On Mon, 19 Apr 2021 at 15:09, Steve Reed via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hi Stephen,

True.  I understand that, but I think we are getting off track to my original question.  Can you run a FIPS FreeIPA server and still have the clients work with it?  It's not necessarily required to have the clients FIPS compliant, but the server must since it has to do the encryption for data that it stores.

And I appreciate that everyone is trying to save me some time, but it has been decided that we will use FIPS unless it proves not beneficial.

FIPS compliance basically says the system will only use a certain subset of encryption algorithms and no others. This can cause problems in the following cases:

1. Systems with old software or hardware. If your environment has hardware/software from before 2012, then they may not be able to talk to EL8 systems in FIPS mode without software being updated on those systems.
2. Systems with really new software. The general place I see this is where someone sets their algorithms to FUTURE or some brand-new 'I am writing a paper for an RFC to the IETF which will cover this' method.
3. Systems which are configured to use modern but non-compliant algorithms (I think GOST, some elliptical algorithms etc.)

In those cases, you end up with weird 'why isn't this working' problems which can take a while to diagnose in a large environment. In smaller ones it is usually 'well don't do that' or 'time for your manager to approve that upgrade budget'.

--
Stephen J Smoogen.
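As an added example, not part of the thread and not FreeIPA project code: a small diagnostic for the "why isn't this working" case Stephen describes, where one side of a connection is in FIPS mode and the other side offers only algorithms the FIPS policy rejects. It assumes an EL8-style host with /proc/sys/crypto/fips_enabled, the crypto-policies tooling (update-crypto-policies) and the OpenSSL CLI; the host name in the usage line and the two sample s_client outputs are constructed for illustration. ChaCha20-Poly1305 is used as the "modern but non-FIPS" suite because the EL8 FIPS policy excludes it, so a FIPS-mode server is expected to refuse it while accepting AES-GCM.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): check the local FIPS
# state and probe a peer with a FIPS-approved cipher list and with a
# non-FIPS one, so a cipher-policy mismatch shows up as a clear FAIL
# instead of an opaque handshake error.
#
# Assumptions: EL8-style host with /proc/sys/crypto/fips_enabled,
# update-crypto-policies and the openssl CLI. Host names and the sample
# outputs below are constructed.

# 1 if the kernel reports FIPS mode, 0 otherwise (0 when the file is absent).
local_fips_state() {
    if [ -r /proc/sys/crypto/fips_enabled ]; then
        cat /proc/sys/crypto/fips_enabled
    else
        echo 0
    fi
}

# Active system-wide crypto policy (DEFAULT, FIPS, FUTURE, ...),
# or "unknown" if the crypto-policies tooling is not installed.
local_crypto_policy() {
    if command -v update-crypto-policies >/dev/null 2>&1; then
        update-crypto-policies --show
    else
        echo unknown
    fi
}

# Extract the negotiated cipher from "openssl s_client" output on stdin.
# OpenSSL prints "New, <proto>, Cipher is <name>"; on a failed handshake
# the name is "(NONE)".
negotiated_cipher() {
    sed -n 's/^New, .*, Cipher is //p' | head -n 1
}

# Probe a peer with a restricted TLS 1.2 cipher list and report the result.
# Usage: tls_probe host port 'CIPHER-LIST'
tls_probe() {
    host=$1; port=$2; ciphers=$3
    out=$(openssl s_client -connect "$host:$port" -tls1_2 -cipher "$ciphers" </dev/null 2>&1)
    cipher=$(printf '%s\n' "$out" | negotiated_cipher)
    case "$cipher" in
        ""|"(NONE)")
            printf 'FAIL  %s:%s  offered=%s\n' "$host" "$port" "$ciphers"
            return 1 ;;
        *)
            printf 'OK    %s:%s  negotiated=%s\n' "$host" "$port" "$cipher" ;;
    esac
}

# Constructed sample outputs (abridged) so the parser can be exercised offline.
SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit'

SAMPLE_FAIL='CONNECTED(00000003)
SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
---
New, (NONE), Cipher is (NONE)'

# Offline demonstration of the parser on the constructed samples.
printf 'sample ok   -> %s\n' "$(printf '%s\n' "$SAMPLE_OK" | negotiated_cipher)"
printf 'sample fail -> %s\n' "$(printf '%s\n' "$SAMPLE_FAIL" | negotiated_cipher)"

# Live probe, only when a host and port are given, e.g.:
#   sh fips-probe.sh ipa.example.test 443
if [ $# -ge 2 ]; then
    printf 'local fips_enabled=%s policy=%s\n' "$(local_fips_state)" "$(local_crypto_policy)"
    # FIPS-approved suites: should succeed against a FIPS-mode server.
    tls_probe "$1" "$2" 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256' || true
    # Non-FIPS suite: expected to FAIL against a FIPS-mode server.
    tls_probe "$1" "$2" 'ECDHE-RSA-CHACHA20-POLY1305' || true
fi
```

A FAIL on the ChaCha20 probe alongside an OK on the AES-GCM probe points at the cipher policy rather than at certificates or Kerberos, which is the distinction that usually takes the longest to establish in a large environment. The same probe against a client that only offers a FUTURE-policy or GOST suite reproduces the other two cases in Stephen's list.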