HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

Table 38 Replication agreement attributes (continued)

Columns: Object class or attribute / Description / Values

(row continued from the previous page)
  Description: To use Start TLS, which initiates a secure connection over a
    standard port, use the standard port, 389, with the
    nsds5ReplicaTransportInfo attribute set to TLS.

nsds5replicatransportinfo: method
  Description: To use TLS/SSL, set this parameter to SSL. To use Start TLS,
    which initiates a secure connection over a standard port, set this
    parameter to TLS. To use simple authentication or SASL, set this
    parameter to LDAP.
  Values:
    empty or LDAP (standard connection over port 389)
    SSL (secure connection over the secure port, such as 636)
    TLS (secure connection over the standard port, 389, using Start TLS)

nsds5ReplicaBindDN: DN
  Description: The supplier bind DN used by the supplier to bind to the
    consumer. This is required for consumers, hubs, and multi-master
    suppliers, but not for single-master suppliers.
  Values: Any DN; the recommended DN is cn=Replication Manager,cn=config.

nsds5replicabindmethod: type
  Description: The connection type for replication between the servers. The
    connection type defines how the supplier authenticates to the consumer.

    Leaving the bind method empty or setting it to SIMPLE means that the
    server uses basic password-based authentication. This requires the
    nsds5ReplicaBindDN and nsds5ReplicaCredentials attributes to give the
    bind information.

    The SSLCLIENTAUTH option uses a secure connection. This requires setting
    the nsds5ReplicaTransportInfo attribute to SSL or TLS. For
    certificate-based authentication, the consumer server must also have a
    certificate mapping to map the subject DN in the supplier's certificate
    to the replication manager entry.

    Using SASL/GSSAPI requires that the nsds5ReplicaTransportInfo attribute
    is set to LDAP; Directory Server does not support using GSS-API over
    TLS/SSL. The supplier server must have a Kerberos keytab (as in “About
    the KDC server and keytabs” (page 504)), and the consumer server must
    have a SASL mapping to map the supplier's principal to the real
    replication manager entry (as in “Configuring SASL identity mapping from
    the console” (page 505)).

    The SASL/DIGEST-MD5 setting, like SIMPLE, uses password-based
    authentication and requires the nsds5ReplicaBindDN and
    nsds5ReplicaCredentials attributes to give the bind information.
  Values:
    SIMPLE
    SSLCLIENTAUTH
    SASL/GSSAPI
    SASL/DIGEST-MD5
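The dependencies between the bind method and the transport setting described in the table can be checked mechanically before an agreement is loaded. The following is an added example, not code from the guide or from Directory Server: the function names, the sample LDIF and its shortened DNs are constructed for illustration, the parser assumes simple LDIF without folded or base64 lines, and the SIMPLE-over-LDAP finding is an extra hardening check beyond the rules the table states.

```python
# Constructed sample agreements (not from a real server); DNs are shortened.
SAMPLE_LDIF = """\
dn: cn=agmt-simple,cn=config
nsds5replicatransportinfo: LDAP
nsds5replicabindmethod: SIMPLE
nsds5ReplicaBindDN: cn=Replication Manager,cn=config
nsds5ReplicaCredentials: constructed-placeholder

dn: cn=agmt-cert,cn=config
nsds5replicatransportinfo: LDAP
nsds5replicabindmethod: SSLCLIENTAUTH

dn: cn=agmt-gssapi,cn=config
nsds5replicatransportinfo: SSL
nsds5replicabindmethod: SASL/GSSAPI
"""

def parse_entries(ldif):
    """Split simple LDIF (no folded or base64 lines) into lowercase-keyed dicts."""
    entries = []
    for block in ldif.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            entry[key.strip().lower()] = value.strip()
        entries.append(entry)
    return entries

def audit(entry):
    """Return the rules from the table that this agreement entry breaks."""
    # Empty transport means LDAP and empty bind method means SIMPLE (per the table).
    transport = entry.get("nsds5replicatransportinfo", "").upper() or "LDAP"
    method = entry.get("nsds5replicabindmethod", "").upper() or "SIMPLE"
    findings = []
    if method in ("SIMPLE", "SASL/DIGEST-MD5"):
        for attr in ("nsds5replicabinddn", "nsds5replicacredentials"):
            if not entry.get(attr):
                findings.append(f"{method} requires {attr}")
        if method == "SIMPLE" and transport == "LDAP":
            # Added hardening check, not a rule stated in the table.
            findings.append("SIMPLE over LDAP sends the password unencrypted")
    elif method == "SSLCLIENTAUTH" and transport not in ("SSL", "TLS"):
        findings.append("SSLCLIENTAUTH requires transport SSL or TLS")
    elif method == "SASL/GSSAPI" and transport != "LDAP":
        findings.append("SASL/GSSAPI requires transport LDAP")
    return findings

def audit_ldif(ldif):
    return {e["dn"]: audit(e) for e in parse_entries(ldif)}
```

Calling `audit_ldif(SAMPLE_LDIF)` returns one finding per sample agreement, keyed by DN; an empty list means the entry satisfies every check.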
368 Managing Replication