[Freeipa-users] freeipa behind a load balancer

Petr Spacek pspacek at redhat.com
Tue Mar 31 13:03:59 UTC 2015


On 31.3.2015 14:35, Matt . wrote:
> Hi Petr,
> 
> As this is not my topic it's for me quite "simple".
> 
> I need to post to /ipa/json through a loadbalancer, nothing more.
> 
> I have
> 
> ldap-01.domain.tld (ipa1)
> ldap-01.domain.tld (ipa2)
> 
> and my loadbalancer is ldap.domain.tld
> 
> ldap requests over a loadbalancer are quite simple and working, but
> the json part is more difficult because of the ticket and the dns
> name. I have added a san ldap.domain.tld to the webgui and there is a
> http/ldap.domain.tld service on the ipa server.
> 
> I get a nonvalid kerberos ticket when I go through ldap.domain.tld to
> ldap-01.domain.tld, but when I change my script to ldap-01.domain.tld
> after it failed my ticket is OK for ldap-01.domain.tld and works.
> 
> Is this enough information for you ?

Well, I still do not understand the use case. What are your clients? Are you
using the 'ipa' command to do something? Or some other clients?

Usually the best thing is to use DNS SRV records because it works even with
geographically distributed clusters and does not have a single point of failure
(the load balancer).

This requires clients with support for DNS SRV but if your machines are using
SSSD then you do not need to change anything and it should just work.

That is why I'm asking for the use case :-)

Petr^2 Spacek

> 2015-03-31 14:21 GMT+02:00 Petr Spacek <pspacek at redhat.com>:
>> On 31.3.2015 14:02, Matt . wrote:
>>> Hi Prashant,
>>>
>>> Check my mailings about it, it's not easy, at least not the Kerberos
>>> part; SRV records are used for that normally.
>>>
>>> Are you talking about the webgui or the ldap part ?
>>
>> I would recommend that you step back and describe the use case you have in mind. It
>> is important for us to understand your use case to propose an optimal solution.
>>
>> Petr^2 Spacek
>>
>>> Cheers,
>>>
>>> Matt
>>>
>>> 2015-03-31 13:56 GMT+02:00 Prashant Bapat <prashant at apigee.com>:
>>>> Hi,
>>>>
>>>> I'm trying to get 2 FreeIPA servers in a replicated mode behind a load
>>>> balancer, specifically Amazon ELB.
>>>>
>>>> I started with editing the /etc/httpd/conf.d/ipa-rewrite.conf but it looks like
>>>> there is more to it than just this file.
>>>>
>>>> Any suggestions ?
>>>>
>>>> Thanks.
>>>> --Prashant
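
Added example, not part of the thread and not FreeIPA code: a sketch of the SRV-based approach recommended above for a script that posts to /ipa/json, where the client orders the servers per RFC 2782 and addresses each one by its own hostname so the HTTP/ service ticket matches the server it reaches. The record set, the example.test names, the realm and the `post` callback are assumptions constructed for illustration; a real client would obtain the records from a DNS query for the domain's `_ldap._tcp` SRV name.

```python
import random

# Constructed sample SRV answer (priority, weight, port, target); not from the thread.
SAMPLE_SRV = [
    (0, 100, 389, "ipa1.example.test."),
    (0, 100, 389, "ipa2.example.test."),
    (10, 100, 389, "ipa-dr.example.test."),
]


def order_srv(records, rng=random):
    """Order SRV records per RFC 2782: lowest priority value first,
    weighted random selection among records sharing a priority."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        group = [r for r in records if r[0] == prio]
        while group:
            group.sort(key=lambda r: r[1] != 0)  # zero-weight records first
            point = rng.randint(0, sum(r[1] for r in group))
            running = 0
            for i, rec in enumerate(group):
                running += rec[1]
                if running >= point:
                    ordered.append(group.pop(i))
                    break
    return ordered


def api_targets(records, realm, rng=random):
    """Return (json_url, kerberos_service_principal) pairs in the order to try.
    The principal names the real server, never a shared balancer alias."""
    targets = []
    for _prio, _weight, _port, target in order_srv(records, rng):
        host = target.rstrip(".")
        targets.append((f"https://{host}/ipa/json", f"HTTP/{host}@{realm}"))
    return targets


def call_with_failover(targets, post):
    """Try each server in turn. `post` is a caller-supplied (hypothetical)
    function that authenticates to `principal` and sends the JSON request."""
    for url, principal in targets:
        try:
            return url, post(url, principal)
        except ConnectionError:
            continue  # server down: fall through to the next SRV target
    raise ConnectionError("no IPA server reachable")
```

The SRV port (389) is the LDAP port and is used here only for discovery; the JSON endpoint is reached over HTTPS on the discovered hostname.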



