[Freeipa-users] freeipa behind a load balancer

Matt . yamakasi.014 at gmail.com
Wed Apr 1 18:41:42 UTC 2015


Hi,

I'm not giving up on this, so I'm testing.

I'm unsure at the moment about the keytab. The keytab is normally for
the user that needs to be able to do "stuff", but in this case we need
one for the load balancer name or the client... maybe combined?

I lost that overview... would be nice to get some advice here.

Thanks!

Matt

2015-03-31 21:23 GMT+02:00 Matt . <yamakasi.014 at gmail.com>:
> OK, but we need to do this using IPA or (as IPA does some things
> different it seems).
>
> Anyone testing this perhaps ? (/me is multitasking atm)
>
> 2015-03-31 20:22 GMT+02:00 Rob Crittenden <rcritten at redhat.com>:
>> Brendan Kearney wrote:
>>> On Tue, 2015-03-31 at 13:54 -0400, Simo Sorce wrote:
>>>> On Tue, 2015-03-31 at 13:50 -0400, Simo Sorce wrote:
>>>>> But IPA is more complex and some operations will be performed directly
>>>>> against the specific server name, so you need to keep 2 sets of keys
>>>>> (one for the server name and one for the load balancer name), but that
>>>>> does not work right now.
>>>>
>>>> One experiment that can be done is to remove all "per-server" HTTP
>>>> services for the IPA server, and instead add their name as aliases on
>>>> the common load-balancer name.
>>>>
>>>> This would mean that all IPA servers would have just one key in their
>>>> HTTP keytab, but the KDC would release tickets readable by that key for
>>>> any name the clients may ask for.
>>>>
>>>> It is a bit tricky, every time you build a replica you want to
>>>> load-balance you'll have to go back and remove the service and switch
>>>> keytabs, but it may be an option. Of course if you brick IPA then you
>>>> get to keep the pieces :-)
>>>>
>>>> Simo.
>>>>
>>>
>>> careful there, as Kerberos balks at CNAME records.  I think you need to
>>> use A records.  I ran into a couple odd issues and decided to only use
>>> A/PTR records for my stuff and never went "exploring" for
>>> options/alternatives.
>>>
>>
>> Not DNS aliases, Kerberos principal aliases.
>>
>> rob
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
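An added checker, not from the thread or the FreeIPA project, for the layout Simo describes above: each IPA server's HTTP keytab should hold exactly one key, the load-balancer principal, with no leftover per-server HTTP key. It parses constructed `klist -k` output (hypothetical hosts ipa1/ipa2/ipa3 and realm EXAMPLE.TEST) and also flags the failure mode that follows from sharing one principal across replicas: if one replica re-fetches the key and gets a newer kvno, the others hold a stale version that cannot decrypt newly issued tickets.

```python
"""Audit IPA HTTP keytabs for the single load-balancer principal layout."""
import re
from typing import Dict, List, Tuple

# Constructed `klist -k` output for three replicas (hypothetical names, not
# from the thread). ipa1 matches the proposed layout; ipa2's key was fetched
# separately and has a newer version; ipa3 still carries its per-server key.
HEADER = "Keytab name: FILE:/etc/httpd/conf/ipa.keytab\nKVNO Principal\n---- ----\n"
KLIST_OUTPUT = {
    "ipa1": HEADER + "   2 HTTP/ipa.example.test@EXAMPLE.TEST\n",
    "ipa2": HEADER + "   3 HTTP/ipa.example.test@EXAMPLE.TEST\n",
    "ipa3": HEADER + "   2 HTTP/ipa.example.test@EXAMPLE.TEST\n"
                     "   5 HTTP/ipa3.example.test@EXAMPLE.TEST\n",
}
LB_PRINCIPAL = "HTTP/ipa.example.test@EXAMPLE.TEST"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")  # "<kvno> <principal>" lines


def parse_klist(output: str) -> List[Tuple[int, str]]:
    """Extract (kvno, principal) pairs, skipping the header and rule lines."""
    return [(int(m.group(1)), m.group(2))
            for m in map(ENTRY_RE.match, output.splitlines()) if m]


def audit_http_keytabs(listings: Dict[str, str], lb_principal: str) -> List[str]:
    """One finding per deviation from 'exactly one HTTP key, the LB name, same
    version everywhere'; an empty list means the layout is consistent."""
    findings, lb_kvno = [], {}
    for server, text in listings.items():
        http = [(k, p) for k, p in parse_klist(text) if p.startswith("HTTP/")]
        names = {p for _, p in http}
        if lb_principal not in names:
            findings.append(f"{server}: missing load-balancer key {lb_principal}")
        for extra in sorted(names - {lb_principal}):
            # Leftover per-server service: the KDC still issues tickets for this
            # name under its own key, which the shared LB key cannot decrypt.
            findings.append(f"{server}: per-server key still present: {extra}")
        versions = [k for k, p in http if p == lb_principal]
        if versions:
            lb_kvno[server] = max(versions)
    if len(set(lb_kvno.values())) > 1:
        # New tickets are encrypted with the newest key version; a replica
        # holding an older version of the shared key cannot decrypt them.
        detail = ", ".join(f"{s}={v}" for s, v in sorted(lb_kvno.items()))
        findings.append(f"load-balancer key version differs across servers ({detail})")
    return findings


if __name__ == "__main__":
    for finding in audit_http_keytabs(KLIST_OUTPUT, LB_PRINCIPAL):
        print(finding)
```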