Turned out to be webservice getting reconfigured out from under me.  We
didn't know that the management interface website was necessary for the
command-line management tools.
This raises a couple more questions:
1) Is the free-ipa website needed only for management (i.e.: changes) to
the IPA (e.g.: user additions, password changes, service deletions,
etc.), or is it required for the fundamental workings of authentication
-- we think this unlikely as this should be handled by kerberos/ldap,
etc., and we were able to auth while the website was down.

Apache provides a vehicle for getting to the TurboGears UI (via mod_proxy) and for the XML-RPC API used by the command-line. It isn't used for authentication/authorization.

Understood. This is as expected.

2) What is the simplest way to configure the free-ipa website for
command-line only usage -- is there a stand-alone daemon we can run for
the free-ipa command-line utilities to work so we need not worry about
free-ipa in our apache configs?

It only runs from within Apache right now and there are no plans to do otherwise. We have all of the IPA configuration centralized in two files: ipa.conf and ipa-rewrite.conf, if that helps.

Unfortunately it's not that simple, as configuration bleeds over, but this is not your problem -- or, at least, you do not intend to provide the means for non-apache/CLI only administration of Free-IPA. I don't necessarily blame you, but it sure would be nice if we could nix apache from the mix. :D

3) It is worthy of mention that we do have redundant configuration
between two servers, and will need them to be able to propogate changes
across -- is the free-ipa website in any way related to this, or is this
entirely handled by internal kerberos/ldap faculties?

Data (users, groups, etc) replication is handled by 389-ds.

Understood. This, too, is as expected.

Per-service configuration is generally done on a per-box basis. We don't have integration with a configuration management system like puppet to keep configuration files in sync, if that is what you are asking.

No, you answered the question above. I only care about the internal configuration/state of free-ipa for the purpose of this inquiry. It appears that free-ipa [correctly] stores all it's data in kerberos/ldap, and that free-ipa itself is used only to maintain that kerberos/ldap stored data. Well, with the possible exception of adding/removing servers to the free-ipa management cluster.

Thank you for your prompt attention to this matter.

Freeipa-users mailing list

Reply via email to