[Freeipa-users] Question: re replica install

Les Stott Less at imagine-sw.com
Thu Dec 19 03:04:20 UTC 2013


Thanks Rob.

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com] 
Sent: Thursday, 19 December 2013 12:08 PM
To: Les Stott; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Question: re replica install

Les Stott wrote:
> Hi All,
>
> (RHEL 6.4, FreeIPA 3.0.0-37)
>
> Say I want to install a replica server in a restricted network, but I 
> don't want to enable http management on the replica.
>
> I am pretty sure the following is true, but ask the question just to 
> be sure....
>
> Can a replica work (for authentication and replication) without http?
>
> I can't see a switch on ipa-replica-install to not setup http, so I 
> imagine if the above was possible I could...
>
> 1. Install the replica
>
> 2. Let it configure http
>
> 3. Turn off http

You'd probably run into weird corner-case problems, and how DNS is configured might work around some of them, until it doesn't.

I think the most likely pain points would be the ipa tool and certmonger.

certmonger will use the IPA configured in /etc/ipa/default.conf, so as long as you ensure that points to one of the other masters you'll probably be ok.

But that is only on the clients. On the master itself renewal of the IPA server certs will likely fail.

The ipa tool, which by default also uses default.conf, will fail over to other masters, but you might notice a delay.

What might be a better idea would be to firewall it rather than shutting down the service.

rob
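Rob's advice above (firewall the replica's HTTP service rather than stopping it, and make sure certmonger and the ipa tool can still reach the server named in /etc/ipa/default.conf) as an added example; this is not code from the thread or from FreeIPA. It assumes iptables on RHEL 6, and the master addresses and default.conf contents are constructed placeholders.

```bash
#!/bin/sh
# Added example (not from the thread): keep httpd running on the replica but
# only let loopback and the other IPA masters reach ports 80/443.
# Stopping httpd would break local cert renewal and slow the ipa tool's failover.

# Addresses of the other masters that may still talk to this replica over
# HTTP(S). Constructed placeholders: replace with your own master addresses.
IPA_MASTERS="192.0.2.10 192.0.2.11"

# Print the iptables rules implementing the restriction. Nothing is applied
# unless you review the output and pipe it to sh.
ipa_http_rules() {
    # Loopback first: certmonger and the ipa tool on this host contact the
    # xmlrpc_uri in /etc/ipa/default.conf, which on a master is usually itself.
    echo "iptables -A INPUT -i lo -p tcp -m multiport --dports 80,443 -j ACCEPT"
    for m in $IPA_MASTERS; do
        echo "iptables -A INPUT -s $m -p tcp -m multiport --dports 80,443 -j ACCEPT"
    done
    # Everything else on the restricted network gets a clean refusal.
    echo "iptables -A INPUT -p tcp -m multiport --dports 80,443 -j REJECT --reject-with tcp-reset"
}

# Print the host named in the xmlrpc_uri line of a default.conf-style file,
# i.e. the server certmonger and the ipa tool will contact first. Use it to
# confirm a client or replica points at a master whose HTTP is reachable.
ipa_conf_server() {
    sed -n 's#^xmlrpc_uri *= *[a-z]*://\([^/]*\)/.*#\1#p' "$1"
}

# Usage on a live system (after reviewing the rules):
#   ipa_http_rules | sh
#   ipa_conf_server /etc/ipa/default.conf
```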
