I've used shared keytabs before to create a load-balanced Squid instance. This way you don't even need to use sticky balancing, since all nodes that have the key material will be able to decrypt TGSs for the shared service. Be sure to use the -r option with ipa-getkeytab; otherwise the secret will be reset. Alternatively, you can just copy the keytab entries.
Sent from my Samsung device

-------- Original message --------
From: William Muriithi via FreeIPA-users <firstname.lastname@example.org>
Date: 11-08-17 21:02 (GMT+01:00)
To: email@example.com
Cc: William Muriithi <william.murii...@gmail.com>
Subject: [Freeipa-users] Can Load balanced HTTP service use kerberos authentication?

Afternoon,

I am attempting to add redundancy to a system that we are currently using and that uses Apache as web server. Apache is using IPA for user authentication.

To do this, I will have to use a load balancer in front of the two servers, and the original setup doesn't seem to work fine with the load balancer in front. For one, the load balancer is not an IPA client, so I can't set up a Service Principal Name there.

Is this kind of setup supported currently by IPA? Has anyone deployed it and wouldn't mind sharing the experience? I am just a bit cautious taking the steps as the system is already in production.

I have researched this morning and the only link I see is this.

https://www.freeipa.org/page/V4/Keytab_Retrieval

Not sure if it was ever implemented as there is no discussion of it on the Free-IPA mailing list.

IPA server: ipa-server-4.4.0-14.el7_3.6.x86_64
Apache: (IPA client) httpd-2.4.6-45.el7

Regards,
William
_______________________________________________
FreeIPA-users mailing list -- firstname.lastname@example.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org