[Linux-HA] LDAP Scheme

Eddie C edlinuxguru at gmail.com
Tue Oct 17 12:41:14 MDT 2006


I checked out your cib.xml. I considered using clones in my configuration.

I think the main difference between my configuration and your configuration
is your OCF script and fencing options. I have no fencing and I am using a
heartbeat script.

<op id="2" name="start" timeout="9s" on_fail="fence"/>

I am guessing that a failure to start or monitor ldap fences the node. Does
that fence all resources off that node? Ideally I would like to be able to
fence certain resources off a server not all or nothing.

Edward



On 10/17/06, Chris Gallo <chrisagallo at gmail.com> wrote:
>
> I actually did something similar myself.
>
> I have 2 ldap nodes that serve requests, a primary and a secondary. I
> also have a master node which any updates get resolved to.
>
> The auth server has the .193 IP which gets moved around between the 3
> nodes. But only gets put on the master node in worst case.
> The master node's sole purpose is to replicate changes in passwords
> and provide a 3rd server.
>
> My cib.xml can be found here http://isthesuck.com/cib1.xml if it helps.
> I made my own ping and ldap scripts, but other than that it should be
> pretty simple.
>
> I hope that helps you.
>
> On 10/16/06, Eddie C <edlinuxguru at gmail.com> wrote:
> > Currently we use i-planet LDAP with single master replication.
> >
> > ldap1.domain.com replicates to ldap5.domain.com. All our LDAP writing
> > applications point to ldap1.domain.com and most read intensive
> > applications point at ldap5.idsk.com.
> >
> > We are planning a migration to multi-master replication.
> > ldap2.domain.com <->ldap3.domain.com.
> > What I am trying to accomplish is to float both the ldap1.domain.com and
> > ldap5.domain.com. This way none of the current configuration files will
> > have to be re-jigged.
> >
> > Wanted results
> > Both LDAP up:
> > ldap1.domain.com -> ldap2.domain.com
> > ldap5.domain.com -> ldap3.domain.com
> >
> > ldap3 failure.
> > ldap1.domain.com -> ldap2.domain.com
> > ldap5.domain.com -> ldap2.domain.com
> >
> > ldap2 failure
> > ldap1.domain.com -> ldap3.domain.com
> > ldap5.domain.com -> ldap3.domain.com
> >
> > I tried to implement this in this manner:
> >
> > Made resource vip_192.168.200.203 (ldap1.domain.com in DNS)
> > Made resource vip_192.168.200.202 (ldap5.domain.com in DNS)
> > Made resource res_ldap_1 (this is a heartbeat/rc init script on both
> > servers)
> > Made resource res_ldap_2 (this is a heartbeat/rc init script on both
> > servers)
> >
> > Colocation ldap (this is to say: always run LDAP on two separate
> > machines)
> > res_ldap_1, res_ldap_2, -infinity
> >
> > (make 203 prefer one ldap, 202 prefer the other)
> > place_pri  vip_192.168.200.203,res_ldap_1, 100
> > place_pri2  vip_192.168.200.202,res_ldap_2, 100
> >
> > (make 203 fall back to one ldap, 202 fall back to the other; lower score
> > than the other place rules)
> > place_sec  vip_192.168.200.202,res_ldap_1, 90
> > place_sec2  vip_192.168.200.203,res_ldap_2, 90
> >
> > Now if I kill a node everything fails over and fails back well.
> > Both IPs transfer to the running node. When the failed node restarts,
> > one IP transfers back after the ldap instance starts.
> >
> > However here is the funky part. If I kill the ldap instance on
> > ldap2.domain.com, both IPs fail over to ldap2.domain.com, leaving the
> > running ldap3.domain.com with no IP.
> > If I kill the ldap instance on ldap3.domain.com the IP does not float to
> > ldap2.domain.com.
> >
> > Does anyone have a better theory on implementing this design?
> >
> > Edward
> > _______________________________________________
> > Linux-HA mailing list
> > Linux-HA at lists.linux-ha.org
> > http://lists.linux-ha.org/mailman/listinfo/linux-ha
> > See also: http://linux-ha.org/ReportingProblems
> >
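Edward's resource and constraint design from the quoted post, written out as a Heartbeat 2.x CIB fragment. This is an added illustration, not either poster's actual cib.xml: the resource ids and scores are the ones given in the post, while the primitive definitions (class, type, IPaddr2 parameters), operation ids and monitor interval are assumptions.

```xml
<!-- Added illustration of the constraint design described in the thread.
     Resource ids and scores come from the post; primitive bodies, op ids and
     the monitor interval are assumptions. -->
<resources>
  <!-- The two LDAP instances, each driven by the heartbeat/rc init script
       present on both nodes (class/type assumed) -->
  <primitive id="res_ldap_1" class="heartbeat" type="ldap">
    <operations>
      <op id="res_ldap_1_mon" name="monitor" interval="30s" timeout="20s"/>
    </operations>
  </primitive>
  <primitive id="res_ldap_2" class="heartbeat" type="ldap">
    <operations>
      <op id="res_ldap_2_mon" name="monitor" interval="30s" timeout="20s"/>
    </operations>
  </primitive>
  <!-- Floating addresses: ldap1.domain.com (.203) and ldap5.domain.com (.202) -->
  <primitive id="vip_192.168.200.203" class="ocf" provider="heartbeat" type="IPaddr2">
    <instance_attributes id="vip_203_attrs">
      <attributes>
        <nvpair id="vip_203_ip" name="ip" value="192.168.200.203"/>
      </attributes>
    </instance_attributes>
  </primitive>
  <primitive id="vip_192.168.200.202" class="ocf" provider="heartbeat" type="IPaddr2">
    <instance_attributes id="vip_202_attrs">
      <attributes>
        <nvpair id="vip_202_ip" name="ip" value="192.168.200.202"/>
      </attributes>
    </instance_attributes>
  </primitive>
</resources>
<constraints>
  <!-- Never run both LDAP instances on the same node -->
  <rsc_colocation id="ldap" from="res_ldap_1" to="res_ldap_2" score="-INFINITY"/>
  <!-- Preferred pairing: .203 with res_ldap_1, .202 with res_ldap_2 -->
  <rsc_colocation id="place_pri"  from="vip_192.168.200.203" to="res_ldap_1" score="100"/>
  <rsc_colocation id="place_pri2" from="vip_192.168.200.202" to="res_ldap_2" score="100"/>
  <!-- Fallback pairing, scored below the preferred rules -->
  <rsc_colocation id="place_sec"  from="vip_192.168.200.202" to="res_ldap_1" score="90"/>
  <rsc_colocation id="place_sec2" from="vip_192.168.200.203" to="res_ldap_2" score="90"/>
</constraints>
```

The fragment contains only colocation scores, matching the post; nothing here orders a VIP to start after its LDAP instance, and no rsc_order or failcount handling is assumed, so it reproduces the design as stated rather than a fix for the behaviour Edward reports.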

