[Freeipa-users] Accessing IPA servers on no-standard port

Chandan Kumar chandank.kumar at gmail.com
Fri Sep 27 17:58:36 UTC 2013


Ticket created: Ticket #3955




--
http://about.me/chandank


On Fri, Sep 27, 2013 at 12:40 AM, Petr Spacek <pspacek at redhat.com> wrote:

> On 27.9.2013 07:23, Chandan Kumar wrote:
>
>> Hi Rob,
>>
>> Thanks for the info. Sure I will create the ticket and will certainly try
>> to pick the low-hanging fruit :-)
>>
>>
>> --
>> http://about.me/chandank
>>
>>
>> On Thu, Sep 26, 2013 at 7:51 PM, Rob Crittenden <rcritten at redhat.com>
>> wrote:
>>
>>> Chandan Kumar wrote:
>>>>
>>>> Hello,
>>>> I have a basic configuration question; my apologies if it has already been
>>>> discussed.
>>>>
>>>> I have ipa-server-3 server installed with default parameters with
>>>> replication.
>>>>
>>>> We have Linux machines across different geo locations and I would like to
>>>> integrate them into the IPA server; however, I don't want external clients
>>>> to connect to the server on the standard ports.
>>>>
>>>> For example, during ipa-client registration it requires all IPA services
>>>> to be running on the default ports.
>>>>
>>>> Such as: trying https://ipa01.my.net/ipa/xml
>>>>
>>>> kdc = ipa01.my.net:88
>>>> master_kdc = ipa01.my.net:88
>>>> admin_server = ipa01.my.net:749
>>>>
>>>>
>>>> Is there any way in ipa-client-install or the sssd file to instruct the IPA
>>>> client to connect to the IPA server on non-standard ports, such as
>>>>
>>>> trying https://ipa01.my.net:8080/ipa/xml
>>>>
>>>>
>>>> This way I don't have to allocate a separate IP or an additional web server
>>>> to redirect the requests; a simple NAT at the firewall will do, such as
>>>> external 8080 -> internal 443
>>>>
>>>>
>>> Currently there is no way to do this. I'd have sworn we had a ticket to
>>> add this but a quick search didn't turn it up. If you'd like this supported,
>>> feel free to open a ticket at https://fedorahosted.org/freeipa/newticket
>>>
>>>
>>> I don't think this would be tremendously difficult to do; the trick would
>>> be communicating the port to clients somehow while they are trying to
>>> enroll. A command-line option would probably be the shortest path.
>>>
>>> This may be decent low-hanging fruit if you're interested in being a
>>> contributor to IPA.
>>>
>>
> Speaking specifically about Kerberos, LDAP and NTP - it should be possible
> to change the port number in the SRV records in DNS and that is it. I'm not
> sure if client libraries really support this, but you can try it.
>
> HTTP and HTTPS will be more problematic because there are no SRV
> records for them.
>
> --
> Petr^2 Spacek
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
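Petr's point above is that Kerberos and LDAP clients can learn a non-standard port from the SRV record itself, while HTTPS has no SRV record and keeps needing an explicit URL. The following added example (not code from the thread or from FreeIPA) parses a constructed set of SRV records carrying non-standard ports and renders the krb5.conf realm stanza and LDAP URIs a client that does not read SRV records would need; the zone data, the ports and the ipa02 host are assumptions, only ipa01.my.net comes from the thread.

```python
import re

# Constructed zone-file lines (not from the thread): the well-known IPA SRV
# names, but carrying non-standard ports, as Petr's message proposes.
SRV_ZONE = """
_kerberos._udp.my.net.     300 IN SRV 0  100 8088 ipa01.my.net.
_kerberos._tcp.my.net.     300 IN SRV 0  100 8088 ipa01.my.net.
_kerberos._udp.my.net.     300 IN SRV 10 100 88   ipa02.my.net.
_kpasswd._udp.my.net.      300 IN SRV 0  100 8464 ipa01.my.net.
_kerberos-adm._tcp.my.net. 300 IN SRV 0  100 8749 ipa01.my.net.
_ldap._tcp.my.net.         300 IN SRV 0  100 8389 ipa01.my.net.
_ldap._tcp.my.net.         300 IN SRV 10 100 389  ipa02.my.net.
"""
# Fields: owner TTL IN SRV priority weight port target
SRV_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?$")

def parse_srv(zone_text):
    """Map each owner name to its (priority, weight, port, target) records,
    ordered as a resolver prefers them: lowest priority, then highest weight."""
    records = {}
    for line in zone_text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            owner, prio, weight, port, target = m.groups()
            records.setdefault(owner.rstrip("."), []).append(
                (int(prio), int(weight), int(port), target))
    return {k: sorted(v, key=lambda r: (r[0], -r[1])) for k, v in records.items()}

def hostports(records, service, domain):
    """Deduplicated 'host:port' endpoints for one service, in preference order;
    the port comes from DNS, so the client needs no built-in default."""
    out = []
    for _, _, port, target in records.get(f"{service}.{domain}", []):
        if f"{target}:{port}" not in out:
            out.append(f"{target}:{port}")
    return out

def krb5_realm_stanza(realm, domain, records):
    """krb5.conf [realms] entry for a client that does not consult SRV records
    itself; the port travels with the host, as in the thread's kdc lines."""
    kdcs = hostports(records, "_kerberos._udp", domain) + hostports(records, "_kerberos._tcp", domain)
    lines = [f"  {realm} = {{"] + [f"    kdc = {hp}" for hp in dict.fromkeys(kdcs)]
    lines += [f"    admin_server = {hp}" for hp in hostports(records, "_kerberos-adm._tcp", domain)[:1]]
    lines += [f"    kpasswd_server = {hp}" for hp in hostports(records, "_kpasswd._udp", domain)[:1]]
    return "\n".join(lines + ["  }"])

def ldap_uris(records, domain):
    """ldap:// URIs with explicit ports, as sssd's ldap_uri setting would need them."""
    return ["ldap://" + hp for hp in hostports(records, "_ldap._tcp", domain)]
```

Looking up a `_http._tcp` name in the same data returns nothing, which is exactly the gap Petr describes for the HTTPS endpoint.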