On Fri, Mar 13, 2015 at 4:44 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> The CA-less install was improved in IPA 3.3. It can sorta work in 3.0
> but it will be bumpy. A number of bugs were fixed in
> ipa-server-certinstall, the tool used to replace the IPA certs with
> user-provided certs. Or you can pass in PKCS#12 files during the install
> but the root CA is implicit in that case so you need to be careful in
> creating the file.
> You still need an SSL cert for LDAP as well. SSL is used to bootstrap
> replication when a new master is set up. When that is done the agreement
> is converted to using GSSAPI.
Aha, I was about to ask about this since a CA-less install still requires
dirsrv cert. Thanks.
> The clients (depending on version) will still ask for a host cert on
> install but it is generally treated as a non-fatal error if one isn't
Was also going to ask about this since the v3 CA-less wiki page mentions
the need to obtain host certs but is not very clear about what it was used
> Otherwise it should work, but as Dmitri points out you are limiting
> yourself upgrade-wise. The only migration paths from one version of IPA
> to another is replication, in which case you still wouldn't be able to
> add a CA, or via the LDAP migration routines which only migrate users
> and groups currently.
Not being able to do the upgrade easily will definitely be a showstopper.
Ok, I'm going to go back to attempting to sign the IPA CA with our own,
then, and I'll open a separate thread if that doesn't work. I may just
start from scratch with that.
Thank you Dmitri and Rob for the clear/concise info.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
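The quoted advice above warns that when PKCS#12 files are handed to the installer the root CA is only implicit, so the bundle has to be built carefully. As an added example, not code from this thread or from the FreeIPA project, the POSIX shell script below builds a throwaway test CA and server certificate, produces one PKCS#12 with the issuing CA included (`openssl pkcs12 -export -certfile`) and one without, and reports which bundle actually carries a chain that verifies the server certificate. Every subject name, file name and the password are constructed for the example; nothing here assumes the file names or options that ipa-server-install or ipa-server-certinstall expect, which the thread does not spell out.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): build PKCS#12
# bundles with and without the issuing CA, then check which one carries a chain.
# The PKI, subjects, file names and password below are all constructed here.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found, nothing to do" >&2; exit 0; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
P12PASS='constructed-example-password'

# Constructed test PKI: one private root CA and one server cert it issued.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/CN=Example Private Root CA" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/CN=ipa.example.test" >/dev/null 2>&1
  openssl x509 -req -days 2 -in "$WORK/server.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.pem" >/dev/null 2>&1
}

# Bundle the server key and cert; when a chain file is given, append it with -certfile.
# $1 = output .p12 path, $2 = optional PEM file holding the CA chain
make_p12() {
  if [ -n "${2:-}" ]; then
    openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.pem" \
      -certfile "$2" -passout "pass:$P12PASS" -out "$1"
  else
    openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.pem" \
      -passout "pass:$P12PASS" -out "$1"
  fi
}

# Prints "ok" when the bundle contains CA certificates that verify its own leaf
# certificate, and "missing-chain" when the CA side of the bundle is empty or
# does not verify the leaf. $1 = PKCS#12 path
check_p12_chain() {
  leaf="$WORK/leaf.$$.pem"
  cas="$WORK/cas.$$.pem"
  openssl pkcs12 -in "$1" -passin "pass:$P12PASS" -nokeys -clcerts -out "$leaf" 2>/dev/null
  openssl pkcs12 -in "$1" -passin "pass:$P12PASS" -nokeys -cacerts -out "$cas" 2>/dev/null
  if grep -q 'BEGIN CERTIFICATE' "$cas" \
     && openssl verify -CAfile "$cas" "$leaf" >/dev/null 2>&1; then
    echo ok
  else
    echo missing-chain
  fi
}

# Stand-alone run: build both bundles and show what the check says about each.
make_test_pki
make_p12 "$WORK/nochain.p12"
make_p12 "$WORK/withchain.p12" "$WORK/ca.pem"
echo "without -certfile: $(check_p12_chain "$WORK/nochain.p12")"
echo "with -certfile:    $(check_p12_chain "$WORK/withchain.p12")"
```

The `-cacerts` extraction is the useful part to keep: running it against a bundle you are about to hand to an installer shows immediately whether the issuing CA travelled with the server certificate or was left out, which is the "implicit root CA" trap the reply describes.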