What FQDN should the CA certificate have in the cert subjectDN?  I usually use 
certutil to create a CA cert and distribute it across the servers and clients 
so that they can use TLS.

Thanks.

-----Original Message-----
From: Rich Megginson [mailto:rmegg...@redhat.com] 
Sent: Tuesday, July 24, 2012 11:00 AM
To: Chaudhari, Rohit K.
Cc: 389 Directory server developer discussion.
Subject: Re: [389-devel] Setting up 389 DS without DNS

On 07/24/2012 08:57 AM, Chaudhari, Rohit K. wrote:
> Well ultimately, what we are trying to do is communicate between a server VM 
> on a host machine and a client VM on a local machine.  When the user attempts 
> to log in to his/her account on the local machine, he/she authenticates 
> against the LDAP server on the host machine.  Is there anything that would 
> have to change in order for this to work without DNS?

As long as both the server and the client have both the client and the 
server in their /etc/hosts, with the FQDN listed first, and the LDAP 
server certificate has that same FQDN as the value of the cn attribute 
in the cert subjectDN, it should work.

Otherwise, if you are having specific problems, and can provide specific 
error codes and error messages (and preferably directory server logs), 
we can try to figure out what is going on.

But I will reiterate - DNS is not required to get this to work.

>
> Thanks for your time and speedy responses this morning.
>
> -----Original Message-----
> From: Rich Megginson [mailto:rmegg...@redhat.com]
> Sent: Tuesday, July 24, 2012 10:55 AM
> To: Chaudhari, Rohit K.
> Cc: 389 Directory server developer discussion.
> Subject: Re: [389-devel] Setting up 389 DS without DNS
>
> On 07/24/2012 08:51 AM, Chaudhari, Rohit K. wrote:
>> So just for clarification, is this how I set it up:
>>
>> create new entries for your VMs with unique MACs and IP addresses
>> edit /etc/hosts - add entries for your IP addresses and your new hosts - make 
>> sure the FQDN is the first name e.g. 192.168.122.2 myhost.mydomain.com myhost
>>
>> If there is anything simpler or something that I missed just let me know.
> No, that's it.  That's what I use for doing TLS/SSL testing among
> virtual machines on the same host system.
>
>> Thanks.
>>
>> -----Original Message-----
>> From: Rich Megginson [mailto:rmegg...@redhat.com]
>> Sent: Tuesday, July 24, 2012 10:49 AM
>> To: 389 Directory server developer discussion.
>> Cc: Chaudhari, Rohit K.
>> Subject: Re: [389-devel] Setting up 389 DS without DNS
>>
>> On 07/23/2012 08:58 PM, Chaudhari, Rohit K. wrote:
>>> Thanks everyone for the quick response.  We do need to use TLS for doing 
>>> LDAP authentication for users to sign in.  So based on the notes below, the 
>>> lack of DNS will not work.  How can I get TLS and no-DNS to work together?
>> It does work.  Perhaps it is in violation of some spec somewhere
>> (link?), but using /etc/hosts or even NIS host maps will work.  DNS is
>> not a requirement to get it to work.
>>
>>> Thanks.
>>> ________________________________________
>>> From: 389-devel-boun...@lists.fedoraproject.org 
>>> [389-devel-boun...@lists.fedoraproject.org] On Behalf Of Rich Megginson 
>>> [rmegg...@redhat.com]
>>> Sent: Monday, July 23, 2012 8:09 PM
>>> To: 389 Directory server developer discussion.
>>> Subject: Re: [389-devel] Setting up 389 DS without DNS
>>>
>>> On 07/23/2012 05:13 PM, Paul Robert Marino wrote:
>>>
>>> On Jul 23, 2012 5:15 PM, "Rich Megginson" <rmegg...@redhat.com> wrote:
>>>> On 07/23/2012 02:46 PM, Chaudhari, Rohit K. wrote:
>>>>> Hey 389 community,
>>>>>
>>>>>
>>>>>
>>>>> I had a question.  We want to set up 389-ds on a Red Hat VM without DNS.  
>>>>> I read online that disabling SELinux would allow us to accomplish this.  
>>>>> Is this true or false?
>>>> False.  AFAIK it has nothing to do with SELinux.  Where did you read this?
>>>>
>>>>
>>>>> If DNS cannot be disabled, how do we create a dummy DNS so that 
>>>>> replication and single sign-on from client to the server can occur?  Do 
>>>>> we have to hard-code IP addresses or something else?  Thank you for your 
>>>>> time this afternoon.
>>>> It depends.  If you are using Fedora/RHEL virtualization, you just have to
>>>> virsh net-edit default - create new entries for your VMs with unique MACs 
>>>> and IP addresses
>>>> edit /etc/hosts - add entries for your IP addresses and your new hosts - 
>>>> make sure the FQDN is the first name e.g.
>>>> 192.168.122.2 myhost.mydomain.com    myhost
>>>>
>>> This will only work if you don't intend to use TLS encryption
>>> TLS requires full forward and reverse 'DNS' lookup and won't work properly 
>>> with entries in the /etc/hosts file per the RFC that defines the TLS 
>>> standard.
>>>
>>> Hmm - I've successfully done this with /etc/hosts files - what exactly is 
>>> the problem with that?  What specifically requires a DNS lookup and not a 
>>> getent hosts?
>>>
>>>>> Thanks.
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> 389-devel mailing list
>>>>> 389-devel@lists.fedoraproject.org
>>>>> https://admin.fedoraproject.org/mailman/listinfo/389-devel
>>>


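An added example, not code from this thread or from 389 DS, modelling the naming rule Rich describes above: the server's own short hostname resolves through /etc/hosts to a canonical name (the first name on the matching line), that canonical name is what goes into the server certificate's CN, and a client verifies the name it connected with against that CN (or against the SAN dNSName entries when the certificate has them, since those take precedence). The hosts-file content and all names are constructed for illustration; the certutil invocation in the docstring assumes the standard `-s` subject argument and a placeholder NSS database path. Note that the hostname check applies to the server's end-entity certificate only; the CA certificate's subject is never matched against a hostname, it only has to match the issuer field of the certificates it signs.

```python
"""Hostname-vs-certificate check for an LDAP/TLS setup that uses /etc/hosts
instead of DNS.  Added example (not 389 DS code); the hosts content and the
certificate names below are constructed for illustration.

Server side with NSS certutil (assumed standard invocation; adjust the
database path and nicknames to your instance):
  certutil -S -d /path/to/nssdb -n "Server-Cert" \
      -s "CN=myhost.mydomain.com" -c "CA certificate" -t ",," -v 120
The CN must be the canonical name that server_cert_name() returns.
"""
import ipaddress

# Constructed hosts(5) content.  The 192.168.122.2 line follows the thread's
# advice (FQDN first); the 192.168.122.4 line shows the wrong order.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
192.168.122.2   myhost.mydomain.com myhost
192.168.122.3   client1.mydomain.com client1
192.168.122.4   badhost badhost.mydomain.com   # short name first: wrong
"""


def parse_hosts(text):
    """Return {address: [names...]}; '#' comments and blank lines are ignored."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        if names:
            table[addr] = names
    return table


def canonical_name(table, name):
    """Name -> canonical name, i.e. the FIRST name on the matching line.
    This mirrors what getent hosts / gethostbyname() report as h_name when
    the hosts file is the source, which is why the FQDN must come first."""
    for names in table.values():
        if name in names:
            return names[0]
    return None


def is_fqdn(name):
    return "." in name.strip(".")


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def match_dns_name(pattern, host):
    """RFC 6125-style comparison: case-insensitive, and '*' is only honoured
    as the entire left-most label of a name with at least three labels."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if p[0] != "*":
        return p == h
    return len(p) == len(h) and len(h) >= 3 and p[1:] == h[1:]


def cert_matches_host(subject_cn, san_dns_names, host):
    """If the certificate carries SAN dNSName entries they are authoritative;
    only a certificate without them is matched on the subject CN (the case
    the thread relies on)."""
    if san_dns_names:
        return any(match_dns_name(n, host) for n in san_dns_names)
    return match_dns_name(subject_cn, host)


def server_cert_name(table, short_hostname):
    """What to put in the server certificate's CN: the canonical name that the
    server's own short hostname resolves to.  Raises if it does not resolve."""
    cn = canonical_name(table, short_hostname)
    if cn is None:
        raise LookupError(f"{short_hostname!r} is not in the hosts table")
    return cn


def client_verifies(table, uri_host, subject_cn, san_dns_names=()):
    """Client side for ldaps://<uri_host>/: the name in the URI must resolve
    and must match the certificate.  Returns (ok, reason)."""
    if is_ip_literal(uri_host):
        return False, "IP literal is not matched against CN or dNSName"
    if canonical_name(table, uri_host) is None:
        return False, f"{uri_host!r} does not resolve"
    if cert_matches_host(subject_cn, san_dns_names, uri_host):
        return True, "certificate name matches"
    return False, f"certificate CN {subject_cn!r} does not match {uri_host!r}"


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    cn = server_cert_name(table, "myhost")
    print("issue server cert with CN =", cn, "(FQDN)" if is_fqdn(cn) else "(NOT an FQDN)")
    for host in ("myhost.mydomain.com", "myhost", "192.168.122.2", "client1.mydomain.com"):
        print(f"ldaps://{host}/ ->", client_verifies(table, host, cn))
    bad = server_cert_name(table, "badhost")
    print("wrong hosts order gives CN =", bad, "(FQDN)" if is_fqdn(bad) else "(NOT an FQDN)")
```

On a real box the equivalent of canonical_name() is `getent hosts myhost`, whose first name column is what the certificate CN has to equal; the short name and the IP literal both fail verification against a CN-only certificate, so clients must be configured with the FQDN in their ldaps:// URI as well.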