15.4. Creating the Supplier Bind DN Entry
A critical part of setting up replication is to create the entry, called the replication manager or supplier bind DN entry, that the suppliers use to bind to the consumer servers to perform replication updates.
The supplier bind DN must meet the following criteria:
- It must be unique.
- It must be created on the consumer server (or hub) and not on the supplier server.
- It must correspond to an actual entry on the consumer server.
- It must be created on every server that receives updates from another server.
- It must not be part of the replicated database for security reasons.
- It must be defined in the replication agreement on the supplier server.
- It must have an idle timeout period set to a high enough limit to allow the initialization process for large databases to complete. Setting the nsIdleTimeout operational attribute on the replication manager entry overrides the global nsslapd-idletimeout setting for that entry only.
For example, the entry cn=Replication Manager,cn=config can be created under the cn=config tree on the consumer server. This would be the supplier bind DN that all supplier servers would use to bind to the consumer to perform replication operations.
Note
Avoid creating simple entries under the cn=config entry in the dse.ldif file. The cn=config entry in the simple, flat dse.ldif configuration file is not stored in the same highly scalable database as regular entries. As a result, if many entries, and particularly entries that are likely to be updated frequently, are stored under cn=config, performance will suffer. However, although Red Hat recommends not storing simple user entries under cn=config for performance reasons, it can be useful to store special user entries such as the Directory Manager entry or the replication manager (supplier bind DN) entry under cn=config, since this keeps them out of the replicated databases and centralizes configuration information.
On each server that acts as a consumer in replication agreements, create a special entry that the supplier will use to bind to the consumers. Make sure to create the entry with the attributes required by the authentication method specified in the replication agreement.
- Stop the Directory Server. If the server is not stopped, the changes to the dse.ldif file will not be saved. See Section 1.4, “Starting and Stopping a Directory Server Instance” for more information on stopping the server.
- Create a new entry, such as cn=replication manager,cn=config, in the dse.ldif file.
- Specify a userPassword attribute-value pair.
- Set an nsIdleTimeout period that gives the replication user a long enough time limit to allow replication initialization on large databases to complete.
- If a password expiration policy is enabled, or ever will be enabled, disable it on the replication manager entry to prevent replication from failing because the password expires. To disable password expiration for the userPassword attribute, add the passwordExpirationTime attribute with a value of 20380119031407Z, which means that the password will never expire.
- Restart the Directory Server. See Section 1.4, “Starting and Stopping a Directory Server Instance” for more information on starting the server.
The final entry should resemble Example 15.4, “Example Supplier Bind DN Entry”.
Example 15.4. Example Supplier Bind DN Entry
dn: cn=replication manager,cn=config
objectClass: top
objectClass: device
objectClass: simpleSecurityObject
cn: replication manager
userPassword: strong_password
nsIdleTimeout: 0
When configuring a replica as a consumer, use the DN of this entry to define the supplier bind DN.
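The following Python script is an added example and is not part of the Red Hat documentation or of Directory Server itself. It generates a supplier bind DN entry laid out like Example 15.4 (with the passwordExpirationTime attribute from the procedure above) and then checks an LDIF entry against the criteria listed in this section: it lives under cn=config, it is not inside any replicated suffix, it carries simpleSecurityObject and a userPassword, it sets nsIdleTimeout, and its password never expires. The function names, the minimum cleartext password length, and the sample suffix dc=example,dc=com are assumptions made for the example.

```python
"""Build and check a supplier bind DN (replication manager) LDIF entry.

Added example, not code from the Red Hat documentation or from Directory
Server. Function names, the 12-character minimum password length and the
sample replicated suffix are assumptions for illustration.
"""
import re

# 2038-01-19 03:14:07Z (2^31 seconds after the Unix epoch); the value the
# section above says Directory Server treats as "password never expires".
NEVER_EXPIRES = "20380119031407Z"


def build_entry(cn="replication manager", password="strong_password", idle_timeout=0):
    """Return LDIF text for a replication manager entry under cn=config."""
    return "\n".join([
        f"dn: cn={cn},cn=config",
        "objectClass: top",
        "objectClass: device",
        "objectClass: simpleSecurityObject",   # allows userPassword on the entry
        f"cn: {cn}",
        f"userPassword: {password}",
        f"nsIdleTimeout: {idle_timeout}",        # 0 = no idle timeout for this bind DN
        f"passwordExpirationTime: {NEVER_EXPIRES}",
    ]) + "\n"


def parse_ldif_entry(text):
    """Parse a single LDIF entry into (dn, {attr_lowercase: [values]}).

    Handles LDIF line continuation (a leading space) and skips comments.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    dn, attrs = None, {}
    for line in lines:
        name, _, value = line.partition(":")
        value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return dn, attrs


def dn_under(dn, suffix):
    """True if dn equals suffix or sits below it (case-insensitive)."""
    norm = lambda s: re.sub(r",\s*", ",", s.strip()).lower()
    d, s = norm(dn), norm(suffix)
    return d == s or d.endswith("," + s)


def check_entry(text, replicated_suffixes, min_password_len=12):
    """Return the list of problems found; an empty list means the entry passes."""
    dn, attrs = parse_ldif_entry(text)
    if dn is None:
        return ["missing dn"]
    problems = []
    if not dn_under(dn, "cn=config"):
        problems.append("entry is not under cn=config")
    for suffix in replicated_suffixes:          # must not be part of a replicated database
        if dn_under(dn, suffix):
            problems.append(f"entry lies inside replicated suffix {suffix}")
    ocs = {v.lower() for v in attrs.get("objectclass", [])}
    if "simplesecurityobject" not in ocs:
        problems.append("objectClass simpleSecurityObject missing (required for userPassword)")
    pw = attrs.get("userpassword", [])
    if not pw:
        problems.append("userPassword missing")
    elif not pw[0].startswith("{") and len(pw[0]) < min_password_len:   # "{SCHEME}" = pre-hashed
        problems.append(f"cleartext userPassword shorter than {min_password_len} characters")
    idle = attrs.get("nsidletimeout", [])
    if not idle or not idle[0].isdigit():
        problems.append("nsIdleTimeout missing or not a non-negative integer")
    if attrs.get("passwordexpirationtime", [None])[0] != NEVER_EXPIRES:
        problems.append(f"passwordExpirationTime not set to {NEVER_EXPIRES}")
    return problems


if __name__ == "__main__":
    good = build_entry()
    print(good)
    print("good entry problems:", check_entry(good, ["dc=example,dc=com"]))
    # Constructed counter-example: a user placed inside the replicated suffix.
    bad = ("dn: cn=replication manager,ou=People,dc=example,dc=com\n"
           "objectClass: top\nobjectClass: person\n"
           "cn: replication manager\nsn: manager\nuserPassword: short\n")
    for p in check_entry(bad, ["dc=example,dc=com"]):
        print("bad entry:", p)
```

Run check_entry on the entry you intend to paste into dse.ldif before stopping the server; a non-empty result points at the criterion that was missed. The pre-hashed case (a value starting with a scheme tag such as {SSHA}) is skipped by the length check because the hash length says nothing about the password.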