
Major update.

cns 16 years ago
committed by butlerx
parent
commit
98a5f49fe9
1 changed files with 144 additions and 29 deletions
  1. +144
    -29
      RRS-SYNC.TXT

+ 144
- 29
RRS-SYNC.TXT View File

@@ -2,96 +2,186 @@
# Steps required to use a standalone RRS setup and then sync in changes
# afterwards.
#
# $Id$
# $Id: RRS-SYNC.TXT,v 1.1 2003/10/24 16:10:30 cns Exp cns $
#

#======================================================================
# BEFORE C&S DAY
#======================================================================

# There are three prompts used in the commands given here
# to indicate which machine they should be used on...
#
[useradm] # The redbrick server that hosts useradm
[rrs] # The standalone server that hosts rrs for c&s day
[ldap-master] # The redbrick server that is the LDAP master

# Some general notes on using slapadd and slapcat:
#
# Purge the ldap database files before doing a slapadd. Always add
# everything in one go with slapadd as this is faster. Always use
# the dry-run (-u) option before adding for real.
#
# slapcat should only be run when slapd is r/o or not running.
# If slapd can't be stopped or made r/o and a copy of the tree is
# needed, use this:
#
# ldapsearch -xLLL -y /etc/ldap.secret -D cn=root,ou=ldap,o=redbrick > rb.ldif
#
# Also, it's best to log your session (e.g. with script) when running the
# various batch commands that produce a lot of output.


# Make master ldap r/o (add "readonly on" to slapd.conf)
# Stop slurpd.

# Take backup of current tree, now that ldap is r/o.
#
slapcat -l slapcat.pre-sync
[ldap-master] slapcat -l slapcat.pre-newyear

# At the start of each academic year, before c&s day, yearsPaid
# has to be decremented by 1 and newbie set to False for every account.
# This can be done online with LDAP or offline with LDIF. LDIF method
# is given here:
#
[ldap-master] ./newyear_ldif.py < slapcat.pre-newyear > slapcat.pre-rrs

# If using the LDIF method, slapadd slapcat.pre-rrs back again (ldap still r/o)
#
# The mailing out of renewal reminders can be done before or after c&s day.
# If done after, there'll be less mails sent out.
#
[useradm] useradm unpaid_warn

# Take pre_sync backup copy for running sync with the new tree later on.
# This is used to keep a record of current home directories and usertypes
# for all accounts, which is needed for any renamed and/or converted accounts.
#
useradm pre_sync
[useradm] useradm pre_sync

# Copy RRS directory and master slapd setup to the standalone RRS
# computer. Make sure user web server runs as can read and execute the CGIs,
# write to rrs.log and the tracebacks directory (and nothing else). Setup a
# write to rrs.log and the tracebacks directory (and nothing else). As
# the webserver won't (well, *shouldn't*) have write access to the rrs/
# directory, any changes made to the *.py files won't result in the automatic
# update of the corresponding .pyc file, so it's best to make sure these are
# updated manually: this is only to help speed up execution. Setup a
# .htaccess file to require a password. Enforce SSL only if possible.
# Modify rbconfig.py to point to the localhost LDAP.

# If there is no network connection, the DCU LDAP tree needs to be imported
# into the redbrick one. However, this should be done regardless of network
# connectivity!
#
[rrs] ./make-rb-dcu-tree.sh

# Join rb & dcu trees into one ldif file to add in one go as this will
# speed things up a lot!
#
[rrs] cat slapcat.pre-rrs rb-dcu-tree.ldif > slapcat.pre-rrs-dcu

# Truncate rrs.log.
# Always do a dry run before any major slapadd:
#
[rrs] slapadd -v -u -l slapcat.pre-rrs-dcu

# Adding this for real will take a long time. Although there is a -q
# (quick) option for slapadd, it might be best not to use it.
#
:> rrs.log
[rrs] slapadd -v -l slapcat.pre-rrs-dcu

# Make sure uidNumber.txt is correct (should be, if copied across!).
# Truncate rrs.log. This should always be empty before starting to use
# rrs for real! Make sure the CGI can still write to it!
#
useradm create_uidNumber
[rrs] :> rrs.log

# After using rrs, shutdown slapd and do a slapcat:
# Make sure uidNumber.txt is correct (it should be, if copied across!).
#
[rrs] useradm create_uidNumber

# At this point, rrs should be ready to go.
#
# If you're paranoid, the continous_rrs_backup.sh script will prove useful.
#
pkill slapd
slapcat -l slapcat.rrs

# Copy rrs.log and slapcat.rrs back to useradm machine.
#======================================================================
# AFTER C&S DAY
#======================================================================

# Turn off MTA until ldap is back and all accounts are in sync again.
# After using rrs, i.e. c&s day is finished, shutdown slapd and do a
# slapcat, removing the dcu tree from the output:
#
[rrs] pkill slapd
[rrs] slapcat -l - | remove_dcutree_ldif.py > slapcat.rrs

# Copy rrs.log, uidNumber.txt and slapcat.rrs back to useradm machine.

# Turn off *all* MTAs until ldap is back and all accounts are in sync again.
# Home directories will be moving around a bit, so we don't want mail getting
# bounced.
#
/etc/init.d/exim stop
#
# XXX: This only disables the smtp daemon, invoking sendmail from the command
# line might still start up a local delivery ?

# Any machines which point nss & pam at the master need to be pointed at a
# backup ldap server on another machine as the ldap rebuild will take a few
# minutes, might as well be nice to our users :-)

# Turn off master sldapd & slurpd.
# Turn off master slapd & slurpd.
#
/etc/init.d/slapd stop
[ldap-master] /etc/init.d/slapd stop

# Move ldap dbs out to clear db, but keep a backup just in case.
#
mv /var/db/ldap/redbrick /var/db/ldap/redbrick.pre-sync
mkdir /var/db/ldap/redbrick
[ldap-master] mv /var/db/ldap/redbrick /var/db/ldap/redbrick.pre-sync
[ldap-master] mkdir /var/db/ldap/redbrick

# Now add the new tree.
#
slapadd -v -l slapcat.rrs
[ldap-master] slapadd -v -l slapcat.rrs

# Make master ldap r/w again, but restrict write access to root only.
# Make master ldap r/w again, but restrict write access to root only
# by commenting out any "by self write" ACLs in slapd.conf as useradm
# sync needs to set passwords for the new users.
# Start master slapd up again. Don't start slurpd.
#
/etc/init.d/slapd start
[ldap-master] /etc/init.d/slapd start

# Remove files which indicate if a renewal has been mailed. These might still
# be here from a previous run.
# be here from a previous year's run.
#
rm -rf renewal_mailed/
[useradm] rm -rf renewal_mailed/

# Do sync stuff. Run *1* step at a time. First with -T to make sure it will do
# the right thing then run the step for real. This will involve hitting ^C
# after completing each step so that test mode can be run on the next step i.e:
#
useradm sync -T
[useradm] useradm sync -T
# ^C at prompt for next step
useradm sync
[useradm] useradm sync
# ^C at prompt for next step, rinse, wash, repeat.

# The sync command is designed to be run again and again, i.e. there won't
# be any repeated actions (which is why a record is kept of which users were
# sent a renewal mail). This is useful if it bombs out at any stage!

# Stop master slapd.
#
/etc/init.d/slapd stop
[ldap-master] /etc/init.d/slapd stop

# Take post-sync backup now that it's shutdown.
#
slapcat -v -l slapcat.post-sync
[ldap-master] slapcat -v -l slapcat.post-sync

# Move ldap dbs out to clear db, but keep a backup just in case.
#
mv /var/db/ldap/redbrick /var/db/ldap/redbrick.post-sync
mkdir /var/db/ldap/redbrick
[ldap-master] mv /var/db/ldap/redbrick /var/db/ldap/redbrick.post-sync
[ldap-master] mkdir /var/db/ldap/redbrick

# Re-add post-sync backup so that it's all nicely indexed.
#
slapcat -v -l slapcat.post-sync
[ldap-master] slapcat -v -l slapcat.post-sync

# Go back to full r/w slapd again, so re-enable user write access.
# Point nss & pam back to master server on machines that were changed.
@@ -101,3 +191,28 @@ slapcat -v -l slapcat.post-sync
# Load slapcat.post-sync on ldap backup servers using similar procedure
# (redirect nss & pam, shutdown slapd, move dbs out, slapadd, start slapd,
# point nss & pam back again)

#======================================================================
# LATER ON...
#======================================================================

# A month or two after c&s day, unpaid accounts need to be disabled
# and the unpaid accounts from last year (the "grace" accounts) need
# to be deleted. This is a good time to make a backup! And don't forget
# to log your session, so you have a record. It's also no harm to look
# through the list of accounts to be deleted in case you spot one that
# shouldn't be on the list!
#
[useradm] useradm list_unpaid_grace # ...these will be deleted!
[useradm] useradm unpaid_disable
[useradm] useradm unpaid_delete

# Usually people who haven't paid (yet) request their shell to be
# enabled again. Admins can find these fee-evaders:
#
[useradm] useradm list_unpaid_reset

# ...and then crack down on them:
#
[useradm] useradm unpaid_disable

