15.5. Configuring Bootstrap Credentials

When you use bind distinguished name (DN) groups in a replication agreement, there can be situations where the group is not present on the replica or is outdated:
  • During online initialization, where you must authenticate to the replica before its database (and therefore the group) is initialized
  • When you use GSSAPI as the authentication method and the Kerberos credentials are changed
If you configured bootstrap credentials in a replication agreement, Directory Server uses these credentials if the connection fails with one of the following errors:
  • LDAP_INVALID_CREDENTIALS (err=49)
  • LDAP_INAPPROPRIATE_AUTH (err=48)
  • LDAP_NO_SUCH_OBJECT (err=32)
If the bind succeeds with the bootstrap credentials, the server establishes the replication connection and a new replication session begins. This session replicates any pending updates to the bind DN group members. By default, on the next replication session Directory Server uses the default credentials in the agreement again, which now succeed.
If the bootstrap credentials also fail, Directory Server stops trying to connect.
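The fallback rule above, as a small Python simulation added here for illustration (it is not Directory Server or lib389 code): a mock consumer accepts a bind either for the configured bootstrap DN or for a current member of the bind DN group, and the agreement tries the default bind DN first, falls back to the bootstrap DN only on err=49, 48 or 32, and gives up if that bind fails too. The DNs and the "consumer unreachable" case returning LDAP_UNAVAILABLE (err=52) are constructed assumptions; the latter goes beyond the text only to show that an error outside the listed three does not trigger the bootstrap bind.

```python
"""Constructed model of the bootstrap-credential fallback in a replication
agreement. Not Directory Server code; it only encodes the documented rule."""

LDAP_SUCCESS = 0
LDAP_NO_SUCH_OBJECT = 32
LDAP_INAPPROPRIATE_AUTH = 48
LDAP_INVALID_CREDENTIALS = 49
LDAP_UNAVAILABLE = 52  # assumed contrasting case: not a bootstrap trigger

# Result codes on which the supplier retries with the bootstrap credentials.
BOOTSTRAP_TRIGGERS = {LDAP_NO_SUCH_OBJECT, LDAP_INAPPROPRIATE_AUTH,
                      LDAP_INVALID_CREDENTIALS}

REPL_DN = "cn=replication manager,cn=config"   # constructed sample DN
BOOT_DN = "cn=bootstrap,cn=config"             # constructed sample DN


class MockConsumer:
    """Toy consumer replica. A bind succeeds for the bootstrap DN or for any
    current member of the bind DN group; anything else gets err=49."""

    def __init__(self, group_members, bootstrap_dn, reachable=True):
        self.group_members = set(group_members)
        self.bootstrap_dn = bootstrap_dn
        self.reachable = reachable

    def bind(self, dn):
        if not self.reachable:
            return LDAP_UNAVAILABLE
        if dn == self.bootstrap_dn or dn in self.group_members:
            return LDAP_SUCCESS
        return LDAP_INVALID_CREDENTIALS

    def apply_updates(self, new_members):
        # A replication session carries the group membership the consumer lacks.
        self.group_members.update(new_members)


class Agreement:
    """Replication agreement with a default bind DN and optional bootstrap DN."""

    def __init__(self, bind_dn, bootstrap_bind_dn=None):
        self.bind_dn = bind_dn
        self.bootstrap_bind_dn = bootstrap_bind_dn

    def run_session(self, consumer, pending_updates):
        """One replication session. Returns (attempts, connected), where
        attempts lists every (dn, result_code) bind that was tried."""
        attempts = []
        rc = consumer.bind(self.bind_dn)          # default credentials first
        attempts.append((self.bind_dn, rc))
        if rc == LDAP_SUCCESS:
            consumer.apply_updates(pending_updates)
            return attempts, True
        # Only the three listed errors trigger the bootstrap credentials.
        if rc not in BOOTSTRAP_TRIGGERS or self.bootstrap_bind_dn is None:
            return attempts, False
        rc = consumer.bind(self.bootstrap_bind_dn)
        attempts.append((self.bootstrap_bind_dn, rc))
        if rc == LDAP_SUCCESS:
            consumer.apply_updates(pending_updates)
            return attempts, True
        return attempts, False                    # bootstrap failed too: stop


def scenario_group_outdated():
    """Consumer group lacks REPL_DN; session 1 needs the bootstrap DN and
    replicates the membership, so session 2 succeeds with default creds."""
    consumer = MockConsumer(group_members=[], bootstrap_dn=BOOT_DN)
    agmt = Agreement(REPL_DN, bootstrap_bind_dn=BOOT_DN)
    first = agmt.run_session(consumer, pending_updates={REPL_DN})
    second = agmt.run_session(consumer, pending_updates=set())
    return first, second


def scenario_no_bootstrap():
    """Same outdated group, but no bootstrap credentials configured."""
    consumer = MockConsumer(group_members=[], bootstrap_dn=BOOT_DN)
    return Agreement(REPL_DN).run_session(consumer, pending_updates={REPL_DN})


def scenario_bootstrap_wrong():
    """Bootstrap DN in the agreement does not match the consumer: give up."""
    consumer = MockConsumer(group_members=[], bootstrap_dn="cn=other,cn=config")
    agmt = Agreement(REPL_DN, bootstrap_bind_dn=BOOT_DN)
    return agmt.run_session(consumer, pending_updates={REPL_DN})


def scenario_consumer_unreachable():
    """err=52 is not in the trigger set, so no bootstrap bind is attempted."""
    consumer = MockConsumer(group_members=[], bootstrap_dn=BOOT_DN, reachable=False)
    agmt = Agreement(REPL_DN, bootstrap_bind_dn=BOOT_DN)
    return agmt.run_session(consumer, pending_updates={REPL_DN})


if __name__ == "__main__":
    for name in ("scenario_group_outdated", "scenario_no_bootstrap",
                 "scenario_bootstrap_wrong", "scenario_consumer_unreachable"):
        print(name, globals()[name]())
```

Running the module prints each scenario's bind attempts; the group-outdated case shows the second session binding with the default DN only, which is the "now succeeds" behaviour described above.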

Procedure

To set the bootstrap credentials when you create a replication agreement:
# dsconf -D "cn=Directory Manager" ldap://supplier.example.com repl-agmt create ... --bootstrap-bind-dn "bind_DN" --bootstrap-bind-passwd "password" --bootstrap-bind-method bind_method --bootstrap-conn-protocol connection_protocol ...
To set the bootstrap credentials in an existing replication agreement:
# dsconf -D "cn=Directory Manager" ldap://supplier.example.com repl-agmt set --suffix="suffix" --bootstrap-bind-dn "bind_DN" --bootstrap-bind-passwd "password" --bootstrap-bind-method bind_method --bootstrap-conn-protocol connection_protocol agreement_name