Hi listers
version on the main server: openldap-2.2.17
on this site, we use openldap to manage the entire mail system. we do a backup of the directory each night at 1 o'clock. the ldap service is distributed on three servers, which are kept synced by the slurp daemon.
Before doing the backup, we restart the main openldap server with a configuration with "readonly on" set for the directory database: /etc/init.d/ldap.readonly restart
Then we do
/usr/local/openldap/sbin/slapcat -f /usr/local/openldap/etc/openldap/slapd.conf -l $HOME/backup/backup_file
After having done that, we restart the openldap server with a configuration with "readonly off" set for the directory database: /etc/init.d/ldap restart
This means: we are using the normal restart procedure from the /etc/init.d directory, because the openldap server may not have (?) a reload feature via the SIGHUP signal to make it reread the config-file.
Every now and then, we get a message from the postfix server, that the ldap server has not been accessible, when it tried to retrieve mail-parameters in the time between 1.00 and 1.09 in the night ("temporary lookup failure"), which means that the openldap server during this time cannot be accessed. This seems a very long time (9 minutes).
my questions:
can i set and clear the readonly flag for the directory using a direct command to the server, in order not to have to restart the server twice?
can i omit to set the readonly flag altogether before doing the slapcat?
is there another method to restart the openldap server much faster than via this method? e.g. can i send the openldap server a SIGHUP flag directly and not go through the /etc/init.d/ldap restart procedure?
any reply will be appreciated, thanks in advance.
suomi
On 7/24/07, openldap openldap@ayni.com wrote:
> Hi listers
> version on the main server: openldap-2.2.17
Upgrade to 2.3.x.
> on this site, we use openldap to manage the entire mail system. we do a backup of the directory each night at 1 o'clock. the ldap service is distributed on three servers, which are kept synced by the slurp daemon.
If you upgrade to 2.3.x, you should switch to syncrepl.
> Before doing the backup, we restart the main openldap server with a configuration with "readonly on" set for the directory database:
Why? E.g., if you are using ldbm, switch to bdb. Or, do you require a point-in-time backup?
> /etc/init.d/ldap.readonly restart
> Then we do
> /usr/local/openldap/sbin/slapcat -f /usr/local/openldap/etc/openldap/slapd.conf -l $HOME/backup/backup_file
> After having done that, we restart the openldap server with a configuration with "readonly off" set for the directory database: /etc/init.d/ldap restart
> This means: we are using the normal restart procedure from the /etc/init.d directory, because the openldap server may not have (?) a reload feature via the SIGHUP signal to make it reread the config-file.
In 2.3.x, you can do some configuration changes over the wire (in 2.4, you can/will be able to do all configuration changes over the wire).
> Every now and then, we get a message from the postfix server, that the ldap server has not been accessible, when it tried to retrieve mail-parameters in the time between 1.00 and 1.09 in the night ("temporary lookup failure"), which means that the openldap server during this time cannot be accessed. This seems a very long time (9 minutes).
Well, if you have 2 slaves, why are you worried about this?
> my questions:
> can i set and clear the readonly flag for the directory using a direct command to the server, in order not to have to restart the server twice?
Not on 2.2.x.
> can i omit to set the readonly flag altogether before doing the slapcat?
If you are using bdb, yes (but, you should upgrade, there were some bugs that might hit you - especially if you run the slapcat as root).
> is there another method to restart the openldap server much faster than via this method? e.g. can i send the openldap server a SIGHUP flag directly and not go through the /etc/init.d/ldap restart procedure?
Not on 2.2.x. But, I am quite sure startup isn't taking 9 minutes (or even 4.5 minutes each time), so it might be that your LDAP server isn't responding due to excessive disk IO during your slapcat.
You should consult your monitoring system to see what the load averages are like, how much IO you're doing at the time, or test this on a development system.
If it is in fact the disk IO, then most likely you need more database cache (if you are using bdb, which you should).
Regards, Buchan
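The "configuration changes over the wire" mentioned in the reply above, as an added example that is not part of the thread: when slapd 2.3.x or later runs from cn=config, the read-only flag is the olcReadOnly attribute of the database entry, so a backup job can set and clear it with ldapmodify instead of restarting the server twice. The database DN, bind DN, password file, suffix and function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes slapd 2.3.x+ running from cn=config.
# All values below are assumptions; adjust to the local installation.
CONFIG_DB_DN='olcDatabase={1}bdb,cn=config'  # assumed entry of the mail database
BIND_DN='cn=config'                           # assumed config administrator
PW_FILE="$HOME/.ldap_config_pw"               # assumed file holding its password
SUFFIX='dc=example,dc=com'                    # constructed sample suffix
BACKUP_FILE="$HOME/backup/backup_file"        # path used in the thread

# Print the LDIF that switches the database read-only flag on or off.
readonly_ldif() {
    case "$1" in
        on)  value=TRUE ;;
        off) value=FALSE ;;
        *)   echo "usage: readonly_ldif on|off" >&2; return 2 ;;
    esac
    printf 'dn: %s\nchangetype: modify\nreplace: olcReadOnly\nolcReadOnly: %s\n' \
        "$CONFIG_DB_DN" "$value"
}

# Apply the change to the running server; no restart involved.
set_readonly() {
    readonly_ldif "$1" |
        ldapmodify -x -H ldap://localhost -D "$BIND_DN" -y "$PW_FILE"
}

backup() {
    # The reply warns about running slapcat as root: run as the slapd user.
    if [ "$(id -u)" -eq 0 ]; then
        echo "refusing to run slapcat as root" >&2
        return 1
    fi
    umask 077                       # the dump may contain password hashes
    set_readonly on || return 1
    slapcat -b "$SUFFIX" -l "$BACKUP_FILE.tmp"
    rc=$?
    set_readonly off || rc=1        # always clear the flag, even on failure
    if [ "$rc" -eq 0 ]; then
        mv "$BACKUP_FILE.tmp" "$BACKUP_FILE"
    fi
    return "$rc"
}

# Run only when asked to, e.g. from cron: sh ldap_backup.sh backup
if [ "${1:-}" = "backup" ]; then
    backup
fi
```

Writing to a temporary file and renaming it only on success keeps the previous night's backup intact if slapcat fails part-way.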
Hi Buchan, thanks very much for your immediate and helpful reply. one of the backup servers is on openldap-2.3.34-0.fc7. so, from now on, i will use this one as primary server and follow your advice further on.
again many thanks.
suomi