1.5. Meeting DNS host name and DNS requirements for IdM
This section outlines the host name and DNS requirements for server and replica systems, and how to verify that the systems meet them.
DNS records are vital for nearly all Identity Management (IdM) domain functions, including running LDAP directory services, Kerberos, and Active Directory integration. Be extremely cautious and ensure that:
- You have a tested and functional DNS service available
- The service is properly configured
This requirement applies to all IdM servers, both with and without integrated DNS.
- Verify the server host name

The host name must be a fully qualified domain name, such as server.idm.example.com.

Important: Do not use single-label domain names, for example .company: the IdM domain must be composed of one or more subdomains and a top level domain, for example example.com or company.example.com.

The fully qualified domain name must meet the following conditions:
- It is a valid DNS name, which means only numbers, alphabetic characters, and hyphens (-) are allowed. Other characters, such as underscores (_), in the host name cause DNS failures.
- It is all lower-case. No capital letters are allowed.
- It does not resolve to the loopback address. It must resolve to the system's public IP address, not to 127.0.0.1.

To verify the host name, use the hostname utility on the system where you want to install:

# hostname
server.idm.example.com

The output of hostname must not be localhost or localhost6.

- Verify the forward and reverse DNS configuration
Obtain the IP address of the server. The ip addr show command displays both the IPv4 and IPv6 addresses. In the following example, the relevant IPv6 address is 2001:DB8::1111 because its scope is global:

[root@server ~]# ip addr show
...
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:1a:4a:10:4e:33 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.1/24 brd 192.0.2.255 scope global dynamic eth0
       valid_lft 106694sec preferred_lft 106694sec
    inet6 2001:DB8::1111/32 scope global dynamic
       valid_lft 2591521sec preferred_lft 604321sec
    inet6 fe80::56ee:75ff:fe2b:def6/64 scope link
       valid_lft forever preferred_lft forever
...

Verify the forward DNS configuration using the dig utility.

Run the command dig +short server.idm.example.com A. The returned IPv4 address must match the IP address returned by ip addr show:

[root@server ~]# dig +short server.idm.example.com A
192.0.2.1

Run the command dig +short server.idm.example.com AAAA. If it returns an address, it must match the IPv6 address returned by ip addr show:

[root@server ~]# dig +short server.idm.example.com AAAA
2001:DB8::1111

Note: If dig does not return any output for the AAAA record, it does not indicate incorrect configuration. No output only means that no IPv6 address is configured in DNS for the system. If you do not intend to use the IPv6 protocol in your network, you can proceed with the installation in this situation.

Verify the reverse DNS configuration (PTR records). Pass the IP address to the dig utility with the -x option. If the commands below display a different host name or no host name, the reverse DNS configuration is incorrect.

Run the command dig +short -x IPv4_address. The output must display the server host name. For example:

[root@server ~]# dig +short -x 192.0.2.1
server.idm.example.com

If the command dig +short server.idm.example.com AAAA in the previous step returned an IPv6 address, use dig to query the IPv6 address too. The output must display the server host name. For example:

[root@server ~]# dig +short -x 2001:DB8::1111
server.idm.example.com

Note: If dig +short server.idm.example.com AAAA in the previous step did not display any IPv6 address, the reverse query for the IPv6 address does not output anything either. In this case, this is normal behavior and does not indicate incorrect configuration.

Warning: If a reverse DNS (PTR record) search returns multiple host names, httpd and other software associated with IdM may show unpredictable behavior. Red Hat strongly recommends configuring only one PTR record per IP.
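The host name rules and the forward/reverse consistency checks above can be scripted. The following is an added example, not a script from the Red Hat documentation or from IdM itself: check_idm_hostname applies the host name rules offline (it also rejects labels that start or end with a hyphen, an RFC 1123 rule the text does not spell out, and treats "fully qualified" as at least host.domain.tld, which follows from the single-label-domain warning), and check_live_dns runs dig and ip on the real system, comparing the A record with the system's global-scope addresses and requiring exactly one PTR record that maps back to the FQDN. The IDM_LIVE_CHECK environment variable is this example's own switch, not an IdM setting.

```shell
#!/bin/sh
# Added example (not part of the Red Hat documentation): checks a host name
# against the rules in the text and, when IDM_LIVE_CHECK=1, compares the A and
# PTR records of the local host name with the addresses that ip reports.
LC_ALL=C
export LC_ALL

# Return 0 when NAME is an acceptable IdM server host name; otherwise print the
# first violated rule and return 1.
check_idm_hostname() {
    name=$1
    # Loopback names are never acceptable, whatever `hostname` prints.
    case "$name" in
        localhost|localhost6|localhost.localdomain|localhost6.localdomain6)
            echo "FAIL: '$name' is a loopback name"; return 1 ;;
    esac
    # All lower-case.
    case "$name" in
        *[A-Z]*) echo "FAIL: '$name' contains capital letters"; return 1 ;;
    esac
    # Only letters, digits, hyphens and the dots between labels; this rejects
    # underscores and other characters that cause DNS failures.
    case "$name" in
        *[!a-z0-9.-]*) echo "FAIL: '$name' contains characters other than a-z, 0-9, '-' and '.'"; return 1 ;;
    esac
    # No empty labels (leading, trailing or doubled dots).
    case "$name" in
        .*|*.|*..*) echo "FAIL: '$name' contains an empty label"; return 1 ;;
    esac
    # Split into labels. Assumption beyond the text: RFC 1123 labels may not
    # start or end with a hyphen, and a fully qualified name needs the host
    # label plus a domain of at least two labels (host.example.com).
    old_ifs=$IFS; IFS=.
    set -- $name
    IFS=$old_ifs
    for label in "$@"; do
        case "$label" in
            -*|*-) echo "FAIL: label '$label' starts or ends with a hyphen"; return 1 ;;
        esac
    done
    if [ "$#" -lt 3 ]; then
        echo "FAIL: '$name' is not fully qualified (expected host.domain.tld or longer)"
        return 1
    fi
    echo "OK: '$name' is an acceptable host name"
    return 0
}

# Live check (needs dig and ip, so it cannot run offline): the A record must
# not be loopback, must be a global-scope IPv4 address on this system, and its
# PTR lookup must return exactly one name, the FQDN.
check_live_dns() {
    fqdn=$1
    ipv4=$(dig +short "$fqdn" A | head -n 1)
    if [ -z "$ipv4" ]; then
        echo "FAIL: no A record for $fqdn"; return 1
    fi
    case "$ipv4" in
        127.*) echo "FAIL: $fqdn resolves to the loopback address $ipv4"; return 1 ;;
    esac
    if ! ip -4 -o addr show scope global | grep -q " inet $ipv4/"; then
        echo "FAIL: $ipv4 is not a global-scope address on this system"; return 1
    fi
    # dig prints PTR names with a trailing dot; strip it before comparing.
    ptrs=$(dig +short -x "$ipv4" | sed 's/\.$//')
    if [ "$(printf '%s\n' "$ptrs" | grep -c .)" -ne 1 ]; then
        echo "FAIL: expected exactly one PTR record for $ipv4, got: $ptrs"; return 1
    fi
    if [ "$ptrs" != "$fqdn" ]; then
        echo "FAIL: PTR for $ipv4 is '$ptrs', expected '$fqdn'"; return 1
    fi
    echo "OK: $fqdn <-> $ipv4 forward and reverse records agree"
    return 0
}

# Run the live checks only when explicitly requested (IDM_LIVE_CHECK is this
# example's own switch).
if [ "${IDM_LIVE_CHECK:-0}" = 1 ]; then
    fqdn=$(hostname)
    check_idm_hostname "$fqdn" && check_live_dns "$fqdn"
fi
```

Run it on the candidate server as IDM_LIVE_CHECK=1 sh check-idm-dns.sh; a single FAIL line names the rule or record that needs fixing before ipa-server-install is attempted.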
- Verify the standards-compliance of DNS forwarders (required for integrated DNS only)
Ensure that all DNS forwarders you want to use with the IdM DNS server comply with the Extension Mechanisms for DNS (EDNS0). To do this, inspect the output of the following command for each forwarder separately:
$ dig @IP_address_of_the_DNS_forwarder . SOA

The expected output displayed by the command contains the following information:
- Status: NOERROR
- Flags: ra

If either of these items is missing from the output, inspect the documentation for your DNS forwarder and verify that EDNS0 is supported and enabled.
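When several forwarders must be checked, reading the dig header by eye is error-prone. The following is an added example, not part of the Red Hat documentation: check_forwarder_output parses captured dig output and fails unless both items named above (status NOERROR and the ra flag) are present; as an extra, informational hint it also reports when the answer carries no OPT pseudosection, which dig prints when the server answered with EDNS0. The two sample outputs and the forwarder addresses 192.0.2.53 and 192.0.2.54 are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the Red Hat documentation): parses the output of
# `dig @forwarder . SOA` and reports whether the two items the text requires
# (status NOERROR and the "ra" flag) are present.

# Read dig output on stdin; return 0 when both required items are present.
check_forwarder_output() {
    out=$(cat)
    # Header line: ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242"
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    # Flags line: ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, ..."
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    result=0
    if [ "$status" != "NOERROR" ]; then
        echo "FAIL: status is '${status:-missing}', expected NOERROR"
        result=1
    fi
    case " $flags " in
        *" ra "*) ;;
        *) echo "FAIL: 'ra' (recursion available) flag missing; flags are '$flags'"; result=1 ;;
    esac
    # Informational only: dig prints an OPT pseudosection when the server
    # answered with EDNS0; its absence is worth a look even if the two required
    # items are present.
    if ! printf '%s\n' "$out" | grep -q '^; EDNS: version:'; then
        echo "INFO: no OPT pseudosection in the answer (EDNS0 may be unsupported or disabled)"
    fi
    [ "$result" -eq 0 ] && echo "OK: status NOERROR and flag ra present"
    return "$result"
}

# Live use against a real forwarder, e.g. check_forwarder 192.0.2.53
check_forwarder() {
    dig "@$1" . SOA | check_forwarder_output
}

# Constructed sample: a compliant forwarder.
SAMPLE_FORWARDER_OK=$(cat <<'EOF'
; <<>> DiG 9.16.23 <<>> @192.0.2.53 . SOA
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
EOF
)

# Constructed sample: a forwarder that refuses recursion and answers without EDNS0.
SAMPLE_FORWARDER_BAD=$(cat <<'EOF'
; <<>> DiG 9.16.23 <<>> @192.0.2.54 . SOA
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4243
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
EOF
)

printf '%s\n' "$SAMPLE_FORWARDER_OK" | check_forwarder_output
printf '%s\n' "$SAMPLE_FORWARDER_BAD" | check_forwarder_output || echo "(do not configure 192.0.2.54 as an IdM forwarder)"
```

For a real forwarder, replace the samples with check_forwarder followed by its IP address and run it once per forwarder, as the text requires.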
- Verify the /etc/hosts file

Verify that the /etc/hosts file fulfills one of the following conditions:
- The file does not contain an entry for the host. It only lists the IPv4 and IPv6 localhost entries for the host.
- The file contains an entry for the host and the file fulfills all the following conditions:
  - The first two entries are the IPv4 and IPv6 localhost entries.
  - The next entry specifies the IdM server IPv4 address and host name.
  - The FQDN of the IdM server comes before the short name of the IdM server.
  - The IdM server host name is not part of the localhost entry.

The following is an example of a correctly configured /etc/hosts file:

127.0.0.1   localhost localhost.localdomain \
 localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain \
 localhost6 localhost6.localdomain6
192.0.2.1       server.idm.example.com server
2001:DB8::1111  server.idm.example.com server
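The /etc/hosts conditions above are easy to get wrong by hand, most often by appending the server name to the 127.0.0.1 line, which makes the FQDN resolve to loopback. The following is an added example, not part of the Red Hat documentation: check_hosts_file reads a hosts file with awk, joins the backslash-wrapped lines shown in the example above, ignores comments, and accepts the file only under one of the two documented conditions. The sample files are constructed here with mktemp; the host name and addresses are the ones used in this section.

```shell
#!/bin/sh
# Added example (not part of the Red Hat documentation): checks an /etc/hosts
# file against the conditions listed in the text. Run it against the real file
# with: check_hosts_file /etc/hosts "$(hostname)" 192.0.2.1

# Usage: check_hosts_file FILE FQDN IPV4  -> returns 0 when the file is acceptable.
check_hosts_file() {
    awk -v fqdn="$2" -v short="${2%%.*}" -v ipv4="$3" '
    function fail(msg) { print "FAIL: " msg; exit 1 }
    # Join lines wrapped with a trailing backslash, as in the documentation example.
    sub(/[ \t]*\\[ \t]*$/, "") { buf = buf $0 " "; next }
    { $0 = buf $0; buf = "" }
    # Drop comments and blank lines, normalise whitespace, keep entries in order.
    { sub(/#.*/, ""); if (NF == 0) next; $1 = $1; n++; addr[n] = $1; first[n] = $2; line[n] = " " $0 " " }
    END {
        # Find the first entry naming the host and reject any localhost entry that names it.
        host_entry = 0
        for (i = 1; i <= n; i++) {
            names_host = index(line[i], " " fqdn " ") || index(line[i], " " short " ")
            if (names_host && (addr[i] == "127.0.0.1" || addr[i] == "::1"))
                fail("the IdM host name is part of a localhost entry:" line[i])
            if (names_host && !host_entry) host_entry = i
        }
        # Condition shared by both cases: the first two entries are the localhost entries.
        lo4 = (n >= 1 && addr[1] == "127.0.0.1" && index(line[1], " localhost "))
        lo6 = (n >= 2 && addr[2] == "::1" && index(line[2], " localhost "))
        if (!(lo4 && lo6)) fail("the first two entries must be the IPv4 and IPv6 localhost entries")
        if (!host_entry) { print "OK: no entry for " fqdn ", only localhost entries"; exit 0 }
        # Case 2: the third entry is the server IPv4 address with the FQDN before the short name.
        if (!(n >= 3 && addr[3] == ipv4 && first[3] == fqdn))
            fail("the third entry must be \"" ipv4 " " fqdn "\" with the FQDN before the short name")
        print "OK: " fqdn " entry is present and correctly ordered"
        exit 0
    }' "$1"
}

# Constructed sample 1: the documented correct layout.
GOOD_HOSTS=$(mktemp)
cat > "$GOOD_HOSTS" <<'EOF'
127.0.0.1   localhost localhost.localdomain \
 localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain \
 localhost6 localhost6.localdomain6
192.0.2.1       server.idm.example.com server
2001:DB8::1111  server.idm.example.com server
EOF

# Constructed sample 2: the host name was appended to the loopback line, so the
# FQDN resolves to 127.0.0.1.
BAD_HOSTS=$(mktemp)
cat > "$BAD_HOSTS" <<'EOF'
127.0.0.1   localhost server.idm.example.com server
::1         localhost localhost6
EOF

check_hosts_file "$GOOD_HOSTS" server.idm.example.com 192.0.2.1
check_hosts_file "$BAD_HOSTS" server.idm.example.com 192.0.2.1 || echo "(fix the file before installing)"
```

A FAIL line names the violated condition; the check is deliberately strict about entry order because IdM's installer and the system resolver both read the file top to bottom.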