Oliver Burtchen wrote:
> Hi Rob,
>
> thanks for the answer. I know about the external CA cert possibility of
> ipa-server-install. But it does not do what I want.
>
> I did set up a dogtag CA and a fedora-ds (389). It would be nice if freeipa
> could just use them. I find it a little bit inconsistent that dogtag tries to
> be a central service, and freeipa claims to be the same, setting up a new one.
>
> BTW: Freeipa setup tells me that it should be the only 389 instance, and
> exits gracefully. Well, my dogtag and bind setup with 389 backend works quite
> well, I just want freeipa to use them.
>
> Is there a possibility to set up freeipa this way? Thanks for the all-in-one
> setup, but it means I cannot run another ldap (389) server (instance) on a
> machine where freeipa is running. Is this right?
>

The whole point of freeIPA is to make things simple for less sophisticated setups than you have. I am not sure something like what you are asking is possible with freeIPA, but I will defer to Rob to confirm. I think you would have to effectively redo the freeIPA installer to make things work the way you need.

There is no contradiction between what you observe. FreeIPA is, in the long term, coming as a replacement of just stand-alone CA, DS, KDC, DNS etc. This is the vision.

And as far as I remember, you are maintaining a separate instance of CA just because of the lack of functionality in the upstream CA. I remember seeing some thread about it on the Dogtag list. For us it would be a higher priority to address your original issue that causes you to maintain a separate instance rather than move freeIPA in the direction of supporting external instances. Can you give me a summary of the issues that force you to maintain a separate instance? I will see what can be done about it.

Thanks
Dmitri

> Best regards,
> Oli
>
>
> Am Freitag, 9. April 2010 23:42:54 schrieb Rob Crittenden:
>
>> Oliver Burtchen wrote:
>>
>>> Hi @all,
>>>
>>> is it possible to use an already configured and running dogtag instance
>>> for freeipa V2 in the installation process? I would like to give
>>> ipa-server-install just the params for the dogtag instance/server to
>>> use, and skip its own creation process (pkisilence ...).
>>>
>>> Or are there arguments for an extra CA used by freeipa?
>>>
>>> Background: I customized dogtag for my needs (using SHA256, default to 10
>>> year validity of ca-SigningCert, organization and location defaults, etc.).
>>>
>>> Best regards,
>>> Oli
>>>
>> Probably the best way to do it would be to use the external CA install
>> option (--external-ca). This is a two-step installation process. The
>> first step generates a CSR for the IPA CA. You take this CSR to your
>> existing CA and issue a subordinate CA certificate that will be used by
>> IPA. Then you continue the IPA installation and it sets up a separate
>> dogtag instance with this subordinate CA.
>>
>> It might be possible to wedge in an existing dogtag install into IPA in
>> another way but I haven't yet tried it.
>>
>> rob
>>
>

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
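The two-step `--external-ca` install Rob describes has one point where things commonly go wrong: the certificate the external CA hands back is not actually usable as a subordinate CA certificate (wrong key, CA:FALSE, or it does not chain to the root you will give the installer). The script below is an added example, not from this thread or from the FreeIPA project, that checks those three properties with the `openssl` CLI before you continue the installation. All file names (`ipa.csr`, `subca.pem`, `root.pem`) are placeholders for whatever the installer wrote and your CA returned; the second-step installer options differ between FreeIPA versions and are not shown. The `make_demo_pki` function builds a throwaway test PKI so the check can be exercised offline; it is constructed fixture data, not real IPA material.

```shell
#!/bin/sh
# Added example (not FreeIPA code): validate the subordinate CA certificate
# returned by an external CA for the CSR that `ipa-server-install --external-ca`
# generated, before running the second installation step.
# Assumes the openssl CLI is installed. All paths are placeholders.

# Usage: check_subca_cert CERT.pem CSR.pem ROOT.pem
# Returns 0 only when all three checks pass; reports the failing check on stderr.
check_subca_cert() {
    cert="$1"; csr="$2"; root="$3"

    # 1. The certificate must carry the public key from the CSR; otherwise the
    #    CA signed a different request and IPA cannot pair it with its key.
    csr_pub=$(openssl req -in "$csr" -noout -pubkey) || return 1
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    if [ "$csr_pub" != "$cert_pub" ]; then
        echo "FAIL: certificate public key does not match the CSR" >&2
        return 1
    fi

    # 2. It must be a CA certificate (basicConstraints CA:TRUE) allowed to
    #    sign certificates, or the IPA CA will be unable to issue anything.
    text=$(openssl x509 -in "$cert" -noout -text) || return 1
    case "$text" in
        *"CA:TRUE"*) ;;
        *) echo "FAIL: basicConstraints is not CA:TRUE" >&2; return 1 ;;
    esac
    case "$text" in
        *"Certificate Sign"*) ;;
        *) echo "FAIL: keyUsage lacks keyCertSign" >&2; return 1 ;;
    esac

    # 3. It must verify against the external root you will hand to the installer.
    if ! openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1; then
        echo "FAIL: certificate does not verify against $root" >&2
        return 1
    fi
    echo "OK: $cert is a subordinate CA certificate matching $csr"
}

# Constructed demo PKI (test fixture): a throwaway root, a CSR standing in
# for the one ipa-server-install writes, and two certificates issued for it:
# a proper sub-CA certificate and an end-entity one that must be rejected.
make_demo_pki() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo External Root" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" \
        -keyout "$dir/ipa.key" -out "$dir/ipa.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' > "$dir/ee.ext"
    openssl x509 -req -in "$dir/ipa.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 1 -extfile "$dir/ca.ext" -out "$dir/subca.pem" 2>/dev/null
    openssl x509 -req -in "$dir/ipa.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 1 -extfile "$dir/ee.ext" -out "$dir/leaf.pem" 2>/dev/null
}

# Run `sh thisscript.sh demo` to exercise the check against the demo PKI.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_demo_pki "$d"
    check_subca_cert "$d/subca.pem" "$d/ipa.csr" "$d/root.pem"
    check_subca_cert "$d/leaf.pem" "$d/ipa.csr" "$d/root.pem" || echo "(end-entity cert correctly rejected)"
    rm -rf "$d"
fi
```

Against a real deployment you would call `check_subca_cert` with the CSR the first `ipa-server-install --external-ca` step wrote, the certificate your Dogtag instance issued for it, and the root (or chain) you intend to pass to the second step; a failure in check 2 is the typical symptom of having used an end-entity profile instead of a CA profile on the issuing side.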