# 389ds-replication

![Build Status](https://github.com/lvps/389ds-replication/actions/workflows/lint.yml/badge.svg)
[![Ansible Role](https://img.shields.io/ansible/role/d/lvps/389ds_replication)](https://galaxy.ansible.com/lvps/389ds_replication/)

Configure replication between 389DS server (LDAP server) instances.

```shell
ansible-galaxy install lvps.389ds_replication
```

## Requirements

- Ansible version: 2.7 or higher
- OS: RHEL/Rocky/EL 7/8/9/..., OpenSUSE/SLES

If your Ansible does not provide the `ldap_attrs` module, you are using an old version of the collections; in that case you can try version 1.0.x of this role.

## Role Variables

| Variable | Default | Description | Can be changed | Role |
|----------|---------|-------------|----------------|------|
| dirsrv_replica_role | | Role of this server: 'supplier', 'consumer' or 'both' (master). Hub is not supported. | **No** | |
| dirsrv_server_uri | "ldap://localhost" | URI of the server to configure. Since this runs on the Ansible target, localhost should be fine. It's possible to set it to `ldaps://localhost` to use TLS on port 636. | | CSB |
| dirsrv_rootdn | "cn=Directory Manager" | Root DN ("administrator" account username) | | CSB |
| dirsrv_rootdn_password | secret | Password for the root DN account | | CSB |
| dirsrv_use_starttls | true | Use StartTLS to connect to the server | | CSB |
| dirsrv_tls_certificate_trusted | true | True if the TLS certificate is from a trusted CA, false if self-signed or from a private CA, unused if TLS is not used | | CSB |
| dirsrv_serverid | default | Server ID, aka instance ID, e.g. if the server is installed in the dirsrv/slapd-example directory, "example" is the server ID | | CSB |
| dirsrv_suffix | dc=example,dc=local | Root suffix | | CSB |
| dirsrv_supplier_replica_id | 1 | Choose a number between 1 and 65534. Don't assign it to other servers or bad things may happen. | **No** | SB |
| dirsrv_consumer_uri | "ldap://consumer.example.com:389/" | Full URI, including port, that the supplier will connect to in order to push changes (replication) | **No** | SB |
| dirsrv_replication_user_remote | Replication Manager | User account that exists on the consumer. The supplier will bind with this account to perform replication. "Replication Manager" means that the account is "cn=Replication Manager,cn=config" | Yes | SB |
| dirsrv_replication_user_password_remote | | Password for the replication user (Replication Manager) account | Yes | SB |
| dirsrv_replica_bind_method | "PLAIN" | Bind method that the supplier uses to connect to the consumer (SIMPLE, PLAIN, SASL) | Yes | SB |
| dirsrv_changelog_max_age | "10d" | Sets the value of `nsslapd-changelogmaxage` | Yes | SB |
| dirsrv_replica_attributes_list | "(objectclass=*) $ EXCLUDE authorityRevocationList accountUnlockTime memberof" | Sets the value of `nsds5ReplicatedAttributeList`; the default of this variable is the one used throughout the examples in the documentation | Yes | SB |
| dirsrv_replica_attributes_list_total | "(objectclass=*) $ EXCLUDE accountUnlockTime" | Sets the value of `nsds5ReplicatedAttributeListTotal`; the default of this variable is the one used throughout the examples in the documentation | Yes | SB |
| dirsrv_replication_user | Replication Manager | User account to create on the consumer. This account will be used by the supplier to bind on this server (the consumer). "Replication Manager" means that the account will be created at "cn=Replication Manager,cn=config" | Yes | CB |
| dirsrv_replication_user_password | | Password for that account. | Yes | CB |
| dirsrv_begin_replication_immediately | true | Boolean, sets `nsds5ReplicaEnabled` to "on" or "off" in the replication agreement. This should be safe: if you add a new server it won't start pushing its empty database to other servers in any case, because they have a different generation ID and replication fails (see the examples for more details); but if you want to be even safer, or make some customizations to the replication agreement first, set this to false | **No** | CB |
| dirsrv_consumer_referral_to_supplier | "ldap://supplier.example.com:389/" | Full LDAP URI including port. When a client tries to write to a consumer, which is read-only, it will redirect the client to this server (a supplier that can accept writes). | Yes | C |

First of all, decide whether the server is a supplier, a consumer or both and set
`dirsrv_replica_role` accordingly. Then set the variables related to that role: look in the Role
column, where C = Consumer, S = Supplier, B = Both.

Some variables cannot be changed once they are set: changing them will produce
unexpected results ranging from "nothing happens" to "the role fails". Others
(authentication details, suffix, etc.) should be set to the correct value for the
server and can be changed as long as that makes sense, i.e. you can
change `dirsrv_rootdn_password` if you've changed the root DN password so that
this role can authenticate correctly, but changing `dirsrv_suffix` between one
run and the other on the same server is pointless, unless you somehow managed to
change the suffix in 389DS.

The following variables have the exact same name and meaning as in the
[389ds-server](https://github.com/lvps/389ds-server) role, so if you're using
both roles in the same playbook you can define them just once:

* dirsrv_rootdn
* dirsrv_rootdn_password
* dirsrv_tls_certificate_trusted
* dirsrv_serverid
* dirsrv_suffix

## Dependencies

None.

But do keep in mind that this role expects 389DS to be already up and running:
it only configures replication between existing servers.

## Example Playbook

More examples, including 389DS installation from the ground up and the
Vagrant configs needed to test them, are available in the [389ds-examples](https://github.com/lvps/389ds-examples/)
repository.

Note that, usually, replication doesn't start immediately because the
["replica generation" is different](https://github.com/colbyprior/389-ldap-server/pull/1#issuecomment-442694193)
between the servers. This can be fixed with the "replica refresh" procedure,
which is described for example in [section 15.2.5](https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_replication-configuring-replication-cmd#Configuring-Replication-InitializingConsumers-cmd)
of the Administration Guide. You will need to perform it on suppliers or on
servers with role "both".

Basically, doing a "replica refresh" forcefully pushes the database from one
supplier to a consumer, replacing the previous consumer database: do this
starting from one supplier and gradually moving toward the others, being careful
not to replace a production database with the empty database of a server that
has just been installed. When two servers have the exact same database,
replication starts automatically and immediately.

The procedure is also explained in more detail in the [389ds-examples](https://github.com/lvps/389ds-examples/#starting-replication)
repository.

### Consumer and supplier

Configure the consumer first; this server will contain a read-only copy of the
database:

```yaml
- hosts: consumer
  become: true

  roles:
    -
      role: lvps.389ds_replication
      dirsrv_replica_role: consumer
      dirsrv_suffix: "dc=example,dc=local"
      dirsrv_server_uri: "ldap://localhost"
      dirsrv_rootdn_password: secret
      dirsrv_replication_user_password: foo # Will create cn=Replication Manager,cn=config with this password
      dirsrv_consumer_referral_to_supplier: "ldap://supplier.example.local:389/"
```

Then configure the supplier; this server will accept writes and push all changes
to the consumer:

```yaml
- hosts: supplier
  become: true

  roles:
    -
      role: lvps.389ds_replication
      dirsrv_replica_role: supplier
      dirsrv_suffix: "dc=example,dc=local"
      dirsrv_server_uri: "ldap://localhost"
      dirsrv_rootdn_password: verysecret
      dirsrv_replication_user_password_remote: foo # Will bind with cn=Replication Manager,cn=config and this password on the other server
      dirsrv_consumer_uri: "ldap://consumer.example.local:389/" # The other server (the consumer defined above)
      dirsrv_supplier_replica_id: 123
```

### Multi-master with two masters

```yaml
- hosts: mm1
  become: true
  roles:
    -
      role: lvps.389ds_replication
      dirsrv_replica_role: 'both'
      dirsrv_suffix: "dc=example,dc=local"
      dirsrv_server_uri: "ldap://localhost"
      dirsrv_rootdn_password: secret1
      dirsrv_replication_user_password: "aaaaaa"
      dirsrv_replication_user_password_remote: "bbbbbb" # On the other server
      dirsrv_consumer_uri: "ldap://mm2.example.local:389/" # The other server
      dirsrv_supplier_replica_id: 1
```

```yaml
- hosts: mm2
  become: true
  roles:
    -
      role: lvps.389ds_replication
      dirsrv_replica_role: 'both'
      dirsrv_suffix: "dc=example,dc=local"
      dirsrv_server_uri: "ldap://localhost"
      dirsrv_rootdn_password: secret2
      dirsrv_replication_user_password: "bbbbbb"
      dirsrv_replication_user_password_remote: "aaaaaa" # On the other server
      dirsrv_consumer_uri: "ldap://mm1.example.local:389/" # The other server
      dirsrv_supplier_replica_id: 2
```

## Known bugs

If `dirsrv_replication_user_password` is changed, no change is reported. This
is because the password actually changes on every run (Ansible can't tell whether the
previous hashed password is the same as the new one, so it is
changed and hashed again), but there's a `changed_when: false` to hide that
detail.

## License

MIT.