[Freeipa-users] subjectAlternativeName for webservice

Petr Spacek pspacek at redhat.com
Fri Mar 6 15:26:40 UTC 2015


On 6.3.2015 16:24, Matt . wrote:
> Hi,
> 
> I'm really bound to a loadbalancer, as it's an HA setup of loadbalancers;
> SRV won't fit here, sorry to say.
> 
> I auth users, so their keytab should be the same between the two masters, I believe?

Keytabs are used by Kerberos, and the MIT Kerberos libraries fully support SRV
records and failover.

> 
> In that case... I need to add the altnames to the certs, but I'm not
> 100% there in step 6

I hope someone else can advise you how to do that, but be prepared for hiccups;
this setup is not tested.

Petr^2 Spacek

> 
> Thanks again!
> 
> Cheers,
> 
> Matthijs
> 
> 2015-03-06 16:16 GMT+01:00 Petr Spacek <pspacek at redhat.com>:
>> On 6.3.2015 15:39, Matt . wrote:
>>> I have 2 IPA servers where I kinit to and post to the api using curl/json.
>>
>> If we are talking purely about scripting, you can use the IPA Python API. It will
>> handle failover for you even without any load balancer. That would be the easiest
>> way.
>>
>>> As I need redundancy and don't want to have it script-managed, but one
>>> central point where I can talk to, I use a loadbalancer.
>>
>> Well, if you can control clients then the easiest and most universal way is to
>> use DNS SRV records and add failover logic to clients. That solution works
>> even when servers are geographically distributed/in different networks and
>> does not have single point of failure (the load balancer).
>>
>>> As I connect to the loadbalancer using DNAT, so the client IP is known
>>> on the IPA server (because this is needed for the http service
>>> principals), I need to add the loadbalancer hostname to my IPA server
>>> and make it an ALT name in its certificate.
>>>
>>> As the users are the same on both servers, I would assume I can use a
>>> keytab for a user against both servers from my clients.
>>
>> I'm talking about keytabs on the FreeIPA servers - services running on the IPA
>> server have their own keytabs too. Every service on every server has its own
>> keytab with a different key.
>>
>> You need to talk with Simo or some other Kerberos guru about the possibility of
>> sharing keytabs between IPA services.
>>
>>> Does this make it more clear?
>>
>> I'm still not sure if you want to have human users too or just API clients.
>>
>> Petr^2 Spacek
>>
>>> 2015-03-06 15:31 GMT+01:00 Petr Spacek <pspacek at redhat.com>:
>>>> On 6.3.2015 15:13, Matt . wrote:
>>>>> Hi,
>>>>>
>>>>> But as the user is the same, I could use the same keytab for each IPA server?
>>>>>
>>>>> I need to use the API indeed, so I need to issue the http service.
>>>>>
>>>>> Any other options ?
>>>>
>>>> I do not really understand your use case. Could you describe it in detail, please?
>>>>
>>>> Petr^2 Spacek
>>>>
>>>>> 2015-03-06 14:24 GMT+01:00 Petr Spacek <pspacek at redhat.com>:
>>>>>> On 6.3.2015 14:08, Martin Kosek wrote:
>>>>>>> I'm figuring out how to regenerate the webserver certificates so I can
>>>>>>> use a loadbalancer in front of my ipa servers.
>>>>>>
>>>>>> Are you talking about the FreeIPA web interface? It is technically possible to use
>>>>>> a load balancer, but it will be really hacky. You would have to solve
>>>>>> certificates and also distribute shared keytabs and so on.
>>>>>>
>>>>>> I would recommend using "something" which issues an HTTP redirect to IPA
>>>>>> server 1/2/3/4/5 according to the current state, instead of using a classical load
>>>>>> balancer at the network level. A normal HTTP redirect will not force you to mess
>>>>>> with certs and keytabs.
>>>>>>
>>>>>> --
>>>>>> Petr^2 Spacek
>>
>>
>> --
>> Petr Spacek  @  Red Hat


-- 
Petr Spacek  @  Red Hat
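The client-side failover over DNS SRV records that Petr recommends instead of a network load balancer, as an added example that is not part of this thread or of FreeIPA's own code. It implements the RFC 2782 ordering (priority first, weighted random within a priority) over constructed SRV records; the hostnames and the `try_connect` callback are hypothetical stand-ins for a real resolver answer and a real connection attempt.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int  # lower values are tried first
    weight: int    # relative share of traffic within one priority level
    port: int
    target: str


# Constructed sample answer (e.g. for _ldap._tcp.<domain>): two masters at
# priority 0 sharing load, one disaster-recovery replica at priority 10.
SAMPLE_SRV = [
    SrvRecord(0, 50, 443, "ipa1.example.test"),
    SrvRecord(0, 50, 443, "ipa2.example.test"),
    SrvRecord(10, 0, 443, "ipa-dr.example.test"),
]


def order_targets(records, rng=random):
    """Return records in the order a client should try them (RFC 2782 s.3)."""
    by_priority = {}
    for r in records:
        by_priority.setdefault(r.priority, []).append(r)
    ordered = []
    for prio in sorted(by_priority):
        pool = list(by_priority[prio])
        # RFC 2782: weight-0 records go to the front; they are then only picked
        # when the random value is 0, i.e. rarely while heavier peers remain.
        pool.sort(key=lambda r: r.weight != 0)
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total) if total else 0
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


def connect_with_failover(records, try_connect, rng=random):
    """Try each target in SRV order; return the first that connects, else None."""
    for r in order_targets(records, rng):
        if try_connect(r.target, r.port):
            return r
    return None
```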