Oracle Directory Server Enterprise Edition Administration Guide 11g Release 1 (11.1.1.5.0)

Chapter 10. Directory Server Replication

To Configure Replication Operations for SSL
You can configure Directory Servers involved in replication so that all replication operations occur over an SSL connection.
This procedure shows example commands for setting up replication on a replication topology with two masters.
Note - This example shows a simple replication configuration, using a self-signed certificate as generated during instance creation. When setting up replication over SSL in a production environment, you will have better security if you use Certificate Authority trusted certificates instead.
Replication over SSL will fail if the supplier server certificate is an SSL server-only certificate that cannot act as a client during an SSL handshake.
While replication traffic is protected by SSL, the replication manager is still authenticated with a simple bind and password. You can use client certificate based authentication to secure replication fully, but this requires more complex settings. For more information about replication using client certificate authentication, see To Configure Client Authentication Based Replication for SSL.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
Create two Directory Server instances, each with an LDAP port and a secure LDAP port, and start them:

$ dsadm create -p 1389 -P 1636 /local/ds1
$ dsadm create -p 2389 -P 2636 /local/ds2
$ dsadm start /local/ds1
$ dsadm start /local/ds2
For more information about configuring SSL, see Using SSL With Directory Server.
Create the suffix to be replicated on both instances:

$ dsconf create-suffix -e -w password-file -p 1389 dc=example,dc=com
$ dsconf create-suffix -e -w password-file -p 2389 dc=example,dc=com
Set the default replication manager password on each instance, reading it from a file:

$ dsconf set-server-prop -e -i -w password-file -h example1.server -p 1389 \
  def-repl-manager-pwd-file:/local/ds1/replmanrpwd1.txt
$ dsconf set-server-prop -e -i -w password-file -h example2.server -p 2389 \
  def-repl-manager-pwd-file:/local/ds1/replmanrpwd2.txt
Enable the suffix as a master replica on each instance, giving each master a distinct replica ID:

$ dsconf enable-repl -h example1.server -p 1389 -e -i -w password-file \
  -d 1 master dc=example,dc=com
$ dsconf enable-repl -h example2.server -p 2389 -e -i -w password-file \
  -d 2 master dc=example,dc=com
Export the default self-signed certificate of each instance in DER format:

$ dsadm show-cert -F der -o certfile1 /local/ds1 defaultCert
$ dsadm show-cert -F der -o certfile2 /local/ds2 defaultCert
Add each instance's certificate to the other instance's certificate database as a trusted certificate, so that each server trusts the other's self-signed certificate:

$ dsadm add-cert --ca /local/ds1 "ds2 Repl Manager Cert" certfile2
$ dsadm add-cert --ca /local/ds2 "ds1 Repl Manager Cert" certfile1
Note that secure LDAP ports are used for the replication agreements.
Create a replication agreement in each direction, using the ssl-simple authentication protocol:

$ dsconf create-repl-agmt -h example1.server -p 1389 -e -i -w password-file \
  --auth-protocol "ssl-simple" dc=example,dc=com example2.server:2636
$ dsconf create-repl-agmt -h example2.server -p 2389 -e -i -w password-file \
  --auth-protocol "ssl-simple" dc=example,dc=com example1.server:1636
Give each agreement the password file of the replication manager on its destination server:

$ dsconf set-repl-agmt-prop -h example1.server -p 1389 -e -i -w password-file \
  dc=example,dc=com example2.server:2636 auth-pwd-file:/local/ds1/replmanrpwd2.txt
$ dsconf set-repl-agmt-prop -h example2.server -p 2389 -e -i -w password-file \
  dc=example,dc=com example1.server:1636 auth-pwd-file:/local/ds1/replmanrpwd1.txt
After you have initialized the suffixes, the supplier sends all replication update messages to the consumer over SSL, and uses certificates if you chose that option. Consumer initialization also uses a secure connection if it is performed through DSCC using an agreement configured for SSL.
Restart both instances so that the new settings take effect:

$ dsadm restart /local/ds1
$ dsadm restart /local/ds2
Import the data into the suffix on the first master:

$ dsconf import -h example1.server -p 1389 -e -i \
  -w password-file /tmp/Example.ldif dc=example,dc=com
Initialize the second master from the first over the agreement created above (the destination is the secure port of example2.server):

$ dsconf init-repl-dest -e -i -w password-file \
  -h example1.server -p 1389 dc=example,dc=com example2.server:2636
To Configure Client Authentication Based Replication for SSL

In the following procedure, it is assumed that you requested properly signed certificate/key pairs from a trusted Certificate Authority (CA) and that the CA certificate of that authority is present in all security databases.
The certificate/key pairs should be issued to the user having replication rights, that is, the certificate subject is the DN of a user allowed to transfer replication data between the servers. In the following example, these users are cn=user1,o=users and cn=user2,o=users; the certificates' short names in the security database are replmgr1 and replmgr2 respectively.
Create two Directory Server instances:

$ dsadm create -p 1389 -P 1636 /local/ds1
$ dsadm create -p 2389 -P 2636 /local/ds2
Import the replication manager certificate/key pair into each instance:

$ dsadm import-cert /local/ds1 user1.der
$ dsadm import-cert /local/ds2 user2.der

The files user1.der and user2.der are the files provided by the CA.
Export each certificate in ASCII form to a file that will become an LDIF entry:

$ dsadm show-cert -F ascii /local/ds1 replmgr1 > user1.ldif
$ dsadm show-cert -F ascii /local/ds2 replmgr2 > user2.ldif

The files contain the base64-encoded binary certificates.
Start both instances:

$ dsadm start /local/ds1
$ dsadm start /local/ds2
Create the suffix to be replicated and a separate suffix for the replication users on each instance:

$ dsconf create-suffix -p 1389 -e o=example.com
$ dsconf create-suffix -p 2389 -e o=example.com
$ dsconf create-suffix -p 1389 -e o=users
$ dsconf create-suffix -p 2389 -e o=users
Note - Alternatively, the users and their certificates could be in another suffix. It is not recommended to have the user in the same suffix that is to be replicated.
Enable the suffix as a master replica on each instance, giving each master a distinct replica ID:

$ dsconf enable-repl -p 1389 -e -d 1 master o=example.com
$ dsconf enable-repl -p 2389 -e -d 2 master o=example.com
Edit user1.ldif and user2.ldif so that each becomes an entry for the replication user carrying that user's certificate. The inetorgperson object class requires the cn and sn attributes, so they are added alongside the certificate:

dn: cn=user1,o=users
objectclass: top
objectclass: inetorgperson
cn: user1
sn: user1
userCertificate;binary:: MIIBqDCCARGgAwIBAgI <...>
 dXNlcnMwHh <...>
 <...>
The files must be valid LDIF files.
Remove the BEGIN CERTIFICATE and END CERTIFICATE lines. The value of userCertificate;binary:: is simply the base64 encoding of the certificate (the double colon marks a base64 value). If the value spans multiple lines, each continuation line must begin with a space.
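The conversion described above, as an added example that is not part of the Oracle guide: a POSIX shell function turns the PEM file written by dsadm show-cert -F ascii into an LDIF entry with a folded userCertificate;binary:: value, a second function checks the folding rules the text states (no line longer than 76 characters, continuation lines starting with a space), and a third unfolds the value so the round trip can be verified. The sample PEM body is constructed base64-alphabet text, not a real certificate; only sh, sed, awk, fold and tr are assumed.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: convert the PEM certificate that
# "dsadm show-cert -F ascii" prints into an LDIF entry whose
# userCertificate;binary:: value is folded as LDIF (RFC 2849) requires.

# pem_to_ldif DN PEMFILE
#   Drops the BEGIN/END CERTIFICATE lines, joins the base64 body into one
#   value, and folds the logical line at 76 columns, each continuation line
#   starting with a single space (the rule the guide gives for long values).
pem_to_ldif() {
  dn=$1
  pem=$2
  cn=$(printf '%s\n' "$dn" | sed 's/^cn=\([^,]*\).*/\1/')
  b64=$(sed '/^-----BEGIN CERTIFICATE-----/d;/^-----END CERTIFICATE-----/d' "$pem" | tr -d ' \r\n')
  printf 'dn: %s\n' "$dn"
  # inetorgperson requires cn and sn; the RDN value serves for both here
  printf 'objectclass: top\nobjectclass: inetorgperson\n'
  printf 'cn: %s\nsn: %s\n' "$cn" "$cn"
  # fold at 75, then a leading space on continuation lines gives 76 columns
  printf 'userCertificate;binary:: %s\n' "$b64" | fold -w 75 | sed '2,$s/^/ /'
}

# ldif_check LDIFFILE
#   Exit status 0 when every line is at most 76 characters and every
#   non-empty line is an attribute line, a comment, a "-" separator, or a
#   continuation line starting with a space; 1 otherwise.
ldif_check() {
  awk '
    length($0) > 76 { bad = 1 }
    $0 == "" || $0 == "-" || /^#/ || /^ / { next }
    !/^[A-Za-z][A-Za-z0-9;.-]*:/ { bad = 1 }
    END { exit bad }
  ' "$1"
}

# ldif_cert_value LDIFFILE
#   Unfolds and prints the userCertificate;binary:: value (the base64 text
#   without armor), the inverse of the folding done by pem_to_ldif.
ldif_cert_value() {
  awk '
    /^userCertificate;binary:: / { v = substr($0, 26); on = 1; next }
    on && /^ / { v = v substr($0, 2); next }
    { on = 0 }
    END { print v }
  ' "$1"
}

# Constructed sample: base64-alphabet text standing in for a certificate body.
# It is NOT a real certificate; it only exercises the stripping and folding.
WORK=$(mktemp -d)
PEM="$WORK/user1.pem"
OUT="$WORK/user1.ldif"
cat > "$PEM" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBqDCCARGgAwIBAgIBATANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAlyZXBs
bWdyMTAeFw0yNDAxMDEwMDAwMDBaFw0yNTAxMDEwMDAwMDBaMBQxEjAQBgNVBAMM
CXJlcGxtZ3IxMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAK8=
-----END CERTIFICATE-----
EOF
# The same body joined into one value, kept to confirm the round trip.
B64=$(sed '1d;$d' "$PEM" | tr -d '\n')

pem_to_ldif "cn=user1,o=users" "$PEM" > "$OUT"
cat "$OUT"
ldif_check "$OUT" && echo "LDIF check passed"
```

The generated file is what the ldapmodify step in the procedure consumes; running ldif_check on a hand-edited file before loading it catches the two mistakes the guide warns about, a leftover armor line (it contains no colon, so it is rejected as a malformed attribute line) and a wrapped base64 line without its leading space.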
Add the entry for the other server's replication user to each instance, so that each server holds the certificate of the user that will bind to it:

$ ldapmodify -p 1389 -D binddn -w password -a < user2.ldif
$ ldapmodify -p 2389 -D binddn -w password -a < user1.ldif
Note - Alternatively, you can issue the ldapmodify commands directly and create the two users interactively. Make sure that you use the correct syntax when setting the userCertificate attribute.
Set the replication manager bind DN of the replicated suffix on each instance to the user whose certificate the other instance will present:

$ dsconf set-suffix-prop -p 1389 -e o=example.com repl-manager-bind-dn:cn=user2,o=users
$ dsconf set-suffix-prop -p 2389 -e o=example.com repl-manager-bind-dn:cn=user1,o=users
Configure each instance to use its replication manager certificate in SSL handshakes:

$ dsconf set-server-prop -p 1389 -e ssl-rsa-cert-name:replmgr1
$ dsconf set-server-prop -p 2389 -e ssl-rsa-cert-name:replmgr2
Restart both instances so that the new settings take effect:

$ dsadm restart /local/ds1
$ dsadm restart /local/ds2
Create the replication agreements with the ssl-client authentication protocol, pointing at the secure port of the other instance:

$ dsconf create-repl-agmt -p 1389 -e -A ssl-client o=example.com hostname:2636
$ dsconf create-repl-agmt -p 2389 -e -A ssl-client o=example.com hostname:1636