Configuring DS Replication with PKI Tools

Overview

This page describes the process to configure bi-directional replication between two DS instances using PKI tools.

Prerequisites

Install primary DS
Import data into primary DS
Install secondary DS

Preparing DS Backend

To create a new DS backend in the secondary DS:

$ pki-server ca-db-create

Availability: Since PKI 11.5

Enabling Replication

To enable replication on the primary DS:

$ pki-server ca-db-repl-enable \
    --url ldap://primaryds.example.com:3389 \
    --bind-dn "cn=Directory Manager" \
    --bind-password Secret.123 \
    --replica-bind-dn "cn=Replication Manager,cn=config" \
    --replica-bind-password Secret.123 \
    --replica-id=1 \
    --suffix dc=ca,dc=pki,dc=example,dc=com

To enable replication on the secondary DS:

$ pki-server ca-db-repl-enable \
    --url ldap://secondaryds.example.com:3389 \
    --bind-dn "cn=Directory Manager" \
    --bind-password Secret.123 \
    --replica-bind-dn "cn=Replication Manager,cn=config" \
    --replica-bind-password Secret.123 \
    --replica-id=2 \
    --suffix dc=ca,dc=pki,dc=example,dc=com

Availability: Since PKI 11.5

Creating Replication Agreements

To create replication agreement on the primary DS:

$ pki-server ca-db-repl-agmt-add \
    --url ldap://primaryds.example.com:3389 \
    --bind-dn "cn=Directory Manager" \
    --bind-password Secret.123 \
    --replica-url ldap://secondaryds.example.com:3389 \
    --replica-bind-dn "cn=Replication Manager,cn=config" \
    --replica-bind-password Secret.123 \
    --suffix dc=ca,dc=pki,dc=example,dc=com \
    primaryds-to-secondaryds

To create replication agreement on the secondary DS:

$ pki-server ca-db-repl-agmt-add \
    --url ldap://secondaryds.example.com:3389 \
    --bind-dn "cn=Directory Manager" \
    --bind-password Secret.123 \
    --replica-url ldap://primaryds.example.com:3389 \
    --replica-bind-dn "cn=Replication Manager,cn=config" \
    --replica-bind-password Secret.123 \
    --suffix dc=ca,dc=pki,dc=example,dc=com \
    secondaryds-to-primaryds

Availability: Since PKI 11.5

Initializing Replication Agreement

To initialize the replication agreement on the primary DS:

$ pki-server ca-db-repl-agmt-init \
    --url ldap://primaryds.example.com:3389 \
    --bind-dn "cn=Directory Manager" \
    --bind-password Secret.123 \
    --suffix dc=ca,dc=pki,dc=example,dc=com \
    primaryds-to-secondaryds

Availability: Since PKI 11.5

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Configuring DS Replication with PKI Tools

Overview

Prerequisites

Preparing DS Backend

Enabling Replication

Creating Replication Agreements

Initializing Replication Agreement

Clone this wiki locally