Consumer server entries
The consumer server credentials entry is used on the consumer server to verify that it is actually a supplier server performing a simple or SASL EXTERNAL bind. A consumer server only accepts update operations from its supplier server and any LDAP administrator when using the Server Administration control. There are two types of consumer server credential entries that can be used, one that has an objectclass of ibm-slapdReplication and the other has an objectclass of ibm-slapdSupplier.
When a supplier server replicates updates to its consumer server, a special entry is used to indicate that the supplier server has master level access to the consumer server. Master level access bypasses ACL and entry owner restrictions and allows updates to be made even when the server is a read-only consumer, a cascading consumer, or under a quiesced replication context. If the supplier server authenticates to the consumer server with a simple bind, the DN specified by the replicaBindDN attribute value in the replication agreement entry is used as the bind DN. If the supplier server authenticates to the consumer server with a SASL EXTERNAL bind, the bind DN is extracted from the SSL certificate unless the first value of the sslMapCertificate configuration option is set to replace. See sslMapCertificate {off | check | add | replace} {fail | ignore} for more information about certificate mapping.
Table 1

| Attribute | Description | Example |
|---|---|---|
| cn | A required attribute that specifies the common name of the consumer server credentials entry. | |
| ibm-slapdMasterDN | Specifies the distinguished name (DN) that the supplier server uses to authenticate with the consumer server. If the supplier server authenticates to the consumer server with a simple bind, this value matches the replicaBindDN attribute value in the simple bind supplier server credentials entry used by the replication agreement entry. If the supplier server authenticates to the consumer server with a SASL EXTERNAL bind, this value matches the bind DN extracted from the SSL certificate unless the first value of the sslMapCertificate configuration option is set to replace. See sslMapCertificate {off \| check \| add \| replace} {fail \| ignore} for more information about certificate mapping. | cn=supplier,cn=localhost |
| ibm-slapdMasterPW | Contains the simple bind authentication information needed for the replicating server to authenticate with the consumer server using the ibm-slapdMasterDN. This password value matches the replicaCredentials attribute value in the simple bind supplier server credentials entry used by the replication agreement entry. This password value is encrypted if it is added or modified when the secretEncryption configuration option is set to AES or DES in the CDBM backend. If secretEncryption is set to AES or DES, directory security improves because the password is no longer stored in the directory in clear text. If a SASL EXTERNAL bind is used, this attribute value is not specified. Note: This value is only used if the entry specified in the ibm-slapdMasterDN attribute value does not exist under a configured suffix in the LDAP server. | secret |
| ibm-slapdMasterReferral | A single-valued attribute that contains the LDAP URL of the supplier server. The LDAP URL syntax is documented in RFC 2255. If an update operation is done by a user other than the supplier server or any LDAP administrator with the Server Administration control, this value is returned as one of the referral values. See Replication topology hints and tips for more information about referrals with advanced replication. | ldap://master1.ibm.com:500 |
| ibm-slapdNoReplConflictResolution | A boolean (true or false) indicating whether the consumer server participates in replication conflict resolution. If set to true, the consumer server does not participate in conflict resolution. If set to false, or the attribute is not specified, the consumer server does participate in conflict resolution. Conflict resolution is used to automatically attempt to resolve conflicts with entries that are no longer synchronized between a supplier and consumer server. The modifyTimestamp attribute value of the entry is used to detect a conflict between the two servers. | true |
For the examples in Table 1, the supplier server located at master1.ibm.com on non-secure port 500 does a simple bind to the consumer server by binding with the cn=supplier,cn=localhost entry and specifying a password of secret. The consumer server is not configured for conflict resolution.
Table 2

| Attribute | Description | Example |
|---|---|---|
| cn | A required attribute that specifies the common name of the consumer server credentials entry. | |
| ibm-slapdMasterDN | Specifies the distinguished name (DN) that the supplier server uses to authenticate with the consumer server. If the supplier server authenticates to the consumer server with a simple bind, this value matches the replicaBindDN attribute value in the simple bind supplier server credentials entry used by the replication agreement entry. If the supplier server authenticates to the consumer server with a SASL EXTERNAL bind, this value matches the bind DN extracted from the SSL certificate unless the first value of the sslMapCertificate configuration option is set to replace. See sslMapCertificate {off \| check \| add \| replace} {fail \| ignore} for more information about certificate mapping. | cn=supplier,cn=localhost |
| ibm-slapdMasterPW | Contains the simple bind authentication information needed for the replicating server to authenticate with the consumer server using the ibm-slapdMasterDN. This password value matches the replicaCredentials attribute value in the simple bind supplier server credentials entry used by the replication agreement entry. This password value is encrypted if it is added or modified when the secretEncryption configuration option is set to AES or DES in the CDBM backend. If secretEncryption is set to AES or DES, directory security improves because the password is no longer stored in the directory in clear text. If a SASL EXTERNAL bind is used, this attribute value is not specified. Note: This value is only used if the entry specified in the ibm-slapdMasterDN attribute value does not exist under a configured suffix in the LDAP server. | secret |
| ibm-slapdReplicaSubtree | A multi-valued attribute that specifies the distinguished names of the replication contexts that are subject to this consumer server credentials entry. The bound user has master server level access to the replication contexts that are specified for this attribute. | o=ibm |
For the examples in Table 2, when the supplier server replicates updates to the o=ibm replication context on the consumer server, the supplier server performs a simple bind using the cn=supplier,cn=localhost entry and specifying a password of secret.
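Because a consumer server credentials entry grants master level access that bypasses ACLs and entry ownership, it is worth checking these entries before they are loaded. The following Python audit script is an added example, not IBM code or part of this documentation. It parses LDIF text, selects entries with the ibm-slapdReplication or ibm-slapdSupplier objectclass (the two types described above), and reports the conditions the tables describe: an ibm-slapdMasterPW that will sit in the directory in clear text because secretEncryption is not AES or DES, an ibm-slapdMasterPW that is not used because the ibm-slapdMasterDN lies under a configured suffix, an ibm-slapdMasterReferral that is not an LDAP URL or that points at a non-SSL port, and an ibm-slapdSupplier entry with no ibm-slapdReplicaSubtree. The sample LDIF (the entry DNs and cn=replbind,o=ibm), the suffix list and the secretEncryption value are constructed; the supplier DN, password and referral reuse the values from Table 1 and Table 2. The assumption that an ibm-slapdSupplier entry should carry ibm-slapdReplicaSubtree follows Table 2 and is the script's, not a statement from the page.

```python
"""Audit LDAP consumer server credentials entries.

Added example, not IBM code. Parses LDIF, selects entries whose objectclass
is ibm-slapdReplication or ibm-slapdSupplier, and reports conditions the
documentation describes. All sample input below is constructed.
"""
from urllib.parse import urlparse

CONSUMER_CLASSES = {"ibm-slapdreplication", "ibm-slapdsupplier"}


def parse_ldif(text):
    """Parse minimal LDIF (no base64 values, no folded lines) into a list of
    dicts mapping lower-cased attribute name -> list of values."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("#"):
            continue
        if not line:                      # a blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def dn_under_suffix(dn, suffixes):
    """True when dn equals or lies below one of the configured suffixes.
    Case-insensitive, spaces after commas dropped (a simplification of
    full DN normalisation)."""
    def norm(s):
        return ",".join(part.strip() for part in s.lower().split(","))
    d = norm(dn)
    return any(d == norm(s) or d.endswith("," + norm(s)) for s in suffixes)


def audit_entry(entry, suffixes, secret_encryption):
    """Return finding strings for one consumer credentials entry; entries of
    any other objectclass yield an empty list."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if not classes & CONSUMER_CLASSES:
        return []
    findings = []
    dn = entry.get("dn", ["?"])[0]
    master_dn = entry.get("ibm-slapdmasterdn", [None])[0]
    master_pw = entry.get("ibm-slapdmasterpw", [None])[0]

    if master_dn is None:
        findings.append(f"{dn}: ibm-slapdMasterDN is missing")
    if master_pw is not None:
        # Only secretEncryption AES or DES keeps this value out of clear text.
        if secret_encryption.upper() not in ("AES", "DES"):
            findings.append(f"{dn}: ibm-slapdMasterPW is stored in clear text "
                            f"(secretEncryption={secret_encryption})")
        # The password is only consulted when the master DN does not exist
        # under a configured suffix; flag DNs that lie under one.
        if master_dn and dn_under_suffix(master_dn, suffixes):
            findings.append(f"{dn}: ibm-slapdMasterPW is not used if "
                            f"{master_dn} exists under a configured suffix")
    for url in entry.get("ibm-slapdmasterreferral", []):
        parsed = urlparse(url)
        if parsed.scheme not in ("ldap", "ldaps") or not parsed.hostname:
            findings.append(f"{dn}: ibm-slapdMasterReferral {url!r} is not an LDAP URL")
        elif parsed.scheme == "ldap":
            findings.append(f"{dn}: referral {url} sends clients to a non-SSL port")
    if "ibm-slapdsupplier" in classes and "ibm-slapdreplicasubtree" not in entry:
        findings.append(f"{dn}: ibm-slapdSupplier entry names no replication "
                        "context (ibm-slapdReplicaSubtree)")
    return findings


def audit_ldif(text, suffixes, secret_encryption):
    """Map each consumer credentials entry DN to its list of findings."""
    report = {}
    for entry in parse_ldif(text):
        if {c.lower() for c in entry.get("objectclass", [])} & CONSUMER_CLASSES:
            report[entry["dn"][0]] = audit_entry(entry, suffixes, secret_encryption)
    return report


# Constructed sample: the entry DNs and cn=replbind,o=ibm are invented; the
# supplier DN, password and referral match the documentation's example.
SAMPLE_LDIF = """\
dn: cn=Master Server,cn=configuration
objectclass: ibm-slapdReplication
cn: Master Server
ibm-slapdMasterDN: cn=supplier,cn=localhost
ibm-slapdMasterPW: secret
ibm-slapdMasterReferral: ldap://master1.ibm.com:500
ibm-slapdNoReplConflictResolution: true

dn: cn=Supplier s1,cn=configuration
objectclass: ibm-slapdSupplier
cn: Supplier s1
ibm-slapdMasterDN: cn=replbind,o=ibm
ibm-slapdMasterPW: secret
"""

if __name__ == "__main__":
    # Constructed settings: one configured suffix, secretEncryption off.
    for dn, findings in audit_ldif(SAMPLE_LDIF, ["o=ibm"], "off").items():
        print(dn, "->", findings or ["no findings"])
```

Run against the sample with secretEncryption off, the first entry is reported for its clear-text password and its non-SSL referral, and the second for the clear-text password, a master DN under the o=ibm suffix, and the missing replication subtree. Re-running with "AES" clears only the clear-text findings, which mirrors the note in the ibm-slapdMasterPW row that encryption is applied when the value is added or modified under that setting.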