[Freeipa-users] load balancers?
Janelle
janellenicole80 at gmail.com
Sat Apr 4 19:04:10 UTC 2015
On 4/4/15 11:44 AM, Dmitri Pal wrote:
> On 04/04/2015 12:30 PM, Nadav Mavor wrote:
>> I use F5 and 3 IPA servers, no big issues, but some notes:
>> 1) as noted, you can't use it for Kerberos
>> 2) for the DNS we use group and not L/B due to the zone serial (the
>> zone serial num is not getting synced, so if you round robin you will get
>> a different zone num every time and it will mess up zone sync to
>> external DNS servers)
>> 3) for the GUI (443) make sure to use stickiness so the user won't
>> get bounced after the login
>
> I did not quite get 2) above...
> Can you please describe it in more detail?
> If you know how to make LB work with IPA's DNS and Kerberos, a nice
> HOWTO wiki page would be really welcome!
>
>
>>
>> On Sat, Apr 4, 2015 at 11:47 AM, Simo Sorce <simo at redhat.com> wrote:
>>
>> We use SASL/GSSAPI/krb5 to authenticate clients to the LDAP server.
>> If you want to load balance by using a common DNS name in front of all
>> servers, you will need to deal with issues with krb5 authentication.
>>
>> At the very least you should add keys to all servers for a principal
>> named after the common name. However we do not test this scenario and I
>> am not 100% sure it works correctly when you factor in that we use
>> GSSAPI also for replication.
>>
>> Simo.
>>
>> On Sat, 2015-04-04 at 22:16 +0700, Brian Topping wrote:
>> > I believe LDAP can be load balanced without any problem. It is a TCP
>> > based protocol without persistent state between transactions so it
>> > should be just fine.
>> >
>> >
>>
The reason I brought this up -
been doing some testing with different LBs and well, some of them seem
to cause a lot of stuck/CLOSE_WAIT ports, while others don't. My guess
is I am just incorrectly configuring the ones that are causing
problems. But I guess too, I was wondering if there were any known bugs
in some LBs for others, that would cause issues?
~J