Sun Directory Server Enterprise Edition 7.0 Administration Guide

Using a Non-Default Replication Manager

The replication manager is the user that suppliers will use to bind to a consumer server when sending replication updates. All servers that contain suffixes receiving updates must have at least one replication manager entry.

Directory Server has a default replication manager entry that you can use on every server, especially for simple replication scenarios: cn=replication manager,cn=replication,cn=config. The replication mechanism automatically configures consumer replicas with this user, simplifying the deployment of replicas.

If you have a more complex replication scenario, you might want several replication managers with a different password for each replicated suffix. You can replace the existing default replication manager with one or more new replication managers.

Caution –

Never bind or perform operations on the server using the DN and password of the replication manager. The replication manager is for use only by the replication mechanism. Any other use might require reinitializing the replicas.

Never use the Directory Manager as the replication manager. Because the cn=admin,cn=Administrators,cn=config entry is used for other administrative tasks, you must also not use this user or any other user in the administrator group as the replication manager.

After you have chosen the replication manager for each consumer, ensure that you remember the replication manager DN that you chose or created. You will need this DN and its password later when creating the replication agreement with this consumer on its supplier.

Procedure: To Set a Non-Default Replication Manager

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. On all consumer (destination) replicated suffixes, create a new replication manager and password.

    $ ldapmodify -a -h host -p port -D cn=admin,cn=Administrators,cn=config -w -
    Enter bind password:
    objectclass: top
    objectclass: person

    For example:

    $ ldapmodify -a -h host1 -p 1389 -D cn=admin,cn=Administrators,cn=config -w -
    Enter bind password:
    objectclass: top
    objectclass: person
  2. On all consumer (destination) replicated suffixes, set the replication manager bind DN.

    $ dsconf set-suffix-prop -h host -p port suffix-DN \

    For example:

    $ dsconf set-suffix-prop -h host1 -p 1389 dc=example,dc=com \
  3. For all replication agreements that you have created on all supplier (source) replicated suffixes, set the replication manager bind DN.

    1. Create a temporary file for setting the new replication manager password.

      This file is read once, and the password is stored for future use.

      $ echo password > password-file
    2. Set the replication manager bind DN and password to be used by the replication mechanism when performing updates.

      $ dsconf set-repl-agmt-prop -h host -p port suffix-DN host:port \
       auth-bind-dn:"cn=new-replication-manager,cn=replication,cn=config" \

      For example:

      $ dsconf set-repl-agmt-prop -h host2 -p 1389 dc=example,dc=com host1:1389 \
       auth-bind-dn:"cn=ReplicationManager3,cn=replication,cn=config" \
    3. Remove the temporary password file.

      $ rm password-file