Learn replication
Replication provides automatic data synchronization between directory servers. It ensures that all directory servers eventually share a consistent set of directory data.
More about replication
Replication requires two or more directory servers and additional configuration. This page takes you though the setup process quickly, providing commands that you can reuse. It does not explain each command in detail.
For a full discussion of the subject, refer to Replication and the related pages.
Add a replica
High-level steps:
-
Unpack the files for a second directory server in a different folder.
-
Set up the new server as a replica of the first server using the generated
<deployment-id>
from Install DS.
The following example demonstrates the process:
-
Bash
-
PowerShell
-
Zsh
# Unpack files for a second, replica server in a different folder:
cd ~/Downloads && unzip ~/Downloads/DS-7.3.6.zip && mv opendj /path/to/replica
# Set up a second, replica server:
/path/to/replica/setup \
--serverId second-ds \
--deploymentId $DEPLOYMENT_ID \
--deploymentIdPassword password \
--rootUserDn uid=admin \
--rootUserPassword password \
--hostname localhost \
--ldapPort 11389 \
--ldapsPort 11636 \
--adminConnectorPort 14444 \
--replicationPort 18989 \
--bootstrapReplicationServer localhost:8989 \
--profile ds-evaluation \
--start \
--acceptLicense
# Unpack files for a second, replica server in a different folder:
Expand-Archive DS-7.3.6.zip C:\Temp
Rename-Item -Path C:\Temp\opendj -NewName C:\Temp\replica
Move-Item C:\Temp\replica C:\path\to
# Set up a second, replica server:
C:\path\to\replica\setup.bat `
--serverId second-ds `
--deploymentId <deployment-id> `
--deploymentIdPassword password `
--rootUserDn uid=admin `
--rootUserPassword password `
--hostname localhost `
--ldapPort 11389 `
--ldapsPort 11636 `
--adminConnectorPort 14444 `
--replicationPort 18989 \
--bootstrapReplicationServer locahost:8989 \
--profile ds-evaluation `
--start `
--acceptLicense
# Unpack files for a second, replica server in a different folder:
cd ~/Downloads && unzip ~/Downloads/DS-7.3.6.zip && mv opendj /path/to/replica
# Set up a second, replica server:
/path/to/replica/setup \
--serverId second-ds \
--deploymentId $DEPLOYMENT_ID \
--deploymentIdPassword password \
--rootUserDn uid=admin \
--rootUserPassword password \
--hostname localhost \
--ldapPort 11389 \
--ldapsPort 11636 \
--adminConnectorPort 14444 \
--replicationPort 18989 \
--bootstrapReplicationServer localhost:8989 \
--profile ds-evaluation \
--start \
--acceptLicense
Try replication
With the new replica set up and started, demonstrate that replication works:
-
Bash
-
PowerShell
-
Zsh
# Update a description on the first server:
ldapmodify \
--hostname localhost \
--port 1636 \
--useSsl \
--usePkcs12TrustStore /path/to/opendj/config/keystore \
--trustStorePassword:file /path/to/opendj/config/keystore.pin \
--bindDn uid=bjensen,ou=People,dc=example,dc=com \
--bindPassword hifalutin <<EOF
dn: uid=bjensen,ou=People,dc=example,dc=com
changetype: modify
replace: description
description: Replicate this
EOF
# On the first server, read the description to see the effects of your change:
ldapsearch \
--hostname localhost \
--port 1636 \
--useSsl \
--usePkcs12TrustStore /path/to/opendj/config/keystore \
--trustStorePassword:file /path/to/opendj/config/keystore.pin \
--bindDn uid=bjensen,ou=People,dc=example,dc=com \
--bindPassword hifalutin \
--baseDn dc=example,dc=com \
"(cn=Babs Jensen)" \
description
# On the second server, read the description to see the change has been replicated:
ldapsearch \
--hostname localhost \
--port 11636 \
--useSsl \
--usePkcs12TrustStore /path/to/opendj/config/keystore \
--trustStorePassword:file /path/to/opendj/config/keystore.pin \
--bindDn uid=bjensen,ou=People,dc=example,dc=com \
--bindPassword hifalutin \
--baseDn dc=example,dc=com \
"(cn=Babs Jensen)" \
description
# Update a description on the first server:
New-Item -Path . -Name "mod-desc.ldif" -ItemType "file" -Value @"
dn: uid=bjensen,ou=People,dc=example,dc=com
changetype: modify
replace: description
description: Replicate this
"@
ldapmodify.bat `
--hostname localhost `
--port 1636 `
--useSsl `
--usePkcs12TrustStore C:\path\to\opendj\config\keystore `
--trustStorePassword:file C:\path\to\opendj\config\keystore.pin `
--bindDn uid=bjensen,ou=People,dc=example,dc=com `
--bindPassword password `
mod-desc.ldif
# On the first server, read the description to see the effects of your change:
ldapsearch.bat `
--hostname localhost `
--port 1636 `
--useSsl `
--usePkcs12TrustStore C:\path\to\opendj\config\keystore `
--trustStorePassword:file C:\path\to\opendj\config\keystore.pin `
--bindDn uid=bjensen,ou=People,dc=example,dc=com `
--bindPassword hifalutin `
--baseDn dc=example,dc=com `
"(cn=Babs Jensen)" `
description
# On the second server, read the description to see the change has been replicated:
ldapsearch.bat `
--hostname localhost `
--port 11636 `
--useSsl `
--usePkcs12TrustStore C:\path\to\opendj\config\keystore `
--trustStorePassword:file C:\path\to\opendj\config\keystore.pin `
--bindDn uid=bjensen,ou=People,dc=example,dc=com `
--bindPassword hifalutin `
--baseDn dc=example,dc=com `
"(cn=Babs Jensen)" `
description
# Update a description on the first server:
ldapmodify \
--hostname localhost \
--port 1636 \
--useSsl \
--usePkcs12TrustStore /path/to/opendj/config/keystore \
--trustStorePassword:file /path/to/opendj/config/keystore.pin \
--bindDn uid=bjensen,ou=People,dc=example,dc=com \
--bindPassword hifalutin <<EOF
dn: uid=bjensen,ou=People,dc=example,dc=com
changetype: modify
replace: description
description: Replicate this
EOF
# On the first server, read the description to see the effects of your change:
ldapsearch \
--hostname localhost \
--port 1636 \
--useSsl \
--usePkcs12TrustStore /path/to/opendj/config/keystore \
--trustStorePassword:file /path/to/opendj/config/keystore.pin \
--bindDn uid=bjensen,ou=People,dc=example,dc=com \
--bindPassword hifalutin \
--baseDn dc=example,dc=com \
"(cn=Babs Jensen)" \
description
# On the second server, read the description to see the change has been replicated:
ldapsearch \
--hostname localhost \
--port 11636 \
--useSsl \
--usePkcs12TrustStore /path/to/opendj/config/keystore \
--trustStorePassword:file /path/to/opendj/config/keystore.pin \
--bindDn uid=bjensen,ou=People,dc=example,dc=com \
--bindPassword hifalutin \
--baseDn dc=example,dc=com \
"(cn=Babs Jensen)" \
description
Also demonstrate that replication works despite crashes and network interruptions:
-
Bash
-
PowerShell
-
Zsh
# Stop the second server to simulate a network outage or server crash:
/path/to/replica/bin/stop-ds
# On the first server, update the description again:
ldapmodify \
--hostname localhost \
--port 1636 \
--useSsl \
--usePkcs12TrustStore /path/to/opendj/config/keystore \
--trustStorePassword:file /path/to/opendj/config/keystore.pin \
--bindDn uid=bjensen,ou=People,dc=example,dc=com \
--bindPassword hifalutin <<EOF
dn: uid=bjensen,ou=People,dc=example,dc=com
changetype: modify
replace: description
description: Second server is stopped
EOF
# On the first server, read the description to see the change:
ldapsearch \
--hostname localhost \
--port 1636 \
--useSsl \
--usePkcs12TrustStore /path/to/opendj/config/keystore \
--trustStorePassword:file /path/to/opendj/config/keystore.pin \
--bindDn uid=bjensen,ou=People,dc=example,dc=com \
--bindPassword hifalutin \
--baseDn dc=example,dc=com \
"(cn=Babs Jensen)" \
description
# Start the second server again to simulate recovery:
/path/to/replica/bin/start-ds
# On the second server, read the description to check that replication has resumed:
ldapsearch \
--hostname localhost \
--port 11636 \
--useSsl \
--usePkcs12TrustStore /path/to/opendj/config/keystore \
--trustStorePassword:file /path/to/opendj/config/keystore.pin \
--bindDn uid=bjensen,ou=People,dc=example,dc=com \
--bindPassword hifalutin \
--baseDn dc=example,dc=com \
"(cn=Babs Jensen)" \
description
# Stop the second server to simulate a network outage or server crash:
C:\path\to\replica\bat\stop-ds.bat
# On the first server, update the description again:
New-Item -Path . -Name "mod-desc2.ldif" -ItemType "file" -Value @"
dn: uid=bjensen,ou=People,dc=example,dc=com
changetype: modify
replace: description
description: Second server is stopped
"@
ldapmodify.bat `
--hostname localhost `
--port 1636 `
--useSsl `
--usePkcs12TrustStore C:\path\to\opendj\config\keystore `
--trustStorePassword:file C:\path\to\opendj\config\keystore.pin `
--bindDn uid=bjensen,ou=People,dc=example,dc=com `
--bindPassword password `
mod-desc2.ldif
# On the first server, read the description to see the change:
ldapsearch.bat `
--hostname localhost `
--port 1636 `
--useSsl `
--usePkcs12TrustStore C:\path\to\opendj\config\keystore `
--trustStorePassword:file C:\path\to\opendj\config\keystore.pin `
--bindDn uid=bjensen,ou=People,dc=example,dc=com `
--bindPassword hifalutin `
--baseDn dc=example,dc=com `
"(cn=Babs Jensen)" `
description
# Start the second server again to simulate recovery:
C:\path\to\replica\bat\start-ds.bat
# On the second server, read the description to check that replication has resumed:
ldapsearch.bat `
--hostname localhost `
--port 11636 `
--useSsl `
--usePkcs12TrustStore C:\path\to\opendj\config\keystore `
--trustStorePassword:file C:\path\to\opendj\config\keystore.pin `
--bindDn uid=bjensen,ou=People,dc=example,dc=com `
--bindPassword hifalutin `
--baseDn dc=example,dc=com `
"(cn=Babs Jensen)" `
description
# Stop the second server to simulate a network outage or server crash:
/path/to/replica/bin/stop-ds
# On the first server, update the description again:
ldapmodify \
--hostname localhost \
--port 1636 \
--useSsl \
--usePkcs12TrustStore /path/to/opendj/config/keystore \
--trustStorePassword:file /path/to/opendj/config/keystore.pin \
--bindDn uid=bjensen,ou=People,dc=example,dc=com \
--bindPassword hifalutin <<EOF
dn: uid=bjensen,ou=People,dc=example,dc=com
changetype: modify
replace: description
description: Second server is stopped
EOF
# On the first server, read the description to see the change:
ldapsearch \
--hostname localhost \
--port 1636 \
--useSsl \
--usePkcs12TrustStore /path/to/opendj/config/keystore \
--trustStorePassword:file /path/to/opendj/config/keystore.pin \
--bindDn uid=bjensen,ou=People,dc=example,dc=com \
--bindPassword hifalutin \
--baseDn dc=example,dc=com \
"(cn=Babs Jensen)" \
description
# Start the second server again to simulate recovery:
/path/to/replica/bin/start-ds
# On the second server, read the description to check that replication has resumed:
ldapsearch \
--hostname localhost \
--port 11636 \
--useSsl \
--usePkcs12TrustStore /path/to/opendj/config/keystore \
--trustStorePassword:file /path/to/opendj/config/keystore.pin \
--bindDn uid=bjensen,ou=People,dc=example,dc=com \
--bindPassword hifalutin \
--baseDn dc=example,dc=com \
"(cn=Babs Jensen)" \
description
Unlike some databases, DS replication does not operate in active-passive mode. Instead, you read and write on any running server. Replication replays your changes as soon as possible. Demonstrate this to check your understanding:
-
Stop the first server.
Hint
Use the
stop-ds
command. -
Modify an entry on the second server.
Hint
For an example, refer to Modify.
-
Restart the first server.
Hint
Use the
start-ds
command. -
Search for the modified entry on the first server to check that replication replays the change.
Hint
For an example, refer to Search.
Notifications
Some applications require notification when directory data updates occur. For example, IDM can sync directory data with another database. Other applications start additional processing when certain updates occur.
Replicated DS directory servers publish an external change log over LDAP. This changelog allows authorized client applications to read changes to directory data:
-
Bash
-
PowerShell
-
Zsh
$ ldapsearch \
--hostname localhost \
--port 1636 \
--useSsl \
--usePkcs12TrustStore /path/to/opendj/config/keystore \
--trustStorePassword:file /path/to/opendj/config/keystore.pin \
--bindDn uid=admin \
--bindPassword password \
--baseDN cn=changelog \
--control "ecl:false" \
"(&)" \
changes changeLogCookie targetDN
C:\> ldapsearch.bat `
--hostname localhost `
--port 1636 `
--useSsl `
--usePkcs12TrustStore C:\path\to\opendj\config\keystore `
--trustStorePassword:file C:\path\to\opendj\config\keystore.pin `
--bindDN uid=admin `
--bindPassword password `
--baseDN cn=changelog `
--control "ecl:false" `
"(objectclass=*)" `
changes changeLogCookie targetDN
% ldapsearch \
--hostname localhost \
--port 1636 \
--useSsl \
--usePkcs12TrustStore /path/to/opendj/config/keystore \
--trustStorePassword:file /path/to/opendj/config/keystore.pin \
--bindDN uid=admin \
--bindPassword password \
--baseDN cn=changelog \
--control "ecl:false" \
"(&)" \
changes changeLogCookie targetDN
When looking at the output of the command (not shown here),
notice that the changes
values are base64-encoded in LDIF because they include line breaks.
You can use the DS base64
command to decode them.
For details, refer to Changelog for notifications.