[Freeipa-users] install IPA replica multi-hosts (ipa packages version 3.3.3-18)
Dmitri Pal
dpal at redhat.com
Fri Mar 7 15:57:21 UTC 2014
On 03/07/2014 10:29 AM, artjazz at free.fr wrote:
> Quoting Petr Spacek <pspacek at redhat.com>:
>
>> On 7.3.2014 14:16, artjazz at free.fr wrote:
>>> I want to install ipa server with a replica. The replica has 2 NICs: the ipa
>>> server is connected on the first interface and all the clients are connected on
>>> the second interface. The two networks are completely separated, 2 subnets and
>>> not routed.
>> I'm curious - what is the reasoning behind this? :-)
> The goal is to separate the administration flux and the userland flux.
>
The problem is that it is not that clean.
One server can connect to another on different ports and using different
protocols for different purposes. And a client can actually be a proxy
that does some admin tasks via LDAP or executes remote administrative
commands.
I think maybe it is better to explore FW rules.
For example, create a FW rule that would allow only Kerberos and LDAP
connections from a set of hosts that would be clients. Hm, but that again
would prevent you from enrolling new systems, since
ipa-client-install connects to IPA via the admin interface during the
enrollment stage.
Maybe there is some magic that can be done using DNS zones, but I am not
sure...
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.