Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time


A module to configure 389 DS and multimaster replication.

Works with RHEL7, probably also works with Fedora. Not tested or targeted at any other distribution.

Known bugs:

  • Assumes/requires TLS configured if doing replication even if enable_ssl is false.
  • Only able to configure multi-master type replication agreements

Sample usage:

class { 'ds389': }

$replicas = [ '','', '' ]

$root_dn_pass = 'password'
$supplier_dn_pass = 'another_password'

  ds389::site { 'example' :
    root_dn_pass           => 'password',
    supplier_bind_dn_pass  => 'different_password',
    suffix                 => 'dc=example,dc=org',
    cafile                 => '/path/to/ca.pem',
    caname                 => 'Example-CA-Cert',
    certfile               => '/path/to/key_cert.p12',
    enable_ssl             => true,
    enable_replication     => true,
    schema_install         => [ 'eduorg.ldif' ],
    instance_hostname      => "${::fqdn}",
    # delete myself from replicas defined on myself
    replicas               => delete($replicas, "${::fqdn}"),
    replica_id             => 1,
    replica_init           => false  # only true on 1 of your replicas, run puppet on that one last 
  ds389::ldif { 'example.ldif': 
      root_dn_pass  => $root_dn_pass,
      instance      => 'example',
      template_path => 'ldapx'  # lookup templates under ldapx/templates in your module paths 

In actual usage you might keep passwords encrypted in hiera eyaml and look them up to pass to the module. See for information on that.

The ds389::site resource accepts a list of replicas (not including local machine) and configures appropriate replica agreements. One of the replicas should have the replica_init parameter set to true and this one should have puppet run last after the other replicas are configured and running. So the process to start 3 hosts, with host1 being given the replica_init flag:

  1. Generate a key and cert to use for TLS.
  2. The key and cert need to be turned into a pkcs12 keycert whose path will be given as a module param.
  3. Configure puppet code to call module appropriately. Ensure 'replica_init' param is not set on host3 and host2, and ensure you specify unique replica_id param for each host.
  4. Stop puppet service on all 3 hosts (so it doesn't surprise you by running on schedule)
  5. On host3 run 'puppet agent -t'
  6. On host2 run 'puppet agent -t'
  7. Verify in /var/log/dirsrv-/errors and /access that the services on host3 and host2 are running correctly and that SSL/TLS started up. TLS connection is hardcoded into the replication agreements the module creates.
  8. On host1 run 'puppet agent -t'
  9. Check on replication status with the command noted below.

To check on replication status:

ldapsearch -x -b "cn=mapping tree,cn=config" -D "cn=Directory Manager" -W objectClass=nsDS5ReplicationAgreement -LL

If something goes wrong, or you choose not to initialize during puppet setup (replica_init false on all 3 hosts) you can initialize manually from any ONE of the replicas. Choose one host and initialize the others from it…do not repeat the initialization on the other hosts. The example below intializes one replica, repeat ldif with other ldap replica(s).

Either run ldapmodify and paste in the block followed by hitting enter twice, pipe it to ldap modify from a file, or specify the file to use with '-f file.ldif':

ldapmodify -v -x -D "root_dn" -w root_dn_pass

dn: cn=ExampleAgreementName,cn=replica,cn=dc\=example\,dc\=com,cn=mapping tree,cn=config
changetype: modify
replace: nsds5BeginReplicaRefresh
nsds5BeginReplicaRefresh: start

Repeat for each replication agreement on your chosen host (do not re-initialize from other hosts in multi-master config)

More information about setting up and troubleshooting replication from the CLI is available from Redhat. The instructions below are implemented by this module.

Information on monitoring replication status with tools such as Nagios is detailed here:

We have a slight revision of the replication check Nagios script available from our Git repository:


A module to configure 389 DS and multimaster replication






No releases published


No packages published