A Generic LDAP Sync Source defines the source of a Sync Pipe, which is a topology of LDAP server instances.
The Generic LDAP Sync Source is intended for use with LDAPv3 compliant servers that do not already have a specialized Sync Source. Examples include IBM Tivoli Directory Server, CA Directory Server, and OpenLDAP.
It may be necessary to implement a Change Detector using the Server SDK if the LDAP source does not have a cn=changelog implementation.
The Generic LDAP Sync Source component inherits from the Changelog Sync Source.
The following components have a direct aggregation relation from Generic LDAP Sync Sources:
The properties supported by this managed object are as follows:
Description | A description for this Sync Source |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
Description | Specifies the base DNs of the servers referenced by this Sync Source. These base DNs are used as the base of LDAP searches when locating entries. These base DNs must not overlap. |
Default Value | None |
Allowed Values | A valid DN. |
Multi-Valued | Yes |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
Description | Modifications performed by users with the specified DN will not be synchronized. This property is particularly useful when also using Ping Identity Data Sync Server to synchronize changes to this source. In this case, a unique user DN should be used by the Sync Pipe that applies changes to this source, and that user DN should be specified here to prevent those changes from being synchronized back to their original source. Note: the DN of the user performing a delete operation is not normally available in the changelog, so delete operations by these users will not be ignored. |
Default Value | cn=Sync User,cn=Root DNs,cn=config |
Allowed Values | A valid DN. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
Description | Specifies the names of the generic LDAP instances that should be used as the source of synchronization. The order of values is important as it is used as a priority order for failover. When a location is defined on the Data Sync Server, it will always prefer to fail over to external servers in that same location or in one of the preferred failover locations for that location. If there are multiple external servers available in the target location, then the Data Sync Server will prefer the earliest one in this list and then work its way down. If there is no location defined on the Data Sync Server or if there are no external servers configured in the target location or any of the preferred failover locations, then the Data Sync Server will work its way down the list of servers in the order they are listed here. |
Default Value | None |
Allowed Values | The DN of any LDAP External Server. |
Multi-Valued | Yes |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
Description | Specifies the detector that should be used to replace the default changelog based change detection method used by this Generic LDAP Sync Source. |
Default Value | The cn=changelog subtree will be polled for changes. |
Allowed Values | The DN of any Third Party Change Detector. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
Description | Specifies the attribute which uniquely identifies an LDAP entry within the Sync Source. This is typically an operational attribute that is automatically generated by the server, such as entryUUID. If this is not provided, then only the DN of the entry will be used to identify the entry. During synchronization, when a change is detected from the Generic LDAP Sync Source, the changed entry is first fetched from the source. Initially, the DN is used to search for the entry. If that search fails, then a second search is performed using this unique ID attribute if it is defined. |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
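The two-step lookup described above (DN first, then the unique ID attribute) matters most when an entry has been renamed between the change being logged and the Sync Source fetching it. The following added example is not Ping's code; it uses a constructed in-memory directory in place of a real LDAP server, a made-up entryUUID value, and assumes the unique ID of the entry is already known from an earlier synchronization of that entry.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Entry:
    dn: str
    attrs: dict = field(default_factory=dict)


class InMemoryDirectory:
    """Stand-in for the source LDAP server (constructed; not an LDAP client)."""

    def __init__(self, entries):
        self._by_dn = {e.dn.lower(): e for e in entries}

    def search_by_dn(self, dn: str) -> Optional[Entry]:
        """Base-level search on the DN: the first lookup the page describes."""
        return self._by_dn.get(dn.lower())

    def search_by_attribute(self, base_dn: str, attr: str, value: str) -> Optional[Entry]:
        """Subtree search under base_dn for (attr=value). A unique ID must match
        exactly one entry, so zero or several matches count as not found."""
        base = base_dn.lower()
        matches = [e for e in self._by_dn.values()
                   if e.dn.lower().endswith(base) and e.attrs.get(attr) == value]
        return matches[0] if len(matches) == 1 else None


def fetch_changed_entry(directory, base_dns, target_dn,
                        unique_id_attr=None, unique_id_value=None):
    """Fetch the entry behind a detected change: by DN first and, if that fails
    and unique-id-attribute is configured, by the unique ID under each base DN.
    Returns (entry, how) where how is "dn", the unique ID attribute, or None."""
    entry = directory.search_by_dn(target_dn)
    if entry is not None:
        return entry, "dn"
    if unique_id_attr and unique_id_value:
        for base_dn in base_dns:          # base DNs must not overlap
            entry = directory.search_by_attribute(base_dn, unique_id_attr, unique_id_value)
            if entry is not None:
                return entry, unique_id_attr
    return None, None


# Constructed directory state after uid=alice was renamed (modrdn) to uid=alice.smith.
BASE_DNS = ["ou=people,dc=example,dc=com"]
ALICE_UUID = "9d1e7f1c-2b77-4d6a-9f0e-0c2a8c1b1a11"   # made-up entryUUID value
DIRECTORY = InMemoryDirectory([
    Entry("uid=alice.smith,ou=people,dc=example,dc=com",
          {"entryUUID": ALICE_UUID, "uid": "alice.smith"}),
    Entry("uid=bob,ou=people,dc=example,dc=com",
          {"entryUUID": "5a0c2d6e-1f3b-4e8a-b2d4-7c9e1f0a2b33", "uid": "bob"}),
])
# The changelog entry's targetDN still names the pre-rename DN; the UUID is
# assumed to be known from when the entry was last synchronized.
OLD_ALICE_DN = "uid=alice,ou=people,dc=example,dc=com"


def resolve_alice(with_unique_id: bool):
    """Resolve the renamed entry with and without unique-id-attribute set."""
    return fetch_changed_entry(
        DIRECTORY, BASE_DNS, OLD_ALICE_DN,
        unique_id_attr="entryUUID" if with_unique_id else None,
        unique_id_value=ALICE_UUID if with_unique_id else None)


if __name__ == "__main__":
    for configured in (False, True):
        entry, how = resolve_alice(configured)
        print(f"unique-id-attribute configured={configured}: "
              f"{'not found' if entry is None else entry.dn} (via {how})")
```

Without a unique ID attribute, the renamed entry looks like a deletion from the source's point of view; with entryUUID configured, the change is attached to the entry under its new DN.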
failover-changelog-replay-duration
Description | This property only applies if the change-detector property is not set, which implies that changes are retrieved from cn=changelog. It controls the duration of changes that are replayed from the changelog when failing over to a new server. Replaying changes is necessary because there might be a replication delay between servers and the change numbers between replicas will be out-of-sync. When the Data Sync Server fails over to a different server, it will search backwards through the changelog until it finds a change that is more than failover-changelog-replay-duration behind the last change that was processed to account for replication delays and clock skews between servers. As a result, many changes will be replayed, but the likelihood of missed changes is reduced. The Data Sync Server always retrieves the latest copy of the entry from the source server, so no stale changes will be synchronized, but there could be warnings in the log about adds or deletes that have already been applied. This is expected and safe. It is important to ensure that the value provided for this property is well above the maximum expected replication delay between the source servers. In situations where there is a network partition that exceeds this duration, the 'realtime-sync set-startpoint' command should be used to have the Data Sync Server replay changes from before the partition occurred. |
Default Value | 10 minutes |
Allowed Values | A duration. Lower limit is 0 milliseconds. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
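The replay rule above is easier to see on concrete changelog data. The following added example is not Ping's code: it parses a constructed cn=changelog LDIF dump from the server being failed over to, whose changeNumbers (500 upward) have nothing to do with the numbering on the server that was lost, and walks it backwards from the newest change until it finds one more than the replay duration behind the last processed change, exactly as the description says. The entry layout and the treatment of a change at or before the last processed time as "probably already applied" are assumptions for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample: cn=changelog on the server the Sync Source fails over TO.
NEW_SERVER_CHANGELOG_LDIF = """\
dn: changeNumber=500,cn=changelog
changeNumber: 500
changeTime: 20240101114500Z
targetDN: uid=alice,ou=people,dc=example,dc=com
changeType: add

dn: changeNumber=501,cn=changelog
changeNumber: 501
changeTime: 20240101115500Z
targetDN: uid=bob,ou=people,dc=example,dc=com
changeType: modify

dn: changeNumber=502,cn=changelog
changeNumber: 502
changeTime: 20240101120031Z
targetDN: uid=carol,ou=people,dc=example,dc=com
changeType: delete

dn: changeNumber=503,cn=changelog
changeNumber: 503
changeTime: 20240101120100Z
targetDN: uid=dave,ou=people,dc=example,dc=com
changeType: add
"""

# changeTime of the last change processed on the server that was lost (constructed).
LAST_PROCESSED_TIME = datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ChangelogEntry:
    change_number: int
    change_time: datetime
    target_dn: str
    change_type: str


def parse_generalized_time(value: str) -> datetime:
    """Parse the YYYYMMDDhhmmssZ form of changeTime as UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_changelog_ldif(ldif: str) -> list:
    """Turn the minimal LDIF above into entries sorted by changeNumber."""
    entries = []
    for block in ldif.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            attrs[name.lower()] = value
        entries.append(ChangelogEntry(
            change_number=int(attrs["changenumber"]),
            change_time=parse_generalized_time(attrs["changetime"]),
            target_dn=attrs["targetdn"],
            change_type=attrs["changetype"],
        ))
    return sorted(entries, key=lambda e: e.change_number)


def failover_replay_start(log, last_processed_time, replay_duration):
    """Search backwards through the new server's changelog until a change is
    found that is more than replay_duration behind the last processed change;
    replay resumes at the change after it. Returns that changeNumber, or None
    when the new server holds nothing newer than the cutoff."""
    cutoff = last_processed_time - replay_duration
    start = None
    for entry in reversed(log):
        if entry.change_time < cutoff:
            break
        start = entry.change_number
    return start


def changes_to_replay(log, start):
    """Entries the Data Sync Server would re-process after the failover."""
    if start is None:
        return []
    return [e for e in log if e.change_number >= start]


def replay_window_demo(replay_minutes: float):
    """Resume point for the constructed log with a given replay duration."""
    log = parse_changelog_ldif(NEW_SERVER_CHANGELOG_LDIF)
    return failover_replay_start(log, LAST_PROCESSED_TIME, timedelta(minutes=replay_minutes))


if __name__ == "__main__":
    log = parse_changelog_ldif(NEW_SERVER_CHANGELOG_LDIF)
    start = replay_window_demo(10)          # the 10 minute default
    for e in changes_to_replay(log, start):
        # Changes at or before the last processed time were most likely applied
        # already; the server fetches the live entry and only logs a warning.
        already = e.change_time <= LAST_PROCESSED_TIME
        print(f"changeNumber={e.change_number} {e.change_type:6} {e.target_dn}: "
              f"{'replay, probably already applied' if already else 'replay, new'}")
```

With the 10 minute default the resume point is changeNumber 501 (changeNumber 500 is older than 12:00:30 minus 10 minutes), so 501 and 502 are replayed even though they were almost certainly already handled; with a replay duration of zero the resume point jumps to 502 and anything delayed by replication between the two servers would be missed, which is the risk the description warns about.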
response-timeout (Advanced Property)
Description | Specifies the maximum length of time that an operation should be allowed to block while waiting for a response from the server. A value of zero indicates that there should be no client-side timeout; the server's default will be used. This property indicates how long the Data Sync Server should wait for a response from a search request to a source server before failing with LDAP result code 85 (client-side timeout). When this happens, the Sync Source will retry the request according to the max-failover-error-code-frequency property before failing over to a different source server and performing the retry there. The total number of retries will not exceed the max-operation-attempts value defined in the Sync Pipe configuration. |
Default Value | 1 m |
Allowed Values | A duration. Lower limit is 0 milliseconds. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
max-failover-error-code-frequency (Advanced Property)
Description | This property controls how often a given LDAP error code may be encountered on a connection before the Data Sync Server fails over to a different source server. This allows the retry logic to be tuned, so that retries can be performed once on the same server before giving up and trying another server. The value can be set to zero if there is no acceptable error code frequency and failover should happen immediately. It can also be set to a very small value (such as 10 ms) if a high frequency of error codes is tolerable. As an example, if the value is set to 3 minutes, a TIMEOUT error code from the currently connected server will not trigger a failover unless there was another TIMEOUT from the same server within the last 3 minutes. This property applies to all LDAP result codes except the following: |
Default Value | 3 m |
Allowed Values | A duration. Lower limit is 0 milliseconds. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
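The response-timeout and max-failover-error-code-frequency descriptions above, together with the failover ordering given for the server property, describe one decision procedure: an error on the current server either leads to a retry there or to a failover, and the failover target is chosen by location and then by list order. The following added example is not Ping's code; it models that procedure with a seconds-based clock, a constructed three-server topology with assumed locations, and the assumption that a location's own servers are tried before its preferred failover locations. The page does not reproduce the list of exempt result codes, so the tracker takes that list as a parameter, empty by default.

```python
from dataclasses import dataclass, field

LDAP_CLIENT_SIDE_TIMEOUT = 85   # the result code the page names for response-timeout

# Constructed topology. SERVERS is the ordered value of the "server" property;
# earlier entries win when several servers qualify. Locations are assumed.
SERVERS = [
    "cn=ldap-east-1,cn=External Servers,cn=config",
    "cn=ldap-west-1,cn=External Servers,cn=config",
    "cn=ldap-east-2,cn=External Servers,cn=config",
]
SERVER_LOCATION = {
    SERVERS[0]: "east",
    SERVERS[1]: "west",
    SERVERS[2]: "east",
}


@dataclass
class ErrorFrequencyTracker:
    """Decides whether an LDAP error on the current server should trigger a
    failover, following max-failover-error-code-frequency. Times are seconds
    from a monotonic clock."""
    max_frequency_seconds: float = 180.0     # the 3 m default
    exempt_codes: frozenset = frozenset()    # page does not reproduce the list
    _last_seen: dict = field(default_factory=dict)

    def should_fail_over(self, server: str, result_code: int, now: float) -> bool:
        if result_code in self.exempt_codes:
            return False
        if self.max_frequency_seconds == 0:
            return True                      # zero: fail over immediately
        key = (server, result_code)
        previous = self._last_seen.get(key)
        self._last_seen[key] = now
        # The same code on the same server inside the window means the retry
        # on this server has already failed once; give up on it.
        return previous is not None and (now - previous) <= self.max_frequency_seconds


def next_server(servers, locations, local_location, preferred_failover_locations, excluded):
    """Pick the failover target by the rules of the "server" property: servers in
    the local location first, then the preferred failover locations in order
    (assumed ordering), earliest listed server within each; with no location, or
    nothing available in those locations, walk the list in order."""
    candidate_locations = []
    if local_location is not None:
        candidate_locations = [local_location, *preferred_failover_locations]
    for loc in candidate_locations:
        for server in servers:
            if server not in excluded and locations.get(server) == loc:
                return server
    for server in servers:
        if server not in excluded:
            return server
    return None


if __name__ == "__main__":
    tracker = ErrorFrequencyTracker()
    current = SERVERS[1]                     # the Data Sync Server sits in "west"
    for t in (0.0, 100.0):                   # two client-side timeouts 100 s apart
        if tracker.should_fail_over(current, LDAP_CLIENT_SIDE_TIMEOUT, t):
            target = next_server(SERVERS, SERVER_LOCATION, "west", ["east"], {current})
            print(f"t={t:.0f}s: second timeout within 3 m, failing over to {target}")
        else:
            print(f"t={t:.0f}s: first timeout, retrying on {current}")
```

The total number of retries is still bounded by the Sync Pipe's max-operation-attempts, which this example does not model.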
Description | Specifies sync source plugins that should be applied to operations that are synchronized by this LDAP Sync Source. If multiple plugins are provided, then they will be invoked in the order they are specified. |
Default Value | None |
Allowed Values | The DN of any LDAP Sync Source Plugin. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
sync-backlog-alert-threshold (Advanced Property)
Description | This property specifies when the Data Sync Server should generate an administrative alert because of too many outstanding changes. If the Data Sync Server becomes severely backlogged, it may be desirable for it to generate an alert. The value of this property specifies the size (in number of unprocessed changes) at which an alert will be thrown. |
Default Value | None |
Allowed Values | An integer value. Lower limit is 0. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
changelog-search-type (Advanced Property)
Description | This property specifies how cn=changelog will be searched when the Data Sync Server is detecting changes. If a Change Detector is specified then this setting will be ignored. |
Default Value | single-entry-searches |
Allowed Values | range-searches - Indicates that this Generic LDAP Sync Source will perform subtree searches of the cn=changelog and retrieve changes in batches. Under heavy load this is sometimes more efficient. single-entry-searches - Indicates that this Generic LDAP Sync Source will perform base-level searches of the cn=changelog and retrieve a single entry at a time. This works around a problem in certain environments where searches on the 'changenumber' attribute are reported as unindexed. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
To list the configured Sync Sources:
dsconfig list-sync-sources [--property {propertyName}] ...
To view the configuration for an existing Sync Source:
dsconfig get-sync-source-prop --source-name {name} [--tab-delimited] [--script-friendly] [--property {propertyName}] ...
To update the configuration for an existing Sync Source:
dsconfig set-sync-source-prop --source-name {name} (--set|--add|--remove) {propertyName}:{propertyValue} [(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new Generic LDAP Sync Source:
dsconfig create-sync-source --source-name {name} --type {type} --set base-dn:{propertyValue} --set server:{propertyValue} [--set {propertyName}:{propertyValue}] ...
To delete an existing Sync Source:
dsconfig delete-sync-source --source-name {name}