How To Setup A Backup LDAP Server Through LDAP Replication With TLS Authentication

Tags: ldapldap replication tlstls authentication

Published on: July 5, 2012 by Scott S

How To Setup A Backup LDAP Server Through LDAP Replication With TLS Authentication


If you have set up replication between servers, it is an always a better practice to encrypt (StartTLS) the replication traffic to stop others from sniffing your data. This is distinct from using encryption with authentication as we did in . Le us see discuss how to do the LDAP replication with tls authetication.

The assumption here is that you have set up replication between Provider and Consumer following and have configured TLS for authentication on the Provider by following


As I mentioned before, the objective for us with replication is high availability for the LDAP service. Since we have TLS for authentication on the Provider we will require the same on the Consumer. What other things to be done is to create a key and certificate for the Consumer and then configure accordingly. We will generate the key/certificate on the Provider, to avoid having to create another CA certificate, and then transfer the necessary files over to the Consumer.

On the Provider(

Create a holding directory (which will be used for the eventual transfer) and then the Consumer’s private key:

root@ldapserver:]# mkdir ldapreplserver-ssl

root@ldapserver:]# cd ldapreplserver-ssl

root@ldapserver:ldapreplserver-ssl]# certtool –generate-privkey –bits 1024 –outfile

Create an info file,, for the Consumer server, adjusting it’s values accordingly:

root@ldapserver:]# vi


organization = Support Sages

cn =




expiration_days = 3650


The expiration_days attribute define the number of days the cert is valid. The above certificate is good for 10 years.(Rough calculation)

Create the Consumer’s certificate:

root@ldapserver:]# certtool –generate-certificate –load-privkey –load-ca-certificate /etc/ssl/certs/cacert.pem  –load-ca-privkey /etc/ssl/private/cakey.pem –template –outfile


Get a copy of the CA certificate:

root@ldapserver:ldapreplserver-ssl]# cp /etc/ssl/certs/cacert.pem .

We’re done. Now transfer the ldapreplserver-ssl directory to the Consumer.

Here we use scp (adjust accordingly):

root@ldapserver:ldapreplserver-ssl]# cd ..

root@ldapserver:]# scp -r ldapreplserver-ssl root@ldapreplserver:

On the Consumer

Install the ssl-cert package first:

root@ldapreplserver:]# apt-get install ssl-cert

Add the openldap user to ssl-cert group and adjust the permissions as shown below:

root@ldapreplserver:]# adduser openldap ssl-cert

root@ldapreplserver:]# cp /etc/ssl/certs

root@ldapreplserver:]# cp /etc/ssl/private

root@ldapreplserver:]# chgrp ssl-cert /etc/ssl/private/

root@ldapreplserver:]# chmod g+r /etc/ssl/private/

root@ldapreplserver:]# chmod o-r /etc/ssl/private/

Create the file /etc/ssl/certinfo.ldif with the following contents (adjust accordingly):

root@ldapreplserver:]# vi /etc/ssl/certinfo.ldif


dn: cn=config

add: olcTLSCACertificateFile

olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem

add: olcTLSCertificateFile

olcTLSCertificateFile: /etc/ssl/certs/

add: olcTLSCertificateKeyFile

olcTLSCertificateKeyFile: /etc/ssl/private/


Configure the slapd-config database:

root@ldapreplserver:]# ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif

Configure /etc/default/slapd as on the Provider (SLAPD_SERVICES).

On the Consumer, configure TLS for Consumer-side replication. Modify the existing olcSyncrepl attribute by tacking on some TLS options. In so doing, we will see, for the first time, how to change an attribute’s value(s).

Create the file consumer_sync_tls.ldif with the following contents:

root@ldapreplserver:]# vi consumer_sync_tls.ldif


dn: olcDatabase={1}hdb,cn=config

replace: olcSyncRepl

olcSyncRepl: rid=0 provider=ldap:// bindmethod=simple binddn=”cn=admin,dc=int,dc=sages,dc=com” credentials=sages123 searchbase=”dc=int,dc=sages,dc=com” logbase=”cn=accesslog” logfilter=”(&(objectClass=auditWriteObject)(reqResult=0))”

schemachecking=on type=refreshAndPersist retry=”60 +” syncdata=accesslog

starttls=critical tls_reqcert=demand


The extra options specify, respectively, that the consumer must use StartTLS and that the CA certificate is required to verify the Provider’s identity.

Implement these changes to our LDAP tree:

root@ldapreplserver:]# ldapmodify -Y EXTERNAL -H ldapi:/// -f consumer_sync_tls.ldif

And restart slapd:

root@ldapreplserver:]# /etc/init.d/slapd restart



On the Provider(,

Check to see that a TLS session has been established. In /var/log/syslog, providing you have ‘conns’-level logging set up, you should see messages similar to:


slapd[3620]: conn=1047 fd=20 ACCEPT from IP=xx.xx.xx.xx:57922 (IP=

slapd[3620]: conn=1047 op=0 EXT oid=

slapd[3620]: conn=1047 op=0 STARTTLS

slapd[3620]: conn=1047 op=0 RESULT oid= err=0 text=

slapd[3620]: conn=1047 fd=20 TLS established tls_ssf=128 ssf=128

slapd[3620]: conn=1047 op=1 BIND dn=”cn=admin,dc=int,dc=sages,dc=com” method=128

slapd[3620]: conn=1047 op=1 BIND dn=”cn=admin,dc=int,dc=sages,dc=com” mech=SIMPLE ssf=0

slapd[3620]: conn=1047 op=1 RESULT tag=97 err=0 text


Category : General, Howtos, Linux

Scott S

Scott S

Scott follows his heart and enjoys design and implementation of advanced, sophisticated enterprise solutions. His never ending passion towards technological advancements, unyielding affinity to perfection and excitement in exploration of new areas, helps him to be on the top of everything he is involved with. This amateur bike stunting expert probably loves cars and bikes much more than his family. He currently spearheads the Enterprise Solutions and Infrastructure Consultancy wing of SupportSages.

You may also read:


Add new commentSIGN IN

Let's Connect


Your Cart

Cart is empty.

Send this to a friend