15.6. Configuring Replication Partners to use Certificate-based Authentication
Instead of using a bind DN and password to authenticate to a replication partner, you can use certificate-based authentication.
The following procedure describes how to add a new server named server2.example.com to the replication topology, and how to set up replication agreements between the new host and the existing server1.example.com using certificate-based authentication:
- On both hosts, set up certificate-based authentication. For details, see Section 9.9.1, “Setting up Certificate-based Authentication”.
- On the server1.example.com host:
  - Create accounts for both servers, such as cn=server1,dc=example,dc=com and cn=server2,dc=example,dc=com, and add the client certificates to the corresponding accounts. For details, see:
    Both servers will later use these accounts and certificates to authenticate when they establish a replication connection to each other.
  - Create a group, such as cn=repl_server,ou=Groups,dc=example,dc=com, and add both server accounts. See Section 8.1, “Using Groups”.
  - Create the replica entry and set the nsds5ReplicaBindDNGroup attribute to the DN of the group created in the previous step:
    # dsconf -D "cn=Directory Manager" ldap://server1.example.com replication \
      enable --suffix="dc=example,dc=com" --role="supplier" --replica-id="7" \
      --bind-group-dn="cn=repl_server,ou=Groups,dc=example,dc=com"
  - Set the interval at which Directory Server checks whether the group has changed to 0 in the replica entry:
    # dsconf -D "cn=Directory Manager" ldap://server1.example.com replication \
      set --suffix="dc=example,dc=com" --repl-bind-group-interval=0
- Initialize the new server:
  - Create a temporary replication manager account, such as cn=Replication Manager,cn=config, on server2.example.com.
  - On server1.example.com, create a temporary replication agreement that uses the account from the previous step for authentication:
    # dsconf -D "cn=Directory Manager" ldap://server1.example.com repl-agmt \
      create --suffix="dc=example,dc=com" --host="server2.example.com" --port=636 \
      --conn-protocol=LDAPS --bind-dn="cn=Replication Manager,cn=config" \
      --bind-passwd="password" --bind-method=SIMPLE --init \
      temporary_agreement
    This agreement uses the previously created replication manager account to initialize the database. Before this initialization, the database on server2.example.com is empty and the accounts with the associated certificates do not exist. Therefore, replication using certificates is not possible before the database is initialized.
- After the new server has been initialized:
  - Remove the temporary replication agreement from server1.example.com:
    # dsconf -D "cn=Directory Manager" ldap://server1.example.com repl-agmt \
      delete --suffix="dc=example,dc=com" temporary_agreement
  - Remove the temporary replication manager account from server2.example.com:
    # dsconf -D "cn=Directory Manager" ldap://server2.example.com replication \
      delete-manager --suffix="dc=example,dc=com" --name="Replication Manager"
- Create a replication agreement on both servers that uses certificate-based authentication:
  - On server1.example.com:
    # dsconf -D "cn=Directory Manager" ldap://server1.example.com repl-agmt \
      create --suffix="dc=example,dc=com" --host="server2.example.com" --port=636 \
      --conn-protocol=LDAPS --bind-method="SSLCLIENTAUTH" \
      --init example_agreement
  - On server2.example.com:
    # dsconf -D "cn=Directory Manager" ldap://server2.example.com repl-agmt \
      create --suffix="dc=example,dc=com" --host="server1.example.com" --port=636 \
      --conn-protocol=LDAPS --bind-method="SSLCLIENTAUTH" \
      --init example_agreement
- To verify that replication works correctly, display the nsds5replicaLastUpdateStatus attribute of the replication agreement:
  # dsconf -D "cn=Directory Manager" ldap://server1.example.com repl-agmt \
    status --suffix="dc=example,dc=com" example_agreement
For details about possible statuses, see the Replication Agreement Status appendix in the Red Hat Directory Server Configuration, Command, and File Reference.
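As an added example that is not part of the Red Hat documentation, the following POSIX shell script checks a replication agreement entry for the end state this procedure is meant to reach: bind method SSLCLIENTAUTH over LDAPS, no stored password credentials left behind by the temporary SIMPLE agreement, and a last update status beginning with "Error (0)". The two LDIF entries are constructed samples; on a real server the entry would be read with ldapsearch from under the replica entry in cn=mapping tree,cn=config. The attribute names nsDS5ReplicaBindMethod, nsDS5ReplicaTransportInfo, nsDS5ReplicaCredentials and nsds5replicaLastUpdateStatus are the agreement attributes behind the dsconf options used above; treating a remaining nsDS5ReplicaCredentials value as a leftover of a password-based agreement is this script's own assumption.

```shell
#!/bin/sh
# Added example, not from the Red Hat Directory Server documentation.
# Checks a replication agreement entry (LDIF text) for the state this
# procedure should end in. On a live server the LDIF would come from:
#   ldapsearch -o ldif-wrap=no -H ldaps://server1.example.com \
#     -D "cn=Directory Manager" -W \
#     -b 'cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config' \
#     '(objectClass=nsds5replicationagreement)'
# Both entries below are constructed samples for this example.

# The final agreement: certificate authentication over LDAPS, healthy status.
SAMPLE_CERT_AGMT='dn: cn=example_agreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: example_agreement
nsDS5ReplicaHost: server2.example.com
nsDS5ReplicaPort: 636
nsDS5ReplicaTransportInfo: LDAPS
nsDS5ReplicaBindMethod: SSLCLIENTAUTH
nsDS5ReplicaRoot: dc=example,dc=com
nsds5replicaLastUpdateStatus: Error (0) Replica acquired successfully: Incremental update succeeded'

# The temporary agreement from the initialization step: password-based and
# expected to be deleted by the end of the procedure. The credential value
# is a placeholder, not real ciphertext.
SAMPLE_TEMP_AGMT='dn: cn=temporary_agreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: temporary_agreement
nsDS5ReplicaHost: server2.example.com
nsDS5ReplicaPort: 636
nsDS5ReplicaTransportInfo: LDAPS
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaBindDN: cn=Replication Manager,cn=config
nsDS5ReplicaCredentials: {PLACEHOLDER}constructed-value
nsDS5ReplicaRoot: dc=example,dc=com
nsds5replicaLastUpdateStatus: Error (0) Replica acquired successfully: Incremental update succeeded'

# ldif_attr LDIF NAME: print the first value of attribute NAME. Attribute
# names are matched case-insensitively, as LDAP does; prints nothing when
# the attribute is absent.
ldif_attr() {
    printf '%s\n' "$1" | awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        {
            line = $0
            key = tolower(substr(line, 1, index(line, ":") - 1))
            if (key == want) {
                sub(/^[^:]*:[ \t]*/, "", line)
                print line
                exit
            }
        }'
}

# agreement_uses_cert_auth LDIF: succeed only if the agreement binds with a
# client certificate over LDAPS and stores no password credentials
# (a remaining nsDS5ReplicaCredentials value is treated as a leftover of a
# SIMPLE-bind agreement; that interpretation is this example's assumption).
agreement_uses_cert_auth() {
    method=$(ldif_attr "$1" nsDS5ReplicaBindMethod)
    transport=$(ldif_attr "$1" nsDS5ReplicaTransportInfo)
    creds=$(ldif_attr "$1" nsDS5ReplicaCredentials)
    [ "$method" = "SSLCLIENTAUTH" ] && [ "$transport" = "LDAPS" ] && [ -z "$creds" ]
}

# replication_status_ok LDIF: succeed if the last update status starts with
# "Error (0)", the prefix Directory Server uses for a successful update.
replication_status_ok() {
    status=$(ldif_attr "$1" nsds5replicaLastUpdateStatus)
    case "$status" in
        "Error (0)"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_agreement LDIF: print a one-line verdict; return 0 only when both
# checks pass.
check_agreement() {
    name=$(ldif_attr "$1" cn)
    if agreement_uses_cert_auth "$1" && replication_status_ok "$1"; then
        echo "$name: OK (SSLCLIENTAUTH over LDAPS, last update succeeded)"
        return 0
    fi
    echo "$name: NOT OK (bind method: $(ldif_attr "$1" nsDS5ReplicaBindMethod);" \
         "status: $(ldif_attr "$1" nsds5replicaLastUpdateStatus))"
    return 1
}

# Run both samples; a failing check is reported, not fatal, when run as a script.
for agmt in "$SAMPLE_CERT_AGMT" "$SAMPLE_TEMP_AGMT"; do
    check_agreement "$agmt" || true
done
```

Run against the real agreement entries after the last step, the script reports the temporary agreement as NOT OK if it still exists, which is exactly the leftover the procedure tells you to remove.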