Sergey Ivanov
2006-Oct-23 20:19 UTC
[Fedora-directory-users] how to set up Fedora Ds on a multinetwork host
Hi,

I have installed Fedora Directory Server on a machine which belongs to 2 different networks. One is a local network with a 192.168. prefix, and the other is a real IP I've got from my Internet Service Provider.

I want to have Directory Server listening on both interfaces, with SSL certificates. How can I set up Directory Server to use different certificates for different IP addresses (and different hostnames)? Is it possible?

I have not found the answer in the documentation or on the internet. I tried to set up another Directory Server instance on the same host, but that also failed, because it refuses to share the same port number and to bind to that port on only one of the IP addresses.

Please, help me.

With best regards,
Sergey Ivanov.
George Holbert
2006-Oct-23 20:32 UTC
Re: [Fedora-directory-users] how to set up Fedora Ds on a multinetwork host
Sergey,

Do you want to have both interfaces talk to the same LDAP directory? Or do you want an entirely separate LDAP directory for each?

-- George

Sergey Ivanov wrote:
> Hi,
> I have installed Fedora Directory Server on a machine which belongs to
> 2 different networks. One is a local network with a 192.168. prefix, and
> the other is a real IP I've got from my Internet Service Provider.
>
> I want to have Directory Server listening on both interfaces, with SSL
> certificates. How can I set up Directory Server to use different
> certificates for different IP addresses (and different hostnames)? Is it
> possible?
>
> I have not found the answer in the documentation or on the internet. I tried
> to set up another Directory Server instance on the same host, but that also
> failed, because it refuses to share the same port number and to bind to
> that port on only one of the IP addresses.
>
> Please, help me.
>
> With best regards,
> Sergey Ivanov.
Mike Jackson
2006-Oct-23 20:33 UTC
Re: [Fedora-directory-users] how to set up Fedora Ds on a multinetwork host
Sergey Ivanov wrote:
> Hi George,
> I want to have the same LDAP directory for both interfaces, but with
> different SSL certificates.

Probably the fastest and easiest way to do it:

1. Set up directory server to only listen to interface1 (hostname1)
2. Install SSL cert for hostname1
3. Set up directory server to only listen to interface2 (hostname2)
4. Install SSL cert for hostname2
5. Set up multimaster replication between the two directory servers
6. Populate data

Mike
--
http://www.netauth.com - LDAP Directory Consulting
Sergey Ivanov
2006-Oct-23 20:36 UTC
Re: [Fedora-directory-users] how to set up Fedora Ds on a multinetwork host
Hi George,

I want to have the same LDAP directory for both interfaces, but with different SSL certificates.

-- Sergey.

George Holbert wrote:
> Sergey,
> Do you want to have both interfaces talk to the same LDAP directory?
> Or do you want an entirely separate LDAP directory for each?
> -- George
>
> Sergey Ivanov wrote:
>> Hi,
>> I have installed Fedora Directory Server on a machine which belongs to
>> 2 different networks. One is a local network with a 192.168. prefix, and
>> the other is a real IP I've got from my Internet Service Provider.
>>
>> I want to have Directory Server listening on both interfaces, with SSL
>> certificates. How can I set up Directory Server to use different
>> certificates for different IP addresses (and different hostnames)? Is it
>> possible?
>>
>> I have not found the answer in the documentation or on the internet. I tried
>> to set up another Directory Server instance on the same host, but that also
>> failed, because it refuses to share the same port number and to bind to
>> that port on only one of the IP addresses.
>>
>> Please, help me.
>>
>> With best regards,
>> Sergey Ivanov.
George Holbert
2006-Oct-23 21:15 UTC
Re: [Fedora-directory-users] how to set up Fedora Ds on a multinetwork host
Sergey,

Mike's recipe would do the trick. If you try that, also look into the nsslapd-listenhost and nsslapd-securelistenhost config variables (in directory server docs). These will allow you to arrange for each directory server instance to only listen on a single interface. I believe the default is to listen on all interfaces.

-- George

Mike Jackson wrote:
> Sergey Ivanov wrote:
>> Hi George,
>> I want to have the same LDAP directory for both interfaces, but with
>> different SSL certificates.
>
> Probably the fastest and easiest way to do it:
>
> 1. Set up directory server to only listen to interface1 (hostname1)
> 2. Install SSL cert for hostname1
> 3. Set up directory server to only listen to interface2 (hostname2)
> 4. Install SSL cert for hostname2
> 5. Set up multimaster replication between the two directory servers
> 6. Populate data
>
> Mike
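Mike's recipe and George's note on nsslapd-listenhost / nsslapd-securelistenhost both come down to one check: after the second instance is created, does each instance bind only its own address on the LDAP and LDAPS ports, and do the two instances still clash on a port? The script below is an added example, not code from the thread or from the Fedora DS project; it reads the cn=config entry of each instance's config/dse.ldif (the attributes nsslapd-port, nsslapd-secureport, nsslapd-security, nsslapd-listenhost and nsslapd-securelistenhost), reports instances still bound to all interfaces, and reports port clashes between instances. The two dse.ldif fragments and the addresses in them (192.168.1.10, 203.0.113.5) are constructed sample input, and the instance names slapd-internal / slapd-external are assumed.

```python
"""Audit listener settings of several Fedora / 389 Directory Server instances
from their config/dse.ldif: which instances bind every interface, and which
pairs of instances would clash on a port. Added example with constructed input."""
import base64
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ALL_INTERFACES = "0.0.0.0"   # what a missing nsslapd-listenhost means


def parse_ldif_entries(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal LDIF reader: {dn (lower-cased): {attr (lower-cased): [values]}}.
    Handles folded lines (leading space), '#' comments and base64 ('::') values."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: Dict[str, Dict[str, List[str]]] = {}
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:           # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in current:
                entries[current["dn"][0].lower()] = current
            current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode()
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


@dataclass(frozen=True)
class Listener:
    instance: str
    host: str                    # nsslapd-listenhost, or 0.0.0.0 if unset
    port: int                    # nsslapd-port
    secure_host: Optional[str]   # nsslapd-securelistenhost; None when SSL is off
    secure_port: Optional[int]   # nsslapd-secureport; None when SSL is off


def listener_from_dse(instance: str, dse_text: str) -> Listener:
    """Build a Listener from the cn=config entry of one instance's dse.ldif."""
    cfg = parse_ldif_entries(dse_text)["cn=config"]

    def first(attr: str, default: str) -> str:
        vals = cfg.get(attr)
        return vals[0] if vals else default

    ssl_on = first("nsslapd-security", "off").lower() == "on"
    return Listener(
        instance=instance,
        host=first("nsslapd-listenhost", ALL_INTERFACES),
        port=int(first("nsslapd-port", "389")),
        secure_host=first("nsslapd-securelistenhost", ALL_INTERFACES) if ssl_on else None,
        secure_port=int(first("nsslapd-secureport", "636")) if ssl_on else None,
    )


def bindings(l: Listener) -> List[Tuple[str, int]]:
    """Every (address, port) socket the instance will try to bind."""
    out = [(l.host, l.port)]
    if l.secure_port is not None and l.secure_host is not None:
        out.append((l.secure_host, l.secure_port))
    return out


def wildcard_listeners(listeners: List[Listener]) -> List[str]:
    """Instances that still bind 0.0.0.0 on some port (the console's default)."""
    return sorted({l.instance for l in listeners
                   for host, _ in bindings(l) if host == ALL_INTERFACES})


def find_conflicts(listeners: List[Listener]) -> List[str]:
    """Instance pairs that cannot both bind. Conservative rule: same port and
    either the same address or one side bound to all interfaces."""
    found = []
    for i, a in enumerate(listeners):
        for b in listeners[i + 1:]:
            for ha, pa in bindings(a):
                for hb, pb in bindings(b):
                    if pa == pb and (ha == hb or ALL_INTERFACES in (ha, hb)):
                        found.append(f"{a.instance} {ha}:{pa} clashes with {b.instance} {hb}:{pb}")
    return found


def audit(instances: Dict[str, str]) -> Dict[str, List[str]]:
    """instances: {instance name: dse.ldif text}."""
    listeners = [listener_from_dse(name, text) for name, text in instances.items()]
    return {"wildcard": wildcard_listeners(listeners), "conflicts": find_conflicts(listeners)}


# Constructed dse.ldif fragments (only the attributes this check reads).
INTERNAL_DSE = """\
dn: cn=config
cn: config
nsslapd-port: 389
nsslapd-secureport: 636
nsslapd-security: on
nsslapd-listenhost: 192.168.1.10
nsslapd-securelistenhost: 192.168.1.10
"""
# Second instance as freshly created: no listenhost, so it binds 0.0.0.0.
EXTERNAL_DSE_DEFAULT = """\
dn: cn=config
cn: config
nsslapd-port: 389
nsslapd-secureport: 636
nsslapd-security: on
"""
# Same instance after pinning it to the public address (203.0.113.5 is a documentation address).
EXTERNAL_DSE_PINNED = EXTERNAL_DSE_DEFAULT + """\
nsslapd-listenhost: 203.0.113.5
nsslapd-securelistenhost: 203.0.113.5
"""

if __name__ == "__main__":
    for label, ext in (("before", EXTERNAL_DSE_DEFAULT), ("after", EXTERNAL_DSE_PINNED)):
        print(label, audit({"slapd-internal": INTERNAL_DSE, "slapd-external": ext}))
```

The "before" run shows the situation from the first post: the second instance clashes with the first on both 389 and 636 because it binds all interfaces. After nsslapd-listenhost and nsslapd-securelistenhost are set, the two instances bind disjoint addresses on the same ports and the audit is clean. The clash rule is deliberately conservative: it treats a wildcard bind as clashing with any specific bind on the same port, which is the failure the original poster ran into.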
Sergey Ivanov
2006-Oct-23 21:42 UTC
Re: [Fedora-directory-users] how to set up Fedora Ds on a multinetwork host
Thank you!

--
With best regards,
Sergey Ivanov.

George Holbert wrote:
> Sergey,
> Mike's recipe would do the trick. If you try that, also look into the
> nsslapd-listenhost and nsslapd-securelistenhost config variables (in
> directory server docs). These will allow you to arrange for each
> directory server instance to only listen on a single interface. I
> believe the default is to listen on all interfaces.
> -- George
>
> Mike Jackson wrote:
>> Sergey Ivanov wrote:
>>> Hi George,
>>> I want to have the same LDAP directory for both interfaces, but with
>>> different SSL certificates.
>>
>> Probably the fastest and easiest way to do it:
>>
>> 1. Set up directory server to only listen to interface1 (hostname1)
>> 2. Install SSL cert for hostname1
>> 3. Set up directory server to only listen to interface2 (hostname2)
>> 4. Install SSL cert for hostname2
>> 5. Set up multimaster replication between the two directory servers
>> 6. Populate data
>>
>> Mike
Sergey Ivanov
2006-Oct-25 17:15 UTC
Re: [Fedora-directory-users] how to set up Fedora Ds on a multinetwork host
I have a little problem with this advice.

I have installed the fedora-ds rpm, then configured the admin server and the first directory server to listen on the local network and populated it with data. With nsslapd-listenhost and nsslapd-securelistenhost I bound this directory server to listen on this particular IP only.

Then, using Fedora Management Console, I created a new instance of directory server. When created, it was listening on 0.0.0.0 at a different port.

When I added binding to the external IP address by adding nsslapd-listenhost and nsslapd-securelistenhost to its config/dse.ldif, I got into a problem with communication between Fedora Management Console and this new server. I can stop/start it from the command line, and see that it is binding to the IP addresses correctly. I can do ldapsearch in this new server from the internet by this IP and port. But Fedora Management Console, as I'm guessing, is still looking for this server to appear on the local network. So it cannot start/stop/connect to it and reports it as "Stopped".

Maybe there is some attribute to add to NetscapeRoot/{mydomain}/{myhost}/Server Group/Fedora Directory Server/slapd-{newname} to change the Admin server's expectation about this newly created Directory Server? How to find out which attribute it could be?

--
Sergey.
George Holbert wrote:
> Sergey,
> Mike's recipe would do the trick. If you try that, also look into the
> nsslapd-listenhost and nsslapd-securelistenhost config variables (in
> directory server docs). These will allow you to arrange for each
> directory server instance to only listen on a single interface. I
> believe the default is to listen on all interfaces.
> -- George
>
> Mike Jackson wrote:
>> Sergey Ivanov wrote:
>>> Hi George,
>>> I want to have the same LDAP directory for both interfaces, but with
>>> different SSL certificates.
>>
>> Probably the fastest and easiest way to do it:
>>
>> 1. Set up directory server to only listen to interface1 (hostname1)
>> 2. Install SSL cert for hostname1
>> 3. Set up directory server to only listen to interface2 (hostname2)
>> 4. Install SSL cert for hostname2
>> 5. Set up multimaster replication between the two directory servers
>> 6. Populate data
>>
>> Mike
Sergey Ivanov
2006-Oct-25 22:08 UTC
Re: [Fedora-directory-users] how to set up Fedora Ds on a multinetwork host
I managed to work around this problem by copying the freshly installed directory structure of fedora-ds to another folder, then running setup/setup there and using the option to store configuration information in an existing ldap server. But I am still interested in the right way to do it.

-- Sergey.

Sergey Ivanov wrote:
> I have a little problem with this advice.
> I have installed the fedora-ds rpm, then configured the admin server and the first
> directory server to listen on the local network and populated it with data.
> With nsslapd-listenhost and nsslapd-securelistenhost I bound this
> directory server to listen on this particular IP only.
> Then, using Fedora Management Console, I created a new instance of
> directory server. When created, it was listening on 0.0.0.0 at a
> different port.
> When I added binding to the external IP address by adding
> nsslapd-listenhost and nsslapd-securelistenhost to its config/dse.ldif,
> I got into a problem with communication between Fedora Management Console
> and this new server. I can stop/start it from the command line, and see that
> it is binding to the IP addresses correctly. I can do ldapsearch in this new
> server from the internet by this IP and port. But Fedora Management Console,
> as I'm guessing, is still looking for this server to appear on the local
> network. So it cannot start/stop/connect to it and reports it as "Stopped".
> Maybe there is some attribute to add to
> NetscapeRoot/{mydomain}/{myhost}/Server Group/Fedora Directory
> Server/slapd-{newname} to change the Admin server's expectation about this
> newly created Directory Server? How to find out which attribute it could be?