Configuring the entry-balancing PingDirectoryProxy server

After the PingDirectoryProxy server has been installed, it can be configured automatically using the create-initial-proxy-config tool.

About this task

This tool can be used only once, for the initial configuration. After that, use dsconfig to make any changes to the PingDirectoryProxy server configuration.

Steps
- Run the create-initial-proxy-config tool.
  Example:
    root@austin-proxy1: ./bin/create-initial-proxy-config
- If the topology meets the requirements, press Enter to continue.
  Example:
    Some assumptions are made about the topology to keep this tool simple:
      1) all servers will be accessible via a single user account
      2) all servers support the same communication security type
      3) all servers are PingDirectoryProxy Servers
    If your topology does not have these characteristics you can use this tool to define a basic configuration and then use the 'dsconfig' tool or the Administrative Console to fine tune the configuration.
    Would you like to continue? (yes / no) [yes]:
- Provide the external server access credentials. All of the proxies have identical proxy user accounts and passwords.
  Example:
    Enter the DN of the proxy user account [cn=Proxy User,cn=Root DNs,cn=config]:
    Enter the password for 'cn=Proxy User,cn=Root DNs,cn=config':
    Confirm the password for 'cn=Proxy User,cn=Root DNs,cn=config':
- Specify the type of security that the PingDirectoryProxy server will use to communicate with the PingDirectory servers.
- Enter a base distinguished name (DN) of the PingDirectory server instances that will be accessed by the PingDirectoryProxy server.
- Define the balancing point as a separate base DN, which is entry balanced.
  Example:
    Enter another base DN of the directory server instances that will be accessed through the Directory Proxy Server:
      1) Remove dc=example,dc=com
      b) back
      q) quit
    Enter a DN or choose a menu item [Press ENTER when finished entering base DNs]: ou=people,dc=example,dc=com
    Are entries within 'ou=people,dc=example,dc=com' split across multiple servers so that each server stores only a subset of the entries (i.e. is this base DN 'entry balanced')? (yes / no) [no]: yes
- Because the data in ou=people,dc=example,dc=com will be split across two backend sets, enter 2 to specify that the data will be balanced across two sets of servers.
  Example:
    Across how many sets of servers is the data balanced?
      c) cancel creating ou=people,dc=example,dc=com
      q) quit
    Enter a number greater than one or choose a menu item: 2
- Because the balancing point is the same as the base DN, ou=people,dc=example,dc=com, use it as the entry balancing base.
  Example:
    >>>> Entry Balancing Base
    The entry balancing base DN specifies the entry below which the data is balanced. Entries not below this entry must be duplicated in all the server sets. If all the entries in the base DN are distributed the entry balancing base DN is the same as the base DN.
      c) cancel creating ou=people,dc=example,dc=com
      b) back
      q) quit
    Enter the entry balancing base DN or choose a menu item [ou=people,dc=example,dc=com]: ou=people,dc=example,dc=com
- To improve the performance of equality search filters that reference the uid attribute, create a uid global index. Enter yes to add a new attribute to the global index.
- Specify the uid attribute.
  Example:
    Enter attributes that you would like to add to the global index:
      c) cancel creating ou=people,dc=example,dc=com
      b) back
      q) quit
    Enter an attribute name or choose a menu item [Press ENTER when finished entering index attributes]: uid
- To optimize PingDirectoryProxy server performance from the moment it starts accepting connections, enter the number corresponding to Yes, and all subsequent attributes.
- Press Enter to finish specifying index attributes.
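The global index steps above matter at search time: with the index primed, an equality search such as (uid=carol) under the entry-balancing base can be sent to the one server set that holds the entry, whereas an unindexed attribute, or a value the index does not know, has to be fanned out to every set and the results merged. The following Python model, added here and not code from the PingDirectory product or its documentation, shows that routing decision for the page's two-set topology. It assumes a global index behaves like a map from indexed value to server set and that a miss falls back to all sets; the sample entries, the GlobalIndex class and route_equality_search are constructed for the illustration.

```python
"""Model of how an entry-balancing proxy routes an equality search.

Added example for this page; it is not code from the PingDirectory
product or its documentation. It assumes the page's topology (two server
sets under ou=people,dc=example,dc=com with a global index on uid) and
models the global attribute index as a plain dict from indexed value to
server set. The sample entries below are constructed.
"""
from dataclasses import dataclass, field

# Constructed sample data: which entries live in which server set.
SAMPLE_SETS = {
    1: [{"uid": "alice", "cn": "Alice"}, {"uid": "bob", "cn": "Bob"}],
    2: [{"uid": "carol", "cn": "Carol"}, {"uid": "dave", "cn": "Dave"}],
}


@dataclass
class GlobalIndex:
    """Global attribute index: indexed value -> number of the set holding it."""
    attribute: str
    unique: bool = True  # 'unique' as in the summary line 'uid (primed,unique)'
    entries: dict = field(default_factory=dict)

    def prime(self, backend_sets):
        """Populate the index from every set, as priming does before the
        proxy accepts connections. A 'unique' attribute value seen in two
        sets is a data-placement error, so it is reported, not overwritten."""
        for set_no, entries in backend_sets.items():
            for entry in entries:
                value = entry.get(self.attribute)
                if value is None:
                    continue
                key = value.lower()  # uid equality matching is case-insensitive
                owner = self.entries.get(key)
                if self.unique and owner is not None and owner != set_no:
                    raise ValueError(
                        f"{self.attribute}={value} found in set {owner} and set {set_no}")
                self.entries[key] = set_no
        return self


def route_equality_search(attr, value, backend_sets, index=None):
    """Return the server sets an equality search under the entry-balancing
    base must be forwarded to. On a primed-index hit the proxy talks to one
    set; otherwise it fans the search out to every set and merges results."""
    if index is not None and index.attribute == attr:
        owner = index.entries.get(value.lower())
        if owner is not None:
            return [owner]
    return sorted(backend_sets)


def build_sample_index():
    """Prime a uid index from the constructed sample sets."""
    return GlobalIndex("uid").prime(SAMPLE_SETS)


if __name__ == "__main__":
    idx = build_sample_index()
    for attr, val in [("uid", "carol"), ("uid", "zed"), ("cn", "Carol")]:
        print(f"{attr}={val}: with index -> "
              f"{route_equality_search(attr, val, SAMPLE_SETS, idx)}, "
              f"without -> {route_equality_search(attr, val, SAMPLE_SETS)}")
```

Running the block shows uid=carol going to set 2 only when the index is primed, while uid=zed (unknown value) and cn=Carol (unindexed attribute) are sent to both sets in either case; this is also why priming before the proxy accepts connections avoids a burst of fan-out searches at startup.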
- Press Enter to enable relative distinguished name (RDN) index priming.
  Example:
    Would you like to enable RDN index priming for 'ou=people,dc=example,dc=com'? (yes / no) [yes]:
- Press Enter to finish specifying base DNs.
  Example:
    Enter another base DN of the directory server instances that will be accessed through the Directory Proxy Server:
      1) Remove dc=example,dc=com
      2) Remove ou=people,dc=example,dc=com (distributed)
      b) back
      q) quit
    Enter a DN or choose a menu item [Press ENTER when finished entering base DNs]:
- The external servers are spread across two locations, New York and Austin. Define austin as the location of this PingDirectoryProxy server instance.
  Example:
    A good rule of thumb when naming locations is to use the name of your data centers or the cities containing them.
      b) back
      q) quit
    Enter a location name or choose a menu item: austin
      1) Remove austin
      b) back
      q) quit
- Define the newyork location.
  Example:
    Enter another location name or choose a menu item [Press ENTER when finished entering locations]: newyork
      1) Remove austin
      2) Remove newyork
      b) back
      q) quit
    Enter another location name or choose a menu item [Press ENTER when finished entering locations]:
- Select the austin location for this PingDirectoryProxy server instance.
  Example:
    Choose the location for this Directory Proxy Server
      1) austin
      2) newyork
      b) back
      q) quit
    Enter choice [1]:
- Specify the LDAP external server instances associated with this location.
  Example:
    Enter the host and port (host:port) of the first directory server in 'austin'
      b) back
      q) quit
    Enter a host:port or choose a menu item [localhost:389]: austin-set1.example.com:389
- Specify that the austin-set1 server can handle requests from the global domain and from the set 1 restricted domain.
  Example:
    Assign server austin-set1.example.com:389 to handle requests for one or more of the defined sets of data:
      1) dc=example,dc=com
      2) ou=people,dc=example,dc=com; Server Set 1
      3) ou=people,dc=example,dc=com; Server Set 2
    Enter one or more choices separated by commas: 1,2
- Enter the number corresponding to Yes, and all subsequent servers to prepare the server for access by the Directory Proxy Server.
  Example:
    Would you like to prepare austin-set1.example.com:389 for access by the Directory Proxy Server?
      1) Yes
      2) No
      3) Yes, and all subsequent servers
      4) No, and all subsequent servers
    Enter choice [3]:
- Select the entry-balanced data set in which the austin-set1 server replicates with other servers.
  Example:
    You may choose a single entry-balanced data set with which austin-set1.example.com:389 will replicate data with other servers
      1) ou=people,dc=example,dc=com; Server Set 1
      2) None, data will not be replicated
    Enter choice: 1
    Testing connection to austin-set1.example.com:389 ..... Done
    Testing 'cn=Proxy User,cn=Root DNs,cn=config' access ....Denied
- Modify the root user for use by the PingDirectoryProxy server, specifying the directory manager password for the initial creation of the proxy user.
  Example:
    Would you like to create or modify root user 'cn=Proxy User,cn=Root DNs,cn=config' so that it is available for this Directory Proxy Server? (yes / no) [yes]:
    Enter the DN of an account on austin-set1.example.com:389 with which to create or manage the 'cn=Proxy User,cn=Root DNs,cn=config' account and configuration [cn=Directory Manager]:
    Enter the password for 'cn=Directory Manager':
    Created 'cn=Proxy User,cn=Root DNs,cn=config'
    Testing 'cn=Proxy User,cn=Root DNs,cn=config' privileges...Done
    Setting replication set name .....
- Because the replication set name has already been configured, you do not need to use the name created automatically by the PingDirectoryProxy server.
  Example:
    This server is currently configured for replication set 'dataset1'. Would you like to reconfigure this server for replication set 'set-1'? (yes / no) [no]:
    Setting replication set name ..... Done
    Verifying backend 'dc=example,dc=com' ..... Done
    Verifying backend 'ou=people,dc=example,dc=com' ..... Done
    Testing 'cn=Proxy User' privileges ..... Done
    Verifying backend 'dc=example,dc=com' ..... Done
- Define the other Austin and New York servers using the same procedure in steps 17-24.
  Example:
    Enter another server in 'austin'
      1) Remove austin-set1.example.com:389
      b) back
      q) quit
    Enter a host:port or choose a menu item [Press ENTER when finished entering servers]: austin-set2.example.com:389
    Assign server austin-set2.example.com:389 to handle requests for one or more of the defined sets of data
      1) dc=example,dc=com
      2) ou=people,dc=example,dc=com; Server Set 1
      3) ou=people,dc=example,dc=com; Server Set 2
    Enter one or more choices separated by commas: 1,3
    You may choose a single entry-balanced data set with which austin-set2.example.com:389 will replicate data with other servers
      1) ou=people,dc=example,dc=com; Server Set 2
      2) None, data will not be replicated
    Enter choice: 1
    Testing connection to austin-set2.example.com:389 ....Done
    Testing 'cn=Proxy User,cn=Root DNs,cn=config' access ... Denied
    Would you like to create or modify root user 'cn=Proxy User,cn=Root DNs,cn=config' so that it is available for this Directory Proxy Server? (yes / no) [yes]:
    Would you like to use the previously entered manager credentials to access all prepared servers? (yes / no) [yes]:
    Created 'cn=Proxy User,cn=Root DNs,cn=config'
    Testing 'cn=Proxy User,cn=Root DNs,cn=config' privileges...Done
    Setting replication set name .....
    This server is currently configured for replication set 'dataset2'. Would you like to reconfigure this server for replication set 'set-2'? (yes / no) [no]:
    Setting replication set name ..... Done
    Verifying backend 'dc=example,dc=com' ..... Done
    Verifying backend 'ou=people,dc=example,dc=com' ..... Done
    Enter another server in 'austin'
      1) Remove austin-set1.example.com:389
      2) Remove austin-set2.example.com:389
      b) back
      q) quit
    Enter a host:port or choose a menu item [Press ENTER when finished entering servers]:

    >>>> Location 'newyork' Details

    >>>> External Servers
    External Servers identify directory server instances including host, port, and authentication information.
    Enter the host and port (host:port) of the first directory server in 'newyork':
      b) back
      q) quit
    Enter a host:port or choose a menu item [localhost:389]: newyork-set1.example.com:389
    Assign server newyork-set1.example.com:389 to handle requests for one or more of the defined sets of data
      1) dc=example,dc=com
      2) ou=people,dc=example,dc=com; Server Set 1
      3) ou=people,dc=example,dc=com; Server Set 2
    Enter one or more choices separated by commas: 1,2
    You may choose a single entry-balanced data set with which newyork-set1.example.com:389 will replicate data with other servers
      1) ou=people,dc=example,dc=com; Server Set 1
      2) None, data will not be replicated
    Enter choice: 1
    Testing connection to newyork-set1.example.com:389 ....Done
    Testing 'cn=Proxy User,cn=Root DNs,cn=config' access ... Denied
    Would you like to create or modify root user 'cn=Proxy User,cn=Root DNs,cn=config' so that it is available for this Directory Proxy Server? (yes / no) [yes]:
    Created 'cn=Proxy User,cn=Root DNs,cn=config'
    Testing 'cn=Proxy User,cn=Root DNs,cn=config' privileges...Done
    Setting replication set name .....
    This server is currently configured for replication set 'dataset1'. Would you like to reconfigure this server for replication set 'set-1'? (yes / no) [no]:
    Setting replication set name ..... Done
    Verifying backend 'dc=example,dc=com' ..... Done
    Verifying backend 'ou=people,dc=example,dc=com' ..... Done
    Enter another server in 'newyork'
      1) Remove newyork-set1.example.com:389
      b) back
      q) quit
    Enter a host:port or choose a menu item [Press ENTER when finished entering servers]: newyork-set2.example.com:389
    Assign server newyork-set2.example.com:389 to handle requests for one or more of the defined sets of data:
      1) dc=example,dc=com
      2) ou=people,dc=example,dc=com; Server Set 1
      3) ou=people,dc=example,dc=com; Server Set 2
    Enter one or more choices separated by commas: 1,3
    You may choose a single entry-balanced data set with which newyork-set2.example.com:389 will replicate data with other servers
      1) ou=people,dc=example,dc=com; Server Set 2
      2) None, data will not be replicated
    Enter choice: 1
    Testing connection to newyork-set2.example.com:389 ..... Done
    Testing 'cn=Proxy User,cn=Root DNs,cn=config' access.... Denied
    Would you like to create or modify root user 'cn=Proxy User,cn=Root DNs,cn=config' so that it is available for this Directory Proxy Server? (yes / no) [yes]:
    Created 'cn=Proxy User,cn=Root DNs,cn=config'
    Testing 'cn=Proxy User,cn=Root DNs,cn=config' privileges...Done
    Setting replication set name .....
    This server is currently configured for replication set 'dataset2'. Would you like to reconfigure this server for replication set 'set-2'? (yes / no) [no]:
    Setting replication set name ..... Done
    Verifying backend 'dc=example,dc=com' ..... Done
    Verifying backend 'ou=people,dc=example,dc=com' ..... Done
    Enter another server in 'newyork'
      1) Remove newyork-set1.example.com:389
      2) Remove newyork-set2.example.com:389
      b) back
      q) quit
    Enter a host:port or choose a menu item [Press ENTER when finished entering servers]:

    >>>> Configuration Summary
    External Server Security: None
    Proxy User DN: cn=Proxy User,cn=Root DNs,cn=config
    Location austin
      Failover Order: newyork
      Servers: austin-set1.example.com:389, austin-set2.example.com:389
    Location newyork
      Failover Order: austin
      Servers: newyork-set1.example.com:389, newyork-set2.example.com:389
    Base DN: dc=example,dc=com
      Servers: austin-set1.example.com:389, austin-set2.example.com:389, newyork-set1.example.com:389, newyork-set2.example.com:389
    Base DN: ou=people,dc=example,dc=com
      Entry Balancing Base: ou=people,dc=example,dc=com
      Server Set 1: austin-set1.example.com:389, newyork-set1.example.com:389
      Server Set 2: austin-set2.example.com:389, newyork-set2.example.com:389
      Index Attributes: uid (primed,unique)
      Prime RDN Index: Yes
    NOTE: The Directory Proxy Server must be restarted after this tool has completed to have index priming take place
      b) back
      q) quit
      w) write configuration
    Enter choice [w]

    >>>> Write Configuration
    The configuration will be written to a 'dsconfig' batch file that can be used to configure other Directory Proxy Servers.
    Writing Directory Proxy Server configuration to /proxy/dps-cfg.txt.....Done
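The configuration summary is the last chance to catch two things the tool will happily write out: "External Server Security: None", which means the proxy binds to every backend as cn=Proxy User over plain LDAP, so that account's password and all forwarded requests cross the network in cleartext; and a server set that has no member in one of the locations, which leaves that set without a local server to fail over to. The Python script below is an added example, not code from the PingDirectory tooling. It parses a summary constructed from the one above (the line layout is an assumption recreated from this page, not a guaranteed match to the tool's exact output, so adapt parse_summary if yours differs) and reports findings for the security setting, for set-to-location coverage, for a server placed in two sets, and for a failover target that names an undefined location.

```python
"""Sanity checks over a create-initial-proxy-config configuration summary.

Added example, not code from PingDirectory. SAMPLE_SUMMARY is constructed
from the summary on this page; its line layout is an assumption, so adapt
parse_summary if the tool's output differs from it.
"""
import re

SAMPLE_SUMMARY = """\
External Server Security: None
Proxy User DN: cn=Proxy User,cn=Root DNs,cn=config
Location austin
  Failover Order: newyork
  Servers: austin-set1.example.com:389, austin-set2.example.com:389
Location newyork
  Failover Order: austin
  Servers: newyork-set1.example.com:389, newyork-set2.example.com:389
Base DN: dc=example,dc=com
  Servers: austin-set1.example.com:389, austin-set2.example.com:389, newyork-set1.example.com:389, newyork-set2.example.com:389
Base DN: ou=people,dc=example,dc=com
  Entry Balancing Base: ou=people,dc=example,dc=com
  Server Set 1: austin-set1.example.com:389, newyork-set1.example.com:389
  Server Set 2: austin-set2.example.com:389, newyork-set2.example.com:389
  Index Attributes: uid (primed,unique)
  Prime RDN Index: Yes
"""


def _items(value):
    """Split a comma-separated list of servers or locations."""
    return [v.strip() for v in value.split(",") if v.strip()]


def parse_summary(text):
    """Parse the summary into {'security', 'proxy_user', 'locations', 'bases'}."""
    cfg = {"security": None, "proxy_user": None, "locations": {}, "bases": {}}
    current = None  # the location or base DN block currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("External Server Security:"):
            cfg["security"] = line.split(":", 1)[1].strip()
        elif line.startswith("Proxy User DN:"):
            cfg["proxy_user"] = line.split(":", 1)[1].strip()
        elif line.startswith("Location "):
            name = line.split(None, 1)[1].strip()
            current = cfg["locations"].setdefault(name, {"failover": [], "servers": []})
        elif line.startswith("Base DN:"):
            dn = line.split(":", 1)[1].strip()
            current = cfg["bases"].setdefault(dn, {"servers": [], "sets": {}, "other": {}})
        elif ":" in line and current is not None:
            key, value = (p.strip() for p in line.split(":", 1))
            set_match = re.fullmatch(r"Server Set (\d+)", key)
            if key == "Failover Order":
                current["failover"] = _items(value)
            elif key == "Servers":
                current["servers"] = _items(value)
            elif set_match:
                current["sets"][int(set_match.group(1))] = _items(value)
            else:  # Entry Balancing Base, Index Attributes, Prime RDN Index, ...
                current.setdefault("other", {})[key] = value
    return cfg


def check_topology(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if cfg["security"] in (None, "None"):
        findings.append("external security is None: the proxy user's bind password and "
                        "every forwarded request travel between proxy and backends in cleartext")
    location_of = {}
    for loc, info in cfg["locations"].items():
        for server in info["servers"]:
            location_of[server] = loc
        for target in info["failover"]:
            if target not in cfg["locations"]:
                findings.append(f"location {loc}: failover target {target} is not defined")
    for dn, base in cfg["bases"].items():
        owner = {}  # server -> set number, to catch a server assigned to two sets
        for set_no, servers in sorted(base["sets"].items()):
            covered = {location_of.get(s) for s in servers}
            missing = sorted(set(cfg["locations"]) - covered)
            if missing:
                findings.append(f"{dn} server set {set_no}: no server in {', '.join(missing)}; "
                                "that set has no local member to fail over to there")
            for s in servers:
                if s not in location_of:
                    findings.append(f"{dn} server set {set_no}: {s} belongs to no location")
                if s in owner:
                    findings.append(f"{dn}: {s} is in server set {owner[s]} and {set_no}")
                owner[s] = set_no
    return findings


def check_summary(text):
    """Parse a summary and run the checks on it."""
    return check_topology(parse_summary(text))


if __name__ == "__main__":
    for finding in check_summary(SAMPLE_SUMMARY) or ["no findings"]:
        print(finding)
```

Run against the page's summary the script reports only the cleartext finding; the set-to-location coverage and double-assignment checks pass because each server set has one member in austin and one in newyork and no server appears twice.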
- To apply the configuration changes to the PingDirectoryProxy server, enter yes.
  Example:
    Apply these configuration changes to the local Directory Proxy Server? (yes / no) [yes]:
    How do you want to connect to the Directory Proxy Server on localhost?
      1) LDAP
      2) LDAP with SSL
      3) LDAP with StartTLS
    Enter choice [1]:
    Administrator user bind DN [cn=Directory Manager]:
    Password for user 'cn=Directory Manager':
    Creating Locations ..... Done
    Updating Failover Locations ..... Done
    Updating Global Configuration ..... Done
    Creating Health Checks ..... Done
    Creating External Servers ..... Done
    Creating Load-Balancing Algorithm for dc=example,dc=com .... Done
    Creating Request Processor for dc=example,dc=com ..... Done
    Creating Subtree View for dc=example,dc=com ..... Done
    Updating Client Connection Policy for dc=example,dc=com ..... Done
    Creating Load-Balancing Algorithm for ou=people,dc=example,dc=com; Server Set 1 ..... Done
    Creating Request Processor for ou=people,dc=example,dc=com; Server Set 1...Done
    Creating Load-Balancing Algorithm for ou=people,dc=example,dc=com; Server Set 2 .... Done
    Creating Request Processor for ou=people,dc=example,dc=com; Server Set 2...Done
    Creating Entry Balancing Request Processor for ou=people,dc=example,dc=com ..... Done
    Creating Placement Algorithm for ou=people,dc=example,dc=com .... Done
    Creating Global Attribute Indexes for ou=people,dc=example,dc=com ..... Done
    Creating Subtree View for ou=people,dc=example,dc=com ..... Done
    Updating Client Connection Policy for ou=people,dc=example,dc=com ..... Done
    See /logs/create-initial-proxy-config.log for a detailed log of this operation
    To see basic server configuration status and configuration you can launch /bin/status