[Freeipa-users] IPA Ldap only as Client on different IPA server

Matt . yamakasi.014 at gmail.com
Sun Apr 9 10:42:46 UTC 2017


Hi Rob,

As you say, I figured out the same indeed and tested to see what
happens; no way around it (also cert stuff and so on). It would have
been a workaround for... I'm looking forward to some intra-IPA trust
in the future, would be awesome!

Thanks!



2017-04-09 4:09 GMT+02:00 Rob Crittenden <rcritten at redhat.com>:
> Matt . wrote:
>> The issue you get here is that the IPA client is not enrolled anymore
>> when you did an uninstall of the client before the IPA install on that
>> "previous" client which needs to be client again after the IPA install
>> on it.
>>
>> This sounds messy but could be ideal for some situations of user access
>> on systems.
>
> Installing an IPA master configures it as a client for that master,
> there is no way around it.
>
> You can't (or shouldn't) mix and match discrete IPA installations.
> Eventually there will be intra-IPA trust which will do what I think
> you are looking for.
>
> rob
>
>>
>> 2017-04-07 23:24 GMT+02:00 Rob Crittenden <rcritten at redhat.com>:
>>> Matt . wrote:
>>>> Nope, I provision my servers and they are added to my FreeIPA
>>>> environment which auths my sysadmins. But on a server I provisioned
>>>> I need to install FreeIPA as well, but without DNS and CA, so it's
>>>> doing LDAP only actually.
>>>>
>>>> When I want to install FreeIPA server on this IPA client it tells me
>>>> (which is logical):
>>>>
>>>> ipa.ipapython.install.cli.install_tool(Server): ERROR    IPA client is
>>>> already configured on this system.
>>>> Please uninstall it before configuring the IPA server, using
>>>> 'ipa-client-install --uninstall'
>>>>
>>>> So what I want to do is install FreeIPA server on it but using local
>>>> system accounts to be auth against the former IPA server the client
>>>> was assigned to.
>>>>
>>>> So:
>>>>
>>>> IPA01 gets a host which is LDAP01, but LDAP01 needs to be installed
>>>> with FreeIPA (no DNS and CA) as well, and I want to have local
>>>> sysaccounts that log in to the CLI and such auth against IPA01 after it's
>>>> installed with FreeIPA and the client config for sssd is not there
>>>> anymore because of the 'ipa-client-install --uninstall'.
>>>
>>> Still very confusing. LDAP has nothing to do with this. IPA is always at
>>> least LDAP + Kerberos + Apache + a few other minor services. So it's
>>> better to just say no DNS and no CA, though that isn't really relevant
>>> since those are always optional.
>>>
>>> It sounds like what you want to do is, on the same box, install IPA
>>> server and configure the local machine to point to a DIFFERENT IPA
>>> server for user/group lookups?
>>>
>>> You might be able to do it via sssd but it would be an unsupportable
>>> nightmare.
>>>
>>> rob
>>>
>>>>
>>>> 2017-04-07 23:11 GMT+02:00 Rob Crittenden <rcritten at redhat.com>:
>>>>> Matt . wrote:
>>>>>> When I have a full IPA setup and I want to add a host to it that is
>>>>>> installed or needs to be installed as IPA LDAP server only, is that
>>>>>> possible?
>>>>>
>>>>> If you're asking if only 389-ds can be configured on an IPA server, no,
>>>>> not using any IPA tools in any case.
>>>>>
>>>>>> Of course ipa-server-install complains that the agent is already
>>>>>> configured on the host, but there might be a way? Or just copy the
>>>>>> config back after the IPA LDAP only server is installed?
>>>>>
>>>>> I don't understand. Seeing the error message and commands might help.
>>>>>
>>>>> rob