August 30, 2005

[Installations] Mirrored LDAP

After jumpstarting SITH into another DirectoryServer configuration, I got LDAP set up to mirror between it and ASHTI. It was surprisingly easy.

There’s a new user in the administrators section (same place as the MacOS X config user and the LDAP search user) that is allowed to connect with replication data. Setting up the replication agreements was straightforward (but don’t try to use SSL with our certs — it fails). Replication updates happen right away, and work properly.

Thanks to round robin DNS entries, the load evened out pretty quickly between the two, and now we’re sitting at an average of about .4 to .5 on each. Still a little high for my tastes, but it’s usable. Maybe a new LDAP server pair should be in the future; we’ll see how well this pair does for now.

Posted by Rowan Littell at 02:12 PM

August 25, 2005

[Firefighting] More LDAP Indices

Last night I rebuilt the LDAP indices on ASHTI after adding an index for uidNumber.

Everything went fine, and the index rebuilt within about 7 minutes. Total downtime was maybe 20 minutes, what with turning off services and restarting them.

  • Turn off LDAP synchronization cron jobs on BARIS, KE, and SHANTI.
  • Turn off Sendmail on BARIS and TAIKA (they’re LDAP-capable, and I’d prefer no Sendmail to LDAP connection errors during the downtime).
  • Upload new index LDIF.
  • Block LDAP access on ASHTI to ports 389 and 636 in the packet filter.
  • Run the indexing command.

Then reverse as appropriate to come back out of it.
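An added example, not from the original post: a small shell tool for deciding which attribute needs an index next. It scans a Directory Server access log for searches the server flagged as unindexed and tallies their filters with the values masked. It assumes the Netscape-derived access log format (a SRCH line carrying the filter, and a RESULT line for the same conn/op carrying `notes=U` when the search was unindexed); the sample log below is constructed.

```shell
#!/bin/sh
# Tally unindexed searches (notes=U) in a Directory Server access log so the
# attributes that most need an index stand out. Assumption: Netscape/Sun-style
# log format, where SRCH and RESULT lines share a "conn=N op=M" key.

# unindexed_filters LOGFILE -> lines of "COUNT FILTER", most frequent first,
# with every "=value" in the filter masked to "=*" so that (uidNumber=1001)
# and (uidNumber=1002) count together.
unindexed_filters() {
    awk '
        /SRCH/ {
            # remember the filter issued for this conn/op pair
            if (match($0, /conn=[0-9]+ op=[0-9]+/)) {
                key = substr($0, RSTART, RLENGTH)
                if (match($0, /filter="[^"]*"/)) {
                    f = substr($0, RSTART + 8, RLENGTH - 9)
                    gsub(/=[^)]*\)/, "=*)", f)   # mask the searched-for values
                    flt[key] = f
                }
            }
        }
        /RESULT/ && /notes=U/ {
            # the server did a full scan for this operation: count its filter
            if (match($0, /conn=[0-9]+ op=[0-9]+/)) {
                key = substr($0, RSTART, RLENGTH)
                if (key in flt) count[flt[key]]++
            }
        }
        END { for (f in count) printf "%d %s\n", count[f], f }
    ' "$1" | sort -rn
}

# Constructed sample log: two uidNumber searches flagged unindexed, one
# indexed uid search that is not.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[25/Aug/2005:09:30:01 -0400] conn=101 op=3 SRCH base="dc=example,dc=com" scope=2 filter="(uidNumber=1001)" attrs=ALL
[25/Aug/2005:09:30:01 -0400] conn=101 op=3 RESULT err=0 tag=101 nentries=1 etime=2 notes=U
[25/Aug/2005:09:30:02 -0400] conn=102 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=rowan)" attrs=ALL
[25/Aug/2005:09:30:02 -0400] conn=102 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[25/Aug/2005:09:30:05 -0400] conn=103 op=2 SRCH base="dc=example,dc=com" scope=2 filter="(uidNumber=1002)" attrs=ALL
[25/Aug/2005:09:30:05 -0400] conn=103 op=2 RESULT err=0 tag=101 nentries=1 etime=3 notes=U
EOF

unindexed_filters "$SAMPLE_LOG"
```

Run it against the real access log before a maintenance window and again afterwards; the filter you just indexed should drop out of the list.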

Posted by Rowan Littell at 09:49 AM