[Freeipa-users] freeipa behind a load balancer

Matt . yamakasi.014 at gmail.com
Tue Mar 31 18:20:11 UTC 2015


Simo,

Yes, that was where I was thinking of also, so you say faking by DNS?

@Brendan, CNAMEs are not that nice in networks indeed.

2015-03-31 20:10 GMT+02:00 Brendan Kearney <bpk678 at gmail.com>:
> On Tue, 2015-03-31 at 13:54 -0400, Simo Sorce wrote:
>> On Tue, 2015-03-31 at 13:50 -0400, Simo Sorce wrote:
>> > But IPA is more complex and some operations will be performed directly
>> > against the specific server name, so you need to keep 2 sets of keys
>> > (one for the server name and one for the load balancer name), but that
>> > does not work right now.
>>
>> One experiment that can be done is to remove all "per-server" HTTP
>> services for the IPA server, and instead add their name as aliases on
>> the common load-balancer name.
>>
>> This would mean that all IPA servers would have just one key in their
>> HTTP keytab, but the KDC would release tickets readable by that key for
>> any name the clients may ask for.
>>
>> It is a bit tricky, every time you build a replica you want to
>> load-balance you'll have to go back and remove the service and switch
>> keytabs, but it may be an option. Of course if you brick IPA then you
>> get to keep the pieces :-)
>>
>> Simo.
>>
>
> Careful there, as Kerberos balks at CNAME records. I think you need to
> use A records. I ran into a couple of odd issues and decided to only use
> A/PTR records for my stuff and never went "exploring" for
> options/alternatives.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
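Simo's experiment above comes down to which principals, and therefore which keys, each replica's HTTP keytab actually holds. The following Python is an added example, not code from this thread or from FreeIPA: it parses the MIT keytab file format (version `0x0502`) and inventories the principals present, so an administrator can confirm that a replica's HTTP keytab carries only the shared load-balancer principal and that no per-server key was left behind. The realm, host names and key bytes are constructed placeholders, and the keytab is built in memory so the check runs offline.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List, Set

# Constructed for the example: hypothetical realm and host names, not real systems.
REALM = "EXAMPLE.TEST"
LB_PRINCIPAL = "HTTP/ipa-lb.example.test@EXAMPLE.TEST"
SERVER_PRINCIPAL = "HTTP/ipa1.example.test@EXAMPLE.TEST"


@dataclass
class KeytabEntry:
    principal: str   # "service/host@REALM"
    name_type: int   # 1 = KRB5_NT_PRINCIPAL
    timestamp: int
    kvno: int
    enctype: int     # 18 = aes256-cts-hmac-sha1-96, 17 = aes128-cts-hmac-sha1-96


def build_entry(realm: str, components: List[str], kvno: int, enctype: int,
                key: bytes, timestamp: int = 0) -> bytes:
    """Serialise one MIT keytab entry; used here only to construct sample data."""
    body = struct.pack(">H", len(components))
    body += struct.pack(">H", len(realm)) + realm.encode("ascii")
    for comp in components:
        body += struct.pack(">H", len(comp)) + comp.encode("ascii")
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # name type, timestamp, 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key      # keyblock: enctype, length, key
    body += struct.pack(">I", kvno)                          # optional 32-bit vno extension
    return struct.pack(">i", len(body)) + body


def delete_entry(entry: bytes) -> bytes:
    """Mark a serialised entry as deleted the way MIT does: negate its size, keep the bytes."""
    (size,) = struct.unpack(">i", entry[:4])
    return struct.pack(">i", -size) + entry[4:]


def build_keytab(entries: Iterable[bytes]) -> bytes:
    return b"\x05\x02" + b"".join(entries)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Walk a version-2 MIT keytab and return its live entries (key material is skipped)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:            # negative size marks a deleted slot: skip its bytes
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode("ascii")
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            pos += 2
            comps.append(data[pos:pos + clen].decode("ascii"))
            pos += clen
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen          # the inventory never needs the key bytes themselves
        kvno = vno8
        if end - pos >= 4:       # 32-bit vno, when present and non-zero, overrides vno8
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm,
                                   name_type, timestamp, kvno, enctype))
    return entries


def principals(data: bytes) -> Set[str]:
    return {e.principal for e in parse_keytab(data)}


def unexpected_principals(data: bytes, allowed: Set[str]) -> List[str]:
    """Principals in the keytab beyond the allowed set, e.g. a leftover per-server HTTP key."""
    return sorted(principals(data) - allowed)


# Constructed sample: a replica whose HTTP keytab still carries its own per-server key
# next to the shared load-balancer key. Key bytes are dummy placeholders.
SAMPLE_KEYTAB = build_keytab([
    build_entry(REALM, ["HTTP", "ipa-lb.example.test"], kvno=3, enctype=18, key=b"\x11" * 32),
    build_entry(REALM, ["HTTP", "ipa-lb.example.test"], kvno=3, enctype=17, key=b"\x22" * 16),
    build_entry(REALM, ["HTTP", "ipa1.example.test"], kvno=7, enctype=18, key=b"\x33" * 32),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"{e.principal}  kvno={e.kvno}  enctype={e.enctype}")
    print("unexpected:", unexpected_principals(SAMPLE_KEYTAB, {LB_PRINCIPAL}))
```

On a real replica the same check would read `/etc/httpd/conf/ipa.keytab` (or wherever the HTTP keytab lives) and pass the load-balancer principal as the only allowed name; anything else reported is a per-server key that the scheme above says should have been removed and re-issued.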
