Configuring DS Replication with PKI Tools

Endi S. Dewata edited this page Dec 13, 2023 · 21 revisions

Overview

This page describes the process to configure bi-directional replication between two DS instances using PKI tools.

Prerequisites

  • Install primary DS

  • Import data into primary DS

  • Install secondary DS

Preparing DS Backend

To create the CA database backend in DS:

$ pki-server ca-db-create

Enabling Replication

To enable replication on the primary DS:

$ pki-server ca-db-repl-enable \
    --url ldap://primaryds.example.com:3389 \
    --bind-dn "cn=Directory Manager" \
    --bind-password Secret.123 \
    --replica-bind-dn "cn=Replication Manager,cn=config" \
    --replica-bind-password Secret.123 \
    --replica-id=1 \
    --suffix dc=ca,dc=pki,dc=example,dc=com

To enable replication on the secondary DS:

$ pki-server ca-db-repl-enable \
    --url ldap://secondaryds.example.com:3389 \
    --bind-dn "cn=Directory Manager" \
    --bind-password Secret.123 \
    --replica-bind-dn "cn=Replication Manager,cn=config" \
    --replica-bind-password Secret.123 \
    --replica-id=2 \
    --suffix dc=ca,dc=pki,dc=example,dc=com

Availability: Since PKI 11.5

Creating Replication Agreements

To create a replication agreement on the primary DS:

$ pki-server ca-db-repl-agmt-add \
    --url ldap://primaryds.example.com:3389 \
    --bind-dn "cn=Directory Manager" \
    --bind-password Secret.123 \
    --replica-url ldap://secondaryds.example.com:3389 \
    --replica-bind-dn "cn=Replication Manager,cn=config" \
    --replica-bind-password Secret.123 \
    --suffix dc=ca,dc=pki,dc=example,dc=com \
    primaryds-to-secondaryds

To create a replication agreement on the secondary DS:

$ pki-server ca-db-repl-agmt-add \
    --url ldap://secondaryds.example.com:3389 \
    --bind-dn "cn=Directory Manager" \
    --bind-password Secret.123 \
    --replica-url ldap://primaryds.example.com:3389 \
    --replica-bind-dn "cn=Replication Manager,cn=config" \
    --replica-bind-password Secret.123 \
    --suffix dc=ca,dc=pki,dc=example,dc=com \
    secondaryds-to-primaryds

Availability: Since PKI 11.5

Initializing Replication Agreement

To initialize the replication agreement on the primary DS (this copies the primary's data to the secondary DS, so only the agreement on the primary is initialized):

$ pki-server ca-db-repl-agmt-init \
    --url ldap://primaryds.example.com:3389 \
    --bind-dn "cn=Directory Manager" \
    --bind-password Secret.123 \
    --suffix dc=ca,dc=pki,dc=example,dc=com \
    primaryds-to-secondaryds

Availability: Since PKI 11.5