Enable peer to peer replication over TLS using idsldapreplcfg
Basic guide to configure IBM SDS peer to peer replication over TLS using idsldapreplcfg.
Author(s): Richard Lennert | Created: 16 December 2021 | Last modified: 16 December 2021
Tested on: IBM Security Directory Server V6.4 FP 24
In this short guide we will show you how to enable peer to peer (master-master) replication on an existing environment using the idsldapreplcfg utility, so that no manual LDIF edits are required.
In this guide the following prerequisite steps are assumed:
- server1.hu.ibm.com and server2.hu.ibm.com are freshly installed, empty LDAP servers
- The instances on both servers were created using the same encryption seed and salt
- TLS is enabled on both servers, with the certificates of both servers located in the same keystore file called keystore_common.kdb (for convenience), under the labels server1_ISDS_cert and server2_ISDS_cert
- O=IBM,C=HU is the top level entry
- /opt/IBM/ldap/V6.4 is the installation location on both servers
- sdsinst is the instance name on both servers
- /home/sdsinst/idsslapd-sdsinst is the instance location on both servers
- The instance owner's DN is cn=root, its password is P@ssw0rd
If the conditions above are met, running the following command will set up peer to peer replication between the nodes over TLS using simple bind (username and password authentication).
Run the following command on only one of the two nodes.
/opt/IBM/ldap/V6.4/bin/idsldapreplcfg -v -Z -s "O=IBM,C=HU" -topo PP -h1 server1.hu.ibm.com -h2 server2.hu.ibm.com -p1 636 -p2 636 -D1 cn=root -D2 cn=root -w1 P@ssw0rd -w2 P@ssw0rd -K1 keystore_common.kdb -K2 keystore_common.kdb -P1 P@ssw0rd -P2 P@ssw0rd -N1 server1_ISDS_cert -N2 server2_ISDS_cert
Verify replication is working
You can verify replication is working between the two servers by issuing the following command against both servers:
/opt/IBM/ldap/V6.4/bin/idsldapsearch -h server1.hu.ibm.com -p 389 -D cn=root -w P@ssw0rd -b '' -s sub objectclass=ibm-replicationAgreement ibm-replicationState ibm-replicationPendingChangeCount ibm-replicationfailedchanges ibm-replicationfailedchangecount
/opt/IBM/ldap/V6.4/bin/idsldapsearch -h server2.hu.ibm.com -p 389 -D cn=root -w P@ssw0rd -b '' -s sub objectclass=ibm-replicationAgreement ibm-replicationState ibm-replicationPendingChangeCount ibm-replicationfailedchanges ibm-replicationfailedchangecount
Both commands should report that ibm-replicationState is ready, and that ibm-replicationPendingChangeCount and ibm-replicationfailedchangecount are both 0.
The final step is to modify an entry on server 1 and verify on server 2 that the change is replicated, then vice versa.
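The two verification steps above (reading the agreement status attributes, then the modify-on-one-node / read-on-the-other round trip) can be scripted so the check is repeatable and gives a single pass/fail result. The script below is an added example and is not part of the original guide or of the IBM product; it assumes the hosts, paths and DNs from the prerequisites, the default attr=value output form of idsldapsearch (it also accepts the LDIF form produced by -L), that the bind password is supplied in the BIND_PW environment variable rather than written into the script, and that idsldapmodify reads LDIF from standard input when no -i file is given. The agreement DN in the embedded sample output is constructed for the offline demonstration.

```shell
#!/bin/sh
# Added example (not from the original guide): evaluate the replication
# agreement status returned by the verification idsldapsearch, and optionally
# run the modify-on-one-node / read-on-the-other round trip.
# Assumptions: paths, hosts and DNs as listed in the guide's prerequisites;
# the bind password is read from $BIND_PW so it is not hard-coded here.

LDAPBIN=/opt/IBM/ldap/V6.4/bin
BIND_DN=cn=root
SUFFIX='O=IBM,C=HU'

# check_agreements: reads idsldapsearch output on stdin. Entries are separated
# by blank lines; the first line of an entry is the DN (with or without the
# LDIF "dn: " prefix), the rest are "attr=value" or "attr: value" lines.
# Prints one summary line per agreement and returns 0 only if every agreement
# is ready with no pending and no failed changes.
check_agreements() {
    awk '
    function flush() {
        if (dn != "") {
            ok = (state == "ready" && pending == 0 && failed == 0)
            if (!ok) bad++
            printf "%s state=%s pending=%s failed=%s %s\n", dn, state, pending, failed, (ok ? "OK" : "PROBLEM")
        }
        dn = ""; state = "?"; pending = -1; failed = -1
    }
    BEGIN { bad = 0; flush(); newentry = 1 }
    /^[ \t]*$/ { flush(); newentry = 1; next }          # blank line ends an entry
    newentry   { dn = $0; sub(/^dn: /, "", dn); newentry = 0; next }
    {
        sep = index($0, "="); lsep = index($0, ": ")
        if (lsep > 0 && (sep == 0 || lsep < sep)) { attr = substr($0, 1, lsep - 1); val = substr($0, lsep + 2) }
        else if (sep > 0)                          { attr = substr($0, 1, sep - 1);  val = substr($0, sep + 1) }
        else next
        attr = tolower(attr)                       # LDAP attribute names are case-insensitive
        if (attr == "ibm-replicationstate")                  state   = tolower(val)
        else if (attr == "ibm-replicationpendingchangecount") pending = val + 0
        else if (attr == "ibm-replicationfailedchangecount")  failed  = val + 0
    }
    END { flush(); exit (bad > 0) }
    '
}

# check_server HOST PORT: run the guide's verification search against one node
# and feed the result to check_agreements. Note that -w still exposes the
# password in the process list for the duration of the call.
check_server() {
    "$LDAPBIN/idsldapsearch" -h "$1" -p "$2" -D "$BIND_DN" -w "${BIND_PW:?set BIND_PW}" \
        -b '' -s sub 'objectclass=ibm-replicationAgreement' \
        ibm-replicationState ibm-replicationPendingChangeCount \
        ibm-replicationFailedChangeCount | check_agreements
}

# roundtrip_check SRC_HOST DST_HOST: write a unique marker into the description
# of the suffix entry on SRC_HOST and read it back from DST_HOST after a short
# wait. Run it once in each direction for a peer-to-peer topology.
roundtrip_check() {
    marker="repl-check-$(date +%s)-$$"
    printf 'dn: %s\nchangetype: modify\nreplace: description\ndescription: %s\n' "$SUFFIX" "$marker" |
        "$LDAPBIN/idsldapmodify" -h "$1" -p 389 -D "$BIND_DN" -w "${BIND_PW:?set BIND_PW}" || return 1
    sleep 2
    "$LDAPBIN/idsldapsearch" -h "$2" -p 389 -D "$BIND_DN" -w "$BIND_PW" \
        -b "$SUFFIX" -s base 'objectclass=*' description | grep -q -- "$marker"
}

# Constructed sample output (default attr=value form) for an offline run.
SAMPLE_HEALTHY='cn=server2.hu.ibm.com:636,ibm-replicaGroup=default,O=IBM,C=HU
ibm-replicationState=ready
ibm-replicationPendingChangeCount=0
ibm-replicationFailedChangeCount=0
'
SAMPLE_BROKEN='cn=server2.hu.ibm.com:636,ibm-replicaGroup=default,O=IBM,C=HU
ibm-replicationState=retrying
ibm-replicationPendingChangeCount=12
ibm-replicationFailedChangeCount=3
'

# With "HOST PORT" arguments, check a live node; with no arguments, show the
# parser's verdict on the two constructed samples.
if [ $# -ge 2 ]; then
    check_server "$1" "$2"
elif [ $# -eq 0 ]; then
    printf '%s' "$SAMPLE_HEALTHY" | check_agreements
    printf '%s' "$SAMPLE_BROKEN" | check_agreements || echo "replication problem detected"
fi
```

Run it as `BIND_PW=... sh check_repl.sh server1.hu.ibm.com 389` and again for server2; a non-zero exit status means at least one agreement is not in the ready/0/0 state the guide expects. The round trip is deliberately separate (`roundtrip_check server1.hu.ibm.com server2.hu.ibm.com`, then the reverse), since it writes to the directory.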
Happy replication!