[Freeipa-users] IPA Server Web UI multiple network access

Martin Basti mbasti at redhat.com
Fri Apr 29 15:45:01 UTC 2016



On 29.04.2016 15:34, GOLDBERG, RUSSELL J GG-12 USAF ACC 453 EWS/EWP wrote:
> I'm attempting to figure out if it's possible to configure IPA's web UI in such a way that it can be accessed from both a private and a public network infrastructure.
>
> I've installed IPA server (version 3.0.0) on a RHEL 6.7 host (ipa.dev.internal) and configured an IPA domain (dev.internal). Our client machines reside on a separate domain (dev.external) and network, which the IPA server is additionally connected to.
>
> From hosts on the internal network (10.1.0.0/16), I am able to access the IPA web UI without issue, as expected.
>
> From hosts on the external network (192.168.1.0/24), I was initially presented with a blank screen when attempting to access the web UI.
>
> I attempted to disable the httpd rewrite rules located in /etc/httpd/conf.d/ipa-rewrite.conf and restarted the httpd server: this allowed me to see the login page, but immediately presented me with a web app error dialog.
>
> Lastly, I attempted to modify the ipa-rewrite.conf, replacing all instances of the initial FQDN (ipa.dev.internal) with the public FQDN (ipa.dev.external): this allowed me to see the login page and even to successfully submit login credentials. However, upon entering valid login credentials I am immediately redirected back to the login page in an infinite redirect loop.
>
> Are there any glaring oversights I'm making? I imagine that the problem ultimately lies with Kerberos (and possibly my external client's HTTP referrer), but admittedly I lack expertise in that area.
>
> Any help in getting this issue solved would be greatly appreciated.
>
> Thanks,
>
> Russell
>
>
>
I'm not sure if this is possible to do safely. Please read the following links,
they may help; I'm not an expert in this area.
https://ssimo.org/blog/id_019.html
https://www.redhat.com/archives/freeipa-users/2015-May/msg00026.html

Martin





