Hi, I'm trying to set up multi-supplier replication with certificate-based authentication. The only documentation I have found on the subject is: https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/ht... however it doesn't seem to be complete.
I have been doing my test with openSUSE 15.3 and RHEL/CentOS 8 with SELinux disabled.
Attached there are a couple of scripts (dmtest-init and dmtest-agmt) that will help you reproduce my setup so you can tell me what I'm missing or doing wrong.
For testing you need two (virtual) machines and their ip addresses. A minimum text/server installation will do.
Run on the first machine: ./dmtest-init <IP1> <IP2>
The script will configure /etc/hosts so that the machine with IP1 can be reached as host1.example.com and the other as host2.example.com. 389-ds will be installed if not present. A new ds instance will be created, started (password is: password) and configured. /etc/openldap/ldap.conf is configured appropriately. group1 and user1 are created.
Now run on the second machine the same command: ./dmtest-init <IP1> <IP2>. The script will set up the second machine in the same way but with the following differences: the CA database is imported with rsync from host1; a new Server-Cert is created using the CA certificate from host1; group1 and user1 are not created (they should appear on host2 after host1 replicates its database); a temporary replication manager account is created.
At this point the following commands should work on both machines:
ldapsearch -H ldaps://host1.example.com -D "cn=Directory Manager" -w password
ldapsearch -H ldaps://host2.example.com -D "cn=Directory Manager" -w password
Binding with a user certificate should also work:
openssl req -subj "/DC=com/DC=example/OU=people/UID=user1" -newkey rsa:2048 -nodes -keyout cert.key -new -out cert.csr
certutil -C -d /etc/dirsrv/ssca -f /etc/dirsrv/ssca/pwdfile.txt -a -i cert.csr -o cert.crt -c Self-Signed-CA
LDAPTLS_CERT=$PWD/cert.crt LDAPTLS_KEY=$PWD/cert.key ldapsearch -H ldaps://host1.example.com -D "uid=user1,ou=people,dc=example,dc=com"
The next step is the replication setup. Run on host1: ./dstest-agmt. This script will:
- create the group repl_server for nsds5ReplicaBindDNGroup
- create accounts for both hosts
- add the client certificates to the corresponding accounts
- add both accounts to the group repl_server
- create the replica entry
- create the replication agreement (with bootstrap parameters)
These are essentially the steps described in the Red Hat Directory Server 11 documentation, section 15.6.
Now a look at /var/log/dirsrv/slapd-ldaptest/errors shows that the replication bind with the bootstrap parameters works (group1 and user1 are now present on host2) but the replication bind with EXTERNAL auth fails.
- ERR - slapi_ldap_bind - Error: could not bind id [(anon)] authentication mechanism [EXTERNAL]: error 49 (Invalid credentials)
- ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=agreement" (host2:636) - Replication bind with EXTERNAL auth failed: LDAP error 49 (Invalid credentials) ()
- INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=agreement" (host2:636): Replication bind with SIMPLE auth resumed
Clearly there is something wrong with the client certificate setup, but I could not figure out what. Any help is appreciated.
Giacomo Comes
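An offline check for the kind of EXTERNAL-bind failure shown in the errors log above, added here as an illustration and not part of the original post or of the poster's scripts. It assumes the default 389-ds certmap.conf behaviour (DNComps and FilterComps unset, so the supplier's certificate subject, read as an LDAP DN, must equal the DN of the replication account, and with verifycert on the entry's userCertificate;binary must be the very certificate the supplier presents); the account DNs and certificate bytes used below are constructed placeholders.

```python
from typing import List, Optional, Tuple

def openssl_subject_to_dn(subject: str) -> str:
    """Turn an OpenSSL subject ("/DC=com/DC=example/OU=people/UID=user1" or the
    newer "subject=DC = com, DC = example, ...") into an LDAP DN with the most
    specific RDN first: "UID=user1,OU=people,DC=example,DC=com".
    Values containing '/' or ',' are not handled (not needed for these subjects)."""
    subject = subject.strip()
    if subject.startswith("subject="):
        subject = subject[len("subject="):].strip()
    parts = [p for p in subject.split("/") if p] if subject.startswith("/") else subject.split(",")
    rdns = []
    for part in parts:
        attr, _, val = part.partition("=")
        rdns.append(f"{attr.strip()}={val.strip()}")
    return ",".join(reversed(rdns))

def normalize_dn(dn: str) -> List[Tuple[str, str]]:
    """Compare DNs the way the directory does for these attribute types:
    attribute names and values case-insensitive, whitespace around '=' and ',' ignored."""
    out = []
    for rdn in dn.split(","):
        attr, _, val = rdn.partition("=")
        out.append((attr.strip().lower(), val.strip().lower()))
    return out

def mapping_problems(cert_subject: str, account_dn: str, client_cert_der: bytes,
                     entry_cert_der: Optional[bytes], verifycert: bool = True) -> List[str]:
    """Return the reasons the server would refuse to map cert_subject onto account_dn.
    An empty list means the SASL EXTERNAL bind should resolve to that account."""
    problems = []
    mapped = openssl_subject_to_dn(cert_subject)
    if normalize_dn(mapped) != normalize_dn(account_dn):
        problems.append(f"subject maps to '{mapped}', not to '{account_dn}': entry cannot be located")
    if verifycert:
        if entry_cert_der is None:
            problems.append("account has no userCertificate;binary value but verifycert is on")
        elif entry_cert_der != client_cert_der:
            problems.append("userCertificate;binary on the account is not the certificate the client presents")
    return problems

if __name__ == "__main__":
    # Constructed sample: the user1 case from the post maps cleanly...
    fake_der = b"\x30\x82\x01\x00"  # placeholder bytes, not a real certificate
    print(mapping_problems("/DC=com/DC=example/OU=people/UID=user1",
                           "uid=user1,ou=people,dc=example,dc=com", fake_der, fake_der))
    # ...while a Server-Cert whose subject is only a CN does not map onto a replication account.
    print(mapping_problems("/CN=host1.example.com",
                           "uid=host1,ou=services,dc=example,dc=com", fake_der, None))
```

Run it against the real values with `openssl x509 -noout -subject -in <supplier cert>` and the DN and userCertificate;binary of the account in repl_server; any reported problem corresponds to the server answering error 49 to the EXTERNAL bind.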