Angus Clarke via FreeIPA-users wrote:
> Hello
> 
> We have a single mesh of FreeIPA servers in several different locations,
> we capture logs (apache ErrorLog directive) to a log server in each of
> those locations. When auditors ask us questions we have to trawl log
> servers from all locations as our IdM administrators might have used any
> of the IdM servers to make changes.
> 
> To limit that access to one site, I am considering stopping and
> disabling apache on all IdM servers at other sites and just wanted to
> check there are no unintended consequences in that action.
> 
> I'm not looking for enforcement, merely a means of persuading the team
> to use the web interface or command line tools at one site.

It's completely untested so if something went wrong you'd be pretty far
out on the ledge.

You're purposely creating a single-point-of-failure. You'd need to work
out some system to transition the web server to another server.

The chosen server would need to run a CA, otherwise it will try to find
one and fail at connecting since the CA connect is proxied through Apache.

Establishing a new CA would likewise almost certainly be problematic.

The ipa-ca CNAME is used so clients can use OCSP. You'd have to manually
limit this value to only the available web server. Same with CRL.

Running other administrative commands on those hosts would fail
miserably (ipa-certupdate, ipa-cacert-manage for sure).

I'm not certain if ipa-server-upgrade which is also run at package
installation needs local API access. IPA servers make certain
assumptions about what basic services are available.

So this could well be the kind of thing that seems to work, you relax
and forget about it, then all heck breaks loose.

Either way, masking/stopping the service wouldn't really work since it
is managed via ipactl. You'd have to mark the service as disabled in
IPA, and I'm not sure you can do that to an IPA service so you'd
probably have to do it manually using ldapmodify.

rob
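The original question is really about answering auditors who changed what, regardless of which IdM server an administrator happened to use. As an added example (not from this thread or from the FreeIPA project), the Python below merges the `ipa: INFO:` request lines that each server's Apache ErrorLog already records into one time-ordered trail, so logs from every site can be queried together instead of funnelling all traffic to one site; the log line format is assumed from typical FreeIPA deployments and the sample lines are constructed.

```python
import re
from datetime import datetime

# Regex for the per-request "ipa: INFO:" audit lines the FreeIPA web API
# writes into Apache's ErrorLog (format assumed; sample lines below constructed).
IPA_API_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[wsgi:error\] .*?\[remote (?P<client>[^\]:]+):\d+\] "
    r"ipa: INFO: \[(?P<backend>[^\]]+)\] (?P<principal>\S+): "
    r"(?P<command>\w+)/\d+\((?P<args>.*)\): (?P<result>\w+)$"
)
READ_ONLY = re.compile(r"_(find|show)$")  # commands that change nothing

def parse_ipa_api_line(server, line):
    """Return one audit record (dict) or None for lines that are not API calls."""
    m = IPA_API_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["server"] = server
    rec["when"] = datetime.strptime(rec.pop("ts"), "%a %b %d %H:%M:%S.%f %Y")
    return rec

def build_audit_trail(logs_by_server):
    """Merge error_log text from several servers into one time-ordered trail."""
    trail = [rec for server, text in logs_by_server.items()
             for rec in (parse_ipa_api_line(server, l) for l in text.splitlines())
             if rec is not None]
    return sorted(trail, key=lambda r: r["when"])

def summarize_changes(trail):
    """Map principal -> list of (server, command, result) for modifying calls only."""
    changes = {}
    for rec in trail:
        if not READ_ONLY.search(rec["command"]):
            changes.setdefault(rec["principal"], []).append(
                (rec["server"], rec["command"], rec["result"]))
    return changes

# Constructed sample error_log excerpts from two sites (not real data).
SAMPLE_LOGS = {
    "ipa1.site-a.example.test": (
        "[Mon Mar 04 09:14:59.000000 2024] [core:notice] [pid 2000:tid 100] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'\n"
        "[Mon Mar 04 09:15:01.123456 2024] [wsgi:error] [pid 2011:tid 140] [remote 10.1.0.20:51234] ipa: INFO: [jsonserver_session] admin@EXAMPLE.TEST: user_add/1(u'bob', version=u'2.251'): SUCCESS\n"
        "[Mon Mar 04 09:15:07.000001 2024] [wsgi:error] [pid 2011:tid 140] [remote 10.1.0.20:51234] ipa: INFO: [jsonserver_session] admin@EXAMPLE.TEST: user_find/1(None, version=u'2.251'): SUCCESS\n"
    ),
    "ipa2.site-b.example.test": (
        "[Mon Mar 04 09:15:30.500000 2024] [wsgi:error] [pid 3300:tid 77] [remote 10.2.0.9:40000] ipa: INFO: [jsonserver_kerb] alice@EXAMPLE.TEST: group_add_member/1(u'admins', user=[u'bob'], version=u'2.251'): SUCCESS\n"
        "[Mon Mar 04 09:16:00.000000 2024] [wsgi:error] [pid 3300:tid 77] [remote 10.2.0.9:40000] ipa: INFO: [jsonserver_kerb] alice@EXAMPLE.TEST: user_del/1(u'carol', version=u'2.251'): NotFound\n"
    ),
}
```

Calling `summarize_changes(build_audit_trail(SAMPLE_LOGS))` yields, per principal, the modifying calls with the server they were issued on and whether they succeeded; read-only `*_find`/`*_show` calls and non-API httpd lines are dropped.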
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org