[Freeipa-users] freeipa behind a load balancer
Brendan Kearney
bpk678 at gmail.com
Tue Mar 31 18:10:45 UTC 2015
On Tue, 2015-03-31 at 13:54 -0400, Simo Sorce wrote:
> On Tue, 2015-03-31 at 13:50 -0400, Simo Sorce wrote:
> > But IPA is more complex and some operations will be performed directly
> > against the specific server name, so you need to keep 2 sets of keys
> > (one for the server name and one for the load balancer name), but that
> > does not work right now.
>
> One experiment that can be done is to remove all "per-server" HTTP
> services for the IPA server, and instead add their name as aliases on
> the common load-balancer name.
>
> This would mean that all IPA servers would have just one key in their
> HTTP keytab, but the KDC would release tickets readable by that key for
> any name the clients may ask for.
>
> It is a bit tricky, every time you build a replica you want to
> load-balance you'll have to go back and remove the service and switch
> keytabs, but it may be an option. Of course if you brick IPA then you
> get to keep the pieces :-)
>
> Simo.
>
careful there, as kerberos balks at CNAME records. i think you need to
use A records. i ran into a couple odd issues and decided to only use
A/PTR records for my stuff and never went "exploring" for
options/alternatives.
More information about the Freeipa-users
mailing list