Deployment Example 1: Access Manager 7.1 Load Balancing, Distributed Authentication UI, and Session Failover

4.2 Enabling Multi-Master Replication Between the Access Manager Configuration Data Instances

This section contains the instructions to enable multi-master replication (MMR) between two directory masters. This includes creating replication agreements between the masters and initializing the second directory master with the data and schema from the first directory master. The previously created am-config instances will serve as the two masters. An illustration of the architecture can be seen in Figure 4–1.

Use the following list of procedures as a checklist for completing the tasks.

  1. To Enable Multi-Master Replication for the Directory Server 1 Configuration Data Instance

  2. To Enable Multi-Master Replication for the Directory Server 2 Configuration Data Instance

  3. To Change the Default Replication Manager Passwords for Each Configuration Data Instance

  4. To Create Replication Agreements for Each Configuration Data Instance

  5. To Initialize the Configuration Data Instance Replication Agreements

  6. To Verify that Configuration Data Replication Works Properly

Procedure: To Enable Multi-Master Replication for the Directory Server 1 Configuration Data Instance

  1. As a root user, log in to the DirectoryServer–1 host machine.

  2. (Optional) Run dsconf list-suffixes to verify that the instance is not already enabled for replication.


    # cd /var/opt/mps/serverroot/ds6/bin
    # ./dsconf list-suffixes -p 1389 -v
    Enter "cn=Directory Manager" password: d1rm4n4ger
    ...
    dc=example,dc=com 	1		not-replicated		N/A		N/A		29
    The "list-suffixes" operation succeeded on "localhost:1389"

    The base suffix of the instance is not-replicated as displayed in the resulting list.

  3. Run dsconf enable-repl to enable replication.


    # ./dsconf enable-repl -h DirectoryServer-1.example.com \
      -p 1389 -d 11 master dc=example,dc=com
    Enter "cn=Directory Manager" password: d1rm4n4ger
    
    Use "dsconf create-repl-agmt" to create replication agreements on
    "dc=example,dc=com".

    The -d option sets the replica identifier of the Directory Server 1 configuration data instance; in this case, 11. The value itself is arbitrary, but it must be unique among all masters of this suffix. master indicates that the instance is a master and not a read-only replica. The base suffix is specified as dc=example,dc=com.

  4. Run dsconf list-suffixes again to verify that the instance is now enabled for replication.


    # ./dsconf list-suffixes -p 1389 -v
    Enter "cn=Directory Manager" password: d1rm4n4ger
    ...
    dc=example,dc=com 	1		master(11)		N/A		N/A		29
    The "list-suffixes" operation succeeded on "localhost:1389"

    The base suffix of the instance is master(11) as displayed in the resulting list, indicating that the master was successfully enabled.

  5. Log out of the DirectoryServer–1 host machine.

Procedure: To Enable Multi-Master Replication for the Directory Server 2 Configuration Data Instance

  1. As a root user, log in to the DirectoryServer–2 host machine.

  2. (Optional) Run the dsconf list-suffixes command to verify that the instance is not already enabled for replication.


    # cd /var/opt/mps/serverroot/ds6/bin
    # ./dsconf list-suffixes -p 1389 -v
    Enter "cn=Directory Manager" password: d1rm4n4ger
    ...
    dc=example,dc=com 	1		not-replicated		N/A		N/A		29
    The "list-suffixes" operation succeeded on "localhost:1389"

    The base suffix of the instance is not-replicated as displayed in the resulting list.

  3. Run dsconf enable-repl to enable replication.


    # ./dsconf enable-repl -h DirectoryServer-2.example.com \
      -p 1389 -d 22 master dc=example,dc=com
    Enter "cn=Directory Manager" password: d1rm4n4ger
    
    Use "dsconf create-repl-agmt" to create replication agreements on
    "dc=example,dc=com".

    The -d option sets the replica identifier of the Directory Server 2 configuration data instance; in this case, 22. It must differ from the identifier chosen for Directory Server 1 (11), because replica identifiers must be unique among the masters of a suffix. master indicates that the instance is a master and not a read-only replica. The base suffix is specified as dc=example,dc=com.

  4. Run dsconf list-suffixes again to verify that the instance is now enabled for replication.


    # ./dsconf list-suffixes -p 1389 -v
    Enter "cn=Directory Manager" password: d1rm4n4ger
    ...
    dc=example,dc=com 	1		master(22)		N/A		N/A		29
    The "list-suffixes" operation succeeded on "localhost:1389"

    The base suffix of the instance is master(22) as displayed in the resulting list, indicating that the master was successfully enabled.

  5. Log out of the DirectoryServer–2 host machine.

Procedure: To Change the Default Replication Manager Passwords for Each Configuration Data Instance

The replication manager is the user that suppliers use to bind to the consumer server when sending replication updates. (In MMR the consumer server refers to whichever master happens to be the consumer for that particular operation.) The Directory Server documentation recommends changing the default password that is created when replication is enabled, because that default is the same on every installation and the replication manager account is not subject to normal access control when it applies replicated updates. Set the same new password on both masters: each master binds to the other with the default replication manager credentials, so the agreements created in the next procedure authenticate only if the passwords match.

  1. As a root user, log in to the DirectoryServer–1 host machine.

  2. Create a temporary file that contains the new replication manager password.

    This file is read once by dsconf, and the password is then stored on the server for future use. Create it with a restrictive umask (umask 077) so that it is not readable by other users while it exists, and remove it as soon as the property has been set.


    # cd /var/opt/mps/serverroot/ds6/bin
    # echo replm4n4ger > pwd.txt
    
  3. Verify that the file was successfully created.


    # cat pwd.txt
    replm4n4ger

  4. Run dsconf set-server-prop to set the new replication manager password using pwd.txt as input.


    # ./dsconf set-server-prop -h DirectoryServer-1.example.com \
      -p 1389 def-repl-manager-pwd-file:pwd.txt
    Enter "cn=Directory Manager" password: d1rm4n4ger
    
  5. Remove the pwd.txt file.

  6. Log out of the DirectoryServer–1 host machine.

  7. As a root user, log in to the DirectoryServer–2 host machine.

  8. Create a temporary file that contains the new replication manager password.

    This file will be read once, and the password stored for future use.


    # cd /var/opt/mps/serverroot/ds6/bin
    # echo replm4n4ger > pwd.txt
    
  9. Verify that the file was successfully created.


    # cat pwd.txt
    replm4n4ger

  10. Run dsconf set-server-prop to set the new replication manager password using pwd.txt as input.


    # ./dsconf set-server-prop -h DirectoryServer-2.example.com \
      -p 1389 def-repl-manager-pwd-file:pwd.txt
    Enter "cn=Directory Manager" password: d1rm4n4ger
    
  11. Remove the pwd.txt file.

  12. Log out of the DirectoryServer–2 host machine.
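The procedure above writes the replication manager password to pwd.txt in the server's bin directory with whatever umask root happens to have, and leaves it to the operator to remember to delete it. The following shell script is an added example, not part of the Sun deployment guide, that performs the same dsconf set-server-prop call against a temporary file created owner-only and removed whether or not dsconf succeeds. It assumes dsconf is at the guide's path (override with DSCONF), that REPL_TMPDIR may override the temporary directory, and that the secret is supplied from a script variable rather than typed on an interactive command line; dsconf still prompts for the cn=Directory Manager password exactly as in the guide. On Solaris 10 run it with a POSIX shell such as /usr/xpg4/bin/sh or ksh rather than /bin/sh.

```shell
#!/bin/sh
# Added example (not from the Sun guide): set the default replication manager
# password on one Directory Server instance without leaving a readable
# pwd.txt behind or putting the password on an interactive command line.
# Assumptions: dsconf at the guide's path (override with DSCONF); REPL_TMPDIR
# optionally overrides where the short-lived password file is created.

DSCONF=${DSCONF:-/var/opt/mps/serverroot/ds6/bin/dsconf}

# write_secret_file SECRET
# Creates a mode-0600 temp file holding SECRET and prints its path.
# umask is changed inside a subshell so the caller's umask is untouched;
# mktemp already creates the file owner-only, the umask is belt and braces.
write_secret_file() {
    (
        umask 077
        f=$(mktemp "${REPL_TMPDIR:-${TMPDIR:-/tmp}}/replpwd.XXXXXX") || exit 1
        printf '%s\n' "$1" > "$f" || { rm -f "$f"; exit 1; }
        printf '%s\n' "$f"
    )
}

# is_owner_only FILE
# Succeeds only if FILE is readable and writable by its owner alone
# (checks the ls permission string, which is portable between Solaris
# and Linux where stat's flags are not).
is_owner_only() {
    [ "$(ls -ld "$1" | cut -c2-10)" = "rw-------" ]
}

# set_repl_manager_pwd HOST PORT SECRET
# Runs dsconf set-server-prop with def-repl-manager-pwd-file pointing at the
# temp file, then removes the file whether or not dsconf succeeded and
# returns dsconf's exit status.
set_repl_manager_pwd() {
    host=$1; port=$2; secret=$3
    f=$(write_secret_file "$secret") || return 1
    if ! is_owner_only "$f"; then
        rm -f "$f"
        return 1
    fi
    "$DSCONF" set-server-prop -h "$host" -p "$port" "def-repl-manager-pwd-file:$f"
    rc=$?
    rm -f "$f"
    return "$rc"
}
```

Call set_repl_manager_pwd once per master with the same secret, for example set_repl_manager_pwd DirectoryServer-1.example.com 1389 "$NEW_REPL_PWD" on the first host and the same for DirectoryServer-2.example.com on the second, where NEW_REPL_PWD was read into the script with read -r from a terminal rather than typed as an argument. The file is gone before the function returns, so there is no separate "remove pwd.txt" step to forget.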

Procedure: To Create Replication Agreements for Each Configuration Data Instance

A replication agreement is a set of parameters on a supplier that controls how updates are sent to a given consumer. In this case, we are making the configuration data instances aware of each other.

  1. As a root user, log in to the DirectoryServer–1 host machine.

  2. Run dsconf create-repl-agmt to create the replication agreement.


    # cd /var/opt/mps/serverroot/ds6/bin
    # ./dsconf create-repl-agmt -h DirectoryServer-1.example.com \
      -p 1389 dc=example,dc=com DirectoryServer-2.example.com:1389
    Enter "cn=Directory Manager" password: d1rm4n4ger
    
    Use "dsconf init-repl-dest dc=example,dc=com DirectoryServer-2.example.com:1389" 
    to start replication of "dc=example,dc=com" data.
  3. Run dsconf list-repl-agmts to verify that the replication agreement was successfully created.


    # ./dsconf list-repl-agmts -p 1389
    Enter "cn=Directory Manager" password: d1rm4n4ger
    
    dc=example,dc=com DirectoryServer-2.example.com:1389

    The response indicates that the Directory Server 1 configuration data base suffix will be replicated to Directory Server 2.

  4. Log out of the DirectoryServer–1 host machine.

  5. As a root user, log in to the DirectoryServer–2 host machine.

  6. Run dsconf create-repl-agmt to create the replication agreement.


    # cd /var/opt/mps/serverroot/ds6/bin
    # ./dsconf create-repl-agmt -h DirectoryServer-2.example.com \
      -p 1389 dc=example,dc=com DirectoryServer-1.example.com:1389
    Enter "cn=Directory Manager" password: d1rm4n4ger
    
    Use "dsconf init-repl-dest dc=example,dc=com DirectoryServer-1.example.com:1389" 
    to start replication of "dc=example,dc=com" data.
  7. Run dsconf list-repl-agmts to verify that the replication agreement was successfully created.


    # ./dsconf list-repl-agmts -p 1389
    Enter "cn=Directory Manager" password: d1rm4n4ger
    
    dc=example,dc=com DirectoryServer-1.example.com:1389

    The response indicates that the Directory Server 2 configuration data base suffix will be replicated to Directory Server 1.

  8. Log out of the DirectoryServer–2 host machine.

Procedure: To Initialize the Configuration Data Instance Replication Agreements

In this procedure, initialize the configuration data instance on Directory Server 1. The previously created replication agreement will replicate the data to Directory Server 2.


Note –

Only one direction needs to be initialized when configuring for MMR. Once Directory Server 2 has been initialized from Directory Server 1, both masters hold the same data and replicate updates in both directions; do not also initialize Directory Server 1 from Directory Server 2.


  1. As a root user, log in to the DirectoryServer–1 host machine.

  2. Run dsconf show-repl-agmt-status to verify that the replication agreements have not yet been initialized.


    # cd /var/opt/mps/serverroot/ds6/bin
    # ./dsconf show-repl-agmt-status -h DirectoryServer-1.example.com \
      -p 1389 dc=example,dc=com DirectoryServer-2.example.com:1389
    Enter "cn=Directory Manager" password: d1rm4n4ger
    
    Configuration Status 		: OK
    Authentication Status		: OK
    Initialization Status		: NOT OK
    
    Status                 		: Dest. Not Initialized
  3. Run dsconf init-repl-dest to initialize the replication agreements.


    # ./dsconf init-repl-dest -h DirectoryServer-1.example.com \
      -p 1389 dc=example,dc=com DirectoryServer-2.example.com:1389
    Enter "cn=Directory Manager" password: d1rm4n4ger
    
    Sent 1 entries...
    Sent 2 entries...
    Completed initialization of "DirectoryServer-2.example.com:1389"; 
    May 15, 2007 1:53:32 PM
  4. Run dsconf show-repl-agmt-status again to verify that the replication agreements are now initialized.


    # ./dsconf show-repl-agmt-status -h DirectoryServer-1.example.com \
      -p 1389 dc=example,dc=com DirectoryServer-2.example.com:1389
    Enter "cn=Directory Manager" password: d1rm4n4ger
    
    Configuration Status 		: OK
    Authentication Status		: OK
    Initialization Status		: OK
    
    Status                 		: Enabled
    Last Update Date						: Jul 12, 2007 8:47 PM
  5. Log out of the DirectoryServer–1 host machine.

Procedure: To Verify that Configuration Data Replication Works Properly

  1. As a root user, log in to the Directory Server 1 host machine.

  2. Run ldapmodify to create a new directory entry.


    # ldapmodify -a -h DirectoryServer-1.example.com -p 1389 \
      -D cn=admin,cn=Administrators,cn=config -w d1rm4n4ger
    
    dn: ou=People,dc=example,dc=com
    objectclass: top
    objectclass: organizationalUnit
    ou: People
    description: Container for user entries
    
    Hit ENTER to indicate end of input.
    
    adding new entry ou=People,dc=example,dc=com
    
    Hit Control C to terminate the command.
    
    ^C
    

    This step creates a new organizational unit on Directory Server 1. Passing the bind password with -w places it in the process list and in the shell history; on a shared host, read it from a protected file instead (the -j option of the Directory Server command-line tools).

  3. As a root user, log in to the DirectoryServer–2 host machine.

  4. Run ldapsearch on Directory Server 2 to verify that the entry was successfully replicated. Replication is asynchronous, so if the entry is not listed yet, wait a few seconds and repeat the search before concluding that replication has failed.


    # ldapsearch -b "dc=example,dc=com" -p 1389 -D "cn=Directory Manager" \
      -w d1rm4n4ger "objectclass=organizationalUnit"
    
    version: 1
    dn: ou=People,dc=example,dc=com
    objectClass: top
    objectClass: organizationalUnit
    ou: People
    description: Container for user entries
  5. Run ldapdelete on Directory Server 2 to delete the entry.


    # ldapdelete -h DirectoryServer-2.example.com -p 1389 \
      -D "cn=Directory Manager" -w d1rm4n4ger "ou=People,dc=example,dc=com"
    
  6. Run ldapsearch on Directory Server 1 to verify that the entry was deleted.


    # ldapsearch -b "dc=example,dc=com" -p 1389 -D "cn=Directory Manager" \
      -w d1rm4n4ger "objectclass=organizationalUnit"
    

    If the delete was successfully replicated to Directory Server 1, the search will return no results.

  7. Log out of the Directory Server host machines.
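The verification procedure above is a manual add, search, delete, search round trip, and a search issued the instant after the write can miss the entry simply because replication has not caught up yet. The script below is an added example, not part of the Sun deployment guide, that automates the same round trip and polls each master until the expected state is seen, distinguishing "entry not there yet" (ldapsearch exit code 32, noSuchObject) from a connection or bind failure. It assumes the Directory Server ldapsearch, ldapmodify and ldapdelete tools are on the PATH (override with LDAPSEARCH, LDAPMODIFY, LDAPDELETE), that the Directory Manager password is kept in a 0600 file named by DM_PWD_FILE and passed with the tools' -j option instead of -w, and that it binds as cn=Directory Manager for all three operations where the guide used cn=admin,cn=Administrators,cn=config for the add.

```shell
#!/bin/sh
# Added example (not from the Sun guide): automated replication round trip
# with polling, because MMR replication is asynchronous.
# Assumptions: DSEE ldapsearch/ldapmodify/ldapdelete on the PATH (override
# with the variables below); DM_PWD_FILE names a 0600 file holding the
# cn=Directory Manager password, read with the tools' -j option.

LDAPSEARCH=${LDAPSEARCH:-ldapsearch}
LDAPMODIFY=${LDAPMODIFY:-ldapmodify}
LDAPDELETE=${LDAPDELETE:-ldapdelete}
DM_PWD_FILE=${DM_PWD_FILE:-/root/dm-pwd.txt}   # assumed location
POLL_STEP=${POLL_STEP:-2}      # seconds between attempts
POLL_MAX=${POLL_MAX:-15}       # attempts before giving up

# entry_state HOST PORT DN
# Prints "present", "absent" or "error" after a base-scope search on DN.
# Exit status 32 from ldapsearch is LDAP noSuchObject, i.e. not replicated yet;
# anything else (connection refused, invalid credentials, ...) is an error.
entry_state() {
    "$LDAPSEARCH" -h "$1" -p "$2" -D "cn=Directory Manager" -j "$DM_PWD_FILE" \
        -b "$3" -s base "(objectclass=*)" dn >/dev/null 2>&1
    case $? in
        0)  echo present ;;
        32) echo absent ;;
        *)  echo error ;;
    esac
}

# wait_for_state HOST PORT DN WANTED
# Polls entry_state until it reports WANTED ("present" or "absent").
# Returns 0 when seen, 1 when POLL_MAX attempts are used up, 2 on error.
wait_for_state() {
    n=0
    while [ "$n" -lt "$POLL_MAX" ]; do
        s=$(entry_state "$1" "$2" "$3")
        case $s in
            "$4")  return 0 ;;
            error) return 2 ;;
        esac
        n=$((n + 1))
        sleep "$POLL_STEP"
    done
    return 1
}

# replication_round_trip HOST1 PORT1 HOST2 PORT2 DN
# Adds an organizationalUnit at DN on HOST1, waits for it to appear on HOST2,
# deletes it on HOST2 and waits for the delete to reach HOST1: the guide's
# manual verification, with the waiting done for you. DN must start with ou=.
replication_round_trip() {
    ou=${5%%,*}; ou=${ou#ou=}
    printf 'dn: %s\nobjectclass: top\nobjectclass: organizationalUnit\nou: %s\n' "$5" "$ou" |
        "$LDAPMODIFY" -a -h "$1" -p "$2" -D "cn=Directory Manager" -j "$DM_PWD_FILE" \
        >/dev/null 2>&1 || return 1
    wait_for_state "$3" "$4" "$5" present || return 1
    "$LDAPDELETE" -h "$3" -p "$4" -D "cn=Directory Manager" -j "$DM_PWD_FILE" "$5" \
        >/dev/null 2>&1 || return 1
    wait_for_state "$1" "$2" "$5" absent
}
```

Run it from either host as replication_round_trip DirectoryServer-1.example.com 1389 DirectoryServer-2.example.com 1389 "ou=People,dc=example,dc=com"; an exit status of 0 means both directions replicated within POLL_MAX times POLL_STEP seconds, 1 means a timeout in one direction, and 2 means the search itself failed, which points at connectivity or credentials rather than at replication.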