Chapter 8. Configuring multi-supplier replication with certificate-based authentication
When you set up replication between two Directory Server instances, you can use certificate-based authentication instead of using a bind DN and password to authenticate to a replication partner.
You can do so by adding a new server to the replication topology and setting up replication agreements between the new host and the existing server using certificate-based authentication.
Certificate-based authentication requires TLS-encrypted connections.
8.1. Preparing accounts and a bind group for the use in replication agreements with certificate-based authentication
To use certificate-based authentication in replication agreements, first prepare the accounts and store the client certificates in the userCertificate attributes of these accounts. Additionally, this procedure creates a bind group that you later use in the replication agreements.
Perform this procedure on the existing host server1.example.com.
Prerequisites
- You enabled TLS encryption in Directory Server.
You stored the client certificates in distinguished encoding rules (DER) format in the
/root/server1.derand/root/server2.derfiles.For details about client certificates and how to request them from your certificate authority (CA), see your CA’s documentation.
Procedure
Create the
ou=servicesentry if it does not exist:# ldapadd -D "cn=Directory Manager" -W -H ldaps://server1.example.com -x dn: ou=services,dc=example,dc=com objectClass: organizationalunit objectClass: top ou: services
Create accounts for both servers, such as
cn=server1,ou=services,dc=example,dc=comandcn=server1,ou=services,dc=example,dc=com:# ldapadd -D "cn=Directory Manager" -W -H ldaps://server1.example.com -x dn: cn=server1,ou=services,dc=example,dc=com objectClass: top objectClass: person objectClass: inetOrgPerson sn: server1 cn: server1 userPassword: password userCertificate:< file:///root/server1.der adding new entry "cn=server1,ou=services,dc=example,dc=com" dn: cn=server2,ou=services,dc=example,dc=com objectClass: top objectClass: person objectClass: inetOrgPerson sn: server2 cn: server2 userPassword: password userCertificate:< file:///root/server2.der adding new entry "cn=server2,ou=services,dc=example,dc=com"
Create a group, such as
cn=repl_servers,dc=groups,dc=example,dc=com:# dsidm -D "cn=Directory Manager" ldaps://server1.example.com -b "dc=example,dc=com" group create --cn "repl_servers"Add the two replication accounts as members to the group:
# dsidm -D "cn=Directory Manager" ldaps://server1.example.com -b "dc=example,dc=com" group add_member repl_servers "cn=server1,ou=services,dc=example,dc=com" # dsidm -D "cn=Directory Manager" ldaps://server1.example.com -b "dc=example,dc=com" group add_member repl_servers "cn=server2,ou=services,dc=example,dc=com"
Additional resources
8.2. Initializing a new server using a temporary replication manager account
Certificate-based authentication uses the certificates stored in the directory. However, before you initialize a new server, the database on server2.example.com is empty and the accounts with the associated certificates do not exist. Therefore, replication using certificates is not possible before the database is initialized. You can overcome this problem by initializing server2.example.com with a temporary replication manager account.
Prerequisites
-
You installed the Directory Server instance on
server2.example.com. -
The database for the
dc=example,dc=comsuffix exists. -
You enabled TLS encryption in Directory Server on both servers,
server1.example.comandserver2.example.com.
Procedure
On
server2.example.com, enable replication for thedc=example,dc=comsuffix:# dsconf -D "cn=Directory Manager" ldaps://server2.example.com replication enable --suffix "dc=example,dc=com" --role "supplier" --replica-id 2 --bind-dn "cn=replication manager,cn=config" --bind-passwd "password"This command configures the
server2.example.comhost as a supplier for thedc=example,dc=comsuffix, and sets the replica ID of this host to2. Additionally, the command creates a temporarycn=replication manager,cn=configuser with the specified password and allows this account to replicate changes for the suffix to this host.The replica ID must be a unique integer between
1and65534for a suffix across all suppliers in the topology.On
server1.example.com:Enable replication:
# dsconf -D "cn=Directory Manager" ldaps://server1.example.com replication enable --suffix="dc=example,dc=com" --role="supplier" --replica-id="1"Create a temporary replication agreement which uses the temporary account from the previous step for authentication:
# dsconf -D "cn=Directory Manager" ldaps://server1.example.com repl-agmt create --suffix="dc=example,dc=com" --host="server1.example.com" --port=636 --conn-protocol=LDAPS --bind-dn="cn=Replication Manager,cn=config" --bind-passwd="password" --bind-method=SIMPLE --init temporary_agreement
Verification
Verify that the initialization was successful:
# dsconf -D "cn=Directory Manager" ldaps://server1.example.com repl-agmt init-status --suffix "dc=example,dc=com" temporary_agreement Agreement successfully initialized.
8.3. Configuring multi-supplier replication with certificate-based authentication
In a multi-supplier replication environment with certificate-based authentication, the replicas authenticate each others using certificates.
Prerequisites
-
You set up certificate-based authentication on both hosts,
server1.example.comandserver2.example.com. - Directory Server trusts the certificate authority (CA) that issues the client certificates.
-
The client certificates meet the requirements set in
/etc/dirsrv/slapd-instance_name/certmap.confon the servers.
Procedure
On
server1.example.com:Remove the temporary replication agreement:
# dsconf -D "cn=Directory Manager" ldaps://server1.example.com repl-agmt delete --suffix="dc=example,dc=com" temporary_agreementAdd the
cn=repl_servers,dc=groups,dc=example,dc=combind group to the replication settings:# dsconf -D "cn=Directory Manager" ldaps://server1.example.com replication set --suffix="dc=example,dc=com" --repl-bind-group "cn=repl_servers,dc=groups,dc=example,dc=com"Configure Directory Server to automatically check for changes in the bind group:
# dsconf -D "cn=Directory Manager" ldaps://server1.example.com replication set --suffix="dc=example,dc=com" --repl-bind-group-interval=0
On
server2.example.com:Remove the temporary replication manager account:
# dsconf -D "cn=Directory Manager" ldaps://server2.example.com replication delete-manager --suffix="dc=example,dc=com" --name="Replication Manager"Add the
cn=repl_servers,dc=groups,dc=example,dc=combind group to the replication settings:# dsconf -D "cn=Directory Manager" ldaps://server2.example.com replication set --suffix="dc=example,dc=com" --repl-bind-group "cn=repl_servers,dc=groups,dc=example,dc=com"Configure Directory Server to automatically check for changes in the bind group:
# dsconf -D "cn=Directory Manager" ldap://server2.example.com replication set --suffix="dc=example,dc=com" --repl-bind-group-interval=0Create the replication agreement with certificate-based authentication:
dsconf -D "cn=Directory Manager" ldaps://server2.example.com repl-agmt create --suffix="dc=example,dc=com" --host="server1.example.com" --port=636 --conn-protocol=LDAPS --bind-method="SSLCLIENTAUTH" --init server2-to-server1
On
server1.example.com, create the replication agreement with certificate-based authentication:dsconf -D "cn=Directory Manager" ldaps://server1.example.com repl-agmt create --suffix="dc=example,dc=com" --host="server2.example.com" --port=636 --conn-protocol=LDAPS --bind-method="SSLCLIENTAUTH" --init server1-to-server2
Verification
Verify on each server that the initialization was successful:
# dsconf -D "cn=Directory Manager" ldaps://server1.example.com repl-agmt init-status --suffix "dc=example,dc=com" server1-to-server2 Agreement successfully initialized. # dsconf -D "cn=Directory Manager" ldaps://server2.example.com repl-agmt init-status --suffix "dc=example,dc=com" server2-to-server1 Agreement successfully initialized.
Additional resources
