Thanks for your input, Rob - you've said enough to scare me off the topic!

From: Rob Crittenden <rcritten(a)redhat.com>
Sent: 08 October 2020 20:52
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Angus Clarke <angus(a)charworth.com>
Subject: Re: [Freeipa-users] Stop/Disable Apache on IdM servers

Angus Clarke via FreeIPA-users wrote:
> We have a single mesh of FreeIPA servers in several different locations,
> we capture logs (apache ErrorLog directive) to a log server in each of
> those locations. When auditors ask us questions we have to trawl log
> servers from all locations as our IdM administrators might have used any
> of the IdM servers to make changes.
>
> To limit that access to one site, I am considering stopping and
> disabling apache on all IdM servers at other sites and just wanted to
> check there are no unintended consequences in that action.
>
> I'm not looking for enforcement, merely a means of persuading the team
> to use the web interface or command line tools at one site.

It's completely untested, so if something went wrong you'd be pretty far
out on the ledge.

You're purposely creating a single point of failure. You'd need to work
out some system to transition the web server to another server.

The chosen server would need to run a CA, otherwise it will try to find
one and fail at connecting since the CA connect is proxied through Apache.
Establishing a new CA would likewise almost certainly be problematic.

The ipa-ca CNAME is used so clients can use OCSP. You'd have to manually
limit this value to only the available web server. Same with CRL.

Running other administrative commands on those hosts would fail
miserably (ipa-certupdate, ipa-cacert-manage for sure).

I'm not certain if ipa-server-upgrade, which is also run at package
installation, needs local API access. IPA servers make certain
assumptions about what basic services are available.

So this could well be the kind of thing that seems to work, you relax
and forget about it, then all heck breaks loose.

Either way, masking/stopping the service wouldn't really work since it
is managed via ipactl. You'd have to mark the service as disabled in
IPA, and I'm not sure you can do that to an IPA service, so you'd
probably have to do it manually using ldapmodify.
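The original problem in this thread is the audit one: administrators may have used any IdM server, so a question about a change means trawling the Apache error logs of every site. The following is an added example, not code from the thread or from the FreeIPA project, showing the alternative that does not require turning off Apache anywhere: ship all the error logs to one place and attribute each API call to the server that served it. The sample lines are constructed; they follow the shape of the `ipa: INFO:` audit entries FreeIPA's WSGI application writes to `error_log`, and the leading server name on each line is an assumption about how a log shipper would tag them.

```python
"""Attribute FreeIPA API calls to the IdM server that served them, from
Apache error_log lines collected on a central log server.

Added example, not from the thread. Log lines are constructed; the
"<server> " prefix is assumed to be added by the log shipper, not by httpd.
"""
import re
from collections import defaultdict

# Constructed sample: one "<ipa-server> <error_log line>" per line.
SAMPLE_LOG = """\
ipa1.site-a.example.com [Thu Oct 08 20:52:01.123456 2020] [wsgi:error] [pid 1203] [remote 10.1.0.5:51022] ipa: INFO: [jsonserver_kerb] admin@EXAMPLE.COM: user_add/1(u'bob', version=u'2.237'): SUCCESS
ipa2.site-b.example.com [Thu Oct 08 20:53:10.654321 2020] [wsgi:error] [pid 1207] [remote 10.2.0.9:44110] ipa: INFO: [jsonserver_kerb] admin@EXAMPLE.COM: group_add_member/1(u'admins', user=[u'bob'], version=u'2.237'): SUCCESS
ipa2.site-b.example.com [Thu Oct 08 20:54:00.000001 2020] [wsgi:error] [pid 1207] [remote 10.2.0.9:44112] ipa: INFO: [jsonserver_kerb] alice@EXAMPLE.COM: user_mod/1(u'bob', version=u'2.237'): ACIError
ipa3.site-c.example.com [Thu Oct 08 20:55:30.222222 2020] [wsgi:error] [pid 1301] [remote 10.3.0.2:40000] ipa: INFO: [jsonserver_kerb] admin@EXAMPLE.COM: user_find/1(u'bob', version=u'2.237'): SUCCESS
ipa1.site-a.example.com [Thu Oct 08 20:56:00.333333 2020] [wsgi:error] [pid 1203] [remote 10.1.0.5:51030] ipa: INFO: [jsonserver_session] admin@EXAMPLE.COM: user_del/1(u'bob', version=u'2.237'): SUCCESS
ipa1.site-a.example.com [Thu Oct 08 20:56:05.000000 2020] [core:notice] [pid 1100] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
"""

# Matches the IPA audit entries only; ordinary httpd notices do not match.
LINE_RE = re.compile(
    r"^(?P<server>\S+) "
    r"\[(?P<ts>[^\]]+)\] \[wsgi:error\] \[pid \d+\] "
    r"\[remote (?P<client>[\d.]+):\d+\] "
    r"ipa: INFO: \[(?P<handler>[^\]]+)\] "
    r"(?P<principal>\S+): (?P<command>[a-z_]+)/\d+\((?P<args>.*)\): (?P<result>\S+)$"
)

# Read-only commands are not changes; everything else is treated as one.
READ_ONLY_SUFFIXES = ("_find", "_show")


def parse_line(line):
    """Return a dict for an IPA API audit line, or None for other httpd output."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_change(entry):
    return not entry["command"].endswith(READ_ONLY_SUFFIXES)


def changes_by_server(log_text):
    """Map each IdM server to the successful modifying calls it served."""
    result = defaultdict(list)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and is_change(e) and e["result"] == "SUCCESS":
            result[e["server"]].append((e["ts"], e["principal"], e["command"], e["args"]))
    return dict(result)


def history_of(log_text, needle):
    """Every call (any result) whose arguments mention `needle`, in log order,
    regardless of which site's server handled it: the auditor's question."""
    return [
        (e["server"], e["principal"], e["command"], e["result"])
        for e in map(parse_line, log_text.splitlines())
        if e and needle in e["args"]
    ]


if __name__ == "__main__":
    for server, calls in sorted(changes_by_server(SAMPLE_LOG).items()):
        print(server, len(calls), "change(s)")
        for ts, principal, cmd, args in calls:
            print("  ", ts, principal, cmd, args)
    print(history_of(SAMPLE_LOG, "u'bob'"))
```

Denied calls (the `ACIError` line) are kept by `history_of` on purpose: an auditor usually wants to see attempted changes as well as successful ones, and they would be lost entirely if only one site's Apache were left running and the attempt had been made elsewhere.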