[Freeipa-users] Server Ports

Justin Brown justin.brown at fandingo.org
Thu Apr 3 07:46:32 UTC 2014


Petr,

I'll try another replica for testing tomorrow, and unfortunately the
logs were purged when I reinstalled. The error message was not helpful
and said something along the lines of CA installation failed, but did
not list any reason. I'll get you the exact message tomorrow. I'll
also try some more network tests as I have all of the ports that you
listed plus some additional Dogtag ports, which I've come to
understand are now proxied through 7389.

> Patches are welcome :-)

Yes, you've got me. ;) I'll review the Firewalld packaging in more
detail and try to come up with a workable solution. It's not currently
possible to do meta-services in firewalld, and I'm sure the FreeIPA
developers don't want a hard dependency on firewalld via a
hypothetical freeipa-server-firewalld dependency. I'm sure some
solution is possible -- maybe even just in the documentation.

Thanks,
Justin

On Thu, Apr 3, 2014 at 2:25 AM, Petr Spacek <pspacek at redhat.com> wrote:
> On 3.4.2014 07:55, Justin Brown wrote:
>>
>> I'm having some trouble determining which ports my servers need open
>> to communicate and what ports client servers and users will need. The
>> last documentation that I was able to find was included in Fedora 15
>>
>> (http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/installing-ipa.html).
>
> http://www.freeipa.org/page/Documentation
> is the ultimate source of documentation.
>
> Latest documentation build is on
> http://www.freeipa.org/docs/master/html-desktop/index.html
>
>
>> I opened those ports with firewalld, but I encountered errors when
>> joining my replica server. (I retried the replica install with
>> firewalld, and it succeeded, so it's clearly a problem with the
>> firewall settings.)
>>
>> I'm joining the wave of the future, so please excuse the firewalld
>> XML, but it should be pretty obvious. All of the services are built
>> into firewalld, except "dogtag", which I made myself and is defined at
>> the end.
>
>
> ipa-replica-conncheck utility should tell you what is missing.
>
>
>> On a side note, it would be nice if the firewalld packagers included a
>> freeipa-server service (nudge nudge).
>
>
> Patches are welcome :-)
>
> --
> Petr^2 Spacek



