Using Replication With Other Directory Server Features - Red Hat DIRECTORY SERVER 8.1 - DEPLOYMENT Deployment Manual

As their network needs changes, then Example Corp.'s administrators adjust their replication strategy:
• Choose a single server in one of the two buildings to contain a master copy of the directory data.
This server should be placed in the building that contains the largest number of people responsible
for the master copy of the directory data. We shall refer to this building as Building A.
• Replicate at least once within Building A for high availability of directory data.
Use a multi-master replication configuration to ensure write-failover.
• Create two replicas in the second building (Building B).
• If there is no need for close consistency between the supplier and consumer server, schedule
replication so that it occurs only during off-peak hours.

6.4. Using Replication with Other Directory Server Features

Replication interacts with other Directory Server features to provide advanced replication features. The
following sections describe feature interactions to better design the replication strategy.
6.4.1. Replication and Access Control
The directory service stores ACIs as attributes of entries. This means that the ACI is replicated
together with other directory content. This is important because Directory Server evaluates ACIs
locally.
For more information about designing access control for the directory, see
Secure Directory.
6.4.2. Replication and Directory Server Plug-ins
Replication works with most of the plug-ins delivered with Directory Server. There are some
exceptions and limitations in the case of multi-master replication with the following plug-ins:
• Attribute Uniqueness Plug-in
The Attribute Uniqueness Plug-in validate attribute values added to local entries to make sure that
all values are unique. However, this checking is done directly on the server, not replicated from other
suppliers. For example, Example Corp. requires that the mail attribute be unique, but two users are
added with the same mail attribute to two different supplier servers at the same time. As long as
there it no a naming conflict, then there is no replication conflict, but the mail attribute is not unique.
• Referential Integrity Plug-in
Referential integrity works with multi-master replication, provided that this plug-in is enabled on only
one supplier in the multi-master set. This ensures that referential integrity updates occur on only one
of the supplier servers and propagated to the others.
NOTE
By default, these plug-ins are disabled, and they must be manually enabled.
Using Replication with Other Directory Server Features
Chapter 8, Designing a
95