[Freeipa-users] subjectAlternitiveName for webservice

Matt . yamakasi.014 at gmail.com
Fri Mar 6 14:39:10 UTC 2015


I have 2 IPA servers where I kinit to and post to the api using curl/json.

As I need redundancy and don't want to have it script managed, but one
central point where I can talk to, I use a loadbalancer.

As I connect to the loadbalancer using DNAT, the client IP is known
on the IPA server (this is needed for the http service principals).
So I need to add the loadbalancer hostname to my IPA server
and make it an ALT name in its certificate.

As the users are the same on both servers I would assume I can use a
keytab for a user against both servers from my clients.

Does this make it more clear?

2015-03-06 15:31 GMT+01:00 Petr Spacek <pspacek at redhat.com>:
> On 6.3.2015 15:13, Matt . wrote:
>> Hi,
>>
>> But as the user is the same, I could use the same keytab for each ipa server ?
>>
>> I need to use the API indeed, so need to issue the http service.
>>
>> Any other options ?
>
> I do not really understand your use case. Could you describe it in detail, please?
>
> Petr^2 Spacek
>
>> 2015-03-06 14:24 GMT+01:00 Petr Spacek <pspacek at redhat.com>:
>>> On 6.3.2015 14:08, Martin Kosek wrote:
>>>> I'm figuring out how to regenerate the webserver certificates so I can
>>>> use a loadbalancer in front of my ipa servers.
>>>
>>> Are you talking about the FreeIPA web interface? It is technically possible to use
>>> a load-balancer but it will be really hacky. You would have to solve
>>> certificates and also distribute shared keytabs and so on.
>>>
>>> I would recommend using "something" which issues an HTTP redirect to ipa
>>> server 1/2/3/4/5 according to current state instead of using a classical load
>>> balancer on the network level. A normal HTTP redirect will not force you to mess
>>> with certs and keytabs.
>>>
>>> --
>>> Petr^2 Spacek
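The question in this thread is whether the load-balancer hostname has to appear in the IPA HTTP certificate. The shell script below is an added example, not code from the thread or from the FreeIPA project: it builds a constructed self-signed certificate with two subjectAltName entries (the hostnames ipa1.example.test and lb.example.test are made up) and then checks which hostnames that certificate covers, which is the same hostname check a TLS client performs when it connects through the load balancer. If the load-balancer name is missing from the SAN, clients connecting to the LB will reject the certificate even though a direct connection to the IPA server works.

```shell
#!/bin/sh
# Added example: verify that a server certificate covers a hostname via its
# subjectAltName, the way a TLS client connecting to that name would check it.
# Requires OpenSSL 1.1.1 or newer (for -addext and -ext).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the IPA HTTP certificate: the IPA server name plus
# the load-balancer name as SAN entries. Prints the path of the PEM file.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ipa1.example.test" \
        -addext "subjectAltName=DNS:ipa1.example.test,DNS:lb.example.test" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
    echo "$WORK/cert.pem"
}

# Show the subjectAltName extension of a certificate file, for inspection.
cert_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName
}

# Exit 0 if the certificate in $1 matches hostname $2 (SAN entries, with the
# CN fallback that openssl's own -checkhost applies), 1 otherwise.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# Usage, when run directly:
#   CERT=$(make_test_cert); cert_san "$CERT"
#   cert_covers_host "$CERT" lb.example.test && echo "LB name covered"
```

Run the same check against the certificate actually served by the IPA HTTP service (export it with `openssl s_client -showcerts`) for each name clients will use, including the load balancer's.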
