Thanks Rob.

-----Original Message-----
From: Rob Crittenden [] 
Sent: Thursday, 19 December 2013 12:08 PM
To: Les Stott;
Subject: Re: [Freeipa-users] Question: re replica install

Les Stott wrote:
> Hi All,
> (RHEL 6.4, FreeIPA 3.0.0-37)
> Say I want to install a replica server in a restricted network, but I 
> don't want to enable http management on the replica.
> I am pretty sure the following is true, but ask the question just to 
> be sure....
> Can a replica work (for authentication and replication) without http?
> I cant see a switch on ipa-replica-install to not setup http, so I 
> imagine if the above was possible I could...
> 1.Install the replica
> 2.Let it configure http
> 3.Turn off http

You'd probably run into wierd corner-case problems, and how DNS is configured 
might work around some of them, until it doesn't.

I think the most likely pain points would be the ipa tool and certmonger.

certmonger will use the IPA configured in /etc/ipa/default.conf, so as long as 
you ensure that points to one of the other masters you'll probably be ok.

But that is only on the clients. On the master itself renewal of the IPA server 
certs will likely fail.

The ipa tool, which by default also uses default.conf, will fail over to other 
masters, but you might notice a delay.

What might be a better idea would be to firewall it rather than shutting down 
the service.


Freeipa-users mailing list

Reply via email to