First, we prepare the external directory servers, ds-central-01 and ds-central-02, by creating the proxy user account and the supporting access rules. In this example, we will connect to the ds-central-01 PingDirectory Server using StartTLS. Because we are using StartTLS, we need to capture the ds-central-01 server’s certificate and put it in the trust store on our Directory Proxy Server instance.
The prepare-external-server tool is located in the bin or bat directory of the server root directory, PingDirectoryProxy. In this example, we run the tool on the ds-east-01 instance of the Directory Proxy Server.
Run the prepare-external-server tool to prepare the two new servers. On the first attempted bind to the server, the tool reports a "failed to bind" message because the cn=Proxy User entry has not been created yet. The tool sets up the cn=Proxy User entry so that the Directory Proxy Server can access it and tests the communication settings to the server.

root@proxy-east-01: ./prepare-external-server \
    --hostname ds-central-01.example.com --port 389 \
    --baseDN dc=example,dc=com \
    --proxyBindPassword password \
    --useStartTLS \
    --proxyTrustStorePath ../config/ExampleTruststore.jks

Failed to bind as ‘cn=Proxy User’

Would you like to create or modify root user ‘cn=Proxy User’ so that it is
available for this Directory Proxy Server? (yes / no)[yes]:

Enter the DN of an account on ds-central-01:389 with which to create or
manage the ‘cn=Proxy User’ account [cn=Directory Manager]:

Enter the password for ‘cn=Directory Manager’:

Created ‘cn=Proxy User,cn=Root DNs,cn=config’

Testing ‘cn=Proxy User’ privileges ....Done

Repeat the process on the other new server in the central location, ds-central-02.
Note: For entry-balancing deployments, the global base DN is required when using prepare-external-server.