On Sat, 16 Jan 2021, Robert Gabriel via FreeIPA-users wrote:
> Is it possible to enrol a host using `ipa-client-install` behind a TLS proxy?
No. I don't know anyone who asked for this for last decade or so, so
this is definitely not a tested and tried scenario.
> I need to enrol hosts that can only reach `my.proxy.host:443` due to
> I see there is MS-KKDCP for kinit, kpasswd etc.
> We don't have much need for Kerberos ATM and are mainly using user,
> group lookups along with SSH pubkeys and Sudo rules. I'm assuming that
> at the very least we are using 389/636 for the above lookups? Then you
> would at least have to proxy your LDAPS? I have not done a `tcpdump`
> yet to ascertain what ports are in use.
A full list of firewall considerations in FreeIPA environment I have
can be found here: https://vda.li/drafts/firewall-considerations.txt
It needs few updates for FreeIPA 4.9 series but for older versions it
should be up to date.
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
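The question above asks which ports a client actually needs to reach before going to the trouble of a `tcpdump`. The following is an added example, not code from this thread or from the FreeIPA project: it probes the standard FreeIPA TCP ports from the client's point of view so you can see at a glance what a firewall or proxy lets through. The port list assumes the FreeIPA defaults (80/443 for HTTP/HTTPS, 389/636 for LDAP/LDAPS, 88/464 for Kerberos); the server hostname `ipa.example.test` is a placeholder.

```python
import socket
import sys

# Standard FreeIPA service ports a client touches during enrolment and for
# user/group/sudo/SSH-key lookups (assumption: the deployment uses defaults).
# 88 and 464 are also used over UDP; this probe only checks TCP.
FREEIPA_TCP_PORTS = {
    80: "HTTP (enrolment, CA certificate download)",
    443: "HTTPS (JSON-RPC API, MS-KKDCP Kerberos proxy)",
    389: "LDAP",
    636: "LDAPS",
    88: "Kerberos KDC",
    464: "Kerberos kpasswd",
}


def tcp_reachable(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Connection refused, filtered (timeout), or name resolution failure.
        return False


def probe_server(host, ports=None, timeout=2.0):
    """Probe each port and return {port: reachable} for the given host."""
    if ports is None:
        ports = FREEIPA_TCP_PORTS
    return {port: tcp_reachable(host, port, timeout) for port in ports}


def blocked_ports(results):
    """Sorted list of the ports that were not reachable."""
    return sorted(port for port, ok in results.items() if not ok)


if __name__ == "__main__":
    # Usage: python probe_ipa_ports.py ipa.example.test   (hostname is a placeholder)
    target = sys.argv[1] if len(sys.argv) > 1 else "ipa.example.test"
    results = probe_server(target)
    for port in sorted(results):
        state = "open" if results[port] else "BLOCKED"
        print(f"{port:5d}/tcp  {FREEIPA_TCP_PORTS[port]:45s} {state}")
    if blocked_ports(results):
        print("Blocked TCP ports:", blocked_ports(results))
```

Run it from the host you intend to enrol, against the IPA server's hostname. If only 443 comes back open, that confirms the situation described in the question: LDAP/LDAPS and Kerberos are unreachable, and a plain TLS proxy on 443 does not carry them.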