Directory Services 7.3.5

Replication Server

Replication Servers publish updates to Directory Servers within a Replication Domain.

Dependencies

The following objects have Replication Servers:

Replication Server properties

You can use configuration expressions to set property values at startup time. For details, see Property value substitution.

Basic properties:

advertised-listen-address
changelog-enabled
changelog-enabled-excluded-domains
confidentiality-enabled
listen-address
replication-db-directory
replication-port
weight

Advanced properties:

allow-updates-policy
allow-updates-server-fingerprints
cipher-key-length
cipher-transformation
disk-full-threshold
disk-low-threshold

Basic properties

Use the --advanced option to access advanced properties.

advertised-listen-address

Synopsis

The advertised address(es) which clients should use for connecting to this Replication Server.

Description

Multiple addresses may be provided as separate values for this attribute. The meta-address 0.0.0.0 is not permitted.

Default value

None

Allowed values

A hostname or an IP address.

Multi-valued

Yes

Required

Yes

Admin action required

None

Advanced

No

Read-only

No

changelog-enabled

Synopsis

Specifies whether the "cn=changelog" backend will be available to client applications.

Default value

enabled

Allowed values

  • disabled: The "cn=changelog" backend will not be available to client applications.

  • enabled: The "cn=changelog" backend will be available to client applications. It will support searches using changelog cookies and "change numbers" as per the internet draft, https://datatracker.ietf.org/doc/html/draft-good-ldap-changelog-04. Change numbers are globally consistent across all servers. This mode requires additional CPU, disk accesses and storage, so it should not be used unless change number based browsing is required.

  • enabled-cookie-mode-only: The "cn=changelog" backend will be available to client applications. However, it will only support searches using changelog cookies. Changes are published immediately, and in an order which may vary from one server to another. This mode does not require additional server resources.

Multi-valued

No

Required

No

Admin action required

None

Advanced

No

Read-only

No

changelog-enabled-excluded-domains

Synopsis

Specifies the base DNs of domains to exclude from the change number indexing when changelog is enabled.

Default value

When the changelog is enabled, searches using "change numbers" are available for all domains (in other words, change number indexing includes all domains).

Allowed values

A valid DN.

Multi-valued

Yes

Required

No

Admin action required

None

Advanced

No

Read-only

No

confidentiality-enabled

Synopsis

Indicates whether the replication change-log should make records readable only by Directory Server. Throughput and disk space are affected by the more expensive operations taking place.

Description

Confidentiality is achieved by encrypting records on all domains managed by this replication server. Encrypting the records prevents unauthorized parties from accessing contents of LDAP operations. For complete protection, consider enabling secure communications between servers. Change number indexing is not affected by the setting.

Default value

false

Allowed values

true

false

Multi-valued

No

Required

No

Admin action required

None

Changes to this property take effect immediately but only affect operations performed after the change.

Advanced

No

Read-only

No

listen-address

Synopsis

The network interface(s) on which this Replication Server should listen for incoming client connections.

Description

Multiple addresses may be provided as separate values for this attribute. If no values are provided, then the directory server will listen on all interfaces.

Default value

0.0.0.0

Allowed values

A hostname or an IP address.

Multi-valued

Yes

Required

No

Admin action required

None

Advanced

No

Read-only

No

replication-db-directory

Synopsis

The path where the Replication Server stores all persistent information.

Default value

changelogDb

Allowed values

A string.

Multi-valued

No

Required

Yes

Admin action required

None

Advanced

No

Read-only

Yes

replication-port

Synopsis

The port on which this Replication Server waits for connections from other Replication Servers or Directory Servers.

Default value

None

Allowed values

An integer.

Lower limit: 1.

Upper limit: 65535.

Multi-valued

No

Required

Yes

Admin action required

None

Advanced

No

Read-only

No

weight

Synopsis

The weight of the replication server.

Description

The weight assigned to the replication server. Each replication server in the topology has a weight. Taken together, the weights of the replication servers in the same group translate to a percentage that determines the proportion of the topology's directory servers that should be connected to each replication server. For instance, consider a topology with 3 replication servers (with the same group id) and the following weights: RS1=1, RS2=1, RS3=2. This means that RS1 should have 25% of the directory servers in the topology connected to it, RS2 25%, and RS3 50%. This is useful when the replication servers in the topology have different capacities and you want to spread the load between them accordingly.

Default value

1

Allowed values

An integer.

Lower limit: 1.

Multi-valued

No

Required

No

Admin action required

None

Advanced

No

Read-only

No

Advanced properties

Use the --advanced option to access advanced properties.

allow-updates-policy

Synopsis

Defines which servers are allowed to send updates to this replication server.

Description

The replication server will only accept updates from servers allowed by the specified strategy. It will discard updates coming from servers which are not allowed, without processing them nor storing them in its changelog.

Default value

all

Allowed values

  • all: All servers can send updates.

  • verify-certificate-fingerprint: Only servers whose certificate fingerprint is listed in allow-updates-server-fingerprints can send updates.

  • verify-certificate-key-usage: Only servers whose certificates' ExtendedKeyUsage includes 1.3.6.1.4.1.36733.2.1.10.1 can send updates.

Multi-valued

No

Required

No

Admin action required

None

Advanced

Yes

Read-only

No

allow-updates-server-fingerprints

Synopsis

Lists the certificate fingerprints of servers allowed to send updates to this replication server.

Description

This property is only applicable when allow-updates-policy is set to verify-certificate-fingerprint. In that case, this replication server will only process updates coming from servers whose certificates have a fingerprint matching one of the specified values.

Default value

None

Allowed values

A certificate fingerprint prefixed by its algorithm in curly braces.

Multi-valued

Yes

Required

No

Admin action required

None

Advanced

Yes

Read-only

No
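Added example (not Directory Services code, and not how the server itself implements the check): a Python model of the three allow-updates-policy values and the allow-updates-server-fingerprints format described above, deciding whether an update from a peer is processed or discarded. The DER certificate bytes are constructed stand-ins, and reading the part after the {algorithm} prefix as hex with optional ":" separators is an assumption of this example.

```python
import hashlib
import hmac

# ExtendedKeyUsage OID named by the verify-certificate-key-usage policy.
REPLICATION_UPDATE_EKU_OID = "1.3.6.1.4.1.36733.2.1.10.1"

# Constructed stand-in for a peer's DER-encoded certificate (not a real cert).
PEER_CERT_DER = b"-constructed-der-bytes-for-replica-ds1-"


def parse_fingerprint(value: str) -> tuple[str, str]:
    """Split '{ALG}digest' into (hashlib name, lowercase hex without separators).

    The '{ALG}' prefix is the format the reference states; hex digits with
    optional ':' separators for the digest part is an assumption here.
    """
    if not value.startswith("{") or "}" not in value:
        raise ValueError(f"fingerprint must start with {{algorithm}}: {value!r}")
    alg, digest = value[1:].split("}", 1)
    alg = alg.replace("-", "").lower()            # "{SHA-256}" -> "sha256"
    if alg not in hashlib.algorithms_available:
        raise ValueError(f"unsupported fingerprint algorithm {alg!r}")
    digest = digest.replace(":", "").strip().lower()
    if len(digest) != hashlib.new(alg).digest_size * 2:
        raise ValueError("fingerprint length does not match its algorithm")
    return alg, digest


def fingerprint_matches(cert_der: bytes, allowed: str) -> bool:
    """Hash the peer's DER certificate with the listed algorithm and compare."""
    alg, expected = parse_fingerprint(allowed)
    actual = hashlib.new(alg, cert_der).hexdigest()
    return hmac.compare_digest(actual, expected)  # constant-time comparison


def accept_update(policy: str, cert_der: bytes, peer_eku_oids: list[str],
                  allowed_fingerprints=()) -> bool:
    """Return True if an update from this peer is processed, False if discarded."""
    if policy == "all":
        return True
    if policy == "verify-certificate-fingerprint":
        return any(fingerprint_matches(cert_der, fp) for fp in allowed_fingerprints)
    if policy == "verify-certificate-key-usage":
        return REPLICATION_UPDATE_EKU_OID in peer_eku_oids
    raise ValueError(f"unknown allow-updates-policy {policy!r}")


# Allow-list entry for the constructed peer, in the "{SHA-256}AB:CD:..." shape.
PEER_SHA256 = hashlib.sha256(PEER_CERT_DER).hexdigest().upper()
ALLOWED_FINGERPRINTS = ["{SHA-256}" + ":".join(PEER_SHA256[i:i + 2] for i in range(0, 64, 2))]
```

Under verify-certificate-fingerprint a peer whose certificate hashes to a listed value is accepted and any other certificate is discarded; under verify-certificate-key-usage only the EKU OID decides, so a rotated certificate that still carries that OID keeps working without touching the fingerprint list.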

cipher-key-length

Synopsis

Specifies the key length in bits for the preferred cipher.

Default value

128

Allowed values

An integer.

Lower limit: 0.

Multi-valued

No

Required

No

Admin action required

None

Changes to this property take effect immediately but only affect cryptographic operations performed after the change.

Advanced

Yes

Read-only

No

cipher-transformation

Synopsis

Specifies the cipher for the directory server using the syntax algorithm/mode/padding.

Description

The full transformation is required: specifying only an algorithm and allowing the cipher provider to supply the default mode and padding is not supported, because there is no guarantee these default values are the same among different implementations. Some cipher algorithms do not have a mode or padding, hence the fields must be specified using NONE as mode and NoPadding as padding. For example, ChaCha20/NONE/NoPadding.

Default value

AES/GCM/NoPadding

Allowed values

The cipher transformation.

Multi-valued

No

Required

No

Admin action required

None

Changes to this property take effect immediately but only affect cryptographic operations performed after the change.

Advanced

Yes

Read-only

No

disk-full-threshold

Synopsis

The free disk space threshold at which point a warning alert notification will be triggered and the replication server will disconnect from the rest of the replication topology.

Description

When the available free space on the disk used by the replication changelog falls below the value specified, this replication server will stop. Connected Directory Servers will fail over to another RS. The replication server will restart again as soon as free space rises above the low threshold.

Default value

5% of the filesystem size, plus 1 GB

Allowed values

Uses size syntax.

Multi-valued

No

Required

No

Admin action required

None

Advanced

Yes

Read-only

No

disk-low-threshold

Synopsis

The free disk space threshold at which point a warning alert notification will be triggered.

Description

When the available free space on the disk used by the replication changelog falls below the value specified, a warning is sent and logged. Normal operation will continue but administrators are advised to take action to free some disk space.

Default value

5% of the filesystem size, plus 5 GB

Allowed values

Uses size syntax.

Multi-valued

No

Required

No

Admin action required

None

Advanced

Yes

Read-only

No

Copyright © 2010-2024 ForgeRock, all rights reserved.