Consumer server entries

If the consumer server is a read-only replica server, the only required replication-related entry is the consumer server credentials entry. If the consumer server is a peer or forwarding server, a replica subentry and a consumer server credentials entry are required. The consumer server credentials entry must exist under the cn=configuration suffix in the CDBM backend.
Note: The consumer server credentials entry differs from the supplier server credentials entry. See Credentials entries for more information about the supplier server credentials entry.

The consumer server credentials entry is used on the consumer server to verify that it is actually a supplier server performing a simple or SASL EXTERNAL bind. A consumer server only accepts update operations from its supplier server and any LDAP administrator when using the Server Administration control. There are two types of consumer server credential entries that can be used, one that has an objectclass of ibm-slapdReplication and the other has an objectclass of ibm-slapdSupplier.

When a supplier server replicates updates to its consumer server, a special entry is used to indicate that the supplier server has master level access to the consumer server. Master level access bypasses ACL and entry owner restrictions and allows updates to be made even when the server is a read-only consumer, cascading consumer, or under a quiesced replication context. If the supplier server authenticates to the consumer server with a simple bind, the DN specified by the replicaBindDN attribute value in the replication agreement entry is used as the bind DN. If the supplier server authenticates to the consumer server with a SASL EXTERNAL bind, the bind DN is extracted from the SSL certificate unless the first value of the sslMapCertificate configuration option is set to replace. See sslMapCertificate {off | check | add | replace} {fail | ignore} for more information about certificate mapping.

If the ibm-slapdMasterDN attribute value in an ibm-slapdReplication entry matches the bind DN, the supplier server (or user) is allowed master level access to all replication contexts. If the ibm-slapdMasterDN attribute value in an ibm-slapdSupplier entry matches the bind DN, the supplier server (or user) is only allowed master level access to the replication contexts indicated by the multi-valued ibm-slapdReplicaSubtree attribute value.
Note: The consumer server credentials entry must be present on both the consumer and supplier servers and exist under the cn=configuration suffix in the CDBM backend. The topology entries are the only way for the servers to know their roles in the topology as a whole; therefore, they are needed on all the servers in the topology.
Table 1. ibm-slapdReplication objectclass schema definition (required and optional attributes)

Attribute, description, and example:
cn

A required attribute that specifies the common name of the consumer server credentials entry.

Example:
cn: master server
ibm-slapdMasterDN

Specifies the distinguished name (DN) that the supplier server uses to authenticate with the consumer server.

If the supplier server authenticates to the consumer server with a simple bind, this value matches the replicaBindDN attribute value in the simple bind supplier server credentials entry used by the replication agreement entry. If the supplier server authenticates to the consumer server with a SASL EXTERNAL bind, this value matches the bind DN extracted from the SSL certificate unless the first value of the sslMapCertificate configuration option is set to replace. See sslMapCertificate {off | check | add | replace} {fail | ignore} for more information about certificate mapping.

Example:
ibm-slapdMasterDN: cn=supplier,cn=localhost
ibm-slapdMasterPW

Contains the simple bind authentication information needed for the replicating server to authenticate with the consumer server using the ibm-slapdMasterDN. This password value matches the replicaCredentials attribute value in the simple bind supplier server credentials entry used by the replication agreement entry.

This password value is encrypted if it is added or modified when the secretEncryption configuration option is set to AES or DES in the CDBM backend. If secretEncryption is set to AES or DES, directory security improves because the password is no longer stored in the directory in clear text.

If a SASL EXTERNAL bind is used, this attribute value is not specified.

Note: This value is only used if the entry specified in the ibm-slapdMasterDN attribute value does not exist under a configured suffix in the LDAP server.

Example:
ibm-slapdMasterPW: secret
ibm-slapdMasterReferral

A single valued attribute that contains the LDAP URL of the supplier server. The LDAP URL syntax is documented in RFC 2255.

If an update operation is done by a user other than the supplier server or any LDAP administrator with the Server Administration control, this value is returned as one of the referral values.

See Replication topology hints and tips for more information about referrals with advanced replication.

Example:
ibm-slapdMasterReferral: ldap://master1.ibm.com:500
ibm-slapdNoReplConflictResolution

A boolean (true or false) indicating whether the consumer server participates in replication conflict resolution. If set to true, the consumer server does not participate in conflict resolution. If set to false, or the attribute is not specified, the consumer server does participate in conflict resolution.

Conflict resolution is used to automatically attempt to resolve conflicts with entries that are no longer synchronized between a supplier and consumer server. The modifyTimestamp attribute value of the entry is used to detect a conflict between the two servers.

Example:
ibm-slapdNoReplConflictResolution: true

For the examples in Table 1, the supplier server located at master1.ibm.com on non-secure port 500 performs a simple bind to the consumer server as cn=supplier,cn=localhost with the password secret. The consumer server is not configured for conflict resolution.

Table 2. ibm-slapdSupplier objectclass schema definition (required and optional attributes)

Attribute, description, and example:
cn

A required attribute that specifies the common name of the consumer server credentials entry.

Example:
cn: master server
ibm-slapdMasterDN

Specifies the distinguished name (DN) that the supplier server uses to authenticate with the consumer server.

If the supplier server authenticates to the consumer server with a simple bind, this value matches the replicaBindDN attribute value in the simple bind supplier server credentials entry used by the replication agreement entry.

If the supplier server authenticates to the consumer server with a SASL EXTERNAL bind, this value matches the bind DN extracted from the SSL certificate unless the first value of the sslMapCertificate configuration option is set to replace. See sslMapCertificate {off | check | add | replace} {fail | ignore} for more information about certificate mapping.

Example:
ibm-slapdMasterDN: cn=supplier,cn=localhost
ibm-slapdMasterPW

Contains the simple bind authentication information needed for the replicating server to authenticate with the consumer server using the ibm-slapdMasterDN. This password value matches the replicaCredentials attribute value in the simple bind supplier server credentials entry used by the replication agreement entry.

This password value is encrypted if it is added or modified when the secretEncryption configuration option is set to AES or DES in the CDBM backend. If secretEncryption is set to AES or DES, directory security improves because the password is no longer stored in the directory in clear text.

If a SASL EXTERNAL bind is used, this attribute value is not specified.

Note: This value is only used if the entry specified in the ibm-slapdMasterDN attribute value does not exist under a configured suffix in the LDAP server.

Example:
ibm-slapdMasterPW: secret
ibm-slapdReplicaSubtree

A multi-valued attribute that specifies the distinguished names of replication contexts that are subject to this consumer server credentials entry.

The bound user has master server level access to the replication contexts that are specified for this attribute.

Example:
ibm-slapdReplicaSubtree: o=ibm

For the examples in Table 2, when the supplier server replicates updates to the o=ibm replication context on the consumer server, the supplier server performs a simple bind as cn=supplier,cn=localhost with the password secret.
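The following is an added example, not part of the IBM documentation or the server's code: a small Python model of the master level access decision described above for the two kinds of consumer server credentials entries, using the Table 1 entry and an ibm-slapdSupplier entry limited to the o=ibm context of Table 2. The second supplier DN (cn=supplier2,cn=localhost) and the simplified DN matching are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

def norm_dn(dn: str) -> str:
    """Simplified DN compare key: lowercase RDNs, no blanks around commas (assumption)."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))

@dataclass
class ConsumerCredentials:
    """One consumer server credentials entry under cn=configuration (CDBM backend)."""
    objectclass: str                           # ibm-slapdReplication or ibm-slapdSupplier
    master_dn: str                             # ibm-slapdMasterDN
    replica_subtrees: List[str] = field(default_factory=list)  # ibm-slapdReplicaSubtree
    master_referral: Optional[str] = None      # ibm-slapdMasterReferral

def in_context(entry_dn: str, context_dn: str) -> bool:
    """True if entry_dn is the replication context itself or lies beneath it."""
    e, c = norm_dn(entry_dn), norm_dn(context_dn)
    return e == c or e.endswith("," + c)

def has_master_access(bind_dn: str, target_dn: str, creds: List[ConsumerCredentials]) -> bool:
    """Master level access: an ibm-slapdReplication match grants every context,
    an ibm-slapdSupplier match grants only its ibm-slapdReplicaSubtree values."""
    for c in creds:
        if norm_dn(c.master_dn) != norm_dn(bind_dn):
            continue
        if c.objectclass == "ibm-slapdReplication":
            return True
        if c.objectclass == "ibm-slapdSupplier" and any(in_context(target_dn, s) for s in c.replica_subtrees):
            return True
    return False

def update_disposition(bind_dn: str, target_dn: str, creds: List[ConsumerCredentials],
                       admin_with_server_admin_control: bool = False) -> Tuple[str, List[str]]:
    """'admin' or 'master' when the update may proceed on the consumer; otherwise
    'referral' with the ibm-slapdMasterReferral URLs handed back to the client."""
    if admin_with_server_admin_control:
        return "admin", []
    if has_master_access(bind_dn, target_dn, creds):
        return "master", []
    return "referral", [c.master_referral for c in creds if c.master_referral]

# Constructed sample: the Table 1 entry, plus an ibm-slapdSupplier entry for an
# assumed second supplier DN that is limited to the o=ibm context of Table 2.
CREDS = [
    ConsumerCredentials("ibm-slapdReplication", "cn=supplier,cn=localhost",
                        master_referral="ldap://master1.ibm.com:500"),
    ConsumerCredentials("ibm-slapdSupplier", "cn=supplier2,cn=localhost",
                        replica_subtrees=["o=ibm"]),
]
```

Any other bound user attempting an update is not granted master level access and instead receives the ibm-slapdMasterReferral value as a referral, which is the behaviour the tables describe.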