On 27.9.2013 07:23, Chandan Kumar wrote:
Hi Rob,

Thanks for the info. Sure, I will create the ticket and will certainly try
to pick the low-hanging fruit :-)


--
http://about.me/chandank


On Thu, Sep 26, 2013 at 7:51 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

Chandan Kumar wrote:

Hello,

I have a basic configuration question, my apologies if it has already been
discussed.

I have ipa-server-3 server installed with default parameters with
replication.

We have Linux machines across different geo locations and I would like to
integrate them into the IPA server; however, I don't want external clients
to connect to the server on the standard ports.

For example, during ipa-client registration it requires all IPA services
to be running on default port.

Such as: trying https://ipa01.my.net/ipa/xml

kdc = ipa01.my.net:88
master_kdc = ipa01.my.net:88
admin_server = ipa01.my.net:749


Is there any way in ipa-client-install or the sssd file to instruct the IPA
client to connect to the IPA server on non-standard ports, such as

trying https://ipa01.my.net:8080/ipa/xml

This way I don't have to allocate a separate IP or an additional web server
to redirect the requests; a simple NAT at the firewall will do, such as
external 8080 -> internal 443


Currently there is no way to do this. I'd have sworn we had a ticket to
add this but a quick search didn't turn it up. If you'd like this supported,
feel free to open a ticket at
https://fedorahosted.org/freeipa/newticket

I don't think this would be tremendously difficult to do; the trick would
be communicating the port to clients somehow while they are trying to
enroll. A command-line option would probably be the shortest path.

This may be decent low-hanging fruit if you're interested in being a
contributor to IPA.

Speaking specifically about Kerberos, LDAP and NTP - it should be possible to change the port number in the SRV records in DNS and that is it. I'm not sure if client libraries really support this, but you can try it.

HTTP and HTTPS will be more problematic because there are no SRV records for them.

--
Petr^2 Spacek
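To illustrate Petr's point, here is an added example (not code from the thread or from FreeIPA): a small Python model of RFC 2782 SRV selection showing how a client that honours SRV records would pick up non-standard Kerberos, LDAP and NTP ports from DNS, while HTTPS falls back to its default port because no SRV record is published for it. The zone contents and the ports 8088, 8389 and 8123 are constructed placeholders, not FreeIPA defaults.

```python
import random
from typing import NamedTuple


class SRV(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


# Constructed zone for my.net. Ports 8088/8389/8123 are illustrative
# non-standard choices, not FreeIPA defaults. There is deliberately no
# _https._tcp record: IPA's web endpoints are not SRV-discoverable.
ZONE = {
    "_kerberos._udp.my.net.": [SRV(0, 100, 8088, "ipa01.my.net."),
                               SRV(10, 100, 8088, "ipa02.my.net.")],
    "_ldap._tcp.my.net.": [SRV(0, 100, 8389, "ipa01.my.net.")],
    "_ntp._udp.my.net.": [SRV(0, 100, 8123, "ipa01.my.net.")],
}

# Well-known ports a client uses when DNS offers no SRV record.
DEFAULT_PORTS = {("kerberos", "udp"): 88, ("ldap", "tcp"): 389,
                 ("ntp", "udp"): 123, ("https", "tcp"): 443}


def lookup_srv(zone, service, proto, domain):
    """Return the SRV RRset for _service._proto.domain (empty if none)."""
    return list(zone.get(f"_{service}._{proto}.{domain}.", []))


def select_target(records, rng=random):
    """Lowest priority wins; ties are broken by weighted random choice."""
    if not records:
        return None
    lowest = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == lowest]
    total = sum(r.weight for r in candidates)
    if total == 0:
        return rng.choice(candidates)
    pick = rng.randint(0, total - 1)
    for rec in candidates:
        pick -= rec.weight
        if pick < 0:
            return rec


def discover(zone, service, proto, domain, fallback_host):
    """Return (host, port, via_srv); use the default port when no SRV exists."""
    chosen = select_target(lookup_srv(zone, service, proto, domain))
    if chosen is None:
        return fallback_host, DEFAULT_PORTS[(service, proto)], False
    return chosen.target.rstrip("."), chosen.port, True
```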

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
