On 1.4.2015 04:47, Rob Crittenden wrote: > Janelle wrote: >> Hello again... >> >> Looking around, but probably just not in the right place. I would like >> to be able to disable httpd on all but a pair of servers, so we kind of >> force all updates to come from a "master" and "slave" pair. Just trying >> to keep updates defined to 2 servers rather than all of them in an 8 >> server configuration. >> >> Where might I find that? Or is it possible? Will it break anything? >> >> thank you >> ~J >> > > Not sure the complete reasoning behind that but... > > The safest route would be to just firewall ports 80 and 443 off. There > is a way to tell ipactl to not start a service but I haven't thought > through the implications. > > The CA interfaces on those machines will also be inaccessible.
Please keep in mind that this will not prevent users from making changes via LDAP or kpasswd protocol. E.g. password changes will be still possible, this only hides the web interface and API. Such configuration is not tested. Here be dragons. -- Petr^2 Spacek -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project