[Freeipa-users] Accessing IPA servers on non-standard port

Petr Spacek pspacek at redhat.com
Fri Sep 27 07:40:24 UTC 2013


On 27.9.2013 07:23, Chandan Kumar wrote:
> Hi Rob,
>
> Thanks for the info. Sure I will create the ticket and will certainly try
> to pick the low-hanging fruit :-)
>
>
> --
> http://about.me/chandank
>
>
> On Thu, Sep 26, 2013 at 7:51 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
>> Chandan Kumar wrote:
>>
>>> Hello,
>>>
>>> I have basic configuration question, my apologies if it has already been
>>> discussed.
>>>
>>> I have ipa-server-3 server installed with default parameters with
>>> replication.
>>>
>>> We have Linux machines across different geo locations and I would like to
>>> integrate them into the IPA server, however, I don't want external clients
>>> to connect to the server on the standard ports.
>>>
>>> For example, during ipa-client registration it requires all IPA services
>>> to be running on the default ports.
>>>
>>> Such as : trying https://ipa01.my.net/ipa/xml
>>>
>>> kdc = ipa01.my.net:88
>>> master_kdc = ipa01.my.net:88
>>> admin_server = ipa01.my.net:749
>>>
>>>
>>> Is there any way in ipa-client-install or the sssd file to instruct the IPA
>>> client to connect to the IPA server on non-standard ports, such as
>>>
>>> trying https://ipa01.my.net:8080/ipa/xml
>>>
>>> This way I don't have to allocate a separate IP or an additional web server
>>> to redirect the requests; a simple NAT at the firewall will do, such as
>>> external 8080 -> internal 443.
>>>
>>
>> Currently there is no way to do this. I'd have sworn we had a ticket to
>> add this but a quick search didn't turn it up. If you'd like this supported,
>> feel free to open a ticket at https://fedorahosted.org/freeipa/newticket
>>
>> I don't think this would be tremendously difficult to do, the trick would
>> be communicating the port to clients somehow while they are trying to
>> enroll. A command-line option would probably be the shortest path.
>>
>> This may be decent low-hanging fruit if you're interested in being a
>> contributor to IPA.

Speaking specifically about Kerberos, LDAP and NTP - it should be possible to 
change the port number in the SRV records in DNS and that is it. I'm not sure if 
client libraries really support this, but you can try it.

HTTP and HTTPS will be more problematic because there are no SRV records 
for them.

-- 
Petr^2 Spacek
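As an added illustration of the SRV-record approach Petr describes (this is not code from the thread or from FreeIPA), the block below parses a constructed zone fragment in which the Kerberos, kpasswd, kadmin, LDAP and NTP services are published on non-standard ports, derives the host:port targets a client following RFC 2782 would try, and renders the equivalent explicit krb5.conf [realms] entries for clients that are not configured to do SRV lookups. The zone names under my.net and the port numbers 8088, 8464, 8749, 8389 and 8123 are assumptions chosen for the example. Whether a particular client library actually honours the port field is, as Petr says, something to test; and the /ipa/xml endpoint stays on 443 because HTTP and HTTPS have no SRV records to carry the port.

```python
"""Parse DNS SRV records written in zone-file syntax and turn them into the
host:port targets an IPA client would derive from them."""
import re
from collections import defaultdict

# Constructed zone fragment (not from the mailing-list thread). Each IPA
# service that has an SRV record is published on an assumed non-standard port.
ZONE_FRAGMENT = """\
_kerberos._udp.my.net.        IN SRV 0  100 8088 ipa01.my.net.
_kerberos._tcp.my.net.        IN SRV 0  100 8088 ipa01.my.net.
_kerberos._udp.my.net.        IN SRV 10 100 8088 ipa02.my.net.
_kerberos-master._udp.my.net. IN SRV 0  100 8088 ipa01.my.net.
_kerberos-adm._tcp.my.net.    IN SRV 0  100 8749 ipa01.my.net.
_kpasswd._udp.my.net.         IN SRV 0  100 8464 ipa01.my.net.
_ldap._tcp.my.net.            IN SRV 0  100 8389 ipa01.my.net.
_ldap._tcp.my.net.            IN SRV 0  50  8389 ipa02.my.net.
_ntp._udp.my.net.             IN SRV 0  100 8123 ipa01.my.net.
; There is no _https._tcp SRV record, so nothing here moves the /ipa/xml port.
"""

# owner [TTL] IN SRV priority weight port target
SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$"
)


def parse_srv(zone_text):
    """Return {owner_name: [(priority, weight, port, target), ...]}."""
    records = defaultdict(list)
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].rstrip()  # drop zone-file comments
        if not line:
            continue
        m = SRV_RE.match(line)
        if not m:
            raise ValueError("not an SRV record: %r" % line)
        name = m.group("name").rstrip(".").lower()
        records[name].append((int(m.group("prio")), int(m.group("weight")),
                              int(m.group("port")),
                              m.group("target").rstrip(".")))
    return records


def srv_targets(records, service):
    """Targets for one service as 'host:port', in the order a client would
    try them: lowest priority first. Within one priority RFC 2782 picks
    randomly in proportion to weight; here we approximate that
    deterministically by putting the higher weight first."""
    rrs = records.get(service.rstrip(".").lower(), [])
    ordered = sorted(rrs, key=lambda r: (r[0], -r[1]))
    return ["%s:%d" % (target, port) for _, _, port, target in ordered]


def krb5_realm_stanza(records, realm, domain):
    """Render the [realms] block a krb5.conf needs when SRV lookup is NOT used:
    the non-standard port then has to be spelled out on every entry."""
    kdcs = srv_targets(records, "_kerberos._udp." + domain)
    master = srv_targets(records, "_kerberos-master._udp." + domain)
    admin = srv_targets(records, "_kerberos-adm._tcp." + domain)
    kpasswd = srv_targets(records, "_kpasswd._udp." + domain)
    lines = [" %s = {" % realm]
    lines += ["  kdc = %s" % k for k in kdcs]
    lines += ["  master_kdc = %s" % m for m in master]
    lines += ["  admin_server = %s" % a for a in admin]
    lines += ["  kpasswd_server = %s" % p for p in kpasswd]
    lines.append(" }")
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_srv(ZONE_FRAGMENT)
    for svc in ("_kerberos._udp", "_ldap._tcp", "_ntp._udp", "_https._tcp"):
        print("%-16s -> %s" % (svc, srv_targets(recs, svc + ".my.net") or "no SRV record"))
    print(krb5_realm_stanza(recs, "MY.NET", "my.net"))
```

Published this way, the port travels with the SRV record and the client needs no extra command-line option; the catch, as the thread notes, is that each client library must actually read the port field, and the HTTP/HTTPS endpoint used during enrollment has no SRV record at all, so it still needs a fixed port or a separate redirect.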
