15.4. Creating the Supplier Bind DN Entry
The supplier bind DN is the identity a supplier uses to bind to a consumer and perform replication operations. The entry for it must meet the following requirements:
- It must be unique.
- It must be created on the consumer server (or hub) and not on the supplier server.
- It must correspond to an actual entry on the consumer server.
- It must be created on every server that receives updates from another server.
- It must not be part of the replicated database for security reasons.
- It must be defined in the replication agreement on the supplier server.
- It must have an idle timeout period set to a high enough limit to allow the initialization process for large databases to complete. Using the nsIdleTimeOut operational attribute allows the replication manager entry to override the global idle timeout setting.
For example, the entry cn=Replication Manager,cn=config can be created under the cn=config tree on the consumer server. This would be the supplier bind DN that all supplier servers would use to bind to the consumer to perform replication operations.
Note: The cn=config entry in the simple, flat dse.ldif configuration file is not stored in the same highly scalable database as regular entries. As a result, if many entries, and particularly entries that are likely to be updated frequently, are stored under cn=config, performance will suffer. However, although Red Hat recommends not storing simple user entries under cn=config for performance reasons, it can be useful to store special user entries such as the Directory Manager entry or the replication manager (supplier bind DN) entry under cn=config, since this centralizes configuration information.
To create the supplier bind DN entry on a consumer:
- Stop the Directory Server. If the server is not stopped, the changes to the dse.ldif file will not be saved. See Section 1.4, “Starting and Stopping a Directory Server Instance” for more information on stopping the server.
- Create a new entry, such as cn=replication manager,cn=config, in the dse.ldif file.
- Specify a userPassword attribute for the entry.
- Set an nsIdleTimeout period that gives the replication user a long enough time limit to allow replication initialization on large databases to complete.
- If a password expiration policy is enabled, or ever will be enabled, disable it on the replication manager entry to prevent replication from failing because the password expires. To disable the password expiration policy on the userPassword attribute, add the passwordExpirationTime attribute with a value of 20380119031407Z, which means that the password will never expire.
- Restart the Directory Server. See Section 1.4, “Starting and Stopping a Directory Server Instance” for more information on starting the server.
Example 15.4. Example Supplier Bind DN Entry
dn: cn=replication manager,cn=config
objectClass: top
objectClass: device
objectClass: simpleSecurityObject
cn: replication manager
userPassword: strong_password
nsIdleTimeout: 0
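Example 15.4 omits the passwordExpirationTime attribute that the password-expiration step calls for, which is the kind of slip that surfaces later as a replication outage. As an added check (not part of the Red Hat documentation), the Python script below parses an LDIF entry and lints it against the requirements listed on this page; the MIN_IDLE_TIMEOUT floor, the treatment of 0 as "no limit" (as in the page's example), and the sample replicated suffix are assumptions.

```python
NEVER_EXPIRES = "20380119031407Z"  # value the page gives for "never expires"
MIN_IDLE_TIMEOUT = 3600            # assumed floor in seconds; 0 means no limit


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute (lowercased): [values]}.
    Joins continuation lines (leading space), skips comments and blanks."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def check_supplier_bind_dn(entry, replicated_suffixes):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    dn = entry.get("dn", [""])[0].lower()
    for suffix in replicated_suffixes:  # must not be in the replicated database
        if dn == suffix.lower() or dn.endswith("," + suffix.lower()):
            problems.append(f"{dn} lies inside replicated suffix {suffix}")
    if "userpassword" not in entry:
        problems.append("no userPassword set")
    timeout = entry.get("nsidletimeout", [None])[0]
    if timeout is None:
        problems.append("no nsIdleTimeout set")
    elif not timeout.isdigit() or 0 < int(timeout) < MIN_IDLE_TIMEOUT:
        problems.append(f"nsIdleTimeout {timeout} too short for initialization")
    if entry.get("passwordexpirationtime", [None])[0] != NEVER_EXPIRES:
        problems.append(f"passwordExpirationTime is not {NEVER_EXPIRES}")
    return problems


# Constructed sample: the entry from Example 15.4, before the expiration step
PAGE_EXAMPLE = """dn: cn=replication manager,cn=config
objectClass: top
objectClass: device
objectClass: simpleSecurityObject
cn: replication manager
userPassword: strong_password
nsIdleTimeout: 0
"""
```

Running check_supplier_bind_dn(parse_ldif_entry(PAGE_EXAMPLE), ["dc=example,dc=com"]) reports only the missing passwordExpirationTime; adding that attribute with the value above makes the entry pass.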