[Freeipa-users] freeipa behind a load balancer

Simo Sorce simo at redhat.com
Tue Mar 31 17:54:10 UTC 2015


On Tue, 2015-03-31 at 13:50 -0400, Simo Sorce wrote:
> But IPA is more complex and some operations will be performed directly
> against the specific server name, so you need to keep 2 sets of keys
> (one for the server name and one for the load balancer name), but that
> does not work right now.

One experiment that can be done is to remove all "per-server" HTTP
services for the IPA server, and instead add their name as aliases on
the common load-balancer name.

This would mean that all IPA servers would have just one key in their
HTTP keytab, but the KDC would release tickets readable by that key for
any name the clients may ask for.

It is a bit tricky: every time you build a replica you want to
load-balance, you'll have to go back and remove the service and switch
keytabs, but it may be an option. Of course, if you brick IPA then you
get to keep the pieces :-)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York