Disabling Replication in OpenDJ 2.4.

Enabling replication between multiple instances of the OpenDJ LDAP directory server is pretty simple and straightforward. You can check for yourself in the Replication chapter of the Administration Guide.

But fully disabling replication can be tricky with OpenDJ 2.4, mostly because of a known issue with the dsreplication disable --disableAll command (OPENDJ-249: running dsreplication disable --disableAll throws a javax.naming.CommunicationException when removing the contents of "cn=admin data").

We are fixing this issue in OpenDJ 2.5, but for those who have deployed OpenDJ 2.4 and want to know how to fully remove all references to a replica from the topology, here are the steps to disable replication manually:

Note: all these steps are done over LDAP, using ldapmodify or an LDAP browser such as OpenDJ Control Panel's Manage Entries or Apache Directory Studio, connected to each server's administration port. Before starting, back up config/config.ldif and config/admin-backend.ldif on every server: the "cn=admin data" suffix is stored in admin-backend.ldif, and if it ends up without "cn=instance keys,cn=admin data" or without the server's own instance key, the server will refuse to start (see the comments below).

  1. For each replica to be disabled, connect to it on the admin port (4444) and:
    1. MANDATORY: set the "ds-cfg-enabled" property to "false" in "cn=Multimaster Synchronization,cn=Synchronization Providers,cn=config".
    2. OPTIONAL: recursively remove the entries beneath "cn=Multimaster Synchronization,cn=Synchronization Providers,cn=config" using individual delete operations, leaf entries first. Note that the configuration backend does not support the sub-tree delete control, so this has to be done iteratively. This step is not mandatory, since replication was fully disabled in the previous step.
    3. MANDATORY: remove every entry beneath "cn=Servers,cn=admin data", keeping the "cn=Servers,cn=admin data" entry itself. The easiest way to do this is to perform a sub-tree delete and then add the base entry back.
    4. OPTIONAL: remove (purge) unused instance keys from beneath "cn=instance keys,cn=admin data", *except* the server's own key. This step is really independent of replication: administrators should periodically purge unused instance keys anyway once they are sure the keys are no longer needed (for example, keys that were used to sign backups).
    5. MANDATORY: delete all "uniqueMember" values from "cn=all-servers,cn=Server Groups,cn=admin data".
  2. On one of the remaining enabled replicas, connect to it via the admin port and:
    1. MANDATORY: remove the entry of each disabled server from beneath "cn=Servers,cn=admin data".
    2. OPTIONAL: remove (purge) the instance key of each disabled server from beneath "cn=instance keys,cn=admin data" (see 1.4).
    3. MANDATORY: remove each disabled server from the "uniqueMember" values of "cn=all-servers,cn=Server Groups,cn=admin data".
    4. MANDATORY: get the list of all remaining servers from "cn=all-servers,cn=Server Groups,cn=admin data".
  3. For each of the remaining enabled replicas obtained in step 2.4, connect to it via the admin port and:
    1. MANDATORY: remove each disabled server (host:rsPort) from "ds-cfg-replication-server" in "cn=replication server,cn=Multimaster Synchronization,cn=Synchronization Providers,cn=config".
    2. MANDATORY: remove each disabled server (host:rsPort) from "ds-cfg-replication-server" in every "cn=*,cn=domains,cn=Multimaster Synchronization,cn=Synchronization Providers,cn=config" entry.
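To make the procedure above concrete, here is an added example (my own script, not part of the original post or of OpenDJ) that generates the LDIF for the mandatory steps so the changes can be reviewed before they are applied with ldapmodify. The host names, ports and base DNs are constructed; the naming of server entries under "cn=admin data" (cn=host:adminPort,cn=Servers,cn=admin data), the comma-escaped base DN used as cn of each domain entry, and the ds-cfg-branch objectClass of cn=Servers are taken from a default OpenDJ 2.4 install and should be checked against your own admin-backend.ldif before use.

```shell
#!/bin/sh
# Added example, not from the original post: emit the LDIF for the manual
# replication cleanup so it can be reviewed, then fed to ldapmodify on each
# server's admin port. Host names, ports and base DNs are constructed.

SYNC_BASE="cn=Multimaster Synchronization,cn=Synchronization Providers,cn=config"

# Domain entries are named after the base DN they replicate, so commas in the
# base DN must be escaped when it becomes the cn value, e.g.
#   cn=dc=example\,dc=com,cn=domains,<SYNC_BASE>
escape_cn() {
    printf '%s' "$1" | sed 's/,/\\,/g'
}

# Step 1.1 (on the replica being disabled): turn the provider off.
ldif_disable_sync_provider() {
    printf 'dn: %s\nchangetype: modify\nreplace: ds-cfg-enabled\nds-cfg-enabled: false\n\n' "$SYNC_BASE"
}

# Step 1.3 (on the replica being disabled): after
#   ldapdelete -x "cn=Servers,cn=admin data"
# has removed the sub-tree, re-create the empty container (objectClass as in
# the default admin-backend.ldif; assumed, check yours).
ldif_readd_servers_container() {
    printf 'dn: cn=Servers,cn=admin data\nchangetype: add\nobjectClass: top\nobjectClass: ds-cfg-branch\ncn: Servers\n\n'
}

# Step 1.5 (on the replica being disabled): drop every uniqueMember value.
ldif_clear_all_servers_members() {
    printf 'dn: cn=all-servers,cn=Server Groups,cn=admin data\nchangetype: modify\ndelete: uniqueMember\n\n'
}

# Steps 2.1 and 2.3 (on a remaining replica): forget one disabled server,
# identified as host:adminPort, in the ADS. The group is updated first so the
# member value never points at an already deleted entry.
ldif_remove_server_from_ads() {
    server_id="$1"
    printf 'dn: cn=all-servers,cn=Server Groups,cn=admin data\nchangetype: modify\ndelete: uniqueMember\nuniqueMember: cn=%s,cn=Servers,cn=admin data\n\n' "$server_id"
    printf 'dn: cn=%s,cn=Servers,cn=admin data\nchangetype: delete\n\n' "$server_id"
}

# Steps 3.1 and 3.2 (on every remaining replica): remove host:rsPort from the
# replication server entry and from each replicated base DN given as argument.
ldif_remove_replication_server() {
    rs="$1"
    shift
    printf 'dn: cn=replication server,%s\nchangetype: modify\ndelete: ds-cfg-replication-server\nds-cfg-replication-server: %s\n\n' "$SYNC_BASE" "$rs"
    for base_dn in "$@"; do
        printf 'dn: cn=%s,cn=domains,%s\nchangetype: modify\ndelete: ds-cfg-replication-server\nds-cfg-replication-server: %s\n\n' \
            "$(escape_cn "$base_dn")" "$SYNC_BASE" "$rs"
    done
}

# Everything a remaining replica must forget about one disabled server.
ldif_forget_disabled_server() {
    host="$1"; admin_port="$2"; rs_port="$3"
    shift 3
    ldif_remove_server_from_ads "$host:$admin_port"
    ldif_remove_replication_server "$host:$rs_port" "$@"
}

# Everything to apply on the disabled replica itself (steps 1.1, 1.3, 1.5).
ldif_disabled_replica() {
    ldif_disable_sync_provider
    ldif_readd_servers_container
    ldif_clear_all_servers_members
}

# Demo topology (constructed): host1 is retired; dc=example,dc=com plus the
# cn=schema and cn=admin data suffixes that dsreplication also replicates.
ldif_forget_disabled_server host1.example.com 4444 8989 \
    'dc=example,dc=com' 'cn=schema' 'cn=admin data'
```

Redirect the output to a file, read it, then apply it on the admin port with `ldapmodify -h <host> -p 4444 -Z -X -D "cn=Directory Manager" -w <password> -f cleanup.ldif`; for step 2.4, an ldapsearch on "cn=all-servers,cn=Server Groups,cn=admin data" returning uniqueMember gives the list of servers the step 3 changes must be applied to.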

5 thoughts on “Disabling Replication in OpenDJ 2.4.”

  1. Karthik 10 July 2012 / 22:40

    Hi Ludovic,

    We tried disabling replication between the servers using the disableAll option. The parameters with this were the admin port and hostname, and we passed the global admin user and its password (created before enabling replication). The disabling of replication was successful. But when we restarted the server, the OpenDJ process was going into a "maintenance needed" state. We were unable to recover the server. The error in the process logs has the following message:

    ” 0 caught error thread={main(1)} method={publishInstanceKeyEntryInADS(CryptoManagerImpl.java:713)} caught={org.opends.server.types.DirectoryException: Failed to add entry “ds-cfg-key-id=0EF2740D5F1F4D80F7BFA042922693DB,cn=instance keys,cn=admin data”}
    [09/Jul/2012:23:10:38 -0400] 1 caught error thread={main(1)} method={main(DirectoryServer.java:9675)} caught={org.opends.server.types.InitializationException: CryptoManager failed to publish the instance-key-pair public-key-certificate entry in ADS: Failed to add entry “ds-cfg-key-id=0EF2740D5F1F4D80F7BFA042922693DB,cn=instance keys,cn=admin data” (id=262812)}
    [09/Jul/2012:23:10:38 -0400] category=CORE severity=NOTICE msgID=458891 msg=The Directory Server has sent an alert notification generated by class org.opends.server.core.DirectoryServer (alert type org.opends.server.DirectoryServerShutdown, alert ID 458893): The Directory Server has started the shutdown process. The shutdown was initiated by an instance of class org.opends.server.core.DirectoryServer and the reason provided for the shutdown was An error occurred while trying to start the Directory Server: CryptoManager failed to publish the instance-key-pair public-key-certificate entry in ADS: Failed to add entry “ds-cfg-key-id=0EF2740D5F1F4D80F7BFA042922693DB,cn=instance keys,cn=admin data” (id=262812)”

    We tried one more way. Instead of passing the global admin user and password, we passed the bindDN (cn=Directory Manager) and its password when we were disabling replication between the servers. This did not cause any issue with the server restart after disabling replication between the servers. Could you please let us know which one of these is valid to use?

    • Ludo 16 July 2012 / 14:38

      Normally, you would disable replication with the global admin, as it is guaranteed that the user has access to all servers.
      However, due to the issue I mention in the article, it’s preferable to run as cn=Directory Manager and do the cleanup on each instance.
      The error you’re seeing seems to indicate that either cn=admin data suffix is not working or that the entry “cn=instance keys,cn=admin data” is missing.
      I hope this helps.

      Ludo

      • Robb 28 July 2012 / 05:13

        Hi Ludo,

        Can I modify the $OpenDJ 2.4/config/config.ldif directly when I can’t start up the OpenDJ process?

      • Ludo 28 July 2012 / 07:33

        Sure, but make sure you do not mess with the LDIF syntax. Spaces are significant.

      • Robb 01 August 2012 / 03:30

        Thanks, Ludo,

        I solved my problems.

        I found that the $OpenDJ 2.4/config/admin-backend.ldif was empty, and I think this made “cn=instance keys,cn=admin data” missing and made OpenDJ’s startup fail.

        My solution was to restore “cn=admin data” and its sub-entries to admin-backend.ldif; this works for me.
