Source and Destination

Use this dialog box to identify the consumer to which you will replicate directory entries. In addition, this dialog box allows you to define whether or not SSL is used for the connection, and the content you want replicated.

Supplier. This field contains a static display of the name and port number of the supplier server in this agreement. NOTE: This field is only used for naming purposes. If you have chosen to perform replication using TLS/SSL with LDAPS, using the secure port, the Supplier field may still display the non-secure port number; this is expected. Refer to the Connection and Authentication Mechanism values below to see whether the connection is really using TLS/SSL or not.

Consumer. Select the consumer server in the replication agreement from this drop-down menu. To ensure that all servers in your deployment appear in this drop-down menu, you must bind as Administrator. If the consumer server you want still does not appear in the list, click the Other button to enter the host and port of the consumer.

Connection

Use LDAP (no encryption). If you want the supplier and consumer servers to use plain LDAP with no security, select this radio button. This option must be selected to use SASL/GSSAPI authentication (see below).

Use TLS/SSL (TLS/SSL encryption with LDAPS). Deprecated; use StartTLS instead. If you want the supplier and consumer servers to use TLS/SSL for secure communication using LDAPS, select this radio button. To use this option, you must have first configured your servers to use TLS/SSL.

Use StartTLS (TLS/SSL encryption with LDAP). If you want the supplier and consumer servers to use TLS/SSL for secure communication using StartTLS to start an encrypted channel using LDAP, select this radio button. To use this option, you must have first configured your servers to use TLS/SSL.

Authentication Mechanism

Server TLS/SSL Certificate (requires TLS/SSL server set up). Select this option if you want the supplier to use its TLS/SSL server certificate for authentication. You cannot use certificate authentication unless the "Use TLS/SSL" or the "Use StartTLS" radio button in the Connection section is selected. Otherwise, this option will be disabled. The "Bind As" and Password fields are unavailable with this option because the server will use its certificate to authenticate.

To use this option, you must first do the following:

SASL/GSSAPI (requires Kerberos keytab). Select this option if you want the supplier to use its Kerberos server credentials for authentication. You must have the "Use LDAP" radio button in the Connection section selected. Otherwise, this option will be disabled. Note that SASL/GSSAPI will use an encrypted channel, so TLS/SSL is not needed with this option.

To use this option, you must first do the following:

SASL/DIGEST-MD5 (SASL user id and password). Select this option if you want the supplier to use SASL/Digest-MD5 authentication. This option requires a SASL user id and password. You specify them in the Bind As and Password fields (see below). You must configure the consumer server with the appropriate SASL mapping to use this option.

Simple Authentication. Select this option if you want the supplier to use simple authentication during communication. You can choose "Use TLS/SSL" or "Use StartTLS" if you want the simple authentication to take place over a secure channel but without certificates.

Bind As. If you are using Simple or SASL/DIGEST-MD5 authentication, enter the supplier bind DN or SASL user id defined on the consumer server in the Bind As text box.

Password. Enter the password for the Supplier DN or SASL user id in the Password field.

Subtree. Identifies the content to be replicated.

When you are creating a new replication agreement from the Replication folder, you can choose the subtree you want to replicate. If you are creating a new replication agreement from a database under the Replication folder, the subtree is the same as that contained by the database and cannot be changed.
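The Connection and Authentication Mechanism rules described above, expressed as a lint over a replication agreement entry; this is an added example, not part of the original dialog help or the product. The attribute names (nsds5ReplicaTransportInfo, nsds5ReplicaBindMethod, nsds5ReplicaBindDN, nsds5ReplicaCredentials, nsds5ReplicaRoot) and their values are assumed from the 389 Directory Server replication agreement schema and do not appear on this page; the LDIF sample is constructed.

```python
"""Lint a replication agreement entry against the dialog's connection/auth rules."""
# Attribute names and values are assumed from the nsDS5ReplicationAgreement schema.
TRANSPORT_ATTR = "nsds5replicatransportinfo"  # LDAP | SSL (LDAPS) | TLS (StartTLS)
BIND_METHOD_ATTR = "nsds5replicabindmethod"   # SIMPLE | SSLCLIENTAUTH | SASL/GSSAPI | SASL/DIGEST-MD5

def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercased attribute: value} (no base64 '::' or folding)."""
    entry = {}
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry[attr.strip().lower()] = value.strip()
    return entry

def lint_agreement(entry):
    """Return the problems a dialog user would hit, as a list of strings (empty = ok)."""
    problems = []
    transport = entry.get(TRANSPORT_ATTR, "LDAP").upper()
    method = entry.get(BIND_METHOD_ATTR, "SIMPLE").upper()
    secure = transport in ("SSL", "TLS")            # "Use TLS/SSL" or "Use StartTLS"
    if transport == "SSL":
        problems.append("LDAPS transport is deprecated; use StartTLS (TLS)")
    if method == "SSLCLIENTAUTH" and not secure:    # cert auth needs a TLS connection
        problems.append("certificate auth requires TLS/SSL or StartTLS connection")
    if method == "SASL/GSSAPI" and transport != "LDAP":  # GSSAPI encrypts itself
        problems.append("SASL/GSSAPI requires the plain LDAP connection")
    if method in ("SIMPLE", "SASL/DIGEST-MD5"):     # these need Bind As + Password
        if not entry.get("nsds5replicabinddn"):
            problems.append("Bind As (nsds5ReplicaBindDN) is required for " + method)
        if not entry.get("nsds5replicacredentials"):
            problems.append("Password (nsds5ReplicaCredentials) is required for " + method)
    if method == "SIMPLE" and not secure:           # plain LDAP carries the password in clear
        problems.append("simple bind over plain LDAP sends the password in clear text")
    if not entry.get("nsds5replicaroot"):
        problems.append("Subtree (nsds5ReplicaRoot) is missing")
    return problems

# Constructed sample (DN abbreviated): simple auth over plain LDAP.
SAMPLE_AGREEMENT = """
dn: cn=example-agreement,cn=replica,cn=config
objectClass: nsDS5ReplicationAgreement
cn: example-agreement
nsds5ReplicaHost: consumer.example.com
nsds5ReplicaPort: 389
nsds5ReplicaTransportInfo: LDAP
nsds5ReplicaBindMethod: SIMPLE
nsds5ReplicaBindDN: cn=replication manager,cn=config
nsds5ReplicaCredentials: PLACEHOLDER-PASSWORD
nsds5ReplicaRoot: dc=example,dc=com
"""

if __name__ == "__main__":
    for problem in lint_agreement(parse_ldif_entry(SAMPLE_AGREEMENT)):
        print("WARN:", problem)
```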