15.7. Configuring Cascading Replication

Setting up cascading replication, as shown in Figure 15.4, “Cascading Replication”, has three major steps, one for each server in the scenario: the supplier on Server A, which holds a read-write replica; the consumer/supplier on hub Server B, which holds a read-only replica; and the consumer on Server C, which holds a read-only replica.

15.7.1. Configuring the Read-Write Replica on the Supplier Server

First, configure the supplier server, which holds the original copy of the database:
  1. Specify the supplier settings for the server.
    1. In the Directory Server Console, select the Configuration tab.
    2. In the navigation tree, select the Replication folder.
    3. In the right-hand side of the window, select the Supplier Settings tab.
    4. Check the Enable Changelog check box.
      This activates all of the fields in the pane below that were previously grayed out.
    5. Specify a changelog by clicking the Use default button, or click the Browse button to display a file selector.
    6. Set the changelog parameters for the number and age of the log files.
      Clear the unlimited check boxes to specify different values.
    7. Click Save.
  2. Specify the replication settings required for a read-write replica.
    1. In the navigation tree on the Configuration tab, expand the Replication node, and highlight the database to replicate.
      The Replica Settings tab opens in the right-hand side of the window.
    2. Check the Enable Replica check box.
    3. In the Replica Role section, select the Single Master radio button.
    4. In the Common Settings section, specify a Replica ID, which is an integer between 1 and 65534, inclusive.
      The replica ID must be unique for a given suffix, different from any other ID used for read-write replicas on this server and on other servers.
    5. In the Common Settings section, specify a purge delay in the Purge delay field.
      The purge delay is how often the state information stored for the replicated entries is deleted.
    6. Click Save.
After setting up the supplier replica, begin configuring the replication agreements.

15.7.2. Configuring the Read-Only Replica on the Consumer Server

  1. Create the database for the read-only replica if it does not exist. See Section 2.1.1, “Creating Suffixes” for instructions on creating suffixes.
  2. Create the entry for the supplier bind DN on the consumer server if it does not exist. The supplier bind DN is the special entry that the supplier will use to bind to the consumer. This is described in Section 15.4, “Creating the Supplier Bind DN Entry”.
  3. Specify the replication settings required for a read-only replica.
    1. In the Directory Server Console, select the Configuration tab.
    2. In the navigation tree, expand the Replication folder, and highlight the replica database.
      The Replica Settings tab for that database opens in the right-hand side of the window.
    3. Check the Enable Replica check box.
    4. In the Replica Role section, select the Dedicated Consumer radio button.
    5. In the Common Settings section, specify a purge delay in the Purge delay field.
      This option indicates how often the state information stored for the replicated entries is purged.
    6. In the Update Settings section, specify the bind DN that the supplier will use to bind to the replica. Enter the supplier bind DN in the Enter a new Supplier DN field, and click Add. The supplier bind DN appears in the Current Supplier DNs list.
      The supplier bind DN should be the entry created in step 2. The supplier bind DN is a privileged user because it is not subject to access control in the replicated database.

      Note

      There can be multiple supplier bind DNs per consumer but only one supplier DN per replication agreement.
    7. Specify the URL (hostname:port or IP_address:port, with IPv4 or IPv6 addresses) for any supplier servers to which to refer updates.
      By default, all updates are first referred to the supplier servers that are specified here. If no suppliers are set here, updates are referred to the supplier servers that have a replication agreement that includes the current replica.
      In cascading replication, referrals are automatically sent to the hub server, which in turn refers the request to the original supplier. Therefore, set a referral to the original supplier to replace the automatically generated referral.
  4. Click Save.
Repeat these steps for every consumer server in the replication configuration, then configure the hub replica.

15.7.3. Configuring the Read-Only Replica on the Hub

Do this to set up a hub, which receives replication updates from the supplier and propagates them to consumers:
  1. Create the database for the read-only replica if it does not exist. See Section 2.1.1, “Creating Suffixes” for instructions on creating suffixes.
  2. Create the entry for the supplier bind DN on the consumer server if it does not exist. The supplier bind DN is the special entry that the supplier will use to bind to the consumer. This is described in Section 15.4, “Creating the Supplier Bind DN Entry”.
  3. Create the changelog for the hub server.
    The hub must maintain a changelog even though it does not accept update operations because it records the changes sent from the supplier server.
    1. In the Directory Server Console, select the Configuration tab.
    2. In the navigation tree, select the Replication folder.
    3. In the right-hand side of the window, select the Supplier Settings tab.
    4. Check the Enable Changelog check box.
      This activates all of the fields in the pane below that were previously grayed out.
    5. Specify a changelog by clicking the Use default button, or click the Browse button to display a file selector.
    6. Set the changelog parameters for the number and age of the log files.
      Clear the unlimited check boxes to specify different values.
    7. Click Save.
  4. Specify the required hub replica settings.
    1. In the Directory Server Console, select the Configuration tab.
    2. In the navigation tree, expand the Replication folder, and highlight the replica database.
      The Replica Settings tab for that database opens in the right-hand side of the window.
    3. Check the Enable Replica check box.
    4. In the Replica Role section, select the Hub radio button.
    5. In the Common Settings section, specify a purge delay in the Purge delay field.
      This option sets how often the state information stored for the replicated entries is purged.
    6. In the Update Settings section, specify the bind DN that the supplier will use to bind to the replica. Enter the supplier bind DN in the Enter a new Supplier DN field, and click Add. The supplier bind DN appears in the Current Supplier DNs list.
      The supplier bind DN should be the entry created in step 2. The supplier bind DN is a privileged user because it is not subject to access control in the replicated database.

      Note

      There can be multiple supplier bind DNs per consumer but only one supplier DN per replication agreement.
    7. Specify the URL for any supplier servers to which to refer updates.
      By default, all updates are first referred to the supplier servers that are specified here. If no suppliers are set here, updates are referred to the supplier servers that have a replication agreement that includes the current replica.
      Automatic referrals assume that clients bind over a regular connection; this has a URL in the form ldap://hostname:port. For clients to bind to the supplier using TLS, use this field to specify a referral of the form ldaps://hostname:port, where the s in ldaps indicates a secure connection.

      Note

      It is also possible to use IPv4 or IPv6 addresses instead of the host name.
  5. Click Save.
When all the hubs are configured, configure the supplier replica.

15.7.4. Setting up the Replication Agreements

Cascading replication requires two sets of replication agreements, the first between the supplier and the hub and the second between the hub and the consumer. To set up the replication agreements:
  1. Create the replication agreement on the supplier for the hub, then use the supplier server to initialize the replica on the hub server.
  2. Then create the replication agreement on the hub for each consumer, and initialize the consumer replicas from the hub.
To set up a replication agreement:
  1. In the navigation tree of the Configuration tab, right-click the database to replicate, and select New Replication Agreement.
    Alternatively, highlight the database, and select New Replication Agreement from the Object menu to start the Replication Agreement Wizard.
  2. In the first screen, fill in a name and description for the replication agreement, and hit Next.
  3. In the Source and Destination screen, fill in the URL (hostname:port or IP_address:port, with IPv4 or IPv6 addresses) for the consumer and the supplier bind DN and password on that consumer. If the target server is not available, hit Other to fill in the information manually.
    • Unless there is more than one instance of Directory Server configured, by default, there are no consumers available in the drop-down menu. The server URL can be entered manually as hostname:port or IP_address:port, with IPv4 or IPv6 addresses.
    • The port listed is the non-TLS port, even if the Directory Server instance is configured to run over TLS. This port number is used only for identification of the Directory Server instance in the Console; it does not specify the actual port number or protocol that is used for replication.
    • If TLS is enabled on the servers, it is possible to select the Using encrypted SSL connection radio button for TLS client authentication. Otherwise, fill in the supplier bind DN and password.

      Note

      If attribute encryption is enabled, a secure connection must be used for the encrypted attributes to be replicated.
  4. Select the connection type. There are three options:
    • Use LDAP. This sets a standard, unencrypted connection.
    • Use TLS/SSL. This uses a secure connection over the server's secure LDAPS port, such as 636. This setting is required to use TLS.
    • Use Start TLS. This uses Start TLS to establish a secure connection over the server's standard port.

    Note

    If secure binds are required for simple password authentication (Section 19.11.1, “Requiring Secure Binds”), then any replication operations will fail unless they occur over a secure connection. Using a secure connection (TLS and Start TLS connections or SASL authentication) is recommended in any case.
  5. Select the appropriate authentication method and supply the required information. This gives the information that the supplier uses to authenticate and bind to the consumer server to send updates.
    • Simple means that the server connects over the standard port with no encryption. The only required information is the bind DN and password for the Replication Manager (which must exist on the consumer server).
    • Server TLS/SSL Certificate uses the supplier's TLS certificate to authenticate to the consumer server. A certificate must be installed on the supplier for certificate-based authentication, and the consumer server must have certificate mapping configured so that it can map the subject DN in the supplier's certificate to its Replication Manager entry.
      Configuring TLS and certificate mapping is described in Section 9.4, “Enabling TLS”.
    • SASL/DIGEST-MD5, like simple authentication, requires only the bind DN and password to authenticate. This can run over a standard or TLS connection.
    • SASL/GSSAPI requires the supplier server to have a Kerberos keytab (as in Section 9.10.2.2, “About the KDC Server and Keytabs”), and the consumer server to have a SASL mapping to map the supplier's principal to the real replication manager entry (as in Section 9.9.3.1, “Configuring SASL Identity Mapping from the Console”).
  6. Hit Next.
  7. Fractional replication controls which entry attributes are replicated between servers. By default, all attributes are replicated. To select attributes that will not be replicated to the consumer, check the Enable Fractional Replication check box. Then, highlight the attribute (or attributes) in the Included column on the right, and click Remove. All attributes that will not be replicated are listed in the Excluded column on the left, as well as in the summary shown when the replication agreement is complete.
  8. Set the schedule for when replication runs. By default, replication runs continually.

    Note

    The replication schedule cannot cross midnight (0000). So, it is possible to set a schedule that begins at 0001 and ends at 2359 on the same day, but it is not possible to set one that begins at 2359 on one day and ends at 0001 on the next.
    Hit Next.
  9. Set when the consumer is initialized. Initializing a consumer manually copies all data over from the supplier to the consumer. The default is to create an initialization file (an LDIF of all supplier data) so that the consumer can be initialized later. It is also possible to initialize the consumer as soon as the replication agreement is completed or not at all. For information on initializing consumers, see Section 15.18, “Initializing Consumers”. For cascading replication, consider the following:
    • Create the supplier-hub replication agreement on the supplier first, and initialize the hub from the supplier.
    • Create the hub-consumer replication agreements on the hub, and initialize the consumers from the hub.

    Note

    Replication will not begin until the consumer is initialized.

    Important

    For multi-master replication, be sure that consumers are only initialized once, by one supplier. When checking the replication status, be sure to check the replication agreement entry, on the appropriate supplier, which was used to initialize the consumer.
    Hit Next.
  10. The final screen shows the settings for the replication agreement, as it will be included in the dse.ldif file. Hit Done to save the agreement.

Note

After creating a replication agreement, the connection type (TLS or non-TLS) cannot be changed because LDAP and LDAPS connections use different ports. To change the connection type, re-create the replication agreement.
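The Console enforces the rules above one dialog at a time; the following added example (not code from the Directory Server guide) collects the rules this section states for a cascading topology into one pre-flight check: the replica ID range and per-suffix uniqueness, the changelog the hub must keep even though it is read-only, the schedule that cannot cross midnight, and the secure connection that secure binds require. The server names, suffix, replica ID and schedule values are constructed samples for the Server A -> B -> C layout of Figure 15.4.

```python
# Added example (not from the Directory Server guide): checks a cascading replication plan
# against this section's rules; names, suffix, IDs and schedules are constructed samples.
from dataclasses import dataclass
from typing import List, Optional, Tuple

READ_WRITE, HUB, READ_ONLY = "read-write", "hub", "read-only"

@dataclass
class Replica:
    server: str
    suffix: str
    role: str                          # READ_WRITE, HUB or READ_ONLY
    changelog: bool                    # Enable Changelog checked under Supplier Settings
    replica_id: Optional[int] = None   # only a read-write replica needs one

@dataclass
class Agreement:
    supplier: str
    consumer: str
    transport: str                     # "LDAP", "TLS/SSL" or "Start TLS"
    schedule: Optional[Tuple[str, str]] = None  # (start, end) as HHMM; None = continuous

def schedule_errors(sched: Tuple[str, str]) -> List[str]:
    # A schedule cannot cross midnight: 0001-2359 is valid, 2359-0001 is not.
    start, end = sched
    if not all(len(t) == 4 and t.isdigit() and t < "2400" and t[2:] < "60" for t in sched):
        return [f"schedule {start}-{end}: times must be HHMM"]
    return [] if start < end else [f"schedule {start}-{end}: cannot cross midnight (0000)"]

def topology_errors(replicas, agreements, secure_binds_required=False) -> List[str]:
    errors, seen = [], {}              # seen maps (suffix, replica ID) -> server
    for r in replicas:
        if r.role == READ_WRITE:       # replica ID: integer 1..65534, unique per suffix
            if r.replica_id is None or not 1 <= r.replica_id <= 65534:
                errors.append(f"{r.server}: replica ID must be between 1 and 65534")
            elif (r.suffix, r.replica_id) in seen:
                errors.append(f"{r.server}: replica ID {r.replica_id} already used by {seen[r.suffix, r.replica_id]} for {r.suffix}")
            seen[r.suffix, r.replica_id] = r.server
        if r.role in (READ_WRITE, HUB) and not r.changelog:  # a hub is read-only but relays changes
            errors.append(f"{r.server}: {r.role} replica needs Enable Changelog")
    for a in agreements:
        if secure_binds_required and a.transport == "LDAP":
            errors.append(f"{a.supplier} -> {a.consumer}: secure binds require TLS/SSL or Start TLS")
        errors.extend(schedule_errors(a.schedule) if a.schedule else [])
    return errors

# Constructed sample: supplier A, hub B (changelog forgotten), consumer C fed over plain LDAP.
SAMPLE = ([Replica("A", "dc=example,dc=com", READ_WRITE, True, 7),
           Replica("B", "dc=example,dc=com", HUB, False),
           Replica("C", "dc=example,dc=com", READ_ONLY, False)],
          [Agreement("A", "B", "TLS/SSL"), Agreement("B", "C", "LDAP", ("2359", "0001"))])
```

Calling `topology_errors(*SAMPLE, secure_binds_required=True)` reports the three mistakes planted in the sample: the hub without a changelog, the plain-LDAP agreement while secure binds are required, and the schedule that crosses midnight.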