Oliver Burtchen wrote:
> Hi Rob,
> thanks for the answer. I know about the externel CA-Cert possibility of ipa-
> server- install. But it does not what I want.
> I did setup a dogtag ca and a fedora-ds (389). It would be nice, if freeipa 
> could just use them. I find it a little bit inconsitent that dogtag tries to 
> be 
> a central service, and freeipa claims to be the same, setting up a new one. 
> BTW.: Freeipa setup tells me, that it should be the only 389-instance, and 
> exist gracefully. Well, my dogtag and bind setup with 389-backend works quiet 
> well, i just want freeipa to use them.
> Is there a possibility to setup freeipa this way? Thanks for the all in one 
> setup, but it means I cannot run an other ldap (389) server(-instance) on a 
> machine where freeipa is running. Is this right?

The whole point of freeIPA is to make things simple for less
sophisticated setups than you have.
I am not sure something like what you are asking is possible with
freeIPA but I will defer to Rob to confirm.
I think you would have to effectively redo the freeIPA installer to make
things work the way you need.

There is no contradiction between what you observe. The freeIPA is in a
long term coming as a replacement of just stand alone CA, DS, KDC, DNS etc.
This is the vision.

And as far as I remember you are maintaining a separate instance of CA
just because of the lack functionality in the upstream CA.
I remember seeing some thread about it on the Dogtag list. For us it
would be a higher priority to address your original issue that causes
you to maintain a separate instance rather than move freeIPA into the
direction of supporting external instances.

Can you give a me a summary  of the issues that force you to maintain a
separate instance?
I will see what can be done about it.


> Best regards,
> Oli
> Am Freitag, 9. April 2010 23:42:54 schrieb Rob Crittenden:
>> Oliver Burtchen wrote:
>>> Hi @all,
>>> is it possible to use an already configured und running dogtag-instance
>>> for freeipa V2 in the installation process? I would like to give
>>> ipa-server- install just the params for the dogtag-instance/server to
>>> use, and skip its own creation-process (pkisilence ...).
>>> Or are there arguments for an extra CA used by freeipa?
>>> Background: I customized dogtag for my needs (using SHA256, default to 10
>>> year validity of ca-SigningCert, organization and location defaults, etc.
>>> ).
>>> Best regards,
>>> Oli
>> Probably the best way to do it would be to use the external CA install
>> option (--external-ca). This is a two-step installation process. The
>> first step generates a CSR for the IPA CA. You take this CSR to your
>> existing CA and issue a subordinate CA certificate that will be used by
>> IPA. Then you continue the IPA Installation and it sets up a separate
>> dogtag instance with this subordinate CA.
>> It might be possible to wedge in an existing dogtag install into IPA in
>> another way but I haven't yet tried it.
>> rob

Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

Looking to carve out IT costs?

Freeipa-users mailing list

Reply via email to