Skip Headers
Oracle® Internet Directory Administrator's Guide,
10g Release 2 (10.1.2)
B14082-02
  Go To Documentation Library
Home
Go To Product List
Solution Area
Go To Table Of Contents
Contents
Go To Index
Index

Previous
Previous
Next
Next
 

24 Oracle Internet Directory Replication Concepts

This chapter describes Oracle Internet Directory replication. It contains these topics:

24.1 About Directory Replication

This section briefly introduces some of the basic concepts of replication. Subsequent sections in this chapter explain these concepts in further detail.

Replication is the process of copying and maintaining the same naming contexts on multiple directory servers. It improves performance by providing more servers to handle queries, and reliability by eliminating risks associated with a single point of failure.

Replication can be either full or partial. Full replication involves propagating the entire DIT to another node. Partial replication involves propagating one or more subtrees, rather than the entire DIT, to another node.

The directory servers that participate in the replication of a given naming context form what is called a directory replication group (DRG). The relationship among the directory servers in a DRG is represented on each node by a special directory entry called a replication agreement.

Each copy of a naming context contained within a server is called a replica. Replicas can be read-only, updatable, or both. A server that sends the updates made to it to other servers is known as a supplier. A server that accepts those changes is called a consumer. A server can be both a supplier and a consumer.

A directory replication group can be single-master, multimaster, or fan-out as described in Table 24-1.

Table 24-1 Types of Directory Replication Groups

Group Description

Single-master

Has only one supplier replicating changes to one or more consumers. Only the supplier can be updated, and consumers are read-only.

Multimaster

Also called peer-to-peer or n-way replication, enables multiple sites, acting as equals, to manage groups of replicated data. In a multimaster replication environment, each node is both a supplier and a consumer node, and the entire directory is replicated on each node.

Fan-out

Also called a point-to-point replication group, has a supplier replicating directly to a consumer. That consumer can then replicate to one or more other consumers. The replication can be either full or partial.


In a directory replication group, the protocol for transferring data between nodes can be based on either Oracle Database Advanced Replication or LDAP.

24.2 Full and Partial Directory Replication

This section contains these topics:

24.2.1 Full Directory Replication

Full replication involves propagating the entire DIT to another node. This type of replication ensures the high availability of the entire directory. You can also use it to distribute operations on the entire directory among different nodes.

Full replication can be based on either Oracle Database Advanced Replication or LDAP.

24.2.2 Partial Directory Replication

Partial replication enables you to propagate one or more subtrees, rather than the entire DIT, to another node. Decentralizing a directory in this way enables you to balance the workload between servers and build a highly available distributed directory, complete with fault tolerance and failover. Because it brings data closer to the client, partial replication reduces response time and improves performance. You can configure partial replication by using the Replication Environment Management Tool.

Partial replication is LDAP-based only. It does not use Oracle Database Advanced Replication.


See Also:

The "remtool" command-line tool reference in Oracle Identity Management User Reference

Figure 24-1, "Example of Partial Replication" shows an example of partial replication.

Figure 24-1 Example of Partial Replication

This illustration is described in the text.

In a partial replication scenario, one or more naming contexts, but not the entire directory, are replicated. For example, in Figure 24-1, "Example of Partial Replication", Server 1 contains three naming contexts: A, B, and C. Naming contexts B and C are replicated to Server 2, but naming context A is not.

Table 24-2 compares the two types of replication.

Table 24-2 Comparison of Full and Partial Replication

Full Replication Partial Replication

Propagates an entire directory to other nodes

Propagates just part of the directory—for example, one or more, but not all, naming contexts—to other nodes

In a multimaster environment, allows a consumer to receive changes from more than one supplier

In a single-master environment, allows a consumer to receive changes from only one supplier


24.3 Directory Replication Groups

This section contains these topics:

24.3.1 Data Transfer Between Nodes in a Directory Replication Group

In a directory replication group, the protocol for transferring data can be based on either Oracle Database Advanced Replication or LDAP. Table 24-3 shows how each type handles various features of replication and points to sections of this chapter with more details.

Table 24-3 Types of Data Transfer Between Nodes in a Directory Replication Group

Feature LDAP-Based Replication Advanced Replication More Information

Change propagation

Change propagation from supplier to consumer happens over LDAP

Change propagation from supplier to consumer happens by using Advanced Replication

"Change Logs in Directory Replication"


Replica type supported

Read-only full replica

Read-only partial replica

Read/write full replica

"Full Directory Replication"

"Partial Directory Replication"


Configuration supported

Single-master replication

Fan-out replication

Multimaster replication

Single-master replication, by switching all masters in a multimaster configuration except one to read-only mode.

"Single-Master Replication Groups"

"Multimaster Replication Groups"

"Fan-Out Replication Groups"



24.3.2 Single-Master Replication Groups

A single-master replication group has only one supplier replica supplying changes to one or more consumers. Clients can update only the master replica, and can only read data on any of the consumers.

Figure 24-2, "Example of Single-Master Replication" shows a single-master replication environment.

Figure 24-2 Example of Single-Master Replication

Description of Figure 24-2  follows
Description of "Figure 24-2 Example of Single-Master Replication"

In Figure 24-2, each bullet represents a node of Oracle Internet Directory. Node A is a supplier that replicates consumer nodes B and C. Node A is read/write, and Nodes B and C are read-only. The data transfer protocol is LDAP.

24.3.3 Multimaster Replication Groups

A multimaster replication group, also called a peer-to-peer or n-way replication group, has two or more nodes acting as equals to manage groups of replicated data. In a multimaster replication group, each directory server is both a supplier and a consumer of changes, and the entire directory is replicated on each node.

The example in Figure 24-3 shows three nodes—A, B, and C—that update each other in a multimaster replication group.

Figure 24-3 Example of Multimaster Replication

Description of Figure 24-3  follows
Description of "Figure 24-3 Example of Multimaster Replication"

In Figure 24-3, each node is read/write, and the data transfer protocol is based on Advanced Replication.


Note:

Multimaster replication is the only replication mechanism supported in Oracle Application Server Single Sign-On as described in the section "Configuring Oracle Application Server Single Sign-On for Replication" in the chapter on high availability in the Oracle Application Server Single Sign-On Administrator's Guide


See Also:

"Multimaster Replication" for more information about multimaster replication

24.3.4 Fan-Out Replication Groups

A fan-out replication group, also called a point-to-point replication group, has a supplier replicating directly to a consumer. That consumer can then supply the same data to one or more other consumers. The replication can be either full or partial.

Figure 24-4 shows a fan-out replication environment.

Figure 24-4 Example of Fan-Out Replication

Description of Figure 24-4  follows
Description of "Figure 24-4 Example of Fan-Out Replication"

In Figure 24-4, supplier A replicates to two consumers, B and C. Consumer node B contains a partial replica of A, whereas consumer node C contains a full replica of A. Both consumer nodes B and C are read-only.

Each of these nodes, in turn, serves as a supplier that replicates data to two other consumers: Node B partially replicates to nodes D and E, and node C fully replicates to nodes F and G.

In fan-out replication, nodes transfer data by using LDAP.

24.3.5 Types of Directory Replication Compared

Table 24-4 compares multimaster, single-master, and fan-out replication.

Table 24-4 Multimaster. Single-Master, and Fan-Out Replication Compared

Multimaster Replication Single-Master Replication Fan-out Replication

Uses only Advanced Replication

Uses LDAP-based replication or Advanced Replication (by switching all masters in a multimaster configuration except one to read-only mode).

Uses LDAP-based replication

Updates can be made on any node, whether supplier or consumer.

Updates can be made on the supplier only. Changes to a consumer can be propagated to other fan-out consumers, but not back to the supplier.

Updates can be made on the supplier only. Changes to a consumer can be propagated to other fan-out consumers, but not back to the supplier. This is also true when the LDAP-based replica node is read/write.


24.3.6 Multimaster Replication with Fan-Out

Beginning with Oracle Internet Directory 10g (9.0.4), Oracle Internet Directory enables any node in a multimaster replication group to supply all or part of its data to a read-only consumer. This consumer can, in turn, supply data to other consumers in a fan-out configuration. Within the multimaster replication agreement, data transfer between the nodes occurs by way of Oracle Database Advanced Replication. Within the fan-out replication agreement, data transfer from supplier to consumer occurs by way of LDAP.


Note:

If an LDAP-based replica is read/write, then changes on this node propagate to consumers, but not to suppliers.

Figure 24-5 shows an example of multimaster replication used in conjunction with fan-out replication.

Figure 24-5 Example of Multimaster Replication with Fan-Out

This illustration is described in the text.

In the example in Figure 24-5, nodes A, B, and C form a multimaster replication group. They transfer data among them by using Advanced Replication.

Node B supplies changes to Node D, a read-only replica of the entire directory. Node D, in turn, supplies changes to Nodes F and G by using LDAP-based replication. Both Nodes F and G are read-only replicas of the entire directory. Similarly, Node E is a one-way full replica of Node C. Node E, in turn supplies changes to Node H, a read-only replica of the entire directory, and Node I, a read-only partial replica, by using LDAP-based replication.


See Also:

"Fan-Out and Partial Replication" for more information about fan-out replication

24.4 Included and Excluded Naming Contexts

In LDAP-based replication, you can include a given naming context for replication and exclude one or more of the subtrees within that naming context from replication. You can also exclude from replication one or more of the attributes in that naming context.

In Oracle Database Advanced Replication, you can only exclude naming contexts.

In LDAP-based replication, only naming contexts explicitly specified as included are replicated. In Oracle Database Advanced Replication, however, all naming contexts are included by default. To exclude a naming context from replication in Oracle Advanced Replication, specify it using the orclexcludednamingcontext attribute of the Oracle-Advanced-Replication-based-replication agreement entry orclagreementid=000001.

Figure 24-6 and the accompanying text further exemplify the use of the naming context container and its objects.

Figure 24-6 Example of a Naming Context Container and Its Objects

This illustration is described in the text.

In Figure 24-6, the naming context included for replication is c=us. Within that naming context, one subtree, namely cn=user1,cn=hr, c=us is excluded from replication. Moreover, two of the attributes of the c=us naming context are excluded from replication—namely, userPassword and telephonenumber.

24.5 Replication Agreements

A replication agreement is a special entry containing information about the relationship among servers in a DRG. In Oracle Internet Directory, all such entries reside under the container entry cn=replication configuration located at the root DSE. This entry resides on each node in a DRG, and contains all replication information for that node.

There are two kinds of replication agreements: those for Oracle Database Advanced Replication groups, and those for LDAP-based replication groups.

This section contains these topics:

24.5.1 Oracle Database Advanced Replication Agreements

For a multimaster replication group, replication agreements are based on Advanced Replication. The replication agreement on each node lists all of the nodes in the group. It is identical on each node except for local options such as partitioned naming contexts on the local directory server.

The entry for this kind of replication agreement resides immediately below the cn=replication configuration container entry. For example, the DN of such an agreement can look like this: orclagreementID=000001,cn=replication configuration.

24.5.2 LDAP-Based Replication Agreements

Unlike multimaster replication groups, in fan-out replication groups there is one replication agreement for each supplier-consumer relationship.

The entry for this kind of replication agreement resides immediately below the replica subentry of the node that serves as the supplier. Thus, the DN of the replication agreement as found on a supplier node is:

orclagreementID=unique_identifier_of_the_replication_agreeement, orclReplicaID=unique_identifier_of_supplier_node, cn=replication configuration

Similarly, the DN of the replication agreement as found on a consumer node is:

orclagreementID=unique_identifier_of_the_replication_agreeement, orclReplicaID=unique_identifier_of_supplier_node, cn=replication configuration

In a fan-out replication agreement, you can tell which node the agreement entry is associated with by looking at its parent. For example, look at the following replication agreement entry.

orclagreementID=000002,orclReplicaID=node_A,cn=replication configuration

In this example, you can determine that the replication agreement represented by orclagreementID=000002 is associated with node A. This is because the parent of orclagreementID=000002 is orclReplicaID=node_A.


Note:

The container entry cn=replication configuration is replicated on all nodes, but may not be identical on all nodes.


Note:

The orclreplicadn attribute of an LDAP-based replication agreement specifies the associated consumer node.

24.6 Replication Configuration Objects in the Directory

This section describes the objects in the directory that contain replication configuration information. It contains these topics:

24.6.1 The Replication Configuration Container

All replication information for a node resides in the container cn=replication configuration located at the root DSE. This entry resides on each node in a DRG. The following is a sample replication configuration container entry:

dn: cn=replication configuration
orclaci: access to entry by * (browse)
orclaci: access to attr=(*) by * (search,read)
orclnormdn: cn=replication configuration
cn: replication configuration
description: Replication agreement Container object
objectclass: top
objectclass: orclcontainerOC

24.6.2 The Replica Subentry

This subentry is created at installation under the replication configuration container. It contains attributes that identify and define the characteristics of the node it represents.

This subentry is associated with the object class orclReplicaSubentry. It contains the attribute orclreplicaID whose value specifies the name of the replica subentry. It is unique to each directory node. The local replica entry's orclreplicaID matches that of the orclreplicaID attribute at the root DSE. For example, inFigure 24-9 , a replica subentry is represented by orclReplicaID=UID_of_node_D,cn=replication configuration. The following is a sample replica subentry:

dn: orclreplicaid=myhost1_repl1,cn=replication configuration
objectclass: top
objectclass: orclreplicasubentry
orclreplicaid: myhost1_repl1
orclreplicauri: ldap://myhost1:3060/
orclreplicasecondaryuri: ldap://myhost1.mycompany.com:3060/


See Also:

""Replication Schema Elements" in Oracle Identity Management User Reference for descriptions of the attributes of the replica subentry.

24.6.3 The Replication Agreement Entry

This entry contains attributes that define the replication agreement between the two or more nodes and is associated with the orclReplAgreementEntry objectclass. There are two kinds of agreement:

  1. Oracle Database Advanced Replication Agreement. The replication agreement for Oracle Database Advanced Replication nodes resides under the replication configuration entry. For example: In Figure 24-8, an Oracle Database Advanced Replication agreement entry is represented by orclagreementID=000001.

  2. LDAP-based replication agreement. The replication agreement for LDAP nodes resides under the supplier's replica subentry. For example, in Figure 24-9, an LDAP-based replication agreement entry is represented by orclagreementID=000003, orclReplicaID=UID_of_node_D,cn=replication configuration.

The following is a sample replication agreement entry:

dn: orclagreementid=000002,orclreplicaid=myhost1_repl1,
 cn=replication configuration
orclagreementid: 000002
orclupdateschedule: 1
orclreplicationprotocol: ODS_LDAP_1.0
orcllastappliedchangenumber: 0
orclhiqschedule: 10
orclreplicadn: orclreplicaid=myhost2_repl2,cn=replication configuration
orclldapconnkeepalive: 1
objectclass: orclReplAgreementEntry
objectclass: top


See Also:

"Replication Schema Elements" in Oracle Identity Management User Reference for descriptions of the attributes of the replication agreement entry

24.6.4 The Replication Naming Context Container Entry

This entry contains all the LDAP naming context objects.

This entry has the RDN cn=replication namecontext, and it is created below the orclagreementID entry during replication configuration. The following is a sample replication naming context container entry:

dn: cn=replication namecontext,orclagreementid=000002, 
 orclreplicaid=myhost1_repl1,cn=replication configurationobjectclass: top
objectclass: orclcontainerOC
cn: replication namecontext

24.6.5 The Replication Naming Context Object Entry

This entry contains all the LDAP naming context objects. These objects specify what is to be either included in or excluded from replication to an LDAP-based partial replica.

This entry is created below the naming context container entry during replication configuration. It is configurable. For example, in Figure 24-9 , the replication naming context object is cn=namingcontext001,cn=replication namecontext,orclagreementID=000003,orclReplicaID=UID_of_node_D,cn=replication configuration

A replication naming context contains these attributes:

  • orclincludednamingcontexts—The root of the naming context to be replicated

  • orclexcludednamingcontexts—Within the included naming context, the root of a subtree to be excluded from replication

  • orclexcludedattributes—Within the included naming context, an attribute to be excluded from replication


    See Also:

    "Replication Schema Elements" in Oracle Identity Management User Reference for descriptions of the attributes in the replication naming context entry

The following is a sample replication naming context object entry.

dn: cn=includednamingcontext000001,cn=replication namecontext,
  orclagreementid=000002,orclreplicaid=myhost1_repl1,cn=replication configuration 
objectclass: orclreplnamectxconfig 
objectclass: top 
orclincludednamingcontexts: c=us 
orclexcludednamingcontexts: cn=groups,c=us 
orclexcludedattributes: userPassword 
orclexcludedattributes: telephonenumber 
cn: includednamingcontext000001 

24.6.6 Examples of Replication Configuration Objects in the Directory

The examples of replication objects in this section rely on the replication environment shown in Figure 24-7.

Figure 24-7 Example: Multimaster Replication and Fan-Out Replication

This illustration is described in the text.

In Figure 24-7, nodes A, B, and C form a multimaster replication group. Node C replicates to a fourth node, D, which, in turn, fans out to Node E.

The replication agreements in this environment are as follows:

  • Node A has one replication agreement representing its multimaster relationship with nodes B and C.

  • Node B has one replication agreement representing its multimaster relationship with nodes A and C.

  • Node C has two replication agreements, the first representing its multimaster relationship with nodes A and B, the second representing its relationship to node D in which it serves as the supplier and node D is the consumer.

  • Node D has two replication agreements, one representing its relationship to the supplier node C, from which it consumes changes, the other representing its relationship to consumer node E for which it is the supplier.

Figure 24-8 shows the replication objects in the DIT that pertain to node C in Figure 24-7 .

Figure 24-8 Example: Replication Configuration Entries for Node C

This illustration is described in the text.

For node C, the entry cn=replication configuration at the root DSE contains these RDNs:

  • orclagreementID=000001: The multimaster replication agreement in which node C participates with nodes A and B.

  • orclReplicaID=UID_of_node_C: Unique identifier of node C that contains information about it.

  • orclagreementID=000002: Unique identifier of the relationship between supplier node C and consumer node D. You know that, in this case, orclagreementID=000002 is the replication agreement of the supplier node C because node C is its parent.

    This entry contains the attribute orclreplicaDN. Its value is the replica entry DN of consumer node D, with which node C has the replication agreement.

  • cn=replication DN: The bind DN that the directory replication server on node C uses to bind to the directory server.

  • cn=replication namecontext: Container of information about naming contexts that are included in replication.

  • cn=namingcontext001 and cn=namingcontext002: The actual objects that are included in or excluded from replication. In the naming context included for replication, you can specify one or more subtrees to be excluded from replication. In that same included naming context, you can specify particular attributes to be excluded from replication.

Figure 24-9 shows the replication agreement entry in the DIT that pertains to node D in Figure 24-7.

Figure 24-9 Example: Replication Configuration Entries for Node D

This illustration is described in the text.

For node D, the entry cn=replication configuration at the root DSE contains these RDNs:

  • orclReplicaID=UID_of_node_D: Unique identifier of node D and contains information about it.

  • orclagreementID=000003: Unique identifier of the relationship between supplier node D and consumer node E. You know that, in this case, orclagreementID=000003 is the replication agreement of the supplier node D because node D is its parent.

    This entry contains the attribute orclreplicaDN, the value of which is the DN of consumer node E with which node D has the replication agreement.

  • cn=replication DN: Bind DN that the directory replication server on node D uses to bind to the directory server.

  • cn=replication namecontext: Container of information about naming contexts that are included in replication.

  • cn=namingcontext001 and cn=namingcontext002: Objects specifying naming contexts to be included in replication. In the naming context included in replication, you can specify one or more subtrees or particular attributes to be excluded from replication.

24.7 Replication Security

This section contains these topics:

24.7.1 Authentication and the Directory Replication Server

Authentication is the process by which the Oracle directory replication server establishes the true identity of itself when connecting to the directory server. It occurs when an LDAP session is established by means of an ldapbind operation.

It is important that the directory replication server be properly authenticated before it is allowed access to the directory.

The directory replication server uses a unique identity and a password to authenticate with the directory server. The identity of the directory replication server is of the form cn=replication dn,orclreplicaid=unique_identifier_of_node,cn=replication configuration.

When it starts, the directory replication server reads its identity and password from an Oracle Internet Directory secure wallet, and uses these credentials for authentication. If you want to change the password for the replication bind DN, then you must use the -pchgpwd, -presetpwd, or -pchgwalpwd option of the Replication Environment Management Tool. The wallet for replication identity is located at $ORACLE_HOME/ldap/admin/oidpwdrOracle_SID.


See Also:

The "remtool" command-line tool reference in Oracle Identity Management User Reference.


Note:

In earlier releases, the replication server required the directory server to allow anonymous bind. The replication server no longer requires that.

24.7.2 Secure Sockets Layer (SSL) and Oracle Internet Directory Replication

You can deploy Oracle Internet Directory replication with or without SSL. Replication automatically detects if the target Oracle Internet Directory instance is running at an SSL port. When the replication server binds to the SSL port of an Oracle Internet Directory instance, it will automatically work on top of the Secure Sockets Layer.


Note:

In Oracle Internet Directory 10g Release 2 (10.1.2), the Oracle directory replication server cannot communicate directly with an SSL-enabled LDAP server that supports two way (mutual) authentication. The replication server startup will fail and hang if the LDAP server is configured for SSL mutual authentication.

To configure LDAP-based replication to use SSL encryption, in the orclReplicaURI attribute, which contains the supplier contact information, specify the port number of the SSL port.

To configure Advanced Replication to use SSL encryption, use Oracle Advanced Security.


See Also:

Oracle Advanced Security Administrator's Guide for information on how to configure Advanced Replication to use SSL encryption

24.8 Change Logs in Directory Replication

Oracle Internet Directory records each change as an entry in the change log store. The directory replication server of the consumer retrieves changes residing in the change log store of the supplier and applies them to the consumer.

Each entry in the change log store—that is, each change log object—has a unique change number. The consumer keeps track of the change number of the last change it applied, and it retrieves from the supplier only those changes with numbers greater than that of the last change it applied.

Change logs are purged by the garbage collector after they have been consumed by the replication server.

24.9 Multimaster Replication

This section gives a detailed look at multimaster replication. A multimaster directory replication group has multiple nodes acting as equals to manage groups of replicated data. This section contains these topics:


See Also:

"Managing Replication" for information about how to configure replication agreements

Appendix F, "The Multimaster Replication Process"


24.9.1 Oracle Database Advanced Replication

In Oracle Database Advanced Replication, the transport of update information between nodes in a replication agreement is managed by Oracle Database Advanced Replication, a store-and-forward transport feature. Advanced Replication enables you to synchronize database tables across two Oracle databases.

Oracle Database Advanced Replication:

  • Stores local changes and periodically propagates them in batches to consumers. The consumer replication servers apply the remote changes to their own local directory servers, and then purge the applied remote changes from their local stores.

  • Enables read and update access to directory tables anywhere in the Oracle replication group. Typical Advanced Replication configurations use row-level replication.

  • Provides proven network tolerance. Data transfer can be controlled and monitored by Oracle Enterprise Manager 10g Application Server Control Console. Such manageability allows a high degree of flexibility in how the data transfer is scheduled.


    Note:

    The Oracle Application Server Single Sign-On database schema that resides in the same database as Oracle Internet Directory is also replicated by using Advanced Replication.


    See Also:

    • The section "Configuring Oracle Application Server Single Sign-On for Replication" in the chapter on high availability in the Oracle Application Server Single Sign-On Administrator's Guide

    • Oracle Database Advanced Replication in the Oracle Database Documentation Library for information about Advanced Replication


24.9.2 Architecture for Multimaster Replication

Typical Oracle Database Advanced Replication configurations use asynchronous data propagation—that is, suppliers write their changes to change logs, and then regularly send batched changes to other consumers. Consumers receive the change log data, then reproduce the changes locally.

When you configure replication, you specify which nodes in a replication group share changes. Regardless of the number of nodes you introduce into the replication environment, the basic architecture for replication remains the same. Local changes are distributed to a remote master site (RMS), where the replication server, acting as a client, sends commands to the directory server that implements them.

The rest of this section discusses, in general terms, the replication process, both from the standpoint of the supplier, and from that of the consumer.

24.9.2.1 The Multimaster Replication Process on the Supplier Side

Figure 24-10 and its accompanying text explain what happens on the supplier side during the multimaster replication process.

Figure 24-10 The Multimaster Replication Process on the Supplier Side

This illustration is described in the text.
  1. An LDAP client issues a directory modification.

  2. The Oracle directory server generates a change log object in the change log object store.

  3. At a scheduled time, the Oracle directory replication server launches an outbound change log processing thread. This thread translates the change log object into a row—for example, Change entry—in the change log table.

  4. When a change entry is committed to the change log table, Advanced Replication immediately copies the change into the deferred transaction queue.

  5. After a scheduled interval, Advanced Replication pushes pending transactions from the deferred transaction queue across the network to the consumer change log table.


    Note:

    All changes made to Oracle Application Server Single Sign-On tables by the single sign-on administrator application are also replicated by Advanced Replication.

24.9.2.2 The Multimaster Replication Process on the Consumer Side

Figure 24-11 and its accompanying text explain the multimaster replication process on the consumer side.

Figure 24-11 The Multimaster Replication Process on the Consumer Side

This illustration is described in the text.
  1. A change arrives in the consumer change log table from the supplier.

  2. The Oracle directory replication server launches a change log processing thread for each supplier, based on a scheduled replication cycle. This thread first consults the change status table for the last change applied from the supplier to the consumer.

  3. The Oracle directory replication server then fetches and applies all the new changes from the change log table to the Oracle directory server.

  4. The Oracle directory replication server then updates the change status table to record the last change applied from the supplier before exiting.

  5. Advanced Replication copies the change status update into the deferred transaction queue.

  6. After the scheduled Advanced Replication interval, Oracle Database Advanced Replication pushes pending change status updates from the deferred transaction queue to the supplier change status table.

Although in the previous figures the roles of supplier and consumer have been separated, in an actual multimaster replication environment, each directory server is both a supplier and a consumer. In such an environment, purging occurs regularly, removing entries that are already applied and those that are dropped as candidate changes. Remote change records in the local change log table are purged by the garbage collection thread if they have been applied locally. Local change records in the local change log table are purged by the garbage collection thread if they have been distributed to all the consumers.


See Also:

"Managing Replication" for information on configuring replication

24.9.3 Conflict Resolution in Multimaster Replication

Multimaster replication enables updates to multiple directory servers. Conflicts occur whenever the directory replication server attempts to apply remote changes from a supplier to a consumer and, for some reason, fails.

There are times when the replication process may not be able to apply a change. For example, suppose that Supplier Node A sends the consumer a change, and, immediately after that, Supplier Node B sends the consumer an update to the same entry. Then, suppose that a problem delays the transmission of the entry from Supplier Node A, but that no such problem delays transmission of the update from Supplier Node B. The result can be that the update from Supplier Node B arrives at the consumer ahead of the entry it is modifying. In this case, the replication server makes a specified number of retries to apply the change. If it fails to apply the change once that number is reached, then it moves the change to the human intervention queue, and attempts to apply the change at regular, less frequent intervals that you specify.

LDAP operations that can lead to conflicts include:

  • Addition

  • Deletion

  • Modification

  • Modification of either an RDN or a DN

24.9.3.1 Levels at Which Replication Conflicts Occur

There are two types of conflicts:

  • Entry-level conflicts

  • Attribute-level conflicts

Table 24-5 Types of Replication Conflict

Level of Replication Conflict Description

Entry-level conflicts

Caused when the directory replication server attempts to apply a change to the consumer. One of the following types of changes to the consumer could occur:

  • Adding an entry that already exists

  • Deleting an entry that does not exist

  • Modifying an entry that does not exist

  • Applying a modifyrdn operation when the DN does not exist

These conflicts can be difficult to resolve. For instance, it may be impossible to resolve a conflict because:

  • The entry has been moved to a different location

  • The entry has not yet arrived from a supplier

  • The entry has been deleted

  • The entry never existed on the consumer

If an entry exists and it should not, then it may be because it was added earlier, or that it recently underwent a modifydn operation.

Attribute-level conflicts

Caused when two directories are updating the same attribute with different values at different times. If the attribute is single-valued, then the replication process resolves the conflict by examining the timestamps of the changes involved in the conflict.


24.9.3.2 Typical Causes of Conflicts

Conflicts usually stem from differences in the timing of changes arising from the occasional slowness or transmission failure over wide area networks. Also, an earlier inconsistency might continue to cause conflicts if it is not resolved in a timely manner.

24.9.3.3 Automated Resolution of Conflicts

The directory replication server attempts to resolve all conflicts that it encounters by following this process:

  1. The conflict is detected when a change is applied.

  2. The replication process attempts to reapply the change a specific number of times or repetitively for a specific amount of time after a specific waiting period.

  3. If the replication process reaches the retry limit without successfully applying the change, it flags the change as a conflict, which it then tries to resolve. If the conflict cannot be resolved according to the resolution rules (described in the next section), the change is moved to a low-priority, human intervention queue. Changes are then applied according to the time unit specified in the orclHIQSchedule parameter in the replication agreement. Before it moves the change, the directory replication server writes the conflict into a log file for the system administrator.


    Note:

    There is no conflict resolution of schema, catalog, and group entries during replication. This is because attempting resolution of such large multivalued attributes would have a significant negative impact on performance. Be careful to avoid updating such entries from more than one master at a time.


    See Also:


24.10 Fan-Out and Partial Replication

This section gives a more detailed look at fan-out and partial replication.

In fan-out replication, a consumer replicates data directly from a supplier. That consumer can then be a supplier to one or more other consumers.

Figure 24-12 and its accompanying text explain the fan-out replication process.

Figure 24-12 The Fan-Out Replication Process

This illustration is described in the text.

As Figure 24-12 shows:

  1. An LDAP client issues a directory modification request to the directory on the supplier node.

  2. The Oracle directory server on the supplier node performs the required modification in the directory store and simultaneously updates the change log store.

  3. The directory replication server on the consumer node retrieves changes from the directory server on the supplier node and applies them to the directory server on the consumer.

  4. At the same time, the directory server on the consumer does the following:

    • It makes the required modification, replicating the change in its directory store

    • If the orcldiprepository attribute of its root DSE is TRUE it generates a shadow change log object in its change log store. This attribute is set to TRUE if the objects in this change log store are to be propagated to other fan-out consumers. It is also set to TRUE if the objects are to be propagated to other third party applications by the Oracle Directory Integration Platform server.

    • It updates the value of the orcllastappliedchangenumber attribute in the replication agreement entry to correspond to the number of the last change from the supplier node that it has applied


      See Also:

      "Change Logs in Directory Replication" for more information about the orcllastappliedchangenumber attribute

24.11 Rules for Oracle Database Advanced Replication Filtering

The following naming contexts cannot be replicated:

The following naming contexts cannot be excluded from replication:

24.12 Rules for Partial Replication Filtering

This section describes rules and best practices to follow when specifying naming contexts in partial replication. The discussion in this section relies on the sample naming context illustrated in Figure 24-13. A partial list of user attributes is shown under cn=user1, cn=user2, and cn=user1000.

Figure 24-13 A Sample Naming Context

This illustration is described in the text.

See Also:

"Replication Schema Elements" in Oracle Identity Management User Reference for descriptions of the attributes in the replication naming context entry

When two or more naming context objects are configured for replication, the filtering rules are as follows:

  1. The overall included naming context is the union of all included naming contexts defined in each naming context object.

  2. The overall excluded naming contexts is the union of all excluded naming contexts defined in each naming context object.

  3. The attribute exclusions in a naming context object are specific only to that naming context object.

  4. If there is a conflict between an included naming context and an excluded naming context, the excluded naming context overrules the included naming context. For example, if an included naming context in naming context object A is a subtree of an excluded naming context specified in another naming context object, B, the subtrees specified in orclexcludednamingcontexts of naming context object B will not be replicated. That is, replication filtering in naming context object A will be ignored.

The following examples show how these rules work:

Scenario A: The Included Naming Context in One Naming Context Object Is a Subtree of the Included Naming Context in Another Naming Context Object

In this scenario, the included naming context in naming context object #2 is a subtree of the included naming context in object #1.

Naming Context Object #1

dn:cn=namectx001,
 cn=replication namecontext,
 orclagreementid=unique_identifier_of_the_replication_agreement,
 orclreplicaid=unique_identifier_of_the_supplier,
 cn=replication configuration
orclincludednamingcontexts: cn=mycompany

Naming context object #1 includes the entire DIT under cn=myCompany, as shown in Figure 24-14.

Figure 24-14 Naming Context Object #1

The entire DIT is included.

Naming Context Object #2

dn:cn=namectx002,
 cn=replication namecontext,
 orclagreementid=unique_identifier_of_the_replication_agreement,
 orclreplicaid=unique_identifier_of_the_supplier,
 cn=replication configuration
orclincludednamingcontexts: cn=hr,c=us,cn=mycompany
orclexcludednamingcontexts: cn=user1,cn=hr,c=us,cn=mycompany
orclexcludedattributes: userPassword

Naming context object #2 includes the DIT under cn=hr,c=us,cn=mycompany, but excludes cn=user1 and the attribute userPassword, as shown in Figure 24-15.

Figure 24-15 Naming Context Object #2

This illustration is described in the text.

The result of combining naming context objects #1 and #2 is shown in Figure 24-16.

Figure 24-16 Result of Combining Naming Context Objects #1 and #2

This illustration is described in the text.

In this scenario, the naming context that is replicated is the highest one specified in the orclincludednamingcontexts attribute. Any excluded naming contexts are not replicated. All changes under the subtree cn=mycompany are replicated, except for cn=user1,cn=hr,c=us,cn=mycompany and the attribute userPassword under cn=hr,c=us,cn=mycompany, which are excluded. The attribute userPassword under the rest of the DIT, however, is not excluded from replication because exclusion of userPassword was specified only for naming context object #2, which only included the DIT under cn=hr.

Scenario B: The Included Naming Context in One Naming Context Object Is a Subtree of An Excluded Naming Context in Another Naming Context Object

In this scenario, the excluded naming context in naming context object #4 is a subtree of the excluded naming context defined in naming context object #3.

Naming Context Object #3

dn:cn=namectx001,cn=replication namecontext,
 orclagreementid=identifier,orclreplicaid=supplier,cn=replication configuration
orclincludednamingcontexts: cn=mycompany
orclexcludednamingcontexts: cn=us,cn=mycompany

Naming context object #3 excludes everything under c=us,cn=mycompany, as shown in Figure 24-17

Figure 24-17 Naming Context Object #3

Everything under cn=us is excluded

Naming Context Object #4

dn:cn=namectx002,cn=replication     
 namecontext,orclagreementid=identifier,orclreplicaid=supplier,
 cn=replication configuration
orclincludednamingcontexts: cn=hr, c=us,cn=mycompany
orclexcludednamingcontexts: cn=user1,cn=hr,c=us,cn=mycompany
orclexcludedattributes: userPassword

Naming context object #4 includes the DIT under cn=hr,c=us,cn=mycompany but excludes user1, as well as the userPassword attribute for all users, as shown in Figure 24-18

Figure 24-18 Naming Context Object #4

This illustration is described in the text.

The result of combining naming context objects #3 and #4 is shown in Figure 24-19.

Figure 24-19 Result of Combining Naming Context Objects #3 and #4

Result of Combining Naming Context Objects #3 and #4

In this scenario, the included naming context specified in naming context object #4 is not replicated. That naming context is a subtree of a specified excluded naming context in naming context object #3. In this case, naming context object #4 is ignored, and no changes under cn=hr,c=us,cn=mycompany are replicated.

24.12.1 Rules for Managing Naming Contexts and Attributes

The following naming contexts cannot be replicated:

  • DSE root-specific entry

  • orclagreementid=000001,cn=replication configuration

  • cn=subconfigsubentry

  • cn=Oracle Internet Directory

  • cn=subregistrysubentry

The following naming contexts cannot be excluded from replication:

  • cn=catalogs

  • cn=subschemasubentry

  • cn=oracleschemaversion

  • cn=replication configuration

The following attributes cannot be excluded from replication whether they are mandatory or optional. Even if you specify attributes in this list for exclusion from replication, they will always be replicated.

  • orclguid

  • creatorsname

  • createtimestamp

  • cn

  • dn

  • attributetypes

  • objectclasses

  • objectclass

  • orclindexedattribute

  • orclproductversion

You cannot exclude mandatory attributes from replication. For example, suppose that you have an object class named my_object_class, which includes the following attributes: mandatory_attribute_1, optional_attribute_1, and optional_attribute_2. In this case, you cannot exclude from replication mandatory_attribute_1.

If you attempt to exclude from replication an attribute that is required for the LDAP operation to be executed, replication will not occur.

If you are configuring partial replication from specific naming contexts in an Oracle Internet Directory node to fan-out replication nodes, then do not change the names of these naming context entries in the source node.

Partial replication will not replicate changes to the root entry of a naming context made by using ldapmoddn.

24.12.2 Optimization of Partial Replication Naming Context for Better Performance

You must plan partial replication carefully to avoid degrading the performance of the replication process. For best performance, use as few naming context objects as possible. For example, the combined use of naming context objects #5 and #6 fulfills the same requirement as the use of naming context object #7, but using naming context object #7 provides better performance.

This section contains these examples:

Naming Context Object #5

cn=namectx001,cn=replication namecontext,orclagreementid=identifier,orclreplicaid=supplier,cn=replication configuration
orclincludednamingcontexts: cn=mycompany
orclexcludednamingcontexts: c=europe,cn=mycompany
orclexcludedattributes: userPassword

Naming context object #5 is shown it Figure 24-20. It includes the DIT under cn=mycompany, but excludes everything under c=europe. It also excludes the attribute userPassword.

Figure 24-20 Naming Context Object #5

This illustration is described in the text.

Naming Context Object #6

cn=namectx002,cn=replication namecontext,orclagreementid=<id>,orclreplicaid=<supplier>,cn=replication configuration
orclincludednamingcontexts: cn=hr, c=us,cn=mycompany
orclexcludednamingcontexts: cn=user1,cn=hr, c=us,cn=mycompany
orclexcludedattributes: userPassword

Naming context object #6 is shown in Figure 24-21. It includes the DIT under cn=hr, c=us, cn=mycompany but excludes user1 and the attribute userPassword.

Figure 24-21 Naming Context Object #6

This illustration is described in the text.

If naming context objects #5 and #6 are combined, then all changes under cn=mycompany are replicated, except for cn=europe,c=mycompany, cn=user1,cn=hr,c=us,cn=mycompany, and the attribute userPassword.

You could fulfill the same requirement, however, by using naming context object #7. Using a single naming context object provides better partial replication performance.

Naming Context Object #7

cn=namectx001,cn=replication namecontext,orclagreementid=identifier,orclreplicaid=supplier,cn=replication configuration
orclincludednamingcontexts: cn=mycompany
orclexcludednamingcontexts: c=europe,cn=mycompany
orclexcludednamingcontexts: cn=user1,cn=hr, c=us,cn=mycompany
orclexcludedattributes: userPassword

Naming context object #7 is shown in Figure 24-22.

Figure 24-22 Naming Context Object #7

Naming Context Object #7