I think you need to break apart the pieces of IPA you want to load
balance. The LDAP pieces might be handled differently than the Kerberos
token pieces.
I am not using IPA, but I do have load balanced OpenLDAP and "load
sharing" MIT KDCs. My LDAP instances are behind HAProxy. I needed to
add the olcSuffix directive to the config database in all cases. This
tells the instances to answer queries for the stated DN, dc=bpk2,dc=com
in my case. I am not sure if this can be done in IPA, or what means are
required in order to implement it if it can be done.
A fancy trick I did with HAProxy is to have multiple VIPs set up, using
the same name but a different port, so that I could access the
individual LDAP servers via alternate ports, or access the whole pool of
servers on the standard port 389. By using the same DNS name on the
VIP, and having the Kerberos Principal match the VIP name, I am able to
use Kerberos to AuthN against all the servers. So, one DNS name, with
matching Kerberos Principal, and multiple ports (389 for all, 390 for
server1, 391 for server2,...) gets me load balanced LDAP. Trust me,
having individual access to the servers is a huge troubleshooting and
testing advantage.
I set up my KAdmin servers in the same fashion as above, as they are
stateful communications and are TCP protocols, but did not go through
the effort of setting up the alternate ports. It might be something I
do in the near future. It's mostly a copy/paste/reload effort, since I
have the main VIP setup in HAProxy already.
Because HAProxy does not load balance UDP, I chose to use Anycast for
the UDP KRB5KDC protocol, which is stateless. You might choose to
implement nginx, which might cover both the TCP and UDP protocols,
instead of HAProxy and Anycast like I did.
I run the quagga routing package on the servers, so they participate in
dynamic routing. I chose iBGP over OSPF, but you can use either. I
configured KRB5KDC to listen on a virtual interface stacked on the
loopback, à la lo:6 (yes, there are 5 other Anycast services running...
points if you can guess what they are). On each of the servers, the
lo:6 interface has the IP 192.168.254.6 assigned. With iBGP, and
"maximum-paths" set to 4, I can have up to 4 hosts injecting a route to
192.168.254.6, for active load sharing via Anycast. The IP resolves to
the DNS entries I use in krb5.conf, etc or what is configured in the SRV
records.
Because the servers inject the route, the DNS name stays the same, and
does not need to be updated because a new or different server is
introduced to the mix. The Anycast solution does not have much logic
for fault tolerance. The load sharing, as I call it, is simply a
routing decision based on a hash of the source and destination. It's a
little more intelligent than DNS round-robin, but not quite a load
balancing algorithm like least connections.
I do not have an elegant solution for when a service crashes or
otherwise goes down, and a means to tie the event to the route being
pulled. I am looking at how I can tie things together via systemd and
the BindsTo directive. Sadly, there are a couple pieces to tie together
and not everything is straightforward. krb5kdc.service would need to be
bound to a systemd-networkd interface, which is monitored by quagga's
built-in "link-detect" directive, but because I am stacking things on
the loopback, the "link-detect" mechanism does not work. quagga
considers the interface as a pseudo interface and therefore does not pay
attention to it. I say this because in Production use, outages will
occur when an Anycast'd service goes down and the dynamic routing does
not update with the appropriate route being removed.
hope this helps,
brendan
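The HAProxy "one VIP, one port per server plus a pool port" trick described in the reply above, as an added example that is not from the post or from the FreeIPA project: a small shell generator that emits the haproxy.cfg fragment for any number of LDAP backends (pool on 389, server1 on 390, server2 on 391, and so on), so adding a server is a regenerate-and-reload rather than a copy/paste. The VIP address, server names and IPs are hypothetical arguments; the backends are assumed to speak plain LDAP on 389 and each must carry the ldap/<vip-name> principal key in its keytab for GSSAPI to work through every port.

```shell
#!/bin/bash
# Added example, not code from the post. Emits an HAProxy TCP-mode config
# fragment: one VIP, pool on 389, each server alone on 390, 391, ...
# Assumptions (hypothetical): backends are given as name:ip and listen on 389.
set -eu

# usage: gen_ldap_haproxy VIP_ADDR name1:ip1 name2:ip2 ...
gen_ldap_haproxy() {
  local vip="$1"; shift
  local port=390 entry name ip

  printf 'defaults\n  mode tcp\n  timeout connect 5s\n'
  printf '  timeout client 1h\n  timeout server 1h\n\n'

  # Pool: the standard LDAP port on the VIP, balanced across all servers.
  # option ldap-check does an anonymous LDAPv3 bind as the health check,
  # so a server whose slapd is up but not answering LDAP is taken out.
  printf 'frontend ldap_pool\n  bind %s:389\n  default_backend ldap_all\n\n' "$vip"
  printf 'backend ldap_all\n  balance leastconn\n  option ldap-check\n'
  for entry in "$@"; do
    name=${entry%%:*}; ip=${entry#*:}
    printf '  server %s %s:389 check\n' "$name" "$ip"
  done
  printf '\n'

  # Individual access: same VIP (same DNS name, same Kerberos principal),
  # one extra port per server, for troubleshooting a single replica.
  for entry in "$@"; do
    name=${entry%%:*}; ip=${entry#*:}
    printf 'frontend ldap_%s\n  bind %s:%d\n  default_backend ldap_%s\n\n' \
      "$name" "$vip" "$port" "$name"
    printf 'backend ldap_%s\n  option ldap-check\n  server %s %s:389 check\n\n' \
      "$name" "$name" "$ip"
    port=$((port + 1))
  done
}

# Stand-alone use: ./gen-ldap-haproxy.sh 10.0.0.10 server1:10.0.0.1 server2:10.0.0.2
if [ $# -ge 2 ]; then
  gen_ldap_haproxy "$@"
fi
```

Run the output through `haproxy -c -f` before reloading; the per-server frontends are what let you point `ldapsearch -H ldap://vip-name:391/` at exactly one replica while still using the VIP's principal.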
On 6/9/22 5:56 AM, Ronald Wimmer via FreeIPA-users wrote:
IPA heavily relies on DNS entries. In my opinion, this design makes it
more difficult to quickly disable one or more IPA servers - especially
when using IPA in combination with external DNS (managed by a
different department).
Would it be possible to put all relevant DNS entries on a load balancer
VIP and let the LB resolve to all IPA servers?
e.g. instead of having 8 DNS entries for
_kerberos-master._tcp.linux.oebb.at for each of our 8 IPA servers I
would have just one _kerberos-master._tcp.linux.oebb.at entry. The LB
would distribute requests in such a setup.
Is it possible to do that or would it break some IPA functionality?
Cheers,
Ronald
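The Anycast failure mode Brendan describes further up (quagga's "link-detect" ignoring the loopback, so a dead krb5kdc keeps its route advertised) has a common workaround that does not depend on link state: a periodic health check that removes the Anycast /32 from the loopback when the KDC stops listening and puts it back when it returns, so the routing daemon withdraws and re-injects the connected route. The script below is an added example, not from the post; it assumes the 192.168.254.6/32 address on lo and port 88 from the reply, and assumes bgpd only advertises the prefix while it exists in the kernel table (redistribute connected, or a network statement with import-check). Run it from a cron entry or systemd timer every few seconds.

```shell
#!/bin/bash
# Added example, not code from the post. Withdraw the Anycast KDC address
# from the loopback when krb5kdc is not listening, restore it when it is.
# Assumptions (hypothetical): address/device/port below; bgpd advertises
# the /32 only while the kernel has it as a connected route.
set -u

ANYCAST_ADDR="${ANYCAST_ADDR:-192.168.254.6/32}"
ANYCAST_DEV="${ANYCAST_DEV:-lo}"
KDC_PORT="${KDC_PORT:-88}"

# Is something bound on the Anycast address at the KDC port (TCP or UDP)?
kdc_listening() {
  ss -H -l -n -t -u "sport = :${KDC_PORT}" 2>/dev/null \
    | grep -qF "${ANYCAST_ADDR%/*}:${KDC_PORT}"
}

# Is the Anycast address currently configured on the loopback?
addr_present() {
  ip -o addr show dev "$ANYCAST_DEV" 2>/dev/null | grep -qF " ${ANYCAST_ADDR} "
}

# Pure decision: listening (0/1) and present (0/1) -> add | del | none.
# Kept separate so the logic can be checked without touching the kernel.
decide() {
  local listening="$1" present="$2"
  if [ "$listening" = 1 ] && [ "$present" = 0 ]; then
    echo add
  elif [ "$listening" = 0 ] && [ "$present" = 1 ]; then
    echo del
  else
    echo none
  fi
}

# One reconcile pass; prints the action taken so a timer log shows flaps.
reconcile() {
  local l=0 p=0 action
  kdc_listening && l=1
  addr_present && p=1
  action=$(decide "$l" "$p")
  case "$action" in
    add) ip addr add "$ANYCAST_ADDR" dev "$ANYCAST_DEV" ;;
    del) ip addr del "$ANYCAST_ADDR" dev "$ANYCAST_DEV" ;;
  esac
  echo "$action"
}

# Stand-alone use (needs CAP_NET_ADMIN): ./kdc-anycast-check.sh run
case "${1:-}" in
  run) reconcile ;;
esac
```

Deleting the address is what makes the withdrawal happen: the kernel drops the connected /32, bgpd stops advertising it, and the iBGP peers hash new clients onto the remaining KDCs. Because krb5kdc only binds the address at start, it should be started after the address is (re)added, for instance with a systemd unit ordered after the one that configures lo.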
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to
[email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure