Tuesday, 1 July 2008

Highly available setup of Oracle Authentication Services for Operating Systems

Oracle Authentication Services for Operating Systems (OASfOS) is the way to use the Oracle Internet Directory (OID) LDAP server for managing the users of a Unix or Linux system.
This works fine and is explained in the manuals that come with the download from Oracle Technology Network: http://www.oracle.com/technology/products/oid/oracleauthenticationservices.html

But the scripts that come with this OASfOS download assume that a single-instance OID LDAP server is used. The script that should be run on the OID server gets the host name of that server and creates the script that should be run on the Linux or Unix servers that will be using the OID as their user base.
But the strength of the OID is that it can be set up with a cluster database in the back-end. Using a hardware load balancer in front of the OID processes can mitigate all kinds of hardware and software failures. The hardware load balancer is set up with a virtual DNS name, which directs the LDAP requests to either of the OID processes in the cluster. As the back-end of the OID processes, a Real Application Cluster (RAC) database is used.

The procedure for setting up OASfOS in a cluster is slightly different from setting it up for a single instance.
The server script that is run on the first instance should be adjusted. Instead of getting the hostname of the machine on which this OID is running, it should use the LDAP virtual address that is used in the load balancer.
That adjusted script will create a client script that will then use the virtual address of the load balancer instead of one of the host addresses.
In the following text the bit that is changed in the server script is shown; the original lines that used `hostname` are kept as comments, and the virtual name is a placeholder that must be replaced with the virtual DNS name configured on the load balancer:

ldapVirtualHost="oid-vip.example.com"   # placeholder: the load balancer's virtual DNS name
if [ "X$dmName" = "X(none)" -o "X$dmName" = "X" ]; then
    rootDN="cn=${ldapVirtualHost},${realm}"    # was: rootDN="cn=`hostname`,${realm}"
    hostName="${ldapVirtualHost}"              # was: hostName="`hostname`"
else
    rootDN="cn=${ldapVirtualHost},${realm}"    # was: rootDN="cn=`hostname`.${dmName},${realm}"
    hostName="${ldapVirtualHost}"              # was: hostName="`hostname`.${dmName}"
fi

On the other instance the only change that is made is that the wallet for SSL traffic that is created on the first instance is copied to the same place on the second instance. The same instructions as described in the documentation for changing the standard certificate can be used.
The server script should not be run on the second instance, since it also changes the contents of the OID; because RAC is used, those changes were already made when the script was run on the first instance.
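As an added example (not code from the original post or from the OASfOS scripts), the following check verifies the two things the procedure above depends on: the generated client configuration must point at the load balancer's virtual LDAP name rather than one physical OID host, and the wallet copied to the second OID instance must be byte-identical to the first instance's. It assumes the client keeps pam_ldap/nss_ldap style "host"/"uri" lines; the file paths and the name oid-vip.example.com are placeholders, and the sample data is constructed inline.

```sh
#!/bin/sh
# Added example, not part of the original post or of the OASfOS download.
# Assumptions: client config uses pam_ldap/nss_ldap style "host"/"uri" lines;
# paths, file names and oid-vip.example.com are placeholders.

# Return 0 if every host/uri line in config file $1 refers to virtual name $2.
ldap_conf_uses_vip() {
    conf="$1"; vip="$2"
    bad=$(awk -v vip="$vip" '
        tolower($1) == "host" && $2 != vip { print "host " $2 }
        tolower($1) == "uri" {
            for (i = 2; i <= NF; i++) {
                u = $i; sub(/^ldaps?:\/\//, "", u); sub(/[:\/].*$/, "", u)
                if (u != vip) print "uri " $i
            }
        }' "$conf")
    if [ -n "$bad" ]; then
        printf 'non-VIP LDAP endpoint(s) in %s:\n%s\n' "$conf" "$bad" >&2
        return 1
    fi
    return 0
}

# Return 0 if directories $1 and $2 hold the same files with identical checksums
# (the wallet copied to the second instance must match the first instance's).
wallets_match() {
    a=$(cd "$1" && find . -type f | sort | xargs cksum)
    b=$(cd "$2" && find . -type f | sort | xargs cksum)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed sample data so the script runs stand-alone.
tmp=$(mktemp -d)
printf 'host oid-vip.example.com\nuri ldaps://oid-vip.example.com:636\nssl on\n' > "$tmp/ldap-vip.conf"
printf 'uri ldaps://oidhost1.example.com:636\n' > "$tmp/ldap-single.conf"
mkdir -p "$tmp/w1" "$tmp/w2" "$tmp/w3"
printf 'wallet-bytes' > "$tmp/w1/ewallet.p12"
cp "$tmp/w1/ewallet.p12" "$tmp/w2/ewallet.p12"
printf 'other-bytes' > "$tmp/w3/ewallet.p12"

ldap_conf_uses_vip "$tmp/ldap-vip.conf" oid-vip.example.com && echo "client config uses the VIP"
ldap_conf_uses_vip "$tmp/ldap-single.conf" oid-vip.example.com || echo "client config still bound to one host"
wallets_match "$tmp/w1" "$tmp/w2" && echo "wallet copy matches the first instance"
```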
