I am working on ticket #1107 and I am looking for some ideas hot to deal
with it.

The problem is that when we are installing a replica and have firewall
on, the installation may fail or (even worse) hang. There question is
how to deal with this situation since we cannot test if the ports are
not blocked locally. It must be done from the remote master.

I discussed this with Rob and I see two solutions here:

1) Don't complicate this and limit our user handholding (my favorite) -
just tell him what ports he should open before proceeding with the
installation. If he doesn't, the installation will fail later. The
problem is when the installation hangs - its hard to detect. This is the
easy way.

2) Implement and register a mod_wsgi application on a master server and
let it test remotely if the ports on the replica are open. We would have
to open and listen them in ipa-replica-install as we cannot tell if port
is not-yet-opened or firewalled just from the network error code. If the
application would report a firewalled port, we would throw an error in
the ipa-replica-install.

However, as Rob pointed out, it would open a possible security hole as
we would basically behave as port scanner.

Any opinions, suggestions, ideas on this?


Freeipa-devel mailing list

Reply via email to