When a DSA needs to communicate with another DSA (either for chaining or replication) it creates a link; in X.500 this is called a DSP (Directory System Protocol) link. X.500 defines a distributed directory service in which multiple DSAs can service requests that arrive at a single entry point. There are three types of DSP link that can be created between two DSAs, one for each authentication level (anonymous, clear-password, ssl-auth).
The authentication level of the link is determined by how the client authenticated to the directory. For example, if a client connected over LDAP using a user DN and password, its requests are sent over a clear-password authenticated DSP link.
The reason I've gone into this level of detail is that the "dsa-password" field is used when creating a DSP link at the clear-password authentication level.
DSA A knowledge (Host 1 & Host 2)
- prefix = <c AU><o CA>
- address = "1.1.1.1"
- dsa-name = <c AU><o CA><cn "DSA A">
- dsa-password = "passwordA"
- auth-levels = anonymous, clear-password, ssl-auth
DSA B knowledge (Host 1 & Host 2)
- prefix = <c AU><o CA>
- address = "1.1.1.2"
- dsa-name = <c AU><o CA><cn "DSA B">
- dsa-password = "passwordB"
- auth-levels = anonymous, clear-password, ssl-auth
Example
- LDAP bind to DSA A using userDN/password
- LDAP sends modify request to DSA A
- DSA A performs the update
- DSA A replicates the update
- DSA A creates a clear-password authenticated DSP link, as the original request was sent in at this level
- DSA A creates a DSP bind request using the "dsa-name" and "dsa-password" from its own knowledge file (DSA A), in this case name = <c AU><o CA><cn "DSA A">, password = "passwordA"
- DSA B receives the bind request
- DSA B first checks whether it has a knowledge file with the same "dsa-name" and finds "DSA A"
- If DSA B finds a match then it will check that the "dsa-password" received matches the local copy "passwordA"
- If the "dsa-password" matches, DSA B checks the address in its knowledge of DSA A ("1.1.1.1") against the address the bind request came from
- If the address check passes then a DSP bind confirm is sent back to DSA A
- Once the link is created the update will be replicated from DSA A to DSA B
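The exchange above, simulated in Python as an added example (this is not CA Directory code; it models the receiver-side checks in the order the steps list them). The knowledge entries are constructed from the DSA A / DSA B values given above. Function names, the anonymous path (no password check, address still checked) and the constant-time password comparison are this example's own assumptions. The example also shows the failure the summary warns about: host 2 holding a copy of DSA A's knowledge with a different "dsa-password".

```python
"""Simulation of the DSP bind checks DSA B performs (added example, not CA Directory code).

Knowledge entries are modelled on the page's DSA A / DSA B values. The
anonymous path (no password check) and the constant-time comparison are
assumptions of this simulation, not documented DSA behaviour.
"""
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Knowledge:
    """One knowledge entry (one dsaX.dxc file) as held on a given host."""
    dsa_name: str
    address: str
    dsa_password: str
    auth_levels: frozenset


@dataclass(frozen=True)
class DspBind:
    """What the initiating DSA sends; built from its OWN knowledge entry."""
    level: str                   # "anonymous" or "clear-password"
    dsa_name: str
    dsa_password: Optional[str]  # absent on an anonymous link
    source_address: str          # peer address the receiver observed


def make_bind(own: Knowledge, level: str, source_address: str) -> DspBind:
    """DSA A side: name and password come from its own knowledge file."""
    pw = own.dsa_password if level == "clear-password" else None
    return DspBind(level, own.dsa_name, pw, source_address)


def dsp_bind_check(local_knowledge: dict, bind: DspBind) -> tuple:
    """DSA B side: dsa-name lookup, then dsa-password, then address."""
    known = local_knowledge.get(bind.dsa_name)
    if known is None:
        return False, "no knowledge file with that dsa-name"
    if bind.level not in known.auth_levels:
        return False, "auth level not permitted by knowledge"
    if bind.level == "clear-password":
        # dsa-password is only consulted on clear-password links
        if bind.dsa_password is None or not hmac.compare_digest(
                bind.dsa_password.encode(), known.dsa_password.encode()):
            return False, "dsa-password mismatch"
    if bind.source_address != known.address:
        return False, "address mismatch"
    return True, "DSP bind confirm"


LEVELS = frozenset({"anonymous", "clear-password", "ssl-auth"})
DSA_A = '<c AU><o CA><cn "DSA A">'
DSA_B = '<c AU><o CA><cn "DSA B">'


def knowledge_on_host(dsa_a_password: str) -> dict:
    """The two knowledge files a host holds; only DSA A's password varies."""
    return {
        DSA_A: Knowledge(DSA_A, "1.1.1.1", dsa_a_password, LEVELS),
        DSA_B: Knowledge(DSA_B, "1.1.1.2", "passwordB", LEVELS),
    }


def replicate(host1_dsa_a_pw: str, host2_dsa_a_pw: str,
              level: str = "clear-password",
              source_address: str = "1.1.1.1") -> tuple:
    """DSA A (host 1) binds to DSA B (host 2) to replicate an update."""
    host1 = knowledge_on_host(host1_dsa_a_pw)  # DSA A reads its own entry here
    host2 = knowledge_on_host(host2_dsa_a_pw)  # DSA B validates against this copy
    bind = make_bind(host1[DSA_A], level, source_address)
    return dsp_bind_check(host2, bind)


if __name__ == "__main__":
    print(replicate("passwordA", "passwordA"))   # consistent copies: confirm
    print(replicate("passwordA", "passwordX"))   # host 2 copy differs: rejected
    print(replicate("passwordA", "passwordA", source_address="10.0.0.9"))
    print(replicate("passwordA", "passwordX", level="anonymous"))  # password unused
```

The second call is the case to watch in practice: DSA A sends "passwordA" from its own file, but DSA B on host 2 compares it with whatever its local copy of dsaA.dxc says, so a stale or hand-edited copy breaks replication only at the clear-password level while anonymous links keep working.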
In summary,
- The "dsa-password" is used when DSAs need to create links with each other
- Every copy of a given knowledge file must carry the same "dsa-password"; for example, each host must hold the same version of knowledge/dsaA.dxc
- The "dsa-password" is only used for clear-password authenticated links
- The "dsa-password" can differ between DSAs (DSA A and DSA B need not share one), but copies of the same DSA's knowledge on different machines must agree. Typically most customers just use the same value for all DSAs
- The "dsa-password" can be obfuscated using the output of "dxpassword -P CADIR password". This is obfuscation, not encryption: the DSA must be able to recover the value, so the knowledge files still need to be protected with file permissions
Note: DSP links are shared between users; requests received from multiple LDAP clients at the same authentication level are sent down the same DSP link.