Promoting Replica to LDAP Master 8.0: Difference between revisions

(Created page with "{{ZC}}{{Article Infobox|{{admin}}|{{ZCS 7.0}}|{{ZCS 6.0}}||}}Only one master LDAP server can exist and this LDAP server is authoritative for user information, server configura...")

(24 intermediate revisions by 5 users not shown)

Summary of the side-by-side revision diff (the two columns were interleaved line by line in the extracted page; the diff is restated here as a list of differences). The earlier revision carried an Article Infobox for ZCS 7.0 and 6.0 and a footer verified against Zimbra Collaboration Suite 6.0.2 (10/1/2009); the latest revision carries {{BC|Certified}}, a KB infobox for ZCS 8.0, the {{WIP}} marker and a footer verified against 8.0.2 (11/29/2012). Both revisions are in [[Category:Certified]]. The procedural differences are:

* Step 2c targets olcDatabase={2}mdb instead of olcDatabase={2}hdb. The earlier revision had a fourth ldapmodify that added olcSpSessionLog: 500 to the syncprov overlay (the value line was spelled olcSpSessionlog); the latest revision drops it.
* The earlier step 2e, which copied DB_CONFIG.accesslog (from /opt/zimbra/conf/custom/ldap/ for a custom DB_CONFIG, or from /opt/zimbra/openldap/var/openldap-data/ for the default) into /opt/zimbra/data/ldap/accesslog/db/DB_CONFIG before restarting ldap, is removed, because mdb has no DB_CONFIG. The following steps are therefore lettered e through j instead of f through k.
* The accesslog database is defined with objectClass olcMdbConfig and the mdb attributes olcDbEnvFlags (writemap, nometasync), olcDbNoSync: TRUE and olcDbMaxSize: 85899345920, in place of olcHdbConfig with olcDbCacheSize: 10000, olcDbNoSync: FALSE, olcDbDirtyRead: FALSE, olcDbIDLcacheSize: 10000, olcDbLinearIndex: FALSE, olcDbShmKey: 0, olcDbCacheFree: 1 and olcDbDNcacheSize: 0. The syncprov overlay is added to olcDatabase={2}mdb rather than {2}hdb, and the accesslog overlay is added as olcOverlay={1}accesslog on olcDatabase={3}mdb rather than olcOverlay=accesslog on olcDatabase={3}hdb.
* The zmldapreplicatool step, previously a one-liner marked "(ZCS 7.x only)", now explains that agreements may need to be added, modified or removed for non-MMR replicas, that the agreement ID comes from zmldapreplicatool -q, and that zmldapreplicatool -m -r <RID> -p ldap://<new_master_directory_address>:389/ modifies one.
* Step 3 runs /opt/zimbra/libexec/zmmtainit "$ldap_url" after sourcing ~/bin/zmshutil and running zmsetvars, instead of /opt/zimbra/libexec/zmmtainit XX with the note that "XX" is a dummy value and that zmmtainit uses the ldap_url value from localconfig regardless.

Latest revision as of 05:09, 14 March 2019

Promoting Replica to LDAP Master 8.0

KB 20379, last updated on 2019-03-14

Only one master LDAP server can exist and this LDAP server is authoritative for user information, server configuration, etc. The instructions that follow explain how to promote a replica LDAP server to master and disable the previous LDAP master.

Promoting a Replica Server – Demoting the Master Server

Before you can promote a replica LDAP server to become the master LDAP server, your LDAP replication must be up and working correctly; that is, the replica LDAP server(s) must be receiving LDAP updates from the master. See the Multi-Server Installation Guide, LDAP Replication Installation chapter.

To promote a replica server to be master

  1. Shut down all services on all ZCS servers by running zmcontrol stop.
  2. On the replica LDAP server that will be the new master LDAP server, do the following as the zimbra user:
a. Start ldap: ldap start
b. Note the ldap root password, as it will be used extensively: zmlocalconfig -s ldap_root_password. The commands below pass it with -w, which places it on the command line where every local user can read it from the process list; on a shared host, write it (without a trailing newline) to a mode 0600 file and use -y <file> instead, or use -W to be prompted.
c. Update the main ldap database to be a master. Each ldapmodify below reads the LDIF lines that follow it from standard input; finish each with Ctrl-D or feed it a here-document. The first two modifications remove the consumer-side settings (the syncrepl agreement and the update referral to the old master); the third gives the syncprov overlay a checkpoint so the provider writes its contextCSN to the database after every 20 write operations or 10 minutes:

ldapmodify -x -H ldapi:/// -D "cn=config" -w "ldap root password"
dn: olcDatabase={2}mdb,cn=config
changetype: modify
delete: olcSyncrepl

ldapmodify -x -H ldapi:/// -D "cn=config" -w "ldap root password"
dn: olcDatabase={2}mdb,cn=config
changetype: modify
delete: olcUpdateRef

ldapmodify -x -H ldapi:/// -D "cn=config" -w "ldap root password"
dn: olcOverlay={0}syncprov,olcDatabase={2}mdb,cn=config
changetype: modify
add: olcSpCheckpoint
olcSpCheckpoint: 20 10

d. Prepare the accesslog database for the new master:

ldap stop
cd /opt/zimbra/data/ldap
mkdir -p accesslog/db
mkdir -p accesslog/logs

Start ldap again:

ldap start

e. Add the accesslog database. Note that it is added as olcDatabase={2}mdb, the index the main database holds at this point: cn=config inserts the new entry at that position and renumbers the existing main database to olcDatabase={3}mdb. The syncprov overlay in the second ldapadd therefore attaches to the new accesslog database (a delta-syncrepl provider needs syncprov on the log database), and the accesslog overlay in the third ldapadd attaches to the renumbered main database:

ldapadd -x -H ldapi:/// -D "cn=config" -w "ldap root password"
dn: olcDatabase={2}mdb,cn=config
changetype: add
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {2}mdb
olcDbDirectory: /opt/zimbra/data/ldap/accesslog/db
olcSuffix: cn=accesslog
olcAccess: {0}to dn.subtree="cn=accesslog"  by dn.exact="uid=zimbra,cn=admins,cn=zimbra" read  by dn.exact="cn=config" read  by dn.exact="uid=zmreplica,cn=admins,cn=zimbra" read
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=config
olcSizeLimit: unlimited
olcTimeLimit: unlimited
olcMonitoring: TRUE
olcDbCheckpoint: 64 5
olcDbEnvFlags: writemap
olcDbEnvFlags: nometasync
olcDbNoSync: TRUE
olcDbIndex: entryCSN eq
olcDbIndex: objectClass eq
olcDbIndex: reqEnd eq
olcDbIndex: reqResult eq
olcDbIndex: reqStart eq
olcDbMaxSize: 85899345920
olcDbMode: 0600
olcDbSearchStack: 16

ldapadd -x -H ldapi:/// -D "cn=config" -w "ldap root password"
dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE

ldapadd -x -H ldapi:/// -D "cn=config" -w "ldap root password"
dn: olcOverlay={1}accesslog,olcDatabase={3}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: {1}accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogSuccess: TRUE
olcAccessLogPurge: 01+00:00  00+04:00

f. Update the localconfig values for this server (the option is -e with an ordinary hyphen):

zmlocalconfig -e ldap_master_url=<new_master_directory_address>
zmlocalconfig -e ldap_url=<new_master_directory_address>
zmlocalconfig -e ldap_is_master=true
zmlocalconfig -e ldap_host=<newmaster_directory_host>

g. On all other servers, update the localconfig values:

zmlocalconfig -e ldap_master_url=<new_master_directory_address>
zmlocalconfig -e ldap_host=<newmaster_directory_host>

h. On all the other servers, update ldap_url with zmlocalconfig -e to remove the old master server from the list. It should already include the new one.
i. Use the tool zmldapreplicatool to update the LDAP Master URI in the syncrepl configuration for any non-MMR replicas. Depending on your circumstances, you will need to add, modify, or remove agreements for your LDAP replicas. When editing existing agreements, log into the LDAP server whose agreement needs the update, then get the agreement ID using zmldapreplicatool -q

You may modify it using:

zmldapreplicatool -m -r <RID> -p ldap://<new_master_directory_address>:389/

The tool expects an RID when modifying an agreement and a properly formatted URI, which must end with a slash. See zmldapreplicatool -h for more information.

j. Update the passwords stored in localconfig for the amavis, postfix, and nginx users (the ldap_amavis_password, ldap_postfix_password and ldap_nginx_password keys) to match the values stored in localconfig on the old master. This ensures that if you run a ZCS upgrade on the new master, the passwords are preserved correctly.

3. Now run zmmtainit to edit the ldap*.cf files in /opt/zimbra/conf so that the new master LDAP server is the authority for the MTA. These files tell Postfix how to connect to the LDAP server for various lookups. If you are moving the directory servers, Postfix may otherwise be left pointing at a server that no longer runs LDAP, which will cause mail delivery to stop.

Note: zmmtainit should be run on the hosts that are running an MTA, but is not required on the other hosts.

As zimbra, type the following:

. ~/bin/zmshutil
zmsetvars
/opt/zimbra/libexec/zmmtainit "$ldap_url"

4. Start the new LDAP master, type zmcontrol start. Then start up the services on all the other servers. At this point, services should be up and running on all hosts, and they should all be working off the new Master LDAP server.

Note: After the replica is promoted to Master, you should verify that the backup schedule is correctly set. Run zmschedulebackup -q. The schedule should match the backup schedule on the Mail Stores. If the backup schedule does not, run the zmschedulebackup command to set the backup schedule.
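Once services are back up, it is worth confirming from cn=config itself that the new master carries the promoted-master layout, rather than trusting the shell history. The script below is an added example and is not part of this article or of Zimbra. It parses the LDIF that ldapsearch prints for cn=config on the new master and reports every deviation from the end state of steps 2c through 2e: a leftover olcSyncrepl or olcUpdateRef on the main database, a syncprov overlay without olcSpCheckpoint, a missing cn=accesslog database or its syncprov overlay, the accesslog database not sitting ahead of the renumbered main database, and a missing accesslog overlay. The ldapsearch invocation in its docstring, the hostname ldap-old.example.com and the two embedded sample LDIF documents are constructed for the example; the samples carry only the attributes the checks look at.

```python
"""Check that cn=config on a promoted Zimbra LDAP master matches the layout the
procedure above produces (added example, not Zimbra tooling).  Input: the LDIF
from  ldapsearch -x -LLL -H ldapi:/// -D cn=config -w <ldap root password>
-b cn=config "(|(objectClass=olcMdbConfig)(objectClass=olcOverlayConfig))"  """
import base64
import re
import sys

DB_DN = re.compile(r"^olcDatabase=\{(\d+)\}(\w+),cn=config$")
OVERLAY_DN = re.compile(r"^olcOverlay=(?:\{\d+\})?(\w+),(olcDatabase=\{\d+\}\w+,cn=config)$")

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; joins folded lines, decodes '::' base64."""
    entries = []
    unfolded = re.sub(r"\r?\n ", "", text)          # LDIF folds long lines with "\n "
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, raw = line.partition(":")
            value = (base64.b64decode(raw[1:].strip()).decode()
                     if raw.startswith(":") else raw.strip())
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries

def check_promoted_master(ldif_text):
    """Return a list of problems; an empty list means cn=config matches."""
    dbs, overlays = {}, {}
    for dn, attrs in parse_ldif(ldif_text):
        db, ov = DB_DN.match(dn), OVERLAY_DN.match(dn)
        if db:                                       # dn -> (index, backend, attrs)
            dbs[dn] = (int(db.group(1)), db.group(2), attrs)
        elif ov:                                     # parent db dn -> {overlay: attrs}
            overlays.setdefault(ov.group(2), {})[ov.group(1)] = attrs
    accesslog = [dn for dn, (_, be, a) in dbs.items()
                 if be == "mdb" and "cn=accesslog" in a.get("olcSuffix", [])]
    main = [dn for dn, (_, be, _) in dbs.items() if be == "mdb" and dn not in accesslog]
    if len(main) != 1:
        return ["expected exactly one main mdb database, found %d" % len(main)]
    main_dn, main_attrs = main[0], dbs[main[0]][2]
    main_ov, problems = overlays.get(main_dn, {}), []
    # Step 2c: consumer-only settings must be gone from the main database.
    for attr in ("olcSyncrepl", "olcUpdateRef"):
        if attr in main_attrs:
            problems.append("%s still has %s: %s" % (main_dn, attr, main_attrs[attr][0]))
    # Step 2c: the main database's syncprov overlay must carry a checkpoint.
    if "olcSpCheckpoint" not in main_ov.get("syncprov", {}):
        problems.append("syncprov on %s is missing or has no olcSpCheckpoint" % main_dn)
    # Step 2e: one cn=accesslog mdb database with its own syncprov overlay,
    # inserted at {2}, which renumbers the main database to {3}.
    if len(accesslog) != 1:
        problems.append("expected one cn=accesslog mdb database, found %d" % len(accesslog))
        return problems
    al_dn = accesslog[0]
    if "syncprov" not in overlays.get(al_dn, {}):
        problems.append("%s has no syncprov overlay" % al_dn)
    if dbs[al_dn][0] >= dbs[main_dn][0]:
        problems.append("%s is not ordered before %s as in the procedure" % (al_dn, main_dn))
    # Step 2e: the accesslog overlay sits on the renumbered main database.
    if main_ov.get("accesslog", {}).get("olcAccessLogDB") != ["cn=accesslog"]:
        problems.append("%s has no accesslog overlay logging to cn=accesslog" % main_dn)
    return problems

# Constructed sample: the state steps 2c-2e leave behind.
PROMOTED_LDIF = """\
dn: olcDatabase={2}mdb,cn=config
olcSuffix: cn=accesslog

dn: olcOverlay={0}syncprov,olcDatabase={2}mdb,cn=config

dn: olcDatabase={3}mdb,cn=config

dn: olcOverlay={0}syncprov,olcDatabase={3}mdb,cn=config
olcSpCheckpoint: 20 10

dn: olcOverlay={1}accesslog,olcDatabase={3}mdb,cn=config
olcAccessLogDB: cn=accesslog
"""

# Constructed sample: an un-promoted replica (hostname made up, olcSyncrepl folded).
REPLICA_LDIF = """\
dn: olcDatabase={2}mdb,cn=config
olcSyncrepl: {0}rid=100 provider=ldap://ldap-old.example.com:389/ bindmethod=simpl
 e searchbase="" type=refreshAndPersist
olcUpdateRef: ldap://ldap-old.example.com:389/

dn: olcOverlay={0}syncprov,olcDatabase={2}mdb,cn=config
"""

if __name__ == "__main__":                          # python3 check_promoted.py < config.ldif
    findings = check_promoted_master(sys.stdin.read())
    print("\n".join(findings or ["cn=config matches the promoted-master layout"]))
```

Run it on the new master with the ldapsearch output on standard input; an empty report means the configuration matches, otherwise each line names the entry that still needs attention. Running it on a replica that has not been promoted lists the syncrepl agreement and update referral that step 2c removes, which is the quickest way to tell the two roles apart.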

Shut down the previous master

The old LDAP master must be disabled and must not be brought back as an LDAP master, since only one master may exist.

Related Articles

LDAP


Verified Against: Zimbra Collaboration Suite 8.0.2 Date Created: 11/29/2012
Article ID: https://wiki.zimbra.com/index.php?title=Promoting_Replica_to_LDAP_Master_8.0 Date Modified: 2019-03-14


