15.5. Configuring Replication Partners to use Certificate-based Authentication

Instead of using a bind DN and password to authenticate to a replication partner, you can use certificate-based authentication.
The following procedure describes how to add a new server named server2.example.com to the replication topology, and how to set up replication agreements between the new host and the existing server1.example.com using certificate-based authentication:
  1. On both hosts, set up certificate-based authentication. For details, see Section 9.9.1, “Setting up Certificate-based Authentication”.
  2. On the server1.example.com host:
    1. Create accounts for both servers, such as cn=server1,example,dc=com and cn=server2,dc=example,dc=com and add the client certificates to the corresponding accounts. For details, see:
      Both servers will later use these accounts and certificates to authenticate when they establish a replication connection to each other.
    2. Create a group, such as cn=repl_server,ou=Groups,dc=example,dc=com, and add both server accounts. See Section 8.1, “Using Groups”.
    3. Create the replica entry and set the nsds5ReplicaBindDNGroup attribute to the DN of the group created in the previous step:
      # dsconf -D "cn=Directory Manager" ldap://server1.example.com replication \
          enable --suffix="dc=example,dc=com" --role="master" --replica-id="7" \
          --bind-group-dn="cn=repl_server,ou=Groups,dc=example,dc=com"
    4. Set the replica entry's interval in which Directory Server checks if the group has been changed to 0:
      # dsconf -D "cn=Directory Manager" ldap://server1.example.com replication \
           set --suffix="dc=example,dc=com" --repl-bind-group-interval=0
  3. Initialize the new server:
    1. Create a temporary replication manager account, such as cn=Replication Manager,cn=config, on server2.example.com.
    2. On server1.example.com, create a temporary replication agreement which uses the account from the previous step for authentication:
      # dsconf -D "cn=Directory Manager" ldap://server2.example.com repl-agmt \
           create --suffix="dc=example,dc=com" --host="server1.example.com" --port=636 \
           --conn-protocol=LDAPS --bind-dn="cn=Replication Manager,cn=config" \
           --bind-passwd="password" --bind-method=SIMPLE --init \
           temporary_agreement
      This agreement uses the previously-created replication manager account to initialize the database. Before this initialization, the database on server2.example.com is empty and the accounts with the associated certificates do not exist. Therefore, replication using certificates is not possible before the database is initialized.
  4. After the new server has been initialized:
    1. Remove the temporary replication agreement from server1.example.com:
      # dsconf -D "cn=Directory Manager" ldap://server1.example.com repl-agmt \
           delete --suffix="dc=example,dc=com" temporary_agreement
    2. Remove the temporary replication manager account from server2.example.com:
      # dsconf -D "cn=Directory Manager" ldap://server2.example.com replication \
           delete-manager --suffix="dc=example,dc=com" --name="Replication Manager"
  5. Create a replication agreement on both servers that use certificate-based authentication:
    1. On server1.example.com:
      # dsconf -D "cn=Directory Manager" ldap://server1.example.com repl-agmt \
           create --suffix="dc=example,dc=com" --host="server2.example.com" --port=636 \
           --conn-protocol=LDAPS --bind-method="SSLCLIENTAUTH" \
           --init example_agreement
    2. On server2.example.com:
      # dsconf -D "cn=Directory Manager" ldap://server2.example.com repl-agmt \
           create --suffix="dc=example,dc=com" --host="server1.example.com" --port=636 \
           --conn-protocol=LDAPS --bind-method="SSLCLIENTAUTH" \
           --init example_agreement
  6. To verify the replication works correctly, display the nsds5replicaLastUpdateStatus attribute in the replication agreement:
    # dsconf -D "cn=Directory Manager" ldap://server1.example.com repl-agmt status --suffix="dc=example,dc=com" example_agreement
    For details about possible statuses, see the Replication Agreement Status appendix in the Red Hat Directory Server Configuration, Command, and File Reference.