Replica server
Initialization, or population, of a replica directory requires several steps.
With basic replication, changes to the LDAP server schema entry on the replicating server are not replicated. A separate update of the LDAP server schema on the replica is required each time the schema is updated on the replicating server.
Replica servers must support the LDAP Version 3 protocol.
Populating a replica
1. Either start the replica server and the replicating server in maintenance mode, or use the LDAP server MAINTMODE ON operator modify command on each of these servers to put them into maintenance mode.
2. Unload the replicating server’s directory contents if it contains any entries. For TDBM or LDBM, use the ds2ldif utility (see ds2ldif utility).
3. Ensure that the schema for the replica server is the same as the schema for the replicating server. If the replica and replicating server are both z/OS servers, the schema can be unloaded from the replicating server using ds2ldif and reloaded into the replica by an LDAP root or schema administrator with the ldapmodify utility.
4. Using a root administrator user, run the ldapadd utility to add a single replica entry into the backend directory on the replicating server to identify the new replica being populated. Note that in order to load the replica entry, it is also necessary to load any parent entries in the directory hierarchy, in hierarchy order.
5. If the replicating server does not contain any entries, go to step 8.
6. Transport the LDIF file created in step 2 to the replica server’s location.
7. Load the LDIF file from step 6 into the replica server. This can be done by using an LDAP root administrator to run the ldapadd utility to load the LDIF file. Alternatively, for TDBM, the replica server can be stopped and the ldif2ds utility used to load the LDIF file.
8. Configure the replica (see next section).
9. Stop the replica server (if it is running) and then restart it in maintenance mode. If it contains a replica entry that defines this server as a replica of itself, use an LDAP root administrator to run the ldapdelete utility to remove that entry.
10. Use the LDAP server MAINTMODE OFF command on the replica server and the replicating server to return these servers to normal mode.
Configuring the replica
The replica server configuration must specify:
- the IP address and port on which the replica server listens for communication from the replicating server
- the type of connection the replicating server uses when it communicates with the replica server, either non-secure or secure
- the DN and password that the replicating server uses when it binds to the replica server
The following table identifies the relationship between the attributes in the replica entry on a z/OS LDAP replicating server and the configuration options on an IBM® replica server. The values specified for these options must be equivalent. For example, if the replica server is listening on all of its network interfaces, replicaHost must specify either the host name that corresponds to one of those interfaces or the IP address of one of them.
| Attribute in replica entry on replicating server | Corresponding replica server configuration option or command line parameter |
|---|---|
| replicaHost | The host name or IP address specified on the listen configuration option or the -l LDAP server command line parameter. |
| replicaPort | The port number specified on the listen configuration option or the -l LDAP server command line parameter. |
| replicaUseSSL | Use of ldaps:// in the prefix of the listen configuration option or the -l LDAP server command line parameter corresponds to TRUE for replicaUseSSL; use of ldap:// corresponds to FALSE. |
| replicaBindDn | masterServerDN or peerServerDN configuration option |
| replicaCredentials | masterServerPW or peerServerPW configuration option |
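As an added example (not part of this documentation), a small Python check that applies the equivalence rules in the table above to a replica entry and a replica server configuration before the servers leave maintenance mode. The entry values, host name and credentials are constructed, and host-name versus IP-address equivalence is not resolved (only literal values are compared).

```python
import re
# Constructed sample (not from the page): the replica entry that ldapadd loads
# into the replicating server's directory to describe the new replica.
REPLICA_ENTRY_LDIF = """\
dn: cn=replica1, o=Example
objectclass: replicaObject
replicaHost: replica1.example.com
replicaPort: 636
replicaUseSSL: TRUE
replicaBindDn: cn=Master
replicaCredentials: secret
"""
# Constructed sample (not from the page): the matching options in the
# replica server's configuration file.
REPLICA_SERVER_CONFIG = """\
listen ldaps://replica1.example.com:636
masterServerDN cn=master
masterServerPW secret
"""
LISTEN_RE = re.compile(r"^(ldaps?)://([^:]*)(?::(\d+))?$")  # scheme://[host][:port]
def parse_pairs(text, sep):
    """'name<sep>value' lines -> dict with lowercased names (LDIF uses ':', config ' ')."""
    pairs = (line.partition(sep) for line in text.splitlines() if line.strip())
    return {n.strip().lower(): v.strip() for n, s, v in pairs if s}
def norm_dn(dn):
    """Compare DNs ignoring case and spaces after commas (cn=Master, o=X == cn=master,o=x)."""
    return ",".join(p.strip() for p in dn.split(",")).lower()
def check_replica_consistency(entry_ldif, config_text):
    """Return the mismatches between a replica entry and the replica's config ([] = consistent)."""
    e, c = parse_pairs(entry_ldif, ":"), parse_pairs(config_text, " ")
    m = LISTEN_RE.match(c.get("listen", ""))
    if not m:
        return ["replica configuration has no parsable listen option"]
    scheme, host, port = m.group(1), m.group(2), m.group(3) or {"ldap": "389", "ldaps": "636"}[m.group(1)]
    problems = []
    # Empty listen host = all interfaces, so any host name/IP of that machine is acceptable;
    # host-name/IP equivalence is not resolved offline, only literal values are compared.
    if host and host.lower() != e.get("replicahost", "").lower():
        problems.append(f"replicaHost {e.get('replicahost')!r} != listen host {host!r}")
    if port != e.get("replicaport"):
        problems.append(f"replicaPort {e.get('replicaport')!r} != listen port {port!r}")
    if (scheme == "ldaps") != (e.get("replicausessl", "FALSE").upper() == "TRUE"):
        problems.append(f"replicaUseSSL {e.get('replicausessl')!r} != {scheme}:// listen prefix")
    # A basic-replication replica uses masterServerDN/PW; a peer replica uses peerServerDN/PW.
    dn = c.get("masterserverdn", c.get("peerserverdn", ""))
    pw = c.get("masterserverpw", c.get("peerserverpw", ""))
    if norm_dn(e.get("replicabinddn", "")) != norm_dn(dn):
        problems.append(f"replicaBindDn {e.get('replicabinddn')!r} != masterServerDN/peerServerDN {dn!r}")
    if e.get("replicacredentials", "") != pw:
        problems.append("replicaCredentials != masterServerPW/peerServerPW")
    return problems
```

An empty problem list means the replica entry and the replica's configuration satisfy the table; each string names the attribute/option pair that disagrees.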
LDAP update operations on read-only replicas
Update operations, such as add, delete, modify, and rename, should not be performed against a read-only replica server. Changes must be made to the master server, which then propagates the change to the read-only replica.
If update operations are sent to a read-only replica server, the replica server returns a referral containing the value in the masterServer option in the backend section of the LDAP server configuration file on the replica. The client then redirects the request to the master server. After the master server makes the update, it propagates the change to the read-only replica server, binding as the replicaBindDn value in the replica entry corresponding to that replica server (the replicaBindDn value must match the masterServerDN value in the replica server configuration file).
See SSL/TLS and basic replication for information about securing a directory.