On Fri, 04 Nov 2022, Ronald Wimmer via FreeIPA-users wrote:
On 09.06.22 11:56, Ronald Wimmer via FreeIPA-users wrote:
IPA heavily relies on DNS entries. In my opinion, this design makes it more difficult to quickly disable one or more IPA servers - especially when using IPA in combination with external DNS (managed by a different department).

Would it be possible to put all relevant DNS entries on a Loadbalancer VIP and let the LB resolve to all IPA servers?

e.g. instead of having 8 DNS entries for _kerberos-master._tcp.linux.oebb.at, one for each of our 8 IPA servers, I would have just one _kerberos-master._tcp.linux.oebb.at entry. The LB would distribute requests in such a setup.

Is it possible to do that or would it break some IPA functionality?

As the question came up again, I would highly appreciate hearing from the IPA developers.

IMHO using an enterprise grade load balancer would have several advantages over DNS round robin.

If you want something like that, please invest your own time and share
the results of it. It may sound harsh, but there are multiple issues with
centralized load balancers when interacting with Kerberos services,
specifically in degrading the overall security of that solution. You'd
need to understand what you are getting into and whether a specific
solution is secure enough for your own situation. There is no general
guideline, but some of the problems and hints on how to address them are
available in this old but still valid post by Simo: https://ssimo.org/blog/id_019.html


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
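The DNS side of the question above, as an added example that is not part of the thread and not FreeIPA project code: how a Kerberos client is expected to pick a KDC from a set of SRV records (RFC 2782 priority/weight selection), and how a server is taken out of rotation by dropping its record. The record name _kerberos-master._tcp.linux.oebb.at comes from the thread; the host names, priorities, weights and the helper names are constructed for illustration.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    """One SRV resource record (RFC 2782 RDATA fields)."""
    priority: int
    weight: int
    port: int
    target: str


SRV_NAME = "_kerberos-master._tcp.linux.oebb.at."

# Constructed sample RRset: three primary KDCs at priority 0 (ipa3 gets half
# the share of the others) and one backup at priority 10 that clients only
# try when every priority-0 host is unreachable. Hosts are made up.
SAMPLE_RRSET = [
    SrvRecord(0, 100, 88, "ipa1.linux.oebb.at."),
    SrvRecord(0, 100, 88, "ipa2.linux.oebb.at."),
    SrvRecord(0, 50, 88, "ipa3.linux.oebb.at."),
    SrvRecord(10, 100, 88, "ipa4.linux.oebb.at."),
]


def to_zone_line(name, rec):
    """Render a record as a zone-file line (the form an external DNS team would manage)."""
    return f"{name} IN SRV {rec.priority} {rec.weight} {rec.port} {rec.target}"


def order_srv(records, rng=None):
    """Return the records in the order a client should try them (RFC 2782 usage rules).

    Lower priority values come first. Within one priority the client draws
    targets at random, proportionally to weight; weight-0 records are placed
    first in the candidate list so they are selected only when nothing else
    is left (or when every weight in the group is 0).
    """
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        pool.sort(key=lambda r: r.weight != 0)  # weight 0 first, per the RFC
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)  # uniform in [0, total], inclusive
            running = 0
            for i, rec in enumerate(pool):
                running += rec.weight
                if running >= pick:
                    ordered.append(pool.pop(i))
                    break
    return ordered


def select_kdc(records, rng=None):
    """The first target a client would contact for this RRset."""
    return order_srv(records, rng)[0].target


def disable_server(records, target):
    """Take a server out of rotation: publish the RRset without its record.

    This is the DNS-only way to 'quickly disable' a server; it takes effect
    once resolvers' cached copies expire (the record TTL), which is the
    operational cost the thread is weighing against a load balancer.
    """
    return [r for r in records if r.target != target]


if __name__ == "__main__":
    for rec in SAMPLE_RRSET:
        print(to_zone_line(SRV_NAME, rec))
    print("client order:", [r.target for r in order_srv(SAMPLE_RRSET, random.Random(1))])
    print("after removing ipa1:", [r.target for r in disable_server(SAMPLE_RRSET, "ipa1.linux.oebb.at.")])
```

Note that the selection happens in each client; nothing in the path terminates or inspects the Kerberos exchange, which is the property the reply above is contrasting with a centralized load balancer.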
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue