Red Hat Summit Red Hat SummitSupportConsoleDéveloppeursCommencer un essaiContact

Ce contenu n'est pas disponible dans la langue sélectionnée.

Chapter 5. Configuring multi-supplier replication with certificate-based authentication

When you set up replication between two Directory Server instances, you can use certificate-based authentication instead of using a bind DN and password to authenticate to a replication partner.

You can do so by adding a new server to the replication topology and setting up replication agreements between the new host and the existing server using certificate-based authentication.

Important

Certificate-based authentication requires TLS-encrypted connections.

To use certificate-based authentication in replication agreements, first prepare the accounts and store the client certificates in the userCertificate attributes of these accounts. Additionally, this procedure creates a bind group that you later use in the replication agreements.

Perform this procedure on the existing host server1.example.com.

Prerequisites

  • You enabled TLS encryption in Directory Server.

  • You stored the client certificates in distinguished encoding rules (DER) format in the /root/server1.der and /root/server2.der files.

    For details about client certificates and how to request them from your certificate authority (CA), see your CA’s documentation.

Procedure

  1. Create the ou=services entry if it does not exist: 

    # ldapadd -D "cn=Directory Manager" -W -H ldaps://server1.example.com -x

dn: ou=services,dc=example,dc=com
objectClass: organizationalunit
objectClass: top
ou: services

  2. Create accounts for both servers, such as cn=server1,ou=services,dc=example,dc=com and cn=server2,ou=services,dc=example,dc=com: 

    # ldapadd -D "cn=Directory Manager" -W -H ldaps://server1.example.com -x

dn: cn=server1,ou=services,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
sn: server1
cn: server1
userPassword: password
userCertificate:< file:///root/server1.der

adding new entry "cn=server1,ou=services,dc=example,dc=com"

dn: cn=server2,ou=services,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
sn: server2
cn: server2
userPassword: password
userCertificate:< file:///root/server2.der

adding new entry "cn=server2,ou=services,dc=example,dc=com"

  3. Create a group, such as cn=repl_servers,dc=groups,dc=example,dc=com: 

    # dsidm <server1_instance_name> -b "dc=example,dc=com" group create --cn "repl_servers"

  4. Add the two replication accounts as members to the group: 

    # dsidm <server1_instance_name> -b "dc=example,dc=com" group add_member repl_servers "cn=server1,ou=services,dc=example,dc=com"

# dsidm <server1_instance_name> -b "dc=example,dc=com" group add_member repl_servers "cn=server2,ou=services,dc=example,dc=com"

Certificate-based authentication uses the certificates stored in the directory. However, before you initialize a new server, the database on server2.example.com is empty and the accounts with the associated certificates do not exist. Therefore, replication using certificates is not possible before the database is initialized. You can overcome this problem by initializing server2.example.com with a temporary replication manager account.

Prerequisites

  • You installed the Directory Server instance on server2.example.com. For details, see Setting up a new instance on the command line using a .inf file.
  • The database for the dc=example,dc=com suffix exists.
  • You enabled TLS encryption in Directory Server on both servers, server1.example.com and server2.example.com.

Procedure

  1. On server2.example.com, enable replication for the dc=example,dc=com suffix: 

    # dsconf <server2_instance_name> replication enable --suffix "dc=example,dc=com" --role "supplier" --replica-id 2 --bind-dn "cn=replication manager,cn=config" --bind-passwd "password"

    This command configures the server2.example.com host as a supplier for the dc=example,dc=com suffix, and sets the replica ID of this host to 2. Additionally, the command creates a temporary cn=replication manager,cn=config user with the specified password and allows this account to replicate changes for the suffix to this host.

    The replica ID must be a unique integer between 1 and 65534 for a suffix across all suppliers in the topology.

  2. On server1.example.com:

    1. Enable replication: 

      # dsconf <server1_instance_name> replication enable --suffix="dc=example,dc=com" --role="supplier" --replica-id="1"

    2. Create a temporary replication agreement which uses the temporary account from the previous step for authentication: 

      # dsconf <server1_instance_name> repl-agmt create --suffix="dc=example,dc=com" --host="server1.example.com" --port=636 --conn-protocol=LDAPS --bind-dn="cn=Replication Manager,cn=config" --bind-passwd="password" --bind-method=SIMPLE --init temporary_agreement

Verification

  1. Verify that the initialization was successful: 

    # dsconf <server1_instance_name> repl-agmt init-status --suffix "dc=example,dc=com" temporary_agreement
Agreement successfully initialized.

In a multi-supplier replication environment with certificate-based authentication, the replicas authenticate each others using certificates.

Prerequisites

  • You set up certificate-based authentication on both hosts, server1.example.com and server2.example.com.
  • Directory Server trusts the certificate authority (CA) that issues the client certificates.
  • The client certificates meet the requirements set in /etc/dirsrv/slapd-instance_name/certmap.conf on the servers.

Procedure

  1. On server1.example.com:

    1. Remove the temporary replication agreement: 

      # dsconf <server1_instance_name> repl-agmt delete --suffix="dc=example,dc=com" temporary_agreement

    2. Add the cn=repl_servers,dc=groups,dc=example,dc=com bind group to the replication settings: 

      # dsconf <server1_instance_name> replication set --suffix="dc=example,dc=com" --repl-bind-group "cn=repl_servers,dc=groups,dc=example,dc=com"

    3. Configure Directory Server to automatically check for changes in the bind group: 

      # dsconf <server1_instance_name> replication set --suffix="dc=example,dc=com" --repl-bind-group-interval=0

  2. On server2.example.com:

    1. Remove the temporary replication manager account: 

      # dsconf <server2_instance_name> replication delete-manager --suffix="dc=example,dc=com" --name="Replication Manager"

    2. Add the cn=repl_servers,dc=groups,dc=example,dc=com bind group to the replication settings: 

      # dsconf <server2_instance_name> replication set --suffix="dc=example,dc=com" --repl-bind-group "cn=repl_servers,dc=groups,dc=example,dc=com"

    3. Configure Directory Server to automatically check for changes in the bind group: 

      # dsconf <server2_instance_name> replication set --suffix="dc=example,dc=com" --repl-bind-group-interval=0

    4. Create the replication agreement with certificate-based authentication: 

      # dsconf <server2_instance_name> repl-agmt create --suffix="dc=example,dc=com" --host="server1.example.com" --port=636 --conn-protocol=LDAPS --bind-method="SSLCLIENTAUTH" --init server2-to-server1*

  3. On server1.example.com, create the replication agreement with certificate-based authentication: 

    # dsconf <server1_instance_name> repl-agmt create --suffix="dc=example,dc=com" --host="server2.example.com" --port=636 --conn-protocol=LDAPS --bind-method="SSLCLIENTAUTH" --init server1-to-server2

Verification

  1. Verify on each server that the initialization was successful: 

    # dsconf <server1_instance_name> repl-agmt init-status --suffix "dc=example,dc=com" server1-to-server2
Agreement successfully initialized.

# dsconf <server2_instance_name> repl-agmt init-status --suffix "dc=example,dc=com" server2-to-server1
Agreement successfully initialized.
Red Hat logoGithubredditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance. Découvrez nos récentes mises à jour.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez le Blog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

Theme

© 2026 Red HatRetour au début