[Freeipa-users] where to disable components?
Petr Spacek
pspacek at redhat.com
Wed Apr 1 07:41:56 UTC 2015
On 1.4.2015 04:47, Rob Crittenden wrote:
> Janelle wrote:
>> Hello again...
>>
>> Looking around, but probably just not in the right place. I would like
>> to be able to disable httpd on all but a pair of servers, so we kind of
>> force all updates to come from a "master" and "slave" pair. Just trying
>> to keep updates defined to 2 servers rather than all of them in an 8
>> server configuration.
>>
>> Where might I find that? Or is it possible? Will it break anything?
>>
>> thank you
>> ~J
>>
>
> Not sure the complete reasoning behind that but...
>
> The safest route would be to just firewall ports 80 and 443 off. There
> is a way to tell ipactl to not start a service but I haven't thought
> through the implications.
>
> The CA interfaces on those machines will also be inaccessible.
Please keep in mind that this will not prevent users from making changes via
LDAP or kpasswd protocol. E.g. password changes will be still possible, this
only hides the web interface and API.
Such configuration is not tested. Here be dragons.
--
Petr^2 Spacek
More information about the Freeipa-users
mailing list