On Fri, 22 Jan 2010 11:35:22 -0800
Doug Chapman <prjctg...@gmail.com> wrote:

> We're currently running SunDS and using Citrix (Netscaler) load
> balancers to keep the load on our client facing LDAP servers balanced
> between 2 hosts.
> I'm evaluating FreeIPA and wondered if anyone can share any
> experience with using IPA behind a load balancer (or point me at
> wikidocs)?
> I know the ldap portion will work, it's the kerberos bits I'm
> unfamiliar with.  Note, this would only be for client connections,
> not replication.

Hi Doug,
sorry for not replying earlier, I'd missed this message.

With krb5 you only have a problem if you wan to use SASL/GSSAPI to
authenticate LDAP clients to your servers.

That's because clients need to acquire a ticket for the server their are
going to connect, but you basically lie to clients by using a load
balancer and changing target server without their knowledge.
so clients will try to acquire a ticket in the name of the balancer
(assuming you created a principal for it) and when they reach the server
the server will not be able to use it.

If you are not planning to use SASL/GSSAPI to authenticate clients to
the LDAP server there should be no other issues.

Note that in v2 with sssd as a client we assume we can use SASL/GSSAPI
by default, but with current clients/freeipa server we don't.


Simo Sorce * Red Hat, Inc * New York

Freeipa-users mailing list

Reply via email to