[Freeipa-users] Services and Keytabs for load-balanced hostnames

Dimitar Georgievski mitkany at gmail.com
Wed Nov 26 22:41:06 UTC 2014


Thanks Alexander. Reviewing the proxy requirements now.

On Tue, Nov 25, 2014 at 3:32 PM, Alexander Bokovoy <abokovoy at redhat.com>
wrote:

> On Tue, 25 Nov 2014, Dimitar Georgievski wrote:
>
>> My case for HTTP load balancing is a little different. Ideally I would like
>> to use a real load balancer (A10 in this case) for balancing HTTP and
>> HTTPS
>> services.
>> Would that be possible?
>>
>> Based on the info in this thread, and Apache configuration for IPA
>> (ipa.conf) the following steps were performed
>> - Added host for sso.example.com
>> - Added service for HTTP/sso.example.com
>> - added new entry for HTTP/sso.example.com to /etc/httpd/conf/ipa.keytab.
>> This keytab is listed in the conf.d/ipa.conf under the Location '/ipa'
>> groups of directives.
>>  ipa-getkeytab -s `hostname` -p HTTP/sso.example.com -k
>> /etc/httpd/conf/ipa.keytab
>>
>> - modified the conf.d/ipa-rewrite.conf and ipa-pki-proxy.conf to redirect
>> requests to sso.example.com
>>
>> The login page loads but unfortunately authentication is failing with HTTP
>> 401 (unauthorized) response from the server. I wonder what I am doing
>> wrong.
>>
> Can you show your /var/log/krb5kdc.log, lines concerning
> HTTP/sso.example.com principal at the time you are trying to access IPA
> UI.
>
> FreeIPA limits service principals' ability to impersonate user
> principals (or any other principals). FreeIPA UI runs as HTTP/ principal
> and is given permission to impersonate user principal when talking to
> ldap/ service. This setup is explicit and requires additional
> configuration for those Kerberos principals which ask for additional
> access.
>
> For more detailed description read my article at
> http://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-
> with-FreeIPA/index.html
>
> --
> / Alexander Bokovoy
>
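Added example, not code from this thread or from the FreeIPA project: the three steps listed above plus the delegation grant Alexander describes, as a shell script with a small helper for pulling the krb5kdc.log lines he asked for. It assumes FreeIPA 4.2 or later (the servicedelegationrule commands and the stock ipa-http-delegation rule), an admin ticket in the cache, the placeholder names EXAMPLE.COM, sso.example.com and ipa.example.com, and a constructed log sample approximating the MIT krb5kdc format.

```shell
#!/bin/sh
# Added example; not code from the thread or from FreeIPA itself.
# Assumes: FreeIPA 4.2+ (servicedelegation* commands), an admin ticket in the
# cache, and placeholder names EXAMPLE.COM / sso.example.com / ipa.example.com.
set -eu

REALM="EXAMPLE.COM"
LB_HOST="sso.example.com"             # name the A10 load balancer answers for
IPA_SERVER="ipa.example.com"          # any IPA server to fetch the keytab from
KEYTAB="/etc/httpd/conf/ipa.keytab"   # the keytab conf.d/ipa.conf points at

# Steps from the thread: host, service, and a keytab entry for the LB name.
register_lb_service() {
    ipa host-add "$LB_HOST" --force   # --force: the name need not resolve in DNS yet
    ipa service-add "HTTP/$LB_HOST@$REALM"
    ipa-getkeytab -s "$IPA_SERVER" -p "HTTP/$LB_HOST@$REALM" -k "$KEYTAB"
}

# The missing piece: allow the new HTTP/ principal to impersonate users toward
# ldap/ via S4U2Proxy. "ipa-http-delegation" is the rule ipa-server-install
# creates for HTTP/<ipa-server> (assumption: the install still has the stock rule).
allow_delegation() {
    ipa servicedelegationrule-add-member ipa-http-delegation \
        --principals="HTTP/$LB_HOST@$REALM"
}

# Triage helper: count the KDC lines for a principal that are NOT "ISSUE" lines,
# i.e. requests the KDC refused (KDC_ERR_BADOPTION is the typical sign that the
# principal has no delegation rule toward the requested target).
kdc_errors_for_principal() {   # $1 = krb5kdc.log path, $2 = principal
    grep -F "$2" "$1" | grep -vc ': ISSUE: ' || true
}

# Constructed sample of /var/log/krb5kdc.log (format approximates MIT krb5kdc).
SAMPLE_LOG="$(mktemp)"
cat >"$SAMPLE_LOG" <<'EOF'
Nov 25 15:30:01 ipa krb5kdc[2301](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1416929401, etypes {rep=18 tkt=18 ses=18}, HTTP/sso.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Nov 25 15:30:02 ipa krb5kdc[2301](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1416929401, etypes {rep=18 tkt=18 ses=18}, HTTP/ipa.example.com@EXAMPLE.COM for ldap/ipa.example.com@EXAMPLE.COM
Nov 25 15:30:03 ipa krb5kdc[2301](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: KDC_ERR_BADOPTION: HTTP/sso.example.com@EXAMPLE.COM for ldap/ipa.example.com@EXAMPLE.COM, KDC can't fulfill requested option
EOF

# Usage on a real server (not run here):
#   register_lb_service && allow_delegation
#   kdc_errors_for_principal /var/log/krb5kdc.log "HTTP/$LB_HOST@$REALM"
```

Against the constructed sample the helper reports one refused request for the sso.example.com principal and none for the IPA server's own HTTP/ principal, which is the pattern to look for before and after adding the delegation rule.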