Chapter 17. Setting up Content Synchronization
Using the Content Synchronization plug-in, Directory Server supports the SyncRepl protocol according to RFC 4533. This protocol enables LDAP servers and clients to use Red Hat Directory Server as a source to synchronize their local database with the changing content of Directory Server.
To use the SyncRepl protocol:
- Enable the Content Synchronization plug-in in Directory Server and, optionally, create a new user which the client will use to bind to Directory Server. The account must have permissions to read the content in the directory that is to be synchronized.
- Configure the client. For example, set the search base for a subtree to synchronize. For further details, see your client's documentation.
Before clients are able to connect to Directory Server, set up the Content Synchronization plug-in:
- The Content Synchronization plug-in requires the Retro Changelog plug-in to log the nsuniqueid attribute:
  - To verify whether the retro changelog is already enabled, enter:

        # ldapsearch -D "cn=Directory Manager" -W -x -b \
            'cn=Retro Changelog Plugin,cn=plugins,cn=config' nsslapd-pluginEnabled
        ...
        dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
        nsslapd-pluginEnabled: off

    If the nsslapd-pluginEnabled attribute is set to off, the retro changelog is disabled. To enable it, see Section 15.21.1, “Enabling the Retro Changelog Plug-in”.
  - Add the nsuniqueid attribute to the Retro Changelog plug-in configuration. The plug-in entry already exists, so this is a modify operation that adds one attribute value to it:

        # ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
        dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
        changetype: modify
        add: nsslapd-attribute
        nsslapd-attribute: nsuniqueid:targetUniqueId

- Optionally, apply the following recommendations for improved performance:
  - Set a maximum validity for entries in the retro changelog. For example, to set 2 days (2d):

        # ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
        dn: cn=changelog5,cn=config
        changetype: modify
        replace: nsslapd-changelogmaxage
        nsslapd-changelogmaxage: 2d

  - If you know which back end or subtree clients access to synchronize data, limit the scope of the Retro Changelog plug-in. For example, to exclude the cn=demo,dc=example,dc=com subtree, enter:

        # ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
        dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
        changetype: modify
        replace: nsslapd-exclude-suffix
        nsslapd-exclude-suffix: cn=demo,dc=example,dc=com

- Enable the Content Synchronization plug-in:
  - Using the command line. The entry to modify is the Content Synchronization plug-in's own configuration entry, cn=Content Synchronization,cn=plugins,cn=config, not the Retro Changelog plug-in entry configured above:

        # ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
        dn: cn=Content Synchronization,cn=plugins,cn=config
        changetype: modify
        replace: nsslapd-pluginEnabled
        nsslapd-pluginEnabled: on

  - Using the Directory Server Console: See Section 1.9.2.2, “Enabling Plug-ins in the Directory Server Console”.
- Using the defaults, Directory Server creates an access control instruction (ACI) in the oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config entry that enables all authenticated users to use the SyncRepl control:

        aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( read, search ) userdn = "ldap:///all";)

  The ldap:///all bind rule matches every authenticated bind, so any account that can bind to the server can request content synchronization (what it receives is still limited by the ACIs on the synchronized subtree). Optionally, update the ACI, for example with a userdn or groupdn bind rule that names only the synchronization accounts, to limit who can use the SyncRepl control. For further details about ACIs, see Section 18.13, “Defining Bind Rules”.
- Restart Directory Server:

        # systemctl restart dirsrv@instance_name
Clients are now able to synchronize data with Directory Server using the SyncRepl protocol.
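The procedure above collected into one script, as an added example that is not part of the Red Hat documentation or of the Directory Server project. It checks that the Retro Changelog plug-in is enabled before touching anything (the Content Synchronization plug-in depends on it), emits the modifications as a single LDIF stream with the correct change types and plug-in entry DNs, and replaces the default userdn = "ldap:///all" bind rule of the Sync Request Control ACI with a groupdn rule. The host server.example.com, the instance name example, the 2d change log age and the group cn=SyncRepl Clients,ou=Groups,dc=example,dc=com are hypothetical values chosen for the example; override them through the environment variables at the top.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): prepare and, on request,
# apply the Content Synchronization setup. All values below are hypothetical
# and can be overridden from the environment.
LDAP_URL="${LDAP_URL:-ldap://server.example.com:389}"
BIND_DN="${BIND_DN:-cn=Directory Manager}"
INSTANCE="${INSTANCE:-example}"
SYNC_GROUP="${SYNC_GROUP:-cn=SyncRepl Clients,ou=Groups,dc=example,dc=com}"
CHANGELOG_MAXAGE="${CHANGELOG_MAXAGE:-2d}"

RETRO_DN='cn=Retro Changelog Plugin,cn=plugins,cn=config'
CONTENT_SYNC_DN='cn=Content Synchronization,cn=plugins,cn=config'
SYNC_CONTROL_DN='oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config'

# plugin_enabled LDIF_TEXT: succeed only when the LDIF of a plug-in entry (as
# printed by ldapsearch) carries "nsslapd-pluginEnabled: on". Attribute names
# are case-insensitive in LDAP, so the comparison is lowercased.
plugin_enabled() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "nsslapd-pluginenabled:" { val = tolower($2) }
        END { if (val == "on") exit 0; exit 1 }'
}

# setup_ldif: the modifications from the procedure as one LDIF stream that
# ldapmodify applies in order. Existing entries are changed with
# "changetype: modify"; "add:" then adds a value, "replace:" overwrites.
# The last record tightens the Sync Request Control ACI from every
# authenticated user (ldap:///all) to the members of $SYNC_GROUP.
setup_ldif() {
    cat <<EOF
dn: $RETRO_DN
changetype: modify
add: nsslapd-attribute
nsslapd-attribute: nsuniqueid:targetUniqueId

dn: cn=changelog5,cn=config
changetype: modify
replace: nsslapd-changelogmaxage
nsslapd-changelogmaxage: $CHANGELOG_MAXAGE

dn: $CONTENT_SYNC_DN
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on

dn: $SYNC_CONTROL_DN
changetype: modify
replace: aci
aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow (read, search) groupdn = "ldap:///$SYNC_GROUP";)
EOF
}

# apply_setup: refuse to continue while the Retro Changelog plug-in is off,
# otherwise apply the LDIF and restart the instance so the plug-in loads.
# Both ldap commands prompt for the Directory Manager password (-W).
apply_setup() {
    entry=$(ldapsearch -x -LLL -H "$LDAP_URL" -D "$BIND_DN" -W \
                -b "$RETRO_DN" -s base nsslapd-pluginEnabled) || return 1
    if ! plugin_enabled "$entry"; then
        echo "Retro Changelog plug-in is disabled ($RETRO_DN); enable it first" >&2
        return 1
    fi
    setup_ldif | ldapmodify -x -H "$LDAP_URL" -D "$BIND_DN" -W || return 1
    systemctl restart "dirsrv@$INSTANCE"
}

case "${1:-}" in
    print) setup_ldif ;;    # show the LDIF without contacting the server
    apply) apply_setup ;;   # check, apply and restart
esac
```

Run it as `sh setup-syncrepl.sh print` to review the LDIF first and `sh setup-syncrepl.sh apply` to apply it. Running `apply` a second time fails on the first record because the nsuniqueid:targetUniqueId value then already exists (ldapmodify reports "Type or value exists"); that is expected, not a sign that the earlier run failed. The synchronization accounts placed in the group still need ordinary read and search ACIs on the subtree they synchronize; the Sync Request Control ACI only decides who may use the control.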
