15.6. Configuring Replication Partners to use Certificate-based Authentication

Instead of using a bind DN and password to authenticate to a replication partner, you can use certificate-based authentication (the SSLCLIENTAUTH bind method). The supplier then presents its client certificate over the TLS connection and the consumer maps that certificate to a directory account, so the replication agreement stores no password.
The following procedure describes how to add a new server to the replication topology and how to set up replication agreements between the new host and the existing server using certificate-based authentication:
  1. On both hosts, set up certificate-based authentication. For details, see Section 9.9.1, “Setting up Certificate-based Authentication”.
  2. On the existing server:
    1. Create accounts for both servers, such as cn=server1,dc=example,dc=com and cn=server2,dc=example,dc=com, and add each server's client certificate to its account. For details, see:
      Both servers later use these accounts and certificates to authenticate when they establish a replication connection to each other: the certificate a server presents is mapped to its account, and that account must be authorized to replicate.
    2. Create a group, such as cn=repl_server,ou=Groups,dc=example,dc=com, and add both server accounts. See Section 8.1, “Using Groups”.
    3. Create the replica entry and set the nsds5ReplicaBindDNGroup attribute to the DN of the group created in the previous step:
      # dsconf -D "cn=Directory Manager" ldap:// replication \
          enable --suffix="dc=example,dc=com" --role="supplier" --replica-id="7" \
          --bind-group-dn="cn=repl_server,ou=Groups,dc=example,dc=com"
    4. Set the interval in which Directory Server checks whether the group has changed to 0, so that the group membership is re-read at each replication session rather than cached and the server accounts are honoured immediately:
      # dsconf -D "cn=Directory Manager" ldap:// replication \
           set --suffix="dc=example,dc=com" --repl-bind-group-interval=0
  3. Initialize the new server:
    1. Create a temporary replication manager account, such as cn=Replication Manager,cn=config, on the new server.
    2. On the existing server, create a temporary replication agreement that uses the account from the previous step for authentication:
      # dsconf -D "cn=Directory Manager" ldap:// repl-agmt \
           create --suffix="dc=example,dc=com" --host="" --port=636 \
           --conn-protocol=LDAPS --bind-dn="cn=Replication Manager,cn=config" \
           --bind-passwd="password" --bind-method=SIMPLE --init \
           temporary_agreement
      This agreement uses the temporary replication manager account to initialize the database. Before this initialization, the database on the new server is empty, so the accounts with the associated certificates do not exist there yet. Therefore, certificate-based replication is not possible until the database has been initialized. Because this agreement carries a password, it is removed again in the next step.
  4. After the new server has been initialized:
    1. Remove the temporary replication agreement from the existing server:
      # dsconf -D "cn=Directory Manager" ldap:// repl-agmt \
           delete --suffix="dc=example,dc=com" temporary_agreement
    2. Remove the temporary replication manager account from the new server, so that no password-based replication identity remains:
      # dsconf -D "cn=Directory Manager" ldap:// replication \
           delete-manager --suffix="dc=example,dc=com" --name="Replication Manager"
  5. Create replication agreements on both servers that use certificate-based authentication (in each command, --host is the other server):
    1. On the existing server:
      # dsconf -D "cn=Directory Manager" ldap:// repl-agmt \
           create --suffix="dc=example,dc=com" --host="" --port=636 \
           --conn-protocol=LDAPS --bind-method="SSLCLIENTAUTH" \
           --init example_agreement
    2. On the new server:
      # dsconf -D "cn=Directory Manager" ldap:// repl-agmt \
           create --suffix="dc=example,dc=com" --host="" --port=636 \
           --conn-protocol=LDAPS --bind-method="SSLCLIENTAUTH" \
           --init example_agreement
  6. To verify that replication works correctly, display the nsds5replicaLastUpdateStatus attribute of the replication agreement:
    # dsconf -D "cn=Directory Manager" ldap:// repl-agmt status --suffix="dc=example,dc=com" example_agreement
    A status beginning with Error (0) means that the last update succeeded. For details about other possible statuses, see the Replication Agreement Status appendix in the Red Hat Directory Server Configuration, Command, and File Reference.
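After the procedure is complete, the security-relevant end state is that every agreement binds with SSLCLIENTAUTH over LDAPS, nothing still references the temporary replication manager account, and the last update status reports Error (0). The following script is an added example, not code from the Red Hat page or from 389 Directory Server; it parses the LDIF that an ldapsearch of the agreement entries under cn=config returns and reports any agreement that violates one of those conditions. The LDIF embedded in it is constructed sample data with made-up hostnames, and the temporary manager name it looks for is assumed to follow the page's cn=Replication Manager,cn=config example.

```python
"""Audit 389 Directory Server replication agreements after switching to
certificate-based authentication.

Added example, not code from the Red Hat page or from 389-ds.  It parses the
LDIF returned by a search such as

    ldapsearch -o ldif-wrap=no -D "cn=Directory Manager" -W -H ldaps://<host> \
        -b cn=config "(objectClass=nsds5replicationAgreement)"

and flags agreements that still bind with SIMPLE, still use plain LDAP, still
reference the temporary "Replication Manager" account, or whose
nsds5replicaLastUpdateStatus does not report "Error (0)".
SAMPLE_LDIF is constructed test data; its hostnames and DNs are made up.
"""
import re
from typing import Dict, List

Entry = Dict[str, List[str]]

# Assumption: the throw-away account was named as in the page's example.
TEMP_MANAGER_RDN = "cn=replication manager"

# 389-ds status strings start with "Error (<code>) <text>"; 0 means success.
STATUS_RE = re.compile(r"^Error \((-?\d+)\)")


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: blank lines separate entries, attribute names are
    lowercased, and folded continuation lines (leading space) are re-joined."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # LDIF line folding
        else:
            lines.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in lines + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def audit_agreement(entry: Entry) -> List[str]:
    """Return a list of findings for one replication agreement entry."""
    findings: List[str] = []
    method = entry.get("nsds5replicabindmethod", [""])[0].upper()
    if method != "SSLCLIENTAUTH":
        findings.append(f"bind method is {method or 'unset'}, expected SSLCLIENTAUTH")
    transport = entry.get("nsds5replicatransportinfo", [""])[0].upper()
    if transport != "LDAPS":
        findings.append(f"transport is {transport or 'unset'}, expected LDAPS")
    bind_dn = entry.get("nsds5replicabinddn", [""])[0].lower()
    if bind_dn.startswith(TEMP_MANAGER_RDN):
        findings.append("still references the temporary replication manager account")
    status = entry.get("nsds5replicalastupdatestatus", [""])[0]
    match = STATUS_RE.match(status)
    if not match:
        findings.append("no last-update status recorded (agreement never ran?)")
    elif match.group(1) != "0":
        findings.append(f"last update failed: {status}")
    return findings


def audit_agreements(ldif_text: str) -> Dict[str, List[str]]:
    """Map each agreement cn to its findings; an empty list means clean."""
    report: Dict[str, List[str]] = {}
    for entry in parse_ldif(ldif_text):
        classes = {v.lower() for v in entry.get("objectclass", [])}
        if "nsds5replicationagreement" not in classes:
            continue  # groups, accounts and other entries are not audited
        report[entry.get("cn", ["?"])[0]] = audit_agreement(entry)
    return report


# Constructed sample: one correct agreement, one leftover temporary agreement.
SAMPLE_LDIF = """\
dn: cn=example_agreement,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replicationAgreement
cn: example_agreement
nsDS5ReplicaRoot: dc=example,dc=com
nsDS5ReplicaHost: replica-b.example.test
nsDS5ReplicaPort: 636
nsDS5ReplicaTransportInfo: LDAPS
nsDS5ReplicaBindMethod: SSLCLIENTAUTH
nsds5replicaLastUpdateStatus: Error (0) Replica acquired successfully: Incre
 mental update succeeded

dn: cn=temporary_agreement,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replicationAgreement
cn: temporary_agreement
nsDS5ReplicaRoot: dc=example,dc=com
nsDS5ReplicaHost: replica-b.example.test
nsDS5ReplicaPort: 389
nsDS5ReplicaTransportInfo: LDAP
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaBindDN: cn=Replication Manager,cn=config
nsds5replicaLastUpdateStatus: Error (49) Problem connecting to replica - LDAP error: Invalid credentials (connection error)

dn: cn=repl_server,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: repl_server
"""

if __name__ == "__main__":
    for name, findings in audit_agreements(SAMPLE_LDIF).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Run it against the real output by piping the ldapsearch result into `audit_agreements`; any non-empty finding list for an agreement means the temporary SIMPLE path from step 3 has not been fully torn down or the certificate-based agreement from step 5 has not yet succeeded.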