HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

NOTE:
If attribute encryption is enabled, a secure connection must be used for the encrypted
attributes to be replicated.
4. Select the connection type. There are three options:
Use LDAP
This sets either a standard, unencrypted connection or one that allows SASL encryption,
because Directory Server supports SASL over standard LDAP but not over SSL.
Use TLS/SSL
This uses a secure connection over the server's secure LDAPS port, such as 636. This
setting is required to use TLS/SSL, but it cannot be set if the authentication will be
performed with SASL.
Use Start TLS
This uses Start TLS to establish a secure connection over the server's standard port.
5. Select the appropriate authentication method and supply the required information. This gives
the information that the supplier uses to authenticate and bind to the consumer server to send
updates.
Simple
Means that the server connects over the standard port with no encryption. The only
required information is the bind DN and password for the Replication Manager (which
must exist on the consumer server).
Server TLS/SSL Certificate
Uses the supplier's SSL certificate to authenticate to the consumer server. A certificate
must be installed on the supplier for certificate-based authentication, and the consumer
server must have certificate mapping configured so that it can map the subject DN in the
supplier's certificate to its Replication Manager entry.
Configuring SSL and certificate mapping is described in “Managing SSL” (page 469).
SASL/DIGEST-MD5
Requires the standard port to connect to the server. Like simple authentication, this requires
only the bind DN and password to authenticate.
SASL/GSSAPI
Also requires the standard LDAP connection because the Directory Server does not support
using GSS-API over TLS/SSL.
The supplier server must have a Kerberos keytab (as in “About the KDC server and
keytabs” (page 504)), and the consumer server must have a SASL mapping to map the
supplier's principal to the real replication manager entry (as in “Configuring SASL identity
mapping from the console” (page 505)).
6. Fractional replication controls which entry attributes are replicated between servers. By default,
all attributes are replicated. To select attributes that will not be replicated to the consumer,
check the Enable Fractional Replication checkbox. Then, highlight the attribute (or attributes)
in the Included column on the right, and click Remove. All attributes that will not be replicated
are listed in the Excluded column on the left, as well as in the summary when the replication
agreement is complete.
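
The connection and authentication rules in steps 4 and 5, together with the NOTE on attribute encryption, can be checked against an exported agreement entry. The script below is an added example, not part of this guide or the product. It assumes the console choices are stored in the agreement entry as nsDS5ReplicaTransportInfo (LDAP, SSL or TLS) and nsDS5ReplicaBindMethod, defaulting to LDAP and SIMPLE when absent; the sample entries are constructed.

```python
# Added example (not from the guide). Assumption: the console choices are stored
# in the agreement entry as nsDS5ReplicaTransportInfo (LDAP, SSL, TLS) and
# nsDS5ReplicaBindMethod, defaulting to LDAP / SIMPLE when absent.
SASL_METHODS = {"SASL/GSSAPI", "SASL/DIGEST-MD5"}

# Constructed sample entries; host names and DNs are placeholders.
SAMPLE_GSSAPI_LDAPS = """
dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
nsDS5ReplicaHost: consumer.example.com
nsDS5ReplicaPort: 636
nsDS5ReplicaTransportInfo: SSL
nsDS5ReplicaBindMethod: SASL/GSSAPI
"""
SAMPLE_SIMPLE_LDAP = """
dn: cn=ExampleAgreement2,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
nsDS5ReplicaHost: consumer.example.com
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: cn=replication manager,cn=config
"""

def parse_ldif_entry(text):
    """Parse one unfolded, non-base64 LDIF entry into {lowercase attr: [values]}."""
    entry = {}
    for line in text.strip().splitlines():
        attr, sep, value = line.partition(":")
        if sep and not line.startswith("#"):
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def audit_agreement(entry, attr_encryption_enabled=False):
    """Return findings for one agreement, following steps 4 and 5 and the NOTE."""
    transport = entry.get("nsds5replicatransportinfo", ["LDAP"])[0].upper()
    method = entry.get("nsds5replicabindmethod", ["SIMPLE"])[0].upper()
    plaintext = transport == "LDAP" and method == "SIMPLE"
    findings = []
    if method in SASL_METHODS and transport == "SSL":
        findings.append("invalid: SASL cannot be used with Use TLS/SSL")
    if method == "SASL/GSSAPI" and transport != "LDAP":
        findings.append("invalid: GSS-API requires the standard LDAP connection")
    if method == "SSLCLIENTAUTH" and transport == "LDAP":
        findings.append("invalid: certificate authentication needs TLS/SSL or Start TLS")
    if plaintext:
        findings.append("risk: Replication Manager password crosses the wire unencrypted")
    # SASL over LDAP may negotiate its own encryption, so only flag the plain case.
    if plaintext and attr_encryption_enabled:
        findings.append("risk: encrypted attributes need a secure connection to replicate")
    return findings

if __name__ == "__main__":
    for sample in (SAMPLE_GSSAPI_LDAPS, SAMPLE_SIMPLE_LDAP):
        print(audit_agreement(parse_ldif_entry(sample), attr_encryption_enabled=True))
```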