Thanks Rob.

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: Thursday, 19 December 2013 12:08 PM
To: Les Stott; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Question: re replica install

Les Stott wrote:
> Hi All,
>
> (RHEL 6.4, FreeIPA 3.0.0-37)
>
> Say I want to install a replica server in a restricted network, but I 
> don't want to enable http management on the replica.
>
> I am pretty sure the following is true, but ask the question just to 
> be sure....
>
> Can a replica work (for authentication and replication) without http?
>
> I can't see a switch on ipa-replica-install to not setup http, so I 
> imagine if the above was possible I could...
>
> 1. Install the replica
>
> 2. Let it configure http
>
> 3. Turn off http

You'd probably run into weird corner-case problems, and how DNS is configured 
might work around some of them, until it doesn't.

I think the most likely pain points would be the ipa tool and certmonger.

certmonger will use the IPA configured in /etc/ipa/default.conf, so as long as 
you ensure that points to one of the other masters you'll probably be ok.

But that is only on the clients. On the master itself renewal of the IPA server 
certs will likely fail.

The ipa tool, which by default also uses default.conf, will fail over to other 
masters, but you might notice a delay.

What might be a better idea would be to firewall it rather than shutting down 
the service.

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
