[Freeipa-users] load balancers?
Dmitri Pal
dpal at redhat.com
Sat Apr 4 18:44:51 UTC 2015
On 04/04/2015 12:30 PM, Nadav Mavor wrote:
> I use F5 and 3 IPA servers, no big issues, but some notes:
> 1) as noted, you can't use it for Kerberos
> 2) for the DNS we use group and not L/B due to the zone serial (the
> zone serial num is not getting synced, so if you round robin you will get
> a different zone num every time and it will mess up zone sync to external
> DNS servers)
> 3) for the GUI (443) make sure to use stickiness so the user won't
> get bounced after the login
I did not quite get 2) above...
Can you please describe it in more detail?
If you know how to make LB work with IPA's DNS and Kerberos, a nice HOWTO
wiki page would be really welcome!
>
> On Sat, Apr 4, 2015 at 11:47 AM, Simo Sorce <simo at redhat.com> wrote:
>
> We use SASL/GSSAPI/krb5 to authenticate clients to the LDAP server.
> If you want to load balance by using a common DNS name in front of all
> servers, you will need to deal with issues with krb5 authentication.
>
> At the very least you should add keys to all servers for a principal
> named after the common name. However we do not test this scenario
> and I am not 100% sure it works correctly when you factor in that we
> use GSSAPI also for replication.
>
> Simo.
>
> On Sat, 2015-04-04 at 22:16 +0700, Brian Topping wrote:
> > I believe LDAP can be load balanced without any problem. It is a TCP
> > based protocol without persistent state between transactions so it
> > should be just fine.
> >
> > Sent from my iPhone
> >
> > > On Apr 4, 2015, at 21:55, Janelle <janellenicole80 at gmail.com> wrote:
> > >
> > > Hello everyone,
> > >
> > > Probably a quiet weekend for any responses, but I will toss this
> > > out. I was wondering if anyone has had any issues with load balancers
> > > and IPA? Not with Kerberos, since I know the protocol is designed
> > > without load balancer support, but in the case of using the LDAP
> > > portion? I am curious because the load balancing within sssd is not
> > > really load balancing, but more fail-over. I am wondering what kind of
> > > experience and maybe suggestions for a good LB setup anyone might
> > > have.
> > >
> > > Thank You
> > > ~J
> > >
> > > --
> > > Manage your subscription for the Freeipa-users mailing list:
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > Go to http://freeipa.org for more info on the project
> >
>
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.