Calendar Server 6.3 and Multiple Directory Servers

Hi,

> I'm working through Calendar Server 6.3 with

> Directory Server EE 6 (JCS 5) and it occurred to me

> that it would be a good thing to be able to point

> Calendar at multiple LDAP servers.

This is theoretically possible, although I haven't tried it myself. This document applied to 6.1 of calendar server but should also apply to 6.3 (although I'm not sure about the final point):

1. Configure the following in ics.conf where ldaphost1 and ldaphost2 are

the names of your failover ldap servers:

local.ugldapuselocal = "yes"

local.authldaphost = "ldaphost1 ldaphost2"

local.ugldaphost = "ldaphost1 ldaphost2"

local.ldapconnecttimeout = "30"

2. Because of the increased duration of the LDAP connection timeout, it is possible that you may need to increase the ics.conf start timeout parameters:

! Number of seconds to wait between checking for started,

! stopped, or ready calendar service

service.admin.sleeptime = "10"

!

! Number of seconds to wait for any calendar service to start

service.admin.starttime = "600"

3. You may have to use repeated attempts with start-cal to get ALL the services started.

4. start-cal may incorrectly report a "Failure to start" even though the processes are running. You have to manually check the process status using "ps -ef | grep icsuser" and/or do a "more cal/data/proc/*" to make sure the process is in the "ready" state. Because of the timeout impact, it may take longer than normal to achieve.

> I'm envisioning two DSEE 6 servers running the same

> version of DSEE, same platform, both with

> comm_dssetup.pl applied for schema 2.

>

> These servers would essentially be multimaster

> servers.

Yep, for 6.X you needed to point at a MMR configuration. So for DSEE 6 you get this by default due to the new architecture.

> I can't find anything in the calendar docs

> specifically about doing this, I can find info for

> Communications Express. but this isn't quite the same

> thing as far as I can tell.

Unfortunately not documented. Which is a shame really.

> Should I be using Directory Proxy Server or a

> hardware load balancer to do this instead - i.e.

> failover activity in front of the calendar server so

> to speak but not in the calendar server.

Using a DPS leaves you with the same issue, namely a single-point-of-failure. Try the steps above and see how it goes... if you could provide feedback that would be good for future reference.

Things you could test:

-> starting up the calendar server with the 'primary' host down.

-> using calendar server when the 'primary' host goes down.

-> shutting down calendar server with the 'primary' goes down.

-> having the primary go down, then see if the fail-over and eventually fail-back works.

-> try alternating between primary then secondary then primary going down.

Regards,

Shane.

shane_hjortha at 2007-7-11 22:49:12 >

I successfully did this today, need to do it again to confirm but here is what I did:

1. LDAP running on multi-master DSEE 6 nodes Marge and Homer for the suffixes o=comms-config, o=pab, o=PiServerDb, and my domain o=foobar.com,o=gov

2. I'm running JCS5 so I setup LDAP failover in all components around Communications Express:

Calendar ics.conf

local.authldaphost="marge homer:389"

local.ugldaphost="marge homer:389"

Restart Calendar services

Messaging Server

configutil -o local.ugldaphost -v "marge homer"

configutil -o local.service.pab.ldaphost -v "marge homer"

configutil -o local.ugldapuselocal -v "yes"

Stop and start Messaging Server services

Access Manager (we use SSO with Comm Express)

vi /etc/opt/SUNWam/config/serverconfig.xml

Add a line like this after 'Server1' line:

<Server name="Server2" host="homer" port="389" type="SIMPLE" />

Stop and start the web container

The AM docs mention this method. In the console there is a place to add additional LDAP servers for authentication:

http://server/amserver/console

Login as amadmin

Choose Configuration tab

Choose 'LDAP' under Authentication

Add my secondary server including port (homer:389)

Save

Doesn't seem to be necessary as I didn't do this in my test. Not sure what this is used for exactly in AM, need to research.

Communications Express

cd /var/opt/SUNWuwc/WEB-INF/config

vi uwcauth.properties and set the following:

ldapusersession.ldapport (should be LDAP port, 389 by default)

ldapusersession.ldaphost to marge.foobar.com,homer.foobar.com

Stop and start the web container

IM - not sure if this is supported or not

Delegated Administrator - not sure if this is supported or not

Logged into CE and then shutdown DSEE on Marge. There was a slight delay when I accessed my calendar but it worked.

Logged out of CE and logged back in with a different user account. Worked fine.

Stopped DSEE on Homer and was unable to login which is expected.

Restarted DSEE on Marge and was able to login and access mail and calendar in CE.

nate_keegana at 2007-7-11 22:49:12 >