Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
2014/02/20, 1.0
Abstract:
The purpose of this article is to demonstrate the use of ISDS (IBM Security Directory Server), formerly known
as ITDS (IBM Tivoli Directory Server), using Heartbeat for creating a highly available authentication system
with fail-over mechanism. High availability is very critical for enterprise authentication services since
consolidating any service on a particular server is not at all reliable. Depending on a single server eventually
creates a "single point of failure" (SPOF), which can break the entire organization's authentication system.
You will see here one method of creating a reliable authentication server using IBM Security Directory Server,
which can be adapted by many different applications. We will use the Heartbeat package from the Linux HA
project (see the "Resources" section) to design a highly available authentication system using IBM Security
Directory Server.
Table of Contents
1Introduction .............................................................................................................................................4
2Environment setup...................................................................................................................................5
3About IBM Security Directory Server (ISDS).........................................................................................5
4About Heartbeat.......................................................................................................................................5
5Prerequisite...............................................................................................................................................6
6IBM Security Directory Server replication..............................................................................................7
6.1Log in to Web Administration Tool..................................................................................................8
6.2WAT introduction page.....................................................................................................................8
6.3Adding servers to WAT....................................................................................................................9
6.4Log in to the ISDS instance to configure replication.....................................................................11
6.5Setting up the replication................................................................................................................11
6.5.1Check replication-related entries in ISDS using command line.............................................23
6.6Synchronize data between two replication servers.........................................................................23
6.6.1Exporting data.........................................................................................................................24
6.6.2Exporting data using salt and seed of the destination server..................................................24
How to obtain salt and seed of an ISDS server..........................................................................25
6.6.3Importing data.........................................................................................................................25
6.7Resume replication queue..............................................................................................................26
7Heartbeat setup.......................................................................................................................................28
7.1Installing Heartbeat........................................................................................................................28
7.2Configuring Heartbeat....................................................................................................................28
7.2.1The authkeys file.....................................................................................................................28
7.2.2The ha.cf file...........................................................................................................................29
7.2.3The haresources file................................................................................................................30
7.3Propagating configuration files to peer servers..............................................................................30
7.4Starting Heartbeat...........................................................................................................................31
7.4.1Network configuration before starting heartbeat....................................................................31
7.4.2Network configuration after starting heartbeat.......................................................................34
7.4.3Checking Heartbeat status......................................................................................................34
8Testing high-availability scenario..........................................................................................................35
8.1.1Checking the network configuration on ldaphost2.................................................................35
9DNS hack...............................................................................................................................................37
10Query ISDS server using virtual IP......................................................................................................37
11Resources.............................................................................................................................................38
Table of Figures
Figure 1: Directory operations under normal condition.............................................................................4
Figure 2: Directory operations under failover condition............................................................................5
Figure 3: WAT Console administration login.............................................................................................8
Figure 4: WAT console introduction page..................................................................................................8
Figure 5: Adding servers to WAT...............................................................................................................9
Figure 6: Adding servers to WAT(2)..........................................................................................................9
Figure 7: WAT servers list........................................................................................................................10
Figure 8: WAT Directory server login......................................................................................................11
Figure 9: WAT Introduction page.............................................................................................................12
Figure 10: Add replication subtree...........................................................................................................12
Figure 11: Browse subtree(1)...................................................................................................................13
Table of Listings
Listing 1: "idsilist" output from ldaphost1.................................................................................................6
Listing 2: "idsilist" output from ldaphost2.................................................................................................7
Listing 3: ISDS and admin server running on ldaphost1...........................................................................7
Listing 4: ISDS and admin server running on ldaphost2...........................................................................7
Listing 5: ISDS instance list.....................................................................................................................10
Listing 6: Information added to DIT after adding replication suffix.......................................................14
Listing 7: Bind credential.........................................................................................................................18
Listing 8: Supplier bind credential information.......................................................................................19
Listing 9: Information added to server ldaphost1....................................................................................21
Listing 10: Information added to server ldaphost2..................................................................................22
Listing 11: Exporting data with seed and salt..........................................................................................24
Listing 12: ISDS server's crypto salt........................................................................................................25
Listing 13: Copy the exported LDIF file to the target server...................................................................25
Listing 14: Importing data into the server................................................................................................26
Listing 15: View Heartbeat's document...................................................................................................28
Listing 16: The /etc/ha.d/authkeys file.....................................................................................................29
Listing 17: authkeys permission..............................................................................................................29
Listing 18: Sample ha.cf file....................................................................................................................29
Listing 19: Sample haresources file.........................................................................................................30
Listing 20: ha_propagate script location..................................................................................................30
Listing 21: ha_propagate..........................................................................................................................31
Listing 22: ifconfig output before starting heartbeat................................................................................32
Listing 23: Starting heartbeat...................................................................................................................32
Listing 24: log snippet from /var/log/ha-log on ldaphost1......................................................................33
Listing 25: ifconfig output after starting heartbeat..................................................................................34
Listing 26: Stopping heartbeat.................................................................................................................35
Listing 27: ifconfig output from ldaphost2 after stopping heartbeat on ldaphost1..................................35
Listing 28: log snippet from /var/log/ha-log on ldaphost2 after stopping heartbeat on ldaphost1..........36
Listing 29: /etc/hosts file from server ldaphost1 and ldaphost2..............................................................37
1 Introduction
As organizations add applications and services, centralized authentication services can increase
security and decrease administrative tasks. However, being dependent on a single server eventually
creates a "single point of failure" (SPOF), which can break the entire organization's authentication
system. To overcome this SPOF, we will be discussing here how to configure IBM Security Directory
Server (ISDS) with Heartbeat to deliver a highly available authentication system.
In this article, we will demonstrate one method to create a reliable authentication server using ISDS,
which can be adapted by many organization-wide applications. We will use the Heartbeat package
from the Linux HA project.
Starting with two identical ISDS servers (peer-to-peer replication), several configurations can be used.
First, we could do a "cold standby" where the master ISDS server has a virtual IP and a running ISDS
instance. The secondary ISDS server sits idle. When the master server fails, the ISDS instance and
virtual IP move to the cold node (secondary server). This is a very simple setup to implement. See
Figure 1: Directory operations under normal condition. However, the data synchronization between the
master and secondary servers could be a problem. To solve that, we will configure the servers with live
ISDS instances running on both the servers. In this way, updates to the master server are immediately
replicated to the secondary server.
Failure of the master ISDS server leaves our secondary ISDS server available to respond to client
queries. See Figure 2: Directory operations under failover condition
2 Environment setup
The example described in this article is based on a setup that requires:
Two ISDS v6.3.1 Servers, installed on RHEL 6.5 64-bit, configured in a peer-to-peer or
master-master replication.
Server1 hostname ldaphost1.in.ibm.com - 192.168.56.20
Server2 hostname ldaphost2.in.ibm.com - 192.168.56.21
Heartbeat version 3.0.4 installed on both servers (i.e., ldaphost1 and ldaphost2)
Note: See the "Resources" section to download ISDS and Heartbeat packages.
4 About Heartbeat
In an enterprise environment, certain servers (such as an authentication server) must always be up and
running for the business to keep functioning smoothly. These servers provide services that need to be
always available.
A cornerstone of any mission-critical service that always needs to be up with no downtime is being able
to transfer the service from one system to another gracefully. The magic that makes this possible is a
service called Heartbeat. Heartbeat is the main product of the High-Availability Linux project.
In this article, we have tested only an active/passive method with two ISDS peer servers, where the
active server provides the services and the passive server waits to take over in case the active server
goes down.
The best part of this method is that you do not need any hardware devices, which tend to be expensive,
to build a highly available authentication system.
5 Prerequisite
In this section, I assume that you have already installed ISDS on both systems (i.e., ldaphost1 and
ldaphost2).
I also assume that you have created an ISDS instance dsrdbm01 on both the servers, which runs on
port 389. If you have set up the instances properly, then you will see output from both servers similar
to the following two listings.
LISTEN
LISTEN
1755/ibmslapd
29489/ibmdiradm
LISTEN
LISTEN
14158/ibmslapd
4581/ibmdiradm
In the Server name field, enter a descriptive name for your ISDS instance. The best practice in creating
a server name is to use the hostname followed by the instance name (i.e., hostnameinstance_name). To use only the hostname, leave the field blank.
Hostname is the real server's name on which TDS instance is running, and the hostname must be
resolvable by your DNS, otherwise WAT will fail to contact the server. On the other hand, Server name
is for end user reference to give a meaningful name to the instance. Server name is confined to the
WAT portal only, whereas Hostname must be resolvable to a specific IP address.
The panel in Figure 6 also prompts you for a Port number and an Administration port number. Use
the command line tool idsilist -a to find out these values. See, for example, the output in Listing
5.
[root@ldaphost1 ~]# idsilist -a
Directory server instance(s):
-------------------------------------Instance 1:
Name: dsrdbm01
Version: 6.3.1
Location: /home/dsrdbm01
Description: IBM Security Directory Server Instance V6.3.1
IP Addresses: All available
Port: 389
Secure Port: 636
Admin Server Port: 3538
Admin Server Secure Port: 3539
Type: Directory Server
After you have added each server, press OK. Add the rest of the servers that you want to administer
remotely using WAT.
After all the servers have been added, you can display the list in the Manage console servers page.
After clicking on OK, as shown in Figure 11: Browse subtree(1), you are presented with a screen
similar to Figure 12: Select replication suffix, on which to choose the suffix or subtree to replicate.
o=ibm,c=in
objectclass=organization
objectclass=top
objectclass=ibm-replicationcontext
o=ibm
ibm-replicareferralurl=ldap://ldaphost1.in.ibm.com:389
ibm-replicaGroup=default,o=ibm,c=in
ibm-replicagroup=default
objectclass=ibm-replicagroup
objectclass=top
cn=ldaphost1.in.ibm.com:389,ibm-replicaGroup=default,o=ibm,c=in
objectclass=ibm-replicasubentry
objectclass=top
ibm-replicaserverid=de8e2ec0-bfa2-1032-950c-8d69c0d06df0
ibm-replicationserverismaster=TRUE
cn=ldaphost1.in.ibm.com:389
You now see a screen similar to Figure 19: Add credentials (2), where you need to enter a CN
(Common Name) under which your bind credentials will be stored. Click on Next to continue.
Refer to "Check replication-related entries in ISDS using command line" to find out the Listing 6
information for your server.
Click OK on Figure 21. You see a screen similar to that shown in Figure 22: Add master server.
Click on Additional to configure the peer replication server (ldaphost2.in.ibm.com). You are presented
with a new screen. Scroll down to the Consumer section and add the details as shown in Figure 23:
Add credential on peer server.
cn=Supplier1397416499356, cn=configuration
cn=Supplier1397416499356
ibm-slapdmasterdn=cn=manager
ibm-slapdmasterpw={AES256}mU4i4ChMyT7OytFazN+hIA==
ibm-slapdreplicasubtree=O=IBM, C=IN
objectclass=ibm-slapdconfigentry
objectclass=ibm-slapdsupplier
objectclass=top
cn=ldaphost2.in.ibm.com:389,ibm-replicaGroup=default,O=IBM,C=IN
objectclass=ibm-replicasubentry
objectclass=top
ibm-replicaserverid=7cf882c0-46f0-1033-8038-b508ef5ab1d7
ibm-replicationserverismaster=TRUE
cn=ldaphost2.in.ibm.com:389
cn=ldaphost1.in.ibm.com:389,cn=ldaphost2.in.ibm.com:389,ibmreplicaGroup=default,O=IBM,C=IN
ibm-replicamethod=1
ibm-replicaconsumerid=de8e2ec0-bfa2-1032-950c-8d69c0d06df0
ibm-replicationonhold=TRUE
ibm-replicacredentialsdn=cn=bindcreds,ibm-replicaGroup=default,O=IBM,C=IN
ibm-replicaurl=ldap://ldaphost1.in.ibm.com:389
objectclass=ibm-replicationagreement
objectclass=top
cn=ldaphost1.in.ibm.com:389
cn=ldaphost2.in.ibm.com:389,cn=ldaphost1.in.ibm.com:389,ibmreplicaGroup=default,O=IBM,C=IN
ibm-replicamethod=1
ibm-replicaconsumerid=7cf882c0-46f0-1033-8038-b508ef5ab1d7
ibm-replicationonhold=TRUE
ibm-replicacredentialsdn=cn=bindcreds,ibm-replicaGroup=default,O=IBM,C=IN
ibm-replicaurl=ldap://ldaphost2.in.ibm.com:389
objectclass=ibm-replicationagreement
objectclass=top
cn=ldaphost2.in.ibm.com:389
In addition, the following information has been added to server ldaphost2.in.ibm.com (Listing 10:
Information added to server ldaphost2):
o=ibm,c=in
objectclass=organization
objectclass=top
objectclass=ibm-replicationcontext
o=ibm
ibm-replicareferralurl=ldap://ldaphost1.in.ibm.com:389
ibm-replicaGroup=default,o=ibm,c=in
ibm-replicagroup=default
objectclass=ibm-replicagroup
objectclass=top
cn=ldaphost1.in.ibm.com:389,ibm-replicaGroup=default,o=ibm,c=in
objectclass=ibm-replicasubentry
objectclass=top
ibm-replicaserverid=de8e2ec0-bfa2-1032-950c-8d69c0d06df0
ibm-replicationserverismaster=TRUE
cn=ldaphost1.in.ibm.com:389
cn=ldaphost2.in.ibm.com:389,ibm-replicaGroup=default,O=IBM,C=IN
objectclass=ibm-replicasubentry
objectclass=top
ibm-replicaserverid=7cf882c0-46f0-1033-8038-b508ef5ab1d7
ibm-replicationserverismaster=TRUE
cn=ldaphost2.in.ibm.com:389
cn=ldaphost1.in.ibm.com:389,cn=ldaphost2.in.ibm.com:389,ibmreplicaGroup=default,O=IBM,C=IN
ibm-replicamethod=1
ibm-replicaconsumerid=de8e2ec0-bfa2-1032-950c-8d69c0d06df0
ibm-replicationonhold=TRUE
ibm-replicacredentialsdn=cn=bindcreds,ibm-replicaGroup=default,O=IBM,C=IN
ibm-replicaurl=ldap://ldaphost1.in.ibm.com:389
objectclass=ibm-replicationagreement
objectclass=top
cn=ldaphost1.in.ibm.com:389
cn=ldaphost2.in.ibm.com:389,cn=ldaphost1.in.ibm.com:389,ibm-replicaGroup=default
ibm-replicamethod=1
ibm-replicaconsumerid=7cf882c0-46f0-1033-8038-b508ef5ab1d7
ibm-replicationonhold=TRUE
ibm-replicacredentialsdn=cn=bindcreds,ibm-replicaGroup=default,O=IBM,C=IN
ibm-replicaurl=ldap://ldaphost2.in.ibm.com:389
objectclass=ibm-replicationagreement
objectclass=top
cn=ldaphost2.in.ibm.com:389
cn=bindcreds,ibm-replicaGroup=default,O=IBM,C=IN
replicacredentials=manager
description=Bind to replication server ldaphost2
objectclass=ibm-replicationcredentials
objectclass=ibm-replicationcredentialssimple
objectclass=top
replicabinddn=cn=manager
cn=bindcreds
Next, you are presented with a screen similar to that in Figure 26: Replication setup success
information.
For example,
idsldapsearch -h ldaphost1.in.ibm.com -p 389 -D cn=root -w root -s sub -b ""
objectclass=ibm-repl*
Note: You don't have to specify the port if it's 389, because 389 is the default port for LDAP. If the port
number is other than 389, then you must specify the port or else you'll receive an error message.
Use the following command to find out the replication-related entries within a subtree. For example, to
find out the replication-related entries under suffix "O=IBM,C=IN"
idsldapsearch -h ldaphost1.in.ibm.com -D cn=root -w root -s sub -b "O=IBM,C=IN"
objectclass=ibm-repl*
Note: For better performance, synchronize the directory servers that are taking part in the replication
cryptographically. See "Resources" for a link to Appendix J in the IBM Security Directory Server
Administration Guide.
6.6.2 Exporting data using salt and seed of the destination server
After you have obtained the seed and salt value of your destination serverin this case,
ldaphost2.in.ibm.comperform the following command to export the data from server
ldapohost1.in.ibm.com.
Syntax:
idsdb2ldif -I <instance_name> -k <seed_value> -t <salt_value> -o
<outfile.ldif>
For example, see Listing 11: Exporting data with seed and salt.
[root@ldaphost1 sbin]# pwd
/opt/ibm/ldap/V6.3.1/sbin
[root@ldaphost1 sbin]# ./idsdb2ldif -I dsrdbm01 -k abc0123456789 -t 'umU"mYJ4Oct0'
-o dsrdbm01_fullbackup.ldif
GLPCTL113I Largest core file size creation limit for the process (in bytes):
'0'(Soft limit) and '-1'(Hard limit).
GLPCTL119I Maximum Data Segment(Kbytes) soft ulimit for the process is -1 and the
prescribed minimum is 262144.
GLPCTL119I Maximum File Size(512 bytes block) soft ulimit for the process is -1 and
the prescribed minimum is 2097152.
GLPCTL122I Maximum Open Files soft ulimit for the process is 1024 and the
prescribed minimum is 500.
GLPCTL122I Maximum Stack Size(Kbytes) soft ulimit for the process is 10240 and the
prescribed minimum is 10240.
GLPCTL119I Maximum Virtual Memory(Kbytes) soft ulimit for the process is -1 and the
prescribed minimum is 1048576.
GLPSRV221I Replication of security attributes feature is disabled.
GLPSRV200I Initializing primary database and its connections.
GLPD2L011I 61 entries have been successfully exported from the directory.
Note: For security purposes, the encryption seed value is not stored anywhere in the server. While
creating the ISDS instance, be sure to make note of it so that you can remember it later.
Listing 13: Copy the exported LDIF file to the target server
On the destination server, ldaphost2.in.ibm.com, execute the command shown in Listing 14: Importing
data into the server to import the LDIF file.
[root@ldaphost2 sbin]# ./idsldif2db -I dsrdbm01 -i ~/dsrdbm01_fullbackup.ldif
GLPCTL113I Largest core file size creation limit for the process (in bytes):
'0'(Soft limit) and '-1'(Hard limit).
GLPCTL119I Maximum Data Segment(Kbytes) soft ulimit for the process is -1 and the
prescribed minimum is 262144.
GLPCTL119I Maximum File Size(512 bytes block) soft ulimit for the process is -1 and
the prescribed minimum is 2097152.
GLPCTL122I Maximum Open Files soft ulimit for the process is 1024 and the
prescribed minimum is 500.
GLPCTL122I Maximum Stack Size(Kbytes) soft ulimit for the process is 10240 and the
prescribed minimum is 10240.
GLPCTL119I Maximum Virtual Memory(Kbytes) soft ulimit for the process is -1 and the
prescribed minimum is 1048576.
GLPCOM022I The database plugin is successfully loaded from libback-config.so.
GLPSRV221I Replication of security attributes feature is disabled.
GLPSRV200I Initializing primary database and its connections.
GLPRPL137I Restricted Access to the replication topology is set to false.
GLPRDB052E Entry CN=IBMPOLICIES already exists.
GLPRDB052E Entry IBM-REPLICAGROUP=DEFAULT,CN=IBMPOLICIES already exists.
GLPRDB052E Entry globalGroupName=GlobalAdminGroup,cn=ibmpolicies already exists.
GLPRDB052E Entry cn=pwdpolicy,cn=ibmpolicies already exists.
GLPRDB052E Entry CN=REPLICATION,CN=IBMPOLICIES already exists.
GLPRDB052E Entry o=ibm,c=in already exists.
GLPRDB052E Entry ibm-replicaGroup=default,o=ibm,c=in already exists.
GLPRDB052E Entry cn=ldaphost1.in.ibm.com:389,ibm-replicaGroup=default,o=ibm,c=in
already exists.
GLPRDB052E Entry cn=bindcreds,ibm-replicaGroup=default,O=IBM,C=IN already exists.
GLPRDB052E Entry cn=ldaphost2.in.ibm.com:389,ibm-replicaGroup=default,O=IBM,C=IN
already exists.
GLPRDB052E Entry cn=ldaphost1.in.ibm.com:389,cn=ldaphost2.in.ibm.com:389,ibmreplicaGroup=default,O=IBM,C=IN already exists.
GLPRDB052E Entry cn=ldaphost2.in.ibm.com:389,cn=ldaphost1.in.ibm.com:389,ibmreplicaGroup=default,O=IBM,C=IN already exists.
GLPRDB002W ldif2db: 49 entries have been successfully added out of 61 attempted.
Note: The ISDS instance must be stopped before importing the LDIF file; otherwise it will not allow
you to import the data into it. Also, you can ignore the error message GLPRDB052E shown in Listing
14, as the entries were already present on the destination server, ldaphost2.in.ibm.com. The
idsldif2db utility will not change these entries; it will simply skip them.
At this point, both the source server (ldaphost1.in.ibm.com) and the destination server
(ldaphost2.in.ibm.com) are perfectly in sync. Now you can go ahead and resume the replication queue
to allow both the servers to replicate data to each other.
7 Heartbeat setup
Heartbeat is very flexible and powerful. In this article, I have touched on only the basic active/passive
mode with two servers, where the active server (ldaphost1.in.ibm.com) is providing the service and the
passive server (ldaphost2.in.ibm.com) is waiting to take over if necessary.
authkeys
ha.cf
haresources
The ha.cf and hareources files may be readable by everyone, but the authkeys file must not be.
The good news is that sample versions of these files may be found in the documentation directory. If
you installed Heartbeat using yum, then the following command will show you where they are on your
system:
rpm -q heartbeat -d
For example, see Listing 15: View Heartbeat's document.
[root@ldaphost1 ~]# rpm -q heartbeat -d
......
......
/usr/share/doc/heartbeat-3.0.4/authkeys
/usr/share/doc/heartbeat-3.0.4/ha.cf
/usr/share/doc/heartbeat-3.0.4/haresources
......
......
Three authentication methods are supported: CRC, MD5, and SHA1. CRC doesn't accept a key. You
normally have only one authentication method listed in a CRC file. It adds no security, except from
packet corruption, and should be used only on physically secure networks. Of the remaining two,
SHA1 is usually considered to be the best, followed by MD5.
Listing 16: The /etc/ha.d/authkeys file shows an example. Make the key long as it will improve
security and you will not have to type it again.
auth 1
1 sha a9e2189843e9c3fb7c5a1bf81587fc11
Since we have created all the three files (authkeys, ha.cf, and haresources) in ldaphost1.in.ibm.com, we
need to copy them over to ldaphost2.in.ibm.com. Execute the downloaded script to copy the three
configuration files. See Listing 21: ha_propagate
lo
If you see the above ifconfig output, a new Ethernet alias eth0:1 has been added with an IP address
of 192.168.56.252 as specified in the file /etc/ha.d/haresources.
If you see the above output, since Heartbeat is running on ldaphost1, it is shown as being "active."
Server ldaphost2 is shown as being "dead."
lo
Listing 27: ifconfig output from ldaphost2 after stopping heartbeat on ldaphost1
Check the log file /var/log/ha-log on server ldaphost2.in.ibm.com to see how the resources were
acquired. In this case, the IP alias eth0:1 will be destroyed on server ldaphost1.in.ibm.com and will be
created on the server ldaphost2.in.ibm.com.
Apr 20 13:02:18 ldaphost2.in.ibm.com heartbeat: [26755]: info: Received shutdown
notice from 'ldaphost1.in.ibm.com'.
Apr 20 13:02:18 ldaphost2.in.ibm.com heartbeat: [26755]: info: Resources being
acquired from ldaphost1.in.ibm.com.
........output omitted........
Apr 20 13:02:18 ldaphost2.in.ibm.com heartbeat: [27067]: info: local HA resource
acquisition completed (standby).
Apr 20 13:02:18 ldaphost2.in.ibm.com heartbeat: [26755]: info: Standby resource
acquisition done [foreign].
harc(default)[27093]:
2014/04/20_13:02:18 info: Running /etc/ha.d//rc.d/status
status
mach_down(default)[27110]:
2014/04/20_13:02:18 info: Taking over resource
group IPaddr::192.168.56.252/24/eth0:1/192.168.56.255
ResourceManager(default)[27137]:
2014/04/20_13:02:18 info: Acquiring
resource group: ldaphost1.in.ibm.com
IPaddr::192.168.56.252/24/eth0:1/192.168.56.255
/usr/lib/ocf/resource.d//heartbeat/IPaddr(IPaddr_192.168.56.252)[27165]:
2014/04/20_13:02:19 INFO: Resource is stopped
ResourceManager(default)[27137]:
2014/04/20_13:02:19 info: Running
/etc/ha.d/resource.d/IPaddr 192.168.56.252/24/eth0:1/192.168.56.255 start
IPaddr(IPaddr_192.168.56.252)[27293]:
2014/04/20_13:02:19 INFO: Adding inet
address 192.168.56.252/24 with broadcast address 192.168.56.255 to device eth0
(with label eth0:1)
IPaddr(IPaddr_192.168.56.252)[27293]:
2014/04/20_13:02:19 INFO: Bringing device
eth0 up
........output omitted........
Apr 20 13:02:19 ldaphost2.in.ibm.com heartbeat: [26755]: info: mach_down takeover
complete.
Apr 20 13:02:34 ldaphost2.in.ibm.com heartbeat: [26755]: WARN: node
ldaphost1.in.ibm.com: is dead
Apr 20 13:02:34 ldaphost2.in.ibm.com heartbeat: [26755]: info: Dead node
ldaphost1.in.ibm.com gave up resources.
Listing 28: log snippet from /var/log/ha-log on ldaphost2 after stopping heartbeat on ldaphost1
If you see output such as that in Listing 27, a new IP alias eth0:1 has been created and the same alias
has been destroyed on the server ldaphost1.in.ibm.com. Because of this floating IP address, your
services will never be down as long as one of the server nodes is running. Whenever the server
ldaphost1.in.ibm.com is up, resources from the secondary server ldaphost2.in.ibm.com will be acquired
again (i.e., IP alias eth0:1 will be destroyed on server ldaphost2.in.ibm.com and will be created on
primary server ldaphost1.in.ibm.com; the primary server will continue serving its clients).
Note: You need to remember that the ISDS client must be pointed to at its virtual IP address (i.e.,
192.168.56.252 here and not the physical IP address of the system), because this IP address will be
available at all times in case any of the physical servers goes down. Distributing the new IP address
(192.168.56.252) will not be a good idea, as it is very difficult to remember the IP addresses. Instead,
you should distribute a new hostname. At this point, however, you don't have a hostname for IP
address 192.168.56.252. Read on in the next section ("DNS hack") to solve this problem.
9 DNS hack
When you start Heartbeat, it creates a new IP alias with a new virtual IP address as specified in the
file /etc/ha.d/haresources. Refer to Listing 19: Sample haresources file.
Previously, we had two IP addresses: 192.168.56.20 with hostname ldaphost1.in.ibm.com and
192.168.56.21 with hostname ldaphost2.in.ibm.com. Now we have another IP address:
192.168.56.252, for which there is no DNS entry or any entry in file /etc/hosts (for Linux system).
You have two options:
You can tell your network administrator to add a new DNS entry for the new IP address (in this
case 192.168.56.252) with a new hostname, or
If the servers are serving a limited number of clients, then you can make use of the local hosts
file (/etc/hosts for Linux systems and %SystemRoot
%\System32\drivers\etc\hosts file for Windows systems) to resolve the IP addressto-hostname issue.
The first option is recommended for organizations having a large-scale deployment. However, for this
article, we are choosing the option 2 to simulate the behavior. See Listing 29: /etc/hosts file from server
ldaphost1 and ldaphost2
[root@ldaphost1 ~]# cat /etc/hosts
127.0.0.1
localhost localhost.localdomain localhost4
::1
localhost localhost.localdomain localhost6
192.168.56.20
ldaphost1.in.ibm.com ldaphost1
192.168.56.21
ldaphost2.in.ibm.com ldaphost2
192.168.56.252 ldapserver.in.ibm.com ldapserver
[root@ldaphost1 ~]# ssh ldaphost2 'cat /etc/hosts'
127.0.0.1
localhost localhost.localdomain localhost4
::1
localhost localhost.localdomain localhost6
192.168.56.21
ldaphost2.in.ibm.com ldaphost2
192.168.56.20
ldaphost1.in.ibm.com ldaphost1
192.168.56.252 ldapserver.in.ibm.com ldapserver
localhost4.localdomain4
localhost6.localdomain6
localhost4.localdomain4
localhost6.localdomain6
11 Resources
Learn
For assistance in installing IBM Security Directory Server, read the IBM Security Directory Server
Installation and Configuration Guide.
Visit the IBM Security Directory Server Version 6.3.1 information center,where you can find
information about installing, configuring, administering, and using the Directory Server.
Read "Setting up Tivoli Directory Server replication using the command line" for help with
configuring replication on an IBM Security Directory Server.
You can also download the source code for heartbeat at http://www.linux-ha.org/wiki/Downloads