Re: [Freeipa-users] where to disable components?
On 1.4.2015 04:47, Rob Crittenden wrote:
> Janelle wrote:
>> Hello again...
>>
>> Looking around, but probably just not in the right place. I would like
>> to be able to disable httpd on all but a pair of servers, so we kind of
>> force all updates to come from a master and slave pair. Just trying to
>> keep updates defined to 2 servers rather than all of them in an 8 server
>> configuration.
>>
>> Where might I find that? Or is it possible? Will it break anything?
>>
>> thank you
>> ~J
>
> Not sure the complete reasoning behind that but...
>
> The safest route would be to just firewall ports 80 and 443 off. There
> is a way to tell ipactl to not start a service but I haven't thought
> through the implications.
>
> The CA interfaces on those machines will also be inaccessible.

Please keep in mind that this will not prevent users from making changes via LDAP or kpasswd protocol. E.g. password changes will be still possible, this only hides the web interface and API.

Such configuration is not tested. Here be dragons.

--
Petr^2 Spacek

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] where to disable components?
On Tue, 31 Mar 2015, Janelle wrote:
> Hello again...
>
> Looking around, but probably just not in the right place. I would like
> to be able to disable httpd on all but a pair of servers, so we kind of
> force all updates to come from a master and slave pair. Just trying to
> keep updates defined to 2 servers rather than all of them in an 8 server
> configuration.
>
> Where might I find that? Or is it possible? Will it break anything?

You wouldn't get anything by doing such a selecting 'disabling'. Every Kerberos authentication causes updates of LDAP objects on the KDC, so if you have 8 KDCs, all of them will be modifying LDAP store and replicating to each other.

--
/ Alexander Bokovoy
Re: [Freeipa-users] where to disable components?
Janelle wrote:
> Hello again...
>
> Looking around, but probably just not in the right place. I would like
> to be able to disable httpd on all but a pair of servers, so we kind of
> force all updates to come from a master and slave pair. Just trying to
> keep updates defined to 2 servers rather than all of them in an 8 server
> configuration.
>
> Where might I find that? Or is it possible? Will it break anything?
>
> thank you
> ~J

Not sure the complete reasoning behind that but...

The safest route would be to just firewall ports 80 and 443 off. There is a way to tell ipactl to not start a service but I haven't thought through the implications.

The CA interfaces on those machines will also be inaccessible.

rob