Chapter 17. Setting up Content Synchronization

Using the Content Synchronization plug-in, Directory Server supports the SyncRepl protocol according to RFC 4533. This protocol enables LDAP servers and clients to use Red Hat Directory Server as a source to synchronize their local database with the changing content of Directory Server.
To use the SyncRepl protocol:
  • Enable the Content Synchronization plug-in in Directory Server and, optionally, create a dedicated user that the client uses to bind to Directory Server. The account must have permissions to read the content in the directory.
  • Configure the client. For example, set the search base for a subtree to synchronize. For further details, see your client's documentation.
Before clients are able to connect to Directory Server, set up the Content Synchronization plug-in:
  1. The Content Synchronization plug-in requires the Retro Changelog plug-in to log the nsuniqueid attribute:
    1. To verify whether the Retro Changelog plug-in is already enabled, enter:
      # ldapsearch -D "cn=Directory Manager" -W -x -b \
           'cn=Retro Changelog Plugin,cn=plugins,cn=config' nsslapd-pluginEnabled
      ...
      dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
      nsslapd-pluginEnabled: off
      If the nsslapd-pluginEnabled attribute is set to off, the retro changelog is disabled. To enable it, see Section 15.22.1, “Enabling the Retro Changelog Plug-in”.
    2. Add the nsuniqueid attribute to the Retro Changelog plug-in configuration. The entry already exists, so the change is a modify that adds one attribute value:
      # ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
      
      dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
      changetype: modify
      add: nsslapd-attribute
      nsslapd-attribute: nsuniqueid:targetUniqueId
    3. Optionally, apply the following recommendations for improved performance:
      1. Set the maximum validity for entries in the retro changelog. For example, to expire entries after 2 days (2d):
        # ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
        
        dn: cn=changelog5,cn=config
        changetype: modify
        replace: nsslapd-changelogmaxage
        nsslapd-changelogmaxage: 2d
      2. If you know which back end or subtree clients access to synchronize data, limit the scope of the Retro Changelog plug-in. For example, to exclude the cn=demo,dc=example,dc=com subtree, enter:
        # ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
        
        dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
        changetype: modify
        replace: nsslapd-exclude-suffix
        nsslapd-exclude-suffix: cn=demo,dc=example,dc=com
  2. Enable the Content Synchronization plug-in:
    # ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
    
    dn: cn=Content Synchronization,cn=plugins,cn=config
    changetype: modify
    replace: nsslapd-pluginEnabled
    nsslapd-pluginEnabled: on
  3. Using the defaults, Directory Server creates an access control instruction (ACI) in the oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config entry that enables all users to use the SyncRepl protocol:
    aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control";
       allow( read, search ) userdn = "ldap:///all";)
    Optionally, update the ACI to restrict which users can use the SyncRepl control. For further details about ACIs, see Section 18.13, “Defining Bind Rules”.
  4. Restart Directory Server:
    # systemctl restart dirsrv@instance_name
Clients are now able to synchronize data with Directory Server using the SyncRepl protocol.
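The steps above collected into a small POSIX shell script, as an added example that is not part of the Red Hat Directory Server documentation: it enables a plug-in only when the nsslapd-pluginEnabled check shows it is off, applies the nsuniqueid mapping, and narrows the default "all users" SyncRepl ACI to the dedicated bind account mentioned at the start of the chapter. It assumes the OpenLDAP client tools, a Directory Manager password file in $PWFILE, a constructed host name, and the Content Synchronization plug-in DN from the 389 Directory Server default configuration.

```shell
#!/bin/sh
# Added example; not part of the Red Hat Directory Server documentation.
# Assumes the OpenLDAP client tools (ldapsearch/ldapmodify), a password file
# for cn=Directory Manager in $PWFILE, and the Content Synchronization
# plug-in DN as found in the 389 Directory Server default configuration.
HOST="${HOST:-server.example.com}"      # constructed placeholder host name
PWFILE="${PWFILE:-/root/dm-password}"  # constructed placeholder path
BINDDN="cn=Directory Manager"
CSYNC_DN="cn=Content Synchronization,cn=plugins,cn=config"
RETRO_DN="cn=Retro Changelog Plugin,cn=plugins,cn=config"

# Reads ldapsearch output on stdin; succeeds only when nsslapd-pluginEnabled is "on".
plugin_enabled() {
  awk 'tolower($1) == "nsslapd-pluginenabled:" { v = tolower($2) }
       END { if (v == "on") exit 0; exit 1 }'
}

# LDIF that switches on the plug-in with the given DN.
enable_plugin_ldif() {
  printf 'dn: %s\nchangetype: modify\nreplace: nsslapd-pluginEnabled\nnsslapd-pluginEnabled: on\n' "$1"
}

# LDIF that adds the nsuniqueid mapping; ldapmodify reports "Type or value exists" if it is already there.
retro_nsuniqueid_ldif() {
  printf 'dn: %s\nchangetype: modify\nadd: nsslapd-attribute\nnsslapd-attribute: nsuniqueid:targetUniqueId\n' "$RETRO_DN"
}

# LDIF that narrows the default "all users" SyncRepl ACI to one sync account.
# "replace" overwrites every aci value on the entry; use it only while the
# default ACI is the only one there, as after a fresh install.
syncrepl_aci_ldif() {
  printf 'dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config\nchangetype: modify\nreplace: aci\naci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( read, search ) userdn = "ldap:///%s";)\n' "$1"
}

# Full procedure: enable only what is still off, then apply the remaining changes.
apply_syncrepl_setup() {
  for dn in "$RETRO_DN" "$CSYNC_DN"; do
    if ! ldapsearch -D "$BINDDN" -y "$PWFILE" -x -h "$HOST" -b "$dn" -s base nsslapd-pluginEnabled | plugin_enabled; then
      enable_plugin_ldif "$dn" | ldapmodify -D "$BINDDN" -y "$PWFILE" -x -h "$HOST"
    fi
  done
  retro_nsuniqueid_ldif | ldapmodify -D "$BINDDN" -y "$PWFILE" -x -h "$HOST"
  syncrepl_aci_ldif "$1" | ldapmodify -D "$BINDDN" -y "$PWFILE" -x -h "$HOST"
  systemctl restart "dirsrv@${INSTANCE:-instance_name}"
}
# Usage: apply_syncrepl_setup "uid=syncuser,ou=People,dc=example,dc=com"
```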