Oliver Burtchen wrote:
> Hi Rob,
> thanks for the answer. I know about the external CA-cert possibility of
> ipa-server-install. But it does not do what I want.
> I did set up a dogtag CA and a fedora-ds (389). It would be nice if freeipa
> could just use them. I find it a little bit inconsistent that dogtag tries to
> be a central service, and freeipa claims to be the same, setting up a new one.
> BTW: Freeipa setup tells me that it should be the only 389 instance, and
> exits gracefully. Well, my dogtag and bind setup with 389 backend works quite
> well, I just want freeipa to use them.
> Is there a possibility to set up freeipa this way? Thanks for the all-in-one
> setup, but it means I cannot run another ldap (389) server (instance) on a
> machine where freeipa is running. Is this right?
The whole point of freeIPA is to make things simple for less
sophisticated setups than you have.
I am not sure something like what you are asking is possible with
freeIPA but I will defer to Rob to confirm.
I think you would have to effectively redo the freeIPA installer to make
things work the way you need.
There is no contradiction between what you observe. FreeIPA is, in the
long term, coming as a replacement for the stand-alone CA, DS, KDC, DNS, etc.
This is the vision.
And as far as I remember you are maintaining a separate instance of the CA
just because of the lack of functionality in the upstream CA.
I remember seeing some thread about it on the Dogtag list. For us it
would be a higher priority to address your original issue that causes
you to maintain a separate instance rather than move freeIPA into the
direction of supporting external instances.
Can you give me a summary of the issues that force you to maintain a
I will see what can be done about it.
> Best regards,
> On Friday, 9 April 2010 23:42:54, Rob Crittenden wrote:
>> Oliver Burtchen wrote:
>>> Hi @all,
>>> is it possible to use an already configured and running dogtag instance
>>> for freeipa V2 in the installation process? I would like to give
>>> ipa-server-install just the params for the dogtag instance/server to
>>> use, and skip its own creation process (pkisilence ...).
>>> Or are there arguments for an extra CA used by freeipa?
>>> Background: I customized dogtag for my needs (using SHA256, default to 10
>>> year validity of ca-SigningCert, organization and location defaults, etc.).
>>> Best regards,
>> Probably the best way to do it would be to use the external CA install
>> option (--external-ca). This is a two-step installation process. The
>> first step generates a CSR for the IPA CA. You take this CSR to your
>> existing CA and issue a subordinate CA certificate that will be used by
>> IPA. Then you continue the IPA installation and it sets up a separate
>> dogtag instance with this subordinate CA.
>> It might be possible to wedge an existing dogtag install into IPA in
>> another way, but I haven't yet tried it.
Engineering Manager IPA project,
Red Hat Inc.
Freeipa-users mailing list
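The hand-off Rob describes for the --external-ca install (IPA emits a CSR, the existing CA issues a subordinate CA certificate, the cert goes back into the second install step) can be rehearsed offline with openssl. The script below is an added example written for this thread, not code from the FreeIPA project or from either poster: the self-signed "Existing Root CA" stands in for the reader's Dogtag instance, the CSR it signs stands in for the one ipa-server-install writes, and the subject names, the pathlen:0 constraint and the working directory are assumptions chosen for the demo. The point it adds is the check before the cert is fed back in: the result must chain to the root and must actually carry CA:TRUE, otherwise the IPA CA receives a leaf certificate and cannot issue anything.

```shell
#!/bin/sh
# Constructed demo of the external-CA hand-off: CSR -> subordinate CA cert -> checks.
# Assumed stand-ins: "Existing Root CA" for the operator's Dogtag CA, ipa.csr for
# the CSR ipa-server-install --external-ca produces. Not FreeIPA project code.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Step 0 (assumption for the demo): the operator's existing CA, self-signed here.
make_existing_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/O=EXAMPLE/CN=Existing Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1
}

# Step 1: the IPA-side CSR (the first --external-ca install step produces one like it).
make_ipa_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=EXAMPLE/CN=IPA Certificate Authority" \
        -keyout "$WORK/ipa.key" -out "$WORK/ipa.csr" >/dev/null 2>&1
}

# Step 2: the existing CA issues a *subordinate CA* certificate. The v3 extensions are
# the security-relevant part: without CA:TRUE the IPA CA gets a leaf cert and cannot
# sign. pathlen:0 (an assumption) stops the sub-CA from issuing further CAs.
issue_sub_ca() {
    cat > "$WORK/subca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
EOF
    openssl x509 -req -in "$WORK/ipa.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 3650 -sha256 -extfile "$WORK/subca.ext" \
        -out "$WORK/ipa-subca.crt" >/dev/null 2>&1
}

# Checks to run before continuing the install with the issued cert: it chains to the
# root it will be trusted under, and it really is a CA certificate. Prints ok/fail.
verify_sub_ca() {
    openssl verify -CAfile "$WORK/root.crt" "$WORK/ipa-subca.crt" >/dev/null 2>&1 \
        || { echo fail; return; }
    openssl x509 -in "$WORK/ipa-subca.crt" -noout -text 2>/dev/null \
        | grep -q 'CA:TRUE' || { echo fail; return; }
    echo ok
}

# Whole hand-off; prints "ok" when the issued cert passes both checks.
run_demo() {
    make_existing_ca && make_ipa_csr && issue_sub_ca && verify_sub_ca
}
```

Run it with `sh external-ca-demo.sh && run_demo` after sourcing, or call `run_demo` from the bottom of the file; `WORK` can be pointed at a directory you want to inspect afterwards. The same two checks apply unchanged to a certificate issued by a real Dogtag instance: `openssl verify` against the issuing chain, and a look at basicConstraints before the second install step.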