[Freeipa-devel] Suggestion for the A part of IPA

Innes, Duncan Duncan.Innes at virginmoney.com
Fri Jun 5 14:28:53 UTC 2015


 

-----Original Message-----
From: Martin Kosek [mailto:mkosek at redhat.com] 
Sent: 05 June 2015 13:31
To: Innes, Duncan; freeipa-devel at redhat.com; Jakub Hrozek
Subject: Re: [Freeipa-devel] Suggestion for the A part of IPA

> On 06/02/2015 10:29 AM, Innes, Duncan wrote:
> > Just a bit of a heads-up and a refresh of this with perhaps some new
> > data.
> >
> 
> We have more now! I created
> 
> https://www.freeipa.org/page/Centralized_Logging
> 
> where you can read more about this POC project and even see a demo showing
> what the current POC ELK server can do (with link to Docker server
> container and sources of course).

Excellent stuff - I fumbled together the page linked in your "Other
Resources" section at the bottom.

Will be upgrading my configs to replicate what you've done with respect to
pulling in extra log files.

> >
> > Thoughts?  I'm not saying they should always be paired, but that if a
> > user designs a system with enough horse power, this piggy-backing
> > could work well.
> 
> Ah, interesting idea and measurement. We have not thought about this kind
> of architecture yet. What we did in our POC is to configure FreeIPA
> clients and servers to send the logs directly to the logging server which
> was on a completely different machine (container) than the rest of the
> infrastructure.
> 
> It may be an alternative scheme, to have the FreeIPA server containing the
> log processing and then forwarding further to other REK/ELK server and
> clients simply forwarding the logs to the same server as where they are
> authenticating.
> If all the log configuration is baked in
> ipa-{server,replica,client}-install, it would be extremely easy to
> integrate.
> 

I was also thinking that this kind of setup would work well in a heavily
firewalled environment.  We have both hardware and host-based iptables
firewalls across the estate.  In our case, pairing the firewall rules
for logging to the IPA servers is much easier than creating new servers
and requesting separate rules for them.  Every client needs to talk to the
IPA servers via the IPA ports after all.  Adding in an extra port to the
firewall rule group for IPA isn't hard to maintain.

> 
> I am not sure if the authentication+logging binding would be that easy,
> nor that it belongs together that much. SSSD would need to dynamically
> export the address of the FreeIPA server it communicates with, maybe
> similarly as it does with Kerberos
> (http://linux.die.net/man/8/sssd_krb5_locator_plugin) - but that does
> not seem a good fit either.
> 

No - perhaps not.  Again I'm thinking more from my current situation.  We
were not given access to create _SRV_ records by the AD team, so we have
had to hard-code our IPA servers into the config files.  i.e.

[domain/unix.example.com]

cache_credentials = True
krb5_realm = UNIX.EXAMPLE.COM
ipa_domain = unix.example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client01.unix.example.com
chpass_provider = ipa
ipa_server = ipa01.unix.example.com, ipa02.unix.example.com
ldap_tls_cacert = /etc/ipa/ca.crt

We try and figure out which IPA servers we can see, then randomise the
order of available servers and put it in the ipa_server setting.

So relatively simple for our setup to copy this config into an rsyslog.d
config file.  Less easy if you just use _srv_ in there.

Not sure how you'd do that to be fair.  But if it's possible to parse
the data coming back from the DNS _SRV_ query, couldn't all the potential
IPA servers be included for rsyslog failover?

If all my remote servers are down, my failover reverts to /dev/null, so
no data will be written to disk if I'm isolated.

That's for rsyslog of course.  I'm also working on getting
systemd-journal-upload to send directly to logstash (hopefully with the
http input plugin).

>
> In any case, CCing Jakub for reference.
> 
> Thanks,
> Martin
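An added example (not from the thread or from FreeIPA): it reads the hard-coded ipa_server list from an sssd.conf fragment like the one quoted above, expands the _srv_ keyword from SRV-style records in RFC 2782 order, and renders the rsyslog failover chain that ends in /dev/null. The sssd.conf text and the SRV records are constructed; port 514, plain TCP and the RainerScript action syntax are assumptions.

```python
import configparser

# Constructed sssd.conf fragment modelled on the one quoted in the thread.
SAMPLE_SSSD_CONF = """
[domain/unix.example.com]
id_provider = ipa
ipa_server = _srv_, ipa01.unix.example.com, ipa02.unix.example.com
"""

# Constructed stand-in for an _ldap._tcp.unix.example.com SRV answer as
# (priority, weight, target); a real tool would obtain these from DNS.
SAMPLE_SRV = [
    (10, 20, "ipa03.unix.example.com."),
    (0, 100, "ipa01.unix.example.com."),
    (10, 50, "ipa04.unix.example.com."),
]


def ipa_servers(conf_text, domain, srv_records=()):
    """Ordered IPA server list from the [domain/<domain>] section.

    _srv_ is replaced by the SRV targets in RFC 2782 order (lowest priority
    first, higher weight first within a priority); duplicates keep first place.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    raw = cp.get(f"domain/{domain}", "ipa_server", fallback="")
    ordered = []
    for entry in (e.strip() for e in raw.split(",") if e.strip()):
        if entry.lower() == "_srv_":
            for _prio, _weight, target in sorted(srv_records, key=lambda r: (r[0], -r[1])):
                ordered.append(target.rstrip("."))
        else:
            ordered.append(entry)
    return list(dict.fromkeys(ordered))


def rsyslog_failover(servers, port=514, last_resort="/dev/null"):
    """Render rsyslog actions for /etc/rsyslog.d: the first server is the
    primary, each later one fires only while the previous hop is suspended,
    and the final omfile is the sink used when every IPA server is down.
    As in the thread, /dev/null discards logs while isolated; a local file
    would keep them for later review. Port and plain TCP are assumptions."""
    lines = []
    for i, host in enumerate(servers):
        tail = ' action.execOnlyWhenPreviousIsSuspended="on"' if i else ""
        lines.append(f'*.* action(type="omfwd" target="{host}" port="{port}" protocol="tcp"{tail})')
    lines.append(f'*.* action(type="omfile" file="{last_resort}" action.execOnlyWhenPreviousIsSuspended="on")')
    return "\n".join(lines)
```

Because the IPA traffic itself is protected, the forwarded logs should be too; rsyslog's omfwd can be wrapped in TLS, which this fragment leaves out.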

