Friday, February 28, 2020

[389-users] Re: 389ds and dual stack IPV4/6, also...

Hi William,

I mistyped the hostname of my computer, the ipv4 was associated with
"annuaire.telerys.inTra" instead of "annuaire.telerys.inFra" so
really, basic typo.
That explains also why only ipv6 was properly handled.

Besides that, I've assigned the same hostname "annuaire.telerys.infra"
to both "cn=config" parameters mentioned by Mark:
nsslapd-listenhost: annuaire.telerys.infra
nsslapd-securelistenhost: annuaire.telerys.infra

Best regards,
Nick Rand

2020-02-28 2:53 UTC+01:00, William Brown <wbrown@suse.de>:
>
>
>> On 28 Feb 2020, at 01:54, N R <randria.nicolas@gmail.com> wrote:
>>
>> I've been able to find what was wrong in my configuration, I had a
>> typo in the /etc/hosts file.
>> ^_^'
>
> Can I ask what the typo was? I'm curious how that caused this to listen on
> v6 only? What was the setting of your securelistenhost value in cn=config?
>
> Thanks!
>
>>
>> Thank you a lot for your time and your precious advice.
>
> All good, happy to help!
>
>>
>> Best regards,
>> Nick Rand
>>
>> 2020-02-27 16:25 UTC+01:00, Mark Reynolds <mreynolds@redhat.com>:
>>>
>>> On 2/27/20 10:13 AM, N R wrote:
>>>> Hi Mark,
>>>>
>>>> Thanks for your replies.
>>>>
>>>>> How did you configure the instance exactly?
>>>> The host is a Fedora 30 VM, I installed 389ds using the package
>>>> manager (dnf) and the setup-ds-admin.pl script.
>>>> I enabled LDAPS over TLS on the standard port (636).
>>>> The VM has a single network interface with both ipv4 and ipv6 addresses
>>>> on it.
>>>> There is no DNS service on the network so I'm using /etc/hosts to
>>>> associate the hostname with IPs.
>>>> The hostname is annuaire.telerys.infra
>>>>
>>>>> What do you have for nsslapd-localhost in the cn=config
>>>>> entry(dse.ldif)?
>>>> nsslapd-localhost: annuaire.telerys.infra
>>>>
>>>>> nsslapd-listenhost, so it would be interesting to see if this has any
>>>>> impact on your situation:
>>>> I've tried several things with this parameter and had strange results
>>>> with netstat -tunlp (snippet below only shows lines relative to slapd):
>>>>
>>>> nsslapd-listenhost: annuaire.telerys.infra
>>>> tcp6 0 0 [IPV6 address]:389 :::* LISTEN 1208/ns-slapd
>>>> tcp6 0 0 ::1:389 :::* LISTEN 1208/ns-slapd
>>>> tcp6 0 0 :::636 :::* LISTEN 1208/ns-slapd
>>>>
>>>> nsslapd-listenhost: [IPV4 address]
>>>> tcp 0 0 [IPV4 address]:389 0.0.0.0:* LISTEN 1136/ns-slapd
>>>> tcp6 0 0 :::636 :::* LISTEN 1136/ns-slapd
>>>>
>>>> nsslapd-listenhost: [IPV6 address]
>>>> tcp6 0 0 [IPV6 address]:389 :::* LISTEN 1285/ns-slapd
>>>> tcp6 0 0 :::636 :::* LISTEN 1285/ns-slapd
>>>>
>>>> Why is the service always listening for IPV6 on port 636 whatever the
>>>> parameter is set to?
>>> Then you want to use: nsslapd-securelistenhost
>>>>
>>>> Best regards,
>>>>
>>>> Nick Rand
>>>>
>>>> 2020-02-27 14:10 UTC+01:00, Mark Reynolds <mreynolds@redhat.com>:
>>>>> On 2/27/20 8:03 AM, Mark Reynolds wrote:
>>>>>> On 2/27/20 5:30 AM, N R wrote:
>>>>>>> Hello all,
>>>>>>>
>>>>>>> It's my first message on this list thanks in advance for your
>>>>>>> answers.
>>>>>>>
>>>>>>> I've configured a 389ds instance with ipv6 address and it's working
>>>>>>> great with it.
>>>>> How did you configure the instance exactly?
>>>>>
>>>>> What do you have for nsslapd-localhost in the cn=config
>>>>> entry(dse.ldif)?
>>>>>
>>>>> It should be a hostname, not an IP. And the hostname must correctly
>>>>> resolve to this system. DS is very sensitive to the hostname/dns - it is
>>>>> very important for things like TLS and replication.
>>>>>
>>>>> Mark
>>>>>
>>>>>>> I need for this instance to be reachable via ipv4 also but despite
>>>>>>> hours of research on the web and the archive of the list, I couldn't
>>>>>>> find any good help or how-to to set up 389ds to listen on both ipv4
>>>>>>> and ipv6 addresses.
>>>>>> The server listens on all interfaces, there is nothing special you
>>>>>> need to do in DS for IPv6 or IPv4. I'm not a network expert, but it
>>>>>> would seem to be a system issue, not a DS issue. Now, we do have
>>>>>> nsslapd-listenhost, so it would be interesting to see if this has any
>>>>>> impact on your situation:
>>>>>>
>>>>>> https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/configuration_command_and_file_reference/core_server_configuration_reference#cnconfig-nsslapd_listenhost_Listen_to_IP_Address
>>>>>>
>>>>>>
>>>>>>
>>>>>> Maybe someone else on this list has seen this before?
>>>>>>
>>>>>> HTH,
>>>>>> Mark
>>>>>>
>>>>>>> I can't find a parameter specifying the listening interfaces.
>>>>>>>
>>>>>>> Has anyone faced this kind of setup and managed to make it work?
>>>>>>> Can 389ds work this way?
>>>>>>>
>>>>>>> Best regards,
>>>>> --
>>>>>
>>>>> 389 Directory Server Development Team
>>>>>
>>>>>
>>>>
>>> --
>>>
>>> 389 Directory Server Development Team
>>>
>>>
>>
>>
>> --
>> Nicolas Randrianarisoa
>> _______________________________________________
>> 389-users mailing list -- 389-users@lists.fedoraproject.org
>> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
>
> —
> Sincerely,
>
> William Brown
>
> Senior Software Engineer, 389 Directory Server
> SUSE Labs
>


--
Nicolas Randrianarisoa
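
A check for the failure described in this thread, as an added example (not code from the thread or from the 389 Directory Server project): it parses hosts-file text and reports which address families a name such as the nsslapd-listenhost value maps to, plus look-alike names on other lines. The sample addresses are constructed documentation-range placeholders, and `parse_hosts` and `audit_hostname` are hypothetical helper names.

```python
import ipaddress
from difflib import get_close_matches

# Constructed sample modelled on the thread's typo; the addresses are
# documentation-range placeholders, not values from the original post.
SAMPLE_HOSTS = """\
127.0.0.1     localhost
::1           localhost
192.0.2.10    annuaire.telerys.intra annuaire   # IPv4 line carries the typo
2001:db8::10  annuaire.telerys.infra annuaire
"""


def parse_hosts(text):
    """Yield (ip_version, names) for every well-formed hosts-file line."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 2:
            continue
        try:
            # Strip an IPv6 zone id (fe80::1%eth0) before parsing.
            version = ipaddress.ip_address(fields[0].split("%")[0]).version
        except ValueError:
            continue  # not an address: skip rather than guess
        yield version, [name.lower() for name in fields[1:]]


def audit_hostname(text, hostname):
    """Report the address families a hostname maps to, and look-alike names."""
    hostname = hostname.lower()
    families, near_misses = set(), []
    for version, names in parse_hosts(text):
        if hostname in names:
            families.add(version)
        else:
            # A name that is almost the target is a likely typo.
            for name in get_close_matches(hostname, names, n=3, cutoff=0.9):
                near_misses.append((version, name))
    return {
        "families": sorted(families),
        "missing": sorted({4, 6} - families),
        "near_misses": near_misses,
    }


if __name__ == "__main__":
    print(audit_hostname(SAMPLE_HOSTS, "annuaire.telerys.infra"))
```

Running it against the real /etc/hosts before restarting the instance shows whether the listen host covers both families; the netstat output quoted in the thread confirms the result afterwards.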
