< draft-ietf-ldup-infomod-07.txt   draft-ietf-ldup-infomod-08.txt >
Internet Draft Richard Huber Internet Draft Richard Huber
Document: draft-ietf-ldup-infomod-07.txt AT&T Laboratories Document: draft-ietf-ldup-infomod-08.txt AT&T Laboratories
Expires: December 2003 John McMeeking Expires: April 30 2004 John McMeeking
IBM Intended Category: Experimental IBM
Ryan Moats Ryan Moats
Lemur Networks Lemur Networks
June 2003 October 2003
LDUP Replication Information Model LDUP Replication Information Model
draft-ietf-ldup-infomod-07.txt draft-ietf-ldup-infomod-08.txt
1. Status of this Memo 1. Status of this Memo
This document is an Internet-Draft and is in full conformance This document is an Internet-Draft and is in full conformance
with all provisions of Section 10 of RFC2026. with all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
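Review bot: the new header line "Expires: April 30 2004" on the -08 side is not carried into the Status of this Memo text. The body sentence shown right after the skip still reads "This Internet-Draft expires March, 2002." in both revisions. Update that sentence to match the header, or remove it so the expiry is stated in one place only.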
skipping to change at line 44 skipping to change at page 1, line 45
This Internet-Draft expires March, 2002. This Internet-Draft expires March, 2002.
2. Abstract 2. Abstract
[LDUP Model] describes the architectural approach to replication of [LDUP Model] describes the architectural approach to replication of
LDAP directory contents. This document describes the information LDAP directory contents. This document describes the information
model and schema elements which support LDAP Replication Services model and schema elements which support LDAP Replication Services
which conform to [LDUP Model]. which conform to [LDUP Model].
Directory schema is extended to provide object classes, subentries, Directory schema are extended to provide object classes,
and attributes to describe areas of the namespace which are under subentries, and attributes to describe areas of the namespace which
common administrative authority, units of replication (i.e., are under common administrative authority, units of replication
subtrees, or partitions of the namespace, which are replicated), (i.e., subtrees, or partitions of the namespace, which are
servers which hold replicas of various types for the various replicated), servers which hold replicas of various types for the
partitions of the namespace, which namespaces are held on given various partitions of the namespace, which namespaces are held on
servers, and the progress of various namespace management and given servers, and the progress of various namespace management and
replication operations. Among other things, this knowledge of replication operations. Among other things, this knowledge of
LDUP Information Model
where directory content is located will provide the basis for where directory content is located will provide the basis for
dynamic generation of LDAP referrals for clients who can follow dynamic generation of LDAP referrals for clients who can follow
them. them.
The controlling framework by which the relationships, types, and The controlling framework by which the relationships, types, and
health of replicas of the directory content will be defined so health of replicas of the directory content will be defined so
that, as much as possible, directory content is itself used to that, as much as possible, directory content is itself used to
monitor and control the environment. monitor and control the environment.
Security information, including access control policy identifiers Security information, including access control policy identifiers
and information will be treated as directory content by the and information will be treated as directory content by the
replication protocols when specified by the LDAPEXT group. replication protocols when specified by the LDAPEXT group. Note
that [RFC2820] specifies that access control information must be
stored as LDAP attributes. Access control information will be
replicated properly under any access control scheme that satisfies
this requirement.
The information model will describe required and optional house- The information model will describe required and optional house-
keeping duties for compliant systems to implement, such as garbage keeping duties for compliant systems to implement, such as garbage
collection of deleted objects, reconciliation of moved and renamed collection of deleted objects, reconciliation of moved and renamed
objects, update sequencing and transaction bracketing of changes, objects, update sequencing and transaction bracketing of changes,
etc. etc.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
this document are to be interpreted as described in RFC 2119 this document are to be interpreted as described in RFC 2119
[RFC2119]. The sections below reiterate these definitions and [RFC2119]. The sections below reiterate these definitions and
include some additional ones. include some additional ones.
3. Table of Contents LDUP Information Model
1. Status of this Memo ...........................................1
2. Abstract ......................................................1
3. Table of Contents .............................................3
4. Recent document changes .......................................5
5. Introduction ..................................................7
5.1. Scope ......................................................7
5.2. Terms and Definitions ......................................7
6. Data design ...................................................7
7. Directory Knowledge ...........................................7
8. Schema ........................................................8
8.1. Data Structure Definitions .................................8
8.1.1. LdapChangeSequenceNumber .................................9
8.2. Attribute Definitions .....................................10
8.2.1. supportedReplicationProtocols ...........................10
8.2.2. replicaSubentries .......................................10
8.2.3. attributeExclusionFilter ................................11
8.2.4. attributeInclusionFilter ................................11
8.2.5. replicaURI ..............................................12
8.2.6. replicationStatus .......................................12
8.2.7. replicaType .............................................13
8.2.8. updateVector ............................................14
8.2.9. replicaSecondaryURI .....................................14
8.2.10. lostAndFoundEntryDN .....................................15
8.2.11. replicaOnline ...........................................15
8.2.12. replicaDN ...............................................15
8.2.13. replicationMechanismOID .................................15
8.2.14. replicationCredentialsDN ................................16
8.2.15. replicationScheduleDN ...................................16
8.2.16. updateVectorTrigger .....................................16
8.2.17. secondsToWaitDefault ....................................17
8.2.18. secondsToWait1 ..........................................17
8.2.19. attrReplicationGroup1 ...................................18
8.2.20. secondsToWait2 ..........................................18
8.2.21. attrReplicationGroup2 ...................................18
8.2.22. scheduleTimePeriod ......................................19
8.2.23. scheduleMonthOfYearMask .................................19
8.2.24. scheduleDayOfMonthMask ..................................19
8.2.25. scheduleDayOfWeekMask ...................................20
8.2.26. scheduleTimeOfDayMask ...................................20
8.2.27. scheduleLocalOrUtcTime ..................................20
8.3. Class Definitions .........................................20
8.3.1. ReplicationContext ......................................20
8.3.2. replicaSubentry .........................................21
8.3.3. replicaAgreement ........................................22
8.3.4. replicaEventSchedule ....................................23
8.3.5. replicaTimeSchedule .....................................24
9. Semantics of the information model ...........................25
10. Object Identifier Assignments ..............................29
11. Security Considerations ....................................30
12. Copyright Notice ...........................................31
13. Acknowledgements ...........................................32
14. Authors' Addresses .........................................32
4. Recent document changes
Changes in this version
- Explicitly change replicaAgreement to not be a subentry.
- Explicitly allow multiple replicaSubentries per replicaContext
- Added replicaDN to examples.
Changes made to previous versions 3. Table of Contents
- Fixed OID values to have correct prefix: 1. Status of this Memo...........................................1
2.16.840.1.113719.1.142 2. Abstract......................................................1
- Fixed formatting to avoid strange single quote characters in 3. Table of Contents.............................................3
text formatted file 4. Introduction..................................................5
- Changed name of attrs1 and attrs2 to attrReplicationGroup1 and 4.1. Scope......................................................5
attrReplicationGroup2 4.2. Terms and Definitions......................................5
- Made obsolete timeScheduledSubentry and eventScheduledSubentry 5. Data design...................................................5
- Re-based replicaSubEntry and other object classes on subentry 6. Directory Knowledge...........................................5
schema from draft-zeilenga-ldap-subentry-00.txt 7. Schema........................................................6
- Clarified that root DSE attribute replicaSubentries should be 7.1. Data Structure Definitions.................................6
automatically updated on both add and delete of these entries 7.1.1. LdapChangeSequenceNumber.................................7
- Made obsolete replicaSubEntry and replicaAgreementSubentry 7.2. Attribute Definitions......................................8
object classes 7.2.1. supportedReplicationProtocols............................8
- Defined replacement object classes replicaSubEntry2 and 7.2.2. attributeExclusionFilter.................................8
replicaAgreementSubentry2 7.2.3. attributeInclusionFilter.................................9
- Defined replicaEventSchedule and replicaTimeSchedule object 7.2.4. replicaURI...............................................9
classes and associated attributes 7.2.5. replicationStatus.......................................10
- Defined attributes that must appear in the server's root DSE 7.2.6. replicaType.............................................10
entry as part of the LDUP information model 7.2.7. updateVector............................................11
- Many editorial fixes 7.2.8. replicaSecondaryURI.....................................11
- Clarified the notion that the updateVector is a replicated 7.2.9. lostAndFoundEntryDN.....................................12
attribute and thus, itself, has CSN information for its 7.2.10. replicaOnline...........................................12
attribute values 7.2.11. replicaDN...............................................12
- Introduced the notion that replicaAgreementSubentry entries 7.2.12. replicationMechanismOID.................................12
represent constraints to what is, by default, "immediate" 7.2.13. replicationCredentialsDN................................13
replication session initiation 7.2.14. replicationScheduleDN...................................13
- LDAP Schedule Subentry definition is defined. 7.2.15. updateVectorTrigger.....................................13
- LDAP Access Point removed in favor of just using the DN of the 7.2.16. secondsToWaitDefault....................................14
server holding the replica (so a new syntax isn't required). 7.2.17. secondsToWait1..........................................14
- LDAP Change Sequence Number syntax eliminated in favor of just 7.2.18. attrReplicationGroup1...................................15
calling it a CaseIgnoreString, so new comparison rules aren't 7.2.19. secondsToWait2..........................................15
required. 7.2.20. attrReplicationGroup2...................................16
- Deleted ldapSearchFilter definition from here. Sparse 7.2.21. scheduleTimePeriod......................................16
replicas is deferred. Might sparse be supported for single- 7.2.22. scheduleMonthOfYearMask.................................16
master configurations (read-only, of course). 7.2.23. scheduleDayOfMonthMask..................................16
- Fractional are okay in multi-master configurations, but again, 7.2.24. scheduleDayOfWeekMask...................................17
only on read-only replicas. 7.2.25. scheduleTimeOfDayMask...................................17
- Changed the naming convention upper-lower case usage to look 7.2.26. scheduleLocalOrUtcTime..................................17
less weird. 7.3. Class Definitions.........................................17
- Consistency discussion 7.3.1. ReplicationContext......................................17
- Schema document must clearly indicate that clients can and 7.3.2. replicaSubentry.........................................18
should inspect the replica subentries to understand the 7.3.3. replicaAgreement........................................19
single-master/multi-master nature of the naming context to 7.3.4. replicaEventSchedule....................................20
which they're talking. 7.3.5. replicaTimeSchedule.....................................22
- The paradigm change, to distributed data, needs to be LDUP Information Model
exhaustively discussed in the profile documents. How old
applications which assume single-master behave or misbehave in
a multi-master environment is critical to make clear. Draw
examples from SMP pre-emptive programming practices, from DNS
vs. host file models, etc.
-
To do: 8. Semantics of the information model...........................22
9. Object Identifier Assignments................................25
10. Security Considerations....................................27
11. Copyright Notice...........................................28
12. Acknowledgements...........................................29
13. Authors' Addresses.........................................29
LDUP Information Model
- verify LDUP OID number(s) with Novell 4. Introduction
- verify all OIDs assigned
- verify all OIDs documented at the end of the document
5. Introduction
5.1. Scope 4.1. Scope
This document describes schema for information used to control This document describes schema for information used to control
replication. replication.
Management and status schema elements are defined. Management and status schema elements are defined.
Semantic interpretation of schema elements, including any special Semantic interpretation of schema elements, including any special
handling expectations are to be provided here. handling expectations, are provided here.
5.2. Terms and Definitions 4.2. Terms and Definitions
Definitions are provided in [LDUP Requirements]. Definitions are provided in [RFC3384].
6. Data design 5. Data design
As described in [LDUP Model], knowledge of replicated portions of As described in [LDUP Model], knowledge of replicated portions of
the directory information tree (DIT) is stored in the directory the directory information tree (DIT) is stored in the directory
itself. itself.
An auxiliary class is defined to designate containers, or nodes, in An auxiliary class is defined to designate containers, or nodes, in
the DIT which are the root-most, or base, of replication contexts. the DIT which are the root-most, or base, of replication contexts.
Directory subentries [LDAP Subentry] are used to hold information Directory subentries [LDAP Subentry] are used to hold information
about replicas and replica agreements. about replicas.
In defining the replication agreement data model, describing the In defining the replication agreement data model, describing the
constraints under which replication between two replicas will constraints under which replication between two replicas will
occur, this document describes only the least set of information occur, this document describes only the least set of information
necessary to ensure interoperability between implementations. The necessary to ensure interoperability between implementations. The
current document defines data elements sufficient to describe most current document defines data elements sufficient to describe most
common replication needs. The specification of complex replication common replication needs. The specification of complex replication
agreements and constraints is better served by usage of the agreements and constraints is better served by usage of the
emerging "policy model" [Policy schema]. emerging "policy model" [Policy schema].
7. Directory Knowledge 6. Directory Knowledge
Information about what replicas exist, what they contain, their Information about what replicas exist, what they contain, their
types, where they are stored, and how they may be contacted types, where they are stored, and how they may be contacted
inevitably provides the basis for distributed directory knowledge. inevitably provides the basis for distributed directory knowledge.
As namespaces from stand-alone servers are inter-connected with one As namespaces from stand-alone servers are inter-connected with one
another, this replica information can and will be used by name another, this replica information can and will be used by name
resolution operations to locate servers holding copies of specific resolution operations to locate servers holding copies of specific
objects, and to optimize distributed searches which span multiple objects, and to optimize distributed searches which span multiple
Naming Contexts. Naming Contexts.
However, the focus of this document is NOT to fully enable such However, the focus of this document is NOT to fully enable such
distributed directory uses. Instead, we are focused on how distributed directory uses. Instead, we are focused on how
portions of the namespace (Directory Information Tree - DIT) may be portions of the namespace (Directory Information Tree - DIT) may be
replicated, and how those replicas are configured and related to replicated, and how those replicas are configured and related to
one another via Replication Agreements. one another via Replication Agreements.
As such, the following high level description (from [LDUP Model]) LDUP Information Model
of the information model envisioned is provided as reference for
As such, the following high-level description (from [LDUP Model])
of the information model envisioned is provided as a reference for
the reader before presenting the detailed specifications. the reader before presenting the detailed specifications.
Generally, the DSE Naming Context attribute of an LDAPv3 server Generally, the DSE Naming Context attribute of an LDAPv3 server
names the Naming Contexts for which there are replicas on that names the Naming Contexts for which there are replicas on that
server. server.
The Replication Context Auxiliary Class (replicationContext) is The Replication Context Auxiliary Class (replicationContext) is
added to container objects which may have separately defined added to container objects which may have separately defined
replication policy. replication policy.
Immediately subordinate to a Replication Context object are the Immediately subordinate to a Replication Context object are the
Replica Subentry containers which identify where the identified Replica Subentry containers which identify where the identified
replica resides (i.e., its LDAP Access Point), its type (Primary, replica resides (i.e., its LDAP Access Point), its type
Updateable, ReadOnly), if it is sparse, the LDAP search filter (Updateable, ReadOnly), if it is sparse, the LDAP search filter
which defines what object classes it holds, and if it is which defines what object classes it holds, and if it is
fractional, the attributes it does or does not hold. fractional, the attributes it does or does not hold.
Immediately subordinate in the namespace to a Replica Subentry are Immediately subordinate in the namespace to a Replica Subentry are
Replication Agreement leaf entries which each identify another Replication Agreement leaf entries which each identify another
Replica, the scheduling policy for replication operations Replica, the scheduling policy for replication operations
(including times when replication is to be performed, when it is (including times when replication is to be performed, when it is
not to be performed, or the policies governing event-driven not to be performed, or the policies governing event-driven
replication initiation). These Replication Agreements are used to replication initiation). These Replication Agreements are used to
specify constraints on when the replica will supply what changes to specify constraints on when the replica will supply what changes to
the "pointed to" other replica, as either the replication initiator the "pointed to" other replica, as either the replication initiator
or responder. or responder.
Replication Agreements are not defined to cover the following Replication Agreements are not defined to cover the following
advanced policy characteristics: advanced policy characteristics:
- when a replica would allow consumers to request a replication - when a replica would allow consumers to request a replication
session session
- when a replica would allow suppliers to start a replication - when a replica would allow suppliers to start a replication
session session
- when a replica would request a replication session from a - when a replica would request a replication session from a
supplier. supplier.
These advanced policy specifications imply the specification of These advanced policy specifications imply the specification of
complex replication agreements and constraints. This is better complex replication agreements and constraints. This is better
served by usage of the emerging "policy model" [Policy schema]. served by usage of the emerging "policy model" [Policy schema].
Interoperable policies for replication agreements is left as a Interoperable policies for replication agreements is left as a
follow-on work effort. follow-on work effort.
8. Schema 7. Schema
8.1. Data Structure Definitions 7.1. Data Structure Definitions
For the purposes of defining the encoding rules for attribute For the purposes of defining the encoding rules for attribute
structures, the BNF definitions in section 4.1 of [RFC2252] will be structures, the BNF definitions in section 4.1 of [RFC2252] will be
used. They are based on the BNF styles of [RFC822]. used. They are based on the BNF styles of [RFC822].
LDUP Information Model
To avoid requiring new syntax support to be added unnecessarily to To avoid requiring new syntax support to be added unnecessarily to
existing LDAPv3 directory service implementations (and the existing LDAPv3 directory service implementations (and the
accompanying matching rules, etc. they would entail), a string accompanying matching rules, etc. they would entail), a string
encoding is defined for ldapChangeSequenceNumber which can use encoding is defined for ldapChangeSequenceNumber which can use
CaseIgnoreString matching rules for ordering and equality. CaseIgnoreString matching rules for ordering and equality.
8.1.1. LdapChangeSequenceNumber 7.1.1. LdapChangeSequenceNumber
( 1.3.6.1.4.1.1466.115.121.1.TBD ( 1.3.6.1.4.1.1466.115.121.1.TBD
DESC 'LDAP Change Sequence Number' ) DESC 'LDAP Change Sequence Number' )
Values in this syntax are encoded according to the following BNF. Values in this syntax are encoded according to the following BNF.
Note there MUST NOT be any white space separators, unless they are Note there MUST NOT be any white space separators, unless they are
in replicaID, which must be encoded according to the instructions in replicaID, which must be encoded according to the instructions
below. below.
This encoding is specified so that the CaseIgnoreString equality This encoding is specified so that the CaseIgnoreString equality
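Review bot: the sentence added to the Abstract in -08, "Access control information will be replicated properly under any access control scheme that satisfies this requirement", is stated without condition, while the Directory Knowledge text kept in the same revision still describes fractional replicas by "the attributes it does or does not hold". State what is expected when an access control attribute is among the attributes a replica does not hold, or limit the claim to replicas that hold all attributes. Separately, -08 drops the "To do" items about verifying OIDs, yet the LdapChangeSequenceNumber syntax OID still ends in ".TBD"; keep a tracking note until it is assigned.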
skipping to change at line 365 skipping to change at page 8, line 4
The GeneralizedTime is used as described (cf. [X680] section 39.3 The GeneralizedTime is used as described (cf. [X680] section 39.3
case b) without separators or white space, and representing a case b) without separators or white space, and representing a
coordinated universal time (i.e., Greenwich Mean Time, or GMT). coordinated universal time (i.e., Greenwich Mean Time, or GMT).
All times referenced by this syntax MUST be normalized to GMT - no All times referenced by this syntax MUST be normalized to GMT - no
local times, nor time zone offsets are permitted. To simplify local times, nor time zone offsets are permitted. To simplify
comparisons of two CSNs, the "Z" MUST be the UTF-8 capital-Z comparisons of two CSNs, the "Z" MUST be the UTF-8 capital-Z
character. character.
The ReplicaID represents the specific Replica of this Naming The ReplicaID represents the specific Replica of this Naming
Context where the event associated with this Context where the event associated with this
LDUP Information Model
LDAPChangeSequenceNumber occurred. Note that in actual transfer, LDAPChangeSequenceNumber occurred. Note that in actual transfer,
the replicaID MAY be represented by a number which is associated the replicaID MAY be represented by a number which is associated
with the entryUUID of the replicaSubEntry associated with the with the entryUUID of the replicaSubEntry associated with the
replica (see the specification of the replicaIDTable in [LDUP replica (see the specification of the replicaIDTable in [LDUP
Update Protocol]). When associated with an item of information Update Protocol]). When associated with an item of information
within a replica, the replicaID should be traceable to the within a replica, the replicaID should be traceable to the
entryUUID of the replicaSubEntry associated with the replica on entryUUID of the replicaSubEntry associated with the replica on
which the modification was made. This allows for compressed which the modification was made. This allows for compressed
internal storage of change sequence numbers while still ensuring internal storage of change sequence numbers while still ensuring
that change sequence numbers will be universally unique regardless that change sequence numbers will be universally unique regardless
of the replication context from which they were first produced. of the replication context from which they were first produced.
S1 and S2 are sequence numbers which are used to order two events S1 and S2 are sequence numbers which are used to order two events
with the same Generalized Time and replicaID. In order to use with the same Generalized Time and replicaID. In order to use
string matching rules for equality and ordering with values with string matching rules for equality and ordering with values with
this encoding, the length of each field must be consistent. Thus, this encoding, the length of each field must be consistent. Thus,
all instances of S1 MUST be represented with the same number of all instances of S1 MUST be represented with the same number of
digits, using leading zeros as necessary. The same with S2 and digits, using leading zeros as necessary. The same with S2 and
replicaID. replicaID.
8.2. Attribute Definitions 7.2. Attribute Definitions
8.2.1. supportedReplicationProtocols 7.2.1. supportedReplicationProtocols
( 2.16.840.1.113719.1.142.4.x NAME 'supportedReplicationProtocols' ( 2.16.840.1.113719.1.142.4.x NAME 'supportedReplicationProtocols'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
EQUALITY caseIgnoreMatch EQUALITY caseIgnoreMatch
DESC 'set of OIDs which represent the (set of) protocols DESC 'set of OIDs which represent the (set of) protocols
supported by this server' ) supported by this server' )
This attribute is added to the root DSE entry of servers which This attribute is added to the root DSE entry of servers which
support replication as defined by [LDUP Model]. support replication as defined by [LDUP Model].
{THIS IS NOT TRUE SINCE WE ALLOW MULTIPLE REPLICAS ROOTED AT THE 7.2.2. attributeExclusionFilter
SAME REPLICATION CONTEXT. DO WE JUST REMOVE THIS PARAGRAPH, OR DO
WE REQUIRE THAT THE SERVER CHECK (HOW?) SOME SORT OF _REFERENCE
COUNT_ AND DELETE A GIVEN CONTECT FROM REPLICACONTEXTROOTS ONLY
WHEN ALL REPLICAS WITH THAT ROOT CONTEXT HAVE BEEN REMOVED?
JOHN - RYAN AND RICK CAN'T SEE ANY REASON TO KEEP THIS; IT DOESN'T
SEEM USEFUL SINCE YOU CAN ALWAYS FIND REPLICA ROOTS BY SEARCHING
FOR replicaSubentry AS AN OBJECTCLASS. IS THIS REQUIRED FOR X.500
OR SOMETHING?}
8.2.2. replicaSubentries
( 2.16.840.1.113719.1.142.4.x NAME 'replicaSubentries'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
EQUALITY distinguishedNameMatch
DESC 'names of all replicaSubEntry entries that correspond
to the replicas on this server. This is contrasted
with the replicaContextRoots which notes the replication
contexts, but not the replicaSubEntry sub-entries
for this server within the replication context' )
This attribute in the root DSE entry names the replicaSubentry
entries that correspond to the replicas that are held on "this"
server. This is slightly different than the replicaContextRoots
root DSE entry attribute which lists the replication contexts held
on this server. The replicaSubentries attribute indicates "this"
server's replicaSubentry entry within each replication context.
When replicas are defined on the server, servers MUST add the name
of the replicaSubentry representing "this" server to this root DSE
attribute. When replicas are removed from the server, servers MUST
remove the name from this root DSE attribute if a value exists in
this root DSE attribute. {IS THIS CONSISTENT WITH MRM? THIS SAYS
THAT THE SERVER MUST MANAGE THIS ENTRY. IS THIS REALLY USEFUL??
SHOULD WE DELETE?}
8.2.3. attributeExclusionFilter
( 2.16.840.1.113719.1.142.4.1 NAME 'attributeExclusionFilter' ( 2.16.840.1.113719.1.142.4.1 NAME 'attributeExclusionFilter'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
SINGLE-VALUE SINGLE-VALUE
USAGE dSAOperation ) USAGE dSAOperation )
The attributeExclusionFilter is intended to contain a list of The attributeExclusionFilter is intended to contain a list of
attributes in the form of an AttributeDescriptionList as described attributes in the form of an AttributeDescriptionList as described
in section 4.5.1 Search Request of [RFC2251] with the following in section 4.5.1 Search Request of [RFC2251] with the following
interpretation: an empty attributeExclusionFilter means that no interpretation: an empty attributeExclusionFilter means that no
attributes are excluded; the special values "*" and "1.1" mean that attributes are excluded; the special values "*" and "1.1" mean that
ALL attributes are excluded. ALL attributes are excluded.
A non-empty attributeExclusionFilter attribute on a replica A non-empty attributeExclusionFilter attribute on a replica
subentry describes the attributes NOT PRESENT on entries held by subentry describes the attributes NOT PRESENT on entries held by
that replica. Replicas MUST NOT accept changes for attributes that replica. Replicas MUST NOT accept changes for attributes
LDUP Information Model
they're not permitted to hold, per the attributeInclusionFilter and they're not permitted to hold, per the attributeInclusionFilter and
attributeExclusionFilter attributes on their replica subentry. attributeExclusionFilter attributes on their replica subentry.
A non-empty attributeExclusionFilter attribute on a replication A non-empty attributeExclusionFilter attribute on a replication
agreement subentry describes which additional attributes are to be agreement subentry describes which additional attributes are to be
excluded from the updates to be sent from the supplier replica to excluded from the updates to be sent from the supplier replica to
the consumer replica. the consumer replica.
8.2.4. attributeInclusionFilter 7.2.3. attributeInclusionFilter
( 2.16.840.1.113719.1.142.4.2 NAME 'attributeInclusionFilter' ( 2.16.840.1.113719.1.142.4.2 NAME 'attributeInclusionFilter'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
SINGLE-VALUE SINGLE-VALUE
USAGE dSAOperation ) USAGE dSAOperation )
The attributeInclusionFilter is intended to contain a list of The attributeInclusionFilter is intended to contain a list of
attributes in the form of an AttributeDescriptionList as described attributes in the form of an AttributeDescriptionList as described
in section 4.5.1 Search Request of [RFC2251] with the following in section 4.5.1 Search Request of [RFC2251] with the following
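Review bot: The sentence "Replicas MUST NOT accept changes for attributes they're not permitted to hold" in the attributeExclusionFilter text is carried over unchanged in both columns and still does not say what a replica does when such a change arrives (drop the attribute, reject the update, or end the session) or whether the event is reported. Since this is the rule that keeps excluded attributes off a partial replica, suggest stating the required handling here or pointing to the section that does.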
skipping to change at line 486 skipping to change at page 9, line 40
A non-empty attributeInclusionFilter attribute on a replica A non-empty attributeInclusionFilter attribute on a replica
subentry describes the attributes that may be PRESENT on entries subentry describes the attributes that may be PRESENT on entries
held by that replica. Replicas MUST NOT accept changes for held by that replica. Replicas MUST NOT accept changes for
attributes they're not permitted to hold, per the attributes they're not permitted to hold, per the
attributeInclusionFilter and attributeExclusionFilter attributes on attributeInclusionFilter and attributeExclusionFilter attributes on
their replica subentry. their replica subentry.
It is an error to specify both an attributeExclusionFilter and an It is an error to specify both an attributeExclusionFilter and an
attributInclusionFilter in the same replicaSubentry. attributInclusionFilter in the same replicaSubentry.
8.2.5. replicaURI 7.2.4. replicaURI
( 2.16.840.1.113719.1.142.4.x NAME 'replicaURI' ( 2.16.840.1.113719.1.142.4.x NAME 'replicaURI'
DESC 'LDAP URLs which indicate how to connect to this replica' DESC 'LDAP URLs which indicate how to connect to this replica'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
EQUALITY caseExactMatch EQUALITY caseExactMatch
USAGE dSAOperation ) USAGE dSAOperation )
The replicaURI attribute is a multi-valued attribute used to list The replicaURI attribute is a multi-valued attribute used to list
the set of LDAP URLs that should be used to contact the replica for the set of LDAP URLs that should be used to contact the replica for
replication sessions. If all URLs in the replicaURL attribute are replication sessions. If all URLs in the replicaURL attribute are
not contactable, the replicaSecondaryURL attribute values should be not contactable, the replicaSecondaryURL attribute values should be
used to establish a replication session with the replica. used to establish a replication session with the replica.
The replicaURI MUST be an LDAP URL as specified in RFC 2255. The The replicaURI MUST be an LDAP URL as specified in RFC 2255. The
replicaURI SHOULD specify only the host name (or IP address) of the replicaURI SHOULD specify only the host name (or IP address) of the
destination replica and possibly a port number. Filters, base DN, destination replica and possibly a port number. Filters, base DN,
and other LDAP URL components MUST be ignored if they are supplied. and other LDAP URL components MUST be ignored if they are supplied.
8.2.6. replicationStatus LDUP Information Model
7.2.5. replicationStatus
(2.16.840.1.113719.1.142.4.3 NAME 'replicationStatus' (2.16.840.1.113719.1.142.4.3 NAME 'replicationStatus'
DESC 'human readable status of last replication attempt' DESC 'human readable status of last replication attempt'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE SINGLE-VALUE
NO-USER-MODIFICATION NO-USER-MODIFICATION
USAGE dSAOperation ) USAGE dSAOperation )
The replicationStatus attribute MAY be used to hold a human The replicationStatus attribute MAY be used to hold a human
readable message describing the most recent replication session readable message describing the most recent replication session
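Review bot: The replicaURI description refers to "the replicaURL attribute" and "the replicaSecondaryURL attribute", but the schema lines in this diff name the attributes replicaURI and replicaSecondaryURI; suggest using those names so the fallback rule points at attributes that are actually defined. In the same hunk, "It is an error to specify both an attributeExclusionFilter and an attributInclusionFilter" misspells attributeInclusionFilter in both columns and does not say how a server reports or handles that error.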
skipping to change at line 525 skipping to change at page 10, line 27
readable message describing the most recent replication session readable message describing the most recent replication session
attempt for a replication agreement. attempt for a replication agreement.
For example, such a messages might include For example, such a messages might include
1) 9980805162203Z # Success # 1) 9980805162203Z # Success #
2) 19980805162322Z # Failure # Server too busy, try again 2) 19980805162322Z # Failure # Server too busy, try again
3) 19980805170215Z # Failure # Unable to connect to DSA 3) 19980805170215Z # Failure # Unable to connect to DSA
4) 19980806002301Z # Failure # Authentication failed 4) 19980806002301Z # Failure # Authentication failed
5) 19980806003201Z # Failure # lost connection, reset by peer 5) 19980806003201Z # Failure # lost connection, reset by peer
It is suggested, but not required, that the time of a replication It is suggested, but not required, that the time of a replication
attempt (completion, if successful or failure, if not), the result attempt (completion, if successful or failure, if not), the result
of the attempt, and any additional information about a failure be of the attempt, and any additional information about a failure be
included in the string message. included in the string message.
It is suggested, but not required, that the messages be stored with It is suggested, but not required, that the messages be stored with
language tags (English, French, German, Japanese, Chinese, per language tags (English, French, German, Japanese, Chinese, per
[RFC2596]) particularly if multiple translations of the error [RFC2596]) particularly if multiple translations of the error
messages are available to the DSA implementers. messages are available to the DSA implementers.
Sequences of status entries SHOULD be written to log files or other Sequences of status entries SHOULD be written to log files or other
persistent storage, or in multi-valued replication history persistent storage, or in multi-valued replication history
attributes, but are not specified here. attributes, but are not specified here.
8.2.7. replicaType 7.2.6. replicaType
(2.16.840.1.113719.1.142.4.4 NAME 'replicaType' (2.16.840.1.113719.1.142.4.4 NAME 'replicaType'
DESC 'Enum: 0-reserved, 1-Primary, 2-Updateable, DESC 'Enum: 0-reserved, 1-reserved, 2-Updateable,
3-ReadOnly, all others reserved' 3-ReadOnly, all others reserved'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
EQUALITY integerMatch EQUALITY integerMatch
SINGLE-VALUE SINGLE-VALUE
NO-USER-MODIFICATION
USAGE dSAOperation ) USAGE dSAOperation )
ReplicaType is a simple enumeration, used to identify what kind of ReplicaType is a simple enumeration, used to identify what kind of
replica is being described in a Replica object entry. replica is being described in a Replica object entry.
LDUP Information Model
A ReadOnly replica only accepts LDAP Search operations (to Read A ReadOnly replica only accepts LDAP Search operations (to Read
entries, list containers, and search for entries). Because no entries, list containers, and search for entries). Because no
updates ever originate from ReadOnly replicas, they never have updates ever originate from ReadOnly replicas, they never have
changes to send to another replica. However, a ReadOnly replica changes to send to another replica. However, a ReadOnly replica
may be designated a supplier DSA in a replica agreement, if it is may be designated a supplier DSA in a replica agreement, if it is
simply passing along information it receives from Updateable simply passing along information it receives from Updateable
replicas about entries and their changes. replicas about entries and their changes.
ReadOnly replicas may be partial replicas. ReadOnly replicas may be partial replicas.
An Updateable replica may accept both LDAP Search operations (to An Updateable replica may accept both LDAP Search operations (to
read, list, or search entries), as well as modification operations read, list, or search entries), as well as modification operations
(to add, modify, or delete entries). (to add, modify, or delete entries).
The consequences of having partial updateable replicas are not The consequences of having partial updateable replicas are not
fully understood. LDAP DSAs MAY require updateable replicas to be fully understood. LDAP DSAs MAY require updateable replicas to be
complete replicas. complete replicas.
A Primary replica is an Updateable replica, but it is "more
special" than other Updateable replicas. When LDAP application
want to direct their operations to a single replica, so that the
application can be sure that all application LDAP modification
(add, delete, modify) operations will be immediately visible to
application readers, the Primary replica is a good choice. Such a
use would be consistent with High Confidence DAP option [X518].
One such application might be a management application which
creates new naming contexts or joins two naming contexts into a
single naming context. Another application might be one which
creates new replicas, or replication agreements.
There SHOULD be only one Primary replica defined for a naming
context at any time. If applications, expecting there to be a
Primary replica discover, by search or inspection of ReplicaType
attributes of the defined Replicas of a naming context, find more
than one _ they should realize that something is wrong.
There MAY be NO primary replica defined for a naming context.
Primary replicas MAY NOT be partial replicas.
The way in which replicas change their type, as from ReadOnly to The way in which replicas change their type, as from ReadOnly to
Updateable, or Updateable to Primary is outside the scope of this Updateable, is discussed in [LDUP MRM].
document.
Section 5.1 "Replica Type" of [LDUP MODEL] details the permissible Section 5.1 "Replica Type" of [LDUP MODEL] details the permissible
combinations of replica types and sparse/fractional replicas. combinations of replica types and sparse/fractional replicas.
8.2.8. updateVector 7.2.7. updateVector
( 2.16.840.1.113719.1.142.4.6 NAME 'updateVector' ( 2.16.840.1.113719.1.142.4.6 NAME 'updateVector'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.TBD SYNTAX 1.3.6.1.4.1.1466.115.121.1.TBD
EQUALITY caseIgnoreMatch EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch ORDERING caseIgnoreOrderingMatch
NO-USER-MODIFICATION NO-USER-MODIFICATION
USAGE dSAOperation ) USAGE dSAOperation )
The attribute updateVector is a multi-valued attribute which The attribute updateVector is a multi-valued attribute which
contains information for a replica describing the latest changes contains information for a replica describing the latest changes
received by the replica from other replicas. received by the replica from other replicas.
There may be only one ldapChangeSequenceNumber entry from each There may be only one ldapChangeSequenceNumber entry from each
replica in the updateVector. That is to say, there is a unique replica in the updateVector. That is to say, there is a unique
value constraint on the ReplicaID component of entries in the list. value constraint on the ReplicaID component of entries in the list.
8.2.9. replicaSecondaryURI 7.2.8. replicaSecondaryURI
( 2.16.840.1.113719.1.142.4.x NAME 'replicaSecondaryURI' ( 2.16.840.1.113719.1.142.4.x NAME 'replicaSecondaryURI'
DESC 'LDAP URLs which indicate how to connect to this replica' DESC 'LDAP URLs which indicate how to connect to this replica'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
EQUALITY caseExactMatch EQUALITY caseExactMatch
USAGE dSAOperation ) USAGE dSAOperation )
The replicaSecondaryURI attribute is a multi-valued attribute used The replicaSecondaryURI attribute is a multi-valued attribute used
to list the set of LDAP URLs that should be used to contact the to list the set of LDAP URLs that should be used to contact the
LDUP Information Model
replica for replication sessions if all LDAP URLs in the replicaURL replica for replication sessions if all LDAP URLs in the replicaURL
attribute are not contactable. attribute are not contactable.
8.2.10. lostAndFoundEntryDN 7.2.9. lostAndFoundEntryDN
( 2.16.840.1.113719.1.142.4.x NAME 'lostAndFoundEntryDN' ( 2.16.840.1.113719.1.142.4.x NAME 'lostAndFoundEntryDN'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
EQUALITY distinguishedNameMatch EQUALITY distinguishedNameMatch
SINGLE-VALUE SINGLE-VALUE
DESC 'name of the entry under which orphaned entries will DESC 'name of the entry under which orphaned entries will
be moved during replication update processing by this be moved during replication update processing by this
replica.' ) replica.' )
This attribute indicates the location under which the replica will This attribute indicates the location under which the replica will
move orphaned entries that are encountered while performing move orphaned entries that are encountered while performing
replication updates. The attribute is single-valued and is replication updates. The attribute is single-valued and is
specific to each replica. specific to each replica.
8.2.11. replicaOnline 7.2.10. replicaOnline
( 2.16.840.1.113719.1.142.4.x NAME 'replicaOnline' ( 2.16.840.1.113719.1.142.4.x NAME 'replicaOnline'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
EQUALITY booleanMatch EQUALITY booleanMatch
SINGLE-VALUE SINGLE-VALUE
DESC 'indicates whether or not the replica will DESC 'indicates whether or not the replica will
will initiate and/or respond to replication will initiate and/or respond to replication
session start requests.' ) session start requests.' )
This attribute indicates whether the replica is ready and willing This attribute indicates whether the replica is ready and willing
to participate in replication sessions with other replicas that are to participate in replication sessions with other replicas that are
defined as holding the replication context. defined as holding the replication context.
8.2.12. replicaDN 7.2.11. replicaDN
( 2.16.840.1.113719.1.142.4.x NAME 'replicaDN' ( 2.16.840.1.113719.1.142.4.x NAME 'replicaDN'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
EQUALITY distinguishedNameMatch EQUALITY distinguishedNameMatch
SINGLE-VALUE SINGLE-VALUE
DESC 'name of the consumer replicaSubentry entry that the DESC 'name of the consumer replicaSubentry entry that the
replicaAgreement links to.' ) replicaAgreement links to.' )
This attribute is used to link a replicaAgreement entry (associated This attribute is used to link a replicaAgreement entry (associated
with a supplier of replication update information) to the consumer with a supplier of replication update information) to the consumer
replica that will be contacted by replication sessions constrained replica that will be contacted by replication sessions constrained
by the replicaAgreement. by the replicaAgreement.
8.2.13. replicationMechanismOID 7.2.12. replicationMechanismOID
( 2.16.840.1.113719.1.142.4.x NAME 'replicationMechanismOID' ( 2.16.840.1.113719.1.142.4.x NAME 'replicationMechanismOID'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
EQUALITY caseIgnoreMatch EQUALITY caseIgnoreMatch
SINGLE-VALUE SINGLE-VALUE
DESC 'the OID which represents the specific DESC 'the OID which represents the specific
replication protocol used for replication replication protocol used for replication
LDUP Information Model
sessions between the identified supplier and sessions between the identified supplier and
consumer replicas.' ) consumer replicas.' )
This attribute identifies the specific replication protocol used This attribute identifies the specific replication protocol used
for replication sessions between the supplier and consumer replicas for replication sessions between the supplier and consumer replicas
associated by the replicaAgreement entry. This attribute must be a associated by the replicaAgreement entry. This attribute must be a
value that is within the set of attribute values for the value that is within the set of attribute values for the
supportedReplicationProtocols attribute in the root DSE entry. supportedReplicationProtocols attribute in the root DSE entry.
8.2.14. replicationCredentialsDN 7.2.13. replicationCredentialsDN
( 2.16.840.1.113719.1.142.4.x NAME 'replicationCredentialsDN' ( 2.16.840.1.113719.1.142.4.x NAME 'replicationCredentialsDN'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
EQUALITY distinguishedNameMatch EQUALITY distinguishedNameMatch
SINGLE-VALUE SINGLE-VALUE
DESC 'name of a separate entry in the directory tree which DESC 'name of a separate entry in the directory tree which
contains the credentials information used in identifying contains the credentials information used in identifying
the supplier replica to the consumer replica when the supplier replica to the consumer replica when
initiating a replication session.' ) initiating a replication session.' )
This attribute is used to establish a separate entry in the This attribute is used to establish a separate entry in the
directory tree that will hold the credentials information that is directory tree that will hold the credentials information that is
used to establish the supplier's identity at the consumer when used to establish the supplier's identity at the consumer when
starting a replication session. By placing credentials information starting a replication session. By placing credentials information
in a separate entry, "pointed to" with this attribute, credentials in a separate entry, "pointed to" with this attribute, credentials
information can be placed in a portion of the directory tree that information can be placed in a portion of the directory tree that
is not replicated across multiple replicas. It can also be is not replicated across multiple replicas. It can also be
_shared_ by several replication contexts. ôsharedö by several replication contexts.
8.2.15. replicationScheduleDN 7.2.14. replicationScheduleDN
( 2.16.840.1.113719.1.142.4.x NAME 'replicationScheduleDN' ( 2.16.840.1.113719.1.142.4.x NAME 'replicationScheduleDN'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
EQUALITY distinguishedNameMatch EQUALITY distinguishedNameMatch
SINGLE-VALUE SINGLE-VALUE
DESC 'name of an entry which contains the specific DESC 'name of an entry which contains the specific
information used to establish when replication information used to establish when replication
sessions will be initiated by this replica sessions will be initiated by this replica
supplier.' ) supplier.' )
This attribute is used to "point to" either a replicaEventSchedule This attribute is used to "point to" either a replicaEventSchedule
or replicaTimeSchedule entry which describes when replication or replicaTimeSchedule entry which describes when replication
sessions should be initiated by a replica supplier. If not sessions should be initiated by a replica supplier. If not
specified, a default schedule is assumed. See the section specified, a default schedule is assumed. See the section
describing the replicaAgreement for more details. describing the replicaAgreement for more details.
8.2.16. updateVectorTrigger 7.2.15. updateVectorTrigger
( 2.16.840.1.113719.1.142.4.x NAME 'updateVectorTrigger' ( 2.16.840.1.113719.1.142.4.x NAME 'updateVectorTrigger'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
EQUALITY booleanMatch EQUALITY booleanMatch
SINGLE-VALUE SINGLE-VALUE
DESC 'indicates whether or not updates made to the DESC 'indicates whether or not updates made to the
replicas updateVector should be treated as replicas updateVector should be treated as
LDUP Information Model
updates that cause the secondsToWaitDefault updates that cause the secondsToWaitDefault
attribute value to be used in determining attribute value to be used in determining
when to initiate a replication session.' ) when to initiate a replication session.' )
This attribute is used to indicate whether or not changes to the This attribute is used to indicate whether or not changes to the
replica's updateVector should be included as updates that cause the replica's updateVector should be included as updates that cause the
secondsToWaitDefault attribute value to be used when determining secondsToWaitDefault attribute value to be used when determining
when to initiate replication sessions. when to initiate replication sessions.
If updateVectorTrigger is set to FALSE, then secondsToWaitDefault If updateVectorTrigger is set to FALSE, then secondsToWaitDefault
will not be used when the replica's updateVector is updated. This will not be used when the replica's updateVector is updated. This
implies that some other update will need to be performed to the implies that some other update will need to be performed to the
replica before the updated updateVector will be sent via a replica before the updated updateVector will be sent via a
replication session. replication session.
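Review bot: In the replicationCredentialsDN description the -08 column replaces _shared_ with "ôsharedö", which looks like mis-encoded typographic quotes; suggest plain ASCII quotes, as already used for "pointed to" in the same paragraph. In the same hunk, replicationStatus example 1 reads 9980805162203Z in both columns, one digit shorter than the other four timestamps, and the replicaType DESC now marks value 1 as reserved without saying how a replica should treat a stored value of 1 written under the earlier Primary definition.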
skipping to change at line 764 skipping to change at page 14, line 34
Note that setting secondsToWaitDefault to 0 coupled with Note that setting secondsToWaitDefault to 0 coupled with
updateVectorTrigger to TRUE would cause replication sessions to updateVectorTrigger to TRUE would cause replication sessions to
continually "chase themselves", potentially clogging networks with continually "chase themselves", potentially clogging networks with
an infinite loop of replication sessions. This combination SHOULD an infinite loop of replication sessions. This combination SHOULD
be prevented in implementations. be prevented in implementations.
If not specified, the value for updateVectorTrigger is assumed to If not specified, the value for updateVectorTrigger is assumed to
be FALSE. be FALSE.
8.2.17. secondsToWaitDefault 7.2.16. secondsToWaitDefault
(2.16.840.1.113719.1.142.4.x NAME 'secondsToWaitDefault' (2.16.840.1.113719.1.142.4.x NAME 'secondsToWaitDefault'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
EQUALITY integerMatch EQUALITY integerMatch
SINGLE-VALUE SINGLE-VALUE
DESC 'The number of seconds to wait after an update DESC 'The number of seconds to wait after an update
is made to the replica before initiating a is made to the replica before initiating a
replication session.' replication session.'
USAGE dSAOperation ) USAGE dSAOperation )
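Review bot: The note on secondsToWaitDefault 0 with updateVectorTrigger TRUE describes an infinite loop of replication sessions but only says the combination "SHOULD be prevented in implementations", with no indication of how (reject the modification, or enforce a minimum wait). The secondsToWaitDefault description that follows gives 0 as the value assumed when the attribute is not specified, so setting updateVectorTrigger to TRUE on an otherwise default configuration already produces this combination; suggest either a non-zero minimum when updateVectorTrigger is TRUE or an explicit requirement to refuse the setting.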
skipping to change at line 786 skipping to change at page 14, line 56
This attribute indicates the number of seconds that a replica This attribute indicates the number of seconds that a replica
should wait after an update is made to the replica before should wait after an update is made to the replica before
initiating a replication session. If not specified, the value is initiating a replication session. If not specified, the value is
assumed to be 0. This attribute value is used for updates to all assumed to be 0. This attribute value is used for updates to all
attributes that are NOT specified by either the attrs1 or attrs2 attributes that are NOT specified by either the attrs1 or attrs2
attributes. attributes.
This attribute is always used for updates made to the replica's This attribute is always used for updates made to the replica's
updateVector if the updateVectorTrigger attribute is set to TRUE. updateVector if the updateVectorTrigger attribute is set to TRUE.
8.2.18. secondsToWait1 7.2.17. secondsToWait1
(2.16.840.1.113719.1.142.4.x NAME 'secondsToWait1' (2.16.840.1.113719.1.142.4.x NAME 'secondsToWait1'
LDUP Information Model
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
EQUALITY integerMatch EQUALITY integerMatch
SINGLE-VALUE SINGLE-VALUE
DESC 'The number of seconds to wait after an update DESC 'The number of seconds to wait after an update
is made to any attributes named in the attrs1 is made to any attributes named in the attrs1
attribute before initiating a replication session.' attribute before initiating a replication session.'
USAGE dSAOperation ) USAGE dSAOperation )
This attribute is similar to the secondsToWaitDefault attribute in This attribute is similar to the secondsToWaitDefault attribute in
how it is used. This attribute, however, is used to apply only to how it is used. This attribute, however, is used to apply only to
the attributes listed in the attrs1 attribute. This allows updates the attributes listed in the attrs1 attribute. This allows updates
to different attributes to cause replication sessions to be to different attributes to cause replication sessions to be
initiated either sooner or later than updates made to other initiated either sooner or later than updates made to other
attributes. attributes.
8.2.19. attrReplicationGroup1 7.2.18. attrReplicationGroup1
( 2.16.840.1.113719.1.142.4.x NAME 'attrReplicationGroup1' ( 2.16.840.1.113719.1.142.4.x NAME 'attrReplicationGroup1'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
EQUALITY caseIgnoreMatch EQUALITY caseIgnoreMatch
DESC 'the set of attributes that are associated with DESC 'the set of attributes that are associated with
the secondsToWait1 attribute. When updates are the secondsToWait1 attribute. When updates are
made to any of these attributes on the replica, made to any of these attributes on the replica,
a replication session will be delayed until a replication session will be delayed until
after secondsToWait1 seconds have passed.' ) after secondsToWait1 seconds have passed.' )
This attribute identifies a set of attributes that are associated This attribute identifies a set of attributes that are associated
with the secondsToWait1 attribute. When secondsToWait1 seconds with the secondsToWait1 attribute. When secondsToWait1 seconds
have passed since an update to any attribute identified in the have passed since an update to any attribute identified in the
attrs1 attribute, a replication session will be initiated. attrs1 attribute, a replication session will be initiated.
8.2.20. secondsToWait2 7.2.19. secondsToWait2
(2.16.840.1.113719.1.142.4.x NAME 'secondsToWait2' (2.16.840.1.113719.1.142.4.x NAME 'secondsToWait2'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
EQUALITY integerMatch EQUALITY integerMatch
SINGLE-VALUE SINGLE-VALUE
DESC 'The number of seconds to wait after an update DESC 'The number of seconds to wait after an update
is made to any attributes named in the attrs2 is made to any attributes named in the attrs2
attribute before initiating a replication session.' attribute before initiating a replication session.'
USAGE dSAOperation ) USAGE dSAOperation )
This attribute is similar to the secondsToWaitDefault attribute in This attribute is similar to the secondsToWaitDefault attribute in
how it is used. This attribute, however, is used to apply only to how it is used. This attribute, however, is used to apply only to
the attributes listed in the attrs2 attribute. This allows updates the attributes listed in the attrs2 attribute. This allows updates
to different attributes to cause replication sessions to be to different attributes to cause replication sessions to be
initiated either sooner or later than updates made to other initiated either sooner or later than updates made to other
attributes. attributes.
8.2.21. attrReplicationGroup2 LDUP Information Model
7.2.20. attrReplicationGroup2
( 2.16.840.1.113719.1.142.4.x NAME 'attrReplicationGroup2' ( 2.16.840.1.113719.1.142.4.x NAME 'attrReplicationGroup2'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
EQUALITY caseIgnoreMatch EQUALITY caseIgnoreMatch
DESC 'the set of attributes that are associated with DESC 'the set of attributes that are associated with
the secondsToWait2 attribute. When updates are the secondsToWait2 attribute. When updates are
made to any of these attributes on the replica, made to any of these attributes on the replica,
a replication session will be delayed until a replication session will be delayed until
after secondsToWait2 seconds have passed.' ) after secondsToWait2 seconds have passed.' )
This attribute identifies a set of attributes that are associated This attribute identifies a set of attributes that are associated
with the secondsToWait2 attribute. When secondsToWait2 seconds with the secondsToWait2 attribute. When secondsToWait2 seconds
have passed since an update to any attribute identified in the have passed since an update to any attribute identified in the
attrs2 attribute, a replication session will be initiated. attrs2 attribute, a replication session will be initiated.
8.2.22. scheduleTimePeriod 7.2.21. scheduleTimePeriod
( 2.16.840.1.113719.1.142.4.x NAME 'scheduleTimePeriod' ( 2.16.840.1.113719.1.142.4.x NAME 'scheduleTimePeriod'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 SYNTAX 1.3.6.1.4.1.1466.115.121.1.44
EQUALITY caseIgnoreMatch EQUALITY caseIgnoreMatch
SINGLE-VALUE SINGLE-VALUE
DESC 'the absolute time range over which this time DESC 'the absolute time range over which this time
specification is valid.' ) specification is valid.' )
This attribute is patterned after the TimePeriod property This attribute is patterned after the TimePeriod property
identified in RFC 3060 [RFC3060] and [Policy Schema]. Refer to identified in RFC 3060 [RFC3060] and [Policy Schema]. See these
these references for details on the format and interpretation of references for details on the format and interpretation of this
this attribute. attribute.
8.2.23. scheduleMonthOfYearMask 7.2.22. scheduleMonthOfYearMask
( 2.16.840.1.113719.1.142.4.x NAME 'scheduleMonthOfYearMask' ( 2.16.840.1.113719.1.142.4.x NAME 'scheduleMonthOfYearMask'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 SYNTAX 1.3.6.1.4.1.1466.115.121.1.6
SINGLE-VALUE SINGLE-VALUE
DESC 'mask identifying the months of the year during DESC 'mask identifying the months of the year during
which replication sessions should be performed.' ) which replication sessions should be performed.' )
This attribute is patterned after the MonthOfYearMask property This attribute is patterned after the MonthOfYearMask property
identified in RFC 3060 [RFC3060] and [Policy Schema]. Refer to identified in RFC 3060 [RFC3060] and [Policy Schema]. See these
these references for details on the format and interpretation of references for details on the format and interpretation of this
this attribute. attribute.
8.2.24. scheduleDayOfMonthMask 7.2.23. scheduleDayOfMonthMask
( 2.16.840.1.113719.1.142.4.x NAME 'scheduleDayOfMonthMask' ( 2.16.840.1.113719.1.142.4.x NAME 'scheduleDayOfMonthMask'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 SYNTAX 1.3.6.1.4.1.1466.115.121.1.6
SINGLE-VALUE SINGLE-VALUE
DESC 'mask identifying the days of the month during DESC 'mask identifying the days of the month during
which replication sessions should be performed.' ) which replication sessions should be performed.' )
This attribute is patterned after the DayOfMonthMask property This attribute is patterned after the DayOfMonthMask property
identified in RFC 3060 [RFC3060] and [Policy Schema]. Refer to identified in RFC 3060 [RFC3060] and [Policy Schema]. See these
these references for details on the format and interpretation of LDUP Information Model
this attribute.
8.2.25. scheduleDayOfWeekMask references for details on the format and interpretation of this
attribute.
7.2.24. scheduleDayOfWeekMask
( 2.16.840.1.113719.1.142.4.x NAME 'scheduleDayOfWeekMask' ( 2.16.840.1.113719.1.142.4.x NAME 'scheduleDayOfWeekMask'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 SYNTAX 1.3.6.1.4.1.1466.115.121.1.6
SINGLE-VALUE SINGLE-VALUE
DESC 'mask identifying the days of the week during DESC 'mask identifying the days of the week during
which replication sessions should be performed.' ) which replication sessions should be performed.' )
This attribute is patterned after the DayOfWeekMask property This attribute is patterned after the DayOfWeekMask property
identified in RFC 3060 [RFC3060] and [Policy Schema]. Refer to identified in RFC 3060 [RFC3060] and [Policy Schema]. See these
these references for details on the format and interpretation of references for details on the format and interpretation of this
this attribute. attribute.
8.2.26. scheduleTimeOfDayMask 7.2.25. scheduleTimeOfDayMask
( 2.16.840.1.113719.1.142.4.x NAME 'scheduleTimeOfDayMask' ( 2.16.840.1.113719.1.142.4.x NAME 'scheduleTimeOfDayMask'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 SYNTAX 1.3.6.1.4.1.1466.115.121.1.44
EQUALITY caseIgnoreMatch EQUALITY caseIgnoreMatch
DESC 'mask identifying the times during the day when DESC 'mask identifying the times during the day when
replication sessions should be initiated.' ) replication sessions should be initiated.' )
This attribute is patterned after the TimeOfDayMask property This attribute is patterned after the TimeOfDayMask property
identified in RFC 3060 [RFC3060] and [Policy Schema]. Refer to identified in RFC 3060 [RFC3060] and [Policy Schema]. See these
these references for details on the format and interpretation of references for details on the format and interpretation of this
this attribute. attribute.
8.2.27. scheduleLocalOrUtcTime 7.2.26. scheduleLocalOrUtcTime
( 2.16.840.1.113719.1.142.4.x NAME 'scheduleLocalOrUtcTime' ( 2.16.840.1.113719.1.142.4.x NAME 'scheduleLocalOrUtcTime'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
EQUALITY integerMatch EQUALITY integerMatch
SINGLE-VALUE SINGLE-VALUE
DESC 'flag indicating whether or not times in the DESC 'flag indicating whether or not times in the
scheduleTimeOfDayMask are in UTC time or scheduleTimeOfDayMask are in UTC time or
local time.' ) local time.' )
This attribute is patterned after the LocaOrUtcTime property This attribute is patterned after the LocaOrUtcTime property
identified in RFC 3060 [RFC3060] and [Policy Schema]. Refer to identified in RFC 3060 [RFC3060] and [Policy Schema]. See these
these references for details on the format and interpretation of references for details on the format and interpretation of this
this attribute. attribute.
8.3. Class Definitions 7.3. Class Definitions
8.3.1. ReplicationContext 7.3.1. ReplicationContext
( 2.16.840.1.113719.1.142.6.2.2 NAME 'replicationContext' ( 2.16.840.1.113719.1.142.6.2.2 NAME 'replicationContext'
SUP top SUP top
AUXILIARY ) AUXILIARY )
The replicationContext auxiliary class, when present on an object, The replicationContext auxiliary class, when present on an object,
indicates the beginning, or root, of a naming context. The naming indicates the beginning, or root, of one or more replication
context is said to be rooted at the entry with the LDUP Information Model
replicationContext auxiliary class in its list of object classes.
The root-most entry of a naming context is the entry with the contexts. The replication context is said to be rooted at the
replicationContext auxiliary class in its list of object classes. entry with the replicationContext auxiliary class in its list of
object classes. The root-most entry of a replication context is
the entry with the replicationContext auxiliary class in its list
of object classes.
Characteristics of the replication topology of a naming context are Characteristics of the replication topology of a replication
defined in the replicaSubentry sub-entries associated with the context are defined in the replicaSubentry sub-entries associated
naming context. with the replication context.
The attribute accessControlPolicyOID has been removed from here, The attribute accessControlPolicyOID has been removed from here,
and should be published as an subentry subordinate to the and should be published as an subentry subordinate to the
replicationContext, instead. replicationContext, instead.
The attribute nameContextCreationTimestamp used here in previous The attribute nameContextCreationTimestamp used here in previous
drafts has been eliminated as redundant. The drafts has been eliminated as redundant. The
ldapChangeSequenceNumber associated with the replicationContext ldapChangeSequenceNumber associated with the replicationContext
value in the list of objectclass attribute values serves the same value in the list of objectclass attribute values serves the same
purpose. purpose.
8.3.2. replicaSubentry 7.3.2. replicaSubentry
( 2.16.840.1.113719.1.142.6.3.2 NAME 'replicaSubentry-2' ( 2.16.840.1.113719.1.142.6.3.2 NAME 'replicaSubentry-2'
SUP subentry SUP subentry
STRUCTURAL STRUCTURAL
MUST ( cn $ MUST ( cn $
replicaURI $ replicaURI $
replicaType $ replicaType $
lostAndFoundEntryDN $ lostAndFoundEntryDN $
replicaOnline ) replicaOnline )
MAY ( attributeExclusionFilter $ MAY ( attributeExclusionFilter $
attributeInclusionFilter $ attributeInclusionFilter $
replicaSecondaryURI $ replicaSecondaryURI $
description $ description $
updateVector ) ) updateVector ) )
Entries of type replicaSubentry MUST be named by their cn attribute Entries of type replicaSubentry MUST be named by their cn attribute
as defined in [LDAP Subentry]. A replicationContext may have more as defined in [LDAP Subentry]. A replicationContext may have more
than one replicaSubentry. than one replicaSubentry. All replicaSubentries MUST be placed
just below their associated replicationContext root entries in the
directory tree.
All replicas MUST hold all replicaSubentries for the replication
context. This is required for update vectors.
The attributes attributeExclusionFilter and The attributes attributeExclusionFilter and
attributeInclusionFilter, if present, govern which entries and attributeInclusionFilter, if present, govern which entries and
attributes from the local naming context are to be sent (or not attributes from the local naming context are to be sent (or not
sent) to the replica named in replicaDN of replica agreements for sent) to the replica named in replicaDN of replica agreements for
this replica. The attributeExclusionFilter names attributes which this replica. The attributeExclusionFilter names attributes which
SHOULD NOT be sent. The attributeInclusionFilter names attributes SHOULD NOT be sent. The attributeInclusionFilter names attributes
which SHOULD be sent. which SHOULD be sent.
LDUP Information Model
The attribute replicaURI contains information in ldapURI format The attribute replicaURI contains information in ldapURI format
that can be used to contact (i.e., open a connection to) this that can be used to contact (i.e., open a connection to) this
replica. The replicaSecondaryURI contains the set of ldapURI replica. The replicaSecondaryURI contains the set of ldapURI
format addresses that can be used as backup addresses if the format addresses that can be used as backup addresses if the
replicaURI values cannot be used. replicaURI values cannot be used.
The lostAndFoundEntryDN attribute is single-valued attribute that The lostAndFoundEntryDN attribute is single-valued attribute that
contains the distinguished name of the lost and found entry under contains the distinguished name of the lost and found entry under
which orphaned entries are placed. which orphaned entries are placed.
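Review bot: The rename from "naming context" to "replication context" is incomplete in 7.3.2 replicaSubentry. The filter paragraph still reads "attributes from the local naming context are to be sent", while 7.3.1 now defines the root and the topology in terms of replication contexts. Finish the rename there, or state that the two terms are meant to differ. The same pass could correct "LocaOrUtcTime" in 7.2.26 (the attribute itself is scheduleLocalOrUtcTime), "an subentry" in 7.3.1, and "is single-valued attribute" in the lostAndFoundEntryDN paragraph, all of which are unchanged from -07.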
skipping to change at line 1023 skipping to change at page 19, line 36
The attribute updateVector contains a set of The attribute updateVector contains a set of
ldapChangeSequenceNumbers, one for each of the other replicas for ldapChangeSequenceNumbers, one for each of the other replicas for
this naming context, which records, from this replicas perspective, this naming context, which records, from this replicas perspective,
the last change event received from the other indicated replica. the last change event received from the other indicated replica.
The subtreespecification attribute of the subentry superior object The subtreespecification attribute of the subentry superior object
class is used to define the scope of the replication context. Use class is used to define the scope of the replication context. Use
of the subtreespecification value SHOULD be limited to the base and of the subtreespecification value SHOULD be limited to the base and
components of ChopSpecification portions of this attribute. components of ChopSpecification portions of this attribute.
8.3.3. replicaAgreement 7.3.3. replicaAgreement
( ?? NAME 'replicaAgreement' ( ?? NAME 'replicaAgreement'
SUP subentry SUP top
STRUCTURAL STRUCTURAL
MUST ( cn ) MUST ( cn )
MAY ( description $ MAY ( description $
replicaDN $ replicaDN $
replicationMechanismOID $ replicationMechanismOID $
replicationStatus $ replicationStatus $
replicationCredentialsDN $ replicationCredentialsDN $
replicationScheduleDN ) ) replicationScheduleDN ) )
Entries of this type MUST be placed just below replicaSubentry If present, entries of this type MUST be placed just below
entries in the directory tree. replicaSubentry entries in the directory tree.
If replicaAgreements are used, each replica MUST hold all replica
agreements for which it is a supplier as well as the entries
containing control information referred to by those replica
agreements (credentials, schedules, etc.).
Name subordination is used to associate a replicaAgreement with the Name subordination is used to associate a replicaAgreement with the
replicaSubentry representing the supplier of changes for all replicaSubentry representing the supplier of changes for all
subordinate replication agreements. subordinate replication agreements.
LDUP Information Model
Processing of allowable changes to be sent is as follows: Processing of allowable changes to be sent is as follows:
1) the attributeInclusionFilter from the replica subentry defines a 1) the attributeInclusionFilter from the replica subentry defines a
set of attributes which SHOULD be sent, less exclusions; set of attributes which SHOULD be sent, less exclusions;
2) the union of attributes excluded by the attributeExclusionFilter 2) the union of attributes excluded by the attributeExclusionFilter
from the replicaSubentry and the attributeExclusionFilter from the from the replicaSubentry and the attributeExclusionFilter from the
replicaAgreement defines a set of attributes which SHOULD NOT be replicaAgreement defines a set of attributes which SHOULD NOT be
sent; sent;
3) the subtraction of attributes which SHOULD NOT be sent by (2) 3) the subtraction of attributes which SHOULD NOT be sent by (2)
from the attributes which SHOULD be sent by (1) constitute the set from the attributes which SHOULD be sent by (1) constitute the set
of attributes for which changes MAY be sent. of attributes for which changes MAY be sent.
The attribute description contains a human-readable description of The attribute description contains a human-readable description of
the sub-entry. the sub-entry.
The attribute replicaDN of syntax distinguishedName names another The attribute replicaDN of syntax distinguishedName names another
sub-entry of type replicaSubentry to whom changes are to be sent. sub-entry of type replicaSubentry to whom changes are to be sent.
If there is no value for the replicaDN attribute on a If there is no value for the replicaDN attribute on a
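Review bot: Step 2 of the filter processing in 7.3.3 takes the union with "the attributeExclusionFilter from the replicaAgreement", but the replicaAgreement class definition just above lists no attributeExclusionFilter in either MUST or MAY, so that value can never be present on an agreement. Add the attribute to the MAY list, or reduce step 2 to the replicaSubentry filter alone. The added paragraph requiring each supplier replica to hold the credentials and schedule entries its agreements refer to should also say what access control those copies need, and the class OID is still "??".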
skipping to change at line 1091 skipping to change at page 20, line 56
this information to be placed outside of the replication context. this information to be placed outside of the replication context.
The attribute replicationScheduleDN, if present, names an entry The attribute replicationScheduleDN, if present, names an entry
which governs the schedule for replication attempts. If not which governs the schedule for replication attempts. If not
present, replication MUST be attempted when there are changes to be present, replication MUST be attempted when there are changes to be
sent (i.e. a default replica schedule of type replicaEventSchedule sent (i.e. a default replica schedule of type replicaEventSchedule
is assumed with secondsToWaitDefault=0 and is assumed with secondsToWaitDefault=0 and
updateVectorTrigger=FALSE). See Section on replicaEventSchedule updateVectorTrigger=FALSE). See Section on replicaEventSchedule
for more information about these attributes and their meaning. for more information about these attributes and their meaning.
The subtreespecification attribute of the subentry superior object 7.3.4. replicaEventSchedule
class is ignored.
8.3.4. replicaEventSchedule
( 2.16.840.1.113719.1.142.6.x.1 NAME 'replicaEventSchedule' ( 2.16.840.1.113719.1.142.6.x.1 NAME 'replicaEventSchedule'
SUP subentry LDUP Information Model
SUP top
STRUCTURAL STRUCTURAL
MUST ( cn ) MUST ( cn )
MAY ( description $ MAY ( description $
updateVectorTrigger $ updateVectorTrigger $
secondsToWaitDefault $ secondsToWaitDefault $
secondsToWait1 $ secondsToWait1 $
attrs1 $ attrs1 $
secondsToWait2 $ secondsToWait2 $
attrs2 ) ) attrs2 ) )
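Review bot: "See Section on replicaEventSchedule" in the replicationScheduleDN paragraph has no section number. After the renumbering in this revision the target is 7.3.4, the heading that follows directly, so the reference can be written out. The paragraph also defines the default schedule (secondsToWaitDefault=0, updateVectorTrigger=FALSE) only in a parenthesis; a reader implementing the absent-attribute case would be better served by one normative sentence in 7.3.4.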
skipping to change at line 1151 skipping to change at page 22, line 5
The secondsToWait2 attribute is similar to the secondsToWait1 The secondsToWait2 attribute is similar to the secondsToWait1
attribute but is associated with the attrs2 attribute. attribute but is associated with the attrs2 attribute.
Note that whenever any of these seconds-to-wait time periods has Note that whenever any of these seconds-to-wait time periods has
expired, a replication session should be initiated and the full set expired, a replication session should be initiated and the full set
of information that needs to be replicated should be sent to the of information that needs to be replicated should be sent to the
consumer replica. This implies that some information would be consumer replica. This implies that some information would be
replicated before its associated seconds-to-wait time period had replicated before its associated seconds-to-wait time period had
expired. expired.
The subtreespecification attribute of the subentry superior object LDUP Information Model
class is ignored.
8.3.5. replicaTimeSchedule 7.3.5. replicaTimeSchedule
( 2.16.840.1.113719.1.142.6.x.1 NAME 'replicaTimeSchedule' ( 2.16.840.1.113719.1.142.6.x.1 NAME 'replicaTimeSchedule'
SUP subentry SUP top
STRUCTURAL STRUCTURAL
MUST ( cn ) MUST ( cn )
MAY ( description $ MAY ( description $
scheduleTimePeriod $ scheduleTimePeriod $
scheduleMonthOfYearMask $ scheduleMonthOfYearMask $
scheduleDayOfMonthMask $ scheduleDayOfMonthMask $
scheduleDayOfWeekMask $ scheduleDayOfWeekMask $
scheduleTimeOfDayMask $ scheduleTimeOfDayMask $
scheduleLocalOrUtcTime ) ) scheduleLocalOrUtcTime ) )
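Review bot: The seconds-to-wait note uses lower-case "should" twice ("a replication session should be initiated", "should be sent to the consumer replica") in a document that otherwise states requirements with upper-case keywords (MUST, SHOULD NOT, MAY). Say whether this is a requirement and capitalise it if so, because it decides whether a supplier may hold back attributes whose own wait period has not yet expired.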
skipping to change at line 1191 skipping to change at page 22, line 44
The remaining attributes in this object class are patterned after The remaining attributes in this object class are patterned after
the attributes defined for the policyTimePeriodCondition construct the attributes defined for the policyTimePeriodCondition construct
defined in the Policy Core Information Model [RFC3060]. Because defined in the Policy Core Information Model [RFC3060]. Because
the LDAP schema mapping for this portion of the CIM model is not the LDAP schema mapping for this portion of the CIM model is not
complete at this time, these attributes are defined specifically complete at this time, these attributes are defined specifically
for this LDUP-related object class. Refer to RFC 3060 for details for this LDUP-related object class. Refer to RFC 3060 for details
of the formats for the scheduleTimePeriod, scheduleMonthOfYearMask, of the formats for the scheduleTimePeriod, scheduleMonthOfYearMask,
scheduleDayOfMonthMask, scheduleDayOfWeekMask, scheduleDayOfMonthMask, scheduleDayOfWeekMask,
scheduleTimeOfDayMask, and scheduleLocalOrUtcTime attributes. scheduleTimeOfDayMask, and scheduleLocalOrUtcTime attributes.
The subtreespecification attribute of the subentry superior object 8. Semantics of the information model
class is ignored.
9. Semantics of the information model
The intent of this information model is to allow for useful and The intent of this information model is to allow for useful and
expected operation while requiring a minimum amount of data to be expected operation while requiring a minimum amount of data to be
specified. In this spirit, replicaAgreement entries are treated as specified. In this spirit, replicaAgreement entries are treated as
"constraints" on when to initiate replication sessions, not "constraints" on when to initiate replication sessions, not
"requirements" on being able to initiate replication sessions. "requirements" on being able to initiate replication sessions.
To clarify this concept, two examples are provided in this section. To clarify this concept, two examples are provided in this section.
The first example shows the minimal set of information required to The first example shows the minimal set of information required to
get replication going between three replicas: get replication going between three replicas:
dn: ou=accounting, o=your company dn: ou=accounting, o=your company
objectclass: organizationalUnit objectclass: organizationalUnit
objectclass: replicationContext objectclass: replicationContext
LDUP Information Model
ou: accounting ou: accounting
dn: cn=replica1, ou=accounting, o=your company dn: cn=replica1, ou=accounting, o=your company
objectclass: subentry objectclass: subentry
objectclass: replicaSubentry-2 objectclass: replicaSubentry-2
cn: replica1 cn: replica1
subtreespecification: {} subtreespecification: {}
description: replica in location 1 description: replica in location 1
replicaURI: ldap://sys1.yourcompany.com replicaURI: ldap://sys1.yourcompany.com
replicaType: 2 replicaType: 2
skipping to change at line 1261 skipping to change at page 23, line 57
sessions would be initiated to ALL OTHER replicas. As this shows, sessions would be initiated to ALL OTHER replicas. As this shows,
maximal replication is defined using a minimal amount of maximal replication is defined using a minimal amount of
configuration. configuration.
The second example shows how replication sessions can be The second example shows how replication sessions can be
constrained by replicaAgreement entries. This example builds on constrained by replicaAgreement entries. This example builds on
the data shown in the first example. Assume that the following the data shown in the first example. Assume that the following
entries are added to the entries defined in the first example: entries are added to the entries defined in the first example:
dn: cn=agreement1->2, cn=replica1, ou=accounting, o=your company dn: cn=agreement1->2, cn=replica1, ou=accounting, o=your company
objectclass: subentry
objectclass: replicaAgreement objectclass: replicaAgreement
cn: agreement1->2 cn: agreement1->2
subtreespecification: {}
description: Replica agreement constraining replication sessions description: Replica agreement constraining replication sessions
from replica 1 to replica 2. LDUP Information Model
from replica 1 to replica 2.
replicationScheduleDN: cn=schedule1, cn=replica1, replicationScheduleDN: cn=schedule1, cn=replica1,
ou=accounting, o=your company ou=accounting, o=your company
replicaDN: cn=replica2, ou=accounting, o=your company replicaDN: cn=replica2, ou=accounting, o=your company
dn: cn=agreement1->3, cn=replica1, ou=accounting, o=your company dn: cn=agreement1->3, cn=replica1, ou=accounting, o=your company
objectclass: subentry
objectclass: replicaAgreement objectclass: replicaAgreement
cn: agreement1->3 cn: agreement1->3
subtreespecification: {}
description: Replica agreement constraining replication sessions description: Replica agreement constraining replication sessions
from replica 1 to replica 3. from replica 1 to replica 3.
replicationScheduleDN: cn=schedule1, cn=replica1, replicationScheduleDN: cn=schedule1, cn=replica1,
ou=accounting, o=your company ou=accounting, o=your company
replicaDN: cn=replica3, ou=accounting, o=your company replicaDN: cn=replica3, ou=accounting, o=your company
dn: cn=schedule1, cn=replica1, ou=accounting, o=your company dn: cn=schedule1, cn=replica1, ou=accounting, o=your company
objectclass: subentry
objectclass: replicaEventSchedule objectclass: replicaEventSchedule
cn: schedule1 cn: schedule1
subtreespecification: {}
description: schedule that initiates replication one minute description: schedule that initiates replication one minute
after any update (including to the updateVector) is made after any update (including to the updateVector) is made
to the replica. to the replica.
secondsToWaitDefault: 60 secondsToWaitDefault: 60
updateVectorTrigger: TRUE updateVectorTrigger: TRUE
dn: cn=agreement2->1, cn=replica2, ou=accounting, o=your company dn: cn=agreement2->1, cn=replica2, ou=accounting, o=your company
objectclass: subentry
objectclass: replicaAgreement objectclass: replicaAgreement
cn: agreement2->1 cn: agreement2->1
subtreespecification: {}
description: Replica agreement constraining replication sessions description: Replica agreement constraining replication sessions
from replica 2 to replica 1. from replica 2 to replica 1.
replicationScheduleDN: cn=schedule2, cn=replica2, replicationScheduleDN: cn=schedule2, cn=replica2,
ou=accounting, o=your company ou=accounting, o=your company
replicaDN: cn=replica1, ou=accounting, o=your company replicaDN: cn=replica1, ou=accounting, o=your company
dn: cn=agreement2->3, cn=replica2, ou=accounting, o=your company dn: cn=agreement2->3, cn=replica2, ou=accounting, o=your company
objectclass: subentry
objectclass: replicaAgreement objectclass: replicaAgreement
cn: agreement2->3 cn: agreement2->3
subtreespecification: {}
description: Replica agreement constraining replication sessions description: Replica agreement constraining replication sessions
from replica 2 to replica 3. from replica 2 to replica 3.
replicationScheduleDN: cn=schedule2, cn=replica2, replicationScheduleDN: cn=schedule2, cn=replica2,
ou=accounting, o=your company ou=accounting, o=your company
replicaDN: cn=replica2, ou=accounting, o=your company replicaDN: cn=replica2, ou=accounting, o=your company
dn: cn=schedule2, cn=replica2, ou=accounting, o=your company dn: cn=schedule2, cn=replica2, ou=accounting, o=your company
objectclass: subentry
objectclass: replicaEventSchedule objectclass: replicaEventSchedule
cn: schedule2 cn: schedule2
subtreespecification: {}
description: schedule that initiates replication two minutes description: schedule that initiates replication two minutes
after any update (including to the updateVector) is made after any update (including to the updateVector) is made
to the replica. to the replica.
secondsToWaitDefault: 120 secondsToWaitDefault: 120
updateVectorTrigger: TRUE updateVectorTrigger: TRUE
dn: cn=agreement3->1, cn=replica3, ou=accounting, o=your company dn: cn=agreement3->1, cn=replica3, ou=accounting, o=your company
objectclass: subentry
objectclass: replicaAgreement objectclass: replicaAgreement
cn: agreement3->1 cn: agreement3->1
subtreespecification: {}
description: Replica agreement constraining replication sessions description: Replica agreement constraining replication sessions
LDUP Information Model
from replica 3 to replica 1. from replica 3 to replica 1.
replicationScheduleDN: cn=schedule3, cn=replica3, replicationScheduleDN: cn=schedule3, cn=replica3,
ou=accounting, o=your company ou=accounting, o=your company
replicaDN: cn=replica1, ou=accounting, o=your company replicaDN: cn=replica1, ou=accounting, o=your company
dn: cn=agreement3->2, cn=replica3, ou=accounting, o=your company dn: cn=agreement3->2, cn=replica3, ou=accounting, o=your company
objectclass: subentry
objectclass: replicaAgreement objectclass: replicaAgreement
cn: agreement3->2 cn: agreement3->2
subtreespecification: {}
description: Replica agreement constraining replication sessions description: Replica agreement constraining replication sessions
from replica 3 to replica 2. from replica 3 to replica 2.
replicationScheduleDN: cn=schedule3, cn=replica3, replicationScheduleDN: cn=schedule3, cn=replica3,
ou=accounting, o=your company ou=accounting, o=your company
replicaDN: cn=replica2, ou=accounting, o=your company replicaDN: cn=replica2, ou=accounting, o=your company
dn: cn=schedule3, cn=replica3, ou=accounting, o=your company dn: cn=schedule3, cn=replica3, ou=accounting, o=your company
objectclass: subentry
objectclass: replicaEventSchedule objectclass: replicaEventSchedule
cn: schedule3 cn: schedule3
subtreespecification: {}
description: schedule that initiates replication one minute description: schedule that initiates replication one minute
after any update (including to the updateVector) is made after any update (including to the updateVector) is made
to the replica. to the replica.
secondsToWaitDefault: 60 secondsToWaitDefault: 60
updateVectorTrigger: TRUE updateVectorTrigger: TRUE
In this example, replication sessions are limited such that they In this example, replication sessions are limited such that they
will begin one or two minutes after an update is made to any one will begin one or two minutes after an update is made to any one
replica, depending on the replica on which the update was made. replica, depending on the replica on which the update was made.
This "constrains" the replication session initiation from the This "constrains" the replication session initiation from the
default of "immediate replication" of updates. default of "immediate replication" of updates.
There are many ways in which the constraints around when to There are many ways in which the constraints around when to
initiate and/or accept replication sessions between two replicas. initiate and/or accept replication sessions between two replicas.
The information model defined here provides a small set of options. The information model defined here provides a small set of options.
More elaborate policies can be defined and this is left as a future More elaborate policies can be defined and this is left as a future
exercise. It is hoped that the work from the Policy workgroup can exercise. It is hoped that the work from the Policy workgroup can
offer schema that would support the creation of these complex offer schema that would support the creation of these complex
policies. policies.
10. Object Identifier Assignments 9. Object Identifier Assignments
The LDUP OID prefix is The LDUP OID prefix is
ID ::= OBJECT IDENTIFIER ID ::= OBJECT IDENTIFIER
ldup ID ::= { joint-iso-ccitt(2) country(16) us(840) ldup ID ::= { joint-iso-ccitt(2) country(16) us(840)
organization(1) novell(113719) novell-internal- organization(1) novell(113719) novell-internal-
OIDS(1) ldup(142) } OIDS(1) ldup(142) }
The OID assignments defined in this document are: The OID assignments defined in this document are:
Attributes: Attributes:
attributeExclusionFilter ID ::= 2.16.840.1.113719.1.142.4.1 attributeExclusionFilter ID ::= 2.16.840.1.113719.1.142.4.1
attributeInclusionFilter ID ::= 2.16.840.1.113719.1.142.4.2 attributeInclusionFilter ID ::= 2.16.840.1.113719.1.142.4.2
LDUP Information Model
replicationStatus ID ::= 2.16.840.1.113719.1.142.4.3 replicationStatus ID ::= 2.16.840.1.113719.1.142.4.3
replicaType ID ::= 2.16.840.1.113719.1.142.4.4 replicaType ID ::= 2.16.840.1.113719.1.142.4.4
secToWaitClass1 ID ::= 2.16.840.1.113719.1.142.4.5.1 - secToWaitClass1 ID ::= 2.16.840.1.113719.1.142.4.5.1 -
OBSOLETE OBSOLETE
secToWaitClass2 ID ::= 2.16.840.1.113719.1.142.4.5.2 - secToWaitClass2 ID ::= 2.16.840.1.113719.1.142.4.5.2 -
OBSOLETE OBSOLETE
secToWaitClass3 ID ::= 2.16.840.1.113719.1.142.4.5.3 - secToWaitClass3 ID ::= 2.16.840.1.113719.1.142.4.5.3 -
OBSOLETE OBSOLETE
secToWaitClass4 ID ::= 2.16.840.1.113719.1.142.4.5.4 - secToWaitClass4 ID ::= 2.16.840.1.113719.1.142.4.5.4 -
OBSOLETE OBSOLETE
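Review bot: In the second example, the entry cn=agreement2->3 carries "replicaDN: cn=replica2, ou=accounting, o=your company", which names the supplier itself. Its description says the agreement runs from replica 2 to replica 3, so the value should be cn=replica3; the error is present in both revisions. Separately, the closing sentence "There are many ways in which the constraints around when to initiate and/or accept replication sessions between two replicas." has no verb and needs completing.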
skipping to change at line 1435 skipping to change at page 26, line 51
replicaSubentries ID ::= 2.16.840.1.113719.1.142.4.x replicaSubentries ID ::= 2.16.840.1.113719.1.142.4.x
Object Classes: Object Classes:
eventScheduledSubentry ID ::= 2.16.840.1.113719.1.142.6.1 - eventScheduledSubentry ID ::= 2.16.840.1.113719.1.142.6.1 -
OBSOLETE OBSOLETE
nameContext ID ::= 2.16.840.1.113719.1.142.6.2.1 - nameContext ID ::= 2.16.840.1.113719.1.142.6.2.1 -
OBSOLETE OBSOLETE
replicaSubentry ID ::= 2.16.840.1.113719.1.142.6.3.1 - replicaSubentry ID ::= 2.16.840.1.113719.1.142.6.3.1 -
OBSOLETE OBSOLETE
replicaAgreementSubentry ID ::= 2.16.840.1.113719.1.142.6.4.1 _ replicaAgreementSubentry ID ::= 2.16.840.1.113719.1.142.6.4.1 û
OBSOLETE OBSOLETE
replicationContext ID ::= 2.16.840.1.113719.1.142.6.2.2 replicationContext ID ::= 2.16.840.1.113719.1.142.6.2.2
replicaSubEntry-2 ID ::= 2.16.840.1.113719.1.142.6.3.2 replicaSubEntry-2 ID ::= 2.16.840.1.113719.1.142.6.3.2
replicaAgreementSubEntry-2 ID ::= 2.16.840.1.113719.1.142.6.4.2 - replicaAgreementSubEntry-2 ID ::= 2.16.840.1.113719.1.142.6.4.2 -
OBSOLETE OBSOLETE
eventScheduledSubentry ID ::= 2.16.840.1.113719.1.142.6.1 - eventScheduledSubentry ID ::= 2.16.840.1.113719.1.142.6.1 -
OBSOLETE OBSOLETE
replicaEventSchedule ID ::= 2.16.840.1.113719.1.142.6.x.1 replicaEventSchedule ID ::= 2.16.840.1.113719.1.142.6.x.1
LDUP Information Model
replicaTimeSchedule ID ::= 2.16.840.1.113719.1.142.6.x.1 replicaTimeSchedule ID ::= 2.16.840.1.113719.1.142.6.x.1
replicaAgreement ID ::= TBD replicaAgreement ID ::= TBD
Note: Object Class OIDs have version numbers, Attribute OIDs Note: Object Class OIDs have version numbers, Attribute OIDs
don't. don't.
11. Security Considerations 10. Security Considerations
Many of the attributes and object classes described in this Many of the attributes and object classes described in this
document should be considered "security sensitive", and protected document should be considered "security sensitive", and protected
from unintended modification by LDAP servers. Generally, creating from unintended modification by LDAP servers. Generally, creating
Naming Contexts, Replicas and Replica Agreement entries should only Naming Contexts, Replicas and Replica Agreement entries should only
be allowed by directory administrators who are authorized to do so. be allowed by directory administrators who are authorized to do so.
The values of attributes defined here are intended to control the The values of attributes defined here are intended to control the
behavior of the directory service agents, themselves. Unintended behavior of the directory service agents, themselves. Unintended
modification of their values may result in incomplete replication modification of their values may result in incomplete replication
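Review bot: In the Object Classes list, replicaEventSchedule and replicaTimeSchedule are both assigned 2.16.840.1.113719.1.142.6.x.1, and eventScheduledSubentry appears twice with the same OBSOLETE value. Give the two schedule classes distinct arcs and drop the duplicate row. The -08 side also replaces the dash after the replicaAgreementSubentry OID with "û", a non-ASCII character that should be restored to "-".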
skipping to change at line 1478 skipping to change at page 27, line 40
replication MUST ALWAYS be authenticated using an authentication replication MUST ALWAYS be authenticated using an authentication
mechanism appropriate for the nature of information to be mechanism appropriate for the nature of information to be
exchanged. exchanged.
References References
[LDUP Model] - J. Merrells, E. Reed, U. Srinivisan, "An Abstract [LDUP Model] - J. Merrells, E. Reed, U. Srinivisan, "An Abstract
Model of LDAP Replication", Internet draft, draft-ietf-ldup-model- Model of LDAP Replication", Internet draft, draft-ietf-ldup-model-
08.txt, March 2003. 08.txt, March 2003.
[LDUP Requirements] - E. Stokes, R. Weiser, R. Moats, R. Huber, [LDUP MRM] û R. Moats, R. Huber, J. McMeeking, ôMandatory LDAP
"Lightweight Directory Access Protocol (version 3) Replication Replica Management,ö Internet Draft, draft-ietf-ldup-mrm-02.txt,
Requirements", RFC 3384, October 2002. March 2003.
[LDAP Subentry] _ K. Zeilenga, Stephen Legg, "Subentries in LDAP", [LDAP Subentry] û K. Zeilenga, Stephen Legg, "Subentries in LDAP",
Internet draft, draft-zeilenga-ldap-subentry-07.txt, August 2002. Internet draft, draft-zeilenga-ldap-subentry-07.txt, August 2002.
[LDUP Update Protocol] _ J. McMeeking, "The LDUP Replication Update [LDUP Update Protocol] û J. McMeeking, "The LDUP Replication Update
Protocol", Internet Draft, draft-ietf-ldup-protocol-04.txt, March Protocol", Internet Draft, draft-ietf-ldup-protocol-04.txt, March
2003. 2003.
[Policy Schema] - J. Strassner, B. Moore, R. Moats, E. Ellesson, [Policy Schema] - J. Strassner, B. Moore, R. Moats, E. Ellesson,
"Policy Core LDAP Schema", Internet draft, draft-ietf-policy-core- "Policy Core LDAP Schema", Internet draft, draft-ietf-policy-core-
schema-16.txt, October 2002. schema-16.txt, October 2002.
[RFC822] _ D. Crocker, "STANDARD FOR THE FORMAT OF ARPA INTERNET [RFC822] û D. Crocker, "STANDARD FOR THE FORMAT OF ARPA INTERNET
TEXT MESSAGES", August 1982, RFC 822 TEXT MESSAGES", August 1982, RFC 822.
[RFC2251] _ M. Wahl, T. Howes, S. Kille, "Lightweight Directory LDUP Information Model
Access Protocol (v3)", December 1997, RFC 2251
[RFC2252] _ M. Wahl, A. Coulbeck, T. Howes, S. Kille, "Lightweight [RFC2251] û M. Wahl, T. Howes, S. Kille, "Lightweight Directory
Access Protocol (v3)", December 1997, RFC 2251.
[RFC2252] û M. Wahl, A. Coulbeck, T. Howes, S. Kille, "Lightweight
Directory Access Protocol (v3): Attribute Syntax Definitions", Directory Access Protocol (v3): Attribute Syntax Definitions",
December 1997, RFC 2252 December 1997, RFC 2252.
[RFC2255] _ T. Howes, M. Smith, _The LDAP URL Format_, December [RFC2255] û T. Howes, M. Smith, ôThe LDAP URL Formatö, December
1997, RFC 2255. 1997, RFC 2255.
[RFC2596] - 2596 M. Wahl, T. Howes, _Use of Language Codes in [RFC2596] - 2596 M. Wahl, T. Howes, ôUse of Language Codes in
LDAP_, May 1999, RFC2596. LDAPö, May 1999, RFC 2596.
[RFC3060] _ B. Moore, E. Ellesson, J. Strassner, A. Westerinen, [RFC2820] û E. Stokes, D. Byrne, B. Blakley, P. Behara, ôAccess
"Policy Core Information Model _ Version 1 Specification", February Control Requirements for LDAP,ö May 2000, RFC 2820.
2001, RFC 3060
[RFC3060] û B. Moore, E. Ellesson, J. Strassner, A. Westerinen,
"Policy Core Information Model û Version 1 Specification", February
2001, RFC 3060.
[RFC3384] - E. Stokes, R. Weiser, R. Moats, R. Huber, "Lightweight
Directory Access Protocol (version 3) Replication Requirements",
October 2002, RFC 3384.
[X518] - ITU-T Recommendation X.518 (1997) | ISO/IEC 9594-4:1998, [X518] - ITU-T Recommendation X.518 (1997) | ISO/IEC 9594-4:1998,
Information Technology _ Open Systems Interconnection _ The Information Technology û Open Systems Interconnection û The
Directory: Procedures for Distributed Operation Directory: Procedures for Distributed Operation.
[X680] - ITU-T Recommendation X.680 (1994) | ISO/IEC 8824-1:1995, [X680] - ITU-T Recommendation X.680 (1994) | ISO/IEC 8824-1:1995,
Information technology _ Abstract Syntax Notation One (ASN.1): Information technology û Abstract Syntax Notation One (ASN.1):
Specification of Basic Notation Specification of Basic Notation.
12. Copyright Notice 11. Copyright Notice
Copyright (C) The Internet Society (2001). All Rights Reserved. Copyright (C) The Internet Society (2001). All Rights Reserved.
This document and translations of it may be copied and furnished to This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain others, and derivative works that comment on or otherwise explain
it or assist in its implementation may be prepared, copied, it or assist in its implementation may be prepared, copied,
published and distributed, in whole or in part, without restriction published and distributed, in whole or in part, without restriction
of any kind, provided that the above copyright notice and this of any kind, provided that the above copyright notice and this
paragraph are included on all such copies and derivative works. paragraph are included on all such copies and derivative works.
However, this document itself may not be modified in any way, such However, this document itself may not be modified in any way, such
as by removing the copyright notice or references to the Internet as by removing the copyright notice or references to the Internet
Society or other Internet organizations, except as needed for the Society or other Internet organizations, except as needed for the
purpose of developing Internet standards in which case the purpose of developing Internet standards in which case the
procedures for copyrights defined in the Internet Standards process procedures for copyrights defined in the Internet Standards process
must be followed, or as required to translate it into languages must be followed, or as required to translate it into languages
other than English. other than English.
The limited permissions granted above are perpetual and will not be The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns. revoked by the Internet Society or its successors or assigns.
LDUP Information Model
This document and the information contained herein is provided on This document and the information contained herein is provided on
an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
13. Acknowledgements 12. Acknowledgements
The authors would like to thank Ed Reed and Tim Han, the authors of The authors would like to thank Ed Reed and Tim Han, the authors of
the original infomod draft, for all their work. the original infomod draft, for all their work.
The IETF takes no position regarding the validity or scope of any The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the has made any effort to identify any such rights. Information on the
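Review bot: The -08 side of the References list replaces the "_" separators and quote marks of -07 with "û", "ô" and "ö" (for example "[LDUP MRM] û R. Moats" and "ôThe LDAP URL Formatö"), which look like mis-encoded dashes and curly quotes rather than intended text; use "-" and straight double quotes, as the [LDUP Model] and [Policy Schema] entries in the same list already do. In the same list, the running header "LDUP Information Model" has landed between the [RFC822] and [RFC2251] entries, and "[RFC2596] - 2596 M. Wahl" still carries a stray "2596" from -07. The [LDUP Requirements] label is dropped in favour of [RFC3384], and [LDUP MRM] and [RFC2820] are new, so citations in the body should be checked against the new labels. The copyright line remains "(2001)" in a draft now dated October 2003, and the IPR paragraph beginning "The IETF takes no position" still sits under Acknowledgements without a heading of its own.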
skipping to change at line 1574 skipping to change at page 29, line 39
to obtain a general license or permission for the use of such to obtain a general license or permission for the use of such
proprietary rights by implementers or users of this specification proprietary rights by implementers or users of this specification
can be obtained from the IETF Secretariat. can be obtained from the IETF Secretariat.
The IETF invites any interested party to bring to its attention any The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive this standard. Please address the information to the IETF Executive
Director. Director.
14. Authors' Addresses 13. Authors' Addresses
Richard Huber Richard Huber
AT&T Laboratories AT&T Laboratories
Email: rvh@att.com Email: rvh@att.com
John McMeeking John McMeeking
IBM IBM
Email: jmcmeek@us.ibm.com Email: jmcmeek@us.ibm.com
Ryan Moats Ryan Moats
 End of changes. 137 change blocks. 
337 lines changed or deleted 257 lines changed or added
