Oracle Directory Server Enterprise Edition Administration Guide 11g Release 1 (11.1.1.5.0)

Solving Common Replication Conflicts

Multimaster replication uses a loose consistency replication model. This means that the same entries may be modified simultaneously on different servers. When updates are sent between the two servers, any conflicting changes must be resolved. Most resolution occurs automatically. For example, the timestamps associated with the change on each server are compared, and the most recent change takes precedence. However, some change conflicts require manual intervention to reach a resolution.

This section covers the following topics:

Solving Replication Conflicts by Using DSCC

The easiest way to resolve a replication conflict is by using DSCC. See the DSCC online help for information.

Solving Replication Conflicts by Using the Command Line

You can solve replication conflicts by using the command line. Entries that have a change conflict that cannot be resolved automatically by the replication process contain the operational attribute nsds5ReplConflict as a conflict marker.

To find entries with conflicts, periodically search for entries that contain this attribute. For example, you could use the following ldapsearch command to find entries with conflicts:

$ ldapsearch -h host2 -p 1389 -D cn=admin,cn=Administrators,cn=config \
 -w - -b "dc=example,dc=com" "(nsds5ReplConflict=*)"

Note that the nsds5ReplConflict attribute is indexed by default.

Solving Naming Conflicts

Entries with identical DNs may be created on separate masters if they are created before the servers replicate the changes to each other. Upon replication, the conflict resolution mechanism will automatically rename the second entry created.

An entry with a DN naming conflict is renamed by including its unique identifier, provided by the operational attribute nsuniqueid, in its DN.

For example, if the entry uid=bjensen,ou=People,dc=example,dc=com is created simultaneously on two masters, both will have the following two entries after replication:

The second entry must be given a useful DN. You can delete the conflicting entry and add it again with a non-conflicting name. However, renaming the entry ensures that its contents have not changed. The renaming procedure depends on whether the naming attribute is single-valued or multivalued. See the following procedures.

To Rename a Conflicting Entry That Has a Multivalued Naming Attribute

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Rename the entry while keeping the old RDN value, for example:
    $ ldapmodify -h host2 -p 1389 -D cn=admin,cn=Administrators,cn=config -w -
    Enter bind password:
    dn: nsuniqueid=66446001-1dd211b2-66225011-2ee211db+uid=bjensen,dc=example,dc=com
    changetype: modrdn
    newrdn: uid=bj66446001
    deleteoldrdn: 0
    ^D

    You cannot delete the old RDN value in this step because it also contains the nsuniqueid operational attribute, which cannot be deleted.

  2. Remove the old RDN value of the naming attribute and the conflict marker attribute, for example:
    $ ldapmodify -h host2 -p 1389 -D cn=admin,cn=Administrators,cn=config -w -
    Enter bind password:
    dn: uid=bj66446001,dc=example,dc=com
    changetype: modify
    delete: uid
    uid: bjensen
    -
    delete: nsds5ReplConflict
    ^D
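
The conflict search and the two rename steps above, as an added example that is not part of the Oracle guide: it unfolds ldapsearch LDIF output, extracts each DN, and builds the modrdn and modify records for an entry with a multivalued naming attribute. The function names, the sample LDIF and the second sample entry are constructed for illustration, and the new RDN value is chosen by the operator.

```python
import re

# Constructed sample of ldapsearch output for "(nsds5ReplConflict=*)".
# The second dn is folded: an LDIF continuation line starts with one space.
SAMPLE_LDIF = """\
dn: nsuniqueid=66446001-1dd211b2-66225011-2ee211db+uid=bjensen,dc=example,dc=com
uid: bjensen

dn: nsuniqueid=77557002-1dd211b2-66225011-2ee211db+uid=kw
 inter,dc=example,dc=com
uid: kwinter
"""

# Renamed conflict DN: nsuniqueid=<id>+<attr>=<value>,<parent DN>.
# Values with escapes or further "+" parts do not match: handle those by hand.
CONFLICT_DN = re.compile(
    r"nsuniqueid=[0-9a-f-]+\+(?P<attr>[A-Za-z][A-Za-z0-9-]*)="
    r"(?P<value>[^,+\\]+),(?P<parent>.+)", re.IGNORECASE)

def conflict_dns(ldif_text):
    """Return every plain-text DN in the LDIF, with folded lines rejoined."""
    unfolded = ldif_text.replace("\n ", "")
    return [l[4:] for l in unfolded.splitlines() if l.startswith("dn: ")]

def rename_plan(dn, new_value):
    """Build the modrdn and modify records of the two-step rename."""
    m = CONFLICT_DN.fullmatch(dn)
    if m is None:
        raise ValueError("not a renamed naming-conflict DN: " + dn)
    # Refuse values that could inject LDIF lines or extra RDN components.
    if not re.fullmatch(r"[A-Za-z0-9._-]+", new_value):
        raise ValueError("unsafe RDN value")
    attr, old, parent = m["attr"], m["value"], m["parent"]
    if new_value.lower() == old.lower():
        raise ValueError("new value must differ from the conflicting one")
    step1 = [f"dn: {dn}", "changetype: modrdn",
             f"newrdn: {attr}={new_value}", "deleteoldrdn: 0"]
    step2 = [f"dn: {attr}={new_value},{parent}", "changetype: modify",
             f"delete: {attr}", f"{attr}: {old}", "-",
             "delete: nsds5ReplConflict"]
    return "\n".join(step1), "\n".join(step2)

if __name__ == "__main__":
    for n, dn in enumerate(conflict_dns(SAMPLE_LDIF), 1):
        for record in rename_plan(dn, f"conflict{n}"):
            print(record, end="\n\n")
```

Each record is meant to be reviewed and then passed to ldapmodify in order, step 1 before step 2, as in the procedure above.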

To Rename a Conflicting Entry With a Single-Valued Naming Attribute

When the naming attribute in a duplicate entry is single-valued, for example dc (domain component), you cannot simply rename the entry to another value of the same attribute. Instead, you must give the entry a temporary name.

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Rename the entry by using a different naming attribute, and keep the old RDN, for example:
    $ ldapmodify -h host2 -p 1389 -D cn=admin,cn=Administrators,cn=config -w -
    Enter bind password:
    dn: nsuniqueid=66446001-1dd211b2-66225011-2ee211db+dc=HR,dc=example,dc=com
    changetype: modrdn
    newrdn: o=TempHREntry
    deleteoldrdn: 0
    ^D

    You cannot delete the old RDN value in this step because it also contains the nsuniqueid operational attribute, which cannot be deleted.

  2. Change the desired naming attribute to a unique value and remove the conflict marker attribute, for example:
    $ ldapmodify -h host2 -p 1389 -D cn=admin,cn=Administrators,cn=config -w -
    Enter bind password:
    dn: o=TempHREntry,dc=example,dc=com
    changetype: modify
    replace: dc
    dc: NewHR
    -
    delete: nsds5ReplConflict
    ^D
  3. Rename the entry back to the intended naming attribute, for example:
    $ ldapmodify -h host2 -p 1389 -D cn=admin,cn=Administrators,cn=config -w -
    Enter bind password:
    dn: dc=NewHR,dc=example,dc=com
    changetype: modrdn
    newrdn: dc=HR
    deleteoldrdn: 1
    ^D

    By setting the value of the deleteoldrdn attribute to 1, you delete the temporary attribute-value pair o=TempHREntry. If you want to keep this attribute, set the value of the deleteoldrdn attribute to 0.

Solving Orphan Entry Conflicts

When a delete operation is replicated, and the consumer server finds that the entry to be deleted has child entries, the conflict resolution procedure creates a glue entry to avoid having orphaned entries in the directory.

In the same way, when an add operation is replicated, and the consumer server cannot find the parent entry, the conflict resolution procedure creates a glue entry representing the parent so that the new entry is not an orphan entry.

Glue entries are temporary entries that include the object classes glue and extensibleObject. Glue entries can be created in various ways:

Solving Potential Interoperability Problems

For interoperability with applications that rely on attribute uniqueness, such as a mail server, you might need to restrict access to the entries that contain the nsds5ReplConflict attribute. If you do not restrict access to these entries, the applications that require only one attribute will pick up both the original entry and the conflict resolution entry that contains the nsds5ReplConflict attribute, and operations will fail.

To restrict access, modify the default ACI that grants anonymous read access by using the following command. The value listed under delete: aci must match the ACI that is currently stored on the suffix entry.

$ ldapmodify -h host2 -p 1389 -D cn=admin,cn=Administrators,cn=config -w -
Enter bind password:
dn: dc=example,dc=com
changetype: modify
delete: aci
aci: (target ="ldap:///dc=example,dc=com")
 (targetattr !="userPassword")
 (version 3.0;acl "Anonymous read-search  access";
 allow (read, search, compare)(userdn = "ldap:///anyone");)
-
add: aci
aci: (target="ldap:///dc=example,dc=com")
 (targetattr!="userPassword")
 (targetfilter="(!(nsds5ReplConflict=*))")(version 3.0;acl
 "Anonymous read-search access";allow (read, search, compare)
 (userdn="ldap:///anyone");)
^D

The new ACI will keep entries that contain the nsds5ReplConflict attribute from being returned in search results.