Chapter 17. Setting up Content Synchronization
Using the Content Synchronization plug-in, Directory Server supports the SyncRepl protocol according to RFC 4533. This protocol enables LDAP servers and clients to use Red Hat Directory Server as a source to synchronize their local database with the changing content of Directory Server.
To use the SyncRepl protocol:

- Enable the Content Synchronization plug-in in Directory Server and optionally create a new user which the client will use to bind to Directory Server. The account must have permissions to read the content in the directory.
- Configure the client. For example, set the search base for a subtree to synchronize. For further details, see your client's documentation.
Before clients are able to connect to Directory Server, set up the Content Synchronization plug-in:

- The Content Synchronization plug-in requires the Retro Changelog plug-in to log the nsuniqueid attribute:
  - To verify whether the retro changelog is already enabled, enter:

        # ldapsearch -D "cn=Directory Manager" -W -x -b \
            'cn=Retro Changelog Plugin,cn=plugins,cn=config' nsslapd-pluginEnabled
        ...
        dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
        nsslapd-pluginEnabled: off

    If the nsslapd-pluginEnabled attribute is set to off, the retro changelog is disabled. To enable it, see Section 15.23.1, “Enabling the Retro Changelog Plug-in”.
  - Add the nsuniqueid attribute to the Retro Changelog plug-in configuration (this is a modify operation on the existing plug-in entry):

        # ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
        dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
        changetype: modify
        add: nsslapd-attribute
        nsslapd-attribute: nsuniqueid:targetUniqueId
- Optionally, apply the following recommendations for improved performance:
  - Set a maximum validity for entries in the retro changelog. For example, to set 2 days (2d):

        # ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
        dn: cn=changelog5,cn=config
        changetype: modify
        replace: nsslapd-changelogmaxage
        nsslapd-changelogmaxage: 2d

  - If you know which back end or subtree clients access to synchronize data, limit the scope of the Retro Changelog plug-in. For example, to exclude the cn=demo,dc=example,dc=com subtree, enter:

        # ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
        dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
        changetype: modify
        replace: nsslapd-exclude-suffix
        nsslapd-exclude-suffix: cn=demo,dc=example,dc=com
- Enable the Content Synchronization plug-in:
  - Using the command line (the plug-in's configuration entry is cn=Content Synchronization,cn=plugins,cn=config, not the Retro Changelog entry):

        # ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
        dn: cn=Content Synchronization,cn=plugins,cn=config
        changetype: modify
        replace: nsslapd-pluginEnabled
        nsslapd-pluginEnabled: on

  - Using the Directory Server Console: See Section 1.9.2.2, “Enabling Plug-ins in the Directory Server Console”.
- Using the defaults, Directory Server creates an access control instruction (ACI) in the oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config entry that enables all users to use the SyncRepl protocol:

        aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( read, search ) userdn = "ldap:///all";)

  Optionally, update the ACI to limit who may use the SyncRepl control. For further details about ACIs, see Section 18.13, “Defining Bind Rules”.
- Restart Directory Server:

        # systemctl restart dirsrv@instance_name
Clients are now able to synchronize data with Directory Server using the SyncRepl protocol.
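The following pre-flight script, added here as an example and not part of the Red Hat documentation, reads the three configuration entries touched by the procedure above in a single ldapsearch and reports which prerequisites (Retro Changelog enabled, nsuniqueid mapped, Content Synchronization enabled, changelog max age set) are still missing. The host, port, bind DN and the embedded sample LDIF are assumptions; run it with --run against a real instance.

```shell
# Pre-flight check for the SyncRepl prerequisites described in this chapter.
# HOST/PORT/BINDDN are assumptions; override them via DS_HOST/DS_PORT/DS_BINDDN.
HOST="${DS_HOST:-server.example.com}"
PORT="${DS_PORT:-389}"
BINDDN="${DS_BINDDN:-cn=Directory Manager}"
# Reads LDIF (as printed by "ldapsearch -LLL") on stdin, prints one line per
# unmet prerequisite and returns the number of failures (0 = ready).
syncrepl_findings() {
    awk '
    function attr(l) { return tolower(substr(l, 1, index(l, ":") - 1)) }
    function val(l)  { v = substr(l, index(l, ":") + 1); sub(/^ +/, "", v); return v }
    /^dn: /     { dn = tolower(substr($0, 5)); next }
    /^[^ :]+: / {
        a = attr($0); v = val($0)
        if (dn ~ /^cn=retro changelog plugin,/ && a == "nsslapd-pluginenabled") retro = tolower(v)
        if (dn ~ /^cn=retro changelog plugin,/ && a == "nsslapd-attribute" &&
            tolower(v) == "nsuniqueid:targetuniqueid") mapped = 1
        if (dn ~ /^cn=content synchronization,/ && a == "nsslapd-pluginenabled") sync = tolower(v)
        if (dn ~ /^cn=changelog5,/ && a == "nsslapd-changelogmaxage") maxage = v
    }
    END {
        n = 0
        if (retro != "on") { print "FAIL: Retro Changelog plug-in is not enabled"; n++ }
        if (!mapped) { print "FAIL: nsslapd-attribute nsuniqueid:targetUniqueId missing on Retro Changelog plug-in"; n++ }
        if (sync != "on") { print "FAIL: Content Synchronization plug-in is not enabled"; n++ }
        if (maxage == "") print "WARN: nsslapd-changelogmaxage not set on cn=changelog5,cn=config (chapter recommends e.g. 2d)"
        if (n == 0) print "OK: SyncRepl prerequisites are in place"
        exit n
    }'
}
# Live check: one sub-tree search under cn=config fetches all three entries with a single bind.
run_check() {
    ldapsearch -x -LLL -H "ldap://$HOST:$PORT" -D "$BINDDN" -W -b cn=config -s sub \
        '(|(cn=Retro Changelog Plugin)(cn=changelog5)(cn=Content Synchronization))' \
        nsslapd-pluginEnabled nsslapd-attribute nsslapd-changelogmaxage | syncrepl_findings
}
# Constructed sample output (not captured from a real server), used when run without --run.
SAMPLE_LDIF='dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
nsslapd-pluginEnabled: on
nsslapd-attribute: nsuniqueid:targetUniqueId

dn: cn=changelog5,cn=config
nsslapd-changelogmaxage: 2d

dn: cn=Content Synchronization,cn=plugins,cn=config
nsslapd-pluginEnabled: on'
if [ "${1:-}" = "--run" ]; then run_check; else printf '%s\n' "$SAMPLE_LDIF" | syncrepl_findings; fi
```

The exit status equals the number of failed checks, so the script can gate an automated rollout of the client configuration.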