[Freeipa-users] install IPA replica multi-hosts (ipa packages version 3.3.3-18)

Petr Spacek pspacek at redhat.com
Mon Mar 10 08:11:23 UTC 2014


On 7.3.2014 16:57, Dmitri Pal wrote:
> On 03/07/2014 10:29 AM, artjazz at free.fr wrote:
>> Selon Petr Spacek<pspacek at redhat.com>:
>>
>>> On 7.3.2014 14:16, artjazz at free.fr wrote:
>>>> I want to install ipa server with a replica. The replica has 2 NICs : the
>>>> ipa server is connected on the first interface and all the clients are
>>>> connected on the second interface. The two networks are completely
>>>> separated, 2 subnets and not routed.
>>> I'm curious - what is the reasoning behind this? :-)
>> The goal is to separate the administration flux and the userland flux.
>>
> The problem is that it is not that clean.
> One server can connect to another on different ports and using different
> protocols for different purposes. And a client can actually be a proxy that does
> some admin tasks via LDAP or executes remote administrative commands.
>
> I think maybe it is better to explore FW rules.
> For example, create a FW rule that would allow only Kerberos and LDAP
> connections from a set of hosts that would be clients. Hm, but that again would
> prevent you from enrolling new systems, since ipa-client-install connects
> to IPA via the admin interface during the enrollment stage.
>
> Maybe there is some magic that can be done using DNS zones, but I am not sure...

Let me summarize this thread to:
Sorry, this is not supported.

It becomes extremely complex very quickly and we don't have the manpower to
maintain support for this kind of scenario.

Ideas and patches are welcome! :-)

-- 
Petr^2 Spacek