Hi Mark, > Replication does not use the server's certificate for SSL Client > Authentication. It uses the client certificate in the "Replication > Manager" entry. Sounds like you did not add a user certificate to this > entry.
Your hint seems to clarify something. Thanx for that. First this lead me to the chapter in the documentation which I didn't step over before: https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_replication-configuring-replication-cmd#configuring_replication_partners_to_use_certificate-based_authentication From there I understand that there needs to be an account entry on the supplier corresponding to the supplier's hostname, and that I need to add a client certificate to that entry. It says "Both servers will later use these accounts and certificates to authenticate when they establish a replication connection to each other." So I did that and put the server certificate (issued by the same CA, 'u' flag set) to the account entry. Furthermore as shown in the chapter I put the account entries to a group which is referenced (nsds5replicabinddngroup) in the replica entry on the supplier. I skipped the steps with the temporary replication manager account (with password) and agreement, because I setup the two servers in parallel so I make sure the accounts with the certificates on the consumer do already exist when initializing the replication. Result for now: Still doesn't work. The supplier doesn't send the certificate in the account entry at "cn=supplierhost,dc=..." of the supplier's database. It doesn't send any certificate. This brings me to another question to you: The replication manager entry is the entry on the consumer server from the perspective of the supplier that starts the replication. From where does the supplier take the certificate in a single master scenario where there is no replication manager account on its side? Somehow there is still a missing link between the supplier's hostname and the place for the supplier to get the certificate from to use it in the TLS handshake with the consumer. Regards, Eugen _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
