[Freeipa-users] Question: re replica install
Rob Crittenden
rcritten at redhat.com
Thu Dec 19 01:08:05 UTC 2013
Les Stott wrote:
> Hi All,
>
> (RHEL 6.4, FreeIPA 3.0.0-37)
>
> Say I want to install a replica server in a restricted network, but I
> don’t want to enable http management on the replica.
>
> I am pretty sure the following is true, but ask the question just to be
> sure….
>
> Can a replica work (for authentication and replication) without http?
>
> I can't see a switch on ipa-replica-install to not setup http, so I
> imagine if the above was possible I could…
>
> 1. Install the replica
>
> 2. Let it configure http
>
> 3. Turn off http
You'd probably run into weird corner-case problems, and how DNS is
configured might work around some of them, until it doesn't.
I think the most likely pain points would be the ipa tool and certmonger.
certmonger will use the IPA configured in /etc/ipa/default.conf, so as
long as you ensure that points to one of the other masters you'll
probably be ok.
But that is only on the clients. On the master itself renewal of the IPA
server certs will likely fail.
The ipa tool, which by default also uses default.conf, will fail over to
other masters, but you might notice a delay.
What might be a better idea would be to firewall it rather than shutting
down the service.
rob
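
Added example, not part of the original message: a small check of which master the xmlrpc_uri in /etc/ipa/default.conf points at, since the reply notes that certmonger and the ipa tool both read that file. The hostnames, the sample file contents and the function name check_ipa_endpoint are constructed for illustration.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample of /etc/ipa/default.conf (hostnames are made up).
SAMPLE_CONF = """\
[global]
basedn = dc=example,dc=com
realm = EXAMPLE.COM
domain = example.com
host = replica2.example.com
xmlrpc_uri = https://replica2.example.com/ipa/xml
"""


def check_ipa_endpoint(conf_text, http_disabled):
    """Return (ok, host, message) for the xmlrpc_uri in a default.conf text.

    http_disabled: hostnames of masters whose web service is stopped or
    firewalled (an input the admin supplies; nothing discovers it here).
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    if not parser.has_option("global", "xmlrpc_uri"):
        return (False, None, "no xmlrpc_uri in [global]")
    host = (urlparse(parser.get("global", "xmlrpc_uri")).hostname or "").lower()
    host = host.rstrip(".")
    if not host:
        return (False, None, "xmlrpc_uri has no hostname")
    # Normalise case and a trailing dot so FQDN spellings compare equal.
    blocked = {h.lower().rstrip(".") for h in http_disabled}
    if host in blocked:
        return (False, host, "xmlrpc_uri points at a master without HTTP")
    return (True, host, "xmlrpc_uri points at a master that still serves HTTP")


if __name__ == "__main__":
    no_http = {"replica2.example.com"}
    # The replica's own file as installed: points at itself.
    print(check_ipa_endpoint(SAMPLE_CONF, no_http))
    # Same file after repointing at another master.
    fixed = SAMPLE_CONF.replace("https://replica2.", "https://master1.")
    print(check_ipa_endpoint(fixed, no_http))
```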