Red Hat Summit Red Hat SummitSuporteConsoleDesenvolvedoresComeçar um testeContato

Este conteúdo não está disponível no idioma selecionado.

Chapter 5. Configuring multi-supplier replication with certificate-based authentication

When you set up replication between two Directory Server instances, you can use certificate-based authentication instead of using a bind DN and password to authenticate to a replication partner.

You can do so by adding a new server to the replication topology and setting up replication agreements between the new host and the existing server using certificate-based authentication.

Important

Certificate-based authentication requires TLS-encrypted connections.

To use certificate-based authentication in replication agreements, first prepare the accounts and store the client certificates in the userCertificate attributes of these accounts. Additionally, this procedure creates a bind group that you later use in the replication agreements.

Perform this procedure on the existing host server1.example.com.

Prerequisites

  • You enabled TLS encryption in Directory Server.

  • You stored the client certificates in distinguished encoding rules (DER) format in the /root/server1.der and /root/server2.der files.

    For details about client certificates and how to request them from your certificate authority (CA), see your CA’s documentation.

Procedure

  1. Create the ou=services entry if it does not exist: 

    # ldapadd -D "cn=Directory Manager" -W -H ldaps://server1.example.com -x

dn: ou=services,dc=example,dc=com
objectClass: organizationalunit
objectClass: top
ou: services
    Copy to Clipboard Toggle word wrap

  2. Create accounts for both servers, such as cn=server1,ou=services,dc=example,dc=com and cn=server2,ou=services,dc=example,dc=com: 

    # ldapadd -D "cn=Directory Manager" -W -H ldaps://server1.example.com -x

dn: cn=server1,ou=services,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
sn: server1
cn: server1
userPassword: password
userCertificate:< file:///root/server1.der

adding new entry "cn=server1,ou=services,dc=example,dc=com"

dn: cn=server2,ou=services,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
sn: server2
cn: server2
userPassword: password
userCertificate:< file:///root/server2.der

adding new entry "cn=server2,ou=services,dc=example,dc=com"
    Copy to Clipboard Toggle word wrap

  3. Create a group, such as cn=repl_servers,dc=groups,dc=example,dc=com: 

    # dsidm <server1_instance_name> -b "dc=example,dc=com" group create --cn "repl_servers"
    Copy to Clipboard Toggle word wrap

  4. Add the two replication accounts as members to the group: 

    # dsidm <server1_instance_name> -b "dc=example,dc=com" group add_member repl_servers "cn=server1,ou=services,dc=example,dc=com"

# dsidm <server1_instance_name> -b "dc=example,dc=com" group add_member repl_servers "cn=server2,ou=services,dc=example,dc=com"
    Copy to Clipboard Toggle word wrap

5.2. Initializing a new server using a temporary replication manager account
Copiar o link

Certificate-based authentication uses the certificates stored in the directory. However, before you initialize a new server, the database on server2.example.com is empty and the accounts with the associated certificates do not exist. Therefore, replication using certificates is not possible before the database is initialized. You can overcome this problem by initializing server2.example.com with a temporary replication manager account.

Prerequisites

  • You installed the Directory Server instance on server2.example.com. For details, see Setting up a new instance on the command line using a .inf file.
  • The database for the dc=example,dc=com suffix exists.
  • You enabled TLS encryption in Directory Server on both servers, server1.example.com and server2.example.com.

Procedure

  1. On server2.example.com, enable replication for the dc=example,dc=com suffix: 

    # dsconf <server2_instance_name> replication enable --suffix "dc=example,dc=com" --role "supplier" --replica-id 2 --bind-dn "cn=replication manager,cn=config" --bind-passwd "password"
    Copy to Clipboard Toggle word wrap

    This command configures the server2.example.com host as a supplier for the dc=example,dc=com suffix, and sets the replica ID of this host to 2. Additionally, the command creates a temporary cn=replication manager,cn=config user with the specified password and allows this account to replicate changes for the suffix to this host.

    The replica ID must be a unique integer between 1 and 65534 for a suffix across all suppliers in the topology.

  2. On server1.example.com:

    1. Enable replication: 

      # dsconf <server1_instance_name> replication enable --suffix="dc=example,dc=com" --role="supplier" --replica-id="1"
      Copy to Clipboard Toggle word wrap

    2. Create a temporary replication agreement which uses the temporary account from the previous step for authentication: 

      # dsconf <server1_instance_name> repl-agmt create --suffix="dc=example,dc=com" --host="server1.example.com" --port=636 --conn-protocol=LDAPS --bind-dn="cn=Replication Manager,cn=config" --bind-passwd="password" --bind-method=SIMPLE --init temporary_agreement
      Copy to Clipboard Toggle word wrap

Verification

  1. Verify that the initialization was successful: 

    # dsconf <server1_instance_name> repl-agmt init-status --suffix "dc=example,dc=com" temporary_agreement
Agreement successfully initialized.
    Copy to Clipboard Toggle word wrap

5.3. Configuring multi-supplier replication with certificate-based authentication
Copiar o link

In a multi-supplier replication environment with certificate-based authentication, the replicas authenticate each others using certificates.

Prerequisites

  • You set up certificate-based authentication on both hosts, server1.example.com and server2.example.com.
  • Directory Server trusts the certificate authority (CA) that issues the client certificates.
  • The client certificates meet the requirements set in /etc/dirsrv/slapd-instance_name/certmap.conf on the servers.

Procedure

  1. On server1.example.com:

    1. Remove the temporary replication agreement: 

      # dsconf <server1_instance_name> repl-agmt delete --suffix="dc=example,dc=com" temporary_agreement
      Copy to Clipboard Toggle word wrap

    2. Add the cn=repl_servers,dc=groups,dc=example,dc=com bind group to the replication settings: 

      # dsconf <server1_instance_name> replication set --suffix="dc=example,dc=com" --repl-bind-group "cn=repl_servers,dc=groups,dc=example,dc=com"
      Copy to Clipboard Toggle word wrap

    3. Configure Directory Server to automatically check for changes in the bind group: 

      # dsconf <server1_instance_name> replication set --suffix="dc=example,dc=com" --repl-bind-group-interval=0
      Copy to Clipboard Toggle word wrap

  2. On server2.example.com:

    1. Remove the temporary replication manager account: 

      # dsconf <server2_instance_name> replication delete-manager --suffix="dc=example,dc=com" --name="Replication Manager"
      Copy to Clipboard Toggle word wrap

    2. Add the cn=repl_servers,dc=groups,dc=example,dc=com bind group to the replication settings: 

      # dsconf <server2_instance_name> replication set --suffix="dc=example,dc=com" --repl-bind-group "cn=repl_servers,dc=groups,dc=example,dc=com"
      Copy to Clipboard Toggle word wrap

    3. Configure Directory Server to automatically check for changes in the bind group: 

      # dsconf <server2_instance_name> replication set --suffix="dc=example,dc=com" --repl-bind-group-interval=0
      Copy to Clipboard Toggle word wrap

    4. Create the replication agreement with certificate-based authentication: 

      # dsconf <server2_instance_name> repl-agmt create --suffix="dc=example,dc=com" --host="server1.example.com" --port=636 --conn-protocol=LDAPS --bind-method="SSLCLIENTAUTH" --init server2-to-server1*
      Copy to Clipboard Toggle word wrap

  3. On server1.example.com, create the replication agreement with certificate-based authentication: 

    # dsconf <server1_instance_name> repl-agmt create --suffix="dc=example,dc=com" --host="server2.example.com" --port=636 --conn-protocol=LDAPS --bind-method="SSLCLIENTAUTH" --init server1-to-server2
    Copy to Clipboard Toggle word wrap

Verification

  1. Verify on each server that the initialization was successful: 

    # dsconf <server1_instance_name> repl-agmt init-status --suffix "dc=example,dc=com" server1-to-server2
Agreement successfully initialized.

# dsconf <server2_instance_name> repl-agmt init-status --suffix "dc=example,dc=com" server2-to-server1
Agreement successfully initialized.
    Copy to Clipboard Toggle word wrap
Voltar ao topo
Red Hat logoGithubredditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

Theme

© 2025 Red Hat