Red Hat Training

A Red Hat training course is available for Red Hat Directory Server

15.5. Configuring Single-Master Replication

To set up single-master replication such as the configuration shown in Figure 15.1, “Single-Master Replication”, between supplier Server A, which holds a read-write replica, and the two consumers Server B and Server C, which each hold a read-only replica, there are three major steps:

15.5.1. Configuring the Read-Write Replica on the Supplier Server

  1. Specify the supplier settings for the server.
    1. In the Directory Server Console, select the Configuration tab.
    2. In the navigation tree, select the Replication folder.
    3. In the right-hand side of the window, select the Supplier Settings tab.
    4. Check the Enable Changelog check box.
      This activates all of the fields in the pane below that were previously grayed out.
    5. Specify a changelog by clicking the Use default button, or click the Browse button to display a file selector.
    6. Set the changelog parameters for the number and age of the log files.
      Clear the unlimited check boxes to specify different values.

      Note

      Red Hat recommends setting the maximum changelog age to 7 days.
    7. Click Save.
  2. Specify the replication settings required for a read-write replica.
    1. In the navigation tree on the Configuration tab, expand the Replication node, and highlight the database to replicate.
      The Replica Settings tab opens in the right-hand side of the window.
    2. Check the Enable Replica check box.
    3. In the Replica Role section, select the Single Master radio button.
    4. In the Common Settings section, specify a Replica ID, which is an integer between 1 and 65534, inclusive.
      The replica ID must be unique for a given suffix, different from any other ID used for read-write replicas on this server and on other servers.
    5. In the Common Settings section, specify a purge delay in the Purge delay field.
      The purge delay is how often the state information stored for the replicated entries is deleted.
    6. Click Save.

15.5.2. Configuring the Read-Only Replica on the Consumer

  1. Create the database for the read-only replica if it does not exist. See Section 2.1.1, “Creating Suffixes” for instructions on creating suffixes.
  2. Create the entry for the supplier bind DN on the consumer server if it does not exist. The supplier bind DN is the special entry that the supplier will use to bind to the consumer. This is described in Section 15.4, “Creating the Supplier Bind DN Entry”.
  3. Specify the replication settings required for a read-only replica.
    1. In the Directory Server Console, select the Configuration tab.
    2. In the navigation tree, expand the Replication folder, and select the replica database.
      If you want to replicate the o=NetscapeRoot database, see Section 15.22, “Replicating o=NetscapeRoot for Administration Server Failover”.
    3. In the Replica Settings tab of the selected database, check the Enable Replica check box.
    4. In the Replica Role section, select the Dedicated Consumer radio button.
    5. In the Common Settings section, specify a purge delay in the Purge delay field.
      This option indicates how often the state information stored for the replicated entries is purged.
    6. In the Update Settings section, specify the bind DN that the supplier will use to bind to the replica. Enter the supplier bind DN in the Enter a new Supplier DN field, and click Add. The supplier bind DN appears in the Current Supplier DNs list.
      The supplier bind DN should be the entry created in step 2. The supplier bind DN is a privileged user because it is not subject to access control.

      Note

      There can be multiple supplier bind DNs per consumer but only one supplier DN per replication agreement.
    7. Specify the URL for any supplier servers to which to refer updates.
      By default, all updates are first referred to the supplier servers that are specified here. If no suppliers are set here, updates are referred to the supplier servers that have a replication agreement that includes the current replica.
      Automatic referrals assume that clients bind over a regular connection; this has a URL in the form ldap://hostname:port. For clients to bind to the supplier using TLS, use this field to specify a referral of the form ldaps://hostname:port, where the s in ldaps indicates a secure connection.

      Note

      It is also possible to use IPv4 or IPv6 addresses instead of the host name.
  4. Click Save.
Repeat these steps for every consumer server in the replication configuration.

15.5.3. Creating the Replication Agreement

On the supplier, create one replication agreement for each read-only replica. For example, in the scenario illustrated in Figure 15.1, “Single-Master Replication”, Server A has two replication agreements, one for Server B and one for Server C.
  1. In the navigation tree of the Configuration tab, right-click the database to replicate, and select New Replication Agreement.
    Alternatively, highlight the database, and select New Replication Agreement from the Object menu to start the Replication Agreement Wizard.
  2. In the first screen, fill in a name and description for the replication agreement, and hit Next.
  3. In the Source and Destination screen, fill in the URL (hostname:port or IP_address:port, with IPv4 or IPv6 addresses) for the consumer and the supplier bind DN and password on that consumer. If the target server is not available, hit in other to fill in the information manually.
    • Unless there is more than one instance of Directory Server configured, by default, there are no consumers available in the drop-down menu.
    • The port listed is the non-TLS port, even if the Directory Server instance is configured to run over TLS. This port number is used only for identification of the Directory Server instance in the Console; it does not specify the actual port number or protocol that is used for replication.
    • If TLS is enabled on the servers, it is possible to select the Using encrypted SSL connection radio button for TLS client authentication. Otherwise, fill in the supplier bind DN and password.

      Note

      If attribute encryption is enabled, a secure connection must be used for the encrypted attributes to be replicated.
  4. Select the connection type. There are three options:
    • Use LDAP. This sets a standard, unencrypted connection.
    • Use TLS/SSL. This uses a secure connection over the server's secure LDAPS port, such as 636. This setting is required to use TLS.
    • Use Start TLS. This uses Start TLS to establish a secure connection over the server's standard port.

    Note

    If secure binds are required for simple password authentication (Section 19.11.1, “Requiring Secure Binds”), then any replication operations will fail unless they occur over a secure connection. Using a secure connection (TLS and Start TLS connections or SASL authentication) is recommended, anyway.
  5. Select the appropriate authentication method and supply the required information. This gives the information that the supplier uses to authenticate and bind to the consumer server to send updates.
    • Simple means that the server connects over the standard port with no encryption. The only required information is the bind DN and password for the Replication Manager (which must exist on the consumer server).
    • Server TLS/SSL Certificate uses the supplier's TLS certificate to authenticate to the consumer server. A certificate must be installed on the supplier for certificate-based authentication, and the consumer server must have certificate mapping configured so that it can map the subject DN in the supplier's certificate to its Replication Manager entry.
      Configuring TLS and certificate mapping is described in Section 9.4, “Enabling TLS”.
    • SASL/DIGEST-MD5, like simple authentication, this insecure method requires only the bind DN and password to authenticate. This can run over a standard or TLS connection.
    • SASL/GSSAPI requires the supplier server to have a Kerberos keytab (as in Section 9.10.2.2, “About the KDC Server and Keytabs”), and the consumer server to have a SASL mapping to map the supplier's principal to the real replication manager entry (as in Section 9.9.3.1, “Configuring SASL Identity Mapping from the Console”).
  6. Fractional replication controls which entry attributes are replicated between servers. By default, all attributes are replicated. To select attributes that will not be replicated to the consumer, check the Enable Fractional Replication check box. Then, highlight the attribute (or attributes) in the Included column on the right, and click Remove. All attributes that will not be replicated are listed in the Excluded column on the left, as well as in the summary the replication agreement is complete.
  7. Set the schedule for when replication runs. By default, replication runs continually.

    Note

    The replication schedule cannot cross midnight (0000). So, it is possible to set a schedule that begins at 0001 and ends at 2359 on the same day, but it is not possible to set one that begins at 2359 on one day and ends at 0001 on the next.
    Hit Next.
  8. Select Initialize consumer now, to start initializing after the replication agreement was completed, and click Next.

    Note

    Replication will not begin until the consumer is initialized.
    For further details on initializing consumers, see Section 15.18, “Initializing Consumers”.
  9. The final screen shows the settings for the replication agreement, as it will be included in the dse.ldif file. Hit Done to save the agreement.
The replication agreement is set up.

Note

After creating a replication agreement, the connection type (TLS or non-TLS) cannot be changed because LDAP and LDAPS connections use different ports. To change the connection type, re-create the replication agreement.