[Freeipa-users] Unable to connect to IPA server: File Not Found
root
freeipa at voidembraced.net
Mon Mar 8 23:23:39 UTC 2010
>> Turned out to be webservice getting reconfigured out from under me. We
>> didn't know that the management interface website was necessary for the
>> command-line management tools.
>> This raises a couple more questions:
>> 1) Is the free-ipa website needed only for management (i.e.: changes) to
>> the IPA (e.g.: user additions, password changes, service deletions,
>> etc.), or is it required for the fundamental workings of authentication
>> -- we think this unlikely as this should be handled by kerberos/ldap,
>> etc., and we were able to auth while the website was down.
>
> Apache provides a vehicle for getting to the TurboGears UI (via mod_proxy)
> and for the XML-RPC API used by the command-line. It isn't used for
> authentication/authorization.
Understood. This is as expected.
>> 2) What is the simplest way to configure the free-ipa website for
>> command-line only usage -- is there a stand-alone daemon we can run for
>> the free-ipa command-line utilities to work so we need not worry about
>> free-ipa in our apache configs?
>
> It only runs from within Apache right now and there are no plans to do
> otherwise. We have all of the IPA configuration centralized in two files:
> ipa.conf and ipa-rewrite.conf, if that helps.
Unfortunately it's not that simple, as configuration bleeds over, but this
is not your problem -- or, at least, you do not intend to provide the means
for non-apache/CLI only administration of Free-IPA.
I don't necessarily blame you, but it sure would be nice if we could nix
apache from the mix. :D
>> 3) It is worthy of mention that we do have redundant configuration
>> between two servers, and will need them to be able to propagate changes
>> across -- is the free-ipa website in any way related to this, or is this
>> entirely handled by internal kerberos/ldap faculties?
>
> Data (users, groups, etc) replication is handled by 389-ds.
Understood. This, too, is as expected.
> Per-service configuration is generally done on a per-box basis. We don't
> have integration with a configuration management system like puppet to
> keep configuration files in sync, if that is what you are asking.
No, you answered the question above. I only care about the internal
configuration/state of free-ipa for the purpose of this inquiry. It appears
that free-ipa [correctly] stores all its data in kerberos/ldap, and that
free-ipa itself is used only to maintain that kerberos/ldap stored data.
Well, with the possible exception of adding/removing servers to the free-ipa
management cluster.
Thank you for your prompt attention to this matter.
Regards,
-Don
{void}