Replication Connection

Use the Connection tab to display and configure the type of connection and authentication used by your replica during replication. You cannot change the connection type to or from "Use TLS/SSL (TLS/SSL encryption with LDAPS)" because this would require changing the port number. To make that change, re-create the agreement.

Use LDAP (no encryption). If you want the supplier and consumer servers to use plain LDAP with no security, select this radio button. This option must be selected to use SASL/GSSAPI authentication (see below).

Use TLS/SSL (TLS/SSL encryption with LDAPS). Deprecated. If you want the supplier and consumer servers to use TLS/SSL for secure communication using LDAPS, select this radio button. To use this option, you must have first configured your servers to use TLS/SSL. This option is deprecated; use StartTLS instead.

Use StartTLS (TLS/SSL encryption with LDAP). If you want the supplier and consumer servers to use StartTLS to start a TLS/SSL-encrypted channel over LDAP, select this radio button. To use this option, you must have first configured your servers to use TLS/SSL.

Authentication Mechanism

Server TLS/SSL Certificate (requires TLS/SSL server set up). Select this option if you want the supplier to use its TLS/SSL server certificate for authentication. You cannot use certificate authentication unless the "Use TLS/SSL" or the "Use StartTLS" radio button in the Connection section is selected. Otherwise, this option will be disabled. The "Bind As" and Password fields are unavailable with this option because the server will use its certificate to authenticate.

To use this option, you must first do the following:

SASL/GSSAPI (requires Kerberos keytab). Select this option if you want the supplier to use its Kerberos server credentials for authentication. You must have the "Use LDAP" radio button in the Connection section selected. Otherwise, this option will be disabled. Note that SASL/GSSAPI will use an encrypted channel, so TLS/SSL is not needed with this option.

To use this option, you must first do the following:

SASL/DIGEST-MD5 (SASL user id and password). Select this option if you want the supplier to use SASL/Digest-MD5 authentication. This option requires a SASL user id and password. You specify them in the Bind As and Password fields (see below). You must configure the consumer server with the appropriate SASL mapping to use this option.

Simple Authentication. Select this option if you want the supplier to use simple authentication during communication. You can choose "Use TLS/SSL" or "Use StartTLS" if you want the simple authentication to take place over a secure channel but without certificates.

Bind As. If you are using Simple or SASL/DIGEST-MD5 authentication, enter the supplier bind DN or SASL user id defined on the consumer server in the Bind As text box.

Password. Enter the password for the Supplier DN or SASL user id in the Password field.
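
The dependencies between the Connection and Authentication Mechanism options above can be checked outside the console. The following is an added example, not part of the original documentation or the product's own code: it validates a replication agreement entry against the rules stated on this page. It assumes the console options are stored in the agreement attributes nsDS5ReplicaTransportInfo (LDAP, SSL, TLS) and nsDS5ReplicaBindMethod (SIMPLE, SSLCLIENTAUTH, SASL/GSSAPI, SASL/DIGEST-MD5), and the sample entry, host, DNs and function names are constructed for illustration.

```python
# Added example: validates the Connection-tab rules from this page.
# Assumption: console options map to these agreement attribute values.
TRANSPORTS = {"LDAP", "SSL", "TLS"}  # plain LDAP, LDAPS, StartTLS
METHODS = {"SIMPLE", "SSLCLIENTAUTH", "SASL/GSSAPI", "SASL/DIGEST-MD5"}

def parse_ldif_entry(text):
    """Parse one unwrapped LDIF entry into a lower-cased attribute dict."""
    entry = {}
    for line in text.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep and not line.startswith("#"):
            entry[name.strip().lower()] = value.strip()
    return entry

def check_agreement(entry):
    """Return (errors, warnings) for one replication agreement entry."""
    errors, warnings = [], []
    # Assumed defaults when the attributes are absent: LDAP and SIMPLE.
    transport = entry.get("nsds5replicatransportinfo", "LDAP").upper()
    method = entry.get("nsds5replicabindmethod", "SIMPLE").upper()
    creds = [entry.get("nsds5replicabinddn"), entry.get("nsds5replicacredentials")]
    if transport not in TRANSPORTS:
        errors.append(f"unknown connection type {transport!r}")
    if method not in METHODS:
        errors.append(f"unknown authentication mechanism {method!r}")
    if method == "SSLCLIENTAUTH":
        if transport == "LDAP":
            errors.append("certificate authentication requires TLS/SSL or StartTLS")
        if any(creds):
            warnings.append("Bind As/Password are not used with certificate authentication")
    elif method == "SASL/GSSAPI" and transport != "LDAP":
        errors.append("SASL/GSSAPI requires the 'Use LDAP' connection type")
    elif method in ("SIMPLE", "SASL/DIGEST-MD5") and not all(creds):
        errors.append(f"{method} requires both Bind As and Password")
    if method == "SIMPLE" and transport == "LDAP":
        warnings.append("simple authentication over plain LDAP has no encryption")
    if transport == "SSL":
        warnings.append("LDAPS is deprecated; use StartTLS instead")
    return errors, warnings

# Constructed sample agreement (hypothetical host, DNs; not from a real server).
SAMPLE = """
dn: cn=example-agreement,cn=replica,cn=config
nsDS5ReplicaHost: consumer.example.com
nsDS5ReplicaTransportInfo: LDAP
nsDS5ReplicaBindMethod: SSLCLIENTAUTH
nsDS5ReplicaBindDN: cn=replication manager,cn=config
"""

if __name__ == "__main__":
    print(check_agreement(parse_ldif_entry(SAMPLE)))
```
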