Re: [389-devel] Setting up 389 DS without DNS

2012-07-24 Thread Rich Megginson

On 07/24/2012 08:51 AM, Chaudhari, Rohit K. wrote:

So just for clarification, is this how I set it up:

create new entries for your VMs with unique MACs and IP addresses
edit /etc/hosts - add entries for your IP addresses and your new hosts - make 
sure the FQDN is the first name e.g. 192.168.122.2 myhost.mydomain.com myhost

If there is anything simpler or something that I missed just let me know.


No, that's it.  That's what I use for doing TLS/SSL testing among 
virtual machines on the same host system.




Thanks.

-Original Message-
From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Tuesday, July 24, 2012 10:49 AM
To: 389 Directory server developer discussion.
Cc: Chaudhari, Rohit K.
Subject: Re: [389-devel] Setting up 389 DS without DNS

On 07/23/2012 08:58 PM, Chaudhari, Rohit K. wrote:

Thanks everyone for the quick response.  We do need to use TLS for doing LDAP 
authentication for users to sign in.  So based on the notes below, the lack of 
DNS will not work.  How can I get TLS and no-DNS to work together?

It does work.  Perhaps it is in violation of some spec somewhere
(link?), but using /etc/hosts or even NIS host maps will work.  DNS is
not a requirement to get it to work.


Thanks.

From: 389-devel-boun...@lists.fedoraproject.org 
[389-devel-boun...@lists.fedoraproject.org] On Behalf Of Rich Megginson 
[rmegg...@redhat.com]
Sent: Monday, July 23, 2012 8:09 PM
To: 389 Directory server developer discussion.
Subject: Re: [389-devel] Setting up 389 DS without DNS

On 07/23/2012 05:13 PM, Paul Robert Marino wrote:

On Jul 23, 2012 5:15 PM, Rich Megginson rmegg...@redhat.com wrote:

On 07/23/2012 02:46 PM, Chaudhari, Rohit K. wrote:

Hey 389 community,



I had a question.  We want to set up 389-ds on a Red Hat VM without DNS.  I 
read online that disabling SELinux would allow us to accomplish this.  Is this 
true or false?

False.  AFAIK it has nothing to do with SELinux.  Where did you read this?



If DNS cannot be disabled, how do we create a dummy DNS so that replication and 
single sign-on from client to the server can occur?  Do we have to hard-code IP 
addresses or something else?  Thank you for your time this afternoon.

It depends.  If you are using Fedora/RHEL virtualization, you just have to
virsh net-edit default - create new entries for your VMs with unique MACs and 
IP addresses
edit /etc/hosts - add entries for your IP addresses and your new hosts - make 
sure the FQDN is the first name e.g.
192.168.122.2 myhost.mydomain.com myhost


This will only work if you don't intend to use TLS encryption.
TLS requires full forward and reverse 'DNS' lookup and won't work properly with 
entries in the /etc/hosts file per the RFC that defines the TLS standard.

Hmm - I've successfully done this with /etc/hosts files - what exactly is the 
problem with that?  What specifically requires a DNS lookup and not a getent 
hosts?


Thanks.



--
389-devel mailing list
389-devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-devel



Re: [389-devel] Setting up 389 DS without DNS

2012-07-24 Thread Chaudhari, Rohit K.
Well ultimately, what we are trying to do is communicate between a server VM on 
a host machine and a client VM on a local machine.  When the user attempts to 
log in to his/her account on the local machine, he/she authenticates against 
the LDAP server on the host machine.  Is there anything that would have to 
change in order for this to work without DNS?

Thanks for your time and speedy responses this morning.

-Original Message-
From: Rich Megginson [mailto:rmegg...@redhat.com] 
Sent: Tuesday, July 24, 2012 10:55 AM
To: Chaudhari, Rohit K.
Cc: 389 Directory server developer discussion.
Subject: Re: [389-devel] Setting up 389 DS without DNS

On 07/24/2012 08:51 AM, Chaudhari, Rohit K. wrote:
 So just for clarification, is this how I set it up:

 create new entries for your VMs with unique MACs and IP addresses
 edit /etc/hosts - add entries for your IP addresses and your new hosts - make 
 sure the FQDN is the first name e.g. 192.168.122.2 myhost.mydomain.com myhost

 If there is anything simpler or something that I missed just let me know.

No, that's it.  That's what I use for doing TLS/SSL testing among 
virtual machines on the same host system.


 Thanks.

 -Original Message-
 From: Rich Megginson [mailto:rmegg...@redhat.com]
 Sent: Tuesday, July 24, 2012 10:49 AM
 To: 389 Directory server developer discussion.
 Cc: Chaudhari, Rohit K.
 Subject: Re: [389-devel] Setting up 389 DS without DNS

 On 07/23/2012 08:58 PM, Chaudhari, Rohit K. wrote:
 Thanks everyone for the quick response.  We do need to use TLS for doing 
 LDAP authentication for users to sign in.  So based on the notes below, the 
 lack of DNS will not work.  How can I get TLS and no-DNS to work together?
 It does work.  Perhaps it is in violation of some spec somewhere
 (link?), but using /etc/hosts or even NIS host maps will work.  DNS is
 not a requirement to get it to work.

 Thanks.
 
 From: 389-devel-boun...@lists.fedoraproject.org 
 [389-devel-boun...@lists.fedoraproject.org] On Behalf Of Rich Megginson 
 [rmegg...@redhat.com]
 Sent: Monday, July 23, 2012 8:09 PM
 To: 389 Directory server developer discussion.
 Subject: Re: [389-devel] Setting up 389 DS without DNS

 On 07/23/2012 05:13 PM, Paul Robert Marino wrote:

 On Jul 23, 2012 5:15 PM, Rich Megginson rmegg...@redhat.com wrote:
 On 07/23/2012 02:46 PM, Chaudhari, Rohit K. wrote:
 Hey 389 community,



 I had a question.  We want to set up 389-ds on a Red Hat VM without DNS.  
 I read online that disabling SELinux would allow us to accomplish this.  
 Is this true or false?
 False.  AFAIK it has nothing to do with SELinux.  Where did you read this?


 If DNS cannot be disabled, how do we create a dummy DNS so that 
 replication and single sign-on from client to the server can occur?  Do we 
 have to hard-code IP addresses or something else?  Thank you for your time 
 this afternoon.
 It depends.  If you are using Fedora/RHEL virtualization, you just have to
 virsh net-edit default - create new entries for your VMs with unique MACs 
 and IP addresses
 edit /etc/hosts - add entries for your IP addresses and your new hosts - 
 make sure the FQDN is the first name e.g.
 192.168.122.2 myhost.mydomain.com myhost

 This will only work if you don't intend to use TLS encryption.
 TLS requires full forward and reverse 'DNS' lookup and won't work properly 
 with entries in the /etc/hosts file per the RFC that defines the TLS 
 standard.

 Hmm - I've successfully done this with /etc/hosts files - what exactly is 
 the problem with that?  What specifically requires a DNS lookup and not a 
 getent hosts?

 Thanks.




Re: [389-devel] Setting up 389 DS without DNS

2012-07-24 Thread Rich Megginson

On 07/24/2012 08:57 AM, Chaudhari, Rohit K. wrote:

Well ultimately, what we are trying to do is communicate between a server VM on 
a host machine and a client VM on a local machine.  When the user attempts to 
log in to his/her account on the local machine, he/she authenticates against 
the LDAP server on the host machine.  Is there anything that would have to 
change in order for this to work without DNS?


As long as both the server and the client have both the client and the 
server in their /etc/hosts, with the FQDN listed first, and the LDAP 
server certificate has that same FQDN as the value of the cn attribute 
in the cert subjectDN, it should work.


Otherwise, if you are having specific problems, and can provide specific 
error codes and error messages (and preferably directory server logs), 
we can try to figure out what is going on.


But I will reiterate - DNS is not required to get this to work.



Thanks for your time and speedy responses this morning.

-Original Message-
From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Tuesday, July 24, 2012 10:55 AM
To: Chaudhari, Rohit K.
Cc: 389 Directory server developer discussion.
Subject: Re: [389-devel] Setting up 389 DS without DNS

On 07/24/2012 08:51 AM, Chaudhari, Rohit K. wrote:

So just for clarification, is this how I set it up:

create new entries for your VMs with unique MACs and IP addresses
edit /etc/hosts - add entries for your IP addresses and your new hosts - make 
sure the FQDN is the first name e.g. 192.168.122.2 myhost.mydomain.com myhost

If there is anything simpler or something that I missed just let me know.

No, that's it.  That's what I use for doing TLS/SSL testing among
virtual machines on the same host system.


Thanks.

-Original Message-
From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Tuesday, July 24, 2012 10:49 AM
To: 389 Directory server developer discussion.
Cc: Chaudhari, Rohit K.
Subject: Re: [389-devel] Setting up 389 DS without DNS

On 07/23/2012 08:58 PM, Chaudhari, Rohit K. wrote:

Thanks everyone for the quick response.  We do need to use TLS for doing LDAP 
authentication for users to sign in.  So based on the notes below, the lack of 
DNS will not work.  How can I get TLS and no-DNS to work together?

It does work.  Perhaps it is in violation of some spec somewhere
(link?), but using /etc/hosts or even NIS host maps will work.  DNS is
not a requirement to get it to work.


Thanks.

From: 389-devel-boun...@lists.fedoraproject.org 
[389-devel-boun...@lists.fedoraproject.org] On Behalf Of Rich Megginson 
[rmegg...@redhat.com]
Sent: Monday, July 23, 2012 8:09 PM
To: 389 Directory server developer discussion.
Subject: Re: [389-devel] Setting up 389 DS without DNS

On 07/23/2012 05:13 PM, Paul Robert Marino wrote:

On Jul 23, 2012 5:15 PM, Rich Megginson rmegg...@redhat.com wrote:

On 07/23/2012 02:46 PM, Chaudhari, Rohit K. wrote:

Hey 389 community,



I had a question.  We want to set up 389-ds on a Red Hat VM without DNS.  I 
read online that disabling SELinux would allow us to accomplish this.  Is this 
true or false?

False.  AFAIK it has nothing to do with SELinux.  Where did you read this?



If DNS cannot be disabled, how do we create a dummy DNS so that replication and 
single sign-on from client to the server can occur?  Do we have to hard-code IP 
addresses or something else?  Thank you for your time this afternoon.

It depends.  If you are using Fedora/RHEL virtualization, you just have to
virsh net-edit default - create new entries for your VMs with unique MACs and 
IP addresses
edit /etc/hosts - add entries for your IP addresses and your new hosts - make 
sure the FQDN is the first name e.g.
192.168.122.2 myhost.mydomain.com myhost


This will only work if you don't intend to use TLS encryption.
TLS requires full forward and reverse 'DNS' lookup and won't work properly with 
entries in the /etc/hosts file per the RFC that defines the TLS standard.

Hmm - I've successfully done this with /etc/hosts files - what exactly is the 
problem with that?  What specifically requires a DNS lookup and not a getent 
hosts?


Thanks.




Re: [389-devel] Setting up 389 DS without DNS

2012-07-24 Thread Chaudhari, Rohit K.
What FQDN should the CA certificate have in the cert subjectDN?  I usually use 
certutil to create a CA cert and distribute it across the servers and clients 
so that they can use TLS.

Thanks.

-Original Message-
From: Rich Megginson [mailto:rmegg...@redhat.com] 
Sent: Tuesday, July 24, 2012 11:00 AM
To: Chaudhari, Rohit K.
Cc: 389 Directory server developer discussion.
Subject: Re: [389-devel] Setting up 389 DS without DNS

On 07/24/2012 08:57 AM, Chaudhari, Rohit K. wrote:
 Well ultimately, what we are trying to do is communicate between a server VM 
 on a host machine and a client VM on a local machine.  When the user attempts 
 to log in to his/her account on the local machine, he/she authenticates 
 against the LDAP server on the host machine.  Is there anything that would 
 have to change in order for this to work without DNS?

As long as both the server and the client have both the client and the 
server in their /etc/hosts, with the FQDN listed first, and the LDAP 
server certificate has that same FQDN as the value of the cn attribute 
in the cert subjectDN, it should work.

Otherwise, if you are having specific problems, and can provide specific 
error codes and error messages (and preferably directory server logs), 
we can try to figure out what is going on.

But I will reiterate - DNS is not required to get this to work.


 Thanks for your time and speedy responses this morning.

 -Original Message-
 From: Rich Megginson [mailto:rmegg...@redhat.com]
 Sent: Tuesday, July 24, 2012 10:55 AM
 To: Chaudhari, Rohit K.
 Cc: 389 Directory server developer discussion.
 Subject: Re: [389-devel] Setting up 389 DS without DNS

 On 07/24/2012 08:51 AM, Chaudhari, Rohit K. wrote:
 So just for clarification, is this how I set it up:

 create new entries for your VMs with unique MACs and IP addresses
 edit /etc/hosts - add entries for your IP addresses and your new hosts - make 
 sure the FQDN is the first name e.g. 192.168.122.2 myhost.mydomain.com myhost

 If there is anything simpler or something that I missed just let me know.
 No, that's it.  That's what I use for doing TLS/SSL testing among
 virtual machines on the same host system.

 Thanks.

 -Original Message-
 From: Rich Megginson [mailto:rmegg...@redhat.com]
 Sent: Tuesday, July 24, 2012 10:49 AM
 To: 389 Directory server developer discussion.
 Cc: Chaudhari, Rohit K.
 Subject: Re: [389-devel] Setting up 389 DS without DNS

 On 07/23/2012 08:58 PM, Chaudhari, Rohit K. wrote:
 Thanks everyone for the quick response.  We do need to use TLS for doing 
 LDAP authentication for users to sign in.  So based on the notes below, the 
 lack of DNS will not work.  How can I get TLS and no-DNS to work together?
 It does work.  Perhaps it is in violation of some spec somewhere
 (link?), but using /etc/hosts or even NIS host maps will work.  DNS is
 not a requirement to get it to work.

 Thanks.
 
 From: 389-devel-boun...@lists.fedoraproject.org 
 [389-devel-boun...@lists.fedoraproject.org] On Behalf Of Rich Megginson 
 [rmegg...@redhat.com]
 Sent: Monday, July 23, 2012 8:09 PM
 To: 389 Directory server developer discussion.
 Subject: Re: [389-devel] Setting up 389 DS without DNS

 On 07/23/2012 05:13 PM, Paul Robert Marino wrote:

 On Jul 23, 2012 5:15 PM, Rich Megginson rmegg...@redhat.com wrote:
 On 07/23/2012 02:46 PM, Chaudhari, Rohit K. wrote:
 Hey 389 community,



 I had a question.  We want to set up 389-ds on a Red Hat VM without DNS.  
 I read online that disabling SELinux would allow us to accomplish this.  
 Is this true or false?
 False.  AFAIK it has nothing to do with SELinux.  Where did you read this?


 If DNS cannot be disabled, how do we create a dummy DNS so that 
 replication and single sign-on from client to the server can occur?  Do 
 we have to hard-code IP addresses or something else?  Thank you for your 
 time this afternoon.
 It depends.  If you are using Fedora/RHEL virtualization, you just have to
 virsh net-edit default - create new entries for your VMs with unique MACs 
 and IP addresses
 edit /etc/hosts - add entries for your IP addresses and your new hosts - 
 make sure the FQDN is the first name e.g.
 192.168.122.2 myhost.mydomain.com myhost

 This will only work if you don't intend to use TLS encryption.
 TLS requires full forward and reverse 'DNS' lookup and won't work properly 
 with entries in the /etc/hosts file per the RFC that defines the TLS 
 standard.

 Hmm - I've successfully done this with /etc/hosts files - what exactly is 
 the problem with that?  What specifically requires a DNS lookup and not a 
 getent hosts?

 Thanks.




Re: [389-devel] Setting up 389 DS without DNS

2012-07-24 Thread Rich Megginson

On 07/24/2012 09:39 AM, Chaudhari, Rohit K. wrote:

What FQDN should the CA certificate have in the cert subjectDN?  I usually use 
certutil to create a CA cert and distribute it across the servers and clients 
so that they can use TLS.


The subjectDN for the LDAP server certificate should have a subjectDN 
that looks something like this:


cn=hostname.domain.com,ou=my organization,c=company

The stuff after the cn RDN doesn't really matter, but it may help 
diagnose problems


The really important thing is that the server hostname.domain.com and 
all of the clients of hostname.domain.com (including other servers e.g. 
replication) must be able to resolve hostname.domain.com to the correct 
IP address, and must be able to resolve that IP address back to 
hostname.domain.com (that is, not just hostname, but the full FQDN).  
Whether that resolution is done with /etc/hosts or NIS or DNS or 
whatever doesn't matter.


Thanks.

-Original Message-
From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Tuesday, July 24, 2012 11:00 AM
To: Chaudhari, Rohit K.
Cc: 389 Directory server developer discussion.
Subject: Re: [389-devel] Setting up 389 DS without DNS

On 07/24/2012 08:57 AM, Chaudhari, Rohit K. wrote:

Well ultimately, what we are trying to do is communicate between a server VM on 
a host machine and a client VM on a local machine.  When the user attempts to 
log in to his/her account on the local machine, he/she authenticates against 
the LDAP server on the host machine.  Is there anything that would have to 
change in order for this to work without DNS?

As long as both the server and the client have both the client and the
server in their /etc/hosts, with the FQDN listed first, and the LDAP
server certificate has that same FQDN as the value of the cn attribute
in the cert subjectDN, it should work.

Otherwise, if you are having specific problems, and can provide specific
error codes and error messages (and preferably directory server logs),
we can try to figure out what is going on.

But I will reiterate - DNS is not required to get this to work.


Thanks for your time and speedy responses this morning.

-Original Message-
From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Tuesday, July 24, 2012 10:55 AM
To: Chaudhari, Rohit K.
Cc: 389 Directory server developer discussion.
Subject: Re: [389-devel] Setting up 389 DS without DNS

On 07/24/2012 08:51 AM, Chaudhari, Rohit K. wrote:

So just for clarification, is this how I set it up:

create new entries for your VMs with unique MACs and IP addresses
edit /etc/hosts - add entries for your IP addresses and your new hosts - make 
sure the FQDN is the first name e.g. 192.168.122.2 myhost.mydomain.com myhost

If there is anything simpler or something that I missed just let me know.

No, that's it.  That's what I use for doing TLS/SSL testing among
virtual machines on the same host system.


Thanks.

-Original Message-
From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Tuesday, July 24, 2012 10:49 AM
To: 389 Directory server developer discussion.
Cc: Chaudhari, Rohit K.
Subject: Re: [389-devel] Setting up 389 DS without DNS

On 07/23/2012 08:58 PM, Chaudhari, Rohit K. wrote:

Thanks everyone for the quick response.  We do need to use TLS for doing LDAP 
authentication for users to sign in.  So based on the notes below, the lack of 
DNS will not work.  How can I get TLS and no-DNS to work together?

It does work.  Perhaps it is in violation of some spec somewhere
(link?), but using /etc/hosts or even NIS host maps will work.  DNS is
not a requirement to get it to work.


Thanks.

From: 389-devel-boun...@lists.fedoraproject.org 
[389-devel-boun...@lists.fedoraproject.org] On Behalf Of Rich Megginson 
[rmegg...@redhat.com]
Sent: Monday, July 23, 2012 8:09 PM
To: 389 Directory server developer discussion.
Subject: Re: [389-devel] Setting up 389 DS without DNS

On 07/23/2012 05:13 PM, Paul Robert Marino wrote:

On Jul 23, 2012 5:15 PM, Rich Megginson rmegg...@redhat.com wrote:

On 07/23/2012 02:46 PM, Chaudhari, Rohit K. wrote:

Hey 389 community,



I had a question.  We want to set up 389-ds on a Red Hat VM without DNS.  I 
read online that disabling SELinux would allow us to accomplish this.  Is this 
true or false?

False.  AFAIK it has nothing to do with SELinux.  Where did you read this?



If DNS cannot be disabled, how do we create a dummy DNS so that replication and 
single sign-on from client to the server can occur?  Do we have to hard-code IP 
addresses or something else?  Thank you for your time this afternoon.

It depends.  If you are using Fedora/RHEL virtualization, you just have to
virsh net-edit default - create new entries for your VMs with unique MACs and 
IP addresses
edit /etc/hosts - add entries for your IP addresses and your new hosts - make 
sure the FQDN is the first name e.g.
192.168.122.2 myhost.mydomain.com
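
The check described in the message above (the server FQDN must resolve to an address, that address must resolve back to the same FQDN, and the FQDN must equal the cn of the server certificate), as an added example that is not part of the original thread. The function names, the sample hosts files and the simple comma-split DN parsing are assumptions made for illustration; check_live runs the same test through the system resolver, so it covers /etc/hosts, NIS or DNS alike.

```python
import socket

# Constructed sample hosts files, using the example address and names from
# the thread: one with the FQDN first, one with the short name first.
GOOD_HOSTS = """\
127.0.0.1      localhost localhost.localdomain
192.168.122.2  myhost.mydomain.com myhost
"""
BAD_HOSTS = """\
127.0.0.1      localhost localhost.localdomain
192.168.122.2  myhost myhost.mydomain.com
"""
# Constructed subject DN in the shape given in the message.
SUBJECT_DN = "cn=myhost.mydomain.com,ou=my organization,c=company"


def parse_hosts(text):
    """Return [(ip, [names...])] in file order, skipping comments and blanks."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.append((fields[0], [n.lower() for n in fields[1:]]))
    return entries


def subject_cn(subject_dn):
    """Extract the cn value from a simple subject DN (no escaped commas)."""
    for rdn in subject_dn.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.strip().lower() == "cn":
            return value.strip().lower()
    return None


def check_hosts(hosts_text, subject_dn):
    """List the problems a hosts file would cause for this certificate."""
    cn = subject_cn(subject_dn)
    if not cn or "." not in cn:
        return ["certificate cn is missing or is not a FQDN: %r" % cn]
    entries = parse_hosts(hosts_text)
    # Forward lookup: the first line that carries the name wins.
    ip = next((addr for addr, names in entries if cn in names), None)
    if ip is None:
        return ["%s does not resolve from the hosts file" % cn]
    # Reverse lookup: the canonical name is the FIRST name on the line,
    # which is why the FQDN has to be listed before the short name.
    canonical = next(names[0] for addr, names in entries if addr == ip)
    if canonical != cn:
        return ["%s resolves back to %r, not %r" % (ip, canonical, cn)]
    return []


def check_live(fqdn):
    """Same check through the system resolver, whatever backs it."""
    try:
        ip = socket.gethostbyname(fqdn)
        canonical = socket.gethostbyaddr(ip)[0].lower()
    except OSError as exc:
        return ["lookup failed: %s" % exc]
    if canonical != fqdn.lower():
        return ["%s resolves back to %r, not %r" % (ip, canonical, fqdn)]
    return []


if __name__ == "__main__":
    for label, text in (("FQDN first", GOOD_HOSTS), ("short name first", BAD_HOSTS)):
        print(label, "->", check_hosts(text, SUBJECT_DN) or "ok")
```

Run check_live on the server and on every client and replica with the name taken from the certificate; an empty list means the forward and reverse lookups agree on the FQDN.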

Re: [389-devel] Setting up 389 DS without DNS

2012-07-23 Thread Rich Megginson

On 07/23/2012 02:46 PM, Chaudhari, Rohit K. wrote:


Hey 389 community,

I had a question.  We want to set up 389-ds on a Red Hat VM without 
DNS.  I read online that disabling SELinux would allow us to 
accomplish this.  Is this true or false?




False.  AFAIK it has nothing to do with SELinux.  Where did you read this?

If DNS cannot be disabled, how do we create a dummy DNS so that 
replication and single sign-on from client to the server can occur?  
Do we have to hard-code IP addresses or something else?  Thank you for 
your time this afternoon.




It depends.  If you are using Fedora/RHEL virtualization, you just have to
virsh net-edit default - create new entries for your VMs with unique 
MACs and IP addresses
edit /etc/hosts - add entries for your IP addresses and your new hosts - 
make sure the FQDN is the first name e.g.

192.168.122.2 myhost.mydomain.com myhost


Thanks.




Re: [389-devel] Setting up 389 DS without DNS

2012-07-23 Thread Paul Robert Marino
On Jul 23, 2012 5:15 PM, Rich Megginson rmegg...@redhat.com wrote:

 On 07/23/2012 02:46 PM, Chaudhari, Rohit K. wrote:

 Hey 389 community,



 I had a question.  We want to set up 389-ds on a Red Hat VM without
DNS.  I read online that disabling SELinux would allow us to accomplish
this.  Is this true or false?


 False.  AFAIK it has nothing to do with SELinux.  Where did you read this?


 If DNS cannot be disabled, how do we create a dummy DNS so that
replication and single sign-on from client to the server can occur?  Do we
have to hard-code IP addresses or something else?  Thank you for your time
this afternoon.


 It depends.  If you are using Fedora/RHEL virtualization, you just have
to
 virsh net-edit default - create new entries for your VMs with unique MACs
and IP addresses
 edit /etc/hosts - add entries for your IP addresses and your new hosts -
make sure the FQDN is the first name e.g.
 192.168.122.2 myhost.mydomain.com myhost

This will only work if you don't intend to use TLS encryption.
TLS requires full forward and reverse 'DNS' lookup and won't work properly
with entries in the /etc/hosts file per the RFC that defines the TLS
standard.



 Thanks.


