---
title: Configuring a read-only server
description: The PingDirectory server provides a means to configure a hub-like, read-only server for legacy systems that require it.
component: pingdirectory
version: 11.0
page_id: pingdirectory:pingdirectory_server_administration_guide:pd_ds_config_read_only_server
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdirectory_server_administration_guide/pd_ds_config_read_only_server.html
revdate: September 13, 2023
section_ids:
  about-this-task: About this task
  steps: Steps
  example: Example:
  example-2: Example:
  example-3: Example:
  result: Result:
---

# Configuring a read-only server

The PingDirectory server provides a means to configure a hub-like, read-only server for legacy systems that require it.

## About this task

The read-only PingDirectory server participates in replication but cannot respond to any update requests from an external client. To make a server operate in read-only mode, set its writability mode to `internal-only`. In this mode, the server processes update operations that come from internal operations but rejects any write requests from external clients. Because the server cannot accept write requests, you can configure it to send a referral, which redirects a client's request to a primary server. The client must perform the operation again on the server named in the referral.

For implementers of third-party extensions: many Server SDK extensions use the `InternalConnection` interface to process operations in the server, rather than issuing LDAP requests over the network. If an extension does so in response to an external update request, then any PingDirectory server using that extension will effectively respond to external update requests, even though the server is configured to operate in read-only mode, as described previously. One possible workaround is to split the extension into two extensions, one for reads and one for writes, and then to disable (or not deploy) the write-only extension when configuring a PingDirectory server in read-only mode.

## Steps

1. Install two replicating PingDirectory servers.

   For more information on various ways to set up your servers, see [Enabling replication](pd_ds_enable_replication.html).

2. On the second server, run the `dsconfig` command to set the writability mode of the server to internal-only.

   ### Example:

   ```shell
   $ bin/dsconfig set-global-configuration-prop \
     --set writability-mode:internal-only
   ```

3. On the second server, run the `dsconfig` command to create a referral that instructs the server to redirect client write requests under `dc=example,dc=com` to server1.example.com:1389.

   The referral itself is defined as a plugin of type `referral-on-update`. This command sets up the server to process read operations but redirects all write operations under `dc=example,dc=com` to another server.

   ### Example:

   ```shell
   $ bin/dsconfig create-plugin --plugin-name "Refer Updates" \
     --type referral-on-update \
     --set enabled:true \
     --set referral-base-url:ldap://server1.example.com:1389/ \
     --set "base-dn:dc=example,dc=com"
   ```

4. To test the referral, attempt to modify an entry and confirm that the server responds with the result code of 10.

   The resulting message is available in the server's access log.

   ### Example:

   ```shell
   $ bin/ldapmodify -p 2389 -D "cn=Directory Manager" -w password
   dn: uid=user.12,ou=People,dc=example,dc=com
   changetype:modify
   replace:telephoneNumber
   telephoneNumber: +1 408 555 1155
   ```

   ### Result:

   ```
   [06/Aug/2012:15:28:21.468 -0400] MODIFY
   RESULT conn=86 op=1 msgID=1 requesterIP="127.0.0.1"
   dn="uid=user.12,ou=People,dc=example,dc=com" resultCode=10
   referralURLs="ldap://server1.example.com:1389/uid=user.12,
   ou=People,dc=example,dc=com" etime=0.223
   ```
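To repeat the step 4 check across a whole access log, the following added example (not part of the PingDirectory documentation) flags every write result that was not answered with result code 10 and a referral to the primary from step 3. A write that succeeds locally is what the Server SDK note above warns about. The function names, the `EXPECTED_REFERRAL` variable, and the sample records are constructed for illustration; the script assumes each log record is on a single line and that ADD, DELETE, and MODDN results use the same layout as the MODIFY RESULT record shown above.

```shell
#!/bin/sh
# Added example (not from the PingDirectory documentation).
# Primary server named in referral-base-url in step 3.
EXPECTED_REFERRAL='ldap://server1.example.com:1389/'

# check_referrals [LOGFILE...]
# Reads access log records (one per line; stdin if no file is given) and
# prints every write RESULT that was not referred to EXPECTED_REFERRAL.
# Returns 1 if at least one such record was found, 0 otherwise.
check_referrals() {
  awk -v want="$EXPECTED_REFERRAL" '
    # Field 3 is the operation, field 4 the message type. ADD, DELETE and
    # MODDN records are assumed to share the MODIFY RESULT layout.
    $3 ~ /^(ADD|DELETE|MODIFY|MODDN)$/ && $4 == "RESULT" {
      code = ""; url = ""
      if (match($0, /resultCode=[0-9]+/))
        code = substr($0, RSTART + 11, RLENGTH - 11)
      if (match($0, /referralURLs="[^"]*"/))
        url = substr($0, RSTART + 14, RLENGTH - 15)
      reason = ""
      if (code != "10")               reason = "NOT_REFERRED"
      else if (index(url, want) != 1) reason = "WRONG_TARGET"
      if (reason != "") {
        printf "%s %s %s resultCode=%s\n", reason, $5, $6, code
        bad = 1
      }
    }
    END { exit bad + 0 }
  ' "$@"
}

# Constructed sample records, modelled on the Result block in step 4.
sample_log() {
  cat <<'EOF'
[06/Aug/2012:15:28:21.468 -0400] MODIFY RESULT conn=86 op=1 msgID=1 requesterIP="127.0.0.1" dn="uid=user.12,ou=People,dc=example,dc=com" resultCode=10 referralURLs="ldap://server1.example.com:1389/uid=user.12,ou=People,dc=example,dc=com" etime=0.223
[06/Aug/2012:15:29:02.101 -0400] SEARCH RESULT conn=87 op=1 msgID=2 requesterIP="127.0.0.1" resultCode=0 etime=1.402
[06/Aug/2012:15:30:44.770 -0400] ADD RESULT conn=88 op=1 msgID=2 requesterIP="127.0.0.1" dn="uid=user.99,ou=People,dc=example,dc=com" resultCode=0 etime=3.118
[06/Aug/2012:15:31:10.003 -0400] DELETE RESULT conn=89 op=1 msgID=2 requesterIP="127.0.0.1" dn="uid=user.13,ou=People,dc=example,dc=com" resultCode=10 referralURLs="ldap://server9.example.com:1389/uid=user.13,ou=People,dc=example,dc=com" etime=0.198
EOF
}

sample_log | check_referrals || echo "write results need review"
```

Pass the read-only server's access log file as an argument to `check_referrals` to run the same check against real records; a non-zero exit status means at least one write was either processed locally or referred to a server other than the expected primary.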
