You may be overcomplicating things by using a load balancer; IPA does a
fairly good job of balancing things itself. For example, the default SSSD
config is to have this:

ipa_server = _srv_, <other ipa server as fallback>

meaning it will select which host to communicate with via the DNS service
records, which are automatically created. You can refine the server
selection by setting up locations if desired. This naturally is not
perfect, but it does have the additional advantage of being maintained by
IPA. Adding a third server updates everything for you, so you don't have
to reconfigure a load balancer.

In short, do away with the load balancer; you shouldn't need it.


On Tue, Aug 8, 2017 at 9:06 AM, ridha.zorgui--- via FreeIPA-users <> wrote:

> I set up a FreeIPA master and replica behind an elastic load balancer in
> AWS cloud. FreeIPA clients will be contacting the replica and the master
> server through the load balancer, so the DNS name used when configuring the
> clients is the ELB CNAME. The problem is when retrieving LDAP data and
> during the authentication, the SSL handshake fails as the certificate sent
> back from the master or replica has a hostname different than the one used
> in the sssd (the ELB CNAME), so the connection is terminated. There is a
> workaround, which is the use of reqcert=allow, but this brings a security
> issue with a MITM attack. Another solution I found is the use of a SAN. I
> was able to add the ELB DNS as a SAN in the FreeIPA servers' certificate. I
> made sure it is there by downloading the certificate and checking that the
> ELB SAN exists, but when testing it the same problem remains. Please help.
> _______________________________________________
> FreeIPA-users mailing list --
> To unsubscribe send an email to
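As an added illustration of the `_srv_` behaviour described in the reply above (example code written for this page; it is not SSSD or FreeIPA code and was not posted by either participant): SSSD expands `_srv_` by looking up the IPA domain's SRV records and trying targets in RFC 2782 order (lowest priority first, weighted-random within a priority), then falls back to any static names listed after it. Because the client then connects to each server under its own hostname, the certificate presented matches and there is no need for `reqcert=allow`. The zone `example.test`, the hostnames and the weights are assumptions for the example, and the SRV lines are a constructed sample in the form `dig +short SRV` prints.

```python
"""Model of how SSSD resolves ``ipa_server = _srv_, <fallback>``.

Added example: this is not SSSD or FreeIPA code. It implements the
RFC 2782 SRV selection order (lowest priority first, weighted-random
within a priority) over constructed records so that it runs offline.
"""
from __future__ import annotations

import random
from dataclasses import dataclass

# Constructed sample in the "priority weight port target" form that
# `dig +short SRV _ldap._tcp.example.test` prints. Zone, hostnames and
# weights are assumptions for the example, not real infrastructure.
SAMPLE_SRV = """\
0 100 389 ipa1.example.test.
0 100 389 ipa2.example.test.
10 50 389 ipa-dr.example.test.
"""


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(text: str) -> list[SrvRecord]:
    """Parse dig-style SRV lines; the trailing dot on the target is dropped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        prio, weight, port, target = fields
        records.append(SrvRecord(int(prio), int(weight), int(port),
                                 target.rstrip(".")))
    return records


def _pick_weighted(pool: list[SrvRecord], rng: random.Random) -> SrvRecord:
    """RFC 2782 pick: random number in 0..sum(weights), first record whose
    running sum reaches it. Higher weight, higher chance of being tried first."""
    total = sum(r.weight for r in pool)
    if total == 0:
        return pool[0]
    n = rng.randint(0, total)
    running = 0
    for rec in pool:
        running += rec.weight
        if running >= n:
            return rec
    return pool[-1]


def srv_order(records: list[SrvRecord], seed: int | None = None) -> list[SrvRecord]:
    """Order records as a resolver should try them: by priority, then weighted-random.
    ``seed`` only exists to make the ordering reproducible for the example."""
    rng = random.Random(seed)
    ordered: list[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            chosen = _pick_weighted(pool, rng)
            ordered.append(chosen)
            pool.remove(chosen)
    return ordered


def expand_ipa_server(value: str, srv_text: str, seed: int | None = None) -> list[str]:
    """Expand an sssd.conf ``ipa_server`` value into the host list SSSD would try.

    ``_srv_`` is replaced by the SRV-ordered targets; static names keep
    their position as fallbacks; duplicates are dropped. A server added to
    IPA later shows up through DNS without editing this value.
    """
    hosts: list[str] = []
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue
        if entry == "_srv_":
            candidates = [r.target for r in srv_order(parse_srv(srv_text), seed)]
        else:
            candidates = [entry]
        for host in candidates:
            if host not in hosts:
                hosts.append(host)
    return hosts


if __name__ == "__main__":
    # The line the reply quotes, with an assumed static fallback host:
    print(expand_ipa_server("_srv_, ipa2.example.test", SAMPLE_SRV))
```

To check what a real client will see, run `dig SRV _ldap._tcp.<ipa domain>` and `dig SRV _kerberos._udp.<ipa domain>` from the client; the targets returned are the names SSSD connects to, and each server's certificate is issued for its own such name.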