Thread: how to set up Fedora Ds on a multinetwork host




how to set up Fedora Ds on a multinetwork host
user name
2006-10-23 20:19:41
Hi,
I have installed Fedora Directory Server on a machine which belongs to
2 different networks. One is a local network with the 192.168. prefix, and
the other is a real IP I've got from an Internet service provider.

I want to have Directory Server listening on both interfaces, with SSL
certificates. How can I set up Directory Server to use different
certificates for different IP addresses (and different hostnames)? Is it
possible?

I have not found the answer in the documentation or on the Internet. I tried
to set up another Directory Server instance on the same host, but I also
failed, because it refuses to share the same port number, and to bind to
that port only on one of the IP addresses.

Please help me.

With best regards,
	Sergey Ivanov.

--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
how to set up Fedora Ds on a multinetwork host
user name
2006-10-23 20:32:21
Sergey,
Do you want to have both interfaces talk to the same LDAP directory?
Or do you want an entirely separate LDAP directory for each?
-- George

Sergey Ivanov wrote:
> Hi,
> I have installed Fedora Directory Server on a machine which belongs to
> 2 different networks. One is a local network with the 192.168. prefix, and
> the other is a real IP I've got from an Internet service provider.
>
> I want to have Directory Server listening on both interfaces, with SSL
> certificates. How can I set up Directory Server to use different
> certificates for different IP addresses (and different hostnames)? Is it
> possible?
>
> I have not found the answer in the documentation or on the Internet. I tried
> to set up another Directory Server instance on the same host, but I also
> failed, because it refuses to share the same port number, and to bind to
> that port only on one of the IP addresses.
>
> Please help me.
>
> With best regards,
> 	Sergey Ivanov.


how to set up Fedora Ds on a multinetwork host
user name
2006-10-23 20:36:05
Hi George,
I want to have the same LDAP directory for both interfaces, but with
different SSL certificates.
-- 
	Sergey.

George Holbert wrote:
> Sergey,
> Do you want to have both interfaces talk to the same LDAP directory?
> Or do you want an entirely separate LDAP directory for each?
> -- George
>
> Sergey Ivanov wrote:
>> Hi,
>> I have installed Fedora Directory Server on a machine which belongs to
>> 2 different networks. One is a local network with the 192.168. prefix, and
>> the other is a real IP I've got from an Internet service provider.
>>
>> I want to have Directory Server listening on both interfaces, with SSL
>> certificates. How can I set up Directory Server to use different
>> certificates for different IP addresses (and different hostnames)? Is it
>> possible?
>>
>> I have not found the answer in the documentation or on the Internet. I tried
>> to set up another Directory Server instance on the same host, but I also
>> failed, because it refuses to share the same port number, and to bind to
>> that port only on one of the IP addresses.
>>
>> Please help me.
>>
>> With best regards,
>>     Sergey Ivanov.

how to set up Fedora Ds on a multinetwork host
user name
2006-10-23 20:33:06
Sergey Ivanov wrote:
> Hi George,
> I want to have the same LDAP directory for both interfaces, but with
> different SSL certificates.

Probably the fastest and easiest way to do it:

1. Set up directory server to only listen to interface1 (hostname1)
2. Install SSL cert for hostname1
3. Set up directory server to only listen to interface2 (hostname2)
4. Install SSL cert for hostname2
5. Set up multimaster replication between the two directory servers
6. Populate data

Mike

-- 
http://www.netauth.com - LDAP Directory Consulting

how to set up Fedora Ds on a multinetwork host
user name
2006-10-23 21:15:17
Sergey,
Mike's recipe would do the trick.  If you try that, also look into the
nsslapd-listenhost and nsslapd-securelistenhost config variables (in
directory server docs).  These will allow you to arrange for each
directory server instance to only listen on a single interface.  I
believe the default is to listen on all interfaces.
-- George

Mike Jackson wrote:
> Sergey Ivanov wrote:
>> Hi George,
>> I want to have the same LDAP directory for both interfaces, but with
>> different SSL certificates.
>
> Probably the fastest and easiest way to do it:
>
> 1. Set up directory server to only listen to interface1 (hostname1)
> 2. Install SSL cert for hostname1
> 3. Set up directory server to only listen to interface2 (hostname2)
> 4. Install SSL cert for hostname2
> 5. Set up multimaster replication between the two directory servers
> 6. Populate data
>
> Mike
>
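
An added example, not part of any post in this thread: a Python check over each instance's dse.ldif that reports instances still listening on all interfaces and pairs of instances that would collide on a port, the state that steps 1 and 3 of Mike's recipe and the nsslapd-listenhost / nsslapd-securelistenhost settings George mentions are meant to avoid. The LDIF fragments, addresses, ports and instance names are constructed; nsslapd-port, nsslapd-secureport and nsslapd-security are standard cn=config attributes that the thread itself does not name.

```python
from itertools import combinations, product
WILDCARD = "*"  # no listenhost attribute: the instance binds every interface
# Constructed dse.ldif fragments; addresses, ports and instance names are placeholders.
INTERNAL = """dn: cn=config
nsslapd-port: 389
nsslapd-listenhost: 192.168.0.10
nsslapd-security: on
nsslapd-secureport: 636
nsslapd-securelistenhost: 192.168.0.10
"""
EXTERNAL_DEFAULT = """dn: cn=config
nsslapd-port: 389
nsslapd-security: on
nsslapd-secureport: 636
"""
EXTERNAL_PINNED = (EXTERNAL_DEFAULT + "nsslapd-listenhost: 203.0.113.5\n"
                   "nsslapd-securelistenhost: 203.0.113.5\n")

def parse_config(ldif_text):
    """Return the cn=config attributes as a dict with lowercase keys."""
    attrs, in_config = {}, False
    # LDIF folds long lines; a continuation line starts with a single space.
    for line in ldif_text.replace("\n ", "").splitlines():
        if not line.strip():
            in_config = False  # a blank line ends the entry
        elif line.lower().startswith("dn:"):
            in_config = line[3:].strip().lower() == "cn=config"
        elif in_config and ":" in line and not line.startswith("#"):
            key, value = line.split(":", 1)
            attrs[key.strip().lower()] = value.strip()
    return attrs

def listeners(attrs):  # (address, port) pairs this instance binds
    pairs = {(attrs.get("nsslapd-listenhost", WILDCARD), attrs["nsslapd-port"])}
    if attrs.get("nsslapd-security", "off").lower() == "on":
        pairs.add((attrs.get("nsslapd-securelistenhost", WILDCARD),
                   attrs["nsslapd-secureport"]))
    return pairs

def audit(instances):
    """Map of instance name -> dse.ldif text; returns sorted findings."""
    bound = {n: listeners(parse_config(t)) for n, t in instances.items()}
    found = {f"{n}: port {p} listens on all interfaces"
             for n, pairs in bound.items() for a, p in pairs if a == WILDCARD}
    for x, y in combinations(sorted(bound), 2):
        for (ax, px), (ay, py) in product(bound[x], bound[y]):
            if px == py and (WILDCARD in (ax, ay) or ax == ay):
                found.add(f"{x} and {y}: both claim port {px}")
    return sorted(found)
```

With both instances pinned to their own address, `audit` returns an empty list even though they share ports 389 and 636; with the second instance left at its default, it reports both the wildcard listeners and the port collisions.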



how to set up Fedora Ds on a multinetwork host
user name
2006-10-23 21:42:51
Thank you!
-- 
With best regards,
	Sergey Ivanov.

George Holbert wrote:
> Sergey,
> Mike's recipe would do the trick.  If you try that, also look into the
> nsslapd-listenhost and nsslapd-securelistenhost config variables (in
> directory server docs).  These will allow you to arrange for each
> directory server instance to only listen on a single interface.  I
> believe the default is to listen on all interfaces.
> -- George
>
> Mike Jackson wrote:
>> Sergey Ivanov wrote:
>>> Hi George,
>>> I want to have the same LDAP directory for both interfaces, but with
>>> different SSL certificates.
>>
>> Probably the fastest and easiest way to do it:
>>
>> 1. Set up directory server to only listen to interface1 (hostname1)
>> 2. Install SSL cert for hostname1
>> 3. Set up directory server to only listen to interface2 (hostname2)
>> 4. Install SSL cert for hostname2
>> 5. Set up multimaster replication between the two directory servers
>> 6. Populate data
>>
>> Mike
>>

how to set up Fedora Ds on a multinetwork host
user name
2006-10-25 17:15:37
I have a little problem with this advice.
I have installed the fedora-ds rpm, then configured the admin server and the first
directory server to listen on the local network, and populated it with data.
With nsslapd-listenhost and nsslapd-securelistenhost I bound this
directory server to listen at this particular IP only.
Then, using Fedora Management Console, I created a new instance of
directory server. When created, it was listening on 0.0.0.0 at
a different port.
When I added the binding to the external IP address by adding
nsslapd-listenhost and nsslapd-securelistenhost to its config/dse.ldif,
I ran into a problem with communication between Fedora Management Console
and this new server. I can stop/start it from the command line, and see that
it is binding to the IP addresses correctly. I can do ldapsearch on this new
server from the Internet by this IP and port. But Fedora Management Console,
as I'm guessing, is still looking for this server to appear on the local
network. So it cannot start/stop/connect to it and reports it as "Stopped".
Maybe there is some attribute to add to
NetscapeRoot///Server Group/Fedora Directory Server/slapd- to change the
expectation of the Admin server about this
newly created Directory Server? How to find out which attribute it can be?
-- 
	Sergey.

George Holbert wrote:
> Sergey,
> Mike's recipe would do the trick.  If you try that, also look into the
> nsslapd-listenhost and nsslapd-securelistenhost config variables (in
> directory server docs).  These will allow you to arrange for each
> directory server instance to only listen on a single interface.  I
> believe the default is to listen on all interfaces.
> -- George
>
> Mike Jackson wrote:
>> Sergey Ivanov wrote:
>>> Hi George,
>>> I want to have the same LDAP directory for both interfaces, but with
>>> different SSL certificates.
>>
>> Probably the fastest and easiest way to do it:
>>
>> 1. Set up directory server to only listen to interface1 (hostname1)
>> 2. Install SSL cert for hostname1
>> 3. Set up directory server to only listen to interface2 (hostname2)
>> 4. Install SSL cert for hostname2
>> 5. Set up multimaster replication between the two directory servers
>> 6. Populate data
>>
>> Mike

how to set up Fedora Ds on a multinetwork host
user name
2006-10-25 22:08:02
I managed to work around this problem by copying the freshly installed directory
structure of fedora-ds to another folder, then running setup/setup there
and using the option to store configuration information in an existing LDAP
server. But I am still interested in the right way to do it.
-- 
	Sergey.


Sergey Ivanov wrote:
> I have a little problem with this advice.
> I have installed the fedora-ds rpm, then configured the admin server and the first
> directory server to listen on the local network, and populated it with data.
> With nsslapd-listenhost and nsslapd-securelistenhost I bound this
> directory server to listen at this particular IP only.
> Then, using Fedora Management Console, I created a new instance of
> directory server. When created, it was listening on 0.0.0.0 at
> a different port.
> When I added the binding to the external IP address by adding
> nsslapd-listenhost and nsslapd-securelistenhost to its config/dse.ldif,
> I ran into a problem with communication between Fedora Management Console
> and this new server. I can stop/start it from the command line, and see that
> it is binding to the IP addresses correctly. I can do ldapsearch on this new
> server from the Internet by this IP and port. But Fedora Management Console,
> as I'm guessing, is still looking for this server to appear on the local
> network. So it cannot start/stop/connect to it and reports it as "Stopped".
> Maybe there is some attribute to add to
> NetscapeRoot///Server Group/Fedora Directory Server/slapd- to change the
> expectation of the Admin server about this
> newly created Directory Server? How to find out which attribute it can be?
