Thanks Alexander. Reviewing the proxy requirements now.

On Tue, Nov 25, 2014 at 3:32 PM, Alexander Bokovoy wrote:

> On Tue, 25 Nov 2014, Dimitar Georgievski wrote:
>> My case for HTTP load balancing is a little different. Ideally I would like
>> to use a real load balancer (A10 in this case) for balancing HTTP and
>> services.
>> Would that be possible?
>> Based on the info in this thread, and Apache configuration for IPA
>> (ipa.conf) the following steps were performed
>> - Added host for
>> - Added service for HTTP/
>> - added new entry for HTTP/ to /etc/httpd/conf/ipa.keytab.
>> This keytab is listed in the conf.d/ipa.conf under the Location '/ipa'
>> groups of directives.
>>  ipa-getkeytab -s `hostname` -p HTTP/ -k /etc/httpd/conf/ipa.keytab
>> - modified the conf.d/ipa-rewrite.conf and ipa-pki-proxy.conf to redirect
>> requests to
>> The login page loads but unfortunately authentication is failing with HTTP
>> 401 (unauthorized) response from the server. I wonder what I am doing
>> wrong.
> Can you show your /var/log/krb5kdc.log, lines concerning
> HTTP/ principal at the time you are trying to access IPA
> UI?
> FreeIPA limits service principals' ability to impersonate user
> principals (or any other principals). FreeIPA UI runs as HTTP/ principal
> and is given permission to impersonate user principal when talking to
> ldap/ service. This setup is explicit and requires additional
> configuration for those Kerberos principals which ask for additional
> access.
> For a more detailed description, read my article at
> with-FreeIPA/index.html
> --
> / Alexander Bokovoy
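
The delegation restriction described in the quoted reply can be reasoned about offline. The following is an added example, not code from this thread or from the FreeIPA project: it evaluates a constrained-delegation rule in the shape FreeIPA keeps under `cn=s4u2proxy,cn=etc` against constructed LDIF. The host names, realm and suffix are placeholders, and the matching logic is a simplified model, not the KDC's own code.

```python
# Added example: simplified model of a FreeIPA S4U2Proxy delegation rule check.
# Host names, realm and suffix below are constructed placeholders.
SAMPLE_LDIF = """\
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=test
objectClass: ipaKrb5DelegationACL
memberPrincipal: HTTP/ipa1.example.test@EXAMPLE.TEST
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=test

dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=test
objectClass: groupOfPrincipals
memberPrincipal: ldap/ipa1.example.test@EXAMPLE.TEST
"""


def parse_ldif(text):
    """Parse simple, unwrapped LDIF into {dn_lower: {attr_lower: [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            attrs.setdefault(name.lower(), []).append(value)
        entries[attrs["dn"][0].lower()] = attrs
    return entries


def may_delegate(entries, proxy, target):
    """True if a delegation rule lists `proxy` and allows a group containing `target`."""
    for attrs in entries.values():
        if "ipaKrb5DelegationACL" not in attrs.get("objectclass", []):
            continue
        if proxy not in attrs.get("memberprincipal", []):
            continue  # this service may not impersonate users under this rule
        for group_dn in attrs.get("ipaallowedtarget", []):
            group = entries.get(group_dn.lower(), {})
            if target in group.get("memberprincipal", []):
                return True
    return False


if __name__ == "__main__":
    rules = parse_ldif(SAMPLE_LDIF)
    ldap_svc = "ldap/ipa1.example.test@EXAMPLE.TEST"
    # The second principal stands in for a load-balancer name added only to the keytab.
    for http_svc in ("HTTP/ipa1.example.test@EXAMPLE.TEST",
                     "HTTP/lb.example.test@EXAMPLE.TEST"):
        print(http_svc, "->", ldap_svc, ":", may_delegate(rules, http_svc, ldap_svc))
```

In this model, a principal that exists only in the keytab is refused delegation until it also appears as a `memberPrincipal` of the rule.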