[Freeipa-users] Using already running dogtag-instance possible?

Rob Crittenden rcritten at redhat.com
Tue Apr 13 17:58:23 UTC 2010


Oliver Burtchen wrote:
> Hi Rob,
> 
> thanks for the answer. I know about the external CA-Cert possibility of 
> ipa-server-install. But it does not do what I want.
> 
> I did setup a dogtag ca and a fedora-ds (389). It would be nice, if freeipa 
> could just use them. I find it a little bit inconsistent that dogtag tries to be 
> a central service, and freeipa claims to be the same, setting up a new one. 

Well, it gets tricky because we need an RA certificate in IPA and there 
is no automated way to get this with an existing dogtag installation. 
This is why making IPA a subordinate CA is suggested, so you can 
continue with your existing central authority.

I'm sure it's possible to wedge in an existing dogtag instance; it would 
just take a bit of work and lots of code reading. Among the things you'd 
have to do are:

- change the dogtag ports in IPA
- have your CA issue an RA certificate and trust that user in the existing CA
- load that RA cert and private key into /etc/httpd/alias using the right nickname
- set the right CA type in /etc/ipa/default.conf on the IPA server

Perhaps some other things I'm missing. I'm not sure how cloning will 
work in this case.

> BTW: Freeipa setup tells me that it should be the only 389-instance, and 
> exit gracefully. Well, my dogtag and bind setup with 389-backend works quite 
> well, I just want freeipa to use them.

IPA is really geared for configuration on a fresh install. We have to 
touch so many things that the installation is difficult as it is. Having to 
integrate with a lot of existing services makes this doubly 
difficult. You can always disable the check (only via code now, no 
arguments for this).

> Is there a possibility to set up freeipa this way? Thanks for the all-in-one 
> setup, but it means I cannot run another ldap (389) server(-instance) on a 
> machine where freeipa is running. Is this right?

You can't if it is already installed, at least not without a small code 
change.

We have to use the 80/20 rule here and try to have some control over the 
initial environment before trying the installation. It is probably 
possible to do what you want given time and patience but we are unlikely 
to do this in the near future.

rob

> 
> Best regards,
> Oli
> 
> On Friday, 9 April 2010 23:42:54, Rob Crittenden wrote:
>> Oliver Burtchen wrote:
>>> Hi @all,
>>>
>>> is it possible to use an already configured and running dogtag-instance
>>> for freeipa V2 in the installation process? I would like to give
>>> ipa-server-install just the params for the dogtag-instance/server to
>>> use, and skip its own creation-process (pkisilence ...).
>>>
>>> Or are there arguments for an extra CA used by freeipa?
>>>
>>> Background: I customized dogtag for my needs (using SHA256, default to 10
>>> year validity of ca-SigningCert, organization and location defaults, etc.
>>> ).
>>>
>>> Best regards,
>>> Oli
>> Probably the best way to do it would be to use the external CA install
>> option (--external-ca). This is a two-step installation process. The
>> first step generates a CSR for the IPA CA. You take this CSR to your
>> existing CA and issue a subordinate CA certificate that will be used by
>> IPA. Then you continue the IPA installation and it sets up a separate
>> dogtag instance with this subordinate CA.
>>
>> It might be possible to wedge in an existing dogtag install into IPA in
>> another way but I haven't yet tried it.
>>
>> rob
>>
> 