with the retrieved last applied number at the new supplier. To do this:
Create an LDIF file with the last change number you retrieved in "Task 3: Save Last Change Number".
For a one-way agreement, it should look similar to this:
dn: agreement_dn changetype: modify replace: orclLastAppliedChangeNumber;apply$new_supplier_host$consumer_host orclLastAppliedChangeNumber;apply$new_supplier_host$consumer_host: last_change_number_retrieved. - replace: orclLastAppliedChangeNumber;transport$new_supplier_host$consumer_host orclLastAppliedChangeNumber;transport$new_supplier_host$consumer_host: last_change_number_retrieved_from_new_supplier
For a two-way agreement, it should look similar to this:
dn: agreement_dn changetype: modify replace: orclLastAppliedChangeNumber;apply$new_supplier_host$consumer_host orclLastAppliedChangeNumber;apply$new_supplier_host$consumer_host: last_change_number_retrieved_from_new_supplier - replace: orclLastAppliedChangeNumber;transport$new_supplier$consumer orclLastAppliedChangeNumber;transport$new_supplier$consumer: last_change_number_retrieved_from_new_supplier - replace: orclLastAppliedChangeNumber;apply$consumer_host$new_supplier_host orclLastAppliedChangeNumber;apply$consumer_host$new_supplier_host: last_change_number_retrieved_from_consumer - replace: orclLastAppliedChangeNumber;transport$consumer_host$new_supplier_host orclLastAppliedChangeNumber;transport$consumer_host$new_supplier_host: last_change_number_retrieved_from_consumer
Modify the agreement by using ldapmodify
, as follows:
ldapmodify -D "cn=orcladmin" -q -h host_name -p port_number -f LDIF_file
If the old supplier was down when you performed "Task 2: Break Old Replication Agreement and Set up New Agreement", the old agreement on the old supplier was not cleaned up. Clean it up now by using the Replication Environment Management Tool. Type:
remtool -pcleanup -agrmt [-v] [-bind consumer_host::port_number]
you are prompted for the replication_dn_password
.
See Also:
The remtool
command-line tool reference in Oracle Fusion Middleware Reference for Oracle Identity Management
Start the Oracle directory replication servers on the new supplier, the old supplier and the consumer, by typing:
oidctl connect=connStr server=oidrepld instance=1 \ name=instance_name componentname=component_name \ flags="-h LdapHost -p LdapPort" start
This section explains how to perform a time-based replication failover. It contains these topics:
Task 1: Configure Change Log Garbage Collection Object on New Supplier
Task 5: Stop all Directory Replication Servers on Related Nodes
Task 6: Break Old Replication Agreement and Set Up New Agreement
Task 9: Start All Directory Replication Servers on Related Nodes
Configure the changelog purging configuration entry on the new supplier so that it preserves change logs for the desired period, for example, 24 hours, as follows:
Create an LDIF file similar to this:
dn: cn=changelog purgeconfig,cn=purgeconfig,cn=subconfigsubentry changetype:modify replace: orclpurgetargetage orclpurgetargetage: 24
Apply the LDIF file by typing:
ldapmodify -D "cn=orcladmin" -q -p port -h host -D dn -f LDIF_file
Obtain the last change number from the new supplier, as follows:
ldapsearch -h new_supplier_host -p port_number -D cn=orcladmin -q \ -b "" -s base "objectclass=*" lastchangenumber
Save this number!
Enable change log regeneration at the new supplier, as follows:
Create an LDIF file like this:
dn: changetype: modify replace: orcldiprepository orcldiprepository: TRUE
Apply the LDIF file by typing:
ldapmodify -D "cn=orcladmin" -q -h host_name -p port_number -f LDIF_file
Wait for a period no greater than the value of orclpurgetargetage
in the changelog purging configuration entry.
Stop the Oracle directory replication servers on the new supplier, old supplier and consumer, by typing:
oidctl connect=connStr server=oidrepld instance=1 \ componentname=oidComponentName \ flags="-h LdapHost -p LdapPort" stop
Break the old replication agreement between the old supplier and the consumer, then set up a new agreement between the new supplier and the consumer. Do this by using the Replication Environment Management Tool, as follows:
remtool -pchgmaster [-v] [-bind hostname:port_number]
you are prompted for the replication_dn_password
.
See Also:
The remtool
command-line tool reference in Oracle Fusion Middleware Reference for Oracle Identity Management
Modify the new agreement at the new supplier so that its last applied change number has the value you retrieved in "Task 2: Save Last Change Number from New Supplier", as follows:
Create an LDIF file with the retrieved last applied change number, similar to this:
dn: agreement_dn changetype: modify replace: orclLastAppliedChangeNumber orclLastAppliedChangeNumber: last_change_number_retrieved
Apply the LDIF file to the agreement by using ldapmodify
:
ldapmodify -D "cn=orcladmin" -q -h host_name -p port_number -f LDIF_file
If the old supplier was down when you performed "Task 6: Break Old Replication Agreement and Set Up New Agreement", the old agreement on the old supplier was not cleaned up. Clean it up now by using the Replication Environment Management Tool. Type:
remtool -pcleanup -agrmt [-v] [-bind hostname:port_number]
you are prompted for the replication_dn_password
.
See Also:
The remtool
command-line tool reference in Oracle Fusion Middleware Reference for Oracle Identity Management
Start the Oracle directory replication servers on the new supplier, the old supplier and the consumer, by typing:
oidctl connect=connStr server=oidrepld instance=1 \ componentname=oidComponentName \ flags="-h LdapHost -p LdapPort" start
See Also:
Chapter 4, "Understanding Process Control of Oracle Internet Directory Components"
The oidctl
command-line tool reference in Oracle Fusion Middleware Reference for Oracle Identity Management.