
Open Directory Master & Replica

2097 Views 14 Replies Latest reply: Oct 31, 2013 4:34 AM by Relliott930
dvassallo Level 1 (0 points)
Apr 4, 2012 7:27 PM

1) In an environment that contains two directory servers (one master, one replica), how does a client find the replica in the event that the master goes offline?

2) Is there any command to issue from the client side that will return all available directory servers in the domain?

  • Jonathan Melville Level 2 (450 points)
    Apr 5, 2012 7:19 AM (in response to dvassallo)

    I'll tell you exactly what an Apple engineer told me a few months ago.

     

    If you have an Open Directory Master on your network and replicas also, you should bind your clients to the master. I've seen other people talk about the "fail up" nature of Open Directory, meaning you should bind clients to replicas and if the replica fails, the client will automatically look upstream to another replica or to the master. Again, this is not how it was explained to me by Apple and I've never found authoritative documentation that states with certainty that OD fails up from replica to master.

     

    Somebody please jump in and correct me if I'm wrong.

     

    The way I understand it to work is when you bind your clients to the master, they will also receive the 'replication tree' containing the addresses of replicas on the network. If the master fails, the clients will start looking to the replicas.

    Is there any command to issue from the client side that will return all available directory servers in the domain?

     

    Run this from your master to view the replicas: sudo slapconfig -getmasterconfig

  • John.Kitzmiller Level 3 (870 points)
    Apr 5, 2012 8:14 AM (in response to Jonathan Melville)

    This conflicts with everything I've ever learned. Client machines should always be bound to the closest replica, and will indeed fail up to the master should the replica become unavailable. It does not work the other way around.

     

    I think you may have gotten some misinformation from Apple, or there was a miscommunication somewhere along the line.

  • Jonathan Melville Level 2 (450 points)
    Apr 5, 2012 8:29 AM (in response to John.Kitzmiller)

    Edit: This is from Apple documentation that dates back to 10.5, but still...

     

    If an Open Directory master or its replicas become unavailable, its client computers with version 10.3–10.5 of Mac OS X or Mac OS X Server automatically find an available replica and connect to it.

     

    This seems to support what I was told by Apple.

     

     

    ------------------------------------------


    Hey John, I knew somebody would chime in!

     

    Agreed, the 'fail up' model is what I've always heard. I told the tech I had always heard you should bind to the replica (just for clarification) but was told I should be binding to the master.

     

    Anyway, thanks for responding. Do you have some documentation that clearly states how the fail-up process works?

     

    Message was edited by: Jonathan Melville

  • Jonathan Melville Level 2 (450 points)
    Apr 5, 2012 8:40 AM (in response to dvassallo)

    Please report back when you do.

     

    Keep this in mind: When you go to System Preferences > Users and Groups > Login Options and see the address of your directory server, this address will not change after a failover (I'm pretty sure that's correct).

     

    So right now I'm bound to our company's master and it shows odmaster.mynetwork.net. If your replica is called odreplica.mynetwork.net, this address won't change in system preferences, it will still show the address of the master but it will be looking to the replica.

     

    An easy way to test OD authentication: in Terminal, type dscl /LDAPv3/hostname.domain.com -authonly username

     

    Replace with your domain and an actual username. It will prompt you for the user's password. If you don't get an error from this, OD authentication is working properly.
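A scripted version of the two client-side checks this thread describes (listing the LDAPv3 nodes in the client's search path with dscl, then running the auth-only bind against each of them), added here as an example; it is not code from the thread or from Apple. It assumes macOS with dscl on the PATH, uses the odmaster/odreplica.mynetwork.net hostnames from the thread only as constructed sample output for the parser, and passes the password as an extra argument, which dscl's -authonly accepts in place of the interactive prompt.

```shell
#!/bin/sh
# Added example (not from the thread): enumerate the LDAPv3 directory nodes a
# client has in its search path and run an auth-only bind against each one.
# Assumes macOS with dscl; hostnames below are constructed sample values.

# Constructed sample of `dscl /Search -read / CSPSearchPath` output.
# dscl prints the values either on one line or one per indented line;
# the parser below handles both forms.
SAMPLE_ONE_LINE='CSPSearchPath: /Local/Default /LDAPv3/odmaster.mynetwork.net'
SAMPLE_MULTI_LINE='CSPSearchPath:
 /Local/Default
 /LDAPv3/odmaster.mynetwork.net
 /LDAPv3/odreplica.mynetwork.net'

# Read CSPSearchPath output on stdin and print one /LDAPv3/... node per line.
# Spaces and tabs become line breaks so both dscl output styles split the same.
ldap_nodes_from_searchpath() {
  tr -s ' \t' '\n\n' | grep '^/LDAPv3/' || true
}

# Auth-only bind of user $2 (password $3) against node $1; returns 0 on success.
# Passing the password as an argument is what dscl accepts; on a shared
# machine omit it so dscl prompts instead and the password stays out of `ps`.
authonly_node() {
  dscl "$1" -authonly "$2" "$3" >/dev/null 2>&1
}

# Walk the client's live search path and report which nodes still answer.
# As noted in the thread, the node name shown here is the one the client was
# bound to and does not change after a failover, so this only tells you whether
# that node currently authenticates; to see the replica list itself, run
# `sudo slapconfig -getmasterconfig` on the master.
check_directory_nodes() {
  dscl /Search -read / CSPSearchPath | ldap_nodes_from_searchpath |
  while read -r node; do
    if authonly_node "$node" "$1" "$2"; then
      echo "$node: authentication OK"
    else
      echo "$node: authentication FAILED or node unreachable"
    fi
  done
}

# Usage: ./odcheck.sh username password
# (top-level run is skipped when arguments are missing or dscl is absent)
if [ "$#" -eq 2 ] && command -v dscl >/dev/null 2>&1; then
  check_directory_nodes "$1" "$2"
fi
```

To test a specific server directly rather than whatever the client is currently bound to, call authonly_node with an explicit node, for example `authonly_node /LDAPv3/odreplica.mynetwork.net username password`; a success there while the master is down is the behaviour the thread is trying to confirm.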

  • John.Kitzmiller Level 3 (870 points)
    Apr 5, 2012 11:19 AM (in response to Jonathan Melville)

    Your quote doesn't really support binding to the OD master any more than it supports binding to the replica.

     

    This document has a lot of great info: http://manuals.info.apple.com/en_US/OpenDirAdmin_v10.6.pdf

     

    Granted, it's for 10.6 but the majority of it is still relevant in 10.7.

     

    When you start to look at the cascading OD setups described in there, it becomes clear why binding to a replica is a best practice, especially in larger environments.

  • Jonathan Melville Level 2 (450 points)
    Apr 5, 2012 12:01 PM (in response to John.Kitzmiller)

    Your quote doesn't really support binding to the OD master any more than it supports binding to the replica.

     

    I agree with you, it doesn't support one more than the other. But it also doesn't support the idea that binding to the master is "improper" because it has nowhere to "fail up" to if the master fails, which is the argument I hear most.

     

    I agree with your point about cascading OD setups in large environments. Thousands of clients authenticating to a single master seems like trouble. It even made a point in the manual you linked to about having a replica on every floor of a building to authenticate users. So your point there is well taken.

     

    But again, I've never seen anything that suggests Open Directory "fails up" to the master.

    "If the Open Directory master fails, computers connected to it switch to a nearby replica. This automatic failover behavior is a feature of Mac OS X and Mac OS X Server v10.4 and 10.5 or later."


    (Note this doesn't describe failing-up to the master, but failing over to a replica)


    Also...


    "If an Open Directory master or its replicas become unavailable, client computers find an available replica and connect to it."

     

    To me, this implies you bind to either the Master or a Replica, but binding to the Master isn't 'improper'; it will still fail over to a replica.

  • techgal
    Aug 10, 2012 9:23 PM (in response to dvassallo)

    Just to clarify... does it also work if one is bound to the replica?

    Thanks

  • techgal Level 1 (5 points)
    Aug 11, 2012 8:32 AM (in response to dvassallo)

    That would be great. Also, do you know much about replicating servers and configuring use by them in distributed environments? I.e., file sharing, home directories?

    Thanks again.

  • techgal Level 1 (5 points)
    Aug 12, 2012 4:31 PM (in response to dvassallo)

    I guess though that if the home directory was on the replica, as in a mobile account with syncing or a network account where login depends on successful communication with the replica, it would not work.

  • Relliott930
    Oct 31, 2013 4:34 AM (in response to techgal)

    Hi all, I have just found this thread. I am having serious problems and am at the end of my tether! I cannot believe Apple can get away with releasing such poor, bug-filled software and passing it off as a network operating system, but that is a rant for another day.

     

    My issue is: I have two servers, both 10.7.5, one master and one replica. I had multiple issues getting the replication to work (_LDAP_REPLICATOR binding errors) but for some reason, after leaving it overnight, this has started working now.

     

    The failover to the replica is not working correctly. I have some 10.8.x clients bound to the master. When the master goes down, these clients find the replica with no issues. If the master is down for an extended amount of time, however, these start failing logon too; there is no red dot, they just hang. I have a couple hundred 10.7.5 clients. These will NOT find the replica if the master goes down. DNS is working with no issues. I then tried binding a 10.7.5 client to the replica instead. I then killed the master's connection and, after a short delay, this seemed to work! Great, I thought. I logged in and out a few times, everything was fine. Rebooted the Mac.... "network accounts are not available..". From this moment on, the client would no longer find the master. If I manually bind to the master, no problems. What is going on??

     

    Also, every bit of documentation I can find (what little there is) states that a replica is a read-only copy of the master. In the latest iteration, you are also supposed to be able to change limited things on the replica, such as passwords. Why is it, then, that I can modify passwords, modify MCX, create users etc. and these changes are immediately passed to the master? How can this be read only?! It is definitely a replica, as viewed in Server Admin.

     

    Can anyone shed some light?
