On 03/07/2014 10:29 AM, artj...@free.fr wrote:
Selon Petr Spacek<pspa...@redhat.com>:

>  On 7.3.2014 14:16,artj...@free.fr  wrote:
>  >  I want to install ipa server with a replica. The replica has 2 NICs : the
>  ipa
>  >  server is connected on the first interface and all the clients are
>  connected on
>  >  the second interface. The two networks are completely separated, 2 subnets
>  and
>  >  not routed.
>  I'm curious - what is the reasoning behind this?:-)
The goal is to separate the administration flux and the userland flux.

The problem is that it is not that clean.
One server can connect to another on different ports and using different protocols for different purposes. And client can actually be a proxy that does some admin tasks via LDAP or executes remote administrative commands.

I think may be it is better to explore FW rules.
For example create a FW rule that would allow only Kerberos and LDAP connections from a set of hosts that would be clients. Hm but that again would prevent you from enrolling new systems since the ipa-client-install connects to IPA via admin interface during the enrollment stage.

May be there is some magic that can be done using DNS zones but I am not sure...

Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

Looking to carve out IT costs?

Freeipa-users mailing list

Reply via email to