From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Thursday, 19 December 2013 12:08 PM
To: Les Stott; firstname.lastname@example.org
Subject: Re: [Freeipa-users] Question: re replica install
Les Stott wrote:
> Hi All,
> (RHEL 6.4, FreeIPA 3.0.0-37)
> Say I want to install a replica server in a restricted network, but I
> don't want to enable http management on the replica.
> I am pretty sure the following is true, but ask the question just to
> be sure....
> Can a replica work (for authentication and replication) without http?
> I can't see a switch on ipa-replica-install to not setup http, so I
> imagine if the above was possible I could...
> 1. Install the replica
> 2. Let it configure http
> 3. Turn off http
You'd probably run into weird corner-case problems, and how DNS is configured
might work around some of them, until it doesn't.
I think the most likely pain points would be the ipa tool and certmonger.
certmonger will use the IPA configured in /etc/ipa/default.conf, so as long as
you ensure that points to one of the other masters you'll probably be ok.
But that is only on the clients. On the master itself renewal of the IPA server
certs will likely fail.
The ipa tool, which by default also uses default.conf, will fail over to other
masters, but you might notice a delay.
What might be a better idea would be to firewall it rather than shutting down
Freeipa-users mailing list
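The reply above hinges on one concrete precondition: on every host that will keep talking to IPA, /etc/ipa/default.conf must name a master whose HTTP service is still reachable, not the replica whose httpd is going to be blocked or stopped, because both certmonger and the ipa tool read that file to find their server. The following is an added example, not code from the thread or from the FreeIPA project: a small POSIX shell check that reads a default.conf-style file and refuses if its server or xmlrpc_uri points at a replica listed as restricted. The config text, hostnames and the list of restricted replicas are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): verify that an
# /etc/ipa/default.conf-style config does not point certmonger / the ipa
# tool at a replica whose HTTP service is firewalled or shut down.

# Constructed sample config; hostnames are placeholders, not real masters.
SAMPLE_CONF='[global]
host = client.example.test
basedn = dc=example,dc=test
realm = EXAMPLE.TEST
domain = example.test
server = ipa1.example.test
xmlrpc_uri = https://ipa1.example.test/ipa/xml
'

# Print the value of KEY from ini-style text on stdin (first match wins).
ipa_conf_get() {
    key="$1"
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# check_default_conf CONF_TEXT "host1 host2 ..."
# Returns 0 when neither `server` nor the host in `xmlrpc_uri` is one of the
# restricted replicas; returns 1 (with a warning on stderr) otherwise.
check_default_conf() {
    conf="$1"        # config text (in practice: $(cat /etc/ipa/default.conf))
    restricted="$2"  # space-separated hostnames whose HTTP is unreachable
    server=$(printf '%s\n' "$conf" | ipa_conf_get server)
    uri=$(printf '%s\n' "$conf" | ipa_conf_get xmlrpc_uri)
    # Strip scheme and path from the URI to get the bare hostname.
    uri_host=$(printf '%s\n' "$uri" | sed -n 's#^https\{0,1\}://\([^/]*\).*#\1#p')
    for r in $restricted; do
        if [ "$server" = "$r" ] || [ "$uri_host" = "$r" ]; then
            echo "WARNING: default.conf points at restricted replica $r" >&2
            return 1
        fi
    done
    echo "OK: server=$server xmlrpc_uri host=$uri_host"
    return 0
}

# Usage: the sample config names ipa1, and ipa2 is the restricted replica.
check_default_conf "$SAMPLE_CONF" "ipa2.example.test"
```

Run it on the replica itself and on each client before blocking HTTP; a non-zero exit is the cue to repoint `server`/`xmlrpc_uri` at another master first. It only covers the client-side pain point Rob describes; it does nothing about renewal of the replica's own server certificates, which the reply says will likely fail regardless.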