
Configuring DS Replication with LDAP Tools

Endi S. Dewata edited this page Dec 3, 2023 · 5 revisions

Overview

This page describes how to configure bi-directional replication between two DS instances using the LDAP command-line tools (ldapadd, ldapmodify, ldapsearch). The examples use dc=ca,dc=pki,dc=example,dc=com as the replicated suffix and Secret.123 as a placeholder for every password; replace both for a real deployment. Note that -x -w over ldap:// sends the Directory Manager password in clear text and leaves it visible in the process list; in production connect with ldaps:// (or StartTLS with -ZZ) and supply the password from a file with -y instead of on the command line.

Prerequisites

  • Install primary DS

  • Import data into primary DS

  • Install secondary DS

Creating Replication Managers

To create the replication manager on the primary DS:

$ ldapadd \
    -H ldap://primaryds.example.com \
    -x \
    -D "cn=Directory Manager" \
    -w Secret.123 << EOF
dn: ou=csusers,cn=config
objectClass: top
objectClass: organizationalUnit
ou: csusers

dn: cn=Replication Manager masterAgreement1-secondaryds.example.com-pki-tomcat,ou=csusers,cn=config
objectClass: top
objectClass: person
cn: Replication Manager masterAgreement1-secondaryds.example.com-pki-tomcat
sn: manager
userPassword: Secret.123
EOF

To create the replication manager on the secondary DS (its password must match the nsds5replicacredentials of the agreement on the primary, which binds as this manager):

$ ldapadd \
    -H ldap://secondaryds.example.com \
    -x \
    -D "cn=Directory Manager" \
    -w Secret.123 << EOF
dn: ou=csusers,cn=config
objectClass: top
objectClass: organizationalUnit
ou: csusers

dn: cn=Replication Manager cloneAgreement1-secondaryds.example.com-pki-tomcat,ou=csusers,cn=config
objectClass: top
objectClass: person
cn: Replication Manager cloneAgreement1-secondaryds.example.com-pki-tomcat
sn: manager
userPassword: Secret.123
EOF

Creating Replica Objects

To create the replica object on the primary DS. nsDS5ReplicaType 3 together with nsds5flags 1 makes the instance a writable supplier with a changelog; nsDS5ReplicaBindDN is the replication manager the other server binds as when it replicates to this one, and nsDS5ReplicaId must be unique across all suppliers:

$ ldapadd \
    -H ldap://primaryds.example.com \
    -x \
    -D "cn=Directory Manager" \
    -w Secret.123 << EOF
dn: cn=replica,cn="dc=ca,dc=pki,dc=example,dc=com",cn=mapping tree,cn=config
objectclass: top
objectclass: nsDS5Replica
objectclass: extensibleobject
cn: replica
nsDS5ReplicaRoot: dc=ca,dc=pki,dc=example,dc=com
nsDS5ReplicaType: 3
nsDS5ReplicaBindDN: cn=Replication Manager masterAgreement1-secondaryds.example.com-pki-tomcat,ou=csusers,cn=config
nsDS5ReplicaId: 1
nsds5flags: 1
EOF

To create the replica object on the secondary DS, with a different nsDS5ReplicaId and its own replication manager as the accepted bind DN:

$ ldapadd \
    -H ldap://secondaryds.example.com \
    -x \
    -D "cn=Directory Manager" \
    -w Secret.123 << EOF
dn: cn=replica,cn="dc=ca,dc=pki,dc=example,dc=com",cn=mapping tree,cn=config
objectclass: top
objectclass: nsDS5Replica
objectclass: extensibleobject
cn: replica
nsDS5ReplicaRoot: dc=ca,dc=pki,dc=example,dc=com
nsDS5ReplicaType: 3
nsDS5ReplicaBindDN: cn=Replication Manager cloneAgreement1-secondaryds.example.com-pki-tomcat,ou=csusers,cn=config
nsDS5ReplicaId: 2
nsds5flags: 1
EOF

Creating Replication Agreements

To create the replication agreement on the primary DS. This agreement replicates to the secondary, so nsDS5ReplicaBindDN is the replication manager created on the secondary and nsds5replicacredentials is that manager's password:

$ ldapadd \
    -H ldap://primaryds.example.com \
    -x \
    -D "cn=Directory Manager" \
    -w Secret.123 << EOF
dn: cn=masterAgreement1-secondaryds.example.com-pki-tomcat,cn=replica,cn="dc=ca,dc=pki,dc=example,dc=com",cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: masterAgreement1-secondaryds.example.com-pki-tomcat
nsDS5ReplicaRoot: dc=ca,dc=pki,dc=example,dc=com
nsDS5ReplicaHost: secondaryds.example.com
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: cn=Replication Manager cloneAgreement1-secondaryds.example.com-pki-tomcat,ou=csusers,cn=config
nsDS5ReplicaBindMethod: Simple
nsds5replicacredentials: Secret.123
description: masterAgreement1-secondaryds.example.com-pki-tomcat
EOF

To create the replication agreement on the secondary DS. This agreement replicates to the primary, so it must bind as the replication manager that the primary's replica object accepts (the masterAgreement1 manager created on the primary), not as the secondary's own manager:

$ ldapadd \
    -H ldap://secondaryds.example.com \
    -x \
    -D "cn=Directory Manager" \
    -w Secret.123 << EOF
dn: cn=cloneAgreement1-secondaryds.example.com-pki-tomcat,cn=replica,cn="dc=ca,dc=pki,dc=example,dc=com",cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: cloneAgreement1-secondaryds.example.com-pki-tomcat
nsDS5ReplicaRoot: dc=ca,dc=pki,dc=example,dc=com
nsDS5ReplicaHost: primaryds.example.com
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: cn=Replication Manager masterAgreement1-secondaryds.example.com-pki-tomcat,ou=csusers,cn=config
nsDS5ReplicaBindMethod: Simple
nsds5replicacredentials: Secret.123
description: cloneAgreement1-secondaryds.example.com-pki-tomcat
EOF

To replicate over SSL (LDAPS) instead, set the following attributes in both agreements. With nsDS5ReplicaBindMethod Simple over plain LDAP on port 389, the replication manager password in nsds5replicacredentials crosses the network in clear text every time a replication session opens, so this is the configuration to use outside a test setup. Both instances must have TLS enabled and trust each other's server certificate. Newer 389 DS releases document the transport value as LDAPS; SSL is still accepted.

nsDS5ReplicaPort: 636
nsDS5ReplicaTransportInfo: SSL

Initializing Replication Agreement

To initialize the replication agreement, start a total update from the primary. This pushes the primary's copy of the suffix to the secondary and replaces whatever the secondary currently holds, so run it in this direction only and only once; afterwards the two agreements keep both instances in sync incrementally:

$ ldapmodify \
    -H ldap://primaryds.example.com \
    -x \
    -D "cn=Directory Manager" \
    -w Secret.123 << EOF
dn: cn=masterAgreement1-secondaryds.example.com-pki-tomcat,cn=replica,cn="dc=ca,dc=pki,dc=example,dc=com",cn=mapping tree,cn=config
changetype: modify
replace: nsds5beginreplicarefresh
nsds5beginreplicarefresh: start
EOF

Wait until the initialization is complete. While the total update runs, nsds5beginreplicarefresh has the value start; when it finishes the attribute is removed and nsds5replicalastinitstatus reports whether the update succeeded. Reading cn=config requires an authenticated bind, and the base DN itself contains double quotes, so wrap it in single quotes for the shell:

$ ldapsearch \
    -H ldap://primaryds.example.com \
    -x \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    -b 'cn=masterAgreement1-secondaryds.example.com-pki-tomcat,cn=replica,cn="dc=ca,dc=pki,dc=example,dc=com",cn=mapping tree,cn=config' \
    -s base \
    "(objectclass=*)" \
    nsds5beginreplicarefresh nsds5replicalastinitstatus
dn: cn=masterAgreement1-secondaryds.example.com-pki-tomcat,cn=replica,cn="dc=ca,dc=pki,dc=example,dc=com",cn=mapping tree,cn=config
nsds5beginreplicarefresh:
nsds5replicalastinitstatus:
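The whole procedure above, as an added example that is not part of the original page or of the pki project: a POSIX shell script that generates the replica and agreement LDIF for both instances from a few variables, verifies that each agreement binds as the manager the peer's replica object accepts (the cross-wiring that is easy to get backwards by hand), and parses ldapsearch output to tell whether the total update has finished. The hostnames, suffix, agreement names and the Secret.123 placeholder are the page's; the function names, the DM_PWFILE default and the sample ldapsearch outputs are assumptions of this example. Everything runs offline except apply_ldif, which is the only function that contacts a server.

```sh
#!/bin/sh
# Added example, not from the PKI wiki or the pki project: build the LDIF for
# both sides of the setup above, verify that each agreement binds as the DN the
# peer's replica object accepts, and decide from ldapsearch output whether the
# total update has finished. Hosts, suffix, agreement names and Secret.123 come
# from the page; function names, DM_PWFILE and the sample outputs are assumptions.

SUFFIX='dc=ca,dc=pki,dc=example,dc=com'
PRIMARY=primaryds.example.com
SECONDARY=secondaryds.example.com
MASTER_AGMT="masterAgreement1-$SECONDARY-pki-tomcat"
CLONE_AGMT="cloneAgreement1-$SECONDARY-pki-tomcat"

# Replication manager DN for an agreement name (see "Creating Replication Managers").
mgr_dn() { printf 'cn=Replication Manager %s,ou=csusers,cn=config' "$1"; }

# Replica object: $1 = nsDS5ReplicaId (unique per supplier), $2 = bind DN this
# server accepts for incoming replication sessions.
replica_ldif() {
    cat <<EOF
dn: cn=replica,cn="$SUFFIX",cn=mapping tree,cn=config
objectclass: top
objectclass: nsDS5Replica
objectclass: extensibleobject
cn: replica
nsDS5ReplicaRoot: $SUFFIX
nsDS5ReplicaType: 3
nsDS5ReplicaBindDN: $2
nsDS5ReplicaId: $1
nsds5flags: 1
EOF
}

# Agreement: $1 = name, $2 = peer host, $3 = bind DN the peer accepts, $4 = that
# manager's password. LDAPS on 636 keeps the Simple bind credential out of clear
# text on the wire (assumes TLS is enabled on both DS instances).
agreement_ldif() {
    cat <<EOF
dn: cn=$1,cn=replica,cn="$SUFFIX",cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: $1
nsDS5ReplicaRoot: $SUFFIX
nsDS5ReplicaHost: $2
nsDS5ReplicaPort: 636
nsDS5ReplicaTransportInfo: SSL
nsDS5ReplicaBindDN: $3
nsDS5ReplicaBindMethod: Simple
nsds5replicacredentials: $4
description: $1
EOF
}

# First value of attribute $1 in LDIF text on stdin (attribute names are
# case-insensitive; an attribute listed without a value yields an empty string).
ldif_attr() { grep -i "^$1: " | head -n 1 | cut -d' ' -f2-; }

# The agreement ($1) pushes to the peer, so it must bind as the DN the peer's
# replica object ($2) accepts; otherwise that direction never authenticates.
agreement_matches_replica() {
    have=$(printf '%s\n' "$1" | ldif_attr nsDS5ReplicaBindDN)
    want=$(printf '%s\n' "$2" | ldif_attr nsDS5ReplicaBindDN)
    [ -n "$have" ] && [ "$have" = "$want" ]
}

# Apply LDIF ($2) to host $1 as Directory Manager over LDAPS, reading the
# password from a file (-y) rather than exposing it in the process list (-w).
apply_ldif() {
    printf '%s\n' "$2" | ldapadd -H "ldaps://$1" -x \
        -D 'cn=Directory Manager' -y "${DM_PWFILE:-/root/.dm-pw}"
}

# 0 once the total update is done: nsds5beginreplicarefresh has disappeared (it
# reads "start" while running) and nsds5replicalastinitstatus reports success.
# Anything else, including a reported failure, returns 1. $1 = ldapsearch output.
init_finished() {
    refresh=$(printf '%s\n' "$1" | ldif_attr nsds5beginreplicarefresh)
    status=$(printf '%s\n' "$1" | ldif_attr nsds5replicalastinitstatus)
    [ -n "$refresh" ] && return 1
    case "$status" in *'Total update succeeded'*) return 0 ;; esac
    return 1
}

# The page's wiring: each replica accepts its own manager; each agreement binds
# as the peer's manager with the peer manager's password.
PRIMARY_REPLICA=$(replica_ldif 1 "$(mgr_dn "$MASTER_AGMT")")
SECONDARY_REPLICA=$(replica_ldif 2 "$(mgr_dn "$CLONE_AGMT")")
PRIMARY_AGMT=$(agreement_ldif "$MASTER_AGMT" "$SECONDARY" "$(mgr_dn "$CLONE_AGMT")" Secret.123)
SECONDARY_AGMT=$(agreement_ldif "$CLONE_AGMT" "$PRIMARY" "$(mgr_dn "$MASTER_AGMT")" Secret.123)

# Constructed ldapsearch outputs (not captured from a real server).
POLL_RUNNING='nsds5beginreplicarefresh: start'
POLL_DONE='nsds5replicalastinitstatus: Error (0) Total update succeeded'

if agreement_matches_replica "$PRIMARY_AGMT" "$SECONDARY_REPLICA" &&
   agreement_matches_replica "$SECONDARY_AGMT" "$PRIMARY_REPLICA"; then
    echo "agreements are cross-wired correctly; apply with apply_ldif when ready"
fi
```

To use it against real servers, put the Directory Manager password in the file named by DM_PWFILE and call apply_ldif "$PRIMARY" "$PRIMARY_REPLICA", apply_ldif "$SECONDARY" "$SECONDARY_REPLICA" and so on after the replication managers exist on both sides; then poll the agreement entry with ldapsearch and feed its output to init_finished. A clone agreement built with mgr_dn "$CLONE_AGMT" as its bind DN fails agreement_matches_replica against the primary's replica object, which is exactly the mismatch that leaves the secondary-to-primary direction unable to bind.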