Oliver Burtchen wrote:
Hi Rob,
thanks for the answer. I know about the externel CA-Cert possibility of ipa-
server- install. But it does not what I want.
I did setup a dogtag ca and a fedora-ds (389). It would be nice, if freeipa
could just use them. I find it a little bit inconsitent that dogtag tries to be
a central service, and freeipa claims to be the same, setting up a new one.
Well, it gets tricky because we need an RA certificate in IPA and there
is no automated way to get this with an existing dogtag installation.
This is why making IPA a subordinate CA is suggested, so you can
continue with your existing central authority.
I'm sure it's possible to wedge in an existing dogtag instance, it would
just take a bit of work and lots of code reading. Among the things you'd
have to do are:
- change the dogtag ports in IPA
- have your CA issue an RA certificate and trust that user in the
existing CA
- load that RA cert and private key into /etc/httpd/alias using the
right nickname
- set the right CA type in /etc/ipa/default.conf on the IPA server
Perhaps some other things I'm missing. I'm not sure how cloning will
work in this case.
BTW.: Freeipa setup tells me, that it should be the only 389-instance, and
exist gracefully. Well, my dogtag and bind setup with 389-backend works quiet
well, i just want freeipa to use them.
IPA is really geared for configuration on a fresh install. We have to
touch so many things the installation is difficult as it is. Having to
integrate with a lot of existing services makes this doubly more
difficult. You can always disable the check (only via code now, no
arguments for this).
Is there a possibility to setup freeipa this way? Thanks for the all in one
setup, but it means I cannot run an other ldap (389) server(-instance) on a
machine where freeipa is running. Is this right?
You can't if it is already installed, at least not without a small code
change.
We have to use the 80/20 rule here and try to have some control over the
initial environment before trying the installation. It is probably
possible to do what you want given time and patience but we are unlikely
to do this in the near future.
rob
Best regards,
Oli
Am Freitag, 9. April 2010 23:42:54 schrieb Rob Crittenden:
Oliver Burtchen wrote:
Hi @all,
is it possible to use an already configured und running dogtag-instance
for freeipa V2 in the installation process? I would like to give
ipa-server- install just the params for the dogtag-instance/server to
use, and skip its own creation-process (pkisilence ...).
Or are there arguments for an extra CA used by freeipa?
Background: I customized dogtag for my needs (using SHA256, default to 10
year validity of ca-SigningCert, organization and location defaults, etc.
).
Best regards,
Oli
Probably the best way to do it would be to use the external CA install
option (--external-ca). This is a two-step installation process. The
first step generates a CSR for the IPA CA. You take this CSR to your
existing CA and issue a subordinate CA certificate that will be used by
IPA. Then you continue the IPA Installation and it sets up a separate
dogtag instance with this subordinate CA.
It might be possible to wedge in an existing dogtag install into IPA in
another way but I haven't yet tried it.
rob
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
