Chapter 15. Managing Replication
15.1. Replication Overview
15.1.1. What Directory Units Are Replicated
15.1.2. Read-Write and Read-Only Replicas
15.1.3. Suppliers and Consumers
- In the case of cascading replication, the hub server holds a read-only replica that it supplies to consumers. Section 15.4, “Cascading Replication” has more information.
- In the case of multi-master replication, the masters are both suppliers and consumers for the same information. For more information, see Section 15.3, “Multi-Master Replication”.
dsctl db2bak command or the web console. Both ways, the RUVs are written to the database before the backup starts.
15.1.5. Replication Identity
- It is created on the consumer server in the
- Create this entry on every server that receives updates from another server, meaning on every hub or dedicated consumer.
- When a replica is configured as a consumer or hub, this entry must be specified as the one authorized to perform replication updates.
- The replication agreement is created on the supplier server, and the DN of this entry must be specified in the replication agreement.
- This entry, with its special user profile, bypasses all access control rules defined on the consumer server for the database involved in that replication agreement.
15.1.6. Replication Agreement
- The database to be replicated.
- The consumer server to which the data is pushed.
- The days and times during which replication can occur.
- The DN and credentials that the supplier server must use to bind (the replication manager entry or supplier bind DN).
- How the connection is secured (TLS, client authentication).
- Any attributes that will not be replicated (fractional replication).
15.1.7. Replicating a Subset of Attributes with Fractional Replication
MAY keyword) in the schema, it is possible to set different attributes to be replicated for an incremental update and a total update. The incremental update list (nsDS5ReplicatedAttributeList) must always be set to enable fractional replication; if that is the only attribute set, then it applies to both incremental and total updates. The optional nsDS5ReplicatedAttributeListTotal attribute sets an additional fractional replication list for total updates. This is described in Section 15.10.1, “Setting Different Fractional Replication Attributes for Total and Incremental Updates”.
nsds5ReplicaStripAttrs attribute adds a list of attributes which cannot be sent in an empty replication event and are stripped from the update sequence. This logically includes operational attributes like
15.1.8. Replication over TLS
- Configure both the supplier and consumer servers to use TLS. See Section 9.4.1, “Enabling TLS in Directory Server”.
- Configure the consumer server to recognize the supplier server's certificate as the supplier DN. Do this only to use TLS client authentication rather than simple authentication. See Section 9.9, “Using Certificate-based Client Authentication”.
Important: Replication configured over TLS with certificate-based authentication fails if the supplier's certificate is only capable of behaving as a server certificate and not also as a client during a TLS handshake. Replication with certificate-based authentication uses the Directory Server's server certificate for authentication to the remote server.
If you use certutil to generate the Certificate Signing Request (CSR), pass the --nsCertType=sslClient,sslServer option to the command to set the required certificate type.
Configuring Replication over TLS
- When using user name and password authentication:
- When using certificate-based authentication, see Section 15.5, “Configuring Replication Partners to use Certificate-based Authentication”.
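The following Python check is an added example, not part of the Directory Server documentation. It reads one replication agreement entry in LDIF form and flags the agreement settings described in Sections 15.1.6 to 15.1.8: an unencrypted transport, a simple bind sent without TLS, and a total-update fractional list set without nsDS5ReplicatedAttributeList. The sample entry is constructed, and the attribute names nsDS5ReplicaTransportInfo, nsDS5ReplicaBindMethod and nsDS5ReplicaBindDN, their accepted values, and their defaults are assumptions of this example.

```python
import re

# Constructed sample agreement entry (hypothetical names, not from the page).
SAMPLE_LDIF = """\
dn: cn=example-agreement,cn=replica,cn="dc=example,dc=com",
 cn=mapping tree,cn=config
objectClass: nsDS5ReplicationAgreement
nsDS5ReplicaHost: consumer.example.com
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaTransportInfo: LDAP
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE jpegPhoto
"""

# Transport values treated as TLS-protected (assumption of this example).
TLS_TRANSPORTS = {"ssl", "ldaps", "tls", "starttls"}

def parse_entry(ldif):
    """Unfold LDIF continuation lines; return {lowercased attribute: [values]}."""
    entry = {}
    for line in re.sub(r"\r?\n ", "", ldif).splitlines():
        if line and not line.startswith("#") and ":" in line:
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def audit_agreement(entry):
    """Return findings for one agreement entry; an empty list means none."""
    def first(attr, default=""):
        return entry.get(attr, [default])[0]
    # Assumed defaults when the attribute is absent: LDAP transport, SIMPLE bind.
    transport = first("nsds5replicatransportinfo", "LDAP").lower()
    method = first("nsds5replicabindmethod", "SIMPLE").lower()
    findings = []
    if transport not in TLS_TRANSPORTS:
        findings.append("transport is not TLS: updates cross the network in clear text")
        if method == "simple":
            findings.append("simple bind without TLS exposes the supplier bind DN password")
        elif method == "sslclientauth":
            findings.append("certificate-based bind needs a TLS transport")
    if method == "simple" and not first("nsds5replicabinddn"):
        findings.append("simple bind configured without a supplier bind DN")
    if ("nsds5replicatedattributelisttotal" in entry
            and "nsds5replicatedattributelist" not in entry):
        findings.append("total-update list set without nsDS5ReplicatedAttributeList")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_agreement(parse_entry(SAMPLE_LDIF))))
```

To audit a live server, feed it the agreement entries exported from cn=config; base64-encoded values (`attr:: ...`) are not decoded by this parser.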