Re: [Freeipa-users] Server Ports

2014-04-03 Thread Petr Spacek

On 3.4.2014 07:55, Justin Brown wrote:
> I'm having some trouble determining which ports my servers need open
> to communicate and what ports client servers and users will need. The
> last documentation that I was able to find was included in Fedora 15
> (http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/installing-ipa.html).

http://www.freeipa.org/page/Documentation
is the ultimate source of documentation.

Latest documentation build is on
http://www.freeipa.org/docs/master/html-desktop/index.html


> I opened those ports with firewalld, but I encountered errors when
> joining my replica server. (I retried the replica install with
> firewalld, and it succeeded, so it's clearly a problem with the
> firewall settings.)
>
> I'm joining the wave of the future, so please excuse the firewalld
> XML, but it should be pretty obvious. All of the services are built
> into firewalld, except dogtag, which I made myself and is defined at
> the end.


ipa-replica-conncheck utility should tell you what is missing.


> On a side note, it would be nice if the firewalld packagers included a
> freeipa-server service (nudge nudge).


Patches are welcome :-)

--
Petr^2 Spacek

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
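The two practical questions in the exchange above are which ports a replica must be able to reach on the master (the thing ipa-replica-conncheck tests) and what a single firewalld service covering them would look like. The script below is an added illustration, not part of the thread and not FreeIPA's own tooling: its port table is taken from the Fedora 15 guide linked above plus the Dogtag port 7389 that comes up later in the thread, ipa.example.test is a placeholder hostname, and demo_local() runs the same check against a constructed pair of loopback ports so it can be tried without a FreeIPA master.

```python
"""TCP reachability check and firewalld service file for the FreeIPA ports.

Added example: neither ipa-replica-conncheck nor a FreeIPA project file. It
answers "can this host complete a TCP handshake to each listed port?", which
is the firewall symptom described in the thread.
"""
import socket
from typing import Dict, List, Tuple

# (protocol, port, service) that clients and replicas must reach on a master,
# taken from the Fedora 15 FreeIPA guide linked in the thread, plus 7389 for
# Dogtag, which the thread mentions.
FREEIPA_PORTS: List[Tuple[str, int, str]] = [
    ("tcp", 80, "HTTP"), ("tcp", 443, "HTTPS"),
    ("tcp", 389, "LDAP"), ("tcp", 636, "LDAPS"),
    ("tcp", 88, "Kerberos KDC"), ("udp", 88, "Kerberos KDC"),
    ("tcp", 464, "Kerberos kpasswd"), ("udp", 464, "Kerberos kpasswd"),
    ("tcp", 53, "DNS"), ("udp", 53, "DNS"),
    ("udp", 123, "NTP"),
    ("tcp", 7389, "Dogtag CA"),
]

Result = Tuple[int, str, bool]  # (tcp port, service, reachable)


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout.

    A refused connection (nothing listening) and a timeout (packets dropped
    by a firewall) both count as closed; either way the port needs attention.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_tcp_ports(host: str, ports=FREEIPA_PORTS, timeout: float = 2.0) -> List[Result]:
    """Probe every TCP entry. UDP entries are skipped: a UDP socket cannot
    tell 'filtered' from 'open' without a protocol-specific probe."""
    return [(port, name, tcp_port_open(host, port, timeout))
            for proto, port, name in ports if proto == "tcp"]


def blocked_ports(results: List[Result]) -> List[int]:
    """Sorted ports that did not answer: the firewall rules still missing."""
    return sorted(port for port, _, ok in results if not ok)


def report(host: str, results: List[Result]) -> str:
    """Human-readable summary, one line per port plus a verdict."""
    lines = [f"TCP connectivity to {host}:"]
    for port, name, ok in results:
        lines.append(f"  {name:<18} {port:>5}  {'OK' if ok else 'BLOCKED'}")
    missing = blocked_ports(results)
    lines.append(f"Still blocked: {missing}" if missing else "All listed ports reachable.")
    return "\n".join(lines)


def firewalld_service_xml(short: str, ports=FREEIPA_PORTS) -> str:
    """Render a firewalld service definition in the format of the files under
    /etc/firewalld/services/, covering every TCP and UDP entry. Installed as
    freeipa-server.xml it is the single service the thread wishes for."""
    entries = "\n".join(f'  <port protocol="{proto}" port="{port}"/>'
                        for proto, port, _ in ports)
    return ('<?xml version="1.0" encoding="utf-8"?>\n'
            "<service>\n"
            f"  <short>{short}</short>\n"
            "  <description>Ports a FreeIPA server exposes to clients and replicas</description>\n"
            f"{entries}\n"
            "</service>\n")


def demo_local() -> Dict[str, object]:
    """Offline run on constructed input: one listening and one closed loopback
    port, so the checker can be exercised without a FreeIPA master."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))   # kernel picks a free ephemeral port
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket()            # reserve and release a second port,
    spare.bind(("127.0.0.1", 0))       # so nothing listens on it afterwards
    closed_port = spare.getsockname()[1]
    spare.close()
    try:
        results = check_tcp_ports(
            "127.0.0.1",
            [("tcp", open_port, "listener"), ("tcp", closed_port, "nothing")],
            timeout=1.0)
    finally:
        listener.close()
    seen = {port: ok for port, _, ok in results}
    return {"open_seen": seen[open_port], "closed_seen": seen[closed_port],
            "blocked": blocked_ports(results), "closed_port": closed_port}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "ipa.example.test"  # placeholder host
    print(report(target, check_tcp_ports(target)))
    print(firewalld_service_xml("freeipa-server"))
```

Run it from the prospective replica with the master's hostname as the argument; every BLOCKED line is a rule still missing on the master's firewall. The generated XML, dropped into /etc/firewalld/services/ and followed by a firewalld reload, defines one service instead of enabling several built-in ones plus a hand-written dogtag definition.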


Re: [Freeipa-users] Server Ports

2014-04-03 Thread Justin Brown

Petr,

I'll try another replica for testing tomorrow, and unfortunately the
logs were purged when I reinstalled. The error message was not helpful
and said something along the lines of CA installation failed, but did
not list any reason. I'll get you the exact message tomorrow. I'll
also try some more network tests as I have all of the ports that you
listed plus some additional Dogtag ports, which I've come to
understand are now proxied through 7389.

> Patches are welcome :-)

Yes, you've got me. ;) I'll review the Firewalld packaging in more
detail and try to come up with a workable solution. It's not currently
possible to do meta-services in firewalld, and I'm sure the FreeIPA
developers don't want a hard dependency on firewalld via a
hypothetical freeipa-server-firewalld dependency. I'm sure some
solution is possible -- maybe even just in the documentation.

Thanks,
Justin

On Thu, Apr 3, 2014 at 2:25 AM, Petr Spacek pspa...@redhat.com wrote:
> On 3.4.2014 07:55, Justin Brown wrote:
>> I'm having some trouble determining which ports my servers need open
>> to communicate and what ports client servers and users will need. The
>> last documentation that I was able to find was included in Fedora 15
>> (http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/installing-ipa.html).
>
> http://www.freeipa.org/page/Documentation
> is the ultimate source of documentation.
>
> Latest documentation build is on
> http://www.freeipa.org/docs/master/html-desktop/index.html
>
>> I opened those ports with firewalld, but I encountered errors when
>> joining my replica server. (I retried the replica install with
>> firewalld, and it succeeded, so it's clearly a problem with the
>> firewall settings.)
>>
>> I'm joining the wave of the future, so please excuse the firewalld
>> XML, but it should be pretty obvious. All of the services are built
>> into firewalld, except dogtag, which I made myself and is defined at
>> the end.
>
> ipa-replica-conncheck utility should tell you what is missing.
>
>> On a side note, it would be nice if the firewalld packagers included a
>> freeipa-server service (nudge nudge).
>
> Patches are welcome :-)
>
> --
> Petr^2 Spacek



Re: [Freeipa-users] Server Ports

2014-04-03 Thread Martin Kosek

On 04/03/2014 09:46 AM, Justin Brown wrote:
> Petr,
>
> I'll try another replica for testing tomorrow, and unfortunately the
> logs were purged when I reinstalled. The error message was not helpful
> and said something along the lines of CA installation failed, but did
> not list any reason. I'll get you the exact message tomorrow. I'll
> also try some more network tests as I have all of the ports that you
> listed plus some additional Dogtag ports, which I've come to
> understand are now proxied through 7389.
>
>> Patches are welcome :-)
>
> Yes, you've got me. ;) I'll review the Firewalld packaging in more
> detail and try to come up with a workable solution. It's not currently
> possible to do meta-services in firewalld, and I'm sure the FreeIPA
> developers don't want a hard dependency on firewalld via a
> hypothetical freeipa-server-firewalld dependency. I'm sure some
> solution is possible -- maybe even just in the documentation.
>
> Thanks,
> Justin

Hi Justin,

Petr is right, patches and contributions are extremely welcome :-)

Let me just pass the initial information in case you'd want to accept this
challenge:

How to contribute: http://www.freeipa.org/page/Contribute/Code
Trac ticket with related information and links to Bugzillas:
https://fedorahosted.org/freeipa/ticket/2110

Actually, I do not think that freeipa-server-firewalld or something similar is
that bad an idea. We already thought of shipping our own firewalld file(s), and
such a subpackage may be the way to go. This is something that can be discussed
on the freeipa-devel list.

Martin
