Install node 2 - SSO
Stop Ubisecure SSO on node 1
Stop the Ubisecure SSO and Ubisecure Directory services on Node 1 while Node 2 is being installed.
On Node 1:
/etc/init.d/ubilogin-server stop
/etc/init.d/ubilogin-directory stop
LDAP configuration
Add the two rows in Listing 3 to the file /usr/local/ubisecure/ubilogin-sso/openldap/etc/openldap/slapd.conf on node 1, replacing the placeholder hostnames with the real ones:
vi /usr/local/ubisecure/ubilogin-sso/openldap/etc/openldap/slapd.conf
These are the addresses at which Ubisecure Directory listens on the two nodes (Listing 3):
serverID 1 ldap://<node1 hostname>:389
serverID 2 ldap://<node2 hostname>:389
Add the following lines to the file /usr/local/ubisecure/ubilogin-sso/openldap/etc/openldap/cn=Ubilogin,dc=sso,dc=example,dc=com.conf on node 1. Ensure that all quotation marks are standard quotation marks.
syncrepl rid=001
  provider=ldap://<node1 hostname>:389
  searchbase="cn=Ubilogin,dc=sso,dc=example,dc=com"
  bindmethod=simple
  binddn="uid=System,ou=System,cn=Ubilogin,dc=sso,dc=example,dc=com"
  credentials="secret"
  type=refreshAndPersist
  timeout=1
  retry="1 10 60 10 600 +"
syncrepl rid=002
  provider=ldap://<node2 hostname>:389
  searchbase="cn=Ubilogin,dc=sso,dc=example,dc=com"
  bindmethod=simple
  binddn="uid=System,ou=System,cn=Ubilogin,dc=sso,dc=example,dc=com"
  credentials="secret"
  type=refreshAndPersist
  timeout=1
  retry="1 10 60 10 600 +"
mirrormode on
# overlay syncprov
The block contains the configuration for both nodes: rid=001 is node 1 and rid=002 is node 2. Note that bindmethod=simple over ldap:// sends the System account password between the nodes in clear text, so the replication traffic must stay on a network you trust, and the file holding these credentials must not be readable by other users.
Parameter | Description
Provider | LDAP address; must match Listing 3
Searchbase | Must match the suffix defined in unix.config
Binddn | Enter suffix from
Credentials | Enter openldap.root.password from unix.config
Modify the Ubisecure Directory startup script (settings.sh) on node 1:
vi /usr/local/ubisecure/ubilogin-sso/ubilogin/config/settings.sh
Add the local address of Node 1, ldap://node1host:389, to settings.sh by adding the following new line directly below the line reading "esac":
LDAP_LISTEN_URLS="ldap://node1host:389 $LDAP_LISTEN_URLS"
On Node 2, create the ubisecure folder and copy the ubilogin-sso folder from node 1 to node 2:
mkdir -p /usr/local/ubisecure
cd /usr/local/ubisecure/
scp -r <username>@<node1>:/usr/local/ubisecure/ubilogin-sso .
On Node 2, run the following command from the copied ubilogin-sso folder to set up the system user ubilogin. The newly created user will be used for running Ubisecure SSO and Ubisecure Directory:
cd /usr/local/ubisecure/ubilogin-sso
./ubilogin/config/unix/setupuser.sh
On Node 2, modify the Ubisecure Directory startup script settings.sh in /usr/local/ubisecure/ubilogin-sso/ubilogin/config/:
cd /usr/local/ubisecure/ubilogin-sso/ubilogin/config/
The copy from node 1 already contains the LDAP_LISTEN_URLS line below the line reading "esac" with the Node 1 address. Change it so that it carries the Node 2 address ldap://node2host:389:
LDAP_LISTEN_URLS="ldap://node2host:389 $LDAP_LISTEN_URLS"
Install the OpenLDAP service on node 2:
cd /usr/local/ubisecure/ubilogin-sso/ubilogin
./ldap/openldap/install.sh
When the OpenLDAP install script prompts for the LDAP Password, type secret (the example password used throughout this page) and press return.
install.sh executes the following commands:
/etc/init.d/ubilogin-directory start
./import.sh ../cnroot.ldif
./import.sh ../uas.ldif
./import.sh ../secrets.ldif
./import.sh ../system-password.ldif
./import.sh groups.ldif
/etc/init.d/ubilogin-directory stop
Because install.sh regenerates a number of configuration files, two files must be copied again from Node 1 at this point:
scp -r <username>@<node1>:/usr/local/ubisecure/ubilogin-sso/openldap/etc/openldap/cn* /usr/local/ubisecure/ubilogin-sso/openldap/etc/openldap/
scp -r <username>@<node1>:/usr/local/ubisecure/ubilogin-sso/openldap/etc/openldap/slapd.conf /usr/local/ubisecure/ubilogin-sso/openldap/etc/openldap/
Check that the ownership and access rights of these two files match Node 1 (compare the ls -l output on both nodes). The cn=Ubilogin,dc=sso,dc=example,dc=com.conf file contains the replication credentials and must not be readable by other users.
Delete the OpenLDAP database from node 2. It will be recreated through replication later. Chain the two commands with && so that rm -f cannot run in another directory if the cd fails:
cd /usr/local/ubisecure/ubilogin-sso/openldap/var/openldap-bdb/cn=Ubilogin,dc=sso,dc=example,dc=com && rm -f ./*
Install Tomcat on node 2:
cd /usr/local/ubisecure/ubilogin-sso/ubilogin
./config/tomcat/install.sh
Start the Ubisecure SSO and Ubisecure Directory processes first on node 1 and then on node 2 using the following commands:
On Node 1:
/etc/init.d/ubilogin-directory start
/etc/init.d/ubilogin-server start
On Node 2:
/etc/init.d/ubilogin-directory start
/etc/init.d/ubilogin-server start
Verify LDAP replication
List the OpenLDAP database folder on node 2 and verify that the database files from node 1 have been replicated automatically to node 2:
ls /usr/local/ubisecure/ubilogin-sso/openldap/var/openldap-bdb/cn=Ubilogin,dc=sso,dc=example,dc=com
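A non-empty database folder shows only that replication has started. The following script is an added example for this page, not part of the Ubisecure installation, that also checks convergence: it reads the contextCSN values of the suffix from both providers with ldapsearch and requires them to be identical, since in mirror mode each node carries one contextCSN per serverID and both nodes report the same set once they are in sync. It assumes the OpenLDAP client tools are installed; the node URLs and the password are placeholders, and the sample ldapsearch output used for the offline self-check is constructed.

```sh
#!/bin/sh
# Added example (not Ubisecure's own tooling): verify mirror-mode replication
# by comparing contextCSN on both directory nodes and checking that the node 2
# database directory has been populated. Node URLs and password are placeholders.

SUFFIX="cn=Ubilogin,dc=sso,dc=example,dc=com"
BINDDN="uid=System,ou=System,$SUFFIX"
DBDIR="/usr/local/ubisecure/ubilogin-sso/openldap/var/openldap-bdb/$SUFFIX"

# Print the contextCSN values found in LDIF text on stdin, one per line, sorted.
csn_values() {
  sed -n 's/^contextCSN: //p' | sort
}

# Succeed when two LDIF results carry the same non-empty set of contextCSN values.
csn_match() {
  csn_a=$(printf '%s\n' "$1" | csn_values)
  csn_b=$(printf '%s\n' "$2" | csn_values)
  [ -n "$csn_a" ] && [ "$csn_a" = "$csn_b" ]
}

# Succeed when the directory exists and holds at least one file.
db_populated() {
  [ -d "$1" ] && [ -n "$(ls -A "$1" 2>/dev/null)" ]
}

# Base-scope search of the suffix on one provider, returning only contextCSN.
fetch_csn() { # fetch_csn ldap://host:389 password
  ldapsearch -LLL -x -H "$1" -D "$BINDDN" -w "$2" -b "$SUFFIX" -s base contextCSN
}

# Live check, run on node 2, for example:
#   check_replication ldap://node1:389 ldap://node2:389 secret
check_replication() {
  out1=$(fetch_csn "$1" "$3") || { echo "cannot query $1"; return 2; }
  out2=$(fetch_csn "$2" "$3") || { echo "cannot query $2"; return 2; }
  if ! db_populated "$DBDIR"; then
    echo "$DBDIR is still empty"; return 1
  fi
  if csn_match "$out1" "$out2"; then
    echo "contextCSN identical on both nodes: replication in sync"
  else
    echo "contextCSN differs, replication has not converged:"
    printf '%s\n%s\n' "$out1" "$out2"
    return 1
  fi
}

# Constructed sample ldapsearch output to exercise the comparison offline.
SAMPLE_NODE1='dn: cn=Ubilogin,dc=sso,dc=example,dc=com
contextCSN: 20240101120000.000000Z#000000#001#000000
contextCSN: 20240101120005.000000Z#000000#002#000000'
SAMPLE_NODE2='dn: cn=Ubilogin,dc=sso,dc=example,dc=com
contextCSN: 20240101120005.000000Z#000000#002#000000
contextCSN: 20240101120000.000000Z#000000#001#000000'
SAMPLE_STALE='dn: cn=Ubilogin,dc=sso,dc=example,dc=com
contextCSN: 20240101115900.000000Z#000000#001#000000'

csn_match "$SAMPLE_NODE1" "$SAMPLE_NODE2" && echo "sample: nodes in sync"
csn_match "$SAMPLE_NODE1" "$SAMPLE_STALE" || echo "sample: stale node detected"
```

Run check_replication once the directory has started on both nodes; a node that answers with an older or missing CSN for the other serverID has not yet received that node's changes.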
Configuring LDAP failover
Each Ubisecure SSO node can be configured to connect to the LDAP directory on the other node when the local directory cannot be reached. This is recommended if SSO and the directory run on separate servers. If SSO and the directory run on the same server (the default configuration), LDAP failover is not always desired, and in that case this chapter can be skipped.
For Ubisecure SSO, LDAP failover is configured in the file /usr/local/ubisecure/ubilogin-sso/ubilogin/webapps/uas/jndi.properties. An example of such a configuration follows:
java.naming.factory.initial = com.ubisecure.util.ldap.jldap.JLDAP
java.naming.provider.url = ldap://localhost:389/cn=Ubilogin,dc=localhost
java.naming.security.authentication = simple
java.naming.security.principal = cn=Server,ou=System,cn=Ubilogin,dc=localhost
java.naming.security.credentials = secret
com.ubisecure.util.ldap.server.list = ldap://node-1-hostname/ ldap://node-2-hostname/
The order of the servers in the server.list value is insignificant. During startup both servers are contacted at the same time, and the server that responds fastest is used until a failure occurs.
For other Ubisecure applications, LDAP failover is configured in the following configuration files:
- Ubisecure SSO Management:
<installation directory>/ubilogin/webapps/ubilogin/WEB-INF/jndi.properties
- Ubisecure Password application:
<installation directory>/ubilogin/webapps/password/WEB-INF/ubilogin.jndi.properties
- Ubisecure Search:
<installation directory>/ubilogin/webapps/search/WEB-INF/jndi.properties
- Ubisecure OTP Server:
<installation directory>/ubilogin/webapps/otpserver/WEB-INF/jndi.properties
- Ubisecure SSO REST API:
<installation directory>/ubilogin/webapps/sso-api/WEB-INF/jndi.properties
These changes must be made on both nodes.
After the change, activate the applications on each node:
/etc/init.d/ubilogin-server stop
cd /usr/local/ubisecure/ubilogin-sso/ubilogin
./config/tomcat/update.sh
/etc/init.d/ubilogin-server start
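The LDAP_LISTEN_URLS edit in settings.sh (node 1 adds the line below "esac", node 2 changes the copied line) and the server.list edit that has to be repeated in every application configuration file on both nodes are easy to get wrong by hand. The following script is an added example for this page, not part of the Ubisecure installation scripts: set_listen_url inserts or replaces the line below "esac", set_property replaces or appends one key in a Java properties file, and configure_failover applies the server list to the files named above. Files are rewritten with cat > file rather than mv so that the owner and mode of the credential-bearing files are preserved. The installation directory argument and the sample file contents used in the offline demonstration are constructed.

```sh
#!/bin/sh
# Added example (not part of the Ubisecure installation scripts): idempotent
# helpers for the settings.sh and jndi.properties edits described on this page.

# set_listen_url FILE ldap://host:389
# Places LDAP_LISTEN_URLS="<url> $LDAP_LISTEN_URLS" directly below the line
# reading "esac"; an LDAP_LISTEN_URLS line already there is replaced.
set_listen_url() {
  file=$1 url=$2
  awk -v url="$url" '
    function emit() { print "LDAP_LISTEN_URLS=\"" url " $LDAP_LISTEN_URLS\""; placed = 1 }
    seen_esac && !placed {
      if ($0 ~ /^LDAP_LISTEN_URLS=/) { emit(); next }
      emit()
    }
    { print }
    /^esac[[:space:]]*$/ { seen_esac = 1 }
    END { if (seen_esac && !placed) emit() }
  ' "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# set_property FILE KEY VALUE
# Replaces the line defining KEY ("key = value" or "key: value") or appends it.
# The key is matched by string comparison, so dots in the key are not regex metacharacters.
set_property() {
  file=$1 key=$2 value=$3
  awk -v key="$key" -v value="$value" '
    {
      line = $0
      sub(/^[[:space:]]+/, "", line)
      if (substr(line, 1, length(key)) == key && substr(line, length(key) + 1) ~ /^[[:space:]]*[=:]/) {
        print key " = " value
        placed = 1
        next
      }
      print
    }
    END { if (!placed) print key " = " value }
  ' "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# configure_failover INSTALLDIR "ldap://node-1-hostname/ ldap://node-2-hostname/"
# Sets com.ubisecure.util.ldap.server.list in every application file listed on
# this page that exists under INSTALLDIR (assumed argument, e.g. /usr/local/ubisecure/ubilogin-sso).
configure_failover() {
  inst=$1 servers=$2
  for f in ubilogin/webapps/uas/jndi.properties \
           ubilogin/webapps/ubilogin/WEB-INF/jndi.properties \
           ubilogin/webapps/password/WEB-INF/ubilogin.jndi.properties \
           ubilogin/webapps/search/WEB-INF/jndi.properties \
           ubilogin/webapps/otpserver/WEB-INF/jndi.properties \
           ubilogin/webapps/sso-api/WEB-INF/jndi.properties; do
    [ -f "$inst/$f" ] && set_property "$inst/$f" com.ubisecure.util.ldap.server.list "$servers"
  done
  return 0
}

# Offline demonstration on constructed copies of the two files.
demo_dir=$(mktemp -d)
printf 'case "$1" in\nstart) ;;\nesac\nexport LDAP_LISTEN_URLS\n' > "$demo_dir/settings.sh"
set_listen_url "$demo_dir/settings.sh" ldap://node1host:389
set_listen_url "$demo_dir/settings.sh" ldap://node2host:389   # second run replaces, it does not duplicate
grep '^LDAP_LISTEN_URLS=' "$demo_dir/settings.sh"
mkdir -p "$demo_dir/ubilogin/webapps/uas"
printf 'java.naming.provider.url = ldap://localhost:389/cn=Ubilogin,dc=localhost\n' > "$demo_dir/ubilogin/webapps/uas/jndi.properties"
configure_failover "$demo_dir" "ldap://node-1-hostname/ ldap://node-2-hostname/"
cat "$demo_dir/ubilogin/webapps/uas/jndi.properties"
rm -rf "$demo_dir"
```

Run the same configure_failover call on both nodes, then activate the applications as shown above; because both helpers replace an existing line instead of adding another, re-running them after a hostname change is safe.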
Verify LDAP failover functionality
Test 1
- Stop ubilogin-directory on Node 1.
- Start ubilogin-server on Node 1.
- Stop ubilogin-directory on Node 2.
- Start ubilogin-server on Node 2.
- Check that SSO Management application still responds after a few page refreshes.
Test 2
- Stop ubilogin-directory on Node 2.
- Start ubilogin-server on Node 2.
- Stop ubilogin-directory on Node 1.
- Start ubilogin-server on Node 1.
- Check that SSO Management application still responds after a few page refreshes.