Thanks Alexander. Reviewing the proxy requirements now.
On Tue, Nov 25, 2014 at 3:32 PM, Alexander Bokovoy <aboko...@redhat.com>
> On Tue, 25 Nov 2014, Dimitar Georgievski wrote:
>> My case for HTTP load balancing is a little different. Ideally I would like
>> to use a real load balancer (A10 in this case) for balancing HTTP and
>> Would that be possible?
>> Based on the info in this thread, and Apache configuration for IPA
>> (ipa.conf) the following steps were performed:
>> - Added host for sso.example.com
>> - Added service for HTTP/sso.example.com
>> - Added new entry for HTTP/sso.example.com to /etc/httpd/conf/ipa.keytab.
>> This keytab is listed in the conf.d/ipa.conf under the Location '/ipa'
>> groups of directives.
>> ipa-getkeytab -s `hostname` -p HTTP/sso.example.com -k
>> - Modified the conf.d/ipa-rewrite.conf and ipa-pki-proxy.conf to redirect
>> requests to sso.example.com
>> The login page loads but unfortunately authentication is failing with HTTP
>> 401 (unauthorized) response from the server. I wonder what I am doing
> Can you show your /var/log/krb5kdc.log, lines concerning
> HTTP/sso.example.com principal at the time you are trying to access IPA
> FreeIPA limits service principals' ability to impersonate user
> principals (or any other principals). FreeIPA UI runs as HTTP/ principal
> and is given permission to impersonate user principal when talking to
> ldap/ service. This setup is explicit and requires additional
> configuration for those Kerberos principals which ask for additional
> For a more detailed description read my article at
> / Alexander Bokovoy
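
The explicit delegation setup described in the quoted reply is stored in the directory as S4U2Proxy rule entries. The LDIF below is an added illustration, not part of the thread or of the FreeIPA project's own files, showing how an extra principal such as HTTP/sso.example.com would be listed in FreeIPA's stock `cn=ipa-http-delegation` rule. The realm EXAMPLE.COM, the suffix dc=example,dc=com and the server name ipa1.example.com are assumed placeholders.

```ldif
# Added illustration; not taken from the thread.
# Assumed placeholders: realm EXAMPLE.COM, suffix dc=example,dc=com,
# IPA server ipa1.example.com.
#
# Stock entries created at install time, abridged and shown for reference:
#
#   dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com
#   objectClass: ipaKrb5DelegationACL
#   objectClass: groupOfPrincipals
#   cn: ipa-http-delegation
#   memberPrincipal: HTTP/ipa1.example.com@EXAMPLE.COM
#   ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
#
#   dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
#   objectClass: groupOfPrincipals
#   cn: ipa-ldap-delegation-targets
#   memberPrincipal: ldap/ipa1.example.com@EXAMPLE.COM
#
# memberPrincipal on the rule  = which service principals may delegate.
# ipaAllowedTarget on the rule = which target group they may delegate to.
# A service principal missing from memberPrincipal cannot obtain an ldap/
# ticket on the user's behalf, so the web UI's LDAP bind as that user fails.
#
# Change record (apply with ldapmodify as a directory administrator):
# lists the balancer name's principal as a permitted delegator.

dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com
changetype: modify
add: memberPrincipal
memberPrincipal: HTTP/sso.example.com@EXAMPLE.COM
```

Every member of this rule can request ldap/ tickets on behalf of users, so the key for HTTP/sso.example.com should exist only in keytabs on the IPA servers themselves.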