[Freeipa-users] load balancers?

Dmitri Pal dpal at redhat.com
Sat Apr 4 18:44:51 UTC 2015


On 04/04/2015 12:30 PM, Nadav Mavor wrote:
> I use F5 and 3 IPA servers, no big issues, but some notes:
> 1) as noted, you can't use it for Kerberos
> 2) for the DNS we use group and not L/B due to the zone serial (the 
> zone serial num is not getting synced, so if you round robin you will get 
> a different zone num every time and it will mess up zone sync to external 
> DNS servers)
> 3) for the GUI (443) make sure to use stickiness so the user won't 
> get bounced after the login

I did not quite get 2) above...
Can you please describe it in more detail?
If you know how to make LB work with IPA's DNS and Kerberos, a nice HOWTO 
wiki page would be really welcome!


>
> On Sat, Apr 4, 2015 at 11:47 AM, Simo Sorce <simo at redhat.com> wrote:
>
>     We use SASL/GSSAPI/krb5 to authenticate clients to the LDAP server.
>     If you want to load balance by using a common DNS name in front of all
>     servers, you will need to deal with issues with krb5 authentication.
>
>     At the very least you should add keys to all servers for a principal
>     named after the common name. However, we do not test this scenario and I
>     am not 100% sure it works correctly when you factor in that we use
>     GSSAPI also for replication.
>
>     Simo.
>
>     On Sat, 2015-04-04 at 22:16 +0700, Brian Topping wrote:
>     > I believe LDAP can be load balanced without any problem. It is a TCP
>     > based protocol without persistent state between transactions so it
>     > should be just fine.
>     >
>     > Sent from my iPhone
>     >
>     > > On Apr 4, 2015, at 21:55, Janelle <janellenicole80 at gmail.com> wrote:
>     > >
>     > > Hello everyone,
>     > >
>     > > Probably a quiet weekend for any responses, but I will toss this
>     > > out. I was wondering if anyone has had any issues with load balancers
>     > > and IPA? Not with Kerberos, since I know the protocol is designed
>     > > without load balancer support, but in the case of using the LDAP
>     > > portion? I am curious because the load balancing within sssd is not
>     > > really load balancing, but more fail-over. I am wondering what kind of
>     > > experience and maybe suggestions for a good LB setup anyone might
>     > > have.
>     > >
>     > > Thank You
>     > > ~J
>     > >
>     > > --
>     > > Manage your subscription for the Freeipa-users mailing list:
>     > > https://www.redhat.com/mailman/listinfo/freeipa-users
>     > > Go to http://freeipa.org for more info on the project
>     >
>
>
>     --
>     Simo Sorce * Red Hat, Inc * New York


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
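
Point 2 in the quoted message, worked through as an added illustration (not part of the original thread and not FreeIPA code): an external secondary refreshes through a round-robin VIP and only transfers when the answering server's SOA serial is newer under RFC 1982 arithmetic. The replica names, serials, records and the assumption that each server bumps its own serial independently are constructed to model the behaviour described there.

```python
from itertools import cycle

def serial_gt(a, b):
    """RFC 1982 comparison for 32-bit SOA serials: is a newer than b?"""
    return a != b and ((a - b) % 2**32) < 2**31

class Secondary:
    """External secondary that refreshes a zone by comparing SOA serials."""
    def __init__(self):
        self.serial, self.records = None, set()

    def refresh(self, replica):
        # Transfer only when the answering server advertises a newer serial.
        if self.serial is None or serial_gt(replica["serial"], self.serial):
            self.serial = replica["serial"]
            self.records = set(replica["records"])
            return True
        return False

def run_scenario():
    # Constructed data: identical zone content, per-server serials (assumption).
    base = {"www A 192.0.2.10"}
    replicas = [
        {"name": "ipa1", "serial": 2015040401, "records": set(base)},
        {"name": "ipa2", "serial": 2015040403, "records": set(base)},
        {"name": "ipa3", "serial": 2015040405, "records": set(base)},
    ]
    vip = cycle([replicas[2], replicas[0], replicas[1]])  # round-robin order
    sec, log = Secondary(), []

    def poll():
        r = next(vip)
        log.append((r["name"], r["serial"], sec.refresh(r)))

    poll()  # lands on ipa3: secondary now holds serial ...05
    # A record is added; content replicates, each server bumps its own serial.
    for r in replicas:
        r["records"].add("vpn A 192.0.2.20")
        r["serial"] += 1
    poll()  # ipa1 answers ...02, older than ...05: no transfer
    poll()  # ipa2 answers ...04, older than ...05: no transfer
    stale = "vpn A 192.0.2.20" not in sec.records
    poll()  # ipa3 answers ...06: transfer finally happens
    return log, stale, sec.records

if __name__ == "__main__":
    for name, serial, transferred in run_scenario()[0]:
        print(name, serial, "transfer" if transferred else "skipped")
```

In this model the secondary keeps serving the old zone until the rotation returns to the one server whose serial is ahead of its copy, which is why the poster points external DNS servers at the IPA servers as a group rather than through the balancer.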
