The PingDirectory Server provides a means to configure a hub-like, read-only directory server for legacy systems that require it.
The read-only directory server participates in replication but cannot respond to any update requests from an external client. You can configure the Directory Server by setting the writability mode to internal-only, which makes the server operate in read-only mode. Read-only mode directory servers can process update operations from internal operations but reject any write requests from external clients. Because the Directory Server cannot accept write requests, you can configure the server to send a referral, which redirects a client's request to a master server. The client must perform the operation again on the server named in the referral.
For implementers of third-party extensions: many Server SDK extensions use the InternalConnection interface to process operations in the server, rather than issuing LDAP requests over the network. If an extension does so in response to an external update request, then any Directory Server using that extension will effectively respond to external update requests, even though the Directory Server is configured to operate in read-only mode, as described previously. One possible workaround is to split the extension into two extensions, one for reads and one for writes, and then to disable (or not deploy) the write-only extension when configuring a Directory Server in read-only mode.
1. Install two replicating directory servers. For more information on various ways to set up your servers, see Enabling Replication.

2. On the second server, run the dsconfig command to set the writability mode of the server to internal-only.

   $ bin/dsconfig set-global-configuration-prop \
       --set writability-mode:internal-only

3. On the second server, run the dsconfig command to create a referral that instructs the server to redirect client write requests under dc=example,dc=com to server1.example.com:1389. The referral itself is defined as a plugin of type referral-on-update. This command sets up the server to process read operations but redirects all write operations under dc=example,dc=com to another server.

   $ bin/dsconfig create-plugin --plugin-name "Refer Updates" \
       --type referral-on-update \
       --set enabled:true \
       --set referral-base-url:ldap://server1.example.com:1389/ \
       --set "base-dn:dc=example,dc=com"

4. To test the referral, attempt to modify an entry and confirm that the server responds with result code 10 (referral). The resulting message is available in the server's access log.

   $ bin/ldapmodify -p 2389 -D "cn=Directory Manager" -w password
   dn: uid=user.12,ou=People,dc=example,dc=com
   changetype: modify
   replace: telephoneNumber
   telephoneNumber: +1 408 555 1155
[06/Aug/2012:15:28:21.468 -0400] MODIFY RESULT conn=86 op=1 msgID=1 requesterIP="127.0.0.1" dn="uid=user.12,ou=People,dc=example,dc=com" resultCode=10 referralURLs="ldap://server1.example.com:1389/uid=user.12, ou=People,dc=example,dc=com" etime=0.223
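The access log is also the place to verify, on an ongoing basis, that a read-only server really is refusing external writes. The following Python check is an added example, not code from the PingDirectory documentation. It runs over constructed access-log lines modelled on the MODIFY RESULT line above and classifies each write result: a result code 10 whose referral URL points at the intended master is fine; a result code 0 on an ADD, DELETE, MODIFY or MODDN means the server applied an external write despite internal-only writability (the InternalConnection extension case described earlier); and a referral to a host other than the configured master is worth investigating. It assumes that the other write operation types are logged in the same style as the MODIFY line and that several referral URLs would be space-separated; the non-page log lines and the host rogue.example.net are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample access-log lines, modelled on the MODIFY RESULT line shown
# on the page. The first line is the page's own example; the other three are
# made up for this check (a read, a write that unexpectedly succeeded, and a
# referral that points at a host other than the intended master).
SAMPLE_LOG = """\
[06/Aug/2012:15:28:21.468 -0400] MODIFY RESULT conn=86 op=1 msgID=1 requesterIP="127.0.0.1" dn="uid=user.12,ou=People,dc=example,dc=com" resultCode=10 referralURLs="ldap://server1.example.com:1389/uid=user.12,ou=People,dc=example,dc=com" etime=0.223
[06/Aug/2012:15:28:22.101 -0400] SEARCH RESULT conn=87 op=1 msgID=1 requesterIP="10.0.0.5" base="dc=example,dc=com" scope=2 filter="(uid=user.12)" resultCode=0 etime=0.004
[06/Aug/2012:15:28:23.515 -0400] ADD RESULT conn=88 op=1 msgID=1 requesterIP="10.0.0.9" dn="uid=user.99,ou=People,dc=example,dc=com" resultCode=0 etime=0.050
[06/Aug/2012:15:28:24.000 -0400] MODIFY RESULT conn=89 op=1 msgID=1 requesterIP="10.0.0.7" dn="uid=user.3,ou=People,dc=example,dc=com" resultCode=10 referralURLs="ldap://rogue.example.net:389/uid=user.3,ou=People,dc=example,dc=com" etime=0.010
"""

# Operation names for write requests (assumed to be logged in the same style as
# the MODIFY RESULT line on the page).
WRITE_OPS = ("ADD", "DELETE", "MODIFY", "MODDN")

# Fields this check needs, in the order they appear on the page's sample line.
RESULT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<op>[A-Z]+) RESULT '
    r'.*?requesterIP="(?P<ip>[^"]*)"'
    r'.*?resultCode=(?P<rc>\d+)'
    r'(?:.*?referralURLs="(?P<refs>[^"]*)")?'
)


def parse_result_line(line):
    """Return the timestamp, operation, client IP, result code and referral
    URLs of one RESULT line, or None if the line is not a RESULT line."""
    m = RESULT_RE.match(line)
    if m is None:
        return None
    refs = m.group("refs")
    return {
        "ts": m.group("ts"),
        "op": m.group("op"),
        "ip": m.group("ip"),
        "rc": int(m.group("rc")),
        # Assumption: several referral URLs would be separated by spaces.
        "referrals": refs.split() if refs else [],
    }


def audit_write_results(log_text, expected_referral_hosts):
    """Classify every write RESULT line in a read-only server's access log.

    referral_ok              - result code 10 and every referral URL names one
                               of the expected master hosts
    unexpected_referral_host - result code 10, but a referral URL names some
                               other host (or no referral URL was logged)
    external_write_succeeded - result code 0: the read-only server applied an
                               external write, e.g. via an extension that
                               uses InternalConnection
    write_rejected           - any other non-zero result code
    """
    expected = set(expected_referral_hosts)
    findings = []
    for line in log_text.splitlines():
        rec = parse_result_line(line)
        if rec is None or rec["op"] not in WRITE_OPS:
            continue
        if rec["rc"] == 10:
            hosts = {urlparse(u).hostname for u in rec["referrals"]}
            kind = "referral_ok" if hosts and hosts <= expected else "unexpected_referral_host"
        elif rec["rc"] == 0:
            kind = "external_write_succeeded"
        else:
            kind = "write_rejected"
        findings.append({**rec, "kind": kind})
    return findings


if __name__ == "__main__":
    for f in audit_write_results(SAMPLE_LOG, ["server1.example.com"]):
        print(f"{f['ts']} {f['op']:<6} from {f['ip']:<10} rc={f['rc']:<3} {f['kind']}")
```

Run against a real access log, the only lines a correctly configured read-only server should produce for write operations are referral_ok (and write_rejected for ordinary errors); any external_write_succeeded finding indicates a path that bypasses the internal-only writability mode and should be traced back to the extension or configuration responsible.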