Menu Close
Settings Close

Language and Page Formatting Options

Chapter 8. Configuring multi-supplier replication with certificate-based authentication

When you set up replication between two Directory Server instances, you can use certificate-based authentication instead of using a bind DN and password to authenticate to a replication partner.

You can do so by adding a new server to the replication topology and setting up replication agreements between the new host and the existing server using certificate-based authentication.

Important

Certificate-based authentication requires TLS-encrypted connections.

8.1. Preparing accounts and a bind group for the use in replication agreements with certificate-based authentication

To use certificate-based authentication in replication agreements, first prepare the accounts and store the client certificates in the userCertificate attributes of these accounts. Additionally, this procedure creates a bind group that you later use in the replication agreements.

Perform this procedure on the existing host server1.example.com.

Prerequisites

  • You enabled TLS encryption in Directory Server.
  • You stored the client certificates in distinguished encoding rules (DER) format in the /root/server1.der and /root/server2.der files.

    For details about client certificates and how to request them from your certificate authority (CA), see your CA’s documentation.

Procedure

  1. Create the ou=services entry if it does not exist:

    # ldapadd -D "cn=Directory Manager" -W -H ldaps://server1.example.com -x
    
    dn: ou=services,dc=example,dc=com
    objectClass: organizationalunit
    objectClass: top
    ou: services
  2. Create accounts for both servers, such as cn=server1,ou=services,dc=example,dc=com and cn=server1,ou=services,dc=example,dc=com:

    # ldapadd -D "cn=Directory Manager" -W -H ldaps://server1.example.com -x
    
    dn: cn=server1,ou=services,dc=example,dc=com
    objectClass: top
    objectClass: person
    objectClass: inetOrgPerson
    sn: server1
    cn: server1
    userPassword: password
    userCertificate:< file:///root/server1.der
    
    adding new entry "cn=server1,ou=services,dc=example,dc=com"
    
    dn: cn=server2,ou=services,dc=example,dc=com
    objectClass: top
    objectClass: person
    objectClass: inetOrgPerson
    sn: server2
    cn: server2
    userPassword: password
    userCertificate:< file:///root/server2.der
    
    adding new entry "cn=server2,ou=services,dc=example,dc=com"
  3. Create a group, such as cn=repl_servers,dc=groups,dc=example,dc=com:

    # dsidm -D "cn=Directory Manager" ldaps://server1.example.com -b "dc=example,dc=com" group create --cn "repl_servers"
  4. Add the two replication accounts as members to the group:

    # dsidm -D "cn=Directory Manager" ldaps://server1.example.com -b "dc=example,dc=com" group add_member repl_servers "cn=server1,ou=services,dc=example,dc=com"
    
    # dsidm -D "cn=Directory Manager" ldaps://server1.example.com -b "dc=example,dc=com" group add_member repl_servers "cn=server2,ou=services,dc=example,dc=com"

8.2. Initializing a new server using a temporary replication manager account

Certificate-based authentication uses the certificates stored in the directory. However, before you initialize a new server, the database on server2.example.com is empty and the accounts with the associated certificates do not exist. Therefore, replication using certificates is not possible before the database is initialized. You can overcome this problem by initializing server2.example.com with a temporary replication manager account.

Prerequisites

  • You installed the Directory Server instance on server2.example.com.
  • The database for the dc=example,dc=com suffix exists.
  • You enabled TLS encryption in Directory Server on both servers, server1.example.com and server2.example.com.

Procedure

  1. On server2.example.com, enable replication for the dc=example,dc=com suffix:

    # dsconf -D "cn=Directory Manager" ldaps://server2.example.com replication enable --suffix "dc=example,dc=com" --role "supplier" --replica-id 2 --bind-dn "cn=replication manager,cn=config" --bind-passwd "password"

    This command configures the server2.example.com host as a supplier for the dc=example,dc=com suffix, and sets the replica ID of this host to 2. Additionally, the command creates a temporary cn=replication manager,cn=config user with the specified password and allows this account to replicate changes for the suffix to this host.

    The replica ID must be a unique integer between 1 and 65534 for a suffix across all suppliers in the topology.

  2. On server1.example.com:

    1. Enable replication:

      # dsconf -D "cn=Directory Manager" ldaps://server1.example.com replication enable --suffix="dc=example,dc=com" --role="supplier" --replica-id="1"
    2. Create a temporary replication agreement which uses the temporary account from the previous step for authentication:

      # dsconf -D "cn=Directory Manager" ldaps://server1.example.com repl-agmt create --suffix="dc=example,dc=com" --host="server1.example.com" --port=636 --conn-protocol=LDAPS --bind-dn="cn=Replication Manager,cn=config" --bind-passwd="password" --bind-method=SIMPLE --init temporary_agreement

Verification

  1. Verify that the initialization was successful:

    # dsconf -D "cn=Directory Manager" ldaps://server1.example.com repl-agmt init-status --suffix "dc=example,dc=com" temporary_agreement
    Agreement successfully initialized.

8.3. Configuring multi-supplier replication with certificate-based authentication

In a multi-supplier replication environment with certificate-based authentication, the replicas authenticate each others using certificates.

Prerequisites

  • You set up certificate-based authentication on both hosts, server1.example.com and server2.example.com.
  • Directory Server trusts the certificate authority (CA) that issues the client certificates.
  • The client certificates meet the requirements set in /etc/dirsrv/slapd-instance_name/certmap.conf on the servers.

Procedure

  1. On server1.example.com:

    1. Remove the temporary replication agreement:

      # dsconf -D "cn=Directory Manager" ldaps://server1.example.com repl-agmt delete --suffix="dc=example,dc=com" temporary_agreement
    2. Add the cn=repl_servers,dc=groups,dc=example,dc=com bind group to the replication settings:

      # dsconf -D "cn=Directory Manager" ldaps://server1.example.com replication set --suffix="dc=example,dc=com" --repl-bind-group "cn=repl_servers,dc=groups,dc=example,dc=com"
    3. Configure Directory Server to automatically check for changes in the bind group:

      # dsconf -D "cn=Directory Manager" ldaps://server1.example.com replication set --suffix="dc=example,dc=com" --repl-bind-group-interval=0
  2. On server2.example.com:

    1. Remove the temporary replication manager account:

      # dsconf -D "cn=Directory Manager" ldaps://server2.example.com replication delete-manager --suffix="dc=example,dc=com" --name="Replication Manager"
    2. Add the cn=repl_servers,dc=groups,dc=example,dc=com bind group to the replication settings:

      # dsconf -D "cn=Directory Manager" ldaps://server2.example.com replication set --suffix="dc=example,dc=com" --repl-bind-group "cn=repl_servers,dc=groups,dc=example,dc=com"
    3. Configure Directory Server to automatically check for changes in the bind group:

      # dsconf -D "cn=Directory Manager" ldap://server2.example.com replication set --suffix="dc=example,dc=com" --repl-bind-group-interval=0
    4. Create the replication agreement with certificate-based authentication:

      dsconf -D "cn=Directory Manager" ldaps://server2.example.com repl-agmt create --suffix="dc=example,dc=com" --host="server1.example.com" --port=636 --conn-protocol=LDAPS --bind-method="SSLCLIENTAUTH" --init server2-to-server1
  3. On server1.example.com, create the replication agreement with certificate-based authentication:

    dsconf -D "cn=Directory Manager" ldaps://server1.example.com repl-agmt create --suffix="dc=example,dc=com" --host="server2.example.com" --port=636 --conn-protocol=LDAPS --bind-method="SSLCLIENTAUTH" --init server1-to-server2

Verification

  1. Verify on each server that the initialization was successful:

    # dsconf -D "cn=Directory Manager" ldaps://server1.example.com repl-agmt init-status --suffix "dc=example,dc=com" server1-to-server2
    Agreement successfully initialized.
    
    # dsconf -D "cn=Directory Manager" ldaps://server2.example.com repl-agmt init-status --suffix "dc=example,dc=com" server2-to-server1
    Agreement successfully initialized.