DS Replication Setup
From Dogtag
Configuration Replication Agreements
A clone will have the following entries in the CS.cfg:
internaldb.replication.master=masterAgreement1-replica.example.com-pki-tomcat
internaldb.replication.consumer=cloneAgreement1-replica.example.com-pki-tomcat
Creating Replication Managers
To create replication manager on master:
$ ldapadd -h master.example.com -x -D "cn=Directory Manager" -w Secret.123 << EOF
dn: ou=csusers,cn=config
objectClass: top
objectClass: organizationalUnit
ou: csusers

dn: cn=Replication Manager masterAgreement1-replica.example.com-pki-tomcat,ou=csusers,cn=config
objectClass: top
objectClass: person
cn: Replication Manager masterAgreement1-replica.example.com-pki-tomcat
sn: manager
userPassword: <password>
EOF
To create replication manager on replica:
$ ldapadd -h replica.example.com -x -D "cn=Directory Manager" -w Secret.123 << EOF
dn: ou=csusers,cn=config
objectClass: top
objectClass: organizationalUnit
ou: csusers

dn: cn=Replication Manager cloneAgreement1-replica.example.com-pki-tomcat,ou=csusers,cn=config
objectClass: top
objectClass: person
cn: Replication Manager cloneAgreement1-replica.example.com-pki-tomcat
sn: manager
userPassword: <password>
EOF
Getting Instance Directory
To find the instance's database directory (the nsslapd-directory attribute), which determines where the change log directory used below is placed:
$ ldapsearch -x -D "cn=Directory Manager" -w Secret.123 -b "cn=config,cn=ldbm database,cn=plugins,cn=config" "(nsslapd-directory=*)"
Creating Change Log
To create change log on master:
$ ldapadd -h master.example.com -x -D "cn=Directory Manager" -w Secret.123 << EOF
dn: cn=changelog5,cn=config
objectClass: top
objectClass: extensibleObject
cn: changelog5
nsslapd-changelogdir: /var/lib/dirsrv/slapd-pki-tomcat/changelogs
EOF
To create change log on replica:
$ ldapadd -h replica.example.com -x -D "cn=Directory Manager" -w Secret.123 << EOF
dn: cn=changelog5,cn=config
objectClass: top
objectClass: extensibleObject
cn: changelog5
nsslapd-changelogdir: /var/lib/dirsrv/slapd-pki-tomcat/changelogs
EOF
Enabling Replication
To enable replication on master:
$ ldapadd -h master.example.com -x -D "cn=Directory Manager" -w Secret.123 << EOF
dn: cn=replica,cn=\"dc=ca,dc=pki,dc=example,dc=com\",cn=mapping tree,cn=config
objectclass: top
objectclass: nsDS5Replica
objectclass: extensibleobject
cn: replica
nsDS5ReplicaRoot: dc=ca,dc=pki,dc=example,dc=com
nsDS5ReplicaType: 3
nsDS5ReplicaBindDN: cn=Replication Manager masterAgreement1-replica.example.com-pki-tomcat,ou=csusers,cn=config
nsDS5ReplicaId: <replica ID>
nsds5flags: 1
EOF
To enable replication on replica:
$ ldapadd -h replica.example.com -x -D "cn=Directory Manager" -w Secret.123 << EOF
dn: cn=replica,cn=\"dc=ca,dc=pki,dc=example,dc=com\",cn=mapping tree,cn=config
objectclass: top
objectclass: nsDS5Replica
objectclass: extensibleobject
cn: replica
nsDS5ReplicaRoot: dc=ca,dc=pki,dc=example,dc=com
nsDS5ReplicaType: 3
nsDS5ReplicaBindDN: cn=Replication Manager cloneAgreement1-replica.example.com-pki-tomcat,ou=csusers,cn=config
nsDS5ReplicaId: <replica ID>
nsds5flags: 1
EOF
Configuring Replica ID
The replica ID used in the nsDS5ReplicaId attribute above is recorded in CS.cfg:
dbs.beginReplicaNumber=<replica ID>
Creating Replication Agreements
To create replication agreement on master:
$ ldapadd -h master.example.com -x -D "cn=Directory Manager" -w Secret.123 << EOF
dn: cn=masterAgreement1-replica.example.com-pki-tomcat,cn=replica,cn=\"dc=ca,dc=pki,dc=example,dc=com\",cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: masterAgreement1-replica.example.com-pki-tomcat
nsDS5ReplicaRoot: dc=ca,dc=pki,dc=example,dc=com
nsDS5ReplicaHost: replica.example.com
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: cn=Replication Manager cloneAgreement1-replica.example.com-pki-tomcat,ou=csusers,cn=config
nsDS5ReplicaBindMethod: Simple
nsds5replicacredentials: <password>
nsDS5ReplicaTransportInfo: <SSL|TLS>
description: masterAgreement1-replica.example.com-pki-tomcat
EOF
To create replication agreement on replica:
$ ldapadd -h replica.example.com -x -D "cn=Directory Manager" -w Secret.123 << EOF
dn: cn=cloneAgreement1-replica.example.com-pki-tomcat,cn=replica,cn=\"dc=ca,dc=pki,dc=example,dc=com\",cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: cloneAgreement1-replica.example.com-pki-tomcat
nsDS5ReplicaRoot: dc=ca,dc=pki,dc=example,dc=com
nsDS5ReplicaHost: master.example.com
nsDS5ReplicaPort: 389
# bind as the replication manager that the master's cn=replica entry authorizes (see Enabling Replication)
nsDS5ReplicaBindDN: cn=Replication Manager masterAgreement1-replica.example.com-pki-tomcat,ou=csusers,cn=config
nsDS5ReplicaBindMethod: Simple
nsds5replicacredentials: <password>
nsDS5ReplicaTransportInfo: <SSL|TLS>
description: cloneAgreement1-replica.example.com-pki-tomcat
EOF
Initializing Consumer
$ ldapmodify -h master.example.com -x -D "cn=Directory Manager" -w Secret.123 << EOF
dn: cn=masterAgreement1-replica.example.com-pki-tomcat,cn=replica,cn=\"dc=ca,dc=pki,dc=example,dc=com\",cn=mapping tree,cn=config
changetype: modify
replace: nsds5beginreplicarefresh
nsds5beginreplicarefresh: start
EOF
Checking Replication Status
$ ldapsearch -h master.example.com -x -D "cn=Directory Manager" -w Secret.123 -b 'cn=masterAgreement1-replica.example.com-pki-tomcat,cn=replica,cn="dc=ca,dc=pki,dc=example,dc=com",cn=mapping tree,cn=config' -s base "(objectclass=*)" nsds5beginreplicarefresh nsds5replicalastinitstatus
dn: cn=masterAgreement1-replica.example.com-pki-tomcat,cn=replica,cn="dc=ca,dc=pki,dc=example,dc=com",cn=mapping tree,cn=config
nsds5beginreplicarefresh:
nsds5replicalastinitstatus:
The nsds5beginreplicarefresh attribute is cleared once the initialization has finished; nsds5replicalastinitstatus reports the outcome of the last initialization.
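The steps above create two cn=replica entries and two agreements whose bind DNs must cross-match: each agreement binds as the replication manager that the peer's cn=replica entry lists in nsDS5ReplicaBindDN. As an added example (not part of the Dogtag page), the following derives both sides from the hostnames, instance name and suffix using the page's naming scheme and checks that the pair is consistent before any ldapadd is run; the replica ID values and the TLS default are assumed inputs.

```python
# Added example, not from the Dogtag page: derive the paired entries the steps above
# create by hand and check that the two sides agree before anything is applied.
# Naming follows the page: <side>Agreement1-<replica host>-<instance>.

def agreement_name(side, replica_host, instance):
    return f"{side}Agreement1-{replica_host}-{instance}"

def manager_dn(name):
    return f"cn=Replication Manager {name},ou=csusers,cn=config"

def replica_dn(suffix):
    # The page's heredocs write the quotes as \" (RFC 4514 escaping); this is the DN itself.
    return f'cn=replica,cn="{suffix}",cn=mapping tree,cn=config'

def build_plan(master_host, replica_host, instance, suffix, master_id, replica_id,
               port=389, transport="TLS"):
    """Per host: the cn=replica entry (who may bind to us) and the outbound agreement (who we bind as)."""
    m_name = agreement_name("master", replica_host, instance)
    c_name = agreement_name("clone", replica_host, instance)
    plan = {}
    for host, own, peer_host, peer, rid in (
        (master_host, m_name, replica_host, c_name, master_id),
        (replica_host, c_name, master_host, m_name, replica_id),
    ):
        plan[host] = {
            "replica": {"dn": replica_dn(suffix), "nsDS5ReplicaRoot": suffix,
                        "nsDS5ReplicaType": "3", "nsDS5ReplicaId": str(rid),
                        "nsDS5ReplicaBindDN": manager_dn(own), "nsds5flags": "1"},
            "agreement": {"dn": f"cn={own},{replica_dn(suffix)}",
                          "nsDS5ReplicaHost": peer_host, "nsDS5ReplicaPort": str(port),
                          "nsDS5ReplicaBindDN": manager_dn(peer),
                          "nsDS5ReplicaBindMethod": "Simple",
                          "nsDS5ReplicaTransportInfo": transport},
        }
    return plan

def check_plan(plan):
    """Return a list of problems; an empty list means the two sides are mutually consistent."""
    problems = []
    for host, cfg in plan.items():
        agr = cfg["agreement"]
        peer = plan[agr["nsDS5ReplicaHost"]]
        # The supplier must bind as the DN the consumer's cn=replica entry authorizes.
        if agr["nsDS5ReplicaBindDN"] != peer["replica"]["nsDS5ReplicaBindDN"]:
            problems.append(f"{host}: bind DN is not the peer's nsDS5ReplicaBindDN")
        # Simple bind sends the manager password; only SSL or TLS keeps it off the wire.
        if agr["nsDS5ReplicaTransportInfo"] not in ("SSL", "TLS"):
            problems.append(f"{host}: nsDS5ReplicaTransportInfo must be SSL or TLS")
    if len({c["replica"]["nsDS5ReplicaId"] for c in plan.values()}) != len(plan):
        problems.append("nsDS5ReplicaId must differ between the two suppliers")
    return problems
```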