In most deployment scenarios, the loosely consistent multi-master replication model is sufficient. However, certain scenarios might require tighter consistency between replicas. In such cases, you can configure assured replication, which provides the following benefits:
High availability of data. If a server crashes immediately after a modification is received on that server, there is a risk that the modification will be lost before it is replayed to other servers in the topology. With assured replication, any modification is replayed to another server in the topology before an acknowledgement is sent to the client application. The risk of losing data in the event of a server crash is therefore minimized.
Immediacy of data availability. Some applications might require modifications to be available on additional servers in the topology immediately after a modification is made.
Assured replication is an extension of the replication protocol and is configured per replicated domain. For more information, see Retrieving the Replication Domain Name.
Assured replication is not the same as synchronous replication. That is, changes do not occur simultaneously on all servers in the topology. However, assured replication can mimic the functionality of synchronous replication to an extent, as far as LDAP clients are concerned. This is achieved by delaying acknowledgements to the client application until a modification has been propagated to additional servers in the topology.
Note - Assured replication relies on replication groups. All replication servers and directory servers that function together in an assured replication configuration must be part of the same replication group.
Assured replication can function in two modes:
Safe data mode. Any update must be propagated to a defined number of replication servers before the client receives an acknowledgement that the update has been successful.
The number of replication servers that must be reached defines the safe data level. The higher the safe data level, the higher the overall data availability.
Safe read mode. Any update must be propagated to all the directory servers in the topology before the client receives an acknowledgement that the update has been successful.
In both safe data mode and safe read mode, you can configure a timeout interval to prevent LDAP client calls from hanging if certain servers in the topology are not available.
On each directory server, you can configure a global timeout that comes into effect when the directory server sends an update to its replication server, either in safe data mode or in safe read mode. If this timeout is reached, the LDAP client call returns immediately and a message is written to the replication log to track the event.
On each replication server, you can configure a global timeout that comes into effect when the replication server sends an update to a peer replication server or to another directory server, either in safe data mode or in safe read mode. If this timeout is reached, the acknowledgement message that is returned to the initiating server (either a directory server or a replication server) includes a message that indicates the timeout. The initial directory server then logs a message that the timeout occurred for that update.
Note - The default timeout of two seconds for a directory server and one second for a replication server should be satisfactory for most deployments. Only change the timeout if you are viewing timeouts in the logs and if you have a complete understanding of the impact of such a change. The value of the timeout should reflect the anticipated time that an update requires to go through its full path to reach its destination.
The timeout value on a directory server should always be higher than the value on the replication server. For example: DS1(timeout 2s) -> RS1(timeout 1s) -> RS2(timeout 1s) -> DS2.
For a detailed explanation of the assured replication mechanism and the various configurable options, see Assured Replication in Sun OpenDS Standard Edition 2.0 Architectural Reference.
This procedure configures assured replication in safe data mode for a topology. The procedure assumes that replication has already been configured.
$ dsconfig -D "cn=directory manager" -w password -n set-replication-domain-prop \
  --provider-name "Multimaster Synchronization" \
  --domain-name "dc=example,dc=com (domain 10233)" --advanced \
  --set assured-type:safe-data

$ dsconfig -D "cn=directory manager" -w password -n set-replication-domain-prop \
  --provider-name "Multimaster Synchronization" \
  --domain-name "dc=example,dc=com (domain 10233)" --advanced \
  --set assured-sd-level:2
If you have configured replication by using setup or dsreplication, your replication servers and directory servers will be on the same virtual machine. In this case, you must set the safe data level to 2 or higher.
$ dsconfig -D "cn=directory manager" -w password -n set-replication-domain-prop \
  --provider-name "Multimaster Synchronization" \
  --domain-name "dc=example,dc=com (domain 10233)" --advanced \
  --set assured-timeout:5s
Only change the timeout if you are viewing timeouts in the logs and if you have a complete understanding of the impact of such a change.
This should be the same for all replication servers and directory servers that form part of this replication group. For instructions on configuring the group ID, see Configuring Replication Groups.
$ dsconfig -D "cn=directory manager" -w password -n get-replication-domain-prop \
  --provider-name "Multimaster Synchronization" \
  --domain-name "dc=example,dc=com (domain 10233)" --advanced \
  --property assured-type --property assured-sd-level --property assured-timeout
Property         : Value(s)
-----------------:------------
assured-sd-level : 2
assured-timeout  : 5 s
assured-type     : safe-data

$ dsconfig -D "cn=directory manager" -w password -n get-replication-server-prop \
  --provider-name "Multimaster Synchronization" --advanced \
  --property assured-timeout --property group-id
Property                  : Value(s)
--------------------------:---------
assured-timeout           : 1 s
group-id                  : 1

$ dsconfig -D "cn=directory manager" -w password -n set-replication-server-prop \
  --provider-name "Multimaster Synchronization" --advanced \
  --set assured-timeout:5s
Only change the timeout if you are viewing timeouts in the logs and if you have a complete understanding of the impact of such a change.
This should be the same for all replication servers and directory servers that form part of this replication group. For instructions on configuring the group ID, see Configuring Replication Groups.
Assured replication is configured per replicated domain. This procedure configures assured replication in safe read mode for a topology. The procedure assumes that replication has already been configured.
$ dsconfig -D "cn=directory manager" -w password -n set-replication-domain-prop \
  --provider-name "Multimaster Synchronization" \
  --domain-name "dc=example,dc=com (domain 10233)" --advanced \
  --set assured-type:safe-read

$ dsconfig -D "cn=directory manager" -w password -n set-replication-domain-prop \
  --provider-name "Multimaster Synchronization" \
  --domain-name "dc=example,dc=com (domain 10233)" --advanced \
  --set assured-timeout:5s
Only change the timeout if you are viewing timeouts in the logs and if you have a complete understanding of the impact of such a change.
This should be the same for all replication servers and directory servers that form part of this replication group. For instructions on configuring the group ID, see Configuring Replication Groups. For more information about groups and assured replication, see Assured Replication in Sun OpenDS Standard Edition 2.0 Architectural Reference.
$ dsconfig -D "cn=directory manager" -w password -n get-replication-domain-prop \
  --provider-name "Multimaster Synchronization" \
  --domain-name "dc=example,dc=com (domain 10233)" --advanced \
  --property assured-type --property assured-timeout --property group-id
Property         : Value(s)
-----------------:------------
assured-timeout  : 5 s
assured-type     : safe-read
group-id         : 1

$ dsconfig -D "cn=directory manager" -w password -n get-replication-server-prop \
  --provider-name "Multimaster Synchronization" --advanced \
  --property assured-timeout --property degraded-status-threshold \
  --property group-id
Property                  : Value(s)
--------------------------:---------
assured-timeout           : 1 s
degraded-status-threshold : 5000
group-id                  : 1

$ dsconfig -D "cn=directory manager" -w password -n set-replication-server-prop \
  --provider-name "Multimaster Synchronization" --advanced \
  --set assured-timeout:5s
Only change the timeout if you are viewing timeouts in the logs and if you have a complete understanding of the impact of such a change.
The degraded status threshold defines the stage at which the server is regarded as “too slow”, based on the number of updates queued in the replication server for that directory server. For more information, see Degraded Status in Sun OpenDS Standard Edition 2.0 Architectural Reference.
Do not adjust this value unless you observe timeouts in the logs.
$ dsconfig -D "cn=directory manager" -w password -n set-replication-server-prop \
  --provider-name "Multimaster Synchronization" --advanced \
  --set degraded-status-threshold:2000
This should be the same for all replication servers and directory servers that form part of this replication group. For instructions on configuring the group ID, see Configuring Replication Groups. For more information about groups and assured replication, see Assured Replication in Sun OpenDS Standard Edition 2.0 Architectural Reference.
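The rules stated in both procedures (a directory server timeout higher than the replication server timeout, a safe data level of 2 or higher when both servers share a virtual machine, and one group ID across the replication group) can be checked against the output of get-replication-domain-prop and get-replication-server-prop. The following script is an added example, not part of the original documentation; the function names prop, to_ms and audit and the sample tables are constructed for illustration.

```shell
# Added example: audit captured dsconfig output against the rules on this page.
# prop NAME: read a "Property : Value(s)" table on stdin and print NAME's value.
prop() {
  awk -F: -v want="$1" '
    { key = $1; val = $2
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val) }
    key == want { print val; exit }'
}
# to_ms "5 s": duration to milliseconds (only the s and ms units are handled).
to_ms() {
  num=${1%%[!0-9]*}
  unit=$(printf '%s' "${1#$num}" | tr -d ' ')
  case "$unit" in
    ms) echo "$num" ;;
    s)  echo $((num * 1000)) ;;
    *)  return 1 ;;
  esac
}
# audit DOMAIN_OUT SERVER_OUT: one line per finding, returns 1 if any. Assumes both
# servers share a virtual machine (the setup/dsreplication layout), so level 1 is flagged.
audit() {
  rc=0
  mode=$(printf '%s\n' "$1" | prop assured-type)
  level=$(printf '%s\n' "$1" | prop assured-sd-level)
  ds_gid=$(printf '%s\n' "$1" | prop group-id)
  rs_gid=$(printf '%s\n' "$2" | prop group-id)
  ds_ms=$(to_ms "$(printf '%s\n' "$1" | prop assured-timeout)") || ds_ms=
  rs_ms=$(to_ms "$(printf '%s\n' "$2" | prop assured-timeout)") || rs_ms=
  if [ "$mode" = safe-data ] && [ "${level:-0}" -lt 2 ]; then
    echo "SD_LEVEL: assured-sd-level is ${level:-unset}, expected 2 or higher"; rc=1
  fi
  if [ -z "$ds_ms" ] || [ -z "$rs_ms" ]; then
    echo "TIMEOUT: assured-timeout missing or in an unhandled unit"; rc=1
  elif [ "$ds_ms" -le "$rs_ms" ]; then
    echo "TIMEOUT: directory server ${ds_ms} ms not higher than replication server ${rs_ms} ms"; rc=1
  fi
  if [ -n "$ds_gid" ] && [ -n "$rs_gid" ] && [ "$ds_gid" != "$rs_gid" ]; then
    echo "GROUP: group-id differs (domain $ds_gid, replication server $rs_gid)"; rc=1
  fi
  return $rc
}
# Constructed sample tables: the values shown on this page, then a drifted configuration.
DOMAIN_OK=$(printf '%s\n' 'assured-sd-level : 2' 'assured-timeout : 5 s' 'assured-type : safe-data')
SERVER_OK=$(printf '%s\n' 'assured-timeout : 1 s' 'group-id : 1')
DOMAIN_BAD=$(printf '%s\n' 'assured-sd-level : 1' 'assured-timeout : 5 s' 'assured-type : safe-data' 'group-id : 1')
SERVER_BAD=$(printf '%s\n' 'assured-timeout : 5 s' 'group-id : 2')
audit "$DOMAIN_BAD" "$SERVER_BAD" || true   # prints the three findings
```

Raising the replication server timeout to 5s while the domain timeout is also 5s, as in the drifted sample, leaves the directory server timeout no longer higher than the replication server timeout, which the TIMEOUT finding reports.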