[Freeipa-users] load balancers?

Janelle janellenicole80 at gmail.com
Sat Apr 4 19:04:10 UTC 2015 

On 4/4/15 11:44 AM, Dmitri Pal wrote:
> On 04/04/2015 12:30 PM, Nadav Mavor wrote:
>> i use F5 and 3 IPA servers no big issues but some notes :
>> 1) as note you cant use it for  kerberos
>> 2) for the DNS we use group and not L/B do to the zone serial (the 
>> zone serial num is not geting sync so if you round robin you will get 
>> deferent zone num evey time and it will mess up  zone sync to 
>> external dns servers)
>> 3) for the  GUI (443) make sure to use stickiness  so the user wont 
>> get bounce after the login
>
> I did not quite get 2) above...
> Can you please describe it in more details?
> If you know how to make LB work with IPA's DNS and kerberos a nice 
> HOWTO wiki page would be really welcome!
>
>
>>
>> On Sat, Apr 4, 2015 at 11:47 AM, Simo Sorce <simo at redhat.com 
>> <mailto:simo at redhat.com>> wrote:
>>
>>     We use SASL/GSSAPI/krb5 to authenticate clients to the LDAP server.
>>     If you want to load balance by using a common DNS name in front
>>     of all
>>     servers, you will need to deal with issues with krb5 authentication.
>>
>>     At the very least you should add keys to all servers for a principal
>>     named after the common name. However we do not test this scenario
>>     and I
>>     am not 100% sure it works correctly when you factor in that we use
>>     GSSAPI also for replication.
>>
>>     Simo.
>>
>>     On Sat, 2015-04-04 at 22:16 +0700, Brian Topping wrote:
>>     > I believe LDAP can be load balanced without any problem. It is
>>     a TCP
>>     > based protocol without persistent state between transactions so it
>>     > should be just fine.
>>     >
>>     >
>>
The reason I brought this up -

been doing some testing with different LBs and well, some of them seem 
to cause a lot of stuck/CLOSE_WAIT ports, while others don't. My guess 
is I am just incorrectly configuring the ones that are causing 
problems.  But I guess too, I was wondering if there were any known bugs 
in some LBs for others, that would cause issues?

~J


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150404/1d7f6987/attachment.htm>

More information about the Freeipa-users mailing list