
Oracle® Internet Directory Administrator's Guide
10g (9.0.4)

Part Number B12118-01

Oracle Directory Replication Administration, 3 of 5


Installing and Configuring LDAP-Based Replication

This section contains these topics:

Rules for Configuring LDAP-Based Replication

The following rules apply to both full and partial LDAP-based replication:

Installing an LDAP-Based Replica

When you install Oracle Internet Directory on any given node, follow these steps:

  1. When you are prompted to select a product, choose the Oracle Application Server Infrastructure.

  2. Choose the Identity Management and Oracle Application Server Metadata Repository installation type. Choose Next. The Select Configuration Options screen appears.

  3. Deselect everything in the Select Configuration Options screen.

  4. Choose Next.

Later, the Oracle Universal Installer asks for the host and port of Oracle Internet Directory. Specify the host and port number of the supplier. Verify that the server is running on that node.

After installation, create the wallet by entering the following:

$ORACLE_HOME/bin/oidpasswd connect=connect_string create_wallet=TRUE current_password=password_for_the_ODS_database_user

Start and shut down the Oracle Internet Directory processes by entering the following:

$ORACLE_HOME/bin/oidmon connect=connect_string start

$ORACLE_HOME/bin/oidctl connect=connect_string server=oidldapd instance=1 start

$ORACLE_HOME/bin/oidmon connect=connect_string stop

You can also start the Oracle Internet Directory instance by using the OPMNCTL utility. To do this:

  1. Execute oidpasswd to create wallets.

  2. Make sure opmn is running. Enter:

    opmnctl ping
    
    
  3. If opmn is not running, then start it. To do this:

    1. Enter:

      opmnctl start 
      
      
    2. Repeat Step 2.

  4. Change the status of the ias-component=OID in $ORACLE_HOME/opmn/conf/opmn.xml from disabled to enabled.

  5. Reload the file opmn.xml:

    opmnctl reload
    
    
  6. Start Oracle Internet Directory:

    opmnctl startproc ias-component=OID
    

Configuring an LDAP-Based Replica

How you configure an LDAP-based replica depends on whether you have backed up the directory by using the ldifwrite tool or by using automatic bootstrapping. Table 25-1 compares these two methods.

Table 25-1 A Comparison of Backup and Automatic Bootstrapping

Backup Using ldifwrite             Automatic Bootstrapping
---------------------------------  ----------------------------------------------------
Manual procedure                   Automatic procedure
Faster performance                 Uses the filtering capability of partial replication
Good for a large amount of data    Good for a smaller number of entries

Configuring an LDAP-Based Replica by Using Automatic Bootstrapping

This section discusses the general tasks you perform when configuring an LDAP-based replica by using automatic bootstrapping. It contains these topics:

Task 1: Identify the Supplier Node

Identify the supplier for an LDAP-based replica. The supplier can be:

Task 2: Add an LDAP-Based Replica by Using the Replication Environment Management Tool

To add a replica, enter the following:

remtool -paddnode [-v] [-bind supplier_host_name:port/replication_dn_password]

See Also:

"The Replication Environment Management Tool" for more information about the Replication Environment Management Tool

Task 3: Configure the Replica for Automatic Bootstrapping

To use the automatic bootstrap capability, set the orclReplicaState attribute of the replica subentry to 0 as follows:

  1. Edit the sample file mod.ldif as follows:

    Dn: orclreplicaid=<unique replica identifier>, cn=replication configuration
    Changetype:modify
    add:orclReplicaState
    OrclReplicaState: 0
    
    
  2. Use ldapmodify to update the replica subentry orclreplicastate attribute.

    ldapmodify -D "cn=orcladmin" -w administrator_password -h my_host -p 389 -f mod.ldif
    

    See Also:

    "Managing Replication" for more information about the bootstrap capability of the LDAP-based replication

Task 4: Optional: Change Default Replication Parameters

You can change the default parameters for replication agreements and for the replica subentry.

See Also:

Task 5: Start the Directory Replication Server on the Consumer Replica

See Also:

"Starting an Oracle Directory Replication Server Instance"

Configuring an LDAP-Based Replica by Using the ldifwrite Tool

This section discusses the general tasks you perform when configuring an LDAP-based replica by using the ldifwrite tool. It contains these topics:

Task 1: Start the Directory Server on Both the Supplier and the Consumer Nodes

Identify the supplier for an LDAP-based replica, and verify that the directory server is running on both the supplier and the consumer. The supplier can be:

Task 2: Change the Directory Server at the Supplier to Read-Only Mode

To ensure data consistency, change the directory server on the supplier node to read-only. To do this:

  1. Create an LDIF file containing the following:

    Dn:
    Changetype: modify
    Replace: orclservermode
    Orclservermode: r
    
    
  2. On the supplier, run the following command:

    ldapmodify -D "cn=orcladmin" -w administrator_password -h host_name_of_supplier_node -p port -f name_of_LDIF_file.ldif
    
Task 3: Add an LDAP-Based Replica by Using the Replication Environment Management Tool

To add a replica, enter the following:

remtool -paddnode [-v] [-bind supplier_host_name:port/replication_dn_password]

See Also:

"The Replication Environment Management Tool" for more information about the Replication Environment Management Tool

Task 4: Initialize the lastappliedchangenumber Attribute

To do this:

  1. Search for the last applied change number on the supplier node.

    ldapsearch -D bind_DN -w password -h host_name -p port_number -b "" -s base "objectclass=*" lastchangenumber
    
    
  2. Modify the corresponding agreement with the retrieved last applied number at the supplier. To do this:

    1. On the supplier, create an LDIF file with the retrieved last applied change number:

      dn: orclagreementid=agreement_identifier,orclreplicaid=supplier_replica_identifier,cn=replication configuration
      changetype: modify
      replace: orclLastAppliedChangeNumber
      orclLastAppliedChangeNumber: last_change_number_retrieved_in_step_1
      
      
    2. Modify the agreement by using ldapmodify:

      ldapmodify -D bind_DN -w password -h host_name -p port_number -f LDIF_file
      
Task 5: Back Up the Naming Contexts to Be Replicated

If there is a large number of entries in the naming contexts that you want to replicate to the LDAP-based replica, then Oracle Corporation recommends that you back up these naming contexts at the supplier node and then load them to the LDAP-based replica.

To back up the naming contexts:

  1. Identify the replication agreement DN created in "Task 3: Add an LDAP-Based Replica by Using the Replication Environment Management Tool".

    ldapsearch -h supplier_host -p port_number -b "orclreplicaid=supplier_replica_ID, cn=replication configuration" -s sub "(orclreplicadn=orclreplicaid=consumer_replica_ID, cn=replication configuration)" dn
    
    
    
  2. Use the following command to get the data from the supplier. Data loaded into the file will be based on the agreement configured:

    ldifwrite -c connect_string_of_sponsor_node -b "replication_agreement_dn" -f name_of_output_LDIF_file.ldif


    Note:

    You might want to perform "Task 8: Optional: Change Default Replication Parameters" before backing up the data so that additional changes in the agreement are taken care of during the backup.


    See Also:

    "Determining What Is to Be Replicated in LDAP-Based Partial Replication"

    "Example 2: Converting Part of a Specified Naming Context to an LDIF File" for more instructions on using ldifwrite to back up part of the naming context

Task 6: Change the Directory Server at the Supplier to Read/Write Mode

If you performed "Task 2: Change the Directory Server at the Supplier to Read-Only Mode", then change the directory server on the supplier back to read/write mode. To do this:

  1. Create an LDIF file containing the following:

    Dn:
    Changetype: modify
    Replace: orclservermode
    Orclservermode: rw
    
    
  2. On the supplier, run the following command:

    ldapmodify -D "cn=orcladmin" -w administrator_password -h host_name_of_supplier_node -p port -f name_of_LDIF_file.ldif
    
Task 7: Load the Data on the LDAP-Based Replica

To do this:

  1. If there are multiple files, then combine them into one file--for example, backup_data.ldif.

  2. If naming contexts exist on the LDAP-based consumer replica, then remove them by using bulkdelete. Enter the following:

    bulkdelete.sh -connect connect_string_of_replica -b "naming_context"

    Perform this step for each naming context that was backed up in "Task 5: Back Up the Naming Contexts to Be Replicated".

  3. Load the data to the replica by using bulkload in the append mode. Enter the following:

    bulkload.sh -connect connect_string_of_replica -append -check -generate -load -restore backup_data.ldif

See Also:

"bulkload Syntax" for instructions on using bulkload in either the default mode or the append mode

Task 8: Optional: Change Default Replication Parameters

You can change the default parameters for replication agreements and for the replica subentry.

See Also:

Task 9: Start the Directory Replication Server on the Consumer Replica

See Also:

"Starting an Oracle Directory Replication Server Instance"

Deleting an LDAP-Based Replica

This section explains how to delete an LDAP-based replica. It contains these topics:

Task 1: Stop the Directory Replication Server on the Node to be Deleted

See Also:

"Stopping an Oracle Directory Replication Server Instance"

Task 2: Stop the Directory Server on the Node to be Deleted

See Also:

"Stopping an Oracle Directory Server Instance"

Task 3: Delete the Replica from the Replication Group

Do this by using the Replication Environment Management Tool. Enter:

remtool -pdelnode [-v] [-bind hostname:port_number/replication_dn_password]

See Also:

"The Replication Environment Management Tool"

Determining What Is to Be Replicated in LDAP-Based Partial Replication

In LDAP-based partial replication, you can determine what is or is not replicated by defining replica naming context objects. The parameters for these objects are stored in entries that have this DN:

cn=namingcontext_ID,cn=replication namecontext,
orclAgreementID=numeric_identifier_of_replication_agreement,
orclReplicaId=unique_identifier_of_replica, cn=replication configuration


Note:

Because the directory replication server reads replica naming context objects from the agreement located at the supplier, you must apply all modifications against naming context objects at the supplier and, optionally, at the consumer.


Viewing and Modifying Replica Naming Context Objects by Using Oracle Directory Manager

To view and modify parameters for replica naming context objects:

  1. In the navigator pane, expand in succession Oracle Internet Directory Servers, directory server instance, Replication Management, Replica Node: replica identifier, Replica Agreement: replication agreement identifier

  2. Select the replica naming context you want to modify. The Replica Naming Context tab page appears in the right pane. The fields in this tab page are described in Table C-18.

  3. After you have entered the appropriate information, choose OK.

Adding Replica Naming Context Objects by Using Oracle Directory Manager

  1. In the navigator pane, expand in succession Oracle Internet Directory Servers, directory server instance, Replication Management, Replica Node: replica identifier, Replica Agreement: replication agreement identifier.

  2. Select Naming Context:naming context identifier.

  3. From the toolbar, choose Create. The New Replica Agreement Naming Context dialog box appears.

  4. In the fields in the New Replica Agreement Naming Context dialog box, enter the appropriate information. The fields in this dialog box are described in Table C-18.

  5. Choose OK.

Deleting Replica Naming Context Objects by Using Oracle Directory Manager

  1. In the navigator pane, expand in succession Oracle Internet Directory Servers, directory server instance, Replication Management, Replica Node: replica identifier, Replica Agreement: replication agreement identifier.

  2. Using your mouse, right-click Naming Context:naming context identifier.

  3. Select Delete.

Modifying Replica Naming Context Object Parameters by Using ldapmodify

Replica naming context object parameters are listed and described in Table B-33.

Example 1: Adding a Naming Context Object for an LDAP-Based Replica

This example creates a naming context object that does the following:

The steps are:

  1. Edit the example file mod.ldif as follows:

    dn: cn=naming_context_identifier,cn=replication namecontext,orclagreementid=replication_agreement_identifier,orclreplicaid=consumer_replica_identifier,cn=replication configuration
    orclincludednamingcontexts: ou=Americas,cn=mycompany
    orclexcludednamingcontexts: cn=customer profile, ou=Americas, cn=mycompany
    orclexcludedattributes: userpassword
    objectclass: top
    objectclass: orclreplnamectxconfig
    
    
  2. Use ldapadd to add the partial replication naming context object to both the supplier and the consumer.

    ldapadd -D "bind_DN" -w administrator_password -h host -p port_number -f mod.ldif
    

Example 2: Deleting a Naming Context Object for an LDAP-Based Replica

This example deletes from both the supplier and the consumer the naming context object created in the previous example.

The command is:

ldapdelete -D "bind_DN" -w administrator_password \
-h [supplier host | consumer host] \
-p port_number \
"cn=naming_context_identifier,cn=replication namecontext,orclagreementid=replication_agreement_identifier,orclreplicaid=consumer_replica_identifier,cn=replication configuration"

Example 3: Modifying the orclIncludedNamingcontexts Attribute for a Replica Naming Context Object

The directory replication server uses the orclIncludedNamingcontexts attribute value of the replica naming context object to specify the top-level subtree included in partial replication.

In this example, the included naming context is set to c=us, which means that c=us is to be included in partial replication.

  1. Edit the example file mod.ldif as follows:

    dn: cn=naming_context_identifier,cn=replication namecontext,orclagreementid=replication_agreement_identifier,orclreplicaid=consumer_replica_identifier,cn=replication configuration
    changetype: modify
    replace: orclIncludedNamingcontexts
    orclIncludedNamingcontexts: c=us

  2. Use ldapmodify to update the orclIncludedNamingcontexts attribute of the replica naming context object.

    ldapmodify -D "cn=orcladmin" -w administrator_password -h my_host -p port -f mod.ldif
    
    
  3. Restart the directory replication server.

Example 4: Modifying the orclExcludedNamingcontexts Attribute for a Replica Naming Context Object

The directory replication server uses the orclExcludedNamingcontexts attribute value of the replica naming context object to specify the top-level subtrees excluded from partial replication.

In this example, the excluded naming contexts are set to ou=Europe,c=us and ou=Americas,c=us, which means that these two naming contexts are to be excluded from partial replication.

  1. Edit the example file mod.ldif as follows:

    dn: cn=naming_context_identifier,cn=replication namecontext,orclagreementid=replication_agreement_identifier,orclreplicaid=consumer_replica_identifier,cn=replication configuration
    changetype: modify
    replace: orclExcludedNamingcontexts
    orclExcludedNamingcontexts: ou=Europe, c=us
    orclExcludedNamingcontexts: ou=Americas, c=us

  2. Use ldapmodify to update the orclExcludedNamingcontexts attribute of the replica naming context object.

    ldapmodify -D "cn=orcladmin" -w administrator_password -h my_host -p port -f mod.ldif
    
    
  3. Restart the directory replication server.



    Note:

    A subtree specified in the orclexcludednamingcontexts attribute must also be a subtree of the specified includednamingcontext of the same replica naming context object.


Example 5: Modifying the orclExcludedAttributes Attribute for a Replica Naming Context Object

You can specify that certain changes made to the included naming context be excluded from partial replication. To determine which attributes are to be excluded, the directory replication server uses the value of the orclExcludedAttributes attribute of the replica naming context object.

In this example, the telephonenumber and title attributes of the naming context specified in the orclincludednamingcontexts attribute are excluded from replication.

  1. Edit the example file mod.ldif as follows:

    dn: cn=naming_context_identifier,cn=replication namecontext,orclagreementid=replication_agreement_identifier,orclreplicaid=consumer_replica_identifier,cn=replication configuration
    changetype: modify
    replace: orclExcludedAttributes
    orclExcludedAttributes: telephonenumber
    orclExcludedAttributes: title

  2. Use ldapmodify to update the orclExcludedAttributes attribute of the replica naming context object.

    ldapmodify -D "cn=orcladmin" -w administrator_password -h my_host -p port -f mod.ldif
    
    
  3. Restart the directory replication server.
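
A pre-flight check for the mod.ldif files in Examples 4 and 5, given here as an added example and not Oracle code: an LDIF replace: operation overwrites every existing value of the attribute, so applying Example 5 to the object from Example 1 silently removes userpassword from the exclusion list, and applying Example 4 to it breaks the rule in the Note under Example 4. The function names are hypothetical, the sample records are constructed from the values on this page with their dn: lines omitted, and the parser assumes plain (not base64) values.

```python
import re

def parse_ldif(text):
    """Parse one LDIF record into {attribute_lowercased: [values]}."""
    record = {}
    for line in re.sub(r"\r?\n ", "", text).splitlines():  # unfold continuation lines
        if ":" in line and not line.startswith("#"):
            attr, _, value = line.partition(":")
            record.setdefault(attr.strip().lower(), []).append(value.strip())
    return record

def rdns(dn):
    """Split a DN on unescaped commas; trim and lowercase each RDN for comparison."""
    parts = re.split(r"(?<!\\),", dn) if dn.strip() else []
    return [re.sub(r"\s*=\s*", "=", p.strip().lower(), count=1) for p in parts]

def is_within(child, parent):
    """True if child is the parent DN itself or lies below it."""
    c, p = rdns(child), rdns(parent)
    return len(c) >= len(p) and c[len(c) - len(p):] == p

def misplaced_exclusions(obj):
    """Excluded subtrees that are not inside any included naming context."""
    included = obj.get("orclincludednamingcontexts", [])
    return [dn for dn in obj.get("orclexcludednamingcontexts", [])
            if not any(is_within(dn, inc) for inc in included)]

def apply_replace(obj, mod_text):
    """Apply the replace: operations of a modify record; return (new_obj, dropped)."""
    mod, new_obj, dropped = parse_ldif(mod_text), dict(obj), {}
    for attr in (a.lower() for a in mod.get("replace", [])):
        new_obj[attr] = mod.get(attr, [])
        lost = [v for v in obj.get(attr, []) if v.lower() not in {x.lower() for x in new_obj[attr]}]
        if lost:
            dropped[attr] = lost  # values present before the change and gone after it
    return new_obj, dropped

# Constructed sample: the object from Example 1, then Examples 5 and 4 as one change.
OBJECT = parse_ldif("""orclincludednamingcontexts: ou=Americas,cn=mycompany
orclexcludednamingcontexts: cn=customer profile, ou=Americas, cn=mycompany
orclexcludedattributes: userpassword
""")
MOD = """changetype: modify
replace: orclExcludedAttributes
orclExcludedAttributes: telephonenumber
orclExcludedAttributes: title
-
replace: orclExcludedNamingcontexts
orclExcludedNamingcontexts: ou=Europe, c=us
orclExcludedNamingcontexts: ou=Americas, c=us
"""
if __name__ == "__main__":
    after, dropped = apply_replace(OBJECT, MOD)
    print("dropped:", dropped, "misplaced:", misplaced_exclusions(after))
```

To keep an existing exclusion such as userpassword, list it again among the values in the replace: block.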


Copyright © 1999, 2003 Oracle Corporation.

All Rights Reserved.