[Freeipa-users] IPA Ldap only as Client on different IPA server

Rob Crittenden rcritten at redhat.com
Sun Apr 9 02:09:57 UTC 2017


Matt . wrote:
> The issue you get here is that the IPA client is not enrolled anymore
> when you did an uninstall of the client before the IPA install on that
> "previous" client which needs to be client again after the IPA install
> on it.
> 
> This sounds messy but could be ideal for some situations of user access
> on systems.

Installing an IPA master configures it as a client for that master,
there is no way around it.

You can't (or shouldn't) mix and match discrete IPA installations.
Eventually there will be intra-IPA trust which will do what I think
you are looking for.

rob

> 
> 2017-04-07 23:24 GMT+02:00 Rob Crittenden <rcritten at redhat.com>:
>> Matt . wrote:
>>> Nope, I provision my servers and they are added to my FreeIPA
>>> environment which auths my sysadmins. But on a server I provisioned
>>> I need to install FreeIPA as well, but without dns and ca, so it's
>>> doing ldap only actually.
>>>
>>> When I want to install FreeIPA server on this IPA client it tells me
>>> (which is logical):
>>>
>>> ipa.ipapython.install.cli.install_tool(Server): ERROR    IPA client is
>>> already configured on this system.
>>> Please uninstall it before configuring the IPA server, using
>>> 'ipa-client-install --uninstall'
>>>
>>> So what I want to do is install FreeIPA server on it but using local
>>> system accounts to be auth against the former IPA server the client
>>> was assigned to.
>>>
>>> So:
>>>
>>> IPA01 gets a host which is LDAP01 but LDAP01 needs to be installed
>>> with FreeIPA (no dns and CA) as well but I want to have local
>>> sysaccounts that login to cli and such auth against IPA01 after it's
>>> installed with FreeIPA and the client config for sssd is not there
>>> anymore because of the 'ipa-client-install --uninstall'
>>
>> Still very confusing. LDAP has nothing to do with this. IPA is always at
>> least LDAP + Kerberos + Apache + a few other minor services. So it's
>> better to just say no DNS and no CA, though that isn't really relevant
>> since those are always optional.
>>
>> It sounds like what you want to do is, on the same box, install IPA
>> server and configure the local machine to point to a DIFFERENT IPA
>> server for user/group lookups?
>>
>> You might be able to do it via sssd but it would be an unsupportable
>> nightmare.
>>
>> rob
>>
>>>
>>> 2017-04-07 23:11 GMT+02:00 Rob Crittenden <rcritten at redhat.com>:
>>>> Matt . wrote:
>>>>> When I have a full ipa setup and I want to add a host to it that is
>>>>> installed or needs to be installed as IPA LDAP server only, is that
>>>>> possible?
>>>>
>>>> If you're asking if only 389-ds can be configured on an IPA server, no,
>>>> not using any IPA tools in any case.
>>>>
>>>>> Of course the ipa-server-install complains that the agent is already
>>>>> configured on the host but there might be a way? Or just copy the
>>>>> config back faster the IPA LDAP only server is installed?
>>>>
>>>> I don't understand. Seeing the error message and commands might help.
>>>>
>>>> rob
>>>>
>>