On 03/07/2014 10:29 AM, artj...@free.fr wrote:
Selon Petr Spacek<pspa...@redhat.com>:
> On 7.3.2014 14:16,artj...@free.fr wrote:
> > I want to install ipa server with a replica. The replica has 2 NICs : the
> ipa
> > server is connected on the first interface and all the clients are
> connected on
> > the second interface. The two networks are completely separated, 2 subnets
> and
> > not routed.
> I'm curious - what is the reasoning behind this?:-)
The goal is to separate the administration flux and the userland flux.
The problem is that it is not that clean.
One server can connect to another on different ports and using different
protocols for different purposes. And client can actually be a proxy
that does some admin tasks via LDAP or executes remote administrative
commands.
I think may be it is better to explore FW rules.
For example create a FW rule that would allow only Kerberos and LDAP
connections from a set of hosts that would be clients. Hm but that again
would prevent you from enrolling new systems since the
ipa-client-install connects to IPA via admin interface during the
enrollment stage.
May be there is some magic that can be done using DNS zones but I am not
sure...
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
