Thanks Alexander. Reviewing the proxy requirements now.

On Tue, Nov 25, 2014 at 3:32 PM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On Tue, 25 Nov 2014, Dimitar Georgievski wrote:
>
>> My case for HTTP load balancing is little different. Ideally I would like
>> to use a real load balancer (A10 in this case) for balancing HTTP and
>> HTTPS
>> services.
>> Would that be possible?
>>
>> Based on the info in this thread, and Apache configuration for IPA
>> (ipa.conf) the following steps were performed
>> - Added host for sso.example.com
>> - Added service for HTTP/sso.example.com
>> - added new entry for HTTP/sso.example.com to /etc/httpd/conf/ipa.keytab.
>> This keytab is listed in the conf.d/ipa.conf under the Location '/ipa'
>> groups of directives.
>>  ipa-getkeytab -s `hostname` -p HTTP/sso.example.com -k
>> /etc/httpd/conf/ipa.keytab
>>
>> - modifed the conf.d/ipa-rewrite.conf and ipa-pki-proxy.conf to redirect
>> requests to sso.example.com
>>
>> The login page loads but unfortunately authentication is failing with HTTP
>> 401 (unauthorized) response from the server. I wonder what I am doing
>> wrong.
>>
> Can you show your /var/log/krb5kdc.log, lines concerning
> HTTP/sso.example.com principal at the time you are trying to access IPA
> UI.
>
> FreeIPA limits service principals' ability to impersonate user
> principals (or any other principals). FreeIPA UI runs as HTTP/ principal
> and is given permission to impersonate user principal when talking to
> ldap/ service. This setup is explicit and requires additional
> configuration for those Kerberos principals which ask for additional
> access.
>
> For more detailed description read my article at
> http://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-
> with-FreeIPA/index.html
>
> --
> / Alexander Bokovoy
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to