We have a network based on OSX, including using OpenDirectory as our directory service. Our network consists of one OD master and a pair of OD replicas. We've been trying to set it up so that when the master goes down the workstations will authenticate against one of the replicas. However, it seems that the clients continue to attempt to reach the master despite it being down. This is supposed to "just work" but it doesn't seem to be for us. Someone suggested that we would need to manually promote a replica to master in order to get the clients to fail over, but that seems somewhat ridiculous.

Has anyone made this configuration work? There doesn't appear to be a whole lot of documentation about the details.

Kamil Kisiel

2 Answers

2

Well, according to this article, what you are doing ought to work. But it is confusing.

After you set up an Open Directory replica, other computers will connect to it as needed.

Computers with v10.3 or v10.4 of Mac OS X or Mac OS X Server maintain a list of Open Directory replicas. If one of these computers can’t contact the Open Directory master for directory and authentication services, the computer connects to the nearest replica of the master.

On the one hand it implies above that it ought to work, but then it goes on to say...

You can configure Mac OS X computers to connect to an Open Directory replica instead of the Open Directory master for directory and authentication services. On each Mac OS X computer, you can use Directory Utility to create an LDAPv3 configuration for accessing the replica’s LDAP directory.

Now this arguably gives you a workaround instead of promoting a replica, so it's useful anyway, but I'm not sure if this paragraph doesn't contradict the first one. I do remember a lot of fiddling around with replicas when I did the Mac OSX Server training.

Rob Moir
Yes, I've read that. It's also possible that the second scenario they are describing is more appropriate for a remote site that replicates from a master site somewhere. The clients would then be configured to authenticate with the replica by default simply because of proximity reasons. – Kamil Kisiel Jun 10 '09 at 23:45
0

I'm interested in a better answer than what I can give you. My understanding is that clients try to reach out to the Master and all of the Replicas.

It didn't work well for us, however. We had one master (started at 10.5.3, IIRC) and 12 replicas. For reasons we were unable to track down, the Open Directory Service would go down on the master, but the box was still up, and clients could not authenticate (even though bound to their local replicas). Rebooting the master resolved the problem (for a few hours). We did migrate the master, and things were better for a couple of months, and then the problem resurfaced.

Clinton Blackmore